wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 5 Packages Projects Releases Wiki Activity
Files
5343d4627bc0c765e6045eb0ecdb5b55869fb310
awoooi/scripts/security/source-control-owner-response-guard.py
Your Name 4abc1fb893
All checks were successful
Code Review / ai-code-review (push) Successful in 15s
Details
fix(iwooos): 固定 s4.9 缺口稽核
2026-06-14 22:31:27 +08:00

2002 lines
94 KiB
Python
Executable File
Raw Blame History

#!/usr/bin/env python3
"""Validate source-control owner response packets stay read-only.
This is a repo-snapshot-only guard. It reads committed JSON snapshots and does
not call GitHub, Gitea, AwoooP, Kali, or any runtime API.
"""
from __future__ import annotations
import argparse
import json
from pathlib import Path
from typing import Any
EXPECTED_ROLLUP_DATE = "2026-06-13"
EXPECTED_TEMPLATE_COUNT_FORMULA = "5 + 9 + 5 + 5 = 24"
STALE_TEMPLATE_COUNT_FORMULA = "5 + 7 + 5 + 5 = 22"
EXPECTED_GAP_AUDIT_GITEA_MAIN = "8795c08d"
EXPECTED_GAP_AUDIT_DEPLOY_MARKER = "605fde43"
EXPECTED_GAP_AUDIT_TENANTS_REDACTION_COMMIT = "4bbc5269"
EXPECTED_GAP_AUDIT_GAP_IDS = [
"s49_owner_response_absent",
"s49_dispatch_audit_event_absent",
"s49_reviewer_outcome_absent",
"public_surface_identity_leak_risk",
"raw_namespace_internal_evidence_misroute_risk",
"latest_basis_staleness_risk",
"parallel_session_conflict_risk",
"release_worktree_memory_index_absent",
]
EXPECTED_GAP_AUDIT_NEW_RULE_IDS = [
"public_surface_redaction_gate",
"s49_gap_audit_snapshot_required",
"raw_evidence_private_boundary",
"owner_response_counts_are_runtime_locked",
"dispatch_received_accepted_separation",
"parallel_session_basis_refresh",
"memory_index_startup_exception",
]
EXPECTED_GAP_AUDIT_ADJUSTMENT_IDS = [
"low_friction_but_p0_stop_the_bleed",
"internal_evidence_not_product_copy",
"awooop_approval_not_security_acceptance",
"nginx_config_control_first",
"owner_response_language_not_execution",
"public_verification_required_after_frontend_change",
"agent_bounty_c0_runtime_boundary",
]
EXPECTED_GAP_AUDIT_WORK_PRIORITIES = [
"P0-1",
"P0-2",
"P0-3",
"P0-4",
"P0-5",
"P1-1",
"P1-2",
"P1-3",
"P1-4",
]
LANES = [
{
"lane_id": "s4_9_gitea_inventory_owner_attestation_response",
"path": "gitea-inventory-owner-attestation-response.snapshot.json",
"expected_templates": 5,
"false_flags": [
"token_value_collection_allowed",
"raw_secret_allowed",
"repo_write_allowed",
"refs_sync_allowed",
"github_primary_switch_authorized",
"action_buttons_allowed",
],
"expected_preflight_checks": [
"preflight-known-attestation-item",
"preflight-required-owner-fields",
"preflight-allowed-decision",
"preflight-redacted-evidence-only",
"preflight-no-execution-request",
"preflight-all-five-items-before-accepted",
],
"expected_outcome_lanes": [
"ready_for_owner_review",
"request_more_evidence",
"quarantine_sensitive_payload",
"reject_execution_request",
"keep_waiting_owner_response",
],
"expected_request_packet_id": "s4_9_gitea_owner_attestation_response_request",
"expected_request_template_ids": [
"response-public-only-vs-local-gitea-gap",
"response-org-user-endpoint-identity",
"response-internal-110-adjacent-scope",
"response-repo-owner-canonical-scope",
"response-legacy-or-inaccessible-disposition",
],
"expected_collection_checks": [
"collection-request-packet-displayed",
"collection-read-only-submission-mode",
"collection-five-template-tracking",
"collection-redacted-evidence-only",
"collection-no-approval-language",
"collection-audit-metadata-only",
],
"expected_template_statuses": [
"response-public-only-vs-local-gitea-gap",
"response-org-user-endpoint-identity",
"response-internal-110-adjacent-scope",
"response-repo-owner-canonical-scope",
"response-legacy-or-inaccessible-disposition",
],
"expected_audit_event_templates": [
"audit-owner-response-request-shown",
"audit-owner-response-received-metadata",
"audit-owner-response-outcome-classified",
],
"expected_redaction_examples": [
"redaction-existing-doc-ref",
"redaction-owner-decision-metadata",
"redaction-private-url-metadata",
"redaction-api-export-summary",
"redaction-quarantine-pointer",
],
"expected_display_sections": [
"display-owner-response-summary",
"display-owner-response-request-packet",
"display-template-status-ledger",
"display-audit-event-templates",
"display-redaction-examples",
"display-collection-checks",
"display-preflight-and-outcome-lanes",
"display-acceptance-and-rejection-rules",
],
"expected_handoff_queue_ids": [
"publicGap",
"namespaceIdentity",
"adjacentScope",
"canonicalOwner",
"legacyDisposition",
],
"expected_handoff_queue_template_ids": [
"response-public-only-vs-local-gitea-gap",
"response-org-user-endpoint-identity",
"response-internal-110-adjacent-scope",
"response-repo-owner-canonical-scope",
"response-legacy-or-inaccessible-disposition",
],
"expected_handoff_queue_required_field_counts": [6, 6, 6, 8, 7],
"expected_metadata_intake_field_ids": [
"ownerRoleTeam",
"decision",
"decisionReason",
"affectedScope",
"redactedEvidenceRefs",
"followupOwner",
],
"expected_metadata_intake_source_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"evidence_refs",
"followup_owner",
],
},
{
"lane_id": "s4_10_github_target_owner_decision_response",
"path": "github-target-owner-decision-response.snapshot.json",
"expected_templates": 9,
"false_flags": [
"repo_creation_authorized",
"visibility_change_authorized",
"refs_sync_authorized",
"github_primary_switch_authorized",
"secret_value_collection_allowed",
"action_buttons_allowed",
],
"expected_request_packet_id": "s4_10_github_target_owner_decision_response_request",
"expected_request_template_ids": [
"target-awoooi-refs-blocked",
"target-clawbot-v5-refs-blocked",
"target-wooo-aiops-refs-blocked",
"target-wooo-infra-config-internal-remote",
"target-ewoooc-private-or-new",
"target-bitan-pharmacy-private-or-new",
"target-tsenyang-website-private-or-new",
"target-vibework-private-or-new",
"target-agent-bounty-protocol-private-or-new",
],
"expected_template_statuses": [
"target-awoooi-refs-blocked",
"target-clawbot-v5-refs-blocked",
"target-wooo-aiops-refs-blocked",
"target-wooo-infra-config-internal-remote",
"target-ewoooc-private-or-new",
"target-bitan-pharmacy-private-or-new",
"target-tsenyang-website-private-or-new",
"target-vibework-private-or-new",
"target-agent-bounty-protocol-private-or-new",
],
"expected_audit_event_templates": [
"audit-github-target-response-request-shown",
"audit-github-target-response-received-metadata",
"audit-github-target-response-outcome-classified",
],
"expected_redaction_examples": [
"redaction-github-target-doc-ref",
"redaction-owner-visibility-canonical-metadata",
"redaction-private-target-access-metadata",
"redaction-refs-truth-dependency-summary",
"redaction-github-target-quarantine-pointer",
],
"expected_collection_checks": [
"collection-github-target-request-packet-displayed",
"collection-github-target-read-only-submission-mode",
"collection-nine-target-template-tracking",
"collection-github-target-redacted-evidence-only",
"collection-github-target-no-approval-language",
"collection-github-target-audit-metadata-only",
],
"expected_preflight_checks": [
"preflight-known-github-target",
"preflight-required-github-target-owner-fields",
"preflight-allowed-github-target-decision",
"preflight-github-target-redacted-evidence-only",
"preflight-no-source-control-execution-request",
"preflight-all-nine-targets-before-accepted",
],
},
{
"lane_id": "s4_11_ref_truth_owner_response",
"path": "source-control-ref-truth-owner-response.snapshot.json",
"expected_templates": 5,
"expected_request_packet_id": "s4_11_ref_truth_owner_response_request",
"expected_request_template_ids": [
"response-main-branch-truth-source",
"response-active-dev-branch-truth-source",
"response-drift-deprecated-candidate-batch",
"response-release-tag-retention",
"response-github-only-ref-review",
],
"expected_template_statuses": [
"response-main-branch-truth-source",
"response-active-dev-branch-truth-source",
"response-drift-deprecated-candidate-batch",
"response-release-tag-retention",
"response-github-only-ref-review",
],
"expected_audit_event_templates": [
"audit-ref-truth-response-request-shown",
"audit-ref-truth-response-received-metadata",
"audit-ref-truth-response-outcome-classified",
],
"expected_redaction_examples": [
"redaction-ref-truth-existing-doc-ref",
"redaction-main-branch-truth-metadata",
"redaction-deprecated-batch-disposition",
"redaction-release-tag-retention-metadata",
"redaction-ref-truth-quarantine-pointer",
],
"expected_collection_checks": [
"collection-ref-truth-request-packet-displayed",
"collection-ref-truth-read-only-submission-mode",
"collection-five-ref-truth-template-tracking",
"collection-ref-truth-redacted-evidence-only",
"collection-ref-truth-no-approval-language",
"collection-ref-truth-audit-metadata-only",
],
"expected_preflight_checks": [
"preflight-known-ref-truth-lane",
"preflight-required-ref-truth-owner-fields",
"preflight-allowed-ref-truth-decision",
"preflight-ref-truth-redacted-evidence-only",
"preflight-no-refs-execution-request",
"preflight-all-five-ref-truth-lanes-before-accepted",
],
"false_flags": [
"refs_sync_authorized",
"refs_delete_authorized",
"force_push_authorized",
"github_primary_switch_authorized",
"secret_value_collection_allowed",
"action_buttons_allowed",
],
},
{
"lane_id": "s4_12_workflow_secret_name_owner_response",
"path": "source-control-workflow-secret-name-owner-response.snapshot.json",
"expected_templates": 5,
"false_flags": [
"secret_value_collection_allowed",
"write_token_allowed",
