diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json
index 8797e3ba..c1e6e6cc 100644
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -1218,6 +1218,48 @@
         }
       }
     },
+    "evidenceReadiness": {
+      "title": "Owner Evidence Readiness",
+      "subtitle": "Shows the evidence that can actually move headline progress. Every item is waiting for collection or human decision and does not trigger execution from the frontend.",
+      "unlockLabel": "Unlock condition",
+      "items": {
+        "giteaOwnerAttestation": {
+          "title": "Gitea owner attestation",
+          "body": "The recommended first collection item is S4.9, covering Gitea inventory coverage and owner disposition.",
+          "unlock": "redacted owner response received and accepted"
+        },
+        "githubTargetOwner": {
+          "title": "GitHub target owner",
+          "body": "Confirms GitHub targets, visibility, canonical owner, and whether repos can enter primary readiness.",
+          "unlock": "S4.10 owner response accepted"
+        },
+        "refsTruthOwner": {
+          "title": "Refs truth owner",
+          "body": "Confirms truth for main/dev, deprecated drift, release tags, and GitHub-only refs.",
+          "unlock": "S4.11 refs truth response accepted"
+        },
+        "workflowSecretOwner": {
+          "title": "Workflow / secret name owner",
+          "body": "Confirms workflow, webhook, runner, deploy key, branch protection, and secret name parity.",
+          "unlock": "S4.12 workflow / secret response accepted"
+        },
+        "redactedFindingIngestion": {
+          "title": "Redacted finding ingestion",
+          "body": "Kali findings and security findings must enter mirror as redacted payloads before any runtime path.",
+          "unlock": "human-approved redacted finding ingestion"
+        },
+        "kaliScanScope": {
+          "title": "Kali scan scope",
+          "body": "Kali 112, 111, and 168 remain observe-only; active scan and /execute require separate approval.",
+          "unlock": "scan scope approval plus follow-up gate"
+        },
+        "followupRuntimeGate": {
+          "title": "Follow-up runtime gate",
+          "body": "Real execution waits for a human decision record and a separate follow-up runtime gate.",
+          "unlock": "decision record accepted; active gates remain 0"
+        }
+      }
+    },
     "nextGate": {
       "title": "Next High-level Gate",
       "body": "S4.9 Gitea owner attestation response is the recommended next owner evidence. Headline progress should only increase after owner responses, redacted payload ingestion, active runtime gates, or GitHub primary readiness actually change."
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json
index f01c6e0b..6418e030 100644
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -1219,6 +1219,48 @@
         }
       }
     },
+    "evidenceReadiness": {
+      "title": "Owner Evidence Readiness",
+      "subtitle": "這裡顯示 headline 進度下一步真正需要的 evidence。每一項都是等待收件或人工決策，不會從前端直接觸發任何執行。",
+      "unlockLabel": "解除條件",
+      "items": {
+        "giteaOwnerAttestation": {
+          "title": "Gitea owner attestation",
+          "body": "目前建議先收 S4.9，補齊 Gitea 清冊覆蓋與 owner 判定。",
+          "unlock": "收到並接受脫敏 owner response"
+        },
+        "githubTargetOwner": {
+          "title": "GitHub target owner",
+          "body": "確認 GitHub target、visibility、canonical owner 與 repo 是否可進 primary readiness。",
+          "unlock": "S4.10 owner response accepted"
+        },
+        "refsTruthOwner": {
+          "title": "Refs truth owner",
+          "body": "確認 main/dev truth、deprecated drift、release tags 與 GitHub-only refs 的真相來源。",
+          "unlock": "S4.11 refs truth response accepted"
+        },
+        "workflowSecretOwner": {
+          "title": "Workflow / secret name owner",
+          "body": "確認 workflow、webhook、runner、deploy key、branch protection、secret name parity。",
+          "unlock": "S4.12 workflow / secret response accepted"
+        },
+        "redactedFindingIngestion": {
+          "title": "Redacted finding ingestion",
+          "body": "Kali finding 與安全發現需要先以脫敏 payload 進入 mirror，不能直接進 runtime。",
+          "unlock": "人工批准後接收脫敏 finding"
+        },
+        "kaliScanScope": {
+          "title": "Kali scan scope",
+          "body": "Kali 112、111、168 目前仍是 observe-only；active scan 與 /execute 仍需獨立批准。",
+          "unlock": "scan scope approval + follow-up gate"
+        },
+        "followupRuntimeGate": {
+          "title": "Follow-up runtime gate",
+          "body": "所有實際執行都要等人工 decision record 後，另開 follow-up runtime gate。",
+          "unlock": "decision record accepted，active gate 仍為 0"
+        }
+      }
+    },
     "nextGate": {
       "title": "下一個高層 Gate",
       "body": "S4.9 Gitea owner attestation response 是目前建議先收的 owner evidence。任何 headline 提升都要等 owner response、redacted payload ingestion、active runtime gate 或 GitHub primary readiness 有真實變化。"
diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx
index a1aa1b0a..4fa2407d 100644
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -67,6 +67,13 @@ type JourneyStep = {
   tone: 'steady' | 'warn' | 'locked'
 }
 
