feat(governance): expose credential escrow intake readiness

This commit is contained in:
Your Name
2026-06-29 13:47:57 +08:00
parent 9362588ced
commit cecfa54575
6 changed files with 425 additions and 0 deletions

View File

@@ -0,0 +1,133 @@
from __future__ import annotations
import json
import pytest
from fastapi import FastAPI
from fastapi.testclient import TestClient
from src.api.v1.agents import router
from src.services.credential_escrow_evidence_intake_readiness import (
load_latest_credential_escrow_evidence_intake_readiness,
)
def test_credential_escrow_evidence_intake_reports_p0_blocker():
payload = load_latest_credential_escrow_evidence_intake_readiness()
assert payload["schema_version"] == "credential_escrow_evidence_intake_readiness_v1"
assert payload["priority"] == "P0-005"
assert payload["status"] == "blocked_waiting_non_secret_credential_escrow_evidence"
assert payload["rollups"]["required_item_count"] == 5
assert payload["rollups"]["missing_item_count"] == 5
assert payload["rollups"]["effective_escrow_missing_count"] == 5
assert payload["rollups"]["owner_response_received_count"] == 0
assert payload["rollups"]["owner_response_accepted_count"] == 0
assert payload["rollups"]["runtime_gate_count"] == 0
assert payload["rollups"]["credential_marker_write_authorized_count"] == 0
assert payload["rollups"]["secret_value_collection_allowed"] is False
assert payload["operation_boundaries"]["credential_marker_write_allowed"] is False
assert payload["operation_boundaries"]["credential_read_allowed"] is False
assert payload["operation_boundaries"]["secret_plaintext_allowed"] is False
assert payload["operation_boundaries"]["raw_session_or_sqlite_read_allowed"] is False
assert "restic_repository_password" in payload["rollups"]["blocked_item_ids"]
assert all(
item["contains_secret_value_allowed"] is False
for item in payload["required_evidence_items"]
)
def test_credential_escrow_evidence_intake_endpoint_returns_readiness():
app = FastAPI()
app.include_router(router, prefix="/api/v1")
client = TestClient(app)
response = client.get("/api/v1/agents/credential-escrow-evidence-intake-readiness")
assert response.status_code == 200
data = response.json()
assert data["priority"] == "P0-005"
assert data["rollups"]["missing_item_count"] == 5
assert data["operation_boundaries"]["restore_execution_allowed"] is False
assert data["operation_boundaries"]["workflow_trigger_allowed"] is False
def test_credential_escrow_evidence_intake_rejects_secret_collection(tmp_path):
security_dir = tmp_path / "security"
security_dir.mkdir()
owner_request = {
"scope": "credential_escrow_evidence_owner_request",
"generated_at": "2026-06-29T00:00:00+08:00",
"missing_items": [
{
"item": "restic_repository_password",
"status": "missing",
"allowed_evidence_id_types": ["vault_item_id"],
}
],
"forbidden_values": ["password"],
"gates": {
"secret_value_collection_authorized": True,
"marker_write_completed": False,
},
}
(security_dir / "credential-escrow-evidence-owner-request.snapshot.json").write_text(
json.dumps(owner_request),
encoding="utf-8",
)
with pytest.raises(ValueError, match="secret value collection"):
load_latest_credential_escrow_evidence_intake_readiness(
security_dir,
backup_dr_readiness_matrix=_backup_matrix(),
)
def test_credential_escrow_evidence_intake_rejects_marker_write_authorization(tmp_path):
security_dir = tmp_path / "security"
security_dir.mkdir()
owner_request = {
"scope": "credential_escrow_evidence_owner_request",
"generated_at": "2026-06-29T00:00:00+08:00",
"missing_items": [
{
"item": "restic_repository_password",
"status": "missing",
"allowed_evidence_id_types": ["vault_item_id"],
}
],
"forbidden_values": ["password"],
"gates": {
"secret_value_collection_authorized": False,
"marker_write_completed": False,
},
}
(security_dir / "credential-escrow-evidence-owner-request.snapshot.json").write_text(
json.dumps(owner_request),
encoding="utf-8",
)
matrix = _backup_matrix()
matrix["rollups"]["credential_marker_write_authorized_count"] = 1
with pytest.raises(ValueError, match="credential marker write"):
load_latest_credential_escrow_evidence_intake_readiness(
security_dir,
backup_dr_readiness_matrix=matrix,
)
def _backup_matrix() -> dict:
return {
"rollups": {
"credential_escrow_intake_status": (
"blocked_waiting_non_secret_credential_escrow_evidence"
),
"credential_escrow_effective_missing_count": 1,
"credential_escrow_owner_response_received_count": 0,
"credential_escrow_owner_response_accepted_count": 0,
"credential_escrow_runtime_gate_count": 0,
"credential_marker_write_authorized_count": 0,
"credential_escrow_secret_value_collection_allowed": False,
"credential_escrow_forbidden_true_field_count": 0,
}
}