"workflow_modification_authorized",
"webhook_modification_authorized",
"runner_change_authorized",
"deploy_key_change_authorized",
"branch_protection_change_authorized",
"repo_secret_change_authorized",
"github_hosted_runner_enable_authorized",
"refs_sync_authorized",
"github_primary_switch_authorized",
"action_buttons_allowed",
],
"expected_request_packet_id": "s4_12_workflow_secret_name_owner_response_request",
"expected_request_template_ids": [
"response-webhook-redacted-export",
"response-runner-label-owner",
"response-deploy-key-redacted-export",
"response-branch-protection-codeowners",
"response-repository-secret-name-parity",
],
"expected_template_statuses": [
"response-webhook-redacted-export",
"response-runner-label-owner",
"response-deploy-key-redacted-export",
"response-branch-protection-codeowners",
"response-repository-secret-name-parity",
],
"expected_audit_event_templates": [
"audit-workflow-secret-response-request-shown",
"audit-workflow-secret-response-received-metadata",
"audit-workflow-secret-response-outcome-classified",
],
"expected_redaction_examples": [
"redaction-webhook-redacted-host-metadata",
"redaction-runner-label-owner-metadata",
"redaction-deploy-key-name-scope-metadata",
"redaction-branch-protection-codeowners-metadata",
"redaction-secret-name-parity-quarantine-pointer",
],
"expected_collection_checks": [
"collection-workflow-secret-request-packet-displayed",
"collection-workflow-secret-read-only-submission-mode",
"collection-five-workflow-secret-template-tracking",
"collection-workflow-secret-redacted-evidence-only",
"collection-workflow-secret-no-approval-language",
"collection-workflow-secret-audit-metadata-only",
],
"expected_preflight_checks": [
"preflight-known-workflow-secret-lane",
"preflight-required-workflow-secret-owner-fields",
"preflight-allowed-workflow-secret-decision",
"preflight-workflow-secret-redacted-evidence-only",
"preflight-no-workflow-secret-execution-request",
"preflight-all-five-workflow-secret-lanes-before-accepted",
],
},
]
EXPECTED_ROLLUP_EVIDENCE_ROUTING_RULES = [
"evidence-routing-known-lane",
"evidence-routing-required-fields",
"evidence-routing-sensitive-payload",
"evidence-routing-execution-request",
"evidence-routing-cross-packet-conflict",
"evidence-routing-accepted-metadata",
]
EXPECTED_ROLLUP_DISPLAY_SECTIONS = [
"display-validation-summary",
"display-missing-response-lanes",
"display-owner-response-collection-order",
"display-next-collection-candidate",
"display-cross-packet-acceptance-checks",
"display-evidence-routing-rules",
"display-quarantine-and-forbidden-actions",
"display-latest-local-validation",
]
EXPECTED_ROLLUP_STATE_TRANSITION_RULES = [
"transition-waiting-to-received-pending-validation",
"transition-missing-required-fields-to-request-more-evidence",
"transition-sensitive-payload-to-mirror-quarantine",
"transition-execution-request-to-hard-rejected",
"transition-cross-packet-conflict-to-owner-review",
"transition-validation-pass-to-read-only-update",
"transition-post-update-stays-waiting-runtime-gate",
]
EXPECTED_ROLLUP_REVIEWER_CHECKLIST = [
"checklist-confirm-lane-and-template",
"checklist-confirm-required-owner-fields",
"checklist-confirm-redacted-evidence-refs",
"checklist-confirm-source-packet-preflight",
"checklist-confirm-cross-packet-consistency",
"checklist-confirm-no-sensitive-payload",
"checklist-confirm-no-execution-intent",
"checklist-confirm-read-only-update-scope",
"checklist-confirm-followup-runtime-gate-still-required",
]
EXPECTED_ROLLUP_REVIEWER_OUTCOME_LANES = [
"outcome-keep-waiting-owner-response",
"outcome-request-more-evidence",
"outcome-mirror-quarantine-sensitive-payload",
"outcome-hard-reject-execution-request",
"outcome-cross-packet-owner-review",
"outcome-read-only-update-candidate",
"outcome-waiting-followup-runtime-gate",
]
EXPECTED_ROLLUP_REVIEWER_AUDIT_EVENT_TEMPLATES = [
"audit-reviewer-outcome-review-opened",
"audit-reviewer-outcome-classified",
"audit-reviewer-quarantine-or-reject-recorded",
"audit-reviewer-readonly-update-noted",
]
EXPECTED_ROLLUP_REVIEWER_AUDIT_DISPLAY_SECTIONS = [
"display-reviewer-audit-template-summary",
"display-reviewer-audit-metadata-fields",
"display-reviewer-audit-forbidden-payloads",
"display-reviewer-audit-emission-status",
"display-reviewer-audit-non-authorization-boundary",
]
EXPECTED_ROLLUP_REVIEWER_AUDIT_COLLECTION_CHECKS = [
"check-reviewer-audit-template-visible",
"check-reviewer-audit-metadata-only",
"check-reviewer-audit-forbidden-payloads-blocked",
"check-reviewer-audit-emitted-remains-zero",
"check-reviewer-audit-no-runtime-side-effect",
"check-reviewer-audit-owner-response-counts-unchanged",
]
EXPECTED_ROLLUP_REVIEWER_AUDIT_REDACTION_EXAMPLES = [
"redaction-reviewer-role-lane-template-metadata",
"redaction-classification-reason-summary",
"redaction-quarantine-pointer",
"redaction-readonly-update-targets",
"redaction-runtime-gate-counter-summary",
]
EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_RULES = [
"retention-reviewer-start-metadata-only",
"retention-classification-summary-only",
"retention-quarantine-pointer-only",
"retention-readonly-update-targets-only",
"retention-counter-snapshot-only",
]
EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_CHECKS = [
"check-reviewer-audit-retention-rules-visible",
"check-reviewer-audit-retained-metadata-only",
"check-reviewer-audit-raw-payloads-blocked",
"check-reviewer-audit-secret-retention-blocked",
"check-reviewer-audit-counter-snapshot-only",
"check-reviewer-audit-no-runtime-retention-side-effect",
]
EXPECTED_ROLLUP_REVIEWER_AUDIT_HANDOFF_PACKETS = [
"handoff-current-counters-and-boundary",
"handoff-required-source-packets",
"handoff-safe-display-fields",
"handoff-forbidden-runtime-interpretations",
"handoff-next-owner-response-focus",
"handoff-post-review-followup-gates",
]
EXPECTED_ROLLUP_REVIEWER_AUDIT_HANDOFF_CHECKS = [
"check-handoff-packets-visible",
"check-handoff-counters-remain-zero",
"check-handoff-source-packets-required",
"check-handoff-safe-display-only",
"check-handoff-runtime-interpretations-blocked",
"check-handoff-next-focus-not-received",
]
EXPECTED_ROLLUP_PARALLEL_SESSION_SYNC_CHECKS = [
"check-parallel-session-same-pr-branch",
"check-parallel-session-latest-delta-visible",
"check-parallel-session-owner-response-counters-zero",
"check-parallel-session-runtime-flags-false",
"check-parallel-session-source-control-mutations-blocked",
"check-parallel-session-next-focus-stays-s4-9",
]
EXPECTED_ROLLUP_PARALLEL_SESSION_CONFLICT_LANES = [
"conflict-stale-or-diverged-branch",
"conflict-stale-progress-delta",
"conflict-owner-response-counter-drift",
"conflict-runtime-flag-drift",
"conflict-source-control-mutation-request",
"conflict-next-focus-drift",
]
EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS = [
"check-recovery-fetch-and-compare-branch",
"check-recovery-read-latest-ledger",
"check-recovery-rerun-readonly-guards",
"check-recovery-review-staged-diff-only",
"check-recovery-keep-runtime-flags-false",
"check-recovery-record-next-focus-s4-9",
]
EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_OUTCOME_LANES = [
"outcome-recovery-ready-readonly",
"outcome-recovery-branch-still-diverged",
"outcome-recovery-ledger-still-stale",
"outcome-recovery-guard-failed",
"outcome-recovery-diff-out-of-scope",
"outcome-recovery-runtime-flag-drift",
"outcome-recovery-next-focus-drift",
]
def load_json(path: Path) -> dict[str, Any]:
return json.loads(path.read_text(encoding="utf-8"))
def fail(label: str, actual: Any, expected: Any) -> None:
raise SystemExit(f"BLOCKED {label}: expected {expected!r}, got {actual!r}")
def assert_equal(label: str, actual: Any, expected: Any) -> None:
if actual != expected:
fail(label, actual, expected)
def assert_false(label: str, actual: Any) -> None:
assert_equal(label, actual, False)
def assert_true(label: str, actual: Any) -> None:
assert_equal(label, actual, True)
def assert_contains(label: str, text: str, expected: str) -> None:
if expected not in text:
raise SystemExit(f"BLOCKED {label}: missing {expected!r}")
def assert_not_contains(label: str, text: str, forbidden: str) -> None:
if forbidden in text:
raise SystemExit(f"BLOCKED {label}: forbidden {forbidden!r}")
def validate_markdown_consistency(security_dir: Path) -> None:
rollup_doc = (security_dir / "SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md").read_text(
encoding="utf-8"
)
gap_audit_doc = (security_dir / "S4-9-OWNER-RESPONSE-GATE-CURRENT-GAP-AUDIT.md").read_text(
encoding="utf-8"
)
assert_contains("rollup_doc.date", rollup_doc, EXPECTED_ROLLUP_DATE)
assert_contains("rollup_doc.total_template_formula", rollup_doc, EXPECTED_TEMPLATE_COUNT_FORMULA)
assert_contains("rollup_doc.total_template_display", rollup_doc, "24 templates")
assert_not_contains("rollup_doc.stale_date", rollup_doc, "2026-06-04")
assert_not_contains("rollup_doc.stale_formula", rollup_doc, STALE_TEMPLATE_COUNT_FORMULA)
assert_not_contains("rollup_doc.stale_display", rollup_doc, "22 templates")
assert_contains("gap_audit_doc.latest_baseline_present", gap_audit_doc, "gitea/main=")
assert_contains("gap_audit_doc.latest_baseline_8795", gap_audit_doc, EXPECTED_GAP_AUDIT_GITEA_MAIN)
assert_contains("gap_audit_doc.latest_deploy_marker", gap_audit_doc, EXPECTED_GAP_AUDIT_DEPLOY_MARKER)
assert_contains("gap_audit_doc.machine_readable_snapshot", gap_audit_doc, "s4-9-owner-response-gap-audit.snapshot.json")
assert_contains("gap_audit_doc.public_surface_redaction", gap_audit_doc, "Public surface redaction")
assert_not_contains("gap_audit_doc.stale_baseline_b615", gap_audit_doc, "b615bde5")
assert_not_contains("gap_audit_doc.stale_baseline_f1bad", gap_audit_doc, "f1bad81d")
assert_not_contains("gap_audit_doc.stale_baseline_b17a", gap_audit_doc, "b17a28c2")
assert_not_contains("gap_audit_doc.stale_baseline_2afb", gap_audit_doc, "2afb7c0a")
assert_contains("gap_audit_doc.rollup_consistency", gap_audit_doc, "S4.13 rollup 文件一致性")
def validate(root: Path) -> None:
security_dir = root / "docs" / "security"
validate_markdown_consistency(security_dir)
gap_audit = load_json(security_dir / "s4-9-owner-response-gap-audit.snapshot.json")
rollup = load_json(security_dir / "source-control-owner-response-validation-rollup.snapshot.json")
rollup_summary = rollup["summary"]
gap_summary = gap_audit["summary"]
assert_equal("gap_audit.schema_version", gap_audit["schema_version"], "s4_9_owner_response_gap_audit_v1")
assert_equal("gap_audit.status", gap_audit["status"], "gap_audit_ready_owner_gate_zero")
assert_equal("gap_audit.mode", gap_audit["mode"], "read_only_gap_audit_no_runtime_action")
assert_equal("gap_audit.basis.gitea_main_commit", gap_audit["basis"]["gitea_main_commit"], EXPECTED_GAP_AUDIT_GITEA_MAIN)
assert_equal(
"gap_audit.basis.latest_runtime_deploy_marker",
gap_audit["basis"]["latest_runtime_deploy_marker"],
EXPECTED_GAP_AUDIT_DEPLOY_MARKER,
)
assert_equal(
"gap_audit.basis.latest_tenants_redaction_commit",
gap_audit["basis"]["latest_tenants_redaction_commit"],
EXPECTED_GAP_AUDIT_TENANTS_REDACTION_COMMIT,
)
assert_equal("gap_audit.basis.source_control_rollup_templates", gap_audit["basis"]["source_control_rollup_templates"], 24)
assert_true(
"gap_audit.basis.production_verification_required_for_frontend_changes",
gap_audit["basis"]["production_verification_required_for_frontend_changes"],
)
assert_equal("gap_audit.current_requirement_gap_count", gap_summary["current_requirement_gap_count"], 8)
assert_equal("gap_audit.active_blocker_count", gap_summary["active_blocker_count"], 3)
assert_equal("gap_audit.new_rule_count", gap_summary["new_rule_count"], len(EXPECTED_GAP_AUDIT_NEW_RULE_IDS))
assert_equal(
"gap_audit.rule_adjustment_count",
gap_summary["rule_adjustment_count"],
len(EXPECTED_GAP_AUDIT_ADJUSTMENT_IDS),
)
assert_equal(
"gap_audit.priority_work_item_count",
gap_summary["priority_work_item_count"],
len(EXPECTED_GAP_AUDIT_WORK_PRIORITIES),
)
assert_equal("gap_audit.s4_9_owner_response_gate_percent", gap_summary["s4_9_owner_response_gate_percent"], 0)
assert_equal("gap_audit.request_sent_count", gap_summary["request_sent_count"], 0)
assert_equal("gap_audit.owner_response_received_count", gap_summary["owner_response_received_count"], 0)
assert_equal("gap_audit.owner_response_accepted_count", gap_summary["owner_response_accepted_count"], 0)
assert_equal("gap_audit.owner_response_rejected_count", gap_summary["owner_response_rejected_count"], 0)
assert_equal("gap_audit.runtime_gate_count", gap_summary["runtime_gate_count"], 0)
assert_true("gap_audit.public_surface_redaction_guard_ready", gap_summary["public_surface_redaction_guard_ready"])
assert_false("gap_audit.public_surface_raw_namespace_allowed", gap_summary["public_surface_raw_namespace_allowed"])
assert_false(
"gap_audit.work_session_transcript_public_allowed",
gap_summary["work_session_transcript_public_allowed"],
)
assert_equal(
"gap_audit.gap_ids",
[item["gap_id"] for item in gap_audit["current_requirement_gaps"]],
EXPECTED_GAP_AUDIT_GAP_IDS,
)
assert_equal(
"gap_audit.new_rule_ids",
[item["rule_id"] for item in gap_audit["new_rules_required"]],
EXPECTED_GAP_AUDIT_NEW_RULE_IDS,
)
assert_equal(
"gap_audit.adjustment_ids",
[item["adjustment_id"] for item in gap_audit["rule_adjustments_required"]],
EXPECTED_GAP_AUDIT_ADJUSTMENT_IDS,
)
assert_equal(
"gap_audit.priority_work_queue",
[item["priority"] for item in gap_audit["priority_work_queue"]],
EXPECTED_GAP_AUDIT_WORK_PRIORITIES,
)
for key, value in gap_audit["false_boundaries"].items():
assert_false(f"gap_audit.false_boundaries.{key}", value)
redaction = gap_audit["public_surface_redaction_requirements"]
for marker in ["source_scope_id", "source_namespace_redacted", "public_api_raw_repo_namespace_allowed"]:
if marker not in redaction["required_fields_or_markers"]:
raise SystemExit(f"BLOCKED gap_audit.public_surface_redaction_requirements: missing {marker!r}")
for forbidden in ["raw repository owner namespace", "工作視窗對話內容", "approval chat phrase"]:
if forbidden not in redaction["forbidden_display"]:
raise SystemExit(f"BLOCKED gap_audit.public_surface_redaction_forbidden_display: missing {forbidden!r}")
assert_equal("rollup.status", rollup["status"], "draft_waiting_owner_responses")
assert_equal("rollup.date", rollup["date"], EXPECTED_ROLLUP_DATE)
assert_false("rollup.runtime_execution_authorized", rollup["runtime_execution_authorized"])
assert_equal("rollup.response_packet_count", rollup_summary["response_packet_count"], len(LANES))
assert_equal("rollup.validation_lane_count", rollup_summary["validation_lane_count"], len(LANES))
assert_equal("rollup.total_response_template_count", rollup_summary["total_response_template_count"], 24)
assert_equal("rollup.total_received_response_count", rollup_summary["total_received_response_count"], 0)
assert_equal("rollup.total_accepted_response_count", rollup_summary["total_accepted_response_count"], 0)
assert_equal("rollup.total_rejected_response_count", rollup_summary["total_rejected_response_count"], 0)
assert_equal("rollup.total_acceptance_check_count", rollup_summary["total_acceptance_check_count"], 32)
assert_equal("rollup.total_rejection_rule_count", rollup_summary["total_rejection_rule_count"], 40)
assert_equal(
"rollup.owner_response_evidence_routing_rule_count",
rollup_summary["owner_response_evidence_routing_rule_count"],
len(EXPECTED_ROLLUP_EVIDENCE_ROUTING_RULES),
)
assert_equal(
"rollup.owner_response_validation_display_section_count",
rollup_summary["owner_response_validation_display_section_count"],
len(EXPECTED_ROLLUP_DISPLAY_SECTIONS),
)
assert_equal(
"rollup.owner_response_validation_state_transition_rule_count",
rollup_summary["owner_response_validation_state_transition_rule_count"],
len(EXPECTED_ROLLUP_STATE_TRANSITION_RULES),
)
assert_equal(
"rollup.owner_response_validation_reviewer_checklist_count",
rollup_summary["owner_response_validation_reviewer_checklist_count"],
len(EXPECTED_ROLLUP_REVIEWER_CHECKLIST),
)
assert_equal(
"rollup.owner_response_validation_reviewer_outcome_lane_count",
rollup_summary["owner_response_validation_reviewer_outcome_lane_count"],
len(EXPECTED_ROLLUP_REVIEWER_OUTCOME_LANES),
)
assert_equal(
"rollup.owner_response_validation_reviewer_audit_event_template_count",
rollup_summary["owner_response_validation_reviewer_audit_event_template_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_EVENT_TEMPLATES),
)
assert_equal(
"rollup.owner_response_validation_reviewer_audit_display_section_count",
rollup_summary["owner_response_validation_reviewer_audit_display_section_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_DISPLAY_SECTIONS),
)
assert_equal(
"rollup.owner_response_validation_reviewer_audit_collection_check_count",
rollup_summary["owner_response_validation_reviewer_audit_collection_check_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_COLLECTION_CHECKS),
)
assert_equal(
"rollup.owner_response_validation_reviewer_audit_redaction_example_count",
rollup_summary["owner_response_validation_reviewer_audit_redaction_example_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_REDACTION_EXAMPLES),
)
assert_equal(
"rollup.owner_response_validation_reviewer_audit_retention_rule_count",
rollup_summary["owner_response_validation_reviewer_audit_retention_rule_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_RULES),
)
assert_equal(
"rollup.owner_response_validation_reviewer_audit_retention_check_count",
rollup_summary["owner_response_validation_reviewer_audit_retention_check_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_CHECKS),
)
assert_equal(
"rollup.owner_response_validation_reviewer_audit_handoff_packet_count",
rollup_summary["owner_response_validation_reviewer_audit_handoff_packet_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_HANDOFF_PACKETS),
)
assert_equal(
"rollup.owner_response_validation_reviewer_audit_handoff_check_count",
rollup_summary["owner_response_validation_reviewer_audit_handoff_check_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_HANDOFF_CHECKS),
)
assert_equal(
"rollup.owner_response_validation_parallel_session_sync_check_count",
rollup_summary["owner_response_validation_parallel_session_sync_check_count"],
len(EXPECTED_ROLLUP_PARALLEL_SESSION_SYNC_CHECKS),
)
assert_equal(
"rollup.owner_response_validation_parallel_session_conflict_lane_count",
rollup_summary["owner_response_validation_parallel_session_conflict_lane_count"],
len(EXPECTED_ROLLUP_PARALLEL_SESSION_CONFLICT_LANES),
)
assert_equal(
"rollup.owner_response_validation_parallel_session_recovery_check_count",
rollup_summary["owner_response_validation_parallel_session_recovery_check_count"],
len(EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS),
)
assert_equal(
"rollup.owner_response_validation_parallel_session_recovery_outcome_lane_count",
rollup_summary["owner_response_validation_parallel_session_recovery_outcome_lane_count"],
len(EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_OUTCOME_LANES),
)
assert_true("rollup.quarantine_required", rollup_summary["quarantine_required"])
