From 33e793bb765e97c3fd8e9aa3dcec82afc677abbc Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Tue, 19 May 2026 21:46:44 +0800
Subject: [PATCH] feat(web): add IwoooS host collection order

---
 apps/web/messages/en.json                     |  43 +++++++
 apps/web/messages/zh-TW.json                  |  43 +++++++
 apps/web/src/app/[locale]/iwooos/page.tsx     |  65 ++++++++++
 docs/LOGBOOK.md                               |  14 +++
 .../iwooos_posture_projection_v1.schema.json  |  71 +++++++++++
 docs/security/IWOOOS-POSTURE-PROJECTION.md    |  22 +++-
 .../security/SECURITY-MIRROR-STATUS-ROLLUP.md |   3 +-
 .../SECURITY-SUPPLY-CHAIN-PROGRESS.md         |   4 +-
 .../iwooos-posture-projection.snapshot.json   | 115 +++++++++++++++++-
 ...ecurity-mirror-status-rollup.snapshot.json |  12 ++
 .../security-mirror-progress-guard.py         |  85 +++++++++++++
 11 files changed, 471 insertions(+), 6 deletions(-)

diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json
index 840bc176..876c2d60 100644
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -1361,6 +1361,49 @@
         }
       }
     },
+    "hostEvidenceCollection": {
+      "title": "Host Evidence Collection Order",
+      "subtitle": "Orders the seven host evidence items into a recommended collection sequence. Each step only names the next reviewable item and does not change received / accepted from 0.",
+      "stepLabel": "Collection step",
+      "dependencyLabel": "Dependency",
+      "items": {
+        "scopeFirst": {
+          "title": "Define scope boundary first",
+          "body": "Confirm allowed targets, exclusions, depth, and rate limits first. No scope means no scan.",
+          "dependency": "none; this is the first host collection step"
+        },
+        "ownerSecond": {
+          "title": "Collect owner decision second",
+          "body": "Confirm who approves, the approved range, and the decision record; queue state cannot replace human control.",
+          "dependency": "requires readable scope boundary"
+        },
+        "credentialThird": {
+          "title": "Isolate credential handling",
+          "body": "If future scans need credentials, define credential source, storage boundary, redaction, and rejection first.",
+          "dependency": "requires owner decision; plaintext credential collection remains forbidden"
+        },
+        "maintenanceFourth": {
+          "title": "Schedule maintenance window",
+          "body": "Before updates, tuning, or SSH changes, confirm the window, impact scope, and notification.",
+          "dependency": "requires owner decision and change scope"
+        },
+        "rollbackFifth": {
+          "title": "Add rollback plan",
+          "body": "Every host action needs recovery for packages, settings, services, and toolchain versions.",
+          "dependency": "requires maintenance window and change list"
+        },
+        "validationSixth": {
+          "title": "Define validation metrics",
+          "body": "Define post-check metrics and failure handling lanes before execution is discussed.",
+          "dependency": "requires rollback plan"
+        },
+        "redactedSeventh": {
+          "title": "Collect redacted ingestion last",
+          "body": "Findings / scan results enter mirror only as redacted summaries, never as raw payload.",
+          "dependency": "requires validation metrics; payloads_ingested=false"
+        }
+      }
+    },
     "nextGate": {
       "title": "Next High-level Gate",
       "body": "S4.9 Gitea owner attestation response is the recommended next owner evidence. Headline progress should only increase after owner responses, redacted payload ingestion, active runtime gates, or GitHub primary readiness actually change."
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json
index e8c6bc63..fa56a90f 100644
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -1362,6 +1362,49 @@
         }
       }
     },
+    "hostEvidenceCollection": {
+      "title": "主機 Evidence 收件順序",
+      "subtitle": "把七個主機 evidence 排成建議收件順序。每一步都只代表下一個可審項目，不會把 received / accepted 從 0 改掉。",
+      "stepLabel": "收件步驟",
+      "dependencyLabel": "前置依賴",
+      "items": {
+        "scopeFirst": {
+          "title": "先定義 scope boundary",
+          "body": "先確認允許目標、排除範圍、深度與速率。沒有 scope，不進 scan。",
+          "dependency": "無；這是主機收件第一步"
+        },
+        "ownerSecond": {
+          "title": "再收 owner decision",
+          "body": "確認誰批准、批准範圍與決策紀錄，不用 queue 狀態替代人控決策。",
+          "dependency": "需要 scope boundary 可讀"
+        },
+        "credentialThird": {
+          "title": "隔離 credential handling",
+          "body": "若未來要帶憑證掃描，先定義憑證來源、保存邊界、遮蔽與拒收。",
+          "dependency": "需要 owner decision；仍禁止收集憑證明文"
+        },
+        "maintenanceFourth": {
+          "title": "安排 maintenance window",
+          "body": "更新、調校或 SSH 變更前先確認窗口、影響範圍與通知。",
+          "dependency": "需要 owner decision 與變更範圍"
+        },
+        "rollbackFifth": {
+          "title": "補 rollback plan",
+          "body": "每個主機動作都要能回復套件、設定、服務與工具鏈版本。",
+          "dependency": "需要 maintenance window 與變更清單"
+        },
+        "validationSixth": {
+          "title": "定義 validation metrics",
+          "body": "先定義 post-check 指標與失敗處理 lane，再談執行。",
+          "dependency": "需要 rollback plan"
+        },
+        "redactedSeventh": {
+          "title": "最後才收 redacted ingestion",
+          "body": "finding / scan result 只用脫敏摘要進 mirror，不吃 raw payload。",
+          "dependency": "需要 validation metrics；payloads_ingested=false"
+        }
+      }
+    },
     "nextGate": {
       "title": "下一個高層 Gate",
       "body": "S4.9 Gitea owner attestation response 是目前建議先收的 owner evidence。任何 headline 提升都要等 owner response、redacted payload ingestion、active runtime gate 或 GitHub primary readiness 有真實變化。"
diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx
index 34f75785..f2bf5657 100644
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -95,6 +95,13 @@ type HostEvidenceReadinessItem = {
   tone: 'steady' | 'warn' | 'locked'
 }
 
