309 lines
17 KiB
Python
Executable File
309 lines
17 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
"""Validate the mirror-only security progress guardrails.
|
|
|
|
This script is intentionally read-only. It checks committed snapshots only and
|
|
does not call GitHub, Gitea, Kali, AwoooP, or any runtime API.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import argparse
|
|
import json
|
|
from pathlib import Path
|
|
from typing import Any
|
|
|
|
|
|
def load_json(path: Path) -> dict[str, Any]:
|
|
return json.loads(path.read_text(encoding="utf-8"))
|
|
|
|
|
|
def assert_equal(label: str, actual: Any, expected: Any) -> None:
|
|
if actual != expected:
|
|
raise SystemExit(f"BLOCKED {label}: expected {expected!r}, got {actual!r}")
|
|
|
|
|
|
def assert_false(label: str, actual: Any) -> None:
|
|
assert_equal(label, actual, False)
|
|
|
|
|
|
def assert_true(label: str, actual: Any) -> None:
|
|
assert_equal(label, actual, True)
|
|
|
|
|
|
def assert_contains(label: str, values: list[Any], expected: Any) -> None:
|
|
if expected not in values:
|
|
raise SystemExit(f"BLOCKED {label}: missing {expected!r}")
|
|
|
|
|
|
def validate(root: Path) -> None:
|
|
security_dir = root / "docs" / "security"
|
|
|
|
manifest = load_json(security_dir / "security-supply-chain-contract-manifest.snapshot.json")
|
|
readiness = load_json(security_dir / "security-mirror-readiness.snapshot.json")
|
|
rollup = load_json(security_dir / "security-mirror-status-rollup.snapshot.json")
|
|
acceptance = load_json(security_dir / "security-mirror-acceptance.snapshot.json")
|
|
dry_run = load_json(security_dir / "security-mirror-dry-run.snapshot.json")
|
|
owner_rollup = load_json(security_dir / "source-control-owner-response-validation-rollup.snapshot.json")
|
|
primary_gate = load_json(security_dir / "source-control-primary-readiness-gate.snapshot.json")
|
|
|
|
manifest_count = manifest["contract_count"]
|
|
readiness_summary = readiness["summary"]
|
|
rollup_summary = rollup["summary"]
|
|
|
|
assert_equal("manifest.contract_count", manifest_count, 35)
|
|
assert_equal("readiness.total_contracts", readiness_summary["total_contracts"], manifest_count)
|
|
assert_equal("rollup.total_contracts", rollup_summary["total_contracts"], manifest_count)
|
|
assert_equal("rollup.ready_for_mirror_count", rollup_summary["ready_for_mirror_count"], 32)
|
|
assert_equal("rollup.partial_ready_count", rollup_summary["partial_ready_count"], 2)
|
|
assert_equal("rollup.contract_only_count", rollup_summary["contract_only_count"], 1)
|
|
assert_equal("rollup.blocked_count", rollup_summary["blocked_count"], 0)
|
|
|
|
progress = rollup["progress_estimate"]
|
|
assert_equal("progress.overall_percent", progress["overall_percent"], 58)
|
|
assert_equal("progress.framework_percent_min", progress["framework_percent_min"], 80)
|
|
assert_equal("progress.framework_percent_max", progress["framework_percent_max"], 85)
|
|
assert_equal("progress.runtime_landing_percent_min", progress["runtime_landing_percent_min"], 35)
|
|
assert_equal("progress.runtime_landing_percent_max", progress["runtime_landing_percent_max"], 40)
|
|
assert_true("progress.not_authorization", progress["not_authorization"])
|
|
|
|
progress_display_policy = rollup["progress_display_policy"]
|
|
assert_equal("progress_display_policy.headline_percent", progress_display_policy["headline_percent"], 58)
|
|
assert_equal(
|
|
"progress_display_policy.headline_status",
|
|
progress_display_policy["headline_status"],
