feat(web): add IwoooS host collection order

2026-05-19 21:46:44 +08:00
parent c0eeca2ec6
commit 33e793bb76
11 changed files with 471 additions and 6 deletions
--- a/docs/security/IWOOOS-POSTURE-PROJECTION.md
+++ b/docs/security/IWOOOS-POSTURE-PROJECTION.md
@@ -44,6 +44,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence：
 12. 3 個只讀主機覆蓋 items：Kali 112、開發主機 168、開發主機 111。
 13. 6 個主機動作 gate items：active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update、runtime blocking control。
 14. 7 個主機 evidence readiness items：scope boundary、owner decision、credential handling、maintenance window、rollback plan、validation metrics、redacted ingestion。
+15. 7 個主機 evidence collection order steps，顯示收件順序與前置依賴。

 ## 3.1 既有前端資安頁面整合

@@ -157,6 +158,24 @@ S2.16 將主機動作解鎖前需要的 evidence 顯示成只讀 readiness board

 每個 item 都固定 `display_mode=evidence_readiness_only`，且 `active_scan_authorized=false`、`credentialed_scan_authorized=false`、`ssh_change_authorized=false`、`host_update_authorized=false`、`runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。

+## 3.8 主機 Evidence 收件順序
+
+S2.17 將 S2.16 的七個主機 evidence readiness items 排成建議收件順序。這一層只回答「先收哪個、下一個依賴什麼」，不把任何 evidence 標成 received / accepted。
+
+| 順序 | 收件步驟 | Source item | 前置依賴 | 狀態 |
+|------|----------|-------------|----------|------|
+| 1 | 先定義 scope boundary | `host_scope_boundary_evidence` | 無 | `next_collection_candidate`；received=0、accepted=0 |
+| 2 | 再收 owner decision | `host_owner_decision_record_evidence` | `collect_scope_boundary_first` | `waiting_previous_step`；received=0、accepted=0 |
+| 3 | 隔離 credential handling | `host_credential_handling_evidence` | `collect_owner_decision_second` | `waiting_previous_step`；received=0、accepted=0 |
+| 4 | 安排 maintenance window | `host_maintenance_window_evidence` | `collect_owner_decision_second` | `waiting_previous_step`；received=0、accepted=0 |
+| 5 | 補 rollback plan | `host_rollback_plan_evidence` | `collect_maintenance_window_fourth` | `waiting_previous_step`；received=0、accepted=0 |
+| 6 | 定義 validation metrics | `host_validation_metrics_evidence` | `collect_rollback_plan_fifth` | `waiting_previous_step`；received=0、accepted=0 |
+| 7 | 最後才收 redacted ingestion | `host_redacted_ingestion_evidence` | `collect_validation_metrics_sixth` | `waiting_previous_step`；received=0、accepted=0 |
+
+每個 step 都固定 `display_mode=collection_order_only`，且 `runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
+
+這個順序是收件提示，不是工作佇列。不得因為某個 step 顯示為下一個候選，就啟動 scan、SSH、Kali update、raw payload ingestion、runtime blocking control，或把對應 evidence 標成已收到 / 已接受。
+
 ## 4. 仍禁止

 IwoooS 不得提供下列輸出：
@@ -169,7 +188,8 @@ IwoooS 不得提供下列輸出：
 6. SSH 到主機、開 SSH session、更新 Kali、package upgrade、credentialed scan 或 active scan。
 7. 套用 runtime blocking control。
 8. 將主機 evidence 標記為 received / accepted，或匯入 raw host evidence。
-9. 把 58% progress、contract count、mirror readiness 或前端可見狀態當成授權。
+9. 推進 host collection state 或跳過 host evidence dependency。
+10. 把 58% progress、contract count、mirror readiness 或前端可見狀態當成授權。

 ## 5. 驗證

--- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
+++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
@@ -35,7 +35,7 @@
 | Owner response validation | S4.13 已建立；四包 owner response 目前 received/accepted 皆為 0；4 條 missing response lanes、4 步 collection order、next collection candidate、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與 7 條 parallel session recovery outcome lanes 可供 AwoooP 直接顯示；下一個建議收件為 S4.9 Gitea owner attestation；latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`，reviewer audit emitted 仍為 0，不代表 owner response 已收到或任何執行授權 |
 | Low-friction rollout policy | S1.3 已補 7 條 non-blocking escalation lanes；LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 初期只能 observe / warn；`owner_review_required_before_blocking=true`、`runtime_blocking_allowed=false` |
 | IwoooS frontend posture | S2.8 已新增 `/iwooos` read-only Information Security 入口；顯示 Security Posture / Exposure、source-control supply chain、Kali 112 Mesh、approval boundary、non-blocking lanes 與 evidence refs；不新增執行按鈕 |
-| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；S2.13 已補 7 個 owner evidence readiness items；S2.14 已補 3 個 host coverage items：Kali 112、開發主機 168、開發主機 111；S2.15 已補 6 個 host action gate items；S2.16 已補 7 個 host evidence readiness items；仍不新增 action button |
+| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；S2.13 已補 7 個 owner evidence readiness items；S2.14 已補 3 個 host coverage items：Kali 112、開發主機 168、開發主機 111；S2.15 已補 6 個 host action gate items；S2.16 已補 7 個 host evidence readiness items；S2.17 已補 7 個 host evidence collection order steps；仍不新增 action button |
 | Dry-run | `contract_defined_not_executed`；已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`，latest local validation 為 `repo_snapshot_guard_pass`，仍不代表 production ingestion |
 | Runtime actions | `false` |
 | Payload ingestion | `false` |
@@ -100,6 +100,7 @@
 | S2.14 IwoooS host coverage view | framework detail | 0 | 只顯示 Kali 112 與 168 / 111 開發主機已納入 observe-only 資安視野，不代表 active scan、SSH 變更、主機更新、credentialed scan、runtime gate 或 Kali `/execute` 授權 |
 | S2.15 IwoooS host action gate matrix | framework detail | 0 | 只把 active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update 與 runtime blocking control 拆成只讀 gate，不代表任何主機動作或 runtime enforcement 已批准 |
 | S2.16 IwoooS host evidence readiness board | framework detail | 0 | 只顯示主機動作前仍缺 scope、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion evidence；received / accepted 仍為 0，不代表任何主機動作已批准 |
+| S2.17 IwoooS host evidence collection order | framework detail | 0 | 只把七個主機 evidence readiness items 排成只讀收件順序與依賴關係；received / accepted 仍為 0，不代表 active scan、SSH、Kali update、raw evidence ingestion 或 runtime control 已批准 |

 headline 進度要再往上，至少需要下列任一高層 gate 有實質 evidence：

--- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
@@ -4,7 +4,7 @@
 |------|------|
 | 日期 | 2026-05-17 |
 | 狀態 | S0/S1 read-only evidence 建置中 |
-| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board |
+| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order |
 | 原則 | 低摩擦分階段；文件、schema、read-only evidence 優先；不做 runtime enforcement、不切 primary |

 ## 0. 本階段完成後整體進度
@@ -76,6 +76,7 @@ python3 scripts/security/security-mirror-progress-guard.py
 | S2.14 IwoooS host coverage view | 已完成草案，將 Kali 112、開發主機 168、開發主機 111 固定為 3 個只讀 host coverage items；active scan、SSH 變更、主機更新、credentialed scan 與 runtime control 仍未批准 | 0 |
 | S2.15 IwoooS host action gate matrix | 已完成草案，將 active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update、runtime blocking control 固定為 6 個只讀 gate items | 0 |
 | S2.16 IwoooS host evidence readiness board | 已完成草案，將 scope boundary、owner decision、credential handling、maintenance window、rollback plan、validation metrics、redacted ingestion 固定為 7 個只讀 readiness items | 0 |
+| S2.17 IwoooS host evidence collection order | 已完成草案，將七個主機 evidence readiness items 排成只讀收件順序與依賴關係；received / accepted 仍為 0 | 0 |

 headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收，或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。

@@ -111,6 +112,7 @@ headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
 | S2.14 IwoooS Host Coverage View | 完成草案 | `/iwooos` 新增主機覆蓋視圖，明確顯示 Kali 112 與 168 / 111 兩台開發主機已納入 observe-only 資安視野 | 使用者能看到指定主機已納管到資安架構視圖；仍不新增 SSH、scan、update、execute、credentialed scan 或 blocking control |
 | S2.15 IwoooS Host Action Gate Matrix | 完成草案 | `/iwooos` 新增主機動作 gate 矩陣，將 active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update 與 runtime blocking control 拆成只讀 gate | 使用者能看懂主機動作為什麼仍需人工批准；仍不新增任何主機操作或 runtime enforcement |
 | S2.16 IwoooS Host Evidence Readiness | 完成草案 | `/iwooos` 新增主機 evidence readiness board，顯示主機動作前仍缺 scope、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion evidence | 使用者能看懂主機行動前置證據，不會把規劃誤認為已批准；仍不新增任何主機操作 |
+| S2.17 IwoooS Host Evidence Collection Order | 完成草案 | `/iwooos` 新增主機 evidence 收件順序，將 scope、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion 排成只讀依賴 | 使用者能知道下一步先收什麼；仍不把任何 evidence 標成 received / accepted，也不啟動掃描、SSH、更新或 runtime control |
 | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items：7 pending、1 block candidate、0 approved | 不得繞過人工批准；批准後仍需 follow-up runtime gate |
 | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策，不可執行 gate item |
 | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立；目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策，不可把決策當執行 |
--- a/docs/security/iwooos-posture-projection.snapshot.json
+++ b/docs/security/iwooos-posture-projection.snapshot.json
@@ -42,7 +42,8 @@
    "owner_evidence_readiness_item_count": 7,
    "host_coverage_item_count": 3,
    "host_action_gate_item_count": 6,
-    "host_evidence_readiness_item_count": 7
+    "host_evidence_readiness_item_count": 7,
+    "host_evidence_collection_step_count": 7
  },
  "progress": {
    "overall_percent": 58,
@@ -121,7 +122,8 @@
    "display_host_evidence_readiness_board",
    "display_evidence_refs",
    "display_next_gate",
-    "display_forbidden_actions"
+    "display_forbidden_actions",
+    "display_host_evidence_collection_order"
  ],
  "forbidden_frontend_outputs": [
    "add_scan_button",
@@ -146,7 +148,9 @@
    "mark_host_evidence_accepted",
    "ingest_raw_host_evidence",
    "production_deploy",
-    "treat_progress_as_authorization"
+    "treat_progress_as_authorization",
+    "advance_host_collection_state",
+    "skip_host_evidence_dependency"
  ],
  "runtime_execution_authorized": false,
  "action_buttons_allowed": false,
@@ -920,5 +924,110 @@
      "action_buttons_allowed": false,
      "not_authorization": true
    }
+  ],
+  "host_evidence_collection_order": [
+    {
+      "step_id": "collect_scope_boundary_first",
+      "display_order": 1,
+      "source_item_id": "host_scope_boundary_evidence",
+      "depends_on_step_ids": [],
+      "collection_state": "next_collection_candidate",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_owner_decision_second",
+      "display_order": 2,
+      "source_item_id": "host_owner_decision_record_evidence",
+      "depends_on_step_ids": [
+        "collect_scope_boundary_first"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_credential_handling_third",
+      "display_order": 3,
+      "source_item_id": "host_credential_handling_evidence",
+      "depends_on_step_ids": [
+        "collect_owner_decision_second"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_maintenance_window_fourth",
+      "display_order": 4,
+      "source_item_id": "host_maintenance_window_evidence",
+      "depends_on_step_ids": [
+        "collect_owner_decision_second"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_rollback_plan_fifth",
+      "display_order": 5,
+      "source_item_id": "host_rollback_plan_evidence",
+      "depends_on_step_ids": [
+        "collect_maintenance_window_fourth"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_validation_metrics_sixth",
+      "display_order": 6,
+      "source_item_id": "host_validation_metrics_evidence",
+      "depends_on_step_ids": [
+        "collect_rollback_plan_fifth"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "step_id": "collect_redacted_ingestion_seventh",
+      "display_order": 7,
+      "source_item_id": "host_redacted_ingestion_evidence",
+      "depends_on_step_ids": [
+        "collect_validation_metrics_sixth"
+      ],
+      "collection_state": "waiting_previous_step",
+      "display_mode": "collection_order_only",
+      "received_count": 0,
+      "accepted_count": 0,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    }
  ]
 }
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
@@ -708,6 +708,18 @@
      "runtime_delta": false,
      "execution_authorized": false,
      "not_authorization": true
+    },
+    {
+      "delta_id": "s2_17_iwooos_host_evidence_collection_order",
+      "display_order": 46,
+      "completed_stage": "S2.17 IwoooS host evidence collection order",
+      "progress_axis": "framework_detail",
+      "headline_percent_delta": 0,
+      "framework_delta_visible": true,
+      "why_headline_unchanged": "IwoooS host evidence collection order 只把 scope boundary、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion 排成只讀收件順序；received / accepted 仍為 0，沒有 active scan、SSH/host change、Kali update、raw evidence ingestion、runtime execution 或 action button 授權。",
+      "runtime_delta": false,
+      "execution_authorized": false,
+      "not_authorization": true
    }
  ],
  "next_safe_actions": [