feat(governance): persist production security readback
Some checks failed
CD Pipeline / deploy (push) Has been cancelled

This commit is contained in:
ogt
2026-07-10 19:40:04 +08:00
parent b2be34a923
commit b4284693e4
8 changed files with 155 additions and 11 deletions

View File

@@ -127,6 +127,57 @@ def test_runtime_subset_uses_commit_bound_source_receipt(tmp_path):
assert policy["evidence"]["evidence_source"] == "cd_source_receipt"
def test_runtime_receipt_advances_access_readback_without_hiding_remaining_debt(tmp_path):
from services.security_governance_review_service import (
_runtime_receipt,
)
governance = tmp_path / "governance"
governance.mkdir()
payload = {
"receipt_kind": "security_governance_runtime_receipt",
"trace_id": "secgov-test",
"run_id": "secgov-test-run",
"work_item_id": "SEC-P0-001",
"source_commit": "c" * 40,
"deployed_version": "V10.773",
"deployment_mode": "controlled_manual_fallback",
"access_control": {
"status": "pass",
"sensitive_routes_denied": True,
"security_headers_passed": True,
"secure_cookie": True,
"sensitive_route_count": 8,
"denied_route_count": 8,
"metrics_public": True,
},
"database": {"unchanged": True},
"post_verifier": {
"health_status": "healthy",
"governance_gate": "pass",
},
"cd": {
"run_id": 1095,
"status": "waiting",
"blocker": "no_ewoooc_host_runner",
},
"learning_recorded": False,
"next_machine_action": "move_metrics_behind_edge_auth_with_prometheus_canary",
}
(governance / "security_governance_runtime_receipt.json").write_text(
json.dumps(payload, ensure_ascii=False),
encoding="utf-8",
)
receipt = _runtime_receipt(tmp_path)
assert receipt["security_readback_passed"] is True
assert receipt["database_unchanged"] is True
assert receipt["metrics_public"] is True
assert receipt["cd_status"] == "waiting"
assert receipt["learning_recorded"] is False
def test_sensitive_blueprint_policy_denies_anonymous_api(monkeypatch):
import auth
from services.http_access_policy_service import enforce_http_access_policy