From cec38a4eddfdeeb05a8863eae6ac70dfd4c0476c Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 13 May 2026 11:51:44 +0800 Subject: [PATCH] docs(security): add mirror acceptance contract [skip ci] --- docs/LOGBOOK.md | 22 +++ .../security_mirror_acceptance_v1.schema.json | 138 +++++++++++++++ ...WOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md | 5 +- ...ECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md | 24 ++- docs/security/SECURITY-MIRROR-ACCEPTANCE.md | 59 +++++++ docs/security/SECURITY-MIRROR-INTAKE-PLAN.md | 11 +- docs/security/SECURITY-MIRROR-READINESS.md | 11 +- docs/security/SECURITY-MIRROR-ROUTE.md | 6 +- ...SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md | 3 +- .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 11 +- .../security-mirror-acceptance.snapshot.json | 166 ++++++++++++++++++ ...security-mirror-event-sample.snapshot.json | 9 +- .../security-mirror-intake-plan.snapshot.json | 13 +- .../security-mirror-readiness.snapshot.json | 14 +- .../security-mirror-route.snapshot.json | 12 +- ...pply-chain-contract-manifest.snapshot.json | 24 ++- 16 files changed, 486 insertions(+), 42 deletions(-) create mode 100644 docs/schemas/security_mirror_acceptance_v1.schema.json create mode 100644 docs/security/SECURITY-MIRROR-ACCEPTANCE.md create mode 100644 docs/security/security-mirror-acceptance.snapshot.json diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 97dcf64f..fe7948f8 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,25 @@ +## 2026-05-13 | 資安供應鏈 S2.4:AwoooP 鏡像驗收契約 + +**背景**:S2.3 已建立 `security_mirror_route_v1`,讓 AwoooP 知道每個 contract 應該進入哪些只讀目的地與 review lane。本輪補上只讀鏡像驗收契約,避免 AwoooP 接入時因 contract count、route coverage、event envelope 或 redaction 不一致而各自猜測。 + +**本次交付**: +- 新增 `docs/schemas/security_mirror_acceptance_v1.schema.json`。 +- 新增 `docs/security/security-mirror-acceptance.snapshot.json`,定義 7 個 acceptance checks。 +- 新增 `docs/security/SECURITY-MIRROR-ACCEPTANCE.md`,以繁體中文說明驗收、可做 / 不可做與階段定位。 +- 更新資安供應鏈 manifest,contract 數量從 23 增至 24。 +- 更新鏡像 readiness、接收計畫、事件範例、路由矩陣、AwoooP mirror-only checklist、AwoooP handoff 與整體進度。 + +**累積狀態**: +- 鏡像 readiness 目前為 24 個 contracts:21 個 ready for mirror、2 個 partial ready、1 個 contract-only、0 個 blocked。 +- `security_mirror_acceptance_v1` 只驗收 mirror ingestion,不是 runtime blocker。 +- Blocking check 只針對鏡像資料本身不完整或不脫敏;不阻擋產品、部署或使用者流程。 + +**邊界**: +- 沒有新增 runtime endpoint、DB migration、model 或執行 action。 +- 沒有新增執行按鈕。 +- 沒有啟動 scan、呼叫 Kali `/execute`、建立 repo、修改 visibility、sync refs 或切 GitHub primary。 +- 沒有保存 raw secret、token、cookie、private key 或 exploit payload。 + ## 2026-05-13 | 資安供應鏈 S2.3:AwoooP 鏡像路由矩陣 **背景**:S2.2 已建立 `security_mirror_event_v1`,讓每筆鏡像 payload 都帶明確不可執行的信封。本輪補上 AwoooP 只讀消費時的路由矩陣,讓另一個 Session 接資料時知道哪些 contract 進 Operator Console、Runtime State、Channel Event、Audit evidence、Approval Queue,避免各自猜測。 diff --git a/docs/schemas/security_mirror_acceptance_v1.schema.json b/docs/schemas/security_mirror_acceptance_v1.schema.json new file mode 100644 index 00000000..d7544c6d --- /dev/null +++ b/docs/schemas/security_mirror_acceptance_v1.schema.json @@ -0,0 +1,138 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "urn:awoooi:security-mirror-acceptance-v1", + "title": "AWOOOI Security Supply Chain Mirror Acceptance (v1)", + "description": "定義 AwoooP 只讀鏡像資安供應鏈 contracts 時的驗收條件。此契約不授權 runtime execution。", + "type": "object", + "required": [ + "schema_version", + "status", + "date", + "mode", + "runtime_execution_authorized", + "source_indexes", + "summary", + "acceptance_checks", + "forbidden_actions" + ], + "properties": { + "schema_version": { + "const": "security_mirror_acceptance_v1" + }, + "status": { + "type": "string", + "enum": ["draft"] + }, + "date": { + "type": "string" + }, + "mode": { + "type": "string", + "enum": ["mirror_only"] + }, + "runtime_execution_authorized": { + "type": "boolean", + "const": false + }, + "source_indexes": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "summary": { + "type": "object", + "required": [ + "total_contracts", + "ready_for_mirror_count", + "route_group_count", + "acceptance_check_count", + "blocking_check_count" + ], + "properties": { + "total_contracts": { + "type": "integer", + "minimum": 0 + }, + "ready_for_mirror_count": { + "type": "integer", + "minimum": 0 + }, + "route_group_count": { + "type": "integer", + "minimum": 0 + }, + "acceptance_check_count": { + "type": "integer", + "minimum": 0 + }, + "blocking_check_count": { + "type": "integer", + "minimum": 0 + } + }, + "additionalProperties": false + }, + "acceptance_checks": { + "type": "array", + "minItems": 1, + "items": { + "type": "object", + "required": [ + "check_id", + "title", + "expected_result", + "evidence_refs", + "blocking_if_failed", + "allowed_processing", + "blocked_processing" + ], + "properties": { + "check_id": { + "type": "string" + }, + "title": { + "type": "string" + }, + "expected_result": { + "type": "string" + }, + "evidence_refs": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "blocking_if_failed": { + "type": "boolean" + }, + "allowed_processing": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "blocked_processing": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + } + }, + "additionalProperties": false + } + }, + "forbidden_actions": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + } + }, + "additionalProperties": false +} diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md index fb1b6770..402075ac 100644 --- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md +++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md @@ -33,6 +33,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `security_mirror_intake_plan_v1` | AwoooP mirror-only intake waves / destinations / acceptance gates | Operator Console、Runtime State、Channel Event、Audit、Approval Queue | mirror-only | 只照 wave 讀取與顯示,不執行 intake item | | `security_mirror_event_v1` | AwoooP mirror-only event envelope | Operator Console、Runtime State、Channel Event、Audit、Approval Queue | mirror-only | 每筆 event 必須 `execution_authorized=false`、`action_buttons_allowed=false` | | `security_mirror_route_v1` | AwoooP 鏡像路由矩陣 | Operator Console、Runtime State、Channel Event、Audit、Approval Queue | mirror-only | 只決定目的地、channel policy 與 review lane,不作 execution router | +| `security_mirror_acceptance_v1` | AwoooP 鏡像驗收契約 | Operator Console、Runtime State、Audit | mirror-only | 只驗收 contract count、event envelope、route coverage、redaction;不作 runtime blocker | | `coding_task_v1` | Code Review / Codex Security / manual review | Approval candidate、Channel Event、Audit | suggest-only | 不自動開 patch runner、不自動 merge | | `source_control_migration_event_v1` | Gitea/GitHub branch/tag/SHA diff | Supply-chain evidence、Approval candidate | mirror-only | 不觸發 deploy、不切換 primary | | `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 不保存 token value、不刪除或停用 Gitea repo | @@ -83,10 +84,11 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `kali_integration_status_v1.status=partial_runtime_health_integrated` | `observe` | 顯示 Kali 112 health、更新紀錄、缺口與 approval gates;不得直接掃描 | | `kali_scan_scope_approval_v1.status=draft_waiting_approval` | `approve_required` | 顯示 Kali 112、111/168、核心主機、公開網站 scope 與 gate;不得執行 scan | | `security_approval_queue_v1.status=draft` | `approve_required` | 顯示 8 個 queue items、review order 與 blocked reason;不得執行 item | -| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 23 個 contracts 的 readiness;不得把 readiness 當 execution authorization | +| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 24 個 contracts 的 readiness;不得把 readiness 當 execution authorization | | `security_mirror_intake_plan_v1.status=draft` | `observe` | 顯示 5 個 intake waves 與 4 個 acceptance gates;不得執行 wave | | `security_mirror_event_v1.execution_authorized=false` | `observe` | 只包裝鏡像 payload,明確不授權執行、不顯示執行按鈕 | | `security_mirror_route_v1.status=draft` | `observe` | 顯示 5 個 route groups、channel policy 與 review lane;不得轉成 execution router | +| `security_mirror_acceptance_v1.status=draft` | `observe` | 顯示 7 個 acceptance checks;只可驗收鏡像資料,不得阻擋 runtime | | `coding_task_v1.risk=LOW|MEDIUM` | `warn` | 可排入 Codex patch-only backlog | | `coding_task_v1.risk=HIGH|CRITICAL` | `approve_required` | 必須指定 `critic`、`vuln-verifier` | | `source_control_migration_event_v1.status=blocked` | `observe` | 顯示 blocking reason,不允許切 primary | @@ -155,6 +157,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | Security mirror intake plan | `docs/security/security-mirror-intake-plan.snapshot.json` / `docs/security/SECURITY-MIRROR-INTAKE-PLAN.md` | | 資安鏡像事件契約 | `docs/security/security-mirror-event-sample.snapshot.json` / `docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md` | | 資安鏡像路由矩陣 | `docs/security/security-mirror-route.snapshot.json` / `docs/security/SECURITY-MIRROR-ROUTE.md` | +| 資安鏡像驗收契約 | `docs/security/security-mirror-acceptance.snapshot.json` / `docs/security/SECURITY-MIRROR-ACCEPTANCE.md` | | 本機 repo canonical lineage snapshot | `docs/security/local-repo-canonical-ewoooc-momo.snapshot.json` / `docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md` | | Internal 110 refs snapshot | `docs/security/git-remote-refs-bitan-tsenyang.snapshot.json` / `docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md` | | wooo-infra-config refs snapshot | `docs/security/git-remote-refs-wooo-infra-config.snapshot.json` / `docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md` | diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index a8617bfa..4ada86c1 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md @@ -73,7 +73,7 @@ ```text Kali / Code Review / GitHub / Gitea / Codex -> security_supply_chain_contract_manifest_v1 - -> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1 + -> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1 -> AWOOOI ingestion / asset_inventory / AIOps KPI / AOL -> mirror 到 AwoooP Runtime State / Channel Event / Audit -> AwoooP Policy / Approval / Exception / Operator Console @@ -143,7 +143,7 @@ Schema:`docs/schemas/security_mirror_readiness_v1.schema.json` Snapshot:`docs/security/security-mirror-readiness.snapshot.json` -目前 readiness:23 個 contracts,20 個 ready for mirror,2 個 partial ready,1 個 contract-only,0 個 blocked。所有 contract 都是 `execution_allowed=false`。 +目前 readiness:24 個 contracts,21 個 ready for mirror,2 個 partial ready,1 個 contract-only,0 個 blocked。所有 contract 都是 `execution_allowed=false`。 AwoooP 初期處理方式:先 mirror readiness index,再依 readiness 分批 mirror 其他 snapshots;不得把 readiness 當 execution authorization。 @@ -179,10 +179,22 @@ Schema:`docs/schemas/security_mirror_route_v1.schema.json` Snapshot:`docs/security/security-mirror-route.snapshot.json` -目前 route:5 個 route groups,涵蓋 23 個 contracts;所有 route 都是 `runtime_execution_authorized=false`。 +目前 route:5 個 route groups,涵蓋 24 個 contracts;所有 route 都是 `runtime_execution_authorized=false`。 AwoooP 初期處理方式:只依 route group 顯示 Operator Console / Runtime State / Channel Event / Audit / Approval Queue,不把 route 轉成 execution router。 +### `security_mirror_acceptance_v1` + +用途:定義 AwoooP 接收 mirror-only 資安資料時的驗收 checks,避免 contract count、event envelope、route coverage 或 redaction 不一致。 + +Schema:`docs/schemas/security_mirror_acceptance_v1.schema.json` + +Snapshot:`docs/security/security-mirror-acceptance.snapshot.json` + +目前 acceptance:7 個 checks;其中 blocking checks 只阻擋不完整或未脫敏的鏡像資料,不阻擋 runtime。 + +AwoooP 初期處理方式:顯示驗收結果與失敗原因;不得把 acceptance contract 轉成 runtime blocker 或 execution queue。 + ### `security_rollout_policy_v1` 用途:定義 Security Supply Chain 初期的低摩擦 rollout policy,避免把 observation 全部變成 blocking controls。 @@ -215,7 +227,7 @@ Schema:`docs/schemas/security_supply_chain_contract_manifest_v1.schema.json` "schema_version": "security_supply_chain_contract_manifest_v1", "status": "draft", "default_enforcement_level": "mirror_only", - "contract_count": 23 + "contract_count": 24 } ``` @@ -629,7 +641,9 @@ Console 初期不提供高風險執行按鈕。 2026-05-12 contract manifest 追加:已新增 `docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`、`docs/security/security-supply-chain-contract-manifest.snapshot.json` 與 `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md`。AwoooP 應先讀 manifest 作為 mirror-only contract registry,不把 manifest 當 execution router。 -2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json`、`docs/security/security-mirror-route.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 23 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queue;route 只決定目的地、channel policy 與 review lane,不是 execution router。 +2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json`、`docs/security/security-mirror-route.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 24 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queue;route 只決定目的地、channel policy 與 review lane,不是 execution router。 + +2026-05-13 mirror acceptance 追加:已新增 `docs/schemas/security_mirror_acceptance_v1.schema.json`、`docs/security/security-mirror-acceptance.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ACCEPTANCE.md`。AwoooP 可用 7 個 acceptance checks 驗收 mirror ingestion;blocking checks 只針對 contract count mismatch、缺 event envelope、route coverage 不完整或未脫敏 evidence,不得阻擋 runtime 流程。 2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json`、`docs/security/kali-integration-status.snapshot.json` 與 `docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up;已 targeted update `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence,但不得直接啟動 scan、credentialed scan 或 `/execute`。 diff --git a/docs/security/SECURITY-MIRROR-ACCEPTANCE.md b/docs/security/SECURITY-MIRROR-ACCEPTANCE.md new file mode 100644 index 00000000..c18f23cb --- /dev/null +++ b/docs/security/SECURITY-MIRROR-ACCEPTANCE.md @@ -0,0 +1,59 @@ +# 資安鏡像驗收契約 + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-05-13 | +| 狀態 | 草案 | +| Schema | `docs/schemas/security_mirror_acceptance_v1.schema.json` | +| Snapshot | `docs/security/security-mirror-acceptance.snapshot.json` | +| 模式 | `mirror_only` | +| runtime 執行授權 | `false` | + +## 0. 核心結論 + +`security_mirror_acceptance_v1` 是 AwoooP 接收資安供應鏈 mirror-only 資料時的驗收契約。 + +它不新增功能,也不授權執行。它只定義 AwoooP 在接收前必須看見的條件: + +1. Contract 數量與集合一致。 +2. 每筆鏡像 payload 都有 `security_mirror_event_v1` 信封。 +3. Route group 覆蓋所有 contract。 +4. Evidence 必須脫敏。 +5. LOW / MEDIUM observation 初期不阻擋。 +6. Approval Queue 不等於 execution queue。 +7. Channel Event 初期低噪音。 + +## 1. 驗收 Checks + +| Check | 目的 | 失敗時是否阻擋鏡像 | +|-------|------|--------------------| +| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 24 個 contracts | 是 | +| `EVENT_ENVELOPE_REQUIRED` | 確認每筆 payload 都不可執行、不可顯示執行按鈕 | 是 | +| `ROUTE_GROUP_COVERAGE` | 確認 5 個 route groups 覆蓋所有 contracts | 是 | +| `REDACTION_ONLY` | 確認不保存 raw sensitive value | 是 | +| `LOW_MEDIUM_NOT_BLOCKING` | 確認低中風險 observation 初期只 observe / warn | 否 | +| `APPROVAL_IS_NOT_EXECUTION` | 確認 approval 只留痕、不自動執行 | 否 | +| `CHANNEL_LOW_NOISE` | 確認通知低噪音 | 否 | + +## 2. AwoooP 可做 + +1. 顯示驗收結果。 +2. 顯示哪個 check 失敗。 +3. 將失敗 evidence 留在 Audit evidence。 +4. 對 blocking check 失敗時暫停鏡像該批 payload。 +5. 對非 blocking check 失敗時顯示 warn,保留低摩擦 rollout。 + +## 3. AwoooP 不可做 + +1. 不把驗收契約轉成 runtime blocker。 +2. 不把 Approval Queue 接成 execution queue。 +3. 不自動補猜缺失 contract。 +4. 不保存 raw secret、token、cookie、private key 或 exploit payload。 +5. 不啟動 Kali scan。 +6. 不建立 repo、不修改 visibility、不 sync refs、不切 GitHub primary。 + +## 4. 階段定位 + +S2.4 的目標是讓 AwoooP 消費 mirror-only 資安資料時有共同驗收語言。 + +它仍然屬於框架期,不是收緊期;只有「鏡像資料本身不完整或不脫敏」才阻擋該批 mirror ingestion,不阻擋產品、部署或使用者流程。 diff --git a/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md b/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md index 52d8f7b5..12ef852a 100644 --- a/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md +++ b/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md @@ -19,7 +19,7 @@ | Wave | 目的 | 主要 contracts | Exit gate | |------|------|----------------|-----------| -| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封與鏡像路由矩陣 | readiness / manifest / rollout policy / mirror event / mirror route | 顯示 23 個 contract 且 `execution_allowed=false` | +| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣與驗收契約 | readiness / manifest / rollout policy / mirror event / mirror route / acceptance | 顯示 24 個 contract 且 `execution_allowed=false` | | `M1_kali_visibility` | 顯示 Kali 112、scan scope、approval queue | Kali status / scan scope / approval queue / finding sample | 顯示 5 個 scope groups 與 8 個 queue items,沒有執行按鈕 | | `M2_source_control_visibility` | 顯示 Gitea/GitHub source-control evidence | migration / inventory / refs / approval board | 顯示 blocking reasons,repo/refs actions 全 disabled | | `M3_approval_candidates` | 顯示 approval candidates 與人工決策留痕 | approval events / approval queue / source-control board | 可留痕,不可自動批准或執行 | @@ -30,10 +30,11 @@ 1. 讀取 `security_mirror_readiness_v1`、manifest 與 rollout policy。 2. 使用 `security_mirror_event_v1` 包裝每一筆 mirror payload。 3. 使用 `security_mirror_route_v1` 決定目的地、channel policy 與 review lane。 -4. 將 ready / partial contracts mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence。 -5. 將 approval-only contracts mirror 到 Approval Queue。 -6. 顯示 required reviewers、blocked reason、evidence refs、review order。 -7. 記錄人工決策結果,但不自動執行後續動作。 +4. 使用 `security_mirror_acceptance_v1` 驗收 contract count、event envelope、route coverage 與 redaction。 +5. 將 ready / partial contracts mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence。 +6. 將 approval-only contracts mirror 到 Approval Queue。 +7. 顯示 required reviewers、blocked reason、evidence refs、review order。 +8. 記錄人工決策結果,但不自動執行後續動作。 ## 3. AwoooP 不可做 diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md index 6a7d6e80..deff6a68 100644 --- a/docs/security/SECURITY-MIRROR-READINESS.md +++ b/docs/security/SECURITY-MIRROR-READINESS.md @@ -23,7 +23,7 @@ | 狀態 | 數量 | 說明 | |------|------|------| -| `ready_for_mirror` | 20 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence | +| `ready_for_mirror` | 21 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence | | `partial_ready` | 2 | 可 mirror,但 evidence 仍不完整 | | `contract_only` | 1 | 有 schema / handoff,尚無正式 snapshot | | `blocked` | 0 | 目前沒有禁止 mirror 的 contract | @@ -69,9 +69,10 @@ AwoooP 可以將 ready / partial contracts mirror 到: 1. AwoooP 先 mirror `security_mirror_readiness_v1` 與 `security_supply_chain_contract_manifest_v1`。 2. 再使用 `security_mirror_event_v1` 包裝每一筆 mirror payload。 3. 再 mirror `security_mirror_route_v1`,決定目的地、channel policy 與 review lane。 -4. 再 mirror `security_mirror_intake_plan_v1`,照 wave 執行 read-only intake。 -5. 再 mirror `security_approval_queue_v1`,只顯示 review order。 -6. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 -7. 最後再 mirror source-control 相關 contracts。 +4. 再 mirror `security_mirror_acceptance_v1`,驗收 contract count、event envelope、route coverage 與 redaction。 +5. 再 mirror `security_mirror_intake_plan_v1`,照 wave 執行 read-only intake。 +6. 再 mirror `security_approval_queue_v1`,只顯示 review order。 +7. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 +8. 最後再 mirror source-control 相關 contracts。 整個 S2 不新增 execution router、不新增執行按鈕、不新增 runtime blocker。 diff --git a/docs/security/SECURITY-MIRROR-ROUTE.md b/docs/security/SECURITY-MIRROR-ROUTE.md index cff5147d..aee5c701 100644 --- a/docs/security/SECURITY-MIRROR-ROUTE.md +++ b/docs/security/SECURITY-MIRROR-ROUTE.md @@ -25,7 +25,7 @@ | Route group | 目的 | 初期 channel policy | review lane | |-------------|------|---------------------|-------------| -| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route | `no_channel_event` | `observe` | +| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance | `no_channel_event` | `observe` | | `M1_kali_visibility` | 顯示 Kali 112、111 / 168 scope、approval queue 與 finding sample | `approval_required_only` | `approval_required` | | `M2_source_control_visibility` | 顯示 Gitea / GitHub repo、branch、tag、canonical 差異 | `low_noise_status` | `source_control_review` | | `M3_approval_candidates` | 顯示人工批准候選與留痕 | `approval_required_only` | `approval_required` | @@ -50,9 +50,9 @@ ## 4. 驗收 -S2.3 完成時,AwoooP 主線只需要能讀到: +S2.4 後,AwoooP 主線只需要能讀到: -1. 23 個 contracts。 +1. 24 個 contracts。 2. 5 個 route groups。 3. 所有 route group 都是 `runtime_execution_authorized=false`。 4. Channel Event 初期低噪音。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md index ae757268..5ac4181e 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md @@ -11,7 +11,7 @@ ## 0. 核心結論 -目前 Security Supply Chain 已有 23 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口,避免不同 Session 各自解讀。 +目前 Security Supply Chain 已有 24 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口,避免不同 Session 各自解讀。 初期預設仍是 `mirror_only`。Manifest 不授權 runtime enforcement、不授權 GitHub/Gitea 主控切換、不授權 repo 建立或 refs sync。 @@ -28,6 +28,7 @@ | `security_mirror_intake_plan_v1` | mirror-only | AwoooP mirror-only intake waves 與 acceptance gates | `security-mirror-intake-plan.snapshot.json` | | `security_mirror_event_v1` | mirror-only | AwoooP mirror event envelope | `security-mirror-event-sample.snapshot.json` | | `security_mirror_route_v1` | mirror-only | AwoooP 鏡像目的地、channel policy 與 review lane 路由 | `security-mirror-route.snapshot.json` | +| `security_mirror_acceptance_v1` | mirror-only | AwoooP 只讀鏡像接入驗收 checks | `security-mirror-acceptance.snapshot.json` | | `coding_task_v1` | suggest-only | Code Review 接 Codex patch-only | 無正式 snapshot | | `source_control_migration_event_v1` | mirror-only | Gitea/GitHub refs 差異 | `gitea-github-awoooi`、`clawbot-v5`、`wooo-aiops` | | `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory | public-only / blocked endpoint snapshots | diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 5d245379..c0e42809 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -4,7 +4,7 @@ |------|------| | 日期 | 2026-05-13 | | 狀態 | S0/S1 read-only evidence 建置中 | -| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 | +| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 @@ -20,14 +20,15 @@ | S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff;已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs | | S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 | | S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 | -| S1.4 契約索引 | 完成草案 | 23 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry | +| S1.4 契約索引 | 完成草案 | 24 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry | | S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate | | S1.6 Kali finding / scan scope approval | 完成草案 | `security_finding_v1` sample snapshot 與 `kali_scan_scope_approval_v1` approval package 已建立;111/168 已納入 observe-only scope | 人工批准 safe crawl / credentialed scan / runtime ingestion / full-upgrade gate | | S1.7 Security approval queue | 完成草案 | 8 個 approval queue items 已集中:7 pending approval、1 block candidate;AwoooP 可 mirror 但不得執行 | 先 review redacted finding ingestion,再 review safe crawl / Gitea inventory | -| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 23 個 contracts:20 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 | +| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 24 個 contracts:21 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 | | S2.1 AwoooP mirror-only intake plan | 完成草案 | `security_mirror_intake_plan_v1` 已建立 5 個 intake waves 與 4 個 acceptance gates | AwoooP 主線照 wave mirror,不新增 execution router | | S2.2 AwoooP 鏡像事件信封 | 完成草案 | `security_mirror_event_v1` 已建立,要求每筆鏡像 payload 標示 `execution_authorized=false` 與 `action_buttons_allowed=false` | AwoooP 鏡像 payload 統一信封 | | S2.3 AwoooP 鏡像路由矩陣 | 完成草案 | `security_mirror_route_v1` 已建立 5 個 route groups,定義目的地、channel policy 與 review lane | AwoooP 消費時不猜路由、不新增執行入口 | +| S2.4 AwoooP 鏡像驗收契約 | 完成草案 | `security_mirror_acceptance_v1` 已建立 7 個 acceptance checks;blocking 只針對鏡像資料不完整或未脫敏 | AwoooP 