From 13d164b0e0d520fe023306abe0d0e1e338a72bff Mon Sep 17 00:00:00 2001
From: Your Name
Date: Mon, 29 Jun 2026 19:28:58 +0800
Subject: [PATCH] feat(api): expose gitea inventory preflight intake
---
 .../services/delivery_closure_workbench.py | 106 +++++++++++
 .../gitea_private_inventory_p0_scorecard.py | 177 ++++++++++++++++++
 .../test_delivery_closure_workbench_api.py | 114 +++++++++++
 ...itea_private_inventory_p0_scorecard_api.py | 65 +++++++
 4 files changed, 462 insertions(+)
diff --git a/apps/api/src/services/delivery_closure_workbench.py b/apps/api/src/services/delivery_closure_workbench.py
index 05e92461..a07c490e 100644
--- a/apps/api/src/services/delivery_closure_workbench.py
+++ b/apps/api/src/services/delivery_closure_workbench.py
@@ -78,6 +78,12 @@ def build_delivery_closure_workbench(
 private_inventory_retired_github = _dict(
 private_inventory.get("github_retired_context")
 )
+ private_inventory_single_preflight = _dict(
+ private_inventory.get("authenticated_inventory_single_preflight_intake")
+ )
+ private_inventory_single_preflight_boundaries = _dict(
+ private_inventory_single_preflight.get("operation_boundaries")
+ )
 cicd_baseline_readback = _dict(cicd_baseline.get("readback"))
 cicd_baseline_rollups = _dict(cicd_baseline.get("rollups"))
 production_deploy_readback = _dict(production_deploy.get("readback"))
@@ -533,6 +539,58 @@ def build_delivery_closure_workbench(
 "owner_coverage_attestation_received_count"
 )
 ),
+ "authenticated_inventory_single_preflight_intake_ready": (
+ private_inventory.get(
+ "authenticated_inventory_single_preflight_intake_ready"
+ )
+ is True
+ ),
+ "authenticated_inventory_single_preflight_intake_ready_count": _int(
+ private_inventory_rollups.get(
+ "authenticated_inventory_single_preflight_intake_ready_count"
+ )
+ ),
+ "authenticated_inventory_single_preflight_intake_schema_version": str(
+ private_inventory_single_preflight.get("schema_version") or ""
+ ),
+ "authenticated_inventory_payload_skeleton_repo_count_floor": _int(
+ private_inventory_rollups.get(
+ "authenticated_inventory_payload_skeleton_repo_count_floor"
+ )
+ ),
+ "authenticated_inventory_required_redaction_attestation_count": _int(
+ private_inventory_rollups.get(
+ "authenticated_inventory_required_redaction_attestation_count"
+ )
+ ),
+ "authenticated_inventory_single_preflight_token_value_collection_allowed": (
+ private_inventory_single_preflight_boundaries.get(
+ "token_value_collection_allowed"
+ )
+ is True
+ ),
+ "authenticated_inventory_single_preflight_repo_write_performed": (
+ private_inventory_single_preflight_boundaries.get(
+ "repo_write_performed"
+ )
+ is True
+ ),
+ "authenticated_inventory_single_preflight_refs_sync_performed": (
+ private_inventory_single_preflight_boundaries.get(
+ "refs_sync_performed"
+ )
+ is True
+ ),
+ "authenticated_inventory_single_preflight_github_api_used": (
+ private_inventory_single_preflight_boundaries.get("github_api_used")
+ is True
+ ),
+ "authenticated_inventory_single_preflight_runtime_action_performed": (
+ private_inventory_single_preflight_boundaries.get(
+ "runtime_action_performed"
+ )
+ is True
+ ),
 "github_lane_excluded_from_p0_blocker_count": (
 private_inventory_rollups.get(
 "github_lane_excluded_from_p0_blocker_count"
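Review bot: The five boundary metrics derived with `private_inventory_single_preflight_boundaries.get(...) is True` (from `..._token_value_collection_allowed` through `..._runtime_action_performed`) report `False` both when a flag is explicitly `False` and when `operation_boundaries` or the key is absent, so a scorecard that drops the block reads as "all boundaries closed" in the workbench. The scorecard loader's `_require_single_preflight_intake` does reject a missing flag, but that only protects this code if `private_inventory` always comes from that loader, which this hunk does not show. A one-line presence signal next to these keys would let a consumer tell the two cases apart, e.g. `"authenticated_inventory_single_preflight_boundaries_present": bool(private_inventory_single_preflight_boundaries),`. The same applies to the prefixed copies in the `@@ -794` hunk; `build_delivery_closure_workbench` starts and ends outside both hunks.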
@@ -794,6 +852,54 @@ def build_delivery_closure_workbench(
 "owner_coverage_attestation_received_count"
 )
 ),
+ "gitea_private_inventory_authenticated_single_preflight_intake_ready": (
+ private_inventory.get(
+ "authenticated_inventory_single_preflight_intake_ready"
+ )
+ is True
+ ),
+ "gitea_private_inventory_authenticated_single_preflight_intake_ready_count": _int(
+ private_inventory_rollups.get(
+ "authenticated_inventory_single_preflight_intake_ready_count"
+ )
+ ),
+ "gitea_private_inventory_authenticated_single_preflight_intake_schema_version": str(
+ private_inventory_single_preflight.get("schema_version") or ""
+ ),
+ "gitea_private_inventory_authenticated_payload_skeleton_repo_count_floor": _int(
+ private_inventory_rollups.get(
+ "authenticated_inventory_payload_skeleton_repo_count_floor"
+ )
+ ),
+ "gitea_private_inventory_authenticated_required_redaction_attestation_count": _int(
+ private_inventory_rollups.get(
+ "authenticated_inventory_required_redaction_attestation_count"
+ )
+ ),
+ "gitea_private_inventory_authenticated_single_preflight_token_value_collection_allowed": (
+ private_inventory_single_preflight_boundaries.get(
+ "token_value_collection_allowed"
+ )
+ is True
+ ),
+ "gitea_private_inventory_authenticated_single_preflight_repo_write_performed": (
+ private_inventory_single_preflight_boundaries.get("repo_write_performed")
+ is True
+ ),
+ "gitea_private_inventory_authenticated_single_preflight_refs_sync_performed": (
+ private_inventory_single_preflight_boundaries.get("refs_sync_performed")
+ is True
+ ),
+ "gitea_private_inventory_authenticated_single_preflight_github_api_used": (
+ private_inventory_single_preflight_boundaries.get("github_api_used")
+ is True
+ ),
+ "gitea_private_inventory_authenticated_single_preflight_runtime_action_performed": (
+ private_inventory_single_preflight_boundaries.get(
+ "runtime_action_performed"
+ )
+ is True
+ ),
 "gitea_private_inventory_all_active_product_repos_have_owner_readiness_row": (
private_inventory_rollups.get( "all_active_product_repos_have_gitea_owner_readiness_row" diff --git a/apps/api/src/services/gitea_private_inventory_p0_scorecard.py b/apps/api/src/services/gitea_private_inventory_p0_scorecard.py index 424f0a86..4a2362ee 100644 --- a/apps/api/src/services/gitea_private_inventory_p0_scorecard.py +++ b/apps/api/src/services/gitea_private_inventory_p0_scorecard.py @@ -17,6 +17,21 @@ _DEFAULT_OPERATIONS_DIR = default_operations_dir(Path(__file__)) _SCORECARD_FILE = "awoooi-gitea-private-inventory-p0-scorecard.snapshot.json" _SOURCE_SCHEMA_VERSION = "awoooi_gitea_private_inventory_p0_scorecard_v1" _API_SCHEMA_VERSION = "gitea_private_inventory_p0_scorecard_readback_v1" +_SINGLE_PREFLIGHT_INTAKE_SCHEMA_VERSION = ( + "gitea_authenticated_inventory_single_preflight_intake_v1" +) +_PAYLOAD_SCHEMA_VERSION = "gitea_repo_inventory_v1" +_ACCEPTED_VISIBILITY_SCOPES = ("authenticated", "admin_export") +_REQUIRED_REDACTION_ATTESTATIONS = ( + "no_token_value", + "no_write_token", + "no_webhook_secret", + "no_deploy_key_private_key", + "no_runner_registration_token", + "no_cookie_or_session", + "no_gitea_db_dump", + "no_git_object_pack", +) def load_latest_gitea_private_inventory_p0_scorecard( @@ -34,6 +49,7 @@ def load_latest_gitea_private_inventory_p0_scorecard( payload = _build_payload(scorecard, path) _require_operation_boundaries(payload, str(path)) _require_rollup_consistency(payload, str(path)) + _require_single_preflight_intake(payload, str(path)) return payload 
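Review bot: The ten summary entries added in the `@@ -794` hunk re-evaluate exactly the expressions already computed for the lane metric in the `@@ -533` hunk, differing only by the `gitea_private_inventory_` key prefix, so the two copies can drift silently (they already differ in line-wrapping). Compute the block once into a local such as `single_preflight_metrics = {...}` holding those ten expressions, then spread it with `**single_preflight_metrics` in the lane metric and `**{f"gitea_private_inventory_{k}": v for k, v in single_preflight_metrics.items()}` in the summary. The enclosing `build_delivery_closure_workbench` starts and ends outside the hunk, and the hunk's last two context lines sit on this source line.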
@@ -50,6 +66,12 @@ def _build_payload(scorecard: dict[str, Any], path: Path) -> dict[str, Any]:
 review_readiness_percent = _percent(
 (len(met_criteria) / max(len(exit_criteria), 1)) * 100
 )
+ public_repo_floor = max(4, _int(gitea_inventory.get("repo_count")))
+ single_preflight_intake = _build_single_preflight_intake(
+ generated_at=scorecard.get("generated_at"),
+ public_repo_floor=public_repo_floor,
+ owner_response_validation=owner_response_validation,
+ )
 return {
 "schema_version": _API_SCHEMA_VERSION,
@@ -72,6 +94,12 @@ def _build_payload(scorecard: dict[str, Any], path: Path) -> dict[str, Any]:
 "gitea_inventory": gitea_inventory,
 "authenticated_import_acceptance": import_acceptance,
 "authenticated_payload_validation": payload_validation,
+ "authenticated_inventory_single_preflight_intake_ready": True,
+ "authenticated_inventory_payload_skeleton_repo_count_floor": public_repo_floor,
+ "authenticated_inventory_required_redaction_attestation_count": len(
+ _REQUIRED_REDACTION_ATTESTATIONS
+ ),
+ "authenticated_inventory_single_preflight_intake": single_preflight_intake,
 "coverage_attestation": coverage_attestation,
 "owner_response_validation": owner_response_validation,
 "product_row_coverage": product_coverage,
@@ -100,6 +128,11 @@ def _build_payload(scorecard: dict[str, Any], path: Path) -> dict[str, Any]:
 "authenticated_payload_validation_blocker_count": _int(
 payload_validation.get("blocker_count")
 ),
+ "authenticated_inventory_single_preflight_intake_ready_count": 1,
+ "authenticated_inventory_payload_skeleton_repo_count_floor": public_repo_floor,
+ "authenticated_inventory_required_redaction_attestation_count": len(
+ _REQUIRED_REDACTION_ATTESTATIONS
+ ),
 "owner_coverage_attestation_received_count": _int(
 coverage_attestation.get("received_attestation_count")
 ),
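Review bot: `authenticated_inventory_single_preflight_intake_ready` is the literal `True` in the `@@ -72` hunk and `..._intake_ready_count` the literal `1` in the `@@ -100` hunk, so these fields are asserted rather than measured — nothing in `_build_payload` can ever turn them off, yet the workbench tests consume them as a readiness signal. If readiness really is structural once the intake block is emitted, say so at the first one, e.g. `# readiness is structural: the intake block is always emitted with this payload`; otherwise derive it, e.g. `intake_ready = bool(single_preflight_intake)`. In the `@@ -50` hunk the `4` in `max(4, _int(gitea_inventory.get("repo_count")))` deserves a named module constant such as `_PUBLIC_REPO_FLOOR_MIN = 4`, since the tests pin that value and `_require_single_preflight_intake` compares against it indirectly. `_build_payload` starts and ends outside these hunks.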
@@ -192,6 +225,106 @@ def _build_payload(scorecard: dict[str, Any], path: Path) -> dict[str, Any]:
 }
+def _build_single_preflight_intake(
+ *,
+ generated_at: Any,
+ public_repo_floor: int,
+ owner_response_validation: dict[str, Any],
+) -> dict[str, Any]:
+ return {
+ "schema_version": _SINGLE_PREFLIGHT_INTAKE_SCHEMA_VERSION,
+ "generated_at": generated_at,
+ "workplan_id": "P0-003",
+ "status": "waiting_for_redacted_authenticated_or_admin_export_inventory_payload",
+ "payload_schema_version": _PAYLOAD_SCHEMA_VERSION,
+ "accepted_visibility_scopes": list(_ACCEPTED_VISIBILITY_SCOPES),
+ "minimum_repo_count": public_repo_floor,
+ "required_top_level_fields": [
+ "schema_version",
+ "status=ok",
+ "visibility_scope=authenticated|admin_export",
+ "repo_count",
+ "repos",
+ "coverage_gap_explanation",
+ "redaction_attestation",
+ ],
+ "required_repo_fields": [
+ "full_name",
+ "name",
+ "owner",
+ "private",
+ "archived",
+ "empty",
+ "default_branch",
+ "clone_url_redacted",
+ "ssh_url_redacted",
+ ],
+ "required_redaction_attestations": list(_REQUIRED_REDACTION_ATTESTATIONS),
+ "payload_skeleton": {
+ "schema_version": _PAYLOAD_SCHEMA_VERSION,
+ "status": "ok",
+ "visibility_scope": "admin_export",
+ "repo_count": "",
+ "coverage_gap_explanation": "coverage_gap_explanation_here",
+ "repos": [
+ {
+ "full_name": "owner/repo-name",
+ "name": "repo-name",
+ "owner": {"login": "owner"},
+ "private": True,
+ "archived": False,
+ "empty": False,
+ "default_branch": "main",
+ "clone_url_redacted": "https://gitea.example/owner/repo-name.git",
+ "ssh_url_redacted": "ssh://git@gitea.example/owner/repo-name.git",
+ }
+ ],
+ "redaction_attestation": {
+ key: "confirm_true_without_secret_values_here"
+ for key in _REQUIRED_REDACTION_ATTESTATIONS
+ },
+ "repo_write_allowed": False,
+ "refs_sync_allowed": False,
+ "github_primary_switch_authorized": False,
+ "runtime_execution_authorized": False,
+ },
+ "single_preflight_command": (
+ "python3 
scripts/security/gitea-authenticated-inventory-payload-validator.py " + "--input " + "--output " + ), + "owner_response_packet_ref": str( + owner_response_validation.get("response_packet") or "" + ), + "owner_response_lane_id": str( + owner_response_validation.get("lane_id") or "" + ), + "exit_criteria": [ + "validation_status=accepted_for_private_inventory_review_only", + "accepted_payload_count=1", + "projected_gitea_repo_inventory_status=ok", + "projected_gitea_visibility_scope=authenticated|admin_export", + "token_value_collection_allowed=false", + "repo_write_allowed=false", + "refs_sync_allowed=false", + "github_primary_switch_authorized=false", + ], + "operation_boundaries": { + "payload_persisted": False, + "gitea_api_called": False, + "gitea_write_performed": False, + "repo_write_performed": False, + "refs_sync_performed": False, + "github_api_used": False, + "github_cli_used": False, + "secret_plaintext_read": False, + "token_value_collection_allowed": False, + "runtime_action_performed": False, + "raw_session_or_sqlite_read_performed": False, + }, + } + + def _require_source_scorecard(payload: dict[str, Any], label: str) -> None: if payload.get("schema_version") != _SOURCE_SCHEMA_VERSION: raise ValueError(f"{label}: schema_version must be {_SOURCE_SCHEMA_VERSION}") 
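Review bot: `_build_single_preflight_intake` has no docstring, and a reader cannot tell from the hundred-line literal which parts are live (`generated_at`, `public_repo_floor`, the two `owner_response_validation` refs) and which are a fixed template; a docstring along the lines of `"""Build the P0-003 intake descriptor: a fixed template (required fields, redaction attestations, skeleton payload, closed operation boundaries) plus the live repo floor and owner-response refs."""` would settle that. In the skeleton, `"repo_count": ""` is the one template field whose type does not match what `required_top_level_fields` asks for (a count compared against `minimum_repo_count`); if it is a fill-in slot, label it the way `coverage_gap_explanation_here` is, e.g. `"repo_count": "repo_count_integer_here"`. The `single_preflight_command` string shows `--input` and `--output` with no argument placeholders on this page; if that is not a rendering artifact, the command as emitted cannot be run as written. The function begins on the previous source line.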
@@ -305,6 +438,50 @@ def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None:
 raise ValueError(f"{label}: next owner response validation lane mismatch")
+def _require_single_preflight_intake(payload: dict[str, Any], label: str) -> None:
+ intake = _dict(payload.get("authenticated_inventory_single_preflight_intake"))
+ if intake.get("schema_version") != _SINGLE_PREFLIGHT_INTAKE_SCHEMA_VERSION:
+ raise ValueError(f"{label}: single preflight intake schema mismatch")
+ if intake.get("payload_schema_version") != _PAYLOAD_SCHEMA_VERSION:
+ raise ValueError(f"{label}: payload schema version mismatch")
+ if intake.get("accepted_visibility_scopes") != list(_ACCEPTED_VISIBILITY_SCOPES):
+ raise ValueError(f"{label}: accepted visibility scopes mismatch")
+ if intake.get("minimum_repo_count") != payload.get(
+ "authenticated_inventory_payload_skeleton_repo_count_floor"
+ ):
+ raise ValueError(f"{label}: minimum repo count mismatch")
+ if intake.get("required_redaction_attestations") != list(
+ _REQUIRED_REDACTION_ATTESTATIONS
+ ):
+ raise ValueError(f"{label}: redaction attestation order mismatch")
+ skeleton = _dict(intake.get("payload_skeleton"))
+ if skeleton.get("repo_write_allowed") is not False:
+ raise ValueError(f"{label}: skeleton repo write must remain false")
+ if skeleton.get("refs_sync_allowed") is not False:
+ raise ValueError(f"{label}: skeleton refs sync must remain false")
+ if skeleton.get("github_primary_switch_authorized") is not False:
+ raise ValueError(f"{label}: skeleton github switch must remain false")
+ if skeleton.get("runtime_execution_authorized") is not False:
+ raise ValueError(f"{label}: skeleton runtime execution must remain false")
+ boundaries = _dict(intake.get("operation_boundaries"))
+ blocked_flags = {
+ "payload_persisted",
+ "gitea_api_called",
+ "gitea_write_performed",
+ "repo_write_performed",
+ "refs_sync_performed",
+ "github_api_used",
+ "github_cli_used",
+ "secret_plaintext_read",
"token_value_collection_allowed", + "runtime_action_performed", + "raw_session_or_sqlite_read_performed", + } + open_flags = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False) + if open_flags: + raise ValueError(f"{label}: single preflight boundaries opened: {open_flags}") + + def _met_exit_criteria( scorecard: dict[str, Any], gitea_inventory: dict[str, Any], diff --git a/apps/api/tests/test_delivery_closure_workbench_api.py b/apps/api/tests/test_delivery_closure_workbench_api.py index 55b6721c..f4a9cbdf 100644 --- a/apps/api/tests/test_delivery_closure_workbench_api.py +++ b/apps/api/tests/test_delivery_closure_workbench_api.py 
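Review bot: `blocked_flags` is a second hand-maintained copy of the `operation_boundaries` keys that `_build_single_preflight_intake` emits, so a boundary added to the builder but not to this set is never examined and the check passes silently. Close the check over whatever is present as well, `open_flags = sorted(flag for flag in blocked_flags | set(boundaries) if boundaries.get(flag) is not False)`, or hoist the key list to one module-level tuple that both functions use. Testing `is not False` already fails on an absent key, which is the right direction for a guard like this. `_require_single_preflight_intake` starts on the previous source line.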
@@ -41,6 +41,63 @@ def test_delivery_closure_workbench_uses_gitea_private_inventory_lane():
 assert lanes["gitea_private_inventory"]["metric"]["expected_product_count"] == 11
 assert lanes["gitea_private_inventory"]["metric"]["present_product_row_count"] == 11
 assert lanes["gitea_private_inventory"]["metric"]["missing_product_row_count"] == 0
+ assert (
+ lanes["gitea_private_inventory"]["metric"][
+ "authenticated_inventory_single_preflight_intake_ready"
+ ]
+ is True
+ )
+ assert (
+ lanes["gitea_private_inventory"]["metric"][
+ "authenticated_inventory_single_preflight_intake_ready_count"
+ ]
+ == 1
+ )
+ assert lanes["gitea_private_inventory"]["metric"][
+ "authenticated_inventory_single_preflight_intake_schema_version"
+ ] == "gitea_authenticated_inventory_single_preflight_intake_v1"
+ assert (
+ lanes["gitea_private_inventory"]["metric"][
+ "authenticated_inventory_payload_skeleton_repo_count_floor"
+ ]
+ == 4
+ )
+ assert (
+ lanes["gitea_private_inventory"]["metric"][
+ "authenticated_inventory_required_redaction_attestation_count"
+ ]
+ == 8
+ )
+ assert (
+ lanes["gitea_private_inventory"]["metric"][
+ "authenticated_inventory_single_preflight_token_value_collection_allowed"
+ ]
+ is False
+ )
+ assert (
+ lanes["gitea_private_inventory"]["metric"][
+ "authenticated_inventory_single_preflight_repo_write_performed"
+ ]
+ is False
+ )
+ assert (
+ lanes["gitea_private_inventory"]["metric"][
+ "authenticated_inventory_single_preflight_refs_sync_performed"
+ ]
+ is False
+ )
+ assert (
+ lanes["gitea_private_inventory"]["metric"][
+ "authenticated_inventory_single_preflight_github_api_used"
+ ]
+ is False
+ )
+ assert (
+ lanes["gitea_private_inventory"]["metric"][
+ "authenticated_inventory_single_preflight_runtime_action_performed"
+ ]
+ is False
+ )
 assert (
 lanes["gitea_private_inventory"]["metric"][
 "github_lane_excluded_from_p0_blocker_count"
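Review bot: Each of the ten new assertions re-spells `lanes["gitea_private_inventory"]["metric"][...]` over four to six lines, which hides the expected values behind the indexing; binding `metric = lanes["gitea_private_inventory"]["metric"]` once above them collapses each to a single line such as `assert metric["authenticated_inventory_single_preflight_intake_ready"] is True`. The same applies to the `data["summary"]` block added to `_assert_delivery_workbench_shape` in the following hunk. The pinned `== 4` floor and `== 8` attestation count are fixture-derived (the floor is `max(4, repo_count)` upstream); a short comment naming the snapshot they come from would help when that fixture changes. The test function starts and ends outside the hunk.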
@@ -136,6 +193,63 @@ def _assert_delivery_workbench_shape(data: dict):
 ]
 == 0
 )
+ assert (
+ data["summary"][
+ "gitea_private_inventory_authenticated_single_preflight_intake_ready"
+ ]
+ is True
+ )
+ assert (
+ data["summary"][
+ "gitea_private_inventory_authenticated_single_preflight_intake_ready_count"
+ ]
+ == 1
+ )
+ assert data["summary"][
+ "gitea_private_inventory_authenticated_single_preflight_intake_schema_version"
+ ] == "gitea_authenticated_inventory_single_preflight_intake_v1"
+ assert (
+ data["summary"][
+ "gitea_private_inventory_authenticated_payload_skeleton_repo_count_floor"
+ ]
+ == 4
+ )
+ assert (
+ data["summary"][
+ "gitea_private_inventory_authenticated_required_redaction_attestation_count"
+ ]
+ == 8
+ )
+ assert (
+ data["summary"][
+ "gitea_private_inventory_authenticated_single_preflight_token_value_collection_allowed"
+ ]
+ is False
+ )
+ assert (
+ data["summary"][
+ "gitea_private_inventory_authenticated_single_preflight_repo_write_performed"
+ ]
+ is False
+ )
+ assert (
+ data["summary"][
+ "gitea_private_inventory_authenticated_single_preflight_refs_sync_performed"
+ ]
+ is False
+ )
+ assert (
+ data["summary"][
+ "gitea_private_inventory_authenticated_single_preflight_github_api_used"
+ ]
+ is False
+ )
+ assert (
+ data["summary"][
+ "gitea_private_inventory_authenticated_single_preflight_runtime_action_performed"
+ ]
+ is False
+ )
 assert (
 data["summary"][
 "gitea_private_inventory_all_active_product_repos_have_owner_readiness_row"
diff --git a/apps/api/tests/test_gitea_private_inventory_p0_scorecard_api.py b/apps/api/tests/test_gitea_private_inventory_p0_scorecard_api.py
index 96ef6ba4..6b9a3e27 100644
--- a/apps/api/tests/test_gitea_private_inventory_p0_scorecard_api.py
+++ b/apps/api/tests/test_gitea_private_inventory_p0_scorecard_api.py
@@ -31,6 +31,23 @@ def test_gitea_private_inventory_p0_scorecard_reports_active_gitea_blocker():
 assert payload["rollups"]["authenticated_payload_validation_status"] == "needs_supplement"
 assert payload["rollups"]["authenticated_payload_validation_accepted_count"] == 0
 assert payload["rollups"]["authenticated_payload_validation_blocker_count"] == 4
+ assert (
+ payload["rollups"][
+ "authenticated_inventory_single_preflight_intake_ready_count"
+ ]
+ == 1
+ )
+ assert (
+ payload["rollups"][
+ "authenticated_inventory_required_redaction_attestation_count"
+ ]
+ == 8
+ )
+ assert payload["authenticated_inventory_single_preflight_intake_ready"] is True
+ assert (
+ payload["authenticated_inventory_payload_skeleton_repo_count_floor"]
+ == 4
+ )
 assert payload["rollups"]["owner_coverage_attestation_received_count"] == 0
 assert payload["rollups"]["owner_response_validation_received_count"] == 0
 assert payload["rollups"]["owner_response_validation_accepted_count"] == 0
@@ -54,6 +71,50 @@ def test_gitea_private_inventory_p0_scorecard_reports_active_gitea_blocker():
 assert "gitea_authenticated_inventory_payload_not_accepted" in payload["active_blockers"]
+def test_gitea_private_inventory_p0_scorecard_exposes_single_preflight_intake():
+ payload = load_latest_gitea_private_inventory_p0_scorecard()
+
+ intake = payload["authenticated_inventory_single_preflight_intake"]
+ assert (
+ intake["schema_version"]
+ == "gitea_authenticated_inventory_single_preflight_intake_v1"
+ )
+ assert intake["workplan_id"] == "P0-003"
+ assert intake["payload_schema_version"] == "gitea_repo_inventory_v1"
+ assert intake["accepted_visibility_scopes"] == ["authenticated", "admin_export"]
+ assert intake["minimum_repo_count"] == 4
+ assert len(intake["required_redaction_attestations"]) == 8
+ assert "no_token_value" in intake["required_redaction_attestations"]
+ assert "no_gitea_db_dump" in intake["required_redaction_attestations"]
+ assert "gitea-authenticated-inventory-payload-validator.py" in (
+ intake["single_preflight_command"]
+ )
+ assert (
+ intake["owner_response_lane_id"]
+ == "s4_9_gitea_inventory_owner_attestation_response"
+ )
+ assert (
+ intake["owner_response_packet_ref"]
+ == "docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
+ )
+ assert "accepted_payload_count=1" in intake["exit_criteria"]
+
+ skeleton = intake["payload_skeleton"]
+ assert skeleton["schema_version"] == "gitea_repo_inventory_v1"
+ assert skeleton["status"] == "ok"
+ assert skeleton["visibility_scope"] == "admin_export"
+ assert skeleton["repo_write_allowed"] is False
+ assert skeleton["refs_sync_allowed"] is False
+ assert skeleton["github_primary_switch_authorized"] is False
+ assert skeleton["runtime_execution_authorized"] is False
+ assert len(skeleton["redaction_attestation"]) == 8
+ assert intake["operation_boundaries"]["payload_persisted"] is False
+ assert intake["operation_boundaries"]["gitea_api_called"] is False
+ assert 
intake["operation_boundaries"]["token_value_collection_allowed"] is False + assert intake["operation_boundaries"]["github_api_used"] is False + assert intake["operation_boundaries"]["runtime_action_performed"] is False + + def test_gitea_private_inventory_p0_scorecard_endpoint_returns_readback(): app = FastAPI() app.include_router(router, prefix="/api/v1") @@ -82,6 +143,10 @@ def test_gitea_private_inventory_p0_scorecard_endpoint_returns_readback(): assert data["operation_boundaries"]["github_cli_allowed"] is False assert data["operation_boundaries"]["raw_session_or_sqlite_read_allowed"] is False assert data["authenticated_payload_validation"]["accepted_payload_count"] == 0 + assert data["authenticated_inventory_single_preflight_intake_ready"] is True + assert data["authenticated_inventory_single_preflight_intake"][ + "minimum_repo_count" + ] == 4 def test_gitea_authenticated_inventory_payload_validator_accepts_redacted_admin_export():
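Review bot: The new `test_gitea_private_inventory_p0_scorecard_exposes_single_preflight_intake` checks five of the eleven `operation_boundaries` flags by name, so a regression that flips `gitea_write_performed`, `github_cli_used`, `secret_plaintext_read` or `raw_session_or_sqlite_read_performed` to `True` would pass here and be caught only by the loader's own `_require_single_preflight_intake`. Replace the five name-by-name asserts with one that covers the whole mapping, `assert intake["operation_boundaries"] and all(v is False for v in intake["operation_boundaries"].values())`, keeping one named assert if you want the failure message to name a flag. The test function begins on the previous source line.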