awoooi/scripts/security/security-mirror-progress-guard.py

#!/usr/bin/env python3
"""Validate the mirror-only security progress guardrails.

This script is intentionally read-only. It checks committed snapshots only and
does not call GitHub, Gitea, Kali, AwoooP, or any runtime API.
"""

from __future__ import annotations

import argparse
import json
from pathlib import Path
from typing import Any


def load_json(path: Path) -> dict[str, Any]:
    return json.loads(path.read_text(encoding="utf-8"))


def assert_equal(label: str, actual: Any, expected: Any) -> None:
    if actual != expected:
        raise SystemExit(f"BLOCKED {label}: expected {expected!r}, got {actual!r}")


def assert_false(label: str, actual: Any) -> None:
    assert_equal(label, actual, False)


def assert_true(label: str, actual: Any) -> None:
    assert_equal(label, actual, True)


def assert_contains(label: str, values: list[Any], expected: Any) -> None:
    if expected not in values:
        raise SystemExit(f"BLOCKED {label}: missing {expected!r}")


def validate(root: Path) -> None:
    security_dir = root / "docs" / "security"

    manifest = load_json(security_dir / "security-supply-chain-contract-manifest.snapshot.json")
    readiness = load_json(security_dir / "security-mirror-readiness.snapshot.json")
    rollup = load_json(security_dir / "security-mirror-status-rollup.snapshot.json")
    intake = load_json(security_dir / "security-mirror-intake-plan.snapshot.json")
    event_sample = load_json(security_dir / "security-mirror-event-sample.snapshot.json")
    route = load_json(security_dir / "security-mirror-route.snapshot.json")
    acceptance = load_json(security_dir / "security-mirror-acceptance.snapshot.json")
    dry_run = load_json(security_dir / "security-mirror-dry-run.snapshot.json")
    owner_rollup = load_json(security_dir / "source-control-owner-response-validation-rollup.snapshot.json")
    primary_gate = load_json(security_dir / "source-control-primary-readiness-gate.snapshot.json")
    rollout_policy = load_json(security_dir / "security-rollout-policy.snapshot.json")
    iwooos_projection = load_json(security_dir / "iwooos-posture-projection.snapshot.json")

    manifest_count = manifest["contract_count"]
    readiness_summary = readiness["summary"]
    rollup_summary = rollup["summary"]

    assert_equal("manifest.contract_count", manifest_count, 36)
    assert_equal("readiness.total_contracts", readiness_summary["total_contracts"], manifest_count)
    assert_equal("rollup.total_contracts", rollup_summary["total_contracts"], manifest_count)
    assert_equal("rollup.ready_for_mirror_count", rollup_summary["ready_for_mirror_count"], 33)
    assert_equal("rollup.partial_ready_count", rollup_summary["partial_ready_count"], 2)
    assert_equal("rollup.contract_only_count", rollup_summary["contract_only_count"], 1)
    assert_equal("rollup.blocked_count", rollup_summary["blocked_count"], 0)
    assert_contains(
        "manifest.contracts",
        [item["contract"] for item in manifest["contracts"]],
        "iwooos_posture_projection_v1",
    )
    assert_contains(
        "readiness.contract_readiness",
        [item["contract"] for item in readiness["contract_readiness"]],
        "iwooos_posture_projection_v1",
    )
    assert_contains(
        "rollup.source_indexes",
        rollup["source_indexes"],
        "docs/security/iwooos-posture-projection.snapshot.json",
    )
    assert_equal("event_sample.payload_summary.total_contracts", event_sample["payload_summary"]["total_contracts"], manifest_count)
    assert_equal(
        "event_sample.payload_summary.ready_for_mirror_count",
        event_sample["payload_summary"]["ready_for_mirror_count"],
        readiness_summary["ready_for_mirror_count"],
    )
    assert_contains(
        "event_sample.evidence_refs",
        event_sample["evidence_refs"],
        "docs/security/IWOOOS-POSTURE-PROJECTION.md",
    )
    assert_equal("route.summary.total_contracts", route["summary"]["total_contracts"], manifest_count)
    route_contracts = sorted({contract for group in route["route_groups"] for contract in group["contracts"]})
    assert_equal("route.contract_coverage", route_contracts, sorted(item["contract"] for item in manifest["contracts"]))
    assert_contains(
        "intake.source_indexes",
        intake["source_indexes"],
        "docs/security/iwooos-posture-projection.snapshot.json",
    )
    intake_contracts = [contract for wave in intake["intake_waves"] for contract in wave["contracts"]]
    assert_contains("intake.contracts", intake_contracts, "iwooos_posture_projection_v1")

    progress = rollup["progress_estimate"]
    assert_equal("progress.overall_percent", progress["overall_percent"], 58)
    assert_equal("progress.framework_percent_min", progress["framework_percent_min"], 80)
    assert_equal("progress.framework_percent_max", progress["framework_percent_max"], 85)
    assert_equal("progress.runtime_landing_percent_min", progress["runtime_landing_percent_min"], 35)
    assert_equal("progress.runtime_landing_percent_max", progress["runtime_landing_percent_max"], 40)
    assert_true("progress.not_authorization", progress["not_authorization"])

    progress_display_policy = rollup["progress_display_policy"]
    assert_equal("progress_display_policy.headline_percent", progress_display_policy["headline_percent"], 58)
    assert_equal(
        "progress_display_policy.headline_status",
        progress_display_policy["headline_status"],
        "holding_until_owner_response_or_runtime_gate",
    )
    assert_true("progress_display_policy.recent_micro_progress_visible", progress_display_policy["recent_micro_progress_visible"])
    assert_false(
        "progress_display_policy.runtime_execution_authorized",
        progress_display_policy["runtime_execution_authorized"],
    )
    assert_true("progress_display_policy.not_authorization", progress_display_policy["not_authorization"])

    progress_delta_ledger = rollup["progress_delta_ledger"]
    expected_delta_ids = [
        "s4_10_owner_response_request_packet",
        "s4_10_owner_response_template_status_ledger",
        "s4_10_owner_response_audit_event_templates",
        "s4_10_owner_response_redaction_examples",
        "s4_10_owner_response_collection_checks",
        "s4_10_owner_response_intake_preflight_checks",
        "s4_11_ref_truth_owner_response_request_packet",
        "s4_11_ref_truth_owner_response_template_status_ledger",
        "s4_11_ref_truth_owner_response_audit_event_templates",
        "s4_11_ref_truth_owner_response_redaction_examples",
        "s4_11_ref_truth_owner_response_collection_checks",
        "s4_11_ref_truth_owner_response_intake_preflight_checks",
        "s4_12_workflow_secret_name_owner_response_request_packet",
        "s4_12_workflow_secret_name_owner_response_template_status_ledger",
        "s4_12_workflow_secret_name_owner_response_audit_event_templates",
        "s4_12_workflow_secret_name_owner_response_redaction_examples",
        "s4_12_workflow_secret_name_owner_response_collection_checks",
        "s4_12_workflow_secret_name_owner_response_intake_preflight_checks",
        "s4_13_owner_response_validation_evidence_routing_rules",
        "s4_13_owner_response_validation_display_sections",
        "s4_13_owner_response_validation_state_transition_rules",
        "s4_13_owner_response_validation_reviewer_checklist",
        "s4_13_owner_response_validation_reviewer_outcome_lanes",
        "s4_13_owner_response_validation_reviewer_audit_event_templates",
        "s4_13_owner_response_validation_reviewer_audit_display_sections",
        "s4_13_owner_response_validation_reviewer_audit_collection_checks",
        "s4_13_owner_response_validation_reviewer_audit_redaction_examples",
        "s4_13_owner_response_validation_reviewer_audit_retention_rules",
        "s4_13_owner_response_validation_reviewer_audit_retention_checks",
        "s4_13_owner_response_validation_reviewer_audit_handoff_packets",
        "s4_13_owner_response_validation_reviewer_audit_handoff_checks",
        "s4_13_owner_response_validation_parallel_session_sync_checks",
        "s4_13_owner_response_validation_parallel_session_conflict_lanes",
        "s4_13_owner_response_validation_parallel_session_recovery_checks",
        "s4_13_owner_response_validation_parallel_session_recovery_outcome_lanes",
        "s1_3_low_friction_non_blocking_escalation_lanes",
        "s2_8_iwooos_frontend_posture_entry",
        "s2_9_iwooos_posture_projection_contract",
        "s2_10_iwooos_existing_frontend_surface_integration",
        "s2_11_iwooos_surface_coverage_boundary_matrix",
    ]
    assert_equal(
        "progress_delta_ledger.delta_ids",
        [item["delta_id"] for item in progress_delta_ledger],
        expected_delta_ids,
    )
    assert_equal(
        "progress_delta_ledger.display_order",
        [item["display_order"] for item in progress_delta_ledger],
        list(range(1, len(expected_delta_ids) + 1)),
    )
    for item in progress_delta_ledger:
        assert_equal(f"progress_delta_ledger.{item['delta_id']}.progress_axis", item["progress_axis"], "framework_detail")
        assert_equal(f"progress_delta_ledger.{item['delta_id']}.headline_percent_delta", item["headline_percent_delta"], 0)
        assert_true(f"progress_delta_ledger.{item['delta_id']}.framework_delta_visible", item["framework_delta_visible"])
        assert_false(f"progress_delta_ledger.{item['delta_id']}.runtime_delta", item["runtime_delta"])
        assert_false(f"progress_delta_ledger.{item['delta_id']}.execution_authorized", item["execution_authorized"])
        assert_true(f"progress_delta_ledger.{item['delta_id']}.not_authorization", item["not_authorization"])

    assert_false("rollup.runtime_execution_authorized", rollup["runtime_execution_authorized"])
    assert_equal("rollup.active_runtime_gate_count", rollup_summary["active_runtime_gate_count"], 0)
    assert_false("rollup.runtime_actions_executed", rollup_summary["runtime_actions_executed"])
    assert_false("rollup.payloads_ingested", rollup_summary["payloads_ingested"])
    assert_equal("rollup.github_primary_ready_count", rollup_summary["github_primary_ready_count"], 0)
    assert_equal("rollup.owner_response_validation_received_count", rollup_summary["owner_response_validation_received_count"], 0)
    assert_equal("rollup.owner_response_validation_accepted_count", rollup_summary["owner_response_validation_accepted_count"], 0)
    assert_equal("rollup.workflow_secret_inventory_complete_count", rollup_summary["workflow_secret_inventory_complete_count"], 0)
    assert_false("rollup.secret_value_collection_allowed", rollup_summary["secret_value_collection_allowed"])
    assert_false("rollup.secret_value_detected", rollup_summary["secret_value_detected"])

    assert_equal("rollout_policy.schema_version", rollout_policy["schema_version"], "security_rollout_policy_v1")
    assert_equal("rollout_policy.default_mode", rollout_policy["default_mode"], "observe")
    assert_equal("rollout_policy.enforcement_level", rollout_policy["enforcement_level"], "mirror_only")
    assert_equal("rollout_policy.non_blocking_escalation_lane_count", rollout_policy["non_blocking_escalation_lane_count"], 7)
    expected_low_friction_lane_ids = [
        "lane-low-medium-observation",
        "lane-owner-response-missing",
        "lane-mirror-data-incomplete",
        "lane-source-control-drift-draft",
        "lane-kali-observe-finding",
        "lane-workflow-secret-name-gap",
        "lane-progress-display-holding",
    ]
    non_blocking_lanes = rollout_policy["non_blocking_escalation_lanes"]
    assert_equal(
        "rollout_policy.non_blocking_escalation_lanes.ids",
        [item["lane_id"] for item in non_blocking_lanes],
        expected_low_friction_lane_ids,
    )
    assert_equal(
        "rollout_policy.non_blocking_escalation_lanes.display_order",
        [item["display_order"] for item in non_blocking_lanes],
        list(range(1, len(expected_low_friction_lane_ids) + 1)),
    )
    for item in non_blocking_lanes:
        if item["initial_mode"] not in {"observe", "warn"}:
            raise SystemExit(
                f"BLOCKED rollout_policy.non_blocking_escalation_lanes.{item['lane_id']}.initial_mode: "
                f"expected observe/warn, got {item['initial_mode']!r}"
            )
        assert_true(
            f"rollout_policy.non_blocking_escalation_lanes.{item['lane_id']}.owner_review_required_before_blocking",
            item["owner_review_required_before_blocking"],
        )
        assert_false(
            f"rollout_policy.non_blocking_escalation_lanes.{item['lane_id']}.runtime_blocking_allowed",
            item["runtime_blocking_allowed"],
        )
        assert_equal(
            f"rollout_policy.non_blocking_escalation_lanes.{item['lane_id']}.awooop_display_mode",
            item["awooop_display_mode"],
            "display_low_friction_non_blocking_lane_only",
        )
        assert_true(
            f"rollout_policy.non_blocking_escalation_lanes.{item['lane_id']}.not_authorization",
            item["not_authorization"],
        )
    rollout_outputs = rollout_policy["allowed_awooop_outputs"]
    for output in [
        "display_non_blocking_escalation_lanes",
        "create_followup_without_blocking",
        "show_owner_review_required_before_blocking",
        "keep_runtime_blocking_false",
    ]:
        assert_contains("rollout_policy.allowed_awooop_outputs", rollout_outputs, output)

