wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity

docs(security): add owner response audit retention rules

Browse Source
This commit is contained in:
Your Name
2026-05-19 12:36:13 +08:00
parent ba034582bf
commit 7f00490c58
19 changed files with 266 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
scripts/security/security-mirror-progress-guard.py
View File

@@ -109,6 +109,7 @@ def validate(root: Path) -> None:
"s4_13_owner_response_validation_reviewer_audit_display_sections",
"s4_13_owner_response_validation_reviewer_audit_collection_checks",
"s4_13_owner_response_validation_reviewer_audit_redaction_examples",
"s4_13_owner_response_validation_reviewer_audit_retention_rules",
]
assert_equal(
"progress_delta_ledger.delta_ids",
@@ -179,6 +180,11 @@ def validate(root: Path) -> None:
owner_summary["owner_response_validation_reviewer_audit_redaction_example_count"],
5,
)
assert_equal(
"owner_rollup.owner_response_validation_reviewer_audit_retention_rule_count",
owner_summary["owner_response_validation_reviewer_audit_retention_rule_count"],
5,
)
assert_false("owner_rollup.runtime_execution_authorized", owner_summary["runtime_execution_authorized"])
assert_false("owner_rollup.repo_creation_authorized", owner_summary["repo_creation_authorized"])
assert_false("owner_rollup.refs_sync_authorized", owner_summary["refs_sync_authorized"])

44
scripts/security/source-control-owner-response-guard.py
View File

@@ -351,6 +351,14 @@ EXPECTED_ROLLUP_REVIEWER_AUDIT_REDACTION_EXAMPLES = [
"redaction-runtime-gate-counter-summary",
]
EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_RULES = [
"retention-reviewer-start-metadata-only",
"retention-classification-summary-only",
"retention-quarantine-pointer-only",
"retention-readonly-update-targets-only",
"retention-counter-snapshot-only",
]
def load_json(path: Path) -> dict[str, Any]:
return json.loads(path.read_text(encoding="utf-8"))
@@ -433,6 +441,11 @@ def validate(root: Path) -> None:
rollup_summary["owner_response_validation_reviewer_audit_redaction_example_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_REDACTION_EXAMPLES),
)
assert_equal(
"rollup.owner_response_validation_reviewer_audit_retention_rule_count",
rollup_summary["owner_response_validation_reviewer_audit_retention_rule_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_RULES),
)
assert_true("rollup.quarantine_required", rollup_summary["quarantine_required"])
assert_equal("rollup.primary_ready_count", rollup_summary["primary_ready_count"], 0)
@@ -1053,6 +1066,37 @@ def validate(root: Path) -> None:
item["not_approval"],
)
reviewer_audit_retention_rules = rollup["owner_response_validation_reviewer_audit_retention_rules"]
assert_equal(
"owner_response_validation_reviewer_audit_retention_rules.ids",
[item["rule_id"] for item in reviewer_audit_retention_rules],
EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_RULES,
)
assert_equal(
"owner_response_validation_reviewer_audit_retention_rules.display_order",
[item["display_order"] for item in reviewer_audit_retention_rules],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_RULES) + 1)),
)
for item in reviewer_audit_retention_rules:
assert_equal(
f"owner_response_validation_reviewer_audit_retention_rules.{item['rule_id']}.retention_status",
item["retention_status"],
"metadata_retention_rule_only",
)
assert_equal(
f"owner_response_validation_reviewer_audit_retention_rules.{item['rule_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_audit_retention_rule_only",
)
assert_false(
f"owner_response_validation_reviewer_audit_retention_rules.{item['rule_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_audit_retention_rules.{item['rule_id']}.not_approval",
item["not_approval"],
)
first_lane = LANES[0]
first_collection_item = collection_order_by_id[first_lane["lane_id"]]
first_missing_lane = missing_lane_by_id[first_lane["lane_id"]]