#!/usr/bin/env python3 """Validate the mirror-only security progress guardrails. This script is intentionally read-only. It checks committed snapshots only and does not call GitHub, Gitea, Kali, AwoooP, or any runtime API. """ from __future__ import annotations import argparse import json from pathlib import Path from typing import Any def load_json(path: Path) -> dict[str, Any]: return json.loads(path.read_text(encoding="utf-8")) def assert_equal(label: str, actual: Any, expected: Any) -> None: if actual != expected: raise SystemExit(f"BLOCKED {label}: expected {expected!r}, got {actual!r}") def assert_false(label: str, actual: Any) -> None: assert_equal(label, actual, False) def assert_true(label: str, actual: Any) -> None: assert_equal(label, actual, True) def assert_contains(label: str, values: list[Any], expected: Any) -> None: if expected not in values: raise SystemExit(f"BLOCKED {label}: missing {expected!r}") def validate(root: Path) -> None: security_dir = root / "docs" / "security" manifest = load_json(security_dir / "security-supply-chain-contract-manifest.snapshot.json") readiness = load_json(security_dir / "security-mirror-readiness.snapshot.json") rollup = load_json(security_dir / "security-mirror-status-rollup.snapshot.json") intake = load_json(security_dir / "security-mirror-intake-plan.snapshot.json") event_sample = load_json(security_dir / "security-mirror-event-sample.snapshot.json") route = load_json(security_dir / "security-mirror-route.snapshot.json") acceptance = load_json(security_dir / "security-mirror-acceptance.snapshot.json") dry_run = load_json(security_dir / "security-mirror-dry-run.snapshot.json") owner_rollup = load_json(security_dir / "source-control-owner-response-validation-rollup.snapshot.json") primary_gate = load_json(security_dir / "source-control-primary-readiness-gate.snapshot.json") rollout_policy = load_json(security_dir / "security-rollout-policy.snapshot.json") iwooos_projection = load_json(security_dir / 
"iwooos-posture-projection.snapshot.json") manifest_count = manifest["contract_count"] readiness_summary = readiness["summary"] rollup_summary = rollup["summary"] assert_equal("manifest.contract_count", manifest_count, 36) assert_equal("readiness.total_contracts", readiness_summary["total_contracts"], manifest_count) assert_equal("rollup.total_contracts", rollup_summary["total_contracts"], manifest_count) assert_equal("rollup.ready_for_mirror_count", rollup_summary["ready_for_mirror_count"], 33) assert_equal("rollup.partial_ready_count", rollup_summary["partial_ready_count"], 2) assert_equal("rollup.contract_only_count", rollup_summary["contract_only_count"], 1) assert_equal("rollup.blocked_count", rollup_summary["blocked_count"], 0) assert_contains( "manifest.contracts", [item["contract"] for item in manifest["contracts"]], "iwooos_posture_projection_v1", ) assert_contains( "readiness.contract_readiness", [item["contract"] for item in readiness["contract_readiness"]], "iwooos_posture_projection_v1", ) assert_contains( "rollup.source_indexes", rollup["source_indexes"], "docs/security/iwooos-posture-projection.snapshot.json", ) assert_equal("event_sample.payload_summary.total_contracts", event_sample["payload_summary"]["total_contracts"], manifest_count) assert_equal( "event_sample.payload_summary.ready_for_mirror_count", event_sample["payload_summary"]["ready_for_mirror_count"], readiness_summary["ready_for_mirror_count"], ) assert_contains( "event_sample.evidence_refs", event_sample["evidence_refs"], "docs/security/IWOOOS-POSTURE-PROJECTION.md", ) assert_equal("route.summary.total_contracts", route["summary"]["total_contracts"], manifest_count) route_contracts = sorted({contract for group in route["route_groups"] for contract in group["contracts"]}) assert_equal("route.contract_coverage", route_contracts, sorted(item["contract"] for item in manifest["contracts"])) assert_contains( "intake.source_indexes", intake["source_indexes"], 
"docs/security/iwooos-posture-projection.snapshot.json", ) intake_contracts = [contract for wave in intake["intake_waves"] for contract in wave["contracts"]] assert_contains("intake.contracts", intake_contracts, "iwooos_posture_projection_v1") progress = rollup["progress_estimate"] assert_equal("progress.overall_percent", progress["overall_percent"], 58) assert_equal("progress.framework_percent_min", progress["framework_percent_min"], 80) assert_equal("progress.framework_percent_max", progress["framework_percent_max"], 85) assert_equal("progress.runtime_landing_percent_min", progress["runtime_landing_percent_min"], 35) assert_equal("progress.runtime_landing_percent_max", progress["runtime_landing_percent_max"], 40) assert_true("progress.not_authorization", progress["not_authorization"]) progress_display_policy = rollup["progress_display_policy"] assert_equal("progress_display_policy.headline_percent", progress_display_policy["headline_percent"], 58) assert_equal( "progress_display_policy.headline_status", progress_display_policy["headline_status"], "holding_until_owner_response_or_runtime_gate", ) assert_true("progress_display_policy.recent_micro_progress_visible", progress_display_policy["recent_micro_progress_visible"]) assert_false( "progress_display_policy.runtime_execution_authorized", progress_display_policy["runtime_execution_authorized"], ) assert_true("progress_display_policy.not_authorization", progress_display_policy["not_authorization"]) progress_delta_ledger = rollup["progress_delta_ledger"] expected_delta_ids = [ "s4_10_owner_response_request_packet", "s4_10_owner_response_template_status_ledger", "s4_10_owner_response_audit_event_templates", "s4_10_owner_response_redaction_examples", "s4_10_owner_response_collection_checks", "s4_10_owner_response_intake_preflight_checks", "s4_11_ref_truth_owner_response_request_packet", "s4_11_ref_truth_owner_response_template_status_ledger", "s4_11_ref_truth_owner_response_audit_event_templates", 
"s4_11_ref_truth_owner_response_redaction_examples", "s4_11_ref_truth_owner_response_collection_checks", "s4_11_ref_truth_owner_response_intake_preflight_checks", "s4_12_workflow_secret_name_owner_response_request_packet", "s4_12_workflow_secret_name_owner_response_template_status_ledger", "s4_12_workflow_secret_name_owner_response_audit_event_templates", "s4_12_workflow_secret_name_owner_response_redaction_examples", "s4_12_workflow_secret_name_owner_response_collection_checks", "s4_12_workflow_secret_name_owner_response_intake_preflight_checks", "s4_13_owner_response_validation_evidence_routing_rules", "s4_13_owner_response_validation_display_sections", "s4_13_owner_response_validation_state_transition_rules", "s4_13_owner_response_validation_reviewer_checklist", "s4_13_owner_response_validation_reviewer_outcome_lanes", "s4_13_owner_response_validation_reviewer_audit_event_templates", "s4_13_owner_response_validation_reviewer_audit_display_sections", "s4_13_owner_response_validation_reviewer_audit_collection_checks", "s4_13_owner_response_validation_reviewer_audit_redaction_examples", "s4_13_owner_response_validation_reviewer_audit_retention_rules", "s4_13_owner_response_validation_reviewer_audit_retention_checks", "s4_13_owner_response_validation_reviewer_audit_handoff_packets", "s4_13_owner_response_validation_reviewer_audit_handoff_checks", "s4_13_owner_response_validation_parallel_session_sync_checks", "s4_13_owner_response_validation_parallel_session_conflict_lanes", "s4_13_owner_response_validation_parallel_session_recovery_checks", "s4_13_owner_response_validation_parallel_session_recovery_outcome_lanes", "s1_3_low_friction_non_blocking_escalation_lanes", "s2_8_iwooos_frontend_posture_entry", "s2_9_iwooos_posture_projection_contract", "s2_10_iwooos_existing_frontend_surface_integration", "s2_11_iwooos_surface_coverage_boundary_matrix", "s2_12_iwooos_operator_journey_projection", "s2_13_iwooos_owner_evidence_readiness_board", 
"s2_14_iwooos_host_coverage_view", "s2_15_iwooos_host_action_gate_matrix", "s2_16_iwooos_host_evidence_readiness_board", "s2_17_iwooos_host_evidence_collection_order", ] assert_equal( "progress_delta_ledger.delta_ids", [item["delta_id"] for item in progress_delta_ledger], expected_delta_ids, ) assert_equal( "progress_delta_ledger.display_order", [item["display_order"] for item in progress_delta_ledger], list(range(1, len(expected_delta_ids) + 1)), ) for item in progress_delta_ledger: assert_equal(f"progress_delta_ledger.{item['delta_id']}.progress_axis", item["progress_axis"], "framework_detail") assert_equal(f"progress_delta_ledger.{item['delta_id']}.headline_percent_delta", item["headline_percent_delta"], 0) assert_true(f"progress_delta_ledger.{item['delta_id']}.framework_delta_visible", item["framework_delta_visible"]) assert_false(f"progress_delta_ledger.{item['delta_id']}.runtime_delta", item["runtime_delta"]) assert_false(f"progress_delta_ledger.{item['delta_id']}.execution_authorized", item["execution_authorized"]) assert_true(f"progress_delta_ledger.{item['delta_id']}.not_authorization", item["not_authorization"]) assert_false("rollup.runtime_execution_authorized", rollup["runtime_execution_authorized"]) assert_equal("rollup.active_runtime_gate_count", rollup_summary["active_runtime_gate_count"], 0) assert_false("rollup.runtime_actions_executed", rollup_summary["runtime_actions_executed"]) assert_false("rollup.payloads_ingested", rollup_summary["payloads_ingested"]) assert_equal("rollup.github_primary_ready_count", rollup_summary["github_primary_ready_count"], 0) assert_equal("rollup.owner_response_validation_received_count", rollup_summary["owner_response_validation_received_count"], 0) assert_equal("rollup.owner_response_validation_accepted_count", rollup_summary["owner_response_validation_accepted_count"], 0) assert_equal("rollup.workflow_secret_inventory_complete_count", rollup_summary["workflow_secret_inventory_complete_count"], 0) 
assert_false("rollup.secret_value_collection_allowed", rollup_summary["secret_value_collection_allowed"]) assert_false("rollup.secret_value_detected", rollup_summary["secret_value_detected"]) assert_equal("rollout_policy.schema_version", rollout_policy["schema_version"], "security_rollout_policy_v1") assert_equal("rollout_policy.default_mode", rollout_policy["default_mode"], "observe") assert_equal("rollout_policy.enforcement_level", rollout_policy["enforcement_level"], "mirror_only") assert_equal("rollout_policy.non_blocking_escalation_lane_count", rollout_policy["non_blocking_escalation_lane_count"], 7) expected_low_friction_lane_ids = [ "lane-low-medium-observation", "lane-owner-response-missing", "lane-mirror-data-incomplete", "lane-source-control-drift-draft", "lane-kali-observe-finding", "lane-workflow-secret-name-gap", "lane-progress-display-holding", ] non_blocking_lanes = rollout_policy["non_blocking_escalation_lanes"] assert_equal( "rollout_policy.non_blocking_escalation_lanes.ids", [item["lane_id"] for item in non_blocking_lanes], expected_low_friction_lane_ids, ) assert_equal( "rollout_policy.non_blocking_escalation_lanes.display_order", [item["display_order"] for item in non_blocking_lanes], list(range(1, len(expected_low_friction_lane_ids) + 1)), ) for item in non_blocking_lanes: if item["initial_mode"] not in {"observe", "warn"}: raise SystemExit( f"BLOCKED rollout_policy.non_blocking_escalation_lanes.{item['lane_id']}.initial_mode: " f"expected observe/warn, got {item['initial_mode']!r}" ) assert_true( f"rollout_policy.non_blocking_escalation_lanes.{item['lane_id']}.owner_review_required_before_blocking", item["owner_review_required_before_blocking"], ) assert_false( f"rollout_policy.non_blocking_escalation_lanes.{item['lane_id']}.runtime_blocking_allowed", item["runtime_blocking_allowed"], ) assert_equal( f"rollout_policy.non_blocking_escalation_lanes.{item['lane_id']}.awooop_display_mode", item["awooop_display_mode"], 