|
|
"holding_until_owner_response_or_runtime_gate",
|
|
)
|
|
assert_true("progress_display_policy.recent_micro_progress_visible", progress_display_policy["recent_micro_progress_visible"])
|
|
assert_false(
|
|
"progress_display_policy.runtime_execution_authorized",
|
|
progress_display_policy["runtime_execution_authorized"],
|
|
)
|
|
assert_true("progress_display_policy.not_authorization", progress_display_policy["not_authorization"])
|
|
|
|
progress_delta_ledger = rollup["progress_delta_ledger"]
|
|
expected_delta_ids = [
|
|
"s4_10_owner_response_request_packet",
|
|
"s4_10_owner_response_template_status_ledger",
|
|
"s4_10_owner_response_audit_event_templates",
|
|
"s4_10_owner_response_redaction_examples",
|
|
"s4_10_owner_response_collection_checks",
|
|
"s4_10_owner_response_intake_preflight_checks",
|
|
"s4_11_ref_truth_owner_response_request_packet",
|
|
"s4_11_ref_truth_owner_response_template_status_ledger",
|
|
"s4_11_ref_truth_owner_response_audit_event_templates",
|
|
"s4_11_ref_truth_owner_response_redaction_examples",
|
|
"s4_11_ref_truth_owner_response_collection_checks",
|
|
"s4_11_ref_truth_owner_response_intake_preflight_checks",
|
|
"s4_12_workflow_secret_name_owner_response_request_packet",
|
|
"s4_12_workflow_secret_name_owner_response_template_status_ledger",
|
|
"s4_12_workflow_secret_name_owner_response_audit_event_templates",
|
|
"s4_12_workflow_secret_name_owner_response_redaction_examples",
|
|
"s4_12_workflow_secret_name_owner_response_collection_checks",
|
|
"s4_12_workflow_secret_name_owner_response_intake_preflight_checks",
|
|
"s4_13_owner_response_validation_evidence_routing_rules",
|
|
"s4_13_owner_response_validation_display_sections",
|
|
"s4_13_owner_response_validation_state_transition_rules",
|
|
"s4_13_owner_response_validation_reviewer_checklist",
|
|
"s4_13_owner_response_validation_reviewer_outcome_lanes",
|
|
"s4_13_owner_response_validation_reviewer_audit_event_templates",
|
|
"s4_13_owner_response_validation_reviewer_audit_display_sections",
|
|
"s4_13_owner_response_validation_reviewer_audit_collection_checks",
|
|
"s4_13_owner_response_validation_reviewer_audit_redaction_examples",
|
|
"s4_13_owner_response_validation_reviewer_audit_retention_rules",
|
|
]
|
|
assert_equal(
|
|
"progress_delta_ledger.delta_ids",
|
|
[item["delta_id"] for item in progress_delta_ledger],
|
|
expected_delta_ids,
|
|
)
|
|
assert_equal(
|
|
"progress_delta_ledger.display_order",
|
|
[item["display_order"] for item in progress_delta_ledger],
|
|
list(range(1, len(expected_delta_ids) + 1)),
|
|
)
|
|
for item in progress_delta_ledger:
|
|
assert_equal(f"progress_delta_ledger.{item['delta_id']}.progress_axis", item["progress_axis"], "framework_detail")
|
|
assert_equal(f"progress_delta_ledger.{item['delta_id']}.headline_percent_delta", item["headline_percent_delta"], 0)
|
|
assert_true(f"progress_delta_ledger.{item['delta_id']}.framework_delta_visible", item["framework_delta_visible"])
|
|
assert_false(f"progress_delta_ledger.{item['delta_id']}.runtime_delta", item["runtime_delta"])
|
|
assert_false(f"progress_delta_ledger.{item['delta_id']}.execution_authorized", item["execution_authorized"])
|
|
assert_true(f"progress_delta_ledger.{item['delta_id']}.not_authorization", item["not_authorization"])
|
|
|
|
assert_false("rollup.runtime_execution_authorized", rollup["runtime_execution_authorized"])
|
|
assert_equal("rollup.active_runtime_gate_count", rollup_summary["active_runtime_gate_count"], 0)
|
|
