docs(security): add parallel session recovery checks

2026-05-19 14:10:26 +08:00
parent 8976b752c4
commit b8d4171147
19 changed files with 287 additions and 42 deletions
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -115,6 +115,7 @@ def validate(root: Path) -> None:
        "s4_13_owner_response_validation_reviewer_audit_handoff_checks",
        "s4_13_owner_response_validation_parallel_session_sync_checks",
        "s4_13_owner_response_validation_parallel_session_conflict_lanes",
+        "s4_13_owner_response_validation_parallel_session_recovery_checks",
    ]
    assert_equal(
        "progress_delta_ledger.delta_ids",
@@ -215,6 +216,11 @@ def validate(root: Path) -> None:
        owner_summary["owner_response_validation_parallel_session_conflict_lane_count"],
        6,
    )
+    assert_equal(
+        "owner_rollup.owner_response_validation_parallel_session_recovery_check_count",
+        owner_summary["owner_response_validation_parallel_session_recovery_check_count"],
+        6,
+    )
    assert_false("owner_rollup.runtime_execution_authorized", owner_summary["runtime_execution_authorized"])
    assert_false("owner_rollup.repo_creation_authorized", owner_summary["repo_creation_authorized"])
    assert_false("owner_rollup.refs_sync_authorized", owner_summary["refs_sync_authorized"])
--- a/scripts/security/source-control-owner-response-guard.py
+++ b/scripts/security/source-control-owner-response-guard.py
@@ -404,6 +404,15 @@ EXPECTED_ROLLUP_PARALLEL_SESSION_CONFLICT_LANES = [
    "conflict-next-focus-drift",
 ]

+EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS = [
+    "check-recovery-fetch-and-compare-branch",
+    "check-recovery-read-latest-ledger",
+    "check-recovery-rerun-readonly-guards",
+    "check-recovery-review-staged-diff-only",
+    "check-recovery-keep-runtime-flags-false",
+    "check-recovery-record-next-focus-s4-9",
+]
+

 def load_json(path: Path) -> dict[str, Any]:
    return json.loads(path.read_text(encoding="utf-8"))
@@ -516,6 +525,11 @@ def validate(root: Path) -> None:
        rollup_summary["owner_response_validation_parallel_session_conflict_lane_count"],
        len(EXPECTED_ROLLUP_PARALLEL_SESSION_CONFLICT_LANES),
    )
+    assert_equal(
+        "rollup.owner_response_validation_parallel_session_recovery_check_count",
+        rollup_summary["owner_response_validation_parallel_session_recovery_check_count"],
+        len(EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS),
+    )
    assert_true("rollup.quarantine_required", rollup_summary["quarantine_required"])
    assert_equal("rollup.primary_ready_count", rollup_summary["primary_ready_count"], 0)

@@ -1403,6 +1417,56 @@ def validate(root: Path) -> None:
                    item["execution_authorized"],
                )

+    parallel_session_recovery_checks = rollup["owner_response_validation_parallel_session_recovery_checks"]
+    assert_equal(
+        "owner_response_validation_parallel_session_recovery_checks.ids",
+        [item["check_id"] for item in parallel_session_recovery_checks],
+        EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS,
+    )
+    assert_equal(
+        "owner_response_validation_parallel_session_recovery_checks.display_order",
+        [item["display_order"] for item in parallel_session_recovery_checks],
+        list(range(1, len(EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS) + 1)),
+    )
+    for item in parallel_session_recovery_checks:
+        assert_equal(
+            f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.awooop_display_mode",
+            item["awooop_display_mode"],
+            "display_parallel_session_recovery_check_only",
+        )
+        assert_false(
+            f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.execution_authorized",
+            item["execution_authorized"],
+        )
+        assert_true(
+            f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.not_approval",
+            item["not_approval"],
+        )
+        for blocked in item["blocked_interpretations"]:
+            if blocked in {
+                "auto_rebase_after_conflict",
+                "auto_merge_after_conflict",
+                "force_push_after_conflict",
+                "continue_from_pre_conflict_context",
+                "treat_ledger_read_as_authorization",
+                "treat_guard_pass_as_owner_response",
+                "treat_guard_pass_as_runtime_gate",
+                "treat_guard_pass_as_primary_approval",
+                "overwrite_other_session_changes",
+                "drop_unreviewed_changes",
+                "stage_runtime_or_secret_change_from_recovery",
+                "create_action_button_after_recovery",
+                "enqueue_runtime_job_after_recovery",
+                "start_kali_or_repo_action_after_recovery",
+                "auto_collect_owner_response_after_recovery",
+                "mark_s4_9_received_after_recovery",
+                "create_followup_runtime_gate_after_recovery",
+            }:
+                assert_false(
+                    f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.runtime_execution_authorized",
+                    item["execution_authorized"],
+                )
+
    first_lane = LANES[0]
    first_collection_item = collection_order_by_id[first_lane["lane_id"]]
    first_missing_lane = missing_lane_by_id[first_lane["lane_id"]]