diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json
index 8f2eafc5..840bc176 100644
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -1319,6 +1319,48 @@
         }
       }
     },
+    "hostEvidenceReadiness": {
+      "title": "Host Evidence Readiness",
+      "subtitle": "Lists the evidence required before host scans, updates, SSH changes, or runtime blocking can proceed. These items are waiting for collection and do not mean approval.",
+      "evidenceLabel": "Required evidence",
+      "items": {
+        "scopeBoundary": {
+          "title": "Scope boundary",
+          "body": "Confirms allowed targets, exclusions, scan depth, and rate limits for 112, 168, and 111.",
+          "evidence": "requires redacted scan scope approval; received=0, accepted=0"
+        },
+        "ownerDecision": {
+          "title": "Owner decision record",
+          "body": "Every host action needs human control; IwoooS visibility or AwoooP queue status cannot replace a decision.",
+          "evidence": "requires accepted decision record; active runtime gates=0"
+        },
+        "credentialHandling": {
+          "title": "Credential handling",
+          "body": "Credentialed scans require defined credential source, storage boundary, redaction, and rejection rules.",
+          "evidence": "credential material collection is forbidden; credentialed scan=false"
+        },
+        "maintenanceWindow": {
+          "title": "Maintenance window",
+          "body": "Kali updates, host tuning, or SSH changes need a maintenance window to avoid disrupting development and product flow.",
+          "evidence": "requires window, impact scope, notification, and recovery criteria"
+        },
+        "rollbackPlan": {
+          "title": "Rollback plan",
+          "body": "Every host change needs a recovery path covering packages, settings, services, and toolchain versions.",
+          "evidence": "requires rollback owner, steps, and validation method"
+        },
+        "validationMetrics": {
+          "title": "Validation metrics",
+          "body": "Host actions need post-check metrics to confirm scanners, monitoring, services, and user flows did not regress.",
+          "evidence": "requires post-check metrics and failure lane"
+        },
+        "redactedIngestion": {
+          "title": "Redacted ingestion",
+          "body": "Host findings or scan results may only enter mirror as redacted summaries, not raw runtime input.",
+          "evidence": "requires redacted payload acceptance; payloads_ingested=false"
+        }
+      }
+    },
     "nextGate": {
       "title": "Next High-level Gate",
       "body": "S4.9 Gitea owner attestation response is the recommended next owner evidence. Headline progress should only increase after owner responses, redacted payload ingestion, active runtime gates, or GitHub primary readiness actually change."
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json
index 6a12004c..e8c6bc63 100644
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -1320,6 +1320,48 @@
         }
       }
     },
+    "hostEvidenceReadiness": {
+      "title": "主機 Evidence Readiness",
+      "subtitle": "列出主機掃描、更新、SSH 變更或 runtime blocking 前必須補齊的 evidence。這些項目目前都只是待收件，不代表已批准。",
+      "evidenceLabel": "需要 Evidence",
+      "items": {
+        "scopeBoundary": {
+          "title": "Scope boundary",
+          "body": "確認 112、168、111 的允許目標、排除範圍、掃描深度與速率限制。",
+          "evidence": "需要脫敏 scan scope approval；received=0、accepted=0"
+        },
+        "ownerDecision": {
+          "title": "Owner decision record",
+          "body": "每個主機動作都需要人控決策，不能用 IwoooS 可見狀態或 AwoooP queue 取代。",
+          "evidence": "需要 accepted decision record；目前 active runtime gates=0"
+        },
+        "credentialHandling": {
+          "title": "Credential handling",
+          "body": "帶憑證掃描前要先定義憑證來源、保存邊界、遮蔽方式與拒收規則。",
+          "evidence": "禁止收集憑證明文；目前 credentialed scan=false"
+        },
+        "maintenanceWindow": {
+          "title": "Maintenance window",
+          "body": "Kali 更新、主機調校或 SSH 變更都需要維護窗口，避免影響開發與產品流程。",
+          "evidence": "需要窗口、影響範圍、通知與回復標準"
+        },
+        "rollbackPlan": {
+          "title": "Rollback plan",
+          "body": "任何主機變更都要能回復，包含套件、設定、服務與工具鏈版本。",
+          "evidence": "需要 rollback owner、步驟與驗證方式"
+        },
+        "validationMetrics": {
+          "title": "Validation metrics",
+          "body": "主機動作後要有驗證指標，確認掃描器、監控、服務與使用者流程沒有退化。",
+          "evidence": "需要 post-check 指標與失敗處理 lane"
+        },
+        "redactedIngestion": {
+          "title": "Redacted ingestion",
+          "body": "主機 finding 或掃描結果只能以脫敏摘要進入 mirror，不能直接把 raw payload 當 runtime input。",
+          "evidence": "需要 redacted payload acceptance；payloads_ingested=false"
+        }
+      }
+    },
     "nextGate": {
       "title": "下一個高層 Gate",
       "body": "S4.9 Gitea owner attestation response 是目前建議先收的 owner evidence。任何 headline 提升都要等 owner response、redacted payload ingestion、active runtime gate 或 GitHub primary readiness 有真實變化。"
diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx
index 5932dd88..34f75785 100644
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -88,6 +88,13 @@ type HostActionGateItem = {
   tone: 'steady' | 'warn' | 'locked'
 }
 
