31ce04c655
Merge the beta-ready Yao Meta Skill architecture, report, evidence gate, and release-boundary updates.\n\nRelease boundary: beta/public testing is allowed; formal world-class, fully reviewed, or superiority claims remain blocked until the pending evidence gates are accepted.
158 lines
7.5 KiB
Python
158 lines
7.5 KiB
Python
#!/usr/bin/env python3
|
|
from typing import Any
|
|
|
|
from output_review_privacy import forbidden_decision_field_paths
|
|
|
|
|
|
SCRIPT_INTERFACE = "internal-module"
|
|
SCRIPT_INTERFACE_REASON = "Imported by world_class_evidence_contract.py to validate runtime permission evidence from target-level probe rows."
|
|
|
|
|
|
def add_error(errors: list[str], condition: bool, message: str) -> None:
|
|
if not condition:
|
|
errors.append(message)
|
|
|
|
|
|
def real_int(value: Any) -> int | None:
|
|
return value if isinstance(value, int) and not isinstance(value, bool) else None
|
|
|
|
|
|
def object_list(value: Any) -> list[dict[str, Any]]:
|
|
return [item for item in value if isinstance(item, dict)] if isinstance(value, list) else []
|
|
|
|
|
|
def sorted_strings(value: Any) -> list[str]:
|
|
return sorted(str(item) for item in value) if isinstance(value, list) else []
|
|
|
|
|
|
def validate_no_raw_fields(payload: dict[str, Any], label: str, errors: list[str]) -> None:
|
|
blocked = forbidden_decision_field_paths(payload, label)
|
|
add_error(
|
|
errors,
|
|
not blocked,
|
|
f"native-permission-enforcement {label} must not include raw content, credential, secret, token, prompt, output, transcript, message, or answer-key fields: "
|
|
+ ", ".join(blocked[:8]),
|
|
)
|
|
|
|
|
|
def validate_target_rows(probes: dict[str, Any], summary: dict[str, Any], errors: list[str]) -> None:
|
|
targets = object_list(probes.get("targets", []))
|
|
target_count = real_int(summary.get("target_count"))
|
|
native_count = real_int(summary.get("native_enforcement_count"))
|
|
fail_count = real_int(summary.get("fail_count"))
|
|
expected_capabilities = sorted_strings(probes.get("expected_capabilities"))
|
|
|
|
add_error(errors, bool(targets), "native-permission-enforcement runtime probe targets must not be empty")
|
|
if target_count is not None:
|
|
add_error(errors, len(targets) == target_count, "native-permission-enforcement runtime probe targets length must equal summary.target_count")
|
|
add_error(errors, fail_count == 0, "native-permission-enforcement runtime probe summary.fail_count must be 0")
|
|
|
|
observed_native = 0
|
|
for index, target in enumerate(targets, start=1):
|
|
target_name = str(target.get("target", "")).strip() or str(index)
|
|
add_error(errors, target.get("status") == "pass", f"native-permission-enforcement target {target_name} status must be pass")
|
|
add_error(errors, not target.get("failures"), f"native-permission-enforcement target {target_name} failures must be empty")
|
|
checks = object_list(target.get("checks", []))
|
|
add_error(errors, bool(checks), f"native-permission-enforcement target {target_name} checks must not be empty")
|
|
add_error(
|
|
errors,
|
|
all(item.get("passed") is True for item in checks),
|
|
f"native-permission-enforcement target {target_name} checks must all pass",
|
|
)
|
|
native = target.get("native_enforcement") is True
|
|
if native:
|
|
observed_native += 1
|
|
add_error(
|
|
errors,
|
|
target.get("assurance") == "native-enforced",
|
|
f"native-permission-enforcement target {target_name} assurance must be native-enforced",
|
|
)
|
|
else:
|
|
add_error(
|
|
errors,
|
|
target.get("metadata_fallback_explicit") is True,
|
|
f"native-permission-enforcement fallback target {target_name} must keep metadata_fallback_explicit true",
|
|
)
|
|
add_error(
|
|
errors,
|
|
bool(target.get("residual_risks")),
|
|
f"native-permission-enforcement fallback target {target_name} must retain residual risks",
|
|
)
|
|
if expected_capabilities:
|
|
add_error(
|
|
errors,
|
|
sorted_strings(target.get("declared_capabilities")) == expected_capabilities,
|
|
f"native-permission-enforcement target {target_name} declared_capabilities must match expected_capabilities",
|
|
)
|
|
installer = target.get("installer_enforcement", {}) if isinstance(target.get("installer_enforcement"), dict) else {}
|
|
add_error(
|
|
errors,
|
|
installer.get("enforced") is True,
|
|
f"native-permission-enforcement target {target_name} installer_enforcement.enforced must be true",
|
|
)
|
|
add_error(
|
|
errors,
|
|
not installer.get("missing_capabilities"),
|
|
f"native-permission-enforcement target {target_name} installer_enforcement missing_capabilities must be empty",
|
|
)
|
|
add_error(
|
|
errors,
|
|
not installer.get("failure_details"),
|
|
f"native-permission-enforcement target {target_name} installer_enforcement failure_details must be empty",
|
|
)
|
|
|
|
add_error(errors, bool(native_count and observed_native == native_count), "native-permission-enforcement native target rows must match summary.native_enforcement_count")
|
|
add_error(errors, observed_native > 0, "native-permission-enforcement must include at least one native-enforced target row")
|
|
|
|
|
|
def validate_install_simulation_report(install: dict[str, Any], errors: list[str]) -> None:
|
|
summary = install.get("summary", {}) if isinstance(install.get("summary", {}), dict) else {}
|
|
validate_no_raw_fields(install, "install_simulation", errors)
|
|
add_error(errors, install.get("ok") is True, "native-permission-enforcement install simulation report ok must be true")
|
|
add_error(
|
|
errors,
|
|
bool(real_int(summary.get("installer_permission_enforced_count")) and summary["installer_permission_enforced_count"] > 0),
|
|
"native-permission-enforcement install simulation summary.installer_permission_enforced_count must be >0",
|
|
)
|
|
add_error(
|
|
errors,
|
|
summary.get("installer_permission_failure_count") == 0,
|
|
"native-permission-enforcement install simulation summary.installer_permission_failure_count must be 0",
|
|
)
|
|
add_error(errors, summary.get("failure_count") == 0, "native-permission-enforcement install simulation summary.failure_count must be 0")
|
|
permission_checks = [
|
|
item
|
|
for item in object_list(install.get("checks", []))
|
|
if str(item.get("id", "")).startswith("permission-") and str(item.get("id", "")).endswith(("-approved", "-target-enforcement"))
|
|
]
|
|
if permission_checks:
|
|
add_error(
|
|
errors,
|
|
all(item.get("status") == "pass" for item in permission_checks),
|
|
"native-permission-enforcement install simulation permission checks must all pass",
|
|
)
|
|
|
|
|
|
def validate_native_permission_report(probes: dict[str, Any], install: dict[str, Any], errors: list[str]) -> None:
|
|
summary = probes.get("summary", {}) if isinstance(probes.get("summary", {}), dict) else {}
|
|
validate_no_raw_fields(probes, "runtime_permission_probes", errors)
|
|
add_error(errors, probes.get("ok") is True, "native-permission-enforcement runtime probe report ok must be true")
|
|
add_error(
|
|
errors,
|
|
bool(real_int(summary.get("native_enforcement_count")) and summary["native_enforcement_count"] > 0),
|
|
"native-permission-enforcement runtime probe summary.native_enforcement_count must be >0",
|
|
)
|
|
add_error(
|
|
errors,
|
|
summary.get("failure_count") == 0,
|
|
"native-permission-enforcement runtime probe summary.failure_count must be 0",
|
|
)
|
|
add_error(
|
|
errors,
|
|
summary.get("installer_enforcement_ready") is True,
|
|
"native-permission-enforcement runtime probe summary.installer_enforcement_ready must be true",
|
|
)
|
|
validate_target_rows(probes, summary, errors)
|
|
if install:
|
|
validate_install_simulation_report(install, errors)
|