From b088f77bee108cfa286fa2f576e4d557248e9583 Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Wed, 20 May 2026 16:18:43 +0800
Subject: [PATCH] feat(web): show IwoooS security contracts in AwoooP

---
 apps/web/messages/en.json                     |  28 +++++
 apps/web/messages/zh-TW.json                  |  28 +++++
 .../app/[locale]/awooop/contracts/page.tsx    | 112 ++++++++++++++++++
 docs/LOGBOOK.md                               |  14 +++
 .../security/SECURITY-MIRROR-STATUS-ROLLUP.md |   2 +
 .../SECURITY-SUPPLY-CHAIN-PROGRESS.md         |   5 +-
 ...ecurity-mirror-status-rollup.snapshot.json |  31 ++++-
 .../security-mirror-progress-guard.py         |  48 ++++++++
 8 files changed, 266 insertions(+), 2 deletions(-)

diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json
index d6b0f561..a6e32203 100644
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -3764,6 +3764,34 @@
         "item4": "Open the AwoooP work map"
       }
     },
+    "contracts": {
+      "securityContractCandidate": {
+        "title": "IwoooS Security Contract Read-only Candidate",
+        "subtitle": "The contract dashboard only shows the schema, snapshot, and guard semantics that IwoooS / security mirror currently depends on. This is not contract publishing and does not trigger a runtime gate.",
+        "badge": "Contract candidate",
+        "contractRefsTitle": "Read-only contract refs",
+        "boundaryLabel": "Contract Boundary",
+        "boundaryTitle": "No security contract is publishable here",
+        "boundaryDetail": "This panel does not publish contract revisions, change contract lifecycle, write to the platform contracts API, call GitHub / Gitea / Kali, or add scan, execute, deploy, primary switch, or refs actions.",
+        "openIwooos": "Open IwoooS",
+        "metrics": {
+          "totalContracts": "Total contracts",
+          "totalContractsDetail": "Security mirror currently rolls up 36 primary contracts.",
+          "readyForMirror": "Ready for mirror",
+          "readyForMirrorDetail": "33 ready, 2 partial, 1 contract-only, and 0 blocked.",
+          "partialReady": "Partial",
+          "partialReadyDetail": "Remaining gaps are owner response, payload ingestion, and source-control owner evidence.",
+          "activeRuntimeGates": "Active runtime gates",
+          "activeRuntimeGatesDetail": "Still 0; contract visibility is not runtime enforcement."
+        },
+        "contractRefs": {
+          "statusRollup": "The shared state entrypoint for AwoooP and the Security Session; it only rolls up progress and safe gates.",
+          "postureProjection": "The projection contract for IwoooS posture, host coverage, owner response focus, and forbidden actions.",
+          "ownerValidation": "The S4.9-S4.12 owner response received / accepted separation and reviewer check semantics.",
+          "rolloutPolicy": "The low-friction, observe-first rollout policy with owner review before blocking."
+        }
+      }
+    },
     "approvals": {
       "securityOwnerResponseGate": {
         "title": "IwoooS Owner Response Read-only Review Focus",
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json
index 4bc7cf24..a1870a63 100644
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -3765,6 +3765,34 @@
         "item4": "查看 AwoooP 工作鏈路地圖"
       }
     },
+    "contracts": {
+      "securityContractCandidate": {
+        "title": "IwoooS 資安契約只讀候選",
+        "subtitle": "合約儀表板只顯示 IwoooS / security mirror 目前依賴的 schema、snapshot 與 guard 口徑；這不是 contract publish，也不會觸發 runtime gate。",
+        "badge": "契約候選",
+        "contractRefsTitle": "只讀 contract refs",
+        "boundaryLabel": "合約邊界",
+        "boundaryTitle": "目前沒有可發布的資安合約",
+        "boundaryDetail": "這個面板不發布 contract revision、不改合約生命週期、不寫入 platform contracts API、不呼叫 GitHub / Gitea / Kali，也不新增 scan、execute、deploy、primary switch 或 refs action。",
+        "openIwooos": "開啟 IwoooS",
+        "metrics": {
+          "totalContracts": "總 contracts",
+          "totalContractsDetail": "security mirror 目前彙整 36 個主要 contract。",
+          "readyForMirror": "Ready for mirror",
+          "readyForMirrorDetail": "33 個 ready、2 個 partial、1 個 contract-only、0 blocked。",
+          "partialReady": "Partial",
+          "partialReadyDetail": "缺口仍集中在 owner response、payload ingestion 與 source-control owner evidence。",
+          "activeRuntimeGates": "Active runtime gates",
+          "activeRuntimeGatesDetail": "仍為 0；合約可見性不等於 runtime enforcement。"
+        },
+        "contractRefs": {
+          "statusRollup": "AwoooP / Security Session 的共同狀態入口，只彙整進度與安全 gate。",
+          "postureProjection": "IwoooS 前端態勢、主機覆蓋、owner response focus 與禁止動作的投影契約。",
+          "ownerValidation": "S4.9-S4.12 owner response received / accepted 分離與 reviewer 檢查口徑。",
+          "rolloutPolicy": "低摩擦、observe-first、owner review before blocking 的 rollout policy。"
+        }
+      }
+    },
     "approvals": {
       "securityOwnerResponseGate": {
         "title": "IwoooS Owner Response 只讀審查焦點",
diff --git a/apps/web/src/app/[locale]/awooop/contracts/page.tsx b/apps/web/src/app/[locale]/awooop/contracts/page.tsx
index 25960035..206549e0 100644
--- a/apps/web/src/app/[locale]/awooop/contracts/page.tsx
+++ b/apps/web/src/app/[locale]/awooop/contracts/page.tsx
@@ -6,12 +6,16 @@
 "use client";
 
 import { useState, useEffect, useCallback } from "react";
+import { useTranslations } from "next-intl";
+import { Link } from "@/i18n/routing";
 import {
+  ArrowRight,
   FileText,
   RefreshCw,
   AlertCircle,
   Filter,
   ChevronDown,
+  ShieldCheck,
 } from "lucide-react";
 import { cn } from "@/lib/utils";
 
@@ -136,6 +140,112 @@ function ContractRow({ contract }: { contract: Contract }) {
   );
 }
 
+function SecurityContractCandidatePanel() {
+  const t = useTranslations("awooop.contracts.securityContractCandidate");
+  const metrics = [
+    {
+      label: t("metrics.totalContracts"),
+      value: "36",
+      detail: t("metrics.totalContractsDetail"),
+    },
+    {
+      label: t("metrics.readyForMirror"),
+      value: "33",
+      detail: t("metrics.readyForMirrorDetail"),
+    },
+    {
+      label: t("metrics.partialReady"),
+      value: "2",
+      detail: t("metrics.partialReadyDetail"),
+    },
+    {
+      label: t("metrics.activeRuntimeGates"),
+      value: "0",
+      detail: t("metrics.activeRuntimeGatesDetail"),
+    },
+  ];
+  const contracts = [
+    {
+      name: "security_mirror_status_rollup_v1",
+      detail: t("contractRefs.statusRollup"),
+    },
+    {
+      name: "iwooos_posture_projection_v1",
+      detail: t("contractRefs.postureProjection"),
+    },
+    {
+      name: "source_control_owner_response_validation_rollup_v1",
+      detail: t("contractRefs.ownerValidation"),
+    },
+    {
+      name: "security_rollout_policy_v1",
+      detail: t("contractRefs.rolloutPolicy"),
+    },
+  ];
+
+  return (
+    <section className="overflow-hidden border border-[#e0ddd4] bg-white">
+      <div className="flex flex-wrap items-start justify-between gap-3 border-b border-[#e0ddd4] bg-[#faf9f3] px-4 py-3">
+        <div className="flex items-start gap-2">
+          <ShieldCheck className="mt-0.5 h-4 w-4 text-[#d97757]" aria-hidden="true" />
+          <div>
+            <h3 className="text-sm font-semibold text-[#141413]">{t("title")}</h3>
+            <p className="mt-1 max-w-3xl text-xs leading-5 text-[#77736a]">{t("subtitle")}</p>
+          </div>
+        </div>
+        <span className="inline-flex border border-[#9bb6d9] bg-[#eef5ff] px-2 py-0.5 text-xs font-semibold text-[#1f5b9b]">
+          {t("badge")}
+        </span>
+      </div>
+
+      <div className="grid gap-px bg-[#e0ddd4] md:grid-cols-2 xl:grid-cols-4">
+        {metrics.map((item) => (
+          <div key={item.label} className="bg-white px-4 py-3">
+            <p className="text-xs font-semibold text-[#77736a]">{item.label}</p>
+            <p className="mt-2 font-mono text-2xl font-semibold text-[#141413]">{item.value}</p>
+            <p className="mt-2 text-xs leading-5 text-[#5f5b52]">{item.detail}</p>
+          </div>
+        ))}
+      </div>
+
+      <div className="grid min-w-0 gap-4 p-4 xl:grid-cols-[1.1fr_0.9fr]">
+        <div className="min-w-0 border border-[#e0ddd4] bg-white">
+          <div className="border-b border-[#e0ddd4] bg-[#faf9f3] px-4 py-3 text-xs font-semibold text-[#141413]">
+            {t("contractRefsTitle")}
+          </div>
+          <div className="divide-y divide-[#eee9dd]">
+            {contracts.map((item) => (
+              <div key={item.name} className="px-4 py-3">
+                <p className="break-all font-mono text-xs font-semibold text-[#141413]">{item.name}</p>
+                <p className="mt-1 text-xs leading-5 text-[#5f5b52]">{item.detail}</p>
+              </div>
+            ))}
+          </div>
+        </div>
+
+        <div className="min-w-0 border border-[#e0ddd4] bg-[#faf9f3] px-4 py-3">
+          <p className="text-xs font-semibold text-[#77736a]">{t("boundaryLabel")}</p>
+          <p className="mt-2 text-sm font-semibold text-[#141413]">{t("boundaryTitle")}</p>
+          <p className="mt-2 text-xs leading-5 text-[#5f5b52]">{t("boundaryDetail")}</p>
+          <div className="mt-4 grid gap-2 font-mono text-xs text-[#141413]">
+            <span>contract_publish_authorized=false</span>
+            <span>contract_mutation_authorized=false</span>
+            <span>runtime_execution_authorized=false</span>
+            <span>action_buttons_allowed=false</span>
+          </div>
+          <Link
+            href="/iwooos"
+            className="mt-4 inline-flex items-center gap-2 border border-[#d8d3c7] bg-white px-3 py-1.5 text-xs font-semibold text-[#141413] hover:border-[#d97757]"
+          >
+            {t("openIwooos")}
+            <ArrowRight className="h-3.5 w-3.5 text-[#77736a]" aria-hidden="true" />
+          </Link>
+        </div>
+      </div>
+    </section>
+  );
+}
+
 // =============================================================================
 // Main Component
 // =============================================================================
@@ -206,6 +316,8 @@ export default function ContractsPage() {
         </button>
       </div>
 
+      <SecurityContractCandidatePanel />
+
       {/* Filters */}
       <div className="flex items-center gap-3 border border-[#e0ddd4] bg-white p-4">
         <Filter className="w-4 h-4 text-muted-foreground flex-shrink-0" aria-hidden="true" />
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 2f867256..63f4a3bc 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,17 @@
+## 2026-05-20 | 資安供應鏈 S2.56：AwoooP Contracts IwoooS Security Contract Candidate
+
+**背景**：S2.53-S2.55 已把 IwoooS 資安鏡像接到 AwoooP 首頁、工作鏈路與審批佇列；本輪把同一組只讀契約口徑放進 `/awooop/contracts`，讓使用者能在合約儀表板理解 IwoooS 依賴哪些 schema / snapshot / guard，而不是把資安狀態只看成頁面文案。
+
+**完成**：
+- `/awooop/contracts` 新增「IwoooS 資安契約只讀候選」面板，顯示 `security_mirror_status_rollup_v1`、`iwooos_posture_projection_v1`、`source_control_owner_response_validation_rollup_v1`、`security_rollout_policy_v1` 四個只讀 contract refs。
+- 面板顯示 total contracts=36、ready=33、partial=2、active runtime gates=0，並以 `/iwooos` 作為只讀入口。
+- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_56_awooop_contracts_iwooos_security_contract_candidate`，並新增 `show_awooop_contracts_iwooos_security_contract_candidate` next safe action。
+- `security-mirror-progress-guard.py` 開始驗證 AwoooP contracts 面板、IwoooS link、四個 contract refs、四個 false 邊界與 i18n 鍵。
+
+**仍禁止**：
+- AwoooP contracts 的 S2.56 面板不代表 contract publish、contract lifecycle mutation、platform contracts API write、runtime gate、execution router、action button、Kali `/execute`、SSH 登入、主機更新、GitHub primary、Gitea/GitHub refs mutation 或 blocking control。
+- 整體資安網 headline 仍是 58%；框架 / 治理 / 文件 / schema / read-only evidence 仍約 80-85%；真正落地執行 / runtime ingestion / GitHub primary / AwoooP production landing 仍約 35-40%。
+
 ## 2026-05-20 | 資安供應鏈 S2.55：AwoooP Approvals IwoooS Owner Response Gate Candidate
 
 **背景**：S2.53 / S2.54 已把 IwoooS 資安鏡像放進 AwoooP 首頁與工作鏈路；本輪補上 `/awooop/approvals` 的只讀審批視野，讓使用者在審批佇列也能看見下一個 owner response 收件焦點，但不把它混成真正 approval record。
diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
index 8d6a6514..f9941ca9 100644
--- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
+++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
@@ -37,6 +37,7 @@
 | IwoooS frontend posture | S2.8 已新增 `/iwooos` read-only Information Security 入口；顯示 Security Posture / Exposure、source-control supply chain、Kali 112 Mesh、approval boundary、non-blocking lanes 與 evidence refs；不新增執行按鈕 |
 | IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；S2.13 已補 7 個 owner evidence readiness items；S2.14 已補 3 個 host coverage items：Kali 112、開發主機 168、開發主機 111；S2.15 已補 6 個 host action gate items；S2.16 已補 7 個 host evidence readiness items；S2.17 已補 7 個 host evidence collection order steps；S2.18 已補 7 個 host evidence intake preflight checks；S2.19 已補 7 個 host evidence review outcome lanes；S2.20 已補 7 個 host evidence review handoff packets；S2.21 已補 7 個 host evidence reviewer checklist items；S2.22 已補 7 個 host evidence reviewer outcome lanes；S2.23 已補 7 個 host owner decision candidate packets；S2.24 已補 7 個 host owner decision review checklist items；S2.25 已補 7 個 host owner decision review outcome lanes；S2.26 已補 7 個 host owner decision record draft packets；S2.27 已補 7 個 host owner decision record draft review checklist items；S2.28 已補 7 個 host owner decision record draft review outcome lanes；S2.29 已補 7 個 host owner decision record write-up packets；S2.30 已補 7 個 host owner decision record write-up review checklist items；S2.31 已補 7 個 host owner decision record write-up review outcome lanes；S2.32 已補 7 個 host owner decision record formal candidate packets；S2.33 已補 7 個 host owner decision record formal candidate review checklist items；S2.34 已補 8 個 host owner decision record formal candidate review outcome lanes；S2.35 已補 8 個 host owner decision record formal record queue packets；S2.36 已補 8 個 host owner decision record formal record queue review checklist items；S2.37 已補 8 個 host owner decision record formal record queue review outcome lanes；S2.38 已補 8 個 host owner decision record human handoff readiness packets；S2.39 已補 8 個 host owner decision record human handoff readiness review checklist items；S2.40 已補 9 個 host owner decision record human handoff readiness review outcome lanes；S2.41 已補 9 個 host owner decision record human record owner review candidate packets；S2.42 已補 9 個 host owner decision record human record owner review candidate checklist items；S2.43 已補 9 個 host owner decision record human record owner review candidate outcome lanes；S2.44 已補 9 個 host owner decision record human record owner review preparation packets；S2.45 已補 9 個 host owner decision record human record owner review preparation checklist items；S2.46 已補 6 條 progress acceleration lanes，顯示 58% holding 原因與下一個高層解鎖 gate；S2.47 已補 4 個 owner response next-action focus items，顯示 S4.9 為下一個收件焦點且 S4.10-S4.12 依序排隊；S2.48 已補 6 個 S4.9 owner response preflight checks，讓下一個 P0 owner response 的可收件條件可見；S2.49 已補 5 個 S4.9 owner response request templates，讓 owner 要逐項回覆的五題可見；S2.50 已補 5 個 progress hold movement gates，解釋為什麼 58% 仍維持且五個真實 movement signal 都是 0 / false；S2.51 已補 6 個 AwoooP read-only landing readiness items，讓另一個 AwoooP Session 可照 snapshot / evidence / guard / route / forbidden outputs 接入；S2.52 已補 6 個 AwoooP cross-session handoff packets，固定 PR / branch anchor、progress semantics、guard commands、forbidden runtime actions、read-only inputs 與 next coordination gate；S2.53 已把 IwoooS / security mirror 狀態放進 AwoooP 首頁只讀候選面板，顯示 58%、80-85%、35-40%、active gates 0 與四個接入檢查；S2.54 已把 IwoooS / security mirror 狀態放進 AwoooP 工作鏈路觀察項；仍不新增 action button |
 | AwoooP approvals IwoooS owner response focus | S2.55 已把 S4.9-S4.12 owner response 下一個人工收件焦點放進 `/awooop/approvals` 只讀面板；received=0、accepted=0、active runtime gates=0、headline=58%、approval_record_created=false；仍不新增 approve、execute、deploy、primary switch、refs action 或 runtime gate |
+| AwoooP contracts IwoooS security contract candidate | S2.56 已把四個 security mirror contract refs 放進 `/awooop/contracts` 只讀面板；total contracts=36、ready=33、partial=2、active runtime gates=0、contract_publish_authorized=false；仍不發布 contract revision、不改 lifecycle、不寫 platform contracts API、不新增 action button |
 | Dry-run | `contract_defined_not_executed`；已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`，latest local validation 為 `repo_snapshot_guard_pass`，仍不代表 production ingestion |
 | Runtime actions | `false` |
 | Payload ingestion | `false` |
@@ -140,6 +141,7 @@
 | S2.53 AwoooP home IwoooS security mirror candidate | framework detail | 0 | 只把 IwoooS / security mirror 狀態放進 AwoooP 首頁只讀候選面板；production_landing_enabled=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false，不把候選面板當 production landing、runtime gate、execution router 或 action button |
 | S2.54 AwoooP work-items IwoooS security mirror candidate | framework detail | 0 | 只把 IwoooS / security mirror 狀態放進 AwoooP 工作鏈路觀察項；production_landing_enabled=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false，不把觀察項當 production landing、runtime gate、execution router、scan、execute、repair、deploy、primary switch 或 refs action |
 | S2.55 AwoooP approvals IwoooS owner response gate candidate | framework detail | 0 | 只把 S4.9-S4.12 owner response 下一個人工收件焦點放進 AwoooP 審批視野；approval_record_created=false、owner_response_accepted_count=0、runtime_execution_authorized=false、action_buttons_allowed=false，不把面板當 approval record、runtime gate、execution router 或 action button |
+| S2.56 AwoooP contracts IwoooS security contract candidate | framework detail | 0 | 只把四個 security mirror contract refs 放進 AwoooP 合約儀表板只讀視野；contract_publish_authorized=false、contract_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false，不把面板當 contract publish、lifecycle mutation、runtime gate、execution router 或 action button |
 
 headline 進度要再往上，至少需要下列任一高層 gate 有實質 evidence：
 
diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
index 94ef90a6..1f990a71 100644
--- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
@@ -5,6 +5,7 @@
 | 日期 | 2026-05-17 |
 | 狀態 | S0/S1 read-only evidence 建置中 |
 | 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 |
+| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 |
 | 原則 | 低摩擦分階段；文件、schema、read-only evidence 優先；不做 runtime enforcement、不切 primary |
 
 ## 0. 本階段完成後整體進度
@@ -27,7 +28,7 @@ python3 scripts/security/security-mirror-progress-guard.py
 
 ### 0.2 Headline 58% 不代表停滯
 
-近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry，以及 S2.9-S2.55 IwoooS posture projection contract 都是有效進展，但它們是 framework detail，不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%，避免把只讀框架誤算成已落地執行。
+近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry，以及 S2.9-S2.56 IwoooS / AwoooP security projection contract 都是有效進展，但它們是 framework detail，不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%，避免把只讀框架誤算成已落地執行。
 
 S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate：owner response accepted、redacted payload ingestion、active runtime gate、GitHub primary ready、AwoooP read-only landing。這五個 gate 目前仍全部是 0 / false，所以 headline 不應被灌水提高。
 
@@ -117,6 +118,7 @@ S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate：owner respons
 | S2.53 AwoooP home IwoooS security mirror candidate | 已完成草案，將 IwoooS / security mirror headline、framework、runtime、active gates 與四個接入檢查放入 AwoooP 首頁只讀候選面板；production_landing_enabled 仍為 false | 0 |
 | S2.54 AwoooP work-items IwoooS security mirror candidate | 已完成草案，將 IwoooS / security mirror 顯示成 AwoooP 工作鏈路的觀察期只讀工作項；production_landing_enabled 仍為 false，active runtime gates 仍為 0 | 0 |
 | S2.55 AwoooP approvals IwoooS owner response gate candidate | 已完成草案，將 S4.9-S4.12 owner response 下一個人工收件焦點放進 AwoooP 審批佇列的只讀面板；approval_record_created=false、runtime gate 仍為 0 | 0 |
+| S2.56 AwoooP contracts IwoooS security contract candidate | 已完成草案，將四個 security mirror contract refs 放進 AwoooP 合約儀表板只讀面板；contract_publish_authorized=false、runtime gate 仍為 0 | 0 |
 
 headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收，或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。
 
@@ -191,6 +193,7 @@ headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
 | S2.53 AwoooP Home IwoooS Security Mirror Candidate | 完成草案 | `/awooop` 首頁新增 IwoooS 資安鏡像候選面板，顯示 58%、80-85%、35-40%、0 active runtime gates 與 projection / guard / owner response / production landing 四個檢查 | 使用者能在 AwoooP 首頁直接感受到資安網狀態；候選面板仍不是 production landing enabled、execution router、runtime gate、action button 或 headline 加分 |
 | S2.54 AwoooP Work-Items IwoooS Security Mirror Candidate | 完成草案 | `/awooop/work-items` 新增 S2.54 IwoooS 資安鏡像只讀工作項，顯示 58%、80-85%、35-40%、active runtime gates=0、owner response waiting 與 false 邊界，並連到 `/iwooos` | 使用者能在工作鏈路追蹤資安網，而不是只看首頁摘要；觀察項仍不是 production landing enabled、execution router、runtime gate、action button 或 headline 加分 |
 | S2.55 AwoooP Approvals IwoooS Owner Response Gate Candidate | 完成草案 | `/awooop/approvals` 新增 IwoooS owner response 只讀審查焦點，顯示 S4.9-S4.12 收件順序、received=0、accepted=0、active runtime gates=0、headline=58%，並連到 `/iwooos` | 使用者能在審批佇列理解下一個人工收件焦點；面板仍不是 approval record、runtime gate、execution router、action button 或 headline 加分 |
+| S2.56 AwoooP Contracts IwoooS Security Contract Candidate | 完成草案 | `/awooop/contracts` 新增 IwoooS 資安契約只讀候選，顯示四個 security mirror contract refs、36 total、33 ready、2 partial、active runtime gates=0，並連到 `/iwooos` | 使用者能在合約儀表板理解資安網背後的契約來源；面板仍不是 contract publish、lifecycle mutation、runtime gate、execution router、action button 或 headline 加分 |
 | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items：7 pending、1 block candidate、0 approved | 不得繞過人工批准；批准後仍需 follow-up runtime gate |
 | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策，不可執行 gate item |
 | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立；目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策，不可把決策當執行 |
diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json
index 4cc599db..2a02f9fd 100644
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
@@ -1130,6 +1130,18 @@
       "runtime_delta": false,
       "execution_authorized": false,
       "not_authorization": true
+    },
+    {
+      "delta_id": "s2_56_awooop_contracts_iwooos_security_contract_candidate",
+      "display_order": 85,
+      "completed_stage": "S2.56 AwoooP contracts IwoooS security contract candidate",
+      "progress_axis": "framework_detail",
+      "headline_percent_delta": 0,
+      "framework_delta_visible": true,
+      "why_headline_unchanged": "AwoooP contracts IwoooS security contract candidate 只把 security_mirror_status_rollup_v1、iwooos_posture_projection_v1、source_control_owner_response_validation_rollup_v1 與 security_rollout_policy_v1 放進合約儀表板只讀視野；contract_publish_authorized=false，runtime gate 仍未啟用。",
+      "runtime_delta": false,
+      "execution_authorized": false,
+      "not_authorization": true
     }
   ],
   "next_safe_actions": [
@@ -1214,6 +1226,22 @@
         "從 AwoooP approvals 面板建立 runtime gate、approve action、GitHub/Gitea action、Kali action 或 refs action"
       ]
     },
+    {
+      "action_id": "show_awooop_contracts_iwooos_security_contract_candidate",
+      "title": "AwoooP 合約儀表板顯示 IwoooS 資安契約候選",
+      "mode": "observe",
+      "source_contract": "security_mirror_status_rollup_v1",
+      "allowed_processing": [
+        "在 /awooop/contracts 顯示 security mirror 的四個只讀 contract refs",
+        "顯示 total contracts=36、ready=33、partial=2、active runtime gates=0",
+        "連到 /iwooos 只讀入口，不發布 contract revision、不改 lifecycle、不新增 scan、execute、deploy、primary switch、refs action 或 runtime gate"
+      ],
+      "blocked_processing": [
+        "把 AwoooP contracts 面板當成 contract_publish_authorized",
+        "從 AwoooP contracts 面板寫入 platform contracts API 或修改 contract lifecycle",
+        "從 AwoooP contracts 面板建立 runtime gate、GitHub/Gitea action、Kali action、secret action 或 refs action"
+      ]
+    },
     {
       "action_id": "mirror_low_friction_non_blocking_lanes",
       "title": "AwoooP 顯示低摩擦非阻擋升級分流",
@@ -1582,7 +1610,8 @@
     "S2.52 新增 IwoooS AwoooP cross-session handoff packets；awooop_cross_session_handoff_packet_count=6，顯示 PR/branch anchor、progress semantics、required guard commands、forbidden runtime actions、read-only inputs 與 next coordination gate；production_landing_enabled=false、execution_router_linked=false、progress_change_applied=false，不把 handoff 當 merge、deploy、primary switch、refs mutation、guard skip 或 production consumption。",
     "S2.53 新增 AwoooP home IwoooS security mirror candidate；AwoooP 首頁以只讀候選方式顯示 headline 58%、framework 80-85%、runtime 35-40%、active runtime gates 0 與四個接入檢查；production_landing_enabled=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false，不把首頁候選面板當 production landing、runtime gate、execution router 或 action button。",
     "S2.54 新增 AwoooP work-items IwoooS security mirror candidate；AwoooP 工作鏈路以觀察期只讀工作項顯示 S2.54、IwoooS / security mirror、headline 58%、framework 80-85%、runtime 35-40%、active runtime gates 0 與 owner response waiting；production_landing_enabled=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false，不把工作項當 production landing、runtime gate、execution router 或 action button。",
-    "S2.55 新增 AwoooP approvals IwoooS owner response gate candidate；AwoooP 審批佇列以只讀焦點顯示 S4.9-S4.12 owner response 收件順序、received=0、accepted=0、active runtime gates=0、headline=58%；approval_record_created=false、owner_response_accepted_count=0、runtime_execution_authorized=false、action_buttons_allowed=false，不把 approvals 面板當 owner response received/accepted、approval record、runtime gate、execution router 或 action button。"
+    "S2.55 新增 AwoooP approvals IwoooS owner response gate candidate；AwoooP 審批佇列以只讀焦點顯示 S4.9-S4.12 owner response 收件順序、received=0、accepted=0、active runtime gates=0、headline=58%；approval_record_created=false、owner_response_accepted_count=0、runtime_execution_authorized=false、action_buttons_allowed=false，不把 approvals 面板當 owner response received/accepted、approval record、runtime gate、execution router 或 action button。",
+    "S2.56 新增 AwoooP contracts IwoooS security contract candidate；AwoooP 合約儀表板以只讀候選顯示 security_mirror_status_rollup_v1、iwooos_posture_projection_v1、source_control_owner_response_validation_rollup_v1、security_rollout_policy_v1、total contracts=36、ready=33、partial=2、active runtime gates=0；contract_publish_authorized=false、contract_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false，不把 contracts 面板當 contract publish、lifecycle mutation、runtime gate、execution router 或 action button。"
   ],
   "forbidden_actions": [
     "start_kali_scan",
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index e16b9fcf..140fe2a5 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -64,6 +64,9 @@ def validate(root: Path) -> None:
     awooop_approvals_page = (
         root / "apps" / "web" / "src" / "app" / "[locale]" / "awooop" / "approvals" / "page.tsx"
     ).read_text(encoding="utf-8")
+    awooop_contracts_page = (
+        root / "apps" / "web" / "src" / "app" / "[locale]" / "awooop" / "contracts" / "page.tsx"
+    ).read_text(encoding="utf-8")
     web_messages_zh = load_json(root / "apps" / "web" / "messages" / "zh-TW.json")
     web_messages_en = load_json(root / "apps" / "web" / "messages" / "en.json")
 
@@ -223,6 +226,7 @@ def validate(root: Path) -> None:
         "s2_53_awooop_home_iwooos_security_mirror_candidate",
         "s2_54_awooop_work_items_iwooos_security_mirror_candidate",
         "s2_55_awooop_approvals_iwooos_owner_response_gate_candidate",
+        "s2_56_awooop_contracts_iwooos_security_contract_candidate",
     ]
     assert_equal(
         "progress_delta_ledger.delta_ids",
@@ -267,6 +271,11 @@ def validate(root: Path) -> None:
         [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)],
         "show_awooop_approvals_iwooos_owner_response_gate_candidate",
     )
+    assert_contains(
+        "rollup.next_safe_actions.action_ids",
+        [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)],
+        "show_awooop_contracts_iwooos_security_contract_candidate",
+    )
 
     assert_equal("rollout_policy.schema_version", rollout_policy["schema_version"], "security_rollout_policy_v1")
     assert_equal("rollout_policy.default_mode", rollout_policy["default_mode"], "observe")
@@ -4890,6 +4899,45 @@ def validate(root: Path) -> None:
             key,
         )
 
+    assert_text_contains("awooop_contracts_page.security_contract_candidate_panel", awooop_contracts_page, "SecurityContractCandidatePanel")
+    assert_text_contains("awooop_contracts_page.iwooos_link", awooop_contracts_page, 'href="/iwooos"')
+    for text in [
+        "contract_publish_authorized=false",
+        "contract_mutation_authorized=false",
+        "runtime_execution_authorized=false",
+        "action_buttons_allowed=false",
+    ]:
+        assert_text_contains("awooop_contracts_page.security_contract_boundary", awooop_contracts_page, text)
+    for text in [
+        "security_mirror_status_rollup_v1",
+        "iwooos_posture_projection_v1",
+        "source_control_owner_response_validation_rollup_v1",
+        "security_rollout_policy_v1",
+    ]:
+        assert_text_contains("awooop_contracts_page.security_contract_refs", awooop_contracts_page, text)
+    for key in [
+        "title",
+        "subtitle",
+        "badge",
+        "contractRefsTitle",
+        "boundaryLabel",
+        "boundaryTitle",
+        "boundaryDetail",
+        "openIwooos",
+        "metrics",
+        "contractRefs",
+    ]:
+        assert_contains(
+            "web_messages.zh-TW.awooop.contracts.securityContractCandidate",
+            list(web_messages_zh["awooop"]["contracts"]["securityContractCandidate"].keys()),
+            key,
+        )
+        assert_contains(
+            "web_messages.en.awooop.contracts.securityContractCandidate",
+            list(web_messages_en["awooop"]["contracts"]["securityContractCandidate"].keys()),
+            key,
+        )
+
     owner_summary = owner_rollup["summary"]
     assert_equal("owner_rollup.total_received_response_count", owner_summary["total_received_response_count"], 0)
     assert_equal("owner_rollup.total_accepted_response_count", owner_summary["total_accepted_response_count"], 0)