"display_low_friction_non_blocking_lane_only", ) assert_true( f"rollout_policy.non_blocking_escalation_lanes.{item['lane_id']}.not_authorization", item["not_authorization"], ) rollout_outputs = rollout_policy["allowed_awooop_outputs"] for output in [ "display_non_blocking_escalation_lanes", "create_followup_without_blocking", "show_owner_review_required_before_blocking", "keep_runtime_blocking_false", ]: assert_contains("rollout_policy.allowed_awooop_outputs", rollout_outputs, output) assert_equal("iwooos_projection.schema_version", iwooos_projection["schema_version"], "iwooos_posture_projection_v1") assert_equal("iwooos_projection.product_id", iwooos_projection["product_id"], "iwooos") assert_equal("iwooos_projection.display_name", iwooos_projection["display_name"], "IwoooS") assert_equal("iwooos_projection.mode", iwooos_projection["mode"], "mirror_only") assert_false("iwooos_projection.runtime_execution_authorized", iwooos_projection["runtime_execution_authorized"]) assert_false("iwooos_projection.action_buttons_allowed", iwooos_projection["action_buttons_allowed"]) assert_true("iwooos_projection.not_authorization", iwooos_projection["not_authorization"]) assert_equal("iwooos_projection.summary.route_path", iwooos_projection["summary"]["route_path"], "/iwooos") assert_true("iwooos_projection.summary.nav_entry_added", iwooos_projection["summary"]["nav_entry_added"]) assert_true( "iwooos_projection.summary.command_palette_entry_added", iwooos_projection["summary"]["command_palette_entry_added"], ) assert_equal("iwooos_projection.summary.contract_count", iwooos_projection["summary"]["contract_count"], manifest_count) assert_equal( "iwooos_projection.summary.active_runtime_gate_count", iwooos_projection["summary"]["active_runtime_gate_count"], rollup_summary["active_runtime_gate_count"], ) assert_equal( "iwooos_projection.summary.owner_response_validation_received_count", iwooos_projection["summary"]["owner_response_validation_received_count"], 
rollup_summary["owner_response_validation_received_count"], ) assert_equal( "iwooos_projection.summary.owner_response_validation_accepted_count", iwooos_projection["summary"]["owner_response_validation_accepted_count"], rollup_summary["owner_response_validation_accepted_count"], ) assert_equal( "iwooos_projection.summary.github_primary_ready_count", iwooos_projection["summary"]["github_primary_ready_count"], rollup_summary["github_primary_ready_count"], ) assert_false("iwooos_projection.summary.action_buttons_allowed", iwooos_projection["summary"]["action_buttons_allowed"]) expected_iwooos_surface_ids = [ "security_compliance", "legacy_security", "legacy_compliance", "alerts", "errors", "authorizations", "governance", "alert_operation_logs", "awooop_approvals", "code_review", ] assert_equal( "iwooos_projection.summary.existing_frontend_surface_count", iwooos_projection["summary"]["existing_frontend_surface_count"], len(expected_iwooos_surface_ids), ) expected_iwooos_coverage_group_ids = [ "signals_and_exposure", "human_control_boundary", "governance_and_audit", "engineering_review", ] expected_iwooos_conflict_control_ids = [ "preserve_original_route_ownership", "no_runtime_lift_from_index", "code_review_not_deploy_gate", "awooop_approval_not_security_approval", "frontend_index_does_not_call_kali", ] expected_iwooos_journey_step_ids = [ "read_current_posture", "open_existing_security_surface", "triage_non_blocking_lane", "collect_owner_evidence", "wait_for_human_decision", "prepare_followup_runtime_gate", ] expected_iwooos_evidence_readiness_item_ids = [ "s4_9_gitea_owner_attestation_response", "s4_10_github_target_owner_response", "s4_11_refs_truth_owner_response", "s4_12_workflow_secret_owner_response", "s1_6_redacted_finding_ingestion", "s1_6_kali_scan_scope_approval", "s3_4_followup_runtime_gate", ] expected_iwooos_host_coverage_item_ids = [ "kali_112_security_host", "dev_168_development_host", "dev_111_development_host", ] 
expected_iwooos_host_action_gate_item_ids = [ "host_active_scan_gate", "host_credentialed_scan_gate", "kali_execute_gate", "ssh_host_change_gate", "kali_host_update_gate", "runtime_blocking_control_gate", ] expected_iwooos_host_evidence_readiness_item_ids = [ "host_scope_boundary_evidence", "host_owner_decision_record_evidence", "host_credential_handling_evidence", "host_maintenance_window_evidence", "host_rollback_plan_evidence", "host_validation_metrics_evidence", "host_redacted_ingestion_evidence", ] expected_iwooos_host_evidence_collection_step_ids = [ "collect_scope_boundary_first", "collect_owner_decision_second", "collect_credential_handling_third", "collect_maintenance_window_fourth", "collect_rollback_plan_fifth", "collect_validation_metrics_sixth", "collect_redacted_ingestion_seventh", ] assert_equal( "iwooos_projection.summary.frontend_surface_coverage_group_count", iwooos_projection["summary"]["frontend_surface_coverage_group_count"], len(expected_iwooos_coverage_group_ids), ) assert_equal( "iwooos_projection.summary.frontend_surface_conflict_control_count", iwooos_projection["summary"]["frontend_surface_conflict_control_count"], len(expected_iwooos_conflict_control_ids), ) assert_equal( "iwooos_projection.summary.operator_journey_step_count", iwooos_projection["summary"]["operator_journey_step_count"], len(expected_iwooos_journey_step_ids), ) assert_equal( "iwooos_projection.summary.owner_evidence_readiness_item_count", iwooos_projection["summary"]["owner_evidence_readiness_item_count"], len(expected_iwooos_evidence_readiness_item_ids), ) assert_equal( "iwooos_projection.summary.host_coverage_item_count", iwooos_projection["summary"]["host_coverage_item_count"], len(expected_iwooos_host_coverage_item_ids), ) assert_equal( "iwooos_projection.summary.host_action_gate_item_count", iwooos_projection["summary"]["host_action_gate_item_count"], len(expected_iwooos_host_action_gate_item_ids), ) assert_equal( 
