Add credential lane readiness proposals

2026-06-27 23:30:29 +02:00
parent 815b124ab1
commit aee0dcefad
13 changed files with 425 additions and 25 deletions
--- a/tests/test_credential_change.py
+++ b/tests/test_credential_change.py
@@ -22,7 +22,11 @@ class CredentialChangeTests(unittest.TestCase):
    def setUp(self) -> None:
        self.sample = (
            REPO_DIR
-            / "credential-change-requests/CCR-2026-0001-whynot-design-npm-token.yaml"
+            / "credential-change-requests/CCR-2026-0001-whynot-design-npm-publish.yaml"
+        )
+        self.issue_core = (
+            REPO_DIR
+            / "credential-change-requests/CCR-2026-0002-issue-core-ingestion-api-key.yaml"
        )

    def test_sample_ccr_validates_with_bound_claim_warning(self) -> None:
@@ -30,13 +34,38 @@ class CredentialChangeTests(unittest.TestCase):
        self.assertEqual(errors, [])
        self.assertIn("bound claim is not confirmed", warnings[0])

+    def test_all_repo_ccrs_validate(self) -> None:
+        for path in sorted((REPO_DIR / "credential-change-requests").glob("*.yaml")):
+            with self.subTest(path=path.name):
+                _ccr, errors, _warnings = credential_change.validate_ccr(path)
+                self.assertEqual(errors, [])
+
    def test_render_summary_contains_review_fields(self) -> None:
        ccr, _errors, warnings = credential_change.validate_ccr(self.sample)
        rendered = credential_change.render_summary(ccr, warnings)
        self.assertIn("whynot-design npm publish token lane", rendered)
        self.assertIn("platform/workloads/whynot-design/whynot-design/npm-publish", rendered)
+        self.assertIn("whynot-design-npm-publish", rendered)
+        self.assertIn("readiness: template resolvable=False", rendered)
        self.assertIn("approve | deny | needs_changes", rendered)

+    def test_status_payload_marks_template_not_resolvable(self) -> None:
+        ccr, _errors, warnings = credential_change.validate_ccr(self.sample)
+        payload = credential_change.status_payload(ccr, warnings)
+        self.assertFalse(payload["apply_allowed"])
+        self.assertFalse(payload["frontdoor_resolvable"])
+        self.assertEqual(payload["access_frontdoor"]["readiness"], "template")
+        self.assertEqual(payload["access_frontdoor"]["catalog_id"], "whynot-design-npm-publish")
+        self.assertIn("front door is marked resolvable=false", payload["frontdoor_blockers"])
+
+    def test_kubernetes_auth_payload_uses_service_account_bounds(self) -> None:
+        ccr, errors, _warnings = credential_change.validate_ccr(self.issue_core)
+        self.assertEqual(errors, [])
+        payload = credential_change.auth_payload(ccr)
+        self.assertEqual(payload["bound_service_account_names"], ["issue-core"])
+        self.assertEqual(payload["bound_service_account_namespaces"], ["issue-core"])
+        self.assertNotIn("bound_claims", payload)
+
    def test_apply_plan_refuses_unapproved_ccr(self) -> None:
        with self.assertRaises(SystemExit):
            credential_change.command_apply_plan(type("Args", (), {"ref": str(self.sample)})())