diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 06d884925..2b17b2123 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -261,12 +261,24 @@ jobs:
 ;;
 docs/awooop/TELEGRAM-INCIDENT-NOTIFICATION-MODEL.md)
 ;;
+ docs/security/TELEGRAM-NOTIFICATION-EGRESS-INVENTORY.md)
+ ;;
+ docs/security/TELEGRAM-NOTIFICATION-EGRESS-MIGRATION-PLAN-DRAFT.md)
+ ;;
+ docs/security/TELEGRAM-NOTIFICATION-EGRESS-NO-NEW-BYPASS-GUARD.md)
+ ;;
+ docs/security/TELEGRAM-NOTIFICATION-EGRESS-OWNER-REQUEST-DRAFT.md)
+ ;;
+ docs/security/TELEGRAM-NOTIFICATION-EGRESS-OWNER-RESPONSE-ACCEPTANCE.md)
+ ;;
 docs/security/telegram-notification-egress-inventory.snapshot.json)
 ;;
 docs/security/telegram-notification-egress-owner-request-draft.snapshot.json)
 ;;
 docs/security/telegram-notification-egress-migration-plan-draft.snapshot.json)
 ;;
+ docs/security/telegram-notification-egress-no-new-bypass-guard.snapshot.json)
+ ;;
 docs/security/telegram-notification-egress-owner-response-acceptance.snapshot.json)
 ;;
 docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md)
@@ -593,10 +605,16 @@ jobs:
 ;;
 scripts/ops/backup-alert-label-contract-check.py)
 ;;
+ scripts/ops/backup-from-110.sh)
+ ;;
 scripts/ops/backup-health-textfile-exporter.py)
 ;;
 scripts/ops/docker-disk-pressure-retention-cleanup.py)
 ;;
+ scripts/ops/docker-health-monitor.sh)
+ ;;
+ scripts/ops/dr-drill.sh)
+ ;;
 scripts/ops/gitea-queue-hook-backlog-playbook.py)
 ;;
 scripts/ops/host-runaway-process-exporter.py)
@@ -605,6 +623,10 @@ jobs:
 ;;
 scripts/ops/host-sustained-load-evidence.py)
 ;;
+ scripts/ops/notify-awoooi-ops.sh)
+ ;;
+ scripts/ops/pg-backup.sh)
+ ;;
 scripts/ops/tests/test_backup_health_textfile_exporter.py)
 ;;
 scripts/ops/tests/test_docker_disk_pressure_retention_cleanup.py)
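Review bot: `scripts/ops/notify-awoooi-ops.sh` is, judging by its name, a new notification sender, and it lands in the same commit that introduces the `telegram-notification-egress-no-new-bypass-guard` script and its snapshot inventory (-261 hunk), yet nothing in this hunk shows the guard's inventory accounting for it. A notifier that sits outside the egress inventory is exactly what such a guard exists to flag, so please confirm (not visible here) that the snapshot covers this script or that the guard is configured to fail when it does not. The case statement these patterns extend starts and ends outside the hunk, so what the `;;` branches actually trigger cannot be checked from this view.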
@@ -709,6 +731,12 @@ jobs:
 ;;
 scripts/security/gitea-authenticated-inventory-payload-validator.py)
 ;;
+ scripts/security/security-mirror-progress-guard.py)
+ ;;
+ scripts/security/telegram-notification-egress-no-new-bypass-guard.py)
+ ;;
+ scripts/security/telegram-notification-egress-owner-response-acceptance.py)
+ ;;
 scripts/security/tests/test_gitea_private_inventory_p0_scorecard.py)
 ;;
 scripts/security/tests/test_gitea_authenticated_inventory_payload_validator.py)
@@ -866,7 +894,10 @@ jobs:
 ../../scripts/ops/host-sustained-load-controller.py \
 ../../scripts/ops/host-sustained-load-evidence.py \
 ../../scripts/security/gitea-private-inventory-p0-scorecard.py \
- ../../scripts/security/gitea-authenticated-inventory-payload-validator.py
+ ../../scripts/security/gitea-authenticated-inventory-payload-validator.py \
+ ../../scripts/security/security-mirror-progress-guard.py \
+ ../../scripts/security/telegram-notification-egress-no-new-bypass-guard.py \
+ ../../scripts/security/telegram-notification-egress-owner-response-acceptance.py
 python3.11 -c "import yaml; yaml.safe_load(open('../../ops/monitoring/alerts-unified.yml')); print('alerts-unified YAML OK')"
 python3.11 -c "import yaml; yaml.safe_load(open('../../ops/monitoring/alerts.yml')); print('alerts YAML OK')"
 python3.11 -c "import yaml; yaml.safe_load(open('../../ops/reboot-recovery/full-stack-cold-start-baseline.yml')); print('full-stack-cold-start-baseline YAML OK')"
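Review bot: The three security scripts added here (`security-mirror-progress-guard.py)`, `telegram-notification-egress-no-new-bypass-guard.py)`, `telegram-notification-egress-owner-response-acceptance.py)`) come without matching `scripts/security/tests/test_*.py)` entries, whereas the neighbouring validator and scorecard scripts are each paired with a test listed directly below them. For a guard whose purpose is to fail on a new bypass, a regression test that exercises its negative path is worth more than the compile-only coverage the -866 hunk adds, so unless such tests exist and are wired in elsewhere in the workflow, add the corresponding `scripts/security/tests/<test file placeholder>)` branches here following the existing pairing. The case statement this list belongs to starts and ends outside the hunk.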
@@ -899,7 +930,12 @@ jobs:
 ../../scripts/reboot-recovery/apply-credential-escrow-closeout-receipt-to-110.sh \
 ../../scripts/backup/backup-awoooi-frequent.sh \
 ../../scripts/backup/backup-status.sh \
- ../../scripts/backup/gitea-repo-bundle-backup.sh
+ ../../scripts/backup/gitea-repo-bundle-backup.sh \
+ ../../scripts/ops/backup-from-110.sh \
+ ../../scripts/ops/docker-health-monitor.sh \
+ ../../scripts/ops/dr-drill.sh \
+ ../../scripts/ops/notify-awoooi-ops.sh \
+ ../../scripts/ops/pg-backup.sh
 bash -n ../../scripts/reboot-recovery/apply-credential-escrow-closeout-receipt-to-110.sh
 DATABASE_URL="${DATABASE_URL:-postgresql+asyncpg://ci:ci@localhost/ci}" \
 PYTHONFAULTHANDLER=1 python3.11 -m pytest \
diff --git a/ops/runner/test_cd_controlled_runtime_profile.py b/ops/runner/test_cd_controlled_runtime_profile.py
index fe6d1d6ee..c47273ead 100644
--- a/ops/runner/test_cd_controlled_runtime_profile.py
+++ b/ops/runner/test_cd_controlled_runtime_profile.py
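Review bot: The command that consumes this backslash-continued list of shell scripts starts before the hunk, so its multi-file behaviour cannot be confirmed from here; if it is `bash -n` rather than a linter such as `shellcheck`, only the first file (`apply-credential-escrow-closeout-receipt-to-110.sh`) is parsed and the five newly appended `scripts/ops/*.sh` become positional parameters that are never syntax-checked. The standalone `bash -n ../../scripts/reboot-recovery/apply-credential-escrow-closeout-receipt-to-110.sh` line that follows hints that the list feeds a different tool, but that is worth verifying, for example by confirming locally that a deliberate syntax error in one of the appended scripts makes the step fail. If per-file `bash -n` is the intent, a loop such as `for f in ../../scripts/ops/*.sh; do bash -n "$f"; done` makes that explicit and stops depending on the continuation list being complete.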
@@ -189,9 +189,15 @@ def test_telegram_alert_ai_automation_matrix_stays_on_controlled_runtime_profile
 text = _workflow_text()
 expected_sources = [
 "docs/awooop/TELEGRAM-INCIDENT-NOTIFICATION-MODEL.md)",
+ "docs/security/TELEGRAM-NOTIFICATION-EGRESS-INVENTORY.md)",
+ "docs/security/TELEGRAM-NOTIFICATION-EGRESS-MIGRATION-PLAN-DRAFT.md)",
+ "docs/security/TELEGRAM-NOTIFICATION-EGRESS-NO-NEW-BYPASS-GUARD.md)",
+ "docs/security/TELEGRAM-NOTIFICATION-EGRESS-OWNER-REQUEST-DRAFT.md)",
+ "docs/security/TELEGRAM-NOTIFICATION-EGRESS-OWNER-RESPONSE-ACCEPTANCE.md)",
 "docs/security/telegram-notification-egress-inventory.snapshot.json)",
 "docs/security/telegram-notification-egress-owner-request-draft.snapshot.json)",
 "docs/security/telegram-notification-egress-migration-plan-draft.snapshot.json)",
+ "docs/security/telegram-notification-egress-no-new-bypass-guard.snapshot.json)",
 "docs/security/telegram-notification-egress-owner-response-acceptance.snapshot.json)",
 "apps/api/src/services/channel_hub.py)",
 "apps/api/src/services/telegram_alert_ai_automation_matrix.py)",
@@ -199,12 +205,28 @@ def test_telegram_alert_ai_automation_matrix_stays_on_controlled_runtime_profile
 "apps/api/tests/test_ai_agent_report_truth_actionability_review.py)",
 "apps/api/tests/test_ai_agent_report_truth_actionability_review_api.py)",
 "apps/api/tests/test_telegram_alert_ai_automation_matrix_api.py)",
+ "scripts/ops/backup-from-110.sh)",
+ "scripts/ops/docker-health-monitor.sh)",
+ "scripts/ops/dr-drill.sh)",
+ "scripts/ops/notify-awoooi-ops.sh)",
+ "scripts/ops/pg-backup.sh)",
+ "scripts/security/security-mirror-progress-guard.py)",
+ "scripts/security/telegram-notification-egress-no-new-bypass-guard.py)",
+ "scripts/security/telegram-notification-egress-owner-response-acceptance.py)",
 "src/services/channel_hub.py",
 "src/services/telegram_alert_ai_automation_matrix.py",
 "tests/test_channel_hub_grouped_alert_events.py",
 "tests/test_ai_agent_report_truth_actionability_review.py",
 "tests/test_ai_agent_report_truth_actionability_review_api.py",
 "tests/test_telegram_alert_ai_automation_matrix_api.py",
+ "../../scripts/security/security-mirror-progress-guard.py",
+ "../../scripts/security/telegram-notification-egress-no-new-bypass-guard.py",
+ "../../scripts/security/telegram-notification-egress-owner-response-acceptance.py",
+ "../../scripts/ops/backup-from-110.sh",
+ "../../scripts/ops/docker-health-monitor.sh",
+ "../../scripts/ops/dr-drill.sh",
+ "../../scripts/ops/notify-awoooi-ops.sh",
+ "../../scripts/ops/pg-backup.sh",
 ]
 for source in expected_sources:
 assert source in text
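Review bot: `assert source in text` only proves each string occurs somewhere in the workflow, so it cannot catch the failure mode the `../../scripts/...` runs actually have: a dropped ` \` continuation in the middle of the list silently ends the command and turns every later path into an argument of the following line, while every path is still present in the text. For the `../../` entries it is worth pinning the list shape as well, e.g. `assert f"{source} \\\n" in text` for every entry except the last of each run (this assumes the single space before the backslash seen in the workflow). A short comment above `expected_sources` naming the three entry forms mixed in this list — `case` patterns ending in `)`, bare in-repo paths, and `../../` syntax-check arguments — would also help whoever extends it next; the test function's `def` line lies outside the hunk.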