    assert_equal("iwooos_projection.schema_version", iwooos_projection["schema_version"], "iwooos_posture_projection_v1")
    assert_equal("iwooos_projection.product_id", iwooos_projection["product_id"], "iwooos")
    assert_equal("iwooos_projection.display_name", iwooos_projection["display_name"], "IwoooS")
    assert_equal("iwooos_projection.mode", iwooos_projection["mode"], "mirror_only")
    assert_false("iwooos_projection.runtime_execution_authorized", iwooos_projection["runtime_execution_authorized"])
    assert_false("iwooos_projection.action_buttons_allowed", iwooos_projection["action_buttons_allowed"])
    assert_true("iwooos_projection.not_authorization", iwooos_projection["not_authorization"])
    assert_equal("iwooos_projection.summary.route_path", iwooos_projection["summary"]["route_path"], "/iwooos")
    assert_true("iwooos_projection.summary.nav_entry_added", iwooos_projection["summary"]["nav_entry_added"])
    assert_true(
        "iwooos_projection.summary.command_palette_entry_added",
        iwooos_projection["summary"]["command_palette_entry_added"],
    )
    assert_equal("iwooos_projection.summary.contract_count", iwooos_projection["summary"]["contract_count"], manifest_count)
    assert_equal(
        "iwooos_projection.summary.active_runtime_gate_count",
        iwooos_projection["summary"]["active_runtime_gate_count"],
        rollup_summary["active_runtime_gate_count"],
    )
    assert_equal(
        "iwooos_projection.summary.owner_response_validation_received_count",
        iwooos_projection["summary"]["owner_response_validation_received_count"],
        rollup_summary["owner_response_validation_received_count"],
    )
    assert_equal(
        "iwooos_projection.summary.owner_response_validation_accepted_count",
        iwooos_projection["summary"]["owner_response_validation_accepted_count"],
        rollup_summary["owner_response_validation_accepted_count"],
    )
    assert_equal(
        "iwooos_projection.summary.github_primary_ready_count",
        iwooos_projection["summary"]["github_primary_ready_count"],
        rollup_summary["github_primary_ready_count"],
    )
    assert_false("iwooos_projection.summary.action_buttons_allowed", iwooos_projection["summary"]["action_buttons_allowed"])
    expected_iwooos_surface_ids = [
        "security_compliance",
        "legacy_security",
        "legacy_compliance",
        "alerts",
        "errors",
        "authorizations",
        "governance",
        "alert_operation_logs",
        "awooop_approvals",
        "code_review",
    ]
    assert_equal(
        "iwooos_projection.summary.existing_frontend_surface_count",
        iwooos_projection["summary"]["existing_frontend_surface_count"],
        len(expected_iwooos_surface_ids),
    )
    expected_iwooos_coverage_group_ids = [
        "signals_and_exposure",
        "human_control_boundary",
        "governance_and_audit",
        "engineering_review",
    ]
    expected_iwooos_conflict_control_ids = [
        "preserve_original_route_ownership",
        "no_runtime_lift_from_index",
        "code_review_not_deploy_gate",
        "awooop_approval_not_security_approval",
        "frontend_index_does_not_call_kali",
    ]
    assert_equal(
        "iwooos_projection.summary.frontend_surface_coverage_group_count",
        iwooos_projection["summary"]["frontend_surface_coverage_group_count"],
        len(expected_iwooos_coverage_group_ids),
    )
    assert_equal(
        "iwooos_projection.summary.frontend_surface_conflict_control_count",
        iwooos_projection["summary"]["frontend_surface_conflict_control_count"],
        len(expected_iwooos_conflict_control_ids),
    )
    iwooos_progress = iwooos_projection["progress"]
    assert_equal("iwooos_projection.progress.overall_percent", iwooos_progress["overall_percent"], progress["overall_percent"])
    assert_equal(
        "iwooos_projection.progress.framework_percent_min",
        iwooos_progress["framework_percent_min"],
        progress["framework_percent_min"],
    )
    assert_equal(
        "iwooos_projection.progress.framework_percent_max",
        iwooos_progress["framework_percent_max"],
        progress["framework_percent_max"],
    )
    assert_equal(
        "iwooos_projection.progress.runtime_landing_percent_min",
        iwooos_progress["runtime_landing_percent_min"],
        progress["runtime_landing_percent_min"],
    )
    assert_equal(
        "iwooos_projection.progress.runtime_landing_percent_max",
        iwooos_progress["runtime_landing_percent_max"],
        progress["runtime_landing_percent_max"],
    )
    assert_equal(
        "iwooos_projection.progress.headline_status",
        iwooos_progress["headline_status"],
        progress_display_policy["headline_status"],
    )
    assert_true("iwooos_projection.progress.not_authorization", iwooos_progress["not_authorization"])
    assert_equal(
        "iwooos_projection.posture_pillars.ids",
        [item["pillar_id"] for item in iwooos_projection["posture_pillars"]],
        ["exposure_posture", "source_control_supply_chain", "kali_112_mesh", "approval_boundary"],
    )
    assert_equal(
        "iwooos_projection.posture_pillars.display_order",
        [item["display_order"] for item in iwooos_projection["posture_pillars"]],
        [1, 2, 3, 4],
    )
    for item in iwooos_projection["posture_pillars"]:
        assert_equal(f"iwooos_projection.posture_pillars.{item['pillar_id']}.display_mode", item["display_mode"], "posture_only")
        assert_false(
            f"iwooos_projection.posture_pillars.{item['pillar_id']}.runtime_execution_authorized",
            item["runtime_execution_authorized"],
        )
        assert_true(f"iwooos_projection.posture_pillars.{item['pillar_id']}.not_authorization", item["not_authorization"])
    iwooos_surfaces = iwooos_projection["existing_frontend_surfaces"]
    assert_equal(
        "iwooos_projection.existing_frontend_surfaces.ids",
        [item["surface_id"] for item in iwooos_surfaces],
        expected_iwooos_surface_ids,
    )
    assert_equal(
        "iwooos_projection.existing_frontend_surfaces.display_order",
        [item["display_order"] for item in iwooos_surfaces],
        list(range(1, len(expected_iwooos_surface_ids) + 1)),
    )
    for item in iwooos_surfaces:
        assert_equal(
            f"iwooos_projection.existing_frontend_surfaces.{item['surface_id']}.display_mode",
            item["display_mode"],
            "link_only",
        )
        assert_false(
            f"iwooos_projection.existing_frontend_surfaces.{item['surface_id']}.runtime_execution_authorized",
            item["runtime_execution_authorized"],
        )
        assert_false(
            f"iwooos_projection.existing_frontend_surfaces.{item['surface_id']}.action_buttons_allowed",
            item["action_buttons_allowed"],
        )
        assert_true(
            f"iwooos_projection.existing_frontend_surfaces.{item['surface_id']}.not_authorization",
            item["not_authorization"],
        )
    iwooos_coverage_groups = iwooos_projection["frontend_surface_coverage_groups"]
    assert_equal(
        "iwooos_projection.frontend_surface_coverage_groups.ids",
        [item["group_id"] for item in iwooos_coverage_groups],
        expected_iwooos_coverage_group_ids,
    )
    assert_equal(
        "iwooos_projection.frontend_surface_coverage_groups.display_order",
        [item["display_order"] for item in iwooos_coverage_groups],
        list(range(1, len(expected_iwooos_coverage_group_ids) + 1)),
    )
    covered_surface_ids = sorted({surface_id for item in iwooos_coverage_groups for surface_id in item["surface_ids"]})
    assert_equal("iwooos_projection.frontend_surface_coverage_groups.coverage", covered_surface_ids, sorted(expected_iwooos_surface_ids))
    for item in iwooos_coverage_groups:
        assert_equal(
            f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.display_mode",
            item["display_mode"],
            "coverage_only",
        )
        assert_false(
            f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.runtime_execution_authorized",
            item["runtime_execution_authorized"],
        )
        assert_false(
            f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.action_buttons_allowed",
            item["action_buttons_allowed"],
        )
        assert_true(
            f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.not_authorization",
            item["not_authorization"],
        )
    iwooos_conflict_controls = iwooos_projection["frontend_surface_conflict_controls"]
    assert_equal(
        "iwooos_projection.frontend_surface_conflict_controls.ids",
        [item["control_id"] for item in iwooos_conflict_controls],
        expected_iwooos_conflict_control_ids,
    )
    assert_equal(
        "iwooos_projection.frontend_surface_conflict_controls.display_order",
        [item["display_order"] for item in iwooos_conflict_controls],
        list(range(1, len(expected_iwooos_conflict_control_ids) + 1)),
    )
    for item in iwooos_conflict_controls:
        assert_equal(
            f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.display_mode",
            item["display_mode"],
            "conflict_control_only",
        )
        assert_false(
            f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.runtime_execution_authorized",
            item["runtime_execution_authorized"],
        )
        assert_false(
            f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.action_buttons_allowed",
            item["action_buttons_allowed"],
        )
        assert_true(
            f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.not_authorization",
            item["not_authorization"],
        )
    assert_equal(
        "iwooos_projection.non_blocking_lane_ids",
        iwooos_projection["non_blocking_lane_ids"],
        expected_low_friction_lane_ids,
    )
    for evidence_ref in [
        "docs/security/iwooos-posture-projection.snapshot.json",
        "docs/security/security-rollout-policy.snapshot.json",
        "docs/security/security-mirror-status-rollup.snapshot.json",
        "docs/security/source-control-owner-response-validation-rollup.snapshot.json",
        "docs/security/kali-integration-status.snapshot.json",
    ]:
        assert_contains("iwooos_projection.evidence_refs", iwooos_projection["evidence_refs"], evidence_ref)
    for output in [
        "display_security_posture",
        "display_progress_estimate",
        "display_non_blocking_lanes",
        "display_existing_frontend_security_surfaces",
        "display_frontend_surface_coverage_matrix",
        "display_frontend_surface_conflict_controls",
        "display_evidence_refs",
        "display_forbidden_actions",
    ]:
        assert_contains("iwooos_projection.allowed_frontend_outputs", iwooos_projection["allowed_frontend_outputs"], output)
    for output in [
        "add_scan_button",
        "add_execute_button",
        "add_repair_button",
        "start_kali_scan",
        "call_kali_execute_endpoint",
        "create_github_repo",
        "sync_git_refs",
        "modify_workflow_or_secret",
        "enable_runner",
        "switch_github_primary",
        "production_deploy",
        "treat_progress_as_authorization",
    ]:
        assert_contains("iwooos_projection.forbidden_frontend_outputs", iwooos_projection["forbidden_frontend_outputs"], output)

    owner_summary = owner_rollup["summary"]
    assert_equal("owner_rollup.total_received_response_count", owner_summary["total_received_response_count"], 0)
    assert_equal("owner_rollup.total_accepted_response_count", owner_summary["total_accepted_response_count"], 0)
    assert_equal("owner_rollup.owner_response_evidence_routing_rule_count", owner_summary["owner_response_evidence_routing_rule_count"], 6)
    assert_equal("owner_rollup.owner_response_validation_display_section_count", owner_summary["owner_response_validation_display_section_count"], 8)
    assert_equal(
        "owner_rollup.owner_response_validation_state_transition_rule_count",
        owner_summary["owner_response_validation_state_transition_rule_count"],
        7,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_reviewer_checklist_count",
        owner_summary["owner_response_validation_reviewer_checklist_count"],
        9,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_reviewer_outcome_lane_count",
        owner_summary["owner_response_validation_reviewer_outcome_lane_count"],
        7,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_reviewer_audit_event_template_count",
        owner_summary["owner_response_validation_reviewer_audit_event_template_count"],
        4,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_reviewer_audit_display_section_count",
        owner_summary["owner_response_validation_reviewer_audit_display_section_count"],
        5,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_reviewer_audit_collection_check_count",
        owner_summary["owner_response_validation_reviewer_audit_collection_check_count"],
        6,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_reviewer_audit_redaction_example_count",
        owner_summary["owner_response_validation_reviewer_audit_redaction_example_count"],
        5,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_reviewer_audit_retention_rule_count",
        owner_summary["owner_response_validation_reviewer_audit_retention_rule_count"],
        5,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_reviewer_audit_retention_check_count",
        owner_summary["owner_response_validation_reviewer_audit_retention_check_count"],
        6,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_reviewer_audit_handoff_packet_count",
        owner_summary["owner_response_validation_reviewer_audit_handoff_packet_count"],
        6,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_reviewer_audit_handoff_check_count",
        owner_summary["owner_response_validation_reviewer_audit_handoff_check_count"],
        6,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_parallel_session_sync_check_count",
        owner_summary["owner_response_validation_parallel_session_sync_check_count"],
        6,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_parallel_session_conflict_lane_count",
        owner_summary["owner_response_validation_parallel_session_conflict_lane_count"],
        6,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_parallel_session_recovery_check_count",
        owner_summary["owner_response_validation_parallel_session_recovery_check_count"],
        6,
    )
    assert_equal(
        "owner_rollup.owner_response_validation_parallel_session_recovery_outcome_lane_count",
        owner_summary["owner_response_validation_parallel_session_recovery_outcome_lane_count"],
        7,
    )
    assert_false("owner_rollup.runtime_execution_authorized", owner_summary["runtime_execution_authorized"])
    assert_false("owner_rollup.repo_creation_authorized", owner_summary["repo_creation_authorized"])
    assert_false("owner_rollup.refs_sync_authorized", owner_summary["refs_sync_authorized"])
    assert_false("owner_rollup.workflow_modification_authorized", owner_summary["workflow_modification_authorized"])
    assert_false("owner_rollup.github_primary_switch_authorized", owner_summary["github_primary_switch_authorized"])
    assert_false("owner_rollup.action_buttons_allowed", owner_summary["action_buttons_allowed"])

    next_candidate = owner_rollup["next_collection_candidate"]
    assert_equal("owner_rollup.next_collection_candidate.order", next_candidate["order"], 1)
    assert_equal(
        "owner_rollup.next_collection_candidate.lane_id",
        next_candidate["lane_id"],
        "s4_9_gitea_inventory_owner_attestation_response",
    )
    assert_equal(
        "owner_rollup.next_collection_candidate.display_status",
        next_candidate["display_status"],
        "next_owner_response_required",
    )
    assert_equal(
        "owner_rollup.next_collection_candidate.required_response_template_count",
        next_candidate["required_response_template_count"],
        5,
    )
    assert_equal("owner_rollup.next_collection_candidate.received_response_count", next_candidate["received_response_count"], 0)
    assert_equal("owner_rollup.next_collection_candidate.accepted_response_count", next_candidate["accepted_response_count"], 0)
    assert_equal(
        "owner_rollup.next_collection_candidate.awooop_display_mode",
        next_candidate["awooop_display_mode"],
        "display_next_collection_item_only",
    )
    assert_true("owner_rollup.next_collection_candidate.blocked_until_received", next_candidate["blocked_until_received"])
    assert_false("owner_rollup.next_collection_candidate.execution_authorized", next_candidate["execution_authorized"])
    assert_true("owner_rollup.next_collection_candidate.not_approval", next_candidate["not_approval"])

    owner_local_validation = owner_rollup["latest_local_validation"]
    assert_equal("owner_rollup.latest_local_validation.status", owner_local_validation["status"], "repo_snapshot_guard_pass")
    assert_equal("owner_rollup.latest_local_validation.scope", owner_local_validation["scope"], "repo_snapshot_only")
    assert_equal("owner_rollup.latest_local_validation.result", owner_local_validation["result"], "SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK")
    assert_equal("owner_rollup.latest_local_validation.received_response_count", owner_local_validation["received_response_count"], 0)
    assert_equal("owner_rollup.latest_local_validation.accepted_response_count", owner_local_validation["accepted_response_count"], 0)
    assert_false("owner_rollup.latest_local_validation.runtime_actions_authorized", owner_local_validation["runtime_actions_authorized"])
    assert_false("owner_rollup.latest_local_validation.repo_or_refs_actions_authorized", owner_local_validation["repo_or_refs_actions_authorized"])
    assert_false("owner_rollup.latest_local_validation.workflow_or_secret_actions_authorized", owner_local_validation["workflow_or_secret_actions_authorized"])
    assert_true("owner_rollup.latest_local_validation.not_authorization", owner_local_validation["not_authorization"])

    primary_summary = primary_gate["summary"]
    assert_equal("primary_gate.primary_ready_count", primary_summary["primary_ready_count"], 0)
    assert_false("primary_gate.runtime_actions_authorized", primary_summary["runtime_actions_authorized"])
    assert_false("primary_gate.github_primary_switch_authorized", primary_summary["github_primary_switch_authorized"])
    assert_false("primary_gate.action_buttons_allowed", primary_summary["action_buttons_allowed"])
    assert_false("primary_gate.raw_secret_storage_authorized", primary_summary["raw_secret_storage_authorized"])

    acceptance_ids = [item["check_id"] for item in acceptance["acceptance_checks"]]
    assert_equal("acceptance.total_contracts", acceptance["summary"]["total_contracts"], manifest_count)
    assert_equal(
        "acceptance.ready_for_mirror_count",
        acceptance["summary"]["ready_for_mirror_count"],
        readiness_summary["ready_for_mirror_count"],
    )
    assert_contains("acceptance_checks", acceptance_ids, "PROGRESS_ESTIMATE_NOT_AUTHORIZATION")
    assert_equal("acceptance.summary.acceptance_check_count", acceptance["summary"]["acceptance_check_count"], len(acceptance_ids))
    assert_equal(
        "acceptance.summary.blocking_check_count",
        acceptance["summary"]["blocking_check_count"],
        sum(1 for item in acceptance["acceptance_checks"] if item["blocking_if_failed"]),
    )
    assert_false("acceptance.runtime_execution_authorized", acceptance["runtime_execution_authorized"])

    dry_run_summary = dry_run["summary"]
    dry_run_step_ids = [item["step_id"] for item in dry_run["dry_run_steps"]]
    assert_equal("dry_run.dry_run_status", dry_run["dry_run_status"], "contract_defined_not_executed")
    assert_equal("dry_run.total_contracts", dry_run_summary["total_contracts"], manifest_count)
    assert_equal(
        "dry_run.ready_for_mirror_count",
        dry_run_summary["ready_for_mirror_count"],
        readiness_summary["ready_for_mirror_count"],
    )
    assert_equal("dry_run.acceptance_check_count", dry_run_summary["acceptance_check_count"], 8)
    assert_false("dry_run.runtime_execution_authorized", dry_run["runtime_execution_authorized"])
    assert_false("dry_run.runtime_actions_executed", dry_run_summary["runtime_actions_executed"])
    assert_false("dry_run.payloads_ingested", dry_run_summary["payloads_ingested"])
    assert_contains("dry_run_steps", dry_run_step_ids, "CHECK_PROGRESS_GUARD")
    assert_contains("dry_run_steps", dry_run_step_ids, "CHECK_OWNER_RESPONSE_GUARD")

    local_validation = dry_run["latest_local_validation"]
    assert_equal("dry_run.latest_local_validation.status", local_validation["status"], "repo_snapshot_guard_pass")
    assert_equal("dry_run.latest_local_validation.scope", local_validation["scope"], "repo_snapshot_only")
    assert_equal(
        "dry_run.latest_local_validation.result",
        local_validation["result"],
        "SECURITY_MIRROR_PROGRESS_GUARD_OK; SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK",
    )
    assert_contains("dry_run.latest_local_validation.validated_steps", local_validation["validated_steps"], "CHECK_PROGRESS_GUARD")
    assert_contains(
        "dry_run.latest_local_validation.validated_steps",
        local_validation["validated_steps"],
        "CHECK_OWNER_RESPONSE_GUARD",
    )
    assert_false("dry_run.latest_local_validation.runtime_actions_executed", local_validation["runtime_actions_executed"])
    assert_false("dry_run.latest_local_validation.payloads_ingested", local_validation["payloads_ingested"])
    assert_false("dry_run.latest_local_validation.production_ingestion_enabled", local_validation["production_ingestion_enabled"])
    assert_true("dry_run.latest_local_validation.not_authorization", local_validation["not_authorization"])

    forbidden_actions = (
        set(rollup["forbidden_actions"])
        | set(acceptance["forbidden_actions"])
        | set(iwooos_projection["forbidden_frontend_outputs"])
    )
    for action in [
        "start_kali_scan",
        "call_kali_execute_endpoint",
        "create_github_repo",
        "change_repo_visibility",
        "sync_git_refs",
        "switch_github_primary",
        "production_deploy",
    ]:
        assert_contains("forbidden_actions", list(forbidden_actions), action)


def main() -> None:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument(
        "--root",
        default=Path(__file__).resolve().parents[2],
        type=Path,
        help="Repository root. Defaults to the current script's repository.",
    )
    args = parser.parse_args()
    validate(args.root.resolve())
    print("SECURITY_MIRROR_PROGRESS_GUARD_OK")


if __name__ == "__main__":
    main()