feat(web): add IwoooS evidence readiness

2026-05-19 20:56:04 +08:00
parent e5a444ed9c
commit bcf7f6448c
11 changed files with 447 additions and 5 deletions
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -1218,6 +1218,48 @@
        }
      }
    },
+    "evidenceReadiness": {
+      "title": "Owner Evidence Readiness",
+      "subtitle": "Shows the evidence that can actually move headline progress. Every item is waiting for collection or human decision and does not trigger execution from the frontend.",
+      "unlockLabel": "Unlock condition",
+      "items": {
+        "giteaOwnerAttestation": {
+          "title": "Gitea owner attestation",
+          "body": "The recommended first collection item is S4.9, covering Gitea inventory coverage and owner disposition.",
+          "unlock": "redacted owner response received and accepted"
+        },
+        "githubTargetOwner": {
+          "title": "GitHub target owner",
+          "body": "Confirms GitHub targets, visibility, canonical owner, and whether repos can enter primary readiness.",
+          "unlock": "S4.10 owner response accepted"
+        },
+        "refsTruthOwner": {
+          "title": "Refs truth owner",
+          "body": "Confirms truth for main/dev, deprecated drift, release tags, and GitHub-only refs.",
+          "unlock": "S4.11 refs truth response accepted"
+        },
+        "workflowSecretOwner": {
+          "title": "Workflow / secret name owner",
+          "body": "Confirms workflow, webhook, runner, deploy key, branch protection, and secret name parity.",
+          "unlock": "S4.12 workflow / secret response accepted"
+        },
+        "redactedFindingIngestion": {
+          "title": "Redacted finding ingestion",
+          "body": "Kali findings and security findings must enter mirror as redacted payloads before any runtime path.",
+          "unlock": "human-approved redacted finding ingestion"
+        },
+        "kaliScanScope": {
+          "title": "Kali scan scope",
+          "body": "Kali 112, 111, and 168 remain observe-only; active scan and /execute require separate approval.",
+          "unlock": "scan scope approval plus follow-up gate"
+        },
+        "followupRuntimeGate": {
+          "title": "Follow-up runtime gate",
+          "body": "Real execution waits for a human decision record and a separate follow-up runtime gate.",
+          "unlock": "decision record accepted; active gates remain 0"
+        }
+      }
+    },
    "nextGate": {
      "title": "Next High-level Gate",
      "body": "S4.9 Gitea owner attestation response is the recommended next owner evidence. Headline progress should only increase after owner responses, redacted payload ingestion, active runtime gates, or GitHub primary readiness actually change."
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -1219,6 +1219,48 @@
        }
      }
    },
+    "evidenceReadiness": {
+      "title": "Owner Evidence Readiness",
+      "subtitle": "這裡顯示 headline 進度下一步真正需要的 evidence。每一項都是等待收件或人工決策，不會從前端直接觸發任何執行。",
+      "unlockLabel": "解除條件",
+      "items": {
+        "giteaOwnerAttestation": {
+          "title": "Gitea owner attestation",
+          "body": "目前建議先收 S4.9，補齊 Gitea 清冊覆蓋與 owner 判定。",
+          "unlock": "收到並接受脫敏 owner response"
+        },
+        "githubTargetOwner": {
+          "title": "GitHub target owner",
+          "body": "確認 GitHub target、visibility、canonical owner 與 repo 是否可進 primary readiness。",
+          "unlock": "S4.10 owner response accepted"
+        },
+        "refsTruthOwner": {
+          "title": "Refs truth owner",
+          "body": "確認 main/dev truth、deprecated drift、release tags 與 GitHub-only refs 的真相來源。",
+          "unlock": "S4.11 refs truth response accepted"
+        },
+        "workflowSecretOwner": {
+          "title": "Workflow / secret name owner",
+          "body": "確認 workflow、webhook、runner、deploy key、branch protection、secret name parity。",
+          "unlock": "S4.12 workflow / secret response accepted"
+        },
+        "redactedFindingIngestion": {
+          "title": "Redacted finding ingestion",
+          "body": "Kali finding 與安全發現需要先以脫敏 payload 進入 mirror，不能直接進 runtime。",
+          "unlock": "人工批准後接收脫敏 finding"
+        },
+        "kaliScanScope": {
+          "title": "Kali scan scope",
+          "body": "Kali 112、111、168 目前仍是 observe-only；active scan 與 /execute 仍需獨立批准。",
+          "unlock": "scan scope approval + follow-up gate"
+        },
+        "followupRuntimeGate": {
+          "title": "Follow-up runtime gate",
+          "body": "所有實際執行都要等人工 decision record 後，另開 follow-up runtime gate。",
+          "unlock": "decision record accepted，active gate 仍為 0"
+        }
+      }
+    },
    "nextGate": {
      "title": "下一個高層 Gate",
      "body": "S4.9 Gitea owner attestation response 是目前建議先收的 owner evidence。任何 headline 提升都要等 owner response、redacted payload ingestion、active runtime gate 或 GitHub primary readiness 有真實變化。"
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -67,6 +67,13 @@ type JourneyStep = {
  tone: 'steady' | 'warn' | 'locked'
 }

+type EvidenceReadinessItem = {
+  key: string
+  lane: string
+  icon: typeof ShieldCheck
+  tone: 'steady' | 'warn' | 'locked'
+}
+
 const postureMetrics: PostureMetric[] = [
  { key: 'overall', value: '58%', tone: 'warn' },
  { key: 'framework', value: '80-85%', tone: 'steady' },
@@ -153,6 +160,16 @@ const journeySteps: JourneyStep[] = [
  { key: 'runtimeGate', icon: ShieldCheck, tone: 'locked' },
 ]

+const evidenceReadinessItems: EvidenceReadinessItem[] = [
+  { key: 'giteaOwnerAttestation', lane: 'S4.9', icon: GitBranch, tone: 'warn' },
+  { key: 'githubTargetOwner', lane: 'S4.10', icon: GitBranch, tone: 'warn' },
+  { key: 'refsTruthOwner', lane: 'S4.11', icon: GitBranch, tone: 'warn' },
+  { key: 'workflowSecretOwner', lane: 'S4.12', icon: Lock, tone: 'warn' },
+  { key: 'redactedFindingIngestion', lane: 'S1.6', icon: FileWarning, tone: 'warn' },
+  { key: 'kaliScanScope', lane: 'S1.6', icon: Activity, tone: 'locked' },
+  { key: 'followupRuntimeGate', lane: 'S3.4', icon: ShieldCheck, tone: 'locked' },
+]
+
 const evidenceItems = [
  'iwooos-posture-projection.snapshot.json',
  'security-rollout-policy.snapshot.json',
@@ -371,6 +388,34 @@ function JourneyStepCard({ item, index }: { item: JourneyStep; index: number })
  )
 }

+function EvidenceReadinessCard({ item, index }: { item: EvidenceReadinessItem; index: number }) {
+  const t = useTranslations('iwooos.evidenceReadiness')
+  const Icon = item.icon
+  return (
+    <div style={{ ...band, minHeight: 176, padding: 16 }}>
+      <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', gap: 12 }}>
+        <div style={{ display: 'flex', alignItems: 'center', gap: 9 }}>
+          <Icon size={18} color={toneColors[item.tone]} />
+          <span style={{ fontSize: 11, color: '#87867f' }}>{item.lane}</span>
+        </div>
+        <span style={{ fontSize: 11, color: '#9b978b' }}>{String(index + 1).padStart(2, '0')}</span>
+      </div>
+      <h2 style={{ fontSize: 14, margin: '12px 0 6px', color: '#141413' }}>
+        {t(`items.${item.key}.title` as never)}
+      </h2>
+      <p style={{ fontSize: 12, lineHeight: 1.55, color: '#6f6d66', margin: 0 }}>
+        {t(`items.${item.key}.body` as never)}
+      </p>
+      <div style={{ marginTop: 10, display: 'grid', gap: 5 }}>
+        <div style={{ fontSize: 11, color: '#87867f' }}>{t('unlockLabel')}</div>
+        <div style={{ fontSize: 11, color: toneColors[item.tone], lineHeight: 1.45 }}>
+          {t(`items.${item.key}.unlock` as never)}
+        </div>
+      </div>
+    </div>
+  )
+}
+
 export default function IwoooSPage({ params }: { params: { locale: string } }) {
  const t = useTranslations('iwooos')

@@ -423,6 +468,26 @@ export default function IwoooSPage({ params }: { params: { locale: string } }) {
          </div>
        </section>

+        <section style={{ marginBottom: 14 }}>
+          <div style={{ marginBottom: 14 }}>
+            <h2 style={{ fontSize: 16, margin: 0 }}>{t('evidenceReadiness.title')}</h2>
+            <p style={{ fontSize: 12, color: '#6f6d66', margin: '6px 0 0', lineHeight: 1.55 }}>
+              {t('evidenceReadiness.subtitle')}
+            </p>
+          </div>
+          <div
+            style={{
+              display: 'grid',
+              gridTemplateColumns: 'repeat(auto-fit, minmax(210px, 1fr))',
+              gap: 12,
+            }}
+          >
+            {evidenceReadinessItems.map((item, index) => (
+              <EvidenceReadinessCard key={item.key} item={item} index={index} />
+            ))}
+          </div>
+        </section>
+
        <section
          style={{
            display: 'grid',
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,17 @@
+## 2026-05-19 | 資安供應鏈 S2.13：IwoooS Owner Evidence Readiness Board
+
+**背景**：S2.12 已把使用者可見的資安處理旅程固定成只讀流程；本輪補上 owner evidence readiness board，讓使用者能看懂 headline 進度下一步真正等待哪些 owner response / approval gate，而不是誤以為 58% 卡住。
+
+**完成**：
+- `/iwooos` 新增「Owner Evidence Readiness」區塊，顯示 7 個只讀 readiness items：S4.9 Gitea owner attestation、S4.10 GitHub target owner、S4.11 refs truth owner、S4.12 workflow / secret owner、redacted finding ingestion、Kali scan scope、follow-up runtime gate。
+- `iwooos_posture_projection_v1` schema / snapshot 新增 `owner_evidence_readiness_items` 與 `owner_evidence_readiness_item_count=7`，每個 item 固定 `received_count=0`、`accepted_count=0`、`display_mode=readiness_only`、`runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
+- `security-mirror-progress-guard.py` 開始驗證 7 個 readiness items、順序、received / accepted 仍為 0，以及 no runtime / no action button 邊界。
+- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_13_iwooos_owner_evidence_readiness_board`，headline progress 仍維持 58%。
+
+**仍禁止**：
+- readiness board 不代表 owner response received / accepted、runtime authorization、Kali active scan、Code Review blocking gate、deploy approval、repo / refs / workflow / secret / runner / primary switch 授權。
+- IwoooS 仍只做 read-only projection 與可理解度提升；headline 要上升仍需 owner evidence、人工決策、redacted ingestion、active runtime gate 或 GitHub primary readiness 的真實變化。
+
 ## 2026-05-19 | 資安供應鏈 S2.12：IwoooS Operator Journey Projection

 **背景**：S2.11 已讓 IwoooS 能說清楚既有資安頁面的責任面與衝突邊界；本輪進一步把使用者可見的資安處理流程固定成只讀旅程，避免下一步被誤解成可直接執行的自動化 queue。
--- a/docs/schemas/iwooos_posture_projection_v1.schema.json
+++ b/docs/schemas/iwooos_posture_projection_v1.schema.json
@@ -19,6 +19,7 @@
    "existing_frontend_surfaces",
    "frontend_surface_conflict_controls",
    "operator_journey_steps",
+    "owner_evidence_readiness_items",
    "frontend_surface_coverage_groups",
    "evidence_refs",
    "allowed_frontend_outputs",
@@ -77,6 +78,7 @@
        "frontend_surface_coverage_group_count",
        "frontend_surface_conflict_control_count",
        "operator_journey_step_count",
+        "owner_evidence_readiness_item_count",
        "action_buttons_allowed"
      ],
      "properties": {
@@ -142,6 +144,10 @@
        "operator_journey_step_count": {
          "type": "integer",
          "const": 6
+        },
+        "owner_evidence_readiness_item_count": {
+          "type": "integer",
+          "const": 7
        }
      },
      "additionalProperties": false
@@ -492,6 +498,72 @@
        },
        "additionalProperties": false
      }
+    },
+    "owner_evidence_readiness_items": {
+      "type": "array",
+      "minItems": 7,
+      "items": {
+        "type": "object",
+        "required": [
+          "item_id",
+          "display_order",
+          "stage_id",
+          "source_contract",
+          "readiness_state",
+          "received_count",
+          "accepted_count",
+          "display_mode",
+          "unlock_condition",
+          "runtime_execution_authorized",
+          "action_buttons_allowed",
+          "not_authorization"
+        ],
+        "properties": {
+          "item_id": {
+            "type": "string"
+          },
+          "display_order": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "stage_id": {
+            "type": "string"
+          },
+          "source_contract": {
+            "type": "string"
+          },
+          "readiness_state": {
+            "type": "string"
+          },
+          "received_count": {
+            "type": "integer",
+            "const": 0
+          },
+          "accepted_count": {
+            "type": "integer",
+            "const": 0
+          },
+          "display_mode": {
+            "const": "readiness_only"
+          },
+          "unlock_condition": {
+            "type": "string"
+          },
+          "runtime_execution_authorized": {
+            "type": "boolean",
+            "const": false
+          },
+          "action_buttons_allowed": {
+            "type": "boolean",
+            "const": false
+          },
+          "not_authorization": {
+            "type": "boolean",
+            "const": true
+          }
+        },
+        "additionalProperties": false
+      }
    }
  },
  "additionalProperties": false
--- a/docs/security/IWOOOS-POSTURE-PROJECTION.md
+++ b/docs/security/IWOOOS-POSTURE-PROJECTION.md
@@ -40,6 +40,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence：
 8. 10 個既有前端資安相關頁面索引。
 9. 4 個前端資安責任面與 5 個重疊 / 衝突控制。
 10. 6 個只讀資安處理旅程階段。
+11. 7 個 owner evidence readiness items。

 ## 3.1 既有前端資安頁面整合

@@ -94,6 +95,22 @@ S2.12 將使用者可見的資安處理流程固定為 6 個只讀階段：

 這個旅程是 status projection，不是 execution queue。任何 active scan、repair、deploy、GitHub primary、repo / refs / workflow / runner 或 secret 變更，都仍需獨立批准與後續 runtime gate。

+## 3.4 Owner Evidence Readiness
+
+S2.13 將 headline 進度下一步真正需要的 evidence 顯示成只讀 readiness board。
+
+| 順序 | Evidence item | 目前狀態 | 解除條件 |
+|------|---------------|----------|----------|
+| 1 | S4.9 Gitea owner attestation response | next collection candidate；received=0、accepted=0 | 收到並接受脫敏 owner response |
+| 2 | S4.10 GitHub target owner response | waiting owner response；received=0、accepted=0 | GitHub target owner response accepted |
+| 3 | S4.11 refs truth owner response | waiting owner response；received=0、accepted=0 | refs truth owner response accepted |
+| 4 | S4.12 workflow / secret name owner response | waiting owner response；received=0、accepted=0 | workflow / secret owner response accepted |
+| 5 | Redacted finding ingestion | approval required；received=0、accepted=0 | 人工批准後接收脫敏 finding |
+| 6 | Kali scan scope approval | approval required；received=0、accepted=0 | scan scope approval + follow-up runtime gate |
+| 7 | Follow-up runtime gate | locked until human decision；active gate=0 | decision record accepted 後另開 runtime gate |
+
+這個 board 只說明「還缺什麼」，不代表已收到 evidence、已接受 evidence、已批准、已可掃描、已可修復、已可部署或已可切 GitHub primary。
+
 ## 4. 仍禁止

 IwoooS 不得提供下列輸出：
--- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
+++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
@@ -35,7 +35,7 @@
 | Owner response validation | S4.13 已建立；四包 owner response 目前 received/accepted 皆為 0；4 條 missing response lanes、4 步 collection order、next collection candidate、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與 7 條 parallel session recovery outcome lanes 可供 AwoooP 直接顯示；下一個建議收件為 S4.9 Gitea owner attestation；latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`，reviewer audit emitted 仍為 0，不代表 owner response 已收到或任何執行授權 |
 | Low-friction rollout policy | S1.3 已補 7 條 non-blocking escalation lanes；LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 初期只能 observe / warn；`owner_review_required_before_blocking=true`、`runtime_blocking_allowed=false` |
 | IwoooS frontend posture | S2.8 已新增 `/iwooos` read-only Information Security 入口；顯示 Security Posture / Exposure、source-control supply chain、Kali 112 Mesh、approval boundary、non-blocking lanes 與 evidence refs；不新增執行按鈕 |
-| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；仍不新增 action button |
+| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；S2.13 已補 7 個 owner evidence readiness items；仍不新增 action button |
 | Dry-run | `contract_defined_not_executed`；已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`，latest local validation 為 `repo_snapshot_guard_pass`，仍不代表 production ingestion |
 | Runtime actions | `false` |
 | Payload ingestion | `false` |
@@ -96,6 +96,7 @@
 | S2.10 IwoooS existing frontend surface integration | framework detail | 0 | 只把既有前端資安頁面整理成只讀索引，不代表 owner response、production ingestion、approval、runtime gate、Kali scan、Code Review gate 或 execution authorization |
 | S2.11 IwoooS surface coverage boundary matrix | framework detail | 0 | 只把既有前端資安頁面分成訊號、人工控制、治理稽核與工程審查四面，並顯示重疊 / 衝突控制，不代表 runtime gate、deploy approval、Kali scan 或 Code Review blocking 授權 |
 | S2.12 IwoooS operator journey projection | framework detail | 0 | 只把資安處理旅程顯示成 read-only status projection，不代表 execution queue、runtime gate、deploy approval、Kali scan 或 Code Review blocking 授權 |
+| S2.13 IwoooS owner evidence readiness board | framework detail | 0 | 只顯示 headline 進度下一步需要的 owner evidence / approval gate，received / accepted 仍為 0，不代表 owner response received、approval、runtime gate、Kali scan 或 GitHub primary 授權 |

 headline 進度要再往上，至少需要下列任一高層 gate 有實質 evidence：

--- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
@@ -4,7 +4,7 @@
 |------|------|
 | 日期 | 2026-05-17 |
 | 狀態 | S0/S1 read-only evidence 建置中 |
-| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 |
+| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board |
 | 原則 | 低摩擦分階段；文件、schema、read-only evidence 優先；不做 runtime enforcement、不切 primary |

 ## 0. 本階段完成後整體進度
@@ -72,6 +72,7 @@ python3 scripts/security/security-mirror-progress-guard.py
 | S2.10 IwoooS existing frontend surface integration | 已完成草案，將前端既有 `/security-compliance`、`/security`、`/compliance`、`/alerts`、`/errors`、`/authorizations`、`/governance`、`/alert-operation-logs`、`/awooop/approvals`、`/code-review` 收成 IwoooS 只讀索引 | 0 |
 | S2.11 IwoooS surface coverage boundary matrix | 已完成草案，將 10 個既有前端資安頁面分成訊號與暴露面、人工控制、治理與稽核、工程審查四面，並補 5 個重疊 / 衝突控制 | 0 |
 | S2.12 IwoooS operator journey projection | 已完成草案，將讀態勢、開既有頁面、判讀非阻擋分流、收 owner evidence、等待人工決策、準備後續 runtime gate 固定為 6 個只讀旅程階段 | 0 |
+| S2.13 IwoooS owner evidence readiness board | 已完成草案，將 S4.9 / S4.10 / S4.11 / S4.12 owner response、redacted finding ingestion、Kali scan scope、follow-up runtime gate 固定為 7 個只讀 readiness items | 0 |

 headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收，或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。

@@ -103,6 +104,7 @@ headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
 | S2.10 IwoooS 既有前端資安頁面整合 | 完成草案 | `/iwooos` 新增既有資安頁面索引，涵蓋安全合規、舊安全、舊合規、告警、錯誤與 UX 稽核、授權中心、AI 治理、告警操作日誌、AwoooP approvals、AI Code Review | 使用者能從 IwoooS 看懂原本資安能力散在哪些頁面；仍只做 link-only 顯示，不新增 scan / execute / repair / blocking gate |
 | S2.11 IwoooS 覆蓋與邊界矩陣 | 完成草案 | `/iwooos` 新增 coverage / boundary matrix，分成 signals、human control、governance audit、engineering review 四組，並顯示 preserve owner、no runtime lift、Code Review not deploy gate、AwoooP approval not security approval、frontend index not Kali caller 五條控制 | 使用者能理解重疊頁面的責任分界；仍不新增 runtime、Kali、deploy 或 blocking control |
 | S2.12 IwoooS 只讀資安處理旅程 | 完成草案 | `/iwooos` 新增 6 階段處理旅程：讀態勢、開既有頁面、判讀非阻擋分流、收 owner evidence、等待人工決策、準備後續 runtime gate | 使用者能理解資安工作下一步，但每一步都是 status projection，不是 execution queue 或 action button |
+| S2.13 IwoooS Owner Evidence Readiness | 完成草案 | `/iwooos` 新增 owner evidence readiness board，顯示下一步真正影響 headline progress 的 7 個 evidence / gate 缺口 | 使用者能理解為什麼 58% 不應灌水提高；全部 received / accepted 仍為 0，不新增執行控制 |
 | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items：7 pending、1 block candidate、0 approved | 不得繞過人工批准；批准後仍需 follow-up runtime gate |
 | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策，不可執行 gate item |
 | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立；目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策，不可把決策當執行 |
--- a/docs/security/iwooos-posture-projection.snapshot.json
+++ b/docs/security/iwooos-posture-projection.snapshot.json
@@ -38,7 +38,8 @@
    "existing_frontend_surface_count": 10,
    "frontend_surface_coverage_group_count": 4,
    "frontend_surface_conflict_control_count": 5,
-    "operator_journey_step_count": 6
+    "operator_journey_step_count": 6,
+    "owner_evidence_readiness_item_count": 7
  },
  "progress": {
    "overall_percent": 58,
@@ -111,6 +112,7 @@
    "display_frontend_surface_coverage_matrix",
    "display_frontend_surface_conflict_controls",
    "display_operator_journey_steps",
+    "display_owner_evidence_readiness_board",
    "display_evidence_refs",
    "display_next_gate",
    "display_forbidden_actions"
@@ -494,5 +496,105 @@
      "action_buttons_allowed": false,
      "not_authorization": true
    }
+  ],
+  "owner_evidence_readiness_items": [
+    {
+      "item_id": "s4_9_gitea_owner_attestation_response",
+      "display_order": 1,
+      "stage_id": "S4.9",
+      "source_contract": "source_control_owner_response_validation_rollup_v1",
+      "readiness_state": "next_collection_candidate",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "redacted_owner_response_received_and_accepted",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s4_10_github_target_owner_response",
+      "display_order": 2,
+      "stage_id": "S4.10",
+      "source_contract": "source_control_owner_response_validation_rollup_v1",
+      "readiness_state": "waiting_owner_response",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "github_target_owner_response_accepted",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s4_11_refs_truth_owner_response",
+      "display_order": 3,
+      "stage_id": "S4.11",
+      "source_contract": "source_control_owner_response_validation_rollup_v1",
+      "readiness_state": "waiting_owner_response",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "refs_truth_owner_response_accepted",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s4_12_workflow_secret_owner_response",
+      "display_order": 4,
+      "stage_id": "S4.12",
+      "source_contract": "source_control_owner_response_validation_rollup_v1",
+      "readiness_state": "waiting_owner_response",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "workflow_secret_name_owner_response_accepted",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s1_6_redacted_finding_ingestion",
+      "display_order": 5,
+      "stage_id": "S1.6",
+      "source_contract": "security_finding_v1",
+      "readiness_state": "approval_required",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "human_approved_redacted_finding_ingestion",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s1_6_kali_scan_scope_approval",
+      "display_order": 6,
+      "stage_id": "S1.6",
+      "source_contract": "kali_scan_scope_approval_v1",
+      "readiness_state": "approval_required",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "scan_scope_approval_and_followup_runtime_gate",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s3_4_followup_runtime_gate",
+      "display_order": 7,
+      "stage_id": "S3.4",
+      "source_contract": "security_followup_runtime_gate_v1",
+      "readiness_state": "locked_until_human_decision",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "decision_record_accepted_then_separate_runtime_gate",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    }
  ]
 }
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
@@ -660,6 +660,18 @@
      "runtime_delta": false,
      "execution_authorized": false,
      "not_authorization": true
+    },
+    {
+      "delta_id": "s2_13_iwooos_owner_evidence_readiness_board",
+      "display_order": 42,
+      "completed_stage": "S2.13 IwoooS owner evidence readiness board",
+      "progress_axis": "framework_detail",
+      "headline_percent_delta": 0,
+      "framework_delta_visible": true,
+      "why_headline_unchanged": "IwoooS owner evidence readiness board 只顯示下一步需要收哪些 owner evidence / approval gate，所有 received / accepted 仍為 0，不代表 owner response received、production ingestion、approval、runtime gate、Kali scan、Code Review gating 或 execution authorization。",
+      "runtime_delta": false,
+      "execution_authorized": false,
+      "not_authorization": true
    }
  ],
  "next_safe_actions": [
@@ -739,7 +751,8 @@
        "顯示 forbidden actions 與 next gate，但不提供 action button",
        "顯示 10 個既有前端資安相關頁面索引：security-compliance、security、compliance、alerts、errors、authorizations、governance、alert-operation-logs、AwoooP approvals、code-review",
        "顯示 4 個 frontend surface coverage groups 與 5 個 conflict controls，協助判讀既有資安頁面的責任邊界",
-        "顯示 6 個 operator journey steps：讀態勢、開既有頁面、判讀非阻擋分流、收 owner evidence、等待人工決策、準備後續 runtime gate"
+        "顯示 6 個 operator journey steps：讀態勢、開既有頁面、判讀非阻擋分流、收 owner evidence、等待人工決策、準備後續 runtime gate",
+        "顯示 7 個 owner evidence readiness items：S4.9、S4.10、S4.11、S4.12、redacted finding ingestion、Kali scan scope、follow-up runtime gate"
      ],
      "blocked_processing": [
        "新增 scan / execute / repair button",
@@ -747,7 +760,8 @@
        "把前端 contract count 當成 GitHub primary、Kali scan 或 repo / refs action approval",
        "把既有頁面索引當成 scan、execute、repair、approval、Kali active scan、Code Review gating 或 runtime gate 授權",
        "把 coverage group 或 conflict control 當成 runtime gate、deploy approval、Kali active scan 或 Code Review blocking 授權",
-        "把 operator journey step 當成執行流程、自動化 queue、runtime gate、approval 或 deploy 授權"
+        "把 operator journey step 當成執行流程、自動化 queue、runtime gate、approval 或 deploy 授權",
+        "把 owner evidence readiness item 當成已收到 evidence、已批准、runtime gate、Kali active scan 或 GitHub primary 授權"
      ]
    },
    {
@@ -798,6 +812,22 @@
        "新增 scan / execute / repair / repo / refs / workflow / runner / primary action button"
      ]
    },
+    {
+      "action_id": "show_iwooos_owner_evidence_readiness",
+      "title": "IwoooS 顯示 owner evidence readiness board",
+      "mode": "observe",
+      "source_contract": "iwooos_posture_projection_v1",
+      "allowed_processing": [
+        "顯示 S4.9 / S4.10 / S4.11 / S4.12 owner response readiness",
+        "顯示 redacted finding ingestion、Kali scan scope 與 follow-up runtime gate 仍需人工批准",
+        "保留 received=0、accepted=0、active runtime gates=0 的只讀狀態"
+      ],
+      "blocked_processing": [
+        "把 readiness board 當成 owner response received 或 accepted",
+        "把 readiness board 當成 approval、runtime gate、Kali active scan、repo / refs / workflow / runner / primary 授權",
+        "新增 scan / execute / repair / deploy action button"
+      ]
+    },
    {
      "action_id": "mirror_approval_review_packets",
      "title": "AwoooP 顯示 8 個人工審查封包",
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -164,6 +164,7 @@ def validate(root: Path) -> None:
        "s2_10_iwooos_existing_frontend_surface_integration",
        "s2_11_iwooos_surface_coverage_boundary_matrix",
        "s2_12_iwooos_operator_journey_projection",
+        "s2_13_iwooos_owner_evidence_readiness_board",
    ]
    assert_equal(
        "progress_delta_ledger.delta_ids",
@@ -323,6 +324,15 @@ def validate(root: Path) -> None:
        "wait_for_human_decision",
        "prepare_followup_runtime_gate",
    ]
+    expected_iwooos_evidence_readiness_item_ids = [
+        "s4_9_gitea_owner_attestation_response",
+        "s4_10_github_target_owner_response",
+        "s4_11_refs_truth_owner_response",
+        "s4_12_workflow_secret_owner_response",
+        "s1_6_redacted_finding_ingestion",
+        "s1_6_kali_scan_scope_approval",
+        "s3_4_followup_runtime_gate",
+    ]
    assert_equal(
        "iwooos_projection.summary.frontend_surface_coverage_group_count",
        iwooos_projection["summary"]["frontend_surface_coverage_group_count"],
@@ -338,6 +348,11 @@ def validate(root: Path) -> None:
        iwooos_projection["summary"]["operator_journey_step_count"],
        len(expected_iwooos_journey_step_ids),
    )
+    assert_equal(
+        "iwooos_projection.summary.owner_evidence_readiness_item_count",
+        iwooos_projection["summary"]["owner_evidence_readiness_item_count"],
+        len(expected_iwooos_evidence_readiness_item_ids),
+    )
    iwooos_progress = iwooos_projection["progress"]
    assert_equal("iwooos_projection.progress.overall_percent", iwooos_progress["overall_percent"], progress["overall_percent"])
    assert_equal(
@@ -501,6 +516,45 @@ def validate(root: Path) -> None:
            f"iwooos_projection.operator_journey_steps.{item['step_id']}.not_authorization",
            item["not_authorization"],
        )
+    iwooos_evidence_readiness = iwooos_projection["owner_evidence_readiness_items"]
+    assert_equal(
+        "iwooos_projection.owner_evidence_readiness_items.ids",
+        [item["item_id"] for item in iwooos_evidence_readiness],
+        expected_iwooos_evidence_readiness_item_ids,
+    )
+    assert_equal(
+        "iwooos_projection.owner_evidence_readiness_items.display_order",
+        [item["display_order"] for item in iwooos_evidence_readiness],
+        list(range(1, len(expected_iwooos_evidence_readiness_item_ids) + 1)),
+    )
+    for item in iwooos_evidence_readiness:
+        assert_equal(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.display_mode",
+            item["display_mode"],
+            "readiness_only",
+        )
+        assert_equal(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.received_count",
+            item["received_count"],
+            0,
+        )
+        assert_equal(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.accepted_count",
+            item["accepted_count"],
+            0,
+        )
+        assert_false(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.runtime_execution_authorized",
+            item["runtime_execution_authorized"],
+        )
+        assert_false(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.action_buttons_allowed",
+            item["action_buttons_allowed"],
+        )
+        assert_true(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.not_authorization",
+            item["not_authorization"],
+        )
    assert_equal(
        "iwooos_projection.non_blocking_lane_ids",
        iwooos_projection["non_blocking_lane_ids"],
@@ -522,6 +576,7 @@ def validate(root: Path) -> None:
        "display_frontend_surface_coverage_matrix",
        "display_frontend_surface_conflict_controls",
        "display_operator_journey_steps",
+        "display_owner_evidence_readiness_board",
        "display_evidence_refs",
        "display_forbidden_actions",
    ]: