feat(governance): persist production security readback
Some checks failed
CD Pipeline / deploy (push) Has been cancelled
Some checks failed
CD Pipeline / deploy (push) Has been cancelled
This commit is contained in:
@@ -127,6 +127,57 @@ def test_runtime_subset_uses_commit_bound_source_receipt(tmp_path):
|
||||
assert policy["evidence"]["evidence_source"] == "cd_source_receipt"
|
||||
|
||||
|
||||
def test_runtime_receipt_advances_access_readback_without_hiding_remaining_debt(tmp_path):
|
||||
from services.security_governance_review_service import (
|
||||
_runtime_receipt,
|
||||
)
|
||||
|
||||
governance = tmp_path / "governance"
|
||||
governance.mkdir()
|
||||
payload = {
|
||||
"receipt_kind": "security_governance_runtime_receipt",
|
||||
"trace_id": "secgov-test",
|
||||
"run_id": "secgov-test-run",
|
||||
"work_item_id": "SEC-P0-001",
|
||||
"source_commit": "c" * 40,
|
||||
"deployed_version": "V10.773",
|
||||
"deployment_mode": "controlled_manual_fallback",
|
||||
"access_control": {
|
||||
"status": "pass",
|
||||
"sensitive_routes_denied": True,
|
||||
"security_headers_passed": True,
|
||||
"secure_cookie": True,
|
||||
"sensitive_route_count": 8,
|
||||
"denied_route_count": 8,
|
||||
"metrics_public": True,
|
||||
},
|
||||
"database": {"unchanged": True},
|
||||
"post_verifier": {
|
||||
"health_status": "healthy",
|
||||
"governance_gate": "pass",
|
||||
},
|
||||
"cd": {
|
||||
"run_id": 1095,
|
||||
"status": "waiting",
|
||||
"blocker": "no_ewoooc_host_runner",
|
||||
},
|
||||
"learning_recorded": False,
|
||||
"next_machine_action": "move_metrics_behind_edge_auth_with_prometheus_canary",
|
||||
}
|
||||
(governance / "security_governance_runtime_receipt.json").write_text(
|
||||
json.dumps(payload, ensure_ascii=False),
|
||||
encoding="utf-8",
|
||||
)
|
||||
|
||||
receipt = _runtime_receipt(tmp_path)
|
||||
|
||||
assert receipt["security_readback_passed"] is True
|
||||
assert receipt["database_unchanged"] is True
|
||||
assert receipt["metrics_public"] is True
|
||||
assert receipt["cd_status"] == "waiting"
|
||||
assert receipt["learning_recorded"] is False
|
||||
|
||||
|
||||
def test_sensitive_blueprint_policy_denies_anonymous_api(monkeypatch):
|
||||
import auth
|
||||
from services.http_access_policy_service import enforce_http_access_policy
|
||||
|
||||
Reference in New Issue
Block a user