feat(security): expand canonical asset coverage
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 4m3s
CD Pipeline / build-and-deploy (push) Failing after 10m5s
CD Pipeline / post-deploy-checks (push) Has been skipped

This commit is contained in:
ogt
2026-07-14 12:42:33 +08:00
parent 36778b35df
commit d734362768
7 changed files with 1134 additions and 130 deletions

File diff suppressed because it is too large Load Diff

View File

@@ -745,6 +745,9 @@ def build_iwooos_security_asset_control_plane(
for row in automation_source
if str(_value(row, "status", "")) == "failed"
)
# Aggregate stage receipts cannot prove that every stage belongs to one
# trace. Keep strict runtime completion closed until a same-run join exists.
same_run_closed_loop_proven = False
relationship_count = int(_value(relationship_row, "relationship_count", 0) or 0)
orphan_asset_count = int(
@@ -972,6 +975,39 @@ def build_iwooos_security_asset_control_plane(
sum(domain["controlled_percent"] for domain in security_program_domains)
/ len(security_program_domains)
)
strict_runtime_closure_percent = 100 if same_run_closed_loop_proven else 0
completion_dimensions = [
{
"dimension_id": "asset_scope",
"completion_percent": type_coverage_percent,
},
{
"dimension_id": "nist_control",
"completion_percent": overall_control_percent,
},
{
"dimension_id": "security_program",
"completion_percent": security_program_percent,
},
{
"dimension_id": "siem_pipeline",
"completion_percent": _percent(siem_observed_stages, len(_SIEM_STAGES)),
},
{
"dimension_id": "ai_loop_stages",
"completion_percent": _percent(
observed_automation_stages, len(_AI_LOOP_STAGES)
),
},
{
"dimension_id": "strict_same_run_runtime_closure",
"completion_percent": strict_runtime_closure_percent,
},
]
overall_security_completion_percent = round(
sum(row["completion_percent"] for row in completion_dimensions)
/ len(completion_dimensions)
)
return {
"schema_version": _SCHEMA_VERSION,
@@ -1012,6 +1048,9 @@ def build_iwooos_security_asset_control_plane(
if domain["status"] == "controlled"
),
"security_program_controlled_percent": security_program_percent,
"overall_security_completion_percent": (
overall_security_completion_percent
),
"siem_stage_count": len(_SIEM_STAGES),
"siem_observed_stage_count": siem_observed_stages,
"siem_stage_coverage_percent": _percent(
@@ -1031,6 +1070,13 @@ def build_iwooos_security_asset_control_plane(
"compliance_dimensions": compliance,
"nist_csf_functions": control_functions,
"security_program_domains": security_program_domains,
"completion": {
"method": "equal_weighted_runtime_conservative_v1",
"dimension_count": len(completion_dimensions),
"overall_percent": overall_security_completion_percent,
"strict_runtime_closure_percent": strict_runtime_closure_percent,
"dimensions": completion_dimensions,
},
"siem": {**siem, "pipeline": siem_pipeline},
"ai_automation": {
"window_hours": _WINDOW_HOURS,
@@ -1042,7 +1088,7 @@ def build_iwooos_security_asset_control_plane(
"verified_remediation_receipt_count": verified_receipts,
"rollback_receipt_count": rollback_receipts,
"failed_operation_count": failed_operations,
"same_run_closed_loop_proven": False,
"same_run_closed_loop_proven": same_run_closed_loop_proven,
"same_run_closed_loop_count": 0,
},
"security_audit": audit,
@@ -1093,6 +1139,7 @@ def build_unavailable_iwooos_security_asset_control_plane(
"security_program_domain_count": 16,
"security_program_controlled_domain_count": 0,
"security_program_controlled_percent": 0,
"overall_security_completion_percent": 0,
"siem_stage_count": len(_SIEM_STAGES),
"siem_observed_stage_count": 0,
"siem_stage_coverage_percent": 0,
@@ -1175,6 +1222,23 @@ def build_unavailable_iwooos_security_asset_control_plane(
("compliance_audit", "合規、稽核與證據保存"),
)
],
"completion": {
"method": "equal_weighted_runtime_conservative_v1",
"dimension_count": 6,
"overall_percent": 0,
"strict_runtime_closure_percent": 0,
"dimensions": [
{"dimension_id": dimension_id, "completion_percent": 0}
for dimension_id in (
"asset_scope",
"nist_control",
"security_program",
"siem_pipeline",
"ai_loop_stages",
"strict_same_run_runtime_closure",
)
],
},
"siem": {
"pipeline": [
{