Evidence → Assertions → SEA-DSL Pipeline Audit (Repository-Based)

Method: code/config audit only. Deterministic, compiler-style logic preferred. LLMs treated as optional and absent unless wired. All claims cite file paths and symbols.

SEA-DSL is treated as the canonical semantic code for SEA-Forge; projections and compiler outputs must be derived from SEA-DSL rather than the other way around.

1) Executive Summary

Evidence ingestion connectors (Okta/GitHub/CI/CD) are missing in code; there are no adapters or services for these sources today. The only “evidence-like” ingestion implemented is OTLP telemetry normalization for behavior correlation, which is not wired to OpenObserve ingestion yet and is used with mock data in the API. (services/workbench-bff/src/adapters/behavior_normalizer.py:BehaviorNormalizer, services/workbench-bff/src/api/behavior_routes.py)
Append-only evidence ledger is not implemented. There are append-only audit logs (JSONL) for ops and drift remediation, and a domain entity EvidenceArtifact in governance-runtime that can be repurposed, but the persistence adapter for it is missing. (services/workbench-bff/src/adapters/ops_runner.py:_get_audit_log_path, services/workbench-bff/src/adapters/remediation_engine.py:_log_audit, libs/governance-runtime/domain/src/gen/entities/evidence_artifact.py:EvidenceArtifact, libs/governance-runtime/application/src/gen/commands/collect_evidence_command.py:EvidenceArtifactRepositoryPort)
Deterministic parsing and inference exist for OTLP telemetry → BehaviorEvidence → correlation/drift, and can be reused as the “compiler-style” inference engine for observed assertions when inputs are telemetry-like. For GitHub/Okta/CI, parsers must be added. (services/workbench-bff/src/adapters/behavior_normalizer.py, services/workbench-bff/src/adapters/behavior_correlator.py, services/workbench-bff/src/adapters/behavior_drift_classifier.py)
SEA-DSL emission from evidence does not exist. There are compiler stages for .sea → AST → IR → Manifest, but no code to generate .sea from evidence/assertions. (just/62-compiler.just, tools/ast_to_ir.py, tools/ir_to_manifest.py, tools/sea_new_context.py [template writer])
Projections: RDF/Turtle can be produced deterministically from IR via tools/ir_to_kgs.py. Protobuf projection is available via the SEA CLI directly from .sea models (Domainforge sea project --format protobuf), so no IR→proto compiler is required. (tools/ir_to_kgs.py, domainforge/sea-core/src/cli/project.rs)
Garage (S3-compatible) object storage has no implementation in code; no S3/MinIO/Garage client exists. A new port + adapter is required. (rg results show no S3 client code)

