wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity

docs(security): add mirror status rollup contract [skip ci]

Browse Source
This commit is contained in:
Your Name
2026-05-13 12:28:41 +08:00
parent e36c1c562b
commit 6b0e5fdb59
21 changed files with 569 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
docs/LOGBOOK.md
View File

@@ -1,3 +1,25 @@
## 2026-05-13 | 資安供應鏈 S2.7AwoooP 鏡像狀態彙整契約
**背景**S2.6 已建立 `security_mirror_dry_run_v1`,讓 AwoooP 未來可回報 mirror-only 接入演練。本輪補上 `security_mirror_status_rollup_v1`,讓 AwoooP 主線與 Security Supply Chain Session 用同一份狀態摘要同步目前階段、下一個 gate 與禁止事項,避免把 dry-run、approval queue 或 readiness 誤讀成執行授權。
**本次交付**
- 新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json`
- 新增 `docs/security/security-mirror-status-rollup.snapshot.json`,彙整 S0-S4 階段狀態、approval queue summary 與下一個安全 gate。
- 新增 `docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`,以繁體中文說明 AwoooP 可做 / 不可做與下一個安全 gate。
- 更新資安供應鏈 manifestcontract 數量從 26 增至 27。
- 更新鏡像 readiness、接收計畫、事件範例、路由矩陣、驗收契約、隔離契約、dry-run、AwoooP mirror-only checklist、AwoooP handoff 與整體進度。
**累積狀態**
- 鏡像 readiness 目前為 27 個 contracts24 個 ready for mirror、2 個 partial ready、1 個 contract-only、0 個 blocked。
- Approval queue 仍為 8 個 items7 個 pending approval、1 個 block candidate。
- `security_mirror_status_rollup_v1` 只顯示狀態與下一個 gate不代表 production ingestion、scan、repo migration 或 runtime enforcement 已啟用。
**邊界**
- 沒有新增 runtime endpoint、DB migration、model 或執行 action。
- 沒有新增執行按鈕。
- 沒有啟動 scan、呼叫 Kali `/execute`、建立 repo、修改 visibility、sync refs 或切 GitHub primary。
- 沒有保存 raw secret、token、cookie、private key 或 exploit payload。
## 2026-05-13 | 資安供應鏈 S2.6AwoooP 鏡像 Dry-run 報告契約
**背景**S2.5 已建立 `security_mirror_quarantine_v1`,讓 AwoooP 可隔離驗收失敗的 mirror payload。本輪補上 dry-run 報告契約,讓 AwoooP 未來做 mirror-only 接入演練時有一致回報格式;本輪不代表 AwoooP 已實際執行 dry-run。

208
docs/schemas/security_mirror_status_rollup_v1.schema.json Normal file
View File

@@ -0,0 +1,208 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "urn:awoooi:security-mirror-status-rollup-v1",
"title": "資安供應鏈鏡像狀態彙整契約 v1",
"description": "定義 AwoooP mirror-only 資安供應鏈接入狀態、下一個安全 gate 與跨 Session 同步摘要。此契約不授權 runtime execution。",
"type": "object",
"required": [
"schema_version",
"status",
"date",
"mode",
"rollup_status",
"runtime_execution_authorized",
"source_indexes",
"summary",
"phase_status",
"next_safe_actions",
"session_sync_notes",
"forbidden_actions"
],
"properties": {
"schema_version": {
"const": "security_mirror_status_rollup_v1"
},
"status": {
"type": "string",
"enum": ["draft"]
},
"date": {
"type": "string"
},
"mode": {
"type": "string",
"enum": ["mirror_only"]
},
"rollup_status": {
"type": "string",
"enum": [
"framework_ready_waiting_approval",
"mirror_ingestion_ready",
"mirror_ingestion_warn",
"blocked"
]
},
"runtime_execution_authorized": {
"type": "boolean",
"const": false
},
"source_indexes": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
},
"summary": {
"type": "object",
"required": [
"total_contracts",
"ready_for_mirror_count",
"partial_ready_count",
"contract_only_count",
"blocked_count",
"approval_queue_total",
"pending_approval_count",
"block_candidate_count",
"dry_run_status",
"runtime_actions_executed",
"payloads_ingested"
],
"properties": {
"total_contracts": {
"type": "integer",
"minimum": 0
},
"ready_for_mirror_count": {
"type": "integer",
"minimum": 0
},
"partial_ready_count": {
"type": "integer",
"minimum": 0
},
"contract_only_count": {
"type": "integer",
"minimum": 0
},
"blocked_count": {
"type": "integer",
"minimum": 0
},
"approval_queue_total": {
"type": "integer",
"minimum": 0
},
"pending_approval_count": {
"type": "integer",
"minimum": 0
},
"block_candidate_count": {
"type": "integer",
"minimum": 0
},
"dry_run_status": {
"type": "string"
},
"runtime_actions_executed": {
"type": "boolean",
"const": false
},
"payloads_ingested": {
"type": "boolean",
"const": false
}
},
"additionalProperties": false
},
"phase_status": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"required": [
"phase_id",
"state",
"current_result",
"next_gate"
],
"properties": {
"phase_id": {
"type": "string"
},
"state": {
"type": "string",
"enum": ["completed", "in_progress", "draft_ready", "not_started", "blocked"]
},
"current_result": {
"type": "string"
},
"next_gate": {
"type": "string"
}
},
"additionalProperties": false
}
},
"next_safe_actions": {
"type": "array",
"minItems": 1,
"items": {
"type": "object",
"required": [
"action_id",
"title",
"mode",
"source_contract",
"allowed_processing",
"blocked_processing"
],
"properties": {
"action_id": {
"type": "string"
},
"title": {
"type": "string"
},
"mode": {
"type": "string",
"enum": ["observe", "approval_required", "block_candidate"]
},
"source_contract": {
"type": "string"
},
"allowed_processing": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
},
"blocked_processing": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
}
},
"additionalProperties": false
}
},
"session_sync_notes": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
},
"forbidden_actions": {
"type": "array",
"items": {
"type": "string"
},
"minItems": 1
}
},
"additionalProperties": false
}

5
docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
View File

@@ -36,6 +36,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `security_mirror_acceptance_v1` | AwoooP 鏡像驗收契約 | Operator Console、Runtime State、Audit | mirror-only | 只驗收 contract count、event envelope、route coverage、redaction不作 runtime blocker |
| `security_mirror_quarantine_v1` | AwoooP 鏡像隔離契約 | Operator Console、Audit | mirror-only | 只隔離驗收失敗 payload、顯示 recovery request 與 retry gate不作 runtime blocker |
| `security_mirror_dry_run_v1` | AwoooP 鏡像 dry-run 報告契約 | Operator Console、Audit | mirror-only | 只回報接入演練結果;不得轉成 production ingestion |
| `security_mirror_status_rollup_v1` | AwoooP 鏡像狀態彙整契約 | Operator Console、Runtime State、Audit | mirror-only | 只顯示階段狀態、下一個 gate 與禁止事項;不得視為 runtime authorization |
| `coding_task_v1` | Code Review / Codex Security / manual review | Approval candidate、Channel Event、Audit | suggest-only | 不自動開 patch runner、不自動 merge |
| `source_control_migration_event_v1` | Gitea/GitHub branch/tag/SHA diff | Supply-chain evidence、Approval candidate | mirror-only | 不觸發 deploy、不切換 primary |
| `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 不保存 token value、不刪除或停用 Gitea repo |
@@ -86,13 +87,14 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `kali_integration_status_v1.status=partial_runtime_health_integrated` | `observe` | 顯示 Kali 112 health、更新紀錄、缺口與 approval gates不得直接掃描 |
| `kali_scan_scope_approval_v1.status=draft_waiting_approval` | `approve_required` | 顯示 Kali 112、111/168、核心主機、公開網站 scope 與 gate不得執行 scan |
| `security_approval_queue_v1.status=draft` | `approve_required` | 顯示 8 個 queue items、review order 與 blocked reason不得執行 item |
| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 26 個 contracts 的 readiness不得把 readiness 當 execution authorization |
| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 27 個 contracts 的 readiness不得把 readiness 當 execution authorization |
| `security_mirror_intake_plan_v1.status=draft` | `observe` | 顯示 5 個 intake waves 與 4 個 acceptance gates不得執行 wave |
| `security_mirror_event_v1.execution_authorized=false` | `observe` | 只包裝鏡像 payload明確不授權執行、不顯示執行按鈕 |
| `security_mirror_route_v1.status=draft` | `observe` | 顯示 5 個 route groups、channel policy 與 review lane不得轉成 execution router |
| `security_mirror_acceptance_v1.status=draft` | `observe` | 顯示 7 個 acceptance checks只可驗收鏡像資料不得阻擋 runtime |
| `security_mirror_quarantine_v1.status=draft` | `observe` | 顯示 5 個 quarantine lanes、recovery request 與 retry gate不得自動重試失敗 payload |
| `security_mirror_dry_run_v1.dry_run_status=contract_defined_not_executed` | `observe` | 顯示 6 個 dry-run steps不得視為 production ingestion 已啟用 |
| `security_mirror_status_rollup_v1.rollup_status=framework_ready_waiting_approval` | `observe` | 顯示 S0-S4 階段、approval queue summary 與下一個 gate不得新增 execution action |
| `coding_task_v1.risk=LOW|MEDIUM` | `warn` | 可排入 Codex patch-only backlog |
| `coding_task_v1.risk=HIGH|CRITICAL` | `approve_required` | 必須指定 `critic``vuln-verifier` |
| `source_control_migration_event_v1.status=blocked` | `observe` | 顯示 blocking reason不允許切 primary |
@@ -164,6 +166,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| 資安鏡像驗收契約 | `docs/security/security-mirror-acceptance.snapshot.json` / `docs/security/SECURITY-MIRROR-ACCEPTANCE.md` |
| 資安鏡像隔離契約 | `docs/security/security-mirror-quarantine.snapshot.json` / `docs/security/SECURITY-MIRROR-QUARANTINE.md` |
| 資安鏡像 dry-run 報告契約 | `docs/security/security-mirror-dry-run.snapshot.json` / `docs/security/SECURITY-MIRROR-DRY-RUN.md` |
| 資安鏡像狀態彙整契約 | `docs/security/security-mirror-status-rollup.snapshot.json` / `docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md` |
| 本機 repo canonical lineage snapshot | `docs/security/local-repo-canonical-ewoooc-momo.snapshot.json` / `docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md` |
| Internal 110 refs snapshot | `docs/security/git-remote-refs-bitan-tsenyang.snapshot.json` / `docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md` |
| wooo-infra-config refs snapshot | `docs/security/git-remote-refs-wooo-infra-config.snapshot.json` / `docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md` |

30
docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md
View File

@@ -73,7 +73,7 @@
```text
Kali / Code Review / GitHub / Gitea / Codex
-> security_supply_chain_contract_manifest_v1
-> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1
-> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1
-> AWOOOI ingestion / asset_inventory / AIOps KPI / AOL
-> mirror 到 AwoooP Runtime State / Channel Event / Audit
-> AwoooP Policy / Approval / Exception / Operator Console
@@ -131,7 +131,7 @@ Schema`docs/schemas/security_approval_queue_v1.schema.json`
Snapshot`docs/security/security-approval-queue.snapshot.json`
目前 queue8 items6 個 pending approval2 個 block candidate。建議先 review redacted Kali finding ingestion再 review safe web crawl 與 Gitea read-only inventory。
目前 queue8 items7 個 pending approval1 個 block candidate。建議先 review redacted Kali finding ingestion再 review safe web crawl 與 Gitea read-only inventory。
AwoooP 初期處理方式:只顯示 review order、blocked reason、required reviewers 與 evidence refs可建立 approval candidate但不得執行 queue item。
@@ -143,7 +143,7 @@ Schema`docs/schemas/security_mirror_readiness_v1.schema.json`
Snapshot`docs/security/security-mirror-readiness.snapshot.json`
目前 readiness26 個 contracts23 個 ready for mirror2 個 partial ready1 個 contract-only0 個 blocked。所有 contract 都是 `execution_allowed=false`
目前 readiness27 個 contracts24 個 ready for mirror2 個 partial ready1 個 contract-only0 個 blocked。所有 contract 都是 `execution_allowed=false`
AwoooP 初期處理方式:先 mirror readiness index再依 readiness 分批 mirror 其他 snapshots不得把 readiness 當 execution authorization。
@@ -179,7 +179,7 @@ Schema`docs/schemas/security_mirror_route_v1.schema.json`
Snapshot`docs/security/security-mirror-route.snapshot.json`
目前 route5 個 route groups涵蓋 26 個 contracts所有 route 都是 `runtime_execution_authorized=false`
目前 route5 個 route groups涵蓋 27 個 contracts所有 route 都是 `runtime_execution_authorized=false`
AwoooP 初期處理方式:只依 route group 顯示 Operator Console / Runtime State / Channel Event / Audit / Approval Queue不把 route 轉成 execution router。
@@ -219,6 +219,18 @@ Snapshot`docs/security/security-mirror-dry-run.snapshot.json`
AwoooP 初期處理方式:只顯示 dry-run 報告與各 step 狀態;不得轉成 production ingestion 或任何 runtime action。
### `security_mirror_status_rollup_v1`
用途:定義 AwoooP 與 Security Supply Chain Session 的共同狀態摘要,彙整 S0-S4、contract readiness、approval queue summary、dry-run 狀態與下一個安全 gate。
Schema`docs/schemas/security_mirror_status_rollup_v1.schema.json`
Snapshot`docs/security/security-mirror-status-rollup.snapshot.json`
目前 rollup`framework_ready_waiting_approval`27 個 contracts、24 ready、2 partial、1 contract-only、0 blockedapproval queue 仍為 8 items其中 7 pending approval、1 block candidate。
AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence不得把 rollup 當 runtime authorization。
### `security_rollout_policy_v1`
用途:定義 Security Supply Chain 初期的低摩擦 rollout policy避免把 observation 全部變成 blocking controls。
@@ -251,7 +263,7 @@ Schema`docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`
"schema_version": "security_supply_chain_contract_manifest_v1",
"status": "draft",
"default_enforcement_level": "mirror_only",
"contract_count": 26
"contract_count": 27
}
```
@@ -525,6 +537,7 @@ Schema`docs/schemas/approval_required_event_v1.schema.json`
- 將 GitHub target repo-by-repo package mirror 成 approval queue draft。
- 將低摩擦 rollout policy mirror 成 read-only policy。
- 將 contract manifest mirror 成 contract registry。
- 將 status rollup mirror 成跨 Session 共同狀態入口。
禁止:
@@ -665,7 +678,7 @@ Console 初期不提供高風險執行按鈕。
2026-05-12 contract manifest 追加:已新增 `docs/schemas/security_supply_chain_contract_manifest_v1.schema.json``docs/security/security-supply-chain-contract-manifest.snapshot.json``docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md`。AwoooP 應先讀 manifest 作為 mirror-only contract registry不把 manifest 當 execution router。
2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json``docs/security/security-mirror-route.snapshot.json``docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 26 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queueroute 只決定目的地、channel policy 與 review lane不是 execution router。
2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json``docs/security/security-mirror-route.snapshot.json``docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 27 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queueroute 只決定目的地、channel policy 與 review lane不是 execution router。
2026-05-13 mirror acceptance 追加:已新增 `docs/schemas/security_mirror_acceptance_v1.schema.json``docs/security/security-mirror-acceptance.snapshot.json``docs/security/SECURITY-MIRROR-ACCEPTANCE.md`。AwoooP 可用 7 個 acceptance checks 驗收 mirror ingestionblocking checks 只針對 contract count mismatch、缺 event envelope、route coverage 不完整或未脫敏 evidence不得阻擋 runtime 流程。
@@ -673,6 +686,8 @@ Console 初期不提供高風險執行按鈕。
2026-05-13 mirror dry-run 追加:已新增 `docs/schemas/security_mirror_dry_run_v1.schema.json``docs/security/security-mirror-dry-run.snapshot.json``docs/security/SECURITY-MIRROR-DRY-RUN.md`。AwoooP 未來可用 6 個 dry-run steps 回報接入演練結果;本 snapshot 狀態為 `contract_defined_not_executed`,不得視為 production ingestion 已啟用。
2026-05-13 mirror status rollup 追加:已新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json``docs/security/security-mirror-status-rollup.snapshot.json``docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`。AwoooP 與 Security Supply Chain Session 可用同一份 rollup 同步 S0-S4、27 個 contracts、approval queue summary 與下一個安全 gate本契約不授權任何 runtime action。
2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json``docs/security/kali-integration-status.snapshot.json``docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up已 targeted update `nmap``nikto``nuclei``curl``openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence但不得直接啟動 scan、credentialed scan 或 `/execute`
本波仍不做:
@@ -723,6 +738,8 @@ Console 初期不提供高風險執行按鈕。
- [security_rollout_policy_v1 snapshot](/Users/ogt/awoooi/docs/security/security-rollout-policy.snapshot.json)
- [Security Supply Chain contract manifest](/Users/ogt/awoooi/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md)
- [security_supply_chain_contract_manifest_v1 snapshot](/Users/ogt/awoooi/docs/security/security-supply-chain-contract-manifest.snapshot.json)
- [資安鏡像狀態彙整契約](/Users/ogt/awoooi/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md)
- [security_mirror_status_rollup_v1 snapshot](/Users/ogt/awoooi/docs/security/security-mirror-status-rollup.snapshot.json)
- [Source Control ref truth classification](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md)
- [source_control_ref_truth_classification_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-ref-truth-classification.snapshot.json)
- [本機 repo canonical lineage snapshot](/Users/ogt/awoooi/docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md)
@@ -751,6 +768,7 @@ Console 初期不提供高風險執行按鈕。
- [github_target_repo_approval_package_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_repo_approval_package_v1.schema.json)
- [security_rollout_policy_v1 schema](/Users/ogt/awoooi/docs/schemas/security_rollout_policy_v1.schema.json)
- [security_supply_chain_contract_manifest_v1 schema](/Users/ogt/awoooi/docs/schemas/security_supply_chain_contract_manifest_v1.schema.json)
- [security_mirror_status_rollup_v1 schema](/Users/ogt/awoooi/docs/schemas/security_mirror_status_rollup_v1.schema.json)
- [source_control_ref_truth_classification_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_classification_v1.schema.json)
- [local_repo_canonical_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/local_repo_canonical_probe_v1.schema.json)
- [git_remote_refs_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/git_remote_refs_probe_v1.schema.json)

2
docs/security/SECURITY-MIRROR-ACCEPTANCE.md
View File

@@ -27,7 +27,7 @@
| Check | 目的 | 失敗時是否阻擋鏡像 |
|-------|------|--------------------|
| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 26 個 contracts | 是 |
| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 27 個 contracts | 是 |
| `EVENT_ENVELOPE_REQUIRED` | 確認每筆 payload 都不可執行、不可顯示執行按鈕 | 是 |
| `ROUTE_GROUP_COVERAGE` | 確認 5 個 route groups 覆蓋所有 contracts | 是 |
| `REDACTION_ONLY` | 確認不保存 raw sensitive value | 是 |

11
docs/security/SECURITY-MIRROR-INTAKE-PLAN.md
View File

@@ -19,7 +19,7 @@
| Wave | 目的 | 主要 contracts | Exit gate |
|------|------|----------------|-----------|
| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣、驗收契約、隔離契約dry-run 報告格式 | readiness / manifest / rollout policy / mirror event / mirror route / acceptance / quarantine / dry-run | 顯示 26 個 contract 且 `execution_allowed=false` |
| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣、驗收契約、隔離契約dry-run 報告格式與 status rollup | readiness / manifest / rollout policy / mirror event / mirror route / acceptance / quarantine / dry-run / status rollup | 顯示 27 個 contract 且 `execution_allowed=false` |
| `M1_kali_visibility` | 顯示 Kali 112、scan scope、approval queue | Kali status / scan scope / approval queue / finding sample | 顯示 5 個 scope groups 與 8 個 queue items沒有執行按鈕 |
| `M2_source_control_visibility` | 顯示 Gitea/GitHub source-control evidence | migration / inventory / refs / approval board | 顯示 blocking reasonsrepo/refs actions 全 disabled |
| `M3_approval_candidates` | 顯示 approval candidates 與人工決策留痕 | approval events / approval queue / source-control board | 可留痕,不可自動批准或執行 |
@@ -33,10 +33,11 @@
4. 使用 `security_mirror_acceptance_v1` 驗收 contract count、event envelope、route coverage 與 redaction。
5. 使用 `security_mirror_quarantine_v1` 隔離驗收失敗 payload 並顯示 retry gate。
6. 使用 `security_mirror_dry_run_v1` 回報接入演練結果。
7. 將 ready / partial contracts mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence。
8.approval-only contracts mirror 到 Approval Queue。
9. 顯示 required reviewers、blocked reason、evidence refs、review order
10. 記錄人工決策結果,但不自動執行後續動作
7. 使用 `security_mirror_status_rollup_v1` 顯示跨 Session 狀態與下一個 gate。
8.ready / partial contracts mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence。
9. 將 approval-only contracts mirror 到 Approval Queue
10. 顯示 required reviewers、blocked reason、evidence refs、review order
11. 記錄人工決策結果,但不自動執行後續動作。
## 3. AwoooP 不可做

2
docs/security/SECURITY-MIRROR-QUARANTINE.md
View File

@@ -32,7 +32,7 @@
3. 將隔離 metadata 寫入 Audit evidence。
4. 等新的 snapshot commit 後重新驗收。
5. 對非 runtime 風險保留 observe / warn。
6. 將隔離狀態提供給 `security_mirror_dry_run_v1` dry-run 報告。
6. 將隔離狀態提供給 `security_mirror_dry_run_v1` dry-run 報告`security_mirror_status_rollup_v1` 狀態彙整
## 3. AwoooP 不可做

11
docs/security/SECURITY-MIRROR-READINESS.md
View File

@@ -23,7 +23,7 @@
| 狀態 | 數量 | 說明 |
|------|------|------|
| `ready_for_mirror` | 23 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence |
| `ready_for_mirror` | 24 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence |
| `partial_ready` | 2 | 可 mirror但 evidence 仍不完整 |
| `contract_only` | 1 | 有 schema / handoff尚無正式 snapshot |
| `blocked` | 0 | 目前沒有禁止 mirror 的 contract |
@@ -72,9 +72,10 @@ AwoooP 可以將 ready / partial contracts mirror 到:
4. 再 mirror `security_mirror_acceptance_v1`,驗收 contract count、event envelope、route coverage 與 redaction。
5. 再 mirror `security_mirror_quarantine_v1`,定義驗收失敗時的隔離與 retry gate。
6. 再 mirror `security_mirror_dry_run_v1`,定義接入演練回報格式。
7. 再 mirror `security_mirror_intake_plan_v1`,照 wave 執行 read-only intake。
8. 再 mirror `security_approval_queue_v1`,只顯示 review order
9. 再 mirror `kali_integration_status_v1``kali_scan_scope_approval_v1`
10. 最後再 mirror source-control 相關 contracts
7. 再 mirror `security_mirror_status_rollup_v1`,顯示跨 Session 狀態與下一個 gate。
8. 再 mirror `security_mirror_intake_plan_v1`,照 wave 執行 read-only intake
9. 再 mirror `security_approval_queue_v1`,只顯示 review order
10. 再 mirror `kali_integration_status_v1``kali_scan_scope_approval_v1`
11. 最後再 mirror source-control 相關 contracts。
整個 S2 不新增 execution router、不新增執行按鈕、不新增 runtime blocker。

6
docs/security/SECURITY-MIRROR-ROUTE.md
View File

@@ -25,7 +25,7 @@
| Route group | 目的 | 初期 channel policy | review lane |
|-------------|------|---------------------|-------------|
| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance、quarantine、dry-run | `no_channel_event` | `observe` |
| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance、quarantine、dry-run、status rollup | `no_channel_event` | `observe` |
| `M1_kali_visibility` | 顯示 Kali 112、111 / 168 scope、approval queue 與 finding sample | `approval_required_only` | `approval_required` |
| `M2_source_control_visibility` | 顯示 Gitea / GitHub repo、branch、tag、canonical 差異 | `low_noise_status` | `source_control_review` |
| `M3_approval_candidates` | 顯示人工批准候選與留痕 | `approval_required_only` | `approval_required` |
@@ -50,9 +50,9 @@
## 4. 驗收
S2.4AwoooP 主線只需要能讀到:
S2.7AwoooP 主線只需要能讀到:
1. 26 個 contracts。
1. 27 個 contracts。
2. 5 個 route groups。
3. 所有 route group 都是 `runtime_execution_authorized=false`
4. Channel Event 初期低噪音。

57
docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md Normal file
View File

@@ -0,0 +1,57 @@
# 資安鏡像狀態彙整契約
| 項目 | 內容 |
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | 草案 |
| Schema | `docs/schemas/security_mirror_status_rollup_v1.schema.json` |
| Snapshot | `docs/security/security-mirror-status-rollup.snapshot.json` |
| 模式 | `mirror_only` |
| runtime 執行授權 | `false` |
## 0. 核心結論
`security_mirror_status_rollup_v1` 是 AwoooP 與 Security Supply Chain Session 的共同狀態入口。
它只彙整目前框架、鏡像契約、approval queue 與下一個安全 gate不授權任何 scan、execute、repo、refs、deploy 或 secret 類動作。
## 1. 目前狀態
| 類型 | 狀態 |
|------|------|
| Contract manifest | 27 個 contracts |
| Mirror readiness | 24 ready、2 partial、1 contract-only、0 blocked |
| Approval queue | 8 items7 pending approval、1 block candidate |
| Dry-run | `contract_defined_not_executed` |
| Runtime actions | `false` |
| Payload ingestion | `false` |
## 2. AwoooP 可做
1. 顯示 S0 到 S4 的階段狀態。
2. 顯示 contract readiness、approval queue summary 與下一個 gate。
3. 將彙整結果寫入 Audit evidence。
4. 低噪音通知階段完成、blocked reason 或人工批准必要事件。
5. 把下一步限制在 `observe` / `approval_required` / `block_candidate`
## 3. AwoooP 不可做
1. 不把 rollup 當成 runtime authorization。
2. 不新增 scan、execute、repo、refs、deploy、secret 類 action button。
3. 不把 LOW / MEDIUM observation 變成 blocking gate。
4. 不把 approval queue 接成 runner。
5. 不把 GitHub primary、refs sync 或 Kali `/execute` 當成已批准。
## 4. 下一個安全 gate
下一步仍不是 runtime enforcement。
建議先讓 AwoooP 主線只讀消費本 rollup並由人工依序 review
1. redacted finding ingestion adapter。
2. safe web crawl scope。
3. Gitea private/internal read-only inventory。
4. GitHub target / owner / visibility / canonical。
5. Kali `/execute` 維持 block candidate。
任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence不得由本 rollup 自動觸發。

3
docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md
View File

@@ -11,7 +11,7 @@
## 0. 核心結論
目前 Security Supply Chain 已有 26 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口避免不同 Session 各自解讀。
目前 Security Supply Chain 已有 27 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口避免不同 Session 各自解讀。
初期預設仍是 `mirror_only`。Manifest 不授權 runtime enforcement、不授權 GitHub/Gitea 主控切換、不授權 repo 建立或 refs sync。
@@ -31,6 +31,7 @@
| `security_mirror_acceptance_v1` | mirror-only | AwoooP 只讀鏡像接入驗收 checks | `security-mirror-acceptance.snapshot.json` |
| `security_mirror_quarantine_v1` | mirror-only | AwoooP 鏡像驗收失敗隔離與 retry gate | `security-mirror-quarantine.snapshot.json` |
| `security_mirror_dry_run_v1` | mirror-only | AwoooP 鏡像接入演練回報格式 | `security-mirror-dry-run.snapshot.json` |
| `security_mirror_status_rollup_v1` | mirror-only | AwoooP / Security Supply Chain 跨 Session 狀態總覽 | `security-mirror-status-rollup.snapshot.json` |
| `coding_task_v1` | suggest-only | Code Review 接 Codex patch-only | 無正式 snapshot |
| `source_control_migration_event_v1` | mirror-only | Gitea/GitHub refs 差異 | `gitea-github-awoooi``clawbot-v5``wooo-aiops` |
| `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory | public-only / blocked endpoint snapshots |

11
docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
View File

@@ -4,7 +4,7 @@
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | S0/S1 read-only evidence 建置中 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
## 0. 本階段完成後整體進度
@@ -20,17 +20,18 @@
| S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs |
| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 |
| S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 |
| S1.4 契約索引 | 完成草案 | 26 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
| S1.4 契約索引 | 完成草案 | 27 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
| S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate |
| S1.6 Kali finding / scan scope approval | 完成草案 | `security_finding_v1` sample snapshot 與 `kali_scan_scope_approval_v1` approval package 已建立111/168 已納入 observe-only scope | 人工批准 safe crawl / credentialed scan / runtime ingestion / full-upgrade gate |
| S1.7 Security approval queue | 完成草案 | 8 個 approval queue items 已集中7 pending approval、1 block candidateAwoooP 可 mirror 但不得執行 | 先 review redacted finding ingestion再 review safe crawl / Gitea inventory |
| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 26 個 contracts23 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 |
| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 27 個 contracts24 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 |
| S2.1 AwoooP mirror-only intake plan | 完成草案 | `security_mirror_intake_plan_v1` 已建立 5 個 intake waves 與 4 個 acceptance gates | AwoooP 主線照 wave mirror不新增 execution router |
| S2.2 AwoooP 鏡像事件信封 | 完成草案 | `security_mirror_event_v1` 已建立,要求每筆鏡像 payload 標示 `execution_authorized=false``action_buttons_allowed=false` | AwoooP 鏡像 payload 統一信封 |
| S2.3 AwoooP 鏡像路由矩陣 | 完成草案 | `security_mirror_route_v1` 已建立 5 個 route groups定義目的地、channel policy 與 review lane | AwoooP 消費時不猜路由、不新增執行入口 |
| S2.4 AwoooP 鏡像驗收契約 | 完成草案 | `security_mirror_acceptance_v1` 已建立 7 個 acceptance checksblocking 只針對鏡像資料不完整或未脫敏 | AwoooP 接入時可驗收,不升級成 runtime enforcement |
| S2.5 AwoooP 鏡像隔離契約 | 完成草案 | `security_mirror_quarantine_v1` 已建立 5 個 quarantine lanes失敗 payload 必須等新 snapshot commit 後才能 retry | AwoooP 可隔離壞資料,不阻擋 runtime |
| S2.6 AwoooP 鏡像 dry-run 報告契約 | 完成草案 | `security_mirror_dry_run_v1` 已建立 6 個 dry-run steps目前狀態為 contract defined not executed | AwoooP 未來可回報演練結果,但不啟動 production ingestion |
| S2.7 AwoooP 鏡像狀態彙整契約 | 完成草案 | `security_mirror_status_rollup_v1` 已建立,彙整 S0-S4、approval queue summary 與下一個安全 gate | 兩個 Session 用同一份 rollup 同步,不誤啟執行面 |
| S3 approval gate | 未開始 | 已定義哪些動作要進 approval | 不得繞過人工批准 |
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR |
@@ -82,6 +83,8 @@
| 資安鏡像隔離契約 JSON | `docs/security/security-mirror-quarantine.snapshot.json` |
| 資安鏡像 dry-run 報告契約 | `docs/security/SECURITY-MIRROR-DRY-RUN.md` |
| 資安鏡像 dry-run 報告契約 JSON | `docs/security/security-mirror-dry-run.snapshot.json` |
| 資安鏡像狀態彙整契約 | `docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md` |
| 資安鏡像狀態彙整契約 JSON | `docs/security/security-mirror-status-rollup.snapshot.json` |
| 低摩擦 rollout policy | `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md` |
| 低摩擦 rollout policy JSON | `docs/security/security-rollout-policy.snapshot.json` |
| Security Supply Chain contract manifest | `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md` |
@@ -111,6 +114,6 @@
3.`SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md``awoooi``clawbot-v5``wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
4.`ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
5.`KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1``security_mirror_route_v1``security_mirror_acceptance_v1``security_mirror_quarantine_v1``security_mirror_dry_run_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1``security_mirror_route_v1``security_mirror_acceptance_v1``security_mirror_quarantine_v1``security_mirror_dry_run_v1``security_mirror_status_rollup_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。
7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy不做 runtime blocking。
8. AwoooP 主線再讀 `security_approval_queue_v1``security_supply_chain_contract_manifest_v1`,顯示 review order 與 blocked reason不新增 execution router。

8
docs/security/security-mirror-acceptance.snapshot.json
View File

@@ -11,8 +11,8 @@
"docs/security/security-mirror-route.snapshot.json"
],
"summary": {
"total_contracts": 26,
"ready_for_mirror_count": 23,
"total_contracts": 27,
"ready_for_mirror_count": 24,
"route_group_count": 5,
"acceptance_check_count": 7,
"blocking_check_count": 4
@@ -21,7 +21,7 @@
{
"check_id": "CONTRACT_COUNT_MATCH",
"title": "契約數量一致",
"expected_result": "AwoooP 讀到 26 個 contracts且 manifest、readiness、route coverage 的 contract 集合一致。",
"expected_result": "AwoooP 讀到 27 個 contracts且 manifest、readiness、route coverage 的 contract 集合一致。",
"evidence_refs": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
@@ -60,7 +60,7 @@
{
"check_id": "ROUTE_GROUP_COVERAGE",
"title": "路由群組覆蓋",
"expected_result": "5 個 route groups 合併後涵蓋 manifest 26 個 contracts且每個 group 都有 destinations、channel_policy 與 review_lane。",
"expected_result": "5 個 route groups 合併後涵蓋 manifest 27 個 contracts且每個 group 都有 destinations、channel_policy 與 review_lane。",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"

8
docs/security/security-mirror-dry-run.snapshot.json
View File

@@ -14,8 +14,8 @@
"docs/security/security-mirror-quarantine.snapshot.json"
],
"summary": {
"total_contracts": 26,
"ready_for_mirror_count": 23,
"total_contracts": 27,
"ready_for_mirror_count": 24,
"route_group_count": 5,
"acceptance_check_count": 7,
"quarantine_lane_count": 5,
@@ -30,7 +30,7 @@
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json"
],
"pass_condition": "看到 26 個 contracts、23 個 ready for mirror且所有 contract execution_allowed=false。",
"pass_condition": "看到 27 個 contracts、24 個 ready for mirror且所有 contract execution_allowed=false。",
"execution_allowed": false,
"blocked_actions": [
"execute_contract",
@@ -60,7 +60,7 @@
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"pass_condition": "route groups 合併後涵蓋 26 個 contracts沒有未知 execution route。",
"pass_condition": "route groups 合併後涵蓋 27 個 contracts沒有未知 execution route。",
"execution_allowed": false,
"blocked_actions": [
"fallback_to_execution_route",

9
docs/security/security-mirror-event-sample.snapshot.json
View File

@@ -16,8 +16,8 @@
"risk": "LOW",
"summary": "AwoooP 可 mirror Security Supply Chain readiness index但不得把 readiness 視為執行授權。",
"payload_summary": {
"total_contracts": 26,
"ready_for_mirror_count": 23,
"total_contracts": 27,
"ready_for_mirror_count": 24,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
@@ -30,7 +30,8 @@
"docs/security/SECURITY-MIRROR-ROUTE.md",
"docs/security/SECURITY-MIRROR-ACCEPTANCE.md",
"docs/security/SECURITY-MIRROR-QUARANTINE.md",
"docs/security/SECURITY-MIRROR-DRY-RUN.md"
"docs/security/SECURITY-MIRROR-DRY-RUN.md",
"docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md"
],
"blocked_actions": [
"execute_mirror_item",
@@ -42,7 +43,7 @@
"store_secret_value"
],
"labels": {
"phase": "S2.6",
"phase": "S2.7",
"redacted": "true",
"action_surface": "none",
"mirror_only": "true"

13
docs/security/security-mirror-intake-plan.snapshot.json
View File

@@ -12,12 +12,13 @@
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json",
"docs/security/security-mirror-dry-run.snapshot.json"
"docs/security/security-mirror-dry-run.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json"
],
"intake_waves": [
{
"wave_id": "M0_index_bootstrap",
"title": "載入 readiness、manifest、低摩擦 policy、鏡像路由、驗收、隔離dry-run 契約",
"title": "載入 readiness、manifest、低摩擦 policy、鏡像路由、驗收、隔離dry-run 與狀態彙整契約",
"contracts": [
"security_mirror_readiness_v1",
"security_supply_chain_contract_manifest_v1",
@@ -26,7 +27,8 @@
"security_mirror_route_v1",
"security_mirror_acceptance_v1",
"security_mirror_quarantine_v1",
"security_mirror_dry_run_v1"
"security_mirror_dry_run_v1",
"security_mirror_status_rollup_v1"
],
"destinations": [
"operator_console",
@@ -41,14 +43,15 @@
"依 security_mirror_route_v1 分流目的地與 review lane",
"依 security_mirror_acceptance_v1 驗收鏡像資料完整性與脫敏狀態",
"依 security_mirror_quarantine_v1 隔離驗收失敗 payload",
"依 security_mirror_dry_run_v1 回報接入演練結果"
"依 security_mirror_dry_run_v1 回報接入演練結果",
"依 security_mirror_status_rollup_v1 顯示跨 Session 狀態與下一個 gate"
],
"blocked_processing": [
"runtime_enforcement",
"execution_router",
"blocking_gate"
],
"exit_gate": "Operator Console 能顯示 26 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes6 個 dry-run steps且 mirror event envelope action_buttons_allowed=false。"
"exit_gate": "Operator Console 能顯示 27 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes6 個 dry-run steps 與 status rollup,且 mirror event envelope action_buttons_allowed=false。"
},
{
"wave_id": "M1_kali_visibility",

2
docs/security/security-mirror-quarantine.snapshot.json
View File

@@ -11,7 +11,7 @@
"docs/security/security-supply-chain-contract-manifest.snapshot.json"
],
"summary": {
"total_contracts": 26,
"total_contracts": 27,
"quarantine_lane_count": 5,
"auto_retry_allowed": false,
"runtime_blocking_allowed": false

14
docs/security/security-mirror-readiness.snapshot.json
View File

@@ -5,8 +5,8 @@
"default_enforcement_level": "mirror_only",
"runtime_execution_authorized": false,
"summary": {
"total_contracts": 26,
"ready_for_mirror_count": 23,
"total_contracts": 27,
"ready_for_mirror_count": 24,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0
@@ -139,6 +139,16 @@
"human_docs": ["docs/security/SECURITY-MIRROR-DRY-RUN.md"],
"notes": "提供 AwoooP mirror-only 接入演練回報格式;目前為 contract_defined_not_executed。"
},
{
"contract": "security_mirror_status_rollup_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": ["docs/security/security-mirror-status-rollup.snapshot.json"],
"human_docs": ["docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md"],
"notes": "提供 AwoooP / Security Supply Chain 跨 Session 狀態總覽、下一個 gate 與禁止事項;不授權執行。"
},
{
"contract": "coding_task_v1",
"readiness": "contract_only",

12
docs/security/security-mirror-route.snapshot.json
View File

@@ -11,7 +11,7 @@
"docs/security/security-mirror-event-sample.snapshot.json"
],
"summary": {
"total_contracts": 26,
"total_contracts": 27,
"route_group_count": 5,
"channel_event_policy": "初期只對階段完成、blocked 狀態或需要人工批准的高風險候選發低噪音事件LOW / MEDIUM observation 不發阻擋事件。",
"approval_queue_policy": "只有 approval-only、suggest-only 或 blocked-until-approved 項目可進 approval queueapproval queue 不代表可執行。"
@@ -28,7 +28,8 @@
"security_mirror_route_v1",
"security_mirror_acceptance_v1",
"security_mirror_quarantine_v1",
"security_mirror_dry_run_v1"
"security_mirror_dry_run_v1",
"security_mirror_status_rollup_v1"
],
"destinations": [
"operator_console",
@@ -44,7 +45,8 @@
"要求所有鏡像 payload 使用 security_mirror_event_v1 信封",
"顯示 security_mirror_acceptance_v1 驗收結果",
"顯示 security_mirror_quarantine_v1 隔離 lane 與 retry gate",
"顯示 security_mirror_dry_run_v1 dry-run steps"
"顯示 security_mirror_dry_run_v1 dry-run steps",
"顯示 security_mirror_status_rollup_v1 跨 Session 狀態與下一個 gate"
],
"blocked_processing": [
"新增執行按鈕",
@@ -52,7 +54,7 @@
"runtime blocking",
"自動批准任何 queue item"
],
"exit_gate": "AwoooP 可顯示 26 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps且所有 route 都維持 runtime_execution_authorized=false。"
"exit_gate": "AwoooP 可顯示 27 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps 與 status rollup,且所有 route 都維持 runtime_execution_authorized=false。"
},
{
"wave_id": "M1_kali_visibility",
@@ -189,7 +191,7 @@
"acceptance_gates": [
{
"gate_id": "ROUTE_COVERS_ALL_CONTRACTS",
"requirement": "route_groups 合併後必須涵蓋 manifest 的 26 個 contracts。"
"requirement": "route_groups 合併後必須涵蓋 manifest 的 27 個 contracts。"
},
{
"gate_id": "NO_EXECUTION_SURFACE",

165
docs/security/security-mirror-status-rollup.snapshot.json Normal file
View File

@@ -0,0 +1,165 @@
{
"schema_version": "security_mirror_status_rollup_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"rollup_status": "framework_ready_waiting_approval",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-mirror-intake-plan.snapshot.json",
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json",
"docs/security/security-mirror-dry-run.snapshot.json",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"total_contracts": 27,
"ready_for_mirror_count": 24,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
"approval_queue_total": 8,
"pending_approval_count": 7,
"block_candidate_count": 1,
"dry_run_status": "contract_defined_not_executed",
"runtime_actions_executed": false,
"payloads_ingested": false
},
"phase_status": [
{
"phase_id": "S0_contracts_and_boundaries",
"state": "completed",
"current_result": "Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立。",
"next_gate": "AwoooP 只讀 mirror 消費。"
},
{
"phase_id": "S1_readonly_inventory",
"state": "in_progress",
"current_result": "已完成多項 read-only evidenceGitea private/internal 全量 repo list 仍需批准後補齊。",
"next_gate": "只讀 token 或 redacted admin export approval。"
},
{
"phase_id": "S2_mirror_only_consumption",
"state": "draft_ready",
"current_result": "Mirror readiness、intake、event、route、acceptance、quarantine、dry-run 與 status rollup 契約已建立。",
"next_gate": "AwoooP 主線只建立 read-only / mirror-only UI 與 audit evidence不新增 execution router。"
},
{
"phase_id": "S3_approval_gate",
"state": "not_started",
"current_result": "Approval queue 已列出 8 個候選,其中 7 pending approval、1 block candidate。",
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea read-only inventory。"
},
{
"phase_id": "S4_migration_execution",
"state": "not_started",
"current_result": "GitHub primary 是長期方向,但 refs / tags / workflow / secret 名稱尚未全量驗證。",
"next_gate": "SHA/tag/workflow parity、rollback ADR 與逐 repo 人工批准。"
}
],
"next_safe_actions": [
{
"action_id": "mirror_status_rollup_to_awooop",
"title": "AwoooP 顯示資安供應鏈總覽",
"mode": "observe",
"source_contract": "security_mirror_status_rollup_v1",
"allowed_processing": [
"顯示階段狀態、contract readiness、approval queue summary",
"顯示下一個 gate",
"寫入 audit evidence"
],
"blocked_processing": [
"把 rollup 當成 runtime authorization",
"新增 scan / execute / repo / refs action button",
"把 LOW / MEDIUM observation 變成 blocking gate"
]
},
{
"action_id": "review_redacted_finding_ingestion",
"title": "先審 redacted finding ingestion adapter",
"mode": "approval_required",
"source_contract": "security_approval_queue_v1",
"allowed_processing": [
"人工審查是否可設計 redacted security_finding_v1 ingestion",
"維持只接收摘要與 evidence_ref",
"保留 patch-only / review gate"
],
"blocked_processing": [
"保存 raw secret/token/cookie/private key/exploit payload",
"讓 AwoooP 直接啟動 scan",
"自動修復或自動封鎖 deploy"
]
},
{
"action_id": "review_gitea_readonly_inventory",
"title": "審查 Gitea private/internal 只讀 inventory",
"mode": "approval_required",
"source_contract": "gitea_repo_inventory_v1",
"allowed_processing": [
"使用 read-only token 或 redacted admin export 補齊 repo list",
"只保存 token_present=true/false",
"更新 migration matrix 與 decision table"
],
"blocked_processing": [
"保存 token value",
"使用 write-capable token",
"建立 GitHub repo 或 sync refs"
]
},
{
"action_id": "review_github_target_decisions",
"title": "逐 repo 審 GitHub target / owner / visibility / canonical",
"mode": "approval_required",
"source_contract": "source_control_approval_board_v1",
"allowed_processing": [
"逐 repo 更新 owner / visibility / canonical decision",
"產生 draft reconcile plan 或 ADR",
"維持 refs action disabled"
],
"blocked_processing": [
"建立 repo",
"修改 visibility",
"push / delete refs",
"切 GitHub primary"
]
},
{
"action_id": "keep_kali_execute_blocked",
"title": "Kali /execute 維持 block candidate",
"mode": "block_candidate",
"source_contract": "kali_scan_scope_approval_v1",
"allowed_processing": [
"只設計 disable / allowlist / audit gate",
"保留人工 exception 記錄",
"持續顯示 blocked reason"
],
"blocked_processing": [
"AwoooP runtime 直接呼叫 /execute",
"把 /execute 當成一般 MCP action",
"執行 shell command 自動修復"
]
}
],
"session_sync_notes": [
"本 rollup 是跨 Session 的共同讀取入口,避免 AwoooP 主線與 Security Supply Chain Session 對進度與 gate 判讀不一致。",
"S2.7 仍屬框架期;它讓狀態可見,不代表 production ingestion、scan、repo migration 或 runtime enforcement 已啟用。",
"下一個可安全推進的工作是 AwoooP read-only UI / audit evidence 消費,或人工 review queue不可直接跳到執行面。"
],
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload",
"turn_low_medium_observations_into_blocking_gates"
]
}

24
docs/security/security-supply-chain-contract-manifest.snapshot.json
View File

@@ -2,7 +2,7 @@
"schema_version": "security_supply_chain_contract_manifest_v1",
"status": "draft",
"default_enforcement_level": "mirror_only",
"contract_count": 26,
"contract_count": 27,
"contracts": [
{
"contract": "security_rollout_policy_v1",
@@ -101,7 +101,7 @@
"switch_github_primary",
"store_secret_value"
],
"notes": "整理 26 個 Security Supply Chain contracts 的 mirror readiness供 AwoooP 安全消費。"
"notes": "整理 27 個 Security Supply Chain contracts 的 mirror readiness供 AwoooP 安全消費。"
},
{
"contract": "security_mirror_intake_plan_v1",
@@ -220,6 +220,26 @@
],
"notes": "定義 AwoooP mirror-only 接入演練回報格式;本 snapshot 只表示契約已定義,尚未代表 AwoooP 已執行 dry-run。"
},
{
"contract": "security_mirror_status_rollup_v1",
"schema_path": "docs/schemas/security_mirror_status_rollup_v1.schema.json",
"snapshot_paths": ["docs/security/security-mirror-status-rollup.snapshot.json"],
"human_docs": ["docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md"],
"consumer": "AwoooP Operator Console / Runtime State / Audit",
"consumption_mode": "mirror_only",
"allowed_actions": ["mirror_status_rollup", "display_phase_status", "display_next_safe_gate"],
"forbidden_actions": [
"execute_rollup_action",
"runtime_authorization",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 AwoooP 與 Security Supply Chain Session 的共同狀態摘要;只顯示階段、下一個 gate 與禁止事項,不授權執行。"
},
{
"contract": "coding_task_v1",
"schema_path": "docs/schemas/coding_task_v1.schema.json",