fix(iwooos): 鎖住 owner gate 與 tenants 前台遮罩
All checks were successful
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m30s
CD Pipeline / build-and-deploy (push) Successful in 3m49s
CD Pipeline / post-deploy-checks (push) Successful in 1m55s

This commit is contained in:
Your Name
2026-06-15 06:42:25 +08:00
parent 4fd9704d28
commit 3496a6be65
5 changed files with 638 additions and 35 deletions

View File

@@ -0,0 +1,360 @@
#!/usr/bin/env python3
"""驗證 IwoooS / S4.9 owner gate 維持只讀收件邊界。
本 guard 只讀取 repo 內的 S4.9 / source-control owner response snapshot
與 Markdown 規範,不送 request、不收 response、不呼叫 Gitea / GitHub /
AwoooP、不修改 repo / refs / workflow / secret / runner也不開 runtime gate。
"""
from __future__ import annotations
import argparse
import json
from pathlib import Path
from typing import Any
REQUIRED_DOCS = [
"docs/security/S4-9-OWNER-RESPONSE-GATE-CURRENT-GAP-AUDIT.md",
"docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md",
"docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md",
"docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md",
"docs/security/S4-9-SECURITY-ACCEPTANCE-RECORD-TEMPLATE.md",
"docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md",
"docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md",
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md",
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
]
CANONICAL_FIELDS = [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
]
S4_9_TEMPLATES = [
"response-public-only-vs-local-gitea-gap",
"response-org-user-endpoint-identity",
"response-internal-110-adjacent-scope",
"response-repo-owner-canonical-scope",
"response-legacy-or-inaccessible-disposition",
]
OWNER_PACKET_SPECS = [
{
"label": "s4.9 gitea owner attestation response",
"path": "docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
"schema": "gitea_inventory_owner_attestation_response_v1",
"status": "draft_waiting_owner_response",
"template_count": 5,
"expected_template_ids": S4_9_TEMPLATES,
"summary_counts": {
"owner_response_request_packet_count": 1,
"response_template_count": 5,
"owner_response_template_status_count": 5,
"intake_preflight_check_count": 6,
"intake_outcome_lane_count": 5,
"acceptance_check_count": 8,
"rejection_rule_count": 10,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"owner_response_metadata_intake_required_count": 6,
"owner_response_metadata_intake_received_count": 0,
"owner_response_metadata_intake_accepted_count": 0,
"owner_response_metadata_intake_runtime_gate_count": 0,
"owner_response_intake_handoff_queue_count": 5,
"owner_response_intake_handoff_queue_received_count": 0,
"owner_response_intake_handoff_queue_accepted_count": 0,
"owner_response_intake_handoff_queue_runtime_gate_count": 0,
},
"false_flags": [
"runtime_execution_authorized",
"action_buttons_allowed",
"token_value_collection_allowed",
"raw_secret_allowed",
"repo_write_allowed",
"refs_sync_allowed",
"github_primary_switch_authorized",
"owner_response_metadata_intake_raw_payload_allowed",
"owner_response_metadata_intake_secret_plaintext_allowed",
"owner_response_metadata_intake_action_buttons_allowed",
"owner_response_intake_handoff_queue_raw_payload_allowed",
"owner_response_intake_handoff_queue_action_buttons_allowed",
],
},
{
"label": "s4.10 github target owner decision response",
"path": "docs/security/github-target-owner-decision-response.snapshot.json",
"schema": "github_target_owner_decision_response_v1",
"status": "draft_waiting_owner_response",
"template_count": 9,
"summary_counts": {
"owner_response_request_packet_count": 1,
"response_template_count": 9,
"owner_response_template_status_count": 9,
"intake_preflight_check_count": 6,
"acceptance_check_count": 8,
"rejection_rule_count": 10,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
},
"false_flags": [
"runtime_execution_authorized",
"action_buttons_allowed",
"repo_creation_authorized",
"visibility_change_authorized",