+type HostEvidenceReadinessItem = {
+  key: string
+  gate: string
+  icon: typeof ShieldCheck
+  tone: 'steady' | 'warn' | 'locked'
+}
+
 const postureMetrics: PostureMetric[] = [
   { key: 'overall', value: '58%', tone: 'warn' },
   { key: 'framework', value: '80-85%', tone: 'steady' },
@@ -199,6 +206,16 @@ const hostActionGateItems: HostActionGateItem[] = [
   { key: 'runtimeBlocking', gate: 'S3.4', icon: ShieldCheck, tone: 'locked' },
 ]
 
+const hostEvidenceReadinessItems: HostEvidenceReadinessItem[] = [
+  { key: 'scopeBoundary', gate: 'S1.6', icon: Radar, tone: 'warn' },
+  { key: 'ownerDecision', gate: 'S3.1', icon: ClipboardCheck, tone: 'warn' },
+  { key: 'credentialHandling', gate: 'S1.6', icon: Lock, tone: 'locked' },
+  { key: 'maintenanceWindow', gate: 'S3.4', icon: Clock3, tone: 'warn' },
+  { key: 'rollbackPlan', gate: 'S3.4', icon: FileWarning, tone: 'warn' },
+  { key: 'validationMetrics', gate: 'S3.4', icon: CheckCircle2, tone: 'warn' },
+  { key: 'redactedIngestion', gate: 'S1.6', icon: ShieldCheck, tone: 'locked' },
+]
+
 const evidenceItems = [
   'iwooos-posture-projection.snapshot.json',
   'security-rollout-policy.snapshot.json',
@@ -501,6 +518,34 @@ function HostActionGateCard({ item, index }: { item: HostActionGateItem; index:
   )
 }
 
+function HostEvidenceReadinessCard({ item, index }: { item: HostEvidenceReadinessItem; index: number }) {
+  const t = useTranslations('iwooos.hostEvidenceReadiness')
+  const Icon = item.icon
+  return (
+    <div style={{ ...band, minHeight: 184, padding: 16 }}>
+      <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', gap: 12 }}>
+        <div style={{ display: 'flex', alignItems: 'center', gap: 9 }}>
+          <Icon size={18} color={toneColors[item.tone]} />
+          <span style={{ fontSize: 11, color: '#87867f' }}>{item.gate}</span>
+        </div>
+        <span style={{ fontSize: 11, color: '#9b978b' }}>{String(index + 1).padStart(2, '0')}</span>
+      </div>
+      <h2 style={{ fontSize: 14, margin: '12px 0 6px', color: '#141413' }}>
+        {t(`items.${item.key}.title` as never)}
+      </h2>
+      <p style={{ fontSize: 12, lineHeight: 1.55, color: '#6f6d66', margin: 0 }}>
+        {t(`items.${item.key}.body` as never)}
+      </p>
+      <div style={{ marginTop: 10, display: 'grid', gap: 5 }}>
+        <div style={{ fontSize: 11, color: '#87867f' }}>{t('evidenceLabel')}</div>
+        <div style={{ fontSize: 11, color: toneColors[item.tone], lineHeight: 1.45 }}>
+          {t(`items.${item.key}.evidence` as never)}
+        </div>
+      </div>
+    </div>
+  )
+}
+
 export default function IwoooSPage({ params }: { params: { locale: string } }) {
   const t = useTranslations('iwooos')
 
@@ -613,6 +658,26 @@ export default function IwoooSPage({ params }: { params: { locale: string } }) {
           </div>
         </section>
 
