chore: init vm-cc compliance scaffold

2025-12-27 00:44:38 +00:00
commit b654462586
18 changed files with 132 additions and 0 deletions
--- a/config/redaction.yaml
+++ b/config/redaction.yaml
@@ -0,0 +1,21 @@
+# Redaction policy for evidence before reporting/proofs.
+# Define fields to drop or mask by source.
+
+vm_skills:
+  drop:
+    - "*.png"  # example if screenshots are present
+  mask:
+    - "**/secrets/**"
+
+ops:
+  drop: []
+  mask:
+    - "**/private_keys/**"
+
+vm_ledger:
+  drop: []
+  mask: []
+
+vm_mcp:
+  drop: []
+  mask: []
--- a/config/rules.yaml
+++ b/config/rules.yaml
@@ -0,0 +1,24 @@
+# Rule registry. Each entry binds a rule id to a source and evaluation script.
+# Keep rule definitions in 40-rules/; this file ties them to schedules and severity.
+
+rules:
+  - id: authority-hierarchy
+    severity: HIGH
+    entry: "40-rules/authority_hierarchy.yaml"
+    evidence:
+      - vm_mcp
+      - vm_ledger
+
+  - id: skills-health
+    severity: MEDIUM
+    entry: "40-rules/skills_health.yaml"
+    evidence:
+      - vm_skills
+      - ops
+
+  - id: receipts-schema
+    severity: HIGH
+    entry: "40-rules/receipts_schema.yaml"
+    evidence:
+      - vm_contracts
+      - vm_ledger
--- a/config/schedules.yaml
+++ b/config/schedules.yaml
@@ -0,0 +1,13 @@
+# Schedules for rule execution. Cron-like or duration strings.
+
+schedules:
+  - name: hourly-critical
+    every: "1h"
+    rules:
+      - authority-hierarchy
+      - receipts-schema
+
+  - name: daily-health
+    every: "24h"
+    rules:
+      - skills-health
--- a/config/sources.yaml
+++ b/config/sources.yaml
@@ -0,0 +1,33 @@
+# Define evidence sources and where collectors should look.
+# Keep paths external to code so collectors are layout-agnostic.
+
+vm_skills:
+  path: "../vm-skills"
+  evidence:
+    - "*/outputs/status_matrix.json"
+    - "*/outputs/audit_report.md"
+    - "*/outputs/PROOF.json"
+    - "*/outputs/ROOT.txt"
+
+ops:
+  path: "../ops"
+  evidence:
+    - "20-identity/**"
+    - "60-backups/**"
+    - "70-audits/**"
+
+vm_ledger:
+  path: "../vm-ledger"
+  evidence:
+    - "log/entries.cborseq"
+    - "ledger-cli verify --format json"  # command invocation placeholder
+
+vm_mcp:
+  path: "../vm-mcp"
+  evidence:
+    - "governance/constitution.lock"
+
+vm_contracts:
+  path: "../vm-contracts"
+  evidence:
+    - "receipt_v1.schema.json"