feat: add SOD validation, audit reporting, and init scaffolding#12
Merged
shreyas-lyzr merged 2 commits intoopen-gitagent:mainfrom Feb 27, 2026
Merged
Conversation
This was referenced Feb 27, 2026
Add the `segregation_of_duties` subsection to the compliance schema with support for roles, conflict matrix, assignments, isolation levels, handoff workflows, and enforcement modes. - JSON Schema definition in agent-yaml.schema.json - TypeScript types in loader.ts ComplianceConfig interface - Spec documentation including DUTIES.md convention, validation rules, and regulatory reference table Closes open-gitagent#10 (part 1 of 4)
- validate.ts: 16 validation rules for SOD (role uniqueness, conflict detection, assignment integrity, handoff validation, risk tier checks) - audit.ts: new "Segregation of Duties" section in audit report - init.ts: DUTIES.md scaffolding in full template Part 2 of 4 — depends on feat/sod-1-spec-schema
patel-lyzr
force-pushed
the
feat/sod-2-cli-commands
branch
from
0c94bb6 to
30a5fd7
Compare
shreyas-lyzr
approved these changes
Feb 27, 2026
Contributor
shreyas-lyzr
left a comment
shreyas-lyzr
left a comment
There was a problem hiding this comment.
Validation logic is thorough — 16 checks covering:
- Role uniqueness and minimum count
- Conflict pair integrity (no self-conflicts, references defined roles)
- Assignment validation with core SOD violation detection
- Handoff role validation with minimum 2 distinct roles
- Risk tier recommendations (strict enforcement + full isolation for high/critical)
- Advisory vs strict enforcement mode handling
The audit section is clean — shows assignments, conflicts, violations, and handoffs clearly. DUTIES.md scaffolding in init --template full is a nice touch.
One note: the audit section numbering shifts existing sections (8→9, 9→10) — make sure the final merged order makes sense if other PRs also touch audit.ts.
LGTM — approving.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds CLI support for segregation of duties across three commands:
DUTIES.mdscaffolding in thefulltemplateContext
Part 2 of 4 for the SOD feature (#10). Depends on #11 (spec + schema + types).
Test plan
npm run buildpasses cleanlynode dist/index.js validate -d examples/full --compliance— passes with SOD sectionnode dist/index.js audit -d examples/full— shows "Segregation of Duties" sectionnode dist/index.js init -t full -d /tmp/test-agent— creates DUTIES.mdPR Stack
🤖 Generated with Claude Code