Deterministic compiler for governance policies into CRI-CORE contract artifacts.
Project description
title: "CRI-CORE Contract Compiler - Repository Overview" filetype: "documentation" type: "overview" domain: "governance-tooling" version: "0.3.0" doi: "TBD-0.3.0" status: "Stable (Protocol-Aligned)" created: "2026-03-11" updated: "2026-05-03"
author: name: "Waveframe Labs" email: "swright@waveframelabs.org"
maintainer: name: "Waveframe Labs" url: "https://waveframelabs.org"
license: "Apache-2.0"
ai_assisted: "partial"
CRI-CORE Contract Compiler
The CRI-CORE Contract Compiler is a deterministic compiler for governance policies into CRI-CORE contract artifacts.
It bridges governance design and runtime enforcement by converting a human-authored JSON policy into a stable, machine-readable compiled contract. The compiled contract is a required input to CRI-CORE and defines the governance constraints evaluated at the execution boundary.
The compiler does not execute governance logic, make runtime decisions, or enforce policy. Its role is limited to producing reproducible contract artifacts with a stable structure and deterministic hash.
Installation
Install from PyPI:
pip install cricore-contract-compiler
Requires Python 3.9 or later.
CLI Usage
Compile a governance policy into a compiled contract artifact:
cricore-compile-policy policy.json compiled_contract.json
The output is a deterministic JSON artifact that includes compiler metadata, compiled governance requirements, invariants, and a contract hash.
Python Usage
The compiler can also be used programmatically:
from compiler.compile_policy import compile_policy
policy = {
"contract_id": "finance-policy",
"contract_version": "0.3.0",
"authority": {
"required_roles": ["proposer", "reviewer"]
},
"approvals": {
"thresholds": [
{
"field": "amount",
"operator": ">",
"value": 1000,
"requires_role": "approver"
}
]
},
"artifacts": {
"required": ["proposal", "approval"]
},
"stages": {
"allowed_transitions": [
{"from": "proposed", "to": "approved"}
]
},
"constraints": [
{
"type": "separation_of_duties",
"roles": ["proposer", "reviewer"]
}
]
}
compiled_contract = compile_policy(policy)
Policy Input
Policies are JSON objects with a required contract identity:
{
"contract_id": "finance-policy",
"contract_version": "0.3.0"
}
The compiler currently recognizes these optional sections:
authority.required_roles: list of role names required by the contract.approvals.thresholds: list of threshold-based approval requirements.artifacts.required: list of required governance artifact names.stages.allowed_transitions: list of allowed lifecycle transition objects.constraints: list of explicit structural constraints.
contract_version must follow semantic version format: X.Y.Z.
Compiled Output
The compiled contract always includes these top-level sections:
{
"contract_id": "finance-policy",
"contract_version": "0.3.0",
"authority_requirements": {},
"approval_requirements": {},
"artifact_requirements": {},
"stage_requirements": {},
"invariants": {},
"contract_hash": "..."
}
The required core identity fields of every compiled contract are:
contract_idcontract_versioncontract_hash
These are the only identity fields emitted by the compiler. The compiler does
not emit aliases such as id or version.
The compiler maps policy fields into compiled contract fields as follows:
policy.authority.required_rolesbecomesauthority_requirements.required_roles.policy.approvals.thresholdsbecomesapproval_requirements.thresholds.policy.artifacts.requiredbecomesartifact_requirements.required_artifacts.policy.stages.allowed_transitionsbecomesstage_requirements.allowed_transitions.constraints[type="separation_of_duties"]becomesinvariants.separation_of_duties.
Empty compiled sections remain present as empty objects to keep the contract shape stable for downstream validation and hashing.
Contract Identity Guarantee
The compiler produces a deterministic contract identity composed of:
contract_idcontract_versioncontract_hash
The contract_hash is computed from the canonical compiled contract structure
using sorted JSON serialization.
For identical policy inputs, the compiler guarantees identical contract hashes.
This identity is used by downstream systems (e.g., CRI-CORE) to verify that a proposal references the exact contract used for evaluation. Mismatches result in enforcement failure.
