test: remediate audit findings for task log viewer, report card and logger tests

2026-03-03 21:01:24 +03:00
parent ce3955ed2e
commit fa380ff9a5
11 changed files with 244 additions and 61 deletions
--- a/specs/023-clean-repo-enterprise/plan.md
+++ b/specs/023-clean-repo-enterprise/plan.md
@@ -159,7 +159,19 @@ frontend/

 **Gate Result (post-design)**: PASS

-**Operational Note**: в tooling обнаружено предупреждение о конфликте numeric prefix `020` между [`specs/023-clean-repo-enterprise`](./) и [`specs/020-task-reports-design`](../020-task-reports-design). Это не блокирует текущий план-файл, но требует governance-решения для устранения неоднозначности при запуске стандартных `speckit`-скриптов.
+**Operational Note (resolved)**: конфликт numeric prefix `020` устранён governance-решением: enterprise clean feature закреплён под уникальным префиксом `023` (ветка и feature-directory: `023-clean-repo-enterprise`). Проверка prereqs и speckit-поток выполняются с `FEATURE_DIR=specs/023-clean-repo-enterprise` без неоднозначности с [`specs/020-task-reports-design`](../020-task-reports-design).
+
+## Implementation Traceability & Final Notes
+
+- Статус реализации: Phase 1–7 завершены (T001–T043).
+- Ключевые подтверждения polish-фазы:
+  - T039: smoke TUI сценария зафиксирован в [`quickstart.md`](./quickstart.md).
+  - T040: контрактная проверка API подтверждена тестом [`backend/tests/api/routes/test_clean_release_api.py`](../../backend/tests/api/routes/test_clean_release_api.py).
+  - T041: создан чеклист evidence package [`checklists/release-readiness.md`](./checklists/release-readiness.md).
+  - T042: governance conflict по префиксу закрыт и задокументирован.
+  - T043: добавлена итоговая traceability-нотация в текущем плане.
+
+Итог: feature готова к финальному релизному циклу с обязательным CI gate (`COMPLIANT` only) и операционной доказательной базой для аудита.

 ## Complexity Tracking

--- a/specs/023-clean-repo-enterprise/quickstart.md
+++ b/specs/023-clean-repo-enterprise/quickstart.md
@@ -85,6 +85,14 @@ cd /home/busya/dev/ss-tools
 - [ ] Отчёт выгружен и приложен к релизному пакету
 - [ ] Candidate отмечен как готовый к выпуску

+## Troubleshooting Matrix
+
+| Category | Symptom | Blocking Rule | Remediation |
+|---|---|---|---|
+| `data-purity` | В составе кандидата есть test/demo/load-test артефакты | Любой найденный запрещённый артефакт => `BLOCKED` | Удалить запрещённые артефакты, повторить проверку |
+| `external-source` | Обнаружен внешний endpoint (не из реестра внутренних хостов) | Любой внешний источник => `BLOCKED` | Заменить источник на внутренний сервер из allowlist, подтвердить конфиг |
+| `operational-risk` | Внутренний источник недоступен во время проверки | Недоступность обязательного внутреннего ресурса => `BLOCKED` | Восстановить доступность внутреннего сервера и перезапустить проверку |
+
 ## Troubleshooting

 ### Сценарий: Internal source unavailable
@@ -105,4 +113,19 @@ cd /home/busya/dev/ss-tools
 Действия:
 1. Удалить/заменить внешний источник на внутренний сервер из реестра.
 2. Подтвердить изменение конфигурации.
-3. Перезапустить проверку.
+3. Перезапустить проверку.
+
+## Smoke Validation Record
+
+Дата: 2026-03-03
+Среда: `backend/.venv`, локальный запуск из корня репозитория.
+
+- TUI smoke command:
+  - `cd backend && .venv/bin/python3 -m src.scripts.clean_release_tui`
+  - Результат: `PASS` (exit code 0, состояние `READY`, панель внутренних источников отображается).
+- API contract smoke command:
+  - `cd backend && .venv/bin/python3 -m pytest tests/api/routes/test_clean_release_api.py -q`
+  - Результат: `PASS` (`2 passed`), shape контрактов `/api/clean-release/checks*` и `/api/clean-release/reports/{id}` подтверждён.
+
+Примечание:
+- В тестовом прогоне есть существующие проектные предупреждения (Pydantic/FastAPI deprecations), но блокирующих ошибок для feature smoke-проверки не обнаружено.
--- a/specs/023-clean-repo-enterprise/tasks.md
+++ b/specs/023-clean-repo-enterprise/tasks.md
@@ -15,11 +15,11 @@

