feat(web): add IwoooS decision writeups
@@ -1887,6 +1887,49 @@
|
||||
"next": "active runtime gates=0; action buttons=false"
|
||||
}
|
||||
}
|
||||
},
|
||||
"hostOwnerDecisionRecordWriteups": {
|
||||
"title": "Host Owner Decision Record Write-Up Packets",
|
||||
"subtitle": "When a draft review outcome is ready for write-up, IwoooS can still only display formal decision record write-up fields. It does not create records, mark completed / accepted, or open runtime gates.",
|
||||
"packetLabel": "Write-up packet",
|
||||
"fieldLabel": "Required field",
|
||||
"items": {
|
||||
"decisionSummaryWriteup": {
|
||||
"title": "Decision summary write-up",
|
||||
"body": "Only organizes the human owner decision, risk acceptance boundary, and no-execution statement.",
|
||||
"field": "decision summary; write-up completed=0"
|
||||
},
|
||||
"approvedScopeWriteup": {
|
||||
"title": "Approved scope write-up",
|
||||
"body": "Only organizes hosts, networks, services, exclusions, observation intent, and expiry.",
|
||||
"field": "scope / expiry; record created=false"
|
||||
},
|
||||
"scanModeLimitsWriteup": {
|
||||
"title": "Scan mode limits write-up",
|
||||
"body": "Only organizes limits for observe-only, future active scan, or credentialed scan modes. This is not scan approval.",
|
||||
"field": "mode limits; scan authorized=false"
|
||||
},
|
||||
"credentialBoundaryWriteup": {
|
||||
"title": "Credential boundary write-up",
|
||||
"body": "Only organizes credential handling metadata, owner, retention boundary, and forbidden collection content.",
|
||||
"field": "metadata-only boundary; secret collection=false"
|
||||
},
|
||||
"maintenanceRollbackWriteup": {
|
||||
"title": "Maintenance and rollback write-up",
|
||||
"body": "Only organizes maintenance window candidates, constraints, rollback owner, recovery path, and human contact.",
|
||||
"field": "window / rollback; host update=false"
|
||||
},
|
||||
"validationEvidenceWriteup": {
|
||||
"title": "Validation evidence write-up",
|
||||
"body": "Only organizes post-check metrics, baseline, evidence pointer, and human acceptance condition.",
|
||||
"field": "metrics / evidence; accepted=0"
|
||||
},
|
||||
"runtimeGatePointerWriteup": {
|
||||
"title": "Runtime gate pointer write-up",
|
||||
"body": "Only states that future approval still needs a separate follow-up runtime gate and cannot execute from write-up.",
|
||||
"field": "runtime gate pointer; active gates=0"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"tickets": {
|
||||
|
||||
@@ -1888,6 +1888,49 @@
|
||||
"next": "active runtime gates=0;action buttons=false"
|
||||
}
|
||||
}
|
||||
},
|
||||
"hostOwnerDecisionRecordWriteups": {
|
||||
"title": "主機 Owner Decision Record Write-Up Packets",
|
||||
"subtitle": "Draft review outcome 若進入 ready for write-up,IwoooS 也只能顯示正式 decision record 撰寫欄位。不建立 record、不標示 completed / accepted、不開 runtime gate。",
|
||||
"packetLabel": "Write-up packet",
|
||||
"fieldLabel": "必要欄位",
|
||||
"items": {
|
||||
"decisionSummaryWriteup": {
|
||||
"title": "Decision summary write-up",
|
||||
"body": "只整理 owner 要做的人工作業判斷、風險接受邊界與不執行聲明。",
|
||||
"field": "decision summary;write-up completed=0"
|
||||
},
|
||||
"approvedScopeWriteup": {
|
||||
"title": "Approved scope write-up",
|
||||
"body": "只整理主機、網段、服務、排除範圍、觀察目的與到期時間。",
|
||||
"field": "scope / expiry;record created=false"
|
||||
},
|
||||
"scanModeLimitsWriteup": {
|
||||
"title": "Scan mode limits write-up",
|
||||
"body": "只整理 observe-only、future active scan 或 credentialed scan 的限制條件,不代表掃描批准。",
|
||||
"field": "mode limits;scan authorized=false"
|
||||
},
|
||||
"credentialBoundaryWriteup": {
|
||||
"title": "Credential boundary write-up",
|
||||
"body": "只整理 credential handling metadata、owner、保存邊界與不可收集內容。",
|
||||
"field": "metadata-only boundary;secret collection=false"
|
||||
},
|
||||
"maintenanceRollbackWriteup": {
|
||||
"title": "Maintenance and rollback write-up",
|
||||
"body": "只整理維護窗口候選、限制條件、rollback owner、復原路徑與人工聯絡點。",
|
||||
"field": "window / rollback;host update=false"
|
||||
},
|
||||
"validationEvidenceWriteup": {
|
||||
"title": "Validation evidence write-up",
|
||||
"body": "只整理 post-check metrics、baseline、evidence pointer 與人工驗收條件。",
|
||||
"field": "metrics / evidence;accepted=0"
|
||||
},
|
||||
"runtimeGatePointerWriteup": {
|
||||
"title": "Runtime gate pointer write-up",
|
||||
"body": "只標示若未來批准,仍要另開 follow-up runtime gate,不能由 write-up 執行。",
|
||||
"field": "runtime gate pointer;active gates=0"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"tickets": {
|
||||
|
||||
@@ -179,6 +179,13 @@ type HostOwnerDecisionRecordDraftReviewOutcomeLane = {
|
||||
tone: 'steady' | 'warn' | 'locked'
|
||||
}
|
||||
|
||||
type HostOwnerDecisionRecordWriteupPacket = {
|
||||
key: string
|
||||
packet: string
|
||||
icon: typeof ShieldCheck
|
||||
tone: 'steady' | 'warn' | 'locked'
|
||||
}
|
||||
|
||||
const postureMetrics: PostureMetric[] = [
|
||||
{ key: 'overall', value: '58%', tone: 'warn' },
|
||||
{ key: 'framework', value: '80-85%', tone: 'steady' },
|
||||
@@ -420,6 +427,16 @@ const hostOwnerDecisionRecordDraftReviewOutcomeLanes: HostOwnerDecisionRecordDra
|
||||
{ key: 'runtimeGateStillRequired', lane: 'DV7', icon: ShieldCheck, tone: 'locked' },
|
||||
]
|
||||
|
||||
const hostOwnerDecisionRecordWriteupPackets: HostOwnerDecisionRecordWriteupPacket[] = [
|
||||
{ key: 'decisionSummaryWriteup', packet: 'WU1', icon: ClipboardCheck, tone: 'warn' },
|
||||
{ key: 'approvedScopeWriteup', packet: 'WU2', icon: Radar, tone: 'warn' },
|
||||
{ key: 'scanModeLimitsWriteup', packet: 'WU3', icon: Activity, tone: 'locked' },
|
||||
{ key: 'credentialBoundaryWriteup', packet: 'WU4', icon: Lock, tone: 'locked' },
|
||||
{ key: 'maintenanceRollbackWriteup', packet: 'WU5', icon: Clock3, tone: 'warn' },
|
||||
{ key: 'validationEvidenceWriteup', packet: 'WU6', icon: CheckCircle2, tone: 'warn' },
|
||||
{ key: 'runtimeGatePointerWriteup', packet: 'WU7', icon: ShieldCheck, tone: 'locked' },
|
||||
]
|
||||
|
||||
const evidenceItems = [
|
||||
'iwooos-posture-projection.snapshot.json',
|
||||
'security-rollout-policy.snapshot.json',
|
||||
@@ -1090,6 +1107,34 @@ function HostOwnerDecisionRecordDraftReviewOutcomeCard({
|
||||
)
|
||||
}
|
||||
|
||||
function HostOwnerDecisionRecordWriteupCard({ item }: { item: HostOwnerDecisionRecordWriteupPacket }) {
|
||||
const t = useTranslations('iwooos.hostOwnerDecisionRecordWriteups')
|
||||
const Icon = item.icon
|
||||
return (
|
||||
<div style={{ ...band, minHeight: 190, padding: 16 }}>
|
||||
<div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', gap: 12 }}>
|
||||
<div style={{ display: 'flex', alignItems: 'center', gap: 9 }}>
|
||||
<Icon size={18} color={toneColors[item.tone]} />
|
||||
<span style={{ fontSize: 11, color: '#87867f' }}>{t('packetLabel')}</span>
|
||||
</div>
|
||||
<span style={{ fontSize: 11, color: '#9b978b' }}>{item.packet}</span>
|
||||
</div>
|
||||
<h2 style={{ fontSize: 14, margin: '12px 0 6px', color: '#141413' }}>
|
||||
{t(`items.${item.key}.title` as never)}
|
||||
</h2>
|
||||
<p style={{ fontSize: 12, lineHeight: 1.55, color: '#6f6d66', margin: 0 }}>
|
||||
{t(`items.${item.key}.body` as never)}
|
||||
</p>
|
||||
<div style={{ marginTop: 10, display: 'grid', gap: 5 }}>
|
||||
<div style={{ fontSize: 11, color: '#87867f' }}>{t('fieldLabel')}</div>
|
||||
<div style={{ fontSize: 11, color: toneColors[item.tone], lineHeight: 1.45 }}>
|
||||
{t(`items.${item.key}.field` as never)}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
)
|
||||
}
|
||||
|
||||
export default function IwoooSPage({ params }: { params: { locale: string } }) {
|
||||
const t = useTranslations('iwooos')
|
||||
|
||||
@@ -1462,6 +1507,26 @@ export default function IwoooSPage({ params }: { params: { locale: string } }) {
|
||||
</div>
|
||||
</section>
|
||||
|
||||
<section style={{ marginBottom: 14 }}>
|
||||
<div style={{ marginBottom: 14 }}>
|
||||
<h2 style={{ fontSize: 16, margin: 0 }}>{t('hostOwnerDecisionRecordWriteups.title')}</h2>
|
||||
<p style={{ fontSize: 12, color: '#6f6d66', margin: '6px 0 0', lineHeight: 1.55 }}>
|
||||
{t('hostOwnerDecisionRecordWriteups.subtitle')}
|
||||
</p>
|
||||
</div>
|
||||
<div
|
||||
style={{
|
||||
display: 'grid',
|
||||
gridTemplateColumns: 'repeat(auto-fit, minmax(210px, 1fr))',
|
||||
gap: 12,
|
||||
}}
|
||||
>
|
||||
{hostOwnerDecisionRecordWriteupPackets.map(item => (
|
||||
<HostOwnerDecisionRecordWriteupCard key={item.key} item={item} />
|
||||
))}
|
||||
</div>
|
||||
</section>
|
||||
|
||||
<section
|
||||
style={{
|
||||
display: 'grid',
|
||||
|
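Review bot: `HostOwnerDecisionRecordWriteupPacket.key` is declared as a bare `string`, so the three `t(\`items.${item.key}.title\` as never)` / `.body` / `.field` lookups in `HostOwnerDecisionRecordWriteupCard` cast away whatever message-key typing `useTranslations` (presumably next-intl) provides, and a mistyped key in `hostOwnerDecisionRecordWriteupPackets` would only show up at runtime as a missing-message fallback instead of a compile error. Narrowing the key to the seven packet identifiers removes the need for the casts: `key: 'decisionSummaryWriteup' | 'approvedScopeWriteup' | 'scanModeLimitsWriteup' | 'credentialBoundaryWriteup' | 'maintenanceRollbackWriteup' | 'validationEvidenceWriteup' | 'runtimeGatePointerWriteup'`. The sibling lane types are outside this diff, so if they also use `string` plus `as never`, apply the same narrowing there rather than to this one type alone. The card itself renders only translated text with no handler or button, which is consistent with the `action_buttons_allowed=false` contract the snapshot advertises.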
||||
@@ -1,3 +1,17 @@
|
||||
## 2026-05-20 | 資安供應鏈 S2.29:IwoooS Host Owner Decision Record Write-Up Packets
|
||||
|
||||
**背景**:S2.28 已把 decision record draft review 後的只讀 outcome lanes 顯示出來;本輪補上 ready for write-up 後的正式 decision record 撰寫欄位,避免使用者把 write-up candidate 誤讀成正式紀錄已完成、已接受或已批准。
|
||||
|
||||
**完成**:
|
||||
- `/iwooos` 新增「主機 Owner Decision Record Write-Up Packets」,顯示 decision summary、approved scope、scan mode limits、credential boundary、maintenance and rollback、validation evidence、runtime gate pointer 七個正式撰寫欄位。
|
||||
- `iwooos_posture_projection_v1` schema / snapshot 新增 `host_owner_decision_record_writeup_packets` 與 `host_owner_decision_record_writeup_packet_count=7`,每個 packet 固定 `display_mode=owner_decision_record_writeup_only`、`decision_record_writeup_completed_count=0`、`decision_record_created=false`、`owner_decision_received_count=0`、`owner_decision_accepted_count=0`、`owner_approval_record_created=false`、`runtime_gate_opened=false`、`raw_payload_allowed=false`、`secret_value_collection_allowed=false`、`runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
|
||||
- `security-mirror-progress-guard.py` 開始驗證七個 host owner decision record write-up packets、順序、writeup fields,以及 write-up completed / decision record / owner decision / approval record / runtime gate / raw payload / secret value / runtime / action button 仍全部鎖住。
|
||||
- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_29_iwooos_host_owner_decision_record_writeup_packets`,headline progress 仍維持 58%。
|
||||
|
||||
**仍禁止**:
|
||||
- host owner decision record write-up packets 不代表 write-up completed、decision record created、owner decision received / accepted、approved、approval record created、runtime gate opened、raw payload ingestion、secret value collection、active scan、credentialed scan、Kali `/execute`、SSH 登入、主機變更、Kali 更新或 blocking control。
|
||||
- 真正人工 owner decision、正式決策紀錄、批准與後續 runtime gate 仍需脫敏 evidence、人工簽核與獨立 runtime gate。
|
||||
|
||||
## 2026-05-19 | 資安供應鏈 S2.28:IwoooS Host Owner Decision Record Draft Review Outcome Lanes
|
||||
|
||||
**背景**:S2.27 已把 decision record 草稿進入正式人審前的只讀核對項顯示出來;本輪補上核對後的只讀結果分流,避免使用者把 draft review checklist 誤讀成 review 已通過或 decision record 已建立。
|
||||
|
||||
@@ -35,6 +35,7 @@
|
||||
"host_owner_decision_record_draft_packets",
|
||||
"host_owner_decision_record_draft_review_checklist_items",
|
||||
"host_owner_decision_record_draft_review_outcome_lanes",
|
||||
"host_owner_decision_record_writeup_packets",
|
||||
"frontend_surface_coverage_groups",
|
||||
"evidence_refs",
|
||||
"allowed_frontend_outputs",
|
||||
@@ -109,6 +110,7 @@
|
||||
"host_owner_decision_record_draft_packet_count",
|
||||
"host_owner_decision_record_draft_review_checklist_item_count",
|
||||
"host_owner_decision_record_draft_review_outcome_lane_count",
|
||||
"host_owner_decision_record_writeup_packet_count",
|
||||
"action_buttons_allowed"
|
||||
],
|
||||
"properties": {
|
||||
@@ -238,6 +240,10 @@
|
||||
"host_owner_decision_record_draft_review_outcome_lane_count": {
|
||||
"type": "integer",
|
||||
"const": 7
|
||||
},
|
||||
"host_owner_decision_record_writeup_packet_count": {
|
||||
"type": "integer",
|
||||
"const": 7
|
||||
}
|
||||
},
|
||||
"additionalProperties": false
|
||||
@@ -1881,6 +1887,98 @@
|
||||
},
|
||||
"additionalProperties": false
|
||||
}
|
||||
},
|
||||
"host_owner_decision_record_writeup_packets": {
|
||||
"type": "array",
|
||||
"minItems": 7,
|
||||
"items": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"packet_id",
|
||||
"display_order",
|
||||
"source_lane_id",
|
||||
"writeup_field",
|
||||
"required_decision_metadata",
|
||||
"display_mode",
|
||||
"decision_record_writeup_completed_count",
|
||||
"decision_record_created",
|
||||
"owner_decision_received_count",
|
||||
"owner_decision_accepted_count",
|
||||
"owner_approval_record_created",
|
||||
"runtime_gate_opened",
|
||||
"raw_payload_allowed",
|
||||
"secret_value_collection_allowed",
|
||||
"runtime_execution_authorized",
|
||||
"action_buttons_allowed",
|
||||
"not_authorization"
|
||||
],
|
||||
"properties": {
|
||||
"packet_id": {
|
||||
"type": "string"
|
||||
},
|
||||
"display_order": {
|
||||
"type": "integer",
|
||||
"minimum": 1
|
||||
},
|
||||
"source_lane_id": {
|
||||
"type": "string"
|
||||
},
|
||||
"writeup_field": {
|
||||
"type": "string"
|
||||
},
|
||||
"required_decision_metadata": {
|
||||
"type": "string"
|
||||
},
|
||||
"display_mode": {
|
||||
"const": "owner_decision_record_writeup_only"
|
||||
},
|
||||
"decision_record_writeup_completed_count": {
|
||||
"type": "integer",
|
||||
"const": 0
|
||||
},
|
||||
"decision_record_created": {
|
||||
"type": "boolean",
|
||||
"const": false
|
||||
},
|
||||
"owner_decision_received_count": {
|
||||
"type": "integer",
|
||||
"const": 0
|
||||
},
|
||||
"owner_decision_accepted_count": {
|
||||
"type": "integer",
|
||||
"const": 0
|
||||
},
|
||||
"owner_approval_record_created": {
|
||||
"type": "boolean",
|
||||
"const": false
|
||||
},
|
||||
"runtime_gate_opened": {
|
||||
"type": "boolean",
|
||||
"const": false
|
||||
},
|
||||
"raw_payload_allowed": {
|
||||
"type": "boolean",
|
||||
"const": false
|
||||
},
|
||||
"secret_value_collection_allowed": {
|
||||
"type": "boolean",
|
||||
"const": false
|
||||
},
|
||||
"runtime_execution_authorized": {
|
||||
"type": "boolean",
|
||||
"const": false
|
||||
},
|
||||
"action_buttons_allowed": {
|
||||
"type": "boolean",
|
||||
"const": false
|
||||
},
|
||||
"not_authorization": {
|
||||
"type": "boolean",
|
||||
"const": true
|
||||
}
|
||||
},
|
||||
"additionalProperties": false
|
||||
}
|
||||
}
|
||||
},
|
||||
"additionalProperties": false
|
||||
|
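Review bot: `host_owner_decision_record_writeup_packets` is bounded only from below (`"minItems": 7`) while the sibling `host_owner_decision_record_writeup_packet_count` is pinned with `"const": 7`, so a snapshot carrying an eighth packet still validates against this schema and is only rejected if `security-mirror-progress-guard.py` checks the array length itself, which the changelog asserts but this diff does not show. Pin the array in the schema as well, next to the `additionalProperties: false` and per-field `const` locks that already live here: `"minItems": 7, "maxItems": 7, "uniqueItems": true`. `display_order` likewise has `"minimum": 1` but no upper bound, so adding `"maximum": 7` keeps every order value the guard verifies representable only once per packet.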
||||
@@ -56,6 +56,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence:
|
||||
24. 7 個 host owner decision record draft packets,顯示 formal decision record 候選需要的草稿欄位。
|
||||
25. 7 個 host owner decision record draft review checklist items,顯示草稿欄位進入正式決策紀錄前仍需只讀核對的條件。
|
||||
26. 7 個 host owner decision record draft review outcome lanes,顯示草稿核對後的只讀結果分流。
|
||||
27. 7 個 host owner decision record write-up packets,顯示正式 decision record 撰寫欄位,但不建立 record、不標記 completed / accepted、不開 runtime gate。
|
||||
|
||||
## 3.1 既有前端資安頁面整合
|
||||
|
||||
@@ -385,6 +386,24 @@ S2.28 將 decision record draft review checklist 後可能出現的結果拆成
|
||||
|
||||
這個 outcome board 不代表 draft review 已通過、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把草稿核對後的下一步說清楚。
|
||||
|
||||
## 3.20 Host Owner Decision Record Write-Up Packets
|
||||
|
||||
S2.29 將 ready for decision record write-up 後需要整理的正式撰寫欄位拆成七個只讀 packets。這一層只回答「若未來要寫正式 decision record,需要哪些欄位」,不標記 write-up completed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。
|
||||
|
||||
| 順序 | Write-up packet | 來源 lane | 必要欄位 |
|
||||
|------|-----------------|-----------|----------|
|
||||
| 1 | Decision summary write-up | ready for decision record write-up | human decision summary、risk acceptance boundary、no-execution statement |
|
||||
| 2 | Approved scope write-up | ready for decision record write-up | host / network / service / exclusion / observation intent / expiry |
|
||||
| 3 | Scan mode limits write-up | scan mode ambiguous | observe-only、future active scan、credentialed scan limits |
|
||||
| 4 | Credential boundary write-up | credential boundary incomplete | metadata-only credential owner、retention boundary、forbidden collection |
|
||||
| 5 | Maintenance and rollback write-up | maintenance constraints incomplete | maintenance window、constraints、rollback owner、recovery path、human contact |
|
||||
| 6 | Validation evidence write-up | runtime gate required | post-check metrics、baseline、evidence pointer、human acceptance condition |
|
||||
| 7 | Runtime gate pointer write-up | runtime gate required | separate follow-up runtime gate pointer;active gate=0 |
|
||||
|
||||
每個 packet 都固定 `display_mode=owner_decision_record_writeup_only`、`decision_record_writeup_completed_count=0`、`decision_record_created=false`、`owner_decision_received_count=0`、`owner_decision_accepted_count=0`、`owner_approval_record_created=false`、`runtime_gate_opened=false`、`raw_payload_allowed=false`、`secret_value_collection_allowed=false`、`runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
|
||||
|
||||
這個 write-up board 不代表 formal decision record 已完成、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把正式撰寫欄位先說清楚,並保留後續人工批准與 runtime gate 的分離。
|
||||
|
||||
## 4. 仍禁止
|
||||
|
||||
IwoooS 不得提供下列輸出:
|
||||
@@ -410,7 +429,8 @@ IwoooS 不得提供下列輸出:
|
||||
19. 從 owner decision record draft 建立 host owner decision record、標記 record created,或從 draft 開 runtime gate。
|
||||
20. 把 owner decision record draft review 當成 approval、標記 draft review passed、從 draft review 建立 decision record,或從 draft review 開 runtime gate。
|
||||
21. 把 owner decision record draft review outcome 當成 approval、標記 draft review outcome passed、從 draft review outcome 建立 decision record,或從 draft review outcome 開 runtime gate。
|
||||
22. 把 58% progress、contract count、mirror readiness 或前端可見狀態當成授權。
|
||||
22. 從 owner decision record write-up 建立 decision record、標記 write-up completed、標記 decision record accepted,或從 write-up 開 runtime gate。
|
||||
23. 把 58% progress、contract count、mirror readiness 或前端可見狀態當成授權。
|
||||
|
||||
## 5. 驗證
|
||||
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
| Owner response validation | S4.13 已建立;四包 owner response 目前 received/accepted 皆為 0;4 條 missing response lanes、4 步 collection order、next collection candidate、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與 7 條 parallel session recovery outcome lanes 可供 AwoooP 直接顯示;下一個建議收件為 S4.9 Gitea owner attestation;latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`,reviewer audit emitted 仍為 0,不代表 owner response 已收到或任何執行授權 |
|
||||
| Low-friction rollout policy | S1.3 已補 7 條 non-blocking escalation lanes;LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 初期只能 observe / warn;`owner_review_required_before_blocking=true`、`runtime_blocking_allowed=false` |
|
||||
| IwoooS frontend posture | S2.8 已新增 `/iwooos` read-only Information Security 入口;顯示 Security Posture / Exposure、source-control supply chain、Kali 112 Mesh、approval boundary、non-blocking lanes 與 evidence refs;不新增執行按鈕 |
|
||||
| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`;S2.10 已把 10 個既有前端資安相關頁面納入 projection;S2.11 已補 4 個 coverage groups 與 5 個 conflict controls;S2.12 已補 6 個只讀 operator journey steps;S2.13 已補 7 個 owner evidence readiness items;S2.14 已補 3 個 host coverage items:Kali 112、開發主機 168、開發主機 111;S2.15 已補 6 個 host action gate items;S2.16 已補 7 個 host evidence readiness items;S2.17 已補 7 個 host evidence collection order steps;S2.18 已補 7 個 host evidence intake preflight checks;S2.19 已補 7 個 host evidence review outcome lanes;S2.20 已補 7 個 host evidence review handoff packets;S2.21 已補 7 個 host evidence reviewer checklist items;S2.22 已補 7 個 host evidence reviewer outcome lanes;S2.23 已補 7 個 host owner decision candidate packets;S2.24 已補 7 個 host owner decision review checklist items;S2.25 已補 7 個 host owner decision review outcome lanes;S2.26 已補 7 個 host owner decision record draft packets;S2.27 已補 7 個 host owner decision record draft review checklist items;S2.28 已補 7 個 host owner decision record draft review outcome lanes;仍不新增 action button |
|
||||
| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`;S2.10 已把 10 個既有前端資安相關頁面納入 projection;S2.11 已補 4 個 coverage groups 與 5 個 conflict controls;S2.12 已補 6 個只讀 operator journey steps;S2.13 已補 7 個 owner evidence readiness items;S2.14 已補 3 個 host coverage items:Kali 112、開發主機 168、開發主機 111;S2.15 已補 6 個 host action gate items;S2.16 已補 7 個 host evidence readiness items;S2.17 已補 7 個 host evidence collection order steps;S2.18 已補 7 個 host evidence intake preflight checks;S2.19 已補 7 個 host evidence review outcome lanes;S2.20 已補 7 個 host evidence review handoff packets;S2.21 已補 7 個 host evidence reviewer checklist items;S2.22 已補 7 個 host evidence reviewer outcome lanes;S2.23 已補 7 個 host owner decision candidate packets;S2.24 已補 7 個 host owner decision review checklist items;S2.25 已補 7 個 host owner decision review outcome lanes;S2.26 已補 7 個 host owner decision record draft packets;S2.27 已補 7 個 host owner decision record draft review checklist items;S2.28 已補 7 個 host owner decision record draft review outcome lanes;S2.29 已補 7 個 host owner decision record write-up packets;仍不新增 action button |
|
||||
| Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion |
|
||||
| Runtime actions | `false` |
|
||||
| Payload ingestion | `false` |
|
||||
@@ -112,6 +112,7 @@
|
||||
| S2.26 IwoooS host owner decision record draft packets | framework detail | 0 | 只顯示 formal decision record 需要的七個草稿欄位;decision record created、accepted count、approval record、runtime gate、raw payload、secret value、runtime execution 與 action button 仍全部鎖住 |
|
||||
| S2.27 IwoooS host owner decision record draft review checklist | framework detail | 0 | 只顯示 decision record 草稿進人審前的七個核對項;review passed、decision record created、accepted count、approval record、runtime gate、raw payload、secret value、runtime execution 與 action button 仍全部鎖住 |
|
||||
| S2.28 IwoooS host owner decision record draft review outcome lanes | framework detail | 0 | 只顯示 decision record 草稿核對後的七個只讀結果分流;review passed、decision record created、accepted count、approval record、runtime gate、raw payload、secret value、runtime execution 與 action button 仍全部鎖住 |
|
||||
| S2.29 IwoooS host owner decision record write-up packets | framework detail | 0 | 只顯示 formal decision record 需要的七個撰寫欄位;write-up completed、decision record created、accepted count、approval record、runtime gate、raw payload、secret value、runtime execution 與 action button 仍全部鎖住 |
|
||||
|
||||
headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence:
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
|------|------|
|
||||
| 日期 | 2026-05-17 |
|
||||
| 狀態 | S0/S1 read-only evidence 建置中 |
|
||||
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes |
|
||||
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets |
|
||||
| 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
|
||||
|
||||
## 0. 本階段完成後整體進度
|
||||
@@ -88,6 +88,7 @@ python3 scripts/security/security-mirror-progress-guard.py
|
||||
| S2.26 IwoooS host owner decision record draft packets | 已完成草案,將 scope statement、scan mode、credential boundary、maintenance constraints、rollback owner、validation metrics 與 runtime gate pointer 顯示成七個只讀 decision record 草稿包 | 0 |
|
||||
| S2.27 IwoooS host owner decision record draft review checklist | 已完成草案,將 scope statement complete、scan mode still not approval、credential boundary metadata only、maintenance constraints readable、rollback owner readable、validation metrics linked 與 runtime gate still closed 顯示成七個只讀草稿核對項 | 0 |
|
||||
| S2.28 IwoooS host owner decision record draft review outcome lanes | 已完成草案,將 ready for write-up、scope draft incomplete、scan mode ambiguous、credential boundary incomplete、maintenance constraints incomplete、rollback owner incomplete 與 runtime gate still required 顯示成七個只讀草稿核對結果分流 | 0 |
|
||||
| S2.29 IwoooS host owner decision record write-up packets | 已完成草案,將 decision summary、approved scope、scan mode limits、credential boundary、maintenance / rollback、validation evidence 與 runtime gate pointer 顯示成七個只讀正式撰寫欄位 | 0 |
|
||||
|
||||
headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。
|
||||
|
||||
@@ -135,6 +136,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
|
||||
| S2.26 IwoooS Host Owner Decision Record Draft Packets | 完成草案 | `/iwooos` 新增主機 owner decision record draft packets,顯示 scope statement、scan mode、credential boundary、maintenance constraints、rollback owner、validation metrics、runtime gate pointer 七個草稿欄位 | 使用者能理解 formal decision record 草稿需要哪些 metadata;仍不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate、不執行主機動作 |
|
||||
| S2.27 IwoooS Host Owner Decision Record Draft Review Checklist | 完成草案 | `/iwooos` 新增主機 owner decision record draft review checklist,顯示 scope statement complete、scan mode still not approval、credential boundary metadata only、maintenance constraints readable、rollback owner readable、validation metrics linked、runtime gate still closed 七個核對項 | 使用者能理解 formal decision record 草稿進人審前仍需核對哪些條件;仍不標記 review passed、不建立 decision record、不標記 accepted、不開 runtime gate、不執行主機動作 |
|
||||
| S2.28 IwoooS Host Owner Decision Record Draft Review Outcome Lanes | 完成草案 | `/iwooos` 新增主機 owner decision record draft review outcome lanes,顯示 ready for decision record write-up、scope draft incomplete、scan mode ambiguous、credential boundary incomplete、maintenance constraints incomplete、rollback owner incomplete、runtime gate still required 七個分流 | 使用者能理解 draft review 後下一步;仍不標記 review passed、不建立 decision record、不標記 accepted、不開 runtime gate、不執行主機動作 |
|
||||
| S2.29 IwoooS Host Owner Decision Record Write-Up Packets | 完成草案 | `/iwooos` 新增主機 owner decision record write-up packets,顯示 decision summary、approved scope、scan mode limits、credential boundary、maintenance / rollback、validation evidence、runtime gate pointer 七個正式撰寫欄位 | 使用者能理解 ready for write-up 仍只是欄位整理;仍不標記 write-up completed、不建立 decision record、不標記 accepted、不開 runtime gate、不執行主機動作 |
|
||||
| S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate |
|
||||
| S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item |
|
||||
| S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 |
|
||||
|
||||
@@ -54,7 +54,8 @@
|
||||
"host_owner_decision_review_outcome_lane_count": 7,
|
||||
"host_owner_decision_record_draft_packet_count": 7,
|
||||
"host_owner_decision_record_draft_review_checklist_item_count": 7,
|
||||
"host_owner_decision_record_draft_review_outcome_lane_count": 7
|
||||
"host_owner_decision_record_draft_review_outcome_lane_count": 7,
|
||||
"host_owner_decision_record_writeup_packet_count": 7
|
||||
},
|
||||
"progress": {
|
||||
"overall_percent": 58,
|
||||
@@ -145,7 +146,8 @@
|
||||
"display_host_owner_decision_review_outcome_lanes",
|
||||
"display_host_owner_decision_record_draft_packets",
|
||||
"display_host_owner_decision_record_draft_review_checklist",
|
||||
"display_host_owner_decision_record_draft_review_outcome_lanes"
|
||||
"display_host_owner_decision_record_draft_review_outcome_lanes",
|
||||
"display_host_owner_decision_record_writeup_packets"
|
||||
],
|
||||
"forbidden_frontend_outputs": [
|
||||
"add_scan_button",
|
||||
@@ -208,7 +210,11 @@
|
||||
"treat_host_owner_decision_record_draft_review_outcome_as_approval",
|
||||
"mark_host_owner_decision_record_draft_review_outcome_passed",
|
||||
"create_host_owner_decision_record_from_draft_review_outcome",
|
||||
"open_runtime_gate_from_owner_decision_record_draft_review_outcome"
|
||||
"open_runtime_gate_from_owner_decision_record_draft_review_outcome",
|
||||
"create_host_owner_decision_record_from_writeup",
|
||||
"mark_host_owner_decision_record_writeup_completed",
|
||||
"mark_host_owner_decision_record_accepted_from_writeup",
|
||||
"open_runtime_gate_from_owner_decision_record_writeup"
|
||||
],
|
||||
"runtime_execution_authorized": false,
|
||||
"action_buttons_allowed": false,
|
||||
@@ -2580,5 +2586,140 @@
|
||||
"action_buttons_allowed": false,
|
||||
"not_authorization": true
|
||||
}
|
||||
],
|
||||
"host_owner_decision_record_writeup_packets": [
|
||||
{
|
||||
"packet_id": "host_decision_record_summary_writeup_packet",
|
||||
"display_order": 1,
|
||||
"source_lane_id": "host_decision_record_ready_for_writeup_outcome_lane",
|
||||
"writeup_field": "decision_summary",
|
||||
"required_decision_metadata": "human_decision_summary_risk_acceptance_boundary_and_no_execution_statement",
|
||||
"display_mode": "owner_decision_record_writeup_only",
|
||||
"decision_record_writeup_completed_count": 0,
|
||||
"decision_record_created": false,
|
||||
"owner_decision_received_count": 0,
|
||||
"owner_decision_accepted_count": 0,
|
||||
"owner_approval_record_created": false,
|
||||
"runtime_gate_opened": false,
|
||||
"raw_payload_allowed": false,
|
||||
"secret_value_collection_allowed": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"action_buttons_allowed": false,
|
||||
"not_authorization": true
|
||||
},
|
||||
{
|
||||
"packet_id": "host_decision_record_scope_writeup_packet",
|
||||
"display_order": 2,
|
||||
"source_lane_id": "host_decision_record_ready_for_writeup_outcome_lane",
|
||||
"writeup_field": "approved_scope_statement",
|
||||
"required_decision_metadata": "host_network_service_exclusion_observation_intent_and_expiry",
|
||||
"display_mode": "owner_decision_record_writeup_only",
|
||||
"decision_record_writeup_completed_count": 0,
|
||||
"decision_record_created": false,
|
||||
"owner_decision_received_count": 0,
|
||||
"owner_decision_accepted_count": 0,
|
||||
"owner_approval_record_created": false,
|
||||
"runtime_gate_opened": false,
|
||||
"raw_payload_allowed": false,
|
||||
"secret_value_collection_allowed": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"action_buttons_allowed": false,
|
||||
"not_authorization": true
|
||||
},
|
||||
{
|
||||
"packet_id": "host_decision_record_scan_mode_limits_writeup_packet",
|
||||
"display_order": 3,
|
||||
"source_lane_id": "host_decision_record_scan_mode_ambiguous_outcome_lane",
|
||||
"writeup_field": "scan_mode_limits_statement",
|
||||
"required_decision_metadata": "observe_only_future_active_or_credentialed_scan_limits",
|
||||
"display_mode": "owner_decision_record_writeup_only",
|
||||
"decision_record_writeup_completed_count": 0,
|
||||
"decision_record_created": false,
|
||||
"owner_decision_received_count": 0,
|
||||
"owner_decision_accepted_count": 0,
|
||||
"owner_approval_record_created": false,
|
||||
"runtime_gate_opened": false,
|
||||
"raw_payload_allowed": false,
|
||||
"secret_value_collection_allowed": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"action_buttons_allowed": false,
|
||||
"not_authorization": true
|
||||
},
|
||||
{
|
||||
"packet_id": "host_decision_record_credential_boundary_writeup_packet",
|
||||
"display_order": 4,
|
||||
"source_lane_id": "host_decision_record_credential_boundary_incomplete_outcome_lane",
|
||||
"writeup_field": "credential_boundary_statement",
|
||||
"required_decision_metadata": "metadata_only_credential_owner_retention_boundary_and_forbidden_collection",
|
||||
"display_mode": "owner_decision_record_writeup_only",
|
||||
"decision_record_writeup_completed_count": 0,
|
||||
"decision_record_created": false,
|
||||
"owner_decision_received_count": 0,
|
||||
"owner_decision_accepted_count": 0,
|
||||
"owner_approval_record_created": false,
|
||||
"runtime_gate_opened": false,
|
||||
"raw_payload_allowed": false,
|
||||
"secret_value_collection_allowed": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"action_buttons_allowed": false,
|
||||
"not_authorization": true
|
||||
},
|
||||
{
|
||||
"packet_id": "host_decision_record_maintenance_rollback_writeup_packet",
|
||||
"display_order": 5,
|
||||
"source_lane_id": "host_decision_record_maintenance_constraints_incomplete_outcome_lane",
|
||||
"writeup_field": "maintenance_and_rollback_statement",
|
||||
"required_decision_metadata": "maintenance_window_constraints_rollback_owner_recovery_path_and_human_contact",
|
||||
"display_mode": "owner_decision_record_writeup_only",
|
||||
"decision_record_writeup_completed_count": 0,
|
||||
"decision_record_created": false,
|
||||
"owner_decision_received_count": 0,
|
||||
"owner_decision_accepted_count": 0,
|
||||
"owner_approval_record_created": false,
|
||||
"runtime_gate_opened": false,
|
||||
"raw_payload_allowed": false,
|
||||
"secret_value_collection_allowed": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"action_buttons_allowed": false,
|
||||
"not_authorization": true
|
||||
},
|
||||
{
|
||||
"packet_id": "host_decision_record_validation_evidence_writeup_packet",
|
||||
"display_order": 6,
|
||||
"source_lane_id": "host_decision_record_runtime_gate_required_outcome_lane",
|
||||
"writeup_field": "validation_evidence_statement",
|
||||
"required_decision_metadata": "post_check_metrics_baseline_evidence_pointer_and_human_acceptance_condition",
|
||||
"display_mode": "owner_decision_record_writeup_only",
|
||||
"decision_record_writeup_completed_count": 0,
|
||||
"decision_record_created": false,
|
||||
"owner_decision_received_count": 0,
|
||||
"owner_decision_accepted_count": 0,
|
||||
"owner_approval_record_created": false,
|
||||
"runtime_gate_opened": false,
|
||||
"raw_payload_allowed": false,
|
||||
"secret_value_collection_allowed": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"action_buttons_allowed": false,
|
||||
"not_authorization": true
|
||||
},
|
||||
{
|
||||
"packet_id": "host_decision_record_runtime_gate_pointer_writeup_packet",
|
||||
"display_order": 7,
|
||||
"source_lane_id": "host_decision_record_runtime_gate_required_outcome_lane",
|
||||
"writeup_field": "runtime_gate_pointer_statement",
|
||||
"required_decision_metadata": "separate_followup_runtime_gate_pointer_with_active_gate_zero",
|
||||
"display_mode": "owner_decision_record_writeup_only",
|
||||
"decision_record_writeup_completed_count": 0,
|
||||
"decision_record_created": false,
|
||||
"owner_decision_received_count": 0,
|
||||
"owner_decision_accepted_count": 0,
|
||||
"owner_approval_record_created": false,
|
||||
"runtime_gate_opened": false,
|
||||
"raw_payload_allowed": false,
|
||||
"secret_value_collection_allowed": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"action_buttons_allowed": false,
|
||||
"not_authorization": true
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
@@ -840,6 +840,16 @@
|
||||
"runtime_delta": false,
|
||||
"execution_authorized": false,
|
||||
"not_authorization": true
|
||||
},
|
||||
{
|
||||
"delta_id": "s2_29_iwooos_host_owner_decision_record_writeup_packets",
|
||||
"display_order": 58,
|
||||
"progress_axis": "framework_detail",
|
||||
"headline_percent_delta": 0,
|
||||
"framework_delta_visible": true,
|
||||
"runtime_delta": false,
|
||||
"execution_authorized": false,
|
||||
"not_authorization": true
|
||||
}
|
||||
],
|
||||
"next_safe_actions": [
|
||||
@@ -1217,7 +1227,8 @@
|
||||
"S4.11 已新增 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、response_template_count=5、received_response_count=0、accepted_response_count=0、audit_events_emitted=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 refs sync、delete、force push 或 GitHub primary approval。",
|
||||
"S4.12 只新增 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、audit_events_emitted=0、response_template_count=5、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 secret value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。",
|
||||
"S4.13 只新增 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes、parallel session recovery checks 與 parallel session recovery outcome lanes;response_packet_count=4、template_count=22、received_response_count=0、accepted_response_count=0、cross_packet_check_count=10、owner_response_evidence_routing_rule_count=6、owner_response_validation_display_section_count=8、owner_response_validation_state_transition_rule_count=7、owner_response_validation_reviewer_checklist_count=9、owner_response_validation_reviewer_outcome_lane_count=7、owner_response_validation_reviewer_audit_event_template_count=4、owner_response_validation_reviewer_audit_display_section_count=5、owner_response_validation_reviewer_audit_collection_check_count=6、owner_response_validation_reviewer_audit_redaction_example_count=5、owner_response_validation_reviewer_audit_retention_rule_count=5、owner_response_validation_reviewer_audit_retention_check_count=6、owner_response_validation_reviewer_audit_handoff_packet_count=6、owner_response_validation_reviewer_audit_handoff_check_count=6、owner_response_validation_parallel_session_sync_check_count=6、owner_response_validation_parallel_session_conflict_lane_count=6、owner_response_validation_parallel_session_recovery_check_count=6、owner_response_validation_parallel_session_recovery_outcome_lane_count=7、reviewer_audit_events_emitted=0、next_collection_candidate=S4.9,不把 rollup、routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction 
examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes、parallel session recovery checks 或 parallel session recovery outcome lanes 當 approval、runtime gate、production ingestion 或 execution authorization。",
|
||||
"S1.3 只新增 7 條 low-friction non-blocking escalation lanes;non_blocking_escalation_lane_count=7、owner_review_required_before_blocking=true、runtime_blocking_allowed=false,不把 LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 或 headline holding 直接變 blocking gate、runtime enforcement 或 action button。"
|
||||
"S1.3 只新增 7 條 low-friction non-blocking escalation lanes;non_blocking_escalation_lane_count=7、owner_review_required_before_blocking=true、runtime_blocking_allowed=false,不把 LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 或 headline holding 直接變 blocking gate、runtime enforcement 或 action button。",
|
||||
"S2.29 只新增 IwoooS host owner decision record write-up packets;host_owner_decision_record_writeup_packet_count=7、decision_record_writeup_completed_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false,不把 write-up packet 當正式決策紀錄、完成、接受、批准或 runtime gate。"
|
||||
],
|
||||
"forbidden_actions": [
|
||||
"start_kali_scan",
|
||||
|
||||
@@ -180,6 +180,7 @@ def validate(root: Path) -> None:
|
||||
"s2_26_iwooos_host_owner_decision_record_draft_packets",
|
||||
"s2_27_iwooos_host_owner_decision_record_draft_review_checklist",
|
||||
"s2_28_iwooos_host_owner_decision_record_draft_review_outcome_lanes",
|
||||
"s2_29_iwooos_host_owner_decision_record_writeup_packets",
|
||||
]
|
||||
assert_equal(
|
||||
"progress_delta_ledger.delta_ids",
|
||||
@@ -478,6 +479,15 @@ def validate(root: Path) -> None:
|
||||
"host_decision_record_rollback_owner_incomplete_outcome_lane",
|
||||
"host_decision_record_runtime_gate_required_outcome_lane",
|
||||
]
|
||||
expected_iwooos_host_owner_decision_record_writeup_packet_ids = [
|
||||
"host_decision_record_summary_writeup_packet",
|
||||
"host_decision_record_scope_writeup_packet",
|
||||
"host_decision_record_scan_mode_limits_writeup_packet",
|
||||
"host_decision_record_credential_boundary_writeup_packet",
|
||||
"host_decision_record_maintenance_rollback_writeup_packet",
|
||||
"host_decision_record_validation_evidence_writeup_packet",
|
||||
"host_decision_record_runtime_gate_pointer_writeup_packet",
|
||||
]
|
||||
assert_equal(
|
||||
"iwooos_projection.summary.frontend_surface_coverage_group_count",
|
||||
iwooos_projection["summary"]["frontend_surface_coverage_group_count"],
|
||||
@@ -573,6 +583,11 @@ def validate(root: Path) -> None:
|
||||
iwooos_projection["summary"]["host_owner_decision_record_draft_review_outcome_lane_count"],
|
||||
len(expected_iwooos_host_owner_decision_record_draft_review_outcome_lane_ids),
|
||||
)
|
||||
assert_equal(
|
||||
"iwooos_projection.summary.host_owner_decision_record_writeup_packet_count",
|
||||
iwooos_projection["summary"]["host_owner_decision_record_writeup_packet_count"],
|
||||
len(expected_iwooos_host_owner_decision_record_writeup_packet_ids),
|
||||
)
|
||||
iwooos_progress = iwooos_projection["progress"]
|
||||
assert_equal("iwooos_projection.progress.overall_percent", iwooos_progress["overall_percent"], progress["overall_percent"])
|
||||
assert_equal(
|
||||
@@ -1752,6 +1767,86 @@ def validate(root: Path) -> None:
|
||||
f"iwooos_projection.host_owner_decision_record_draft_review_outcome_lanes.{item['lane_id']}.not_authorization",
|
||||
item["not_authorization"],
|
||||
)
|
||||
iwooos_host_owner_decision_record_writeup_packets = iwooos_projection[
|
||||
"host_owner_decision_record_writeup_packets"
|
||||
]
|
||||
assert_equal(
|
||||
"iwooos_projection.host_owner_decision_record_writeup_packets.ids",
|
||||
[item["packet_id"] for item in iwooos_host_owner_decision_record_writeup_packets],
|
||||
expected_iwooos_host_owner_decision_record_writeup_packet_ids,
|
||||
)
|
||||
assert_equal(
|
||||
"iwooos_projection.host_owner_decision_record_writeup_packets.display_order",
|
||||
[item["display_order"] for item in iwooos_host_owner_decision_record_writeup_packets],
|
||||
list(range(1, len(expected_iwooos_host_owner_decision_record_writeup_packet_ids) + 1)),
|
||||
)
|
||||
expected_iwooos_host_owner_decision_record_writeup_fields = [
|
||||
"decision_summary",
|
||||
"approved_scope_statement",
|
||||
"scan_mode_limits_statement",
|
||||
"credential_boundary_statement",
|
||||
"maintenance_and_rollback_statement",
|
||||
"validation_evidence_statement",
|
||||
"runtime_gate_pointer_statement",
|
||||
]
|
||||
assert_equal(
|
||||
"iwooos_projection.host_owner_decision_record_writeup_packets.writeup_fields",
|
||||
[item["writeup_field"] for item in iwooos_host_owner_decision_record_writeup_packets],
|
||||
expected_iwooos_host_owner_decision_record_writeup_fields,
|
||||
)
|
||||
for item in iwooos_host_owner_decision_record_writeup_packets:
|
||||
assert_equal(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.display_mode",
|
||||
item["display_mode"],
|
||||
"owner_decision_record_writeup_only",
|
||||
)
|
||||
assert_equal(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.decision_record_writeup_completed_count",
|
||||
item["decision_record_writeup_completed_count"],
|
||||
0,
|
||||
)
|
||||
assert_false(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.decision_record_created",
|
||||
item["decision_record_created"],
|
||||
)
|
||||
assert_equal(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.owner_decision_received_count",
|
||||
item["owner_decision_received_count"],
|
||||
0,
|
||||
)
|
||||
assert_equal(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.owner_decision_accepted_count",
|
||||
item["owner_decision_accepted_count"],
|
||||
0,
|
||||
)
|
||||
assert_false(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.owner_approval_record_created",
|
||||
item["owner_approval_record_created"],
|
||||
)
|
||||
assert_false(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.runtime_gate_opened",
|
||||
item["runtime_gate_opened"],
|
||||
)
|
||||
assert_false(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.raw_payload_allowed",
|
||||
item["raw_payload_allowed"],
|
||||
)
|
||||
assert_false(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.secret_value_collection_allowed",
|
||||
item["secret_value_collection_allowed"],
|
||||
)
|
||||
assert_false(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.runtime_execution_authorized",
|
||||
item["runtime_execution_authorized"],
|
||||
)
|
||||
assert_false(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.action_buttons_allowed",
|
||||
item["action_buttons_allowed"],
|
||||
)
|
||||
assert_true(
|
||||
f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.not_authorization",
|
||||
item["not_authorization"],
|
||||
)
|
||||
assert_equal(
|
||||
"iwooos_projection.non_blocking_lane_ids",
|
||||
iwooos_projection["non_blocking_lane_ids"],
|
||||
@@ -1789,6 +1884,7 @@ def validate(root: Path) -> None:
|
||||
"display_host_owner_decision_record_draft_packets",
|
||||
"display_host_owner_decision_record_draft_review_checklist",
|
||||
"display_host_owner_decision_record_draft_review_outcome_lanes",
|
||||
"display_host_owner_decision_record_writeup_packets",
|
||||
"display_evidence_refs",
|
||||
"display_forbidden_actions",
|
||||
]:
|
||||
@@ -1850,6 +1946,10 @@ def validate(root: Path) -> None:
|
||||
"mark_host_owner_decision_record_draft_review_outcome_passed",
|
||||
"create_host_owner_decision_record_from_draft_review_outcome",
|
||||
"open_runtime_gate_from_owner_decision_record_draft_review_outcome",
|
||||
"create_host_owner_decision_record_from_writeup",
|
||||
"mark_host_owner_decision_record_writeup_completed",
|
||||
"mark_host_owner_decision_record_accepted_from_writeup",
|
||||
"open_runtime_gate_from_owner_decision_record_writeup",
|
||||
"apply_runtime_blocking_control",
|
||||
"switch_github_primary",
|
||||
"production_deploy",
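Review bot: In the `@@ -1752,6 +1767,86 @@` hunk the per-packet loop never checks `source_lane_id`, so a write-up packet that points at a lane id that does not exist (a typo in `host_decision_record_ready_for_writeup_outcome_lane`, say) passes validation even though the packet ids, display order and write-up fields in the same hunk are all pinned against expected lists. The projection's packets all cite draft-review outcome lanes and `expected_iwooos_host_owner_decision_record_draft_review_outcome_lane_ids` is already in scope, so a membership assertion is cheap; the head of that list is outside the `@@ -478,6 +479,15 @@` hunk, so confirm the `ready_for_writeup`, `scan_mode_ambiguous`, `credential_boundary_incomplete` and `maintenance_constraints_incomplete` lanes are in it before relying on the check. `required_decision_metadata` is likewise unchecked; asserting it is a non-empty string keeps a packet from silently dropping its stated boundary. `validate` starts and ends outside this hunk.
```python
    # … unchanged: ids / display_order / writeup_fields checks …
    for item in iwooos_host_owner_decision_record_writeup_packets:
        assert_true(
            f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.source_lane_id",
            item["source_lane_id"] in expected_iwooos_host_owner_decision_record_draft_review_outcome_lane_ids,
        )
        assert_true(
            f"iwooos_projection.host_owner_decision_record_writeup_packets.{item['packet_id']}.required_decision_metadata",
            isinstance(item["required_decision_metadata"], str) and bool(item["required_decision_metadata"]),
        )
        # … unchanged: display_mode / count / flag assertions …
```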
|
||||
|
||||