assert_false("rollup.runtime_actions_executed", rollup_summary["runtime_actions_executed"])
|
|
assert_false("rollup.payloads_ingested", rollup_summary["payloads_ingested"])
|
|
assert_equal("rollup.github_primary_ready_count", rollup_summary["github_primary_ready_count"], 0)
|
|
assert_equal("rollup.owner_response_validation_received_count", rollup_summary["owner_response_validation_received_count"], 0)
|
|
assert_equal("rollup.owner_response_validation_accepted_count", rollup_summary["owner_response_validation_accepted_count"], 0)
|
|
assert_equal("rollup.workflow_secret_inventory_complete_count", rollup_summary["workflow_secret_inventory_complete_count"], 0)
|
|
assert_false("rollup.secret_value_collection_allowed", rollup_summary["secret_value_collection_allowed"])
|
|
assert_false("rollup.secret_value_detected", rollup_summary["secret_value_detected"])
|
|
|
|
owner_summary = owner_rollup["summary"]
|
|
assert_equal("owner_rollup.total_received_response_count", owner_summary["total_received_response_count"], 0)
|
|
assert_equal("owner_rollup.total_accepted_response_count", owner_summary["total_accepted_response_count"], 0)
|
|
assert_equal("owner_rollup.owner_response_evidence_routing_rule_count", owner_summary["owner_response_evidence_routing_rule_count"], 6)
|
|
assert_equal("owner_rollup.owner_response_validation_display_section_count", owner_summary["owner_response_validation_display_section_count"], 8)
|
|
assert_equal(
|
|
"owner_rollup.owner_response_validation_state_transition_rule_count",
|
|
owner_summary["owner_response_validation_state_transition_rule_count"],
|
|
7,
|
|
)
|
|
assert_equal(
|
|
"owner_rollup.owner_response_validation_reviewer_checklist_count",
|
|
owner_summary["owner_response_validation_reviewer_checklist_count"],
|
|
9,
|
|
)
|
|
assert_equal(
|
|
"owner_rollup.owner_response_validation_reviewer_outcome_lane_count",
|
|
owner_summary["owner_response_validation_reviewer_outcome_lane_count"],
|
|
7,
|
|
)
|
|
assert_equal(
|
|
"owner_rollup.owner_response_validation_reviewer_audit_event_template_count",
|
|
owner_summary["owner_response_validation_reviewer_audit_event_template_count"],
|
|
4,
|
|
)
|
|
assert_equal(
|
|
"owner_rollup.owner_response_validation_reviewer_audit_display_section_count",
|
|
owner_summary["owner_response_validation_reviewer_audit_display_section_count"],
|
|
5,
|
|
)
|
|
assert_equal(
|
|
"owner_rollup.owner_response_validation_reviewer_audit_collection_check_count",
|
|
owner_summary["owner_response_validation_reviewer_audit_collection_check_count"],
|
|
6,
|
|
)
|
|
assert_equal(
|
|
"owner_rollup.owner_response_validation_reviewer_audit_redaction_example_count",
|
|
owner_summary["owner_response_validation_reviewer_audit_redaction_example_count"],
|
|
5,
|
|
)
|
|
assert_equal(
|
|
"owner_rollup.owner_response_validation_reviewer_audit_retention_rule_count",
|
|
owner_summary["owner_response_validation_reviewer_audit_retention_rule_count"],
|
|
5,
|
|
)
|
|
assert_false("owner_rollup.runtime_execution_authorized", owner_summary["runtime_execution_authorized"])
|
|
assert_false("owner_rollup.repo_creation_authorized", owner_summary["repo_creation_authorized"])
|
|
assert_false("owner_rollup.refs_sync_authorized", owner_summary["refs_sync_authorized"])
|
|
assert_false("owner_rollup.workflow_modification_authorized", owner_summary["workflow_modification_authorized"])
|
|
assert_false("owner_rollup.github_primary_switch_authorized", owner_summary["github_primary_switch_authorized"])