 **Purpose**: Подготовка каркаса clean-release подсистемы и мест хранения артефактов.

- [ ] T001 Create feature package skeleton for clean release modules in `backend/src/services/clean_release/__init__.py`
- [ ] T002 [P] Create clean release domain models module in `backend/src/models/clean_release.py`
- [ ] T003 [P] Create clean release API route module placeholder in `backend/src/api/routes/clean_release.py`
- [ ] T004 [P] Create TUI script entrypoint placeholder in `backend/src/scripts/clean_release_tui.py`
- [ ] T005 Register clean release router export in `backend/src/api/routes/__init__.py`
+- [X] T001 Create feature package skeleton for clean release modules in `backend/src/services/clean_release/__init__.py`
+- [X] T002 [P] Create clean release domain models module in `backend/src/models/clean_release.py`
+- [X] T003 [P] Create clean release API route module placeholder in `backend/src/api/routes/clean_release.py`
+- [X] T004 [P] Create TUI script entrypoint placeholder in `backend/src/scripts/clean_release_tui.py`
+- [X] T005 Register clean release router export in `backend/src/api/routes/__init__.py`

 ---

@@ -29,12 +29,12 @@

 **⚠️ CRITICAL**: No user story work can begin until this phase is complete.

- [ ] T006 Implement core enums and lifecycle models (`ReleaseCandidate`, `CleanProfilePolicy`, `ResourceSourceRegistry`, `DistributionManifest`, `ComplianceCheckRun`, `ComplianceViolation`, `ComplianceReport`) in `backend/src/models/clean_release.py`
- [ ] T007 [P] Implement persistence adapter for clean release entities in `backend/src/services/clean_release/repository.py`
- [ ] T008 [P] Implement compliance stage constants and run state machine helpers in `backend/src/services/clean_release/stages.py`
- [ ] T009 Wire clean release dependencies provider in `backend/src/dependencies.py`
- [ ] T010 Add API router include for clean release endpoints in `backend/src/app.py`
- [ ] T011 Add baseline fixtures for clean release policy/candidate/report payloads in `backend/tests/fixtures/clean_release/fixtures_clean_release.json`
+- [X] T006 Implement core enums and lifecycle models (`ReleaseCandidate`, `CleanProfilePolicy`, `ResourceSourceRegistry`, `DistributionManifest`, `ComplianceCheckRun`, `ComplianceViolation`, `ComplianceReport`) in `backend/src/models/clean_release.py`
+- [X] T007 [P] Implement persistence adapter for clean release entities in `backend/src/services/clean_release/repository.py`
+- [X] T008 [P] Implement compliance stage constants and run state machine helpers in `backend/src/services/clean_release/stages.py`
+- [X] T009 Wire clean release dependencies provider in `backend/src/dependencies.py`
+- [X] T010 Add API router include for clean release endpoints in `backend/src/app.py`
+- [X] T011 Add baseline fixtures for clean release policy/candidate/report payloads in `backend/tests/fixtures/clean_release/fixtures_clean_release.json`

 **Checkpoint**: Foundation ready — user story implementation can now begin.

@@ -48,16 +48,16 @@

 ### Tests for User Story 1

- [ ] T012 [P] [US1] Add unit tests for artifact classification and deterministic decisions in `backend/tests/services/clean_release/test_policy_engine.py`
- [ ] T013 [P] [US1] Add integration test for manifest generation consistency in `backend/tests/services/clean_release/test_manifest_builder.py`
+- [X] T012 [P] [US1] Add unit tests for artifact classification and deterministic decisions in `backend/tests/services/clean_release/test_policy_engine.py`
+- [X] T013 [P] [US1] Add integration test for manifest generation consistency in `backend/tests/services/clean_release/test_manifest_builder.py`

 ### Implementation for User Story 1

- [ ] T014 [US1] Implement `CleanPolicyEngine` (CRITICAL: PRE: active policy + valid registry; POST: classification in [required-system|allowed|excluded-prohibited]; TESTS: fixture `policy_enterprise_clean`, edges `conflicting_rules`/`missing_registry`/`empty_prohibited_categories`) in `backend/src/services/clean_release/policy_engine.py`
- [ ] T015 [US1] Implement distribution manifest builder and deterministic hash logic in `backend/src/services/clean_release/manifest_builder.py`
- [ ] T016 [US1] Implement release candidate preparation service flow in `backend/src/services/clean_release/preparation_service.py`
- [ ] T017 [US1] Expose candidate preparation API handler in `backend/src/api/routes/clean_release.py`
- [ ] T018 [US1] Verify implementation matches `ux_reference.md` (Happy Path & Errors) in `specs/023-clean-repo-enterprise/ux_reference.md`
+- [X] T014 [US1] Implement `CleanPolicyEngine` (CRITICAL: PRE: active policy + valid registry; POST: classification in [required-system|allowed|excluded-prohibited]; TESTS: fixture `policy_enterprise_clean`, edges `conflicting_rules`/`missing_registry`/`empty_prohibited_categories`) in `backend/src/services/clean_release/policy_engine.py`
+- [X] T015 [US1] Implement distribution manifest builder and deterministic hash logic in `backend/src/services/clean_release/manifest_builder.py`
+- [X] T016 [US1] Implement release candidate preparation service flow in `backend/src/services/clean_release/preparation_service.py`
+- [X] T017 [US1] Expose candidate preparation API handler in `backend/src/api/routes/clean_release.py`
+- [X] T018 [US1] Verify implementation matches `ux_reference.md` (Happy Path & Errors) in `specs/023-clean-repo-enterprise/ux_reference.md`

