feat(smoke): monitor pchome signing issuer closeout
Some checks failed
CD Pipeline / deploy (push) Has been cancelled
Some checks failed
CD Pipeline / deploy (push) Has been cancelled
This commit is contained in:
@@ -280,6 +280,23 @@ def build_scheduled_automation_health_summary(
|
||||
auto_policy_signing_issuer_guard_details = (
|
||||
auto_policy_signing_issuer_guard.get("details") or {}
|
||||
)
|
||||
auto_policy_signing_issuer_closeout = _find_check(
|
||||
source_result,
|
||||
"PChome auto-policy signing issuer closeout",
|
||||
)
|
||||
auto_policy_signing_issuer_closeout_details = (
|
||||
auto_policy_signing_issuer_closeout.get("details") or {}
|
||||
)
|
||||
if (
|
||||
not auto_policy_signing_issuer_closeout
|
||||
or not auto_policy_signing_issuer_closeout_details
|
||||
):
|
||||
auto_policy_signing_issuer_closeout = (
|
||||
_pchome_auto_policy_signing_issuer_closeout_check()
|
||||
)
|
||||
auto_policy_signing_issuer_closeout_details = (
|
||||
auto_policy_signing_issuer_closeout.get("details") or {}
|
||||
)
|
||||
surface_readback = _find_check(source_result, "AI surface HTML readback")
|
||||
surface_details = surface_readback.get("details") or {}
|
||||
sitewide_readback = _find_check(source_result, "Sitewide UI/UX Agent readback")
|
||||
@@ -1057,6 +1074,178 @@ def build_scheduled_automation_health_summary(
|
||||
"writes_database": False,
|
||||
},
|
||||
},
|
||||
{
|
||||
"key": "pchome_auto_policy_signing_issuer_closeout",
|
||||
"label": "PChome auto-policy signing issuer closeout",
|
||||
"status": auto_policy_signing_issuer_closeout.get("status") or "warning",
|
||||
"summary": (
|
||||
auto_policy_signing_issuer_closeout.get("summary")
|
||||
or "PChome auto-policy signing issuer closeout has no latest check."
|
||||
),
|
||||
"next_machine_action": auto_policy_signing_issuer_closeout_details.get(
|
||||
"next_machine_action"
|
||||
)
|
||||
or (
|
||||
"continue_pchome_auto_policy_signing_issuer_closeout_monitoring"
|
||||
if auto_policy_signing_issuer_closeout.get("status") == "ok"
|
||||
else "refresh_pchome_auto_policy_signing_issuer_closeout"
|
||||
),
|
||||
"details": {
|
||||
"policy": auto_policy_signing_issuer_closeout_details.get("policy"),
|
||||
"result": auto_policy_signing_issuer_closeout_details.get("result"),
|
||||
"signing_issuer_closeout_ready_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"signing_issuer_closeout_ready_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"signing_issuer_closeout_check_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"signing_issuer_closeout_check_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"signing_issuer_closeout_pass_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"signing_issuer_closeout_pass_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"signing_issuer_closeout_waiting_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"signing_issuer_closeout_waiting_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"signing_issuer_guard_ready_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"signing_issuer_guard_ready_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"signing_issuer_guard_check_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"signing_issuer_guard_check_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"signing_decision_input_requirement_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"signing_decision_input_requirement_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"signing_decision_rejection_reason_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"signing_decision_rejection_reason_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"required_issuer_evidence_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"required_issuer_