|
|
assert_false("owner_rollup.action_buttons_allowed", owner_summary["action_buttons_allowed"])
|
|
|
|
next_candidate = owner_rollup["next_collection_candidate"]
|
|
assert_equal("owner_rollup.next_collection_candidate.order", next_candidate["order"], 1)
|
|
assert_equal(
|
|
"owner_rollup.next_collection_candidate.lane_id",
|
|
next_candidate["lane_id"],
|
|
"s4_9_gitea_inventory_owner_attestation_response",
|
|
)
|
|
assert_equal(
|
|
"owner_rollup.next_collection_candidate.display_status",
|
|
next_candidate["display_status"],
|
|
"next_owner_response_required",
|
|
)
|
|
assert_equal(
|
|
"owner_rollup.next_collection_candidate.required_response_template_count",
|
|
next_candidate["required_response_template_count"],
|
|
5,
|
|
)
|
|
assert_equal("owner_rollup.next_collection_candidate.received_response_count", next_candidate["received_response_count"], 0)
|
|
assert_equal("owner_rollup.next_collection_candidate.accepted_response_count", next_candidate["accepted_response_count"], 0)
|
|
assert_equal(
|
|
"owner_rollup.next_collection_candidate.awooop_display_mode",
|
|
next_candidate["awooop_display_mode"],
|
|
"display_next_collection_item_only",
|
|
)
|
|
assert_true("owner_rollup.next_collection_candidate.blocked_until_received", next_candidate["blocked_until_received"])
|
|
assert_false("owner_rollup.next_collection_candidate.execution_authorized", next_candidate["execution_authorized"])
|
|
assert_true("owner_rollup.next_collection_candidate.not_approval", next_candidate["not_approval"])
|
|
|
|
owner_local_validation = owner_rollup["latest_local_validation"]
|
|
assert_equal("owner_rollup.latest_local_validation.status", owner_local_validation["status"], "repo_snapshot_guard_pass")
|
|
assert_equal("owner_rollup.latest_local_validation.scope", owner_local_validation["scope"], "repo_snapshot_only")
|
|
assert_equal("owner_rollup.latest_local_validation.result", owner_local_validation["result"], "SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK")
|
|
assert_equal("owner_rollup.latest_local_validation.received_response_count", owner_local_validation["received_response_count"], 0)
|
|
assert_equal("owner_rollup.latest_local_validation.accepted_response_count", owner_local_validation["accepted_response_count"], 0)
|
|
assert_false("owner_rollup.latest_local_validation.runtime_actions_authorized", owner_local_validation["runtime_actions_authorized"])
|
|
assert_false("owner_rollup.latest_local_validation.repo_or_refs_actions_authorized", owner_local_validation["repo_or_refs_actions_authorized"])
|
|
assert_false("owner_rollup.latest_local_validation.workflow_or_secret_actions_authorized", owner_local_validation["workflow_or_secret_actions_authorized"])
|
|
assert_true("owner_rollup.latest_local_validation.not_authorization", owner_local_validation["not_authorization"])
|
|
|
|
primary_summary = primary_gate["summary"]
|
|
assert_equal("primary_gate.primary_ready_count", primary_summary["primary_ready_count"], 0)
|
|
assert_false("primary_gate.runtime_actions_authorized", primary_summary["runtime_actions_authorized"])
|
|
assert_false("primary_gate.github_primary_switch_authorized", primary_summary["github_primary_switch_authorized"])
|
|
assert_false("primary_gate.action_buttons_allowed", primary_summary["action_buttons_allowed"])
|
|
assert_false("primary_gate.raw_secret_storage_authorized", primary_summary["raw_secret_storage_authorized"])
|
|
|
|
acceptance_ids = [item["check_id"] for item in acceptance["acceptance_checks"]]
|
|
assert_contains("acceptance_checks", acceptance_ids, "PROGRESS_ESTIMATE_NOT_AUTHORIZATION")
|
|
assert_equal("acceptance.summary.acceptance_check_count", acceptance["summary"]["acceptance_check_count"], len(acceptance_ids))
|
|
assert_equal(
|
|
"acceptance.summary.blocking_check_count",
|
|
acceptance["summary"]["blocking_check_count"],
|
|
sum(1 for item in acceptance["acceptance_checks"] if item["blocking_if_failed"]),
|
|
)
|
|
assert_false("acceptance.runtime_execution_authorized", acceptance["runtime_execution_authorized"])
|
|
|
|
dry_run_summary = dry_run["summary"]
|
|
dry_run_step_ids = [item["step_id"] for item in dry_run["dry_run_steps"]]
|
|
assert_equal("dry_run.dry_run_status", dry_run["dry_run_status"], "contract_defined_not_executed")
|
|
assert_equal("dry_run.total_contracts", dry_run_summary["total_contracts"], manifest_count)
|
|
assert_equal("dry_run.acceptance_check_count", dry_run_summary["acceptance_check_count"], 8)
|
|
assert_false("dry_run.runtime_execution_authorized", dry_run["runtime_execution_authorized"])
|
|
assert_false("dry_run.runtime_actions_executed", dry_run_summary["runtime_actions_executed"])
|
|
assert_false("dry_run.payloads_ingested", dry_run_summary["payloads_ingested"])
|
|
assert_contains("dry_run_steps", dry_run_step_ids, "CHECK_PROGRESS_GUARD")
|
|
assert_contains("dry_run_steps", dry_run_step_ids, "CHECK_OWNER_RESPONSE_GUARD")
|
|
|
|
local_validation = dry_run["latest_local_validation"]
|
|
assert_equal("dry_run.latest_local_validation.status", local_validation["status"], "repo_snapshot_guard_pass")
|
|
assert_equal("dry_run.latest_local_validation.scope", local_validation["scope"], "repo_snapshot_only")
|
|
assert_equal(
|
|
"dry_run.latest_local_validation.result",
|
|
local_validation["result"],
|
|
"SECURITY_MIRROR_PROGRESS_GUARD_OK; SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK",
|
|
)
|
|
assert_contains("dry_run.latest_local_validation.validated_steps", local_validation["validated_steps"], "CHECK_PROGRESS_GUARD")
|
|
assert_contains(
|
|
"dry_run.latest_local_validation.validated_steps",
|
|
local_validation["validated_steps"],
|
|
"CHECK_OWNER_RESPONSE_GUARD",
|
|
)
|
|
assert_false("dry_run.latest_local_validation.runtime_actions_executed", local_validation["runtime_actions_executed"])
|
|
assert_false("dry_run.latest_local_validation.payloads_ingested", local_validation["payloads_ingested"])
|
|
assert_false("dry_run.latest_local_validation.production_ingestion_enabled", local_validation["production_ingestion_enabled"])
|
|
assert_true("dry_run.latest_local_validation.not_authorization", local_validation["not_authorization"])
|
|
|
|
forbidden_actions = set(rollup["forbidden_actions"]) | set(acceptance["forbidden_actions"])
|
|
for action in [
|
|
"start_kali_scan",
|
|
"call_kali_execute_endpoint",
|
|
"create_github_repo",
|
|
"change_repo_visibility",
|
|
"sync_git_refs",
|
|
"switch_github_primary",
|
|
"production_deploy",
|
|
]:
|
|
assert_contains("forbidden_actions", list(forbidden_actions), action)
|
|
|
|
|
|
def main() -> None:
|
|
parser = argparse.ArgumentParser(description=__doc__)
|
|
parser.add_argument(
|
|
"--root",
|
|
default=Path(__file__).resolve().parents[2],
|
|
type=Path,
|
|
help="Repository root. Defaults to the current script's repository.",
|
|
)
|
|
args = parser.parse_args()
|
|
validate(args.root.resolve())
|
|
print("SECURITY_MIRROR_PROGRESS_GUARD_OK")
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|