feat(api): validate gitea private inventory payloads
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Failing after 2m46s
CD Pipeline / build-and-deploy (push) Has been skipped
CD Pipeline / post-deploy-checks (push) Has been skipped
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Failing after 2m46s
CD Pipeline / build-and-deploy (push) Has been skipped
CD Pipeline / post-deploy-checks (push) Has been skipped
This commit is contained in:
@@ -7,6 +7,9 @@ from fastapi import FastAPI
|
||||
from fastapi.testclient import TestClient
|
||||
|
||||
from src.api.v1.agents import router
|
||||
from src.services.gitea_authenticated_inventory_payload_validation import (
|
||||
validate_gitea_authenticated_inventory_payload,
|
||||
)
|
||||
from src.services.gitea_private_inventory_p0_scorecard import (
|
||||
load_latest_gitea_private_inventory_p0_scorecard,
|
||||
)
|
||||
@@ -25,6 +28,9 @@ def test_gitea_private_inventory_p0_scorecard_reports_active_gitea_blocker():
|
||||
assert payload["rollups"]["gitea_repo_inventory_status"] == "partial"
|
||||
assert payload["rollups"]["gitea_visibility_scope"] == "public_only"
|
||||
assert payload["rollups"]["accepted_inventory_payload_count"] == 0
|
||||
assert payload["rollups"]["authenticated_payload_validation_status"] == "needs_supplement"
|
||||
assert payload["rollups"]["authenticated_payload_validation_accepted_count"] == 0
|
||||
assert payload["rollups"]["authenticated_payload_validation_blocker_count"] == 4
|
||||
assert payload["rollups"]["owner_coverage_attestation_received_count"] == 0
|
||||
assert payload["rollups"]["owner_response_validation_received_count"] == 0
|
||||
assert payload["rollups"]["owner_response_validation_accepted_count"] == 0
|
||||
@@ -44,6 +50,7 @@ def test_gitea_private_inventory_p0_scorecard_reports_active_gitea_blocker():
|
||||
assert payload["rollups"]["github_lane_excluded_from_p0_blocker_count"] is True
|
||||
assert payload["github_retired_context"]["status"] == "stopped_retired_do_not_use"
|
||||
assert payload["github_retired_context"]["excluded_from_active_p0_blocker_math"] is True
|
||||
assert payload["authenticated_payload_validation"]["status"] == "needs_supplement"
|
||||
assert "gitea_authenticated_inventory_payload_not_accepted" in payload["active_blockers"]
|
||||
|
||||
|
||||
@@ -74,6 +81,89 @@ def test_gitea_private_inventory_p0_scorecard_endpoint_returns_readback():
|
||||
assert data["operation_boundaries"]["github_api_allowed"] is False
|
||||
assert data["operation_boundaries"]["github_cli_allowed"] is False
|
||||
assert data["operation_boundaries"]["raw_session_or_sqlite_read_allowed"] is False
|
||||
assert data["authenticated_payload_validation"]["accepted_payload_count"] == 0
|
||||
|
||||
|
||||
def test_gitea_authenticated_inventory_payload_validator_accepts_redacted_admin_export():
|
||||
payload = validate_gitea_authenticated_inventory_payload(
|
||||
_valid_authenticated_inventory_payload(),
|
||||
scorecard=_scorecard_readback(),
|
||||
)
|
||||
|
||||
assert payload["schema_version"] == "gitea_authenticated_inventory_payload_validation_v1"
|
||||
assert payload["status"] == "accepted_for_private_inventory_review_only"
|
||||
assert payload["result"]["accepted_payload_count"] == 1
|
||||
assert payload["result"]["repo_count"] == 4
|
||||
assert payload["result"]["current_active_blocker_count"] == 4
|
||||
assert payload["result"]["projected_active_blocker_count"] == 1
|
||||
assert payload["result"]["projected_accepted_inventory_payload_count"] == 1
|
||||
assert payload["result"]["projected_gitea_repo_inventory_status"] == "ok"
|
||||
assert payload["result"]["projected_gitea_visibility_scope"] == "admin_export"
|
||||
assert payload["result"]["runtime_gate_count"] == 0
|
||||
assert payload["operation_boundaries"]["payload_persisted"] is False
|
||||
assert payload["operation_boundaries"]["gitea_api_called"] is False
|
||||
assert payload["operation_boundaries"]["repo_write_performed"] is False
|
||||
assert payload["operation_boundaries"]["refs_sync_performed"] is False
|
||||
assert payload["operation_boundaries"]["github_api_used"] is False
|
||||
assert payload["operation_boundaries"]["secret_plaintext_read"] is False
|
||||
assert (
|
||||
payload["reviewer_readiness"]["status"]
|
||||
== "ready_for_owner_coverage_attestation_review"
|
||||
)
|
||||
assert payload["reviewer_readiness"]["redacted_inventory_receipt_writeback_ready_count"] == 1
|
||||
assert payload["reviewer_readiness"]["owner_coverage_attestation_still_required_count"] == 1
|
||||
assert payload["reviewer_readiness"]["repo_write_authorized_count"] == 0
|
||||
|
||||
|
||||
def test_gitea_authenticated_inventory_payload_endpoint_validates_without_persisting():
|
||||
app = FastAPI()
|
||||
app.include_router(router, prefix="/api/v1")