"iwooos_projection.summary.host_evidence_readiness_item_count", iwooos_projection["summary"]["host_evidence_readiness_item_count"], len(expected_iwooos_host_evidence_readiness_item_ids), ) assert_equal( "iwooos_projection.summary.host_evidence_collection_step_count", iwooos_projection["summary"]["host_evidence_collection_step_count"], len(expected_iwooos_host_evidence_collection_step_ids), ) iwooos_progress = iwooos_projection["progress"] assert_equal("iwooos_projection.progress.overall_percent", iwooos_progress["overall_percent"], progress["overall_percent"]) assert_equal( "iwooos_projection.progress.framework_percent_min", iwooos_progress["framework_percent_min"], progress["framework_percent_min"], ) assert_equal( "iwooos_projection.progress.framework_percent_max", iwooos_progress["framework_percent_max"], progress["framework_percent_max"], ) assert_equal( "iwooos_projection.progress.runtime_landing_percent_min", iwooos_progress["runtime_landing_percent_min"], progress["runtime_landing_percent_min"], ) assert_equal( "iwooos_projection.progress.runtime_landing_percent_max", iwooos_progress["runtime_landing_percent_max"], progress["runtime_landing_percent_max"], ) assert_equal( "iwooos_projection.progress.headline_status", iwooos_progress["headline_status"], progress_display_policy["headline_status"], ) assert_true("iwooos_projection.progress.not_authorization", iwooos_progress["not_authorization"]) assert_equal( "iwooos_projection.posture_pillars.ids", [item["pillar_id"] for item in iwooos_projection["posture_pillars"]], ["exposure_posture", "source_control_supply_chain", "kali_112_mesh", "approval_boundary"], ) assert_equal( "iwooos_projection.posture_pillars.display_order", [item["display_order"] for item in iwooos_projection["posture_pillars"]], [1, 2, 3, 4], ) for item in iwooos_projection["posture_pillars"]: assert_equal(f"iwooos_projection.posture_pillars.{item['pillar_id']}.display_mode", item["display_mode"], "posture_only") assert_false( 
f"iwooos_projection.posture_pillars.{item['pillar_id']}.runtime_execution_authorized", item["runtime_execution_authorized"], ) assert_true(f"iwooos_projection.posture_pillars.{item['pillar_id']}.not_authorization", item["not_authorization"]) iwooos_surfaces = iwooos_projection["existing_frontend_surfaces"] assert_equal( "iwooos_projection.existing_frontend_surfaces.ids", [item["surface_id"] for item in iwooos_surfaces], expected_iwooos_surface_ids, ) assert_equal( "iwooos_projection.existing_frontend_surfaces.display_order", [item["display_order"] for item in iwooos_surfaces], list(range(1, len(expected_iwooos_surface_ids) + 1)), ) for item in iwooos_surfaces: assert_equal( f"iwooos_projection.existing_frontend_surfaces.{item['surface_id']}.display_mode", item["display_mode"], "link_only", ) assert_false( f"iwooos_projection.existing_frontend_surfaces.{item['surface_id']}.runtime_execution_authorized", item["runtime_execution_authorized"], ) assert_false( f"iwooos_projection.existing_frontend_surfaces.{item['surface_id']}.action_buttons_allowed", item["action_buttons_allowed"], ) assert_true( f"iwooos_projection.existing_frontend_surfaces.{item['surface_id']}.not_authorization", item["not_authorization"], ) iwooos_coverage_groups = iwooos_projection["frontend_surface_coverage_groups"] assert_equal( "iwooos_projection.frontend_surface_coverage_groups.ids", [item["group_id"] for item in iwooos_coverage_groups], expected_iwooos_coverage_group_ids, ) assert_equal( "iwooos_projection.frontend_surface_coverage_groups.display_order", [item["display_order"] for item in iwooos_coverage_groups], list(range(1, len(expected_iwooos_coverage_group_ids) + 1)), ) covered_surface_ids = sorted({surface_id for item in iwooos_coverage_groups for surface_id in item["surface_ids"]}) assert_equal("iwooos_projection.frontend_surface_coverage_groups.coverage", covered_surface_ids, sorted(expected_iwooos_surface_ids)) for item in iwooos_coverage_groups: assert_equal( 
f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.display_mode", item["display_mode"], "coverage_only", ) assert_false( f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.runtime_execution_authorized", item["runtime_execution_authorized"], ) assert_false( f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.action_buttons_allowed", item["action_buttons_allowed"], ) assert_true( f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.not_authorization", item["not_authorization"], ) iwooos_conflict_controls = iwooos_projection["frontend_surface_conflict_controls"] assert_equal( "iwooos_projection.frontend_surface_conflict_controls.ids", [item["control_id"] for item in iwooos_conflict_controls], expected_iwooos_conflict_control_ids, ) assert_equal( "iwooos_projection.frontend_surface_conflict_controls.display_order", [item["display_order"] for item in iwooos_conflict_controls], list(range(1, len(expected_iwooos_conflict_control_ids) + 1)), ) for item in iwooos_conflict_controls: assert_equal( f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.display_mode", item["display_mode"], "conflict_control_only", ) assert_false( f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.runtime_execution_authorized", item["runtime_execution_authorized"], ) assert_false( f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.action_buttons_allowed", item["action_buttons_allowed"], ) assert_true( f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.not_authorization", item["not_authorization"], ) iwooos_journey_steps = iwooos_projection["operator_journey_steps"] assert_equal( "iwooos_projection.operator_journey_steps.ids", [item["step_id"] for item in iwooos_journey_steps], expected_iwooos_journey_step_ids, ) assert_equal( "iwooos_projection.operator_journey_steps.display_order", [item["display_order"] for item in 
