wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity

docs(security): add follow-up runtime gate contract [skip ci]

Browse Source
This commit is contained in:
Your Name
2026-05-13 19:02:07 +08:00
parent bb23307b7d
commit 0f1141b33e
32 changed files with 824 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
docs/LOGBOOK.md
View File

@@ -1,3 +1,25 @@
## 2026-05-13 | 資安供應鏈 S3.4:後續 Runtime Gate 準備契約
**背景**S3.3 已建立 `security_approval_state_transition_v1`,讓 AwoooP 可顯示人工決策後的 next state。本輪補上 `security_followup_runtime_gate_v1`,定義 `approve_scope` 後若未來要進 runtime gate必須先具備哪些 minimum evidence、preflight checks、rollback / disable requirement 與仍然禁止事項。
**本次交付**
- 新增 `docs/schemas/security_followup_runtime_gate_v1.schema.json`
- 新增 `docs/security/security-followup-runtime-gate.snapshot.json`,涵蓋 8 個 gate templates全部維持 `execution_authorized=false`
- 新增 `docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md`,以繁體中文說明 follow-up runtime gate 只做準備,不啟用執行。
- 更新資安供應鏈 manifestcontract 數量從 31 增至 32。
- 更新鏡像 readiness、接收計畫、事件範例、路由矩陣、驗收契約、隔離契約、dry-run、status rollup、approval gate、approval queue、decision record、review packet、state transition、AwoooP mirror-only checklist、AwoooP handoff 與整體進度。
**累積狀態**
- 鏡像 readiness 目前為 32 個 contracts29 個 ready for mirror、2 個 partial ready、1 個 contract-only、0 個 blocked。
- Approval queue 仍是 8 items7 個 pending approval、1 個 block candidate。
- Follow-up runtime gate templates 目前 8 筆active runtime gates 0 筆approved scope 0 筆runtime actions 0 筆。
**邊界**
- 沒有新增 runtime endpoint、DB migration、model 或執行 action。
- 沒有新增執行按鈕。
- 沒有啟動 scan、呼叫 Kali `/execute`、建立 repo、修改 visibility、sync refs 或切 GitHub primary。
- 沒有保存 raw secret、token、cookie、private key 或 exploit payload。
## 2026-05-13 | 資安供應鏈 S3.3:人工決策狀態轉移契約
**背景**S3.2 已建立 `security_approval_review_packet_v1`,讓 AwoooP 可顯示 8 個人工審查封包。本輪補上 `security_approval_state_transition_v1`,定義人工 reviewer 做出 `approve_scope``reject``defer``request_more_evidence``keep_blocked` 後的 next state避免把批准 scope 誤解成可立即執行。

202
docs/schemas/security_followup_runtime_gate_v1.schema.json Normal file
View File

@@ -0,0 +1,202 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "urn:awoooi:security-followup-runtime-gate-v1",
"title": "資安供應鏈後續 Runtime Gate 準備契約 v1",
"description": "定義 Security Supply Chain 在 approve_scope 之後,若未來要進入 runtime gateAwoooP 需要顯示哪些前置條件。此契約只做準備,不授權 runtime execution。",
"type": "object",
"required": [
"schema_version",
"status",
"date",
"mode",
"runtime_execution_authorized",
"source_indexes",
"summary",
"gate_templates",
"gate_rules",
"forbidden_actions"
],
"properties": {
"schema_version": {
"const": "security_followup_runtime_gate_v1"
},
"status": {
"type": "string",
"enum": ["draft"]
},
"date": {
"type": "string"
},
"mode": {
"type": "string",
"enum": ["runtime_gate_preparation_only"]
},
"runtime_execution_authorized": {
"type": "boolean",
"const": false
},
"source_indexes": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
},
"summary": {
"type": "object",
"required": [
"total_gate_templates",
"active_runtime_gates",
"approved_scope_count",
"runtime_actions_authorized",
"action_buttons_allowed",
"raw_secret_storage_authorized"
],
"properties": {
"total_gate_templates": {
"type": "integer",
"minimum": 0
},
"active_runtime_gates": {
"type": "integer",
"minimum": 0
},
"approved_scope_count": {
"type": "integer",
"minimum": 0
},
"runtime_actions_authorized": {
"type": "boolean",
"const": false
},
"action_buttons_allowed": {
"type": "boolean",
"const": false
},
"raw_secret_storage_authorized": {
"type": "boolean",
"const": false
}
},
"additionalProperties": false
},
"gate_templates": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"required": [
"template_id",
"source_packet_id",
"source_gate_id",
"action_family",
"risk",
"gate_state",
"applies_after_decision",
"minimum_required_evidence",
"required_reviewers",
"preflight_checks",
"allowed_pre_runtime_artifacts",
"rollback_or_disable_requirement",
"still_forbidden",
"execution_authorized"
],
"properties": {
"template_id": {
"type": "string"
},
"source_packet_id": {
"type": "string"
},
"source_gate_id": {
"type": "string"
},
"action_family": {
"type": "string",
"enum": [
"redacted_finding_ingestion",
"safe_web_crawl_scope",
"gitea_readonly_inventory",
"github_target_decision",
"ref_truth_review",
"credentialed_scan_exception",
"kali_full_upgrade_reboot_window",
"kali_execute_endpoint_exception"
]
},
"risk": {
"type": "string",
"enum": ["MEDIUM", "HIGH", "CRITICAL"]
},
"gate_state": {
"type": "string",
"enum": ["template_only_not_active", "waiting_approved_scope", "blocked_by_default"]
},
"applies_after_decision": {
"type": "string",
"enum": ["approve_scope", "keep_blocked"]
},
"minimum_required_evidence": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
},
"required_reviewers": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1,
"uniqueItems": true
},
"preflight_checks": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
},
"allowed_pre_runtime_artifacts": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
},
"rollback_or_disable_requirement": {
"type": "string"
},
"still_forbidden": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
},
"execution_authorized": {
"type": "boolean",
"const": false
}
},
"additionalProperties": false
}
},
"gate_rules": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
},
"forbidden_actions": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
}
},
"additionalProperties": false
}

10
docs/schemas/security_mirror_status_rollup_v1.schema.json
View File

@@ -64,6 +64,8 @@
"approval_queue_total",
"approval_review_packet_total",
"approval_state_transition_rule_total",
"followup_runtime_gate_template_total",
"active_runtime_gate_count",
"pending_approval_count",
"block_candidate_count",
"dry_run_status",
@@ -103,6 +105,14 @@
"type": "integer",
"minimum": 0
},
"followup_runtime_gate_template_total": {
"type": "integer",
"minimum": 0
},
"active_runtime_gate_count": {
"type": "integer",
"minimum": 0
},
"pending_approval_count": {
"type": "integer",
"minimum": 0

5
docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
View File

@@ -33,6 +33,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `security_approval_decision_record_v1` | S3 人工決策紀錄 | Operator Console、Audit | approval-only | 只保存 approve / reject / defer / request more evidence / keep blocked 的稽核紀錄,不執行決策 |
| `security_approval_review_packet_v1` | S3 人工審查封包 | Approval queue、Operator Console、Audit | approval-only | 只顯示 review lane、required reviewers、requested decision 與 still forbidden不代表批准 |
| `security_approval_state_transition_v1` | S3 人工決策狀態轉移 | Approval queue、Operator Console、Audit | approval-only | 只顯示 decision 後 next state`approve_scope` 仍需 follow-up runtime gate |
| `security_followup_runtime_gate_v1` | S3 後續 runtime gate 準備模板 | Approval queue、Operator Console、Audit | approval-only | 只顯示 minimum evidence、preflight checks 與 rollback / disable requirement目前不啟用 runtime gate |
| `security_mirror_readiness_v1` | Security Supply Chain contract mirror readiness index | Operator Console、Runtime State、Channel Event、Audit | mirror-only | 只顯示 ready / partial / contract-only不執行 mirror item |
| `security_mirror_intake_plan_v1` | AwoooP mirror-only intake waves / destinations / acceptance gates | Operator Console、Runtime State、Channel Event、Audit、Approval Queue | mirror-only | 只照 wave 讀取與顯示,不執行 intake item |
| `security_mirror_event_v1` | AwoooP mirror-only event envelope | Operator Console、Runtime State、Channel Event、Audit、Approval Queue | mirror-only | 每筆 event 必須 `execution_authorized=false``action_buttons_allowed=false` |
@@ -95,7 +96,8 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `security_approval_decision_record_v1.mode=decision_record_only` | `observe` | 顯示人工決策紀錄;每筆紀錄都必須 `execution_authorized=false` |
| `security_approval_review_packet_v1.mode=approval_review_packet_only` | `approve_required` | 顯示 8 個 review packets、review lane 與 still forbidden不得當成批准或執行授權 |
| `security_approval_state_transition_v1.mode=approval_state_transition_only` | `observe` | 顯示 5 個 decision options 的 next state不得把 transition 當 execution authorization |
| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 31 個 contracts 的 readiness不得把 readiness 當 execution authorization |
| `security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only` | `observe` | 顯示 8 個後續 runtime gate 準備模板、0 個 active runtime gates不得新增 action button |
| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 32 個 contracts 的 readiness不得把 readiness 當 execution authorization |
| `security_mirror_intake_plan_v1.status=draft` | `observe` | 顯示 5 個 intake waves 與 4 個 acceptance gates不得執行 wave |
| `security_mirror_event_v1.execution_authorized=false` | `observe` | 只包裝鏡像 payload明確不授權執行、不顯示執行按鈕 |
| `security_mirror_route_v1.status=draft` | `observe` | 顯示 5 個 route groups、channel policy 與 review lane不得轉成 execution router |
@@ -171,6 +173,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| Security approval decision record | `docs/security/security-approval-decision-record.snapshot.json` / `docs/security/SECURITY-APPROVAL-DECISION-RECORD.md` |
| Security approval review packet | `docs/security/security-approval-review-packet.snapshot.json` / `docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md` |
| Security approval state transition | `docs/security/security-approval-state-transition.snapshot.json` / `docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md` |
| Security follow-up runtime gate preparation | `docs/security/security-followup-runtime-gate.snapshot.json` / `docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md` |
| Security mirror readiness | `docs/security/security-mirror-readiness.snapshot.json` / `docs/security/SECURITY-MIRROR-READINESS.md` |
| Security mirror intake plan | `docs/security/security-mirror-intake-plan.snapshot.json` / `docs/security/SECURITY-MIRROR-INTAKE-PLAN.md` |
| 資安鏡像事件契約 | `docs/security/security-mirror-event-sample.snapshot.json` / `docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md` |

