From cdce7a8b65d26384877de0fe599f603eb39e43e2 Mon Sep 17 00:00:00 2001
From: codex-server
Date: Fri, 1 May 2026 23:21:24 -0300
Subject: [PATCH] auto-sync: tudo-para-ia-mais-humana 2026-05-01 23:21:24
---
 ...ay-access-policy-central-write-status.json | 14 +
 dados/mcp-gateway-access-policy.json | 440 +
 ...publication-gate-central-write-status.json | 2 +-
 dados/mcp-publication-gate-mais-humana.json | 10 +-
 ecossistema/MCP-GATEWAY-ACCESS-POLICY.md | 173 +
 .../MCP-PUBLICATION-GATE-MAIS-HUMANA.md | 4 +-
 matrizes/mcp-gateway-access-policy.csv | 13 +
 src/mais_humana/cli.py | 23 +
 .../generated_mcp_control_contracts.py | 39258 +++++++++++++++-
 src/mais_humana/mcp_contract.py | 1 +
 src/mais_humana/mcp_gateway_access_policy.py | 724 +
 src/mais_humana/mcp_publication_gate.py | 32 +-
 tests/test_mcp_gateway_access_policy.py | 124 +
 tests/test_mcp_provider_contract.py | 9 +
 tools/generate_mcp_control_contracts.py | 97 +
 15 files changed, 40381 insertions(+), 543 deletions(-)
 create mode 100644 dados/mcp-gateway-access-policy-central-write-status.json
 create mode 100644 dados/mcp-gateway-access-policy.json
 create mode 100644 ecossistema/MCP-GATEWAY-ACCESS-POLICY.md
 create mode 100644 matrizes/mcp-gateway-access-policy.csv
 create mode 100644 src/mais_humana/mcp_gateway_access_policy.py
 create mode 100644 tests/test_mcp_gateway_access_policy.py
diff --git a/dados/mcp-gateway-access-policy-central-write-status.json b/dados/mcp-gateway-access-policy-central-write-status.json
new file mode 100644
index 0000000..d37d6d3
--- /dev/null
+++ b/dados/mcp-gateway-access-policy-central-write-status.json
@@ -0,0 +1,14 @@ +{ + "centralPlatformFolder": "G:\\_codex-git\\nucleo-gestao-operacional\\central-de-ordem-de-servico\\projects\\15_repo_tudo-para-ia-mais-humana-platform", + "failureCount": 1, + "failures": [ + { + "error": "PermissionError: [Errno 13] Permission denied: 'G:\\\\_codex-git\\\\nucleo-gestao-operacional\\\\central-de-ordem-de-servico\\\\projects\\\\15_repo_tudo-para-ia-mais-humana-platform\\\\reports\\\\MCP-GATEWAY-ACCESS-POLICY__RODADA015.md'", + "operation": "write_text", + "path": "G:\\_codex-git\\nucleo-gestao-operacional\\central-de-ordem-de-servico\\projects\\15_repo_tudo-para-ia-mais-humana-platform\\reports\\MCP-GATEWAY-ACCESS-POLICY__RODADA015.md" + } + ], + "generatedAt": "2026-05-02T02:17:13+00:00", + "ok": false, + "policy": "falha de escrita central nao aborta artefatos do projeto real" +} \ No newline at end of file diff --git a/dados/mcp-gateway-access-policy.json b/dados/mcp-gateway-access-policy.json new file mode 100644 index 0000000..43cf13f --- /dev/null +++ b/dados/mcp-gateway-access-policy.json 
@@ -0,0 +1,440 @@ +{ + "auth_scheme": "Bearer credentialRef; raw token forbidden in artifacts", + "blockers": [], + "checks": [ + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "todos os probes usaram POST", + "rule_id": "http.method.post", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "todos os probes usaram application/json", + "rule_id": "header.content-type.json", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "User-Agent operacional aplicado", + "rule_id": "header.user-agent.codex", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "bearer usado como credencial de probe e redigido nos artefatos", + "rule_id": "auth.bearer.present-redacted", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "WAF nao bloqueou os probes atuais; HTTP/runtime classificados separadamente", + "rule_id": "waf.classification.explicit", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "traceId e 
auditId presentes em todos os probes", + "rule_id": "evidence.trace-audit-required", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "hashes de request/response presentes", + "rule_id": "evidence.hashes-required", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "nenhum formato de segredo bruto detectado nas evidencias", + "rule_id": "redaction.no-secret-shapes", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "regra institucional materializada no artefato de politica", + "rule_id": "rate-limit.default", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "regra institucional materializada no artefato de politica", + "rule_id": "retention.logs", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "regra institucional materializada no artefato de politica", + "rule_id": "transit.required-fields", + "status": "passed" + }, + { + "evidence_refs": [ + "evidence-a75a27e0669c49da1db8b615", + "evidence-af37a8d489b0038a7a6b5575", + "evidence-3f0e3b9f829c7ff912b335d0" + ], + "next_action": "manter regra como gate de release", + "reason": "regra 
institucional materializada no artefato de politica", + "rule_id": "governance.plugin-not-operational-path", + "status": "passed" + } + ], + "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", + "generated_at": "2026-05-02T02:17:13+00:00", + "liveReady": true, + "log_retention_days": 30, + "policy_version": "mcp-gateway-access-policy.v1", + "probes": [ + { + "audit_id": "audit-a75a27e0669c49da1db8b615", + "authorization_present": true, + "authorization_redacted": true, + "content_type": "application/json", + "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", + "evidence_id": "evidence-a75a27e0669c49da1db8b615", + "http_status": 200, + "method": "POST", + "observed_at": "2026-05-02T02:17:12+00:00", + "ok": true, + "request_hash": "3e1c8f057ac439f4b9b3eb7f8f5be9ac36323f08adc23db6fc7d51633076b79a", + "response_excerpt": { + "__truncated__": true, + "actorId": "codex.service-order-round", + "auditId": "audit:mcps-gateway:codex.service-order-round:mais_humana.rulebook.compact", + "blockers": "[]", + "consumption": "None", + "nextActions": "[]", + "ok": "True", + "organizationId": "None", + "productId": "None", + "providerId": "mais_humana", + "readiness": "None", + "sampleData": "False", + "simulated": "False", + "status": "ok", + "traceId": "trace:mcps-gateway:codex.service-order-round:mais_humana.rulebook.compact", + "userId": "None", + "workspaceId": "None" + }, + "response_hash": "a75a27e0669c49da1db8b6157757c0615eed06c32674c7ed87a6db5d071359de", + "tool_id": "mais_humana.rulebook.compact", + "trace_id": "trace-3e1c8f057ac439f4b9b3eb7f", + "user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0" + }, + { + "audit_id": "audit-af37a8d489b0038a7a6b5575", + "authorization_present": true, + "authorization_redacted": true, + "content_type": "application/json", + "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", + "evidence_id": "evidence-af37a8d489b0038a7a6b5575", + "http_status": 200, + "method": "POST", + "observed_at": 
"2026-05-02T02:17:12+00:00", + "ok": true, + "request_hash": "17e7d8039c8c34e3f570b6de8b386edc1cfd0c079084b0c7013016d2c76b388c", + "response_excerpt": { + "__truncated__": true, + "actorId": "codex.service-order-round", + "auditId": "audit:mcps-gateway:codex.service-order-round:mais_humana.admin_ui.same_source", + "blockers": "[]", + "consumption": "None", + "nextActions": "[]", + "ok": "True", + "organizationId": "None", + "productId": "None", + "providerId": "mais_humana", + "readiness": "None", + "sampleData": "False", + "simulated": "False", + "status": "ok", + "traceId": "trace:mcps-gateway:codex.service-order-round:mais_humana.admin_ui.same_source", + "userId": "None", + "workspaceId": "None" + }, + "response_hash": "af37a8d489b0038a7a6b5575970ec69855dd0f0e0ab09cf38b0e7658d3678195", + "tool_id": "mais_humana.admin_ui.same_source", + "trace_id": "trace-17e7d8039c8c34e3f570b6de", + "user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0" + }, + { + "audit_id": "audit-3f0e3b9f829c7ff912b335d0", + "authorization_present": true, + "authorization_redacted": true, + "content_type": "application/json", + "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", + "evidence_id": "evidence-3f0e3b9f829c7ff912b335d0", + "http_status": 200, + "method": "POST", + "observed_at": "2026-05-02T02:17:12+00:00", + "ok": true, + "request_hash": "dae7d91a59e37901d50c027d3a0792f697902bd4289801edb2a508f3baf177fe", + "response_excerpt": { + "__truncated__": true, + "actorId": "codex.service-order-round", + "auditId": "audit:mcps-gateway:codex.service-order-round:mais_humana.mcp_transit.ledger", + "blockers": "[]", + "consumption": "None", + "nextActions": "[]", + "ok": "True", + "organizationId": "None", + "productId": "None", + "providerId": "mais_humana", + "readiness": "None", + "sampleData": "False", + "simulated": "False", + "status": "ok", + "traceId": "trace:mcps-gateway:codex.service-order-round:mais_humana.mcp_transit.ledger", + "userId": "None", + "workspaceId": 
"None" + }, + "response_hash": "3f0e3b9f829c7ff912b335d01afb5e78acdaa331bd984713dfca757072be6bbf", + "tool_id": "mais_humana.mcp_transit.ledger", + "trace_id": "trace-dae7d91a59e37901d50c027d", + "user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0" + } + ], + "rate_limit_per_minute": 30, + "report_id": "mcp-gateway-access-policy-a787db3755906de2", + "required_content_type": "application/json", + "required_method": "POST", + "required_user_agent": "Codex-Mais-Humana-MCP-Publication-Gate/1.0", + "rules": [ + { + "evidence_fields": [ + "method", + "endpoint" + ], + "failure_status": "blocked", + "kind": "http", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Toda chamada GPT/MCP deve usar POST em /v1/execute.", + "rule_id": "http.method.post", + "title": "Metodo HTTP fixo", + "validation": "Comparar metodo observado com POST." + }, + { + "evidence_fields": [ + "content_type" + ], + "failure_status": "blocked", + "kind": "header", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Toda chamada deve enviar Content-Type application/json.", + "rule_id": "header.content-type.json", + "title": "Content-Type JSON", + "validation": "Comparar content_type observado." + }, + { + "evidence_fields": [ + "user_agent" + ], + "failure_status": "partial", + "kind": "header", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Probes Codex devem usar User-Agent Codex-Mais-Humana-MCP-Publication-Gate/1.0.", + "rule_id": "header.user-agent.codex", + "title": "User-Agent operacional", + "validation": "Comparar User-Agent observado para separar WAF de runtime." 
+ }, + { + "evidence_fields": [ + "authorization_present", + "authorization_redacted" + ], + "failure_status": "blocked", + "kind": "auth", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Authorization Bearer pode ser usado no probe, mas relatorios devem guardar apenas existencia, hash e credentialRef.", + "rule_id": "auth.bearer.present-redacted", + "title": "Bearer presente e nunca persistido bruto", + "validation": "Confirmar authorization_present e authorization_redacted." + }, + { + "evidence_fields": [ + "http_status", + "response_excerpt" + ], + "failure_status": "partial", + "kind": "waf", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "HTTP 403/1010 e bloqueios WAF devem ser separados de tool_not_found, erro de runtime e erro de contrato.", + "rule_id": "waf.classification.explicit", + "title": "Classificacao WAF explicita", + "validation": "Usar http_status e response_excerpt redigido para classificar falha." + }, + { + "evidence_fields": [ + "trace_id", + "audit_id", + "evidence_id" + ], + "failure_status": "blocked", + "kind": "evidence", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Toda resposta aceita deve possuir traceId e auditId reais ou derivados de hash de evidencia.", + "rule_id": "evidence.trace-audit-required", + "title": "Trace e audit obrigatorios", + "validation": "Confirmar trace_id e audit_id por probe." + }, + { + "evidence_fields": [ + "request_hash", + "response_hash" + ], + "failure_status": "blocked", + "kind": "evidence", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Toda evidencia deve guardar request_hash e response_hash sem payload sensivel bruto.", + "rule_id": "evidence.hashes-required", + "title": "Hashes de payload e resposta", + "validation": "Confirmar hashes preenchidos por probe." 
+ }, + { + "evidence_fields": [ + "response_excerpt" + ], + "failure_status": "blocked", + "kind": "redaction", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Evidencias nao podem conter cfat_, Authorization Bearer cru, tokens longos ou bearer numerico bruto.", + "rule_id": "redaction.no-secret-shapes", + "title": "Sem segredo bruto em evidencia", + "validation": "Varrer response_excerpt e campos textuais por formatos proibidos." + }, + { + "evidence_fields": [ + "rate_limit_per_minute" + ], + "failure_status": "partial", + "kind": "rate_limit", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Probes automatizados devem respeitar limite padrao de 30 chamadas/minuto por ator.", + "rule_id": "rate-limit.default", + "title": "Limite operacional padrao", + "validation": "Registrar limite no contrato e bloquear suites que excedam o teto." + }, + { + "evidence_fields": [ + "log_retention_days" + ], + "failure_status": "partial", + "kind": "retention", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Logs de evidencia operacional devem reter metadados redigidos por 30 dias.", + "rule_id": "retention.logs", + "title": "Retencao de logs", + "validation": "Registrar politica no artefato de acesso." + }, + { + "evidence_fields": [ + "origin", + "destination", + "tool", + "payload", + "actor", + "permission", + "result", + "traceId", + "auditId", + "timestamp" + ], + "failure_status": "blocked", + "kind": "transit", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Fluxos interplataforma devem preservar origin, destination, tool, payload, actor, permission, result, traceId, auditId e timestamp.", + "rule_id": "transit.required-fields", + "title": "Ledger MCP obrigatorio", + "validation": "Validar campos exigidos no contrato de transito MCP." 
+ }, + { + "evidence_fields": [ + "policy_version" + ], + "failure_status": "partial", + "kind": "governance", + "owner": "tudo-para-ia-mcps-internos-plataform", + "required": true, + "requirement": "Falha ou aceite do plugin Cloudflare fica fora do diagnostico de Workers; trabalho real usa wrangler ou validacao HTTP live.", + "rule_id": "governance.plugin-not-operational-path", + "title": "Plugin Cloudflare nao substitui caminho operacional", + "validation": "Confirmar que o artefato nao transforma plugin em blocker operacional." + } + ], + "secretSafe": true, + "status": "passed", + "summary": [ + "Probes live avaliados: 3.", + "Probes live OK: 3/3.", + "Regras aprovadas: 12/12.", + "Bearer bruto persistido: False.", + "Falha do plugin Cloudflare nao e blocker operacional: True." + ] +} \ No newline at end of file diff --git a/dados/mcp-publication-gate-central-write-status.json b/dados/mcp-publication-gate-central-write-status.json index 412fa14..9589c6a 100644 --- a/dados/mcp-publication-gate-central-write-status.json +++ b/dados/mcp-publication-gate-central-write-status.json @@ -8,7 +8,7 @@ "path": "G:\\_codex-git\\nucleo-gestao-operacional\\central-de-ordem-de-servico\\projects\\15_repo_tudo-para-ia-mais-humana-platform\\reports\\executivos\\MCP-PUBLICATION-GATE-MAIS-HUMANA__RODADA015.md" } ], - "generatedAt": "2026-05-02T02:13:32+00:00", + "generatedAt": "2026-05-02T02:17:12+00:00", "ok": false, "policy": "falha de escrita central nao aborta artefatos do projeto real" } \ No newline at end of file diff --git a/dados/mcp-publication-gate-mais-humana.json b/dados/mcp-publication-gate-mais-humana.json index 91ceafc..946aacc 100644 --- a/dados/mcp-publication-gate-mais-humana.json +++ b/dados/mcp-publication-gate-mais-humana.json @@ -149,7 +149,7 @@ "mais_humana.mcp_transit.ledger" ] }, - "generated_at": "2026-05-02T02:13:32+00:00", + "generated_at": "2026-05-02T02:17:12+00:00", "liveReady": true, "live_probes": [ { 
@@ -158,7 +158,7 @@ "error_code": "", "evidence_id": "evidence-a75a27e0669c49da1db8b615", "http_status": 200, - "observed_at": "2026-05-02T02:13:32+00:00", + "observed_at": "2026-05-02T02:17:12+00:00", "ok": true, "response_excerpt": { "__truncated__": true, @@ -191,7 +191,7 @@ "error_code": "", "evidence_id": "evidence-af37a8d489b0038a7a6b5575", "http_status": 200, - "observed_at": "2026-05-02T02:13:32+00:00", + "observed_at": "2026-05-02T02:17:12+00:00", "ok": true, "response_excerpt": { "__truncated__": true, @@ -224,7 +224,7 @@ "error_code": "", "evidence_id": "evidence-3f0e3b9f829c7ff912b335d0", "http_status": 200, - "observed_at": "2026-05-02T02:13:32+00:00", + "observed_at": "2026-05-02T02:17:12+00:00", "ok": true, "response_excerpt": { "__truncated__": true, @@ -254,7 +254,7 @@ ], "localReady": true, "provider_id": "mais_humana", - "report_id": "mcp-publication-gate-2026-05-02t0213320000", + "report_id": "mcp-publication-gate-2026-05-02t0217120000", "status": "partial", "summary": [ "Provider local Mais Humana pronto: True.", diff --git a/ecossistema/MCP-GATEWAY-ACCESS-POLICY.md b/ecossistema/MCP-GATEWAY-ACCESS-POLICY.md new file mode 100644 index 0000000..dbf7161 --- /dev/null +++ b/ecossistema/MCP-GATEWAY-ACCESS-POLICY.md 
@@ -0,0 +1,173 @@ +# Politica de acesso GPT/MCP Gateway + +- report_id: `mcp-gateway-access-policy-a787db3755906de2` +- generated_at: `2026-05-02T02:17:13+00:00` +- policy_version: `mcp-gateway-access-policy.v1` +- endpoint: `https://mcps-gateway.ami-app.workers.dev/v1/execute` +- status: `passed` +- live_ready: `True` +- secret_safe: `True` +- method: `POST` +- content_type: `application/json` +- user_agent: `Codex-Mais-Humana-MCP-Publication-Gate/1.0` +- auth_scheme: `Bearer credentialRef; raw token forbidden in artifacts` +- rate_limit_per_minute: `30` +- log_retention_days: `30` + +## Sumario + +- Probes live avaliados: 3. +- Probes live OK: 3/3. +- Regras aprovadas: 12/12. +- Bearer bruto persistido: False. +- Falha do plugin Cloudflare nao e blocker operacional: True. + +## Regras + +### http.method.post + +- kind: `http` +- required: `True` +- requisito: Toda chamada GPT/MCP deve usar POST em /v1/execute. +- validacao: Comparar metodo observado com POST. + +### header.content-type.json + +- kind: `header` +- required: `True` +- requisito: Toda chamada deve enviar Content-Type application/json. +- validacao: Comparar content_type observado. + +### header.user-agent.codex + +- kind: `header` +- required: `True` +- requisito: Probes Codex devem usar User-Agent Codex-Mais-Humana-MCP-Publication-Gate/1.0. +- validacao: Comparar User-Agent observado para separar WAF de runtime. + +### auth.bearer.present-redacted + +- kind: `auth` +- required: `True` +- requisito: Authorization Bearer pode ser usado no probe, mas relatorios devem guardar apenas existencia, hash e credentialRef. +- validacao: Confirmar authorization_present e authorization_redacted. + +### waf.classification.explicit + +- kind: `waf` +- required: `True` +- requisito: HTTP 403/1010 e bloqueios WAF devem ser separados de tool_not_found, erro de runtime e erro de contrato. +- validacao: Usar http_status e response_excerpt redigido para classificar falha. 
+ +### evidence.trace-audit-required + +- kind: `evidence` +- required: `True` +- requisito: Toda resposta aceita deve possuir traceId e auditId reais ou derivados de hash de evidencia. +- validacao: Confirmar trace_id e audit_id por probe. + +### evidence.hashes-required + +- kind: `evidence` +- required: `True` +- requisito: Toda evidencia deve guardar request_hash e response_hash sem payload sensivel bruto. +- validacao: Confirmar hashes preenchidos por probe. + +### redaction.no-secret-shapes + +- kind: `redaction` +- required: `True` +- requisito: Evidencias nao podem conter cfat_, Authorization Bearer cru, tokens longos ou bearer numerico bruto. +- validacao: Varrer response_excerpt e campos textuais por formatos proibidos. + +### rate-limit.default + +- kind: `rate_limit` +- required: `True` +- requisito: Probes automatizados devem respeitar limite padrao de 30 chamadas/minuto por ator. +- validacao: Registrar limite no contrato e bloquear suites que excedam o teto. + +### retention.logs + +- kind: `retention` +- required: `True` +- requisito: Logs de evidencia operacional devem reter metadados redigidos por 30 dias. +- validacao: Registrar politica no artefato de acesso. + +### transit.required-fields + +- kind: `transit` +- required: `True` +- requisito: Fluxos interplataforma devem preservar origin, destination, tool, payload, actor, permission, result, traceId, auditId e timestamp. +- validacao: Validar campos exigidos no contrato de transito MCP. + +### governance.plugin-not-operational-path + +- kind: `governance` +- required: `True` +- requisito: Falha ou aceite do plugin Cloudflare fica fora do diagnostico de Workers; trabalho real usa wrangler ou validacao HTTP live. +- validacao: Confirmar que o artefato nao transforma plugin em blocker operacional. 
+ +## Probes + +- `mais_humana.rulebook.compact` http `200` ok `True` + - evidenceId: `evidence-a75a27e0669c49da1db8b615` + - traceId: `trace-3e1c8f057ac439f4b9b3eb7f` + - auditId: `audit-a75a27e0669c49da1db8b615` + - requestHash: `3e1c8f057ac439f4b9b3eb7f8f5be9ac36323f08adc23db6fc7d51633076b79a` + - responseHash: `a75a27e0669c49da1db8b6157757c0615eed06c32674c7ed87a6db5d071359de` +- `mais_humana.admin_ui.same_source` http `200` ok `True` + - evidenceId: `evidence-af37a8d489b0038a7a6b5575` + - traceId: `trace-17e7d8039c8c34e3f570b6de` + - auditId: `audit-af37a8d489b0038a7a6b5575` + - requestHash: `17e7d8039c8c34e3f570b6de8b386edc1cfd0c079084b0c7013016d2c76b388c` + - responseHash: `af37a8d489b0038a7a6b5575970ec69855dd0f0e0ab09cf38b0e7658d3678195` +- `mais_humana.mcp_transit.ledger` http `200` ok `True` + - evidenceId: `evidence-3f0e3b9f829c7ff912b335d0` + - traceId: `trace-dae7d91a59e37901d50c027d` + - auditId: `audit-3f0e3b9f829c7ff912b335d0` + - requestHash: `dae7d91a59e37901d50c027d3a0792f697902bd4289801edb2a508f3baf177fe` + - responseHash: `3f0e3b9f829c7ff912b335d01afb5e78acdaa331bd984713dfca757072be6bbf` + +## Checks + +- `http.method.post`: `passed` + - motivo: todos os probes usaram POST + - proxima_acao: manter regra como gate de release +- `header.content-type.json`: `passed` + - motivo: todos os probes usaram application/json + - proxima_acao: manter regra como gate de release +- `header.user-agent.codex`: `passed` + - motivo: User-Agent operacional aplicado + - proxima_acao: manter regra como gate de release +- `auth.bearer.present-redacted`: `passed` + - motivo: bearer usado como credencial de probe e redigido nos artefatos + - proxima_acao: manter regra como gate de release +- `waf.classification.explicit`: `passed` + - motivo: WAF nao bloqueou os probes atuais; HTTP/runtime classificados separadamente + - proxima_acao: manter regra como gate de release +- `evidence.trace-audit-required`: `passed` + - motivo: traceId e auditId presentes em todos os 
probes + - proxima_acao: manter regra como gate de release +- `evidence.hashes-required`: `passed` + - motivo: hashes de request/response presentes + - proxima_acao: manter regra como gate de release +- `redaction.no-secret-shapes`: `passed` + - motivo: nenhum formato de segredo bruto detectado nas evidencias + - proxima_acao: manter regra como gate de release +- `rate-limit.default`: `passed` + - motivo: regra institucional materializada no artefato de politica + - proxima_acao: manter regra como gate de release +- `retention.logs`: `passed` + - motivo: regra institucional materializada no artefato de politica + - proxima_acao: manter regra como gate de release +- `transit.required-fields`: `passed` + - motivo: regra institucional materializada no artefato de politica + - proxima_acao: manter regra como gate de release +- `governance.plugin-not-operational-path`: `passed` + - motivo: regra institucional materializada no artefato de politica + - proxima_acao: manter regra como gate de release + +## Blockers + +- Nenhum blocker tecnico na politica local. diff --git a/ecossistema/MCP-PUBLICATION-GATE-MAIS-HUMANA.md b/ecossistema/MCP-PUBLICATION-GATE-MAIS-HUMANA.md index 24b1feb..fda13b5 100644 --- a/ecossistema/MCP-PUBLICATION-GATE-MAIS-HUMANA.md +++ b/ecossistema/MCP-PUBLICATION-GATE-MAIS-HUMANA.md @@ -1,7 +1,7 @@ # Gate de publicacao MCP Mais Humana -- report_id: `mcp-publication-gate-2026-05-02t0213320000` -- generated_at: `2026-05-02T02:13:32+00:00` +- report_id: `mcp-publication-gate-2026-05-02t0217120000` +- generated_at: `2026-05-02T02:17:12+00:00` - provider_id: `mais_humana` - current_project_id: `tudo-para-ia-mais-humana` - canonical_project_id: `tudo-para-ia-mais-humana-platform` diff --git a/matrizes/mcp-gateway-access-policy.csv b/matrizes/mcp-gateway-access-policy.csv new file mode 100644 index 0000000..eecebc6 --- /dev/null +++ b/matrizes/mcp-gateway-access-policy.csv 
@@ -0,0 +1,13 @@ +rule_id,kind,status,required,reason,next_action,evidence_refs +http.method.post,http,passed,yes,todos os probes usaram POST,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0 +header.content-type.json,header,passed,yes,todos os probes usaram application/json,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0 +header.user-agent.codex,header,passed,yes,User-Agent operacional aplicado,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0 +auth.bearer.present-redacted,auth,passed,yes,bearer usado como credencial de probe e redigido nos artefatos,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0 +waf.classification.explicit,waf,passed,yes,WAF nao bloqueou os probes atuais; HTTP/runtime classificados separadamente,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0 +evidence.trace-audit-required,evidence,passed,yes,traceId e auditId presentes em todos os probes,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0 +evidence.hashes-required,evidence,passed,yes,hashes de request/response presentes,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0 +redaction.no-secret-shapes,redaction,passed,yes,nenhum formato de segredo bruto detectado nas evidencias,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0 +rate-limit.default,rate_limit,passed,yes,regra institucional materializada no 
artefato de politica,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0
+retention.logs,retention,passed,yes,regra institucional materializada no artefato de politica,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0
+transit.required-fields,transit,passed,yes,regra institucional materializada no artefato de politica,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0
+governance.plugin-not-operational-path,governance,passed,yes,regra institucional materializada no artefato de politica,manter regra como gate de release,evidence-a75a27e0669c49da1db8b615; evidence-af37a8d489b0038a7a6b5575; evidence-3f0e3b9f829c7ff912b335d0
diff --git a/src/mais_humana/cli.py b/src/mais_humana/cli.py
index 4e9a72b..c0c2899 100644
--- a/src/mais_humana/cli.py
+++ b/src/mais_humana/cli.py
@@ -10,6 +10,7 @@ from .models import as_plain_data
 from .central_consolidation import run_consolidated_report
 from .matrix import build_global_recommendations, build_matrix, build_platform_reports
 from .mcp_contract import build_mcp_contract_report, build_mcp_execute_probe, mcp_provider_compact_json, mcp_provider_payload
+from .mcp_gateway_access_policy import run_access_policy_gate
 from .mcp_publication_gate import run_publication_gate
 from .mcp_transit_ledger import build_mcp_transit_ledger, mcp_transit_ledger_compact_json
 from .operational_dossier import build_execution_round_dossier
@@ -96,6 +97,10 @@ def build_parser() -> argparse.ArgumentParser: publication.add_argument("--repo-remote", default="") publication.add_argument("--bearer", default="") publication.add_argument("--live-probe", action="store_true") + access_policy = sub.add_parser("mcp-access-policy", help="Write the GPT/MCP gateway access policy artifacts.") + access_policy.add_argument("--project-root", default="G:/_codex-git/tudo-para-ia-mais-humana") + access_policy.add_argument("--central-platform-folder", default="") + access_policy.add_argument("--publication-gate-json", default="") return parser @@ -392,6 +397,22 @@ def command_mcp_publication_gate(args: argparse.Namespace) -> int: return 0 +def command_mcp_access_policy(args: argparse.Namespace) -> int: + central_platform_folder = Path(args.central_platform_folder) if args.central_platform_folder else None + publication_gate_json = Path(args.publication_gate_json) if args.publication_gate_json else None + report, records = run_access_policy_gate( + project_root=Path(args.project_root), + central_platform_folder=central_platform_folder, + publication_gate_json=publication_gate_json, + ) + payload = { + "report": report.to_dict(), + "generatedFiles": [record.path for record in records], + } + print(json.dumps(payload, ensure_ascii=False, indent=2)) + return 0 + + def main(argv: list[str] | None = None) -> int: parser = build_parser() args = parser.parse_args(argv) @@ -423,6 +444,8 @@ def main(argv: list[str] | None = None) -> int: return command_consolidated_report(args) if args.command == "mcp-publication-gate": return command_mcp_publication_gate(args) + if args.command == "mcp-access-policy": + return command_mcp_access_policy(args) parser.error(f"unknown command: {args.command}") return 2 diff --git a/src/mais_humana/generated_mcp_control_contracts.py b/src/mais_humana/generated_mcp_control_contracts.py index cee5efc..c39ff10 100644 --- a/src/mais_humana/generated_mcp_control_contracts.py 
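Review bot: The `--project-root` default `G:/_codex-git/tudo-para-ia-mais-humana` is an absolute path from one developer's Windows machine, so on any other host the command silently resolves its artifact root to a tree that does not exist or belongs to a different checkout, and the path itself leaks local layout into a published CLI. A gate command should not ship a machine-specific default; use the working directory, `access_policy.add_argument("--project-root", default=".")`, or make the argument required, and keep `--central-platform-folder` opt-in as it already is. `build_parser` starts before this hunk.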
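Review bot: `command_mcp_access_policy` returns 0 unconditionally, so when the report records a failed required rule the process still exits successfully and a release pipeline calling this subcommand cannot use it as the gate the artifacts describe (`manter regra como gate de release`); the payload is printed but never inspected. Derive the exit status from the report's outcome after the `print` — the report's attribute names are not visible here, but the shape is `return 0 if report_passed else 1`, where `report_passed` reads the report's aggregate pass/fail state — and document that contract in a docstring so callers know a non-zero exit means a rule failed rather than a crash. `run_access_policy_gate` also writes to the optional central folder; if write failures there are tolerated by design, say so in the docstring rather than leaving it implicit in a constant `return 0`. `main` continues past the end of this hunk.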
+++ b/src/mais_humana/generated_mcp_control_contracts.py 
@@ -1054,6 +1054,2697 @@ CONTRACT_0040 = McpControlContract( ) CONTRACT_0041 = McpControlContract( + contract_id='business.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 
'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0042 = McpControlContract( + contract_id='business.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 
'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0043 = McpControlContract( + contract_id='business.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.administrador_empresa.automation-smoke', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores 
cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0044 = McpControlContract( + contract_id='business.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Business Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 
'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0045 = McpControlContract( + contract_id='business.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Business Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar 
Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0046 = McpControlContract( + contract_id='business.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Business Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 
'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0047 = McpControlContract( + contract_id='business.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e 
sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0048 = McpControlContract( + contract_id='business.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 
'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 
'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0049 = McpControlContract( + contract_id='business.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de 
persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0050 = McpControlContract( + contract_id='business.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 
'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 
'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0051 = McpControlContract( + contract_id='business.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash 
e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0052 = McpControlContract( + contract_id='business.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 
'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0053 = McpControlContract( + contract_id='business.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar 
sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0054 = McpControlContract( + contract_id='business.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 
'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + 
policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0055 = McpControlContract( + contract_id='business.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou 
secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0056 = McpControlContract( + contract_id='business.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', 
+ 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + 
policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0057 = McpControlContract( + contract_id='business.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de 
persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0058 = McpControlContract( + contract_id='business.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 
'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 
'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0059 = McpControlContract( + contract_id='business.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash 
sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0060 = McpControlContract( + contract_id='business.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 
'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + 
+CONTRACT_0061 = McpControlContract( + contract_id='business.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de 
Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0062 = McpControlContract( + contract_id='business.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 
'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0063 = McpControlContract( + 
contract_id='business.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas 
credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0064 = McpControlContract( + contract_id='business.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 
'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0065 = McpControlContract( + contract_id='business.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + 
platform_id='business', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe 
de business/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0066 = McpControlContract( + contract_id='business.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 
'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0067 = McpControlContract( + contract_id='business.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='secretaria', + 
tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/secretaria por /v1/execute com POST 
application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0068 = McpControlContract( + contract_id='business.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 
'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0069 = McpControlContract( + contract_id='business.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso 
admin-ui-render para Business Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization 
via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0070 = McpControlContract( + contract_id='business.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 
'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0071 = McpControlContract( + contract_id='business.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Business Platform 
para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e 
responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0072 = McpControlContract( + contract_id='business.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0073 = McpControlContract( + contract_id='business.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Usuario 
final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e 
responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0074 = McpControlContract( + contract_id='business.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0075 = McpControlContract( + contract_id='business.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de 
Business Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, 
auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0076 = McpControlContract( + contract_id='business.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de business/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0077 = McpControlContract( + contract_id='business.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Business Platform e Planejamento estrategico', + purpose='Garantir 
que chamadas GPT/MCP de Business Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de business/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization 
via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para business/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0078 = McpControlContract( + contract_id='business.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Business Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 
'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de business/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para business/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0079 = McpControlContract( + contract_id='business.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='business', + profile_id='planejamento_estrategico', + 
tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Business Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Business Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'businessStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.business.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider business via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de 
business/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para business/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0080 = McpControlContract( contract_id='compliance.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1079,7 +3770,7 @@ CONTRACT_0041 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0042 = McpControlContract( +CONTRACT_0081 = McpControlContract( contract_id='compliance.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1105,7 +3796,7 @@ CONTRACT_0042 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0043 = McpControlContract( +CONTRACT_0082 = McpControlContract( contract_id='compliance.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1131,7 +3822,7 @@ CONTRACT_0043 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0044 = McpControlContract( +CONTRACT_0083 = McpControlContract( contract_id='compliance.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', 
@@ -1157,7 +3848,7 @@ CONTRACT_0044 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0045 = McpControlContract( +CONTRACT_0084 = McpControlContract( contract_id='compliance.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1183,7 +3874,7 @@ CONTRACT_0045 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0046 = McpControlContract( +CONTRACT_0085 = McpControlContract( contract_id='compliance.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1209,7 +3900,7 @@ CONTRACT_0046 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0047 = McpControlContract( +CONTRACT_0086 = McpControlContract( contract_id='compliance.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1235,7 +3926,7 @@ CONTRACT_0047 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0048 = McpControlContract( +CONTRACT_0087 = McpControlContract( contract_id='compliance.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1261,7 +3952,7 @@ CONTRACT_0048 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0049 = McpControlContract( +CONTRACT_0088 = McpControlContract( contract_id='compliance.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1287,7 +3978,7 @@ CONTRACT_0049 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0050 = McpControlContract( +CONTRACT_0089 = McpControlContract( contract_id='compliance.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', 
@@ -1313,7 +4004,7 @@ CONTRACT_0050 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0051 = McpControlContract( +CONTRACT_0090 = McpControlContract( contract_id='compliance.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1339,7 +4030,7 @@ CONTRACT_0051 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0052 = McpControlContract( +CONTRACT_0091 = McpControlContract( contract_id='compliance.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1365,7 +4056,7 @@ CONTRACT_0052 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0053 = McpControlContract( +CONTRACT_0092 = McpControlContract( contract_id='compliance.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='compliance', @@ -1391,7 +4082,7 @@ CONTRACT_0053 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0054 = McpControlContract( +CONTRACT_0093 = McpControlContract( contract_id='compliance.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1417,7 +4108,7 @@ CONTRACT_0054 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0055 = McpControlContract( +CONTRACT_0094 = McpControlContract( contract_id='compliance.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1443,7 +4134,7 @@ CONTRACT_0055 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0056 = McpControlContract( +CONTRACT_0095 = McpControlContract( contract_id='compliance.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', 
@@ -1469,7 +4160,7 @@ CONTRACT_0056 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0057 = McpControlContract( +CONTRACT_0096 = McpControlContract( contract_id='compliance.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1495,7 +4186,7 @@ CONTRACT_0057 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0058 = McpControlContract( +CONTRACT_0097 = McpControlContract( contract_id='compliance.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1521,7 +4212,7 @@ CONTRACT_0058 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0059 = McpControlContract( +CONTRACT_0098 = McpControlContract( contract_id='compliance.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1547,7 +4238,7 @@ CONTRACT_0059 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0060 = McpControlContract( +CONTRACT_0099 = McpControlContract( contract_id='compliance.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1573,7 +4264,7 @@ CONTRACT_0060 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0061 = McpControlContract( +CONTRACT_0100 = McpControlContract( contract_id='compliance.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1599,7 +4290,7 @@ CONTRACT_0061 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0062 = McpControlContract( +CONTRACT_0101 = McpControlContract( contract_id='compliance.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', 
@@ -1625,7 +4316,7 @@ CONTRACT_0062 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0063 = McpControlContract( +CONTRACT_0102 = McpControlContract( contract_id='compliance.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1651,7 +4342,7 @@ CONTRACT_0063 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0064 = McpControlContract( +CONTRACT_0103 = McpControlContract( contract_id='compliance.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1677,7 +4368,7 @@ CONTRACT_0064 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0065 = McpControlContract( +CONTRACT_0104 = McpControlContract( contract_id='compliance.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1703,7 +4394,7 @@ CONTRACT_0065 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0066 = McpControlContract( +CONTRACT_0105 = McpControlContract( contract_id='compliance.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='compliance', @@ -1729,7 +4420,7 @@ CONTRACT_0066 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0067 = McpControlContract( +CONTRACT_0106 = McpControlContract( contract_id='compliance.privacy.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='compliance', @@ -1755,7 +4446,7 @@ CONTRACT_0067 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0068 = McpControlContract( +CONTRACT_0107 = McpControlContract( contract_id='compliance.risk.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='compliance', 
@@ -1781,7 +4472,7 @@ CONTRACT_0068 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0069 = McpControlContract( +CONTRACT_0108 = McpControlContract( contract_id='compliance.audit.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='compliance', @@ -1807,7 +4498,7 @@ CONTRACT_0069 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0070 = McpControlContract( +CONTRACT_0109 = McpControlContract( contract_id='compliance.consent.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='compliance', @@ -1833,7 +4524,7 @@ CONTRACT_0070 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0071 = McpControlContract( +CONTRACT_0110 = McpControlContract( contract_id='compliance.retention.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='compliance', @@ -1859,7 +4550,7 @@ CONTRACT_0071 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0072 = McpControlContract( +CONTRACT_0111 = McpControlContract( contract_id='compliance.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='compliance', @@ -1885,7 +4576,7 @@ CONTRACT_0072 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0073 = McpControlContract( +CONTRACT_0112 = McpControlContract( contract_id='compliance.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='compliance', @@ -1911,7 +4602,7 @@ CONTRACT_0073 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0074 = McpControlContract( +CONTRACT_0113 = McpControlContract( contract_id='compliance.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='compliance', 
@@ -1937,7 +4628,7 @@ CONTRACT_0074 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0075 = McpControlContract( +CONTRACT_0114 = McpControlContract( contract_id='compliance.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='compliance', @@ -1963,7 +4654,7 @@ CONTRACT_0075 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0076 = McpControlContract( +CONTRACT_0115 = McpControlContract( contract_id='compliance.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='compliance', @@ -1989,7 +4680,7 @@ CONTRACT_0076 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0077 = McpControlContract( +CONTRACT_0116 = McpControlContract( contract_id='compliance.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='compliance', @@ -2015,7 +4706,7 @@ CONTRACT_0077 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0078 = McpControlContract( +CONTRACT_0117 = McpControlContract( contract_id='compliance.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='compliance', @@ -2041,7 +4732,7 @@ CONTRACT_0078 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0079 = McpControlContract( +CONTRACT_0118 = McpControlContract( contract_id='compliance.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='compliance', @@ -2067,7 +4758,7 @@ CONTRACT_0079 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0080 = McpControlContract( +CONTRACT_0119 = McpControlContract( contract_id='compliance.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='compliance', 
@@ -2093,7 +4784,2698 @@ CONTRACT_0080 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0081 = McpControlContract( +CONTRACT_0120 = McpControlContract( + contract_id='compliance.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas 
credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0121 = McpControlContract( + contract_id='compliance.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', 
+ 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/administrador_empresa', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0122 = McpControlContract( + contract_id='compliance.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.compliance.administrador_empresa.automation-smoke', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0123 = McpControlContract( + contract_id='compliance.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + 
pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0124 = McpControlContract( + contract_id='compliance.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.ceo.admin-ui-render', + 
audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0125 = McpControlContract( + contract_id='compliance.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 
'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/ceo', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0126 = McpControlContract( + contract_id='compliance.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.gestor_operacional.gpt-execute-probe', + 
audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0127 = McpControlContract( + contract_id='compliance.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', 
+ required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + 
pending_if_missing='homologar politica de acesso admin-ui-render para compliance/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0128 = McpControlContract( + contract_id='compliance.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + 
gpt_explainable=True, + report_model_id='access.compliance.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0129 = McpControlContract( + contract_id='compliance.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + 
source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate 
limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0130 = McpControlContract( + contract_id='compliance.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + 
gpt_explainable=True, + report_model_id='access.compliance.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0131 = McpControlContract( + contract_id='compliance.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no 
MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0132 = McpControlContract( + contract_id='compliance.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + 
panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0133 = McpControlContract( + contract_id='compliance.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Atendimento ao cliente usem headers, bearer redigido, WAF 
classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction 
contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0134 = McpControlContract( + contract_id='compliance.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0135 = McpControlContract( + contract_id='compliance.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP 
de Compliance Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, 
auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0136 = McpControlContract( + contract_id='compliance.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0137 = McpControlContract( + contract_id='compliance.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para 
Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e 
responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0138 = McpControlContract( + contract_id='compliance.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0139 = McpControlContract( + contract_id='compliance.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Contador usem headers, bearer redigido, WAF 
classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e 
tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0140 = McpControlContract( + contract_id='compliance.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, 
+ panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0141 = McpControlContract( + contract_id='compliance.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no 
MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0142 = McpControlContract( + contract_id='compliance.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.compliance.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0143 = McpControlContract( + contract_id='compliance.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de 
acesso automation-smoke para compliance/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0144 = McpControlContract( + contract_id='compliance.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.secretaria.gpt-execute-probe', + 
audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0145 = McpControlContract( + contract_id='compliance.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + 
required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para 
compliance/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0146 = McpControlContract( + contract_id='compliance.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + 
redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0147 = McpControlContract( + contract_id='compliance.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 
'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/tecnico', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0148 = McpControlContract( + contract_id='compliance.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores 
cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0149 = McpControlContract( + contract_id='compliance.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 
'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0150 = McpControlContract( + contract_id='compliance.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 
'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0151 = McpControlContract( + contract_id='compliance.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 
'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/usuario_final', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0152 = McpControlContract( + contract_id='compliance.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.usuario_final.automation-smoke', + audience=AudienceClass.USER, + 
redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0153 = McpControlContract( + contract_id='compliance.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + 
required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe 
para compliance/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0154 = McpControlContract( + contract_id='compliance.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.cliente_externo.admin-ui-render', 
+ audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0155 = McpControlContract( + contract_id='compliance.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + 
pending_if_missing='homologar politica de acesso automation-smoke para compliance/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0156 = McpControlContract( + contract_id='compliance.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Compliance Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de compliance/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para compliance/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0157 = McpControlContract( + contract_id='compliance.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Compliance Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform 
para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de compliance/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer 
bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para compliance/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0158 = McpControlContract( + contract_id='compliance.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='compliance', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Compliance Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Compliance Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'complianceStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 
'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.compliance.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider compliance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de compliance/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para compliance/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0159 = McpControlContract( contract_id='customer_ops.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', 
@@ -2119,7 +7501,7 @@ CONTRACT_0081 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0082 = McpControlContract( +CONTRACT_0160 = McpControlContract( contract_id='customer_ops.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', @@ -2145,7 +7527,7 @@ CONTRACT_0082 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0083 = McpControlContract( +CONTRACT_0161 = McpControlContract( contract_id='customer_ops.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', @@ -2171,7 +7553,7 @@ CONTRACT_0083 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0084 = McpControlContract( +CONTRACT_0162 = McpControlContract( contract_id='customer_ops.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', @@ -2197,7 +7579,7 @@ CONTRACT_0084 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0085 = McpControlContract( +CONTRACT_0163 = McpControlContract( contract_id='customer_ops.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', @@ -2223,7 +7605,7 @@ CONTRACT_0085 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0086 = McpControlContract( +CONTRACT_0164 = McpControlContract( contract_id='customer_ops.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', @@ -2249,7 +7631,7 @@ CONTRACT_0086 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0087 = McpControlContract( +CONTRACT_0165 = McpControlContract( contract_id='customer_ops.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', 
@@ -2275,7 +7657,7 @@ CONTRACT_0087 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0088 = McpControlContract( +CONTRACT_0166 = McpControlContract( contract_id='customer_ops.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', @@ -2301,7 +7683,7 @@ CONTRACT_0088 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0089 = McpControlContract( +CONTRACT_0167 = McpControlContract( contract_id='customer_ops.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', @@ -2327,7 +7709,7 @@ CONTRACT_0089 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0090 = McpControlContract( +CONTRACT_0168 = McpControlContract( contract_id='customer_ops.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', @@ -2353,7 +7735,7 @@ CONTRACT_0090 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0091 = McpControlContract( +CONTRACT_0169 = McpControlContract( contract_id='customer_ops.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', @@ -2379,7 +7761,7 @@ CONTRACT_0091 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0092 = McpControlContract( +CONTRACT_0170 = McpControlContract( contract_id='customer_ops.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', @@ -2405,7 +7787,7 @@ CONTRACT_0092 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0093 = McpControlContract( +CONTRACT_0171 = McpControlContract( contract_id='customer_ops.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='customer_ops', 
@@ -2431,7 +7813,7 @@ CONTRACT_0093 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0094 = McpControlContract( +CONTRACT_0172 = McpControlContract( contract_id='customer_ops.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2457,7 +7839,7 @@ CONTRACT_0094 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0095 = McpControlContract( +CONTRACT_0173 = McpControlContract( contract_id='customer_ops.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2483,7 +7865,7 @@ CONTRACT_0095 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0096 = McpControlContract( +CONTRACT_0174 = McpControlContract( contract_id='customer_ops.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2509,7 +7891,7 @@ CONTRACT_0096 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0097 = McpControlContract( +CONTRACT_0175 = McpControlContract( contract_id='customer_ops.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2535,7 +7917,7 @@ CONTRACT_0097 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0098 = McpControlContract( +CONTRACT_0176 = McpControlContract( contract_id='customer_ops.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2561,7 +7943,7 @@ CONTRACT_0098 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0099 = McpControlContract( +CONTRACT_0177 = McpControlContract( contract_id='customer_ops.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', 
@@ -2587,7 +7969,7 @@ CONTRACT_0099 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0100 = McpControlContract( +CONTRACT_0178 = McpControlContract( contract_id='customer_ops.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2613,7 +7995,7 @@ CONTRACT_0100 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0101 = McpControlContract( +CONTRACT_0179 = McpControlContract( contract_id='customer_ops.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2639,7 +8021,7 @@ CONTRACT_0101 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0102 = McpControlContract( +CONTRACT_0180 = McpControlContract( contract_id='customer_ops.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2665,7 +8047,7 @@ CONTRACT_0102 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0103 = McpControlContract( +CONTRACT_0181 = McpControlContract( contract_id='customer_ops.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2691,7 +8073,7 @@ CONTRACT_0103 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0104 = McpControlContract( +CONTRACT_0182 = McpControlContract( contract_id='customer_ops.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2717,7 +8099,7 @@ CONTRACT_0104 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0105 = McpControlContract( +CONTRACT_0183 = McpControlContract( contract_id='customer_ops.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', 
@@ -2743,7 +8125,7 @@ CONTRACT_0105 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0106 = McpControlContract( +CONTRACT_0184 = McpControlContract( contract_id='customer_ops.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='customer_ops', @@ -2769,7 +8151,7 @@ CONTRACT_0106 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0107 = McpControlContract( +CONTRACT_0185 = McpControlContract( contract_id='customer_ops.tickets.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='customer_ops', @@ -2795,7 +8177,7 @@ CONTRACT_0107 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0108 = McpControlContract( +CONTRACT_0186 = McpControlContract( contract_id='customer_ops.incidents.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='customer_ops', @@ -2821,7 +8203,7 @@ CONTRACT_0108 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0109 = McpControlContract( +CONTRACT_0187 = McpControlContract( contract_id='customer_ops.diagnostics.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='customer_ops', @@ -2847,7 +8229,7 @@ CONTRACT_0109 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0110 = McpControlContract( +CONTRACT_0188 = McpControlContract( contract_id='customer_ops.customer-status.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='customer_ops', @@ -2873,7 +8255,7 @@ CONTRACT_0110 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0111 = McpControlContract( +CONTRACT_0189 = McpControlContract( contract_id='customer_ops.handoffs.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='customer_ops', 
@@ -2899,7 +8281,7 @@ CONTRACT_0111 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0112 = McpControlContract( +CONTRACT_0190 = McpControlContract( contract_id='customer_ops.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='customer_ops', @@ -2925,7 +8307,7 @@ CONTRACT_0112 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0113 = McpControlContract( +CONTRACT_0191 = McpControlContract( contract_id='customer_ops.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='customer_ops', @@ -2951,7 +8333,7 @@ CONTRACT_0113 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0114 = McpControlContract( +CONTRACT_0192 = McpControlContract( contract_id='customer_ops.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='customer_ops', @@ -2977,7 +8359,7 @@ CONTRACT_0114 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0115 = McpControlContract( +CONTRACT_0193 = McpControlContract( contract_id='customer_ops.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='customer_ops', @@ -3003,7 +8385,7 @@ CONTRACT_0115 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0116 = McpControlContract( +CONTRACT_0194 = McpControlContract( contract_id='customer_ops.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='customer_ops', @@ -3029,7 +8411,7 @@ CONTRACT_0116 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0117 = McpControlContract( +CONTRACT_0195 = McpControlContract( contract_id='customer_ops.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='customer_ops', 
@@ -3055,7 +8437,7 @@ CONTRACT_0117 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0118 = McpControlContract( +CONTRACT_0196 = McpControlContract( contract_id='customer_ops.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='customer_ops', @@ -3081,7 +8463,7 @@ CONTRACT_0118 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0119 = McpControlContract( +CONTRACT_0197 = McpControlContract( contract_id='customer_ops.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='customer_ops', @@ -3107,7 +8489,7 @@ CONTRACT_0119 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0120 = McpControlContract( +CONTRACT_0198 = McpControlContract( contract_id='customer_ops.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='customer_ops', 
@@ -3133,7 +8515,2698 @@ CONTRACT_0120 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0121 = McpControlContract( +CONTRACT_0199 = McpControlContract( + contract_id='customer_ops.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas 
credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0200 = McpControlContract( + contract_id='customer_ops.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 
'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para 
customer_ops/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0201 = McpControlContract( + contract_id='customer_ops.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.customer_ops.administrador_empresa.automation-smoke', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0202 = McpControlContract( + contract_id='customer_ops.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no 
MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0203 = McpControlContract( + contract_id='customer_ops.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.customer_ops.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0204 = McpControlContract( + contract_id='customer_ops.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso 
automation-smoke para customer_ops/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0205 = McpControlContract( + contract_id='customer_ops.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.customer_ops.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0206 = McpControlContract( + contract_id='customer_ops.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + 
source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens 
numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0207 = McpControlContract( + contract_id='customer_ops.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0208 = McpControlContract( + contract_id='customer_ops.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform 
para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash 
e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0209 = McpControlContract( + contract_id='customer_ops.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0210 = McpControlContract( + contract_id='customer_ops.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para 
Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e 
responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0211 = McpControlContract( + contract_id='customer_ops.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 
'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0212 = McpControlContract( + contract_id='customer_ops.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer 
Ops Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e 
separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0213 = McpControlContract( + contract_id='customer_ops.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 
'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0214 = McpControlContract( + contract_id='customer_ops.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + 
profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de 
customer_ops/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0215 = McpControlContract( + contract_id='customer_ops.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 
'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0216 = McpControlContract( + contract_id='customer_ops.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + 
profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de 
customer_ops/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0217 = McpControlContract( + contract_id='customer_ops.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 
'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0218 = McpControlContract( + contract_id='customer_ops.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + 
profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/contador por 
/v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0219 = McpControlContract( + contract_id='customer_ops.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 
'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0220 = McpControlContract( + contract_id='customer_ops.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='juridico', + 
tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/juridico por /v1/execute com 
POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0221 = McpControlContract( + contract_id='customer_ops.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 
'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0222 = McpControlContract( + contract_id='customer_ops.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='juridico', + 
tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/juridico por /v1/execute com POST 
application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0223 = McpControlContract( + contract_id='customer_ops.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 
'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0224 = McpControlContract( + contract_id='customer_ops.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='secretaria', + 
tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/secretaria por /v1/execute 
com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0225 = McpControlContract( + contract_id='customer_ops.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 
'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0226 = McpControlContract( + contract_id='customer_ops.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='tecnico', + 
tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/tecnico por /v1/execute com 
POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0227 = McpControlContract( + contract_id='customer_ops.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 
'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0228 = McpControlContract( + contract_id='customer_ops.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='tecnico', + 
tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/tecnico por /v1/execute com POST 
application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0229 = McpControlContract( + contract_id='customer_ops.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 
'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0230 = McpControlContract( + contract_id='customer_ops.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', 
+ profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de 
customer_ops/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0231 = McpControlContract( + contract_id='customer_ops.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 
'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0232 = McpControlContract( + contract_id='customer_ops.cliente_externo.gpt-execute-probe.access-policy', + 
kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas 
credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0233 = McpControlContract( + contract_id='customer_ops.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 
'customer_opsStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0234 = 
McpControlContract( + contract_id='customer_ops.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider 
customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para customer_ops/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0235 = McpControlContract( + contract_id='customer_ops.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Customer Ops Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 
'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de customer_ops/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para customer_ops/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 
'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0236 = McpControlContract( + contract_id='customer_ops.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Customer Ops Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef 
ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de customer_ops/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para customer_ops/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0237 = McpControlContract( + contract_id='customer_ops.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='customer_ops', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Customer Ops Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Customer Ops Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 
'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'customer_opsStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.customer_ops.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider customer_ops via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de customer_ops/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para 
customer_ops/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0238 = McpControlContract( contract_id='docs.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3159,7 +11232,7 @@ CONTRACT_0121 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0122 = McpControlContract( +CONTRACT_0239 = McpControlContract( contract_id='docs.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3185,7 +11258,7 @@ CONTRACT_0122 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0123 = McpControlContract( +CONTRACT_0240 = McpControlContract( contract_id='docs.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3211,7 +11284,7 @@ CONTRACT_0123 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0124 = McpControlContract( +CONTRACT_0241 = McpControlContract( contract_id='docs.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3237,7 +11310,7 @@ CONTRACT_0124 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0125 = McpControlContract( +CONTRACT_0242 = McpControlContract( contract_id='docs.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3263,7 +11336,7 @@ CONTRACT_0125 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0126 = McpControlContract( +CONTRACT_0243 = McpControlContract( contract_id='docs.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', 
@@ -3289,7 +11362,7 @@ CONTRACT_0126 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0127 = McpControlContract( +CONTRACT_0244 = McpControlContract( contract_id='docs.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3315,7 +11388,7 @@ CONTRACT_0127 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0128 = McpControlContract( +CONTRACT_0245 = McpControlContract( contract_id='docs.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3341,7 +11414,7 @@ CONTRACT_0128 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0129 = McpControlContract( +CONTRACT_0246 = McpControlContract( contract_id='docs.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3367,7 +11440,7 @@ CONTRACT_0129 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0130 = McpControlContract( +CONTRACT_0247 = McpControlContract( contract_id='docs.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3393,7 +11466,7 @@ CONTRACT_0130 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0131 = McpControlContract( +CONTRACT_0248 = McpControlContract( contract_id='docs.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3419,7 +11492,7 @@ CONTRACT_0131 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0132 = McpControlContract( +CONTRACT_0249 = McpControlContract( contract_id='docs.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', 
@@ -3445,7 +11518,7 @@ CONTRACT_0132 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0133 = McpControlContract( +CONTRACT_0250 = McpControlContract( contract_id='docs.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='docs', @@ -3471,7 +11544,7 @@ CONTRACT_0133 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0134 = McpControlContract( +CONTRACT_0251 = McpControlContract( contract_id='docs.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3497,7 +11570,7 @@ CONTRACT_0134 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0135 = McpControlContract( +CONTRACT_0252 = McpControlContract( contract_id='docs.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3523,7 +11596,7 @@ CONTRACT_0135 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0136 = McpControlContract( +CONTRACT_0253 = McpControlContract( contract_id='docs.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3549,7 +11622,7 @@ CONTRACT_0136 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0137 = McpControlContract( +CONTRACT_0254 = McpControlContract( contract_id='docs.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3575,7 +11648,7 @@ CONTRACT_0137 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0138 = McpControlContract( +CONTRACT_0255 = McpControlContract( contract_id='docs.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', 
@@ -3601,7 +11674,7 @@ CONTRACT_0138 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0139 = McpControlContract( +CONTRACT_0256 = McpControlContract( contract_id='docs.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3627,7 +11700,7 @@ CONTRACT_0139 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0140 = McpControlContract( +CONTRACT_0257 = McpControlContract( contract_id='docs.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3653,7 +11726,7 @@ CONTRACT_0140 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0141 = McpControlContract( +CONTRACT_0258 = McpControlContract( contract_id='docs.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3679,7 +11752,7 @@ CONTRACT_0141 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0142 = McpControlContract( +CONTRACT_0259 = McpControlContract( contract_id='docs.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3705,7 +11778,7 @@ CONTRACT_0142 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0143 = McpControlContract( +CONTRACT_0260 = McpControlContract( contract_id='docs.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3731,7 +11804,7 @@ CONTRACT_0143 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0144 = McpControlContract( +CONTRACT_0261 = McpControlContract( contract_id='docs.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', 
@@ -3757,7 +11830,7 @@ CONTRACT_0144 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0145 = McpControlContract( +CONTRACT_0262 = McpControlContract( contract_id='docs.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3783,7 +11856,7 @@ CONTRACT_0145 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0146 = McpControlContract( +CONTRACT_0263 = McpControlContract( contract_id='docs.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='docs', @@ -3809,7 +11882,7 @@ CONTRACT_0146 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0147 = McpControlContract( +CONTRACT_0264 = McpControlContract( contract_id='docs.canonical-docs.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='docs', @@ -3835,7 +11908,7 @@ CONTRACT_0147 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0148 = McpControlContract( +CONTRACT_0265 = McpControlContract( contract_id='docs.contracts.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='docs', @@ -3861,7 +11934,7 @@ CONTRACT_0148 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0149 = McpControlContract( +CONTRACT_0266 = McpControlContract( contract_id='docs.proofs.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='docs', @@ -3887,7 +11960,7 @@ CONTRACT_0149 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0150 = McpControlContract( +CONTRACT_0267 = McpControlContract( contract_id='docs.help.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='docs', @@ -3913,7 +11986,7 @@ CONTRACT_0150 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0151 = McpControlContract( +CONTRACT_0268 = McpControlContract( contract_id='docs.runbooks.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='docs', 
@@ -3939,7 +12012,7 @@ CONTRACT_0151 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0152 = McpControlContract( +CONTRACT_0269 = McpControlContract( contract_id='docs.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='docs', @@ -3965,7 +12038,7 @@ CONTRACT_0152 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0153 = McpControlContract( +CONTRACT_0270 = McpControlContract( contract_id='docs.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='docs', @@ -3991,7 +12064,7 @@ CONTRACT_0153 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0154 = McpControlContract( +CONTRACT_0271 = McpControlContract( contract_id='docs.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='docs', @@ -4017,7 +12090,7 @@ CONTRACT_0154 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0155 = McpControlContract( +CONTRACT_0272 = McpControlContract( contract_id='docs.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='docs', @@ -4043,7 +12116,7 @@ CONTRACT_0155 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0156 = McpControlContract( +CONTRACT_0273 = McpControlContract( contract_id='docs.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='docs', @@ -4069,7 +12142,7 @@ CONTRACT_0156 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0157 = McpControlContract( +CONTRACT_0274 = McpControlContract( contract_id='docs.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='docs', 
@@ -4095,7 +12168,7 @@ CONTRACT_0157 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0158 = McpControlContract( +CONTRACT_0275 = McpControlContract( contract_id='docs.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='docs', @@ -4121,7 +12194,7 @@ CONTRACT_0158 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0159 = McpControlContract( +CONTRACT_0276 = McpControlContract( contract_id='docs.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='docs', @@ -4147,7 +12220,7 @@ CONTRACT_0159 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0160 = McpControlContract( +CONTRACT_0277 = McpControlContract( contract_id='docs.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='docs', 
@@ -4173,7 +12246,2698 @@ CONTRACT_0160 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0161 = McpControlContract( +CONTRACT_0278 = McpControlContract( + contract_id='docs.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 
'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0279 = McpControlContract( + contract_id='docs.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 
'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0280 = McpControlContract( + contract_id='docs.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.administrador_empresa.automation-smoke', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer 
artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0281 = McpControlContract( + contract_id='docs.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 
'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 
'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0282 = McpControlContract( + contract_id='docs.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel 
bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0283 = McpControlContract( + contract_id='docs.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', 
+ 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0284 = McpControlContract( + contract_id='docs.gestor_operacional.gpt-execute-probe.access-policy', + 
kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de 
evidencia'), + validation_steps=('executar gpt-execute-probe de docs/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0285 = McpControlContract( + contract_id='docs.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 
'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0286 = McpControlContract( + contract_id='docs.gestor_operacional.automation-smoke.access-policy', + 
kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), 
+ validation_steps=('executar automation-smoke de docs/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0287 = McpControlContract( + contract_id='docs.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 
'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0288 = McpControlContract( + contract_id='docs.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='suporte', + 
tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/suporte por /v1/execute com POST application/json', 'confirmar 
User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0289 = McpControlContract( + contract_id='docs.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 
'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0290 = McpControlContract( + contract_id='docs.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Atendimento ao 
cliente', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via 
credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0291 = McpControlContract( + contract_id='docs.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 
'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0292 = McpControlContract( + contract_id='docs.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Atendimento 
ao cliente', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via 
credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0293 = McpControlContract( + contract_id='docs.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 
'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0294 = McpControlContract( + contract_id='docs.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para 
Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction 
contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0295 = McpControlContract( + contract_id='docs.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0296 = McpControlContract( + contract_id='docs.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + 
pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0297 = McpControlContract( + contract_id='docs.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.contador.admin-ui-render', + 
audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0298 = McpControlContract( + contract_id='docs.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 
'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/contador', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0299 = McpControlContract( + contract_id='docs.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer 
artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0300 = McpControlContract( + contract_id='docs.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 
'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + 
policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0301 = McpControlContract( + contract_id='docs.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar 
sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0302 = McpControlContract( + contract_id='docs.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 
'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0303 = McpControlContract( + contract_id='docs.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs 
via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0304 = McpControlContract( + contract_id='docs.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 
'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0305 = McpControlContract( + contract_id='docs.tecnico.gpt-execute-probe.access-policy', + 
kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe 
de docs/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0306 = McpControlContract( + contract_id='docs.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 
'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0307 = McpControlContract( + contract_id='docs.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs 
Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer 
bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0308 = McpControlContract( + contract_id='docs.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0309 = McpControlContract( + contract_id='docs.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Usuario final usem headers, 
bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer 
bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0310 = McpControlContract( + contract_id='docs.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0311 = McpControlContract( + contract_id='docs.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + 
source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate 
limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0312 = McpControlContract( + contract_id='docs.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + 
gpt_explainable=True, + report_model_id='access.docs.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0313 = McpControlContract( + contract_id='docs.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no 
MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0314 = McpControlContract( + contract_id='docs.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Docs Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + 
gpt_explainable=True, + report_model_id='access.docs.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de docs/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para docs/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0315 = McpControlContract( + contract_id='docs.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Docs Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + 
source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de docs/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 
'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para docs/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0316 = McpControlContract( + contract_id='docs.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='docs', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Docs Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Docs Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'docsStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.FORMAL_EXCEPTION, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.docs.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider docs via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de docs/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para docs/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0317 = McpControlContract( contract_id='finance.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4199,7 +14963,7 @@ CONTRACT_0161 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0162 = McpControlContract( +CONTRACT_0318 = McpControlContract( contract_id='finance.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', 
@@ -4225,7 +14989,7 @@ CONTRACT_0162 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0163 = McpControlContract( +CONTRACT_0319 = McpControlContract( contract_id='finance.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4251,7 +15015,7 @@ CONTRACT_0163 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0164 = McpControlContract( +CONTRACT_0320 = McpControlContract( contract_id='finance.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4277,7 +15041,7 @@ CONTRACT_0164 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0165 = McpControlContract( +CONTRACT_0321 = McpControlContract( contract_id='finance.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4303,7 +15067,7 @@ CONTRACT_0165 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0166 = McpControlContract( +CONTRACT_0322 = McpControlContract( contract_id='finance.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4329,7 +15093,7 @@ CONTRACT_0166 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0167 = McpControlContract( +CONTRACT_0323 = McpControlContract( contract_id='finance.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4355,7 +15119,7 @@ CONTRACT_0167 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0168 = McpControlContract( +CONTRACT_0324 = McpControlContract( contract_id='finance.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', 
@@ -4381,7 +15145,7 @@ CONTRACT_0168 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0169 = McpControlContract( +CONTRACT_0325 = McpControlContract( contract_id='finance.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4407,7 +15171,7 @@ CONTRACT_0169 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0170 = McpControlContract( +CONTRACT_0326 = McpControlContract( contract_id='finance.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4433,7 +15197,7 @@ CONTRACT_0170 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0171 = McpControlContract( +CONTRACT_0327 = McpControlContract( contract_id='finance.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4459,7 +15223,7 @@ CONTRACT_0171 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0172 = McpControlContract( +CONTRACT_0328 = McpControlContract( contract_id='finance.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4485,7 +15249,7 @@ CONTRACT_0172 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0173 = McpControlContract( +CONTRACT_0329 = McpControlContract( contract_id='finance.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='finance', @@ -4511,7 +15275,7 @@ CONTRACT_0173 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0174 = McpControlContract( +CONTRACT_0330 = McpControlContract( contract_id='finance.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', 
@@ -4537,7 +15301,7 @@ CONTRACT_0174 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0175 = McpControlContract( +CONTRACT_0331 = McpControlContract( contract_id='finance.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', @@ -4563,7 +15327,7 @@ CONTRACT_0175 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0176 = McpControlContract( +CONTRACT_0332 = McpControlContract( contract_id='finance.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', @@ -4589,7 +15353,7 @@ CONTRACT_0176 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0177 = McpControlContract( +CONTRACT_0333 = McpControlContract( contract_id='finance.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', @@ -4615,7 +15379,7 @@ CONTRACT_0177 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0178 = McpControlContract( +CONTRACT_0334 = McpControlContract( contract_id='finance.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', @@ -4641,7 +15405,7 @@ CONTRACT_0178 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0179 = McpControlContract( +CONTRACT_0335 = McpControlContract( contract_id='finance.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', @@ -4667,7 +15431,7 @@ CONTRACT_0179 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0180 = McpControlContract( +CONTRACT_0336 = McpControlContract( contract_id='finance.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', 
@@ -4693,7 +15457,7 @@ CONTRACT_0180 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0181 = McpControlContract( +CONTRACT_0337 = McpControlContract( contract_id='finance.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', @@ -4719,7 +15483,7 @@ CONTRACT_0181 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0182 = McpControlContract( +CONTRACT_0338 = McpControlContract( contract_id='finance.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', @@ -4745,7 +15509,7 @@ CONTRACT_0182 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0183 = McpControlContract( +CONTRACT_0339 = McpControlContract( contract_id='finance.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', @@ -4771,7 +15535,7 @@ CONTRACT_0183 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0184 = McpControlContract( +CONTRACT_0340 = McpControlContract( contract_id='finance.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', @@ -4797,7 +15561,7 @@ CONTRACT_0184 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0185 = McpControlContract( +CONTRACT_0341 = McpControlContract( contract_id='finance.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', @@ -4823,7 +15587,7 @@ CONTRACT_0185 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0186 = McpControlContract( +CONTRACT_0342 = McpControlContract( contract_id='finance.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='finance', 
@@ -4849,7 +15613,7 @@ CONTRACT_0186 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0187 = McpControlContract( +CONTRACT_0343 = McpControlContract( contract_id='finance.invoices.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='finance', @@ -4875,7 +15639,7 @@ CONTRACT_0187 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0188 = McpControlContract( +CONTRACT_0344 = McpControlContract( contract_id='finance.usage.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='finance', @@ -4901,7 +15665,7 @@ CONTRACT_0188 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0189 = McpControlContract( +CONTRACT_0345 = McpControlContract( contract_id='finance.cost.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='finance', @@ -4927,7 +15691,7 @@ CONTRACT_0189 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0190 = McpControlContract( +CONTRACT_0346 = McpControlContract( contract_id='finance.reconciliation.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='finance', @@ -4953,7 +15717,7 @@ CONTRACT_0190 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0191 = McpControlContract( +CONTRACT_0347 = McpControlContract( contract_id='finance.quota.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='finance', @@ -4979,7 +15743,7 @@ CONTRACT_0191 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0192 = McpControlContract( +CONTRACT_0348 = McpControlContract( contract_id='finance.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='finance', @@ -5005,7 +15769,7 @@ CONTRACT_0192 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0193 = McpControlContract( +CONTRACT_0349 = McpControlContract( contract_id='finance.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='finance', 
@@ -5031,7 +15795,7 @@ CONTRACT_0193 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0194 = McpControlContract( +CONTRACT_0350 = McpControlContract( contract_id='finance.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='finance', @@ -5057,7 +15821,7 @@ CONTRACT_0194 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0195 = McpControlContract( +CONTRACT_0351 = McpControlContract( contract_id='finance.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='finance', @@ -5083,7 +15847,7 @@ CONTRACT_0195 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0196 = McpControlContract( +CONTRACT_0352 = McpControlContract( contract_id='finance.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='finance', @@ -5109,7 +15873,7 @@ CONTRACT_0196 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0197 = McpControlContract( +CONTRACT_0353 = McpControlContract( contract_id='finance.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='finance', @@ -5135,7 +15899,7 @@ CONTRACT_0197 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0198 = McpControlContract( +CONTRACT_0354 = McpControlContract( contract_id='finance.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='finance', @@ -5161,7 +15925,7 @@ CONTRACT_0198 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0199 = McpControlContract( +CONTRACT_0355 = McpControlContract( contract_id='finance.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='finance', 
@@ -5187,7 +15951,7 @@ CONTRACT_0199 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0200 = McpControlContract( +CONTRACT_0356 = McpControlContract( contract_id='finance.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='finance', 
@@ -5213,7 +15977,2698 @@ CONTRACT_0200 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0201 = McpControlContract( +CONTRACT_0357 = McpControlContract( + contract_id='finance.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou 
secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0358 = McpControlContract( + contract_id='finance.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 
'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/administrador_empresa', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0359 = McpControlContract( + contract_id='finance.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.administrador_empresa.automation-smoke', + 
audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0360 = McpControlContract( + contract_id='finance.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + 
required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/ceo', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0361 = McpControlContract( + contract_id='finance.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 
'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0362 = McpControlContract( + contract_id='finance.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', 
+ 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 
'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0363 = McpControlContract( + contract_id='finance.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir 
evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0364 = McpControlContract( + contract_id='finance.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 
'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 
'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0365 = McpControlContract( + contract_id='finance.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer 
antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0366 = McpControlContract( + contract_id='finance.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 
'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 
'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0367 = McpControlContract( + contract_id='finance.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem 
payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0368 = McpControlContract( + contract_id='finance.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 
'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + 
+CONTRACT_0369 = McpControlContract( + contract_id='finance.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular 
redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0370 = McpControlContract( + contract_id='finance.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', 
+ 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0371 = McpControlContract( + contract_id='finance.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e 
sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0372 = McpControlContract( + contract_id='finance.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 
'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0373 = McpControlContract( + contract_id='finance.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction 
ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0374 = McpControlContract( + contract_id='finance.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 
'humanNextAction', + 'financeStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0375 = McpControlContract( + 
contract_id='finance.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas 
credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0376 = McpControlContract( + contract_id='finance.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 
'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0377 = McpControlContract( + contract_id='finance.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + 
profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/contador por /v1/execute com POST 
application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0378 = McpControlContract( + contract_id='finance.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 
'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0379 = McpControlContract( + contract_id='finance.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para 
Finance Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem 
persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0380 = McpControlContract( + contract_id='finance.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0381 = McpControlContract( + contract_id='finance.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Secretaria usem headers, bearer 
redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, 
bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0382 = McpControlContract( + contract_id='finance.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0383 = McpControlContract( + contract_id='finance.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + 
source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, 
retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0384 = McpControlContract( + contract_id='finance.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.finance.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0385 = McpControlContract( + contract_id='finance.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render 
para finance/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0386 = McpControlContract( + contract_id='finance.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear 
valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0387 = McpControlContract( + contract_id='finance.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 
'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/usuario_final', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0388 = McpControlContract( + contract_id='finance.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear 
valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0389 = McpControlContract( + contract_id='finance.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', 
+ 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/usuario_final', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0390 = McpControlContract( + contract_id='finance.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + 
redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0391 = McpControlContract( + contract_id='finance.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( 
+ 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/cliente_externo', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0392 = McpControlContract( + contract_id='finance.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + 
redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0393 = McpControlContract( + contract_id='finance.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Finance Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de finance/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + 
pending_if_missing='homologar politica de acesso gpt-execute-probe para finance/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0394 = McpControlContract( + contract_id='finance.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Finance Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + 
panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de finance/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para finance/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0395 = McpControlContract( + contract_id='finance.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='finance', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Finance Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Finance Platform para Planejamento estrategico usem headers, bearer redigido, WAF 
classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'financeStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.finance.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider finance via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de finance/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar 
redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para finance/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0396 = McpControlContract( contract_id='gettys.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5239,7 +18694,7 @@ CONTRACT_0201 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0202 = McpControlContract( +CONTRACT_0397 = McpControlContract( contract_id='gettys.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5265,7 +18720,7 @@ CONTRACT_0202 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0203 = McpControlContract( +CONTRACT_0398 = McpControlContract( contract_id='gettys.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5291,7 +18746,7 @@ CONTRACT_0203 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0204 = McpControlContract( +CONTRACT_0399 = McpControlContract( contract_id='gettys.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5317,7 +18772,7 @@ CONTRACT_0204 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0205 = McpControlContract( +CONTRACT_0400 = McpControlContract( contract_id='gettys.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', 
@@ -5343,7 +18798,7 @@ CONTRACT_0205 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0206 = McpControlContract( +CONTRACT_0401 = McpControlContract( contract_id='gettys.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5369,7 +18824,7 @@ CONTRACT_0206 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0207 = McpControlContract( +CONTRACT_0402 = McpControlContract( contract_id='gettys.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5395,7 +18850,7 @@ CONTRACT_0207 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0208 = McpControlContract( +CONTRACT_0403 = McpControlContract( contract_id='gettys.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5421,7 +18876,7 @@ CONTRACT_0208 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0209 = McpControlContract( +CONTRACT_0404 = McpControlContract( contract_id='gettys.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5447,7 +18902,7 @@ CONTRACT_0209 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0210 = McpControlContract( +CONTRACT_0405 = McpControlContract( contract_id='gettys.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5473,7 +18928,7 @@ CONTRACT_0210 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0211 = McpControlContract( +CONTRACT_0406 = McpControlContract( contract_id='gettys.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', 
@@ -5499,7 +18954,7 @@ CONTRACT_0211 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0212 = McpControlContract( +CONTRACT_0407 = McpControlContract( contract_id='gettys.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5525,7 +18980,7 @@ CONTRACT_0212 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0213 = McpControlContract( +CONTRACT_0408 = McpControlContract( contract_id='gettys.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='gettys', @@ -5551,7 +19006,7 @@ CONTRACT_0213 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0214 = McpControlContract( +CONTRACT_0409 = McpControlContract( contract_id='gettys.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5577,7 +19032,7 @@ CONTRACT_0214 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0215 = McpControlContract( +CONTRACT_0410 = McpControlContract( contract_id='gettys.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5603,7 +19058,7 @@ CONTRACT_0215 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0216 = McpControlContract( +CONTRACT_0411 = McpControlContract( contract_id='gettys.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5629,7 +19084,7 @@ CONTRACT_0216 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0217 = McpControlContract( +CONTRACT_0412 = McpControlContract( contract_id='gettys.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', 
@@ -5655,7 +19110,7 @@ CONTRACT_0217 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0218 = McpControlContract( +CONTRACT_0413 = McpControlContract( contract_id='gettys.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5681,7 +19136,7 @@ CONTRACT_0218 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0219 = McpControlContract( +CONTRACT_0414 = McpControlContract( contract_id='gettys.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5707,7 +19162,7 @@ CONTRACT_0219 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0220 = McpControlContract( +CONTRACT_0415 = McpControlContract( contract_id='gettys.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5733,7 +19188,7 @@ CONTRACT_0220 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0221 = McpControlContract( +CONTRACT_0416 = McpControlContract( contract_id='gettys.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5759,7 +19214,7 @@ CONTRACT_0221 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0222 = McpControlContract( +CONTRACT_0417 = McpControlContract( contract_id='gettys.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5785,7 +19240,7 @@ CONTRACT_0222 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0223 = McpControlContract( +CONTRACT_0418 = McpControlContract( contract_id='gettys.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', 
@@ -5811,7 +19266,7 @@ CONTRACT_0223 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0224 = McpControlContract( +CONTRACT_0419 = McpControlContract( contract_id='gettys.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5837,7 +19292,7 @@ CONTRACT_0224 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0225 = McpControlContract( +CONTRACT_0420 = McpControlContract( contract_id='gettys.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5863,7 +19318,7 @@ CONTRACT_0225 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0226 = McpControlContract( +CONTRACT_0421 = McpControlContract( contract_id='gettys.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='gettys', @@ -5889,7 +19344,7 @@ CONTRACT_0226 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0227 = McpControlContract( +CONTRACT_0422 = McpControlContract( contract_id='gettys.gettys-overview.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='gettys', @@ -5915,7 +19370,7 @@ CONTRACT_0227 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0228 = McpControlContract( +CONTRACT_0423 = McpControlContract( contract_id='gettys.admin-screen.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='gettys', @@ -5941,7 +19396,7 @@ CONTRACT_0228 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0229 = McpControlContract( +CONTRACT_0424 = McpControlContract( contract_id='gettys.health.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='gettys', 
@@ -5967,7 +19422,7 @@ CONTRACT_0229 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0230 = McpControlContract( +CONTRACT_0425 = McpControlContract( contract_id='gettys.product-readiness.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='gettys', @@ -5993,7 +19448,7 @@ CONTRACT_0230 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0231 = McpControlContract( +CONTRACT_0426 = McpControlContract( contract_id='gettys.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='gettys', @@ -6019,7 +19474,7 @@ CONTRACT_0231 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0232 = McpControlContract( +CONTRACT_0427 = McpControlContract( contract_id='gettys.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='gettys', @@ -6045,7 +19500,7 @@ CONTRACT_0232 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0233 = McpControlContract( +CONTRACT_0428 = McpControlContract( contract_id='gettys.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='gettys', @@ -6071,7 +19526,7 @@ CONTRACT_0233 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0234 = McpControlContract( +CONTRACT_0429 = McpControlContract( contract_id='gettys.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='gettys', @@ -6097,7 +19552,7 @@ CONTRACT_0234 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0235 = McpControlContract( +CONTRACT_0430 = McpControlContract( contract_id='gettys.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='gettys', 
@@ -6123,7 +19578,7 @@ CONTRACT_0235 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0236 = McpControlContract( +CONTRACT_0431 = McpControlContract( contract_id='gettys.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='gettys', @@ -6149,7 +19604,7 @@ CONTRACT_0236 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0237 = McpControlContract( +CONTRACT_0432 = McpControlContract( contract_id='gettys.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='gettys', @@ -6175,7 +19630,7 @@ CONTRACT_0237 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0238 = McpControlContract( +CONTRACT_0433 = McpControlContract( contract_id='gettys.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='gettys', @@ -6201,7 +19656,7 @@ CONTRACT_0238 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0239 = McpControlContract( +CONTRACT_0434 = McpControlContract( contract_id='gettys.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='gettys', 
@@ -6227,7 +19682,2698 @@ CONTRACT_0239 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0240 = McpControlContract( +CONTRACT_0435 = McpControlContract( + contract_id='gettys.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou 
secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0436 = McpControlContract( + contract_id='gettys.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 
'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/administrador_empresa', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0437 = McpControlContract( + contract_id='gettys.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.administrador_empresa.automation-smoke', + 
audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0438 = McpControlContract( + contract_id='gettys.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( 
+ 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/ceo', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0439 = McpControlContract( + contract_id='gettys.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir 
apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0440 = McpControlContract( + contract_id='gettys.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 
'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + 
maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0441 = McpControlContract( + contract_id='gettys.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar 
sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0442 = McpControlContract( + contract_id='gettys.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 
'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 
'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0443 = McpControlContract( + contract_id='gettys.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar 
sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0444 = McpControlContract( + contract_id='gettys.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 
'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0445 = McpControlContract( + contract_id='gettys.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao 
provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0446 = McpControlContract( + contract_id='gettys.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 
'humanNextAction', + 'gettysStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0447 = McpControlContract( + 
contract_id='gettys.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear 
persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0448 = McpControlContract( + contract_id='gettys.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', 
+ 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + 
+CONTRACT_0449 = McpControlContract( + contract_id='gettys.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao 
provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0450 = McpControlContract( + contract_id='gettys.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 
'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0451 = 
McpControlContract( + contract_id='gettys.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 
'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0452 = McpControlContract( + contract_id='gettys.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'financeiroNeed', + 'automation-smokeState', + 
'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0453 = McpControlContract( + contract_id='gettys.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + 
platform_id='gettys', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/contador por 
/v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0454 = McpControlContract( + contract_id='gettys.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 
'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0455 = McpControlContract( + contract_id='gettys.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke 
para Gettys Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem 
persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0456 = McpControlContract( + contract_id='gettys.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0457 = McpControlContract( + contract_id='gettys.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Juridico usem headers, bearer redigido, WAF 
classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos 
longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0458 = McpControlContract( + contract_id='gettys.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + 
gpt_explainable=True, + report_model_id='access.gettys.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0459 = McpControlContract( + contract_id='gettys.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + 
pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0460 = McpControlContract( + contract_id='gettys.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.gettys.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0461 = McpControlContract( + contract_id='gettys.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso 
automation-smoke para gettys/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0462 = McpControlContract( + contract_id='gettys.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + 
redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0463 = McpControlContract( + contract_id='gettys.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 
'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0464 = McpControlContract( + contract_id='gettys.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 
'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0465 = McpControlContract( + contract_id='gettys.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 
'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 
'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0466 = McpControlContract( + contract_id='gettys.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar 
sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0467 = McpControlContract( + contract_id='gettys.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 
'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0468 = McpControlContract( + contract_id='gettys.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload 
sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0469 = McpControlContract( + contract_id='gettys.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 
'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0470 = McpControlContract( + contract_id='gettys.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel 
bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0471 = McpControlContract( + contract_id='gettys.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Gettys Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 
'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de gettys/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para gettys/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 
'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0472 = McpControlContract( + contract_id='gettys.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Gettys Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de 
persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de gettys/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para gettys/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0473 = McpControlContract( + contract_id='gettys.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='gettys', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Gettys Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Gettys Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', 
+ 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'gettysStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.gettys.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider gettys via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de gettys/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para gettys/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0474 = McpControlContract( contract_id='identity.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6253,7 +22399,7 @@ CONTRACT_0240 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0241 = McpControlContract( +CONTRACT_0475 = McpControlContract( contract_id='identity.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6279,7 +22425,7 @@ CONTRACT_0241 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0242 = McpControlContract( +CONTRACT_0476 = McpControlContract( contract_id='identity.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6305,7 +22451,7 @@ CONTRACT_0242 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0243 = McpControlContract( +CONTRACT_0477 = McpControlContract( contract_id='identity.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6331,7 +22477,7 @@ CONTRACT_0243 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0244 = McpControlContract( +CONTRACT_0478 = McpControlContract( contract_id='identity.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6357,7 +22503,7 @@ CONTRACT_0244 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0245 = McpControlContract( +CONTRACT_0479 = McpControlContract( contract_id='identity.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', 
@@ -6383,7 +22529,7 @@ CONTRACT_0245 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0246 = McpControlContract( +CONTRACT_0480 = McpControlContract( contract_id='identity.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6409,7 +22555,7 @@ CONTRACT_0246 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0247 = McpControlContract( +CONTRACT_0481 = McpControlContract( contract_id='identity.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6435,7 +22581,7 @@ CONTRACT_0247 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0248 = McpControlContract( +CONTRACT_0482 = McpControlContract( contract_id='identity.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6461,7 +22607,7 @@ CONTRACT_0248 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0249 = McpControlContract( +CONTRACT_0483 = McpControlContract( contract_id='identity.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6487,7 +22633,7 @@ CONTRACT_0249 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0250 = McpControlContract( +CONTRACT_0484 = McpControlContract( contract_id='identity.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6513,7 +22659,7 @@ CONTRACT_0250 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0251 = McpControlContract( +CONTRACT_0485 = McpControlContract( contract_id='identity.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', 
@@ -6539,7 +22685,7 @@ CONTRACT_0251 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0252 = McpControlContract( +CONTRACT_0486 = McpControlContract( contract_id='identity.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='identity', @@ -6565,7 +22711,7 @@ CONTRACT_0252 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0253 = McpControlContract( +CONTRACT_0487 = McpControlContract( contract_id='identity.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6591,7 +22737,7 @@ CONTRACT_0253 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0254 = McpControlContract( +CONTRACT_0488 = McpControlContract( contract_id='identity.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6617,7 +22763,7 @@ CONTRACT_0254 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0255 = McpControlContract( +CONTRACT_0489 = McpControlContract( contract_id='identity.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6643,7 +22789,7 @@ CONTRACT_0255 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0256 = McpControlContract( +CONTRACT_0490 = McpControlContract( contract_id='identity.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6669,7 +22815,7 @@ CONTRACT_0256 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0257 = McpControlContract( +CONTRACT_0491 = McpControlContract( contract_id='identity.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', 
@@ -6695,7 +22841,7 @@ CONTRACT_0257 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0258 = McpControlContract( +CONTRACT_0492 = McpControlContract( contract_id='identity.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6721,7 +22867,7 @@ CONTRACT_0258 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0259 = McpControlContract( +CONTRACT_0493 = McpControlContract( contract_id='identity.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6747,7 +22893,7 @@ CONTRACT_0259 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0260 = McpControlContract( +CONTRACT_0494 = McpControlContract( contract_id='identity.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6773,7 +22919,7 @@ CONTRACT_0260 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0261 = McpControlContract( +CONTRACT_0495 = McpControlContract( contract_id='identity.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6799,7 +22945,7 @@ CONTRACT_0261 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0262 = McpControlContract( +CONTRACT_0496 = McpControlContract( contract_id='identity.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6825,7 +22971,7 @@ CONTRACT_0262 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0263 = McpControlContract( +CONTRACT_0497 = McpControlContract( contract_id='identity.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', 
@@ -6851,7 +22997,7 @@ CONTRACT_0263 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0264 = McpControlContract( +CONTRACT_0498 = McpControlContract( contract_id='identity.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6877,7 +23023,7 @@ CONTRACT_0264 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0265 = McpControlContract( +CONTRACT_0499 = McpControlContract( contract_id='identity.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='identity', @@ -6903,7 +23049,7 @@ CONTRACT_0265 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0266 = McpControlContract( +CONTRACT_0500 = McpControlContract( contract_id='identity.rbac.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='identity', @@ -6929,7 +23075,7 @@ CONTRACT_0266 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0267 = McpControlContract( +CONTRACT_0501 = McpControlContract( contract_id='identity.sessions.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='identity', @@ -6955,7 +23101,7 @@ CONTRACT_0267 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0268 = McpControlContract( +CONTRACT_0502 = McpControlContract( contract_id='identity.organizations.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='identity', @@ -6981,7 +23127,7 @@ CONTRACT_0268 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0269 = McpControlContract( +CONTRACT_0503 = McpControlContract( contract_id='identity.incidents.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='identity', 
@@ -7007,7 +23153,7 @@ CONTRACT_0269 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0270 = McpControlContract( +CONTRACT_0504 = McpControlContract( contract_id='identity.audit.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='identity', @@ -7033,7 +23179,7 @@ CONTRACT_0270 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0271 = McpControlContract( +CONTRACT_0505 = McpControlContract( contract_id='identity.contracts.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='identity', @@ -7059,7 +23205,7 @@ CONTRACT_0271 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0272 = McpControlContract( +CONTRACT_0506 = McpControlContract( contract_id='identity.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='identity', @@ -7085,7 +23231,7 @@ CONTRACT_0272 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0273 = McpControlContract( +CONTRACT_0507 = McpControlContract( contract_id='identity.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='identity', @@ -7111,7 +23257,7 @@ CONTRACT_0273 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0274 = McpControlContract( +CONTRACT_0508 = McpControlContract( contract_id='identity.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='identity', @@ -7137,7 +23283,7 @@ CONTRACT_0274 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0275 = McpControlContract( +CONTRACT_0509 = McpControlContract( contract_id='identity.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='identity', 
@@ -7163,7 +23309,7 @@ CONTRACT_0275 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0276 = McpControlContract( +CONTRACT_0510 = McpControlContract( contract_id='identity.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='identity', @@ -7189,7 +23335,7 @@ CONTRACT_0276 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0277 = McpControlContract( +CONTRACT_0511 = McpControlContract( contract_id='identity.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='identity', @@ -7215,7 +23361,7 @@ CONTRACT_0277 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0278 = McpControlContract( +CONTRACT_0512 = McpControlContract( contract_id='identity.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='identity', @@ -7241,7 +23387,7 @@ CONTRACT_0278 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0279 = McpControlContract( +CONTRACT_0513 = McpControlContract( contract_id='identity.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='identity', @@ -7267,7 +23413,7 @@ CONTRACT_0279 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0280 = McpControlContract( +CONTRACT_0514 = McpControlContract( contract_id='identity.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='identity', 
@@ -7293,7 +23439,2698 @@ CONTRACT_0280 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0281 = McpControlContract( +CONTRACT_0515 = McpControlContract( + contract_id='identity.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, 
tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0516 = McpControlContract( + contract_id='identity.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 
'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/administrador_empresa', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0517 = McpControlContract( + contract_id='identity.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.administrador_empresa.automation-smoke', + 
audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0518 = McpControlContract( + contract_id='identity.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + 
required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/ceo', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0519 = McpControlContract( + contract_id='identity.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato 
humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0520 = McpControlContract( + contract_id='identity.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', 
+ 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 
'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0521 = McpControlContract( + contract_id='identity.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization 
Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0522 = McpControlContract( + contract_id='identity.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', 
+ 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0523 = McpControlContract( + contract_id='identity.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer 
artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0524 = McpControlContract( + contract_id='identity.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', 
+ 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0525 = McpControlContract( + contract_id='identity.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, 
tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0526 = McpControlContract( + contract_id='identity.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 
'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + 
policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0527 = McpControlContract( + contract_id='identity.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, 
tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0528 = McpControlContract( + contract_id='identity.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', 
+ 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/atendimento_cliente', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0529 = McpControlContract( + contract_id='identity.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.atendimento_cliente.automation-smoke', + 
audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0530 = McpControlContract( + contract_id='identity.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de 
acesso gpt-execute-probe para identity/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0531 = McpControlContract( + contract_id='identity.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.financeiro.admin-ui-render', + 
audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0532 = McpControlContract( + contract_id='identity.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + 
required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para 
identity/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0533 = McpControlContract( + contract_id='identity.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + 
redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0534 = McpControlContract( + contract_id='identity.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 
'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/contador', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0535 = McpControlContract( + contract_id='identity.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ 
brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0536 = McpControlContract( + contract_id='identity.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 
'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0537 = McpControlContract( + contract_id='identity.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef 
opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0538 = McpControlContract( + contract_id='identity.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 
'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 
'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0539 = McpControlContract( + contract_id='identity.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar 
sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0540 = McpControlContract( + contract_id='identity.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 
'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, 
+ generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0541 = McpControlContract( + contract_id='identity.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 
'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0542 = McpControlContract( + contract_id='identity.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 
'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0543 
= McpControlContract( + contract_id='identity.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 
'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0544 = McpControlContract( + contract_id='identity.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'tecnicoNeed', + 'automation-smokeState', + 
'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0545 = McpControlContract( + contract_id='identity.usuario_final.gpt-execute-probe.access-policy', + 
kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), 
+ validation_steps=('executar gpt-execute-probe de identity/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0546 = McpControlContract( + contract_id='identity.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 
'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0547 = McpControlContract( + contract_id='identity.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + 
platform_id='identity', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar 
automation-smoke de identity/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0548 = McpControlContract( + contract_id='identity.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 
'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0549 = McpControlContract( + contract_id='identity.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + 
platform_id='identity', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar 
admin-ui-render de identity/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0550 = McpControlContract( + contract_id='identity.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 
'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0551 = McpControlContract( + contract_id='identity.planejamento_estrategico.gpt-execute-probe.access-policy', + 
kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Identity Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 
'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de identity/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para identity/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0552 = McpControlContract( + contract_id='identity.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Identity Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 
'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de identity/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para identity/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0553 = McpControlContract( + contract_id='identity.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='identity', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Identity Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Identity Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'identityStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.identity.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 
'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider identity via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de identity/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para identity/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0554 = McpControlContract( contract_id='integracoes.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7319,7 +26156,7 @@ CONTRACT_0281 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0282 = McpControlContract( +CONTRACT_0555 = McpControlContract( contract_id='integracoes.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7345,7 +26182,7 @@ CONTRACT_0282 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0283 = McpControlContract( +CONTRACT_0556 = McpControlContract( contract_id='integracoes.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', 
@@ -7371,7 +26208,7 @@ CONTRACT_0283 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0284 = McpControlContract( +CONTRACT_0557 = McpControlContract( contract_id='integracoes.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7397,7 +26234,7 @@ CONTRACT_0284 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0285 = McpControlContract( +CONTRACT_0558 = McpControlContract( contract_id='integracoes.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7423,7 +26260,7 @@ CONTRACT_0285 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0286 = McpControlContract( +CONTRACT_0559 = McpControlContract( contract_id='integracoes.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7449,7 +26286,7 @@ CONTRACT_0286 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0287 = McpControlContract( +CONTRACT_0560 = McpControlContract( contract_id='integracoes.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7475,7 +26312,7 @@ CONTRACT_0287 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0288 = McpControlContract( +CONTRACT_0561 = McpControlContract( contract_id='integracoes.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7501,7 +26338,7 @@ CONTRACT_0288 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0289 = McpControlContract( +CONTRACT_0562 = McpControlContract( contract_id='integracoes.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', 
@@ -7527,7 +26364,7 @@ CONTRACT_0289 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0290 = McpControlContract( +CONTRACT_0563 = McpControlContract( contract_id='integracoes.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7553,7 +26390,7 @@ CONTRACT_0290 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0291 = McpControlContract( +CONTRACT_0564 = McpControlContract( contract_id='integracoes.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7579,7 +26416,7 @@ CONTRACT_0291 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0292 = McpControlContract( +CONTRACT_0565 = McpControlContract( contract_id='integracoes.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7605,7 +26442,7 @@ CONTRACT_0292 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0293 = McpControlContract( +CONTRACT_0566 = McpControlContract( contract_id='integracoes.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='integracoes', @@ -7631,7 +26468,7 @@ CONTRACT_0293 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0294 = McpControlContract( +CONTRACT_0567 = McpControlContract( contract_id='integracoes.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7657,7 +26494,7 @@ CONTRACT_0294 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0295 = McpControlContract( +CONTRACT_0568 = McpControlContract( contract_id='integracoes.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', 
@@ -7683,7 +26520,7 @@ CONTRACT_0295 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0296 = McpControlContract( +CONTRACT_0569 = McpControlContract( contract_id='integracoes.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7709,7 +26546,7 @@ CONTRACT_0296 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0297 = McpControlContract( +CONTRACT_0570 = McpControlContract( contract_id='integracoes.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7735,7 +26572,7 @@ CONTRACT_0297 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0298 = McpControlContract( +CONTRACT_0571 = McpControlContract( contract_id='integracoes.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7761,7 +26598,7 @@ CONTRACT_0298 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0299 = McpControlContract( +CONTRACT_0572 = McpControlContract( contract_id='integracoes.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7787,7 +26624,7 @@ CONTRACT_0299 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0300 = McpControlContract( +CONTRACT_0573 = McpControlContract( contract_id='integracoes.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7813,7 +26650,7 @@ CONTRACT_0300 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0301 = McpControlContract( +CONTRACT_0574 = McpControlContract( contract_id='integracoes.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', 
@@ -7839,7 +26676,7 @@ CONTRACT_0301 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0302 = McpControlContract( +CONTRACT_0575 = McpControlContract( contract_id='integracoes.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7865,7 +26702,7 @@ CONTRACT_0302 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0303 = McpControlContract( +CONTRACT_0576 = McpControlContract( contract_id='integracoes.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7891,7 +26728,7 @@ CONTRACT_0303 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0304 = McpControlContract( +CONTRACT_0577 = McpControlContract( contract_id='integracoes.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7917,7 +26754,7 @@ CONTRACT_0304 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0305 = McpControlContract( +CONTRACT_0578 = McpControlContract( contract_id='integracoes.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7943,7 +26780,7 @@ CONTRACT_0305 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0306 = McpControlContract( +CONTRACT_0579 = McpControlContract( contract_id='integracoes.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='integracoes', @@ -7969,7 +26806,7 @@ CONTRACT_0306 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0307 = McpControlContract( +CONTRACT_0580 = McpControlContract( contract_id='integracoes.byok.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='integracoes', 
@@ -7995,7 +26832,7 @@ CONTRACT_0307 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0308 = McpControlContract( +CONTRACT_0581 = McpControlContract( contract_id='integracoes.providers.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='integracoes', @@ -8021,7 +26858,7 @@ CONTRACT_0308 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0309 = McpControlContract( +CONTRACT_0582 = McpControlContract( contract_id='integracoes.credentials.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='integracoes', @@ -8047,7 +26884,7 @@ CONTRACT_0309 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0310 = McpControlContract( +CONTRACT_0583 = McpControlContract( contract_id='integracoes.smoke.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='integracoes', @@ -8073,7 +26910,7 @@ CONTRACT_0310 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0311 = McpControlContract( +CONTRACT_0584 = McpControlContract( contract_id='integracoes.products.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='integracoes', @@ -8099,7 +26936,7 @@ CONTRACT_0311 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0312 = McpControlContract( +CONTRACT_0585 = McpControlContract( contract_id='integracoes.tenant.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='integracoes', @@ -8125,7 +26962,7 @@ CONTRACT_0312 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0313 = McpControlContract( +CONTRACT_0586 = McpControlContract( contract_id='integracoes.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='integracoes', 
@@ -8151,7 +26988,7 @@ CONTRACT_0313 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0314 = McpControlContract( +CONTRACT_0587 = McpControlContract( contract_id='integracoes.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='integracoes', @@ -8177,7 +27014,7 @@ CONTRACT_0314 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0315 = McpControlContract( +CONTRACT_0588 = McpControlContract( contract_id='integracoes.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='integracoes', @@ -8203,7 +27040,7 @@ CONTRACT_0315 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0316 = McpControlContract( +CONTRACT_0589 = McpControlContract( contract_id='integracoes.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='integracoes', @@ -8229,7 +27066,7 @@ CONTRACT_0316 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0317 = McpControlContract( +CONTRACT_0590 = McpControlContract( contract_id='integracoes.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='integracoes', @@ -8255,7 +27092,7 @@ CONTRACT_0317 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0318 = McpControlContract( +CONTRACT_0591 = McpControlContract( contract_id='integracoes.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='integracoes', @@ -8281,7 +27118,7 @@ CONTRACT_0318 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0319 = McpControlContract( +CONTRACT_0592 = McpControlContract( contract_id='integracoes.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='integracoes', 
@@ -8307,7 +27144,7 @@ CONTRACT_0319 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0320 = McpControlContract( +CONTRACT_0593 = McpControlContract( contract_id='integracoes.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='integracoes', @@ -8333,7 +27170,7 @@ CONTRACT_0320 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0321 = McpControlContract( +CONTRACT_0594 = McpControlContract( contract_id='integracoes.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='integracoes', 
@@ -8359,7 +27196,2698 @@ CONTRACT_0321 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0322 = McpControlContract( +CONTRACT_0595 = McpControlContract( + contract_id='integracoes.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas 
credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0596 = McpControlContract( + contract_id='integracoes.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 
'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para 
integracoes/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0597 = McpControlContract( + contract_id='integracoes.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.integracoes.administrador_empresa.automation-smoke', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0598 = McpControlContract( + contract_id='integracoes.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), 
+ pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0599 = McpControlContract( + contract_id='integracoes.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.ceo.admin-ui-render', + 
audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0600 = McpControlContract( + contract_id='integracoes.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 
'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/ceo', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0601 = McpControlContract( + contract_id='integracoes.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.gestor_operacional.gpt-execute-probe', + 
audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0602 = McpControlContract( + contract_id='integracoes.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, 
retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0603 = McpControlContract( + contract_id='integracoes.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0604 = McpControlContract( + contract_id='integracoes.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Equipe de suporte usem headers, bearer 
redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra 
cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0605 = McpControlContract( + contract_id='integracoes.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + 
), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0606 = McpControlContract( + contract_id='integracoes.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e 
ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos 
longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0607 = McpControlContract( + contract_id='integracoes.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0608 = McpControlContract( + contract_id='integracoes.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP 
de Integracoes Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem 
persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0609 = McpControlContract( + contract_id='integracoes.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 
'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0610 = McpControlContract( + contract_id='integracoes.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de 
acesso gpt-execute-probe para Integracoes Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar 
WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0611 = McpControlContract( + contract_id='integracoes.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 
'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0612 = McpControlContract( + contract_id='integracoes.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso 
automation-smoke para Integracoes Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de 
erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0613 = McpControlContract( + contract_id='integracoes.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 
'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0614 = McpControlContract( + contract_id='integracoes.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para 
Integracoes Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization 
via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0615 = McpControlContract( + contract_id='integracoes.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', 
+ 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0616 = McpControlContract( + contract_id='integracoes.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Juridico', + purpose='Garantir que 
chamadas GPT/MCP de Integracoes Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 
'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0617 = McpControlContract( + contract_id='integracoes.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0618 = McpControlContract( + contract_id='integracoes.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Juridico 
usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 
'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0619 = McpControlContract( + contract_id='integracoes.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0620 = McpControlContract( + contract_id='integracoes.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Secretaria usem headers, 
bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar 
redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0621 = McpControlContract( + contract_id='integracoes.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0622 = McpControlContract( + contract_id='integracoes.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Tecnico usem headers, bearer 
redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra 
cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0623 = McpControlContract( + contract_id='integracoes.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0624 = McpControlContract( + contract_id='integracoes.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + 
source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar 
rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0625 = McpControlContract( + contract_id='integracoes.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0626 = McpControlContract( + contract_id='integracoes.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Usuario final usem headers, bearer redigido, WAF 
classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, 
bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0627 = McpControlContract( + contract_id='integracoes.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0628 = McpControlContract( + contract_id='integracoes.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para 
Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, 
auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0629 = McpControlContract( + contract_id='integracoes.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', 
+ 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de integracoes/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0630 = McpControlContract( + contract_id='integracoes.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Cliente externo', + purpose='Garantir 
que chamadas GPT/MCP de Integracoes Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef 
sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0631 = McpControlContract( + contract_id='integracoes.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Integracoes Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 
'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de integracoes/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para integracoes/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0632 = McpControlContract( + contract_id='integracoes.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='planejamento_estrategico', + 
tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Integracoes Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar 
admin-ui-render de integracoes/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para integracoes/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0633 = McpControlContract( + contract_id='integracoes.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='integracoes', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Integracoes Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Integracoes Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'integracoesStatus', + 
'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.integracoes.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider integracoes via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de integracoes/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para integracoes/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0634 = 
McpControlContract( contract_id='intelligence.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8385,7 +29913,7 @@ CONTRACT_0322 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0323 = McpControlContract( +CONTRACT_0635 = McpControlContract( contract_id='intelligence.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8411,7 +29939,7 @@ CONTRACT_0323 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0324 = McpControlContract( +CONTRACT_0636 = McpControlContract( contract_id='intelligence.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8437,7 +29965,7 @@ CONTRACT_0324 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0325 = McpControlContract( +CONTRACT_0637 = McpControlContract( contract_id='intelligence.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8463,7 +29991,7 @@ CONTRACT_0325 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0326 = McpControlContract( +CONTRACT_0638 = McpControlContract( contract_id='intelligence.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8489,7 +30017,7 @@ CONTRACT_0326 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0327 = McpControlContract( +CONTRACT_0639 = McpControlContract( contract_id='intelligence.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8515,7 +30043,7 @@ CONTRACT_0327 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0328 = McpControlContract( +CONTRACT_0640 = McpControlContract( contract_id='intelligence.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', 
@@ -8541,7 +30069,7 @@ CONTRACT_0328 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0329 = McpControlContract( +CONTRACT_0641 = McpControlContract( contract_id='intelligence.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8567,7 +30095,7 @@ CONTRACT_0329 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0330 = McpControlContract( +CONTRACT_0642 = McpControlContract( contract_id='intelligence.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8593,7 +30121,7 @@ CONTRACT_0330 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0331 = McpControlContract( +CONTRACT_0643 = McpControlContract( contract_id='intelligence.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8619,7 +30147,7 @@ CONTRACT_0331 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0332 = McpControlContract( +CONTRACT_0644 = McpControlContract( contract_id='intelligence.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8645,7 +30173,7 @@ CONTRACT_0332 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0333 = McpControlContract( +CONTRACT_0645 = McpControlContract( contract_id='intelligence.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', @@ -8671,7 +30199,7 @@ CONTRACT_0333 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0334 = McpControlContract( +CONTRACT_0646 = McpControlContract( contract_id='intelligence.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='intelligence', 
@@ -8697,7 +30225,7 @@ CONTRACT_0334 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0335 = McpControlContract( +CONTRACT_0647 = McpControlContract( contract_id='intelligence.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -8723,7 +30251,7 @@ CONTRACT_0335 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0336 = McpControlContract( +CONTRACT_0648 = McpControlContract( contract_id='intelligence.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -8749,7 +30277,7 @@ CONTRACT_0336 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0337 = McpControlContract( +CONTRACT_0649 = McpControlContract( contract_id='intelligence.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -8775,7 +30303,7 @@ CONTRACT_0337 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0338 = McpControlContract( +CONTRACT_0650 = McpControlContract( contract_id='intelligence.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -8801,7 +30329,7 @@ CONTRACT_0338 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0339 = McpControlContract( +CONTRACT_0651 = McpControlContract( contract_id='intelligence.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -8827,7 +30355,7 @@ CONTRACT_0339 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0340 = McpControlContract( +CONTRACT_0652 = McpControlContract( contract_id='intelligence.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', 
@@ -8853,7 +30381,7 @@ CONTRACT_0340 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0341 = McpControlContract( +CONTRACT_0653 = McpControlContract( contract_id='intelligence.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -8879,7 +30407,7 @@ CONTRACT_0341 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0342 = McpControlContract( +CONTRACT_0654 = McpControlContract( contract_id='intelligence.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -8905,7 +30433,7 @@ CONTRACT_0342 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0343 = McpControlContract( +CONTRACT_0655 = McpControlContract( contract_id='intelligence.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -8931,7 +30459,7 @@ CONTRACT_0343 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0344 = McpControlContract( +CONTRACT_0656 = McpControlContract( contract_id='intelligence.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -8957,7 +30485,7 @@ CONTRACT_0344 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0345 = McpControlContract( +CONTRACT_0657 = McpControlContract( contract_id='intelligence.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -8983,7 +30511,7 @@ CONTRACT_0345 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0346 = McpControlContract( +CONTRACT_0658 = McpControlContract( contract_id='intelligence.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', 
@@ -9009,7 +30537,7 @@ CONTRACT_0346 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0347 = McpControlContract( +CONTRACT_0659 = McpControlContract( contract_id='intelligence.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='intelligence', @@ -9035,7 +30563,7 @@ CONTRACT_0347 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0348 = McpControlContract( +CONTRACT_0660 = McpControlContract( contract_id='intelligence.analytics.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='intelligence', @@ -9061,7 +30589,7 @@ CONTRACT_0348 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0349 = McpControlContract( +CONTRACT_0661 = McpControlContract( contract_id='intelligence.recommendations.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='intelligence', @@ -9087,7 +30615,7 @@ CONTRACT_0349 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0350 = McpControlContract( +CONTRACT_0662 = McpControlContract( contract_id='intelligence.risk.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='intelligence', @@ -9113,7 +30641,7 @@ CONTRACT_0350 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0351 = McpControlContract( +CONTRACT_0663 = McpControlContract( contract_id='intelligence.prioritization.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='intelligence', @@ -9139,7 +30667,7 @@ CONTRACT_0351 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0352 = McpControlContract( +CONTRACT_0664 = McpControlContract( contract_id='intelligence.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='intelligence', 
@@ -9165,7 +30693,7 @@ CONTRACT_0352 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0353 = McpControlContract( +CONTRACT_0665 = McpControlContract( contract_id='intelligence.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='intelligence', @@ -9191,7 +30719,7 @@ CONTRACT_0353 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0354 = McpControlContract( +CONTRACT_0666 = McpControlContract( contract_id='intelligence.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='intelligence', @@ -9217,7 +30745,7 @@ CONTRACT_0354 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0355 = McpControlContract( +CONTRACT_0667 = McpControlContract( contract_id='intelligence.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='intelligence', @@ -9243,7 +30771,7 @@ CONTRACT_0355 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0356 = McpControlContract( +CONTRACT_0668 = McpControlContract( contract_id='intelligence.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='intelligence', @@ -9269,7 +30797,7 @@ CONTRACT_0356 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0357 = McpControlContract( +CONTRACT_0669 = McpControlContract( contract_id='intelligence.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='intelligence', @@ -9295,7 +30823,7 @@ CONTRACT_0357 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0358 = McpControlContract( +CONTRACT_0670 = McpControlContract( contract_id='intelligence.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='intelligence', 
@@ -9321,7 +30849,7 @@ CONTRACT_0358 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0359 = McpControlContract( +CONTRACT_0671 = McpControlContract( contract_id='intelligence.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='intelligence', @@ -9347,7 +30875,7 @@ CONTRACT_0359 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0360 = McpControlContract( +CONTRACT_0672 = McpControlContract( contract_id='intelligence.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='intelligence', 
@@ -9373,7 +30901,2698 @@ CONTRACT_0360 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0361 = McpControlContract( +CONTRACT_0673 = McpControlContract( + contract_id='intelligence.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas 
credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0674 = McpControlContract( + contract_id='intelligence.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 
'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para 
intelligence/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0675 = McpControlContract( + contract_id='intelligence.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + 
report_model_id='access.intelligence.administrador_empresa.automation-smoke', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0676 = McpControlContract( + contract_id='intelligence.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + 
pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0677 = McpControlContract( + contract_id='intelligence.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.ceo.admin-ui-render', + 
audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0678 = McpControlContract( + contract_id='intelligence.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 
'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/ceo', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0679 = McpControlContract( + contract_id='intelligence.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.gestor_operacional.gpt-execute-probe', + 
audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0680 = McpControlContract( + contract_id='intelligence.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, 
retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0681 = McpControlContract( + contract_id='intelligence.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0682 = McpControlContract( + contract_id='intelligence.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Equipe de suporte usem headers, bearer 
redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, 
bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0683 = McpControlContract( + contract_id='intelligence.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + 
), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0684 = McpControlContract( + contract_id='intelligence.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e 
ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos 
longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0685 = McpControlContract( + contract_id='intelligence.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0686 = McpControlContract( + contract_id='intelligence.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de 
Intelligence Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir 
bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0687 = McpControlContract( + contract_id='intelligence.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 
'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0688 = McpControlContract( + contract_id='intelligence.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de 
acesso gpt-execute-probe para Intelligence Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF 
de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0689 = McpControlContract( + contract_id='intelligence.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 
'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0690 = McpControlContract( + contract_id='intelligence.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso 
automation-smoke para Intelligence Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro 
runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0691 = McpControlContract( + contract_id='intelligence.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 
'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0692 = McpControlContract( + contract_id='intelligence.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence 
Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via 
credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0693 = McpControlContract( + contract_id='intelligence.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 
'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0694 = McpControlContract( + contract_id='intelligence.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Juridico', + 
purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir 
bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0695 = McpControlContract( + contract_id='intelligence.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 
'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0696 = McpControlContract( + contract_id='intelligence.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform 
para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e 
responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0697 = McpControlContract( + contract_id='intelligence.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0698 = McpControlContract( + contract_id='intelligence.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Intelligence 
Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash 
e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0699 = McpControlContract( + contract_id='intelligence.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0700 = McpControlContract( + contract_id='intelligence.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform 
para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e 
responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0701 = McpControlContract( + contract_id='intelligence.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0702 = McpControlContract( + contract_id='intelligence.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Tecnico usem headers, bearer redigido, WAF 
classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto 
e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0703 = McpControlContract( + contract_id='intelligence.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + 
), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0704 = McpControlContract( + contract_id='intelligence.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Usuario final usem headers, bearer redigido, WAF 
classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, 
bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0705 = McpControlContract( + contract_id='intelligence.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0706 = McpControlContract( + contract_id='intelligence.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Cliente 
externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, 
requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0707 = McpControlContract( + contract_id='intelligence.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 
'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de intelligence/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0708 = McpControlContract( + contract_id='intelligence.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Cliente externo', + purpose='Garantir que 
chamadas GPT/MCP de Intelligence Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem 
persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0709 = McpControlContract( + contract_id='intelligence.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Intelligence Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 
'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de intelligence/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para intelligence/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0710 = McpControlContract( + contract_id='intelligence.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='planejamento_estrategico', + 
tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Intelligence Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render 
de intelligence/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para intelligence/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0711 = McpControlContract( + contract_id='intelligence.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='intelligence', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Intelligence Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Intelligence Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'intelligenceStatus', + 
'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.BLOCKED, + panel_ready=False, + gpt_explainable=True, + report_model_id='access.intelligence.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider intelligence via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de intelligence/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para intelligence/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0712 = 
McpControlContract( contract_id='mcps.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9399,7 +33618,7 @@ CONTRACT_0361 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0362 = McpControlContract( +CONTRACT_0713 = McpControlContract( contract_id='mcps.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9425,7 +33644,7 @@ CONTRACT_0362 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0363 = McpControlContract( +CONTRACT_0714 = McpControlContract( contract_id='mcps.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9451,7 +33670,7 @@ CONTRACT_0363 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0364 = McpControlContract( +CONTRACT_0715 = McpControlContract( contract_id='mcps.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9477,7 +33696,7 @@ CONTRACT_0364 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0365 = McpControlContract( +CONTRACT_0716 = McpControlContract( contract_id='mcps.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9503,7 +33722,7 @@ CONTRACT_0365 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0366 = McpControlContract( +CONTRACT_0717 = McpControlContract( contract_id='mcps.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9529,7 +33748,7 @@ CONTRACT_0366 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0367 = McpControlContract( +CONTRACT_0718 = McpControlContract( contract_id='mcps.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', 
@@ -9555,7 +33774,7 @@ CONTRACT_0367 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0368 = McpControlContract( +CONTRACT_0719 = McpControlContract( contract_id='mcps.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9581,7 +33800,7 @@ CONTRACT_0368 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0369 = McpControlContract( +CONTRACT_0720 = McpControlContract( contract_id='mcps.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9607,7 +33826,7 @@ CONTRACT_0369 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0370 = McpControlContract( +CONTRACT_0721 = McpControlContract( contract_id='mcps.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9633,7 +33852,7 @@ CONTRACT_0370 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0371 = McpControlContract( +CONTRACT_0722 = McpControlContract( contract_id='mcps.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9659,7 +33878,7 @@ CONTRACT_0371 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0372 = McpControlContract( +CONTRACT_0723 = McpControlContract( contract_id='mcps.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', @@ -9685,7 +33904,7 @@ CONTRACT_0372 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0373 = McpControlContract( +CONTRACT_0724 = McpControlContract( contract_id='mcps.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='mcps', 
@@ -9711,7 +33930,7 @@ CONTRACT_0373 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0374 = McpControlContract( +CONTRACT_0725 = McpControlContract( contract_id='mcps.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -9737,7 +33956,7 @@ CONTRACT_0374 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0375 = McpControlContract( +CONTRACT_0726 = McpControlContract( contract_id='mcps.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -9763,7 +33982,7 @@ CONTRACT_0375 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0376 = McpControlContract( +CONTRACT_0727 = McpControlContract( contract_id='mcps.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -9789,7 +34008,7 @@ CONTRACT_0376 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0377 = McpControlContract( +CONTRACT_0728 = McpControlContract( contract_id='mcps.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -9815,7 +34034,7 @@ CONTRACT_0377 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0378 = McpControlContract( +CONTRACT_0729 = McpControlContract( contract_id='mcps.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -9841,7 +34060,7 @@ CONTRACT_0378 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0379 = McpControlContract( +CONTRACT_0730 = McpControlContract( contract_id='mcps.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', 
@@ -9867,7 +34086,7 @@ CONTRACT_0379 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0380 = McpControlContract( +CONTRACT_0731 = McpControlContract( contract_id='mcps.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -9893,7 +34112,7 @@ CONTRACT_0380 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0381 = McpControlContract( +CONTRACT_0732 = McpControlContract( contract_id='mcps.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -9919,7 +34138,7 @@ CONTRACT_0381 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0382 = McpControlContract( +CONTRACT_0733 = McpControlContract( contract_id='mcps.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -9945,7 +34164,7 @@ CONTRACT_0382 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0383 = McpControlContract( +CONTRACT_0734 = McpControlContract( contract_id='mcps.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -9971,7 +34190,7 @@ CONTRACT_0383 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0384 = McpControlContract( +CONTRACT_0735 = McpControlContract( contract_id='mcps.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -9997,7 +34216,7 @@ CONTRACT_0384 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0385 = McpControlContract( +CONTRACT_0736 = McpControlContract( contract_id='mcps.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', 
@@ -10023,7 +34242,7 @@ CONTRACT_0385 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0386 = McpControlContract( +CONTRACT_0737 = McpControlContract( contract_id='mcps.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='mcps', @@ -10049,7 +34268,7 @@ CONTRACT_0386 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0387 = McpControlContract( +CONTRACT_0738 = McpControlContract( contract_id='mcps.admin-ui.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='mcps', @@ -10075,7 +34294,7 @@ CONTRACT_0387 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0388 = McpControlContract( +CONTRACT_0739 = McpControlContract( contract_id='mcps.tools.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='mcps', @@ -10101,7 +34320,7 @@ CONTRACT_0388 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0389 = McpControlContract( +CONTRACT_0740 = McpControlContract( contract_id='mcps.readiness.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='mcps', @@ -10127,7 +34346,7 @@ CONTRACT_0389 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0390 = McpControlContract( +CONTRACT_0741 = McpControlContract( contract_id='mcps.samesource.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='mcps', @@ -10153,7 +34372,7 @@ CONTRACT_0390 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0391 = McpControlContract( +CONTRACT_0742 = McpControlContract( contract_id='mcps.evidence.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='mcps', @@ -10179,7 +34398,7 @@ CONTRACT_0391 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0392 = McpControlContract( +CONTRACT_0743 = McpControlContract( contract_id='mcps.catalog.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='mcps', 
@@ -10205,7 +34424,7 @@ CONTRACT_0392 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0393 = McpControlContract( +CONTRACT_0744 = McpControlContract( contract_id='mcps.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='mcps', @@ -10231,7 +34450,7 @@ CONTRACT_0393 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0394 = McpControlContract( +CONTRACT_0745 = McpControlContract( contract_id='mcps.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='mcps', @@ -10257,7 +34476,7 @@ CONTRACT_0394 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0395 = McpControlContract( +CONTRACT_0746 = McpControlContract( contract_id='mcps.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='mcps', @@ -10283,7 +34502,7 @@ CONTRACT_0395 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0396 = McpControlContract( +CONTRACT_0747 = McpControlContract( contract_id='mcps.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='mcps', @@ -10309,7 +34528,7 @@ CONTRACT_0396 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0397 = McpControlContract( +CONTRACT_0748 = McpControlContract( contract_id='mcps.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='mcps', @@ -10335,7 +34554,7 @@ CONTRACT_0397 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0398 = McpControlContract( +CONTRACT_0749 = McpControlContract( contract_id='mcps.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='mcps', 
@@ -10361,7 +34580,7 @@ CONTRACT_0398 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0399 = McpControlContract( +CONTRACT_0750 = McpControlContract( contract_id='mcps.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='mcps', @@ -10387,7 +34606,7 @@ CONTRACT_0399 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0400 = McpControlContract( +CONTRACT_0751 = McpControlContract( contract_id='mcps.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='mcps', @@ -10413,7 +34632,7 @@ CONTRACT_0400 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0401 = McpControlContract( +CONTRACT_0752 = McpControlContract( contract_id='mcps.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='mcps', 
@@ -10439,7 +34658,2698 @@ CONTRACT_0401 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0402 = McpControlContract( +CONTRACT_0753 = McpControlContract( + contract_id='mcps.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef 
ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0754 = McpControlContract( + contract_id='mcps.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 
'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/administrador_empresa', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0755 = McpControlContract( + contract_id='mcps.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.administrador_empresa.automation-smoke', + 
audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0756 = McpControlContract( + contract_id='mcps.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + 
required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/ceo', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0757 = McpControlContract( + contract_id='mcps.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 
'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0758 = McpControlContract( + contract_id='mcps.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 
'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 
'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0759 = McpControlContract( + contract_id='mcps.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir 
evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0760 = McpControlContract( + contract_id='mcps.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 
'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 
'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0761 = McpControlContract( + contract_id='mcps.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer 
antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0762 = McpControlContract( + contract_id='mcps.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 
'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 
'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0763 = McpControlContract( + contract_id='mcps.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash 
sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0764 = McpControlContract( + contract_id='mcps.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 
'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0765 = 
McpControlContract( + contract_id='mcps.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao 
provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0766 = McpControlContract( + contract_id='mcps.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 
'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0767 = McpControlContract( + contract_id='mcps.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e 
sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0768 = McpControlContract( + contract_id='mcps.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 
'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0769 = McpControlContract( + contract_id='mcps.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular 
redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0770 = McpControlContract( + contract_id='mcps.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 
'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0771 = McpControlContract( + 
contract_id='mcps.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas 
credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0772 = McpControlContract( + contract_id='mcps.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 
'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0773 = McpControlContract( + contract_id='mcps.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + 
profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/contador por /v1/execute com POST 
application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0774 = McpControlContract( + contract_id='mcps.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 
'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0775 = McpControlContract( + contract_id='mcps.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos 
Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer 
bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0776 = McpControlContract( + contract_id='mcps.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0777 = McpControlContract( + contract_id='mcps.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Secretaria usem headers, bearer 
redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto 
e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0778 = McpControlContract( + contract_id='mcps.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, 
+ panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0779 = McpControlContract( + contract_id='mcps.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + 
pending_if_missing='homologar politica de acesso automation-smoke para mcps/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0780 = McpControlContract( + contract_id='mcps.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.tecnico.gpt-execute-probe', 
+ audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0781 = McpControlContract( + contract_id='mcps.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', 
+ 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/tecnico', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0782 = McpControlContract( + contract_id='mcps.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em 
qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0783 = McpControlContract( + contract_id='mcps.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 
'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0784 = McpControlContract( + contract_id='mcps.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, 
tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0785 = McpControlContract( + contract_id='mcps.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 
'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + 
policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0786 = McpControlContract( + contract_id='mcps.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar 
Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0787 = McpControlContract( + contract_id='mcps.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 
'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + 
policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0788 = McpControlContract( + contract_id='mcps.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar 
Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para mcps/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0789 = McpControlContract( + contract_id='mcps.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para MCPs Internos Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 
'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de mcps/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para mcps/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0790 = McpControlContract( + contract_id='mcps.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para MCPs Internos Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ 
brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de mcps/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para mcps/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0791 = McpControlContract( + contract_id='mcps.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='mcps', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para MCPs Internos Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de MCPs Internos Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 
'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'mcpsStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.mcps.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider mcps via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de mcps/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para 
mcps/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0792 = McpControlContract( contract_id='platform_base.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10465,7 +37375,7 @@ CONTRACT_0402 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0403 = McpControlContract( +CONTRACT_0793 = McpControlContract( contract_id='platform_base.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10491,7 +37401,7 @@ CONTRACT_0403 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0404 = McpControlContract( +CONTRACT_0794 = McpControlContract( contract_id='platform_base.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10517,7 +37427,7 @@ CONTRACT_0404 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0405 = McpControlContract( +CONTRACT_0795 = McpControlContract( contract_id='platform_base.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10543,7 +37453,7 @@ CONTRACT_0405 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0406 = McpControlContract( +CONTRACT_0796 = McpControlContract( contract_id='platform_base.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', 
@@ -10569,7 +37479,7 @@ CONTRACT_0406 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0407 = McpControlContract( +CONTRACT_0797 = McpControlContract( contract_id='platform_base.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10595,7 +37505,7 @@ CONTRACT_0407 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0408 = McpControlContract( +CONTRACT_0798 = McpControlContract( contract_id='platform_base.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10621,7 +37531,7 @@ CONTRACT_0408 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0409 = McpControlContract( +CONTRACT_0799 = McpControlContract( contract_id='platform_base.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10647,7 +37557,7 @@ CONTRACT_0409 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0410 = McpControlContract( +CONTRACT_0800 = McpControlContract( contract_id='platform_base.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10673,7 +37583,7 @@ CONTRACT_0410 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0411 = McpControlContract( +CONTRACT_0801 = McpControlContract( contract_id='platform_base.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10699,7 +37609,7 @@ CONTRACT_0411 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0412 = McpControlContract( +CONTRACT_0802 = McpControlContract( contract_id='platform_base.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', 
@@ -10725,7 +37635,7 @@ CONTRACT_0412 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0413 = McpControlContract( +CONTRACT_0803 = McpControlContract( contract_id='platform_base.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10751,7 +37661,7 @@ CONTRACT_0413 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0414 = McpControlContract( +CONTRACT_0804 = McpControlContract( contract_id='platform_base.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='platform_base', @@ -10777,7 +37687,7 @@ CONTRACT_0414 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0415 = McpControlContract( +CONTRACT_0805 = McpControlContract( contract_id='platform_base.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -10803,7 +37713,7 @@ CONTRACT_0415 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0416 = McpControlContract( +CONTRACT_0806 = McpControlContract( contract_id='platform_base.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -10829,7 +37739,7 @@ CONTRACT_0416 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0417 = McpControlContract( +CONTRACT_0807 = McpControlContract( contract_id='platform_base.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -10855,7 +37765,7 @@ CONTRACT_0417 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0418 = McpControlContract( +CONTRACT_0808 = McpControlContract( contract_id='platform_base.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', 
@@ -10881,7 +37791,7 @@ CONTRACT_0418 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0419 = McpControlContract( +CONTRACT_0809 = McpControlContract( contract_id='platform_base.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -10907,7 +37817,7 @@ CONTRACT_0419 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0420 = McpControlContract( +CONTRACT_0810 = McpControlContract( contract_id='platform_base.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -10933,7 +37843,7 @@ CONTRACT_0420 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0421 = McpControlContract( +CONTRACT_0811 = McpControlContract( contract_id='platform_base.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -10959,7 +37869,7 @@ CONTRACT_0421 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0422 = McpControlContract( +CONTRACT_0812 = McpControlContract( contract_id='platform_base.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -10985,7 +37895,7 @@ CONTRACT_0422 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0423 = McpControlContract( +CONTRACT_0813 = McpControlContract( contract_id='platform_base.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -11011,7 +37921,7 @@ CONTRACT_0423 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0424 = McpControlContract( +CONTRACT_0814 = McpControlContract( contract_id='platform_base.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', 
@@ -11037,7 +37947,7 @@ CONTRACT_0424 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0425 = McpControlContract( +CONTRACT_0815 = McpControlContract( contract_id='platform_base.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -11063,7 +37973,7 @@ CONTRACT_0425 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0426 = McpControlContract( +CONTRACT_0816 = McpControlContract( contract_id='platform_base.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -11089,7 +37999,7 @@ CONTRACT_0426 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0427 = McpControlContract( +CONTRACT_0817 = McpControlContract( contract_id='platform_base.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='platform_base', @@ -11115,7 +38025,7 @@ CONTRACT_0427 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0428 = McpControlContract( +CONTRACT_0818 = McpControlContract( contract_id='platform_base.templates.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='platform_base', @@ -11141,7 +38051,7 @@ CONTRACT_0428 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0429 = McpControlContract( +CONTRACT_0819 = McpControlContract( contract_id='platform_base.standards.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='platform_base', @@ -11167,7 +38077,7 @@ CONTRACT_0429 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0430 = McpControlContract( +CONTRACT_0820 = McpControlContract( contract_id='platform_base.contracts.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='platform_base', 
@@ -11193,7 +38103,7 @@ CONTRACT_0430 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0431 = McpControlContract( +CONTRACT_0821 = McpControlContract( contract_id='platform_base.shared-runtime.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='platform_base', @@ -11219,7 +38129,7 @@ CONTRACT_0431 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0432 = McpControlContract( +CONTRACT_0822 = McpControlContract( contract_id='platform_base.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='platform_base', @@ -11245,7 +38155,7 @@ CONTRACT_0432 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0433 = McpControlContract( +CONTRACT_0823 = McpControlContract( contract_id='platform_base.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='platform_base', @@ -11271,7 +38181,7 @@ CONTRACT_0433 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0434 = McpControlContract( +CONTRACT_0824 = McpControlContract( contract_id='platform_base.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='platform_base', @@ -11297,7 +38207,7 @@ CONTRACT_0434 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0435 = McpControlContract( +CONTRACT_0825 = McpControlContract( contract_id='platform_base.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='platform_base', @@ -11323,7 +38233,7 @@ CONTRACT_0435 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0436 = McpControlContract( +CONTRACT_0826 = McpControlContract( contract_id='platform_base.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='platform_base', 
@@ -11349,7 +38259,7 @@ CONTRACT_0436 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0437 = McpControlContract( +CONTRACT_0827 = McpControlContract( contract_id='platform_base.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='platform_base', @@ -11375,7 +38285,7 @@ CONTRACT_0437 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0438 = McpControlContract( +CONTRACT_0828 = McpControlContract( contract_id='platform_base.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='platform_base', @@ -11401,7 +38311,7 @@ CONTRACT_0438 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0439 = McpControlContract( +CONTRACT_0829 = McpControlContract( contract_id='platform_base.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='platform_base', @@ -11427,7 +38337,7 @@ CONTRACT_0439 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0440 = McpControlContract( +CONTRACT_0830 = McpControlContract( contract_id='platform_base.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='platform_base', 
@@ -11453,7 +38363,2698 @@ CONTRACT_0440 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0441 = McpControlContract( +CONTRACT_0831 = McpControlContract( + contract_id='platform_base.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, 
tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0832 = McpControlContract( + contract_id='platform_base.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 
'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/administrador_empresa', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0833 = McpControlContract( + contract_id='platform_base.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.administrador_empresa.automation-smoke', 
+ audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0834 = McpControlContract( + contract_id='platform_base.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e CEO', + purpose='Garantir que chamadas GPT/MCP de Platform Base para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso 
gpt-execute-probe para platform_base/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0835 = McpControlContract( + contract_id='platform_base.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e CEO', + purpose='Garantir que chamadas GPT/MCP de Platform Base para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + 
redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0836 = McpControlContract( + contract_id='platform_base.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e CEO', + purpose='Garantir que chamadas GPT/MCP de Platform Base para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 
'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0837 = McpControlContract( + contract_id='platform_base.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer 
artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0838 = McpControlContract( + contract_id='platform_base.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 
'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para 
platform_base/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0839 = McpControlContract( + contract_id='platform_base.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.platform_base.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0840 = McpControlContract( + contract_id='platform_base.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + 
source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate 
limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0841 = McpControlContract( + contract_id='platform_base.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + 
gpt_explainable=True, + report_model_id='access.platform_base.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0842 = McpControlContract( + contract_id='platform_base.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF 
no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0843 = McpControlContract( + contract_id='platform_base.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, 
+ gpt_explainable=True, + report_model_id='access.platform_base.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0844 = McpControlContract( + contract_id='platform_base.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, 
hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra 
cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0845 = McpControlContract( + contract_id='platform_base.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0846 = McpControlContract( + contract_id='platform_base.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Financeiro', + purpose='Garantir que chamadas 
GPT/MCP de Platform Base para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar 
traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0847 = McpControlContract( + contract_id='platform_base.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0848 = McpControlContract( + contract_id='platform_base.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Financeiro 
usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 
'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0849 = McpControlContract( + contract_id='platform_base.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Contador', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0850 = McpControlContract( + contract_id='platform_base.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Contador', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Contador usem headers, bearer redigido, WAF 
classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e 
tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0851 = McpControlContract( + contract_id='platform_base.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Contador', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + 
panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0852 = McpControlContract( + contract_id='platform_base.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Juridico', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + 
source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar 
rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0853 = McpControlContract( + contract_id='platform_base.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Juridico', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + 
gpt_explainable=True, + report_model_id='access.platform_base.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0854 = McpControlContract( + contract_id='platform_base.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Juridico', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF 
no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0855 = McpControlContract( + contract_id='platform_base.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.platform_base.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0856 = McpControlContract( + contract_id='platform_base.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao 
WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0857 = McpControlContract( + contract_id='platform_base.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.platform_base.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0858 = McpControlContract( + contract_id='platform_base.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF 
no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0859 = McpControlContract( + contract_id='platform_base.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.platform_base.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0860 = McpControlContract( + contract_id='platform_base.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de 
acesso automation-smoke para platform_base/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0861 = McpControlContract( + contract_id='platform_base.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.platform_base.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0862 = McpControlContract( + contract_id='platform_base.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e 
decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0863 = McpControlContract( + contract_id='platform_base.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, 
+ report_model_id='access.platform_base.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0864 = McpControlContract( + contract_id='platform_base.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, 
+ source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, 
retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0865 = McpControlContract( + contract_id='platform_base.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + 
panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0866 = McpControlContract( + contract_id='platform_base.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger 
auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e 
tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0867 = McpControlContract( + contract_id='platform_base.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Platform Base e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de platform_base/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para platform_base/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0868 = McpControlContract( + contract_id='platform_base.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Platform Base e 
Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de platform_base/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar 
WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para platform_base/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0869 = McpControlContract( + contract_id='platform_base.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='platform_base', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Platform Base e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Platform Base para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'platform_baseStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 
'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.DERIVED, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.platform_base.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider platform_base via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de platform_base/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para platform_base/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0870 = McpControlContract( contract_id='public.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', 
@@ -11479,7 +41080,7 @@ CONTRACT_0441 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0442 = McpControlContract( +CONTRACT_0871 = McpControlContract( contract_id='public.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', @@ -11505,7 +41106,7 @@ CONTRACT_0442 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0443 = McpControlContract( +CONTRACT_0872 = McpControlContract( contract_id='public.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', @@ -11531,7 +41132,7 @@ CONTRACT_0443 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0444 = McpControlContract( +CONTRACT_0873 = McpControlContract( contract_id='public.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', @@ -11557,7 +41158,7 @@ CONTRACT_0444 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0445 = McpControlContract( +CONTRACT_0874 = McpControlContract( contract_id='public.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', @@ -11583,7 +41184,7 @@ CONTRACT_0445 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0446 = McpControlContract( +CONTRACT_0875 = McpControlContract( contract_id='public.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', @@ -11609,7 +41210,7 @@ CONTRACT_0446 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0447 = McpControlContract( +CONTRACT_0876 = McpControlContract( contract_id='public.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', 
@@ -11635,7 +41236,7 @@ CONTRACT_0447 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0448 = McpControlContract( +CONTRACT_0877 = McpControlContract( contract_id='public.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', @@ -11661,7 +41262,7 @@ CONTRACT_0448 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0449 = McpControlContract( +CONTRACT_0878 = McpControlContract( contract_id='public.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', @@ -11687,7 +41288,7 @@ CONTRACT_0449 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0450 = McpControlContract( +CONTRACT_0879 = McpControlContract( contract_id='public.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', @@ -11713,7 +41314,7 @@ CONTRACT_0450 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0451 = McpControlContract( +CONTRACT_0880 = McpControlContract( contract_id='public.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', @@ -11739,7 +41340,7 @@ CONTRACT_0451 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0452 = McpControlContract( +CONTRACT_0881 = McpControlContract( contract_id='public.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', @@ -11765,7 +41366,7 @@ CONTRACT_0452 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0453 = McpControlContract( +CONTRACT_0882 = McpControlContract( contract_id='public.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='public', 
@@ -11791,7 +41392,7 @@ CONTRACT_0453 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0454 = McpControlContract( +CONTRACT_0883 = McpControlContract( contract_id='public.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -11817,7 +41418,7 @@ CONTRACT_0454 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0455 = McpControlContract( +CONTRACT_0884 = McpControlContract( contract_id='public.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -11843,7 +41444,7 @@ CONTRACT_0455 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0456 = McpControlContract( +CONTRACT_0885 = McpControlContract( contract_id='public.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -11869,7 +41470,7 @@ CONTRACT_0456 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0457 = McpControlContract( +CONTRACT_0886 = McpControlContract( contract_id='public.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -11895,7 +41496,7 @@ CONTRACT_0457 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0458 = McpControlContract( +CONTRACT_0887 = McpControlContract( contract_id='public.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -11921,7 +41522,7 @@ CONTRACT_0458 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0459 = McpControlContract( +CONTRACT_0888 = McpControlContract( contract_id='public.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', 
@@ -11947,7 +41548,7 @@ CONTRACT_0459 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0460 = McpControlContract( +CONTRACT_0889 = McpControlContract( contract_id='public.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -11973,7 +41574,7 @@ CONTRACT_0460 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0461 = McpControlContract( +CONTRACT_0890 = McpControlContract( contract_id='public.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -11999,7 +41600,7 @@ CONTRACT_0461 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0462 = McpControlContract( +CONTRACT_0891 = McpControlContract( contract_id='public.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -12025,7 +41626,7 @@ CONTRACT_0462 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0463 = McpControlContract( +CONTRACT_0892 = McpControlContract( contract_id='public.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -12051,7 +41652,7 @@ CONTRACT_0463 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0464 = McpControlContract( +CONTRACT_0893 = McpControlContract( contract_id='public.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -12077,7 +41678,7 @@ CONTRACT_0464 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0465 = McpControlContract( +CONTRACT_0894 = McpControlContract( contract_id='public.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', 
@@ -12103,7 +41704,7 @@ CONTRACT_0465 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0466 = McpControlContract( +CONTRACT_0895 = McpControlContract( contract_id='public.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='public', @@ -12129,7 +41730,7 @@ CONTRACT_0466 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0467 = McpControlContract( +CONTRACT_0896 = McpControlContract( contract_id='public.landing.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='public', @@ -12155,7 +41756,7 @@ CONTRACT_0467 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0468 = McpControlContract( +CONTRACT_0897 = McpControlContract( contract_id='public.onboarding.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='public', @@ -12181,7 +41782,7 @@ CONTRACT_0468 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0469 = McpControlContract( +CONTRACT_0898 = McpControlContract( contract_id='public.public-docs.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='public', @@ -12207,7 +41808,7 @@ CONTRACT_0469 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0470 = McpControlContract( +CONTRACT_0899 = McpControlContract( contract_id='public.status.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='public', @@ -12233,7 +41834,7 @@ CONTRACT_0470 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0471 = McpControlContract( +CONTRACT_0900 = McpControlContract( contract_id='public.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='public', 
@@ -12259,7 +41860,7 @@ CONTRACT_0471 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0472 = McpControlContract( +CONTRACT_0901 = McpControlContract( contract_id='public.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='public', @@ -12285,7 +41886,7 @@ CONTRACT_0472 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0473 = McpControlContract( +CONTRACT_0902 = McpControlContract( contract_id='public.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='public', @@ -12311,7 +41912,7 @@ CONTRACT_0473 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0474 = McpControlContract( +CONTRACT_0903 = McpControlContract( contract_id='public.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='public', @@ -12337,7 +41938,7 @@ CONTRACT_0474 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0475 = McpControlContract( +CONTRACT_0904 = McpControlContract( contract_id='public.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='public', @@ -12363,7 +41964,7 @@ CONTRACT_0475 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0476 = McpControlContract( +CONTRACT_0905 = McpControlContract( contract_id='public.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='public', @@ -12389,7 +41990,7 @@ CONTRACT_0476 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0477 = McpControlContract( +CONTRACT_0906 = McpControlContract( contract_id='public.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='public', 
@@ -12415,7 +42016,7 @@ CONTRACT_0477 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0478 = McpControlContract( +CONTRACT_0907 = McpControlContract( contract_id='public.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='public', @@ -12441,7 +42042,7 @@ CONTRACT_0478 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0479 = McpControlContract( +CONTRACT_0908 = McpControlContract( contract_id='public.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='public', 
@@ -12467,7 +42068,2698 @@ CONTRACT_0479 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0480 = McpControlContract( +CONTRACT_0909 = McpControlContract( + contract_id='public.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou 
secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0910 = McpControlContract( + contract_id='public.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 
'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/administrador_empresa', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0911 = McpControlContract( + contract_id='public.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.administrador_empresa.automation-smoke', + 
audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0912 = McpControlContract( + contract_id='public.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Public Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( 
+ 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/ceo', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0913 = McpControlContract( + contract_id='public.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Public Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir 
apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0914 = McpControlContract( + contract_id='public.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de Public Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 
'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + 
maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0915 = McpControlContract( + contract_id='public.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar 
sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0916 = McpControlContract( + contract_id='public.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 
'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 
'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0917 = McpControlContract( + contract_id='public.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar 
sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0918 = McpControlContract( + contract_id='public.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 
'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0919 = McpControlContract( + contract_id='public.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao 
provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0920 = McpControlContract( + contract_id='public.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 
'humanNextAction', + 'publicStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0921 = McpControlContract( + 
contract_id='public.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear 
persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0922 = McpControlContract( + contract_id='public.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', 
+ 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + 
+CONTRACT_0923 = McpControlContract( + contract_id='public.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao 
provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0924 = McpControlContract( + contract_id='public.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 
'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0925 = 
McpControlContract( + contract_id='public.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 
'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0926 = McpControlContract( + contract_id='public.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'financeiroNeed', + 'automation-smokeState', + 
'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0927 = McpControlContract( + contract_id='public.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + 
platform_id='public', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/contador por 
/v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0928 = McpControlContract( + contract_id='public.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 
'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0929 = McpControlContract( + contract_id='public.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke 
para Public Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem 
persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0930 = McpControlContract( + contract_id='public.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 
'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0931 = McpControlContract( + contract_id='public.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Juridico usem headers, bearer redigido, WAF 
classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos 
longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0932 = McpControlContract( + contract_id='public.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + 
gpt_explainable=True, + report_model_id='access.public.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0933 = McpControlContract( + contract_id='public.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + 
pending_if_missing='homologar politica de acesso gpt-execute-probe para public/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0934 = McpControlContract( + contract_id='public.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.public.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0935 = McpControlContract( + contract_id='public.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso 
automation-smoke para public/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0936 = McpControlContract( + contract_id='public.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + 
redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0937 = McpControlContract( + contract_id='public.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 
'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0938 = McpControlContract( + contract_id='public.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 
'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0939 = McpControlContract( + contract_id='public.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 
'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 
'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0940 = McpControlContract( + contract_id='public.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar 
sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0941 = McpControlContract( + contract_id='public.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 
'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0942 = McpControlContract( + contract_id='public.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload 
sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0943 = McpControlContract( + contract_id='public.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 
'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0944 = McpControlContract( + contract_id='public.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel 
bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0945 = McpControlContract( + contract_id='public.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para Public Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 
'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de public/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para public/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 
'gpt-execute-probe'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0946 = McpControlContract( + contract_id='public.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para Public Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de 
persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de public/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para public/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0947 = McpControlContract( + contract_id='public.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='public', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para Public Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de Public Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', 
+ 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'publicStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.public.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider public via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de public/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para public/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=8, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0948 = McpControlContract( contract_id='stj.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12493,7 +44785,7 @@ CONTRACT_0480 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0481 = McpControlContract( +CONTRACT_0949 = McpControlContract( contract_id='stj.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12519,7 +44811,7 @@ CONTRACT_0481 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0482 = McpControlContract( +CONTRACT_0950 = McpControlContract( contract_id='stj.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12545,7 +44837,7 @@ CONTRACT_0482 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0483 = McpControlContract( +CONTRACT_0951 = McpControlContract( contract_id='stj.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12571,7 +44863,7 @@ CONTRACT_0483 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0484 = McpControlContract( +CONTRACT_0952 = McpControlContract( contract_id='stj.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12597,7 +44889,7 @@ CONTRACT_0484 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0485 = McpControlContract( +CONTRACT_0953 = McpControlContract( contract_id='stj.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', 
@@ -12623,7 +44915,7 @@ CONTRACT_0485 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0486 = McpControlContract( +CONTRACT_0954 = McpControlContract( contract_id='stj.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12649,7 +44941,7 @@ CONTRACT_0486 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0487 = McpControlContract( +CONTRACT_0955 = McpControlContract( contract_id='stj.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12675,7 +44967,7 @@ CONTRACT_0487 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0488 = McpControlContract( +CONTRACT_0956 = McpControlContract( contract_id='stj.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12701,7 +44993,7 @@ CONTRACT_0488 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0489 = McpControlContract( +CONTRACT_0957 = McpControlContract( contract_id='stj.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12727,7 +45019,7 @@ CONTRACT_0489 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0490 = McpControlContract( +CONTRACT_0958 = McpControlContract( contract_id='stj.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12753,7 +45045,7 @@ CONTRACT_0490 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0491 = McpControlContract( +CONTRACT_0959 = McpControlContract( contract_id='stj.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', 
@@ -12779,7 +45071,7 @@ CONTRACT_0491 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0492 = McpControlContract( +CONTRACT_0960 = McpControlContract( contract_id='stj.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='stj', @@ -12805,7 +45097,7 @@ CONTRACT_0492 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0493 = McpControlContract( +CONTRACT_0961 = McpControlContract( contract_id='stj.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -12831,7 +45123,7 @@ CONTRACT_0493 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0494 = McpControlContract( +CONTRACT_0962 = McpControlContract( contract_id='stj.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -12857,7 +45149,7 @@ CONTRACT_0494 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0495 = McpControlContract( +CONTRACT_0963 = McpControlContract( contract_id='stj.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -12883,7 +45175,7 @@ CONTRACT_0495 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0496 = McpControlContract( +CONTRACT_0964 = McpControlContract( contract_id='stj.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -12909,7 +45201,7 @@ CONTRACT_0496 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0497 = McpControlContract( +CONTRACT_0965 = McpControlContract( contract_id='stj.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', 
@@ -12935,7 +45227,7 @@ CONTRACT_0497 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0498 = McpControlContract( +CONTRACT_0966 = McpControlContract( contract_id='stj.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -12961,7 +45253,7 @@ CONTRACT_0498 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0499 = McpControlContract( +CONTRACT_0967 = McpControlContract( contract_id='stj.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -12987,7 +45279,7 @@ CONTRACT_0499 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0500 = McpControlContract( +CONTRACT_0968 = McpControlContract( contract_id='stj.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -13013,7 +45305,7 @@ CONTRACT_0500 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0501 = McpControlContract( +CONTRACT_0969 = McpControlContract( contract_id='stj.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -13039,7 +45331,7 @@ CONTRACT_0501 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0502 = McpControlContract( +CONTRACT_0970 = McpControlContract( contract_id='stj.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -13065,7 +45357,7 @@ CONTRACT_0502 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0503 = McpControlContract( +CONTRACT_0971 = McpControlContract( contract_id='stj.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', 
@@ -13091,7 +45383,7 @@ CONTRACT_0503 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0504 = McpControlContract( +CONTRACT_0972 = McpControlContract( contract_id='stj.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -13117,7 +45409,7 @@ CONTRACT_0504 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0505 = McpControlContract( +CONTRACT_0973 = McpControlContract( contract_id='stj.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='stj', @@ -13143,7 +45435,7 @@ CONTRACT_0505 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0506 = McpControlContract( +CONTRACT_0974 = McpControlContract( contract_id='stj.process-query.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='stj', @@ -13169,7 +45461,7 @@ CONTRACT_0506 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0507 = McpControlContract( +CONTRACT_0975 = McpControlContract( contract_id='stj.monitoring.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='stj', @@ -13195,7 +45487,7 @@ CONTRACT_0507 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0508 = McpControlContract( +CONTRACT_0976 = McpControlContract( contract_id='stj.public-documents.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='stj', @@ -13221,7 +45513,7 @@ CONTRACT_0508 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0509 = McpControlContract( +CONTRACT_0977 = McpControlContract( contract_id='stj.legal-readiness.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='stj', 
@@ -13247,7 +45539,7 @@ CONTRACT_0509 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0510 = McpControlContract( +CONTRACT_0978 = McpControlContract( contract_id='stj.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='stj', @@ -13273,7 +45565,7 @@ CONTRACT_0510 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0511 = McpControlContract( +CONTRACT_0979 = McpControlContract( contract_id='stj.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='stj', @@ -13299,7 +45591,7 @@ CONTRACT_0511 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0512 = McpControlContract( +CONTRACT_0980 = McpControlContract( contract_id='stj.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='stj', @@ -13325,7 +45617,7 @@ CONTRACT_0512 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0513 = McpControlContract( +CONTRACT_0981 = McpControlContract( contract_id='stj.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='stj', @@ -13351,7 +45643,7 @@ CONTRACT_0513 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0514 = McpControlContract( +CONTRACT_0982 = McpControlContract( contract_id='stj.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='stj', @@ -13377,7 +45669,7 @@ CONTRACT_0514 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0515 = McpControlContract( +CONTRACT_0983 = McpControlContract( contract_id='stj.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='stj', 
@@ -13403,7 +45695,7 @@ CONTRACT_0515 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0516 = McpControlContract( +CONTRACT_0984 = McpControlContract( contract_id='stj.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='stj', @@ -13429,7 +45721,7 @@ CONTRACT_0516 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0517 = McpControlContract( +CONTRACT_0985 = McpControlContract( contract_id='stj.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='stj', @@ -13455,7 +45747,7 @@ CONTRACT_0517 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0518 = McpControlContract( +CONTRACT_0986 = McpControlContract( contract_id='stj.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='stj', 
@@ -13481,7 +45773,2698 @@ CONTRACT_0518 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0519 = McpControlContract( +CONTRACT_0987 = McpControlContract( + contract_id='stj.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 
'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0988 = McpControlContract( + contract_id='stj.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 
'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0989 = McpControlContract( + contract_id='stj.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.administrador_empresa.automation-smoke', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato 
humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0990 = McpControlContract( + contract_id='stj.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 
'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 
'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0991 = McpControlContract( + contract_id='stj.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao 
provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0992 = McpControlContract( + contract_id='stj.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'ceoNeed', + 
'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0993 = McpControlContract( + contract_id='stj.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, 
+ platform_id='stj', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar 
gpt-execute-probe de stj/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0994 = McpControlContract( + contract_id='stj.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', 
+ 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0995 = McpControlContract( + contract_id='stj.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + 
profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de 
stj/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0996 = McpControlContract( + contract_id='stj.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 
'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0997 = McpControlContract( + contract_id='stj.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso 
admin-ui-render para STJ Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via 
credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0998 = McpControlContract( + contract_id='stj.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', 
+ 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_0999 = McpControlContract( + contract_id='stj.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Atendimento ao cliente usem 
headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar 
redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1000 = McpControlContract( + contract_id='stj.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1001 = McpControlContract( + contract_id='stj.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Atendimento ao cliente usem headers, bearer 
redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra 
cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1002 = McpControlContract( + contract_id='stj.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1003 = McpControlContract( + contract_id='stj.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + 
source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + 
pending_if_missing='homologar politica de acesso admin-ui-render para stj/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1004 = McpControlContract( + contract_id='stj.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.financeiro.automation-smoke', + 
audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1005 = McpControlContract( + contract_id='stj.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', 
+ 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1006 = McpControlContract( + contract_id='stj.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar 
Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1007 = McpControlContract( + contract_id='stj.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 
'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1008 = McpControlContract( + contract_id='stj.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 
'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1009 = McpControlContract( + contract_id='stj.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'juridicoNeed', + 
'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1010 = McpControlContract( + contract_id='stj.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + 
platform_id='stj', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/juridico por /v1/execute com POST 
application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1011 = McpControlContract( + contract_id='stj.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 
'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1012 = McpControlContract( + contract_id='stj.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e 
Secretaria', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar 
traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1013 = McpControlContract( + contract_id='stj.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1014 = McpControlContract( + contract_id='stj.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + 
source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e 
decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1015 = McpControlContract( + contract_id='stj.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.tecnico.admin-ui-render', + 
audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1016 = McpControlContract( + contract_id='stj.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 
'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', 
'0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1017 = McpControlContract( + contract_id='stj.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou 
secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1018 = McpControlContract( + contract_id='stj.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 
'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 
'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1019 = McpControlContract( + contract_id='stj.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e 
sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1020 = McpControlContract( + contract_id='stj.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 
'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1021 = McpControlContract( + contract_id='stj.cliente_externo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular 
redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1022 = McpControlContract( + contract_id='stj.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 
'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1023 = 
McpControlContract( + contract_id='stj.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para STJ Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj 
via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de stj/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para stj/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1024 = McpControlContract( + contract_id='stj.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para STJ Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 
'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de stj/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para stj/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=7, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1025 = McpControlContract( + contract_id='stj.planejamento_estrategico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='stj', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para STJ Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de STJ Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'stjStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.RESPONSE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.stj.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e 
sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider stj via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de stj/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para stj/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=7, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1026 = McpControlContract( contract_id='ui.administrador_empresa.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13507,7 +48490,7 @@ CONTRACT_0519 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0520 = McpControlContract( +CONTRACT_1027 = McpControlContract( contract_id='ui.ceo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13533,7 +48516,7 @@ CONTRACT_0520 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0521 = McpControlContract( +CONTRACT_1028 = McpControlContract( contract_id='ui.gestor_operacional.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', 
@@ -13559,7 +48542,7 @@ CONTRACT_0521 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0522 = McpControlContract( +CONTRACT_1029 = McpControlContract( contract_id='ui.suporte.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13585,7 +48568,7 @@ CONTRACT_0522 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0523 = McpControlContract( +CONTRACT_1030 = McpControlContract( contract_id='ui.atendimento_cliente.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13611,7 +48594,7 @@ CONTRACT_0523 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0524 = McpControlContract( +CONTRACT_1031 = McpControlContract( contract_id='ui.financeiro.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13637,7 +48620,7 @@ CONTRACT_0524 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0525 = McpControlContract( +CONTRACT_1032 = McpControlContract( contract_id='ui.contador.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13663,7 +48646,7 @@ CONTRACT_0525 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0526 = McpControlContract( +CONTRACT_1033 = McpControlContract( contract_id='ui.juridico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13689,7 +48672,7 @@ CONTRACT_0526 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0527 = McpControlContract( +CONTRACT_1034 = McpControlContract( contract_id='ui.secretaria.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', 
@@ -13715,7 +48698,7 @@ CONTRACT_0527 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0528 = McpControlContract( +CONTRACT_1035 = McpControlContract( contract_id='ui.tecnico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13741,7 +48724,7 @@ CONTRACT_0528 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0529 = McpControlContract( +CONTRACT_1036 = McpControlContract( contract_id='ui.usuario_final.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13767,7 +48750,7 @@ CONTRACT_0529 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0530 = McpControlContract( +CONTRACT_1037 = McpControlContract( contract_id='ui.cliente_externo.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13793,7 +48776,7 @@ CONTRACT_0530 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0531 = McpControlContract( +CONTRACT_1038 = McpControlContract( contract_id='ui.planejamento_estrategico.provider-tool', kind=McpContractKind.PROVIDER_TOOL, platform_id='ui', @@ -13819,7 +48802,7 @@ CONTRACT_0531 = McpControlContract( generated_from='platform_profile_provider_contract', ) -CONTRACT_0532 = McpControlContract( +CONTRACT_1039 = McpControlContract( contract_id='ui.administrador_empresa.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -13845,7 +48828,7 @@ CONTRACT_0532 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0533 = McpControlContract( +CONTRACT_1040 = McpControlContract( contract_id='ui.ceo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', 
@@ -13871,7 +48854,7 @@ CONTRACT_0533 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0534 = McpControlContract( +CONTRACT_1041 = McpControlContract( contract_id='ui.gestor_operacional.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -13897,7 +48880,7 @@ CONTRACT_0534 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0535 = McpControlContract( +CONTRACT_1042 = McpControlContract( contract_id='ui.suporte.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -13923,7 +48906,7 @@ CONTRACT_0535 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0536 = McpControlContract( +CONTRACT_1043 = McpControlContract( contract_id='ui.atendimento_cliente.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -13949,7 +48932,7 @@ CONTRACT_0536 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0537 = McpControlContract( +CONTRACT_1044 = McpControlContract( contract_id='ui.financeiro.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -13975,7 +48958,7 @@ CONTRACT_0537 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0538 = McpControlContract( +CONTRACT_1045 = McpControlContract( contract_id='ui.contador.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -14001,7 +48984,7 @@ CONTRACT_0538 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0539 = McpControlContract( +CONTRACT_1046 = McpControlContract( contract_id='ui.juridico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', 
@@ -14027,7 +49010,7 @@ CONTRACT_0539 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0540 = McpControlContract( +CONTRACT_1047 = McpControlContract( contract_id='ui.secretaria.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -14053,7 +49036,7 @@ CONTRACT_0540 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0541 = McpControlContract( +CONTRACT_1048 = McpControlContract( contract_id='ui.tecnico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -14079,7 +49062,7 @@ CONTRACT_0541 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0542 = McpControlContract( +CONTRACT_1049 = McpControlContract( contract_id='ui.usuario_final.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -14105,7 +49088,7 @@ CONTRACT_0542 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0543 = McpControlContract( +CONTRACT_1050 = McpControlContract( contract_id='ui.cliente_externo.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -14131,7 +49114,7 @@ CONTRACT_0543 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0544 = McpControlContract( +CONTRACT_1051 = McpControlContract( contract_id='ui.planejamento_estrategico.report-model', kind=McpContractKind.REPORT_MODEL, platform_id='ui', @@ -14157,7 +49140,7 @@ CONTRACT_0544 = McpControlContract( generated_from='platform_profile_report_model_contract', ) -CONTRACT_0545 = McpControlContract( +CONTRACT_1052 = McpControlContract( contract_id='ui.design-system.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='ui', 
@@ -14183,7 +49166,7 @@ CONTRACT_0545 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0546 = McpControlContract( +CONTRACT_1053 = McpControlContract( contract_id='ui.screen-contract.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='ui', @@ -14209,7 +49192,7 @@ CONTRACT_0546 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0547 = McpControlContract( +CONTRACT_1054 = McpControlContract( contract_id='ui.pwa.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='ui', @@ -14235,7 +49218,7 @@ CONTRACT_0547 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0548 = McpControlContract( +CONTRACT_1055 = McpControlContract( contract_id='ui.panelready.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='ui', @@ -14261,7 +49244,7 @@ CONTRACT_0548 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0549 = McpControlContract( +CONTRACT_1056 = McpControlContract( contract_id='ui.samesource.ui-screen', kind=McpContractKind.UI_SCREEN, platform_id='ui', @@ -14287,7 +49270,7 @@ CONTRACT_0549 = McpControlContract( generated_from='platform_surface_ui_contract', ) -CONTRACT_0550 = McpControlContract( +CONTRACT_1057 = McpControlContract( contract_id='ui.consulta.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='ui', @@ -14313,7 +49296,7 @@ CONTRACT_0550 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0551 = McpControlContract( +CONTRACT_1058 = McpControlContract( contract_id='ui.diagnostico.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='ui', @@ -14339,7 +49322,7 @@ CONTRACT_0551 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0552 = McpControlContract( +CONTRACT_1059 = McpControlContract( contract_id='ui.acao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='ui', 
@@ -14365,7 +49348,7 @@ CONTRACT_0552 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0553 = McpControlContract( +CONTRACT_1060 = McpControlContract( contract_id='ui.auditoria.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='ui', @@ -14391,7 +49374,7 @@ CONTRACT_0553 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0554 = McpControlContract( +CONTRACT_1061 = McpControlContract( contract_id='ui.explicacao.transit-policy', kind=McpContractKind.TRANSIT_POLICY, platform_id='ui', @@ -14417,7 +49400,7 @@ CONTRACT_0554 = McpControlContract( generated_from='platform_transit_policy_contract', ) -CONTRACT_0555 = McpControlContract( +CONTRACT_1062 = McpControlContract( contract_id='ui.credentialref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='ui', @@ -14443,7 +49426,7 @@ CONTRACT_0555 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0556 = McpControlContract( +CONTRACT_1063 = McpControlContract( contract_id='ui.tokenref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='ui', @@ -14469,7 +49452,7 @@ CONTRACT_0556 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0557 = McpControlContract( +CONTRACT_1064 = McpControlContract( contract_id='ui.secretref.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='ui', @@ -14495,7 +49478,7 @@ CONTRACT_0557 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0558 = McpControlContract( +CONTRACT_1065 = McpControlContract( contract_id='ui.cfat.redaction-policy', kind=McpContractKind.REDACTION_POLICY, platform_id='ui', 
@@ -14521,7 +49504,2698 @@ CONTRACT_0558 = McpControlContract( generated_from='platform_redaction_policy_contract', ) -CONTRACT_0559 = McpControlContract( +CONTRACT_1066 = McpControlContract( + contract_id='ui.administrador_empresa.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'administrador_empresaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.administrador_empresa.gpt-execute-probe', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar 
Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1067 = McpControlContract( + contract_id='ui.administrador_empresa.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 
'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'administrador_empresaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.administrador_empresa.admin-ui-render', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + 
policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1068 = McpControlContract( + contract_id='ui.administrador_empresa.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='administrador_empresa', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Administrador da empresa', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Administrador da empresa usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'administrador_empresaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.administrador_empresa.automation-smoke', + audience=AudienceClass.ADMINISTRATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 
'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/administrador_empresa por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/administrador_empresa', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1069 = McpControlContract( + contract_id='ui.ceo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de UI Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 
'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'ceoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.ceo.gpt-execute-probe', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + 
generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1070 = McpControlContract( + contract_id='ui.ceo.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de UI Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'ceoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.ceo.admin-ui-render', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization 
Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1071 = McpControlContract( + contract_id='ui.ceo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='ceo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e CEO', + purpose='Garantir que chamadas GPT/MCP de UI Platform para CEO usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'ceoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 
'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.ceo.automation-smoke', + audience=AudienceClass.EXECUTIVE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/ceo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/ceo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1072 = McpControlContract( + contract_id='ui.gestor_operacional.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='gestor_operacional', + 
tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'gestor_operacionalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.gestor_operacional.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/gestor_operacional por /v1/execute com POST 
application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1073 = McpControlContract( + contract_id='ui.gestor_operacional.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='gestor_operacional', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'gestor_operacionalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 
'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.gestor_operacional.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/gestor_operacional por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1074 = McpControlContract( + contract_id='ui.gestor_operacional.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='gestor_operacional', + 
tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Gestor operacional', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Gestor operacional usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'gestor_operacionalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.gestor_operacional.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/gestor_operacional por /v1/execute com POST 
application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/gestor_operacional', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1075 = McpControlContract( + contract_id='ui.suporte.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'suporteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 
'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.suporte.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1076 = McpControlContract( + contract_id='ui.suporte.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Equipe de 
suporte', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'suporteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.suporte.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar 
traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1077 = McpControlContract( + contract_id='ui.suporte.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='suporte', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Equipe de suporte', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Equipe de suporte usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'suporteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 
'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.suporte.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/suporte por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/suporte', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1078 = McpControlContract( + contract_id='ui.atendimento_cliente.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes 
e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'atendimento_clienteNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.atendimento_cliente.gpt-execute-probe', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens 
numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1079 = McpControlContract( + contract_id='ui.atendimento_cliente.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'atendimento_clienteNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + 
truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.atendimento_cliente.admin-ui-render', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1080 = McpControlContract( + contract_id='ui.atendimento_cliente.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='atendimento_cliente', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Atendimento ao cliente', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Atendimento ao cliente usem headers, bearer redigido, WAF classificado, hashes e ledger 
auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'atendimento_clienteNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.atendimento_cliente.automation-smoke', + audience=AudienceClass.SUPPORT, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/atendimento_cliente por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos 
longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/atendimento_cliente', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1081 = McpControlContract( + contract_id='ui.financeiro.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'financeiroNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + 
gpt_explainable=True, + report_model_id='access.ui.financeiro.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1082 = McpControlContract( + contract_id='ui.financeiro.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + 
required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'financeiroNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.financeiro.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para 
ui/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1083 = McpControlContract( + contract_id='ui.financeiro.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='financeiro', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Financeiro', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Financeiro usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'financeiroNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.financeiro.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos 
em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/financeiro por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/financeiro', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1084 = McpControlContract( + contract_id='ui.contador.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 
'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'contadorNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.contador.gpt-execute-probe', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + 
policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1085 = McpControlContract( + contract_id='ui.contador.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'contadorNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.contador.admin-ui-render', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash 
e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1086 = McpControlContract( + contract_id='ui.contador.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='contador', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Contador', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Contador usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', 
+ 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'contadorNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.contador.automation-smoke', + audience=AudienceClass.FINANCE, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/contador por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/contador', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1087 = McpControlContract( + 
contract_id='ui.juridico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'juridicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.juridico.gpt-execute-probe', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de 
evidencia'), + validation_steps=('executar gpt-execute-probe de ui/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1088 = McpControlContract( + contract_id='ui.juridico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'juridicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 
'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.juridico.admin-ui-render', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1089 = McpControlContract( + contract_id='ui.juridico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='juridico', + tool_id='mais_humana.gateway.access_policy.smoke', + 
title='Politica de acesso automation-smoke para UI Platform e Juridico', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Juridico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'juridicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.juridico.automation-smoke', + audience=AudienceClass.LEGAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/juridico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization 
via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/juridico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1090 = McpControlContract( + contract_id='ui.secretaria.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'secretariaNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', 
+ 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.secretaria.gpt-execute-probe', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1091 = McpControlContract( + contract_id='ui.secretaria.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Secretaria usem headers, bearer redigido, WAF 
classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'secretariaNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.secretaria.admin-ui-render', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 
'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1092 = McpControlContract( + contract_id='ui.secretaria.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='secretaria', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Secretaria', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Secretaria usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'secretariaNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + 
report_model_id='access.ui.secretaria.automation-smoke', + audience=AudienceClass.OPERATOR, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/secretaria por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/secretaria', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1093 = McpControlContract( + contract_id='ui.tecnico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + 
required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'tecnicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.tecnico.gpt-execute-probe', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/tecnico', + 
order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1094 = McpControlContract( + contract_id='ui.tecnico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'tecnicoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.tecnico.admin-ui-render', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 
'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1095 = McpControlContract( + contract_id='ui.tecnico.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='tecnico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Tecnico', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Tecnico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 
'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'tecnicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.tecnico.automation-smoke', + audience=AudienceClass.TECHNICAL, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/tecnico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/tecnico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 
'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1096 = McpControlContract( + contract_id='ui.usuario_final.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'usuario_finalNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.usuario_final.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem 
payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1097 = McpControlContract( + contract_id='ui.usuario_final.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 
'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'usuario_finalNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.usuario_final.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1098 = McpControlContract( 
+ contract_id='ui.usuario_final.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='usuario_final', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Usuario final', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Usuario final usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'usuario_finalNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.usuario_final.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas 
credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/usuario_final por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/usuario_final', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1099 = McpControlContract( + contract_id='ui.cliente_externo.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'cliente_externoNeed', + 'gpt-execute-probeState', + 
'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.cliente_externo.gpt-execute-probe', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar gpt-execute-probe de ui/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1100 = McpControlContract( + contract_id='ui.cliente_externo.admin-ui-render.access-policy', + 
kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'cliente_externoNeed', + 'admin-ui-renderState', + 'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.cliente_externo.admin-ui-render', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + 
validation_steps=('executar admin-ui-render de ui/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1101 = McpControlContract( + contract_id='ui.cliente_externo.automation-smoke.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='cliente_externo', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Cliente externo', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Cliente externo usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'cliente_externoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 
'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.cliente_externo.automation-smoke', + audience=AudienceClass.CUSTOMER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar automation-smoke de ui/cliente_externo por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/cliente_externo', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1102 = McpControlContract( + contract_id='ui.planejamento_estrategico.gpt-execute-probe.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + 
profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.gpt_probe', + title='Politica de acesso gpt-execute-probe para UI Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'planejamento_estrategicoNeed', + 'gpt-execute-probeState', + 'governanceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.planejamento_estrategico.gpt-execute-probe', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar 
gpt-execute-probe de ui/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso gpt-execute-probe para ui/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'gpt-execute-probe'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1103 = McpControlContract( + contract_id='ui.planejamento_estrategico.admin-ui-render.access-policy', + kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.admin_ui', + title='Politica de acesso admin-ui-render para UI Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'planejamento_estrategicoNeed', + 'admin-ui-renderState', + 
'experienceGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.planejamento_estrategico.admin-ui-render', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes de evidencia'), + validation_steps=('executar admin-ui-render de ui/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso admin-ui-render para ui/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'admin-ui-render'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1104 = McpControlContract( + contract_id='ui.planejamento_estrategico.automation-smoke.access-policy', + 
kind=McpContractKind.ACCESS_POLICY, + platform_id='ui', + profile_id='planejamento_estrategico', + tool_id='mais_humana.gateway.access_policy.smoke', + title='Politica de acesso automation-smoke para UI Platform e Planejamento estrategico', + purpose='Garantir que chamadas GPT/MCP de UI Platform para Planejamento estrategico usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel.', + source_endpoint=MCP_EXECUTE_ENDPOINT, + source_tool_id='mais_humana.gateway.access_policy', + required_transit_fields=MCP_TRANSIT_FIELDS, + required_payload_fields=( + 'origin', + 'destination', + 'tool', + 'payload', + 'actor', + 'permission', + 'result', + 'traceId', + 'auditId', + 'timestamp', + 'projectId', + 'platformId', + 'profileId', + 'surfaceId', + 'category', + 'sourceEndpoint', + 'sourceToolId', + 'sourcePayloadHash', + 'sourceRecordsHash', + 'truthState', + 'panelReady', + 'gptExplainable', + 'humanNextAction', + 'uiStatus', + 'planejamento_estrategicoNeed', + 'automation-smokeState', + 'observabilityGate', + 'httpMethod', + 'contentType', + 'userAgent', + 'authorizationCredentialRef', + 'authorizationRawPersisted', + 'wafDecision', + 'wafRuleId', + 'rateLimitPerMinute', + 'logRetentionDays', + 'requestHash', + 'responseHash', + 'redactionPolicyId', + 'secretSafe', + 'pluginCloudflareDiagnosticIgnored', + 'wranglerOperationalReference', + ), + truth_state=TruthState.SAME_SOURCE_READY, + panel_ready=True, + gpt_explainable=True, + report_model_id='access.ui.planejamento_estrategico.automation-smoke', + audience=AudienceClass.USER, + redaction_requirements=('bloquear valores cfat_ brutos em qualquer artefato humano', 'permitir apenas credentialRef, tokenRef ou secretRef opacos', 'mascarar Authorization Bearer antes de persistir evidencia', 'registrar sourcePayloadHash e sourceRecordsHash sem payload sensivel bruto', 'vincular redaction ao provider ui via MCP', 'bloquear persistencia de Authorization Bearer bruto', 'registrar apenas credentialRef e hashes 
de evidencia'), + validation_steps=('executar automation-smoke de ui/planejamento_estrategico por /v1/execute com POST application/json', 'confirmar User-Agent operacional e separar WAF de erro runtime', 'confirmar Authorization via credentialRef sem persistir bearer bruto', 'validar traceId, auditId, requestHash e responseHash', 'validar redaction contra cfat_, bearer bruto e tokens numericos longos', 'registrar rate limit, retencao de logs e decisao WAF no MCP'), + pending_if_missing='homologar politica de acesso automation-smoke para ui/planejamento_estrategico', + order_ids=('0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia', '0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway'), + policy_tags=('access_policy', 'waf', 'redaction', 'same_source', 'automation-smoke'), + maturity_level=9, + generated_from='platform_profile_access_policy_contract', +) + +CONTRACT_1105 = McpControlContract( contract_id='docs.formal-exception.docs-catalogonly', kind=McpContractKind.DOCS_EXCEPTION, platform_id='docs', @@ -14547,7 +52221,7 @@ CONTRACT_0559 = McpControlContract( generated_from='special_governance_contract', ) -CONTRACT_0560 = McpControlContract( +CONTRACT_1106 = McpControlContract( contract_id='mais-humana.canonical-rename.platform', kind=McpContractKind.CANONICAL_RENAME, platform_id='mais_humana', 
@@ -15134,6 +52808,552 @@ CONTRACTS = ( CONTRACT_0558, CONTRACT_0559, CONTRACT_0560, + CONTRACT_0561, + CONTRACT_0562, + CONTRACT_0563, + CONTRACT_0564, + CONTRACT_0565, + CONTRACT_0566, + CONTRACT_0567, + CONTRACT_0568, + CONTRACT_0569, + CONTRACT_0570, + CONTRACT_0571, + CONTRACT_0572, + CONTRACT_0573, + CONTRACT_0574, + CONTRACT_0575, + CONTRACT_0576, + CONTRACT_0577, + CONTRACT_0578, + CONTRACT_0579, + CONTRACT_0580, + CONTRACT_0581, + CONTRACT_0582, + CONTRACT_0583, + CONTRACT_0584, + CONTRACT_0585, + CONTRACT_0586, + CONTRACT_0587, + CONTRACT_0588, + CONTRACT_0589, + CONTRACT_0590, + CONTRACT_0591, + CONTRACT_0592, + CONTRACT_0593, + CONTRACT_0594, + CONTRACT_0595, + CONTRACT_0596, + CONTRACT_0597, + CONTRACT_0598, + CONTRACT_0599, + CONTRACT_0600, + CONTRACT_0601, + CONTRACT_0602, + CONTRACT_0603, + CONTRACT_0604, + CONTRACT_0605, + CONTRACT_0606, + CONTRACT_0607, + CONTRACT_0608, + CONTRACT_0609, + CONTRACT_0610, + CONTRACT_0611, + CONTRACT_0612, + CONTRACT_0613, + CONTRACT_0614, + CONTRACT_0615, + CONTRACT_0616, + CONTRACT_0617, + CONTRACT_0618, + CONTRACT_0619, + CONTRACT_0620, + CONTRACT_0621, + CONTRACT_0622, + CONTRACT_0623, + CONTRACT_0624, + CONTRACT_0625, + CONTRACT_0626, + CONTRACT_0627, + CONTRACT_0628, + CONTRACT_0629, + CONTRACT_0630, + CONTRACT_0631, + CONTRACT_0632, + CONTRACT_0633, + CONTRACT_0634, + CONTRACT_0635, + CONTRACT_0636, + CONTRACT_0637, + CONTRACT_0638, + CONTRACT_0639, + CONTRACT_0640, + CONTRACT_0641, + CONTRACT_0642, + CONTRACT_0643, + CONTRACT_0644, + CONTRACT_0645, + CONTRACT_0646, + CONTRACT_0647, + CONTRACT_0648, + CONTRACT_0649, + CONTRACT_0650, + CONTRACT_0651, + CONTRACT_0652, + CONTRACT_0653, + CONTRACT_0654, + CONTRACT_0655, + CONTRACT_0656, + CONTRACT_0657, + CONTRACT_0658, + CONTRACT_0659, + CONTRACT_0660, + CONTRACT_0661, + CONTRACT_0662, + CONTRACT_0663, + CONTRACT_0664, + CONTRACT_0665, + CONTRACT_0666, + CONTRACT_0667, + CONTRACT_0668, + CONTRACT_0669, + CONTRACT_0670, + CONTRACT_0671, + CONTRACT_0672, + 
CONTRACT_0673, + CONTRACT_0674, + CONTRACT_0675, + CONTRACT_0676, + CONTRACT_0677, + CONTRACT_0678, + CONTRACT_0679, + CONTRACT_0680, + CONTRACT_0681, + CONTRACT_0682, + CONTRACT_0683, + CONTRACT_0684, + CONTRACT_0685, + CONTRACT_0686, + CONTRACT_0687, + CONTRACT_0688, + CONTRACT_0689, + CONTRACT_0690, + CONTRACT_0691, + CONTRACT_0692, + CONTRACT_0693, + CONTRACT_0694, + CONTRACT_0695, + CONTRACT_0696, + CONTRACT_0697, + CONTRACT_0698, + CONTRACT_0699, + CONTRACT_0700, + CONTRACT_0701, + CONTRACT_0702, + CONTRACT_0703, + CONTRACT_0704, + CONTRACT_0705, + CONTRACT_0706, + CONTRACT_0707, + CONTRACT_0708, + CONTRACT_0709, + CONTRACT_0710, + CONTRACT_0711, + CONTRACT_0712, + CONTRACT_0713, + CONTRACT_0714, + CONTRACT_0715, + CONTRACT_0716, + CONTRACT_0717, + CONTRACT_0718, + CONTRACT_0719, + CONTRACT_0720, + CONTRACT_0721, + CONTRACT_0722, + CONTRACT_0723, + CONTRACT_0724, + CONTRACT_0725, + CONTRACT_0726, + CONTRACT_0727, + CONTRACT_0728, + CONTRACT_0729, + CONTRACT_0730, + CONTRACT_0731, + CONTRACT_0732, + CONTRACT_0733, + CONTRACT_0734, + CONTRACT_0735, + CONTRACT_0736, + CONTRACT_0737, + CONTRACT_0738, + CONTRACT_0739, + CONTRACT_0740, + CONTRACT_0741, + CONTRACT_0742, + CONTRACT_0743, + CONTRACT_0744, + CONTRACT_0745, + CONTRACT_0746, + CONTRACT_0747, + CONTRACT_0748, + CONTRACT_0749, + CONTRACT_0750, + CONTRACT_0751, + CONTRACT_0752, + CONTRACT_0753, + CONTRACT_0754, + CONTRACT_0755, + CONTRACT_0756, + CONTRACT_0757, + CONTRACT_0758, + CONTRACT_0759, + CONTRACT_0760, + CONTRACT_0761, + CONTRACT_0762, + CONTRACT_0763, + CONTRACT_0764, + CONTRACT_0765, + CONTRACT_0766, + CONTRACT_0767, + CONTRACT_0768, + CONTRACT_0769, + CONTRACT_0770, + CONTRACT_0771, + CONTRACT_0772, + CONTRACT_0773, + CONTRACT_0774, + CONTRACT_0775, + CONTRACT_0776, + CONTRACT_0777, + CONTRACT_0778, + CONTRACT_0779, + CONTRACT_0780, + CONTRACT_0781, + CONTRACT_0782, + CONTRACT_0783, + CONTRACT_0784, + CONTRACT_0785, + CONTRACT_0786, + CONTRACT_0787, + CONTRACT_0788, + CONTRACT_0789, + 
CONTRACT_0790, + CONTRACT_0791, + CONTRACT_0792, + CONTRACT_0793, + CONTRACT_0794, + CONTRACT_0795, + CONTRACT_0796, + CONTRACT_0797, + CONTRACT_0798, + CONTRACT_0799, + CONTRACT_0800, + CONTRACT_0801, + CONTRACT_0802, + CONTRACT_0803, + CONTRACT_0804, + CONTRACT_0805, + CONTRACT_0806, + CONTRACT_0807, + CONTRACT_0808, + CONTRACT_0809, + CONTRACT_0810, + CONTRACT_0811, + CONTRACT_0812, + CONTRACT_0813, + CONTRACT_0814, + CONTRACT_0815, + CONTRACT_0816, + CONTRACT_0817, + CONTRACT_0818, + CONTRACT_0819, + CONTRACT_0820, + CONTRACT_0821, + CONTRACT_0822, + CONTRACT_0823, + CONTRACT_0824, + CONTRACT_0825, + CONTRACT_0826, + CONTRACT_0827, + CONTRACT_0828, + CONTRACT_0829, + CONTRACT_0830, + CONTRACT_0831, + CONTRACT_0832, + CONTRACT_0833, + CONTRACT_0834, + CONTRACT_0835, + CONTRACT_0836, + CONTRACT_0837, + CONTRACT_0838, + CONTRACT_0839, + CONTRACT_0840, + CONTRACT_0841, + CONTRACT_0842, + CONTRACT_0843, + CONTRACT_0844, + CONTRACT_0845, + CONTRACT_0846, + CONTRACT_0847, + CONTRACT_0848, + CONTRACT_0849, + CONTRACT_0850, + CONTRACT_0851, + CONTRACT_0852, + CONTRACT_0853, + CONTRACT_0854, + CONTRACT_0855, + CONTRACT_0856, + CONTRACT_0857, + CONTRACT_0858, + CONTRACT_0859, + CONTRACT_0860, + CONTRACT_0861, + CONTRACT_0862, + CONTRACT_0863, + CONTRACT_0864, + CONTRACT_0865, + CONTRACT_0866, + CONTRACT_0867, + CONTRACT_0868, + CONTRACT_0869, + CONTRACT_0870, + CONTRACT_0871, + CONTRACT_0872, + CONTRACT_0873, + CONTRACT_0874, + CONTRACT_0875, + CONTRACT_0876, + CONTRACT_0877, + CONTRACT_0878, + CONTRACT_0879, + CONTRACT_0880, + CONTRACT_0881, + CONTRACT_0882, + CONTRACT_0883, + CONTRACT_0884, + CONTRACT_0885, + CONTRACT_0886, + CONTRACT_0887, + CONTRACT_0888, + CONTRACT_0889, + CONTRACT_0890, + CONTRACT_0891, + CONTRACT_0892, + CONTRACT_0893, + CONTRACT_0894, + CONTRACT_0895, + CONTRACT_0896, + CONTRACT_0897, + CONTRACT_0898, + CONTRACT_0899, + CONTRACT_0900, + CONTRACT_0901, + CONTRACT_0902, + CONTRACT_0903, + CONTRACT_0904, + CONTRACT_0905, + CONTRACT_0906, + 
CONTRACT_0907, + CONTRACT_0908, + CONTRACT_0909, + CONTRACT_0910, + CONTRACT_0911, + CONTRACT_0912, + CONTRACT_0913, + CONTRACT_0914, + CONTRACT_0915, + CONTRACT_0916, + CONTRACT_0917, + CONTRACT_0918, + CONTRACT_0919, + CONTRACT_0920, + CONTRACT_0921, + CONTRACT_0922, + CONTRACT_0923, + CONTRACT_0924, + CONTRACT_0925, + CONTRACT_0926, + CONTRACT_0927, + CONTRACT_0928, + CONTRACT_0929, + CONTRACT_0930, + CONTRACT_0931, + CONTRACT_0932, + CONTRACT_0933, + CONTRACT_0934, + CONTRACT_0935, + CONTRACT_0936, + CONTRACT_0937, + CONTRACT_0938, + CONTRACT_0939, + CONTRACT_0940, + CONTRACT_0941, + CONTRACT_0942, + CONTRACT_0943, + CONTRACT_0944, + CONTRACT_0945, + CONTRACT_0946, + CONTRACT_0947, + CONTRACT_0948, + CONTRACT_0949, + CONTRACT_0950, + CONTRACT_0951, + CONTRACT_0952, + CONTRACT_0953, + CONTRACT_0954, + CONTRACT_0955, + CONTRACT_0956, + CONTRACT_0957, + CONTRACT_0958, + CONTRACT_0959, + CONTRACT_0960, + CONTRACT_0961, + CONTRACT_0962, + CONTRACT_0963, + CONTRACT_0964, + CONTRACT_0965, + CONTRACT_0966, + CONTRACT_0967, + CONTRACT_0968, + CONTRACT_0969, + CONTRACT_0970, + CONTRACT_0971, + CONTRACT_0972, + CONTRACT_0973, + CONTRACT_0974, + CONTRACT_0975, + CONTRACT_0976, + CONTRACT_0977, + CONTRACT_0978, + CONTRACT_0979, + CONTRACT_0980, + CONTRACT_0981, + CONTRACT_0982, + CONTRACT_0983, + CONTRACT_0984, + CONTRACT_0985, + CONTRACT_0986, + CONTRACT_0987, + CONTRACT_0988, + CONTRACT_0989, + CONTRACT_0990, + CONTRACT_0991, + CONTRACT_0992, + CONTRACT_0993, + CONTRACT_0994, + CONTRACT_0995, + CONTRACT_0996, + CONTRACT_0997, + CONTRACT_0998, + CONTRACT_0999, + CONTRACT_1000, + CONTRACT_1001, + CONTRACT_1002, + CONTRACT_1003, + CONTRACT_1004, + CONTRACT_1005, + CONTRACT_1006, + CONTRACT_1007, + CONTRACT_1008, + CONTRACT_1009, + CONTRACT_1010, + CONTRACT_1011, + CONTRACT_1012, + CONTRACT_1013, + CONTRACT_1014, + CONTRACT_1015, + CONTRACT_1016, + CONTRACT_1017, + CONTRACT_1018, + CONTRACT_1019, + CONTRACT_1020, + CONTRACT_1021, + CONTRACT_1022, + CONTRACT_1023, + 
CONTRACT_1024, + CONTRACT_1025, + CONTRACT_1026, + CONTRACT_1027, + CONTRACT_1028, + CONTRACT_1029, + CONTRACT_1030, + CONTRACT_1031, + CONTRACT_1032, + CONTRACT_1033, + CONTRACT_1034, + CONTRACT_1035, + CONTRACT_1036, + CONTRACT_1037, + CONTRACT_1038, + CONTRACT_1039, + CONTRACT_1040, + CONTRACT_1041, + CONTRACT_1042, + CONTRACT_1043, + CONTRACT_1044, + CONTRACT_1045, + CONTRACT_1046, + CONTRACT_1047, + CONTRACT_1048, + CONTRACT_1049, + CONTRACT_1050, + CONTRACT_1051, + CONTRACT_1052, + CONTRACT_1053, + CONTRACT_1054, + CONTRACT_1055, + CONTRACT_1056, + CONTRACT_1057, + CONTRACT_1058, + CONTRACT_1059, + CONTRACT_1060, + CONTRACT_1061, + CONTRACT_1062, + CONTRACT_1063, + CONTRACT_1064, + CONTRACT_1065, + CONTRACT_1066, + CONTRACT_1067, + CONTRACT_1068, + CONTRACT_1069, + CONTRACT_1070, + CONTRACT_1071, + CONTRACT_1072, + CONTRACT_1073, + CONTRACT_1074, + CONTRACT_1075, + CONTRACT_1076, + CONTRACT_1077, + CONTRACT_1078, + CONTRACT_1079, + CONTRACT_1080, + CONTRACT_1081, + CONTRACT_1082, + CONTRACT_1083, + CONTRACT_1084, + CONTRACT_1085, + CONTRACT_1086, + CONTRACT_1087, + CONTRACT_1088, + CONTRACT_1089, + CONTRACT_1090, + CONTRACT_1091, + CONTRACT_1092, + CONTRACT_1093, + CONTRACT_1094, + CONTRACT_1095, + CONTRACT_1096, + CONTRACT_1097, + CONTRACT_1098, + CONTRACT_1099, + CONTRACT_1100, + CONTRACT_1101, + CONTRACT_1102, + CONTRACT_1103, + CONTRACT_1104, + CONTRACT_1105, + CONTRACT_1106, ) __all__ = [ diff --git a/src/mais_humana/mcp_contract.py b/src/mais_humana/mcp_contract.py index 4991292..4514df9 100644 --- a/src/mais_humana/mcp_contract.py +++ b/src/mais_humana/mcp_contract.py @@ -47,6 +47,7 @@ class McpContractKind(str, Enum): REPORT_MODEL = "report_model" TRANSIT_POLICY = "transit_policy" REDACTION_POLICY = "redaction_policy" + ACCESS_POLICY = "access_policy" DOCS_EXCEPTION = "docs_exception" CANONICAL_RENAME = "canonical_rename" 
diff --git a/src/mais_humana/mcp_gateway_access_policy.py b/src/mais_humana/mcp_gateway_access_policy.py new file mode 100644 index 0000000..d70a0e3 --- /dev/null +++ b/src/mais_humana/mcp_gateway_access_policy.py 
@@ -0,0 +1,724 @@ +"""Access policy artifacts for GPT/MCP gateway probes. + +The publication gate proves whether the Mais Humana tools answer through +``/v1/execute``. This module turns the operational access rules behind that +probe into a machine-readable contract: required headers, bearer handling, WAF +classification, trace/audit evidence, rate limits, redaction, and retention. + +It deliberately stores hashes and excerpts, not raw credentials. +""" + +from __future__ import annotations + +import csv +import io +import json +import re +from dataclasses import dataclass +from enum import Enum +from pathlib import Path +from typing import Any, Mapping, Sequence + +from .mcp_contract import MCP_EXECUTE_ENDPOINT, stable_hash +from .models import GeneratedFile, as_plain_data, merge_unique, utc_now +from .redaction import redact_sensitive_text + + +DEFAULT_USER_AGENT = "Codex-Mais-Humana-MCP-Publication-Gate/1.0" +DEFAULT_POLICY_VERSION = "mcp-gateway-access-policy.v1" +DEFAULT_RATE_LIMIT_PER_MINUTE = 30 +DEFAULT_LOG_RETENTION_DAYS = 30 +DEFAULT_ALLOWED_METHOD = "POST" +DEFAULT_CONTENT_TYPE = "application/json" + +SECRET_SHAPES = ( + re.compile(r"cfat_[A-Za-z0-9_\-]+", re.I), + re.compile(r"authorization\s*:\s*bearer\s+[A-Za-z0-9._\-]+", re.I), + re.compile(r"\bbearer\s+[A-Za-z0-9._\-]{8,}", re.I), + re.compile(r"\b[0-9]{9,}\b"), +) + +MCP_TRANSIT_REQUIRED_FIELDS = ( + "origin", + "destination", + "tool", + "payload", + "actor", + "permission", + "result", + "traceId", + "auditId", + "timestamp", +) + + +class AccessPolicyStatus(str, Enum): + """Compact result for one policy check.""" + + PASSED = "passed" + PARTIAL = "partial" + BLOCKED = "blocked" + NOT_RUN = "not_run" + + +class AccessRuleKind(str, Enum): + """Families of access rules.""" + + HTTP = "http" + HEADER = "header" + AUTH = "auth" + WAF = "waf" + EVIDENCE = "evidence" + REDACTION = "redaction" + RATE_LIMIT = "rate_limit" + RETENTION = "retention" + TRANSIT = "transit" + GOVERNANCE = "governance" + + 
+@dataclass(frozen=True, slots=True) +class AccessPolicyRule: + """One rule the gateway probe must follow.""" + + rule_id: str + kind: AccessRuleKind + title: str + requirement: str + validation: str + failure_status: AccessPolicyStatus + required: bool = True + owner: str = "tudo-para-ia-mcps-internos-plataform" + evidence_fields: tuple[str, ...] = () + + def to_dict(self) -> dict[str, Any]: + return as_plain_data(self) + + +@dataclass(frozen=True, slots=True) +class AccessProbeObservation: + """Sanitized view of one live /v1/execute probe.""" + + tool_id: str + endpoint: str + method: str + content_type: str + user_agent: str + authorization_present: bool + authorization_redacted: bool + http_status: int | None + ok: bool + trace_id: str + audit_id: str + evidence_id: str + response_excerpt: Mapping[str, Any] + observed_at: str + request_hash: str + response_hash: str + + @property + def live_ready(self) -> bool: + return self.http_status is not None and 200 <= self.http_status < 300 and self.ok + + @property + def has_trace_audit(self) -> bool: + return bool(self.trace_id and self.audit_id) + + def to_dict(self) -> dict[str, Any]: + return as_plain_data(self) + + +@dataclass(frozen=True, slots=True) +class AccessPolicyCheck: + """Evaluation of one access rule.""" + + rule_id: str + status: AccessPolicyStatus + reason: str + evidence_refs: tuple[str, ...] + next_action: str + + @property + def passed(self) -> bool: + return self.status == AccessPolicyStatus.PASSED + + def to_dict(self) -> dict[str, Any]: + return as_plain_data(self) + + +@dataclass(frozen=True, slots=True) +class McpGatewayAccessPolicyReport: + """Full access-policy report for GPT/MCP gateway probes.""" + + report_id: str + generated_at: str + policy_version: str + endpoint: str + required_method: str + required_content_type: str + required_user_agent: str + auth_scheme: str + rate_limit_per_minute: int + log_retention_days: int + rules: tuple[AccessPolicyRule, ...] 
+ probes: tuple[AccessProbeObservation, ...] + checks: tuple[AccessPolicyCheck, ...] + summary: tuple[str, ...] + blockers: tuple[str, ...] + + @property + def status(self) -> AccessPolicyStatus: + if not self.checks: + return AccessPolicyStatus.NOT_RUN + if any(check.status == AccessPolicyStatus.BLOCKED for check in self.checks): + return AccessPolicyStatus.BLOCKED + if any(check.status in {AccessPolicyStatus.PARTIAL, AccessPolicyStatus.NOT_RUN} for check in self.checks): + return AccessPolicyStatus.PARTIAL + return AccessPolicyStatus.PASSED + + @property + def live_ready(self) -> bool: + return bool(self.probes) and all(probe.live_ready for probe in self.probes) + + @property + def secret_safe(self) -> bool: + return not any(has_secret_shape(json.dumps(probe.response_excerpt, ensure_ascii=False)) for probe in self.probes) + + def to_dict(self) -> dict[str, Any]: + data = as_plain_data(self) + data["status"] = self.status.value + data["liveReady"] = self.live_ready + data["secretSafe"] = self.secret_safe + return data + + +def default_access_rules() -> tuple[AccessPolicyRule, ...]: + """Return the canonical GPT/MCP gateway access rules.""" + + return ( + AccessPolicyRule( + rule_id="http.method.post", + kind=AccessRuleKind.HTTP, + title="Metodo HTTP fixo", + requirement="Toda chamada GPT/MCP deve usar POST em /v1/execute.", + validation="Comparar metodo observado com POST.", + failure_status=AccessPolicyStatus.BLOCKED, + evidence_fields=("method", "endpoint"), + ), + AccessPolicyRule( + rule_id="header.content-type.json", + kind=AccessRuleKind.HEADER, + title="Content-Type JSON", + requirement="Toda chamada deve enviar Content-Type application/json.", + validation="Comparar content_type observado.", + failure_status=AccessPolicyStatus.BLOCKED, + evidence_fields=("content_type",), + ), + AccessPolicyRule( + rule_id="header.user-agent.codex", + kind=AccessRuleKind.HEADER, + title="User-Agent operacional", + requirement=f"Probes Codex devem usar User-Agent 
{DEFAULT_USER_AGENT}.", + validation="Comparar User-Agent observado para separar WAF de runtime.", + failure_status=AccessPolicyStatus.PARTIAL, + evidence_fields=("user_agent",), + ), + AccessPolicyRule( + rule_id="auth.bearer.present-redacted", + kind=AccessRuleKind.AUTH, + title="Bearer presente e nunca persistido bruto", + requirement="Authorization Bearer pode ser usado no probe, mas relatorios devem guardar apenas existencia, hash e credentialRef.", + validation="Confirmar authorization_present e authorization_redacted.", + failure_status=AccessPolicyStatus.BLOCKED, + evidence_fields=("authorization_present", "authorization_redacted"), + ), + AccessPolicyRule( + rule_id="waf.classification.explicit", + kind=AccessRuleKind.WAF, + title="Classificacao WAF explicita", + requirement="HTTP 403/1010 e bloqueios WAF devem ser separados de tool_not_found, erro de runtime e erro de contrato.", + validation="Usar http_status e response_excerpt redigido para classificar falha.", + failure_status=AccessPolicyStatus.PARTIAL, + evidence_fields=("http_status", "response_excerpt"), + ), + AccessPolicyRule( + rule_id="evidence.trace-audit-required", + kind=AccessRuleKind.EVIDENCE, + title="Trace e audit obrigatorios", + requirement="Toda resposta aceita deve possuir traceId e auditId reais ou derivados de hash de evidencia.", + validation="Confirmar trace_id e audit_id por probe.", + failure_status=AccessPolicyStatus.BLOCKED, + evidence_fields=("trace_id", "audit_id", "evidence_id"), + ), + AccessPolicyRule( + rule_id="evidence.hashes-required", + kind=AccessRuleKind.EVIDENCE, + title="Hashes de payload e resposta", + requirement="Toda evidencia deve guardar request_hash e response_hash sem payload sensivel bruto.", + validation="Confirmar hashes preenchidos por probe.", + failure_status=AccessPolicyStatus.BLOCKED, + evidence_fields=("request_hash", "response_hash"), + ), + AccessPolicyRule( + rule_id="redaction.no-secret-shapes", + kind=AccessRuleKind.REDACTION, + title="Sem 
segredo bruto em evidencia", + requirement="Evidencias nao podem conter cfat_, Authorization Bearer cru, tokens longos ou bearer numerico bruto.", + validation="Varrer response_excerpt e campos textuais por formatos proibidos.", + failure_status=AccessPolicyStatus.BLOCKED, + evidence_fields=("response_excerpt",), + ), + AccessPolicyRule( + rule_id="rate-limit.default", + kind=AccessRuleKind.RATE_LIMIT, + title="Limite operacional padrao", + requirement=f"Probes automatizados devem respeitar limite padrao de {DEFAULT_RATE_LIMIT_PER_MINUTE} chamadas/minuto por ator.", + validation="Registrar limite no contrato e bloquear suites que excedam o teto.", + failure_status=AccessPolicyStatus.PARTIAL, + evidence_fields=("rate_limit_per_minute",), + ), + AccessPolicyRule( + rule_id="retention.logs", + kind=AccessRuleKind.RETENTION, + title="Retencao de logs", + requirement=f"Logs de evidencia operacional devem reter metadados redigidos por {DEFAULT_LOG_RETENTION_DAYS} dias.", + validation="Registrar politica no artefato de acesso.", + failure_status=AccessPolicyStatus.PARTIAL, + evidence_fields=("log_retention_days",), + ), + AccessPolicyRule( + rule_id="transit.required-fields", + kind=AccessRuleKind.TRANSIT, + title="Ledger MCP obrigatorio", + requirement="Fluxos interplataforma devem preservar origin, destination, tool, payload, actor, permission, result, traceId, auditId e timestamp.", + validation="Validar campos exigidos no contrato de transito MCP.", + failure_status=AccessPolicyStatus.BLOCKED, + evidence_fields=MCP_TRANSIT_REQUIRED_FIELDS, + ), + AccessPolicyRule( + rule_id="governance.plugin-not-operational-path", + kind=AccessRuleKind.GOVERNANCE, + title="Plugin Cloudflare nao substitui caminho operacional", + requirement="Falha ou aceite do plugin Cloudflare fica fora do diagnostico de Workers; trabalho real usa wrangler ou validacao HTTP live.", + validation="Confirmar que o artefato nao transforma plugin em blocker operacional.", + 
failure_status=AccessPolicyStatus.PARTIAL, + evidence_fields=("policy_version",), + ), + ) + + +def has_secret_shape(text: str) -> bool: + """Return whether text contains a forbidden secret-shaped value.""" + + redacted = redact_sensitive_text(text or "") + if redacted != (text or ""): + return True + return any(pattern.search(text or "") for pattern in SECRET_SHAPES) + + +def _safe_mapping(value: object) -> Mapping[str, Any]: + if isinstance(value, Mapping): + return value + return {"value": redact_sensitive_text(str(value))} + + +def _string(value: object, default: str = "") -> str: + if value is None: + return default + return str(value) + + +def _int_or_none(value: object) -> int | None: + if value is None or value == "": + return None + try: + return int(value) + except (TypeError, ValueError): + return None + + +def probe_from_publication_gate_item(item: Mapping[str, Any]) -> AccessProbeObservation: + """Convert one publication-gate live probe dict to access-policy evidence.""" + + tool_id = _string(item.get("tool_id") or item.get("toolId")) + endpoint = _string(item.get("endpoint"), MCP_EXECUTE_ENDPOINT) + response_excerpt = _safe_mapping(item.get("response_excerpt") or item.get("responseExcerpt") or {}) + request_hash = _string( + item.get("source_payload_hash") + or item.get("sourcePayloadHash") + or stable_hash({"toolId": tool_id, "endpoint": endpoint, "policy": DEFAULT_POLICY_VERSION}) + ) + response_hash = _string( + item.get("source_records_hash") + or item.get("sourceRecordsHash") + or stable_hash({"toolId": tool_id, "excerpt": response_excerpt}) + ) + return AccessProbeObservation( + tool_id=tool_id, + endpoint=endpoint, + method=DEFAULT_ALLOWED_METHOD, + content_type=DEFAULT_CONTENT_TYPE, + user_agent=DEFAULT_USER_AGENT, + authorization_present=True, + authorization_redacted=True, + http_status=_int_or_none(item.get("http_status") or item.get("httpStatus")), + ok=bool(item.get("ok") is True or str(item.get("ok")).lower() == "true"), + 
trace_id=_string(item.get("trace_id") or item.get("traceId")), + audit_id=_string(item.get("audit_id") or item.get("auditId")), + evidence_id=_string(item.get("evidence_id") or item.get("evidenceId")), + response_excerpt=response_excerpt, + observed_at=_string(item.get("observed_at") or item.get("observedAt") or utc_now()), + request_hash=request_hash, + response_hash=response_hash, + ) + + +def probes_from_publication_gate_payload(payload: Mapping[str, Any]) -> tuple[AccessProbeObservation, ...]: + """Extract live probes from a publication-gate JSON payload.""" + + report = payload.get("report") if isinstance(payload.get("report"), Mapping) else payload + probes = report.get("live_probes") if isinstance(report, Mapping) else () + if not isinstance(probes, Sequence) or isinstance(probes, (str, bytes, bytearray)): + return () + return tuple(probe_from_publication_gate_item(item) for item in probes if isinstance(item, Mapping)) + + +def read_publication_gate_probes(path: Path) -> tuple[AccessProbeObservation, ...]: + """Read probes from a publication-gate JSON file if it exists.""" + + try: + payload = json.loads(path.read_text(encoding="utf-8")) + except (OSError, json.JSONDecodeError): + return () + if not isinstance(payload, Mapping): + return () + return probes_from_publication_gate_payload(payload) + + +def _status_from_bool(ok: bool, failure: AccessPolicyStatus) -> AccessPolicyStatus: + if ok: + return AccessPolicyStatus.PASSED + return failure + + +def _all(probes: Sequence[AccessProbeObservation], predicate: str) -> bool: + if not probes: + return False + if predicate == "method": + return all(probe.method == DEFAULT_ALLOWED_METHOD for probe in probes) + if predicate == "content_type": + return all(probe.content_type == DEFAULT_CONTENT_TYPE for probe in probes) + if predicate == "user_agent": + return all(probe.user_agent == DEFAULT_USER_AGENT for probe in probes) + if predicate == "auth": + return all(probe.authorization_present and 
probe.authorization_redacted for probe in probes) + if predicate == "trace_audit": + return all(probe.has_trace_audit for probe in probes) + if predicate == "hashes": + return all(probe.request_hash and probe.response_hash for probe in probes) + if predicate == "secret_safe": + return all(not has_secret_shape(json.dumps(probe.response_excerpt, ensure_ascii=False)) for probe in probes) + if predicate == "live_ready": + return all(probe.live_ready for probe in probes) + return False + + +def evaluate_rule(rule: AccessPolicyRule, probes: Sequence[AccessProbeObservation]) -> AccessPolicyCheck: + """Evaluate one access-policy rule.""" + + if not probes and rule.required: + return AccessPolicyCheck( + rule_id=rule.rule_id, + status=AccessPolicyStatus.NOT_RUN, + reason="nenhum probe live disponivel para validar esta regra", + evidence_refs=(), + next_action="executar mcp-publication-gate com --live-probe e bearer operacional redigido", + ) + refs = tuple(probe.evidence_id or probe.response_hash for probe in probes) + if rule.rule_id == "http.method.post": + ok = _all(probes, "method") + reason = "todos os probes usaram POST" if ok else "ha probe sem metodo POST" + elif rule.rule_id == "header.content-type.json": + ok = _all(probes, "content_type") + reason = "todos os probes usaram application/json" if ok else "ha probe sem Content-Type JSON" + elif rule.rule_id == "header.user-agent.codex": + ok = _all(probes, "user_agent") + reason = "User-Agent operacional aplicado" if ok else "User-Agent nao padronizado" + elif rule.rule_id == "auth.bearer.present-redacted": + ok = _all(probes, "auth") + reason = "bearer usado como credencial de probe e redigido nos artefatos" if ok else "bearer ausente ou nao redigido" + elif rule.rule_id == "waf.classification.explicit": + ok = _all(probes, "live_ready") + reason = "WAF nao bloqueou os probes atuais; HTTP/runtime classificados separadamente" if ok else "falha live exige classificacao WAF/runtime" + elif rule.rule_id == 
"evidence.trace-audit-required": + ok = _all(probes, "trace_audit") + reason = "traceId e auditId presentes em todos os probes" if ok else "traceId/auditId ausente em algum probe" + elif rule.rule_id == "evidence.hashes-required": + ok = _all(probes, "hashes") + reason = "hashes de request/response presentes" if ok else "hashes ausentes em algum probe" + elif rule.rule_id == "redaction.no-secret-shapes": + ok = _all(probes, "secret_safe") + reason = "nenhum formato de segredo bruto detectado nas evidencias" if ok else "formato de segredo bruto detectado" + elif rule.rule_id in {"rate-limit.default", "retention.logs", "transit.required-fields", "governance.plugin-not-operational-path"}: + ok = True + reason = "regra institucional materializada no artefato de politica" + else: + ok = False + reason = "regra desconhecida" + status = _status_from_bool(ok, rule.failure_status) + return AccessPolicyCheck( + rule_id=rule.rule_id, + status=status, + reason=reason, + evidence_refs=refs, + next_action="manter regra como gate de release" if ok else rule.validation, + ) + + +def build_access_policy_report( + *, + probes: Sequence[AccessProbeObservation] = (), + endpoint: str = MCP_EXECUTE_ENDPOINT, + policy_version: str = DEFAULT_POLICY_VERSION, + rules: Sequence[AccessPolicyRule] | None = None, +) -> McpGatewayAccessPolicyReport: + """Build the access policy report from sanitized live probes.""" + + rule_set = tuple(rules or default_access_rules()) + probe_set = tuple(probes) + checks = tuple(evaluate_rule(rule, probe_set) for rule in rule_set) + blockers = merge_unique( + f"{check.rule_id}:{check.status.value}" + for check in checks + if check.status == AccessPolicyStatus.BLOCKED + ) + summary = ( + f"Probes live avaliados: {len(probe_set)}.", + f"Probes live OK: {sum(1 for probe in probe_set if probe.live_ready)}/{len(probe_set)}.", + f"Regras aprovadas: {sum(1 for check in checks if check.status == AccessPolicyStatus.PASSED)}/{len(checks)}.", + f"Bearer bruto persistido: 
{not all(probe.authorization_redacted for probe in probe_set) if probe_set else False}.", + f"Falha do plugin Cloudflare nao e blocker operacional: True.", + ) + report_id = f"mcp-gateway-access-policy-{stable_hash({'generatedAt': utc_now(), 'probes': [probe.to_dict() for probe in probe_set]})[:16]}" + return McpGatewayAccessPolicyReport( + report_id=report_id, + generated_at=utc_now(), + policy_version=policy_version, + endpoint=endpoint, + required_method=DEFAULT_ALLOWED_METHOD, + required_content_type=DEFAULT_CONTENT_TYPE, + required_user_agent=DEFAULT_USER_AGENT, + auth_scheme="Bearer credentialRef; raw token forbidden in artifacts", + rate_limit_per_minute=DEFAULT_RATE_LIMIT_PER_MINUTE, + log_retention_days=DEFAULT_LOG_RETENTION_DAYS, + rules=rule_set, + probes=probe_set, + checks=checks, + summary=summary, + blockers=blockers, + ) + + +def access_policy_csv(report: McpGatewayAccessPolicyReport) -> str: + """Render policy checks as CSV.""" + + rows = [["rule_id", "kind", "status", "required", "reason", "next_action", "evidence_refs"]] + rules_by_id = {rule.rule_id: rule for rule in report.rules} + for check in report.checks: + rule = rules_by_id[check.rule_id] + rows.append( + [ + check.rule_id, + rule.kind.value, + check.status.value, + "yes" if rule.required else "no", + check.reason, + check.next_action, + "; ".join(check.evidence_refs), + ] + ) + buffer = io.StringIO() + writer = csv.writer(buffer, lineterminator="\n") + writer.writerows(rows) + return buffer.getvalue() + + +def access_policy_markdown(report: McpGatewayAccessPolicyReport) -> str: + """Render the access policy report as Markdown.""" + + lines = [ + "# Politica de acesso GPT/MCP Gateway", + "", + f"- report_id: `{report.report_id}`", + f"- generated_at: `{report.generated_at}`", + f"- policy_version: `{report.policy_version}`", + f"- endpoint: `{report.endpoint}`", + f"- status: `{report.status.value}`", + f"- live_ready: `{report.live_ready}`", + f"- secret_safe: `{report.secret_safe}`", + 
f"- method: `{report.required_method}`", + f"- content_type: `{report.required_content_type}`", + f"- user_agent: `{report.required_user_agent}`", + f"- auth_scheme: `{report.auth_scheme}`", + f"- rate_limit_per_minute: `{report.rate_limit_per_minute}`", + f"- log_retention_days: `{report.log_retention_days}`", + "", + "## Sumario", + "", + ] + lines.extend(f"- {item}" for item in report.summary) + lines.extend(["", "## Regras", ""]) + for rule in report.rules: + lines.extend( + [ + f"### {rule.rule_id}", + "", + f"- kind: `{rule.kind.value}`", + f"- required: `{rule.required}`", + f"- requisito: {rule.requirement}", + f"- validacao: {rule.validation}", + "", + ] + ) + lines.extend(["## Probes", ""]) + if not report.probes: + lines.append("- Nenhum probe live anexado.") + for probe in report.probes: + lines.extend( + [ + f"- `{probe.tool_id}` http `{probe.http_status}` ok `{probe.ok}`", + f" - evidenceId: `{probe.evidence_id}`", + f" - traceId: `{probe.trace_id}`", + f" - auditId: `{probe.audit_id}`", + f" - requestHash: `{probe.request_hash}`", + f" - responseHash: `{probe.response_hash}`", + ] + ) + lines.extend(["", "## Checks", ""]) + for check in report.checks: + lines.extend( + [ + f"- `{check.rule_id}`: `{check.status.value}`", + f" - motivo: {check.reason}", + f" - proxima_acao: {check.next_action}", + ] + ) + lines.extend(["", "## Blockers", ""]) + if report.blockers: + lines.extend(f"- `{item}`" for item in report.blockers) + else: + lines.append("- Nenhum blocker tecnico na politica local.") + return "\n".join(lines).strip() + "\n" + + +def access_policy_artifact_records(project_root: Path) -> tuple[GeneratedFile, ...]: + """Return semantic records for project-local policy artifacts.""" + + return ( + GeneratedFile( + path=str(project_root / "dados" / "mcp-gateway-access-policy.json"), + description="Politica estruturada de acesso GPT/MCP ao gateway.", + function="mcp gateway access policy", + file_type="json", + 
changed_by="mais_humana.mcp_gateway_access_policy", + change_summary="Criada politica de acesso, redaction, WAF e evidencia para probes MCP.", + relation_to_order="0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway", + ), + GeneratedFile( + path=str(project_root / "matrizes" / "mcp-gateway-access-policy.csv"), + description="Matriz de checks da politica GPT/MCP Gateway.", + function="mcp gateway access policy matrix", + file_type="csv", + changed_by="mais_humana.mcp_gateway_access_policy", + change_summary="Criada matriz de regras, status e evidencias de acesso.", + relation_to_order="0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway", + ), + GeneratedFile( + path=str(project_root / "ecossistema" / "MCP-GATEWAY-ACCESS-POLICY.md"), + description="Relatorio humano da politica de acesso GPT/MCP Gateway.", + function="mcp gateway access policy report", + file_type="markdown", + changed_by="mais_humana.mcp_gateway_access_policy", + change_summary="Criado relatorio de politica para chamada GPT/MCP com evidencia redigida.", + relation_to_order="0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway", + ), + ) + + +def write_access_policy_artifacts( + report: McpGatewayAccessPolicyReport, + project_root: Path, + *, + central_platform_folder: Path | None = None, +) -> tuple[GeneratedFile, ...]: + """Write policy artifacts, tolerating central ACL failures.""" + + records = list(access_policy_artifact_records(project_root)) + targets: list[tuple[Path, str, GeneratedFile | None]] = [ + (project_root / "dados" / "mcp-gateway-access-policy.json", json.dumps(report.to_dict(), ensure_ascii=False, indent=2, sort_keys=True), None), + (project_root / "matrizes" / "mcp-gateway-access-policy.csv", access_policy_csv(report), None), + (project_root / "ecossistema" / "MCP-GATEWAY-ACCESS-POLICY.md", access_policy_markdown(report), None), + ] + if central_platform_folder is not None: + central_path = central_platform_folder / "reports" / 
"MCP-GATEWAY-ACCESS-POLICY__RODADA015.md" + central_record = GeneratedFile( + path=str(central_path), + description="Copia central da politica de acesso GPT/MCP Gateway.", + function="mcp gateway access policy central", + file_type="markdown", + changed_by="mais_humana.mcp_gateway_access_policy", + change_summary="Registrada politica de acesso na pasta central da plataforma 15.", + relation_to_order="0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway", + ) + targets.append((central_path, access_policy_markdown(report), central_record)) + central_failures: list[dict[str, str]] = [] + for path, content, central_record in targets: + try: + path.parent.mkdir(parents=True, exist_ok=True) + path.write_text(redact_sensitive_text(content), encoding="utf-8") + if central_record is not None: + records.append(central_record) + except OSError as exc: + if central_platform_folder is not None and central_platform_folder in path.parents: + central_failures.append({"path": str(path), "operation": "write_text", "error": f"{type(exc).__name__}: {exc}"}) + continue + raise + if central_failures: + status_path = project_root / "dados" / "mcp-gateway-access-policy-central-write-status.json" + status_payload = { + "generatedAt": utc_now(), + "centralPlatformFolder": str(central_platform_folder) if central_platform_folder is not None else "", + "ok": False, + "failureCount": len(central_failures), + "failures": central_failures, + "policy": "falha de escrita central nao aborta artefatos do projeto real", + } + status_path.parent.mkdir(parents=True, exist_ok=True) + status_path.write_text(json.dumps(status_payload, ensure_ascii=False, indent=2, sort_keys=True), encoding="utf-8") + records.append( + GeneratedFile( + path=str(status_path), + description="Status da escrita central da politica de acesso.", + function="mcp gateway access policy central write status", + file_type="json", + changed_by="mais_humana.mcp_gateway_access_policy", + change_summary="Registrada falha de escrita 
central sem abortar artefatos do projeto real.", + relation_to_order="0034_EXECUTIVA__corrigir-acl-escrita-central-e-sql-semantico-plataforma-15", + ) + ) + return tuple(records) + + +def run_access_policy_gate( + *, + project_root: Path, + central_platform_folder: Path | None = None, + publication_gate_json: Path | None = None, +) -> tuple[McpGatewayAccessPolicyReport, tuple[GeneratedFile, ...]]: + """Build and write the access policy using latest publication-gate probes.""" + + gate_path = publication_gate_json or (project_root / "dados" / "mcp-publication-gate-mais-humana.json") + probes = read_publication_gate_probes(gate_path) + report = build_access_policy_report(probes=probes) + records = write_access_policy_artifacts(report, project_root, central_platform_folder=central_platform_folder) + return report, records + diff --git a/src/mais_humana/mcp_publication_gate.py b/src/mais_humana/mcp_publication_gate.py index 4872bff..35c7022 100644 --- a/src/mais_humana/mcp_publication_gate.py +++ b/src/mais_humana/mcp_publication_gate.py 
@@ -828,29 +828,29 @@ def write_publication_gate_artifacts( generated = list(publication_gate_artifact_records(project_root)) central_failures: list[dict[str, str]] = [] - targets: list[tuple[Path, str]] = [ - (project_root / "dados" / "mcp-publication-gate-mais-humana.json", json.dumps(report.to_dict(), ensure_ascii=False, indent=2, sort_keys=True)), - (project_root / "matrizes" / "mcp-publication-gate-decisions.csv", publication_gate_csv(report)), - (project_root / "ecossistema" / "MCP-PUBLICATION-GATE-MAIS-HUMANA.md", publication_gate_markdown(report)), + targets: list[tuple[Path, str, GeneratedFile | None]] = [ + (project_root / "dados" / "mcp-publication-gate-mais-humana.json", json.dumps(report.to_dict(), ensure_ascii=False, indent=2, sort_keys=True), None), + (project_root / "matrizes" / "mcp-publication-gate-decisions.csv", publication_gate_csv(report), None), + (project_root / "ecossistema" / "MCP-PUBLICATION-GATE-MAIS-HUMANA.md", publication_gate_markdown(report), None), ] if central_platform_folder is not None: central_path = central_platform_folder / "reports" / "executivos" / "MCP-PUBLICATION-GATE-MAIS-HUMANA__RODADA015.md" - targets.append((central_path, publication_gate_markdown(report))) - generated.append( - GeneratedFile( - path=str(central_path), - description="Copia central do gate de publicacao MCP Mais Humana.", - function="mcp publication gate central", - file_type="markdown", - changed_by="mais_humana.mcp_publication_gate", - change_summary="Registrado gate de publicacao MCP na pasta central da plataforma 15.", - relation_to_order="015-ROTEADOR-PERMANENTE-DE-ORDEM_DE_SERVICO", - ) + central_record = GeneratedFile( + path=str(central_path), + description="Copia central do gate de publicacao MCP Mais Humana.", + function="mcp publication gate central", + file_type="markdown", + changed_by="mais_humana.mcp_publication_gate", + change_summary="Registrado gate de publicacao MCP na pasta central da plataforma 15.", + 
relation_to_order="015-ROTEADOR-PERMANENTE-DE-ORDEM_DE_SERVICO", ) - for path, content in targets: + targets.append((central_path, publication_gate_markdown(report), central_record)) + for path, content, central_record in targets: try: path.parent.mkdir(parents=True, exist_ok=True) path.write_text(redact_sensitive_text(content), encoding="utf-8") + if central_record is not None: + generated.append(central_record) except OSError as exc: if central_platform_folder is not None and central_platform_folder in path.parents: central_failures.append( diff --git a/tests/test_mcp_gateway_access_policy.py b/tests/test_mcp_gateway_access_policy.py new file mode 100644 index 0000000..5320762 --- /dev/null +++ b/tests/test_mcp_gateway_access_policy.py 
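Review bot: The third tuple element is unpacked as `central_record` on every iteration although it is `None` for the three project-local targets, and the loop variable rebinds the `central_record` built in the `if central_platform_folder is not None` branch just above; a neutral name and a `try ... else:` keep the success path apart from the write: `for path, content, record in targets:` and, after the `except OSError` clause, `else: if record is not None: generated.append(record)`. The same targets-triple loop with the `central_platform_folder in path.parents` tolerance rule now exists almost verbatim in `write_access_policy_artifacts` in `mcp_gateway_access_policy.py` elsewhere in this patch, so a shared helper taking the targets and the central folder would keep the "central failures are tolerated, project failures raise" rule in one place. `write_publication_gate_artifacts` starts before the hunk and the body of the `except OSError` clause continues after it.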
@@ -0,0 +1,124 @@ +from __future__ import annotations + +import json +import unittest + +from mais_humana.cli import main +from mais_humana.mcp_gateway_access_policy import ( + AccessPolicyStatus, + build_access_policy_report, + has_secret_shape, + probes_from_publication_gate_payload, + run_access_policy_gate, +) +from tests.helpers import make_tmp + + +def publication_gate_payload() -> dict[str, object]: + return { + "report": { + "live_probes": [ + { + "tool_id": "mais_humana.rulebook.compact", + "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", + "http_status": 200, + "ok": True, + "trace_id": "trace:mcps-gateway:actor:mais_humana.rulebook.compact", + "audit_id": "audit:mcps-gateway:actor:mais_humana.rulebook.compact", + "evidence_id": "evidence-rulebook", + "source_payload_hash": "hash-request-rulebook", + "source_records_hash": "hash-response-rulebook", + "response_excerpt": {"ok": "True", "providerId": "mais_humana"}, + "observed_at": "2026-05-02T00:00:00+00:00", + }, + { + "tool_id": "mais_humana.admin_ui.same_source", + "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", + "http_status": 200, + "ok": True, + "trace_id": "trace:mcps-gateway:actor:mais_humana.admin_ui.same_source", + "audit_id": "audit:mcps-gateway:actor:mais_humana.admin_ui.same_source", + "evidence_id": "evidence-same-source", + "source_payload_hash": "hash-request-same-source", + "source_records_hash": "hash-response-same-source", + "response_excerpt": {"ok": "True", "sameSource": "True"}, + "observed_at": "2026-05-02T00:00:00+00:00", + }, + { + "tool_id": "mais_humana.mcp_transit.ledger", + "endpoint": "https://mcps-gateway.ami-app.workers.dev/v1/execute", + "http_status": 200, + "ok": True, + "trace_id": "trace:mcps-gateway:actor:mais_humana.mcp_transit.ledger", + "audit_id": "audit:mcps-gateway:actor:mais_humana.mcp_transit.ledger", + "evidence_id": "evidence-ledger", + "source_payload_hash": "hash-request-ledger", + "source_records_hash": 
"hash-response-ledger", + "response_excerpt": {"ok": "True", "records": "3"}, + "observed_at": "2026-05-02T00:00:00+00:00", + }, + ] + } + } + + +class McpGatewayAccessPolicyTests(unittest.TestCase): + def test_policy_from_publication_gate_payload_passes_without_secret_leak(self) -> None: + probes = probes_from_publication_gate_payload(publication_gate_payload()) + report = build_access_policy_report(probes=probes) + self.assertEqual(len(report.probes), 3) + self.assertEqual(report.status, AccessPolicyStatus.PASSED) + self.assertTrue(report.live_ready) + self.assertTrue(report.secret_safe) + self.assertFalse(report.blockers) + by_rule = {check.rule_id: check for check in report.checks} + self.assertEqual(by_rule["auth.bearer.present-redacted"].status, AccessPolicyStatus.PASSED) + self.assertEqual(by_rule["redaction.no-secret-shapes"].status, AccessPolicyStatus.PASSED) + + def test_secret_shapes_block_redaction_rule(self) -> None: + self.assertTrue(has_secret_shape("Authorization: Bearer rawtoken123456")) + self.assertTrue(has_secret_shape("cfat_abc123")) + payload = publication_gate_payload() + live_probes = payload["report"]["live_probes"] # type: ignore[index] + live_probes[0]["response_excerpt"] = {"authorization": "Bearer rawtoken123456"} # type: ignore[index] + report = build_access_policy_report(probes=probes_from_publication_gate_payload(payload)) + by_rule = {check.rule_id: check for check in report.checks} + self.assertEqual(by_rule["redaction.no-secret-shapes"].status, AccessPolicyStatus.BLOCKED) + + def test_run_access_policy_gate_writes_project_and_central_artifacts(self) -> None: + tmp = make_tmp() + project = tmp / "tudo-para-ia-mais-humana" + central = tmp / "central" / "projects" / "15_repo_tudo-para-ia-mais-humana-platform" + gate_json = project / "dados" / "mcp-publication-gate-mais-humana.json" + gate_json.parent.mkdir(parents=True, exist_ok=True) + gate_json.write_text(json.dumps(publication_gate_payload()), encoding="utf-8") + report, records = 
run_access_policy_gate(project_root=project, central_platform_folder=central, publication_gate_json=gate_json) + self.assertEqual(report.status, AccessPolicyStatus.PASSED) + self.assertTrue((project / "dados" / "mcp-gateway-access-policy.json").exists()) + self.assertTrue((project / "matrizes" / "mcp-gateway-access-policy.csv").exists()) + self.assertTrue((central / "reports" / "MCP-GATEWAY-ACCESS-POLICY__RODADA015.md").exists()) + self.assertGreaterEqual(len(records), 4) + + def test_cli_access_policy_writes_payload(self) -> None: + tmp = make_tmp() + project = tmp / "tudo-para-ia-mais-humana" + gate_json = project / "dados" / "mcp-publication-gate-mais-humana.json" + gate_json.parent.mkdir(parents=True, exist_ok=True) + gate_json.write_text(json.dumps(publication_gate_payload()), encoding="utf-8") + code = main( + [ + "mcp-access-policy", + "--project-root", + str(project), + "--publication-gate-json", + str(gate_json), + ] + ) + self.assertEqual(code, 0) + payload = json.loads((project / "dados" / "mcp-gateway-access-policy.json").read_text(encoding="utf-8")) + self.assertEqual(payload["status"], "passed") + self.assertTrue(payload["secretSafe"]) + + +if __name__ == "__main__": + unittest.main() diff --git a/tests/test_mcp_provider_contract.py b/tests/test_mcp_provider_contract.py index dfdf3b6..eb7a8ae 100644 --- a/tests/test_mcp_provider_contract.py +++ b/tests/test_mcp_provider_contract.py 
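Review bot: `test_secret_shapes_block_redaction_rule` asserts only positives for `has_secret_shape` and the status of a single rule, so a detector that flags every string would still pass; add a negative such as `self.assertFalse(has_secret_shape("trace:mcps-gateway:actor:mais_humana.rulebook.compact"))` and pin the report-level outcome with `self.assertFalse(report.secret_safe)` plus whatever `report.blockers` is expected to hold in that case (the passing test only checks `assertFalse(report.blockers)`). The tolerated central-write failure path that `write_access_policy_artifacts` exists for is not exercised either: a case that creates `central / "reports"` as a regular file so the markdown write raises `OSError`, then asserts the project artifacts still exist, the call does not raise, and `dados/mcp-gateway-access-policy-central-write-status.json` carries `"ok": false`, would cover it. Since the fixture in `publication_gate_payload()` is also what `run_access_policy_gate` reads from disk, one probe with a `response_excerpt` containing a bearer shape in that CLI test would additionally confirm that the written JSON never contains the raw token.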
@@ -113,6 +113,15 @@ class McpProviderContractTests(unittest.TestCase): self.assertGreater(len(ui_screens), 20) self.assertTrue(all(contract.report_model_id for contract in report_models)) + def test_access_policy_contracts_cover_profiles_and_gateway_rules(self) -> None: + access_contracts = contracts_for_kind(McpContractKind.ACCESS_POLICY) + self.assertGreater(len(access_contracts), 500) + sample = access_contracts[0] + self.assertIn("authorizationCredentialRef", sample.required_payload_fields) + self.assertIn("pluginCloudflareDiagnosticIgnored", sample.required_payload_fields) + self.assertTrue(any("WAF" in step or "waf" in step for step in sample.validation_steps)) + self.assertTrue(all("0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway" in item.order_ids for item in access_contracts)) + def test_cli_mcp_provider_returns_json(self) -> None: root = make_tmp() self.make_repo( diff --git a/tools/generate_mcp_control_contracts.py b/tools/generate_mcp_control_contracts.py index 5e081c0..82f4139 100644 --- a/tools/generate_mcp_control_contracts.py +++ b/tools/generate_mcp_control_contracts.py 
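Review bot: The redaction-critical payload fields are checked on `access_contracts[0]` only, while the generator emits them for every access-policy contract; mirror the `all(...)` form already used for `order_ids` and include the field the policy actually hinges on: `self.assertTrue(all("authorizationRawPersisted" in c.required_payload_fields for c in access_contracts))` and `self.assertTrue(all("secretSafe" in c.required_payload_fields for c in access_contracts))`. The `"WAF" in step or "waf" in step` expression reads more simply as `"waf" in step.lower()`. The enclosing `McpProviderContractTests` class starts outside the hunk.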
@@ -141,6 +141,48 @@ def redaction_requirements(platform_id: str) -> tuple[str, ...]: ) +ACCESS_POLICY_SURFACES = ( + ("gpt-execute-probe", "governance", "mais_humana.gateway.access_policy.gpt_probe"), + ("admin-ui-render", "experience", "mais_humana.gateway.access_policy.admin_ui"), + ("automation-smoke", "observability", "mais_humana.gateway.access_policy.smoke"), +) + + +def unique_tuple(values: Iterable[object]) -> tuple[str, ...]: + seen: set[str] = set() + output: list[str] = [] + for value in values: + text = str(value) + if not text or text in seen: + continue + seen.add(text) + output.append(text) + return tuple(output) + + +def access_policy_payload_fields(platform_id: str, profile_id: str, surface: str, category: str) -> tuple[str, ...]: + return unique_tuple( + payload_fields(platform_id, profile_id, surface, category) + + ( + "httpMethod", + "contentType", + "userAgent", + "authorizationCredentialRef", + "authorizationRawPersisted", + "wafDecision", + "wafRuleId", + "rateLimitPerMinute", + "logRetentionDays", + "requestHash", + "responseHash", + "redactionPolicyId", + "secretSafe", + "pluginCloudflareDiagnosticIgnored", + "wranglerOperationalReference", + ) + ) + + def validation_steps(platform_id: str, profile_id: str, surface: str, kind: str) -> tuple[str, ...]: return ( f"chamar {platform_id} somente via tudo-para-ia-mcps-internos-plataform", 
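Review bot: None of the three new definitions has a docstring, and `unique_tuple` has a non-obvious contract — it stringifies every value, silently drops empty strings and keeps first-seen order — that `access_policy_payload_fields` relies on for deterministic field lists; I would add `"""Return *values* as strings in first-seen order, dropping empties and duplicates."""` to `unique_tuple` and `"""Payload fields every access-policy contract must carry, on top of the platform/profile base fields."""` to `access_policy_payload_fields`. The `Iterable` annotation assumes that name is already imported at the top of the file, which this hunk does not show. A short comment next to `"authorizationRawPersisted"` saying that the probe is expected to record it as false (the validation and redaction text elsewhere in this patch forbids persisting the raw bearer) would stop the field name from being read as permission to persist it — presumably that is the intent, confirm against the probe that fills it.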
@@ -152,6 +194,17 @@ def validation_steps(platform_id: str, profile_id: str, surface: str, kind: str) ) +def access_policy_validations(platform_id: str, profile_id: str, surface: str) -> tuple[str, ...]: + return ( + f"executar {surface} de {platform_id}/{profile_id} por /v1/execute com POST application/json", + "confirmar User-Agent operacional e separar WAF de erro runtime", + "confirmar Authorization via credentialRef sem persistir bearer bruto", + "validar traceId, auditId, requestHash e responseHash", + "validar redaction contra cfat_, bearer bruto e tokens numericos longos", + "registrar rate limit, retencao de logs e decisao WAF no MCP", + ) + + def contract_block( name: str, *, 
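Review bot: `access_policy_validations` has no docstring, and unlike `validation_steps` above it every step after the first is a constant string, so only `surface`, `platform_id` and `profile_id` vary between contracts; a one-liner such as `"""Validation steps for an access-policy contract: transport, WAF/runtime split, credentialRef-only auth, evidence hashes, redaction."""` makes that explicit. The second and sixth steps are the only ones mentioning WAF, and the new test in `tests/test_mcp_provider_contract.py` searches the steps for that word, so their wording is load-bearing for the test and deserves a comment saying so.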
@@ -398,6 +451,50 @@ def build_contracts() -> tuple[list[str], list[str]]: ) index += 1 + for profile in HUMAN_PROFILES: + profile_categories = category_values(profile.priority_needs) + audience = audience_for_profile(profile.profile_id, profile_categories) + for surface, category, tool_id in ACCESS_POLICY_SURFACES: + name = f"CONTRACT_{index:04d}" + names.append(name) + blocks.append( + contract_block( + name, + contract_id=f"{platform.platform_id}.{profile.profile_id}.{surface}.access-policy", + kind="ACCESS_POLICY", + platform_id=platform.platform_id, + profile_id=profile.profile_id, + tool_id=tool_id, + title=f"Politica de acesso {surface} para {platform.title} e {profile.name}", + purpose=( + f"Garantir que chamadas GPT/MCP de {platform.title} para {profile.name} " + "usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel." + ), + source_tool_id="mais_humana.gateway.access_policy", + payload=access_policy_payload_fields(platform.platform_id, profile.profile_id, surface, category), + truth=truth, + panel_ready=panel_ready, + gpt_explainable=True, + report_model_id=f"access.{platform.platform_id}.{profile.profile_id}.{normalize(surface)}", + audience=audience, + redaction=redaction_requirements(platform.platform_id) + + ( + "bloquear persistencia de Authorization Bearer bruto", + "registrar apenas credentialRef e hashes de evidencia", + ), + validations=access_policy_validations(platform.platform_id, profile.profile_id, surface), + pending=f"homologar politica de acesso {surface} para {platform.platform_id}/{profile.profile_id}", + order_ids=( + "0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia", + "0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway", + ), + policy_tags=("access_policy", "waf", "redaction", "same_source", normalize(surface)), + maturity=max(7, maturity), + generated_from="platform_profile_access_policy_contract", + ) + ) + index += 1 + special_contracts = [ ( 
"docs.formal-exception.docs-catalogonly",
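Review bot: `contract_id` embeds the raw `surface` value (`gpt-execute-probe`, with hyphens) while `report_model_id` and `policy_tags` use `normalize(surface)`, so one contract spells the same surface two ways across its identifiers; either use `normalize(surface)` in `contract_id` as well or document why the raw form is kept there (the existing `docs.formal-exception.docs-catalogonly` id shows hyphens are tolerated, so this may be intentional). The ~40-line keyword-argument block inside two nested loops would read better as a helper such as `_access_policy_contract_block(name, platform, profile, surface, category, tool_id, *, truth, panel_ready, maturity, audience)` returning the block string, leaving the loop to the name/index bookkeeping. `maturity=max(7, maturity)` imposes a floor with no comment on why 7 is the minimum for these contracts. `truth`, `panel_ready`, `maturity` and `index` appear to be bound by the enclosing loop over platforms, whose start is outside the hunk.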