assert_equal("rollup.primary_ready_count", rollup_summary["primary_ready_count"], 0)
for flag in [
"runtime_execution_authorized",
"token_value_collection_allowed",
"secret_value_collection_allowed",
"write_token_allowed",
"repo_creation_authorized",
"visibility_change_authorized",
"gitea_repo_write_authorized",
"refs_sync_authorized",
"refs_delete_authorized",
"force_push_authorized",
"workflow_modification_authorized",
"runner_enablement_authorized",
"github_hosted_runner_enable_authorized",
"github_primary_switch_authorized",
"action_buttons_allowed",
]:
assert_false(f"rollup.{flag}", rollup_summary[flag])
lane_by_id = {lane["lane_id"]: lane for lane in rollup["validation_lanes"]}
missing_lane_by_id = {lane["lane_id"]: lane for lane in rollup["missing_response_lanes"]}
collection_order_by_id = {item["lane_id"]: item for item in rollup["owner_response_collection_order"]}
next_collection_candidate = rollup["next_collection_candidate"]
total_templates = 0
total_acceptance_checks = 0
total_rejection_rules = 0
for index, lane in enumerate(LANES, start=1):
snapshot = load_json(security_dir / lane["path"])
summary = snapshot["summary"]
rollup_lane = lane_by_id[lane["lane_id"]]
missing_lane = missing_lane_by_id[lane["lane_id"]]
collection_item = collection_order_by_id[lane["lane_id"]]
assert_equal(f"{lane['lane_id']}.status", summary["owner_response_status"], "waiting_owner_response")
assert_equal(f"{lane['lane_id']}.response_template_count", summary["response_template_count"], lane["expected_templates"])
assert_equal(f"{lane['lane_id']}.received_response_count", summary["received_response_count"], 0)
assert_equal(f"{lane['lane_id']}.accepted_response_count", summary["accepted_response_count"], 0)
assert_equal(f"{lane['lane_id']}.rejected_response_count", summary["rejected_response_count"], 0)
assert_equal(f"{lane['lane_id']}.acceptance_check_count", summary["acceptance_check_count"], 8)
assert_equal(f"{lane['lane_id']}.rejection_rule_count", summary["rejection_rule_count"], 10)
expected_template_statuses = lane.get("expected_template_statuses")
if expected_template_statuses is not None:
template_statuses = snapshot["owner_response_template_statuses"]
assert_equal(
f"{lane['lane_id']}.owner_response_template_status_count",
summary["owner_response_template_status_count"],
len(expected_template_statuses),
)
assert_equal(
f"{lane['lane_id']}.owner_response_template_status_ids",
[item["template_id"] for item in template_statuses],
expected_template_statuses,
)
assert_equal(
f"{lane['lane_id']}.owner_response_template_status_display_order",
[item["display_order"] for item in template_statuses],
list(range(1, len(expected_template_statuses) + 1)),
)
for item in template_statuses:
assert_equal(
f"{lane['lane_id']}.{item['template_id']}.collection_status",
item["collection_status"],
"waiting_owner_response",
)
assert_equal(
f"{lane['lane_id']}.{item['template_id']}.request_status",
item["request_status"],
"request_ready_not_sent",
)
assert_equal(f"{lane['lane_id']}.{item['template_id']}.received_response_count", item["received_response_count"], 0)
assert_equal(f"{lane['lane_id']}.{item['template_id']}.accepted_response_count", item["accepted_response_count"], 0)
assert_equal(f"{lane['lane_id']}.{item['template_id']}.rejected_response_count", item["rejected_response_count"], 0)
assert_equal(
f"{lane['lane_id']}.{item['template_id']}.latest_outcome_lane",
item["latest_outcome_lane"],
"keep_waiting_owner_response",
)
assert_equal(
f"{lane['lane_id']}.{item['template_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_template_status_only",
)
assert_false(
f"{lane['lane_id']}.{item['template_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(f"{lane['lane_id']}.{item['template_id']}.not_approval", item["not_approval"])
expected_audit_event_templates = lane.get("expected_audit_event_templates")
if expected_audit_event_templates is not None:
audit_event_templates = snapshot["owner_response_audit_event_templates"]
assert_equal(
f"{lane['lane_id']}.owner_response_audit_event_template_count",
summary["owner_response_audit_event_template_count"],
len(expected_audit_event_templates),
)
assert_equal(
f"{lane['lane_id']}.owner_response_audit_event_template_ids",
[item["event_template_id"] for item in audit_event_templates],
expected_audit_event_templates,
)
assert_equal(
f"{lane['lane_id']}.owner_response_audit_event_display_order",
[item["display_order"] for item in audit_event_templates],
list(range(1, len(expected_audit_event_templates) + 1)),
)
for item in audit_event_templates:
assert_equal(
f"{lane['lane_id']}.{item['event_template_id']}.event_status",
item["event_status"],
"template_only_not_emitted",
)
assert_equal(f"{lane['lane_id']}.{item['event_template_id']}.emitted_event_count", item["emitted_event_count"], 0)
assert_false(
f"{lane['lane_id']}.{item['event_template_id']}.stored_raw_payload_allowed",
item["stored_raw_payload_allowed"],
)
assert_equal(
f"{lane['lane_id']}.{item['event_template_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_audit_template_only",
)
assert_false(
f"{lane['lane_id']}.{item['event_template_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(f"{lane['lane_id']}.{item['event_template_id']}.not_approval", item["not_approval"])
expected_redaction_examples = lane.get("expected_redaction_examples")
if expected_redaction_examples is not None:
redaction_examples = snapshot["owner_response_redaction_examples"]
assert_equal(
f"{lane['lane_id']}.owner_response_redaction_example_count",
summary["owner_response_redaction_example_count"],
len(expected_redaction_examples),
)
assert_equal(
f"{lane['lane_id']}.owner_response_redaction_example_ids",
[item["example_id"] for item in redaction_examples],
expected_redaction_examples,
)
assert_equal(
f"{lane['lane_id']}.owner_response_redaction_example_display_order",
[item["display_order"] for item in redaction_examples],
list(range(1, len(expected_redaction_examples) + 1)),
)
for item in redaction_examples:
assert_equal(
f"{lane['lane_id']}.{item['example_id']}.example_status",
item["example_status"],
"template_example_only",
)
assert_false(
f"{lane['lane_id']}.{item['example_id']}.stored_raw_payload_allowed",
item["stored_raw_payload_allowed"],
)
assert_equal(
f"{lane['lane_id']}.{item['example_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_redaction_example_only",
)
assert_false(
f"{lane['lane_id']}.{item['example_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(f"{lane['lane_id']}.{item['example_id']}.not_approval", item["not_approval"])
expected_display_sections = lane.get("expected_display_sections")
if expected_display_sections is not None:
display_sections = snapshot["owner_response_display_sections"]
assert_equal(
f"{lane['lane_id']}.owner_response_display_section_count",
summary["owner_response_display_section_count"],
len(expected_display_sections),
)
assert_equal(
f"{lane['lane_id']}.owner_response_display_section_ids",
[item["section_id"] for item in display_sections],
expected_display_sections,
)
assert_equal(
f"{lane['lane_id']}.owner_response_display_section_order",
[item["display_order"] for item in display_sections],
list(range(1, len(expected_display_sections) + 1)),
)
for item in display_sections:
assert_equal(
f"{lane['lane_id']}.{item['section_id']}.section_status",
item["section_status"],
"display_contract_only",
)
assert_false(
f"{lane['lane_id']}.{item['section_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(f"{lane['lane_id']}.{item['section_id']}.not_approval", item["not_approval"])
expected_handoff_queue_ids = lane.get("expected_handoff_queue_ids")
if expected_handoff_queue_ids is not None:
handoff_queue = snapshot["owner_response_intake_handoff_queue"]
expected_handoff_queue_template_ids = lane["expected_handoff_queue_template_ids"]
expected_handoff_queue_required_field_counts = lane["expected_handoff_queue_required_field_counts"]
assert_equal(
f"{lane['lane_id']}.owner_response_intake_handoff_queue_count",
summary["owner_response_intake_handoff_queue_count"],
len(expected_handoff_queue_ids),
)
for count_key in [
"owner_response_intake_handoff_queue_ready_count",
"owner_response_intake_handoff_queue_received_count",
"owner_response_intake_handoff_queue_accepted_count",
"owner_response_intake_handoff_queue_runtime_gate_count",
]:
assert_equal(f"{lane['lane_id']}.{count_key}", summary[count_key], 0)
assert_false(
f"{lane['lane_id']}.owner_response_intake_handoff_queue_raw_payload_allowed",
summary["owner_response_intake_handoff_queue_raw_payload_allowed"],
)
assert_false(
f"{lane['lane_id']}.owner_response_intake_handoff_queue_action_buttons_allowed",
summary["owner_response_intake_handoff_queue_action_buttons_allowed"],
)
assert_equal(
f"{lane['lane_id']}.owner_response_intake_handoff_queue_ids",
[item["handoff_lane_id"] for item in handoff_queue],
expected_handoff_queue_ids,
)
assert_equal(
f"{lane['lane_id']}.owner_response_intake_handoff_queue_display_order",
[item["display_order"] for item in handoff_queue],
list(range(1, len(expected_handoff_queue_ids) + 1)),
)
assert_equal(
f"{lane['lane_id']}.owner_response_intake_handoff_queue_source_template_ids",
[item["source_template_id"] for item in handoff_queue],
expected_handoff_queue_template_ids,
)
assert_equal(
f"{lane['lane_id']}.owner_response_intake_handoff_queue_template_labels",
[item["template_label"] for item in handoff_queue],
[f"D{index}" for index in range(1, len(expected_handoff_queue_ids) + 1)],
)
assert_equal(
f"{lane['lane_id']}.owner_response_intake_handoff_queue_required_field_counts",
