@elevasis/core 0.24.0 → 0.24.1

package/src/organization-model/types.ts

@@ -61,10 +61,18 @@ import {
   ResourceOntologyBindingSchema,
   ResourcesDomainSchema,
   ScriptResourceEntrySchema,
-  ScriptResourceLanguageSchema,
-  ScriptResourceSourceSchema,
-  WorkflowResourceEntrySchema
-} from './domains/resources'
+  ScriptResourceLanguageSchema,
+  ScriptResourceSourceSchema,
+  WorkflowResourceEntrySchema
+} from './domains/resources'
+import {
+  OmTopologyDomainSchema,
+  OmTopologyMetadataSchema,
+  OmTopologyNodeKindSchema,
+  OmTopologyNodeRefSchema,
+  OmTopologyRelationshipKindSchema,
+  OmTopologyRelationshipSchema
+} from './domains/topology'
 import {
   ActionsDomainSchema,
   ActionIdSchema,
@@ -159,13 +167,19 @@ export type OrganizationModelResourceKind = z.infer<typeof ResourceKindSchema>
 export type OrganizationModelResourceGovernanceStatus = z.infer<typeof ResourceGovernanceStatusSchema>
 export type OrganizationModelResourceOntologyBinding = z.infer<typeof ResourceOntologyBindingSchema>
 export type OrganizationModelAgentKind = z.infer<typeof AgentKindSchema>
-export type OrganizationModelScriptResourceLanguage = z.infer<typeof ScriptResourceLanguageSchema>
-export type OrganizationModelScriptResourceSource = z.infer<typeof ScriptResourceSourceSchema>
-export type OrganizationModelWorkflowResourceEntry = z.infer<typeof WorkflowResourceEntrySchema>
-export type OrganizationModelAgentResourceEntry = z.infer<typeof AgentResourceEntrySchema>
-export type OrganizationModelIntegrationResourceEntry = z.infer<typeof IntegrationResourceEntrySchema>
-export type OrganizationModelScriptResourceEntry = z.infer<typeof ScriptResourceEntrySchema>
-export type OrganizationModelActions = z.infer<typeof ActionsDomainSchema>
+export type OrganizationModelScriptResourceLanguage = z.infer<typeof ScriptResourceLanguageSchema>
+export type OrganizationModelScriptResourceSource = z.infer<typeof ScriptResourceSourceSchema>
+export type OrganizationModelWorkflowResourceEntry = z.infer<typeof WorkflowResourceEntrySchema>
+export type OrganizationModelAgentResourceEntry = z.infer<typeof AgentResourceEntrySchema>
+export type OrganizationModelIntegrationResourceEntry = z.infer<typeof IntegrationResourceEntrySchema>
+export type OrganizationModelScriptResourceEntry = z.infer<typeof ScriptResourceEntrySchema>
+export type OrganizationModelTopology = z.infer<typeof OmTopologyDomainSchema>
+export type OrganizationModelTopologyNodeKind = z.infer<typeof OmTopologyNodeKindSchema>
+export type OrganizationModelTopologyNodeRef = z.infer<typeof OmTopologyNodeRefSchema>
+export type OrganizationModelTopologyRelationshipKind = z.infer<typeof OmTopologyRelationshipKindSchema>
+export type OrganizationModelTopologyRelationship = z.infer<typeof OmTopologyRelationshipSchema>
+export type OrganizationModelTopologyMetadata = z.infer<typeof OmTopologyMetadataSchema>
+export type OrganizationModelActions = z.infer<typeof ActionsDomainSchema>
 export type OrganizationModelAction = z.infer<typeof ActionSchema>
 export type OrganizationModelActionId = z.infer<typeof ActionIdSchema>
 export type OrganizationModelActionScope = z.infer<typeof ActionScopeSchema>

package/src/platform/registry/__tests__/validation.test.ts

@@ -304,13 +304,24 @@ describe('validateResourceGovernance', () => {
     order: 20
   }
 
-  const workflowResource: ResourceEntry = {
-    id: 'lead-import',
-    kind: 'workflow',
-    systemPath: 'sys.lead-gen',
-    status: 'active',
-    order: 10
-  }
+  const workflowResource: ResourceEntry = {
+    id: 'lead-import',
+    kind: 'workflow',
+    systemPath: 'sys.lead-gen',
+    status: 'active',
+    order: 10
+  }
+
+  const actionBackedWorkflowResource: ResourceEntry = {
+    ...workflowResource,
+    ontology: {
+      actions: ['sys.lead-gen:action/import-leads'],
+      primaryAction: 'sys.lead-gen:action/import-leads',
+      reads: ['sys.lead-gen:object/company'],
+      usesCatalogs: ['sys.lead-gen:catalog/source'],
+      emits: ['sys.lead-gen:event/imported']
+    }
+  }
 
   const agentResource: ResourceEntry = {
     id: 'lead-import',
@@ -361,10 +372,42 @@ describe('validateResourceGovernance', () => {
     entryPoint: 'start'
   })
 
-  const createModel = (resources: ResourceEntry[] = [workflowResource], systems = [systemA]) => ({
-    systems: Object.fromEntries(systems.map((s) => [s.id, s])),
-    resources: Object.fromEntries(resources.map((r) => [r.id, r]))
-  })
+  const validOntology = {
+    objectTypes: {
+      'sys.lead-gen:object/company': {
+        id: 'sys.lead-gen:object/company',
+        label: 'Company'
+      }
+    },
+    actionTypes: {
+      'sys.lead-gen:action/import-leads': {
+        id: 'sys.lead-gen:action/import-leads',
+        label: 'Import leads'
+      }
+    },
+    catalogTypes: {
+      'sys.lead-gen:catalog/source': {
+        id: 'sys.lead-gen:catalog/source',
+        label: 'Source'
+      }
+    },
+    eventTypes: {
+      'sys.lead-gen:event/imported': {
+        id: 'sys.lead-gen:event/imported',
+        label: 'Imported'
+      }
+    }
+  }
+
+  const createModel = (
+    resources: ResourceEntry[] = [workflowResource],
+    systems = [systemA],
+    extras: Record<string, unknown> = {}
+  ) => ({
+    systems: Object.fromEntries(systems.map((s) => [s.id, s])),
+    resources: Object.fromEntries(resources.map((r) => [r.id, r])),
+    ...extras
+  })
 
   it('passes when code resources are descriptor-backed and match active OM Resources and Systems', () => {
     const result = validateResourceGovernance(
@@ -484,7 +527,7 @@ describe('validateResourceGovernance', () => {
     ).toThrow("Resource 'lead-import' type mismatch: code has 'workflow', OM has 'agent'")
   })
 
