{"id":51123269,"url":"https://github.com/jeranaias/tessera","last_synced_at":"2026-06-25T05:01:13.031Z","repository":{"id":360306896,"uuid":"1249542483","full_name":"jeranaias/tessera","owner":"jeranaias","description":"Tessera — a domain-agnostic, signed conformance gate. Checklist-as-code for cross-cutting compliance (MOSA flagship pack; cyber/RMF demo). Apache-2.0. Concept \u0026 design by Tony Maida.","archived":false,"fork":false,"pushed_at":"2026-05-25T20:59:29.000Z","size":71,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-25T22:29:13.346Z","etag":null,"topics":["compliance","conformance","defense","mbse","mosa","open-policy-agent","rego","sbom"],"latest_commit_sha":null,"homepage":null,"language":"Open Policy Agent","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jeranaias.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.md","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-25T20:14:21.000Z","updated_at":"2026-05-25T20:59:33.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jeranaias/tessera","commit_stats":null,"previous_names":["jeranaias/tessera"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/jeranaias/tessera","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jeranaias%2Ftessera","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jeranaias%2Ftessera/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jeranaias%2Ftessera/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jeranaias%2Ftessera/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jeranaias","download_url":"https://codeload.github.com/jeranaias/tessera/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jeranaias%2Ftessera/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34760219,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-25T02:00:05.521Z","response_time":101,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compliance","conformance","defense","mbse","mosa","open-policy-agent","rego","sbom"],"created_at":"2026-06-25T05:01:12.042Z","updated_at":"2026-06-25T05:01:13.020Z","avatar_url":"https://github.com/jeranaias.png","language":"Open Policy Agent","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Tessera\n\n[![CI](https://github.com/jeranaias/tessera/actions/workflows/ci.yml/badge.svg)](https://github.com/jeranaias/tessera/actions/workflows/ci.yml)\n[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)\n[![Status: rough draft](https://img.shields.io/badge/status-rough%20draft-orange.svg)](#status--honest-scope)\n[![Built with Rego + Go](https://img.shields.io/badge/built%20with-Rego%20%2B%20Go-00ADD8.svg)](#whats-in-the-box)\n\n**A domain-agnostic, signed conformance gate — checklist-as-code for cross-cutting\ncompliance concerns. MOSA is the first pack; it is not the only one.**\n\n\u003e *Tessera* — a single tile in a mosaic, and a Roman token of proof or\n\u003e authorization. Both meanings are the point: programs are assembled from\n\u003e **modular tiles**, and Tessera issues a **signed token** that says whether the\n\u003e assembly conforms.\n\n\u003e **Concept \u0026 design: Tony Maida**, building on the UAF \"Domain Overlay\" construct\n\u003e (see [`AUTHORS.md`](AUTHORS.md)). This repo is an open-source (Apache-2.0)\n\u003e implementation, reduced to its most sustainable form.\n\u003e\n\u003e 📋 **Read [`docs/VIABILITY.md`](docs/VIABILITY.md) first.** It says plainly what\n\u003e this is and is *not*. Short version: this is **not \"the answer to MOSA\"** — it's\n\u003e a narrow, useful *verification-and-attestation* layer. Honesty about scope is\n\u003e the point.\n\n---\n\n## What is this, in plain English?\n\nA \"Domain Overlay\" is a cross-cutting check you can lay over a program — for\n**MOSA**, **cybersecurity**, **nuclear surety**, or any compliance concern —\n*without* touching the underlying system. You add it to get a verdict; you remove\nit and nothing breaks.\n\nTessera makes that concrete and cheap:\n\n1. A program writes a small **manifest** (a \"parts list\" / declaration of facts).\n2. You run one binary against it with a chosen **pack** of rules.\n3. You get a **signed pass/fail receipt** — like a nutrition label or a TSA\n   checklist, but for \"did this program actually follow the rules?\"\n\nNo portal. No central database. No team keeping a website alive. Just a file, a\nchecker, and a receipt an auditor can verify. It runs offline (air-gap friendly).\n\n## Why a pack engine, not a platform?\n\nEfforts that try to *enforce compliance at scale* by building a central platform\n(import everyone's models, run dashboards, host a portal) **die** — someone has\nto fund, police, and operate them forever. Everything that actually scaled did\nthe opposite and shipped **content, not a platform**: security checklists\n(STIGs/CIS), software ingredient labels (SBOM), code scanners (Semgrep/Trivy).\n\nSo Tessera is an **engine + packs**:\n\n- The **engine** (`tessera`) is ~300 lines of Go. It knows nothing about any\n  domain. It loads a pack, evaluates its rules against a manifest, and signs the\n  result.