 **Checkpoint**: US1 independently functional and testable.

@@ -71,16 +71,16 @@

 ### Tests for User Story 2

- [ ] T019 [P] [US2] Add unit tests for internal source registry validation in `backend/tests/services/clean_release/test_source_isolation.py`
- [ ] T020 [P] [US2] Add integration test for external endpoint blocking in `backend/tests/api/routes/test_clean_release_source_policy.py`
+- [X] T019 [P] [US2] Add unit tests for internal source registry validation in `backend/tests/services/clean_release/test_source_isolation.py`
+- [X] T020 [P] [US2] Add integration test for external endpoint blocking in `backend/tests/api/routes/test_clean_release_source_policy.py`

 ### Implementation for User Story 2

- [ ] T021 [US2] Implement source isolation validator service in `backend/src/services/clean_release/source_isolation.py`
- [ ] T022 [US2] Extend `CleanPolicyEngine` with source registry checks for external endpoint detection in `backend/src/services/clean_release/policy_engine.py`
- [ ] T023 [US2] Add source registry API contract handling (`internal-only` validation errors) in `backend/src/api/routes/clean_release.py`
- [ ] T024 [US2] Update TUI view model to display Allowed Internal Sources panel and External Source blocking messages in `backend/src/scripts/clean_release_tui.py`
- [ ] T025 [US2] Verify implementation matches `ux_reference.md` (Happy Path & Errors) in `specs/023-clean-repo-enterprise/ux_reference.md`
+- [X] T021 [US2] Implement source isolation validator service in `backend/src/services/clean_release/source_isolation.py`
+- [X] T022 [US2] Extend `CleanPolicyEngine` with source registry checks for external endpoint detection in `backend/src/services/clean_release/policy_engine.py`
+- [X] T023 [US2] Add source registry API contract handling (`internal-only` validation errors) in `backend/src/api/routes/clean_release.py`
+- [X] T024 [US2] Update TUI view model to display Allowed Internal Sources panel and External Source blocking messages in `backend/src/scripts/clean_release_tui.py`
+- [X] T025 [US2] Verify implementation matches `ux_reference.md` (Happy Path & Errors) in `specs/023-clean-repo-enterprise/ux_reference.md`

 **Checkpoint**: US2 independently functional and testable.

@@ -94,17 +94,17 @@

 ### Tests for User Story 3

- [ ] T026 [P] [US3] Add orchestrator state machine tests for stage pass/fail transitions in `backend/tests/services/clean_release/test_compliance_orchestrator.py`
- [ ] T027 [P] [US3] Add report builder validation tests for counters and blocking violations in `backend/tests/services/clean_release/test_report_builder.py`
- [ ] T028 [P] [US3] Add API contract tests for `/api/clean-release/checks*` and `/api/clean-release/reports/{id}` in `backend/tests/api/routes/test_clean_release_api.py`
+- [X] T026 [P] [US3] Add orchestrator state machine tests for stage pass/fail transitions in `backend/tests/services/clean_release/test_compliance_orchestrator.py`
+- [X] T027 [P] [US3] Add report builder validation tests for counters and blocking violations in `backend/tests/services/clean_release/test_report_builder.py`
+- [X] T028 [P] [US3] Add API contract tests for `/api/clean-release/checks*` and `/api/clean-release/reports/{id}` in `backend/tests/api/routes/test_clean_release_api.py`