evidence_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"nonsecret_authorization_claim_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"nonsecret_authorization_claim_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"post_apply_verifier_required_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"post_apply_verifier_required_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"same_run_truth_required_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"same_run_truth_required_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"reads_secret_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get("reads_secret_count")
|
||||
or 0
|
||||
),
|
||||
"executes_sql_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get("executes_sql_count")
|
||||
or 0
|
||||
),
|
||||
"writes_database_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"writes_database_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"signs_database_apply_authorization_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"signs_database_apply_authorization_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"primary_human_gate_count": int(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"primary_human_gate_count"
|
||||
)
|
||||
or 0
|
||||
),
|
||||
"manual_review_mode": auto_policy_signing_issuer_closeout_details.get(
|
||||
"manual_review_mode"
|
||||
),
|
||||
"payload_source": auto_policy_signing_issuer_closeout_details.get(
|
||||
"payload_source"
|
||||
),
|
||||
"execute_fetch": bool(
|
||||
auto_policy_signing_issuer_closeout_details.get("execute_fetch")
|
||||
),
|
||||
"outbound_network": bool(
|
||||
auto_policy_signing_issuer_closeout_details.get("outbound_network")
|
||||
),
|
||||
"business_data_source": bool(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"business_data_source"
|
||||
)
|
||||
),
|
||||
"ready_for_database_apply_now": bool(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"ready_for_database_apply_now"
|
||||
)
|
||||
),
|
||||
"issues_database_apply_authorization": bool(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"issues_database_apply_authorization"
|
||||
)
|
||||
),
|
||||
"signs_database_apply_authorization": bool(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"signs_database_apply_authorization"
|
||||
)
|
||||
),
|
||||
"secret_material_included": bool(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"secret_material_included"
|
||||
)
|
||||
),
|
||||
"secret_material_required_in_preview": bool(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"secret_material_required_in_preview"
|
||||
)
|
||||
),
|
||||
"ready_for_future_final_signable_request_package": bool(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"ready_for_future_final_signable_request_package"
|
||||
)
|
||||
),
|
||||
"permits_future_final_signable_request_package_lane": bool(
|
||||
auto_policy_signing_issuer_closeout_details.get(
|
||||
"permits_future_final_signable_request_package_lane"
|
||||
)
|
||||
),
|
||||
"writes_database": False,
|
||||
},
|
||||
},
|
||||
{
|
||||
"key": "ai_surface_html_readback",
|
||||
"label": "AI surface HTML readback",
|
||||
@@ -3048,6 +3237,241 @@ def _pchome_auto_policy_signing_issuer_guard_check() -> Dict[str, Any]:
|
||||
)
|
||||
|
||||
|
||||
def _pchome_auto_policy_signing_issuer_closeout_check() -> Dict[str, Any]:
|
||||
"""Read-only monitor for the final signable request closeout package."""
|
||||
try:
|
||||
from services import pchome_mapping_backlog_service as backlog
|
||||
from services.ai_exception_contract import (
|
||||
LEGACY_REVIEW_REQUIRED_COUNT_KEY,
|
||||
PRIMARY_HUMAN_GATE_COUNT_KEY,
|
||||
)
|
||||
|
||||
payload = _pchome_auto_policy_decision_preflight_contract_payload()
|
||||
closeout = (