+type EvidenceReadinessItem = {
+  key: string
+  lane: string
+  icon: typeof ShieldCheck
+  tone: 'steady' | 'warn' | 'locked'
+}
+
 const postureMetrics: PostureMetric[] = [
   { key: 'overall', value: '58%', tone: 'warn' },
   { key: 'framework', value: '80-85%', tone: 'steady' },
@@ -153,6 +160,16 @@ const journeySteps: JourneyStep[] = [
   { key: 'runtimeGate', icon: ShieldCheck, tone: 'locked' },
 ]
 
+const evidenceReadinessItems: EvidenceReadinessItem[] = [
+  { key: 'giteaOwnerAttestation', lane: 'S4.9', icon: GitBranch, tone: 'warn' },
+  { key: 'githubTargetOwner', lane: 'S4.10', icon: GitBranch, tone: 'warn' },
+  { key: 'refsTruthOwner', lane: 'S4.11', icon: GitBranch, tone: 'warn' },
+  { key: 'workflowSecretOwner', lane: 'S4.12', icon: Lock, tone: 'warn' },
+  { key: 'redactedFindingIngestion', lane: 'S1.6', icon: FileWarning, tone: 'warn' },
+  { key: 'kaliScanScope', lane: 'S1.6', icon: Activity, tone: 'locked' },
+  { key: 'followupRuntimeGate', lane: 'S3.4', icon: ShieldCheck, tone: 'locked' },
+]
+
 const evidenceItems = [
   'iwooos-posture-projection.snapshot.json',
   'security-rollout-policy.snapshot.json',
@@ -371,6 +388,34 @@ function JourneyStepCard({ item, index }: { item: JourneyStep; index: number })
   )
 }
 
+function EvidenceReadinessCard({ item, index }: { item: EvidenceReadinessItem; index: number }) {
+  const t = useTranslations('iwooos.evidenceReadiness')
+  const Icon = item.icon
+  return (
+    <div style={{ ...band, minHeight: 176, padding: 16 }}>
+      <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', gap: 12 }}>
+        <div style={{ display: 'flex', alignItems: 'center', gap: 9 }}>
+          <Icon size={18} color={toneColors[item.tone]} />
+          <span style={{ fontSize: 11, color: '#87867f' }}>{item.lane}</span>
+        </div>
+        <span style={{ fontSize: 11, color: '#9b978b' }}>{String(index + 1).padStart(2, '0')}</span>
+      </div>
+      <h2 style={{ fontSize: 14, margin: '12px 0 6px', color: '#141413' }}>
+        {t(`items.${item.key}.title` as never)}
+      </h2>
+      <p style={{ fontSize: 12, lineHeight: 1.55, color: '#6f6d66', margin: 0 }}>
+        {t(`items.${item.key}.body` as never)}
+      </p>
+      <div style={{ marginTop: 10, display: 'grid', gap: 5 }}>
+        <div style={{ fontSize: 11, color: '#87867f' }}>{t('unlockLabel')}</div>
+        <div style={{ fontSize: 11, color: toneColors[item.tone], lineHeight: 1.45 }}>
+          {t(`items.${item.key}.unlock` as never)}
+        </div>
+      </div>
+    </div>
+  )
+}
+
 export default function IwoooSPage({ params }: { params: { locale: string } }) {
   const t = useTranslations('iwooos')
 