28
docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md
View File

@@ -73,7 +73,7 @@
```text
Kali / Code Review / GitHub / Gitea / Codex
-> security_supply_chain_contract_manifest_v1
-> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / security_approval_state_transition_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1
-> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / security_approval_state_transition_v1 / security_followup_runtime_gate_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1
-> AWOOOI ingestion / asset_inventory / AIOps KPI / AOL
-> mirror 到 AwoooP Runtime State / Channel Event / Audit
-> AwoooP Policy / Approval / Exception / Operator Console
@@ -183,6 +183,18 @@ Snapshot`docs/security/security-approval-state-transition.snapshot.json`
AwoooP 初期處理方式:只顯示 next state例如 `scope_approved_waiting_runtime_gate``closed_rejected_no_action``blocked_by_default`;不得把 transition rule 當成執行命令。
### `security_followup_runtime_gate_v1`
用途:定義 S3.4 後續 runtime gate 的準備模板,讓 AwoooP 在 `approve_scope` 後知道未來若要進一步執行,必須先看到哪些 minimum evidence、preflight checks、rollback / disable requirement 與仍然禁止事項。
Schema`docs/schemas/security_followup_runtime_gate_v1.schema.json`
Snapshot`docs/security/security-followup-runtime-gate.snapshot.json`
目前 templates8 筆,對應 redacted finding ingestion、safe web crawl、Gitea read-only inventory、GitHub target decisions、ref truth review、credentialed scan、Kali full-upgrade/reboot 與 Kali `/execute` block candidate。`active_runtime_gates=0``approved_scope_count=0``runtime_actions_authorized=false`
AwoooP 初期處理方式:只顯示準備條件與禁止事項,不新增 action button不啟用 runtime gate不執行 scan、repo、refs、deploy、secret、RBAC、NetworkPolicy 或 firewall 類動作。
### `security_mirror_readiness_v1`
用途:集中整理 Security Supply Chain contracts 的 mirror readiness讓 AwoooP 先知道哪些可 mirror、哪些 partial、哪些 contract-only。
@@ -191,7 +203,7 @@ Schema`docs/schemas/security_mirror_readiness_v1.schema.json`
Snapshot`docs/security/security-mirror-readiness.snapshot.json`
目前 readiness31 個 contracts28 個 ready for mirror2 個 partial ready1 個 contract-only0 個 blocked。所有 contract 都是 `execution_allowed=false`
目前 readiness32 個 contracts29 個 ready for mirror2 個 partial ready1 個 contract-only0 個 blocked。所有 contract 都是 `execution_allowed=false`
AwoooP 初期處理方式:先 mirror readiness index再依 readiness 分批 mirror 其他 snapshots不得把 readiness 當 execution authorization。
@@ -227,7 +239,7 @@ Schema`docs/schemas/security_mirror_route_v1.schema.json`
Snapshot`docs/security/security-mirror-route.snapshot.json`
目前 route5 個 route groups涵蓋 31 個 contracts所有 route 都是 `runtime_execution_authorized=false`
目前 route5 個 route groups涵蓋 32 個 contracts所有 route 都是 `runtime_execution_authorized=false`
AwoooP 初期處理方式:只依 route group 顯示 Operator Console / Runtime State / Channel Event / Audit / Approval Queue不把 route 轉成 execution router。
@@ -275,7 +287,7 @@ Schema`docs/schemas/security_mirror_status_rollup_v1.schema.json`
Snapshot`docs/security/security-mirror-status-rollup.snapshot.json`
目前 rollup`framework_ready_waiting_approval`31 個 contracts、28 ready、2 partial、1 contract-only、0 blockedapproval queue 仍為 8 items其中 7 pending approval、1 block candidatereview packets 8 筆state transition rules 5 筆decision records 目前 0 筆。
目前 rollup`framework_ready_waiting_approval`32 個 contracts、29 ready、2 partial、1 contract-only、0 blockedapproval queue 仍為 8 items其中 7 pending approval、1 block candidatereview packets 8 筆state transition rules 5 follow-up runtime gate templates 8 筆active runtime gates 0 decision records 目前 0 筆。
AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence不得把 rollup 當 runtime authorization。
@@ -311,7 +323,7 @@ Schema`docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`
"schema_version": "security_supply_chain_contract_manifest_v1",
"status": "draft",
"default_enforcement_level": "mirror_only",
"contract_count": 31
"contract_count": 32
}
```
@@ -726,7 +738,7 @@ Console 初期不提供高風險執行按鈕。
2026-05-12 contract manifest 追加:已新增 `docs/schemas/security_supply_chain_contract_manifest_v1.schema.json``docs/security/security-supply-chain-contract-manifest.snapshot.json``docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md`。AwoooP 應先讀 manifest 作為 mirror-only contract registry不把 manifest 當 execution router。
2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json``docs/security/security-mirror-route.snapshot.json``docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 31 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queueroute 只決定目的地、channel policy 與 review lane不是 execution router。
2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json``docs/security/security-mirror-route.snapshot.json``docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 32 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queueroute 只決定目的地、channel policy 與 review lane不是 execution router。
2026-05-13 mirror acceptance 追加:已新增 `docs/schemas/security_mirror_acceptance_v1.schema.json``docs/security/security-mirror-acceptance.snapshot.json``docs/security/SECURITY-MIRROR-ACCEPTANCE.md`。AwoooP 可用 7 個 acceptance checks 驗收 mirror ingestionblocking checks 只針對 contract count mismatch、缺 event envelope、route coverage 不完整或未脫敏 evidence不得阻擋 runtime 流程。
@@ -734,7 +746,7 @@ Console 初期不提供高風險執行按鈕。
2026-05-13 mirror dry-run 追加:已新增 `docs/schemas/security_mirror_dry_run_v1.schema.json``docs/security/security-mirror-dry-run.snapshot.json``docs/security/SECURITY-MIRROR-DRY-RUN.md`。AwoooP 未來可用 6 個 dry-run steps 回報接入演練結果;本 snapshot 狀態為 `contract_defined_not_executed`,不得視為 production ingestion 已啟用。
2026-05-13 mirror status rollup 追加:已新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json``docs/security/security-mirror-status-rollup.snapshot.json``docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`。AwoooP 與 Security Supply Chain Session 可用同一份 rollup 同步 S0-S4、31 個 contracts、approval queue summary、review packet summary、state transition summary 與下一個安全 gate本契約不授權任何 runtime action。
2026-05-13 mirror status rollup 追加:已新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json``docs/security/security-mirror-status-rollup.snapshot.json``docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`。AwoooP 與 Security Supply Chain Session 可用同一份 rollup 同步 S0-S4、32 個 contracts、approval queue summary、review packet summary、state transition summary、follow-up runtime gate template summary 與下一個安全 gate本契約不授權任何 runtime action。
2026-05-13 S3 approval gate 追加:已新增 `docs/schemas/security_approval_gate_v1.schema.json``docs/security/security-approval-gate.snapshot.json``docs/security/SECURITY-APPROVAL-GATE.md`。AwoooP 可用 8 個 gate items 記錄人工批准、拒絕、延後或補 evidence批准後仍需 follow-up runtime gate不得直接執行。
@@ -744,6 +756,8 @@ Console 初期不提供高風險執行按鈕。
2026-05-13 S3 state transition 追加:已新增 `docs/schemas/security_approval_state_transition_v1.schema.json``docs/security/security-approval-state-transition.snapshot.json``docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md`。AwoooP 可顯示 5 個人工決策後 next state`approve_scope` 只進入 `scope_approved_waiting_runtime_gate`,仍不得直接執行 scan、repo、refs、deploy 或 secret 類動作。
2026-05-13 S3 follow-up runtime gate 準備追加:已新增 `docs/schemas/security_followup_runtime_gate_v1.schema.json``docs/security/security-followup-runtime-gate.snapshot.json``docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md`。AwoooP 可顯示 8 個後續 runtime gate 準備模板、minimum evidence、preflight checks 與 rollback / disable requirement目前 `active_runtime_gates=0`,不得新增 action button 或啟用 runtime gate。
2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json``docs/security/kali-integration-status.snapshot.json``docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up已 targeted update `nmap``nikto``nuclei``curl``openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence但不得直接啟動 scan、credentialed scan 或 `/execute`
本波仍不做:

3
docs/security/SECURITY-APPROVAL-DECISION-RECORD.md
View File

@@ -21,6 +21,8 @@ S3.2 的 `security_approval_review_packet_v1` 只負責把待審項目整理成
S3.3 的 `security_approval_state_transition_v1` 只負責把本契約中的決策轉成 next state。State transition 不是 runner也不會讓 `approve_scope` 直接變成可執行。
S3.4 的 `security_followup_runtime_gate_v1` 只負責顯示未來若要進 runtime gate 時需要的前置 evidence、preflight checks 與 rollback / disable requirement。目前沒有 active runtime gate。
## 1. 目前狀態
| 指標 | 數量 |
@@ -42,6 +44,7 @@ S3.3 的 `security_approval_state_transition_v1` 只負責把本契約中的決
5. 將拒絕、延後或補 evidence 的原因顯示給 Operator。
6. 連回原始 `security_approval_review_packet_v1`,讓 Operator 可追溯決策前看到的 evidence 與限制。
7.`security_approval_state_transition_v1` 顯示決策後狀態,例如 `scope_approved_waiting_runtime_gate``blocked_by_default`
8.`security_followup_runtime_gate_v1` 顯示後續 runtime gate 準備模板,但仍不執行。
## 3. AwoooP 不可做

3
docs/security/SECURITY-APPROVAL-GATE.md
View File

@@ -17,7 +17,7 @@
批准後最多只能進入下一步設計、草案、只讀 inventory、低噪音 scope 或人工 exception任何真正 runtime action 都還需要後續 runtime gate。
S3.1 開始,實際人工決策紀錄由 `security_approval_decision_record_v1` 保存。S3.2 開始,可用 `security_approval_review_packet_v1` 把 gate item 包成 review packet。S3.3 開始,決策後 next state 由 `security_approval_state_transition_v1` 定義。Gate 定義可審項目與批准範圍Review Packet 協助人工審查Decision Record 保存決策結果與 audit evidenceState Transition 避免批准被誤解成執行。
S3.1 開始,實際人工決策紀錄由 `security_approval_decision_record_v1` 保存。S3.2 開始,可用 `security_approval_review_packet_v1` 把 gate item 包成 review packet。S3.3 開始,決策後 next state 由 `security_approval_state_transition_v1` 定義。S3.4 開始,未來 runtime gate 的前置條件由 `security_followup_runtime_gate_v1` 顯示。Gate 定義可審項目與批准範圍Review Packet 協助人工審查Decision Record 保存決策結果與 audit evidenceState Transition 避免批准被誤解成執行Follow-up Runtime Gate 避免批准後缺少 preflight 與 rollback 條件
## 1. 目前 Gate 狀態
@@ -54,6 +54,7 @@ S3.1 開始,實際人工決策紀錄由 `security_approval_decision_record_v1`
6. 將決策結果寫成 `security_approval_decision_record_v1`,但維持 `execution_authorized=false`
7. 將 gate item 包成 `security_approval_review_packet_v1`,只顯示 review lane、required reviewers 與仍禁止事項。
8.`security_approval_state_transition_v1` 顯示 next state`approve_scope` 仍只進入 waiting runtime gate。
9.`security_followup_runtime_gate_v1` 顯示 minimum evidence、preflight checks 與 rollback / disable requirement但不啟用 runtime gate。
## 4. AwoooP 不可做

4
docs/security/SECURITY-APPROVAL-QUEUE.md
View File

@@ -15,7 +15,7 @@
它不是授權清單。所有 queue item 都只能顯示、排序、建立 approval candidate不能直接執行。
S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1 開始,實際人工決策結果由 `security_approval_decision_record_v1` 保存。S3.2 開始AwoooP 可用 `security_approval_review_packet_v1` 把 queue/gate 轉成可審查封包。S3.3 開始,決策後狀態由 `security_approval_state_transition_v1` 定義。Queue 負責排序候選Gate 負責限制批准範圍Review Packet 負責讓人好審Decision Record 負責稽核紀錄State Transition 負責定義 next state。
S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1 開始,實際人工決策結果由 `security_approval_decision_record_v1` 保存。S3.2 開始AwoooP 可用 `security_approval_review_packet_v1` 把 queue/gate 轉成可審查封包。S3.3 開始,決策後狀態由 `security_approval_state_transition_v1` 定義。S3.4 開始,後續 runtime gate 的準備資料由 `security_followup_runtime_gate_v1` 定義。Queue 負責排序候選Gate 負責限制批准範圍Review Packet 負責讓人好審Decision Record 負責稽核紀錄State Transition 負責定義 next stateFollow-up Runtime Gate 負責列出未來 runtime 前置條件
目前狀態:
@@ -48,7 +48,7 @@ S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1
3. 建立 approval candidate。
4. 保存人工決策結果與 audit evidence。
5. 依 review order 提醒下一個低摩擦 gate。
6. 將批准範圍對齊 `security_approval_gate_v1`,用 `security_approval_review_packet_v1` 顯示審查封包,再把決策結果寫入 `security_approval_decision_record_v1`,最後依 `security_approval_state_transition_v1` 顯示 next state但不觸發執行。
6. 將批准範圍對齊 `security_approval_gate_v1`,用 `security_approval_review_packet_v1` 顯示審查封包,再把決策結果寫入 `security_approval_decision_record_v1`,最後依 `security_approval_state_transition_v1` 顯示 next state並依 `security_followup_runtime_gate_v1` 顯示前置條件,但不觸發執行。
## 3. AwoooP 不可以做

5
docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md
View File

@@ -19,6 +19,8 @@
S3.3 開始,決策後的 next state 由 `security_approval_state_transition_v1` 定義。這讓 AwoooP 能顯示 `approve_scope` 後仍在等待 runtime gate而不是直接執行。
S3.4 開始,等待 runtime gate 時要看哪些前置條件,由 `security_followup_runtime_gate_v1` 顯示。這仍只是準備模板,不會啟用 runtime gate。
## 1. 目前狀態
| 指標 | 數量 |
@@ -50,7 +52,8 @@ S3.3 開始,決策後的 next state 由 `security_approval_state_transition_v1
3. 讓人工 reviewer 選擇 approve / reject / defer / request more evidence / keep blocked。
4. 將實際決策另寫成 `security_approval_decision_record_v1`
5.`security_approval_state_transition_v1` 顯示決策後 next state。
6. 將 packet 作為 Operator Console / Audit evidence不新增執行按鈕
6. `security_followup_runtime_gate_v1` 顯示後續 runtime gate 準備條件
7. 將 packet 作為 Operator Console / Audit evidence不新增執行按鈕。
## 4. AwoooP 不可做

6
docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md
View File

@@ -17,6 +17,8 @@
它不是 runner也不是 runtime gate。任何 transition 都必須維持 `execution_authorized=false`
S3.4 開始,`approve_scope` 後要顯示的前置 evidence、preflight checks 與 rollback / disable requirement 由 `security_followup_runtime_gate_v1` 定義。這仍只是準備模板,不代表 runtime gate 已啟用。
## 1. 決策到狀態
| Decision | Next state | 初期可做 | 仍需 runtime gate |
@@ -31,7 +33,7 @@
1. 根據人工決策更新 packet / gate / rollup 的只讀狀態。
2. 將決策寫入 `security_approval_decision_record_v1`
3.`approve_scope` 顯示 follow-up runtime gate required。
3.`approve_scope``security_followup_runtime_gate_v1` 顯示 follow-up runtime gate required 與前置條件
4.`request_more_evidence` 顯示需要補哪一類 redacted evidence。
5.`keep_blocked` 顯示 block candidate 仍未解除。
@@ -47,4 +49,6 @@
S3.3 讓 AwoooP 對人工決策有一致狀態語義,避免「批准 scope」被誤解成「可以立刻執行」。
S3.4 補上後續 runtime gate 準備模板,讓等待 gate 的狀態更具體,但目前 `active_runtime_gates=0`
這仍是低摩擦框架期。它讓流程更清楚,但不提高產品、部署或開發流程的資安阻力。

63
docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md Normal file
View File

@@ -0,0 +1,63 @@
# 資安後續 Runtime Gate 準備契約
| 項目 | 內容 |
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | 草案 |
| Schema | `docs/schemas/security_followup_runtime_gate_v1.schema.json` |
| Snapshot | `docs/security/security-followup-runtime-gate.snapshot.json` |
| 模式 | `runtime_gate_preparation_only` |
| runtime 執行授權 | `false` |
## 0. 核心結論
`security_followup_runtime_gate_v1` 是 S3.4 的後續 runtime gate 準備契約。
它只定義一件事:如果未來某個 `approve_scope` 真的要進一步走向 runtime gateAwoooP 必須先看到哪些前置 evidence、preflight checks、rollback / disable plan以及哪些動作仍然禁止。
它不是 runtime gate 本身,也不是執行授權。目前 `active_runtime_gates=0`
## 1. 目前狀態
| 指標 | 數量 |
|------|------|
| Gate templates | 8 |
| Active runtime gates | 0 |
| Approved scope count | 0 |
| Runtime actions authorized | `false` |
| Action buttons allowed | `false` |
## 2. Gate Templates
| Template | 風險 | 初期定位 |
|----------|------|----------|
| Redacted finding ingestion | MEDIUM | 只準備 ingestion adapter 的 redaction / audit 前置條件 |
| Safe web crawl scope | MEDIUM | 只準備 TLS/header/basic crawl 的低噪音 scope |
| Gitea read-only inventory | MEDIUM | 只準備 read-only token 或 redacted export inventory |
| GitHub target decision | HIGH | 只準備 owner / visibility / canonical / workflow parity 決策 |
| Ref truth review | HIGH | 只準備 refs truth / deprecated / release tag 人工判定 |
| Credentialed scan exception | HIGH | 只準備人工 exception、credential lifecycle 與停用方式 |
| Kali full-upgrade / reboot | HIGH | 只準備維護窗口、snapshot、rollback 與 post-health |
| Kali `/execute` exception | CRITICAL | 預設 blocked只準備 disable / allowlist / audit 設計 |
## 3. AwoooP 可做
1. 顯示每個 template 需要的 minimum evidence、preflight checks、reviewers 與 rollback / disable requirement。
2. 顯示目前沒有 active runtime gate。
3.`approve_scope` 後提醒仍需要 follow-up runtime gate。
4. 對 Kali `/execute` 顯示 blocked by default。
5. 將 gate preparation 狀態寫入 Audit evidence。
## 4. AwoooP 不可做
1. 不啟用 runtime gate。
2. 不顯示 scan、execute、repo、refs、deploy、secret 類 action button。
3. 不因為 template 存在就執行 scan、Kali `/execute`、credentialed scan、repo 建立、visibility 修改、refs sync 或 GitHub primary cutover。
4. 不保存 raw secret、token、cookie、private key、credential value 或 exploit payload。
5. 不把 LOW / MEDIUM observation 變成 blocking gate。
## 5. 階段定位
S3.4 是「批准後仍不能直接做事」的保險絲。
它讓未來真正進 runtime 前的資料門檻先被定義清楚,但仍維持初期低摩擦:目前只顯示、只準備、只留痕,不執行。

2
docs/security/SECURITY-MIRROR-ACCEPTANCE.md
View File

@@ -27,7 +27,7 @@
| Check | 目的 | 失敗時是否阻擋鏡像 |
|-------|------|--------------------|
| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 31 個 contracts | 是 |
| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 32 個 contracts | 是 |
| `EVENT_ENVELOPE_REQUIRED` | 確認每筆 payload 都不可執行、不可顯示執行按鈕 | 是 |
| `ROUTE_GROUP_COVERAGE` | 確認 5 個 route groups 覆蓋所有 contracts | 是 |
| `REDACTION_ONLY` | 確認不保存 raw sensitive value | 是 |

5
docs/security/SECURITY-MIRROR-INTAKE-PLAN.md
View File

@@ -19,10 +19,10 @@
| Wave | 目的 | 主要 contracts | Exit gate |
|------|------|----------------|-----------|
| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣、驗收契約、隔離契約、dry-run 報告格式、status rollup、approval gate、decision record、review packetstate transition | readiness / manifest / rollout policy / mirror event / mirror route / acceptance / quarantine / dry-run / status rollup / approval gate / decision record / review packet / state transition | 顯示 31 個 contract 且 `execution_allowed=false` |
| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣、驗收契約、隔離契約、dry-run 報告格式、status rollup、approval gate、decision record、review packetstate transition 與 follow-up runtime gate preparation | readiness / manifest / rollout policy / mirror event / mirror route / acceptance / quarantine / dry-run / status rollup / approval gate / decision record / review packet / state transition / follow-up runtime gate | 顯示 32 個 contract 且 `execution_allowed=false` |
| `M1_kali_visibility` | 顯示 Kali 112、scan scope、approval queue | Kali status / scan scope / approval queue / finding sample | 顯示 5 個 scope groups 與 8 個 queue items沒有執行按鈕 |
| `M2_source_control_visibility` | 顯示 Gitea/GitHub source-control evidence | migration / inventory / refs / approval board | 顯示 blocking reasonsrepo/refs actions 全 disabled |
| `M3_approval_candidates` | 顯示 approval candidates、S3 gate、decision record、review packet、state transition 與人工決策留痕 | approval events / approval queue / approval gate / decision record / review packet / state transition / source-control board | 可留痕,不可自動批准或執行 |
| `M3_approval_candidates` | 顯示 approval candidates、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation 與人工決策留痕 | approval events / approval queue / approval gate / decision record / review packet / state transition / follow-up runtime gate / source-control board | 可留痕,不可自動批准或執行 |
| `M4_patch_only_backlog` | 顯示 Codex patch-only backlog lane | coding task | 只顯示 lane不接 Codex runner action |
## 2. AwoooP 可做
@@ -40,6 +40,7 @@
11. 使用 `security_approval_decision_record_v1` 保存人工決策紀錄。
12. 使用 `security_approval_review_packet_v1` 顯示 review packet、required reviewers、blocked reason、evidence refs、review order。
13. 使用 `security_approval_state_transition_v1` 顯示人工決策後的 next state但不自動執行後續動作。
14. 使用 `security_followup_runtime_gate_v1` 顯示未來 runtime gate 的準備模板,但不啟用 runtime gate。
## 3. AwoooP 不可做

7
docs/security/SECURITY-MIRROR-READINESS.md
View File

@@ -23,7 +23,7 @@
| 狀態 | 數量 | 說明 |
|------|------|------|
| `ready_for_mirror` | 28 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence |
| `ready_for_mirror` | 29 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence |
| `partial_ready` | 2 | 可 mirror但 evidence 仍不完整 |
| `contract_only` | 1 | 有 schema / handoff尚無正式 snapshot |
| `blocked` | 0 | 目前沒有禁止 mirror 的 contract |
@@ -79,7 +79,8 @@ AwoooP 可以將 ready / partial contracts mirror 到:
11. 再 mirror `security_approval_decision_record_v1`,只保存人工決策紀錄,不觸發執行。
12. 再 mirror `security_approval_review_packet_v1`只顯示人工審查封包、review lane 與仍然禁止事項。
13. 再 mirror `security_approval_state_transition_v1`,只顯示決策後 next state 與 follow-up runtime gate。
14. 再 mirror `kali_integration_status_v1``kali_scan_scope_approval_v1`
15. 最後再 mirror source-control 相關 contracts
14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement
15. 再 mirror `kali_integration_status_v1``kali_scan_scope_approval_v1`
16. 最後再 mirror source-control 相關 contracts。
整個 S2 不新增 execution router、不新增執行按鈕、不新增 runtime blocker。

6
docs/security/SECURITY-MIRROR-ROUTE.md
View File

@@ -25,10 +25,10 @@
| Route group | 目的 | 初期 channel policy | review lane |
|-------------|------|---------------------|-------------|
| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance、quarantine、dry-run、status rollup、S3 review packetstate transition 位置 | `no_channel_event` | `observe` |
| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance、quarantine、dry-run、status rollup、S3 review packetstate transition 與 follow-up runtime gate 位置 | `no_channel_event` | `observe` |
| `M1_kali_visibility` | 顯示 Kali 112、111 / 168 scope、approval queue 與 finding sample | `approval_required_only` | `approval_required` |
| `M2_source_control_visibility` | 顯示 Gitea / GitHub repo、branch、tag、canonical 差異 | `low_noise_status` | `source_control_review` |
| `M3_approval_candidates` | 顯示人工批准候選、S3 gate、decision record、review packet、state transition 與留痕 | `approval_required_only` | `approval_required` |
| `M3_approval_candidates` | 顯示人工批准候選、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation 與留痕 | `approval_required_only` | `approval_required` |
| `M4_patch_only_backlog` | 顯示 Code Review 後的 Codex patch-only backlog lane | `no_channel_event` | `patch_only` |
## 2. AwoooP 可做
@@ -52,7 +52,7 @@
S2.7 後AwoooP 主線只需要能讀到:
1. 31 個 contracts。
1. 32 個 contracts。
2. 5 個 route groups。
3. 所有 route group 都是 `runtime_execution_authorized=false`
4. Channel Event 初期低噪音。

7
docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
View File

@@ -19,13 +19,14 @@
| 類型 | 狀態 |
|------|------|
| Contract manifest | 31 個 contracts |
| Mirror readiness | 28 ready、2 partial、1 contract-only、0 blocked |
| Contract manifest | 32 個 contracts |
| Mirror readiness | 29 ready、2 partial、1 contract-only、0 blocked |
| Approval queue | 8 items7 pending approval、1 block candidate |
| Approval gate | S3.0 已建立0 approved、7 pending、1 block candidate |
| Decision records | S3.1 已建立;目前 0 筆決策紀錄 |
| Review packets | S3.2 已建立8 packets、7 ready for human review、1 block candidate |
| State transitions | S3.3 已建立5 個 decision options 都有 next state且都不授權執行 |
| Follow-up runtime gate templates | S3.4 已建立8 個 templates、0 個 active runtime gates |
| Dry-run | `contract_defined_not_executed` |
| Runtime actions | `false` |
| Payload ingestion | `false` |
@@ -50,7 +51,7 @@
下一步仍不是 runtime enforcement。
建議先讓 AwoooP 主線只讀消費本 rollup、`security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1`,並由人工依序 review
建議先讓 AwoooP 主線只讀消費本 rollup、`security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1`,並由人工依序 review
1. redacted finding ingestion adapter。
2. safe web crawl scope。

5
docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md
View File

@@ -11,7 +11,7 @@
## 0. 核心結論
目前 Security Supply Chain 已有 31 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口避免不同 Session 各自解讀。
目前 Security Supply Chain 已有 32 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口避免不同 Session 各自解讀。
初期預設仍是 `mirror_only`。Manifest 不授權 runtime enforcement、不授權 GitHub/Gitea 主控切換、不授權 repo 建立或 refs sync。
@@ -28,6 +28,7 @@
| `security_approval_decision_record_v1` | approval-only | S3 人工決策稽核紀錄 | `security-approval-decision-record.snapshot.json` |
| `security_approval_review_packet_v1` | approval-only | S3 人工審查封包與 review lane | `security-approval-review-packet.snapshot.json` |
| `security_approval_state_transition_v1` | approval-only | S3 人工決策狀態轉移語義 | `security-approval-state-transition.snapshot.json` |
| `security_followup_runtime_gate_v1` | approval-only | S3 後續 runtime gate 準備模板 | `security-followup-runtime-gate.snapshot.json` |
| `security_mirror_readiness_v1` | mirror-only | AwoooP mirror/read-only readiness index | `security-mirror-readiness.snapshot.json` |
| `security_mirror_intake_plan_v1` | mirror-only | AwoooP mirror-only intake waves 與 acceptance gates | `security-mirror-intake-plan.snapshot.json` |
| `security_mirror_event_v1` | mirror-only | AwoooP mirror event envelope | `security-mirror-event-sample.snapshot.json` |
@@ -56,7 +57,7 @@
1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`
2. 再讀本 manifest取得可消費 contract 與禁止動作。
3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。
4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1``security_approval_state_transition_v1` 建 approval candidate / review lane / next-state display。
4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation display。
5. 不新增執行按鈕,不做 runtime enforcement。
## 3. 永久禁止

13
docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
View File

@@ -4,7 +4,7 @@
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | S0/S1 read-only evidence 建置中 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
## 0. 本階段完成後整體進度
@@ -20,11 +20,11 @@
| S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs |
| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 |
| S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 |
| S1.4 契約索引 | 完成草案 | 31 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
| S1.4 契約索引 | 完成草案 | 32 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
| S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate |
| S1.6 Kali finding / scan scope approval | 完成草案 | `security_finding_v1` sample snapshot 與 `kali_scan_scope_approval_v1` approval package 已建立111/168 已納入 observe-only scope | 人工批准 safe crawl / credentialed scan / runtime ingestion / full-upgrade gate |
| S1.7 Security approval queue | 完成草案 | 8 個 approval queue items 已集中7 pending approval、1 block candidateAwoooP 可 mirror 但不得執行 | 先 review redacted finding ingestion再 review safe crawl / Gitea inventory |
| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 31 個 contracts28 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 |
| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 32 個 contracts29 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 |
| S2.1 AwoooP mirror-only intake plan | 完成草案 | `security_mirror_intake_plan_v1` 已建立 5 個 intake waves 與 4 個 acceptance gates | AwoooP 主線照 wave mirror不新增 execution router |
| S2.2 AwoooP 鏡像事件信封 | 完成草案 | `security_mirror_event_v1` 已建立,要求每筆鏡像 payload 標示 `execution_authorized=false``action_buttons_allowed=false` | AwoooP 鏡像 payload 統一信封 |
| S2.3 AwoooP 鏡像路由矩陣 | 完成草案 | `security_mirror_route_v1` 已建立 5 個 route groups定義目的地、channel policy 與 review lane | AwoooP 消費時不猜路由、不新增執行入口 |
@@ -37,6 +37,7 @@
| S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 |
| S3.2 人工審查封包契約 | 完成草案 | `security_approval_review_packet_v1` 已建立8 個 review packets、7 ready for human review、1 block candidate、0 個 runtime action 授權 | AwoooP 可顯示 review lane不可把 packet 當批准或執行 |
| S3.3 人工決策狀態轉移契約 | 完成草案 | `security_approval_state_transition_v1` 已建立5 個 decision options 都有 next state、0 個 runtime action 授權 | AwoooP 可顯示決策後狀態,不可把 transition 當執行 |
| S3.4 後續 runtime gate 準備契約 | 完成草案 | `security_followup_runtime_gate_v1` 已建立8 個 gate templates、0 個 active runtime gates、0 個 approved scope | AwoooP 可顯示前置 evidence、preflight checks 與 rollback / disable requirement不可啟用 runtime gate |
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR |
## 1. 已建立的主要 evidence
@@ -81,6 +82,8 @@
| Security approval review packet JSON | `docs/security/security-approval-review-packet.snapshot.json` |
| Security approval state transition | `docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md` |
| Security approval state transition JSON | `docs/security/security-approval-state-transition.snapshot.json` |
| Security follow-up runtime gate preparation | `docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md` |
| Security follow-up runtime gate preparation JSON | `docs/security/security-followup-runtime-gate.snapshot.json` |
| Security mirror readiness | `docs/security/SECURITY-MIRROR-READINESS.md` |
| Security mirror readiness JSON | `docs/security/security-mirror-readiness.snapshot.json` |
| Security mirror intake plan | `docs/security/SECURITY-MIRROR-INTAKE-PLAN.md` |
@@ -126,6 +129,6 @@
3.`SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md``awoooi``clawbot-v5``wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
4.`ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
5.`KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1``security_mirror_route_v1``security_mirror_acceptance_v1``security_mirror_quarantine_v1``security_mirror_dry_run_v1``security_mirror_status_rollup_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1``security_mirror_route_v1``security_mirror_acceptance_v1``security_mirror_quarantine_v1``security_mirror_dry_run_v1``security_mirror_status_rollup_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。
7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy不做 runtime blocking。
8. AwoooP 主線再讀 `security_approval_queue_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態與 blocked reason不新增 execution router。
8. AwoooP 主線再讀 `security_approval_queue_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件與 blocked reason不新增 execution router。

2
docs/security/security-approval-decision-record.snapshot.json
View File

@@ -9,6 +9,7 @@
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json"
],
"summary": {
@@ -29,6 +30,7 @@
"決策後的 next state 必須依 security_approval_state_transition_v1 顯示,且不得授權執行。",
"approve_scope 只代表批准該 scope 進下一步設計、草案、只讀 inventory、低噪音 scope 或人工 exception不代表可立即執行。",
"所有 decision record 都必須維持 execution_authorized=false。",
"若 decision=approve_scopeAwoooP 只能依 security_followup_runtime_gate_v1 顯示 runtime gate 準備模板,不得啟用 runtime gate。",
"任何批准後的 scan、/execute、repo、refs、deploy、secret、RBAC、NetworkPolicy、firewall 變更都必須另有 follow-up runtime gate。",
"決策紀錄不得保存 raw secret、token、cookie、private key、credential value 或 exploit payload。"
],

2
docs/security/security-approval-gate.snapshot.json
View File

@@ -6,6 +6,7 @@
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json",
"docs/security/kali-scan-scope-approval.snapshot.json",
@@ -268,6 +269,7 @@
"每個 gate item 必須記錄人工決策、reviewer、時間、evidence refs 與批准範圍。",
"每個 gate item 可被包成 security_approval_review_packet_v1但 review packet 不代表批准。",
"每個人工決策後的 next state 必須依 security_approval_state_transition_v1 顯示,且不得直接執行。",
"security_followup_runtime_gate_v1 只顯示批准後若要走 runtime gate 時的前置 evidence、preflight checks 與 rollback / disable requirement。",
"批准只代表該 scope 可進下一步設計、草案、只讀 inventory 或人工 exception不代表可立即執行 runtime action。",
"任何 scan、/execute、repo、refs、deploy、secret、RBAC、NetworkPolicy、firewall 變更都需要 follow-up runtime gate。",
"拒絕、延後或要求補 evidence 時,只更新 gate 狀態與 audit evidence不觸發修復。"

3
docs/security/security-approval-review-packet.snapshot.json
View File

@@ -9,6 +9,7 @@
"docs/security/security-approval-gate.snapshot.json",
"docs/security/security-approval-decision-record.snapshot.json",
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
@@ -325,7 +326,7 @@
"每個 packet 都必須對應 security_approval_gate_v1 gate item 與 security_approval_queue_v1 queue item。",
"人工決策必須另外寫入 security_approval_decision_record_v1。",
"人工決策後的 next state 必須依 security_approval_state_transition_v1 顯示。",
"即使 decision=approve_scopeexecution_authorized 仍必須是 false且仍需 follow-up runtime gate。",
"即使 decision=approve_scopeexecution_authorized 仍必須是 false且仍需依 security_followup_runtime_gate_v1 顯示後續 runtime gate 準備條件。",
"AwoooP 初期不得對 packet 顯示 scan、execute、repo、refs、deploy、secret 類 action button。"
],
"forbidden_actions": [

4
docs/security/security-approval-state-transition.snapshot.json
View File

@@ -8,6 +8,7 @@
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-approval-gate.snapshot.json",
"docs/security/security-approval-decision-record.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
@@ -34,7 +35,7 @@
"allowed_state_updates": [
"將人工決策寫入 security_approval_decision_record_v1",
"標示 approved_scope但 execution_authorized 仍維持 false",
"顯示 follow-up runtime gate required",
"依 security_followup_runtime_gate_v1 顯示 follow-up runtime gate required 與前置條件",
"更新 rollup 的 pending / approved scope 摘要"
],
"allowed_next_artifacts": [
@@ -154,6 +155,7 @@
"任何人工決策都必須先形成 security_approval_decision_record_v1。",
"任何 next_state 都不代表 runtime execution authorization。",
"approve_scope 只允許進入設計、草案、只讀 inventory、低噪音 scope 或人工 exception 的下一個文件階段。",
"security_followup_runtime_gate_v1 只顯示未來 runtime gate 的 minimum evidence、preflight checks 與 rollback / disable requirement不啟用 runtime gate。",
"真正 scan、/execute、repo、refs、deploy、secret、RBAC、NetworkPolicy、firewall 變更仍需獨立 follow-up runtime gate。",
"LOW / MEDIUM observation 不因狀態轉移而變成 blocking gate。"
],

365
docs/security/security-followup-runtime-gate.snapshot.json Normal file
View File

@@ -0,0 +1,365 @@
{
"schema_version": "security_followup_runtime_gate_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "runtime_gate_preparation_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-approval-gate.snapshot.json",
"docs/security/security-approval-decision-record.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"total_gate_templates": 8,
"active_runtime_gates": 0,
"approved_scope_count": 0,
"runtime_actions_authorized": false,
"action_buttons_allowed": false,
"raw_secret_storage_authorized": false
},
"gate_templates": [
{
"template_id": "runtime-gate-redacted-finding-ingestion-20260513",
"source_packet_id": "review-packet-redacted-finding-ingestion-20260513",
"source_gate_id": "gate-redacted-finding-ingestion-20260513",
"action_family": "redacted_finding_ingestion",
"risk": "MEDIUM",
"gate_state": "waiting_approved_scope",
"applies_after_decision": "approve_scope",
"minimum_required_evidence": [
"security_finding_v1 欄位對照表",
"redaction test snapshot",
"不保存 raw secret/token/cookie/private key/exploit payload 的證明",
"Audit evidence 寫入位置"
],
"required_reviewers": [
"security-commander",
"human-owner"
],
"preflight_checks": [
"確認 payload 只含摘要與 evidence_ref",
"確認 LOW/MEDIUM finding 不會變成 blocking gate",
"確認沒有 scan trigger 或修復 trigger",
"確認沒有新增執行按鈕"
],
"allowed_pre_runtime_artifacts": [
"draft ingestion adapter design",
"draft PR",
"redacted sample payload",
"audit mapping note"
],
"rollback_or_disable_requirement": "必須有可停用 ingestion adapter 的 feature flag 或 config gate。",
"still_forbidden": [
"啟動 Kali scan",
"保存 raw sensitive value",
"自動封鎖 deploy",
"自動修復"
],
"execution_authorized": false
},
{
"template_id": "runtime-gate-safe-web-crawl-20260513",
"source_packet_id": "review-packet-safe-web-crawl-20260513",
"source_gate_id": "gate-safe-web-crawl-20260513",
"action_family": "safe_web_crawl_scope",
"risk": "MEDIUM",
"gate_state": "waiting_approved_scope",
"applies_after_decision": "approve_scope",
"minimum_required_evidence": [
"批准的 public domain / URL scope",
"scan window 與 frequency cap",
"rate limit 與 timeout",
"排除 auth flow、state-changing route 與 active fuzz 的清單"
],
"required_reviewers": [
"security-commander",
"human-owner"
],
"preflight_checks": [
"確認只做 TLS/header/basic crawl",
"確認不帶憑證",
"確認不碰寫入型 endpoint",
"確認輸出只產生 redacted findings"
],
"allowed_pre_runtime_artifacts": [
"safe crawl target list",
"rate-limit plan",
"redacted output schema",
"maintenance-safe timing note"
],
"rollback_or_disable_requirement": "必須能立即停用 safe crawl job且不得影響產品 runtime。",
"still_forbidden": [
"active DAST fuzz",
"credentialed scan",
"auth flow 改狀態測試",
"阻擋 release"
],
"execution_authorized": false
},
{
"template_id": "runtime-gate-gitea-readonly-inventory-20260513",
"source_packet_id": "review-packet-gitea-readonly-inventory-20260513",
"source_gate_id": "gate-gitea-readonly-inventory-20260513",
"action_family": "gitea_readonly_inventory",
"risk": "MEDIUM",
"gate_state": "waiting_approved_scope",
"applies_after_decision": "approve_scope",
"minimum_required_evidence": [
"read-only token scope 或 redacted admin export 來源",
"token_present=true/false不保存 token value",
"allowed export fields checklist",
"repo list redaction proof"
],
"required_reviewers": [
"migration-engineer",
"security-commander",
"human-owner"
],
"preflight_checks": [
"確認 token 不具 write 權限",
"確認不保存 token value",
"確認 export 不含 webhook secret / deploy key private key / repository secret value",
"確認只更新 inventory snapshot"
],
"allowed_pre_runtime_artifacts": [
"redacted admin export sample",
"read-only inventory command plan",
"updated migration matrix draft",
"audit evidence note"
],
"rollback_or_disable_requirement": "read-only token 必須可撤銷admin export 必須可刪除本地暫存原檔,只保留 redacted snapshot。",
"still_forbidden": [
"使用 write-capable token",
"建立 GitHub repo",
"sync refs",
"切 GitHub primary"
],
"execution_authorized": false
},
{
"template_id": "runtime-gate-github-target-decision-20260513",
"source_packet_id": "review-packet-github-target-decisions-20260513",
"source_gate_id": "gate-github-target-decisions-20260513",
"action_family": "github_target_decision",
"risk": "HIGH",
"gate_state": "waiting_approved_scope",
"applies_after_decision": "approve_scope",
"minimum_required_evidence": [
"repo owner / visibility / canonical decision",
"GitHub target 是否已存在的最新 probe",
"workflow parity checklist",
"rollback ADR draft"
],
"required_reviewers": [
"migration-engineer",
"security-commander",
"human-owner"
],
"preflight_checks": [
"確認 not_found_or_private 不被當成可自動建立 repo",
"確認 visibility change 仍未授權",
"確認 refs action disabled",
"確認只更新決策草案"
],
"allowed_pre_runtime_artifacts": [
"target decision table update",
"draft reconcile ADR",
"repo owner review note",
"workflow parity checklist draft"
],
"rollback_or_disable_requirement": "任何 repo creation 或 visibility change 未來都必須有獨立 rollback / ownership ADR。",
"still_forbidden": [
"建立 GitHub repo",
"修改 visibility",
"push refs",
"delete refs",
"切 GitHub primary"
],
"execution_authorized": false
},
{
"template_id": "runtime-gate-ref-truth-review-20260513",
"source_packet_id": "review-packet-ref-truth-review-20260513",
"source_gate_id": "gate-ref-truth-review-20260513",
"action_family": "ref_truth_review",
"risk": "HIGH",
"gate_state": "waiting_approved_scope",
"applies_after_decision": "approve_scope",
"minimum_required_evidence": [
"單 repo / 單 ref owner 判定",
"真相來源與 deprecated refs 清單",
"branch/tag diff 最新 snapshot",
"不得 sync/delete 的確認"
],
"required_reviewers": [
"migration-engineer",
"security-commander",
"human-owner"
],
"preflight_checks": [
"確認分類結果不會自動執行",
"確認 force push 禁用",
"確認 release tags 需人工保留 / 棄用判定",
"確認 GitHub primary 仍 blocked"
],
"allowed_pre_runtime_artifacts": [
"updated ref truth classification snapshot",
"manual review checklist",
"draft reconcile plan update",
"audit evidence note"
],
"rollback_or_disable_requirement": "任何 refs sync/delete 未來都必須先有可回復 refs backup 與逐 repo rollback gate。",
"still_forbidden": [
"push refs",
"delete refs",
"force push",
"切 GitHub primary"
],
"execution_authorized": false
},
{
"template_id": "runtime-gate-credentialed-scan-exception-20260513",
"source_packet_id": "review-packet-credentialed-scan-20260513",
"source_gate_id": "gate-credentialed-scan-20260513",
"action_family": "credentialed_scan_exception",
"risk": "HIGH",
"gate_state": "waiting_approved_scope",
"applies_after_decision": "approve_scope",
"minimum_required_evidence": [
"credential source 與 lifecycle不含 credential value",
"asset allowlist",
"scan window",
"audit trail 與停用方式"
],
"required_reviewers": [
"security-commander",
"vuln-verifier",
"human-owner"
],
"preflight_checks": [
"確認只對批准 asset",
"確認不保存 credential value",
"確認 scan 可立即停用",
"確認不改 firewall/RBAC/NetworkPolicy"
],
"allowed_pre_runtime_artifacts": [
"credential lifecycle design",
"asset allowlist draft",
"scan window proposal",
"audit trail plan"
],
"rollback_or_disable_requirement": "必須先有 credential revoke 與 scanner disable gate。",
"still_forbidden": [
"保存 credential value",
"擴大到未批准資產",
"自動修復",
"改 firewall/RBAC/NetworkPolicy"
],
"execution_authorized": false
},
{
"template_id": "runtime-gate-kali-full-upgrade-reboot-20260513",
"source_packet_id": "review-packet-kali-full-upgrade-reboot-20260513",
"source_gate_id": "gate-kali-full-upgrade-reboot-20260513",
"action_family": "kali_full_upgrade_reboot_window",
"risk": "HIGH",
"gate_state": "waiting_approved_scope",
"applies_after_decision": "approve_scope",
"minimum_required_evidence": [
"維護窗口",
"snapshot / backup evidence",
"rollback plan",
"post-health check list"
],
"required_reviewers": [
"security-commander",
"human-owner"
],
"preflight_checks": [
"確認 scanner API、ssh、cron、docker health baseline",
"確認 no active scan running",
"確認 snapshot 已完成",
"確認 post-reboot health gate"
],
"allowed_pre_runtime_artifacts": [
"maintenance window proposal",
"snapshot evidence",
"rollback checklist",
"post-health checklist"
],
"rollback_or_disable_requirement": "必須有 VM / filesystem snapshot 或等效 rollback且 post-health gate 未通過不得宣告完成。",
"still_forbidden": [
"未排窗口直接 reboot",
"未 snapshot 直接 full-upgrade",
"未驗證 scanner health 就宣告完成"
],
"execution_authorized": false
},
{
"template_id": "runtime-gate-kali-execute-endpoint-20260513",
"source_packet_id": "review-packet-kali-execute-endpoint-20260513",
"source_gate_id": "gate-kali-execute-endpoint-20260513",
"action_family": "kali_execute_endpoint_exception",
"risk": "CRITICAL",
"gate_state": "blocked_by_default",
"applies_after_decision": "keep_blocked",
"minimum_required_evidence": [
"disable gate design",
"allowlist design",
"full audit trail design",
"human exception workflow"
],
"required_reviewers": [
"critic",
"security-commander",
"human-owner"
],
"preflight_checks": [
"確認 AwoooP runtime 不可直接呼叫 /execute",
"確認 command path 預設 disabled",
"確認沒有一般 MCP action route",
"確認敏感輸出不保存"
],
"allowed_pre_runtime_artifacts": [
"disable gate design note",
"allowlist draft",
"audit trail design",
"manual exception proposal"
],
"rollback_or_disable_requirement": "必須預設 disabled任何 exception 都必須可立即撤回且有完整 audit trail。",
"still_forbidden": [
"AwoooP runtime 直接呼叫 /execute",
"把 /execute 當成一般 MCP action",
"執行 shell command 自動修復",
"保存 command output 中可能含有的敏感資訊"
],
"execution_authorized": false
}
],
"gate_rules": [
"本契約只定義 follow-up runtime gate 的準備資料,不代表 runtime gate 已啟用。",
"active_runtime_gates 必須維持 0直到統帥明確批准 runtime integration。",
"任何 template 即使 gate_state=waiting_approved_scope也不得顯示執行按鈕。",
"所有 template 的 execution_authorized 必須維持 false。",
"真正 runtime action 必須另有人工批准、preflight evidence、rollback/disable plan 與 post-check。"
],
"forbidden_actions": [
"activate_runtime_gate",
"execute_runtime_gate_template",
"add_action_button",
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload",
"turn_low_medium_observations_into_blocking_gates"
]
}

