feat(api): expose gitea inventory preflight intake

This commit is contained in:
Your Name
2026-06-29 19:28:58 +08:00
parent 20717ce1ad
commit 13d164b0e0
4 changed files with 462 additions and 0 deletions


@@ -78,6 +78,12 @@ def build_delivery_closure_workbench(
private_inventory_retired_github = _dict(
private_inventory.get("github_retired_context")
)
private_inventory_single_preflight = _dict(
private_inventory.get("authenticated_inventory_single_preflight_intake")
)
private_inventory_single_preflight_boundaries = _dict(
private_inventory_single_preflight.get("operation_boundaries")
)
cicd_baseline_readback = _dict(cicd_baseline.get("readback"))
cicd_baseline_rollups = _dict(cicd_baseline.get("rollups"))
production_deploy_readback = _dict(production_deploy.get("readback"))
@@ -533,6 +539,58 @@ def build_delivery_closure_workbench(
"owner_coverage_attestation_received_count"
)
),
"authenticated_inventory_single_preflight_intake_ready": (
private_inventory.get(
"authenticated_inventory_single_preflight_intake_ready"
)
is True
),
"authenticated_inventory_single_preflight_intake_ready_count": _int(
private_inventory_rollups.get(
"authenticated_inventory_single_preflight_intake_ready_count"
)
),
"authenticated_inventory_single_preflight_intake_schema_version": str(
private_inventory_single_preflight.get("schema_version") or ""
),
"authenticated_inventory_payload_skeleton_repo_count_floor": _int(
private_inventory_rollups.get(
"authenticated_inventory_payload_skeleton_repo_count_floor"
)
),
"authenticated_inventory_required_redaction_attestation_count": _int(
private_inventory_rollups.get(
"authenticated_inventory_required_redaction_attestation_count"
)
),
"authenticated_inventory_single_preflight_token_value_collection_allowed": (
private_inventory_single_preflight_boundaries.get(
"token_value_collection_allowed"
)
is True
),
"authenticated_inventory_single_preflight_repo_write_performed": (
private_inventory_single_preflight_boundaries.get(
"repo_write_performed"
)
is True
),
"authenticated_inventory_single_preflight_refs_sync_performed": (
private_inventory_single_preflight_boundaries.get(
"refs_sync_performed"
)
is True
),
"authenticated_inventory_single_preflight_github_api_used": (
private_inventory_single_preflight_boundaries.get("github_api_used")
is True
),
"authenticated_inventory_single_preflight_runtime_action_performed": (
private_inventory_single_preflight_boundaries.get(
"runtime_action_performed"
)
is True
),
"github_lane_excluded_from_p0_blocker_count": (
private_inventory_rollups.get(
"github_lane_excluded_from_p0_blocker_count"
@@ -794,6 +852,54 @@ def build_delivery_closure_workbench(
"owner_coverage_attestation_received_count"
)
),
"gitea_private_inventory_authenticated_single_preflight_intake_ready": (
private_inventory.get(
"authenticated_inventory_single_preflight_intake_ready"
)
is True
),
"gitea_private_inventory_authenticated_single_preflight_intake_ready_count": _int(
private_inventory_rollups.get(
"authenticated_inventory_single_preflight_intake_ready_count"
)
),
"gitea_private_inventory_authenticated_single_preflight_intake_schema_version": str(
private_inventory_single_preflight.get("schema_version") or ""
),
"gitea_private_inventory_authenticated_payload_skeleton_repo_count_floor": _int(
private_inventory_rollups.get(
"authenticated_inventory_payload_skeleton_repo_count_floor"
)
),
"gitea_private_inventory_authenticated_required_redaction_attestation_count": _int(
private_inventory_rollups.get(
"authenticated_inventory_required_redaction_attestation_count"
)
),
"gitea_private_inventory_authenticated_single_preflight_token_value_collection_allowed": (
private_inventory_single_preflight_boundaries.get(
"token_value_collection_allowed"
)
is True
),
"gitea_private_inventory_authenticated_single_preflight_repo_write_performed": (
private_inventory_single_preflight_boundaries.get("repo_write_performed")
is True
),
"gitea_private_inventory_authenticated_single_preflight_refs_sync_performed": (
private_inventory_single_preflight_boundaries.get("refs_sync_performed")
is True
),
"gitea_private_inventory_authenticated_single_preflight_github_api_used": (
private_inventory_single_preflight_boundaries.get("github_api_used")
is True
),
"gitea_private_inventory_authenticated_single_preflight_runtime_action_performed": (
private_inventory_single_preflight_boundaries.get(
"runtime_action_performed"
)
is True
),
"gitea_private_inventory_all_active_product_repos_have_owner_readiness_row": (
private_inventory_rollups.get(
"all_active_product_repos_have_gitea_owner_readiness_row"
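Review bot: Every boundary metric added in the second and third hunks (`..._token_value_collection_allowed`, `..._repo_write_performed`, `..._refs_sync_performed`, `..._github_api_used`, `..._runtime_action_performed`) is computed as `private_inventory_single_preflight_boundaries.get(...) is True`, so an absent or empty `operation_boundaries` block reports exactly the same `False` as a verified closed boundary. The loader in this commit does enforce that those flags are literally `False` before its payload is returned, but this workbench cannot distinguish that from an empty dict produced by `_dict(None)`, so a consumer reading "not performed" here has no way to tell "closed" from "unknown"; exposing presence explicitly, e.g. `"authenticated_inventory_single_preflight_boundaries_present": bool(private_inventory_single_preflight_boundaries),` next to the flags, closes that gap. The same ten expressions are also evaluated twice under the lane-metric and `gitea_private_inventory_*` summary prefixes; building them once into a local dict and reading both sets from it would keep the two views from drifting. `build_delivery_closure_workbench` starts before and ends after these hunks.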


@@ -17,6 +17,21 @@ _DEFAULT_OPERATIONS_DIR = default_operations_dir(Path(__file__))
_SCORECARD_FILE = "awoooi-gitea-private-inventory-p0-scorecard.snapshot.json"
_SOURCE_SCHEMA_VERSION = "awoooi_gitea_private_inventory_p0_scorecard_v1"
_API_SCHEMA_VERSION = "gitea_private_inventory_p0_scorecard_readback_v1"
_SINGLE_PREFLIGHT_INTAKE_SCHEMA_VERSION = (
"gitea_authenticated_inventory_single_preflight_intake_v1"
)
_PAYLOAD_SCHEMA_VERSION = "gitea_repo_inventory_v1"
_ACCEPTED_VISIBILITY_SCOPES = ("authenticated", "admin_export")
_REQUIRED_REDACTION_ATTESTATIONS = (
"no_token_value",
"no_write_token",
"no_webhook_secret",
"no_deploy_key_private_key",
"no_runner_registration_token",
"no_cookie_or_session",
"no_gitea_db_dump",
"no_git_object_pack",
)
def load_latest_gitea_private_inventory_p0_scorecard(
@@ -34,6 +49,7 @@ def load_latest_gitea_private_inventory_p0_scorecard(
payload = _build_payload(scorecard, path)
_require_operation_boundaries(payload, str(path))
_require_rollup_consistency(payload, str(path))
_require_single_preflight_intake(payload, str(path))
return payload
@@ -50,6 +66,12 @@ def _build_payload(scorecard: dict[str, Any], path: Path) -> dict[str, Any]:
review_readiness_percent = _percent(
(len(met_criteria) / max(len(exit_criteria), 1)) * 100
)
public_repo_floor = max(4, _int(gitea_inventory.get("repo_count")))
single_preflight_intake = _build_single_preflight_intake(
generated_at=scorecard.get("generated_at"),
public_repo_floor=public_repo_floor,
owner_response_validation=owner_response_validation,
)
return {
"schema_version": _API_SCHEMA_VERSION,
@@ -72,6 +94,12 @@ def _build_payload(scorecard: dict[str, Any], path: Path) -> dict[str, Any]:
"gitea_inventory": gitea_inventory,
"authenticated_import_acceptance": import_acceptance,
"authenticated_payload_validation": payload_validation,
"authenticated_inventory_single_preflight_intake_ready": True,
"authenticated_inventory_payload_skeleton_repo_count_floor": public_repo_floor,
"authenticated_inventory_required_redaction_attestation_count": len(
_REQUIRED_REDACTION_ATTESTATIONS
),
"authenticated_inventory_single_preflight_intake": single_preflight_intake,
"coverage_attestation": coverage_attestation,
"owner_response_validation": owner_response_validation,
"product_row_coverage": product_coverage,
@@ -100,6 +128,11 @@ def _build_payload(scorecard: dict[str, Any], path: Path) -> dict[str, Any]:
"authenticated_payload_validation_blocker_count": _int(
payload_validation.get("blocker_count")
),
"authenticated_inventory_single_preflight_intake_ready_count": 1,
"authenticated_inventory_payload_skeleton_repo_count_floor": public_repo_floor,
"authenticated_inventory_required_redaction_attestation_count": len(
_REQUIRED_REDACTION_ATTESTATIONS
),
"owner_coverage_attestation_received_count": _int(
coverage_attestation.get("received_attestation_count")
),
@@ -192,6 +225,106 @@ def _build_payload(scorecard: dict[str, Any], path: Path) -> dict[str, Any]:
}
def _build_single_preflight_intake(
*,
generated_at: Any,
public_repo_floor: int,
owner_response_validation: dict[str, Any],
) -> dict[str, Any]:
return {
"schema_version": _SINGLE_PREFLIGHT_INTAKE_SCHEMA_VERSION,
"generated_at": generated_at,
"workplan_id": "P0-003",
"status": "waiting_for_redacted_authenticated_or_admin_export_inventory_payload",
"payload_schema_version": _PAYLOAD_SCHEMA_VERSION,
"accepted_visibility_scopes": list(_ACCEPTED_VISIBILITY_SCOPES),
"minimum_repo_count": public_repo_floor,
"required_top_level_fields": [
"schema_version",
"status=ok",
"visibility_scope=authenticated|admin_export",
"repo_count",
"repos",
"coverage_gap_explanation",
"redaction_attestation",
],
"required_repo_fields": [
"full_name",
"name",
"owner",
"private",
"archived",
"empty",
"default_branch",
"clone_url_redacted",
"ssh_url_redacted",
],
"required_redaction_attestations": list(_REQUIRED_REDACTION_ATTESTATIONS),
"payload_skeleton": {
"schema_version": _PAYLOAD_SCHEMA_VERSION,
"status": "ok",
"visibility_scope": "admin_export",
"repo_count": "<redacted_repo_count_at_or_above_public_floor>",
"coverage_gap_explanation": "coverage_gap_explanation_here",
"repos": [
{
"full_name": "owner/repo-name",
"name": "repo-name",
"owner": {"login": "owner"},
"private": True,
"archived": False,
"empty": False,
"default_branch": "main",
"clone_url_redacted": "https://gitea.example/owner/repo-name.git",
"ssh_url_redacted": "ssh://git@gitea.example/owner/repo-name.git",
}
],
"redaction_attestation": {
key: "confirm_true_without_secret_values_here"
for key in _REQUIRED_REDACTION_ATTESTATIONS
},
"repo_write_allowed": False,
"refs_sync_allowed": False,
"github_primary_switch_authorized": False,
"runtime_execution_authorized": False,
},
"single_preflight_command": (
"python3 scripts/security/gitea-authenticated-inventory-payload-validator.py "
"--input <redacted-authenticated-or-admin-export.json> "
"--output <validation.json>"
),
"owner_response_packet_ref": str(
owner_response_validation.get("response_packet") or ""
),
"owner_response_lane_id": str(
owner_response_validation.get("lane_id") or ""
),
"exit_criteria": [
"validation_status=accepted_for_private_inventory_review_only",
"accepted_payload_count=1",
"projected_gitea_repo_inventory_status=ok",
"projected_gitea_visibility_scope=authenticated|admin_export",
"token_value_collection_allowed=false",
"repo_write_allowed=false",
"refs_sync_allowed=false",
"github_primary_switch_authorized=false",
],
"operation_boundaries": {
"payload_persisted": False,
"gitea_api_called": False,
"gitea_write_performed": False,
"repo_write_performed": False,
"refs_sync_performed": False,
"github_api_used": False,
"github_cli_used": False,
"secret_plaintext_read": False,
"token_value_collection_allowed": False,
"runtime_action_performed": False,
"raw_session_or_sqlite_read_performed": False,
},
}
def _require_source_scorecard(payload: dict[str, Any], label: str) -> None:
if payload.get("schema_version") != _SOURCE_SCHEMA_VERSION:
raise ValueError(f"{label}: schema_version must be {_SOURCE_SCHEMA_VERSION}")
@@ -305,6 +438,50 @@ def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None:
raise ValueError(f"{label}: next owner response validation lane mismatch")
def _require_single_preflight_intake(payload: dict[str, Any], label: str) -> None:
intake = _dict(payload.get("authenticated_inventory_single_preflight_intake"))
if intake.get("schema_version") != _SINGLE_PREFLIGHT_INTAKE_SCHEMA_VERSION:
raise ValueError(f"{label}: single preflight intake schema mismatch")
if intake.get("payload_schema_version") != _PAYLOAD_SCHEMA_VERSION:
raise ValueError(f"{label}: payload schema version mismatch")
if intake.get("accepted_visibility_scopes") != list(_ACCEPTED_VISIBILITY_SCOPES):
raise ValueError(f"{label}: accepted visibility scopes mismatch")
if intake.get("minimum_repo_count") != payload.get(
"authenticated_inventory_payload_skeleton_repo_count_floor"
):
raise ValueError(f"{label}: minimum repo count mismatch")
if intake.get("required_redaction_attestations") != list(
_REQUIRED_REDACTION_ATTESTATIONS
):
raise ValueError(f"{label}: redaction attestation order mismatch")
skeleton = _dict(intake.get("payload_skeleton"))
if skeleton.get("repo_write_allowed") is not False:
raise ValueError(f"{label}: skeleton repo write must remain false")
if skeleton.get("refs_sync_allowed") is not False:
raise ValueError(f"{label}: skeleton refs sync must remain false")
if skeleton.get("github_primary_switch_authorized") is not False:
raise ValueError(f"{label}: skeleton github switch must remain false")
if skeleton.get("runtime_execution_authorized") is not False:
raise ValueError(f"{label}: skeleton runtime execution must remain false")
boundaries = _dict(intake.get("operation_boundaries"))
blocked_flags = {
"payload_persisted",
"gitea_api_called",
"gitea_write_performed",
"repo_write_performed",
"refs_sync_performed",
"github_api_used",
"github_cli_used",
"secret_plaintext_read",
"token_value_collection_allowed",
"runtime_action_performed",
"raw_session_or_sqlite_read_performed",
}
open_flags = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False)
if open_flags:
raise ValueError(f"{label}: single preflight boundaries opened: {open_flags}")
def _met_exit_criteria(
scorecard: dict[str, Any],
gitea_inventory: dict[str, Any],
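Review bot: `"authenticated_inventory_single_preflight_intake_ready": True` and the rollup `"authenticated_inventory_single_preflight_intake_ready_count": 1` in the `_build_payload` hunks are literal constants, so readiness is asserted rather than derived from the scorecard; `_require_single_preflight_intake` then validates a structure that `_build_single_preflight_intake` assembled from module constants, and its only input-dependent check is `minimum_repo_count` against the floor. If "ready" is meant to say the intake template is published rather than that an owner payload arrived, a docstring on `_build_single_preflight_intake` stating that, plus a comment on the `True` such as `# intake template is always published; does not indicate a payload was received`, keeps a reader from taking the flag as evidence of receipt; otherwise it should depend on `owner_response_validation` carrying a `response_packet`. The `4` in `max(4, _int(gitea_inventory.get("repo_count")))` is an unexplained magic number; a named constant beside the other `_*` module constants, e.g. `_PUBLIC_REPO_COUNT_FLOOR = 4`, would document it and give the test's `== 4` something to reference. `_build_payload` and `_met_exit_criteria` extend outside the hunks.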


@@ -41,6 +41,63 @@ def test_delivery_closure_workbench_uses_gitea_private_inventory_lane():
assert lanes["gitea_private_inventory"]["metric"]["expected_product_count"] == 11
assert lanes["gitea_private_inventory"]["metric"]["present_product_row_count"] == 11
assert lanes["gitea_private_inventory"]["metric"]["missing_product_row_count"] == 0
assert (
lanes["gitea_private_inventory"]["metric"][
"authenticated_inventory_single_preflight_intake_ready"
]
is True
)
assert (
lanes["gitea_private_inventory"]["metric"][
"authenticated_inventory_single_preflight_intake_ready_count"
]
== 1
)
assert lanes["gitea_private_inventory"]["metric"][
"authenticated_inventory_single_preflight_intake_schema_version"
] == "gitea_authenticated_inventory_single_preflight_intake_v1"
assert (
lanes["gitea_private_inventory"]["metric"][
"authenticated_inventory_payload_skeleton_repo_count_floor"
]
== 4
)
assert (
lanes["gitea_private_inventory"]["metric"][
"authenticated_inventory_required_redaction_attestation_count"
]
== 8
)
assert (
lanes["gitea_private_inventory"]["metric"][
"authenticated_inventory_single_preflight_token_value_collection_allowed"
]
is False
)
assert (
lanes["gitea_private_inventory"]["metric"][
"authenticated_inventory_single_preflight_repo_write_performed"
]
is False
)
assert (
lanes["gitea_private_inventory"]["metric"][
"authenticated_inventory_single_preflight_refs_sync_performed"
]
is False
)
assert (
lanes["gitea_private_inventory"]["metric"][
"authenticated_inventory_single_preflight_github_api_used"
]
is False
)
assert (
lanes["gitea_private_inventory"]["metric"][
"authenticated_inventory_single_preflight_runtime_action_performed"
]
is False
)
assert (
lanes["gitea_private_inventory"]["metric"][
"github_lane_excluded_from_p0_blocker_count"
@@ -136,6 +193,63 @@ def _assert_delivery_workbench_shape(data: dict):
]
== 0
)
assert (
data["summary"][
"gitea_private_inventory_authenticated_single_preflight_intake_ready"
]
is True
)
assert (
data["summary"][
"gitea_private_inventory_authenticated_single_preflight_intake_ready_count"
]
== 1
)
assert data["summary"][
"gitea_private_inventory_authenticated_single_preflight_intake_schema_version"
] == "gitea_authenticated_inventory_single_preflight_intake_v1"
assert (
data["summary"][
"gitea_private_inventory_authenticated_payload_skeleton_repo_count_floor"
]
== 4
)
assert (
data["summary"][
"gitea_private_inventory_authenticated_required_redaction_attestation_count"
]
== 8
)
assert (
data["summary"][
"gitea_private_inventory_authenticated_single_preflight_token_value_collection_allowed"
]
is False
)
assert (
data["summary"][
"gitea_private_inventory_authenticated_single_preflight_repo_write_performed"
]
is False
)
assert (
data["summary"][
"gitea_private_inventory_authenticated_single_preflight_refs_sync_performed"
]
is False
)
assert (
data["summary"][
"gitea_private_inventory_authenticated_single_preflight_github_api_used"
]
is False
)
assert (
data["summary"][
"gitea_private_inventory_authenticated_single_preflight_runtime_action_performed"
]
is False
)
assert (
data["summary"][
"gitea_private_inventory_all_active_product_repos_have_owner_readiness_row"
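Review bot: The `is False` assertions on the `*_performed` / `*_allowed` boundary metrics in both hunks are not discriminating: the workbench hunk in this commit derives each of them with `.get(...) is True`, so a missing `operation_boundaries` block yields the expected `False` and these checks pass without the boundary ever having been read; only the `schema_version` and `ready_count` assertions prove the intake reached the workbench. A test that flips one boundary flag in the fixture and asserts the corresponding metric becomes `True` would pin the wiring. Stylistically, binding `metric = lanes["gitea_private_inventory"]["metric"]` once (and `summary = data["summary"]` in `_assert_delivery_workbench_shape`) would turn each five-line parenthesised assert into one readable line. Both test functions continue outside the hunks.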


@@ -31,6 +31,23 @@ def test_gitea_private_inventory_p0_scorecard_reports_active_gitea_blocker():
assert payload["rollups"]["authenticated_payload_validation_status"] == "needs_supplement"
assert payload["rollups"]["authenticated_payload_validation_accepted_count"] == 0
assert payload["rollups"]["authenticated_payload_validation_blocker_count"] == 4
assert (
payload["rollups"][
"authenticated_inventory_single_preflight_intake_ready_count"
]
== 1
)
assert (
payload["rollups"][
"authenticated_inventory_required_redaction_attestation_count"
]
== 8
)
assert payload["authenticated_inventory_single_preflight_intake_ready"] is True
assert (
payload["authenticated_inventory_payload_skeleton_repo_count_floor"]
== 4
)
assert payload["rollups"]["owner_coverage_attestation_received_count"] == 0
assert payload["rollups"]["owner_response_validation_received_count"] == 0
assert payload["rollups"]["owner_response_validation_accepted_count"] == 0
@@ -54,6 +71,50 @@ def test_gitea_private_inventory_p0_scorecard_reports_active_gitea_blocker():
assert "gitea_authenticated_inventory_payload_not_accepted" in payload["active_blockers"]
def test_gitea_private_inventory_p0_scorecard_exposes_single_preflight_intake():
payload = load_latest_gitea_private_inventory_p0_scorecard()
intake = payload["authenticated_inventory_single_preflight_intake"]
assert (
intake["schema_version"]
== "gitea_authenticated_inventory_single_preflight_intake_v1"
)
assert intake["workplan_id"] == "P0-003"
assert intake["payload_schema_version"] == "gitea_repo_inventory_v1"
assert intake["accepted_visibility_scopes"] == ["authenticated", "admin_export"]
assert intake["minimum_repo_count"] == 4
assert len(intake["required_redaction_attestations"]) == 8
assert "no_token_value" in intake["required_redaction_attestations"]
assert "no_gitea_db_dump" in intake["required_redaction_attestations"]
assert "gitea-authenticated-inventory-payload-validator.py" in (
intake["single_preflight_command"]
)
assert (
intake["owner_response_lane_id"]
== "s4_9_gitea_inventory_owner_attestation_response"
)
assert (
intake["owner_response_packet_ref"]
== "docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
)
assert "accepted_payload_count=1" in intake["exit_criteria"]
skeleton = intake["payload_skeleton"]
assert skeleton["schema_version"] == "gitea_repo_inventory_v1"
assert skeleton["status"] == "ok"
assert skeleton["visibility_scope"] == "admin_export"
assert skeleton["repo_write_allowed"] is False
assert skeleton["refs_sync_allowed"] is False
assert skeleton["github_primary_switch_authorized"] is False
assert skeleton["runtime_execution_authorized"] is False
assert len(skeleton["redaction_attestation"]) == 8
assert intake["operation_boundaries"]["payload_persisted"] is False
assert intake["operation_boundaries"]["gitea_api_called"] is False
assert intake["operation_boundaries"]["token_value_collection_allowed"] is False
assert intake["operation_boundaries"]["github_api_used"] is False
assert intake["operation_boundaries"]["runtime_action_performed"] is False
def test_gitea_private_inventory_p0_scorecard_endpoint_returns_readback():
app = FastAPI()
app.include_router(router, prefix="/api/v1")
@@ -82,6 +143,10 @@ def test_gitea_private_inventory_p0_scorecard_endpoint_returns_readback():
assert data["operation_boundaries"]["github_cli_allowed"] is False
assert data["operation_boundaries"]["raw_session_or_sqlite_read_allowed"] is False
assert data["authenticated_payload_validation"]["accepted_payload_count"] == 0
assert data["authenticated_inventory_single_preflight_intake_ready"] is True
assert data["authenticated_inventory_single_preflight_intake"][
"minimum_repo_count"
] == 4
def test_gitea_authenticated_inventory_payload_validator_accepts_redacted_admin_export():
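Review bot: `test_gitea_private_inventory_p0_scorecard_exposes_single_preflight_intake` asserts only values that `_build_single_preflight_intake` emits from module constants, so none of the rejection paths `_require_single_preflight_intake` introduces in this commit (schema mismatch, floor mismatch, opened boundary, skeleton write flags) are exercised, and a regression that relaxed one of those checks would still pass. A negative test that opens a single boundary on a built payload and expects the `ValueError` is the cheapest way to pin the fail-closed behaviour; it needs `_require_single_preflight_intake` imported from the loader module alongside `load_latest_gitea_private_inventory_p0_scorecard`, and `pytest` if the file does not already import it. The `match` string below is the message emitted by the loader's boundary check; the skeleton-level `repo_write_allowed` / `refs_sync_allowed` checks deserve the same treatment.
```python
def test_gitea_private_inventory_p0_scorecard_rejects_opened_boundary():
    payload = load_latest_gitea_private_inventory_p0_scorecard()
    boundaries = payload["authenticated_inventory_single_preflight_intake"]["operation_boundaries"]
    boundaries["gitea_api_called"] = True
    with pytest.raises(ValueError, match="single preflight boundaries opened"):
        _require_single_preflight_intake(payload, "scorecard")
```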