"refs_sync_authorized",
"github_primary_switch_authorized",
"secret_value_collection_allowed",
"target_owner_request_dispatch_authorized",
],
},
{
"label": "s4.11 ref truth owner response",
"path": "docs/security/source-control-ref-truth-owner-response.snapshot.json",
"schema": "source_control_ref_truth_owner_response_v1",
"status": "draft_waiting_owner_response",
"template_count": 5,
"summary_counts": {
"owner_response_request_packet_count": 1,
"response_template_count": 5,
"owner_response_template_status_count": 5,
"intake_preflight_check_count": 6,
"acceptance_check_count": 8,
"rejection_rule_count": 10,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
},
"false_flags": [
"runtime_execution_authorized",
"action_buttons_allowed",
"refs_sync_authorized",
"refs_delete_authorized",
"force_push_authorized",
"github_primary_switch_authorized",
"secret_value_collection_allowed",
],
},
{
"label": "s4.12 workflow secret owner response",
"path": "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"schema": "source_control_workflow_secret_name_owner_response_v1",
"status": "draft_waiting_owner_response",
"template_count": 5,
"summary_counts": {
"owner_response_request_packet_count": 1,
"response_template_count": 5,
"owner_response_template_status_count": 5,
"intake_preflight_check_count": 6,
"acceptance_check_count": 8,
"rejection_rule_count": 10,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
},
"false_flags": [
"runtime_execution_authorized",
"action_buttons_allowed",
"workflow_modification_authorized",
"repo_secret_change_authorized",
"runner_change_authorized",
"webhook_modification_authorized",
"branch_protection_change_authorized",
"deploy_key_change_authorized",
"github_hosted_runner_enable_authorized",
"secret_value_collection_allowed",
"secret_value_or_hash_collection_allowed",
"workflow_secret_owner_request_dispatch_authorized",
"write_token_allowed",
],
},
]
def load_json(path: Path) -> dict[str, Any]:
return json.loads(path.read_text(encoding="utf-8"))
def fail(message: str) -> None:
raise SystemExit(f"BLOCKED {message}")
def assert_equal(label: str, actual: Any, expected: Any) -> None:
if actual != expected:
fail(f"{label}: expected {expected!r}, got {actual!r}")
def assert_contains(label: str, values: list[Any], expected: Any) -> None:
if expected not in values:
fail(f"{label}: missing {expected!r}")
def assert_text_contains(label: str, text: str, expected: str) -> None:
if expected not in text:
fail(f"{label}: missing {expected!r}")
def assert_path_exists(root: Path, relative_path: str) -> None:
if not (root / relative_path).exists():
fail(f"path missing: {relative_path}")
def summary_value(data: dict[str, Any], key: str) -> Any:
summary = data.get("summary", {})
if key in summary:
return summary[key]
return data.get(key)
def assert_false_summary_flag(label: str, data: dict[str, Any], key: str) -> None:
value = summary_value(data, key)
assert_equal(f"{label}.{key}", value, False)
def validate_docs(root: Path) -> None:
for relative_path in REQUIRED_DOCS:
assert_path_exists(root, relative_path)
canonical_text = (root / "docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md").read_text(
encoding="utf-8"
)
intake_text = (root / "docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md").read_text(
encoding="utf-8"
)
gap_text = (root / "docs/security/S4-9-OWNER-RESPONSE-GATE-CURRENT-GAP-AUDIT.md").read_text(
encoding="utf-8"
)
for field in CANONICAL_FIELDS:
assert_text_contains("canonical_envelope.fields", canonical_text, field)
assert_text_contains("intake_form.fields", intake_text, field)
for template_id in S4_9_TEMPLATES:
assert_text_contains("canonical_envelope.templates", canonical_text, template_id)
assert_text_contains("intake_form.templates", intake_text, template_id)
for marker in [
"request_sent=false",
"received_response_count=0",
"accepted_response_count=0",
"runtime_execution_authorized=false",
"action_buttons_allowed=false",
]:
assert_text_contains("canonical_envelope.zero_boundary", canonical_text, marker)
assert_text_contains("intake_form.zero_boundary", intake_text, marker)
assert_text_contains("gap_audit.owner_gate_zero", gap_text, "S4.9 owner response gate 仍是 `0%`")
def validate_gap_audit(root: Path) -> None:
gap = load_json(root / "docs/security/s4-9-owner-response-gap-audit.snapshot.json")
summary = gap["summary"]
assert_equal("gap.schema_version", gap["schema_version"], "s4_9_owner_response_gap_audit_v1")
assert_equal("gap.status", gap["status"], "gap_audit_ready_owner_gate_zero")
assert_equal("gap.summary.current_requirement_gap_count", summary["current_requirement_gap_count"], 8)
assert_equal("gap.summary.new_rule_count", summary["new_rule_count"], 7)
assert_equal("gap.summary.rule_adjustment_count", summary["rule_adjustment_count"], 7)
assert_equal("gap.summary.priority_work_item_count", summary["priority_work_item_count"], 9)
for key in [
"request_sent_count",
"owner_response_received_count",
"owner_response_accepted_count",
"owner_response_rejected_count",
"runtime_gate_count",
]:
assert_equal(f"gap.summary.{key}", summary[key], 0)
assert_equal("gap.summary.public_surface_raw_namespace_allowed", summary["public_surface_raw_namespace_allowed"], False)
assert_equal(
"gap.summary.work_session_transcript_public_allowed",
summary["work_session_transcript_public_allowed"],
False,
)
false_boundaries = gap["false_boundaries"]
for key, value in false_boundaries.items():
if value is not False:
fail(f"gap.false_boundaries.{key}: expected false, got {value!r}")
def validate_owner_packet(root: Path, spec: dict[str, Any]) -> None:
data = load_json(root / spec["path"])
label = spec["label"]
assert_equal(f"{label}.schema_version", data.get("schema_version"), spec["schema"])
assert_equal(f"{label}.status", data.get("status"), spec["status"])
assert_equal(f"{label}.runtime_execution_authorized", data.get("runtime_execution_authorized"), False)
for key, expected in spec["summary_counts"].items():
assert_equal(f"{label}.summary.{key}", summary_value(data, key), expected)
for key in spec["false_flags"]:
assert_false_summary_flag(label, data, key)
templates = data.get("response_templates", [])
if not isinstance(templates, list):
fail(f"{label}.response_templates: expected list")
assert_equal(f"{label}.response_templates.count", len(templates), spec["template_count"])
if "expected_template_ids" in spec:
template_ids = [item.get("template_id") or item.get("id") for item in templates]
for template_id in spec["expected_template_ids"]:
assert_contains(f"{label}.response_templates", template_ids, template_id)
def validate_rollup(root: Path) -> None:
rollup = load_json(root / "docs/security/source-control-owner-response-validation-rollup.snapshot.json")
summary = rollup["summary"]
assert_equal("rollup.schema_version", rollup["schema_version"], "source_control_owner_response_validation_rollup_v1")
assert_equal("rollup.status", rollup["status"], "draft_waiting_owner_responses")
assert_equal("rollup.summary.response_packet_count", summary["response_packet_count"], 4)
assert_equal("rollup.summary.total_response_template_count", summary["total_response_template_count"], 24)
assert_equal("rollup.summary.total_acceptance_check_count", summary["total_acceptance_check_count"], 32)
assert_equal("rollup.summary.total_rejection_rule_count", summary["total_rejection_rule_count"], 40)
assert_equal("rollup.summary.validation_lane_count", summary["validation_lane_count"], 4)
assert_equal("rollup.summary.owner_response_validation_reviewer_checklist_count", summary["owner_response_validation_reviewer_checklist_count"], 9)
assert_equal("rollup.summary.owner_response_validation_reviewer_outcome_lane_count", summary["owner_response_validation_reviewer_outcome_lane_count"], 7)
for key in [
"total_received_response_count",
"total_accepted_response_count",
"total_rejected_response_count",
"primary_ready_count",
]:
assert_equal(f"rollup.summary.{key}", summary[key], 0)
for key in [
"runtime_execution_authorized",
"action_buttons_allowed",
"repo_creation_authorized",
"visibility_change_authorized",
"refs_sync_authorized",
"refs_delete_authorized",
"workflow_modification_authorized",
"runner_enablement_authorized",
"secret_value_collection_allowed",
"github_primary_switch_authorized",
"force_push_authorized",
"write_token_allowed",
]:
assert_false_summary_flag("rollup", rollup, key)
def validate(root: Path) -> None:
validate_docs(root)
validate_gap_audit(root)
validate_rollup(root)
for spec in OWNER_PACKET_SPECS:
validate_owner_packet(root, spec)
def main() -> None:
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument(
"--root",
default=Path(__file__).resolve().parents[2],
type=Path,
help="Repository root. Defaults to the current script's repository.",
)
args = parser.parse_args()
validate(args.root.resolve())
print("IWOOOS_OWNER_GATE_GUARD_OK")
if __name__ == "__main__":
main()

View File

@@ -77,6 +77,8 @@ def validate(root: Path) -> None:
security_dir = root / "docs" / "security"
config_control_guard = runpy.run_path(str(root / "scripts" / "security" / "iwooos-config-control-guard.py"))
config_control_guard["validate"](root)
owner_gate_guard = runpy.run_path(str(root / "scripts" / "security" / "iwooos-owner-gate-guard.py"))
owner_gate_guard["validate"](root)
manifest = load_json(security_dir / "security-supply-chain-contract-manifest.snapshot.json")
readiness = load_json(security_dir / "security-mirror-readiness.snapshot.json")
@@ -11982,12 +11984,28 @@ def validate(root: Path) -> None:
for text in [
"sourcePublicScopeCode(index)",
"assetPublicCode(index)",
"routePublicCode(index)",
"tenantPublicCode(index)",
"tenantPublicName(tenant, index)",
"tenantBudgetState(tenant)",
"isPublicAssetTextSafe",
"lookupPublicProductName",
"publicChineseAssetText",
"assetPublicProductName(item, index)",
"routePublicProductName(route, index)",
"sourcePublicProductName(repo, index)",
"sourceRepos.map((repo, index)",
"sourceRiskLabel(repo.risk, t)",
"sourceReadinessLabel(repo.readiness_state, t)",
"sourceActionLabel(repo.readiness_state, t)",
"redactedScope",
"nextControl",
"租戶代號",
"公開名稱",
"預算狀態",
"已提交證據參照",
"完整證據路徑保留在只讀台帳與 guard",
]:
assert_text_contains("awooop_tenants_page.source_namespace_redaction", awooop_tenants_page, text)
for text in [
@@ -12005,6 +12023,16 @@ def validate(root: Path) -> None:
"repo_owner_namespace_redacted=true",
"raw_repository_namespace_visible=false",
"public_api_raw_repo_namespace_allowed=false",
"{tenant.display_name || \"--\"}",
"budget?.toLocaleString",
"minimumFractionDigits",
"專案 ID",
"預算上限 (USD)",
"{item.project_id}",
"publicAssetText(item.product_name, item.project_id)",
"publicAssetText(route.product_name, route.product_id)",
"evidence_refs.map((ref)",
"{ref}",
]:
assert_text_not_contains("awooop_tenants_page.raw_source_control_status_render", awooop_tenants_page, text)
assert_text_not_contains(
@@ -24964,7 +24992,7 @@ def validate(root: Path) -> None:
assert_equal(
"dry_run.latest_local_validation.result",
local_validation["result"],
"SECURITY_MIRROR_PROGRESS_GUARD_OK; SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK; IWOOOS_CONFIG_CONTROL_GUARD_OK",
"SECURITY_MIRROR_PROGRESS_GUARD_OK; SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK; IWOOOS_CONFIG_CONTROL_GUARD_OK; IWOOOS_OWNER_GATE_GUARD_OK",
)
assert_contains("dry_run.latest_local_validation.validated_steps", local_validation["validated_steps"], "CHECK_PROGRESS_GUARD")
assert_contains(
@@ -24972,6 +25000,11 @@ def validate(root: Path) -> None:
local_validation["validated_steps"],
"CHECK_OWNER_RESPONSE_GUARD",
)
assert_contains(
"dry_run.latest_local_validation.validated_steps",
local_validation["validated_steps"],
"CHECK_OWNER_GATE_GUARD",
)
assert_contains(
"dry_run.latest_local_validation.validated_steps",
local_validation["validated_steps"],