|
||||
backlog.build_pchome_auto_policy_db_apply_authorization_signing_issuer_closeout(
|
||||
payload,
|
||||
batch_size=max(1, min(_PCHOME_AUTO_POLICY_DECISION_PREFLIGHT_BATCH_SIZE, 50)),
|
||||
execute_fetch=True,
|
||||
timeout_seconds=max(
|
||||
1,
|
||||
min(_PCHOME_AUTO_POLICY_DECISION_PREFLIGHT_TIMEOUT_SECONDS, 30),
|
||||
),
|
||||
http_get=_pchome_auto_policy_machine_fetch_evidence_get,
|
||||
)
|
||||
)
|
||||
summary = closeout.get("summary") or {}
|
||||
issuer_closeout = closeout.get("future_authorization_signing_issuer_closeout") or {}
|
||||
package = closeout.get("final_signable_request_package") or {}
|
||||
contract = closeout.get("signing_issuer_closeout_contract") or {}
|
||||
safety = closeout.get("safety") or {}
|
||||
result = str(closeout.get("result") or "UNKNOWN")
|
||||
|
||||
closeout_ready_count = int(
|
||||
summary.get("authorization_signing_issuer_closeout_ready_count") or 0
|
||||
)
|
||||
check_count = int(summary.get("signing_issuer_closeout_check_count") or 0)
|
||||
pass_count = int(summary.get("signing_issuer_closeout_pass_count") or 0)
|
||||
waiting_count = int(summary.get("signing_issuer_closeout_waiting_count") or 0)
|
||||
guard_ready_count = int(
|
||||
summary.get("authorization_signing_issuer_guard_ready_count") or 0
|
||||
)
|
||||
guard_check_count = int(summary.get("signing_issuer_guard_check_count") or 0)
|
||||
input_requirement_count = int(
|
||||
summary.get("signing_decision_input_requirement_count") or 0
|
||||
)
|
||||
rejection_reason_count = int(
|
||||
summary.get("signing_decision_rejection_reason_count") or 0
|
||||
)
|
||||
required_evidence_count = int(summary.get("required_issuer_evidence_count") or 0)
|
||||
nonsecret_claim_count = int(summary.get("nonsecret_authorization_claim_count") or 0)
|
||||
verifier_required_count = int(summary.get("post_apply_verifier_required_count") or 0)
|
||||
same_run_truth_count = int(summary.get("same_run_truth_required_count") or 0)
|
||||
reads_secret_count = int(summary.get("reads_secret_count") or 0)
|
||||
executes_script_count = int(summary.get("executes_script_count") or 0)
|
||||
executes_sql_count = int(summary.get("executes_sql_count") or 0)
|
||||
writes_database_count = int(summary.get("writes_database_count") or 0)
|
||||
signs_database_apply_authorization_count = int(
|
||||
summary.get("signs_database_apply_authorization_count") or 0
|
||||
)
|
||||
primary_human_gate_count = int(summary.get(PRIMARY_HUMAN_GATE_COUNT_KEY) or 0)
|
||||
manual_review_required_count = int(summary.get(LEGACY_REVIEW_REQUIRED_COUNT_KEY) or 0)
|
||||
side_effect_count = (
|
||||
reads_secret_count
|
||||
+ executes_script_count
|
||||
+ executes_sql_count
|
||||
+ writes_database_count
|
||||
+ signs_database_apply_authorization_count
|
||||
)
|
||||
risk_detected = any(
|
||||
[
|
||||
side_effect_count,
|
||||
primary_human_gate_count,
|
||||
manual_review_required_count,
|
||||
safety.get("reads_secret_in_preview") is not False,
|
||||
safety.get("executes_script") is not False,
|
||||
safety.get("executes_endpoint") is not False,
|
||||
safety.get("executes_migration") is not False,
|
||||
safety.get("executes_sql") is not False,
|
||||
safety.get("writes_database") is not False,
|
||||
safety.get("signs_database_apply_authorization") is not False,
|
||||
issuer_closeout.get("ready_for_database_apply_now") is not False,
|
||||
issuer_closeout.get("issues_database_apply_authorization") is not False,
|
||||
issuer_closeout.get("signs_database_apply_authorization") is not False,
|
||||
package.get("ready_for_database_apply_now") is not False,
|
||||
package.get("issues_database_apply_authorization") is not False,
|
||||
package.get("signs_database_apply_authorization") is not False,
|
||||
package.get("secret_material_included") is not False,
|
||||
package.get("secret_material_required_in_preview") is not False,
|
||||
package.get("reads_secret_in_preview") is not False,
|
||||
package.get("executes_sql_in_preview") is not False,
|
||||
package.get("writes_database_in_preview") is not False,
|
||||
contract.get("issues_database_apply_authorization") is not False,
|
||||
contract.get("ready_for_database_apply_now") is not False,
|
||||
contract.get("signs_database_apply_authorization") is not False,
|
||||
contract.get("writes_database") is not False,
|
||||
contract.get("secret_material_required_in_preview") is not False,
|
||||
]
|
||||
)
|
||||
closeout_contract_present = (
|
||||
closeout_ready_count == 1
|
||||
and guard_ready_count == 1
|
||||
and check_count >= 12
|
||||
and pass_count == check_count
|
||||
and waiting_count == 0
|
||||
and guard_check_count == 12
|
||||
and input_requirement_count == 10
|
||||
and rejection_reason_count == 11
|
||||
and required_evidence_count == 9
|
||||
and nonsecret_claim_count == 8
|
||||
and verifier_required_count == 1
|
||||
and same_run_truth_count == 1
|
||||
and issuer_closeout.get("ready_for_future_signing_issuer_closeout") is True
|
||||
and (
|
||||
issuer_closeout.get("can_enter_future_final_signable_request_package_lane")
|
||||
is True
|
||||
)
|
||||
and package.get("authorization_material_type") == "final_signable_request_package"
|
||||
and package.get("ready_for_future_final_signable_request_package") is True
|
||||
and package.get("hash_matches") is True
|
||||
and package.get("requires_post_apply_verifier") is True
|
||||
and package.get("requires_fresh_production_truth_in_same_run") is True
|
||||
and contract.get("machine_verifiable") is True
|
||||
and contract.get("permits_future_final_signable_request_package_lane") is True
|
||||
and safety.get("manual_review_mode") == "exception_only"
|
||||
)
|
||||
|
||||
if risk_detected:
|
||||
status = "critical"
|
||||
summary_text = (
|
||||
"PChome auto-policy signing issuer closeout 偵測到 secret、SQL、DB write、"
|
||||
"簽發授權或人工主 gate 風險"
|
||||
)
|
||||
next_machine_action = (
|
||||
"halt_pchome_auto_policy_signing_issuer_closeout_and_inspect_risk"
|
||||
)
|
||||
elif closeout_contract_present:
|
||||
status = "ok"
|
||||
summary_text = (
|
||||
"PChome auto-policy signing issuer closeout 已自動完成 "
|
||||
f"{pass_count}/{check_count} checks,final signable package 已綁定,authorization signing=0"
|
||||
)
|
||||
next_machine_action = "continue_to_pchome_auto_policy_signing_execution_preflight_lane"
|
||||
else:
|
||||
status = "warning"
|
||||
summary_text = "PChome auto-policy signing issuer closeout 尚未達自動監控契約"
|
||||
next_machine_action = "refresh_pchome_auto_policy_signing_issuer_closeout"
|
||||
|
||||
return _check(
|
||||
"PChome auto-policy signing issuer closeout",
|
||||
status,
|
||||
summary_text,
|
||||
{
|
||||
"policy": closeout.get("policy"),
|
||||
"result": result,
|
||||
"source_policy": closeout.get("source_policy"),
|
||||
"signing_issuer_closeout_ready_count": closeout_ready_count,
|
||||
"signing_issuer_closeout_check_count": check_count,
|
||||
"signing_issuer_closeout_pass_count": pass_count,
|
||||
"signing_issuer_closeout_waiting_count": waiting_count,
|
||||
"signing_issuer_guard_ready_count": guard_ready_count,
|
||||
"signing_issuer_guard_check_count": guard_check_count,
|
||||
"signing_decision_input_requirement_count": input_requirement_count,
|
||||
"signing_decision_rejection_reason_count": rejection_reason_count,
|
||||
"required_issuer_evidence_count": required_evidence_count,
|
||||
"nonsecret_authorization_claim_count": nonsecret_claim_count,
|
||||
"post_apply_verifier_required_count": verifier_required_count,
|
||||