iwooos_journey_steps], list(range(1, len(expected_iwooos_journey_step_ids) + 1)), ) for item in iwooos_journey_steps: assert_equal( f"iwooos_projection.operator_journey_steps.{item['step_id']}.display_mode", item["display_mode"], "journey_only", ) assert_false( f"iwooos_projection.operator_journey_steps.{item['step_id']}.runtime_execution_authorized", item["runtime_execution_authorized"], ) assert_false( f"iwooos_projection.operator_journey_steps.{item['step_id']}.action_buttons_allowed", item["action_buttons_allowed"], ) assert_true( f"iwooos_projection.operator_journey_steps.{item['step_id']}.not_authorization", item["not_authorization"], ) iwooos_evidence_readiness = iwooos_projection["owner_evidence_readiness_items"] assert_equal( "iwooos_projection.owner_evidence_readiness_items.ids", [item["item_id"] for item in iwooos_evidence_readiness], expected_iwooos_evidence_readiness_item_ids, ) assert_equal( "iwooos_projection.owner_evidence_readiness_items.display_order", [item["display_order"] for item in iwooos_evidence_readiness], list(range(1, len(expected_iwooos_evidence_readiness_item_ids) + 1)), ) for item in iwooos_evidence_readiness: assert_equal( f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.display_mode", item["display_mode"], "readiness_only", ) assert_equal( f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.received_count", item["received_count"], 0, ) assert_equal( f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.accepted_count", item["accepted_count"], 0, ) assert_false( f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.runtime_execution_authorized", item["runtime_execution_authorized"], ) assert_false( f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.action_buttons_allowed", item["action_buttons_allowed"], ) assert_true( f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.not_authorization", item["not_authorization"], ) 
iwooos_host_coverage = iwooos_projection["host_coverage_items"] assert_equal( "iwooos_projection.host_coverage_items.ids", [item["host_id"] for item in iwooos_host_coverage], expected_iwooos_host_coverage_item_ids, ) assert_equal( "iwooos_projection.host_coverage_items.display_order", [item["display_order"] for item in iwooos_host_coverage], list(range(1, len(expected_iwooos_host_coverage_item_ids) + 1)), ) for item in iwooos_host_coverage: assert_equal( f"iwooos_projection.host_coverage_items.{item['host_id']}.display_mode", item["display_mode"], "coverage_only", ) assert_false( f"iwooos_projection.host_coverage_items.{item['host_id']}.active_scan_authorized", item["active_scan_authorized"], ) assert_false( f"iwooos_projection.host_coverage_items.{item['host_id']}.ssh_change_authorized", item["ssh_change_authorized"], ) assert_false( f"iwooos_projection.host_coverage_items.{item['host_id']}.runtime_execution_authorized", item["runtime_execution_authorized"], ) assert_false( f"iwooos_projection.host_coverage_items.{item['host_id']}.action_buttons_allowed", item["action_buttons_allowed"], ) assert_true( f"iwooos_projection.host_coverage_items.{item['host_id']}.not_authorization", item["not_authorization"], ) iwooos_host_action_gates = iwooos_projection["host_action_gate_items"] assert_equal( "iwooos_projection.host_action_gate_items.ids", [item["action_id"] for item in iwooos_host_action_gates], expected_iwooos_host_action_gate_item_ids, ) assert_equal( "iwooos_projection.host_action_gate_items.display_order", [item["display_order"] for item in iwooos_host_action_gates], list(range(1, len(expected_iwooos_host_action_gate_item_ids) + 1)), ) for item in iwooos_host_action_gates: assert_equal( f"iwooos_projection.host_action_gate_items.{item['action_id']}.display_mode", item["display_mode"], "gate_only", ) assert_false( f"iwooos_projection.host_action_gate_items.{item['action_id']}.active_scan_authorized", item["active_scan_authorized"], ) assert_false( 
f"iwooos_projection.host_action_gate_items.{item['action_id']}.credentialed_scan_authorized", item["credentialed_scan_authorized"], ) assert_false( f"iwooos_projection.host_action_gate_items.{item['action_id']}.ssh_change_authorized", item["ssh_change_authorized"], ) assert_false( f"iwooos_projection.host_action_gate_items.{item['action_id']}.host_update_authorized", item["host_update_authorized"], ) assert_false( f"iwooos_projection.host_action_gate_items.{item['action_id']}.runtime_execution_authorized", item["runtime_execution_authorized"], ) assert_false( f"iwooos_projection.host_action_gate_items.{item['action_id']}.action_buttons_allowed", item["action_buttons_allowed"], ) assert_true( f"iwooos_projection.host_action_gate_items.{item['action_id']}.not_authorization", item["not_authorization"], ) iwooos_host_evidence_readiness = iwooos_projection["host_evidence_readiness_items"] assert_equal( "iwooos_projection.host_evidence_readiness_items.ids", [item["item_id"] for item in iwooos_host_evidence_readiness], expected_iwooos_host_evidence_readiness_item_ids, ) assert_equal( "iwooos_projection.host_evidence_readiness_items.display_order", [item["display_order"] for item in iwooos_host_evidence_readiness], list(range(1, len(expected_iwooos_host_evidence_readiness_item_ids) + 1)), ) for item in iwooos_host_evidence_readiness: assert_equal( f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.display_mode", item["display_mode"], "evidence_readiness_only", ) assert_equal( f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.received_count", item["received_count"], 0, ) assert_equal( f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.accepted_count", item["accepted_count"], 0, ) assert_false( f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.active_scan_authorized", item["active_scan_authorized"], ) assert_false( 
