auto-sync: tudo-para-ia-mais-humana 2026-05-02 02:34:18
@@ -147,6 +147,14 @@ ACCESS_POLICY_SURFACES = (
("automation-smoke", "observability", "mais_humana.gateway.access_policy.smoke"),
)
ADMINISTRATION_OPERATIONS = (
("consulta", "query", "mcp.admin.readonly", "mais_humana.admin.consulta"),
("diagnostico", "diagnostic", "mcp.admin.diagnostic", "mais_humana.admin.diagnostico"),
("acao", "action", "mcp.admin.action.request", "mais_humana.admin.acao"),
("auditoria", "audit", "mcp.admin.audit", "mais_humana.admin.auditoria"),
("explicacao", "explanation", "mcp.admin.explain", "mais_humana.admin.explicacao"),
)
def unique_tuple(values: Iterable[object]) -> tuple[str, ...]:
seen: set[str] = set()
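Review bot: The `ADMINISTRATION_OPERATIONS` table at the top of the hunk is a tuple of unlabeled 4-tuples, and the only thing that says what each column means is the unpacking in build_contracts (`operation, route_family, permission, tool_id`), which lives in a later hunk. A column comment directly above the table, `# columns: (operation, route_family, permission, tool_id)`, would let a reader check that the `mcp.admin.*` permission strings line up with their operations without hunting for the consumer. Since the permission column is what the validations render as `permissionScope={permission}`, a `NamedTuple` with those four fields would also prevent a silent column swap when rows are added. The `unique_tuple` definition at the bottom of the hunk continues outside it.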
@@ -183,6 +191,46 @@ def access_policy_payload_fields(platform_id: str, profile_id: str, surface: str
)
def administration_route_payload_fields(
platform_id: str,
profile_id: str,
operation: str,
route_family: str,
permission: str,
category: str,
) -> tuple[str, ...]:
return unique_tuple(
payload_fields(platform_id, profile_id, operation, category)
+ (
"adminRouteId",
"adminRouteKind",
"controlPlaneId",
"ownerPlatformId",
"targetPlatformId",
"routeFamily",
"permissionScope",
"executionMode",
"capabilityId",
"capabilityVersion",
"policyDecision",
"policyReason",
"inputSchemaHash",
"outputSchemaHash",
"operatorIntent",
"approvalRequired",
"dryRunSupported",
"rollbackSupported",
"humanExplanation",
"auditRetentionPolicy",
"mcpOnlyAdministration",
"directPlatformBypassBlocked",
f"{operation}Route",
f"{route_family}Family",
permission.replace(".", "_"),
)
)
def validation_steps(platform_id: str, profile_id: str, surface: str, kind: str) -> tuple[str, ...]:
return (
f"chamar {platform_id} somente via tudo-para-ia-mcps-internos-plataform",
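Review bot: `administration_route_payload_fields` takes six positional `str` parameters and has no docstring; `route_family`, `permission` and `category` are indistinguishable by type, so a caller that swaps two of them gets a wrong but well-formed payload field list with no error. A short docstring stating that the result is `payload_fields(...)` plus the fixed administration fields and three derived names (`f"{operation}Route"`, `f"{route_family}Family"`, and `permission` with dots replaced by underscores) would make the contract explicit. Making the trailing parameters keyword-only (`*,` before `operation`) is worth considering while the only caller is the one this commit adds. `permission.replace(".", "_")` yields a field name like `mcp_admin_readonly` for the listed values, which is fine, but the naming rule should be stated rather than left implicit.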
@@ -205,6 +253,17 @@ def access_policy_validations(platform_id: str, profile_id: str, surface: str) -
)
def administration_route_validations(platform_id: str, profile_id: str, operation: str, permission: str) -> tuple[str, ...]:
return (
f"executar rota administrativa {operation} para {platform_id}/{profile_id} exclusivamente pelo MCPs Internos",
"confirmar origin, destination, tool, payload, actor, permission, result, traceId, auditId e timestamp",
f"validar permissionScope={permission} e bloquear bypass direto da plataforma",
"registrar inputSchemaHash, outputSchemaHash, sourcePayloadHash e sourceRecordsHash",
"confirmar que acao mutavel exige approvalRequired ou dryRunSupported conforme contrato",
"gerar humanExplanation para auditoria da IA administradora",
)
def contract_block(
name: str,
*,
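Review bot: `administration_route_validations` returns the step `confirmar que acao mutavel exige approvalRequired ou dryRunSupported conforme contrato` for every operation, including the read-only `consulta` and `diagnostico` routes, because the tuple only varies in the text of its first and third entries. If that step is meant for mutating routes only, gating it on the operation keeps the read-only contracts from carrying a vacuous check, e.g. `*(("confirmar que acao mutavel exige approvalRequired ou dryRunSupported conforme contrato",) if operation == "acao" else ()),`; if it is intentionally universal, a docstring saying so would settle it. `route_family` is not part of the validations even though the payload exposes it, so nothing here ties the family to the permission; whether that is needed is a contract question rather than a bug. `contract_block` at the bottom of the hunk continues outside it.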
@@ -418,6 +477,60 @@ def build_contracts() -> tuple[list[str], list[str]]:
)
index += 1
for profile in HUMAN_PROFILES:
profile_categories = category_values(profile.priority_needs)
category = platform_categories[0] if platform_categories else "governance"
audience = audience_for_profile(profile.profile_id, profile_categories)
for operation, route_family, permission, tool_id in ADMINISTRATION_OPERATIONS:
route_id = f"{platform.platform_id}.{profile.profile_id}.{operation}.administration-route"
name = f"CONTRACT_{index:04d}"
names.append(name)
blocks.append(
contract_block(
name,
contract_id=route_id,
kind="ADMINISTRATION_ROUTE",
platform_id=platform.platform_id,
profile_id=profile.profile_id,
tool_id=tool_id,
title=f"Rota administrativa {operation} de {platform.title} para {profile.name}",
purpose=(
f"Expor {operation} de {platform.title} para {profile.name} somente pelo MCP control plane, "
"com decisao de permissao, auditoria, explicacao humana e bloqueio de bypass direto."
),
source_tool_id="mais_humana.mcp_transit.ledger",
payload=administration_route_payload_fields(
platform.platform_id,
profile.profile_id,
operation,
route_family,
permission,
category,
),
truth=truth,
panel_ready=panel_ready,
gpt_explainable=True,
report_model_id=f"admin-route.{platform.platform_id}.{profile.profile_id}.{operation}",
audience=audience,
redaction=redaction_requirements(platform.platform_id)
+ (
"bloquear administracao direta fora do MCPs Internos",
"persistir apenas hashes e referencias opacas de credencial",
),
validations=administration_route_validations(platform.platform_id, profile.profile_id, operation, permission),
pending=f"homologar rota administrativa {operation} para {platform.platform_id}/{profile.profile_id}",
order_ids=(
"0029_GERENCIAL__pactuar-mcp-como-caminho-unico-administrativo",
"0044_GERENCIAL__institucionalizar-ledger-transito-mcp-como-gate-release",
"0048_GERENCIAL__homologar-politica-acesso-gpt-mcp-como-gate-institucional",
),
policy_tags=("administration_route", "mcp_only", route_family, operation, permission),
maturity=max(7, maturity),
generated_from="platform_profile_administration_route_contract",
)
)
index += 1
for ref_kind in ("credentialRef", "tokenRef", "secretRef", "cfat"):
name = f"CONTRACT_{index:04d}"
names.append(name)
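Review bot: In the new administration-route loop, `category` is taken from `platform_categories` while `profile_categories`, computed on the line just above, only feeds `audience_for_profile`; if the category passed to `administration_route_payload_fields` was meant to follow the profile, the line should read `category = profile_categories[0] if profile_categories else "governance"`, and if the platform category is intentional, a comment saying so would stop the next reader from "fixing" it. `maturity=max(7, maturity)` silently floors the reported maturity for these routes and deserves a why-comment, e.g. `# administration routes are never reported below maturity 7 — TODO confirm rationale`. `truth`, `panel_ready`, `maturity` and `platform_categories` are bound outside this hunk, and `build_contracts` both starts and ends outside it, as does the `ref_kind` loop that begins at its last lines.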