From 9de8469e8f6254522eecf044d2d36a0e1af9ec2b Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Tue, 19 May 2026 18:04:07 +0800
Subject: [PATCH] feat(web): add IwoooS coverage matrix

---
 apps/web/messages/en.json                     |  46 +++++++
 apps/web/messages/zh-TW.json                  |  46 +++++++
 apps/web/src/app/[locale]/iwooos/page.tsx     | 129 ++++++++++++++++++
 docs/LOGBOOK.md                               |  15 ++
 .../iwooos_posture_projection_v1.schema.json  | 116 ++++++++++++++++
 docs/security/IWOOOS-POSTURE-PROJECTION.md    |  20 +++
 .../security/SECURITY-MIRROR-STATUS-ROLLUP.md |   3 +-
 .../SECURITY-SUPPLY-CHAIN-PROGRESS.md         |   4 +-
 .../iwooos-posture-projection.snapshot.json   | 118 +++++++++++++++-
 ...ecurity-mirror-status-rollup.snapshot.json |  34 ++++-
 .../security-mirror-progress-guard.py         |  86 ++++++++++++
 11 files changed, 612 insertions(+), 5 deletions(-)

diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json
index 90932d31..b3b4d270 100644
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -1135,6 +1135,52 @@
         }
       }
     },
+    "coverage": {
+      "title": "Coverage and Boundary Matrix",
+      "subtitle": "Groups the 10 existing security surfaces into four responsibility planes so IwoooS can show where to read signals, human control, governance audit, and engineering review.",
+      "groups": {
+        "signals": {
+          "title": "Signals and Exposure",
+          "body": "Collects security, compliance, alert, error, and UX audit signals; observations stay visible without becoming blockers."
+        },
+        "humanControl": {
+          "title": "Human Control Boundary",
+          "body": "Keeps HITL, multi-sig, and AwoooP approvals visible; runtime gates still require human decisions."
+        },
+        "governanceAudit": {
+          "title": "Governance and Audit",
+          "body": "Governance events, SLOs, remediation queues, and operation logs are evidence surfaces, not execution authorization."
+        },
+        "engineeringReview": {
+          "title": "Engineering Review",
+          "body": "Code Review remains a non-blocking review pipeline for risk grading and coding follow-up, not deploy approval."
+        }
+      },
+      "conflicts": {
+        "title": "Overlap and Conflict Controls",
+        "subtitle": "The same security signal can appear on multiple pages. IwoooS only organizes entrypoints and does not change ownership or authority.",
+        "preserveOwnership": {
+          "title": "Preserve Route Ownership",
+          "body": "Each route remains owned by its original page and API contract; IwoooS does not move write authority."
+        },
+        "noRuntimeLift": {
+          "title": "No Runtime Lift",
+          "body": "The coverage matrix can show coverage and gaps, but cannot create scan, execute, repair, or blocking gates."
+        },
+        "codeReviewNotDeployGate": {
+          "title": "Code Review Is Not Deploy Approval",
+          "body": "AI Code Review can grade risk and propose coding follow-up, but cannot become deploy approval by itself."
+        },
+        "awooopNotSecurityApproval": {
+          "title": "AwoooP Approval Is Not Security Approval",
+          "body": "The AwoooP approval queue can show human gate state, but security gates still require decision records and follow-up runtime gates."
+        },
+        "kaliNotCalled": {
+          "title": "Frontend Index Does Not Call Kali",
+          "body": "Kali 112 remains observe-only; active scan or /execute must go through human approval and follow-up gates."
+        }
+      }
+    },
     "nextGate": {
       "title": "Next High-level Gate",
       "body": "S4.9 Gitea owner attestation response is the recommended next owner evidence. Headline progress should only increase after owner responses, redacted payload ingestion, active runtime gates, or GitHub primary readiness actually change."
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json
index 1404e62e..a5723aa5 100644
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -1136,6 +1136,52 @@
         }
       }
     },
+    "coverage": {
+      "title": "覆蓋與邊界矩陣",
+      "subtitle": "把 10 個既有資安頁面分成四個責任面，讓 IwoooS 能說清楚哪裡看訊號、哪裡做人工控制、哪裡看治理稽核、哪裡看工程審查。",
+      "groups": {
+        "signals": {
+          "title": "訊號與暴露面",
+          "body": "集中安全、合規、告警、錯誤與 UX 稽核訊號；只顯示風險，不把觀察結果直接升成阻擋。"
+        },
+        "humanControl": {
+          "title": "人工控制邊界",
+          "body": "保留 HITL、multi-sig 與 AwoooP approvals 的人控位置；沒有人工決策就不啟動 runtime gate。"
+        },
+        "governanceAudit": {
+          "title": "治理與稽核",
+          "body": "治理事件、SLO、補救佇列與操作日誌用來看流程證據，不把 audit event 當執行授權。"
+        },
+        "engineeringReview": {
+          "title": "工程審查",
+          "body": "Code Review 維持 non-blocking review pipeline，用於風險分級與後續修復建議，不直接等同 deploy approval。"
+        }
+      },
+      "conflicts": {
+        "title": "重疊與衝突控制",
+        "subtitle": "同一個資安訊號可能在多個頁面出現，IwoooS 只做入口整理，不改變原始頁面的責任與權限。",
+        "preserveOwnership": {
+          "title": "保留原頁 owner",
+          "body": "每個 route 繼續由原本頁面與 API contract 負責，IwoooS 不搬移資料寫入權。"
+        },
+        "noRuntimeLift": {
+          "title": "不把只讀索引升成 runtime",
+          "body": "coverage matrix 只能顯示覆蓋與缺口，不建立 scan、execute、repair 或 blocking gate。"
+        },
+        "codeReviewNotDeployGate": {
+          "title": "Code Review 不等於部署批准",
+          "body": "AI Code Review 可以提供風險分級與 coding follow-up，但不能直接變成 deploy approval。"
+        },
+        "awooopNotSecurityApproval": {
+          "title": "AwoooP approvals 不等於資安批准",
+          "body": "AwoooP 審批佇列可顯示人控狀態，但資安 gate 仍需對應決策紀錄與 follow-up runtime gate。"
+        },
+        "kaliNotCalled": {
+          "title": "前端索引不呼叫 Kali",
+          "body": "Kali 112 維持 observe-only；任何 active scan 或 /execute 都必須走人工批准與後續 gate。"
+        }
+      }
+    },
     "nextGate": {
       "title": "下一個高層 Gate",
       "body": "S4.9 Gitea owner attestation response 是目前建議先收的 owner evidence。任何 headline 提升都要等 owner response、redacted payload ingestion、active runtime gate 或 GitHub primary readiness 有真實變化。"
diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx
index e135ecf8..32dfa0af 100644
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -48,6 +48,19 @@ type SecuritySurface = {
   tone: 'steady' | 'warn' | 'locked'
 }
 
+type CoverageGroup = {
+  key: string
+  count: string
+  icon: typeof ShieldCheck
+  tone: 'steady' | 'warn' | 'locked'
+  surfaces: string
+}
+
+type ConflictControl = {
+  key: string
+  tone: 'steady' | 'warn' | 'locked'
+}
+
 const postureMetrics: PostureMetric[] = [
   { key: 'overall', value: '58%', tone: 'warn' },
   { key: 'framework', value: '80-85%', tone: 'steady' },
@@ -86,6 +99,45 @@ const existingSecuritySurfaces: SecuritySurface[] = [
   { key: 'codeReview', href: '/code-review', icon: SearchCheck, tone: 'warn' },
 ]
 
+const coverageGroups: CoverageGroup[] = [
+  {
+    key: 'signals',
+    count: '5',
+    icon: Radar,
+    tone: 'warn',
+    surfaces: '/security-compliance, /security, /compliance, /alerts, /errors',
+  },
+  {
+    key: 'humanControl',
+    count: '2',
+    icon: Lock,
+    tone: 'locked',
+    surfaces: '/authorizations, /awooop/approvals',
+  },
+  {
+    key: 'governanceAudit',
+    count: '2',
+    icon: ListChecks,
+    tone: 'steady',
+    surfaces: '/governance, /alert-operation-logs',
+  },
+  {
+    key: 'engineeringReview',
+    count: '1',
+    icon: SearchCheck,
+    tone: 'warn',
+    surfaces: '/code-review',
+  },
+]
+
+const conflictControls: ConflictControl[] = [
+  { key: 'preserveOwnership', tone: 'steady' },
+  { key: 'noRuntimeLift', tone: 'locked' },
+  { key: 'codeReviewNotDeployGate', tone: 'warn' },
+  { key: 'awooopNotSecurityApproval', tone: 'locked' },
+  { key: 'kaliNotCalled', tone: 'locked' },
+]
+
 const evidenceItems = [
   'iwooos-posture-projection.snapshot.json',
   'security-rollout-policy.snapshot.json',
@@ -239,6 +291,48 @@ function SurfaceCard({ item, locale }: { item: SecuritySurface; locale: string }
   )
 }
 
+function CoverageCard({ item }: { item: CoverageGroup }) {
+  const t = useTranslations('iwooos.coverage')
+  const Icon = item.icon
+  return (
+    <div style={{ ...band, minHeight: 154, padding: 16 }}>
+      <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', gap: 12 }}>
+        <Icon size={18} color={toneColors[item.tone]} />
+        <span style={{ fontSize: 24, fontWeight: 700, color: toneColors[item.tone] }}>{item.count}</span>
+      </div>
+      <h2 style={{ fontSize: 14, margin: '12px 0 6px', color: '#141413' }}>{t(`groups.${item.key}.title` as never)}</h2>
+      <p style={{ fontSize: 12, lineHeight: 1.55, color: '#6f6d66', margin: 0 }}>
+        {t(`groups.${item.key}.body` as never)}
+      </p>
+      <div style={{ fontSize: 11, color: '#87867f', marginTop: 10, lineHeight: 1.45 }}>{item.surfaces}</div>
+    </div>
+  )
+}
+
+function ConflictRow({ item, index }: { item: ConflictControl; index: number }) {
+  const t = useTranslations('iwooos.coverage.conflicts')
+  return (
+    <div
+      style={{
+        display: 'grid',
+        gridTemplateColumns: '34px minmax(0, 1fr)',
+        gap: 10,
+        alignItems: 'start',
+        padding: '10px 0',
+        borderBottom: index === conflictControls.length - 1 ? 'none' : '0.5px solid #eee9dd',
+      }}
+    >
+      <ToneDot tone={item.tone} />
+      <div>
+        <div style={{ fontSize: 13, fontWeight: 700, color: '#141413' }}>{t(`${item.key}.title` as never)}</div>
+        <div style={{ fontSize: 11, color: '#6f6d66', marginTop: 3, lineHeight: 1.45 }}>
+          {t(`${item.key}.body` as never)}
+        </div>
+      </div>
+    </div>
+  )
+}
+
 export default function IwoooSPage({ params }: { params: { locale: string } }) {
   const t = useTranslations('iwooos')
 
@@ -273,6 +367,41 @@ export default function IwoooSPage({ params }: { params: { locale: string } }) {
           </div>
         </section>
 
+        <section
+          style={{
+            display: 'grid',
+            gridTemplateColumns: 'repeat(auto-fit, minmax(260px, 1fr))',
+            gap: 14,
+            marginBottom: 14,
+          }}
+        >
+          <div>
+            <div style={{ marginBottom: 14 }}>
+              <h2 style={{ fontSize: 16, margin: 0 }}>{t('coverage.title')}</h2>
+              <p style={{ fontSize: 12, color: '#6f6d66', margin: '6px 0 0', lineHeight: 1.55 }}>
+                {t('coverage.subtitle')}
+              </p>
+            </div>
+            <div
+              style={{
+                display: 'grid',
+                gridTemplateColumns: 'repeat(auto-fit, minmax(190px, 1fr))',
+                gap: 12,
+              }}
+            >
+              {coverageGroups.map(item => <CoverageCard key={item.key} item={item} />)}
+            </div>
+          </div>
+
+          <div style={{ ...band, padding: 16 }}>
+            <h2 style={{ fontSize: 15, margin: 0 }}>{t('coverage.conflicts.title')}</h2>
+            <p style={{ fontSize: 12, color: '#6f6d66', margin: '6px 0 8px', lineHeight: 1.55 }}>
+              {t('coverage.conflicts.subtitle')}
+            </p>
+            {conflictControls.map((item, index) => <ConflictRow key={item.key} item={item} index={index} />)}
+          </div>
+        </section>
+
         <section
           style={{
             display: 'grid',
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 8381eba9..719e5a54 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,18 @@
+## 2026-05-19 | 資安供應鏈 S2.11：IwoooS Surface Coverage Boundary Matrix
+
+**背景**：S2.10 已把既有前端資安頁面納入 IwoooS，但使用者仍需要更專業地理解這些頁面的責任分工與重疊邊界，避免把「可見」誤讀成「可執行」或「已批准」。
+
+**完成**：
+- `/iwooos` 新增「覆蓋與邊界矩陣」，將 10 個既有資安頁面分成四個責任面：訊號與暴露面、人工控制邊界、治理與稽核、工程審查。
+- `/iwooos` 新增 5 條重疊與衝突控制：保留原頁 owner、不把只讀索引升成 runtime、Code Review 不等於 deploy approval、AwoooP approval 不等於資安批准、前端索引不呼叫 Kali。
+- `iwooos_posture_projection_v1` schema / snapshot 新增 `frontend_surface_coverage_groups`、`frontend_surface_conflict_controls` 與對應 count。
+- `security-mirror-progress-guard.py` 開始驗證 4 個 coverage groups、5 個 conflict controls、全 surface 覆蓋與 no runtime / no action button 邊界。
+- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_11_iwooos_surface_coverage_boundary_matrix`，headline progress 仍維持 58%。
+
+**仍禁止**：
+- 覆蓋矩陣不代表 runtime authorization、Kali active scan、Code Review blocking gate、deploy approval、repo / refs / workflow / secret / runner / primary switch 授權。
+- IwoooS 仍只做 read-only projection 與可理解度提升，不搬移原頁資料寫入權，也不新增任何執行按鈕。
+
 ## 2026-05-19 | 資安供應鏈 S2.10：IwoooS Existing Frontend Security Surface Integration
 
 **背景**：統帥提醒 IwoooS 不能只顯示新建的資安態勢，也要把前端原本已有的資訊安全相關頁面資訊整合起來，避免使用者覺得資安工作和既有產品能力是兩條線。
diff --git a/docs/schemas/iwooos_posture_projection_v1.schema.json b/docs/schemas/iwooos_posture_projection_v1.schema.json
index 8fe0708d..3c50419c 100644
--- a/docs/schemas/iwooos_posture_projection_v1.schema.json
+++ b/docs/schemas/iwooos_posture_projection_v1.schema.json
@@ -17,6 +17,8 @@
     "posture_pillars",
     "non_blocking_lane_ids",
     "existing_frontend_surfaces",
+    "frontend_surface_conflict_controls",
+    "frontend_surface_coverage_groups",
     "evidence_refs",
     "allowed_frontend_outputs",
     "forbidden_frontend_outputs",
@@ -71,6 +73,8 @@
         "owner_response_validation_accepted_count",
         "github_primary_ready_count",
         "existing_frontend_surface_count",
+        "frontend_surface_coverage_group_count",
+        "frontend_surface_conflict_control_count",
         "action_buttons_allowed"
       ],
       "properties": {
@@ -124,6 +128,14 @@
         "existing_frontend_surface_count": {
           "type": "integer",
           "const": 10
+        },
+        "frontend_surface_coverage_group_count": {
+          "type": "integer",
+          "const": 4
+        },
+        "frontend_surface_conflict_control_count": {
+          "type": "integer",
+          "const": 5
         }
       },
       "additionalProperties": false
@@ -314,6 +326,110 @@
         },
         "additionalProperties": false
       }
+    },
+    "frontend_surface_coverage_groups": {
+      "type": "array",
+      "minItems": 4,
+      "items": {
+        "type": "object",
+        "required": [
+          "group_id",
+          "display_order",
+          "responsibility_plane",
+          "surface_ids",
+          "display_mode",
+          "overlap_control",
+          "runtime_execution_authorized",
+          "action_buttons_allowed",
+          "not_authorization"
+        ],
+        "properties": {
+          "group_id": {
+            "type": "string"
+          },
+          "display_order": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "responsibility_plane": {
+            "type": "string"
+          },
+          "surface_ids": {
+            "type": "array",
+            "minItems": 1,
+            "items": {
+              "type": "string"
+            }
+          },
+          "display_mode": {
+            "const": "coverage_only"
+          },
+          "overlap_control": {
+            "type": "string"
+          },
+          "runtime_execution_authorized": {
+            "type": "boolean",
+            "const": false
+          },
+          "action_buttons_allowed": {
+            "type": "boolean",
+            "const": false
+          },
+          "not_authorization": {
+            "type": "boolean",
+            "const": true
+          }
+        },
+        "additionalProperties": false
+      }
+    },
+    "frontend_surface_conflict_controls": {
+      "type": "array",
+      "minItems": 5,
+      "items": {
+        "type": "object",
+        "required": [
+          "control_id",
+          "display_order",
+          "control_scope",
+          "blocked_misread",
+          "display_mode",
+          "runtime_execution_authorized",
+          "action_buttons_allowed",
+          "not_authorization"
+        ],
+        "properties": {
+          "control_id": {
+            "type": "string"
+          },
+          "display_order": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "control_scope": {
+            "type": "string"
+          },
+          "blocked_misread": {
+            "type": "string"
+          },
+          "display_mode": {
+            "const": "conflict_control_only"
+          },
+          "runtime_execution_authorized": {
+            "type": "boolean",
+            "const": false
+          },
+          "action_buttons_allowed": {
+            "type": "boolean",
+            "const": false
+          },
+          "not_authorization": {
+            "type": "boolean",
+            "const": true
+          }
+        },
+        "additionalProperties": false
+      }
     }
   },
   "additionalProperties": false
diff --git a/docs/security/IWOOOS-POSTURE-PROJECTION.md b/docs/security/IWOOOS-POSTURE-PROJECTION.md
index f097385a..b0092feb 100644
--- a/docs/security/IWOOOS-POSTURE-PROJECTION.md
+++ b/docs/security/IWOOOS-POSTURE-PROJECTION.md
@@ -38,6 +38,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence：
 6. 7 條 non-blocking lanes。
 7. evidence refs 與下一個高層 gate。
 8. 10 個既有前端資安相關頁面索引。
+9. 4 個前端資安責任面與 5 個重疊 / 衝突控制。
 
 ## 3.1 既有前端資安頁面整合
 
@@ -58,6 +59,25 @@ S2.10 將前端原本已存在的資安相關頁面收進 IwoooS，只作為 rou
 
 這些 route 仍保留原本功能與 owner 邊界；IwoooS 只提供可見索引，不把任何頁面升級成 scan、execute、repair、blocking gate、deploy approval 或 runtime authorization。
 
+## 3.2 覆蓋與邊界矩陣
+
+S2.11 將 10 個既有前端資安頁面分成四個責任面，讓使用者看懂「訊號在哪裡、人工控制在哪裡、治理稽核在哪裡、工程審查在哪裡」。
+
+| 責任面 | Route | 邊界 |
+|--------|-------|------|
+| 訊號與暴露面 | `/security-compliance`、`/security`、`/compliance`、`/alerts`、`/errors` | 顯示風險、事件、錯誤、UX audit 與合規訊號，不把 observation 直接升 blocking |
+| 人工控制邊界 | `/authorizations`、`/awooop/approvals` | 顯示 HITL / multi-sig / AwoooP approvals；不等於資安 runtime gate 已批准 |
+| 治理與稽核 | `/governance`、`/alert-operation-logs` | 顯示治理事件、SLO、補救佇列與操作日誌；audit event 不是執行授權 |
+| 工程審查 | `/code-review` | 顯示 AI Code Review pipeline；review 結果可產生 follow-up，不等於 deploy approval |
+
+重疊 / 衝突控制：
+
+1. IwoooS 保留原 route owner，不搬移資料寫入權。
+2. 覆蓋矩陣不得升級成 runtime gate。
+3. Code Review link 不等於 deploy approval。
+4. AwoooP approval 狀態不等於資安 approval decision record。
+5. 前端索引不得呼叫 Kali active scan 或 `/execute`。
+
 ## 4. 仍禁止
 
 IwoooS 不得提供下列輸出：
diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
index 21e86d2f..3a730281 100644
--- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
+++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
@@ -35,7 +35,7 @@
 | Owner response validation | S4.13 已建立；四包 owner response 目前 received/accepted 皆為 0；4 條 missing response lanes、4 步 collection order、next collection candidate、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與 7 條 parallel session recovery outcome lanes 可供 AwoooP 直接顯示；下一個建議收件為 S4.9 Gitea owner attestation；latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`，reviewer audit emitted 仍為 0，不代表 owner response 已收到或任何執行授權 |
 | Low-friction rollout policy | S1.3 已補 7 條 non-blocking escalation lanes；LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 初期只能 observe / warn；`owner_review_required_before_blocking=true`、`runtime_blocking_allowed=false` |
 | IwoooS frontend posture | S2.8 已新增 `/iwooos` read-only Information Security 入口；顯示 Security Posture / Exposure、source-control supply chain、Kali 112 Mesh、approval boundary、non-blocking lanes 與 evidence refs；不新增執行按鈕 |
-| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection，只做 route / source / read-only mode 索引；仍不新增 action button |
+| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；仍不新增 action button |
 | Dry-run | `contract_defined_not_executed`；已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`，latest local validation 為 `repo_snapshot_guard_pass`，仍不代表 production ingestion |
 | Runtime actions | `false` |
 | Payload ingestion | `false` |
@@ -94,6 +94,7 @@
 | S2.8 IwoooS frontend posture entry | framework detail | 0 | 只把 mirror-only 資安態勢呈現在前端，不代表 owner response、production ingestion、approval、runtime gate 或 execution authorization |
 | S2.9 IwoooS posture projection contract | framework detail | 0 | 只把前端顯示資料固定成可驗證契約，不代表 owner response、production ingestion、approval、runtime gate 或 execution authorization |
 | S2.10 IwoooS existing frontend surface integration | framework detail | 0 | 只把既有前端資安頁面整理成只讀索引，不代表 owner response、production ingestion、approval、runtime gate、Kali scan、Code Review gate 或 execution authorization |
+| S2.11 IwoooS surface coverage boundary matrix | framework detail | 0 | 只把既有前端資安頁面分成訊號、人工控制、治理稽核與工程審查四面，並顯示重疊 / 衝突控制，不代表 runtime gate、deploy approval、Kali scan 或 Code Review blocking 授權 |
 
 headline 進度要再往上，至少需要下列任一高層 gate 有實質 evidence：
 
diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
index 1d54a43e..a9dea89f 100644
--- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
@@ -4,7 +4,7 @@
 |------|------|
 | 日期 | 2026-05-17 |
 | 狀態 | S0/S1 read-only evidence 建置中 |
-| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract |
+| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 |
 | 原則 | 低摩擦分階段；文件、schema、read-only evidence 優先；不做 runtime enforcement、不切 primary |
 
 ## 0. 本階段完成後整體進度
@@ -70,6 +70,7 @@ python3 scripts/security/security-mirror-progress-guard.py
 | S2.8 IwoooS frontend posture entry | 已完成草案，新增 `/iwooos` read-only Security Posture / Exposure 入口，顯示 58%、35 contracts、Kali / source-control / approval boundary 與 non-blocking lanes | 0 |
 | S2.9 IwoooS posture projection contract | 已完成草案，新增 `iwooos_posture_projection_v1`，把 `/iwooos` 的 posture、progress、lanes、evidence refs 與 forbidden actions 固定成可驗證 snapshot | 0 |
 | S2.10 IwoooS existing frontend surface integration | 已完成草案，將前端既有 `/security-compliance`、`/security`、`/compliance`、`/alerts`、`/errors`、`/authorizations`、`/governance`、`/alert-operation-logs`、`/awooop/approvals`、`/code-review` 收成 IwoooS 只讀索引 | 0 |
+| S2.11 IwoooS surface coverage boundary matrix | 已完成草案，將 10 個既有前端資安頁面分成訊號與暴露面、人工控制、治理與稽核、工程審查四面，並補 5 個重疊 / 衝突控制 | 0 |
 
 headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收，或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。
 
@@ -99,6 +100,7 @@ headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
 | S2.8 IwoooS 前端態勢入口 | 完成草案 | 已新增 `/iwooos`、Sidebar 入口與 Command Palette 入口；以 Security Posture / Exposure Management 方式顯示目前資安網狀態、Kali 112、source-control supply chain、approval boundary、non-blocking lanes 與 evidence refs | 使用者可看懂資安網進度與邊界，但不新增執行按鈕 |
 | S2.9 IwoooS 前端投影契約 | 完成草案 | `iwooos_posture_projection_v1` 已建立，manifest / readiness / route / acceptance / dry-run / event sample 已同步 36 contracts / 33 ready 口徑；guard 會驗證 no action button、no runtime authorization 與 7 條 non-blocking lanes | IwoooS 顯示資料不再只是頁面常數，而是可被 AwoooP / Security Session 驗證的只讀契約 |
 | S2.10 IwoooS 既有前端資安頁面整合 | 完成草案 | `/iwooos` 新增既有資安頁面索引，涵蓋安全合規、舊安全、舊合規、告警、錯誤與 UX 稽核、授權中心、AI 治理、告警操作日誌、AwoooP approvals、AI Code Review | 使用者能從 IwoooS 看懂原本資安能力散在哪些頁面；仍只做 link-only 顯示，不新增 scan / execute / repair / blocking gate |
+| S2.11 IwoooS 覆蓋與邊界矩陣 | 完成草案 | `/iwooos` 新增 coverage / boundary matrix，分成 signals、human control、governance audit、engineering review 四組，並顯示 preserve owner、no runtime lift、Code Review not deploy gate、AwoooP approval not security approval、frontend index not Kali caller 五條控制 | 使用者能理解重疊頁面的責任分界；仍不新增 runtime、Kali、deploy 或 blocking control |
 | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items：7 pending、1 block candidate、0 approved | 不得繞過人工批准；批准後仍需 follow-up runtime gate |
 | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策，不可執行 gate item |
 | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立；目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策，不可把決策當執行 |
diff --git a/docs/security/iwooos-posture-projection.snapshot.json b/docs/security/iwooos-posture-projection.snapshot.json
index d61b90cd..540deeaa 100644
--- a/docs/security/iwooos-posture-projection.snapshot.json
+++ b/docs/security/iwooos-posture-projection.snapshot.json
@@ -35,7 +35,9 @@
     "owner_response_validation_accepted_count": 0,
     "github_primary_ready_count": 0,
     "action_buttons_allowed": false,
-    "existing_frontend_surface_count": 10
+    "existing_frontend_surface_count": 10,
+    "frontend_surface_coverage_group_count": 4,
+    "frontend_surface_conflict_control_count": 5
   },
   "progress": {
     "overall_percent": 58,
@@ -105,6 +107,8 @@
     "display_progress_estimate",
     "display_non_blocking_lanes",
     "display_existing_frontend_security_surfaces",
+    "display_frontend_surface_coverage_matrix",
+    "display_frontend_surface_conflict_controls",
     "display_evidence_refs",
     "display_next_gate",
     "display_forbidden_actions"
@@ -293,5 +297,117 @@
       "action_buttons_allowed": false,
       "not_authorization": true
     }
+  ],
+  "frontend_surface_coverage_groups": [
+    {
+      "group_id": "signals_and_exposure",
+      "display_order": 1,
+      "responsibility_plane": "detect_and_measure",
+      "surface_ids": [
+        "security_compliance",
+        "legacy_security",
+        "legacy_compliance",
+        "alerts",
+        "errors"
+      ],
+      "display_mode": "coverage_only",
+      "overlap_control": "original_surface_retains_ownership",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "group_id": "human_control_boundary",
+      "display_order": 2,
+      "responsibility_plane": "human_gate_visibility",
+      "surface_ids": [
+        "authorizations",
+        "awooop_approvals"
+      ],
+      "display_mode": "coverage_only",
+      "overlap_control": "approval_state_not_runtime_authorization",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "group_id": "governance_and_audit",
+      "display_order": 3,
+      "responsibility_plane": "governance_evidence",
+      "surface_ids": [
+        "governance",
+        "alert_operation_logs"
+      ],
+      "display_mode": "coverage_only",
+      "overlap_control": "audit_event_not_execution_authorization",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "group_id": "engineering_review",
+      "display_order": 4,
+      "responsibility_plane": "code_review_followup",
+      "surface_ids": [
+        "code_review"
+      ],
+      "display_mode": "coverage_only",
+      "overlap_control": "code_review_not_deploy_approval",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    }
+  ],
+  "frontend_surface_conflict_controls": [
+    {
+      "control_id": "preserve_original_route_ownership",
+      "display_order": 1,
+      "control_scope": "route_ownership",
+      "blocked_misread": "iwooos_replaces_original_surface_owner",
+      "display_mode": "conflict_control_only",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "control_id": "no_runtime_lift_from_index",
+      "display_order": 2,
+      "control_scope": "runtime_authority",
+      "blocked_misread": "coverage_matrix_creates_runtime_gate",
+      "display_mode": "conflict_control_only",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "control_id": "code_review_not_deploy_gate",
+      "display_order": 3,
+      "control_scope": "engineering_review",
+      "blocked_misread": "code_review_link_is_deploy_approval",
+      "display_mode": "conflict_control_only",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "control_id": "awooop_approval_not_security_approval",
+      "display_order": 4,
+      "control_scope": "approval_semantics",
+      "blocked_misread": "awooop_approval_equals_security_gate_approval",
+      "display_mode": "conflict_control_only",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "control_id": "frontend_index_does_not_call_kali",
+      "display_order": 5,
+      "control_scope": "kali_boundary",
+      "blocked_misread": "frontend_index_authorizes_active_scan_or_execute",
+      "display_mode": "conflict_control_only",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    }
   ]
 }
diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json
index 32237b35..5a6a8313 100644
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
@@ -636,6 +636,18 @@
       "runtime_delta": false,
       "execution_authorized": false,
       "not_authorization": true
+    },
+    {
+      "delta_id": "s2_11_iwooos_surface_coverage_boundary_matrix",
+      "display_order": 40,
+      "completed_stage": "S2.11 IwoooS surface coverage boundary matrix",
+      "progress_axis": "framework_detail",
+      "headline_percent_delta": 0,
+      "framework_delta_visible": true,
+      "why_headline_unchanged": "IwoooS coverage boundary matrix 只把 10 個既有前端資安頁面分組並顯示重疊 / 衝突控制，不代表 owner response received、production ingestion、approval、runtime gate、Kali scan、Code Review gating 或 execution authorization。",
+      "runtime_delta": false,
+      "execution_authorized": false,
+      "not_authorization": true
     }
   ],
   "next_safe_actions": [
@@ -713,13 +725,15 @@
         "顯示 58% headline、36 contracts、33 ready、0 active runtime gates",
         "顯示 4 個 posture pillars、7 條 non-blocking lanes 與 evidence refs",
         "顯示 forbidden actions 與 next gate，但不提供 action button",
-        "顯示 10 個既有前端資安相關頁面索引：security-compliance、security、compliance、alerts、errors、authorizations、governance、alert-operation-logs、AwoooP approvals、code-review"
+        "顯示 10 個既有前端資安相關頁面索引：security-compliance、security、compliance、alerts、errors、authorizations、governance、alert-operation-logs、AwoooP approvals、code-review",
+        "顯示 4 個 frontend surface coverage groups 與 5 個 conflict controls，協助判讀既有資安頁面的責任邊界"
       ],
       "blocked_processing": [
         "新增 scan / execute / repair button",
         "把 posture projection 當成 runtime authorization",
         "把前端 contract count 當成 GitHub primary、Kali scan 或 repo / refs action approval",
-        "把既有頁面索引當成 scan、execute、repair、approval、Kali active scan、Code Review gating 或 runtime gate 授權"
+        "把既有頁面索引當成 scan、execute、repair、approval、Kali active scan、Code Review gating 或 runtime gate 授權",
+        "把 coverage group 或 conflict control 當成 runtime gate、deploy approval、Kali active scan 或 Code Review blocking 授權"
       ]
     },
     {
@@ -738,6 +752,22 @@
         "把 Code Review 頁面連結當成 blocking gate 或 deploy approval"
       ]
     },
+    {
+      "action_id": "show_iwooos_surface_coverage_boundary_matrix",
+      "title": "IwoooS 顯示前端資安覆蓋與邊界矩陣",
+      "mode": "observe",
+      "source_contract": "iwooos_posture_projection_v1",
+      "allowed_processing": [
+        "顯示 signals / human control / governance audit / engineering review 四個責任面",
+        "顯示 preserve ownership、no runtime lift、Code Review not deploy gate、AwoooP approval not security approval、frontend index not Kali caller 五個衝突控制",
+        "只更新前端可理解度與 read-only projection evidence"
+      ],
+      "blocked_processing": [
+        "把 coverage matrix 當成 runtime authorization",
+        "把 overlap control 當成 approval 或 deploy gate",
+        "新增 scan / execute / repair / Kali / repo / refs / workflow / runner / primary action button"
+      ]
+    },
     {
       "action_id": "mirror_approval_review_packets",
       "title": "AwoooP 顯示 8 個人工審查封包",
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index 0b218219..3f6a360f 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -162,6 +162,7 @@ def validate(root: Path) -> None:
         "s2_8_iwooos_frontend_posture_entry",
         "s2_9_iwooos_posture_projection_contract",
         "s2_10_iwooos_existing_frontend_surface_integration",
+        "s2_11_iwooos_surface_coverage_boundary_matrix",
     ]
     assert_equal(
         "progress_delta_ledger.delta_ids",
@@ -300,6 +301,29 @@ def validate(root: Path) -> None:
         iwooos_projection["summary"]["existing_frontend_surface_count"],
         len(expected_iwooos_surface_ids),
     )
+    expected_iwooos_coverage_group_ids = [
+        "signals_and_exposure",
+        "human_control_boundary",
+        "governance_and_audit",
+        "engineering_review",
+    ]
+    expected_iwooos_conflict_control_ids = [
+        "preserve_original_route_ownership",
+        "no_runtime_lift_from_index",
+        "code_review_not_deploy_gate",
+        "awooop_approval_not_security_approval",
+        "frontend_index_does_not_call_kali",
+    ]
+    assert_equal(
+        "iwooos_projection.summary.frontend_surface_coverage_group_count",
+        iwooos_projection["summary"]["frontend_surface_coverage_group_count"],
+        len(expected_iwooos_coverage_group_ids),
+    )
+    assert_equal(
+        "iwooos_projection.summary.frontend_surface_conflict_control_count",
+        iwooos_projection["summary"]["frontend_surface_conflict_control_count"],
+        len(expected_iwooos_conflict_control_ids),
+    )
     iwooos_progress = iwooos_projection["progress"]
     assert_equal("iwooos_projection.progress.overall_percent", iwooos_progress["overall_percent"], progress["overall_percent"])
     assert_equal(
@@ -374,6 +398,66 @@ def validate(root: Path) -> None:
             f"iwooos_projection.existing_frontend_surfaces.{item['surface_id']}.not_authorization",
             item["not_authorization"],
         )
+    iwooos_coverage_groups = iwooos_projection["frontend_surface_coverage_groups"]
+    assert_equal(
+        "iwooos_projection.frontend_surface_coverage_groups.ids",
+        [item["group_id"] for item in iwooos_coverage_groups],
+        expected_iwooos_coverage_group_ids,
+    )
+    assert_equal(
+        "iwooos_projection.frontend_surface_coverage_groups.display_order",
+        [item["display_order"] for item in iwooos_coverage_groups],
+        list(range(1, len(expected_iwooos_coverage_group_ids) + 1)),
+    )
+    covered_surface_ids = sorted({surface_id for item in iwooos_coverage_groups for surface_id in item["surface_ids"]})
+    assert_equal("iwooos_projection.frontend_surface_coverage_groups.coverage", covered_surface_ids, sorted(expected_iwooos_surface_ids))
+    for item in iwooos_coverage_groups:
+        assert_equal(
+            f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.display_mode",
+            item["display_mode"],
+            "coverage_only",
+        )
+        assert_false(
+            f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.runtime_execution_authorized",
+            item["runtime_execution_authorized"],
+        )
+        assert_false(
+            f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.action_buttons_allowed",
+            item["action_buttons_allowed"],
+        )
+        assert_true(
+            f"iwooos_projection.frontend_surface_coverage_groups.{item['group_id']}.not_authorization",
+            item["not_authorization"],
+        )
+    iwooos_conflict_controls = iwooos_projection["frontend_surface_conflict_controls"]
+    assert_equal(
+        "iwooos_projection.frontend_surface_conflict_controls.ids",
+        [item["control_id"] for item in iwooos_conflict_controls],
+        expected_iwooos_conflict_control_ids,
+    )
+    assert_equal(
+        "iwooos_projection.frontend_surface_conflict_controls.display_order",
+        [item["display_order"] for item in iwooos_conflict_controls],
+        list(range(1, len(expected_iwooos_conflict_control_ids) + 1)),
+    )
+    for item in iwooos_conflict_controls:
+        assert_equal(
+            f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.display_mode",
+            item["display_mode"],
+            "conflict_control_only",
+        )
+        assert_false(
+            f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.runtime_execution_authorized",
+            item["runtime_execution_authorized"],
+        )
+        assert_false(
+            f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.action_buttons_allowed",
+            item["action_buttons_allowed"],
+        )
+        assert_true(
+            f"iwooos_projection.frontend_surface_conflict_controls.{item['control_id']}.not_authorization",
+            item["not_authorization"],
+        )
     assert_equal(
         "iwooos_projection.non_blocking_lane_ids",
         iwooos_projection["non_blocking_lane_ids"],
@@ -392,6 +476,8 @@ def validate(root: Path) -> None:
         "display_progress_estimate",
         "display_non_blocking_lanes",
         "display_existing_frontend_security_surfaces",
+        "display_frontend_surface_coverage_matrix",
+        "display_frontend_surface_conflict_controls",
         "display_evidence_refs",
         "display_forbidden_actions",
     ]: