docs(security): add IwoooS posture projection contract

This commit is contained in:
Your Name
2026-05-19 15:18:37 +08:00
parent d8917e0d0b
commit d7e99e8ef0
25 changed files with 766 additions and 61 deletions


@@ -41,23 +41,63 @@ def validate(root: Path) -> None:
manifest = load_json(security_dir / "security-supply-chain-contract-manifest.snapshot.json")
readiness = load_json(security_dir / "security-mirror-readiness.snapshot.json")
rollup = load_json(security_dir / "security-mirror-status-rollup.snapshot.json")
intake = load_json(security_dir / "security-mirror-intake-plan.snapshot.json")
event_sample = load_json(security_dir / "security-mirror-event-sample.snapshot.json")
route = load_json(security_dir / "security-mirror-route.snapshot.json")
acceptance = load_json(security_dir / "security-mirror-acceptance.snapshot.json")
dry_run = load_json(security_dir / "security-mirror-dry-run.snapshot.json")
owner_rollup = load_json(security_dir / "source-control-owner-response-validation-rollup.snapshot.json")
primary_gate = load_json(security_dir / "source-control-primary-readiness-gate.snapshot.json")
rollout_policy = load_json(security_dir / "security-rollout-policy.snapshot.json")
iwooos_projection = load_json(security_dir / "iwooos-posture-projection.snapshot.json")
manifest_count = manifest["contract_count"]
readiness_summary = readiness["summary"]
rollup_summary = rollup["summary"]
assert_equal("manifest.contract_count", manifest_count, 35)
assert_equal("manifest.contract_count", manifest_count, 36)
assert_equal("readiness.total_contracts", readiness_summary["total_contracts"], manifest_count)
assert_equal("rollup.total_contracts", rollup_summary["total_contracts"], manifest_count)
assert_equal("rollup.ready_for_mirror_count", rollup_summary["ready_for_mirror_count"], 32)
assert_equal("rollup.ready_for_mirror_count", rollup_summary["ready_for_mirror_count"], 33)
assert_equal("rollup.partial_ready_count", rollup_summary["partial_ready_count"], 2)
assert_equal("rollup.contract_only_count", rollup_summary["contract_only_count"], 1)
assert_equal("rollup.blocked_count", rollup_summary["blocked_count"], 0)
assert_contains(
"manifest.contracts",
[item["contract"] for item in manifest["contracts"]],
"iwooos_posture_projection_v1",
)
assert_contains(
"readiness.contract_readiness",
[item["contract"] for item in readiness["contract_readiness"]],
"iwooos_posture_projection_v1",
)
assert_contains(
"rollup.source_indexes",
rollup["source_indexes"],
"docs/security/iwooos-posture-projection.snapshot.json",
)
assert_equal("event_sample.payload_summary.total_contracts", event_sample["payload_summary"]["total_contracts"], manifest_count)
assert_equal(
"event_sample.payload_summary.ready_for_mirror_count",
event_sample["payload_summary"]["ready_for_mirror_count"],
readiness_summary["ready_for_mirror_count"],
)
assert_contains(
"event_sample.evidence_refs",
event_sample["evidence_refs"],
"docs/security/IWOOOS-POSTURE-PROJECTION.md",
)
assert_equal("route.summary.total_contracts", route["summary"]["total_contracts"], manifest_count)
route_contracts = sorted({contract for group in route["route_groups"] for contract in group["contracts"]})
assert_equal("route.contract_coverage", route_contracts, sorted(item["contract"] for item in manifest["contracts"]))
assert_contains(
"intake.source_indexes",
intake["source_indexes"],
"docs/security/iwooos-posture-projection.snapshot.json",
)
intake_contracts = [contract for wave in intake["intake_waves"] for contract in wave["contracts"]]
assert_contains("intake.contracts", intake_contracts, "iwooos_posture_projection_v1")
progress = rollup["progress_estimate"]
assert_equal("progress.overall_percent", progress["overall_percent"], 58)
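Review bot: The bumped `rollup.ready_for_mirror_count` literal (33) and the three sibling bucket literals (`partial_ready_count`, `contract_only_count`, `blocked_count`) are pinned independently of `manifest_count` (36), so a future contract bump that updates one snapshot but not the other still passes as long as each literal matches its own file. If the four status buckets are meant to partition the contracts (here 33 + 2 + 1 + 0 = 36 does hold), add `assert_equal("rollup.status_bucket_sum", rollup_summary["ready_for_mirror_count"] + rollup_summary["partial_ready_count"] + rollup_summary["contract_only_count"] + rollup_summary["blocked_count"], manifest_count)` next to the `rollup.total_contracts` check so the invariant is enforced rather than implied. Which of the bucket lines are new is inferred only from the duplicated 35/36 and 32/33 pairs, since the rendering drops the +/- markers. validate() continues outside this hunk.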
@@ -120,6 +160,7 @@ def validate(root: Path) -> None:
"s4_13_owner_response_validation_parallel_session_recovery_outcome_lanes",
"s1_3_low_friction_non_blocking_escalation_lanes",
"s2_8_iwooos_frontend_posture_entry",
"s2_9_iwooos_posture_projection_contract",
]
assert_equal(
"progress_delta_ledger.delta_ids",
@@ -206,6 +247,123 @@ def validate(root: Path) -> None:
]:
assert_contains("rollout_policy.allowed_awooop_outputs", rollout_outputs, output)
assert_equal("iwooos_projection.schema_version", iwooos_projection["schema_version"], "iwooos_posture_projection_v1")
assert_equal("iwooos_projection.product_id", iwooos_projection["product_id"], "iwooos")
assert_equal("iwooos_projection.display_name", iwooos_projection["display_name"], "IwoooS")
assert_equal("iwooos_projection.mode", iwooos_projection["mode"], "mirror_only")
assert_false("iwooos_projection.runtime_execution_authorized", iwooos_projection["runtime_execution_authorized"])
assert_false("iwooos_projection.action_buttons_allowed", iwooos_projection["action_buttons_allowed"])
assert_true("iwooos_projection.not_authorization", iwooos_projection["not_authorization"])
assert_equal("iwooos_projection.summary.route_path", iwooos_projection["summary"]["route_path"], "/iwooos")
assert_true("iwooos_projection.summary.nav_entry_added", iwooos_projection["summary"]["nav_entry_added"])
assert_true(
"iwooos_projection.summary.command_palette_entry_added",
iwooos_projection["summary"]["command_palette_entry_added"],
)
assert_equal("iwooos_projection.summary.contract_count", iwooos_projection["summary"]["contract_count"], manifest_count)
assert_equal(
"iwooos_projection.summary.active_runtime_gate_count",
iwooos_projection["summary"]["active_runtime_gate_count"],
rollup_summary["active_runtime_gate_count"],
)
assert_equal(
"iwooos_projection.summary.owner_response_validation_received_count",
iwooos_projection["summary"]["owner_response_validation_received_count"],
rollup_summary["owner_response_validation_received_count"],
)
assert_equal(
"iwooos_projection.summary.owner_response_validation_accepted_count",
iwooos_projection["summary"]["owner_response_validation_accepted_count"],
rollup_summary["owner_response_validation_accepted_count"],
)
assert_equal(
"iwooos_projection.summary.github_primary_ready_count",
iwooos_projection["summary"]["github_primary_ready_count"],
rollup_summary["github_primary_ready_count"],
)
assert_false("iwooos_projection.summary.action_buttons_allowed", iwooos_projection["summary"]["action_buttons_allowed"])
iwooos_progress = iwooos_projection["progress"]
assert_equal("iwooos_projection.progress.overall_percent", iwooos_progress["overall_percent"], progress["overall_percent"])
assert_equal(
"iwooos_projection.progress.framework_percent_min",
iwooos_progress["framework_percent_min"],
progress["framework_percent_min"],
)
assert_equal(
"iwooos_projection.progress.framework_percent_max",
iwooos_progress["framework_percent_max"],
progress["framework_percent_max"],
)
assert_equal(
"iwooos_projection.progress.runtime_landing_percent_min",
iwooos_progress["runtime_landing_percent_min"],
progress["runtime_landing_percent_min"],
)
assert_equal(
"iwooos_projection.progress.runtime_landing_percent_max",
iwooos_progress["runtime_landing_percent_max"],
progress["runtime_landing_percent_max"],
)
assert_equal(
"iwooos_projection.progress.headline_status",
iwooos_progress["headline_status"],
progress_display_policy["headline_status"],
)
assert_true("iwooos_projection.progress.not_authorization", iwooos_progress["not_authorization"])
assert_equal(
"iwooos_projection.posture_pillars.ids",
[item["pillar_id"] for item in iwooos_projection["posture_pillars"]],
["exposure_posture", "source_control_supply_chain", "kali_112_mesh", "approval_boundary"],
)
assert_equal(
"iwooos_projection.posture_pillars.display_order",
[item["display_order"] for item in iwooos_projection["posture_pillars"]],
[1, 2, 3, 4],
)
for item in iwooos_projection["posture_pillars"]:
assert_equal(f"iwooos_projection.posture_pillars.{item['pillar_id']}.display_mode", item["display_mode"], "posture_only")
assert_false(
f"iwooos_projection.posture_pillars.{item['pillar_id']}.runtime_execution_authorized",
item["runtime_execution_authorized"],
)
assert_true(f"iwooos_projection.posture_pillars.{item['pillar_id']}.not_authorization", item["not_authorization"])
assert_equal(
"iwooos_projection.non_blocking_lane_ids",
iwooos_projection["non_blocking_lane_ids"],
expected_low_friction_lane_ids,
)
for evidence_ref in [
"docs/security/iwooos-posture-projection.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
"docs/security/kali-integration-status.snapshot.json",
]:
assert_contains("iwooos_projection.evidence_refs", iwooos_projection["evidence_refs"], evidence_ref)
for output in [
"display_security_posture",
"display_progress_estimate",
"display_non_blocking_lanes",
"display_evidence_refs",
"display_forbidden_actions",
]:
assert_contains("iwooos_projection.allowed_frontend_outputs", iwooos_projection["allowed_frontend_outputs"], output)
for output in [
"add_scan_button",
"add_execute_button",
"add_repair_button",
"start_kali_scan",
"call_kali_execute_endpoint",
"create_github_repo",
"sync_git_refs",
"modify_workflow_or_secret",
"enable_runner",
"switch_github_primary",
"production_deploy",
"treat_progress_as_authorization",
]:
assert_contains("iwooos_projection.forbidden_frontend_outputs", iwooos_projection["forbidden_frontend_outputs"], output)
owner_summary = owner_rollup["summary"]
assert_equal("owner_rollup.total_received_response_count", owner_summary["total_received_response_count"], 0)
assert_equal("owner_rollup.total_accepted_response_count", owner_summary["total_accepted_response_count"], 0)
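Review bot: The `allowed_frontend_outputs` and `forbidden_frontend_outputs` loops near the end of the hunk only test containment, so a projection snapshot that lists an action such as `add_scan_button` in both arrays still validates, even though `mode` is pinned to `mirror_only` and `action_buttons_allowed` to false a few lines earlier. Add a disjointness check after the two loops: `assert_equal("iwooos_projection.frontend_outputs.allowed_forbidden_overlap", sorted(set(iwooos_projection["allowed_frontend_outputs"]) & set(iwooos_projection["forbidden_frontend_outputs"])), [])`. The names `progress_display_policy` and `expected_low_friction_lane_ids` are read here without a visible binding; presumably they are assigned in the part of validate() that lies outside this hunk, which starts and ends beyond it.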
@@ -340,6 +498,12 @@ def validate(root: Path) -> None:
assert_false("primary_gate.raw_secret_storage_authorized", primary_summary["raw_secret_storage_authorized"])
acceptance_ids = [item["check_id"] for item in acceptance["acceptance_checks"]]
assert_equal("acceptance.total_contracts", acceptance["summary"]["total_contracts"], manifest_count)
assert_equal(
"acceptance.ready_for_mirror_count",
acceptance["summary"]["ready_for_mirror_count"],
readiness_summary["ready_for_mirror_count"],
)
assert_contains("acceptance_checks", acceptance_ids, "PROGRESS_ESTIMATE_NOT_AUTHORIZATION")
assert_equal("acceptance.summary.acceptance_check_count", acceptance["summary"]["acceptance_check_count"], len(acceptance_ids))
assert_equal(
@@ -353,6 +517,11 @@ def validate(root: Path) -> None:
dry_run_step_ids = [item["step_id"] for item in dry_run["dry_run_steps"]]
assert_equal("dry_run.dry_run_status", dry_run["dry_run_status"], "contract_defined_not_executed")
assert_equal("dry_run.total_contracts", dry_run_summary["total_contracts"], manifest_count)
assert_equal(
"dry_run.ready_for_mirror_count",
dry_run_summary["ready_for_mirror_count"],
readiness_summary["ready_for_mirror_count"],
)
assert_equal("dry_run.acceptance_check_count", dry_run_summary["acceptance_check_count"], 8)
assert_false("dry_run.runtime_execution_authorized", dry_run["runtime_execution_authorized"])
assert_false("dry_run.runtime_actions_executed", dry_run_summary["runtime_actions_executed"])
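Review bot: The new `dry_run.ready_for_mirror_count` check ties the dry-run snapshot to `readiness_summary`, but the adjacent `dry_run.acceptance_check_count` line still pins the count to the literal 8, while the acceptance hunk above compares `acceptance.summary.acceptance_check_count` to `len(acceptance_ids)`. Whether that line is new or context is not recoverable from this rendering; either way, `assert_equal("dry_run.acceptance_check_count", dry_run_summary["acceptance_check_count"], len(acceptance_ids))` would keep the two snapshots from drifting independently, since `acceptance_ids` is already bound earlier in validate(). validate() continues outside this hunk.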
@@ -379,7 +548,11 @@ def validate(root: Path) -> None:
assert_false("dry_run.latest_local_validation.production_ingestion_enabled", local_validation["production_ingestion_enabled"])
assert_true("dry_run.latest_local_validation.not_authorization", local_validation["not_authorization"])
forbidden_actions = set(rollup["forbidden_actions"]) | set(acceptance["forbidden_actions"])
forbidden_actions = (
set(rollup["forbidden_actions"])
| set(acceptance["forbidden_actions"])
| set(iwooos_projection["forbidden_frontend_outputs"])
)
for action in [
"start_kali_scan",
"call_kali_execute_endpoint",