2) Pipeline Step Mapping Table

Step	Existing Code (paths + symbols)	Readiness	Notes
1) Evidence ingestion connectors (Okta, GitHub, CI/CD; Jira optional)	None found. Only generic HTTP + GitHub PR automation unrelated to evidence ingestion: `services/workbench-bff/src/adapters/pr_creator.py:GitHubPRCreator`	Missing	No source connectors. A new ingestion service/adapter layer required.
2) Append-only Evidence Ledger (metadata DB + raw payload object store)	Partial patterns: JSONL append-only audit logs in `services/workbench-bff/src/adapters/ops_runner.py:_get_audit_log_path`, `services/workbench-bff/src/adapters/remediation_engine.py:_log_audit`; EvidenceArtifact entity + command port exists in governance-runtime: `libs/governance-runtime/domain/src/gen/entities/evidence_artifact.py:EvidenceArtifact`, `libs/governance-runtime/application/src/gen/commands/collect_evidence_command.py:EvidenceArtifactRepositoryPort`	Partial	EvidenceArtifact repository adapter file referenced by tests but missing: `libs/governance-runtime/adapters/src/gen/evidence_artifact_repository.py` (imported in `libs/governance-runtime/adapters/tests/integration/test_evidence_artifact_repository_integration.py`). No object store.
3) Deterministic parsing of evidence → typed features	OTLP normalization: `services/workbench-bff/src/adapters/behavior_normalizer.py:BehaviorNormalizer` and parsing helpers (OTLP trace/log/metric parsing).	Partial	Works for telemetry evidence; does not cover GitHub/Okta/CI payloads.
4) Deterministic semantic compiler/inference → ObservedAssertions	Correlation & drift rules: `services/workbench-bff/src/adapters/behavior_correlator.py:BehaviorCorrelator`, `services/workbench-bff/src/adapters/behavior_drift_classifier.py`	Partial	Outputs correlation/drift, not ObservedAssertion schema. Can be mapped deterministically to ObservedAssertion.
5) Declared intent ingestion (deterministic parsing; optional LLM extraction)	None found for document parsing or LLM-assisted extraction. LLM runtime exists but not wired to intent ingestion: `services/llm-provider/src/main.py`, `services/llm-provider/src/adapters/litellm_adapter.py`	Missing	No doc/PDF parser or declared-intent pipeline.
6) Deterministic SEA-DSL emitter (.evidence_observed.sea, .declared_intent.sea, .spec.sea)	Compiler pipeline exists in reverse: `.sea → AST → IR → manifest` (`just/62-compiler.just`, `tools/ast_to_ir.py`, `tools/ir_to_manifest.py`). Template writer example: `tools/sea_new_context.py`	Missing	Need deterministic emitter to write .sea from assertions.
7) SEA-DSL projections (Protobuf + RDF/Turtle/XML)	RDF/Turtle from IR: `tools/ir_to_kgs.py` (emits RDF triples, supports SHACL). Protobuf: SEA CLI `sea project --format protobuf` (Domainforge). Knowledge Graph service: `services/knowledge-graph/src/api/routes.py`	Partial	RDF export achievable via IR pipeline; protobuf export available from `.sea` via SEA CLI.

3) Capability Inventory (by step)

Step 1: Evidence ingestion connectors

No Okta/GitHub/CI/CD connectors found in code. The only “external integration” logic is GitHub PR creation for drift remediation. (services/workbench-bff/src/adapters/pr_creator.py:GitHubPRCreator)
A2A service exists but is for agent interoperability, not ingestion. (services/a2a/src/api/routes.py:APIRouter)

Step 2: Evidence ledger

EvidenceArtifact domain model exists (can map to EvidenceEvent metadata). (libs/governance-runtime/domain/src/gen/entities/evidence_artifact.py:EvidenceArtifact)
Command port for CollectEvidence exists, but handler logic is stubbed. (libs/governance-runtime/application/src/gen/commands/collect_evidence_command.py:CollectEvidenceHandlerImpl)
EvidenceArtifact repository adapter file is missing (tests reference it). (libs/governance-runtime/adapters/tests/integration/test_evidence_artifact_repository_integration.py → libs/governance-runtime/adapters/src/gen/evidence_artifact_repository.py)
Append-only JSONL logging pattern exists and can be reused for ledger immutability. (services/workbench-bff/src/adapters/ops_runner.py:_audit_log, services/workbench-bff/src/adapters/remediation_engine.py:_log_audit)

Step 3: Deterministic parsing to typed features

OTLP parsing + normalization is deterministic and includes PII scrubbing and cardinality checks. (services/workbench-bff/src/adapters/behavior_normalizer.py:BehaviorNormalizer)
BehaviorEvidence model captures structured evidence from traces/logs/metrics. (services/workbench-bff/src/models.py:BehaviorEvidenceModel)

Step 4: Deterministic inference to ObservedAssertions

Correlation from evidence → spec nodes with deterministic + heuristic scoring. (services/workbench-bff/src/adapters/behavior_correlator.py:BehaviorCorrelator)
Drift classification rules for observed vs expected behavior. (services/workbench-bff/src/adapters/behavior_drift_classifier.py)
Knowledge Graph projection of behavior evidence is supported (not ObservedAssertion schema). (services/knowledge-graph/src/adapters/oxigraph_adapter.py:_project_behavior_evidence)

Step 5: Declared intent ingestion

No document parsers or intent extractors found. LLM provider exists but is generic. (services/llm-provider/src/adapters/litellm_adapter.py:LiteLLMAdapter)

Step 6: SEA-DSL emission

SEA compiler pipeline exists but only for parsing/compilation of .sea → AST/IR/manifest. (just/62-compiler.just, tools/ast_to_ir.py, tools/ir_to_manifest.py)
Template-based writer exists for creating starter .sea files (not evidence-based). (tools/sea_new_context.py:write)

Step 7: Projections (protobuf, RDF)

RDF/Turtle projection from IR exists and is deterministic. (tools/ir_to_kgs.py:_ir_to_triples, _compute_snapshot_id)
Protobuf projection not implemented (only mentioned in docs). (docs/handbooks/SEA_DSL_Handbook/Syntax_Reference.md)

4) Gap Analysis (what’s missing or incomplete)

Missing source connectors for Okta, GitHub, CI/CD (and Jira). No adapters or ingestion services exist. (rg results; no code paths)
Evidence ledger missing: No object store integration, no append-only metadata DB model. Only EvidenceArtifact entity exists without repository. (libs/governance-runtime/domain/src/gen/entities/evidence_artifact.py, missing adapter file referenced by tests)
CollectEvidence handler is stubbed (no _execute_logic). (libs/governance-runtime/application/src/gen/commands/collect_evidence_command.py:CollectEvidenceHandlerImpl)
Behavior correlation API uses mock data and simulated scans, so ingestion path is not wired. (services/workbench-bff/src/api/behavior_routes.py)
SEA-DSL emitter missing for Observed/Declared snapshots and spec files. (tools/sea_new_context.py is only template writer)
Protobuf projection handled by SEA CLI (Domainforge); no IR-based emitter required.
Garage/S3 adapter missing (no S3 client in codebase). (rg search)

5) Minimal-Change Implementation Plan (ordered checklist)

1) Define append-only evidence ledger models in a new handwritten module (avoid src/gen/**):

Create services/workbench-bff/src/adapters/evidence_ledger.py or a new services/evidence-ledger/ module.
Use SQLAlchemy patterns from services/workbench-bff/src/api/database.py and services/workbench-bff/src/adapters/behavior_indexer.py.
Add EvidenceEvent table with insert-only semantics and hash chain (pattern from services/workbench-bff/src/api/audit.py:AuditEvent._compute_hash).

2) Implement EvidenceArtifact repository adapter (handwritten)

Place in non-generated path, e.g. libs/governance-runtime/adapters/src/evidence_artifact_repository.py.
Implement EvidenceArtifactRepositoryPort from libs/governance-runtime/application/src/gen/commands/collect_evidence_command.py.
Use EvidenceArtifact domain model libs/governance-runtime/domain/src/gen/entities/evidence_artifact.py:EvidenceArtifact.

3) Wire CollectEvidence handler with deterministic logic

Create handwritten handler in libs/governance-runtime/application/src/collect_evidence_handler_impl.py and bind it in your HTTP route wiring (avoid editing generated routes in libs/governance-runtime/adapters/src/gen/http/routes.py).
Logic: compute hash of raw payload, write metadata to ledger DB, store raw payload to object store, and persist EvidenceArtifact.

4) Add connector adapters (deterministic)

Create one adapter module per source (Okta/GitHub/CI) under libs/<ctx>/adapters/ or a new services/evidence-ingest/ service.
Use httpx (already used in repo) for HTTP calls, avoid new frameworks. (services/policy-gateway/src/api/routes.py uses httpx)
Normalize each source into EvidenceEvent + raw payload storage reference.

5) Reuse BehaviorNormalizer for telemetry evidence

Add a connector that ingests OTLP/observability exports and passes them through BehaviorNormalizer for deterministic features. (services/workbench-bff/src/adapters/behavior_normalizer.py:BehaviorNormalizer)

6) Define ObservedAssertion & DeclaredAssertion schemas

Add JSON schemas under schemas/events/ mirroring required fields, reusing schemas/events/governance/evidence-artifact.schema.json as structure reference.

7) Implement deterministic SEA-DSL emitter

New tool: tools/emit_sea_from_assertions.py that writes .evidence_observed.sea, .declared_intent.sea, .spec.sea using stable ordering and formatting (pattern from tools/sea_new_context.py).

8) RDF projection via existing pipeline

Use just sea-parse → tools/ast_to_ir.py → tools/ir_to_kgs.py to output RDF/Turtle.

9) Use SEA CLI for protobuf projection

Use sea project --format protobuf directly on .sea models (Domainforge). No IR-based emitter needed.

