feat(governance): 新增 P2-145 owner response 驗收門檻
All checks were successful
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m30s
CD Pipeline / build-and-deploy (push) Successful in 4m47s
CD Pipeline / post-deploy-checks (push) Successful in 1m33s

This commit is contained in:
Your Name
2026-06-14 16:02:35 +08:00
parent 12cd1eb6db
commit 386dbd078e
12 changed files with 1434 additions and 4 deletions

View File

@@ -142,6 +142,9 @@ from src.services.ai_agent_result_capture_release_decision_owner_response_prefli
from src.services.ai_agent_result_capture_release_decision_owner_response_readback import (
load_latest_ai_agent_result_capture_release_decision_owner_response_readback,
)
from src.services.ai_agent_result_capture_release_decision_owner_response_acceptance_gate import (
load_latest_ai_agent_result_capture_release_decision_owner_response_acceptance_gate,
)
from src.services.ai_agent_result_capture_owner_promotion_review import (
load_latest_ai_agent_result_capture_owner_promotion_review,
)
@@ -2490,6 +2493,38 @@ async def get_agent_result_capture_release_decision_owner_response_readback() ->
) from exc
@router.get(
"/agent-result-capture-release-decision-owner-response-acceptance-gate",
response_model=dict[str, Any],
summary="取得 AI Agent result capture release decision owner response acceptance gate",
description=(
"讀取最新已提交的 P2-145 release decision owner response acceptance gate"
"此端點只建立 P2-144 readback 後的驗收門檻,"
"不把未收到或未遮罩回覆視為正式收件、接受、拒絕或 release authorization"
"不寫 reviewer queue、Gateway queue、receipt、result capture、learning 或 PlayBook trust"
"不送 Telegram、不呼叫 Bot API、不讀 secret、不執行 production 寫入。"
),
)
async def get_agent_result_capture_release_decision_owner_response_acceptance_gate() -> dict[str, Any]:
"""Return the latest read-only release decision owner-response acceptance gate."""
try:
payload = await asyncio.to_thread(
load_latest_ai_agent_result_capture_release_decision_owner_response_acceptance_gate
)
return redact_public_lan_topology(payload)
except FileNotFoundError as exc:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail=str(exc),
) from exc
except (json.JSONDecodeError, ValueError) as exc:
logger.error("ai_agent_result_capture_release_decision_owner_response_acceptance_gate_invalid", error=str(exc))
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="AI Agent result capture release decision owner response acceptance gate 無效",
) from exc
@router.get(
"/agent-owner-approved-fixture-dry-run",
response_model=dict[str, Any],

View File

@@ -0,0 +1,383 @@
"""
AI Agent result capture release decision owner-response acceptance gate snapshot.
Loads the latest committed P2-145 owner-response acceptance gate package. This
module only validates the gate definition; it never treats a missing response as
receipt, approval, reviewer queue write, Gateway queue write, Telegram send,
Bot API call, result capture, learning, PlayBook trust, secret read,
production write, or destructive operation.
"""
from __future__ import annotations
import json
import re
from pathlib import Path
from typing import Any
from src.services.snapshot_paths import default_evaluations_dir
_DEFAULT_EVALUATIONS_DIR = default_evaluations_dir(Path(__file__))
_SNAPSHOT_PATTERN = "ai_agent_result_capture_release_decision_owner_response_acceptance_gate_*.json"
_SCHEMA_VERSION = "ai_agent_result_capture_release_decision_owner_response_acceptance_gate_v1"
_RUNTIME_AUTHORITY = "result_capture_release_decision_owner_response_acceptance_gate_only_no_live_write"
def load_latest_ai_agent_result_capture_release_decision_owner_response_acceptance_gate(
evaluations_dir: Path | None = None,
) -> dict[str, Any]:
"""Load the newest committed release decision owner-response acceptance gate."""
directory = evaluations_dir or _DEFAULT_EVALUATIONS_DIR
candidates = sorted(directory.glob(_SNAPSHOT_PATTERN))
if not candidates:
raise FileNotFoundError(
f"no AI Agent result capture release decision owner response acceptance gate snapshots found in {directory}"
)
latest = candidates[-1]
with latest.open(encoding="utf-8") as handle:
payload = json.load(handle)
if not isinstance(payload, dict):
raise ValueError(f"{latest}: expected JSON object")
label = str(latest)
_require_schema(payload, label)
_require_prior(payload, label)
_require_truth(payload, label)
_require_acceptance_gate_lanes(payload, label)
_require_validation_checks(payload, label)
_require_rejection_guards(payload, label)
_require_actions(payload, label)
_require_display_redaction(payload, label)
_require_no_forbidden_display_terms(payload, label)
_require_rollup_consistency(payload, label)
return payload
def _require_schema(payload: dict[str, Any], label: str) -> None:
if payload.get("schema_version") != _SCHEMA_VERSION:
raise ValueError(f"{label}: expected schema_version={_SCHEMA_VERSION}")
status = payload.get("program_status") or {}
expected = {
"current_priority": "P2",
"current_task_id": "P2-145",
"next_task_id": "P2-146",
"read_only_mode": True,
"runtime_authority": _RUNTIME_AUTHORITY,
"overall_completion_percent": 100,
}
mismatches = _mismatches(status, expected)
if mismatches:
raise ValueError(f"{label}: program_status mismatch: {mismatches}")
if not status.get("status_note"):
raise ValueError(f"{label}: program_status.status_note is required")
def _require_prior(payload: dict[str, Any], label: str) -> None:
prior = payload.get("prior_owner_response_readback") or {}
expected = {
"schema_version": "ai_agent_result_capture_release_decision_owner_response_readback_v1",
"current_task_id": "P2-144",
"next_task_id": "P2-145",
"response_readback_lane_count": 5,
"required_owner_field_count": 18,
"readback_validation_check_count": 6,
"readback_rejection_guard_count": 6,
"operator_action_count": 5,
"waiting_external_response_count": 5,
"no_external_response_received_count": 5,
"approval_required_subtotal": 12,
"blocked_and_critical_subtotal": 12,
}
expected.update(_owner_response_zero_counts())
mismatches = _mismatches(prior, expected)
if mismatches:
raise ValueError(f"{label}: prior_owner_response_readback mismatch: {mismatches}")
if not prior.get("readiness_note"):
raise ValueError(f"{label}: prior_owner_response_readback.readiness_note is required")
def _require_truth(payload: dict[str, Any], label: str) -> None:
truth = payload.get("owner_response_acceptance_truth") or {}
required_true = {
"p2_144_readback_loaded",
"p2_143_preflight_baseline_preserved",
"owner_response_acceptance_gate_ready",
"acceptance_gate_only_mode",
"no_acceptable_external_response",
"requires_redacted_payload",
"requires_complete_owner_fields",
"rejection_policy_preserved",
}
missing = sorted(field for field in required_true if truth.get(field) is not True)
if missing:
raise ValueError(f"{label}: owner response acceptance flags must remain true: {missing}")
required_false = {
"owner_response_received",
"owner_response_accepted",
"owner_response_rejected",
"redacted_payload_ingested",
"owner_release_authorized",
"owner_release_approved",
"owner_review_approved",
"owner_decision_approved",
"verifier_decision_approved",
"maintenance_window_approved",
"rollback_owner_confirmed",
"post_release_verifier_ready",
"final_release_candidate_approved",
"final_release_candidate_passed",
"release_decision_passed",
"release_authorization_granted",
"release_authorization_passed",
"rollback_release_passed",
"live_apply_release_passed",
"writer_apply_enabled",
"execution_apply_enabled",
"receipt_write_enabled",
"reviewer_queue_write_enabled",
"gateway_queue_write_enabled",
"telegram_send_enabled",
"bot_api_call_enabled",
"report_receipt_write_enabled",
"result_capture_write_enabled",
"learning_write_enabled",
"playbook_trust_write_enabled",
"production_write_enabled",
"secret_read_enabled",
"destructive_operation_enabled",
}
unsafe = sorted(field for field in required_false if truth.get(field) is not False)
if unsafe:
raise ValueError(f"{label}: owner response live/send/write flags must remain false: {unsafe}")
non_zero = sorted(field for field in _owner_response_zero_counts() if truth.get(field) != 0)
if non_zero:
