feat(ci): GT-149 progress — executable OPA + Native/OPA parity gate (~70%, not closed) #62
Merged
Add the pinned, host-binary-free OPA execution path and the differential parity gate:

- opa-eval.mjs: evaluateWasm() runs a compiled policy bundle through @open-policy-agent/opa-wasm (no host `opa` binary) with duration telemetry; normalizeOpaDecisions() maps results to the canonical decision contract.
- parity-gate.mjs: diffDecisions()/parityReport() fail on verdict, rule-ID, severity, or evidence-location drift; versioned machine-readable report.
- 16-opa-parity-gate.mjs: per accepted topology, evaluate parity-fixtures against the compiled bundle and diff vs declared Native decisions; fails closed on drift or evaluator failure; dry-run-safe (defers to the scheduled full run when bundles/fixtures are not yet compiled). Auto-run by ci-runner.
- parity-gate.test.mjs: 7 node:test cases including a real opa-wasm execution of the committed policy.wasm and a malformed-policy fail-closed fixture.

Verifiable core (engine + differential) complete. Per-topology bundle compilation, fixtures, Native wiring and the scheduled full run are CI/toolchain-gated (opa not available locally).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…-149) Advance the non-toolchain-blocked criteria:

- parity-gate.mjs: scopeTopologies (changed-vs-full CI scoping) and contentVersion (ruleset/policy version stamps for the report).
- 16-opa-parity-gate.mjs: git-diff scoping (EVOLITH_PARITY_FULL for the full run), and policy/ruleset content versions in each parity report.
- .github/workflows/opa-parity.yml: daily scheduled job that compiles topology policies with the pinned opa toolchain and runs the full parity gate (least-privilege contents:read).
- parity-gate.test.mjs: +3 cases (scoping full/changed, content version).

Remaining for GT-149 closure: per-topology .rego->WASM bundle compilation (needs the opa binary, CI-only), positive/negative/boundary fixtures, and wiring the real Native evaluator pipeline (EvaluationContext) into the gate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
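An added example, not the PR's own code, of the differential check the first commit describes: decisions keyed by rule ID, drift recorded on verdict, severity or evidence location (or a rule missing on one side), and a versioned report that fails closed when the evaluator itself errors. The decision field names and the sample decisions are assumptions; the PR does not show its canonical decision contract.

```javascript
// Added example, not the PR's code: a Native/OPA differential parity check.
// Field names of the canonical decision contract are assumptions.

// Constructed sample input: declared Native decisions vs. what the compiled
// OPA bundle returned for the same fixture (one verdict deliberately differs).
const nativeDecisions = [
  { ruleId: 'SEC-001', verdict: 'deny', severity: 'high', location: 'infra/net.yaml:12' },
  { ruleId: 'SEC-002', verdict: 'allow', severity: 'low', location: 'infra/iam.yaml:3' },
];
const opaDecisions = [
  { ruleId: 'SEC-001', verdict: 'deny', severity: 'high', location: 'infra/net.yaml:12' },
  { ruleId: 'SEC-002', verdict: 'deny', severity: 'low', location: 'infra/iam.yaml:3' },
];

// Fields compared per rule ID; a rule present on only one side is also drift.
const COMPARED_FIELDS = ['verdict', 'severity', 'location'];

function diffDecisions(native, opa) {
  const index = (list) => new Map(list.map((d) => [d.ruleId, d]));
  const a = index(native);
  const b = index(opa);
  const drift = [];
  for (const ruleId of new Set([...a.keys(), ...b.keys()])) {
    const x = a.get(ruleId);
    const y = b.get(ruleId);
    if (!x || !y) {
      drift.push({ ruleId, field: 'ruleId', native: x ? 'present' : 'missing', opa: y ? 'present' : 'missing' });
      continue;
    }
    for (const field of COMPARED_FIELDS) {
      if (x[field] !== y[field]) drift.push({ ruleId, field, native: x[field], opa: y[field] });
    }
  }
  return drift;
}

// Versioned report. An evaluator error (e.g. a malformed bundle) must fail the
// gate outright: "could not evaluate" is never reported as "no drift".
function parityReport({ native, opa, evaluatorError = null, reportVersion = 1 }) {
  if (evaluatorError) {
    return { reportVersion, status: 'fail', reason: 'evaluator-failure', error: String(evaluatorError), drift: [] };
  }
  const drift = diffDecisions(native, opa);
  return { reportVersion, status: drift.length ? 'fail' : 'pass', reason: drift.length ? 'drift' : null, drift };
}
```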
GT-149 progress (does NOT close it) — verifiable scaffolding; pending the `opa` toolchain in CI.

Done + tested (10 node:test):

- opa-eval.mjs: runs WASM via opa-wasm without a host binary (tested against the real policy.wasm).
- parity-gate.mjs: Native/OPA differential (verdict/rule-id/severity/evidence) + scoping + version hash.
- 16-opa-parity-gate.mjs: fail-closed runner, dry-run-safe, git-diff scoping, versions; auto-run by ci-runner.
- opa-parity.yml: cron workflow for the full run (least-privilege).

Pending for closure: A) compile topology .rego→WASM (needs opa, CI-only), B) per-topology fixtures, C) wiring of the real Native pipeline. GT-149 remains PENDING.
🤖 Generated with Claude Code