@@ -423,6 +468,26 @@ export default function IwoooSPage({ params }: { params: { locale: string } }) {
           </div>
         </section>
 
+        <section style={{ marginBottom: 14 }}>
+          <div style={{ marginBottom: 14 }}>
+            <h2 style={{ fontSize: 16, margin: 0 }}>{t('evidenceReadiness.title')}</h2>
+            <p style={{ fontSize: 12, color: '#6f6d66', margin: '6px 0 0', lineHeight: 1.55 }}>
+              {t('evidenceReadiness.subtitle')}
+            </p>
+          </div>
+          <div
+            style={{
+              display: 'grid',
+              gridTemplateColumns: 'repeat(auto-fit, minmax(210px, 1fr))',
+              gap: 12,
+            }}
+          >
+            {evidenceReadinessItems.map((item, index) => (
+              <EvidenceReadinessCard key={item.key} item={item} index={index} />
+            ))}
+          </div>
+        </section>
+
         <section
           style={{
             display: 'grid',
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 0dc22e0d..a6533246 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,17 @@
+## 2026-05-19 | 資安供應鏈 S2.13：IwoooS Owner Evidence Readiness Board
+
+**背景**：S2.12 已把使用者可見的資安處理旅程固定成只讀流程；本輪補上 owner evidence readiness board，讓使用者能看懂 headline 進度下一步真正等待哪些 owner response / approval gate，而不是誤以為 58% 卡住。
+
+**完成**：
+- `/iwooos` 新增「Owner Evidence Readiness」區塊，顯示 7 個只讀 readiness items：S4.9 Gitea owner attestation、S4.10 GitHub target owner、S4.11 refs truth owner、S4.12 workflow / secret owner、redacted finding ingestion、Kali scan scope、follow-up runtime gate。
+- `iwooos_posture_projection_v1` schema / snapshot 新增 `owner_evidence_readiness_items` 與 `owner_evidence_readiness_item_count=7`，每個 item 固定 `received_count=0`、`accepted_count=0`、`display_mode=readiness_only`、`runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
+- `security-mirror-progress-guard.py` 開始驗證 7 個 readiness items、順序、received / accepted 仍為 0，以及 no runtime / no action button 邊界。
+- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_13_iwooos_owner_evidence_readiness_board`，headline progress 仍維持 58%。
+
+**仍禁止**：
+- readiness board 不代表 owner response received / accepted、runtime authorization、Kali active scan、Code Review blocking gate、deploy approval、repo / refs / workflow / secret / runner / primary switch 授權。
+- IwoooS 仍只做 read-only projection 與可理解度提升；headline 要上升仍需 owner evidence、人工決策、redacted ingestion、active runtime gate 或 GitHub primary readiness 的真實變化。
+
 ## 2026-05-19 | 資安供應鏈 S2.12：IwoooS Operator Journey Projection
 
