fix(security): align alert guards with controlled apply
Some checks failed
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m38s
CD Pipeline / build-and-deploy (push) Successful in 5m32s
CD Pipeline / post-deploy-checks (push) Successful in 1m30s
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled

This commit is contained in:
Your Name
2026-06-26 19:30:40 +08:00
parent cf5a83d58e
commit 1591969578
8 changed files with 24 additions and 21 deletions

View File

@@ -1007,7 +1007,7 @@ ARTIFACT_SPECS = [
"ai_signal_lanes": 7,
"host_resource_lanes": 6,
"blocked_raw_output_markers": 12,
"required_output_markers": 6,
"required_output_markers": 7,
},
"summary_counts": {
"source_formatter_marker_count": 11,
@@ -1016,7 +1016,7 @@ ARTIFACT_SPECS = [
"ai_signal_lane_count": 7,
"host_resource_lane_count": 6,
"blocked_raw_output_marker_count": 12,
"required_output_marker_count": 6,
"required_output_marker_count": 7,
"telegram_send_authorized_count": 0,
"bot_api_call_authorized_count": 0,
"raw_payload_storage_allowed_count": 0,

View File

@@ -15596,13 +15596,14 @@ def validate(root: Path) -> None:
assert_text_contains("code_review_page.codex_handoff_structure", code_review_page, text)
for text in [
"審查後 Coding 工作橋接",
"Codex 工作草稿",
"Codex 工作候選分類",
"可交給 Codex 起草",
"需人工批准後接手",
"受控自動接手",
"禁止自動轉工作",
"前端體驗、測試補洞、文件同步、低風險重構",
"Kali 更新、掃描、GitHub primary、正式部署",
"維持只讀候選與人工閘門",
"Kali 主機變更、掃描、正式推版、主要來源切換、執行期閘門",
"allowlist 內由 AI 受控修補與驗證",
"auto merge、secret、force push 與 destructive action 仍硬封鎖",
]:
assert_text_contains("code_review_page.codex_handoff_read_only", code_review_surface_text, text)
assert_text_contains("iwooos_page.surface_connection_board", iwooos_projection_page, "surfaceConnectionStatuses")

View File

@@ -127,10 +127,11 @@ BLOCKED_RAW_OUTPUT_MARKERS = [
REQUIRED_OUTPUT_MARKERS = [
"ai_automation_alert_card_v1",
"AI 自動化判讀",
"runtime_write_gate=0",
"candidate_only",
"controlled_playbook_queue",
"runtime_write_gate=controlled",
"Top evidence",
"禁止事項",
"allowlisted PlayBook",
]
EXECUTION_BOUNDARIES = {