Implement PMEM-WP-0015 credentialed live pilot with ops-warden routing.

Add credential routing advisories via warden route/access, live pilot evidence
helpers, managed deployment pilot probes, evaluation trend regression gates,
and expanded troubleshooting. Update operator runbook and maturity scorecard.
2026-07-02 23:24:35 +02:00
parent bff90ec1ed
commit 29f893b905
15 changed files with 913 additions and 38 deletions

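--- a/tests/test_pilot.py
+++ b/tests/test_pilot.py
@@ -0,0 +1,80 @@
+import json
+from pathlib import Path
+from phase_memory.pilot import (
+LIVE_PILOT_REPORT_SCHEMA,
+MANAGED_DEPLOYMENT_PILOT_SCHEMA,
+live_pilot_report,
+managed_deployment_pilot_report,
+write_live_pilot_evidence,
+)
+from phase_memory.service_app import ServiceAppConfig
+FIXTURES = Path(__file__).parent / "fixtures"
+def test_managed_deployment_pilot_report_passes_local_probes(tmp_path) -> None:
+report = managed_deployment_pilot_report(
+ServiceAppConfig(host="127.0.0.1", port=8125, local_store_path=str(tmp_path)),
+platform="local",
+)
+assert report["schema_version"] == MANAGED_DEPLOYMENT_PILOT_SCHEMA
+assert report["valid"] is True
+assert report["probes"]["health"]["ok"] is True
+assert report["probes"]["ready"]["ok"] is True
+assert report["local_store_mount"]["validated"] is True
+assert report["rollback"]["validated"] is True
+def test_live_pilot_report_redacts_secrets_and_marks_partial_live_evidence() -> None:
+environ = {
+"PHASE_MEMORY_MARKITECT_URL": "https://markitect.example.invalid",
+"PHASE_MEMORY_MARKITECT_TOKEN": "markitect-secret-token",
+"PHASE_MEMORY_KONTEXTUAL_URL": "https://kontextual.example.invalid",
+"PHASE_MEMORY_KONTEXTUAL_TOKEN": "kontextual-secret-token",
+}
+report = live_pilot_report(
+environ,
+run_id="pytest",
+scenarios_path=FIXTURES / "evaluation-scenarios.json",
+operator_approved_fixture=True,
+)
+serialized = json.dumps(report, sort_keys=True)
+assert report["schema_version"] == LIVE_PILOT_REPORT_SCHEMA
+assert report["tooling_verified"] is True
+assert report["live_evidence"]["credentialed_smoke"] is True
+assert report["live_evidence"]["managed_deployment_probes"] is True
+assert report["live_evidence"]["telemetry_retention"] is True
+assert report["sections"]["evaluation_regression_gate"]["valid"] is True
+assert "markitect-secret-token" not in serialized
+assert "https://kontextual.example.invalid" not in serialized
+def test_write_live_pilot_evidence_persists_redacted_artifacts(tmp_path) -> None:
+report = write_live_pilot_evidence(
+tmp_path,
+{},
+run_id="pytest",
+scenarios_path=FIXTURES / "evaluation-scenarios.json",
+operator_approved_fixture=True,
+)
+expected_files = (
+"live-pilot-report.json",
+"credentialed-operator-report.json",
+"managed-deployment-pilot.json",
+"telemetry-retention-evidence.json",
+"evaluation-trend-history.json",
+"evaluation-regression-gate.json",
+"credential-routing-advisory.json",
+)
+for filename in expected_files:
+assert (tmp_path / filename).exists()
+serialized = "".join((tmp_path / name).read_text(encoding="utf-8") for name in expected_files)
+assert report["live_evidence"]["credentialed_smoke"] is False
+assert "credential_env_missing" in serialized
+assert "warden access" in serialized or "warden_cli_unavailable" in serialized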
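Review bot: The redaction check in `test_live_pilot_report_redacts_secrets_and_marks_partial_live_evidence` covers only two of the four sensitive inputs: it asserts that `markitect-secret-token` and the Kontextual URL are absent from the serialized report, but never checks `kontextual-secret-token` or the Markitect URL, so a leak of either would still pass. Replacing the two asserts with `for value in environ.values(): assert value not in serialized` ties the check to every value in `environ`. `test_write_live_pilot_evidence_persists_redacted_artifacts` passes an empty environ, so despite its name it never shows that the seven files written to disk are redacted. A second case that supplies the same four variables and runs the same loop over the concatenated file contents would cover the persisted artifacts. A plain substring check will not catch a secret that is written in an encoded or truncated form, which is worth a comment next to the assertion.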