diff --git a/apps/web/src/app/[locale]/alerts/page.tsx b/apps/web/src/app/[locale]/alerts/page.tsx index 4b6a14fb..fb5a093a 100644 --- a/apps/web/src/app/[locale]/alerts/page.tsx +++ b/apps/web/src/app/[locale]/alerts/page.tsx @@ -13,6 +13,7 @@ import { AppLayout } from '@/components/layout' import { useTranslations } from 'next-intl' import { useIncidents } from '@/hooks/useIncidents' import { IncidentCard } from '@/components/incident' +import { IwoooSReadOnlyBridge } from '@/components/security/iwooos-read-only-bridge' import { cn } from '@/lib/utils' import { Bell, BellOff, RefreshCw, AlertTriangle, AlertCircle, Info } from 'lucide-react' @@ -119,6 +120,8 @@ export default function AlertsPage({ params }: { params: { locale: string } }) { + + {/* Severity Stats */}
diff --git a/apps/web/src/app/[locale]/authorizations/page.tsx b/apps/web/src/app/[locale]/authorizations/page.tsx index 01a39a8f..11e285aa 100644 --- a/apps/web/src/app/[locale]/authorizations/page.tsx +++ b/apps/web/src/app/[locale]/authorizations/page.tsx @@ -11,6 +11,7 @@ import { AppLayout } from '@/components/layout' import { LiveApprovalPanel } from '@/components/approval/live-approval-panel' +import { IwoooSReadOnlyBridge } from '@/components/security/iwooos-read-only-bridge' export default function AuthorizationsPage({ params, @@ -19,7 +20,10 @@ export default function AuthorizationsPage({ }) { return ( - +
+ + +
) } diff --git a/apps/web/src/app/[locale]/governance/page.tsx b/apps/web/src/app/[locale]/governance/page.tsx index 36bc568d..b22d48d9 100644 --- a/apps/web/src/app/[locale]/governance/page.tsx +++ b/apps/web/src/app/[locale]/governance/page.tsx @@ -17,6 +17,7 @@ import { useTranslations } from 'next-intl' import { ShieldCheck } from 'lucide-react' import { AppLayout } from '@/components/layout' import { PageTabs, type TabConfig } from '@/components/layout/page-tabs' +import { IwoooSReadOnlyBridge } from '@/components/security/iwooos-read-only-bridge' import { GlassCard } from '@/components/ui/glass-card' import { SloTab } from './tabs/slo-tab' import { EventsTab } from './tabs/events-tab' @@ -43,6 +44,8 @@ export default function GovernancePage({ params }: { params: { locale: string }
+ + ) diff --git a/apps/web/src/components/layout/page-tabs.tsx b/apps/web/src/components/layout/page-tabs.tsx index 97497347..463cf358 100644 --- a/apps/web/src/components/layout/page-tabs.tsx +++ b/apps/web/src/components/layout/page-tabs.tsx @@ -134,6 +134,9 @@ export function PageTabs({ tabs, defaultTab, syncWithUrl = true }: PageTabsProps background: '#fff', flexShrink: 0, padding: '0 20px', + maxWidth: '100%', + overflowX: 'auto', + WebkitOverflowScrolling: 'touch', }} > {tabs.map(tab => { diff --git a/apps/web/src/components/panels/ErrorsPanel.tsx b/apps/web/src/components/panels/ErrorsPanel.tsx index 66a318ae..9f1fe956 100644 --- a/apps/web/src/components/panels/ErrorsPanel.tsx +++ b/apps/web/src/components/panels/ErrorsPanel.tsx @@ -8,6 +8,7 @@ import { useTranslations } from 'next-intl' import { useErrors } from '@/hooks/useErrors' import { useUXAudit } from '@/hooks/useUXAudit' +import { IwoooSReadOnlyBridge } from '@/components/security/iwooos-read-only-bridge' import { ErrorOverviewCard, RecentIssuesList, @@ -28,7 +29,7 @@ export function ErrorsPanel() { return (
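Review bot: `WebkitOverflowScrolling: 'touch'` in the added style props is a non-standard WebKit property that, as far as I recall, iOS has ignored since iOS 13, so on current browsers it is a no-op sitting next to the `overflowX: 'auto'` that already gives the tab strip native momentum scrolling. Either drop the line or keep it with a comment naming the legacy target, e.g. `WebkitOverflowScrolling: 'touch', // legacy iOS <13 momentum scrolling; ignored elsewhere`, so the next reader does not assume it still does something. `PageTabs` and the `tabs.map` callback continue outside the hunk.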
-
+
@@ -41,6 +42,7 @@ export function ErrorsPanel() { {loading ? t('loading') : t('refresh')}
+ {error &&

{error}

}
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 5556bab1..f722d075 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,19 @@ +## 2026-05-20 | 資安供應鏈 S2.60:Security Control Pages IwoooS Reverse Bridge + +**背景**:S2.59 已讓安全 / 合規頁反向顯示 IwoooS;本輪把同一個只讀橋接延伸到告警、錯誤、授權與治理頁面,補上資安處理鏈路中的訊號、稽核、人控與治理證據視角。 + +**完成**: +- `/alerts` 新增 IwoooS 只讀橋接,讓 active incident 訊號能被使用者理解為資安網的一部分。 +- `/errors` 的 `ErrorsPanel` 新增 IwoooS 只讀橋接,讓錯誤追蹤與 UX audit 回到 IwoooS 的 mirror-only 語境。 +- `/authorizations` 新增 IwoooS 只讀橋接,保留 HITL / multi-sig 人控邊界,但不把橋接當批准。 +- `/governance` 新增 IwoooS 只讀橋接,讓 SLO、governance events 與 queue 成為資安治理證據面。 +- 手機窄版同步修正 `ErrorsPanel` 標題列換行與 `PageTabs` 橫向收納,避免橋接可見後既有內容造成水平溢位。 +- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_60_security_control_pages_iwooos_reverse_bridge`,並新增 `show_security_control_pages_iwooos_reverse_bridge` next safe action。 + +**仍禁止**: +- S2.60 的反向橋接不代表 owner response received / accepted、runtime authorization、active runtime gate、alert blocker、scan、repair、approve、deploy、GitHub primary、Gitea/GitHub refs mutation、Kali `/execute`、SSH 登入、主機更新或 blocking control。 +- 整體資安網 headline 仍是 58%;框架 / 治理 / 文件 / schema / read-only evidence 仍約 80-85%;真正落地執行 / runtime ingestion / GitHub primary / AwoooP production landing 仍約 35-40%。 + ## 2026-05-20 | 資安供應鏈 S2.59:Existing Security Pages IwoooS Reverse Bridge **背景**:S2.10 已把前端既有資安相關頁面收進 IwoooS 只讀索引,S2.53-S2.58 也把 IwoooS 狀態放進 AwoooP;本輪補上反向橋接,讓使用者在原本的 SecurityPanel、CompliancePanel、`/security` 與 `/compliance` 也能看到這些頁面已被納入 IwoooS 資安網,但不把既有頁面升級成執行控制台。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 8b3937e8..aa2dad1c 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md 
@@ -41,6 +41,7 @@ | AwoooP tenants IwoooS tenant scope candidate | S2.57 已把 AWOOOI first tenant、IwoooS security mirror、Kali 112 / Dev 168 / Dev 111 與 S4.9-S4.12 owner response waiting 放進 `/awooop/tenants` 只讀面板;host coverage=3、tenant policy changes=0、tenant_migration_mode_changed=false;仍不改 migration mode、不改 tenant policy、不寫 platform tenants API、不新增 action button | | AwoooP runs IwoooS run state candidate | S2.58 已把 security mirror Run State 候選放進 `/awooop/runs` 只讀面板;security runs=0、active runtime gates=0、owner accepted=0、security_run_created=false、execution_router_linked=false;仍不建立 platform run、不接 execution router、不新增 action button | | Existing security pages IwoooS reverse bridge | S2.59 已把 `SecurityPanel`、`CompliancePanel`、standalone `/security` 與 `/compliance` 反向接上 IwoooS 只讀橋接;headline=58%、framework=80-85%、runtime gates=0、action buttons=0;仍不新增 scan、repair、approve、deploy 或 blocking control | +| Security control pages IwoooS reverse bridge | S2.60 已把 `/alerts`、`/errors`、`/authorizations` 與 `/governance` 反向接上 IwoooS 只讀橋接;headline=58%、framework=80-85%、runtime gates=0、action buttons=0;仍不新增 alert blocker、scan、repair、approve、deploy 或 blocking control | | Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion | | Runtime actions | `false` | | Payload ingestion | `false` | 
@@ -148,6 +149,7 @@ | S2.57 AwoooP tenants IwoooS tenant scope candidate | framework detail | 0 | 只把 AWOOOI first tenant、IwoooS security mirror、host coverage=3 與 owner response waiting 放進 AwoooP 租戶管理只讀視野;tenant_migration_mode_changed=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把面板當 migration mode change、tenant policy mutation、runtime gate、execution router 或 action button | | S2.58 AwoooP runs IwoooS run state candidate | framework detail | 0 | 只把 security mirror Run State、read-only dry-run-only、owner response waiting 與 active runtime gates 0 放進 AwoooP Run 監控只讀視野;security_run_created=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把面板當 platform run、execution router、runtime gate、execution queue 或 action button | | S2.59 existing security pages IwoooS reverse bridge | framework detail | 0 | 只把 SecurityPanel、CompliancePanel、standalone `/security` 與 `/compliance` 反向接上 IwoooS 只讀橋接;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把既有頁面的可見性當 owner response、runtime gate、掃描、修復、批准或部署 | +| S2.60 security control pages IwoooS reverse bridge | framework detail | 0 | 只把 `/alerts`、`/errors`、`/authorizations` 與 `/governance` 反向接上 IwoooS 只讀橋接;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把告警、錯誤、授權或治理頁面的可見性當 owner response、runtime gate、掃描、修復、批准、部署或 blocking control | headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence: diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 9a231832..4f349762 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md 
@@ -5,7 +5,7 @@ | 日期 | 2026-05-17 | | 狀態 | S0/S1 read-only evidence 建置中 | | 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record 
write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 | -| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP Run 監控 IwoooS Run State 只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 | +| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP Run 監控 IwoooS Run State 只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 
@@ -28,7 +28,7 @@ python3 scripts/security/security-mirror-progress-guard.py ### 0.2 Headline 58% 不代表停滯 -近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.59 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 +近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / 
reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.60 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner response accepted、redacted payload ingestion、active runtime gate、GitHub primary ready、AwoooP read-only landing。這五個 gate 目前仍全部是 0 / false,所以 headline 不應被灌水提高。 @@ -122,6 +122,7 @@ S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner respons | S2.57 AwoooP tenants IwoooS tenant scope candidate | 已完成草案,將 AWOOOI first tenant、IwoooS security mirror、host coverage=3 與 owner response waiting 放進 AwoooP 租戶管理只讀面板;tenant_migration_mode_changed=false、tenant policy changes 仍為 0 | 0 | | S2.58 AwoooP runs IwoooS run state candidate | 已完成草案,將 security mirror Run State、read-only dry-run-only、owner response waiting 與 active runtime gates 0 放進 AwoooP Run 監控只讀面板;security_run_created=false、execution_router_linked=false | 0 | | S2.59 existing security pages IwoooS reverse bridge | 已完成草案,將 SecurityPanel、CompliancePanel、standalone `/security` 與 `/compliance` 反向顯示 IwoooS 只讀納管狀態;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false | 0 | +| S2.60 security control pages IwoooS reverse bridge | 已完成草案,將 `/alerts`、`/errors`、`/authorizations` 與 `/governance` 反向顯示 IwoooS 只讀納管狀態;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false | 0 | headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。 
@@ -200,6 +201,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S2.57 AwoooP Tenants IwoooS Tenant Scope Candidate | 完成草案 | `/awooop/tenants` 新增 IwoooS 租戶資安範圍只讀候選,顯示 AWOOOI 第一租戶、IwoooS、host coverage=3、tenant policy changes=0,並連到 `/iwooos` | 使用者能在租戶管理理解資安網保護範圍;面板仍不是 migration mode change、tenant policy mutation、runtime gate、execution router、action button 或 headline 加分 | | S2.58 AwoooP Runs IwoooS Run State Candidate | 完成草案 | `/awooop/runs` 新增 IwoooS Run State 只讀候選,顯示 run visibility=read-only、security runs=0、active runtime gates=0、owner accepted=0,並連到 `/iwooos` | 使用者能在 Run 監控理解資安網仍是只讀候選;面板仍不是 platform run created、execution router linked、runtime gate、execution queue、action button 或 headline 加分 | | S2.59 Existing Security Pages IwoooS Reverse Bridge | 完成草案 | `SecurityPanel`、`CompliancePanel`、standalone `/security` 與 `/compliance` 新增 IwoooS 只讀橋接,顯示 58%、80-85%、runtime gates=0、action buttons=0,並連到 `/iwooos` | 使用者回到原本安全 / 合規頁也能知道它們已納入 IwoooS;橋接仍不是 owner response、runtime authorization、scan、repair、approve、deploy 或 blocking control | +| S2.60 Security Control Pages IwoooS Reverse Bridge | 完成草案 | `/alerts`、`/errors`、`/authorizations` 與 `/governance` 新增 IwoooS 只讀橋接,顯示 58%、80-85%、runtime gates=0、action buttons=0,並連到 `/iwooos` | 使用者能在告警、錯誤、授權與治理流程中看見資安網邊界;橋接仍不是 alert blocker、owner response、runtime authorization、scan、repair、approve、deploy 或 blocking control | | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate | | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item | | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 | diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index 381e5422..f37ddbb9 100644 
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
@@ -1178,6 +1178,18 @@
 "runtime_delta": false,
 "execution_authorized": false,
 "not_authorization": true
+ },
+ {
+ "delta_id": "s2_60_security_control_pages_iwooos_reverse_bridge",
+ "display_order": 89,
+ "completed_stage": "S2.60 security control pages IwoooS reverse bridge",
+ "progress_axis": "framework_detail",
+ "headline_percent_delta": 0,
+ "framework_delta_visible": true,
+ "why_headline_unchanged": "Alerts、ErrorsPanel、Authorizations 與 Governance 只新增 IwoooS 只讀橋接;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false,沒有新增告警阻擋、簽核批准、修復、部署或 runtime gate。",
+ "runtime_delta": false,
+ "execution_authorized": false,
+ "not_authorization": true
 }
 ],
 "next_safe_actions": [
@@ -1326,6 +1338,22 @@
 "把 /security、/compliance 或 SecurityPanel 的可見性當成 owner response received / accepted"
 ]
 },
+ {
+ "action_id": "show_security_control_pages_iwooos_reverse_bridge",
+ "title": "告警、錯誤、授權與治理頁面顯示 IwoooS 只讀橋接",
+ "mode": "observe",
+ "source_contract": "security_mirror_status_rollup_v1",
+ "allowed_processing": [
+ "在 /alerts、/errors、/authorizations 與 /governance 顯示 IwoooS 只讀橋接",
+ "顯示 headline 58%、framework 80-85%、runtime gates=0、action buttons=0",
+ "連到 /iwooos 只讀入口,不新增 scan、execute、repair、approve、deploy、primary switch、refs action、alert blocker 或 runtime gate"
+ ],
+ "blocked_processing": [
+ "把告警、錯誤、授權或治理頁面的橋接面板當成 runtime authorization",
+ "從告警、錯誤、授權或治理頁面新增掃描、修復、批准、部署、告警阻擋或 blocking control",
+ "把 /alerts、/errors、/authorizations 或 /governance 的可見性當成 owner response received / accepted"
+ ]
+ },
 {
 "action_id": "mirror_low_friction_non_blocking_lanes",
 "title": "AwoooP 顯示低摩擦非阻擋升級分流",
@@ -1698,7 +1726,8 @@
 "S2.56 新增 AwoooP contracts IwoooS security contract candidate;AwoooP 合約儀表板以只讀候選顯示 security_mirror_status_rollup_v1、iwooos_posture_projection_v1、source_control_owner_response_validation_rollup_v1、security_rollout_policy_v1、total contracts=36、ready=33、partial=2、active runtime gates=0;contract_publish_authorized=false、contract_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 contracts 面板當 contract publish、lifecycle mutation、runtime gate、execution router 或 action button。",
 "S2.57 新增 AwoooP tenants IwoooS tenant scope candidate;AwoooP 租戶管理以只讀候選顯示 AWOOOI first tenant、IwoooS security mirror、Kali 112 / Dev 168 / Dev 111、S4.9-S4.12 owner response waiting、host coverage=3、tenant policy changes=0;tenant_migration_mode_changed=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 tenants 面板當 tenant migration、policy mutation、runtime gate、execution router 或 action button。",
 "S2.58 新增 AwoooP runs IwoooS run state candidate;AwoooP Run 監控以只讀候選顯示 security_mirror_run_state_candidate、read_only_dry_run_only、S4.9-S4.12 owner response waiting、active runtime gates 0、security runs=0、owner accepted=0;security_run_created=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 runs 面板當 platform run、execution router、runtime gate、execution queue 或 action button。",
- "S2.59 新增既有安全 / 合規頁面 IwoooS reverse bridge;SecurityPanel、CompliancePanel、standalone /security 與 /compliance 反向顯示 IwoooS 只讀納管狀態、headline 58%、framework 80-85%、runtime gates=0、action buttons=0;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把既有頁面的可見性當 owner response、runtime gate、掃描、修復、批准或部署。"
+ "S2.59 新增既有安全 / 合規頁面 IwoooS reverse bridge;SecurityPanel、CompliancePanel、standalone /security 與 /compliance 反向顯示 IwoooS 只讀納管狀態、headline 58%、framework 80-85%、runtime gates=0、action 
buttons=0;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把既有頁面的可見性當 owner response、runtime gate、掃描、修復、批准或部署。",
+ "S2.60 新增資安控制頁面 IwoooS reverse bridge;/alerts、/errors、/authorizations 與 /governance 反向顯示 IwoooS 只讀納管狀態、headline 58%、framework 80-85%、runtime gates=0、action buttons=0;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把告警、錯誤、授權或治理頁面的可見性當 owner response、runtime gate、掃描、修復、批准、部署或 blocking control。"
 ],
 "forbidden_actions": [
 "start_kali_scan",
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index 8206730e..4de2f768 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -85,6 +85,18 @@ def validate(root: Path) -> None:
 standalone_compliance_page = (
 root / "apps" / "web" / "src" / "app" / "[locale]" / "compliance" / "page.tsx"
 ).read_text(encoding="utf-8")
+ alerts_page = (root / "apps" / "web" / "src" / "app" / "[locale]" / "alerts" / "page.tsx").read_text(
+ encoding="utf-8"
+ )
+ authorizations_page = (
+ root / "apps" / "web" / "src" / "app" / "[locale]" / "authorizations" / "page.tsx"
+ ).read_text(encoding="utf-8")
+ governance_page = (
+ root / "apps" / "web" / "src" / "app" / "[locale]" / "governance" / "page.tsx"
+ ).read_text(encoding="utf-8")
+ errors_panel = (root / "apps" / "web" / "src" / "components" / "panels" / "ErrorsPanel.tsx").read_text(
+ encoding="utf-8"
+ )
 iwooos_bridge = (
 root / "apps" / "web" / "src" / "components" / "security" / "iwooos-read-only-bridge.tsx"
 ).read_text(encoding="utf-8")
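Review bot: The four added `read_text` blocks are further copies of the `root / … / "page.tsx").read_text(encoding="utf-8")` shape already used for `standalone_compliance_page` and `iwooos_bridge`, and each one surfaces a missing page as a bare `FileNotFoundError` traceback rather than the labelled failure the surrounding `assert_*` helpers presumably produce. A two-line helper, `def _read_source(root: Path, *parts: str) -> str:` / `    return root.joinpath(*parts).read_text(encoding="utf-8")`, would reduce each block to one line such as `alerts_page = _read_source(root, "apps", "web", "src", "app", "[locale]", "alerts", "page.tsx")` and give one place to turn a missing file into a named guard failure. `validate` starts before this hunk and continues after it.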
@@ -251,6 +263,7 @@ def validate(root: Path) -> None: "s2_57_awooop_tenants_iwooos_tenant_scope_candidate", "s2_58_awooop_runs_iwooos_run_state_candidate", "s2_59_existing_security_pages_iwooos_reverse_bridge", + "s2_60_security_control_pages_iwooos_reverse_bridge", ] assert_equal( "progress_delta_ledger.delta_ids", @@ -315,6 +328,11 @@ def validate(root: Path) -> None: [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], "show_existing_security_pages_iwooos_reverse_bridge", ) + assert_contains( + "rollup.next_safe_actions.action_ids", + [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], + "show_security_control_pages_iwooos_reverse_bridge", + ) assert_equal("rollout_policy.schema_version", rollout_policy["schema_version"], "security_rollout_policy_v1") assert_equal("rollout_policy.default_mode", rollout_policy["default_mode"], "observe") @@ -5081,6 +5099,14 @@ def validate(root: Path) -> None: ]: assert_text_contains("existing_security_pages.iwooos_bridge_import", source_text, "IwoooSReadOnlyBridge") assert_text_contains("existing_security_pages.iwooos_bridge_render", source_text, "") + for source_text in [ + alerts_page, + authorizations_page, + governance_page, + errors_panel, + ]: + assert_text_contains("security_control_pages.iwooos_bridge_import", source_text, "IwoooSReadOnlyBridge") + assert_text_contains("security_control_pages.iwooos_bridge_render", source_text, "") for key in [ "title", "subtitle",
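Review bot: The added `assert_contains` only proves that the id `show_security_control_pages_iwooos_reverse_bridge` is listed, not that the action is still read-only; the snapshot entry it refers to carries `"mode": "observe"` and a `blocked_processing` list, and since this guard is what backs the rollup's read-only claim it should pin that mode rather than just the id. Two lines after the new call would do it: `bridge_action = next(item for item in rollup["next_safe_actions"] if isinstance(item, dict) and item.get("action_id") == "show_security_control_pages_iwooos_reverse_bridge")` and `assert_equal("rollup.next_safe_actions.security_control_pages_bridge.mode", bridge_action["mode"], "observe")`. The same gap exists for the S2.59 check just above, but that is pre-existing. `validate` starts and ends outside the hunk.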
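Review bot: In the new loop the render assertion's needle appears here as an empty string, `assert_text_contains("security_control_pages.iwooos_bridge_render", source_text, "")`; if that is not an extraction artifact the check is vacuous, since every string contains `""`, and the guard passes for a page that imports the component without rendering it. Restore the tag text, e.g. `"<IwoooSReadOnlyBridge"`, and note that even then `assert_text_contains` is a plain substring check that a commented-out import or a `{/* <IwoooSReadOnlyBridge /> */}` satisfies; a line-anchored match (`^\s*<IwoooSReadOnlyBridge\b` with `re.MULTILINE`) would at least reject the commented case. Nothing in the hunk checks the negative side the rollup claims (`action_buttons_allowed=false`), so the bridge's presence on these four pages is verified but the absence of new controls is not. `validate` starts and ends outside the hunk.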