feat(truth): emit derived rollups + per-project open_high_critical#77
Merged
Add a top-level `rollups` block (risk-tier counts, security high+critical totals, decision counts) and the per-project `security.open_high_critical` field to portfolio-truth-latest.json, so downstream consumers read the auditor's derived risk/security logic instead of re-implementing it — the #1 cross-tool drift risk.

- New PortfolioTruthRollups dataclass, computed in __post_init__ from the project list so it can never drift from the source data
- SecurityFields.to_dict now includes the open_high_critical property
- Schema 0.6.0 -> 0.7.0 (additive, backward-compatible)

Verified: ruff check clean; 2493 passed, 2 skipped.
What
First half of the T3-3 cross-repo drift fix. PortfolioCommandCenter currently re-implements this auditor's risk/security logic in three places (`openHighCritical` in TS, a Rust tally in `lib.rs`, and `decisionModel`). This PR makes the auditor emit the derived rollups into `portfolio-truth-latest.json` so PCC can read them and delete its mirrors (PR-B, separate repo).

Changes (additive — schema 0.6.0 → 0.7.0)

- `rollups` block: `risk_tier_counts` (elevated/moderate/baseline/deferred), `security` (scanned_count, repos_with_open_high_critical, total_open_high, total_open_critical), `decision` (decision_needed_count, default_attention_count).
- `security.open_high_critical`: the existing `@property` is now included in `to_dict()`.
- `PortfolioTruthRollups` is computed in `__post_init__` from the project list, so it can never drift from the source data.
- Backward-compatible: only adds keys; existing readers are untouched.
Verification
- `ruff check src/ tests/` — clean
- `uv run pytest -q` — 2493 passed, 2 skipped

Cross-repo sequencing

This is PR-A. After merge, regenerate `portfolio-truth-latest.json` (audit run) so the live file is 0.7.0, then PR-B in PortfolioCommandCenter consumes the new fields and deletes the duplicated `openHighCritical` + simplifies the Rust history tally (prefer rollups, fallback compute for pre-0.7.0 snapshots).
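The anti-drift pattern this PR describes, shown as an added illustration rather than the auditor's own code: the rollups dataclass is populated only inside `__post_init__` from the project list, and the per-project property rides along in `to_dict()`. The `Project` shape, the rule that unscanned repos contribute nothing to the security totals, and the omission of `default_attention_count` (its rule is not given above) are assumptions of this example.

```python
from dataclasses import asdict, dataclass, field

RISK_TIERS = ("elevated", "moderate", "baseline", "deferred")

@dataclass
class SecurityFields:
    scanned: bool = False
    open_high: int = 0
    open_critical: int = 0

    @property
    def open_high_critical(self) -> int:
        return self.open_high + self.open_critical  # derived once, here, for every consumer

    def to_dict(self) -> dict:  # the property is emitted next to the raw counts
        return {**asdict(self), "open_high_critical": self.open_high_critical}

@dataclass
class Project:  # assumed shape, not the auditor's real project record
    name: str
    risk_tier: str  # one of RISK_TIERS
    decision_needed: bool
    security: SecurityFields

@dataclass
class PortfolioTruthRollups:
    risk_tier_counts: dict
    security: dict
    decision: dict

@dataclass
class PortfolioTruth:
    projects: list
    schema_version: str = "0.7.0"
    rollups: PortfolioTruthRollups = field(init=False)  # not a constructor argument

    def __post_init__(self) -> None:
        # Derived from the project list and never accepted as input, so the rollups cannot drift.
        ps, scanned = self.projects, [p for p in self.projects if p.security.scanned]
        self.rollups = PortfolioTruthRollups(
            risk_tier_counts={t: sum(p.risk_tier == t for p in ps) for t in RISK_TIERS},
            security={"scanned_count": len(scanned),  # assumption: unscanned repos contribute nothing
                      "repos_with_open_high_critical": sum(p.security.open_high_critical > 0 for p in scanned),
                      "total_open_high": sum(p.security.open_high for p in scanned),
                      "total_open_critical": sum(p.security.open_critical for p in scanned)},
            decision={"decision_needed_count": sum(p.decision_needed for p in ps)})

    def to_dict(self) -> dict:
        return {"schema_version": self.schema_version, "rollups": asdict(self.rollups),
                "projects": [{"name": p.name, "security": p.security.to_dict()} for p in self.projects]}
```

A consumer that reads `rollups` and the per-project `open_high_critical` from this output has no arithmetic left to mirror, which is what lets PR-B delete its copies.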