+type HostEvidenceCollectionStep = {
+  key: string
+  step: string
+  icon: typeof ShieldCheck
+  tone: 'steady' | 'warn' | 'locked'
+}
+
 const postureMetrics: PostureMetric[] = [
   { key: 'overall', value: '58%', tone: 'warn' },
   { key: 'framework', value: '80-85%', tone: 'steady' },
@@ -216,6 +223,16 @@ const hostEvidenceReadinessItems: HostEvidenceReadinessItem[] = [
   { key: 'redactedIngestion', gate: 'S1.6', icon: ShieldCheck, tone: 'locked' },
 ]
 
+const hostEvidenceCollectionSteps: HostEvidenceCollectionStep[] = [
+  { key: 'scopeFirst', step: '01', icon: Radar, tone: 'warn' },
+  { key: 'ownerSecond', step: '02', icon: ClipboardCheck, tone: 'warn' },
+  { key: 'credentialThird', step: '03', icon: Lock, tone: 'locked' },
+  { key: 'maintenanceFourth', step: '04', icon: Clock3, tone: 'warn' },
+  { key: 'rollbackFifth', step: '05', icon: FileWarning, tone: 'warn' },
+  { key: 'validationSixth', step: '06', icon: CheckCircle2, tone: 'warn' },
+  { key: 'redactedSeventh', step: '07', icon: ShieldCheck, tone: 'locked' },
+]
+
 const evidenceItems = [
   'iwooos-posture-projection.snapshot.json',
   'security-rollout-policy.snapshot.json',
@@ -546,6 +563,34 @@ function HostEvidenceReadinessCard({ item, index }: { item: HostEvidenceReadines
   )
 }
 
+function HostEvidenceCollectionCard({ item }: { item: HostEvidenceCollectionStep }) {
+  const t = useTranslations('iwooos.hostEvidenceCollection')
+  const Icon = item.icon
+  return (
+    <div style={{ ...band, minHeight: 190, padding: 16 }}>
+      <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', gap: 12 }}>
+        <div style={{ display: 'flex', alignItems: 'center', gap: 9 }}>
+          <Icon size={18} color={toneColors[item.tone]} />
+          <span style={{ fontSize: 11, color: '#87867f' }}>{t('stepLabel')}</span>
+        </div>
+        <span style={{ fontSize: 11, color: '#9b978b' }}>{item.step}</span>
+      </div>
+      <h2 style={{ fontSize: 14, margin: '12px 0 6px', color: '#141413' }}>
+        {t(`items.${item.key}.title` as never)}
+      </h2>
+      <p style={{ fontSize: 12, lineHeight: 1.55, color: '#6f6d66', margin: 0 }}>
+        {t(`items.${item.key}.body` as never)}
+      </p>
+      <div style={{ marginTop: 10, display: 'grid', gap: 5 }}>
+        <div style={{ fontSize: 11, color: '#87867f' }}>{t('dependencyLabel')}</div>
+        <div style={{ fontSize: 11, color: toneColors[item.tone], lineHeight: 1.45 }}>
+          {t(`items.${item.key}.dependency` as never)}
+        </div>
+      </div>
+    </div>
+  )
+}
+
 export default function IwoooSPage({ params }: { params: { locale: string } }) {
   const t = useTranslations('iwooos')
 
@@ -678,6 +723,26 @@ export default function IwoooSPage({ params }: { params: { locale: string } }) {
           </div>
         </section>
 
+        <section style={{ marginBottom: 14 }}>
+          <div style={{ marginBottom: 14 }}>
+            <h2 style={{ fontSize: 16, margin: 0 }}>{t('hostEvidenceCollection.title')}</h2>
+            <p style={{ fontSize: 12, color: '#6f6d66', margin: '6px 0 0', lineHeight: 1.55 }}>
+              {t('hostEvidenceCollection.subtitle')}
+            </p>
+          </div>
+          <div
+            style={{
+              display: 'grid',
+              gridTemplateColumns: 'repeat(auto-fit, minmax(210px, 1fr))',
+              gap: 12,
+            }}
+          >
+            {hostEvidenceCollectionSteps.map(item => (
+              <HostEvidenceCollectionCard key={item.key} item={item} />
+            ))}
+          </div>
+        </section>
+
         <section
           style={{
             display: 'grid',
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 541b0b72..9f3d5a81 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,17 @@
+## 2026-05-19 | 資安供應鏈 S2.17：IwoooS Host Evidence Collection Order
+
+**背景**：S2.16 已把主機動作前缺少的 evidence 顯示成 readiness board；本輪補上只讀收件順序，讓使用者知道 scope、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion 應該先後怎麼收，不把每個缺口混成同一層。
+
+**完成**：
+- `/iwooos` 新增「主機 Evidence 收件順序」，顯示七個 collection steps 與前置依賴。
+- `iwooos_posture_projection_v1` schema / snapshot 新增 `host_evidence_collection_order` 與 `host_evidence_collection_step_count=7`，每個 step 固定 `display_mode=collection_order_only`、`received_count=0`、`accepted_count=0`、`runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
+- `security-mirror-progress-guard.py` 開始驗證七個 host evidence collection steps、順序、source item、dependency、received / accepted 仍為 0，以及 no runtime / no action button 邊界。
+- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_17_iwooos_host_evidence_collection_order`，headline progress 仍維持 58%。
+
+**仍禁止**：
+- host evidence collection order 不代表 evidence received / accepted、active scan、credentialed scan、Kali `/execute`、SSH 登入、主機變更、Kali 更新、raw host evidence ingestion、runtime gate 或 blocking control。
+- 下一步仍需先收脫敏 scope boundary 與 owner decision，之後才談 credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion。
+
 ## 2026-05-19 | 資安供應鏈 S2.16：IwoooS Host Evidence Readiness Board
 
 **背景**：S2.15 已把主機高風險動作拆成只讀 gate matrix；本輪補上主機 evidence readiness board，讓使用者知道 active scan、credentialed scan、SSH / host change、Kali update 或 runtime blocking 前到底還缺哪些前置證據。
diff --git a/docs/schemas/iwooos_posture_projection_v1.schema.json b/docs/schemas/iwooos_posture_projection_v1.schema.json
index e49aab85..69458aca 100644
--- a/docs/schemas/iwooos_posture_projection_v1.schema.json
+++ b/docs/schemas/iwooos_posture_projection_v1.schema.json
@@ -23,6 +23,7 @@
     "host_coverage_items",
     "host_action_gate_items",
     "host_evidence_readiness_items",
+    "host_evidence_collection_order",
     "frontend_surface_coverage_groups",
     "evidence_refs",
     "allowed_frontend_outputs",
@@ -85,6 +86,7 @@
         "host_coverage_item_count",
         "host_action_gate_item_count",
         "host_evidence_readiness_item_count",
+        "host_evidence_collection_step_count",
         "action_buttons_allowed"
       ],
       "properties": {
@@ -166,6 +168,10 @@
         "host_evidence_readiness_item_count": {
           "type": "integer",
           "const": 7
+        },
+        "host_evidence_collection_step_count": {
+          "type": "integer",
+          "const": 7
         }
       },
       "additionalProperties": false
@@ -814,6 +820,71 @@
         },
         "additionalProperties": false
       }
+    },
+    "host_evidence_collection_order": {
+      "type": "array",
+      "minItems": 7,
+      "items": {
+        "type": "object",
+        "required": [
+          "step_id",
+          "display_order",
+          "source_item_id",
+          "depends_on_step_ids",
+          "collection_state",
+          "display_mode",
+          "received_count",
+          "accepted_count",
+          "runtime_execution_authorized",
+          "action_buttons_allowed",
+          "not_authorization"
+        ],
+        "properties": {
+          "step_id": {
+            "type": "string"
+          },
+          "display_order": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "source_item_id": {
+            "type": "string"
+          },
+          "depends_on_step_ids": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          },
+          "collection_state": {
+            "type": "string"
+          },
+          "display_mode": {
+            "const": "collection_order_only"
+          },
+          "received_count": {
+            "type": "integer",
+            "const": 0
+          },
+          "accepted_count": {
+            "type": "integer",
+            "const": 0
+          },
+          "runtime_execution_authorized": {
+            "type": "boolean",
+            "const": false
+          },
+          "action_buttons_allowed": {
+            "type": "boolean",
+            "const": false
+          },
+          "not_authorization": {
+            "type": "boolean",
+            "const": true
+          }
+        },
+        "additionalProperties": false
+      }
     }
   },
   "additionalProperties": false
diff --git a/docs/security/IWOOOS-POSTURE-PROJECTION.md b/docs/security/IWOOOS-POSTURE-PROJECTION.md
index d00f4595..7dc41f49 100644
--- a/docs/security/IWOOOS-POSTURE-PROJECTION.md
+++ b/docs/security/IWOOOS-POSTURE-PROJECTION.md
@@ -44,6 +44,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence：
 12. 3 個只讀主機覆蓋 items：Kali 112、開發主機 168、開發主機 111。
 13. 6 個主機動作 gate items：active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update、runtime blocking control。
 14. 7 個主機 evidence readiness items：scope boundary、owner decision、credential handling、maintenance window、rollback plan、validation metrics、redacted ingestion。
+15. 7 個主機 evidence collection order steps，顯示收件順序與前置依賴。
 
 ## 3.1 既有前端資安頁面整合
 
@@ -157,6 +158,24 @@ S2.16 將主機動作解鎖前需要的 evidence 顯示成只讀 readiness board
 
 每個 item 都固定 `display_mode=evidence_readiness_only`，且 `active_scan_authorized=false`、`credentialed_scan_authorized=false`、`ssh_change_authorized=false`、`host_update_authorized=false`、`runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
 
+## 3.8 主機 Evidence 收件順序
+
+S2.17 將 S2.16 的七個主機 evidence readiness items 排成建議收件順序。這一層只回答「先收哪個、下一個依賴什麼」，不把任何 evidence 標成 received / accepted。
+
+| 順序 | 收件步驟 | Source item | 前置依賴 | 狀態 |
+|------|----------|-------------|----------|------|
+| 1 | 先定義 scope boundary | `host_scope_boundary_evidence` | 無 | `next_collection_candidate`；received=0、accepted=0 |
+| 2 | 再收 owner decision | `host_owner_decision_record_evidence` | `collect_scope_boundary_first` | `waiting_previous_step`；received=0、accepted=0 |
+| 3 | 隔離 credential handling | `host_credential_handling_evidence` | `collect_owner_decision_second` | `waiting_previous_step`；received=0、accepted=0 |
+| 4 | 安排 maintenance window | `host_maintenance_window_evidence` | `collect_owner_decision_second` | `waiting_previous_step`；received=0、accepted=0 |
+| 5 | 補 rollback plan | `host_rollback_plan_evidence` | `collect_maintenance_window_fourth` | `waiting_previous_step`；received=0、accepted=0 |
+| 6 | 定義 validation metrics | `host_validation_metrics_evidence` | `collect_rollback_plan_fifth` | `waiting_previous_step`；received=0、accepted=0 |
+| 7 | 最後才收 redacted ingestion | `host_redacted_ingestion_evidence` | `collect_validation_metrics_sixth` | `waiting_previous_step`；received=0、accepted=0 |
+
+每個 step 都固定 `display_mode=collection_order_only`，且 `runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
+
+這個順序是收件提示，不是工作佇列。不得因為某個 step 顯示為下一個候選，就啟動 scan、SSH、Kali update、raw payload ingestion、runtime blocking control，或把對應 evidence 標成已收到 / 已接受。
+
 ## 4. 仍禁止
 
 IwoooS 不得提供下列輸出：
@@ -169,7 +188,8 @@ IwoooS 不得提供下列輸出：
 6. SSH 到主機、開 SSH session、更新 Kali、package upgrade、credentialed scan 或 active scan。
 7. 套用 runtime blocking control。
 8. 將主機 evidence 標記為 received / accepted，或匯入 raw host evidence。
-9. 把 58% progress、contract count、mirror readiness 或前端可見狀態當成授權。
+9. 推進 host collection state 或跳過 host evidence dependency。
+10. 把 58% progress、contract count、mirror readiness 或前端可見狀態當成授權。
 
 ## 5. 驗證
 
diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
index d33256f0..66bda368 100644
--- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
+++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
@@ -35,7 +35,7 @@
 | Owner response validation | S4.13 已建立；四包 owner response 目前 received/accepted 皆為 0；4 條 missing response lanes、4 步 collection order、next collection candidate、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與 7 條 parallel session recovery outcome lanes 可供 AwoooP 直接顯示；下一個建議收件為 S4.9 Gitea owner attestation；latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`，reviewer audit emitted 仍為 0，不代表 owner response 已收到或任何執行授權 |
 | Low-friction rollout policy | S1.3 已補 7 條 non-blocking escalation lanes；LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 初期只能 observe / warn；`owner_review_required_before_blocking=true`、`runtime_blocking_allowed=false` |
 | IwoooS frontend posture | S2.8 已新增 `/iwooos` read-only Information Security 入口；顯示 Security Posture / Exposure、source-control supply chain、Kali 112 Mesh、approval boundary、non-blocking lanes 與 evidence refs；不新增執行按鈕 |
-| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；S2.13 已補 7 個 owner evidence readiness items；S2.14 已補 3 個 host coverage items：Kali 112、開發主機 168、開發主機 111；S2.15 已補 6 個 host action gate items；S2.16 已補 7 個 host evidence readiness items；仍不新增 action button |
+| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；S2.13 已補 7 個 owner evidence readiness items；S2.14 已補 3 個 host coverage items：Kali 112、開發主機 168、開發主機 111；S2.15 已補 6 個 host action gate items；S2.16 已補 7 個 host evidence readiness items；S2.17 已補 7 個 host evidence collection order steps；仍不新增 action button |
 | Dry-run | `contract_defined_not_executed`；已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`，latest local validation 為 `repo_snapshot_guard_pass`，仍不代表 production ingestion |
 | Runtime actions | `false` |
 | Payload ingestion | `false` |
@@ -100,6 +100,7 @@
 | S2.14 IwoooS host coverage view | framework detail | 0 | 只顯示 Kali 112 與 168 / 111 開發主機已納入 observe-only 資安視野，不代表 active scan、SSH 變更、主機更新、credentialed scan、runtime gate 或 Kali `/execute` 授權 |
 | S2.15 IwoooS host action gate matrix | framework detail | 0 | 只把 active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update 與 runtime blocking control 拆成只讀 gate，不代表任何主機動作或 runtime enforcement 已批准 |
 | S2.16 IwoooS host evidence readiness board | framework detail | 0 | 只顯示主機動作前仍缺 scope、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion evidence；received / accepted 仍為 0，不代表任何主機動作已批准 |
+| S2.17 IwoooS host evidence collection order | framework detail | 0 | 只把七個主機 evidence readiness items 排成只讀收件順序與依賴關係；received / accepted 仍為 0，不代表 active scan、SSH、Kali update、raw evidence ingestion 或 runtime control 已批准 |
 
 headline 進度要再往上，至少需要下列任一高層 gate 有實質 evidence：
 
diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
index 957afd64..95c0adc5 100644
--- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
@@ -4,7 +4,7 @@
 |------|------|
 | 日期 | 2026-05-17 |
 | 狀態 | S0/S1 read-only evidence 建置中 |
-| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board |
+| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order |
 | 原則 | 低摩擦分階段；文件、schema、read-only evidence 優先；不做 runtime enforcement、不切 primary |
 
 ## 0. 本階段完成後整體進度
@@ -76,6 +76,7 @@ python3 scripts/security/security-mirror-progress-guard.py
 | S2.14 IwoooS host coverage view | 已完成草案，將 Kali 112、開發主機 168、開發主機 111 固定為 3 個只讀 host coverage items；active scan、SSH 變更、主機更新、credentialed scan 與 runtime control 仍未批准 | 0 |
 | S2.15 IwoooS host action gate matrix | 已完成草案，將 active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update、runtime blocking control 固定為 6 個只讀 gate items | 0 |
 | S2.16 IwoooS host evidence readiness board | 已完成草案，將 scope boundary、owner decision、credential handling、maintenance window、rollback plan、validation metrics、redacted ingestion 固定為 7 個只讀 readiness items | 0 |
+| S2.17 IwoooS host evidence collection order | 已完成草案，將七個主機 evidence readiness items 排成只讀收件順序與依賴關係；received / accepted 仍為 0 | 0 |
 
 headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收，或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。
 
@@ -111,6 +112,7 @@ headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
 | S2.14 IwoooS Host Coverage View | 完成草案 | `/iwooos` 新增主機覆蓋視圖，明確顯示 Kali 112 與 168 / 111 兩台開發主機已納入 observe-only 資安視野 | 使用者能看到指定主機已納管到資安架構視圖；仍不新增 SSH、scan、update、execute、credentialed scan 或 blocking control |
 | S2.15 IwoooS Host Action Gate Matrix | 完成草案 | `/iwooos` 新增主機動作 gate 矩陣，將 active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update 與 runtime blocking control 拆成只讀 gate | 使用者能看懂主機動作為什麼仍需人工批准；仍不新增任何主機操作或 runtime enforcement |
 | S2.16 IwoooS Host Evidence Readiness | 完成草案 | `/iwooos` 新增主機 evidence readiness board，顯示主機動作前仍缺 scope、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion evidence | 使用者能看懂主機行動前置證據，不會把規劃誤認為已批准；仍不新增任何主機操作 |
+| S2.17 IwoooS Host Evidence Collection Order | 完成草案 | `/iwooos` 新增主機 evidence 收件順序，將 scope、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion 排成只讀依賴 | 使用者能知道下一步先收什麼；仍不把任何 evidence 標成 received / accepted，也不啟動掃描、SSH、更新或 runtime control |
 | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items：7 pending、1 block candidate、0 approved | 不得繞過人工批准；批准後仍需 follow-up runtime gate |
 | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策，不可執行 gate item |
 | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立；目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策，不可把決策當執行 |
diff --git a/docs/security/iwooos-posture-projection.snapshot.json b/docs/security/iwooos-posture-projection.snapshot.json
index 7e00a26d..750233ed 100644
--- a/docs/security/iwooos-posture-projection.snapshot.json
+++ b/docs/security/iwooos-posture-projection.snapshot.json
@@ -42,7 +42,8 @@
     "owner_evidence_readiness_item_count": 7,
     "host_coverage_item_count": 3,
     "host_action_gate_item_count": 6,
-    "host_evidence_readiness_item_count": 7
+    "host_evidence_readiness_item_count": 7,
+    "host_evidence_collection_step_count": 7
   },
   "progress": {
     "overall_percent": 58,
@@ -121,7 +122,8 @@
     "display_host_evidence_readiness_board",
     "display_evidence_refs",
     "display_next_gate",
-    "display_forbidden_actions"
+    "display_forbidden_actions",
+    "display_host_evidence_collection_order"
   ],
   "forbidden_frontend_outputs": [
     "add_scan_button",
@@ -146,7 +148,9 @@
     "mark_host_evidence_accepted",
     "ingest_raw_host_evidence",
     "production_deploy",
-    "treat_progress_as_authorization"
+    "treat_progress_as_authorization",
+    "advance_host_collection_state",
+    "skip_host_evidence_dependency"
   ],
   "runtime_execution_authorized": false,
   "action_buttons_allowed": false,
@@ -920,5 +924,110 @@
       "action_buttons_allowed": false,
       "not_authorization": true
     }
+  ],
+  "host_evidence_collection_order": [
+    {
+      "step_id": "collect_scope_boundary_first",
+      "display_order": 1,
+      "source_item_id": "host_scope_boundary_evidence",
+      "depends_on_step_ids": [],
+      "collection_state": "next_collection_candidate",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_owner_decision_second",
+      "display_order": 2,
+      "source_item_id": "host_owner_decision_record_evidence",
+      "depends_on_step_ids": [
+        "collect_scope_boundary_first"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_credential_handling_third",
+      "display_order": 3,
+      "source_item_id": "host_credential_handling_evidence",
+      "depends_on_step_ids": [
+        "collect_owner_decision_second"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_maintenance_window_fourth",
+      "display_order": 4,
+      "source_item_id": "host_maintenance_window_evidence",
+      "depends_on_step_ids": [
+        "collect_owner_decision_second"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_rollback_plan_fifth",
+      "display_order": 5,
+      "source_item_id": "host_rollback_plan_evidence",
+      "depends_on_step_ids": [
+        "collect_maintenance_window_fourth"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_validation_metrics_sixth",
+      "display_order": 6,
+      "source_item_id": "host_validation_metrics_evidence",
+      "depends_on_step_ids": [
+        "collect_rollback_plan_fifth"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_redacted_ingestion_seventh",
+      "display_order": 7,
+      "source_item_id": "host_redacted_ingestion_evidence",
+      "depends_on_step_ids": [
+        "collect_validation_metrics_sixth"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    }
   ]
 }
diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json
index eb209c85..7242390b 100644
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
@@ -708,6 +708,18 @@
       "runtime_delta": false,
       "execution_authorized": false,
       "not_authorization": true
+    },
+    {
+      "delta_id": "s2_17_iwooos_host_evidence_collection_order",
+      "display_order": 46,
+      "completed_stage": "S2.17 IwoooS host evidence collection order",
+      "progress_axis": "framework_detail",
+      "headline_percent_delta": 0,
+      "framework_delta_visible": true,
+      "why_headline_unchanged": "IwoooS host evidence collection order 只把 scope boundary、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion 排成只讀收件順序；received / accepted 仍為 0，沒有 active scan、SSH/host change、Kali update、raw evidence ingestion、runtime execution 或 action button 授權。",
+      "runtime_delta": false,
+      "execution_authorized": false,
+      "not_authorization": true
     }
   ],
   "next_safe_actions": [
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index 1fdceb0e..de716c50 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -168,6 +168,7 @@ def validate(root: Path) -> None:
         "s2_14_iwooos_host_coverage_view",
         "s2_15_iwooos_host_action_gate_matrix",
         "s2_16_iwooos_host_evidence_readiness_board",
+        "s2_17_iwooos_host_evidence_collection_order",
     ]
     assert_equal(
         "progress_delta_ledger.delta_ids",
@@ -358,6 +359,15 @@ def validate(root: Path) -> None:
         "host_validation_metrics_evidence",
         "host_redacted_ingestion_evidence",
     ]
+    expected_iwooos_host_evidence_collection_step_ids = [
+        "collect_scope_boundary_first",
+        "collect_owner_decision_second",
+        "collect_credential_handling_third",
+        "collect_maintenance_window_fourth",
+        "collect_rollback_plan_fifth",
+        "collect_validation_metrics_sixth",
+        "collect_redacted_ingestion_seventh",
+    ]
     assert_equal(
         "iwooos_projection.summary.frontend_surface_coverage_group_count",
         iwooos_projection["summary"]["frontend_surface_coverage_group_count"],
@@ -393,6 +403,11 @@ def validate(root: Path) -> None:
         iwooos_projection["summary"]["host_evidence_readiness_item_count"],
         len(expected_iwooos_host_evidence_readiness_item_ids),
     )
+    assert_equal(
+        "iwooos_projection.summary.host_evidence_collection_step_count",
+        iwooos_projection["summary"]["host_evidence_collection_step_count"],
+        len(expected_iwooos_host_evidence_collection_step_ids),
+    )
     iwooos_progress = iwooos_projection["progress"]
     assert_equal("iwooos_projection.progress.overall_percent", iwooos_progress["overall_percent"], progress["overall_percent"])
     assert_equal(
@@ -732,6 +747,73 @@ def validate(root: Path) -> None:
             f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.not_authorization",
             item["not_authorization"],
         )
+    iwooos_host_evidence_collection_order = iwooos_projection["host_evidence_collection_order"]
+    assert_equal(
+        "iwooos_projection.host_evidence_collection_order.ids",
+        [item["step_id"] for item in iwooos_host_evidence_collection_order],
+        expected_iwooos_host_evidence_collection_step_ids,
+    )
+    assert_equal(
+        "iwooos_projection.host_evidence_collection_order.display_order",
+        [item["display_order"] for item in iwooos_host_evidence_collection_order],
+        list(range(1, len(expected_iwooos_host_evidence_collection_step_ids) + 1)),
+    )
+    expected_iwooos_host_evidence_collection_source_ids = [
+        "host_scope_boundary_evidence",
+        "host_owner_decision_record_evidence",
+        "host_credential_handling_evidence",
+        "host_maintenance_window_evidence",
+        "host_rollback_plan_evidence",
+        "host_validation_metrics_evidence",
+        "host_redacted_ingestion_evidence",
+    ]
+    assert_equal(
+        "iwooos_projection.host_evidence_collection_order.source_item_ids",
+        [item["source_item_id"] for item in iwooos_host_evidence_collection_order],
+        expected_iwooos_host_evidence_collection_source_ids,
+    )
+    expected_iwooos_host_evidence_collection_dependencies = [
+        [],
+        ["collect_scope_boundary_first"],
+        ["collect_owner_decision_second"],
+        ["collect_owner_decision_second"],
+        ["collect_maintenance_window_fourth"],
+        ["collect_rollback_plan_fifth"],
+        ["collect_validation_metrics_sixth"],
+    ]
+    assert_equal(
+        "iwooos_projection.host_evidence_collection_order.depends_on_step_ids",
+        [item["depends_on_step_ids"] for item in iwooos_host_evidence_collection_order],
+        expected_iwooos_host_evidence_collection_dependencies,
+    )
+    for item in iwooos_host_evidence_collection_order:
+        assert_equal(
+            f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.display_mode",
+            item["display_mode"],
+            "collection_order_only",
+        )
+        assert_equal(
+            f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.received_count",
+            item["received_count"],
+            0,
+        )
+        assert_equal(
+            f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.accepted_count",
+            item["accepted_count"],
+            0,
+        )
+        assert_false(
+            f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.runtime_execution_authorized",
+            item["runtime_execution_authorized"],
+        )
+        assert_false(
+            f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.action_buttons_allowed",
+            item["action_buttons_allowed"],
+        )
+        assert_true(
+            f"iwooos_projection.host_evidence_collection_order.{item['step_id']}.not_authorization",
+            item["not_authorization"],
+        )
     assert_equal(
         "iwooos_projection.non_blocking_lane_ids",
         iwooos_projection["non_blocking_lane_ids"],
@@ -757,6 +839,7 @@ def validate(root: Path) -> None:
         "display_host_coverage_view",
         "display_host_action_gate_matrix",
         "display_host_evidence_readiness_board",
+        "display_host_evidence_collection_order",
         "display_evidence_refs",
         "display_forbidden_actions",
     ]:
@@ -780,6 +863,8 @@ def validate(root: Path) -> None:
         "mark_host_evidence_received",
         "mark_host_evidence_accepted",
         "ingest_raw_host_evidence",
+        "advance_host_collection_state",
+        "skip_host_evidence_dependency",
         "apply_runtime_blocking_control",
         "switch_github_primary",
         "production_deploy",