"same_run_truth_required_count": same_run_truth_count,
|
||||
"reads_secret_count": reads_secret_count,
|
||||
"executes_script_count": executes_script_count,
|
||||
"executes_sql_count": executes_sql_count,
|
||||
"writes_database_count": writes_database_count,
|
||||
"signs_database_apply_authorization_count": (
|
||||
signs_database_apply_authorization_count
|
||||
),
|
||||
"primary_human_gate_count": primary_human_gate_count,
|
||||
"manual_review_required_count": manual_review_required_count,
|
||||
"manual_review_mode": safety.get("manual_review_mode"),
|
||||
"payload_source": "local_contract_fixture",
|
||||
"machine_fetch_evidence_source": "local_schema_fixture",
|
||||
"http_get_adapter": "_pchome_auto_policy_machine_fetch_evidence_get",
|
||||
"execute_fetch": True,
|
||||
"outbound_network": False,
|
||||
"business_data_source": False,
|
||||
"ready_for_database_apply_now": bool(
|
||||
issuer_closeout.get("ready_for_database_apply_now")
|
||||
or package.get("ready_for_database_apply_now")
|
||||
or contract.get("ready_for_database_apply_now")
|
||||
),
|
||||
"issues_database_apply_authorization": bool(
|
||||
issuer_closeout.get("issues_database_apply_authorization")
|
||||
or package.get("issues_database_apply_authorization")
|
||||
or contract.get("issues_database_apply_authorization")
|
||||
),
|
||||
"signs_database_apply_authorization": bool(
|
||||
issuer_closeout.get("signs_database_apply_authorization")
|
||||
or package.get("signs_database_apply_authorization")
|
||||
or contract.get("signs_database_apply_authorization")
|
||||
),
|
||||
"secret_material_included": bool(package.get("secret_material_included")),
|
||||
"secret_material_required_in_preview": bool(
|
||||
package.get("secret_material_required_in_preview")
|
||||
or contract.get("secret_material_required_in_preview")
|
||||
),
|
||||
"ready_for_future_final_signable_request_package": bool(
|
||||
package.get("ready_for_future_final_signable_request_package")
|
||||
),
|
||||
"permits_future_final_signable_request_package_lane": bool(
|
||||
contract.get("permits_future_final_signable_request_package_lane")
|
||||
),
|
||||
"requires_post_apply_verifier": bool(
|
||||
package.get("requires_post_apply_verifier")
|
||||
),
|
||||
"requires_fresh_production_truth": bool(
|
||||
package.get("requires_fresh_production_truth_in_same_run")
|
||||
),
|
||||
"writes_database": False,
|
||||
"next_machine_action": next_machine_action,
|
||||
},
|
||||
)
|
||||
except Exception as exc:
|
||||
return _check(
|
||||
"PChome auto-policy signing issuer closeout",
|
||||
"warning",
|
||||
f"PChome auto-policy signing issuer closeout 例行監控暫時無法讀取:{exc}",
|
||||
{
|
||||
"writes_database": False,
|
||||
"writes_database_count": 0,
|
||||
"signs_database_apply_authorization_count": 0,
|
||||
"primary_human_gate_count": 0,
|
||||
"execute_fetch": True,
|
||||
"outbound_network": False,
|
||||
"business_data_source": False,
|
||||
"payload_source": "local_contract_fixture",
|
||||
"next_machine_action": "refresh_pchome_auto_policy_signing_issuer_closeout",
|
||||
},
|
||||
)
|
||||
|
||||
|
||||
def _ai_surface_html_readback_check() -> Dict[str, Any]:
|
||||
"""Read-only AI product surface guardrail readback."""
|
||||
try:
|
||||
@@ -3282,6 +3706,7 @@ def collect_ai_automation_smoke(*, record_history: bool = True, history_limit: i
|
||||
_pchome_auto_policy_signing_decision_preflight_check(),
|
||||
_pchome_auto_policy_signing_decision_closeout_check(),
|
||||
_pchome_auto_policy_signing_issuer_guard_check(),
|
||||
_pchome_auto_policy_signing_issuer_closeout_check(),
|
||||
_ai_surface_html_readback_check(),
|
||||
_sitewide_ui_ux_agent_check(),
|
||||
_sitewide_visual_qa_check(),
|
||||
|
||||
Reference in New Issue
Block a user