auto-sync: tudo-para-ia-mais-humana 2026-05-01 23:21:24

2026-05-01 23:21:24 -03:00
parent a3a5dcd8ce
commit cdce7a8b65
15 changed files with 40381 additions and 543 deletions
--- a/tools/generate_mcp_control_contracts.py
+++ b/tools/generate_mcp_control_contracts.py
@@ -141,6 +141,48 @@ def redaction_requirements(platform_id: str) -> tuple[str, ...]:
    )


+ACCESS_POLICY_SURFACES = (
+    ("gpt-execute-probe", "governance", "mais_humana.gateway.access_policy.gpt_probe"),
+    ("admin-ui-render", "experience", "mais_humana.gateway.access_policy.admin_ui"),
+    ("automation-smoke", "observability", "mais_humana.gateway.access_policy.smoke"),
+)
+
+
+def unique_tuple(values: Iterable[object]) -> tuple[str, ...]:
+    seen: set[str] = set()
+    output: list[str] = []
+    for value in values:
+        text = str(value)
+        if not text or text in seen:
+            continue
+        seen.add(text)
+        output.append(text)
+    return tuple(output)
+
+
+def access_policy_payload_fields(platform_id: str, profile_id: str, surface: str, category: str) -> tuple[str, ...]:
+    return unique_tuple(
+        payload_fields(platform_id, profile_id, surface, category)
+        + (
+            "httpMethod",
+            "contentType",
+            "userAgent",
+            "authorizationCredentialRef",
+            "authorizationRawPersisted",
+            "wafDecision",
+            "wafRuleId",
+            "rateLimitPerMinute",
+            "logRetentionDays",
+            "requestHash",
+            "responseHash",
+            "redactionPolicyId",
+            "secretSafe",
+            "pluginCloudflareDiagnosticIgnored",
+            "wranglerOperationalReference",
+        )
+    )
+
+
 def validation_steps(platform_id: str, profile_id: str, surface: str, kind: str) -> tuple[str, ...]:
    return (
        f"chamar {platform_id} somente via tudo-para-ia-mcps-internos-plataform",
@@ -152,6 +194,17 @@ def validation_steps(platform_id: str, profile_id: str, surface: str, kind: str)
    )


+def access_policy_validations(platform_id: str, profile_id: str, surface: str) -> tuple[str, ...]:
+    return (
+        f"executar {surface} de {platform_id}/{profile_id} por /v1/execute com POST application/json",
+        "confirmar User-Agent operacional e separar WAF de erro runtime",
+        "confirmar Authorization via credentialRef sem persistir bearer bruto",
+        "validar traceId, auditId, requestHash e responseHash",
+        "validar redaction contra cfat_, bearer bruto e tokens numericos longos",
+        "registrar rate limit, retencao de logs e decisao WAF no MCP",
+    )
+
+
 def contract_block(
    name: str,
    *,
@@ -398,6 +451,50 @@ def build_contracts() -> tuple[list[str], list[str]]:
            )
            index += 1

+        for profile in HUMAN_PROFILES:
+            profile_categories = category_values(profile.priority_needs)
+            audience = audience_for_profile(profile.profile_id, profile_categories)
+            for surface, category, tool_id in ACCESS_POLICY_SURFACES:
+                name = f"CONTRACT_{index:04d}"
+                names.append(name)
+                blocks.append(
+                    contract_block(
+                        name,
+                        contract_id=f"{platform.platform_id}.{profile.profile_id}.{surface}.access-policy",
+                        kind="ACCESS_POLICY",
+                        platform_id=platform.platform_id,
+                        profile_id=profile.profile_id,
+                        tool_id=tool_id,
+                        title=f"Politica de acesso {surface} para {platform.title} e {profile.name}",
+                        purpose=(
+                            f"Garantir que chamadas GPT/MCP de {platform.title} para {profile.name} "
+                            "usem headers, bearer redigido, WAF classificado, hashes e ledger auditavel."
+                        ),
+                        source_tool_id="mais_humana.gateway.access_policy",
+                        payload=access_policy_payload_fields(platform.platform_id, profile.profile_id, surface, category),
+                        truth=truth,
+                        panel_ready=panel_ready,
+                        gpt_explainable=True,
+                        report_model_id=f"access.{platform.platform_id}.{profile.profile_id}.{normalize(surface)}",
+                        audience=audience,
+                        redaction=redaction_requirements(platform.platform_id)
+                        + (
+                            "bloquear persistencia de Authorization Bearer bruto",
+                            "registrar apenas credentialRef e hashes de evidencia",
+                        ),
+                        validations=access_policy_validations(platform.platform_id, profile.profile_id, surface),
+                        pending=f"homologar politica de acesso {surface} para {platform.platform_id}/{profile.profile_id}",
+                        order_ids=(
+                            "0032_EXECUTIVA__validar-live-tools-mais-humana-v1-execute-com-evidencia",
+                            "0045_GERENCIAL__pactuar-politica-acesso-waf-gpt-mcp-gateway",
+                        ),
+                        policy_tags=("access_policy", "waf", "redaction", "same_source", normalize(surface)),
+                        maturity=max(7, maturity),
+                        generated_from="platform_profile_access_policy_contract",
+                    )
+                )
+                index += 1
+
    special_contracts = [
        (
            "docs.formal-exception.docs-catalogonly",