feat(api): close credential escrow evidence readback
All checks were successful
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 19s
CD Pipeline / build-and-deploy (push) Successful in 5m34s
CD Pipeline / post-deploy-checks (push) Successful in 1m12s
All checks were successful
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 19s
CD Pipeline / build-and-deploy (push) Successful in 5m34s
CD Pipeline / post-deploy-checks (push) Successful in 1m12s
This commit is contained in:
@@ -16,11 +16,18 @@ from typing import Any
|
||||
from src.services.backup_dr_readiness_matrix import (
|
||||
load_latest_backup_dr_readiness_matrix,
|
||||
)
|
||||
from src.services.snapshot_paths import default_security_dir
|
||||
from src.services.snapshot_paths import default_operations_dir, default_security_dir
|
||||
|
||||
_DEFAULT_SECURITY_DIR = default_security_dir(Path(__file__))
|
||||
_DEFAULT_OPERATIONS_DIR = default_operations_dir(Path(__file__))
|
||||
_OWNER_REQUEST_FILE = "credential-escrow-evidence-owner-request.snapshot.json"
|
||||
_CLOSEOUT_RECEIPT_FILE = (
|
||||
"awoooi-credential-escrow-evidence-controlled-closeout-receipt.snapshot.json"
|
||||
)
|
||||
_SCHEMA_VERSION = "credential_escrow_evidence_intake_readiness_v1"
|
||||
_CLOSEOUT_RECEIPT_SCHEMA_VERSION = (
|
||||
"credential_escrow_evidence_controlled_closeout_receipt_v1"
|
||||
)
|
||||
_VALIDATION_SCHEMA_VERSION = "credential_escrow_evidence_owner_response_validation_v1"
|
||||
_EVIDENCE_REFS_VALIDATION_SCHEMA_VERSION = (
|
||||
"credential_escrow_evidence_refs_validation_v1"
|
||||
@@ -76,9 +83,11 @@ _SECRET_VALUE_PATTERNS = {
|
||||
def load_latest_credential_escrow_evidence_intake_readiness(
|
||||
security_dir: Path | None = None,
|
||||
backup_dr_readiness_matrix: dict[str, Any] | None = None,
|
||||
operations_dir: Path | None = None,
|
||||
) -> dict[str, Any]:
|
||||
"""Load P0-005 credential escrow evidence intake readiness."""
|
||||
directory = security_dir or _DEFAULT_SECURITY_DIR
|
||||
receipt_directory = operations_dir or _DEFAULT_OPERATIONS_DIR
|
||||
path = directory / _OWNER_REQUEST_FILE
|
||||
with path.open(encoding="utf-8") as handle:
|
||||
owner_request = json.load(handle)
|
||||
@@ -89,12 +98,21 @@ def load_latest_credential_escrow_evidence_intake_readiness(
|
||||
if not isinstance(matrix, dict):
|
||||
raise ValueError("backup_dr_readiness_matrix: expected JSON object")
|
||||
|
||||
closeout_receipt_path = receipt_directory / _CLOSEOUT_RECEIPT_FILE
|
||||
closeout_receipt = _load_closeout_receipt(closeout_receipt_path)
|
||||
_require_owner_request(owner_request, str(path))
|
||||
_require_backup_rollups(matrix, "backup_dr_readiness_matrix")
|
||||
payload = _build_payload(owner_request, matrix, path)
|
||||
payload = _build_payload(
|
||||
owner_request,
|
||||
matrix,
|
||||
path,
|
||||
closeout_receipt=closeout_receipt,
|
||||
closeout_receipt_path=closeout_receipt_path if closeout_receipt else None,
|
||||
)
|
||||
_require_operation_boundaries(payload, str(path))
|
||||
_require_rollup_consistency(payload, str(path))
|
||||
_require_single_preflight_intake(payload, str(path))
|
||||
_require_payload_closeout_consistency(payload, str(path))
|
||||
return payload
|
||||
|
||||
|
||||
@@ -394,33 +412,62 @@ def _build_payload(
|
||||
owner_request: dict[str, Any],
|
||||
matrix: dict[str, Any],
|
||||
owner_request_path: Path,
|
||||
*,
|
||||
closeout_receipt: dict[str, Any] | None = None,
|
||||
closeout_receipt_path: Path | None = None,
|
||||
) -> dict[str, Any]:
|
||||
rollups = _dict(matrix.get("rollups"))
|
||||
missing_items = [_normalize_item(item) for item in _list(owner_request.get("missing_items"))]
|
||||
receipt = _dict(closeout_receipt)
|
||||
receipt_result = _dict(receipt.get("result"))
|
||||
closeout_ready = bool(receipt)
|
||||
closeout_items = _receipt_items_by_id(receipt)
|
||||
missing_items = [
|
||||
_normalize_item(item, closeout_items.get(str(_dict(item).get("item") or _dict(item).get("item_id") or "")))
|
||||
for item in _list(owner_request.get("missing_items"))
|
||||
]
|
||||
blocked_items = [
|
||||
item["item_id"]
|
||||
for item in missing_items
|
||||
if item.get("status") != "verified"
|
||||
]
|
||||
effective_missing = _int(rollups.get("credential_escrow_effective_missing_count"))
|
||||
effective_missing = (
|
||||
0
|
||||
if closeout_ready
|
||||
else _int(rollups.get("credential_escrow_effective_missing_count"))
|
||||
)
|
||||
forbidden_values = _strings(owner_request.get("forbidden_values"))
|
||||
status = str(
|
||||
rollups.get("credential_escrow_intake_status")
|
||||
or "blocked_waiting_non_secret_credential_escrow_evidence"
|
||||
)
|
||||
if effective_missing == 0 and not blocked_items:
|
||||
if closeout_ready:
|
||||
status = "closed_credential_escrow_evidence_refs_controlled_closeout"
|
||||
elif effective_missing == 0 and not blocked_items:
|
||||
status = "ready_for_escrow_marker_review"
|
||||
safe_next_step = "collect_redacted_non_secret_evidence_refs_then_rerun_preflight"
|
||||
safe_next_step = (
|
||||
str(receipt.get("safe_next_step") or "")
|
||||
if closeout_ready
|
||||
else "collect_redacted_non_secret_evidence_refs_then_rerun_preflight"
|
||||
)
|
||||
if not safe_next_step:
|
||||
safe_next_step = "continue_to_p0_006_source_to_runtime_drift_cleanup"
|
||||
rollup_readback = {
|
||||
"required_item_count": len(missing_items),
|
||||
"missing_item_count": len(blocked_items),
|
||||
"blocked_item_ids": blocked_items,
|
||||
"effective_escrow_missing_count": effective_missing,
|
||||
"owner_response_received_count": _int(
|
||||
rollups.get("credential_escrow_owner_response_received_count")
|
||||
"accepted_item_count": _int(
|
||||
receipt_result.get("accepted_item_count")
|
||||
),
|
||||
"owner_response_accepted_count": _int(
|
||||
rollups.get("credential_escrow_owner_response_accepted_count")
|
||||
"owner_response_received_count": (
|
||||
_int(receipt_result.get("owner_response_received_count"))
|
||||
if closeout_ready
|
||||
else _int(rollups.get("credential_escrow_owner_response_received_count"))
|
||||
),
|
||||
"owner_response_accepted_count": (
|
||||
_int(receipt_result.get("owner_response_accepted_count"))
|
||||
if closeout_ready
|
||||
else _int(rollups.get("credential_escrow_owner_response_accepted_count"))
|
||||
),
|
||||
"runtime_gate_count": _int(rollups.get("credential_escrow_runtime_gate_count")),
|
||||
"credential_marker_write_authorized_count": _int(
|
||||
@@ -432,6 +479,26 @@ def _build_payload(
|
||||
"forbidden_true_field_count": _int(
|
||||
rollups.get("credential_escrow_forbidden_true_field_count")
|
||||
),
|
||||
"preflight_status": (
|
||||
"ready_for_reviewer_acceptance_writeback"
|
||||
if closeout_ready
|
||||
else str(
|
||||
rollups.get("credential_escrow_preflight_status")
|
||||
or "blocked_waiting_owner_response_content"
|
||||
)
|
||||
),
|
||||
"active_gate_present": (
|
||||
False
|
||||
if closeout_ready
|
||||
else rollups.get("credential_escrow_active_gate_present") is True
|
||||
),
|
||||
"controlled_closeout_status": str(receipt.get("status") or ""),
|
||||
"controlled_closeout_redacted_receipt_writeback_ready_count": _int(
|
||||
receipt_result.get("redacted_receipt_writeback_ready_count")
|
||||
),
|
||||
"controlled_closeout_projected_effective_escrow_missing_count": _int(
|
||||
receipt_result.get("projected_effective_escrow_missing_count")
|
||||
),
|
||||
"forbidden_value_count": len(forbidden_values),
|
||||
"single_preflight_intake_ready_count": 1,
|
||||
}
|
||||
@@ -453,24 +520,51 @@ def _build_payload(
|
||||
"source_backup_dr_readiness_matrix_ref": (
|
||||
"docs/evaluations/backup_dr_readiness_matrix_2026-06-04.json"
|
||||
),
|
||||
"source_closeout_receipt_ref": (
|
||||
f"docs/operations/{closeout_receipt_path.name}"
|
||||
if closeout_receipt_path
|
||||
else ""
|
||||
),
|
||||
"single_preflight_intake_schema_version": (
|
||||
_SINGLE_PREFLIGHT_INTAKE_SCHEMA_VERSION
|
||||
),
|
||||
"safe_next_step": safe_next_step,
|
||||
},
|
||||
"required_evidence_items": missing_items,
|
||||
"controlled_closeout_receipt": receipt,
|
||||
"reviewer_readiness": _build_reviewer_readiness(
|
||||
closeout_ready=closeout_ready,
|
||||
accepted_item_ids=[item["item_id"] for item in missing_items if item.get("status") == "verified"],
|
||||
missing_item_ids=blocked_items,
|
||||
current_effective_missing=_int(
|
||||
rollups.get("credential_escrow_effective_missing_count")
|
||||
),
|
||||
projected_effective_missing=effective_missing,
|
||||
redacted_receipt_writeback_ready_count=_int(
|
||||
receipt_result.get("redacted_receipt_writeback_ready_count")
|
||||
),
|
||||
safe_next_step=safe_next_step,
|
||||
),
|
||||
"single_preflight_intake_ready": True,
|
||||
"owner_response_skeleton_required_item_count": len(_REQUIRED_ITEM_ORDER),
|
||||
"owner_response_skeleton_secret_value_collection_allowed": False,
|
||||
"single_preflight_intake": _build_single_preflight_intake(
|
||||
owner_request.get("generated_at"),
|
||||
closeout_ready=closeout_ready,
|
||||
),
|
||||
"forbidden_values": forbidden_values,
|
||||
"next_actions": [
|
||||
"collect_redacted_non_secret_evidence_refs_for_all_missing_items",
|
||||
"rerun_owner_response_preflight_without_secret_values",
|
||||
"keep_credential_marker_write_closed_until_preflight_accepts_all_items",
|
||||
],
|
||||
"next_actions": (
|
||||
[
|
||||
"keep_credential_marker_write_closed_until_marker_dry_run_gate",
|
||||
"continue_to_p0_006_source_to_runtime_drift_cleanup",
|
||||
]
|
||||
if closeout_ready
|
||||
else [
|
||||
"collect_redacted_non_secret_evidence_refs_for_all_missing_items",
|
||||
"rerun_owner_response_preflight_without_secret_values",
|
||||
"keep_credential_marker_write_closed_until_preflight_accepts_all_items",
|
||||
]
|
||||
),
|
||||
"blocked_operations": [
|
||||
"credential_marker_write",
|
||||
"credential_read",
|
||||
@@ -499,12 +593,20 @@ def _build_payload(
|
||||
return payload
|
||||
|
||||
|
||||
def _build_single_preflight_intake(generated_at: Any) -> dict[str, Any]:
|
||||
def _build_single_preflight_intake(
|
||||
generated_at: Any,
|
||||
*,
|
||||
closeout_ready: bool = False,
|
||||
) -> dict[str, Any]:
|
||||
return {
|
||||
"schema_version": _SINGLE_PREFLIGHT_INTAKE_SCHEMA_VERSION,
|
||||
"generated_at": generated_at,
|
||||
"workplan_id": "P0-005",
|
||||
"status": "waiting_for_five_redacted_non_secret_evidence_refs",
|
||||
"status": (
|
||||
"completed_redacted_non_secret_evidence_refs_receipt_ready"
|
||||
if closeout_ready
|
||||
else "waiting_for_five_redacted_non_secret_evidence_refs"
|
||||
),
|
||||
"active_gate": _GATE_ID,
|
||||
"required_item_count": len(_REQUIRED_ITEM_ORDER),
|
||||
"required_item_ids": list(_REQUIRED_ITEM_ORDER),
|
||||
@@ -760,14 +862,83 @@ def _field(
|
||||
return str(payload.get(key) or defaults.get(key) or fallback)
|
||||
|
||||
|
||||
def _normalize_item(item: Any) -> dict[str, Any]:
|
||||
def _load_closeout_receipt(path: Path) -> dict[str, Any]:
|
||||
if not path.exists():
|
||||
return {}
|
||||
with path.open(encoding="utf-8") as handle:
|
||||
receipt = json.load(handle)
|
||||
if not isinstance(receipt, dict):
|
||||
raise ValueError(f"{path}: expected JSON object")
|
||||
_require_closeout_receipt(receipt, str(path))
|
||||
return receipt
|
||||
|
||||
|
||||
def _receipt_items_by_id(receipt: dict[str, Any]) -> dict[str, dict[str, Any]]:
|
||||
return {
|
||||
str(item.get("item_id") or ""): _dict(item)
|
||||
for item in _list(receipt.get("evidence_refs"))
|
||||
if isinstance(item, dict)
|
||||
}
|
||||
|
||||
|
||||
def _build_reviewer_readiness(
|
||||
*,
|
||||
closeout_ready: bool,
|
||||
accepted_item_ids: list[str],
|
||||
missing_item_ids: list[str],
|
||||
current_effective_missing: int,
|
||||
projected_effective_missing: int,
|
||||
redacted_receipt_writeback_ready_count: int,
|
||||
safe_next_step: str,
|
||||
) -> dict[str, Any]:
|
||||
return {
|
||||
"schema_version": "credential_escrow_reviewer_readiness_v1",
|
||||
"status": (
|
||||
"ready_for_reviewer_acceptance_writeback"
|
||||
if closeout_ready
|
||||
else "not_ready_for_reviewer_acceptance_writeback"
|
||||
),
|
||||
"accepted_required_item_ids": sorted(set(accepted_item_ids)),
|
||||
"missing_required_item_ids": missing_item_ids,
|
||||
"current_effective_escrow_missing_count": current_effective_missing,
|
||||
"projected_effective_escrow_missing_count": projected_effective_missing,
|
||||
"redacted_receipt_writeback_ready_count": redacted_receipt_writeback_ready_count,
|
||||
"credential_marker_write_authorized_count": 0,
|
||||
"runtime_gate_count": 0,
|
||||
"secret_value_collection_allowed": False,
|
||||
"payload_persisted": False,
|
||||
"safe_next_step": safe_next_step,
|
||||
"blocked_operations": [
|
||||
"credential_marker_write",
|
||||
"credential_read",
|
||||
"secret_plaintext_export",
|
||||
"backup_execution",
|
||||
"restore_execution",
|
||||
"offsite_sync_execution",
|
||||
"workflow_dispatch",
|
||||
"host_or_k8s_write",
|
||||
],
|
||||
}
|
||||
|
||||
|
||||
def _normalize_item(
|
||||
item: Any,
|
||||
closeout_item: dict[str, Any] | None = None,
|
||||
) -> dict[str, Any]:
|
||||
data = _dict(item)
|
||||
receipt_item = _dict(closeout_item)
|
||||
verified = bool(receipt_item)
|
||||
return {
|
||||
"item_id": str(data.get("item") or data.get("item_id") or ""),
|
||||
"status": str(data.get("status") or "missing"),
|
||||
"status": "verified" if verified else str(data.get("status") or "missing"),
|
||||
"allowed_evidence_id_types": _strings(data.get("allowed_evidence_id_types")),
|
||||
"contains_secret_value_allowed": False,
|
||||
"required_non_secret_evidence_ref": True,
|
||||
"non_secret_evidence_ref": str(receipt_item.get("non_secret_evidence_ref") or ""),
|
||||
"recovery_owner": str(receipt_item.get("recovery_owner") or ""),
|
||||
"reviewer": str(receipt_item.get("reviewer") or ""),
|
||||
"last_reviewed_at": str(receipt_item.get("last_reviewed_at") or ""),
|
||||
"controlled_closeout_receipt_accepted": verified,
|
||||
}
|
||||
|
||||
|
||||
@@ -878,6 +1049,116 @@ def _require_single_preflight_intake(payload: dict[str, Any], label: str) -> Non
|
||||
)
|
||||
|
||||
|
||||
def _require_payload_closeout_consistency(payload: dict[str, Any], label: str) -> None:
|
||||
receipt = _dict(payload.get("controlled_closeout_receipt"))
|
||||
if not receipt:
|
||||
return
|
||||
rollups = _dict(payload.get("rollups"))
|
||||
reviewer = _dict(payload.get("reviewer_readiness"))
|
||||
if payload.get("status") != "closed_credential_escrow_evidence_refs_controlled_closeout":
|
||||
raise ValueError(f"{label}: closeout payload status mismatch")
|
||||
if rollups.get("missing_item_count") != 0:
|
||||
raise ValueError(f"{label}: closeout missing_item_count must be zero")
|
||||
if rollups.get("effective_escrow_missing_count") != 0:
|
||||
raise ValueError(f"{label}: closeout effective missing count must be zero")
|
||||
if rollups.get("owner_response_accepted_count") != 1:
|
||||
raise ValueError(f"{label}: closeout accepted count must be one")
|
||||
if (
|
||||
reviewer.get("status")
|
||||
!= "ready_for_reviewer_acceptance_writeback"
|
||||
):
|
||||
raise ValueError(f"{label}: closeout reviewer readiness mismatch")
|
||||
if reviewer.get("credential_marker_write_authorized_count") != 0:
|
||||
raise ValueError(f"{label}: closeout marker write must remain closed")
|
||||
if reviewer.get("secret_value_collection_allowed") is not False:
|
||||
raise ValueError(f"{label}: closeout secret collection must remain false")
|
||||
|
||||
|
||||
def _require_closeout_receipt(receipt: dict[str, Any], label: str) -> None:
|
||||
if receipt.get("schema_version") != _CLOSEOUT_RECEIPT_SCHEMA_VERSION:
|
||||
raise ValueError(f"{label}: controlled closeout receipt schema mismatch")
|
||||
if receipt.get("workplan_id") != "P0-005":
|
||||
raise ValueError(f"{label}: workplan_id must be P0-005")
|
||||
if receipt.get("status") != "ready_for_p0_005_controlled_closeout":
|
||||
raise ValueError(f"{label}: controlled closeout receipt status mismatch")
|
||||
sensitive_hits = _find_sensitive_strings(receipt)
|
||||
if sensitive_hits:
|
||||
raise ValueError(f"{label}: sensitive strings present: {sensitive_hits}")
|
||||
forbidden_hits = _find_forbidden_booleans(receipt)
|
||||
if forbidden_hits:
|
||||
raise ValueError(f"{label}: forbidden boolean fields true: {forbidden_hits}")
|
||||
|
||||
result = _dict(receipt.get("result"))
|
||||
if _int(result.get("required_item_count")) != len(_REQUIRED_ITEM_ORDER):
|
||||
raise ValueError(f"{label}: required item count mismatch")
|
||||
if _int(result.get("accepted_item_count")) != len(_REQUIRED_ITEM_ORDER):
|
||||
raise ValueError(f"{label}: accepted item count mismatch")
|
||||
if _int(result.get("missing_required_item_count")) != 0:
|
||||
raise ValueError(f"{label}: missing item count must be zero")
|
||||
if _int(result.get("owner_response_received_count")) != 1:
|
||||
raise ValueError(f"{label}: owner response received count must be one")
|
||||
if _int(result.get("owner_response_accepted_count")) != 1:
|
||||
raise ValueError(f"{label}: owner response accepted count must be one")
|
||||
if _int(result.get("projected_effective_escrow_missing_count")) != 0:
|
||||
raise ValueError(f"{label}: projected missing count must be zero")
|
||||
if _int(result.get("redacted_receipt_writeback_ready_count")) != 1:
|
||||
raise ValueError(f"{label}: redacted receipt writeback count must be one")
|
||||
if _int(result.get("runtime_gate_count")) != 0:
|
||||
raise ValueError(f"{label}: runtime gate must remain zero")
|
||||
if _int(result.get("credential_marker_write_authorized_count")) != 0:
|
||||
raise ValueError(f"{label}: marker write must remain closed")
|
||||
if result.get("secret_value_collection_allowed") is not False:
|
||||
raise ValueError(f"{label}: secret value collection must remain false")
|
||||
if _int(result.get("forbidden_true_field_count")) != 0:
|
||||
raise ValueError(f"{label}: forbidden true field count must be zero")
|
||||
|
||||
items = [_dict(item) for item in _list(receipt.get("evidence_refs"))]
|
||||
item_ids = [str(item.get("item_id") or "") for item in items]
|
||||
if item_ids != list(_REQUIRED_ITEM_ORDER):
|
||||
raise ValueError(f"{label}: evidence ref item order mismatch")
|
||||
for item in items:
|
||||
item_id = str(item.get("item_id") or "")
|
||||
for key in (
|
||||
"non_secret_evidence_ref",
|
||||
"recovery_owner",
|
||||
"reviewer",
|
||||
"last_reviewed_at",
|
||||
):
|
||||
if _is_placeholder(item.get(key)):
|
||||
raise ValueError(f"{label}: {item_id}.{key} missing")
|
||||
if item.get("contains_secret_value") is not False:
|
||||
raise ValueError(f"{label}: {item_id}.contains_secret_value must be false")
|
||||
|
||||
writeback = _dict(receipt.get("writeback"))
|
||||
if writeback.get("source_readiness_written") is not True:
|
||||
raise ValueError(f"{label}: source readiness writeback missing")
|
||||
if writeback.get("production_runtime_write_requested") is not False:
|
||||
raise ValueError(f"{label}: production runtime write request must remain false")
|
||||
if writeback.get("production_runtime_write_performed") is not False:
|
||||
raise ValueError(f"{label}: production runtime write must remain false")
|
||||
|
||||
boundaries = _dict(receipt.get("operation_boundaries"))
|
||||
if boundaries.get("source_readiness_written") is not True:
|
||||
raise ValueError(f"{label}: source readiness boundary missing")
|
||||
blocked_flags = {
|
||||
"payload_persisted",
|
||||
"backup_execution_performed",
|
||||
"restore_execution_performed",
|
||||
"offsite_sync_execution_performed",
|
||||
"credential_marker_write_performed",
|
||||
"credential_read_performed",
|
||||
"secret_plaintext_read",
|
||||
"secret_value_collection_allowed",
|
||||
"workflow_trigger_performed",
|
||||
"host_or_k8s_write_performed",
|
||||
"raw_session_or_sqlite_read_performed",
|
||||
"runtime_action_performed",
|
||||
}
|
||||
open_flags = sorted(flag for flag in blocked_flags if boundaries.get(flag) is not False)
|
||||
if open_flags:
|
||||
raise ValueError(f"{label}: closeout boundaries opened: {open_flags}")
|
||||
|
||||
|
||||
def _dict(value: Any) -> dict[str, Any]:
|
||||
return value if isinstance(value, dict) else {}
|
||||
|
||||
|
||||
@@ -109,6 +109,10 @@ def build_delivery_closure_workbench(
|
||||
)
|
||||
credential_intake_rollups = _dict(credential_escrow_intake.get("rollups"))
|
||||
credential_intake_readback = _dict(credential_escrow_intake.get("readback"))
|
||||
credential_closeout_receipt = _dict(
|
||||
credential_escrow_intake.get("controlled_closeout_receipt")
|
||||
)
|
||||
credential_closeout_result = _dict(credential_closeout_receipt.get("result"))
|
||||
single_preflight_intake = _dict(
|
||||
credential_escrow_intake.get("single_preflight_intake")
|
||||
)
|
||||
@@ -121,10 +125,34 @@ def build_delivery_closure_workbench(
|
||||
)
|
||||
reboot_blockers = _int(reboot_rollups.get("active_blocker_count"))
|
||||
credential_escrow_required_items = _int(
|
||||
backup_rollups.get("credential_escrow_required_item_count")
|
||||
credential_intake_rollups.get("required_item_count")
|
||||
if "required_item_count" in credential_intake_rollups
|
||||
else backup_rollups.get("credential_escrow_required_item_count")
|
||||
)
|
||||
credential_escrow_missing_items = _int(
|
||||
backup_rollups.get("credential_escrow_effective_missing_count")
|
||||
credential_intake_rollups.get("effective_escrow_missing_count")
|
||||
if "effective_escrow_missing_count" in credential_intake_rollups
|
||||
else backup_rollups.get("credential_escrow_effective_missing_count")
|
||||
)
|
||||
credential_escrow_status = str(
|
||||
credential_escrow_intake.get("status")
|
||||
or backup_rollups.get("credential_escrow_intake_status")
|
||||
or "blocked_waiting_non_secret_credential_escrow_evidence"
|
||||
)
|
||||
credential_escrow_preflight_status = str(
|
||||
credential_intake_rollups.get("preflight_status")
|
||||
or backup_rollups.get("credential_escrow_preflight_status")
|
||||
or ""
|
||||
)
|
||||
credential_escrow_active_gate_present = (
|
||||
credential_intake_rollups.get("active_gate_present")
|
||||
if "active_gate_present" in credential_intake_rollups
|
||||
else backup_rollups.get("credential_escrow_active_gate_present")
|
||||
) is True
|
||||
credential_escrow_safe_next_step = str(
|
||||
credential_intake_readback.get("safe_next_step")
|
||||
or credential_escrow_intake.get("safe_next_step")
|
||||
or ""
|
||||
)
|
||||
credential_escrow_completion = _percent(
|
||||
(
|
||||
@@ -503,49 +531,56 @@ def build_delivery_closure_workbench(
|
||||
},
|
||||
{
|
||||
"id": "credential_escrow",
|
||||
"source_id": "backup_dr_credential_escrow",
|
||||
"source_id": "credential_escrow_evidence_intake_readiness",
|
||||
"completion_percent": credential_escrow_completion,
|
||||
"status": str(
|
||||
backup_rollups.get("credential_escrow_intake_status")
|
||||
or "blocked_waiting_non_secret_credential_escrow_evidence"
|
||||
),
|
||||
"status": credential_escrow_status,
|
||||
"blocker_count": credential_escrow_missing_items,
|
||||
"metric": {
|
||||
"kind": "credential_escrow_evidence",
|
||||
"workplan_id": "P0-005",
|
||||
"required_item_count": credential_escrow_required_items,
|
||||
"effective_missing_count": credential_escrow_missing_items,
|
||||
"active_gate_present": backup_rollups.get(
|
||||
"credential_escrow_active_gate_present"
|
||||
)
|
||||
is True,
|
||||
"preflight_status": str(
|
||||
backup_rollups.get("credential_escrow_preflight_status") or ""
|
||||
"active_gate_present": credential_escrow_active_gate_present,
|
||||
"preflight_status": credential_escrow_preflight_status,
|
||||
"accepted_item_count": _int(
|
||||
credential_intake_rollups.get("accepted_item_count")
|
||||
),
|
||||
"owner_response_received_count": _int(
|
||||
backup_rollups.get(
|
||||
"credential_escrow_owner_response_received_count"
|
||||
)
|
||||
credential_intake_rollups.get("owner_response_received_count")
|
||||
),
|
||||
"owner_response_accepted_count": _int(
|
||||
backup_rollups.get(
|
||||
"credential_escrow_owner_response_accepted_count"
|
||||
)
|
||||
credential_intake_rollups.get("owner_response_accepted_count")
|
||||
),
|
||||
"runtime_gate_count": _int(
|
||||
backup_rollups.get("credential_escrow_runtime_gate_count")
|
||||
credential_intake_rollups.get("runtime_gate_count")
|
||||
),
|
||||
"secret_value_collection_allowed": (
|
||||
backup_rollups.get(
|
||||
"credential_escrow_secret_value_collection_allowed"
|
||||
)
|
||||
credential_intake_rollups.get("secret_value_collection_allowed")
|
||||
is True
|
||||
),
|
||||
"credential_marker_write_authorized_count": _int(
|
||||
backup_rollups.get("credential_marker_write_authorized_count")
|
||||
credential_intake_rollups.get(
|
||||
"credential_marker_write_authorized_count"
|
||||
)
|
||||
),
|
||||
"forbidden_true_field_count": _int(
|
||||
backup_rollups.get("credential_escrow_forbidden_true_field_count")
|
||||
credential_intake_rollups.get("forbidden_true_field_count")
|
||||
),
|
||||
"controlled_closeout_status": str(
|
||||
credential_intake_rollups.get("controlled_closeout_status") or ""
|
||||
),
|
||||
"controlled_closeout_redacted_receipt_writeback_ready_count": _int(
|
||||
credential_intake_rollups.get(
|
||||
"controlled_closeout_redacted_receipt_writeback_ready_count"
|
||||
)
|
||||
),
|
||||
"controlled_closeout_source_ref": str(
|
||||
credential_intake_readback.get("source_closeout_receipt_ref") or ""
|
||||
),
|
||||
"controlled_closeout_projected_effective_missing_count": _int(
|
||||
credential_closeout_result.get(
|
||||
"projected_effective_escrow_missing_count"
|
||||
)
|
||||
),
|
||||
"single_preflight_intake_ready": (
|
||||
credential_escrow_intake.get("single_preflight_intake_ready")
|
||||
@@ -596,7 +631,7 @@ def build_delivery_closure_workbench(
|
||||
),
|
||||
},
|
||||
"href": "/operations",
|
||||
"next_action": "collect_redacted_non_secret_evidence_refs_then_rerun_preflight",
|
||||
"next_action": credential_escrow_safe_next_step,
|
||||
},
|
||||
{
|
||||
"id": "gitea_private_inventory",
|
||||
@@ -807,46 +842,44 @@ def build_delivery_closure_workbench(
|
||||
or ""
|
||||
),
|
||||
"credential_escrow_intake_status": str(
|
||||
backup_rollups.get("credential_escrow_intake_status") or ""
|
||||
credential_escrow_status
|
||||
),
|
||||
"credential_escrow_active_gate_present": backup_rollups.get(
|
||||
"credential_escrow_active_gate_present"
|
||||
)
|
||||
is True,
|
||||
"credential_escrow_preflight_status": str(
|
||||
backup_rollups.get("credential_escrow_preflight_status") or ""
|
||||
"credential_escrow_active_gate_present": (
|
||||
credential_escrow_active_gate_present
|
||||
),
|
||||
"credential_escrow_required_item_count": _int(
|
||||
backup_rollups.get("credential_escrow_required_item_count")
|
||||
),
|
||||
"credential_escrow_effective_missing_count": _int(
|
||||
backup_rollups.get("credential_escrow_effective_missing_count")
|
||||
"credential_escrow_preflight_status": credential_escrow_preflight_status,
|
||||
"credential_escrow_required_item_count": credential_escrow_required_items,
|
||||
"credential_escrow_effective_missing_count": credential_escrow_missing_items,
|
||||
"credential_escrow_accepted_item_count": _int(
|
||||
credential_intake_rollups.get("accepted_item_count")
|
||||
),
|
||||
"credential_escrow_owner_response_received_count": _int(
|
||||
backup_rollups.get(
|
||||
"credential_escrow_owner_response_received_count"
|
||||
)
|
||||
credential_intake_rollups.get("owner_response_received_count")
|
||||
),
|
||||
"credential_escrow_owner_response_accepted_count": _int(
|
||||
backup_rollups.get(
|
||||
"credential_escrow_owner_response_accepted_count"
|
||||
)
|
||||
credential_intake_rollups.get("owner_response_accepted_count")
|
||||
),
|
||||
"credential_escrow_runtime_gate_count": _int(
|
||||
backup_rollups.get("credential_escrow_runtime_gate_count")
|
||||
credential_intake_rollups.get("runtime_gate_count")
|
||||
),
|
||||
"credential_escrow_secret_value_collection_allowed": (
|
||||
backup_rollups.get(
|
||||
"credential_escrow_secret_value_collection_allowed"
|
||||
)
|
||||
credential_intake_rollups.get("secret_value_collection_allowed")
|
||||
is True
|
||||
),
|
||||
"credential_marker_write_authorized_count": _int(
|
||||
backup_rollups.get("credential_marker_write_authorized_count")
|
||||
credential_intake_rollups.get(
|
||||
"credential_marker_write_authorized_count"
|
||||
)
|
||||
),
|
||||
"credential_escrow_forbidden_true_field_count": _int(
|
||||
backup_rollups.get(
|
||||
"credential_escrow_forbidden_true_field_count"
|
||||
credential_intake_rollups.get("forbidden_true_field_count")
|
||||
),
|
||||
"credential_escrow_controlled_closeout_status": str(
|
||||
credential_intake_rollups.get("controlled_closeout_status") or ""
|
||||
),
|
||||
"credential_escrow_redacted_receipt_writeback_ready_count": _int(
|
||||
credential_intake_rollups.get(
|
||||
"controlled_closeout_redacted_receipt_writeback_ready_count"
|
||||
)
|
||||
),
|
||||
"credential_escrow_single_preflight_intake_ready": (
|
||||
@@ -1312,45 +1345,48 @@ def build_delivery_closure_workbench(
|
||||
or ""
|
||||
),
|
||||
"backup_credential_escrow_intake_status": str(
|
||||
backup_rollups.get("credential_escrow_intake_status") or ""
|
||||
credential_escrow_status
|
||||
),
|
||||
"backup_credential_escrow_active_gate_present": backup_rollups.get(
|
||||
"credential_escrow_active_gate_present"
|
||||
)
|
||||
is True,
|
||||
"backup_credential_escrow_preflight_status": str(
|
||||
backup_rollups.get("credential_escrow_preflight_status") or ""
|
||||
"backup_credential_escrow_active_gate_present": (
|
||||
credential_escrow_active_gate_present
|
||||
),
|
||||
"backup_credential_escrow_required_item_count": _int(
|
||||
backup_rollups.get("credential_escrow_required_item_count")
|
||||
),
|
||||
"backup_credential_escrow_effective_missing_count": _int(
|
||||
backup_rollups.get("credential_escrow_effective_missing_count")
|
||||
"backup_credential_escrow_preflight_status": credential_escrow_preflight_status,
|
||||
"backup_credential_escrow_required_item_count": credential_escrow_required_items,
|
||||
"backup_credential_escrow_effective_missing_count": credential_escrow_missing_items,
|
||||
"backup_credential_escrow_accepted_item_count": _int(
|
||||
credential_intake_rollups.get("accepted_item_count")
|
||||
),
|
||||
"backup_credential_escrow_owner_response_received_count": _int(
|
||||
backup_rollups.get(
|
||||
"credential_escrow_owner_response_received_count"
|
||||
)
|
||||
credential_intake_rollups.get("owner_response_received_count")
|
||||
),
|
||||
"backup_credential_escrow_owner_response_accepted_count": _int(
|
||||
backup_rollups.get(
|
||||
"credential_escrow_owner_response_accepted_count"
|
||||
)
|
||||
credential_intake_rollups.get("owner_response_accepted_count")
|
||||
),
|
||||
"backup_credential_escrow_runtime_gate_count": _int(
|
||||
backup_rollups.get("credential_escrow_runtime_gate_count")
|
||||
credential_intake_rollups.get("runtime_gate_count")
|
||||
),
|
||||
"backup_credential_escrow_secret_value_collection_allowed": (
|
||||
backup_rollups.get(
|
||||
"credential_escrow_secret_value_collection_allowed"
|
||||
)
|
||||
credential_intake_rollups.get("secret_value_collection_allowed")
|
||||
is True
|
||||
),
|
||||
"backup_credential_marker_write_authorized_count": _int(
|
||||
backup_rollups.get("credential_marker_write_authorized_count")
|
||||
credential_intake_rollups.get(
|
||||
"credential_marker_write_authorized_count"
|
||||
)
|
||||
),
|
||||
"backup_credential_escrow_forbidden_true_field_count": _int(
|
||||
backup_rollups.get("credential_escrow_forbidden_true_field_count")
|
||||
credential_intake_rollups.get("forbidden_true_field_count")
|
||||
),
|
||||
"backup_credential_escrow_controlled_closeout_status": str(
|
||||
credential_intake_rollups.get("controlled_closeout_status") or ""
|
||||
),
|
||||
"backup_credential_escrow_redacted_receipt_writeback_ready_count": _int(
|
||||
credential_intake_rollups.get(
|
||||
"controlled_closeout_redacted_receipt_writeback_ready_count"
|
||||
)
|
||||
),
|
||||
"backup_credential_escrow_closeout_receipt_ref": str(
|
||||
credential_intake_readback.get("source_closeout_receipt_ref") or ""
|
||||
),
|
||||
"backup_credential_escrow_single_preflight_intake_ready": (
|
||||
credential_escrow_intake.get("single_preflight_intake_ready") is True
|
||||
|
||||
Reference in New Issue
Block a user