docs(security): add owner response audit templates

2026-05-19 11:04:34 +08:00
parent 06adeecbe2
commit ebefc7d3bc
19 changed files with 309 additions and 40 deletions
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -105,6 +105,7 @@ def validate(root: Path) -> None:
        "s4_13_owner_response_validation_state_transition_rules",
        "s4_13_owner_response_validation_reviewer_checklist",
        "s4_13_owner_response_validation_reviewer_outcome_lanes",
+        "s4_13_owner_response_validation_reviewer_audit_event_templates",
    ]
    assert_equal(
        "progress_delta_ledger.delta_ids",
@@ -155,6 +156,11 @@ def validate(root: Path) -> None:
        owner_summary["owner_response_validation_reviewer_outcome_lane_count"],
        7,
    )
+    assert_equal(
+        "owner_rollup.owner_response_validation_reviewer_audit_event_template_count",
+        owner_summary["owner_response_validation_reviewer_audit_event_template_count"],
+        4,
+    )
    assert_false("owner_rollup.runtime_execution_authorized", owner_summary["runtime_execution_authorized"])
    assert_false("owner_rollup.repo_creation_authorized", owner_summary["repo_creation_authorized"])
    assert_false("owner_rollup.refs_sync_authorized", owner_summary["refs_sync_authorized"])
--- a/scripts/security/source-control-owner-response-guard.py
+++ b/scripts/security/source-control-owner-response-guard.py
@@ -319,6 +319,13 @@ EXPECTED_ROLLUP_REVIEWER_OUTCOME_LANES = [
    "outcome-waiting-followup-runtime-gate",
 ]

+EXPECTED_ROLLUP_REVIEWER_AUDIT_EVENT_TEMPLATES = [
+    "audit-reviewer-outcome-review-opened",
+    "audit-reviewer-outcome-classified",
+    "audit-reviewer-quarantine-or-reject-recorded",
+    "audit-reviewer-readonly-update-noted",
+]
+

 def load_json(path: Path) -> dict[str, Any]:
    return json.loads(path.read_text(encoding="utf-8"))
@@ -381,6 +388,11 @@ def validate(root: Path) -> None:
        rollup_summary["owner_response_validation_reviewer_outcome_lane_count"],
        len(EXPECTED_ROLLUP_REVIEWER_OUTCOME_LANES),
    )
+    assert_equal(
+        "rollup.owner_response_validation_reviewer_audit_event_template_count",
+        rollup_summary["owner_response_validation_reviewer_audit_event_template_count"],
+        len(EXPECTED_ROLLUP_REVIEWER_AUDIT_EVENT_TEMPLATES),
+    )
    assert_true("rollup.quarantine_required", rollup_summary["quarantine_required"])
    assert_equal("rollup.primary_ready_count", rollup_summary["primary_ready_count"], 0)

@@ -861,6 +873,46 @@ def validate(root: Path) -> None:
                    item["execution_authorized"],
                )

+    reviewer_audit_event_templates = rollup["owner_response_validation_reviewer_audit_event_templates"]
+    assert_equal(
+        "owner_response_validation_reviewer_audit_event_templates.ids",
+        [item["event_template_id"] for item in reviewer_audit_event_templates],
+        EXPECTED_ROLLUP_REVIEWER_AUDIT_EVENT_TEMPLATES,
+    )
+    assert_equal(
+        "owner_response_validation_reviewer_audit_event_templates.display_order",
+        [item["display_order"] for item in reviewer_audit_event_templates],
+        list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_EVENT_TEMPLATES) + 1)),
+    )
+    for item in reviewer_audit_event_templates:
+        assert_equal(
+            f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.event_status",
+            item["event_status"],
+            "template_only_not_emitted",
+        )
+        assert_equal(
+            f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.emitted_event_count",
+            item["emitted_event_count"],
+            0,
+        )
+        assert_false(
+            f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.stored_raw_payload_allowed",
+            item["stored_raw_payload_allowed"],
+        )
+        assert_equal(
+            f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.awooop_display_mode",
+            item["awooop_display_mode"],
+            "display_reviewer_audit_template_only",
+        )
+        assert_false(
+            f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.execution_authorized",
+            item["execution_authorized"],
+        )
+        assert_true(
+            f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.not_approval",
+            item["not_approval"],
+        )
+
    first_lane = LANES[0]
    first_collection_item = collection_order_by_id[first_lane["lane_id"]]
    first_missing_lane = missing_lane_by_id[first_lane["lane_id"]]