Skip to content

feat: implement Operational Policy Compliance check (APPENG-5623)#50

Open
csoceanu wants to merge 7 commits into
mainfrom
APPENG-5623/operational-policy-compliance
Open

feat: implement Operational Policy Compliance check (APPENG-5623)#50
csoceanu wants to merge 7 commits into
mainfrom
APPENG-5623/operational-policy-compliance

Conversation

@csoceanu

@csoceanu csoceanu commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Summary

Implements the Operational Policy Compliance certification check (Trusted level) as defined in APPENG-5623. The check validates that skill submissions meet operational standards before deployment — all deterministic, no LLM needed.

What the check does:

  • Validates resource fields are explicitly declared in metadata.yaml (cpus, memory_mb, agent_timeout_sec)
  • Enforces configurable resource limits (default: 4 CPUs, 8GB memory, 1h timeout)
  • Detects poor error handling in test files (bare except: pass patterns via AST parsing)
  • Flags logging suppression patterns in SKILL.md (with security-qualified exclusions)

Changes:

  • abevalflow/operational_policy.py — new module with 5 check functions and orchestrator
  • abevalflow/schemas.py — added OperationalLimits model and get_operational_limits() on CertificationPolicy
  • abevalflow/certification.py — uncommented in TRUSTED_CHECKS, added operational_policy_result param to compute_certification()
  • config/certification_profiles.yaml — enabled in all 5 profiles (skill, mcp_server, plugin, agent, full)
  • scripts/aggregate_scorecard.py — wired check_operational_policy() into the analyze phase
  • tests/test_operational_policy.py — 340 lines covering all checks, custom limits, and edge cases
  • tests/test_certification.py — integration tests for certification wiring

Pipeline validation

Ran 3 CI ASE pipeline runs on the cluster:

Run Submission Policy result Score
ci-ase-hello-world-full-tg6f4 hello-world-full passed=False — missing resource declarations 0.75
ci-ase-policy-violations-7q2kr hello-world-policy-violations passed=False — all 4 checks fired 0.0
ci-ase-policy-pass-lthch hello-world-policy-pass passed=True — all checks passed 1.0

Test submissions created in skill-submissions repo:

  • eval/hello-world-policy-violations — intentional violations (excessive CPU, missing fields, bare except, logging suppression)
  • eval/hello-world-policy-pass — compliant submission with all resource fields declared

Test plan

  • 105 unit tests passing (covers all policy rules, custom limits, edge cases, certification integration)
  • CI ASE pipeline run — violations submission triggers all 4 checks
  • CI ASE pipeline run — compliant submission passes all checks
  • Results saved to scorecard.json in MinIO with correct messages

csoceanu and others added 5 commits July 9, 2026 13:43
…PENG-5623)

Add deterministic operational policy checks for skill submissions:
- Resource limits: CPU and memory within configurable max thresholds
- Timeout compliance: agent timeout within reasonable bounds
- Error handling: detect bare except:pass patterns in test files
- Logging suppression: detect patterns in SKILL.md that suppress agent logging

Wire into certification system via compute_certification() parameter,
following the existing boolean pattern. Uncomment in TRUSTED_CHECKS
and in mcp_server/full certification profiles.

28 new tests in test_operational_policy.py, all passing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix import sort order in aggregate_scorecard.py
- Split long logger.info line to stay within 120 char limit
- Remove unused pytest import from test_operational_policy.py

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Configurable thresholds via OperationalLimits model in schemas.py,
  overridable through CertificationPolicy in metadata.yaml
- Detect missing resource declarations (cpus, memory_mb, agent_timeout_sec)
  by checking raw YAML before Pydantic defaults apply
- Add operational_policy_compliance to skill and agent certification profiles
- Fix logging suppression false positives: skip lines with security
  qualifiers (passwords, credentials, tokens, etc.)
- Add 3 integration tests verifying certification wiring (pass, fail, None)
- 105 tests passing, ruff clean

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove MAX_CPUS/MAX_MEMORY_MB/MAX_AGENT_TIMEOUT_SEC module constants
  from operational_policy.py — single source of truth is now
  OperationalLimits defaults in schemas.py
- Tests derive boundary values from OperationalLimits() directly
- Add operational_policy_compliance to plugin certification profile
  for consistency across all profiles

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@csoceanu csoceanu requested a review from GuyZivRH July 9, 2026 10:55
csoceanu and others added 2 commits July 9, 2026 14:15
operational_limits was on CertificationLevelPolicy (per-level model) but
only consumed from the trusted level. This broke the symmetry pattern of
checks/thresholds and allowed silent misconfiguration. Moved it to the
top-level CertificationPolicy where it belongs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…cy result

setdefault would silently drop the explicitly-passed result if a gate
ever maps to OPERATIONAL_POLICY_COMPLIANCE. Direct assignment makes the
intent clear: this is the authoritative result for this check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant