from src.services.executor_trust_boundary_readback import ( RECEIPT_SCHEMA_VERSION, build_executor_trust_boundary_readback, ) def _verified_receipt(source_sha: str = "abc123") -> dict[str, str]: return { "schema_version": RECEIPT_SCHEMA_VERSION, "verified_source_sha": source_sha, "verified_at": "2026-07-11T01:00:00Z", "workflow_run_id": "4870", "verifier": "kubectl_auth_can_i_and_live_mount_readback", "api_service_account": "awoooi-api", "worker_service_account": "awoooi-worker", "broker_service_account": "awoooi-executor-broker", "api_mutation_denied": "true", "api_ssh_mount_absent": "true", "worker_mutation_denied": "true", "worker_ssh_mount_absent": "true", "broker_kubernetes_token_absent": "true", "broker_ssh_mount_present": "true", "legacy_executor_binding_absent": "true", "api_ssh_egress_denied": "true", "worker_ssh_egress_denied": "true", "broker_ssh_egress_allowlisted": "true", "legacy_namespace_egress_allow_absent": "true", } def test_executor_trust_boundary_requires_live_controls_and_matching_source() -> None: readback = build_executor_trust_boundary_readback( _verified_receipt(), deployed_source_sha="abc123", ) assert readback["status"] == "verified_ready" assert readback["production_boundary_verified"] is True assert readback["source_sha_matches_deployment"] is True assert readback["active_blockers"] == [] assert readback["secret_values_read"] is False def test_executor_trust_boundary_rejects_stale_or_incomplete_receipt() -> None: stale = build_executor_trust_boundary_readback( _verified_receipt("old-source"), deployed_source_sha="new-source", ) assert stale["production_boundary_verified"] is False assert "verified_source_sha_mismatch" in stale["active_blockers"] incomplete_receipt = _verified_receipt() incomplete_receipt["worker_ssh_egress_denied"] = "false" incomplete = build_executor_trust_boundary_readback( incomplete_receipt, deployed_source_sha="abc123", ) assert incomplete["production_boundary_verified"] is False assert "worker_ssh_egress_denied_not_verified" in incomplete["active_blockers"]