f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.credentialed_scan_authorized", item["credentialed_scan_authorized"], ) assert_false( f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.ssh_change_authorized", item["ssh_change_authorized"], ) assert_false( f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.host_update_authorized", item["host_update_authorized"], ) assert_false( f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.runtime_execution_authorized", item["runtime_execution_authorized"], ) assert_false( f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.action_buttons_allowed", item["action_buttons_allowed"], ) assert_true( f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.not_authorization", item["not_authorization"], ) iwooos_host_evidence_collection_order = iwooos_projection["host_evidence_collection_order"] assert_equal( "iwooos_projection.host_evidence_collection_order.ids", [item["step_id"] for item in iwooos_host_evidence_collection_order], expected_iwooos_host_evidence_collection_step_ids, ) assert_equal( "iwooos_projection.host_evidence_collection_order.display_order", [item["display_order"] for item in iwooos_host_evidence_collection_order], list(range(1, len(expected_iwooos_host_evidence_collection_step_ids) + 1)), ) expected_iwooos_host_evidence_collection_source_ids = [ "host_scope_boundary_evidence", "host_owner_decision_record_evidence", "host_credential_handling_evidence", "host_maintenance_window_evidence", "host_rollback_plan_evidence", "host_validation_metrics_evidence", "host_redacted_ingestion_evidence", ] assert_equal( "iwooos_projection.host_evidence_collection_order.source_item_ids", [item["source_item_id"] for item in iwooos_host_evidence_collection_order], expected_iwooos_host_evidence_collection_source_ids, ) expected_iwooos_host_evidence_collection_dependencies = [ [], ["collect_scope_boundary_first"], 
["collect_owner_decision_second"], ["collect_owner_decision_second"], ["collect_maintenance_window_fourth"], ["collect_rollback_plan_fifth"], ["collect_validation_metrics_sixth"], ] assert_equal( "iwooos_projection.host_evidence_collection_order.depends_on_step_ids", [item["depends_on_step_ids"] for item in iwooos_host_evidence_collection_order], expected_iwooos_host_evidence_collection_dependencies, ) for item in iwooos_host_evidence_collection_order: assert_equal( f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.display_mode", item["display_mode"], "collection_order_only", ) assert_equal( f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.received_count", item["received_count"], 0, ) assert_equal( f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.accepted_count", item["accepted_count"], 0, ) assert_false( f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.runtime_execution_authorized", item["runtime_execution_authorized"], ) assert_false( f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.action_buttons_allowed", item["action_buttons_allowed"], ) assert_true( f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.not_authorization", item["not_authorization"], ) assert_equal( "iwooos_projection.non_blocking_lane_ids", iwooos_projection["non_blocking_lane_ids"], expected_low_friction_lane_ids, ) for evidence_ref in [ "docs/security/iwooos-posture-projection.snapshot.json", "docs/security/security-rollout-policy.snapshot.json", "docs/security/security-mirror-status-rollup.snapshot.json", "docs/security/source-control-owner-response-validation-rollup.snapshot.json", "docs/security/kali-integration-status.snapshot.json", ]: assert_contains("iwooos_projection.evidence_refs", iwooos_projection["evidence_refs"], evidence_ref) for output in [ "display_security_posture", "display_progress_estimate", "display_non_blocking_lanes", 
"display_existing_frontend_security_surfaces", "display_frontend_surface_coverage_matrix", "display_frontend_surface_conflict_controls", "display_operator_journey_steps", "display_owner_evidence_readiness_board", "display_host_coverage_view", "display_host_action_gate_matrix", "display_host_evidence_readiness_board", "display_host_evidence_collection_order", "display_evidence_refs", "display_forbidden_actions", ]: assert_contains("iwooos_projection.allowed_frontend_outputs", iwooos_projection["allowed_frontend_outputs"], output) for output in [ "add_scan_button", "add_execute_button", "add_repair_button", "start_kali_scan", "call_kali_execute_endpoint", "create_github_repo", "sync_git_refs", "modify_workflow_or_secret", "enable_runner", "ssh_to_host", "open_ssh_session", "update_kali_host", "auto_update_host", "run_host_package_upgrade", "credentialed_scan_host", "mark_host_evidence_received", "mark_host_evidence_accepted", "ingest_raw_host_evidence", "advance_host_collection_state", "skip_host_evidence_dependency", "apply_runtime_blocking_control", "switch_github_primary", "production_deploy", "treat_progress_as_authorization", ]: assert_contains("iwooos_projection.forbidden_frontend_outputs", iwooos_projection["forbidden_frontend_outputs"], output) owner_summary = owner_rollup["summary"] assert_equal("owner_rollup.total_received_response_count", owner_summary["total_received_response_count"], 0) assert_equal("owner_rollup.total_accepted_response_count", owner_summary["total_accepted_response_count"], 0) assert_equal("owner_rollup.owner_response_evidence_routing_rule_count", owner_summary["owner_response_evidence_routing_rule_count"], 6) assert_equal("owner_rollup.owner_response_validation_display_section_count", owner_summary["owner_response_validation_display_section_count"], 8) assert_equal( "owner_rollup.owner_response_validation_state_transition_rule_count", owner_summary["owner_response_validation_state_transition_rule_count"], 7, ) assert_equal( 