[item["required_owner_field_count"] for item in handoff_queue],
expected_handoff_queue_required_field_counts,
)
for item in handoff_queue:
assert_equal(
f"{lane['lane_id']}.{item['handoff_lane_id']}.handoff_status",
item["handoff_status"],
"waiting_owner_response_metadata",
)
for count_key in [
"received_response_count",
"accepted_response_count",
"runtime_gate_count",
]:
assert_equal(
f"{lane['lane_id']}.{item['handoff_lane_id']}.{count_key}",
item[count_key],
0,
)
for false_key in [
"raw_payload_allowed",
"secret_plaintext_allowed",
"action_buttons_allowed",
"execution_authorized",
]:
assert_false(
f"{lane['lane_id']}.{item['handoff_lane_id']}.{false_key}",
item[false_key],
)
assert_true(
f"{lane['lane_id']}.{item['handoff_lane_id']}.not_approval",
item["not_approval"],
)
for forbidden_action in [
"mark_received_from_handoff_queue",
"mark_accepted_from_handoff_queue",
"store_owner_response_raw_body",
]:
assert_true(
f"{lane['lane_id']}.{item['handoff_lane_id']}.still_forbidden.{forbidden_action}",
forbidden_action in item["still_forbidden"],
)
expected_metadata_intake_field_ids = lane.get("expected_metadata_intake_field_ids")
if expected_metadata_intake_field_ids is not None:
metadata_envelope = snapshot["owner_response_metadata_intake_envelope"]
expected_metadata_intake_source_fields = lane["expected_metadata_intake_source_fields"]
assert_equal(
f"{lane['lane_id']}.owner_response_metadata_intake_field_count",
summary["owner_response_metadata_intake_field_count"],
len(expected_metadata_intake_field_ids),
)
assert_equal(
f"{lane['lane_id']}.owner_response_metadata_intake_required_count",
summary["owner_response_metadata_intake_required_count"],
len(expected_metadata_intake_field_ids),
)
for count_key in [
"owner_response_metadata_intake_filled_count",
"owner_response_metadata_intake_received_count",
"owner_response_metadata_intake_accepted_count",
"owner_response_metadata_intake_runtime_gate_count",
]:
assert_equal(f"{lane['lane_id']}.{count_key}", summary[count_key], 0)
assert_true(
f"{lane['lane_id']}.owner_response_metadata_intake_redacted_ref_required",
summary["owner_response_metadata_intake_redacted_ref_required"],
)
for false_key in [
"owner_response_metadata_intake_raw_payload_allowed",
"owner_response_metadata_intake_secret_plaintext_allowed",
"owner_response_metadata_intake_action_buttons_allowed",
]:
assert_false(f"{lane['lane_id']}.{false_key}", summary[false_key])
assert_equal(
f"{lane['lane_id']}.owner_response_metadata_intake_field_ids",
[item["field_id"] for item in metadata_envelope],
expected_metadata_intake_field_ids,
)
assert_equal(
f"{lane['lane_id']}.owner_response_metadata_intake_display_order",
[item["display_order"] for item in metadata_envelope],
list(range(1, len(expected_metadata_intake_field_ids) + 1)),
)
assert_equal(
f"{lane['lane_id']}.owner_response_metadata_intake_source_fields",
[item["source_required_field"] for item in metadata_envelope],
expected_metadata_intake_source_fields,
)
for item in metadata_envelope:
assert_equal(
f"{lane['lane_id']}.{item['field_id']}.field_status",
item["field_status"],
"waiting_owner_response_metadata",
)
assert_true(f"{lane['lane_id']}.{item['field_id']}.required", item["required"])
for count_key in [
"filled_count",
"received_response_count",
"accepted_response_count",
"runtime_gate_count",
]:
assert_equal(
f"{lane['lane_id']}.{item['field_id']}.{count_key}",
item[count_key],
0,
)
assert_true(
f"{lane['lane_id']}.{item['field_id']}.redacted_reference_required",
item["redacted_reference_required"],
)
for false_key in [
"raw_payload_allowed",
"secret_plaintext_allowed",
"action_buttons_allowed",
"execution_authorized",
]:
assert_false(
f"{lane['lane_id']}.{item['field_id']}.{false_key}",
item[false_key],
)
assert_true(f"{lane['lane_id']}.{item['field_id']}.not_approval", item["not_approval"])
for forbidden_action in [
"mark_received_from_metadata_envelope",
"mark_accepted_from_metadata_envelope",
]:
assert_true(
f"{lane['lane_id']}.{item['field_id']}.still_forbidden.{forbidden_action}",
forbidden_action in item["still_forbidden"],
)
expected_request_packet_id = lane.get("expected_request_packet_id")
if expected_request_packet_id is not None:
request_packet = snapshot["owner_response_request_packet"]
expected_request_template_ids = lane["expected_request_template_ids"]
assert_equal(
f"{lane['lane_id']}.owner_response_request_packet_count",
summary["owner_response_request_packet_count"],
1,
)
assert_equal(
f"{lane['lane_id']}.owner_response_request_packet_id",
request_packet["request_id"],
expected_request_packet_id,
)
assert_equal(
f"{lane['lane_id']}.owner_response_request_display_status",
request_packet["display_status"],
"ready_to_request_owner_response",
)
assert_equal(
f"{lane['lane_id']}.owner_response_request_template_ids",
request_packet["requested_template_ids"],
expected_request_template_ids,
)
assert_equal(
f"{lane['lane_id']}.owner_response_request_awooop_display_mode",
request_packet["awooop_display_mode"],
"display_owner_response_request_only",
)
assert_false(
f"{lane['lane_id']}.owner_response_request_execution_authorized",
request_packet["execution_authorized"],
)
assert_true(f"{lane['lane_id']}.owner_response_request_not_approval", request_packet["not_approval"])
expected_collection_checks = lane.get("expected_collection_checks")
if expected_collection_checks is not None:
collection_checks = snapshot["owner_response_collection_checks"]
assert_equal(
f"{lane['lane_id']}.owner_response_collection_check_count",
summary["owner_response_collection_check_count"],
len(expected_collection_checks),
)
assert_equal(
f"{lane['lane_id']}.owner_response_collection_check_ids",
[item["check_id"] for item in collection_checks],
expected_collection_checks,
)
assert_equal(
f"{lane['lane_id']}.owner_response_collection_display_order",
[item["display_order"] for item in collection_checks],
list(range(1, len(expected_collection_checks) + 1)),
)
for item in collection_checks:
assert_true(f"{lane['lane_id']}.{item['check_id']}.required", item["required"])
assert_false(
f"{lane['lane_id']}.{item['check_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(f"{lane['lane_id']}.{item['check_id']}.not_approval", item["not_approval"])
expected_preflight_checks = lane.get("expected_preflight_checks")
if expected_preflight_checks is not None:
intake_preflight_checks = snapshot["intake_preflight_checks"]
assert_equal(
f"{lane['lane_id']}.intake_preflight_check_count",
summary["intake_preflight_check_count"],
len(expected_preflight_checks),
)
assert_equal(
f"{lane['lane_id']}.intake_preflight_check_ids",
[item["check_id"] for item in intake_preflight_checks],
expected_preflight_checks,
)
assert_equal(
f"{lane['lane_id']}.intake_preflight_display_order",
[item["display_order"] for item in intake_preflight_checks],
list(range(1, len(expected_preflight_checks) + 1)),
)
for item in intake_preflight_checks:
assert_true(f"{lane['lane_id']}.{item['check_id']}.required", item["required"])
assert_false(
f"{lane['lane_id']}.{item['check_id']}.execution_authorized",
item["execution_authorized"],
)
expected_outcome_lanes = lane.get("expected_outcome_lanes")
if expected_outcome_lanes is not None:
intake_outcome_lanes = snapshot["intake_outcome_lanes"]
assert_equal(
f"{lane['lane_id']}.intake_outcome_lane_count",
summary["intake_outcome_lane_count"],
len(expected_outcome_lanes),
)
assert_equal(
f"{lane['lane_id']}.intake_outcome_lane_ids",
[item["lane_id"] for item in intake_outcome_lanes],
expected_outcome_lanes,
)
assert_equal(
f"{lane['lane_id']}.intake_outcome_display_order",
[item["display_order"] for item in intake_outcome_lanes],
list(range(1, len(expected_outcome_lanes) + 1)),
)
for item in intake_outcome_lanes:
assert_false(
f"{lane['lane_id']}.{item['lane_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(f"{lane['lane_id']}.{item['lane_id']}.not_approval", item["not_approval"])
assert_false(f"{lane['lane_id']}.runtime_execution_authorized", snapshot["runtime_execution_authorized"])
assert_false(f"{lane['lane_id']}.rollup_execution_authorized", rollup_lane["execution_authorized"])
assert_equal(
f"{lane['lane_id']}.rollup_response_template_count",
rollup_lane["response_template_count"],
lane["expected_templates"],
)
assert_equal(f"{lane['lane_id']}.rollup_received_response_count", rollup_lane["received_response_count"], 0)
assert_equal(f"{lane['lane_id']}.rollup_accepted_response_count", rollup_lane["accepted_response_count"], 0)
assert_equal(f"{lane['lane_id']}.rollup_rejected_response_count", rollup_lane["rejected_response_count"], 0)
assert_equal(f"{lane['lane_id']}.missing_current_status", missing_lane["current_status"], "waiting_owner_response")
assert_equal(
f"{lane['lane_id']}.missing_response_template_count",
missing_lane["response_template_count"],
lane["expected_templates"],
)
assert_equal(f"{lane['lane_id']}.missing_received_response_count", missing_lane["received_response_count"], 0)
assert_equal(f"{lane['lane_id']}.missing_accepted_response_count", missing_lane["accepted_response_count"], 0)
assert_equal(f"{lane['lane_id']}.missing_awooop_display_mode", missing_lane["awooop_display_mode"], "observe_missing_response")
assert_equal(f"{lane['lane_id']}.collection_order", collection_item["order"], index)
assert_equal(
f"{lane['lane_id']}.collection_awooop_action",
collection_item["awooop_action"],
"display_next_collection_item",
)
assert_true(f"{lane['lane_id']}.collection_blocked_until_received", collection_item["blocked_until_received"])