-  it('reports descriptor/OM system mismatches', () => {
+  it('reports descriptor/OM system mismatches', () => {
     const codeDescriptor: ResourceEntry = {
       ...workflowResource,
       systemPath: 'sys.crm'
@@ -500,8 +543,150 @@ describe('validateResourceGovernance', () => {
         createModel([workflowResource], [systemA, systemB]),
         { mode: 'strict' }
       )
-    ).toThrow("Resource 'lead-import' system mismatch: code descriptor has 'sys.crm', OM has 'sys.lead-gen'")
-  })
+    ).toThrow("Resource 'lead-import' system mismatch: code descriptor has 'sys.crm', OM has 'sys.lead-gen'")
+  })
+
+  it('reports descriptor/OM ontology mismatches', () => {
+    const codeDescriptor: ResourceEntry = {
+      ...workflowResource,
+      ontology: undefined
+    }
+
+    expect(() =>
+      validateResourceGovernance(
+        'test-org',
+        {
+          version: '1.0.0',
+          workflows: [createGovernedWorkflow(codeDescriptor)]
+        },
+        createModel([actionBackedWorkflowResource], [systemA], { ontology: validOntology }),
+        { mode: 'strict' }
+      )
+    ).toThrow("Resource 'lead-import' ontology descriptor mismatch between code and OM")
+  })
+
+  it('reports missing ontology action refs against compiled OM records', () => {
+    const resourceWithMissingAction: ResourceEntry = {
+      ...workflowResource,
+      ontology: {
+        actions: ['sys.lead-gen:action/missing'],
+        primaryAction: 'sys.lead-gen:action/missing'
+      }
+    }
+
+    expect(() =>
+      validateResourceGovernance(
+        'test-org',
+        {
+          version: '1.0.0',
+          workflows: [createGovernedWorkflow(resourceWithMissingAction)]
+        },
+        createModel([resourceWithMissingAction], [systemA], { ontology: validOntology }),
+        { mode: 'strict' }
+      )
+    ).toThrow(
+      "Resource 'lead-import' ontology.actions references missing action ontology record 'sys.lead-gen:action/missing'"
+    )
+  })
+
+  it('reports new ontology diagnostics without throwing in warn-only mode', () => {
+    const warnings: string[] = []
+    const resourceWithMissingAction: ResourceEntry = {
+      ...workflowResource,
+      ontology: {
+        actions: ['sys.lead-gen:action/missing'],
+        primaryAction: 'sys.lead-gen:action/missing'
+      }
+    }
+
+    const result = validateResourceGovernance(
+      'test-org',
+      {
+        version: '1.0.0',
+        workflows: [createGovernedWorkflow(resourceWithMissingAction)]
+      },
+      createModel([resourceWithMissingAction], [systemA], { ontology: validOntology }),
+      {
+        mode: 'warn-only',
+        onWarning: (issue) => warnings.push(issue.message)
+      }
+    )
+
+    expect(result.valid).toBe(false)
+    expect(result.issues.map((issue) => issue.type)).toContain('ontology-reference-missing')
+    expect(warnings).toContain(
+      "[test-org] Resource 'lead-import' ontology.actions references missing action ontology record 'sys.lead-gen:action/missing'."
+    )
+  })
+
+  it('reports primaryAction values outside ontology.actions', () => {
+    const resourceWithMismatchedPrimaryAction: ResourceEntry = {
+      ...workflowResource,
+      ontology: {
+        actions: ['sys.lead-gen:action/import-leads'],
+        primaryAction: 'sys.lead-gen:action/other'
+      }
+    }
+
+    expect(() =>
+      validateResourceGovernance(
+        'test-org',
+        {
+          version: '1.0.0',
+          workflows: [createGovernedWorkflow(resourceWithMismatchedPrimaryAction)]
+        },
+        createModel([resourceWithMismatchedPrimaryAction], [systemA], { ontology: validOntology }),
+        { mode: 'strict' }
+      )
+    ).toThrow("Resource 'lead-import' primaryAction 'sys.lead-gen:action/other' must be included in ontology.actions")
+  })
+
+  it('reports action-backed workflow descriptors that omit ontology.actions', () => {
+    const resourceWithoutActions: ResourceEntry = {
+      ...workflowResource,
+      ontology: {
+        reads: ['sys.lead-gen:object/company']
+      }
+    }
+
+    expect(() =>
+      validateResourceGovernance(
+        'test-org',
+        {
+          version: '1.0.0',
+          workflows: [createGovernedWorkflow(resourceWithoutActions)]
+        },
+        createModel([resourceWithoutActions], [systemA], { ontology: validOntology }),
+        { mode: 'strict' }
+      )
+    ).toThrow("Resource 'lead-import' declares ontology bindings but no ontology actions")
+  })
+
+  it('reports dangling required topology refs', () => {
+    expect(() =>
+      validateResourceGovernance(
+        'test-org',
+        {
+          version: '1.0.0',
+          workflows: [createGovernedWorkflow()]
+        },
+        createModel([workflowResource], [systemA], {
+          topology: {
+            version: 1,
+            relationships: {
+              'missing-trigger-starts-import': {
+                from: { kind: 'trigger', id: 'missing-trigger' },
+                kind: 'triggers',
+                to: { kind: 'resource', id: 'lead-import' },
+                required: true
+              }
+            }
+          }
+        }),
+        { mode: 'strict' }
+      )
+    ).toThrow("Topology relationship 'missing-trigger-starts-import' from references missing trigger 'missing-trigger'")
+  })
 
   it('reports active OM resources that reference missing Systems', () => {
     const resourceWithMissingSystem: ResourceEntry = {

package/src/platform/registry/resource-registry.ts

@@ -12,10 +12,8 @@
 import type { WorkflowDefinition } from '../../execution/engine/workflow/types'
 import type { AgentDefinition } from '../../execution/engine/agent/core/types'
 import type {
-  OrganizationModel,
-  OrganizationModelResources,
-  OrganizationModelSystems
-} from '../../organization-model/types'
+  OrganizationModel
+} from '../../organization-model/types'
 import type { ResourceEntry } from '../../organization-model/domains/resources'
 import type { SystemEntry } from '../../organization-model/domains/systems'
 import { listAllSystems } from '../../organization-model/helpers'
@@ -106,13 +104,15 @@ export interface SystemConfig {
  * Used by ResourceRegistry for discovery and Command View for visualization.
  */
 export interface DeploymentSpec {
-  /** Deployment version (semver) */
-  version: string
-  /** Optional Organization Model governance catalog used for OM-code validation */
-  organizationModel?: {
-    systems?: OrganizationModelSystems
-    resources?: OrganizationModelResources
-  }
+  /** Deployment version (semver) */
+  version: string
+  /** Optional Organization Model governance catalog used for OM-code validation */
+  organizationModel?: Partial<
+    Pick<
+      OrganizationModel,
+      'systems' | 'resources' | 'ontology' | 'topology' | 'roles' | 'policies' | 'entities' | 'actions'
+    >
+  >
   /** Workflow definitions */
   workflows?: WorkflowDefinition[]
   /** Agent definitions */

package/src/platform/registry/validation.ts

@@ -10,9 +10,11 @@ import type { ModelConfig } from '../../execution/engine/llm/model-info'
 import { validateModelConfig, ModelConfigError } from '../../execution/engine/llm/errors'
 import type { DeploymentSpec } from './resource-registry'
 import type { ResourceEntry } from '../../organization-model/domains/resources'
-import type { SystemEntry } from '../../organization-model/domains/systems'
-import type { OrganizationModel } from '../../organization-model/types'
-import { listAllSystems } from '../../organization-model/helpers'
+import type { SystemEntry } from '../../organization-model/domains/systems'
+import type { OrganizationModel } from '../../organization-model/types'
+import { listAllSystems } from '../../organization-model/helpers'
+import { compileOrganizationOntology, type OntologyKind, type ResolvedOntologyIndex } from '../../organization-model/ontology'
+import type { OmTopologyNodeRef } from '../../organization-model/domains/topology'
 import type {
   TriggerDefinition,
   ResourceRelationships,
@@ -44,13 +46,24 @@ export type ResourceGovernanceValidationIssueType =
   | 'missing-om-resource'
   | 'type-mismatch'
   | 'system-mismatch'
-  | 'missing-om-system'
-  | 'raw-resource-id'
-
-export interface ResourceGovernanceModel {
-  systems?: Record<string, SystemEntry>
-  resources?: Record<string, ResourceEntry>
-}
+  | 'missing-om-system'
+  | 'raw-resource-id'
+  | 'descriptor-mismatch'
+  | 'missing-ontology-actions'
+  | 'ontology-reference-missing'
+  | 'primary-action-mismatch'
+  | 'topology-reference-missing'
+
+export interface ResourceGovernanceModel {
+  systems?: Record<string, SystemEntry>
+  resources?: Record<string, ResourceEntry>
+  ontology?: OrganizationModel['ontology']
+  topology?: OrganizationModel['topology']
+  roles?: OrganizationModel['roles']
+  policies?: OrganizationModel['policies']
+  entities?: OrganizationModel['entities']
+  actions?: OrganizationModel['actions']
+}
 
 export interface ResourceGovernanceValidationIssue {
   type: ResourceGovernanceValidationIssueType
@@ -109,7 +122,7 @@ function emitGovernanceIssues(
   }
 }
 
-function getRuntimeResources(resources: DeploymentSpec): Array<{
+function getRuntimeResources(resources: DeploymentSpec): Array<{
   resourceId: string
   type: ResourceType
   descriptor?: ResourceEntry
@@ -130,8 +143,159 @@ function getRuntimeResources(resources: DeploymentSpec): Array<{
       type: integration.type,
       descriptor: (integration as { resource?: ResourceEntry }).resource
     }))
-  ]
-}
+  ]
+}
+
+function hasOntologySources(organizationModel: ResourceGovernanceModel): boolean {
+  return (
+    organizationModel.ontology !== undefined ||
+    organizationModel.entities !== undefined ||
+    organizationModel.actions !== undefined ||
+    Object.values(organizationModel.systems ?? {}).some(systemHasOntologySource)
+  )
+}
+
+function systemHasOntologySource(system: SystemEntry): boolean {
+  if (system.ontology !== undefined || (system.content !== undefined && Object.keys(system.content).length > 0)) return true
+  return Object.values(system.systems ?? system.subsystems ?? {}).some(systemHasOntologySource)
+}
+
+function ontologyIndexForKind(index: ResolvedOntologyIndex, kind: OntologyKind): Record<string, unknown> {
+  switch (kind) {
+    case 'object':
+      return index.objectTypes
+    case 'link':
+      return index.linkTypes
+    case 'action':
+      return index.actionTypes
+    case 'catalog':
+      return index.catalogTypes
+    case 'event':
+      return index.eventTypes
+    case 'interface':
+      return index.interfaceTypes
+    case 'value-type':
+      return index.valueTypes
+    case 'property':
+      return index.sharedProperties
+    case 'group':
+      return index.groups
+    case 'surface':
+      return index.surfaces
+  }
+}
+
+function sameJson(left: unknown, right: unknown): boolean {
+  return JSON.stringify(left ?? null) === JSON.stringify(right ?? null)
+}
+
+function addOntologyBindingIssues(
+  issues: ResourceGovernanceValidationIssue[],
+  orgName: string,
+  resource: ResourceEntry,
+  ontologyIndex: ResolvedOntologyIndex | undefined
+): void {
+  const binding = resource.ontology
+  if (binding === undefined) return
+
+  if ((resource.kind === 'workflow' || resource.kind === 'agent') && (binding.actions?.length ?? 0) === 0) {
+    addGovernanceIssue(
+      issues,
+      'missing-ontology-actions',
+      orgName,
+      resource.id,
+      `[${orgName}] Resource '${resource.id}' declares ontology bindings but no ontology actions.`
+    )
+  }
+
+  if (binding.primaryAction !== undefined && !binding.actions?.includes(binding.primaryAction)) {
+    addGovernanceIssue(
+      issues,
+      'primary-action-mismatch',
+      orgName,
+      resource.id,
+      `[${orgName}] Resource '${resource.id}' primaryAction '${binding.primaryAction}' must be included in ontology.actions.`
+    )
+  }
+
+  if (ontologyIndex === undefined) return
+
+  const validateRefs = (
+    bindingKey: 'actions' | 'primaryAction' | 'reads' | 'writes' | 'usesCatalogs' | 'emits',
+    expectedKind: OntologyKind,
+    refs: string[] | string | undefined
+  ) => {
+    const values = refs === undefined ? [] : Array.isArray(refs) ? refs : [refs]
+    const index = ontologyIndexForKind(ontologyIndex, expectedKind)
+
+    for (const ref of values) {
+      if (index[ref] !== undefined) continue
+      addGovernanceIssue(
+        issues,
+        'ontology-reference-missing',
+        orgName,
+        resource.id,
+        `[${orgName}] Resource '${resource.id}' ontology.${bindingKey} references missing ${expectedKind} ontology record '${ref}'.`
+      )
+    }
+  }
+
+  validateRefs('actions', 'action', binding.actions)
+  validateRefs('primaryAction', 'action', binding.primaryAction)
+  validateRefs('reads', 'object', binding.reads)
+  validateRefs('writes', 'object', binding.writes)
+  validateRefs('usesCatalogs', 'catalog', binding.usesCatalogs)
+  validateRefs('emits', 'event', binding.emits)
+}
+
+function addTopologyIssues(
+  issues: ResourceGovernanceValidationIssue[],
+  orgName: string,
+  deployment: DeploymentSpec,
+  organizationModel: ResourceGovernanceModel,
+  systemsById: Map<string, SystemEntry>,
+  omResourcesById: Map<string, ResourceEntry>,
+  ontologyIndex: ResolvedOntologyIndex | undefined
+): void {
+  const relationships = organizationModel.topology?.relationships
+  if (relationships === undefined) return
+
+  const rolesById = new Set(Object.keys(organizationModel.roles ?? {}))
+  const policiesById = new Set(Object.keys(organizationModel.policies ?? {}))
+  const triggerIds = new Set(deployment.triggers?.map((trigger) => trigger.resourceId) ?? [])
+  const humanCheckpointIds = new Set(deployment.humanCheckpoints?.map((checkpoint) => checkpoint.resourceId) ?? [])
+  const externalResourceIds = new Set(deployment.externalResources?.map((external) => external.resourceId) ?? [])
+
+  const topologyRefExists = (ref: OmTopologyNodeRef): boolean => {
+    if (ref.kind === 'system') return systemsById.has(ref.id)
+    if (ref.kind === 'resource') return omResourcesById.has(ref.id)
+    if (ref.kind === 'policy') return policiesById.has(ref.id)
+    if (ref.kind === 'role') return rolesById.has(ref.id)
+    if (ref.kind === 'trigger') return triggerIds.has(ref.id)
+    if (ref.kind === 'humanCheckpoint') return humanCheckpointIds.has(ref.id)
+    if (ref.kind === 'externalResource') return externalResourceIds.has(ref.id)
+    if (ref.kind === 'ontology') {
+      if (ontologyIndex === undefined) return true
+      return Object.values(ontologyIndex).some((records) => records[ref.id] !== undefined)
+    }
+    return false
+  }
+
+  for (const [relationshipId, relationship] of Object.entries(relationships)) {
+    ;(['from', 'to'] as const).forEach((side) => {
+      const ref = relationship[side]
+      if (topologyRefExists(ref)) return
+
+      addGovernanceIssue(
+        issues,
+        'topology-reference-missing',
+        orgName,
+        ref.id,
+        `[${orgName}] Topology relationship '${relationshipId}' ${side} references missing ${ref.kind} '${ref.id}'.`
+      )
+    })
+  }
+}
 
 /**
  * Validates runtime resource definitions against OM Resources and Systems.
@@ -147,9 +311,9 @@ export function validateResourceGovernance(
   options: ResourceGovernanceValidationOptions = {}
 ): ResourceGovernanceValidationResult {
   const mode = getResourceValidatorMode(options.mode)
-  const omResourcesMap = organizationModel?.resources
-  const omSystemsMap = organizationModel?.systems
-  const issues: ResourceGovernanceValidationIssue[] = []
+  const omResourcesMap = organizationModel?.resources
+  const omSystemsMap = organizationModel?.systems
+  const issues: ResourceGovernanceValidationIssue[] = []
 
   if (!omResourcesMap || !omSystemsMap) {
     return { valid: true, mode, issues }
@@ -160,12 +324,26 @@ export function validateResourceGovernance(
   const systemsById = new Map(
     listAllSystems({ systems: omSystemsMap } as OrganizationModel).map(({ path, system }) => [path, system])
   )
-  const activeOmResources = Object.values(omResourcesMap).filter((resource) => resource.status === 'active')
-  const omResourcesById = new Map(activeOmResources.map((resource) => [resource.id, resource]))
-  const runtimeResources = getRuntimeResources(deployment)
-  const runtimeResourcesById = new Map(runtimeResources.map((resource) => [resource.resourceId, resource]))
-
-  for (const resource of activeOmResources) {
+  const activeOmResources = Object.values(omResourcesMap).filter((resource) => resource.status === 'active')
+  const omResourcesById = new Map(activeOmResources.map((resource) => [resource.id, resource]))
+  const runtimeResources = getRuntimeResources(deployment)
+  const runtimeResourcesById = new Map(runtimeResources.map((resource) => [resource.resourceId, resource]))
+  const ontologyCompilation = hasOntologySources(organizationModel)
+    ? compileOrganizationOntology(organizationModel)
+    : undefined
+  const ontologyIndex = ontologyCompilation?.ontology
+
+  for (const diagnostic of ontologyCompilation?.diagnostics ?? []) {
+    addGovernanceIssue(
+      issues,
+      'ontology-reference-missing',
+      orgName,
+      diagnostic.id,
+      `[${orgName}] ${diagnostic.message}`
+    )
+  }
+
+  for (const resource of activeOmResources) {
     if (!systemsById.has(resource.systemPath)) {
       addGovernanceIssue(
         issues,
@@ -198,16 +376,28 @@ export function validateResourceGovernance(
       )
     }
 
-    if (runtimeResource.descriptor && runtimeResource.descriptor.systemPath !== resource.systemPath) {
-      addGovernanceIssue(
+    if (runtimeResource.descriptor && runtimeResource.descriptor.systemPath !== resource.systemPath) {
+      addGovernanceIssue(
         issues,
         'system-mismatch',
         orgName,
         resource.id,
         `[${orgName}] Resource '${resource.id}' system mismatch: code descriptor has '${runtimeResource.descriptor.systemPath}', OM has '${resource.systemPath}'.`
-      )
-    }
-  }
+      )
+    }
+
+    if (runtimeResource.descriptor && !sameJson(runtimeResource.descriptor.ontology, resource.ontology)) {
+      addGovernanceIssue(
+        issues,
+        'descriptor-mismatch',
+        orgName,
+        resource.id,
+        `[${orgName}] Resource '${resource.id}' ontology descriptor mismatch between code and OM.`
+      )
+    }
+
+    addOntologyBindingIssues(issues, orgName, resource, ontologyIndex)
+  }
 
   for (const runtimeResource of runtimeResources) {
     const omResource = omResourcesById.get(runtimeResource.resourceId)
@@ -242,18 +432,20 @@ export function validateResourceGovernance(
       )
     }
 
-    if (runtimeResource.descriptor.kind !== runtimeResource.type) {
-      addGovernanceIssue(
+    if (runtimeResource.descriptor.kind !== runtimeResource.type) {
+      addGovernanceIssue(
         issues,
         'type-mismatch',
         orgName,
         runtimeResource.resourceId,
         `[${orgName}] Code-side resource '${runtimeResource.resourceId}' descriptor kind '${runtimeResource.descriptor.kind}' does not match runtime type '${runtimeResource.type}'.`
-      )
-    }
-  }
-
-  emitGovernanceIssues(issues, mode, options.onWarning)
+      )
+    }
+  }
+
+  addTopologyIssues(issues, orgName, deployment, organizationModel, systemsById, omResourcesById, ontologyIndex)
+
+  emitGovernanceIssues(issues, mode, options.onWarning)
 
   return {
     valid: issues.length === 0,