 **背景**：S2.11 已讓 IwoooS 能說清楚既有資安頁面的責任面與衝突邊界；本輪進一步把使用者可見的資安處理流程固定成只讀旅程，避免下一步被誤解成可直接執行的自動化 queue。
diff --git a/docs/schemas/iwooos_posture_projection_v1.schema.json b/docs/schemas/iwooos_posture_projection_v1.schema.json
index ea6d8720..83126ea5 100644
--- a/docs/schemas/iwooos_posture_projection_v1.schema.json
+++ b/docs/schemas/iwooos_posture_projection_v1.schema.json
@@ -19,6 +19,7 @@
     "existing_frontend_surfaces",
     "frontend_surface_conflict_controls",
     "operator_journey_steps",
+    "owner_evidence_readiness_items",
     "frontend_surface_coverage_groups",
     "evidence_refs",
     "allowed_frontend_outputs",
@@ -77,6 +78,7 @@
         "frontend_surface_coverage_group_count",
         "frontend_surface_conflict_control_count",
         "operator_journey_step_count",
+        "owner_evidence_readiness_item_count",
         "action_buttons_allowed"
       ],
       "properties": {
@@ -142,6 +144,10 @@
         "operator_journey_step_count": {
           "type": "integer",
           "const": 6
+        },
+        "owner_evidence_readiness_item_count": {
+          "type": "integer",
+          "const": 7
         }
       },
       "additionalProperties": false
@@ -492,6 +498,72 @@
         },
         "additionalProperties": false
       }
+    },
+    "owner_evidence_readiness_items": {
+      "type": "array",
+      "minItems": 7,
+      "items": {
+        "type": "object",
+        "required": [
+          "item_id",
+          "display_order",
+          "stage_id",
+          "source_contract",
+          "readiness_state",
+          "received_count",
+          "accepted_count",
+          "display_mode",
+          "unlock_condition",
+          "runtime_execution_authorized",
+          "action_buttons_allowed",
+          "not_authorization"
+        ],
+        "properties": {
+          "item_id": {
+            "type": "string"
+          },
+          "display_order": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "stage_id": {
+            "type": "string"
+          },
+          "source_contract": {
+            "type": "string"
+          },
+          "readiness_state": {
+            "type": "string"
+          },
+          "received_count": {
+            "type": "integer",
+            "const": 0
+          },
+          "accepted_count": {
+            "type": "integer",
+            "const": 0
+          },
+          "display_mode": {
+            "const": "readiness_only"
+          },
+          "unlock_condition": {
+            "type": "string"
+          },
+          "runtime_execution_authorized": {
+            "type": "boolean",
+            "const": false
+          },
+          "action_buttons_allowed": {
+            "type": "boolean",
+            "const": false
+          },
+          "not_authorization": {
+            "type": "boolean",
+            "const": true
+          }
+        },
+        "additionalProperties": false
+      }
     }
   },
   "additionalProperties": false
diff --git a/docs/security/IWOOOS-POSTURE-PROJECTION.md b/docs/security/IWOOOS-POSTURE-PROJECTION.md
index 7eb47c1e..a9be64b2 100644
--- a/docs/security/IWOOOS-POSTURE-PROJECTION.md
+++ b/docs/security/IWOOOS-POSTURE-PROJECTION.md
@@ -40,6 +40,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence：
 8. 10 個既有前端資安相關頁面索引。
 9. 4 個前端資安責任面與 5 個重疊 / 衝突控制。
 10. 6 個只讀資安處理旅程階段。
+11. 7 個 owner evidence readiness items。
 
 ## 3.1 既有前端資安頁面整合
 
@@ -94,6 +95,22 @@ S2.12 將使用者可見的資安處理流程固定為 6 個只讀階段：
 
 這個旅程是 status projection，不是 execution queue。任何 active scan、repair、deploy、GitHub primary、repo / refs / workflow / runner 或 secret 變更，都仍需獨立批准與後續 runtime gate。
 
+## 3.4 Owner Evidence Readiness
+
+S2.13 將 headline 進度下一步真正需要的 evidence 顯示成只讀 readiness board。
+
+| 順序 | Evidence item | 目前狀態 | 解除條件 |
+|------|---------------|----------|----------|
+| 1 | S4.9 Gitea owner attestation response | next collection candidate；received=0、accepted=0 | 收到並接受脫敏 owner response |
+| 2 | S4.10 GitHub target owner response | waiting owner response；received=0、accepted=0 | GitHub target owner response accepted |
+| 3 | S4.11 refs truth owner response | waiting owner response；received=0、accepted=0 | refs truth owner response accepted |
+| 4 | S4.12 workflow / secret name owner response | waiting owner response；received=0、accepted=0 | workflow / secret owner response accepted |
+| 5 | Redacted finding ingestion | approval required；received=0、accepted=0 | 人工批准後接收脫敏 finding |
+| 6 | Kali scan scope approval | approval required；received=0、accepted=0 | scan scope approval + follow-up runtime gate |
+| 7 | Follow-up runtime gate | locked until human decision；active gate=0 | decision record accepted 後另開 runtime gate |
+
+這個 board 只說明「還缺什麼」，不代表已收到 evidence、已接受 evidence、已批准、已可掃描、已可修復、已可部署或已可切 GitHub primary。
+
 ## 4. 仍禁止
 
 IwoooS 不得提供下列輸出：
diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
index 5904d388..e3aadfb2 100644
--- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
+++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
@@ -35,7 +35,7 @@
 | Owner response validation | S4.13 已建立；四包 owner response 目前 received/accepted 皆為 0；4 條 missing response lanes、4 步 collection order、next collection candidate、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與 7 條 parallel session recovery outcome lanes 可供 AwoooP 直接顯示；下一個建議收件為 S4.9 Gitea owner attestation；latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`，reviewer audit emitted 仍為 0，不代表 owner response 已收到或任何執行授權 |
 | Low-friction rollout policy | S1.3 已補 7 條 non-blocking escalation lanes；LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 初期只能 observe / warn；`owner_review_required_before_blocking=true`、`runtime_blocking_allowed=false` |
 | IwoooS frontend posture | S2.8 已新增 `/iwooos` read-only Information Security 入口；顯示 Security Posture / Exposure、source-control supply chain、Kali 112 Mesh、approval boundary、non-blocking lanes 與 evidence refs；不新增執行按鈕 |
-| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；仍不新增 action button |
+| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；S2.13 已補 7 個 owner evidence readiness items；仍不新增 action button |
 | Dry-run | `contract_defined_not_executed`；已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`，latest local validation 為 `repo_snapshot_guard_pass`，仍不代表 production ingestion |
 | Runtime actions | `false` |
 | Payload ingestion | `false` |
@@ -96,6 +96,7 @@
 | S2.10 IwoooS existing frontend surface integration | framework detail | 0 | 只把既有前端資安頁面整理成只讀索引，不代表 owner response、production ingestion、approval、runtime gate、Kali scan、Code Review gate 或 execution authorization |
 | S2.11 IwoooS surface coverage boundary matrix | framework detail | 0 | 只把既有前端資安頁面分成訊號、人工控制、治理稽核與工程審查四面，並顯示重疊 / 衝突控制，不代表 runtime gate、deploy approval、Kali scan 或 Code Review blocking 授權 |
 | S2.12 IwoooS operator journey projection | framework detail | 0 | 只把資安處理旅程顯示成 read-only status projection，不代表 execution queue、runtime gate、deploy approval、Kali scan 或 Code Review blocking 授權 |
+| S2.13 IwoooS owner evidence readiness board | framework detail | 0 | 只顯示 headline 進度下一步需要的 owner evidence / approval gate，received / accepted 仍為 0，不代表 owner response received、approval、runtime gate、Kali scan 或 GitHub primary 授權 |
 
 headline 進度要再往上，至少需要下列任一高層 gate 有實質 evidence：
 
diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
index 4414e479..5e801964 100644
--- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
@@ -4,7 +4,7 @@
 |------|------|
 | 日期 | 2026-05-17 |
 | 狀態 | S0/S1 read-only evidence 建置中 |
-| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 |
+| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board |
 | 原則 | 低摩擦分階段；文件、schema、read-only evidence 優先；不做 runtime enforcement、不切 primary |
 
 ## 0. 本階段完成後整體進度
@@ -72,6 +72,7 @@ python3 scripts/security/security-mirror-progress-guard.py
 | S2.10 IwoooS existing frontend surface integration | 已完成草案，將前端既有 `/security-compliance`、`/security`、`/compliance`、`/alerts`、`/errors`、`/authorizations`、`/governance`、`/alert-operation-logs`、`/awooop/approvals`、`/code-review` 收成 IwoooS 只讀索引 | 0 |
 | S2.11 IwoooS surface coverage boundary matrix | 已完成草案，將 10 個既有前端資安頁面分成訊號與暴露面、人工控制、治理與稽核、工程審查四面，並補 5 個重疊 / 衝突控制 | 0 |
 | S2.12 IwoooS operator journey projection | 已完成草案，將讀態勢、開既有頁面、判讀非阻擋分流、收 owner evidence、等待人工決策、準備後續 runtime gate 固定為 6 個只讀旅程階段 | 0 |
+| S2.13 IwoooS owner evidence readiness board | 已完成草案，將 S4.9 / S4.10 / S4.11 / S4.12 owner response、redacted finding ingestion、Kali scan scope、follow-up runtime gate 固定為 7 個只讀 readiness items | 0 |
 
 headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收，或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。
 
@@ -103,6 +104,7 @@ headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
 | S2.10 IwoooS 既有前端資安頁面整合 | 完成草案 | `/iwooos` 新增既有資安頁面索引，涵蓋安全合規、舊安全、舊合規、告警、錯誤與 UX 稽核、授權中心、AI 治理、告警操作日誌、AwoooP approvals、AI Code Review | 使用者能從 IwoooS 看懂原本資安能力散在哪些頁面；仍只做 link-only 顯示，不新增 scan / execute / repair / blocking gate |
 | S2.11 IwoooS 覆蓋與邊界矩陣 | 完成草案 | `/iwooos` 新增 coverage / boundary matrix，分成 signals、human control、governance audit、engineering review 四組，並顯示 preserve owner、no runtime lift、Code Review not deploy gate、AwoooP approval not security approval、frontend index not Kali caller 五條控制 | 使用者能理解重疊頁面的責任分界；仍不新增 runtime、Kali、deploy 或 blocking control |
 | S2.12 IwoooS 只讀資安處理旅程 | 完成草案 | `/iwooos` 新增 6 階段處理旅程：讀態勢、開既有頁面、判讀非阻擋分流、收 owner evidence、等待人工決策、準備後續 runtime gate | 使用者能理解資安工作下一步，但每一步都是 status projection，不是 execution queue 或 action button |
+| S2.13 IwoooS Owner Evidence Readiness | 完成草案 | `/iwooos` 新增 owner evidence readiness board，顯示下一步真正影響 headline progress 的 7 個 evidence / gate 缺口 | 使用者能理解為什麼 58% 不應灌水提高；全部 received / accepted 仍為 0，不新增執行控制 |
 | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items：7 pending、1 block candidate、0 approved | 不得繞過人工批准；批准後仍需 follow-up runtime gate |
 | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策，不可執行 gate item |
 | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立；目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策，不可把決策當執行 |
diff --git a/docs/security/iwooos-posture-projection.snapshot.json b/docs/security/iwooos-posture-projection.snapshot.json
index 1965bbcb..dc752118 100644
--- a/docs/security/iwooos-posture-projection.snapshot.json
+++ b/docs/security/iwooos-posture-projection.snapshot.json
@@ -38,7 +38,8 @@
     "existing_frontend_surface_count": 10,
     "frontend_surface_coverage_group_count": 4,
     "frontend_surface_conflict_control_count": 5,
-    "operator_journey_step_count": 6
+    "operator_journey_step_count": 6,
+    "owner_evidence_readiness_item_count": 7
   },
   "progress": {
     "overall_percent": 58,
@@ -111,6 +112,7 @@
     "display_frontend_surface_coverage_matrix",
     "display_frontend_surface_conflict_controls",
     "display_operator_journey_steps",
+    "display_owner_evidence_readiness_board",
     "display_evidence_refs",
     "display_next_gate",
     "display_forbidden_actions"
@@ -494,5 +496,105 @@
       "action_buttons_allowed": false,
       "not_authorization": true
     }
+  ],
+  "owner_evidence_readiness_items": [
+    {
+      "item_id": "s4_9_gitea_owner_attestation_response",
+      "display_order": 1,
+      "stage_id": "S4.9",
+      "source_contract": "source_control_owner_response_validation_rollup_v1",
+      "readiness_state": "next_collection_candidate",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "redacted_owner_response_received_and_accepted",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s4_10_github_target_owner_response",
+      "display_order": 2,
+      "stage_id": "S4.10",
+      "source_contract": "source_control_owner_response_validation_rollup_v1",
+      "readiness_state": "waiting_owner_response",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "github_target_owner_response_accepted",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s4_11_refs_truth_owner_response",
+      "display_order": 3,
+      "stage_id": "S4.11",
+      "source_contract": "source_control_owner_response_validation_rollup_v1",
+      "readiness_state": "waiting_owner_response",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "refs_truth_owner_response_accepted",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s4_12_workflow_secret_owner_response",
+      "display_order": 4,
+      "stage_id": "S4.12",
+      "source_contract": "source_control_owner_response_validation_rollup_v1",
+      "readiness_state": "waiting_owner_response",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "workflow_secret_name_owner_response_accepted",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s1_6_redacted_finding_ingestion",
+      "display_order": 5,
+      "stage_id": "S1.6",
+      "source_contract": "security_finding_v1",
+      "readiness_state": "approval_required",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "human_approved_redacted_finding_ingestion",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s1_6_kali_scan_scope_approval",
+      "display_order": 6,
+      "stage_id": "S1.6",
+      "source_contract": "kali_scan_scope_approval_v1",
+      "readiness_state": "approval_required",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "scan_scope_approval_and_followup_runtime_gate",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "s3_4_followup_runtime_gate",
+      "display_order": 7,
+      "stage_id": "S3.4",
+      "source_contract": "security_followup_runtime_gate_v1",
+      "readiness_state": "locked_until_human_decision",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "readiness_only",
+      "unlock_condition": "decision_record_accepted_then_separate_runtime_gate",
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    }
   ]
 }
diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json
index 45fb4c3f..f3e36efe 100644
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
@@ -660,6 +660,18 @@
       "runtime_delta": false,
       "execution_authorized": false,
       "not_authorization": true
+    },
+    {
+      "delta_id": "s2_13_iwooos_owner_evidence_readiness_board",
+      "display_order": 42,
+      "completed_stage": "S2.13 IwoooS owner evidence readiness board",
+      "progress_axis": "framework_detail",
+      "headline_percent_delta": 0,
+      "framework_delta_visible": true,
+      "why_headline_unchanged": "IwoooS owner evidence readiness board 只顯示下一步需要收哪些 owner evidence / approval gate，所有 received / accepted 仍為 0，不代表 owner response received、production ingestion、approval、runtime gate、Kali scan、Code Review gating 或 execution authorization。",
+      "runtime_delta": false,
+      "execution_authorized": false,
+      "not_authorization": true
     }
   ],
   "next_safe_actions": [
@@ -739,7 +751,8 @@
         "顯示 forbidden actions 與 next gate，但不提供 action button",
         "顯示 10 個既有前端資安相關頁面索引：security-compliance、security、compliance、alerts、errors、authorizations、governance、alert-operation-logs、AwoooP approvals、code-review",
         "顯示 4 個 frontend surface coverage groups 與 5 個 conflict controls，協助判讀既有資安頁面的責任邊界",
-        "顯示 6 個 operator journey steps：讀態勢、開既有頁面、判讀非阻擋分流、收 owner evidence、等待人工決策、準備後續 runtime gate"
+        "顯示 6 個 operator journey steps：讀態勢、開既有頁面、判讀非阻擋分流、收 owner evidence、等待人工決策、準備後續 runtime gate",
+        "顯示 7 個 owner evidence readiness items：S4.9、S4.10、S4.11、S4.12、redacted finding ingestion、Kali scan scope、follow-up runtime gate"
       ],
       "blocked_processing": [
         "新增 scan / execute / repair button",
@@ -747,7 +760,8 @@
         "把前端 contract count 當成 GitHub primary、Kali scan 或 repo / refs action approval",
         "把既有頁面索引當成 scan、execute、repair、approval、Kali active scan、Code Review gating 或 runtime gate 授權",
         "把 coverage group 或 conflict control 當成 runtime gate、deploy approval、Kali active scan 或 Code Review blocking 授權",
-        "把 operator journey step 當成執行流程、自動化 queue、runtime gate、approval 或 deploy 授權"
+        "把 operator journey step 當成執行流程、自動化 queue、runtime gate、approval 或 deploy 授權",
+        "把 owner evidence readiness item 當成已收到 evidence、已批准、runtime gate、Kali active scan 或 GitHub primary 授權"
       ]
     },
     {
@@ -798,6 +812,22 @@
         "新增 scan / execute / repair / repo / refs / workflow / runner / primary action button"
       ]
     },
+    {
+      "action_id": "show_iwooos_owner_evidence_readiness",
+      "title": "IwoooS 顯示 owner evidence readiness board",
+      "mode": "observe",
+      "source_contract": "iwooos_posture_projection_v1",
+      "allowed_processing": [
+        "顯示 S4.9 / S4.10 / S4.11 / S4.12 owner response readiness",
+        "顯示 redacted finding ingestion、Kali scan scope 與 follow-up runtime gate 仍需人工批准",
+        "保留 received=0、accepted=0、active runtime gates=0 的只讀狀態"
+      ],
+      "blocked_processing": [
+        "把 readiness board 當成 owner response received 或 accepted",
+        "把 readiness board 當成 approval、runtime gate、Kali active scan、repo / refs / workflow / runner / primary 授權",
+        "新增 scan / execute / repair / deploy action button"