|
||||
client = TestClient(app)
|
||||
|
||||
response = client.post(
|
||||
"/api/v1/agents/gitea-private-inventory-p0-scorecard/validate-authenticated-inventory-payload",
|
||||
json=_valid_authenticated_inventory_payload(),
|
||||
)
|
||||
|
||||
assert response.status_code == 200
|
||||
data = response.json()
|
||||
assert data["status"] == "accepted_for_private_inventory_review_only"
|
||||
assert data["result"]["accepted_payload_count"] == 1
|
||||
assert data["result"]["projected_active_blocker_count"] == 1
|
||||
assert data["reviewer_readiness"]["redacted_inventory_receipt_writeback_ready_count"] == 1
|
||||
assert data["operation_boundaries"]["payload_persisted"] is False
|
||||
assert data["operation_boundaries"]["gitea_write_performed"] is False
|
||||
assert data["operation_boundaries"]["raw_session_or_sqlite_read_performed"] is False
|
||||
|
||||
|
||||
def test_gitea_authenticated_inventory_payload_validator_quarantines_secret_material():
|
||||
payload = _valid_authenticated_inventory_payload()
|
||||
payload["repos"][0]["clone_url_redacted"] = "https://user:password@example.test/repo.git"
|
||||
|
||||
validation = validate_gitea_authenticated_inventory_payload(
|
||||
payload,
|
||||
scorecard=_scorecard_readback(),
|
||||
)
|
||||
|
||||
assert validation["status"] == "quarantined_sensitive_payload"
|
||||
assert validation["result"]["accepted_payload_count"] == 0
|
||||
assert validation["result"]["sensitive_payload_hit_count"] >= 1
|
||||
assert validation["operation_boundaries"]["payload_persisted"] is False
|
||||
|
||||
|
||||
def test_gitea_authenticated_inventory_payload_validator_rejects_execution_request():
|
||||
payload = _valid_authenticated_inventory_payload()
|
||||
payload["repo_write_allowed"] = True
|
||||
|
||||
validation = validate_gitea_authenticated_inventory_payload(
|
||||
payload,
|
||||
scorecard=_scorecard_readback(),
|
||||
)
|
||||
|
||||
assert validation["status"] == "rejected_execution_request"
|
||||
assert validation["result"]["accepted_payload_count"] == 0
|
||||
assert validation["result"]["forbidden_true_field_count"] == 1
|
||||
assert validation["operation_boundaries"]["repo_write_performed"] is False
|
||||
|
||||
|
||||
def test_gitea_private_inventory_p0_scorecard_rejects_github_reactivation(tmp_path):
|
||||
@@ -208,3 +298,71 @@ def _scorecard_payload() -> dict:
|
||||
"then_validate_import_acceptance_and_owner_attestation"
|
||||
),
|
||||
}
|
||||
|
||||
|
||||
def _scorecard_readback() -> dict:
|
||||
return {
|
||||
"status": "blocked_waiting_gitea_authenticated_or_owner_export_inventory",
|
||||
"active_blockers": [
|
||||
"gitea_repo_inventory_status_not_ok",
|
||||
"gitea_visibility_scope_public_only_or_unknown",
|
||||
"gitea_authenticated_inventory_payload_not_accepted",
|
||||
"gitea_owner_coverage_attestation_not_received",
|
||||
],
|
||||
"rollups": {
|
||||
"accepted_inventory_payload_count": 0,
|
||||
"owner_coverage_attestation_accepted_count": 0,
|
||||
"gitea_repo_inventory_status": "partial",
|
||||
"gitea_visibility_scope": "public_only",
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
def _valid_authenticated_inventory_payload() -> dict:
|
||||
repos = [
|
||||
_repo("wooo/awoooi"),
|
||||
_repo("wooo/ewoooc"),
|
||||
_repo("wooo/agent-bounty-protocol"),
|
||||
_repo("wooo/2026FIFAWorldCup"),
|
||||
]
|
||||
return {
|
||||
"schema_version": "gitea_repo_inventory_v1",
|
||||
"base_url": "https://gitea.wooo.work",
|
||||
"org": "wooo",
|
||||
"visibility_scope": "admin_export",
|
||||
"token_present": False,
|
||||
"status": "ok",
|
||||
"repo_count": len(repos),
|
||||
"repos": repos,
|
||||
"coverage_gap_explanation": {
|
||||
"public_only_vs_admin_export": "admin export includes all in-scope repos",
|
||||
"internal_110_adjacent_scope": "covered by owner scope decision",
|
||||
"org_user_endpoint_identity": "wooo namespace owner confirmed",
|
||||
},
|
||||
"redaction_attestation": {
|
||||
"no_token_value": True,
|
||||
"no_write_token": True,
|
||||
"no_webhook_secret": True,
|
||||
"no_deploy_key_private_key": True,
|
||||
"no_runner_registration_token": True,
|
||||
"no_cookie_or_session": True,
|
||||
"no_gitea_db_dump": True,
|
||||
"no_git_object_pack": True,
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
def _repo(full_name: str) -> dict:
|
||||
_, name = full_name.split("/", 1)
|
||||
return {
|
||||
"gitea_repo": full_name,
|
||||
"name": name,
|
||||
"owner": "wooo",
|
||||
"private": False,
|
||||
"empty": False,
|
||||
"archived": False,
|
||||
"default_branch": "main",
|
||||
"clone_url_redacted": f"https://gitea.wooo.work/{full_name}.git",
|
||||
"ssh_url_redacted": f"ssh://gitea.wooo.work/{full_name}.git",
|
||||
"github_repo_candidate": "",
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user