stage-exp-a explore: public payload builder + tests

2026-06-07 01:11:17 +02:00
parent 925bf76a0b
commit 56466c334d
2 changed files with 298 additions and 0 deletions
--- a/tests/test_network_view.py
+++ b/tests/test_network_view.py
@@ -18,6 +18,7 @@ from psyc.lines.network_view import (
    NetworkNode,
    NetworkView,
    build_admin_view,
+    build_explore_view,
    build_local_view,
    build_public_view,
    build_transitive_view,
@@ -623,6 +624,49 @@ def test_admin_view_recent_translog_per_peer(fresh_db, fed_dir):
        assert set(row.keys()) == {"id", "entry_type", "timestamp", "hash"}


+def test_explore_view_omits_ioc_values_case_ids_and_raw_json(fresh_db, fed_dir):
+    """The public explore payload must NEVER expose IOC values, case_ids, or raw_json.
+
+    This is the load-bearing transparency-vs-leakage contract that lives at
+    the network-view layer — anyone can audit who's talking to whom and how
+    much, but never *what* they're saying.
+    """
+    fp, pem = _make_peer_pubkey()
+    federation.register_peer("trusted.example", fp, pem, status="trusted")
+    now_iso = datetime.now(timezone.utc).isoformat()
+    db.record_signal(dict(
+        peer_fingerprint=fp,
+        signal_type="ioc",
+        signal_id="evil-domain-do-not-leak.com",
+        signal_hash="ioc-hash-leak",
+        received_at=now_iso,
+        raw_json=json.dumps({"type": "domain", "value": "evil-domain-do-not-leak.com"}),
+    ))
+    db.record_signal(dict(
+        peer_fingerprint=fp,
+        signal_type="case",
+        signal_id="CASE-SECRET-42",
+        signal_hash="case-hash-leak",
+        received_at=now_iso,
+        raw_json=json.dumps({"severity": "critical", "case_id": "CASE-SECRET-42"}),
+    ))
+    with patch.object(network_view, "_fetch_peer_explore", return_value=None), \
+         patch.object(network_view, "_fetch_peer_network", return_value=None):
+        payload = build_explore_view()
+    flat = json.dumps(payload, default=str)
+    assert "evil-domain-do-not-leak.com" not in flat
+    assert "CASE-SECRET-42" not in flat
+    assert "raw_json" not in flat
+    # Sector-leaking breakdowns must not appear either.
+    assert "severity_breakdown" not in flat
+    assert "ioc_type_breakdown" not in flat
+    # And peer rows carry only public-safe counts.
+    for p in payload.get("peers", []):
+        assert "severity_breakdown" not in p
+        assert "ioc_type_breakdown" not in p
+        assert "recent_translog" not in p
+
+
 def test_public_view_still_has_no_stats(fresh_db, fed_dir):
    """Public payload must not surface admin-only enrichments — sensitive.