"owner_rollup.owner_response_validation_reviewer_checklist_count", owner_summary["owner_response_validation_reviewer_checklist_count"], 9, ) assert_equal( "owner_rollup.owner_response_validation_reviewer_outcome_lane_count", owner_summary["owner_response_validation_reviewer_outcome_lane_count"], 7, ) assert_equal( "owner_rollup.owner_response_validation_reviewer_audit_event_template_count", owner_summary["owner_response_validation_reviewer_audit_event_template_count"], 4, ) assert_equal( "owner_rollup.owner_response_validation_reviewer_audit_display_section_count", owner_summary["owner_response_validation_reviewer_audit_display_section_count"], 5, ) assert_equal( "owner_rollup.owner_response_validation_reviewer_audit_collection_check_count", owner_summary["owner_response_validation_reviewer_audit_collection_check_count"], 6, ) assert_equal( "owner_rollup.owner_response_validation_reviewer_audit_redaction_example_count", owner_summary["owner_response_validation_reviewer_audit_redaction_example_count"], 5, ) assert_equal( "owner_rollup.owner_response_validation_reviewer_audit_retention_rule_count", owner_summary["owner_response_validation_reviewer_audit_retention_rule_count"], 5, ) assert_equal( "owner_rollup.owner_response_validation_reviewer_audit_retention_check_count", owner_summary["owner_response_validation_reviewer_audit_retention_check_count"], 6, ) assert_equal( "owner_rollup.owner_response_validation_reviewer_audit_handoff_packet_count", owner_summary["owner_response_validation_reviewer_audit_handoff_packet_count"], 6, ) assert_equal( "owner_rollup.owner_response_validation_reviewer_audit_handoff_check_count", owner_summary["owner_response_validation_reviewer_audit_handoff_check_count"], 6, ) assert_equal( "owner_rollup.owner_response_validation_parallel_session_sync_check_count", owner_summary["owner_response_validation_parallel_session_sync_check_count"], 6, ) assert_equal( "owner_rollup.owner_response_validation_parallel_session_conflict_lane_count", 
owner_summary["owner_response_validation_parallel_session_conflict_lane_count"], 6, ) assert_equal( "owner_rollup.owner_response_validation_parallel_session_recovery_check_count", owner_summary["owner_response_validation_parallel_session_recovery_check_count"], 6, ) assert_equal( "owner_rollup.owner_response_validation_parallel_session_recovery_outcome_lane_count", owner_summary["owner_response_validation_parallel_session_recovery_outcome_lane_count"], 7, ) assert_false("owner_rollup.runtime_execution_authorized", owner_summary["runtime_execution_authorized"]) assert_false("owner_rollup.repo_creation_authorized", owner_summary["repo_creation_authorized"]) assert_false("owner_rollup.refs_sync_authorized", owner_summary["refs_sync_authorized"]) assert_false("owner_rollup.workflow_modification_authorized", owner_summary["workflow_modification_authorized"]) assert_false("owner_rollup.github_primary_switch_authorized", owner_summary["github_primary_switch_authorized"]) assert_false("owner_rollup.action_buttons_allowed", owner_summary["action_buttons_allowed"]) next_candidate = owner_rollup["next_collection_candidate"] assert_equal("owner_rollup.next_collection_candidate.order", next_candidate["order"], 1) assert_equal( "owner_rollup.next_collection_candidate.lane_id", next_candidate["lane_id"], "s4_9_gitea_inventory_owner_attestation_response", ) assert_equal( "owner_rollup.next_collection_candidate.display_status", next_candidate["display_status"], "next_owner_response_required", ) assert_equal( "owner_rollup.next_collection_candidate.required_response_template_count", next_candidate["required_response_template_count"], 5, ) assert_equal("owner_rollup.next_collection_candidate.received_response_count", next_candidate["received_response_count"], 0) assert_equal("owner_rollup.next_collection_candidate.accepted_response_count", next_candidate["accepted_response_count"], 0) assert_equal( "owner_rollup.next_collection_candidate.awooop_display_mode", 
next_candidate["awooop_display_mode"], "display_next_collection_item_only", ) assert_true("owner_rollup.next_collection_candidate.blocked_until_received", next_candidate["blocked_until_received"]) assert_false("owner_rollup.next_collection_candidate.execution_authorized", next_candidate["execution_authorized"]) assert_true("owner_rollup.next_collection_candidate.not_approval", next_candidate["not_approval"]) owner_local_validation = owner_rollup["latest_local_validation"] assert_equal("owner_rollup.latest_local_validation.status", owner_local_validation["status"], "repo_snapshot_guard_pass") assert_equal("owner_rollup.latest_local_validation.scope", owner_local_validation["scope"], "repo_snapshot_only") assert_equal("owner_rollup.latest_local_validation.result", owner_local_validation["result"], "SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK") assert_equal("owner_rollup.latest_local_validation.received_response_count", owner_local_validation["received_response_count"], 0) assert_equal("owner_rollup.latest_local_validation.accepted_response_count", owner_local_validation["accepted_response_count"], 0) assert_false("owner_rollup.latest_local_validation.runtime_actions_authorized", owner_local_validation["runtime_actions_authorized"]) assert_false("owner_rollup.latest_local_validation.repo_or_refs_actions_authorized", owner_local_validation["repo_or_refs_actions_authorized"]) assert_false("owner_rollup.latest_local_validation.workflow_or_secret_actions_authorized", owner_local_validation["workflow_or_secret_actions_authorized"]) assert_true("owner_rollup.latest_local_validation.not_authorization", owner_local_validation["not_authorization"]) primary_summary = primary_gate["summary"] assert_equal("primary_gate.primary_ready_count", primary_summary["primary_ready_count"], 0) assert_false("primary_gate.runtime_actions_authorized", primary_summary["runtime_actions_authorized"]) assert_false("primary_gate.github_primary_switch_authorized", 