8
docs/security/security-mirror-acceptance.snapshot.json
View File

@@ -11,8 +11,8 @@
"docs/security/security-mirror-route.snapshot.json"
],
"summary": {
"total_contracts": 31,
"ready_for_mirror_count": 28,
"total_contracts": 32,
"ready_for_mirror_count": 29,
"route_group_count": 5,
"acceptance_check_count": 7,
"blocking_check_count": 4
@@ -21,7 +21,7 @@
{
"check_id": "CONTRACT_COUNT_MATCH",
"title": "契約數量一致",
"expected_result": "AwoooP 讀到 31 個 contracts且 manifest、readiness、route coverage 的 contract 集合一致。",
"expected_result": "AwoooP 讀到 32 個 contracts且 manifest、readiness、route coverage 的 contract 集合一致。",
"evidence_refs": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
@@ -60,7 +60,7 @@
{
"check_id": "ROUTE_GROUP_COVERAGE",
"title": "路由群組覆蓋",
"expected_result": "5 個 route groups 合併後涵蓋 manifest 31 個 contracts且每個 group 都有 destinations、channel_policy 與 review_lane。",
"expected_result": "5 個 route groups 合併後涵蓋 manifest 32 個 contracts且每個 group 都有 destinations、channel_policy 與 review_lane。",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"

8
docs/security/security-mirror-dry-run.snapshot.json
View File

@@ -14,8 +14,8 @@
"docs/security/security-mirror-quarantine.snapshot.json"
],
"summary": {
"total_contracts": 31,
"ready_for_mirror_count": 28,
"total_contracts": 32,
"ready_for_mirror_count": 29,
"route_group_count": 5,
"acceptance_check_count": 7,
"quarantine_lane_count": 5,
@@ -30,7 +30,7 @@
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json"
],
"pass_condition": "看到 31 個 contracts、28 個 ready for mirror且所有 contract execution_allowed=false。",
"pass_condition": "看到 32 個 contracts、29 個 ready for mirror且所有 contract execution_allowed=false。",
"execution_allowed": false,
"blocked_actions": [
"execute_contract",
@@ -60,7 +60,7 @@
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"pass_condition": "route groups 合併後涵蓋 31 個 contracts沒有未知 execution route。",
"pass_condition": "route groups 合併後涵蓋 32 個 contracts沒有未知 execution route。",
"execution_allowed": false,
"blocked_actions": [
"fallback_to_execution_route",

9
docs/security/security-mirror-event-sample.snapshot.json
View File

@@ -16,8 +16,8 @@
"risk": "LOW",
"summary": "AwoooP 可 mirror Security Supply Chain readiness index但不得把 readiness 視為執行授權。",
"payload_summary": {
"total_contracts": 31,
"ready_for_mirror_count": 28,
"total_contracts": 32,
"ready_for_mirror_count": 29,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
@@ -35,7 +35,8 @@
"docs/security/SECURITY-APPROVAL-GATE.md",
"docs/security/SECURITY-APPROVAL-DECISION-RECORD.md",
"docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md",
"docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md"
"docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md",
"docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md"
],
"blocked_actions": [
"execute_mirror_item",
@@ -47,7 +48,7 @@
"store_secret_value"
],
"labels": {
"phase": "S3.3",
"phase": "S3.4",
"redacted": "true",
"action_surface": "none",
"mirror_only": "true"

9
docs/security/security-mirror-intake-plan.snapshot.json
View File

@@ -17,7 +17,8 @@
"docs/security/security-approval-gate.snapshot.json",
"docs/security/security-approval-decision-record.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-approval-state-transition.snapshot.json"
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"intake_waves": [
{
@@ -55,7 +56,7 @@
"execution_router",
"blocking_gate"
],
"exit_gate": "Operator Console 能顯示 31 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packetstate transition且 mirror event envelope action_buttons_allowed=false。"
"exit_gate": "Operator Console 能顯示 32 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packetstate transition 與 follow-up runtime gate preparation,且 mirror event envelope action_buttons_allowed=false。"
},
{
"wave_id": "M1_kali_visibility",
@@ -135,6 +136,7 @@
"security_approval_decision_record_v1",
"security_approval_review_packet_v1",
"security_approval_state_transition_v1",
"security_followup_runtime_gate_v1",
"github_target_repo_approval_package_v1",
"source_control_approval_board_v1",
"kali_scan_scope_approval_v1"
@@ -151,6 +153,7 @@
"display_decision_record",
"display_review_packet",
"display_decision_next_state",
"display_followup_runtime_gate_template",
"display_required_reviewers",
"display_blocked_until_approved"
],
@@ -159,7 +162,7 @@
"execute_after_approval_without_new_runtime_gate",
"store_secret_value"
],
"exit_gate": "Approval candidate、S3 approval gate、decision record、review packetstate transition 可顯示與留痕,但任何批准後執行仍需要下一階段 runtime gate。"
"exit_gate": "Approval candidate、S3 approval gate、decision record、review packetstate transition 與 follow-up runtime gate preparation 可顯示與留痕,但任何批准後執行仍需要下一階段 runtime gate。"
},
{
"wave_id": "M4_patch_only_backlog",

2
docs/security/security-mirror-quarantine.snapshot.json
View File

@@ -11,7 +11,7 @@
"docs/security/security-supply-chain-contract-manifest.snapshot.json"
],
"summary": {
"total_contracts": 31,
"total_contracts": 32,
"quarantine_lane_count": 5,
"auto_retry_allowed": false,
"runtime_blocking_allowed": false

14
docs/security/security-mirror-readiness.snapshot.json
View File

@@ -5,8 +5,8 @@
"default_enforcement_level": "mirror_only",
"runtime_execution_authorized": false,
"summary": {
"total_contracts": 31,
"ready_for_mirror_count": 28,
"total_contracts": 32,
"ready_for_mirror_count": 29,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0
@@ -109,6 +109,16 @@
"human_docs": ["docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md"],
"notes": "可 mirror S3 人工決策狀態轉移語義approve_scope 仍只進 waiting runtime gate不授權執行。"
},
{
"contract": "security_followup_runtime_gate_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": ["docs/security/security-followup-runtime-gate.snapshot.json"],
"human_docs": ["docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md"],
"notes": "可 mirror S3 後續 runtime gate 準備模板、preflight checks 與 rollback/disable requirement目前 active_runtime_gates=0。"
},
{
"contract": "security_mirror_readiness_v1",
"readiness": "ready_for_mirror",

12
docs/security/security-mirror-route.snapshot.json
View File

@@ -11,7 +11,7 @@
"docs/security/security-mirror-event-sample.snapshot.json"
],
"summary": {
"total_contracts": 31,
"total_contracts": 32,
"route_group_count": 5,
"channel_event_policy": "初期只對階段完成、blocked 狀態或需要人工批准的高風險候選發低噪音事件LOW / MEDIUM observation 不發阻擋事件。",
"approval_queue_policy": "只有 approval-only、suggest-only 或 blocked-until-approved 項目可進 approval queueapproval queue 不代表可執行。"
@@ -47,7 +47,7 @@
"顯示 security_mirror_quarantine_v1 隔離 lane 與 retry gate",
"顯示 security_mirror_dry_run_v1 dry-run steps",
"顯示 security_mirror_status_rollup_v1 跨 Session 狀態與下一個 gate",
"顯示 S3 review packetstate transition contract 位置"
"顯示 S3 review packetstate transition 與 follow-up runtime gate preparation contract 位置"
],
"blocked_processing": [
"新增執行按鈕",
@@ -55,7 +55,7 @@
"runtime blocking",
"自動批准任何 queue item"
],
"exit_gate": "AwoooP 可顯示 31 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packetstate transition且所有 route 都維持 runtime_execution_authorized=false。"
"exit_gate": "AwoooP 可顯示 32 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packetstate transition 與 follow-up runtime gate preparation,且所有 route 都維持 runtime_execution_authorized=false。"
},
{
"wave_id": "M1_kali_visibility",
@@ -141,6 +141,7 @@
"security_approval_decision_record_v1",
"security_approval_review_packet_v1",
"security_approval_state_transition_v1",
"security_followup_runtime_gate_v1",
"github_target_repo_approval_package_v1",
"source_control_approval_board_v1",
"kali_scan_scope_approval_v1"
@@ -158,6 +159,7 @@
"顯示人工 decision record 與 execution_authorized=false",
"顯示人工 review packet、review lane 與 action_buttons_allowed=false",
"顯示人工 decision next state且 approve_scope 仍需 follow-up runtime gate",
"顯示 follow-up runtime gate template且 active_runtime_gates=0",
"顯示 required reviewers",
"顯示 blocked_until_approved",
"記錄人工決策結果"
@@ -168,7 +170,7 @@
"把人工批准記錄轉成 runtime executor",
"保存 token 或 secret value"
],
"exit_gate": "Approval candidate、S3 approval gate、decision record、review packetstate transition 可顯示與留痕,但批准後執行仍需要下一階段 runtime gate。"
"exit_gate": "Approval candidate、S3 approval gate、decision record、review packetstate transition 與 follow-up runtime gate preparation 可顯示與留痕,但批准後執行仍需要下一階段 runtime gate。"
},
{
"wave_id": "M4_patch_only_backlog",
@@ -200,7 +202,7 @@
"acceptance_gates": [
{
"gate_id": "ROUTE_COVERS_ALL_CONTRACTS",
"requirement": "route_groups 合併後必須涵蓋 manifest 的 31 個 contracts。"
"requirement": "route_groups 合併後必須涵蓋 manifest 的 32 個 contracts。"
},
{
"gate_id": "NO_EXECUTION_SURFACE",

30
docs/security/security-mirror-status-rollup.snapshot.json
View File

@@ -18,17 +18,20 @@
"docs/security/security-approval-decision-record.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"total_contracts": 31,
"ready_for_mirror_count": 28,
"total_contracts": 32,
"ready_for_mirror_count": 29,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
"approval_queue_total": 8,
"approval_review_packet_total": 8,
"approval_state_transition_rule_total": 5,
"followup_runtime_gate_template_total": 8,
"active_runtime_gate_count": 0,
"pending_approval_count": 7,
"block_candidate_count": 1,
"dry_run_status": "contract_defined_not_executed",
@@ -57,8 +60,8 @@
{
"phase_id": "S3_approval_gate",
"state": "draft_ready",
"current_result": "Approval queue 已列出 8 個候選security_approval_gate_v1 已定義人工 gatesecurity_approval_decision_record_v1 已定義決策紀錄格式security_approval_review_packet_v1 已定義人工審查封包security_approval_state_transition_v1 已定義決策狀態轉移語義。",
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea read-only inventoryreview packet、decision recordstate transition 都不等於執行授權。"
"current_result": "Approval queue 已列出 8 個候選security_approval_gate_v1 已定義人工 gatesecurity_approval_decision_record_v1 已定義決策紀錄格式security_approval_review_packet_v1 已定義人工審查封包security_approval_state_transition_v1 已定義決策狀態轉移語義security_followup_runtime_gate_v1 已定義後續 runtime gate 準備模板。",
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea read-only inventoryreview packet、decision recordstate transition 與 follow-up runtime gate template 都不等於執行授權。"
},
{
"phase_id": "S4_migration_execution",
@@ -116,6 +119,22 @@
"把 LOW / MEDIUM observation 變成 blocking gate"
]
},
{
"action_id": "mirror_followup_runtime_gate_templates",
"title": "AwoooP 顯示後續 runtime gate 準備模板",
"mode": "approval_required",
"source_contract": "security_followup_runtime_gate_v1",
"allowed_processing": [
"顯示 minimum evidence、preflight checks 與 rollback/disable requirement",
"顯示 active_runtime_gates=0",
"提醒 approve_scope 後仍需獨立 runtime gate"
],
"blocked_processing": [
"啟用 runtime gate",
"新增 scan / execute / repo / refs action button",
"把 template 當成執行授權"
]
},
{
"action_id": "review_redacted_finding_ingestion",
"title": "先審 redacted finding ingestion adapter",
@@ -188,7 +207,8 @@
"S2/S3 目前仍屬框架期;狀態與人工 gate 可見,不代表 production ingestion、scan、repo migration 或 runtime enforcement 已啟用。",
"S3.1 只新增人工決策紀錄格式;決策紀錄仍維持 execution_authorized=false不可直接跳到執行面。",
"S3.2 只新增人工審查封包格式review packet 只讓 AwoooP 顯示與準備人審,不代表批准。",
"S3.3 只新增人工決策狀態轉移語義approve_scope 只進入 waiting runtime gate不代表可立即執行。"
"S3.3 只新增人工決策狀態轉移語義approve_scope 只進入 waiting runtime gate不代表可立即執行。",
"S3.4 只新增後續 runtime gate 準備模板active_runtime_gates=0不新增 action button。"
],
"forbidden_actions": [
"start_kali_scan",

24
docs/security/security-supply-chain-contract-manifest.snapshot.json
View File

@@ -2,7 +2,7 @@
"schema_version": "security_supply_chain_contract_manifest_v1",
"status": "draft",
"default_enforcement_level": "mirror_only",
"contract_count": 31,
"contract_count": 32,
"contracts": [
{
"contract": "security_rollout_policy_v1",
@@ -167,6 +167,26 @@
],
"notes": "定義 S3.3 人工決策狀態轉移語義approve_scope 仍只進入 waiting runtime gate不授權執行。"
},
{
"contract": "security_followup_runtime_gate_v1",
"schema_path": "docs/schemas/security_followup_runtime_gate_v1.schema.json",
"snapshot_paths": ["docs/security/security-followup-runtime-gate.snapshot.json"],
"human_docs": ["docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md"],
"consumer": "AwoooP Approval Queue / Operator Console / Audit",
"consumption_mode": "approval_only",
"allowed_actions": ["mirror_runtime_gate_template", "display_preflight_checks", "display_rollback_or_disable_requirement"],
"forbidden_actions": [
"activate_runtime_gate",
"execute_runtime_gate_template",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 S3.4 後續 runtime gate 準備資料;目前 active_runtime_gates=0不授權任何執行。"
},
{
"contract": "security_mirror_readiness_v1",
"schema_path": "docs/schemas/security_mirror_readiness_v1.schema.json",
@@ -183,7 +203,7 @@
"switch_github_primary",
"store_secret_value"
],
"notes": "整理 31 個 Security Supply Chain contracts 的 mirror readiness供 AwoooP 安全消費。"
"notes": "整理 32 個 Security Supply Chain contracts 的 mirror readiness供 AwoooP 安全消費。"
},
{
"contract": "security_mirror_intake_plan_v1",