Contract Pass-Through Requirement
Compiled contracts must be passed through downstream systems without modification.
In particular:
- Contract identity fields (
contract_id,contract_version,contract_hash) must not be altered. - Downstream components must not recompute or overwrite the contract hash.
CRI-CORE enforces this at evaluation time. Any mismatch between a proposal's declared contract hash and the compiled contract hash will result in a blocked decision.
Determinism
Compiled contracts are hashed with SHA-256 after canonicalizing the compiled structure using sorted JSON keys.
This ensures:
- identical policy inputs produce identical compiled outputs
- identical compiled outputs produce identical contract hashes
This determinism is required for reproducible enforcement and contract identity verification in CRI-CORE.
Written artifacts also include _compiler metadata:
{
"_compiler": {
"tool": "cricore-contract-compiler",
"version": "0.2.0",
"contract_hash": "..."
}
}
Validation
The compiler performs minimal compile-time validation for:
- Policy root type.
- Required
contract_id. - Required semantic
contract_version. authority.required_rolesas a list of strings.approvals.thresholdsas a list of threshold objects.artifacts.requiredas a list of strings.stages.allowed_transitionsas a list of transition objects.- Separation-of-duties constraints with at least two roles.
The JSON schema in schema/policy.schema.json defines the supported policy
surface. Runtime enforcement remains outside this package.
Position in the Governance Pipeline
Governance Policy
|
Contract Compiler
|
Compiled Contract
|
Proposal Normalizer
|
CRI-CORE Kernel
|
Commit Decision
The compiler sits upstream of CRI-CORE runtime enforcement. It produces the structural contract artifact that downstream systems can evaluate.
Role in the Execution Protocol
The compiler is responsible for defining governance constraints in a deterministic, machine-readable form.
Within the CRI-CORE execution model:
- The compiler defines contract identity and constraints
- The proposal normalizer constructs canonical proposals referencing the contract
- CRI-CORE evaluates whether the proposed action is admissible
The compiler does not participate in runtime evaluation. It defines the contract that runtime enforcement depends on.
Non-Responsibilities
The compiler does not:
- Execute governance validation.
- Interpret policy semantics beyond structural compilation.
- Perform runtime decision logic.
- Enforce governance rules.
- Modify or interpret proposal data at runtime.
All runtime enforcement is handled by CRI-CORE or other downstream systems.
Forward Compatibility
Compiled contracts may include additional sections beyond those currently enforced by CRI-CORE (e.g., approval requirements, artifact requirements, stage constraints, invariants).
These fields are preserved for forward compatibility and may be enforced by future versions of the execution pipeline.
Project Status
Version 0.3.0 aligns the compiler with the CRI-CORE structured execution model,
ensuring deterministic contract identity, stable output structure, and compatibility
with downstream proposal normalization and enforcement.
License
Apache-2.0
Copyright 2026 Waveframe Labs.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cricore_contract_compiler-0.3.0.tar.gz.
File metadata
- Download URL: cricore_contract_compiler-0.3.0.tar.gz
- Upload date:
- Size: 14.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4b0d50c7e2c4a12f48590a1f7f7e153dee44e850d8c5c802d20df06958f21e60
|
|
| MD5 |
2d4671163e24ab0bf9f2cd4bc3a14ef8
|
|
| BLAKE2b-256 |
f17529eaa20ac43044a4e0ce5cea68fd0c2420d5d85aa52ad1e2842784c8921e
|
File details
Details for the file cricore_contract_compiler-0.3.0-py3-none-any.whl.
File metadata
- Download URL: cricore_contract_compiler-0.3.0-py3-none-any.whl
- Upload date:
- Size: 13.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b0bd0a72fb9db0379a42f8c284b0a66a17b58a3caa2a7761f05efcf4ec49fa5c
|
|
| MD5 |
dc3a98674b926ab776a540496e3567ad
|
|
| BLAKE2b-256 |
2b5b209e49ea17843b0fcab44817169c79a97a8298d05d7694f5c84b87e36c00
|