+        <section style={{ marginBottom: 14 }}>
+          <div style={{ marginBottom: 14 }}>
+            <h2 style={{ fontSize: 16, margin: 0 }}>{t('hostEvidenceReadiness.title')}</h2>
+            <p style={{ fontSize: 12, color: '#6f6d66', margin: '6px 0 0', lineHeight: 1.55 }}>
+              {t('hostEvidenceReadiness.subtitle')}
+            </p>
+          </div>
+          <div
+            style={{
+              display: 'grid',
+              gridTemplateColumns: 'repeat(auto-fit, minmax(210px, 1fr))',
+              gap: 12,
+            }}
+          >
+            {hostEvidenceReadinessItems.map((item, index) => (
+              <HostEvidenceReadinessCard key={item.key} item={item} index={index} />
+            ))}
+          </div>
+        </section>
+
         <section
           style={{
             display: 'grid',
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index f1419323..541b0b72 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,17 @@
+## 2026-05-19 | 資安供應鏈 S2.16：IwoooS Host Evidence Readiness Board
+
+**背景**：S2.15 已把主機高風險動作拆成只讀 gate matrix；本輪補上主機 evidence readiness board，讓使用者知道 active scan、credentialed scan、SSH / host change、Kali update 或 runtime blocking 前到底還缺哪些前置證據。
+
+**完成**：
+- `/iwooos` 新增「主機 Evidence Readiness」，顯示 scope boundary、owner decision record、credential handling、maintenance window、rollback plan、validation metrics、redacted ingestion 七個只讀 readiness items。
+- `iwooos_posture_projection_v1` schema / snapshot 新增 `host_evidence_readiness_items` 與 `host_evidence_readiness_item_count=7`，每個 item 固定 `received_count=0`、`accepted_count=0`、`display_mode=evidence_readiness_only`、`active_scan_authorized=false`、`credentialed_scan_authorized=false`、`ssh_change_authorized=false`、`host_update_authorized=false`、`runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
+- `security-mirror-progress-guard.py` 開始驗證七個 host evidence readiness items、順序、received / accepted 仍為 0，以及所有主機動作授權旗標皆為 false。
+- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_16_iwooos_host_evidence_readiness_board`，headline progress 仍維持 58%。
+
+**仍禁止**：
+- host evidence readiness board 不代表 evidence received / accepted、active scan、credentialed scan、Kali `/execute`、SSH 登入、主機變更、Kali 更新、raw host evidence ingestion、runtime gate 或 blocking control。
+- 真正主機掃描、更新或調校仍需人工批准、scope approval、credential handling、變更計畫、rollback evidence、post-check metrics 與後續 runtime gate。
+
 ## 2026-05-19 | 資安供應鏈 S2.15：IwoooS Host Action Gate Matrix
 