assert_false(f"{lane['lane_id']}.collection_execution_authorized", collection_item["execution_authorized"])
for flag in lane["false_flags"]:
assert_false(f"{lane['lane_id']}.{flag}", summary[flag])
total_templates += summary["response_template_count"]
total_acceptance_checks += summary["acceptance_check_count"]
total_rejection_rules += summary["rejection_rule_count"]
assert_equal("source_packets.total_templates", total_templates, rollup_summary["total_response_template_count"])
assert_equal("source_packets.total_acceptance_checks", total_acceptance_checks, rollup_summary["total_acceptance_check_count"])
assert_equal("source_packets.total_rejection_rules", total_rejection_rules, rollup_summary["total_rejection_rule_count"])
assert_equal("missing_response_lanes.count", len(missing_lane_by_id), len(LANES))
assert_equal("owner_response_collection_order.count", len(collection_order_by_id), len(LANES))
cross_packet_checks = {item["check_id"]: item for item in rollup["cross_packet_acceptance_checks"]}
assert_equal(
"cross_packet_acceptance_checks.template_counts_match.pass_condition",
cross_packet_checks["template_counts_match"]["pass_condition"],
EXPECTED_TEMPLATE_COUNT_FORMULA,
)
assert_not_contains(
"rollup.snapshot.stale_template_count_formula",
json.dumps(rollup, ensure_ascii=False),
STALE_TEMPLATE_COUNT_FORMULA,
)
evidence_routing_rules = rollup["owner_response_evidence_routing_rules"]
assert_equal(
"owner_response_evidence_routing_rules.ids",
[item["rule_id"] for item in evidence_routing_rules],
EXPECTED_ROLLUP_EVIDENCE_ROUTING_RULES,
)
assert_equal(
"owner_response_evidence_routing_rules.display_order",
[item["display_order"] for item in evidence_routing_rules],
list(range(1, len(EXPECTED_ROLLUP_EVIDENCE_ROUTING_RULES) + 1)),
)
for item in evidence_routing_rules:
assert_equal(
f"owner_response_evidence_routing_rules.{item['rule_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_evidence_route_only",
)
assert_false(
f"owner_response_evidence_routing_rules.{item['rule_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(f"owner_response_evidence_routing_rules.{item['rule_id']}.not_approval", item["not_approval"])
display_sections = rollup["owner_response_validation_display_sections"]
assert_equal(
"owner_response_validation_display_sections.ids",
[item["section_id"] for item in display_sections],
EXPECTED_ROLLUP_DISPLAY_SECTIONS,
)
assert_equal(
"owner_response_validation_display_sections.display_order",
[item["display_order"] for item in display_sections],
list(range(1, len(EXPECTED_ROLLUP_DISPLAY_SECTIONS) + 1)),
)
for item in display_sections:
assert_equal(
f"owner_response_validation_display_sections.{item['section_id']}.section_status",
item["section_status"],
"display_contract_only",
)
assert_equal(
f"owner_response_validation_display_sections.{item['section_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_validation_section_only",
)
assert_false(
f"owner_response_validation_display_sections.{item['section_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(f"owner_response_validation_display_sections.{item['section_id']}.not_approval", item["not_approval"])
state_transition_rules = rollup["owner_response_validation_state_transition_rules"]
assert_equal(
"owner_response_validation_state_transition_rules.ids",
[item["rule_id"] for item in state_transition_rules],
EXPECTED_ROLLUP_STATE_TRANSITION_RULES,
)
assert_equal(
"owner_response_validation_state_transition_rules.display_order",
[item["display_order"] for item in state_transition_rules],
list(range(1, len(EXPECTED_ROLLUP_STATE_TRANSITION_RULES) + 1)),
)
for item in state_transition_rules:
assert_equal(
f"owner_response_validation_state_transition_rules.{item['rule_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_state_transition_rule_only",
)
assert_false(
f"owner_response_validation_state_transition_rules.{item['rule_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(f"owner_response_validation_state_transition_rules.{item['rule_id']}.not_approval", item["not_approval"])
for blocked_update in item["blocked_updates"]:
if blocked_update in {"create_runtime_gate", "enqueue_execution", "add_action_button"}:
assert_false(
f"owner_response_validation_state_transition_rules.{item['rule_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
reviewer_checklist = rollup["owner_response_validation_reviewer_checklist"]
assert_equal(
"owner_response_validation_reviewer_checklist.ids",
[item["checklist_id"] for item in reviewer_checklist],
EXPECTED_ROLLUP_REVIEWER_CHECKLIST,
)
assert_equal(
"owner_response_validation_reviewer_checklist.display_order",
[item["display_order"] for item in reviewer_checklist],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_CHECKLIST) + 1)),
)
for item in reviewer_checklist:
assert_equal(
f"owner_response_validation_reviewer_checklist.{item['checklist_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_checklist_only",
)
assert_false(
f"owner_response_validation_reviewer_checklist.{item['checklist_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(f"owner_response_validation_reviewer_checklist.{item['checklist_id']}.not_approval", item["not_approval"])
reviewer_outcome_lanes = rollup["owner_response_validation_reviewer_outcome_lanes"]
assert_equal(
"owner_response_validation_reviewer_outcome_lanes.ids",
[item["outcome_lane_id"] for item in reviewer_outcome_lanes],
EXPECTED_ROLLUP_REVIEWER_OUTCOME_LANES,
)
assert_equal(
"owner_response_validation_reviewer_outcome_lanes.display_order",
[item["display_order"] for item in reviewer_outcome_lanes],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_OUTCOME_LANES) + 1)),
)
for item in reviewer_outcome_lanes:
assert_equal(
f"owner_response_validation_reviewer_outcome_lanes.{item['outcome_lane_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_outcome_lane_only",
)
assert_false(
f"owner_response_validation_reviewer_outcome_lanes.{item['outcome_lane_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_outcome_lanes.{item['outcome_lane_id']}.not_approval",
item["not_approval"],
)
for blocked_update in item["blocked_updates"]:
if blocked_update in {"create_runtime_gate", "enqueue_execution", "add_action_button"}:
assert_false(
f"owner_response_validation_reviewer_outcome_lanes.{item['outcome_lane_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
reviewer_audit_event_templates = rollup["owner_response_validation_reviewer_audit_event_templates"]
assert_equal(
"owner_response_validation_reviewer_audit_event_templates.ids",
[item["event_template_id"] for item in reviewer_audit_event_templates],
EXPECTED_ROLLUP_REVIEWER_AUDIT_EVENT_TEMPLATES,
)
assert_equal(
"owner_response_validation_reviewer_audit_event_templates.display_order",
[item["display_order"] for item in reviewer_audit_event_templates],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_EVENT_TEMPLATES) + 1)),
)
for item in reviewer_audit_event_templates:
assert_equal(
f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.event_status",
item["event_status"],
"template_only_not_emitted",
)
assert_equal(
f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.emitted_event_count",
item["emitted_event_count"],
0,
)
assert_false(
f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.stored_raw_payload_allowed",
item["stored_raw_payload_allowed"],
)
assert_equal(
f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_audit_template_only",
)
assert_false(
f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_audit_event_templates.{item['event_template_id']}.not_approval",
item["not_approval"],
)
reviewer_audit_display_sections = rollup["owner_response_validation_reviewer_audit_display_sections"]
assert_equal(
"owner_response_validation_reviewer_audit_display_sections.ids",
[item["section_id"] for item in reviewer_audit_display_sections],
EXPECTED_ROLLUP_REVIEWER_AUDIT_DISPLAY_SECTIONS,
)
assert_equal(
"owner_response_validation_reviewer_audit_display_sections.display_order",
[item["display_order"] for item in reviewer_audit_display_sections],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_DISPLAY_SECTIONS) + 1)),
)
for item in reviewer_audit_display_sections:
assert_equal(
f"owner_response_validation_reviewer_audit_display_sections.{item['section_id']}.section_status",
item["section_status"],
"display_contract_only",
)
assert_equal(
f"owner_response_validation_reviewer_audit_display_sections.{item['section_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_audit_section_only",
)
assert_false(
f"owner_response_validation_reviewer_audit_display_sections.{item['section_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_audit_display_sections.{item['section_id']}.not_approval",
item["not_approval"],
)
reviewer_audit_collection_checks = rollup["owner_response_validation_reviewer_audit_collection_checks"]
assert_equal(
"owner_response_validation_reviewer_audit_collection_checks.ids",
[item["check_id"] for item in reviewer_audit_collection_checks],
EXPECTED_ROLLUP_REVIEWER_AUDIT_COLLECTION_CHECKS,
)
assert_equal(
"owner_response_validation_reviewer_audit_collection_checks.display_order",
[item["display_order"] for item in reviewer_audit_collection_checks],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_COLLECTION_CHECKS) + 1)),
)
for item in reviewer_audit_collection_checks:
assert_equal(
f"owner_response_validation_reviewer_audit_collection_checks.{item['check_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_audit_collection_check_only",
)
assert_false(
