feat: enforce layer0 gate and add tests

2025-12-17 00:02:39 +00:00
parent 37a867c485
commit 7f2e60e1c5
21 changed files with 2066 additions and 16 deletions
--- a/layer0/preboot_logger.py
+++ b/layer0/preboot_logger.py
@@ -0,0 +1,33 @@
+import datetime
+import json
+import os
+from typing import Optional
+
+from .shadow_classifier import ShadowEvalResult, Classification
+
+
+class PrebootLogger:
+    LOG_PATH = "anomalies/preboot_shield.jsonl"
+
+    @staticmethod
+    def log(event: ShadowEvalResult, query: str, reason_override: Optional[str] = None):
+        if event.classification not in (Classification.CATASTROPHIC, Classification.FORBIDDEN):
+            return  # Only violations get logged
+
+        record = {
+            "timestamp": datetime.datetime.utcnow().isoformat() + "Z",
+            "query": query,
+            "classification": event.classification.value,
+            "reason": reason_override or event.reason,
+            "trace_id": event.trace_id,
+            "metadata": {
+                "risk_score": event.risk_score,
+                "flags": event.flags,
+                "source": "layer0",
+            },
+        }
+
+        os.makedirs(os.path.dirname(PrebootLogger.LOG_PATH), exist_ok=True)
+
+        with open(PrebootLogger.LOG_PATH, "a", encoding="utf-8") as f:
+            f.write(json.dumps(record) + "\n")