docs(security): add owner response audit collection checks

This commit is contained in:
Your Name
2026-05-19 12:06:15 +08:00
parent fcd94b5a4b
commit f6a21be530
19 changed files with 276 additions and 40 deletions

View File

@@ -107,6 +107,7 @@ def validate(root: Path) -> None:
"s4_13_owner_response_validation_reviewer_outcome_lanes",
"s4_13_owner_response_validation_reviewer_audit_event_templates",
"s4_13_owner_response_validation_reviewer_audit_display_sections",
"s4_13_owner_response_validation_reviewer_audit_collection_checks",
]
assert_equal(
"progress_delta_ledger.delta_ids",
@@ -167,6 +168,11 @@ def validate(root: Path) -> None:
owner_summary["owner_response_validation_reviewer_audit_display_section_count"],
5,
)
assert_equal(
"owner_rollup.owner_response_validation_reviewer_audit_collection_check_count",
owner_summary["owner_response_validation_reviewer_audit_collection_check_count"],
6,
)
assert_false("owner_rollup.runtime_execution_authorized", owner_summary["runtime_execution_authorized"])
assert_false("owner_rollup.repo_creation_authorized", owner_summary["repo_creation_authorized"])
assert_false("owner_rollup.refs_sync_authorized", owner_summary["refs_sync_authorized"])

View File

@@ -334,6 +334,15 @@ EXPECTED_ROLLUP_REVIEWER_AUDIT_DISPLAY_SECTIONS = [
"display-reviewer-audit-non-authorization-boundary",
]
EXPECTED_ROLLUP_REVIEWER_AUDIT_COLLECTION_CHECKS = [
"check-reviewer-audit-template-visible",
"check-reviewer-audit-metadata-only",
"check-reviewer-audit-forbidden-payloads-blocked",
"check-reviewer-audit-emitted-remains-zero",
"check-reviewer-audit-no-runtime-side-effect",
"check-reviewer-audit-owner-response-counts-unchanged",
]
def load_json(path: Path) -> dict[str, Any]:
return json.loads(path.read_text(encoding="utf-8"))
@@ -406,6 +415,11 @@ def validate(root: Path) -> None:
rollup_summary["owner_response_validation_reviewer_audit_display_section_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_DISPLAY_SECTIONS),
)
assert_equal(
"rollup.owner_response_validation_reviewer_audit_collection_check_count",
rollup_summary["owner_response_validation_reviewer_audit_collection_check_count"],
len(EXPECTED_ROLLUP_REVIEWER_AUDIT_COLLECTION_CHECKS),
)
assert_true("rollup.quarantine_required", rollup_summary["quarantine_required"])
assert_equal("rollup.primary_ready_count", rollup_summary["primary_ready_count"], 0)
@@ -957,6 +971,44 @@ def validate(root: Path) -> None:
item["not_approval"],
)
reviewer_audit_collection_checks = rollup["owner_response_validation_reviewer_audit_collection_checks"]
assert_equal(
"owner_response_validation_reviewer_audit_collection_checks.ids",
[item["check_id"] for item in reviewer_audit_collection_checks],
EXPECTED_ROLLUP_REVIEWER_AUDIT_COLLECTION_CHECKS,
)
assert_equal(
"owner_response_validation_reviewer_audit_collection_checks.display_order",
[item["display_order"] for item in reviewer_audit_collection_checks],
list(range(1, len(EXPECTED_ROLLUP_REVIEWER_AUDIT_COLLECTION_CHECKS) + 1)),
)
for item in reviewer_audit_collection_checks:
assert_equal(
f"owner_response_validation_reviewer_audit_collection_checks.{item['check_id']}.awooop_display_mode",
item["awooop_display_mode"],
"display_reviewer_audit_collection_check_only",
)
assert_false(
f"owner_response_validation_reviewer_audit_collection_checks.{item['check_id']}.execution_authorized",
item["execution_authorized"],
)
assert_true(
f"owner_response_validation_reviewer_audit_collection_checks.{item['check_id']}.not_approval",
item["not_approval"],
)
for blocked_interpretation in item["blocked_interpretations"]:
if blocked_interpretation in {
"create_runtime_gate",
"enqueue_execution",
"add_action_button",
"start_kali_scan",
"modify_repo_or_workflow",
}:
assert_false(
f"owner_response_validation_reviewer_audit_collection_checks.{item['check_id']}.runtime_execution_authorized",
item["execution_authorized"],
)
first_lane = LANES[0]
first_collection_item = collection_order_by_id[first_lane["lane_id"]]
first_missing_lane = missing_lane_by_id[first_lane["lane_id"]]