6) Garage Object Storage Plan (config + code touchpoints)

No existing S3/Garage integration found. Add a generic ObjectStore port + GarageS3 adapter.

Port interface (new, deterministic, minimal):
- put_bytes(key: str, bytes: bytes, content_type: str) -> str
- get_bytes(key: str) -> bytes
- exists(key: str) -> bool
Adapter: GarageS3ObjectStoreAdapter using S3-compatible API.
Config (env vars):
- GARAGE_S3_ENDPOINT, GARAGE_S3_REGION, GARAGE_S3_ACCESS_KEY, GARAGE_S3_SECRET_KEY, GARAGE_S3_BUCKET, GARAGE_S3_PATH_STYLE.
Touchpoints:
- Evidence ledger writer: store raw payload in Garage, store raw_ref URI in ledger.
- Evidence ingestion adapters: use object store adapter to persist raw payloads.
Minimal dependency suggestion:
- Use boto3 (Python) or aws-sdk-s3 (Rust) only if needed; otherwise implement basic signed S3 requests with httpx (more work but no extra deps). No existing S3 clients are present.

7) Canonical Schemas (reuse or propose)

Reuse (existing):

schemas/events/governance/evidence-artifact.schema.json → base for EvidenceEvent metadata (artifactId, artifactType, evidenceHash, submittedAt, contentRef).
libs/governance-runtime/domain/src/gen/entities/evidence_artifact.py:EvidenceArtifact → append-only entity for evidence metadata.
services/workbench-bff/src/models.py:BehaviorEvidenceModel → deterministic feature model for telemetry evidence.

Propose (new, minimal):

schemas/events/evidence/evidence-event.schema.json (aligned to your EvidenceEvent shape).
schemas/events/assertions/observed-assertion.schema.json and declared-assertion.schema.json (aligned to provided target shapes).

8) SEA-DSL Emission Strategy

Goal: deterministic .sea emission from Observed/Declared assertions with stable ordering.

Emitter location: tools/emit_sea_from_assertions.py (new, handwritten).
Inputs:
- ObservedAssertions JSON (append-only ledger slice)
- DeclaredAssertions JSON
- Spec policies/metrics config (YAML/JSON)
Output:
- docs/specs/<ctx>/<ctx>.evidence_observed.sea
- docs/specs/<ctx>/<ctx>.declared_intent.sea
- docs/specs/<ctx>/<ctx>.spec.sea
Determinism:
- Sort entities, instances, and fields by stable keys.
- Normalize floats (confidence) to fixed precision.
- Use stable, reproducible IDs (hashes) for instance names.
Validation:
- Use existing pipeline to validate: just sea-validate, just sea-parse, tools/ast_to_ir.py.

9) Test & Verification Plan

Minimal tests to prove the pipeline:

1) Connector ingests sample payload → EvidenceEvent written

Test file: services/workbench-bff/tests/test_evidence_ledger.py (new)
Fixture: tests/fixtures/evidence/github_sample.json (new)
Command: just test-python (or pytest services/workbench-bff/tests/test_evidence_ledger.py -v)

2) Compiler produces stable ObservedAssertions

Test file: services/workbench-bff/tests/test_observed_assertions.py (new)
Use BehaviorNormalizer + correlator deterministically (services/workbench-bff/src/adapters/behavior_normalizer.py, behavior_correlator.py).
Command: pytest services/workbench-bff/tests/test_observed_assertions.py -v

3) SEA emitter produces deterministic .sea files

Test file: tools/tests/test_sea_emitter_determinism.py (new)
Run emitter twice on same input and compare output.
Command: pytest tools/tests/test_sea_emitter_determinism.py -v

4) SEA validation passes

Command: just sea-validate docs/specs/<ctx>/<ctx>.evidence_observed.sea
Command: just sea-parse docs/specs/<ctx>/<ctx>.evidence_observed.sea

Assumptions

The external sea CLI used in just/62-compiler.just is available in the environment; it is not part of this repo. (just/62-compiler.just:sea-validate, sea-parse)
Evidence ingestion and ledger should be built in Python for maximal reuse of existing patterns (FastAPI + SQLAlchemy in services/workbench-bff).
Garage will be deployed separately and accessed via S3 API; no existing infrastructure wiring is present in infra/ for Garage.