f"owner_response_validation_reviewer_audit_collection_checks.{item['check_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_audit_collection_checks.{item['check_id']}.not_approval",
item["not_approval"],
)
for blocked_interpretation in item["blocked_interpretations"]:
if blocked_interpretation in {
"create_runtime_gate",
"enqueue_execution",
"add_action_button",
"start_kali_scan",
"modify_repo_or_workflow",
}:
assert_false(
f"owner_response_validation_reviewer_audit_collection_checks.{item['check_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
reviewer_audit_redaction_examples = rollup["owner_response_validation_reviewer_audit_redaction_examples"]
assert_equal(
"owner_response_validation_reviewer_audit_redaction_examples.ids",
[item["example_id"] for item in reviewer_audit_redaction_examples],
EXPECTED_ROLLUP_REVIEWER_AUDIT_REDACTION_EXAMPLES,
)
assert_equal(
"owner_response_validation_reviewer_audit_redaction_examples.display_order",
[item["display_order"] for item in reviewer_audit_redaction_examples],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_REDACTION_EXAMPLES) + 1)),
)
for item in reviewer_audit_redaction_examples:
assert_equal(
f"owner_response_validation_reviewer_audit_redaction_examples.{item['example_id']}.redaction_status",
item["redaction_status"],
"example_only_not_response",
)
assert_equal(
f"owner_response_validation_reviewer_audit_redaction_examples.{item['example_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_audit_redaction_example_only",
)
assert_false(
f"owner_response_validation_reviewer_audit_redaction_examples.{item['example_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_audit_redaction_examples.{item['example_id']}.not_approval",
item["not_approval"],
)
reviewer_audit_retention_rules = rollup["owner_response_validation_reviewer_audit_retention_rules"]
assert_equal(
"owner_response_validation_reviewer_audit_retention_rules.ids",
[item["rule_id"] for item in reviewer_audit_retention_rules],
EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_RULES,
)
assert_equal(
"owner_response_validation_reviewer_audit_retention_rules.display_order",
[item["display_order"] for item in reviewer_audit_retention_rules],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_RULES) + 1)),
)
for item in reviewer_audit_retention_rules:
assert_equal(
f"owner_response_validation_reviewer_audit_retention_rules.{item['rule_id']}.retention_status",
item["retention_status"],
"metadata_retention_rule_only",
)
assert_equal(
f"owner_response_validation_reviewer_audit_retention_rules.{item['rule_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_audit_retention_rule_only",
)
assert_false(
f"owner_response_validation_reviewer_audit_retention_rules.{item['rule_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_audit_retention_rules.{item['rule_id']}.not_approval",
item["not_approval"],
)
reviewer_audit_retention_checks = rollup["owner_response_validation_reviewer_audit_retention_checks"]
assert_equal(
"owner_response_validation_reviewer_audit_retention_checks.ids",
[item["check_id"] for item in reviewer_audit_retention_checks],
EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_CHECKS,
)
assert_equal(
"owner_response_validation_reviewer_audit_retention_checks.display_order",
[item["display_order"] for item in reviewer_audit_retention_checks],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_RETENTION_CHECKS) + 1)),
)
for item in reviewer_audit_retention_checks:
assert_equal(
f"owner_response_validation_reviewer_audit_retention_checks.{item['check_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_audit_retention_check_only",
)
assert_false(
f"owner_response_validation_reviewer_audit_retention_checks.{item['check_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_audit_retention_checks.{item['check_id']}.not_approval",
item["not_approval"],
)
for blocked in item["blocked_interpretations"]:
if blocked in {
"enable_audit_storage_from_check",
"store_raw_owner_response_for_retention",
"retain_token_value",
"treat_retention_check_pass_as_runtime_gate",
"create_runtime_gate_from_retention_check",
"create_execution_queue_from_retention_check",
"add_action_button_from_retention_check",
"start_scan_from_retention_check",
}:
assert_false(
f"owner_response_validation_reviewer_audit_retention_checks.{item['check_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
reviewer_audit_handoff_packets = rollup["owner_response_validation_reviewer_audit_handoff_packets"]
assert_equal(
"owner_response_validation_reviewer_audit_handoff_packets.ids",
[item["packet_id"] for item in reviewer_audit_handoff_packets],
EXPECTED_ROLLUP_REVIEWER_AUDIT_HANDOFF_PACKETS,
)
assert_equal(
"owner_response_validation_reviewer_audit_handoff_packets.display_order",
[item["display_order"] for item in reviewer_audit_handoff_packets],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_HANDOFF_PACKETS) + 1)),
)
for item in reviewer_audit_handoff_packets:
assert_equal(
f"owner_response_validation_reviewer_audit_handoff_packets.{item['packet_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_audit_handoff_packet_only",
)
assert_false(
f"owner_response_validation_reviewer_audit_handoff_packets.{item['packet_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_audit_handoff_packets.{item['packet_id']}.not_approval",
item["not_approval"],
)
for blocked in item["blocked_interpretations"]:
if blocked in {
"treat_handoff_as_runtime_gate",
"increase_received_or_accepted_count",
"accept_owner_response_from_handoff_only",
"skip_source_packet_preflight",
"create_action_button_from_handoff",
"enqueue_runtime_job_from_handoff",
"start_scan_or_repo_action_from_handoff",
"mark_s4_9_received_from_handoff",
"treat_handoff_complete_as_primary_ready",
"treat_handoff_complete_as_payload_ingested",
"treat_handoff_complete_as_runtime_approved",
}:
assert_false(
f"owner_response_validation_reviewer_audit_handoff_packets.{item['packet_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
reviewer_audit_handoff_checks = rollup["owner_response_validation_reviewer_audit_handoff_checks"]
assert_equal(
"owner_response_validation_reviewer_audit_handoff_checks.ids",
[item["check_id"] for item in reviewer_audit_handoff_checks],
EXPECTED_ROLLUP_REVIEWER_AUDIT_HANDOFF_CHECKS,
)
assert_equal(
"owner_response_validation_reviewer_audit_handoff_checks.display_order",
[item["display_order"] for item in reviewer_audit_handoff_checks],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_HANDOFF_CHECKS) + 1)),
)
for item in reviewer_audit_handoff_checks:
assert_equal(
f"owner_response_validation_reviewer_audit_handoff_checks.{item['check_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_audit_handoff_check_only",
)
assert_false(
f"owner_response_validation_reviewer_audit_handoff_checks.{item['check_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_audit_handoff_checks.{item['check_id']}.not_approval",
item["not_approval"],
)
for blocked in item["blocked_interpretations"]:
if blocked in {
"treat_handoff_check_as_runtime_ready",
"treat_handoff_check_pass_as_owner_response_received",
"treat_handoff_check_pass_as_owner_response_accepted",
"treat_handoff_check_pass_as_audit_event_emitted",
"treat_handoff_check_pass_as_runtime_gate",
"accept_owner_response_from_handoff_only",
"skip_source_packet_preflight",
"render_raw_owner_response",
"create_action_button_from_handoff_check",
"enqueue_runtime_job_from_handoff_check",
"start_scan_or_repo_action_from_handoff_check",
"switch_primary_from_handoff_check",
"mark_s4_9_received_from_handoff_check",
"mark_s4_9_accepted_from_handoff_check",
"create_followup_runtime_gate_from_handoff_check",
}:
assert_false(
f"owner_response_validation_reviewer_audit_handoff_checks.{item['check_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
parallel_session_sync_checks = rollup["owner_response_validation_parallel_session_sync_checks"]
assert_equal(
"owner_response_validation_parallel_session_sync_checks.ids",
[item["check_id"] for item in parallel_session_sync_checks],
EXPECTED_ROLLUP_PARALLEL_SESSION_SYNC_CHECKS,
)
assert_equal(
"owner_response_validation_parallel_session_sync_checks.display_order",
[item["display_order"] for item in parallel_session_sync_checks],
list(range(1, len(EXPECTED_ROLLUP_PARALLEL_SESSION_SYNC_CHECKS) + 1)),
)
for item in parallel_session_sync_checks:
assert_equal(
f"owner_response_validation_parallel_session_sync_checks.{item['check_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_parallel_session_sync_check_only",
)
assert_false(
f"owner_response_validation_parallel_session_sync_checks.{item['check_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_parallel_session_sync_checks.{item['check_id']}.not_approval",
item["not_approval"],
)
for blocked in item["blocked_interpretations"]:
if blocked in {
"treat_parallel_session_as_runtime_owner",
"merge_without_branch_sync",
"treat_delta_visibility_as_authorization",
"treat_parallel_sync_as_owner_response_received",
"treat_parallel_sync_as_owner_response_accepted",
"treat_parallel_sync_as_audit_event_emitted",
"treat_parallel_sync_as_runtime_gate",
"treat_sync_complete_as_runtime_authorized",
"create_action_button_from_parallel_sync",
"enqueue_runtime_job_from_parallel_sync",
"start_kali_or_repo_action_from_parallel_sync",
"create_repo_from_parallel_sync",
"sync_refs_from_parallel_sync",
"modify_workflow_or_secret_from_parallel_sync",
"switch_primary_from_parallel_sync",
"auto_collect_owner_response_from_parallel_sync",
"mark_s4_9_received_from_parallel_sync",