 ### Implementation for User Story 3

- [ ] T029 [US3] Implement `CleanComplianceOrchestrator` (CRITICAL: PRE: candidate exists + active policy; POST: final status COMPLIANT/BLOCKED/FAILED; TESTS: fixture `compliant_candidate`, edges `stage_failure_blocks_release`/`missing_stage_result`/`report_generation_error`) in `backend/src/services/clean_release/compliance_orchestrator.py`
- [ ] T030 [US3] Implement `ComplianceReportBuilder` (CRITICAL: PRE: terminal run state; POST: report counters consistent with violations; TESTS: fixture `blocked_with_two_violations`, edges `empty_violations_for_blocked`/`counter_mismatch`/`missing_operator_summary`) in `backend/src/services/clean_release/report_builder.py`
- [ ] T031 [US3] Implement clean release API endpoints from `contracts/api.yaml` in `backend/src/api/routes/clean_release.py`
- [ ] T032 [US3] Add audit logging hooks for preparation/check/report lifecycle in `backend/src/services/clean_release/audit_service.py`
- [ ] T033 [US3] Verify implementation matches `ux_reference.md` (Happy Path & Errors) in `specs/023-clean-repo-enterprise/ux_reference.md`
+- [X] T029 [US3] Implement `CleanComplianceOrchestrator` (CRITICAL: PRE: candidate exists + active policy; POST: final status COMPLIANT/BLOCKED/FAILED; TESTS: fixture `compliant_candidate`, edges `stage_failure_blocks_release`/`missing_stage_result`/`report_generation_error`) in `backend/src/services/clean_release/compliance_orchestrator.py`
+- [X] T030 [US3] Implement `ComplianceReportBuilder` (CRITICAL: PRE: terminal run state; POST: report counters consistent with violations; TESTS: fixture `blocked_with_two_violations`, edges `empty_violations_for_blocked`/`counter_mismatch`/`missing_operator_summary`) in `backend/src/services/clean_release/report_builder.py`
+- [X] T031 [US3] Implement clean release API endpoints from `contracts/api.yaml` in `backend/src/api/routes/clean_release.py`
+- [X] T032 [US3] Add audit logging hooks for preparation/check/report lifecycle in `backend/src/services/clean_release/audit_service.py`
+- [X] T033 [US3] Verify implementation matches `ux_reference.md` (Happy Path & Errors) in `specs/023-clean-repo-enterprise/ux_reference.md`

 **Checkpoint**: US3 independently functional and testable.

@@ -118,11 +118,11 @@

 ### Implementation for User Story 4

- [ ] T034 [US4] Update operator runbook with enterprise clean lifecycle and recovery actions in `docs/installation.md`
- [ ] T035 [US4] Add dedicated enterprise clean deployment section with internal-only source policy in `README.md`
- [ ] T036 [US4] Sync quick operational guidance with compliance statuses and report workflow in `specs/023-clean-repo-enterprise/quickstart.md`
- [ ] T037 [US4] Add troubleshooting matrix for blocked categories (`data-purity`, `external-source`, `operational-risk`) in `specs/023-clean-repo-enterprise/quickstart.md`
- [ ] T038 [US4] Verify implementation matches `ux_reference.md` (Happy Path & Errors) in `specs/023-clean-repo-enterprise/ux_reference.md`
+- [X] T034 [US4] Update operator runbook with enterprise clean lifecycle and recovery actions in `docs/installation.md`
+- [X] T035 [US4] Add dedicated enterprise clean deployment section with internal-only source policy in `README.md`
+- [X] T036 [US4] Sync quick operational guidance with compliance statuses and report workflow in `specs/023-clean-repo-enterprise/quickstart.md`
+- [X] T037 [US4] Add troubleshooting matrix for blocked categories (`data-purity`, `external-source`, `operational-risk`) in `specs/023-clean-repo-enterprise/quickstart.md`
+- [X] T038 [US4] Verify implementation matches `ux_reference.md` (Happy Path & Errors) in `specs/023-clean-repo-enterprise/ux_reference.md`

 **Checkpoint**: US4 independently functional and testable.

@@ -132,11 +132,11 @@

 **Purpose**: Финализация, smoke-проверки и governance-замыкание.

- [ ] T039 [P] Run end-to-end smoke validation of TUI scenario from `quickstart.md` and record results in `specs/023-clean-repo-enterprise/quickstart.md`
- [ ] T040 [P] Validate OpenAPI contract consistency against implemented routes in `backend/tests/api/routes/test_clean_release_api.py`
- [ ] T041 Add release checklist artifact template for compliance evidence packaging in `specs/023-clean-repo-enterprise/checklists/release-readiness.md`
- [ ] T042 Resolve numeric-prefix governance conflict note (`020-*`) and document decision in `specs/023-clean-repo-enterprise/plan.md`
- [ ] T043 Update feature status traceability and final notes in `specs/023-clean-repo-enterprise/plan.md`
+- [X] T039 [P] Run end-to-end smoke validation of TUI scenario from `quickstart.md` and record results in `specs/023-clean-repo-enterprise/quickstart.md`
+- [X] T040 [P] Validate OpenAPI contract consistency against implemented routes in `backend/tests/api/routes/test_clean_release_api.py`
+- [X] T041 Add release checklist artifact template for compliance evidence packaging in `specs/023-clean-repo-enterprise/checklists/release-readiness.md`
+- [X] T042 Resolve numeric-prefix governance conflict note (`020-*`) and document decision in `specs/023-clean-repo-enterprise/plan.md`
+- [X] T043 Update feature status traceability and final notes in `specs/023-clean-repo-enterprise/plan.md`

 ---