primary_summary["github_primary_switch_authorized"]) assert_false("primary_gate.action_buttons_allowed", primary_summary["action_buttons_allowed"]) assert_false("primary_gate.raw_secret_storage_authorized", primary_summary["raw_secret_storage_authorized"]) acceptance_ids = [item["check_id"] for item in acceptance["acceptance_checks"]] assert_equal("acceptance.total_contracts", acceptance["summary"]["total_contracts"], manifest_count) assert_equal( "acceptance.ready_for_mirror_count", acceptance["summary"]["ready_for_mirror_count"], readiness_summary["ready_for_mirror_count"], ) assert_contains("acceptance_checks", acceptance_ids, "PROGRESS_ESTIMATE_NOT_AUTHORIZATION") assert_equal("acceptance.summary.acceptance_check_count", acceptance["summary"]["acceptance_check_count"], len(acceptance_ids)) assert_equal( "acceptance.summary.blocking_check_count", acceptance["summary"]["blocking_check_count"], sum(1 for item in acceptance["acceptance_checks"] if item["blocking_if_failed"]), ) assert_false("acceptance.runtime_execution_authorized", acceptance["runtime_execution_authorized"]) dry_run_summary = dry_run["summary"] dry_run_step_ids = [item["step_id"] for item in dry_run["dry_run_steps"]] assert_equal("dry_run.dry_run_status", dry_run["dry_run_status"], "contract_defined_not_executed") assert_equal("dry_run.total_contracts", dry_run_summary["total_contracts"], manifest_count) assert_equal( "dry_run.ready_for_mirror_count", dry_run_summary["ready_for_mirror_count"], readiness_summary["ready_for_mirror_count"], ) assert_equal("dry_run.acceptance_check_count", dry_run_summary["acceptance_check_count"], 8) assert_false("dry_run.runtime_execution_authorized", dry_run["runtime_execution_authorized"]) assert_false("dry_run.runtime_actions_executed", dry_run_summary["runtime_actions_executed"]) assert_false("dry_run.payloads_ingested", dry_run_summary["payloads_ingested"]) assert_contains("dry_run_steps", dry_run_step_ids, "CHECK_PROGRESS_GUARD") 
    # --- continuation of validate(): dry-run local-validation record and the
    # cross-snapshot forbidden-action check (function header is earlier in the file).
    assert_contains("dry_run_steps", dry_run_step_ids, "CHECK_OWNER_RESPONSE_GUARD")
    local_validation = dry_run["latest_local_validation"]
    # The recorded local validation must describe a repo-snapshot-only pass; any
    # other status/scope/result string is treated as a guard failure.
    assert_equal("dry_run.latest_local_validation.status", local_validation["status"], "repo_snapshot_guard_pass")
    assert_equal("dry_run.latest_local_validation.scope", local_validation["scope"], "repo_snapshot_only")
    assert_equal(
        "dry_run.latest_local_validation.result",
        local_validation["result"],
        "SECURITY_MIRROR_PROGRESS_GUARD_OK; SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK",
    )
    assert_contains("dry_run.latest_local_validation.validated_steps", local_validation["validated_steps"], "CHECK_PROGRESS_GUARD")
    assert_contains(
        "dry_run.latest_local_validation.validated_steps",
        local_validation["validated_steps"],
        "CHECK_OWNER_RESPONSE_GUARD",
    )
    # Negative controls: the snapshot must explicitly say nothing was executed,
    # ingested or enabled, and that a pass is not an authorization.
    assert_false("dry_run.latest_local_validation.runtime_actions_executed", local_validation["runtime_actions_executed"])
    assert_false("dry_run.latest_local_validation.payloads_ingested", local_validation["payloads_ingested"])
    assert_false("dry_run.latest_local_validation.production_ingestion_enabled", local_validation["production_ingestion_enabled"])
    assert_true("dry_run.latest_local_validation.not_authorization", local_validation["not_authorization"])
    # Union of the forbidden-action lists from three snapshots. NOTE(review): because
    # this is a union, an action listed in only one of the three snapshots still
    # passes the check below -- confirm whether each snapshot is expected to carry
    # the full list; if so, check each list separately instead of the union.
    forbidden_actions = (
        set(rollup["forbidden_actions"])
        | set(acceptance["forbidden_actions"])
        | set(iwooos_projection["forbidden_frontend_outputs"])
    )
    for action in [
        "start_kali_scan",
        "call_kali_execute_endpoint",
        "create_github_repo",
        "change_repo_visibility",
        "sync_git_refs",
        "switch_github_primary",
        "production_deploy",
    ]:
        # list(...) only to match assert_contains' list[Any] parameter; membership
        # semantics are unchanged.
        assert_contains("forbidden_actions", list(forbidden_actions), action)


def main() -> None:
    """Run the read-only guardrail validation from the command line.

    Parses ``--root`` (defaulting to two directories above this script's
    resolved location), resolves it, and hands it to ``validate``, which only
    reads committed snapshot files beneath ``<root>/docs/security``. On
    success the single token ``SECURITY_MIRROR_PROGRESS_GUARD_OK`` is printed.

    Exit behaviour: a failed check is reported by the ``assert_*`` helpers,
    which raise ``SystemExit`` with a ``BLOCKED <label>: ...`` message
    (non-zero exit). A missing snapshot file or a missing JSON key is not
    translated into a BLOCKED message and surfaces as an ordinary exception
    traceback instead.
    """
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument(
        "--root",
        default=Path(__file__).resolve().parents[2],
        type=Path,
        help="Repository root. Defaults to the current script's repository.",
    )
    args = parser.parse_args()
    # Resolve before validating so every snapshot path is derived from an
    # absolute, symlink-free root.
    validate(args.root.resolve())
    print("SECURITY_MIRROR_PROGRESS_GUARD_OK")


if __name__ == "__main__":
    main()