raise ValueError(f"{label}: owner response live counters must remain zero: {non_zero}")
if not truth.get("truth_note"):
raise ValueError(f"{label}: owner_response_acceptance_truth.truth_note is required")
def _require_acceptance_gate_lanes(payload: dict[str, Any], label: str) -> None:
items = payload.get("acceptance_gate_lanes") or []
_require_ids(
items,
"gate_id",
{
"owner_release_acceptance_gate",
"verifier_acceptance_gate",
"rollback_owner_acceptance_gate",
"maintenance_window_acceptance_gate",
"live_apply_acceptance_gate",
},
label,
"acceptance gate lanes",
)
for item in items:
item_id = item.get("gate_id")
expected = {
"current_task_id": "P2-145",
"target_next_task_id": "P2-146",
"acceptance_status": "blocked_no_external_response",
"acceptance_decision": "not_evaluated",
"response_received": False,
"acceptance_passed": False,
"acceptance_rejected": False,
"redacted_payload_ingested": False,
"runtime_write_allowed": False,
"telegram_send_allowed": False,
}
mismatches = _mismatches(item, expected)
if mismatches:
raise ValueError(f"{label}: acceptance gate lane {item_id} mismatch: {mismatches}")
required_fields = item.get("required_fields") or []
if not isinstance(required_fields, list) or not required_fields:
raise ValueError(f"{label}: acceptance gate lane {item_id}.required_fields is required")
if not item.get("source_readback_id"):
raise ValueError(f"{label}: acceptance gate lane {item_id}.source_readback_id is required")
if not item.get("acceptance_summary"):
raise ValueError(f"{label}: acceptance gate lane {item_id}.acceptance_summary is required")
if not _is_redacted_sha256(item.get("evidence_hash")):
raise ValueError(f"{label}: acceptance gate lane {item_id}.evidence_hash must be redacted sha256")
def _require_validation_checks(payload: dict[str, Any], label: str) -> None:
items = payload.get("acceptance_validation_checks") or []
_require_count(items, 6, label, "acceptance validation checks")
allowed = {"blocked_no_external_response", "not_satisfied", "blocked_by_policy"}
for item in items:
item_id = item.get("check_id")
if item.get("status") not in allowed:
raise ValueError(f"{label}: acceptance validation check {item_id} status is invalid")
if item.get("runtime_write_allowed") is not False:
raise ValueError(f"{label}: acceptance validation check {item_id} must keep runtime_write_allowed=false")
if not item.get("requirement"):
raise ValueError(f"{label}: acceptance validation check {item_id}.requirement is required")
def _require_rejection_guards(payload: dict[str, Any], label: str) -> None:
items = payload.get("acceptance_rejection_guards") or []
_require_count(items, 6, label, "acceptance rejection guards")
for item in items:
item_id = item.get("guard_id")
if item.get("status") != "active":
raise ValueError(f"{label}: acceptance rejection guard {item_id} status must remain active")
if item.get("runtime_write_allowed") is not False:
raise ValueError(f"{label}: acceptance rejection guard {item_id} must keep runtime_write_allowed=false")
if not item.get("reason"):
raise ValueError(f"{label}: acceptance rejection guard {item_id}.reason is required")
def _require_actions(payload: dict[str, Any], label: str) -> None:
items = payload.get("operator_actions") or []
_require_count(items, 5, label, "operator actions")
for item in items:
item_id = str(item.get("action_id"))
stale_ids = {"p2_139", "p2_140", "p2_141", "p2_142", "p2_143"}
if any(stale_id in item_id for stale_id in stale_ids):
raise ValueError(f"{label}: operator action {item_id} must not point back to stale release gates")
if item.get("runtime_write_allowed") is not False:
raise ValueError(f"{label}: operator action {item_id} must keep runtime_write_allowed=false")
if item.get("status") not in {"ready_for_operator_review", "approval_required"}:
raise ValueError(f"{label}: operator action {item_id} status is invalid")
if not item.get("operator_instruction"):
raise ValueError(f"{label}: operator action {item_id}.operator_instruction is required")
def _require_display_redaction(payload: dict[str, Any], label: str) -> None:
contract = payload.get("display_redaction_contract") or {}
expected = {
"redaction_required": True,
"raw_prompt_display_allowed": False,
"private_reasoning_display_allowed": False,
"secret_value_display_allowed": False,
"raw_runtime_payload_display_allowed": False,
"internal_collaboration_content_display_allowed": False,
}
mismatches = _mismatches(contract, expected)
if mismatches:
raise ValueError(f"{label}: display_redaction_contract mismatch: {mismatches}")
if not contract.get("frontend_display_policy"):
raise ValueError(f"{label}: display_redaction_contract.frontend_display_policy is required")
def _require_rollup_consistency(payload: dict[str, Any], label: str) -> None:
rollups = payload.get("rollups") or {}
lanes = payload.get("acceptance_gate_lanes") or []
required_owner_field_count = sum(len(item.get("required_fields") or []) for item in lanes)
expected = {
"acceptance_gate_lane_count": len(lanes),
"required_owner_field_count": required_owner_field_count,
"acceptance_validation_check_count": len(payload.get("acceptance_validation_checks") or []),
"acceptance_rejection_guard_count": len(payload.get("acceptance_rejection_guards") or []),
"operator_action_count": len(payload.get("operator_actions") or []),
"blocked_no_external_response_count": len(lanes),
"acceptance_ready_count": 0,
"no_acceptable_external_response_count": len(lanes),
"approval_required_subtotal": 12,
"blocked_and_critical_subtotal": 12,
}
expected.update(_owner_response_zero_counts())
mismatches = _mismatches(rollups, expected)
if mismatches:
raise ValueError(f"{label}: rollups mismatch: {mismatches}")
def _require_no_forbidden_display_terms(payload: Any, label: str) -> None:
forbidden = {
"work_window_transcript",
"internal_collaboration_transcript",
"raw_prompt",
"private_reasoning",
"chain_of_thought",
"authorization_header",
"secret_value",
"工作視窗",
"內部協作",
"原始提示詞",
"私有推理",
"raw runtime payload",
"authorization header",
}
found = sorted(term for term in forbidden if _contains_term(payload, term))
if found:
raise ValueError(f"{label}: forbidden display terms leaked: {found}")
def _contains_term(value: Any, term: str) -> bool:
if isinstance(value, str):
return term.lower() in value.lower()
if isinstance(value, dict):
return any(_contains_term(child, term) for child in value.values())
if isinstance(value, list):
return any(_contains_term(child, term) for child in value)
return False
def _owner_response_zero_counts() -> dict[str, int]:
return {
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"owner_response_rejected_count": 0,
"redacted_payload_ingested_count": 0,
**_zero_count_expectations(),
}
def _zero_count_expectations() -> dict[str, int]:
return {
"owner_release_authorized_count": 0,
"owner_release_approved_count": 0,
"owner_review_approved_count": 0,
"owner_decision_approved_count": 0,
"verifier_decision_approved_count": 0,
"maintenance_window_approved_count": 0,
"rollback_owner_confirmed_count": 0,
"post_release_verifier_ready_count": 0,
"final_release_candidate_approved_count": 0,
"final_release_candidate_pass_count": 0,
"release_decision_pass_count": 0,
"release_authorization_granted_count": 0,
"release_authorization_pass_count": 0,
"rollback_release_pass_count": 0,
"live_apply_release_pass_count": 0,
"writer_apply_count": 0,
"execution_apply_count": 0,
"receipt_write_count": 0,
"reviewer_queue_write_count": 0,
"gateway_queue_write_count": 0,
"telegram_send_count": 0,
"bot_api_call_count": 0,
"report_receipt_write_count": 0,
"result_capture_write_count": 0,
"learning_write_count": 0,
"playbook_trust_write_count": 0,
"production_write_count": 0,
"secret_read_count": 0,
"destructive_operation_count": 0,
}
def _require_ids(items: list[dict[str, Any]], field: str, expected_ids: set[str], label: str, group_name: str) -> None:
actual_ids = {str(item.get(field)) for item in items}
if actual_ids != expected_ids:
raise ValueError(f"{label}: {group_name} ids mismatch: expected={sorted(expected_ids)} actual={sorted(actual_ids)}")
def _require_count(items: list[Any], expected: int, label: str, group_name: str) -> None:
if len(items) != expected:
raise ValueError(f"{label}: expected {expected} {group_name}, got {len(items)}")
def _is_redacted_sha256(value: Any) -> bool:
return isinstance(value, str) and re.fullmatch(r"sha256:[0-9a-f]{64}", value) is not None
def _mismatches(payload: dict[str, Any], expected: dict[str, Any]) -> dict[str, dict[str, Any]]:
return {
key: {"expected": expected_value, "actual": payload.get(key)}
for key, expected_value in expected.items()
if payload.get(key) != expected_value
}