"mark_s4_9_accepted_from_parallel_sync",
"create_followup_runtime_gate_from_parallel_sync",
}:
assert_false(
f"owner_response_validation_parallel_session_sync_checks.{item['check_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
parallel_session_conflict_lanes = rollup["owner_response_validation_parallel_session_conflict_lanes"]
assert_equal(
"owner_response_validation_parallel_session_conflict_lanes.ids",
[item["lane_id"] for item in parallel_session_conflict_lanes],
EXPECTED_ROLLUP_PARALLEL_SESSION_CONFLICT_LANES,
)
assert_equal(
"owner_response_validation_parallel_session_conflict_lanes.display_order",
[item["display_order"] for item in parallel_session_conflict_lanes],
list(range(1, len(EXPECTED_ROLLUP_PARALLEL_SESSION_CONFLICT_LANES) + 1)),
)
for item in parallel_session_conflict_lanes:
assert_equal(
f"owner_response_validation_parallel_session_conflict_lanes.{item['lane_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_parallel_session_conflict_lane_only",
)
assert_false(
f"owner_response_validation_parallel_session_conflict_lanes.{item['lane_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_parallel_session_conflict_lanes.{item['lane_id']}.not_approval",
item["not_approval"],
)
for blocked in item["blocked_actions"]:
if blocked in {
"auto_merge_diverged_branch",
"force_push_to_reconcile_sessions",
"overwrite_other_session_changes",
"continue_from_stale_delta",
"treat_stale_delta_as_authorization",
"auto_accept_counter_drift",
"mark_owner_response_received_without_source_packet",
"create_runtime_gate_from_counter_drift",
"treat_true_flag_as_approved",
"create_action_button_from_flag_drift",
"enqueue_runtime_job_from_flag_drift",
"create_repo_from_conflict_lane",
"sync_refs_from_conflict_lane",
"modify_workflow_secret_runner_from_conflict_lane",
"disable_gitea_or_switch_primary_from_conflict_lane",
"auto_collect_owner_response_from_focus_drift",
"mark_later_lane_accepted_from_focus_drift",
"create_followup_runtime_gate_from_focus_drift",
}:
assert_false(
f"owner_response_validation_parallel_session_conflict_lanes.{item['lane_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
parallel_session_recovery_checks = rollup["owner_response_validation_parallel_session_recovery_checks"]
assert_equal(
"owner_response_validation_parallel_session_recovery_checks.ids",
[item["check_id"] for item in parallel_session_recovery_checks],
EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS,
)
assert_equal(
"owner_response_validation_parallel_session_recovery_checks.display_order",
[item["display_order"] for item in parallel_session_recovery_checks],
list(range(1, len(EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS) + 1)),
)
for item in parallel_session_recovery_checks:
assert_equal(
f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_parallel_session_recovery_check_only",
)
assert_false(
f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.not_approval",
item["not_approval"],
)
for blocked in item["blocked_interpretations"]:
if blocked in {
"auto_rebase_after_conflict",
"auto_merge_after_conflict",
"force_push_after_conflict",
"continue_from_pre_conflict_context",
"treat_ledger_read_as_authorization",
"treat_guard_pass_as_owner_response",
"treat_guard_pass_as_runtime_gate",
"treat_guard_pass_as_primary_approval",
"overwrite_other_session_changes",
"drop_unreviewed_changes",
"stage_runtime_or_secret_change_from_recovery",
"create_action_button_after_recovery",
"enqueue_runtime_job_after_recovery",
"start_kali_or_repo_action_after_recovery",
"auto_collect_owner_response_after_recovery",
"mark_s4_9_received_after_recovery",
"create_followup_runtime_gate_after_recovery",
}:
assert_false(
f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
parallel_session_recovery_outcome_lanes = rollup[
"owner_response_validation_parallel_session_recovery_outcome_lanes"
]
assert_equal(
"owner_response_validation_parallel_session_recovery_outcome_lanes.ids",
[item["lane_id"] for item in parallel_session_recovery_outcome_lanes],
EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_OUTCOME_LANES,
)
assert_equal(
"owner_response_validation_parallel_session_recovery_outcome_lanes.display_order",
[item["display_order"] for item in parallel_session_recovery_outcome_lanes],
list(range(1, len(EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_OUTCOME_LANES) + 1)),
)
for item in parallel_session_recovery_outcome_lanes:
assert_equal(
f"owner_response_validation_parallel_session_recovery_outcome_lanes.{item['lane_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_parallel_session_recovery_outcome_lane_only",
)
assert_false(
f"owner_response_validation_parallel_session_recovery_outcome_lanes.{item['lane_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_parallel_session_recovery_outcome_lanes.{item['lane_id']}.not_approval",
item["not_approval"],
)
for blocked in item["blocked_interpretations"]:
if blocked in {
"treat_recovery_ready_as_merge_approval",
"treat_recovery_ready_as_owner_response",
"treat_recovery_ready_as_runtime_gate",
"auto_rebase_still_diverged_branch",
"auto_merge_still_diverged_branch",
"force_push_still_diverged_branch",
"continue_from_stale_ledger",
"skip_latest_logbook_after_recovery",
"mark_response_received_from_stale_handoff",
"ignore_guard_failure",
"treat_guard_failure_as_runtime_incident",
"open_action_button_from_guard_failure",
"stage_out_of_scope_diff",
"commit_out_of_scope_diff",
"drop_out_of_scope_diff_without_review",
"accept_runtime_flag_drift",
"create_action_button_from_flag_drift",
"enqueue_runtime_job_from_flag_drift",
"advance_next_focus_without_owner_response",
"mark_later_packet_received_after_recovery",
"create_followup_gate_from_focus_drift",
}:
assert_false(
f"owner_response_validation_parallel_session_recovery_outcome_lanes.{item['lane_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
first_lane = LANES[0]
first_collection_item = collection_order_by_id[first_lane["lane_id"]]
first_missing_lane = missing_lane_by_id[first_lane["lane_id"]]
assert_equal("next_collection_candidate.order", next_collection_candidate["order"], 1)
assert_equal("next_collection_candidate.lane_id", next_collection_candidate["lane_id"], first_lane["lane_id"])
assert_equal(
"next_collection_candidate.display_status",
next_collection_candidate["display_status"],
"next_owner_response_required",
)
assert_equal(
"next_collection_candidate.source_contract",
next_collection_candidate["source_contract"],
first_missing_lane["source_contract"],
)
assert_equal(
"next_collection_candidate.required_packet",
next_collection_candidate["required_packet"],
first_collection_item["required_packet"],
)
assert_equal(
"next_collection_candidate.required_response_template_count",
next_collection_candidate["required_response_template_count"],
first_lane["expected_templates"],
)
assert_equal("next_collection_candidate.received_response_count", next_collection_candidate["received_response_count"], 0)
assert_equal("next_collection_candidate.accepted_response_count", next_collection_candidate["accepted_response_count"], 0)
assert_equal(
"next_collection_candidate.minimum_response",
next_collection_candidate["minimum_response"],
first_collection_item["minimum_response"],
)
assert_equal(
"next_collection_candidate.awooop_display_mode",
next_collection_candidate["awooop_display_mode"],
"display_next_collection_item_only",
)
assert_true("next_collection_candidate.blocked_until_received", next_collection_candidate["blocked_until_received"])
assert_false("next_collection_candidate.execution_authorized", next_collection_candidate["execution_authorized"])
assert_true("next_collection_candidate.not_approval", next_collection_candidate["not_approval"])
assert_equal(
"next_collection_candidate.still_forbidden",
next_collection_candidate["still_forbidden"],
first_collection_item["still_forbidden"],
)
local_validation = rollup["latest_local_validation"]
assert_equal("rollup.latest_local_validation.status", local_validation["status"], "repo_snapshot_guard_pass")
assert_equal("rollup.latest_local_validation.date", local_validation["date"], EXPECTED_ROLLUP_DATE)
assert_equal("rollup.latest_local_validation.scope", local_validation["scope"], "repo_snapshot_only")
assert_equal("rollup.latest_local_validation.result", local_validation["result"], "SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK")
assert_equal("rollup.latest_local_validation.received_response_count", local_validation["received_response_count"], 0)
assert_equal("rollup.latest_local_validation.accepted_response_count", local_validation["accepted_response_count"], 0)
assert_false("rollup.latest_local_validation.runtime_actions_authorized", local_validation["runtime_actions_authorized"])
assert_false("rollup.latest_local_validation.repo_or_refs_actions_authorized", local_validation["repo_or_refs_actions_authorized"])
assert_false("rollup.latest_local_validation.workflow_or_secret_actions_authorized", local_validation["workflow_or_secret_actions_authorized"])
assert_true("rollup.latest_local_validation.not_authorization", local_validation["not_authorization"])
def main() -> None:
parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument(
"--root",
default=Path(__file__).resolve().parents[2],
type=Path,
help="Repository root. Defaults to the current script's repository.",
)
args = parser.parse_args()
validate(args.root.resolve())
print("SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK")
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink