feat(governance): automate identity and comparison coverage

This commit is contained in:
ogt
2026-07-14 16:15:41 +08:00
parent 2dcc2122c4
commit 4bfb9dbefd
31 changed files with 2763 additions and 578 deletions

View File

@@ -60,6 +60,16 @@ Any missing stage produces `partial` or `degraded`, never completed.
- `scripts/ops/report_security_governance_review.py --strict` is the source release gate.
- `/api/ai-automation/security-governance-review` is the protected production readback.
### 4.1 Database identity controlled cutover
- `services/auth_identity_service.py` is the single policy for auth mode, trusted proxy CIDRs, role tiers and session identity versioning.
- `login_history` is the durable login/audit/lockout source; process-local counters are not authoritative.
- `auto` starts with bounded hybrid authority so the current operator is not locked out. Only successful database authentication by an active admin counts toward promotion; two durable success receipts are required by default.
- Once the threshold is reached, effective authority becomes database-only without a manual review gate. Legacy shared sessions are revoked on their next request and cannot inherit an admin role from missing fields.
- Any password, role, active-state or identity timestamp change invalidates the signed session through its durable identity version.
- Account creation, identity updates, password changes, account disablement and permission changes must commit their no-secret `login_history` audit event in the same database transaction; failures roll back both the mutation and its audit.
- `scripts/ops/report_auth_identity_governance.py` returns counts and control state only; it must never return password hashes, secret values or raw sessions.
### 5. Legacy policy sunset
| Legacy policy | Owner | Expiry | Replacement | Verifier |