\n- A **pack** is pure content: a rules file (Rego), a reusable library (YAML), a\n  manifest schema, and examples. Adding a domain = adding a folder. No new code.\n\nThis repo ships **two packs** to prove the point:\n\n| Pack | What it checks | Status |\n|---|---|---|\n| [`packs/mosa`](packs/mosa) | Modular Open Systems Approach conformance | Flagship |\n| [`packs/cyber-rmf`](packs/cyber-rmf) | NIST 800-53 / RMF control coverage | **Demonstration only** — proves the engine is domain-agnostic |\n\n## How it works\n\n```\n   Your model / system                      A pack (pure content)\n   (UAF / SysML / docs)                  ┌──────────────────────────┐\n            │                            │  pack.yaml  (descriptor)  │\n            │  you summarize the         │  library/   (data)        │\n            │  relevant facts            │  rules/     (Rego)        │\n            ▼                            └────────────┬─────────────┘\n   ┌──────────────────┐      tessera            ┌─────▼───────────┐    ┌──────────────────┐\n   │  manifest         │ ──────────────────────▶│  rules engine    │──▶ │  signed receipt   │\n   │  (a small file)   │   --pack packs/mosa     │  (OPA, embedded) │    │  pass/fail +      │\n   └──────────────────┘                         └──────────────────┘    │  metrics + sig    │\n   the program's OWN sidecar                                             └──────────────────┘\n   — references the model,                                               feed it to a CI gate\n     never changes it\n```\n\nThe manifest borrows the **SBOM** idea: instead of forcing programs to dump full\nengineering models into a central system, each program emits a *tiny* file with\nonly the facts the rules need. It's the program's own file — add it and the\noverlay view exists; delete it and nothing breaks. That is \"non-disruptive\noverlay,\" made concrete.\n\n## Try it in 30 seconds\n\n```bash\n# build the engine (one static binary; first build downloads dependencies)\ngo build -o tessera.exe ./cmd/tessera\n\n# check the MOSA pack and write a signed receipt\n./tessera.exe check --pack packs/mosa \\\n  --manifest packs/mosa/examples/example-radio/manifest.yaml --out receipt.json\n\n# independently verify that receipt (signature + digest + optional chain)\n./tessera.exe verify receipt.json\n\n# the SAME binary, a different pack — no engine code changed\n./tessera.exe check --pack packs/cyber-rmf \\\n  --manifest packs/cyber-rmf/examples/example-system/manifest.yaml\n```\n\nOther commands: `tessera packs` lists available packs, `tessera version` prints\nthe version. Prebuilt binaries are attached to each\n[release](https://github.com/jeranaias/tessera/releases).\n\nReal output from the MOSA example (an illustrative software-defined radio):\n\n```\n[mosa] Modular Open Systems Approach (MOSA): FAIL\n  metrics: mosa_index=64 open_std_coverage_pct=67 modularity_score_pct=75 conformance_verified_pct=50 ...\n  [DENY] KEY_IFACE_NO_OPEN_STD (IF-CTRL-CRYPTO): key interface \"IF-CTRL-CRYPTO\" references no open standard from the library\n  [WARN] KEY_IFACE_UNDOCUMENTED (IF-CTRL-CRYPTO): key interface \"IF-CTRL-CRYPTO\" is not marked documented\n  [WARN] MODULE_NON_SEVERABLE (M-CRYPTO): module \"M-CRYPTO\" is non-severable (vendor-lock / tech-refresh risk)\n```\n\n**In English:** the example radio is mostly good but **fails** because one\nimportant connection (control app ↔ crypto box) runs over a *proprietary* bus\ninstead of an open standard — exactly the vendor lock-in MOSA exists to prevent.\nExit code `2` means \"don't pass the milestone until this is fixed.\" The\n`receipt.json` carries the score, every finding, an **Ed25519 signature**, and\nthe previous receipt's fingerprint, so receipts form a tamper-evident chain.\n\n## The honest caveat (the one that matters)\n\nThe manifest is **self-declared**. A signed receipt proves \"the program *asserted*\nX and X passes the rules\" — **not** that the assertion matches the real system.\nThat makes today's output **attestation, not verification.** Closing that gap means\nderiving the manifest from the actual model or build — which the **first adapter\nnow does** (see below). See [`docs/VIABILITY.md`](docs/VIABILITY.md) for the full,\nunsparing assessment, the GAO context, and the existing-tooling landscape.\n\n## From declared to derived (the adapter)\n\nA hand-written manifest can lie; a manifest **derived from the model** cannot lie\nabout what the model says. [`adapters/sysmlv2/`](adapters/sysmlv2) reads a\n**SysML v2** model and emits a MOSA-BOM, so the facts come from engineering, not\nassertion:\n\n```bash\n# derive a manifest from a SysML v2 model, then gate it — one pipe\npython adapters/sysmlv2/sysml2bom.py adapters/sysmlv2/examples/radio.sysml \\\n  | ./tessera.exe --pack packs/mosa --manifest -\n```\n\nThe model marks the control↔crypto link as running on a proprietary bus, so the\n*derived* manifest reflects that and the gate fails it — no one had to remember to\ndeclare it. It's a documented SysML v2 *subset* parser (pure-Python, stdlib only,\nair-gap friendly); objectives/requirements derivation and XMI/Capella adapters are\nnext. This is the single most important step toward real verification.\n\n## Sign, verify, and waive\n\nEvery `check` emits a signed receipt; `verify` checks it independently — a\nsignature nobody can verify is theater:\n\n```bash\n./tessera.exe verify receipt.json                 # digest + signature + report verdict\n./tessera.exe verify receipt.json --key \u003cpubkey\u003e  # REQUIRE a specific signer (pin trust)\n./tessera.exe verify r1.json r2.json r3.json      # verify a CHAIN links cleanly over time\n```\n\n`verify` recomputes the report's digest, checks the Ed25519 signature, and (with\n`--key`) refuses any receipt not signed by the key you trust. Tampering with the\nreport — e.g. flipping a `FAIL` to `PASS` — breaks the digest *and* the signature,\nso `verify` exits non-zero.\n\n**Waivers** honor MOSA's \"to the maximum extent practicable.\" A non-severable\nmodule or a proprietary key interface is sometimes legitimately justified (GFE\ncrypto, safety). A waiver doesn't hide the finding — it records it as `WAIVED`\nwith an **approver**, a **justification**, and an **expiry**, and lets the gate pass:\n\n```bash\n./tessera.exe check --pack packs/mosa \\\n  --manifest packs/mosa/examples/example-radio/manifest.yaml \\\n  --waivers  packs/mosa/examples/example-radio/waivers.yaml\n# -\u003e PASS, with [WAIVED] KEY_IFACE_NO_OPEN_STD recorded in the signed receipt\n```\n\nExpired waivers (`expires` \u003c today) are ignored, so exceptions can't quietly\nbecome permanent.\n\n## What's in the box\n\n```\ntessera/\n├── README.md                       ← you are here\n├── AUTHORS.md                      ← concept \u0026 design credit (Tony Maida) + provenance\n├── docs/VIABILITY.md               ← honest \"is this viable?\" assessment — read it\n├── docs/CONOPS.md                  ← how a program uses it across a milestone + trust model\n├── cmd/tessera/main.go             ← the engine (Go; embeds OPA; ~300 lines, domain-agnostic)\n├── rulestest/                      ← `go test` harness that runs EVERY pack's rules\n├── adapters/sysmlv2/               ← derive a manifest FROM a SysML v2 model (gap-closer)\n├── adapters/xmi/                   ← derive FROM real UML/SysML XMI (Papyrus/Cameo); real test model\n\n├── .github/workflows/ci.yml        ← CI gate: build, test, both packs, adapter, end-to-end\n└── packs/\n    ├── mosa/                       ← flagship pack\n    │   ├── pack.yaml               ←   descriptor (rules dir, library dir, Rego query)\n    │   ├── schema/manifest.schema.json\n    │   ├── library/                ←   open-standards registry, MOSA objectives, severability\n    │   ├── rules/                  ←   conformance rules (Rego) + unit tests\n    │   └── examples/\n    └── cyber-rmf/                  ← DEMONSTRATION pack (proves multi-domain)\n        ├── pack.yaml\n        ├── schema/  library/  rules/  examples/\n        └── README.md               ←   \"this is a stub, not a real RMF tool\"\n```\n\n## Adding a new domain\n\nNo engine changes. Copy a pack folder, then edit three things:\n\n1. `library/*.yaml` — your reference data (approved standards, control catalog, …)\n2. `rules/*.rego` — your `deny` / `warn` rules and `result` (+ tests)\n3. `pack.yaml` — point `query` at your Rego entrypoint (e.g. `data.yourpack.result`)\n\nSee [`CONTRIBUTING.md`](CONTRIBUTING.md).\n\n## Status / honest scope\n\nRough draft, but it runs and it's tested in CI. Real and working today:\n\n- **engine** (`check` + `verify`), embedding OPA; one static binary\n- **manifest schema validation** — malformed manifests are rejected with precise errors\n- **signed receipts** + independent **verification** (digest, Ed25519 signature, key pinning, chain linkage)\n- **signed, expiring, attributed waivers** (\"to the maximum extent practicable\")\n- **SARIF output** (`--sarif`) — findings surface in GitHub code scanning / IDEs\n- **stakeholder reports** (`tessera report --role peo|pm|engineer`) — role-tailored markdown from a receipt\n- **cost/risk → value** — total cost, cost locked behind non-severable modules, high-risk advisories\n- **MOSA pack** + **cyber-RMF** demonstration pack (multi-domain, content-only)\n- **model adapters** — derive a manifest from a **SysML v2** model *or* a real **UML/SysML XMI** (Papyrus/Cameo) export (attestation → verification)\n\n**Deferred** (and named honestly in [`docs/VIABILITY.md`](docs/VIABILITY.md)):\nderiving objectives/requirements in the adapter, UAF/SysML 1.x XMI + Capella\nadapters, dashboards, and an optional cost-benefit module. The cyber-RMF pack is\na demonstration, not a production RMF tool.\n\n## License\n\nApache-2.0. See [`LICENSE`](LICENSE) and [`NOTICE`](NOTICE).\nConcept \u0026 design by **Tony Maida** — see [`AUTHORS.md`](AUTHORS.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjeranaias%2Ftessera","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjeranaias%2Ftessera","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjeranaias%2Ftessera/lists"}