feat(security): add GitHub private backup evidence gate

This commit is contained in:
ogt
2026-06-26 17:45:00 +08:00
parent 59485d519c
commit 5d6b128854
10 changed files with 1621 additions and 0 deletions

View File

@@ -704,6 +704,11 @@ export const apiClient = {
return handleResponse<GiteaWorkflowRunnerHealthSnapshot>(res)
},
async getGithubTargetPrivateBackupEvidenceGate() {
const res = await fetch(`${API_BASE_URL}/agents/github-target-private-backup-evidence-gate`)
return handleResponse<GithubTargetPrivateBackupEvidenceGateSnapshot>(res)
},
async getObservabilityContractMatrix() {
const res = await fetch(`${API_BASE_URL}/agents/observability-contract-matrix`)
return handleResponse<ObservabilityContractMatrixSnapshot>(res)
@@ -12587,6 +12592,87 @@ export interface GiteaWorkflowRunnerHealthSnapshot {
approval_boundaries: Record<string, false>
}
export interface GithubTargetPrivateBackupEvidenceGateSnapshot {
schema_version: 'github_target_private_backup_evidence_gate_v1'
generated_at: string
status:
| 'blocked_public_visibility_and_safe_credential_evidence_required'
| 'blocked_private_visibility_and_safe_credential_evidence_required'
mode: 'read_only_private_backup_evidence_gate'
source_reviews: Record<string, string>
summary: {
target_decision_count: number
approval_required_target_count: number
approval_package_item_count: number
public_probe_visible_target_count: number
not_found_or_private_target_count: number
private_backup_verified_count: number
private_visibility_evidence_missing_count: number
safe_credential_required_count: number
safe_credential_accepted_evidence_count: number
owner_response_received_count: number
owner_response_accepted_count: number
execution_ready_count: number
blocked_target_count: number
external_scope_target_count: number
forbidden_action_count: number
repo_creation_authorized: false
visibility_change_authorized: false
refs_sync_authorized: false
github_primary_switch_authorized: false
workflow_modification_authorized: false
workflow_trigger_authorized: false
secret_value_collection_allowed: false
private_clone_url_collection_allowed: false
not_found_or_private_as_absent_allowed: false
public_repo_allowed: false
}
targets: Array<{
github_repo: string
source_key: string
approval_required: boolean
probe_status: string
target_state: string
risk: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL' | string
visibility_evidence_status:
| 'external_scope_not_backup_target'
| 'blocked_public_probe_visible_private_evidence_required'
| 'blocked_private_or_absent_not_verified'
| 'blocked_probe_status_unknown'
private_backup_verified: false
private_visibility_owner_evidence_ref: string | null
safe_credential_evidence_status: string
safe_credential_evidence_ref: string | null
owner_response_accepted: false
refs_sync_ready: false
execution_ready: false
blockers: string[]
evidence_refs: string[]
forbidden_actions: string[]
repo_creation_authorized: false
visibility_change_authorized: false
refs_sync_authorized: false
github_primary_switch_authorized: false
secret_values_collected: false
}>
acceptance_requirements: string[]
rejection_rules: string[]
operation_boundaries: {
read_only_api_allowed: true
github_api_write_allowed: false
gitea_api_write_allowed: false
repo_creation_allowed: false
visibility_change_allowed: false
refs_sync_allowed: false
workflow_modification_allowed: false
workflow_trigger_allowed: false
github_primary_switch_allowed: false
secret_value_collection_allowed: false
private_clone_url_collection_allowed: false
}
authorization_flags: Record<string, false>
}
export interface ObservabilityContractMatrixSnapshot {
schema_version: 'observability_contract_matrix_v1'
generated_at: string