接入時可驗收,不升級成 runtime enforcement | | S3 approval gate | 未開始 | 已定義哪些動作要進 approval | 不得繞過人工批准 | | S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR | @@ -73,6 +74,8 @@ | 資安鏡像事件範例 JSON | `docs/security/security-mirror-event-sample.snapshot.json` | | 資安鏡像路由矩陣 | `docs/security/SECURITY-MIRROR-ROUTE.md` | | 資安鏡像路由矩陣 JSON | `docs/security/security-mirror-route.snapshot.json` | +| 資安鏡像驗收契約 | `docs/security/SECURITY-MIRROR-ACCEPTANCE.md` | +| 資安鏡像驗收契約 JSON | `docs/security/security-mirror-acceptance.snapshot.json` | | 低摩擦 rollout policy | `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md` | | 低摩擦 rollout policy JSON | `docs/security/security-rollout-policy.snapshot.json` | | Security Supply Chain contract manifest | `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md` | @@ -102,6 +105,6 @@ 3. 依 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。 4. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。 5. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。 -6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1` 與 `security_mirror_route_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。 +6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1` 與 `security_mirror_acceptance_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。 7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 8. AwoooP 主線再讀 `security_approval_queue_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order 與 blocked reason,不新增 execution router。 diff --git a/docs/security/security-mirror-acceptance.snapshot.json b/docs/security/security-mirror-acceptance.snapshot.json new file mode 100644 index 00000000..936c657b --- /dev/null +++ b/docs/security/security-mirror-acceptance.snapshot.json @@ -0,0 +1,166 @@ +{ + "schema_version": "security_mirror_acceptance_v1", + "status": "draft", + "date": "2026-05-13", + "mode": "mirror_only", + "runtime_execution_authorized": false, + "source_indexes": [ + "docs/security/security-mirror-readiness.snapshot.json", + "docs/security/security-supply-chain-contract-manifest.snapshot.json", + "docs/security/security-mirror-event-sample.snapshot.json", + "docs/security/security-mirror-route.snapshot.json" + ], + "summary": { + "total_contracts": 24, + "ready_for_mirror_count": 21, + "route_group_count": 5, + "acceptance_check_count": 7, + "blocking_check_count": 4 + }, + "acceptance_checks": [ + { + "check_id": "CONTRACT_COUNT_MATCH", + "title": "契約數量一致", + "expected_result": "AwoooP 讀到 24 個 contracts,且 manifest、readiness、route coverage 的 contract 集合一致。", + "evidence_refs": [ + "docs/security/security-supply-chain-contract-manifest.snapshot.json", + "docs/security/security-mirror-readiness.snapshot.json", + "docs/security/security-mirror-route.snapshot.json" + ], + "blocking_if_failed": true, + "allowed_processing": [ + "顯示 contract count mismatch", + "要求 Security Supply Chain Session 修正 snapshot" + ], + "blocked_processing": [ + "以不完整 contract list 啟動鏡像", + "補猜缺漏 contract", + "忽略 mismatch 後繼續" + ] + }, + { + "check_id": "EVENT_ENVELOPE_REQUIRED", + "title": "鏡像事件信封必填", + "expected_result": "每筆 mirror payload 都帶 `security_mirror_event_v1`,且 `execution_authorized=false`、`action_buttons_allowed=false`。", + "evidence_refs": [ + "docs/security/security-mirror-event-sample.snapshot.json", + "docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md" + ], + "blocking_if_failed": true, + "allowed_processing": [ + "拒收未帶信封的 mirror payload", + "顯示缺失欄位" + ], + "blocked_processing": [ + "自動補成可執行事件", + "顯示執行按鈕", + "把 mirror event 當 approval" + ] + }, + { + "check_id": "ROUTE_GROUP_COVERAGE", + "title": "路由群組覆蓋", + "expected_result": "5 個 route groups 合併後涵蓋 manifest 24 個 contracts,且每個 group 都有 destinations、channel_policy 與 review_lane。", + "evidence_refs": [ + "docs/security/security-mirror-route.snapshot.json", + "docs/security/SECURITY-MIRROR-ROUTE.md" + ], + "blocking_if_failed": true, + "allowed_processing": [ + "顯示 route group 缺漏", + "停留在 observe-only 狀態" + ], + "blocked_processing": [ + "使用 fallback 執行路由", + "把未知 contract 送進 execution queue" + ] + }, + { + "check_id": "REDACTION_ONLY", + "title": "只接受脫敏 evidence", + "expected_result": "Mirror payload 不保存 raw secret、token、cookie、private key 或 exploit payload。", + "evidence_refs": [ + "docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md", + "docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md" + ], + "blocking_if_failed": true, + "allowed_processing": [ + "標示 redaction failed", + "要求來源重新輸出脫敏 snapshot" + ], + "blocked_processing": [ + "保存 raw sensitive value", + "將 secret value 寫入 Runtime State 或 Audit evidence" + ] + }, + { + "check_id": "LOW_MEDIUM_NOT_BLOCKING", + "title": "LOW / MEDIUM 不升級為阻擋", + "expected_result": "LOW / MEDIUM observation 初期只進 observe / warn,不變成 blocking gate。", + "evidence_refs": [ + "docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md", + "docs/security/security-rollout-policy.snapshot.json" + ], + "blocking_if_failed": false, + "allowed_processing": [ + "顯示 observe / warn", + "排入 weekly review" + ], + "blocked_processing": [ + "阻擋 deploy", + "自動封鎖 service", + "要求全 repo 一次升級到最高安全等級" + ] + }, + { + "check_id": "APPROVAL_IS_NOT_EXECUTION", + "title": "Approval Queue 不是執行隊列", + "expected_result": "Approval Queue 只保存候選、review order 與人工決策留痕;批准後執行仍需要下一階段 runtime gate。", + "evidence_refs": [ + "docs/security/SECURITY-APPROVAL-QUEUE.md", + "docs/security/security-approval-queue.snapshot.json", + "docs/security/security-mirror-route.snapshot.json" + ], + "blocking_if_failed": false, + "allowed_processing": [ + "建立 approval candidate", + "記錄人工決策" + ], + "blocked_processing": [ + "auto approve", + "批准後直接執行", + "把 approval queue 接成 runner" + ] + }, + { + "check_id": "CHANNEL_LOW_NOISE", + "title": "Channel Event 低噪音", + "expected_result": "Channel Event 初期只發階段完成、blocked 狀態或人工批准必要事件,不對所有 LOW / MEDIUM observation 發通知。", + "evidence_refs": [ + "docs/security/security-mirror-route.snapshot.json", + "docs/security/SECURITY-MIRROR-ROUTE.md" + ], + "blocking_if_failed": false, + "allowed_processing": [ + "發送低噪音狀態摘要", + "顯示高風險 approval-required 事件" + ], + "blocked_processing": [ + "對所有 observation 發通知", + "用通知量取代 review lane" + ] + } + ], + "forbidden_actions": [ + "start_kali_scan", + "call_kali_execute_endpoint", + "run_credentialed_scan", + "create_github_repo", + "change_repo_visibility", + "sync_git_refs", + "switch_github_primary", + "auto_merge", + "production_deploy", + "store_secret_token_cookie_private_key_or_exploit_payload" + ] +} diff --git a/docs/security/security-mirror-event-sample.snapshot.json b/docs/security/security-mirror-event-sample.snapshot.json index 62adb0c0..2b6d9379 100644 --- a/docs/security/security-mirror-event-sample.snapshot.json +++ b/docs/security/security-mirror-event-sample.snapshot.json @@ -16,8 +16,8 @@ "risk": "LOW", "summary": "AwoooP 可 mirror Security Supply Chain readiness index,但不得把 readiness 視為執行授權。", "payload_summary": { - "total_contracts": 23, - "ready_for_mirror_count": 20, + "total_contracts": 24, + "ready_for_mirror_count": 21, "partial_ready_count": 2, "contract_only_count": 1, "blocked_count": 0, @@ -27,7 +27,8 @@ "docs/security/SECURITY-MIRROR-READINESS.md", "docs/security/security-mirror-readiness.snapshot.json", "docs/security/SECURITY-MIRROR-INTAKE-PLAN.md", - "docs/security/SECURITY-MIRROR-ROUTE.md" + "docs/security/SECURITY-MIRROR-ROUTE.md", + "docs/security/SECURITY-MIRROR-ACCEPTANCE.md" ], "blocked_actions": [ "execute_mirror_item", @@ -39,7 +40,7 @@ "store_secret_value" ], "labels": { - "phase": "S2.2", + "phase": "S2.4", "redacted": "true", "action_surface": "none", "mirror_only": "true" diff --git a/docs/security/security-mirror-intake-plan.snapshot.json b/docs/security/security-mirror-intake-plan.snapshot.json index c1591e6d..dccb0465 100644 --- a/docs/security/security-mirror-intake-plan.snapshot.json +++ b/docs/security/security-mirror-intake-plan.snapshot.json @@ -9,18 +9,20 @@ "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-approval-queue.snapshot.json", "docs/security/security-mirror-event-sample.snapshot.json", - "docs/security/security-mirror-route.snapshot.json" + "docs/security/security-mirror-route.snapshot.json", + "docs/security/security-mirror-acceptance.snapshot.json" ], "intake_waves": [ { "wave_id": "M0_index_bootstrap", - "title": "載入 readiness、manifest、低摩擦 policy 與鏡像路由", + "title": "載入 readiness、manifest、低摩擦 policy、鏡像路由與驗收契約", "contracts": [ "security_mirror_readiness_v1", "security_supply_chain_contract_manifest_v1", "security_rollout_policy_v1", "security_mirror_event_v1", - "security_mirror_route_v1" + "security_mirror_route_v1", + "security_mirror_acceptance_v1" ], "destinations": [ "operator_console", @@ -32,14 +34,15 @@ "顯示 mirror_only enforcement", "顯示 partial_ready / contract_only 原因", "使用 security_mirror_event_v1 包裝 mirror payload", - "依 security_mirror_route_v1 分流目的地與 review lane" + "依 security_mirror_route_v1 分流目的地與 review lane", + "依 security_mirror_acceptance_v1 驗收鏡像資料完整性與脫敏狀態" ], "blocked_processing": [ "runtime_enforcement", "execution_router", "blocking_gate" ], - "exit_gate": "Operator Console 能顯示 23 個 contract、5 個 route groups 與 execution_allowed=false,且 mirror event envelope action_buttons_allowed=false。" + "exit_gate": "Operator Console 能顯示 24 個 contract、5 個 route groups 與 7 個 acceptance checks,且 mirror event envelope action_buttons_allowed=false。" }, { "wave_id": "M1_kali_visibility", diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json index 61cc464b..37102432 100644 --- a/docs/security/security-mirror-readiness.snapshot.json +++ b/docs/security/security-mirror-readiness.snapshot.json @@ -5,8 +5,8 @@ "default_enforcement_level": "mirror_only", "runtime_execution_authorized": false, "summary": { - "total_contracts": 23, - "ready_for_mirror_count": 20, + "total_contracts": 24, + "ready_for_mirror_count": 21, "partial_ready_count": 2, "contract_only_count": 1, "blocked_count": 0 @@ -109,6 +109,16 @@ "human_docs": ["docs/security/SECURITY-MIRROR-ROUTE.md"], "notes": "提供 AwoooP mirror-only route groups、channel policy 與 review lane;不授權執行。" }, + { + "contract": "security_mirror_acceptance_v1", + "readiness": "ready_for_mirror", + "consumption_mode": "mirror_only", + "mirror_allowed": true, + "execution_allowed": false, + "snapshot_paths": ["docs/security/security-mirror-acceptance.snapshot.json"], + "human_docs": ["docs/security/SECURITY-MIRROR-ACCEPTANCE.md"], + "notes": "提供 AwoooP mirror-only ingestion 驗收 checks;不作 runtime blocker。" + }, { "contract": "coding_task_v1", "readiness": "contract_only", diff --git a/docs/security/security-mirror-route.snapshot.json b/docs/security/security-mirror-route.snapshot.json index 111ec86b..f3a2efd3 100644 --- a/docs/security/security-mirror-route.snapshot.json +++ b/docs/security/security-mirror-route.snapshot.json @@ -11,7 +11,7 @@ "docs/security/security-mirror-event-sample.snapshot.json" ], "summary": { - "total_contracts": 23, + "total_contracts": 24, "route_group_count": 5, "channel_event_policy": "初期只對階段完成、blocked 狀態或需要人工批准的高風險候選發低噪音事件;LOW / MEDIUM observation 不發阻擋事件。", "approval_queue_policy": "只有 approval-only、suggest-only 或 blocked-until-approved 項目可進 approval queue;approval queue 不代表可執行。" @@ -25,7 +25,8 @@ "security_rollout_policy_v1", "security_mirror_event_v1", "security_mirror_intake_plan_v1", - "security_mirror_route_v1" + "security_mirror_route_v1", + "security_mirror_acceptance_v1" ], "destinations": [ "operator_console", @@ -38,7 +39,8 @@ "顯示 contract readiness 與 manifest", "顯示 mirror-only policy", "顯示每個 wave 的目的地與 blocked processing", - "要求所有鏡像 payload 使用 security_mirror_event_v1 信封" + "要求所有鏡像 payload 使用 security_mirror_event_v1 信封", + "顯示 security_mirror_acceptance_v1 驗收結果" ], "blocked_processing": [ "新增執行按鈕", @@ -46,7 +48,7 @@ "runtime blocking", "自動批准任何 queue item" ], - "exit_gate": "AwoooP 可顯示 23 個 contract、5 個 route groups,且所有 route 都維持 runtime_execution_authorized=false。" + "exit_gate": "AwoooP 可顯示 24 個 contract、5 個 route groups、7 個 acceptance checks,且所有 route 都維持 runtime_execution_authorized=false。" }, { "wave_id": "M1_kali_visibility", @@ -183,7 +185,7 @@ "acceptance_gates": [ { "gate_id": "ROUTE_COVERS_ALL_CONTRACTS", - "requirement": "route_groups 合併後必須涵蓋 manifest 的 23 個 contracts。" + "requirement": "route_groups 合併後必須涵蓋 manifest 的 24 個 contracts。" }, { "gate_id": "NO_EXECUTION_SURFACE", diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json index f127c91c..53dd763c 100644 --- a/docs/security/security-supply-chain-contract-manifest.snapshot.json +++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json @@ -2,7 +2,7 @@ "schema_version": "security_supply_chain_contract_manifest_v1", "status": "draft", "default_enforcement_level": "mirror_only", - "contract_count": 23, + "contract_count": 24, "contracts": [ { "contract": "security_rollout_policy_v1", @@ -101,7 +101,7 @@ "switch_github_primary", "store_secret_value" ], - "notes": "整理 23 個 Security Supply Chain contracts 的 mirror readiness,供 AwoooP 安全消費。" + "notes": "整理 24 個 Security Supply Chain contracts 的 mirror readiness,供 AwoooP 安全消費。" }, { "contract": "security_mirror_intake_plan_v1", @@ -160,6 +160,26 @@ ], "notes": "定義 AwoooP mirror-only route groups、destination、channel policy 與 review lane;不作 execution router。" }, + { + "contract": "security_mirror_acceptance_v1", + "schema_path": "docs/schemas/security_mirror_acceptance_v1.schema.json", + "snapshot_paths": ["docs/security/security-mirror-acceptance.snapshot.json"], + "human_docs": ["docs/security/SECURITY-MIRROR-ACCEPTANCE.md"], + "consumer": "AwoooP Operator Console / Runtime State / Audit", + "consumption_mode": "mirror_only", + "allowed_actions": ["mirror_acceptance_checks", "display_acceptance_result", "display_blocking_check_failure"], + "forbidden_actions": [ + "execute_acceptance_check", + "runtime_block_product_flow", + "add_action_button", + "start_scan", + "call_execute_endpoint", + "create_repo", + "sync_refs", + "store_secret_value" + ], + "notes": "定義 AwoooP mirror-only ingestion 驗收 checks;只阻擋不完整或未脫敏的鏡像資料,不作 runtime blocker。" + }, { "contract": "coding_task_v1", "schema_path": "docs/schemas/coding_task_v1.schema.json",