 **背景**：S2.14 已把 Kali 112 與兩台開發主機 168 / 111 納入 IwoooS 可見資安視野；本輪補上主機動作 gate matrix，避免「主機已納管」被誤讀成「可以直接掃描、登入、更新或阻擋」。
diff --git a/docs/schemas/iwooos_posture_projection_v1.schema.json b/docs/schemas/iwooos_posture_projection_v1.schema.json
index 9f0645aa..e49aab85 100644
--- a/docs/schemas/iwooos_posture_projection_v1.schema.json
+++ b/docs/schemas/iwooos_posture_projection_v1.schema.json
@@ -22,6 +22,7 @@
     "owner_evidence_readiness_items",
     "host_coverage_items",
     "host_action_gate_items",
+    "host_evidence_readiness_items",
     "frontend_surface_coverage_groups",
     "evidence_refs",
     "allowed_frontend_outputs",
@@ -83,6 +84,7 @@
         "owner_evidence_readiness_item_count",
         "host_coverage_item_count",
         "host_action_gate_item_count",
+        "host_evidence_readiness_item_count",
         "action_buttons_allowed"
       ],
       "properties": {
@@ -160,6 +162,10 @@
         "host_action_gate_item_count": {
           "type": "integer",
           "const": 6
+        },
+        "host_evidence_readiness_item_count": {
+          "type": "integer",
+          "const": 7
         }
       },
       "additionalProperties": false
@@ -722,6 +728,92 @@
         },
         "additionalProperties": false
       }
+    },
+    "host_evidence_readiness_items": {
+      "type": "array",
+      "minItems": 7,
+      "items": {
+        "type": "object",
+        "required": [
+          "item_id",
+          "display_order",
+          "related_hosts",
+          "required_gate",
+          "evidence_state",
+          "received_count",
+          "accepted_count",
+          "display_mode",
+          "active_scan_authorized",
+          "credentialed_scan_authorized",
+          "ssh_change_authorized",
+          "host_update_authorized",
+          "runtime_execution_authorized",
+          "action_buttons_allowed",
+          "not_authorization"
+        ],
+        "properties": {
+          "item_id": {
+            "type": "string"
+          },
+          "display_order": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "related_hosts": {
+            "type": "array",
+            "minItems": 1,
+            "items": {
+              "type": "string"
+            }
+          },
+          "required_gate": {
+            "type": "string"
+          },
+          "evidence_state": {
+            "type": "string"
+          },
+          "received_count": {
+            "type": "integer",
+            "const": 0
+          },
+          "accepted_count": {
+            "type": "integer",
+            "const": 0
+          },
+          "display_mode": {
+            "const": "evidence_readiness_only"
+          },
+          "active_scan_authorized": {
+            "type": "boolean",
+            "const": false
+          },
+          "credentialed_scan_authorized": {
+            "type": "boolean",
+            "const": false
+          },
+          "ssh_change_authorized": {
+            "type": "boolean",
+            "const": false
+          },
+          "host_update_authorized": {
+            "type": "boolean",
+            "const": false
+          },
+          "runtime_execution_authorized": {
+            "type": "boolean",
+            "const": false
+          },
+          "action_buttons_allowed": {
+            "type": "boolean",
+            "const": false
+          },
+          "not_authorization": {
+            "type": "boolean",
+            "const": true
+          }
+        },
+        "additionalProperties": false
+      }
     }
   },
   "additionalProperties": false
diff --git a/docs/security/IWOOOS-POSTURE-PROJECTION.md b/docs/security/IWOOOS-POSTURE-PROJECTION.md
index 2b0d7dbd..d00f4595 100644
--- a/docs/security/IWOOOS-POSTURE-PROJECTION.md
+++ b/docs/security/IWOOOS-POSTURE-PROJECTION.md
@@ -43,6 +43,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence：
 11. 7 個 owner evidence readiness items。
 12. 3 個只讀主機覆蓋 items：Kali 112、開發主機 168、開發主機 111。
 13. 6 個主機動作 gate items：active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update、runtime blocking control。
+14. 7 個主機 evidence readiness items：scope boundary、owner decision、credential handling、maintenance window、rollback plan、validation metrics、redacted ingestion。
 
 ## 3.1 既有前端資安頁面整合
 
@@ -140,6 +141,22 @@ S2.15 將主機相關高風險動作拆成只讀 gate matrix，避免「主機
 
 每個 item 都固定 `display_mode=gate_only`，且 `active_scan_authorized=false`、`credentialed_scan_authorized=false`、`ssh_change_authorized=false`、`host_update_authorized=false`、`runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
 
+## 3.7 主機 Evidence Readiness
+
+S2.16 將主機動作解鎖前需要的 evidence 顯示成只讀 readiness board。這一層只回答「要進下一步前缺什麼」，不代表任何 evidence 已收到或已接受。
+
+| 順序 | Evidence item | 目前狀態 | 影響範圍 |
+|------|---------------|----------|----------|
+| 1 | Scope boundary | waiting redacted scope approval；received=0、accepted=0 | 112、168、111 的目標、排除範圍、深度與速率 |
+| 2 | Owner decision record | waiting human decision record；received=0、accepted=0 | 人控決策，不可由可見狀態替代 |
+| 3 | Credential handling | credential material collection forbidden；received=0、accepted=0 | credentialed scan 前的憑證來源、保存邊界、遮蔽與拒收規則 |
+| 4 | Maintenance window | waiting maintenance window；received=0、accepted=0 | Kali update、SSH / host change 與主機調校窗口 |
+| 5 | Rollback plan | waiting rollback plan；received=0、accepted=0 | 套件、設定、服務、工具鏈版本回復 |
+| 6 | Validation metrics | waiting post-check metrics；received=0、accepted=0 | 掃描器、監控、服務與使用者流程 post-check |
+| 7 | Redacted ingestion | waiting redacted payload acceptance；received=0、accepted=0 | finding / scan result 只能以脫敏摘要進 mirror |
+
+每個 item 都固定 `display_mode=evidence_readiness_only`，且 `active_scan_authorized=false`、`credentialed_scan_authorized=false`、`ssh_change_authorized=false`、`host_update_authorized=false`、`runtime_execution_authorized=false`、`action_buttons_allowed=false`、`not_authorization=true`。
+
 ## 4. 仍禁止
 
 IwoooS 不得提供下列輸出：
@@ -151,7 +168,8 @@ IwoooS 不得提供下列輸出：
 5. production deploy 或 runtime enforcement。
 6. SSH 到主機、開 SSH session、更新 Kali、package upgrade、credentialed scan 或 active scan。
 7. 套用 runtime blocking control。
-8. 把 58% progress、contract count、mirror readiness 或前端可見狀態當成授權。
+8. 將主機 evidence 標記為 received / accepted，或匯入 raw host evidence。
+9. 把 58% progress、contract count、mirror readiness 或前端可見狀態當成授權。
 
 ## 5. 驗證
 
diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
index 81201365..d33256f0 100644
--- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
+++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
@@ -35,7 +35,7 @@
 | Owner response validation | S4.13 已建立；四包 owner response 目前 received/accepted 皆為 0；4 條 missing response lanes、4 步 collection order、next collection candidate、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與 7 條 parallel session recovery outcome lanes 可供 AwoooP 直接顯示；下一個建議收件為 S4.9 Gitea owner attestation；latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`，reviewer audit emitted 仍為 0，不代表 owner response 已收到或任何執行授權 |
 | Low-friction rollout policy | S1.3 已補 7 條 non-blocking escalation lanes；LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 初期只能 observe / warn；`owner_review_required_before_blocking=true`、`runtime_blocking_allowed=false` |
 | IwoooS frontend posture | S2.8 已新增 `/iwooos` read-only Information Security 入口；顯示 Security Posture / Exposure、source-control supply chain、Kali 112 Mesh、approval boundary、non-blocking lanes 與 evidence refs；不新增執行按鈕 |
-| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；S2.13 已補 7 個 owner evidence readiness items；S2.14 已補 3 個 host coverage items：Kali 112、開發主機 168、開發主機 111；S2.15 已補 6 個 host action gate items；仍不新增 action button |
+| IwoooS posture projection | S2.9 已新增 `iwooos_posture_projection_v1`；S2.10 已把 10 個既有前端資安相關頁面納入 projection；S2.11 已補 4 個 coverage groups 與 5 個 conflict controls；S2.12 已補 6 個只讀 operator journey steps；S2.13 已補 7 個 owner evidence readiness items；S2.14 已補 3 個 host coverage items：Kali 112、開發主機 168、開發主機 111；S2.15 已補 6 個 host action gate items；S2.16 已補 7 個 host evidence readiness items；仍不新增 action button |
 | Dry-run | `contract_defined_not_executed`；已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`，latest local validation 為 `repo_snapshot_guard_pass`，仍不代表 production ingestion |
 | Runtime actions | `false` |
 | Payload ingestion | `false` |
@@ -99,6 +99,7 @@
 | S2.13 IwoooS owner evidence readiness board | framework detail | 0 | 只顯示 headline 進度下一步需要的 owner evidence / approval gate，received / accepted 仍為 0，不代表 owner response received、approval、runtime gate、Kali scan 或 GitHub primary 授權 |
 | S2.14 IwoooS host coverage view | framework detail | 0 | 只顯示 Kali 112 與 168 / 111 開發主機已納入 observe-only 資安視野，不代表 active scan、SSH 變更、主機更新、credentialed scan、runtime gate 或 Kali `/execute` 授權 |
 | S2.15 IwoooS host action gate matrix | framework detail | 0 | 只把 active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update 與 runtime blocking control 拆成只讀 gate，不代表任何主機動作或 runtime enforcement 已批准 |
+| S2.16 IwoooS host evidence readiness board | framework detail | 0 | 只顯示主機動作前仍缺 scope、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion evidence；received / accepted 仍為 0，不代表任何主機動作已批准 |
 
 headline 進度要再往上，至少需要下列任一高層 gate 有實質 evidence：
 
diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
index fa338bd1..957afd64 100644
--- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
@@ -4,7 +4,7 @@
 |------|------|
 | 日期 | 2026-05-17 |
 | 狀態 | S0/S1 read-only evidence 建置中 |
-| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix |
+| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board |
 | 原則 | 低摩擦分階段；文件、schema、read-only evidence 優先；不做 runtime enforcement、不切 primary |
 
 ## 0. 本階段完成後整體進度
@@ -75,6 +75,7 @@ python3 scripts/security/security-mirror-progress-guard.py
 | S2.13 IwoooS owner evidence readiness board | 已完成草案，將 S4.9 / S4.10 / S4.11 / S4.12 owner response、redacted finding ingestion、Kali scan scope、follow-up runtime gate 固定為 7 個只讀 readiness items | 0 |
 | S2.14 IwoooS host coverage view | 已完成草案，將 Kali 112、開發主機 168、開發主機 111 固定為 3 個只讀 host coverage items；active scan、SSH 變更、主機更新、credentialed scan 與 runtime control 仍未批准 | 0 |
 | S2.15 IwoooS host action gate matrix | 已完成草案，將 active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update、runtime blocking control 固定為 6 個只讀 gate items | 0 |
+| S2.16 IwoooS host evidence readiness board | 已完成草案，將 scope boundary、owner decision、credential handling、maintenance window、rollback plan、validation metrics、redacted ingestion 固定為 7 個只讀 readiness items | 0 |
 
 headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收，或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。
 
@@ -109,6 +110,7 @@ headline 要再往上，需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
 | S2.13 IwoooS Owner Evidence Readiness | 完成草案 | `/iwooos` 新增 owner evidence readiness board，顯示下一步真正影響 headline progress 的 7 個 evidence / gate 缺口 | 使用者能理解為什麼 58% 不應灌水提高；全部 received / accepted 仍為 0，不新增執行控制 |
 | S2.14 IwoooS Host Coverage View | 完成草案 | `/iwooos` 新增主機覆蓋視圖，明確顯示 Kali 112 與 168 / 111 兩台開發主機已納入 observe-only 資安視野 | 使用者能看到指定主機已納管到資安架構視圖；仍不新增 SSH、scan、update、execute、credentialed scan 或 blocking control |
 | S2.15 IwoooS Host Action Gate Matrix | 完成草案 | `/iwooos` 新增主機動作 gate 矩陣，將 active scan、credentialed scan、Kali `/execute`、SSH / host change、Kali update 與 runtime blocking control 拆成只讀 gate | 使用者能看懂主機動作為什麼仍需人工批准；仍不新增任何主機操作或 runtime enforcement |
+| S2.16 IwoooS Host Evidence Readiness | 完成草案 | `/iwooos` 新增主機 evidence readiness board，顯示主機動作前仍缺 scope、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion evidence | 使用者能看懂主機行動前置證據，不會把規劃誤認為已批准；仍不新增任何主機操作 |
 | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items：7 pending、1 block candidate、0 approved | 不得繞過人工批准；批准後仍需 follow-up runtime gate |
 | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策，不可執行 gate item |
 | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立；目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策，不可把決策當執行 |
diff --git a/docs/security/iwooos-posture-projection.snapshot.json b/docs/security/iwooos-posture-projection.snapshot.json
index 32f80b7d..7e00a26d 100644
--- a/docs/security/iwooos-posture-projection.snapshot.json
+++ b/docs/security/iwooos-posture-projection.snapshot.json
@@ -41,7 +41,8 @@
     "operator_journey_step_count": 6,
     "owner_evidence_readiness_item_count": 7,
     "host_coverage_item_count": 3,
-    "host_action_gate_item_count": 6
+    "host_action_gate_item_count": 6,
+    "host_evidence_readiness_item_count": 7
   },
   "progress": {
     "overall_percent": 58,
@@ -117,6 +118,7 @@
     "display_owner_evidence_readiness_board",
     "display_host_coverage_view",
     "display_host_action_gate_matrix",
+    "display_host_evidence_readiness_board",
     "display_evidence_refs",
     "display_next_gate",
     "display_forbidden_actions"
@@ -140,6 +142,9 @@
     "auto_update_host",
     "run_host_package_upgrade",
     "apply_runtime_blocking_control",
+    "mark_host_evidence_received",
+    "mark_host_evidence_accepted",
+    "ingest_raw_host_evidence",
     "production_deploy",
     "treat_progress_as_authorization"
   ],
@@ -766,5 +771,154 @@
       "action_buttons_allowed": false,
       "not_authorization": true
     }
+  ],
+  "host_evidence_readiness_items": [
+    {
+      "item_id": "host_scope_boundary_evidence",
+      "display_order": 1,
+      "related_hosts": [
+        "192.168.0.112",
+        "192.168.0.168",
+        "192.168.0.111"
+      ],
+      "required_gate": "kali_scan_scope_approval_v1",
+      "evidence_state": "waiting_redacted_scope_approval",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "evidence_readiness_only",
+      "active_scan_authorized": false,
+      "credentialed_scan_authorized": false,
+      "ssh_change_authorized": false,
+      "host_update_authorized": false,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "host_owner_decision_record_evidence",
+      "display_order": 2,
+      "related_hosts": [
+        "192.168.0.112",
+        "192.168.0.168",
+        "192.168.0.111"
+      ],
+      "required_gate": "security_approval_decision_record_v1",
+      "evidence_state": "waiting_human_decision_record",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "evidence_readiness_only",
+      "active_scan_authorized": false,
+      "credentialed_scan_authorized": false,
+      "ssh_change_authorized": false,
+      "host_update_authorized": false,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "host_credential_handling_evidence",
+      "display_order": 3,
+      "related_hosts": [
+        "192.168.0.112",
+        "192.168.0.168",
+        "192.168.0.111"
+      ],
+      "required_gate": "credential_handling_review_before_credentialed_scan",
+      "evidence_state": "credential_material_collection_forbidden_waiting_policy",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "evidence_readiness_only",
+      "active_scan_authorized": false,
+      "credentialed_scan_authorized": false,
+      "ssh_change_authorized": false,
+      "host_update_authorized": false,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "host_maintenance_window_evidence",
+      "display_order": 4,
+      "related_hosts": [
+        "192.168.0.112",
+        "192.168.0.168",
+        "192.168.0.111"
+      ],
+      "required_gate": "security_approval_gate_v1_with_maintenance_window",
+      "evidence_state": "waiting_maintenance_window",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "evidence_readiness_only",
+      "active_scan_authorized": false,
+      "credentialed_scan_authorized": false,
+      "ssh_change_authorized": false,
+      "host_update_authorized": false,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "host_rollback_plan_evidence",
+      "display_order": 5,
+      "related_hosts": [
+        "192.168.0.112",
+        "192.168.0.168",
+        "192.168.0.111"
+      ],
+      "required_gate": "security_approval_gate_v1_with_change_plan_and_rollback_evidence",
+      "evidence_state": "waiting_rollback_plan",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "evidence_readiness_only",
+      "active_scan_authorized": false,
+      "credentialed_scan_authorized": false,
+      "ssh_change_authorized": false,
+      "host_update_authorized": false,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "host_validation_metrics_evidence",
+      "display_order": 6,
+      "related_hosts": [
+        "192.168.0.112",
+        "192.168.0.168",
+        "192.168.0.111"
+      ],
+      "required_gate": "security_followup_runtime_gate_v1_post_check",
+      "evidence_state": "waiting_post_check_metrics",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "evidence_readiness_only",
+      "active_scan_authorized": false,
+      "credentialed_scan_authorized": false,
+      "ssh_change_authorized": false,
+      "host_update_authorized": false,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    },
+    {
+      "item_id": "host_redacted_ingestion_evidence",
+      "display_order": 7,
+      "related_hosts": [
+        "192.168.0.112",
+        "192.168.0.168",
+        "192.168.0.111"
+      ],
+      "required_gate": "security_finding_v1_redacted_payload_acceptance",
+      "evidence_state": "waiting_redacted_payload_acceptance_payloads_ingested_false",
+      "received_count": 0,
+      "accepted_count": 0,
+      "display_mode": "evidence_readiness_only",
+      "active_scan_authorized": false,
+      "credentialed_scan_authorized": false,
+      "ssh_change_authorized": false,
+      "host_update_authorized": false,
+      "runtime_execution_authorized": false,
+      "action_buttons_allowed": false,
+      "not_authorization": true
+    }
   ]
 }
diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json
index 96a3df4e..eb209c85 100644
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
@@ -696,6 +696,18 @@
       "runtime_delta": false,
       "execution_authorized": false,
       "not_authorization": true
+    },
+    {
+      "delta_id": "s2_16_iwooos_host_evidence_readiness_board",
+      "display_order": 45,
+      "completed_stage": "S2.16 IwoooS host evidence readiness board",
+      "progress_axis": "framework_detail",
+      "headline_percent_delta": 0,
+      "framework_delta_visible": true,
+      "why_headline_unchanged": "IwoooS host evidence readiness board 只顯示主機掃描、SSH/host change、Kali update 與 runtime blocking 前仍缺 scope、owner decision、credential handling、maintenance window、rollback、validation metrics 與 redacted ingestion evidence；received / accepted 仍為 0，所有主機動作授權仍為 false。",
+      "runtime_delta": false,
+      "execution_authorized": false,
+      "not_authorization": true
     }
   ],
   "next_safe_actions": [
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index 1353dbd3..1fdceb0e 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -167,6 +167,7 @@ def validate(root: Path) -> None:
         "s2_13_iwooos_owner_evidence_readiness_board",
         "s2_14_iwooos_host_coverage_view",
         "s2_15_iwooos_host_action_gate_matrix",
+        "s2_16_iwooos_host_evidence_readiness_board",
     ]
     assert_equal(
         "progress_delta_ledger.delta_ids",
@@ -348,6 +349,15 @@ def validate(root: Path) -> None:
         "kali_host_update_gate",
         "runtime_blocking_control_gate",
     ]
+    expected_iwooos_host_evidence_readiness_item_ids = [
+        "host_scope_boundary_evidence",
+        "host_owner_decision_record_evidence",
+        "host_credential_handling_evidence",
+        "host_maintenance_window_evidence",
+        "host_rollback_plan_evidence",
+        "host_validation_metrics_evidence",
+        "host_redacted_ingestion_evidence",
+    ]
     assert_equal(
         "iwooos_projection.summary.frontend_surface_coverage_group_count",
         iwooos_projection["summary"]["frontend_surface_coverage_group_count"],
@@ -378,6 +388,11 @@ def validate(root: Path) -> None:
         iwooos_projection["summary"]["host_action_gate_item_count"],
         len(expected_iwooos_host_action_gate_item_ids),
     )
+    assert_equal(
+        "iwooos_projection.summary.host_evidence_readiness_item_count",
+        iwooos_projection["summary"]["host_evidence_readiness_item_count"],
+        len(expected_iwooos_host_evidence_readiness_item_ids),
+    )
     iwooos_progress = iwooos_projection["progress"]
     assert_equal("iwooos_projection.progress.overall_percent", iwooos_progress["overall_percent"], progress["overall_percent"])
     assert_equal(
@@ -662,6 +677,61 @@ def validate(root: Path) -> None:
             f"iwooos_projection.host_action_gate_items.{item['action_id']}.not_authorization",
             item["not_authorization"],
         )
+    iwooos_host_evidence_readiness = iwooos_projection["host_evidence_readiness_items"]
+    assert_equal(
+        "iwooos_projection.host_evidence_readiness_items.ids",
+        [item["item_id"] for item in iwooos_host_evidence_readiness],
+        expected_iwooos_host_evidence_readiness_item_ids,
+    )
+    assert_equal(
+        "iwooos_projection.host_evidence_readiness_items.display_order",
+        [item["display_order"] for item in iwooos_host_evidence_readiness],
+        list(range(1, len(expected_iwooos_host_evidence_readiness_item_ids) + 1)),
+    )
+    for item in iwooos_host_evidence_readiness:
+        assert_equal(
+            f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.display_mode",
+            item["display_mode"],
+            "evidence_readiness_only",
+        )
+        assert_equal(
+            f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.received_count",
+            item["received_count"],
+            0,
+        )
+        assert_equal(
+            f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.accepted_count",
+            item["accepted_count"],
+            0,
+        )
+        assert_false(
+            f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.active_scan_authorized",
+            item["active_scan_authorized"],
+        )
+        assert_false(
+            f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.credentialed_scan_authorized",
+            item["credentialed_scan_authorized"],
+        )
+        assert_false(
+            f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.ssh_change_authorized",
+            item["ssh_change_authorized"],
+        )
+        assert_false(
+            f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.host_update_authorized",
+            item["host_update_authorized"],
+        )
+        assert_false(
+            f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.runtime_execution_authorized",
+            item["runtime_execution_authorized"],
+        )
+        assert_false(
+            f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.action_buttons_allowed",
+            item["action_buttons_allowed"],
+        )
+        assert_true(
+            f"iwooos_projection.host_evidence_readiness_items.{item['item_id']}.not_authorization",
+            item["not_authorization"],
+        )
     assert_equal(
         "iwooos_projection.non_blocking_lane_ids",
         iwooos_projection["non_blocking_lane_ids"],
@@ -686,6 +756,7 @@ def validate(root: Path) -> None:
         "display_owner_evidence_readiness_board",
         "display_host_coverage_view",
         "display_host_action_gate_matrix",
+        "display_host_evidence_readiness_board",
         "display_evidence_refs",
         "display_forbidden_actions",
     ]:
@@ -706,6 +777,9 @@ def validate(root: Path) -> None:
         "auto_update_host",
         "run_host_package_upgrade",
         "credentialed_scan_host",
+        "mark_host_evidence_received",
+        "mark_host_evidence_accepted",
+        "ingest_raw_host_evidence",
         "apply_runtime_blocking_control",
         "switch_github_primary",
         "production_deploy",