feat(web): show owner response validation rollup

2026-05-21 11:47:20 +08:00
parent f592a13274
commit f4c3befa70
9 changed files with 641 additions and 68 deletions
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -289,6 +289,7 @@ def validate(root: Path) -> None:
        "s2_69_awooop_runs_github_primary_readiness_boundary",
        "s2_70_traditional_chinese_security_surface_wording_guard",
        "s2_71_awooop_run_detail_traditional_chinese_wording_guard",
+        "s2_72_awooop_home_owner_response_validation_rollup",
    ]
    assert_equal(
        "progress_delta_ledger.delta_ids",
@@ -318,6 +319,11 @@ def validate(root: Path) -> None:
    assert_equal("rollup.workflow_secret_inventory_complete_count", rollup_summary["workflow_secret_inventory_complete_count"], 0)
    assert_false("rollup.secret_value_collection_allowed", rollup_summary["secret_value_collection_allowed"])
    assert_false("rollup.secret_value_detected", rollup_summary["secret_value_detected"])
+    assert_contains(
+        "rollup.next_safe_actions.action_ids",
+        [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)],
+        "mirror_owner_response_validation_rollup",
+    )
    assert_contains(
        "rollup.next_safe_actions.action_ids",
        [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)],
@@ -482,6 +488,76 @@ def validate(root: Path) -> None:
    ]:
        assert_text_not_contains("web_messages.zh-TW.awooop_run_detail_wording", zh_awooop_run_detail_text, forbidden)

+    zh_awooop_home_security_text = json.dumps(
+        {
+            "securityMirror": web_messages_zh["awooop"]["home"]["securityMirror"],
+            "githubPrimaryReadiness": web_messages_zh["awooop"]["home"]["githubPrimaryReadiness"],
+            "ownerResponseValidation": web_messages_zh["awooop"]["home"]["ownerResponseValidation"],
+        },
+        ensure_ascii=False,
+    )
+    for forbidden in [
+        "secret value",
+        "secret 明文",
+        "received / accepted",
+        "0 received",
+        "0 accepted",
+        "Production landing",
+        "production landing",
+        "runtime ingestion",
+        "deployment proof",
+        "evidence refs",
+        "Workflow / secret",
+        "workflow / secret",
+        "ready count",
+        "Owner Response Validation",
+        "Response Packets",
+        "Owner Attestation",
+        "Owner Decision",
+        "Owner Response",
+        "Reviewer Checklist",
+        "Reviewer Outcomes",
+        "Cross-Packet Checks",
+        "owner evidence",
+        "owner response",
+        "owner attestation",
+        "owner decision",
+        "checklist items",
+        "outcome lanes",
+    ]:
+        assert_text_not_contains(
+            "web_messages.zh-TW.awooop_home_security_wording",
+            zh_awooop_home_security_text,
+            forbidden,
+        )
+
+    zh_awooop_owner_response_validation_text = json.dumps(
+        web_messages_zh["awooop"]["home"]["ownerResponseValidation"],
+        ensure_ascii=False,
+    )
+    for forbidden in [
+        "Owner Response Validation",
+        "Response Packets",
+        "Owner Attestation",
+        "Owner Decision",
+        "Owner Response",
+        "Reviewer Checklist",
+        "Reviewer Outcomes",
+        "Cross-Packet Checks",
+        "owner evidence",
+        "owner response",
+        "owner attestation",
+        "owner decision",
+        "secret value",
+        "checklist items",
+        "outcome lanes",
+    ]:
+        assert_text_not_contains(
+            "web_messages.zh-TW.awooop_owner_response_validation_wording",
+            zh_awooop_owner_response_validation_text,
+            forbidden,
+        )
+
    assert_equal("rollout_policy.schema_version", rollout_policy["schema_version"], "security_rollout_policy_v1")
    assert_equal("rollout_policy.default_mode", rollout_policy["default_mode"], "observe")
    assert_equal("rollout_policy.enforcement_level", rollout_policy["enforcement_level"], "mirror_only")
@@ -5209,6 +5285,66 @@ def validate(root: Path) -> None:
            key,
        )

+    assert_text_contains(
+        "awooop_home_page.owner_response_validation_panel",
+        awooop_home_page,
+        "OwnerResponseValidationRollupPanel",
+    )
+    assert_text_contains(
+        "awooop_home_page.owner_response_validation_packets",
+        awooop_home_page,
+        "ownerResponseValidationPackets",
+    )
+    assert_text_contains(
+        "awooop_home_page.owner_response_validation_checks",
+        awooop_home_page,
+        "ownerResponseValidationChecks",
+    )
+    assert_text_contains("awooop_home_page.owner_response_validation_iwooos_link", awooop_home_page, 'href="/iwooos"')
+    for text in [
+        "source_control_owner_response_validation_rollup_v1",
+        "S4.9",
+        "S4.10",
+        "S4.11",
+        "S4.12",
+        "owner_response_validation_received_count=0",
+        "owner_response_validation_accepted_count=0",
+        "owner_response_validation_rejected_count=0",
+        "repo_creation_authorized=false",
+        "refs_sync_authorized=false",
+        "workflow_modification_authorized=false",
+        "secret_value_collection_allowed=false",
+        "github_primary_switch_authorized=false",
+        "runtime_execution_authorized=false",
+        "action_buttons_allowed=false",
+    ]:
+        assert_text_contains("awooop_home_page.owner_response_validation_boundary", awooop_home_page, text)
+    for key in [
+        "title",
+        "subtitle",
+        "badge",
+        "openIwooos",
+        "packetsTitle",
+        "validationTitle",
+        "boundaryLabel",
+        "boundaryTitle",
+        "boundaryDetail",
+        "fields",
+        "metrics",
+        "packets",
+        "checks",
+    ]:
+        assert_contains(
+            "web_messages.zh-TW.awooop.home.ownerResponseValidation",
+            list(web_messages_zh["awooop"]["home"]["ownerResponseValidation"].keys()),
+            key,
+        )
+        assert_contains(
+            "web_messages.en.awooop.home.ownerResponseValidation",
+            list(web_messages_en["awooop"]["home"]["ownerResponseValidation"].keys()),
+            key,
+        )
+
    assert_text_contains("awooop_work_items_page.security_mirror_item", awooop_work_items_page, "iwooosSecurityMirror")
    assert_text_contains("awooop_work_items_page.github_primary_item", awooop_work_items_page, "githubPrimaryReadiness")
    assert_text_contains(