+      ]
+    },
     {
       "action_id": "mirror_approval_review_packets",
       "title": "AwoooP 顯示 8 個人工審查封包",
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index fb29fadc..1db5b6bd 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -164,6 +164,7 @@ def validate(root: Path) -> None:
         "s2_10_iwooos_existing_frontend_surface_integration",
         "s2_11_iwooos_surface_coverage_boundary_matrix",
         "s2_12_iwooos_operator_journey_projection",
+        "s2_13_iwooos_owner_evidence_readiness_board",
     ]
     assert_equal(
         "progress_delta_ledger.delta_ids",
@@ -323,6 +324,15 @@ def validate(root: Path) -> None:
         "wait_for_human_decision",
         "prepare_followup_runtime_gate",
     ]
+    expected_iwooos_evidence_readiness_item_ids = [
+        "s4_9_gitea_owner_attestation_response",
+        "s4_10_github_target_owner_response",
+        "s4_11_refs_truth_owner_response",
+        "s4_12_workflow_secret_owner_response",
+        "s1_6_redacted_finding_ingestion",
+        "s1_6_kali_scan_scope_approval",
+        "s3_4_followup_runtime_gate",
+    ]
     assert_equal(
         "iwooos_projection.summary.frontend_surface_coverage_group_count",
         iwooos_projection["summary"]["frontend_surface_coverage_group_count"],
@@ -338,6 +348,11 @@ def validate(root: Path) -> None:
         iwooos_projection["summary"]["operator_journey_step_count"],
         len(expected_iwooos_journey_step_ids),
     )
+    assert_equal(
+        "iwooos_projection.summary.owner_evidence_readiness_item_count",
+        iwooos_projection["summary"]["owner_evidence_readiness_item_count"],
+        len(expected_iwooos_evidence_readiness_item_ids),
+    )
     iwooos_progress = iwooos_projection["progress"]
     assert_equal("iwooos_projection.progress.overall_percent", iwooos_progress["overall_percent"], progress["overall_percent"])
     assert_equal(
@@ -501,6 +516,45 @@ def validate(root: Path) -> None:
             f"iwooos_projection.operator_journey_steps.{item['step_id']}.not_authorization",
             item["not_authorization"],
         )
+    iwooos_evidence_readiness = iwooos_projection["owner_evidence_readiness_items"]
+    assert_equal(
+        "iwooos_projection.owner_evidence_readiness_items.ids",
+        [item["item_id"] for item in iwooos_evidence_readiness],
+        expected_iwooos_evidence_readiness_item_ids,
+    )
+    assert_equal(
+        "iwooos_projection.owner_evidence_readiness_items.display_order",
+        [item["display_order"] for item in iwooos_evidence_readiness],
+        list(range(1, len(expected_iwooos_evidence_readiness_item_ids) + 1)),
+    )
+    for item in iwooos_evidence_readiness:
+        assert_equal(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.display_mode",
+            item["display_mode"],
+            "readiness_only",
+        )
+        assert_equal(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.received_count",
+            item["received_count"],
+            0,
+        )
+        assert_equal(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.accepted_count",
+            item["accepted_count"],
+            0,
+        )
+        assert_false(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.runtime_execution_authorized",
+            item["runtime_execution_authorized"],
+        )
+        assert_false(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.action_buttons_allowed",
+            item["action_buttons_allowed"],
+        )
+        assert_true(
+            f"iwooos_projection.owner_evidence_readiness_items.{item['item_id']}.not_authorization",
+            item["not_authorization"],
+        )
     assert_equal(
         "iwooos_projection.non_blocking_lane_ids",
         iwooos_projection["non_blocking_lane_ids"],
@@ -522,6 +576,7 @@ def validate(root: Path) -> None:
         "display_frontend_surface_coverage_matrix",
         "display_frontend_surface_conflict_controls",
         "display_operator_journey_steps",
+        "display_owner_evidence_readiness_board",
         "display_evidence_refs",
         "display_forbidden_actions",
     ]: