chore(cd): deploy 6474717 [skip ci]

apps/web/messages/en.json

@@ -1237,6 +1237,36 @@
         "sourceDetail": "direct {direct} / candidate {candidate} / applied {applied}；原因 {reason}",
         "needsHumanYes": "需要",
         "needsHumanNo": "不需要",
+        "stateLabels": {
+          "verificationDegradedManualRequired": "驗證退化，需人工確認"
+        },
+        "nextActionLabels": {
+          "manualVerifyOrRepair": "人工確認修復狀態；需要時重新送審修復"
+        },
+        "reasonLabels": {
+          "incidentOpenAfterSuccessfulExecution": "自動執行已完成，但 Incident 仍開啟"
+        },
+        "sourceReasonLabels": {
+          "providerHeartbeatPresentButNoIncidentMatch": "Sentry / SigNoz 有新鮮心跳，但沒有匹配到此 Incident"
+        },
+        "handoff": {
+          "eyebrow": "現在要做",
+          "titleManual": "需要人工接手確認",
+          "titleAutomated": "自動鏈路已完成，持續觀察",
+          "titleUnknown": "等待 truth-chain 資料",
+          "actionManualVerifyOrRepair": "到 AwoooP Work Items / Approvals 確認執行證據；若服務仍異常，再重新送審修復，不要直接重啟或靜默關閉。",
+          "actionNoManual": "目前不需要人工介入；保留真相鏈與 Run history 供稽核追蹤。",
+          "actionUnknown": "尚未拿到完整狀態，先等 status-chain 載入完成。",
+          "ownerLabel": "主責",
+          "ownerSre": "SRE owner / AwoooP operator",
+          "ownerAutomation": "AI 自動化鏈路",
+          "entryLabel": "處理入口",
+          "entryManual": "Work Items / Approvals / Runs",
+          "entryReadOnly": "Runs / History",
+          "reasonLabel": "原因",
+          "boundaryLabel": "邊界",
+          "boundary": "只讀追蹤，不觸發修復"
+        },
         "repeatStates": {
           "duplicate": "最新入站重複",
           "related": "同指紋重複",
@@ -1961,12 +1991,12 @@
     "actionGoObservability": "前往可觀測性",
     "actionGoAutomation": "前往自動化",
     "actionGoOperations": "前往營運",
-    "actionGoSecurity": "前往安全合規",
+    "actionGoSecurity": "前往 IwoooS 安全主控台",
     "actionGoKnowledge": "前往知識殿堂",
     "actionGoSettings": "前往設定",
     "actionGoTerminal": "前往終端頁面",
     "actionGoApprovals": "前往授權中心",
-    "actionGoIwooos": "前往 IwoooS"
+    "actionGoIwooos": "前往 IwoooS 資安主控台"
   },
   "aiopsTimeline": {
     "title": "AIOps 全景時序",

apps/web/messages/zh-TW.json

@@ -1237,6 +1237,36 @@
         "sourceDetail": "direct {direct} / candidate {candidate} / applied {applied}；原因 {reason}",
         "needsHumanYes": "需要",
         "needsHumanNo": "不需要",
+        "stateLabels": {
+          "verificationDegradedManualRequired": "驗證退化，需人工確認"
+        },
+        "nextActionLabels": {
+          "manualVerifyOrRepair": "人工確認修復狀態；需要時重新送審修復"
+        },
+        "reasonLabels": {
+          "incidentOpenAfterSuccessfulExecution": "自動執行已完成，但 Incident 仍開啟"
+        },
+        "sourceReasonLabels": {
+          "providerHeartbeatPresentButNoIncidentMatch": "Sentry / SigNoz 有新鮮心跳，但沒有匹配到此 Incident"
+        },
+        "handoff": {
+          "eyebrow": "現在要做",
+          "titleManual": "需要人工接手確認",
+          "titleAutomated": "自動鏈路已完成，持續觀察",
+          "titleUnknown": "等待 truth-chain 資料",
+          "actionManualVerifyOrRepair": "到 AwoooP Work Items / Approvals 確認執行證據；若服務仍異常，再重新送審修復，不要直接重啟或靜默關閉。",
+          "actionNoManual": "目前不需要人工介入；保留真相鏈與 Run history 供稽核追蹤。",
+          "actionUnknown": "尚未拿到完整狀態，先等 status-chain 載入完成。",
+          "ownerLabel": "主責",
+          "ownerSre": "SRE owner / AwoooP operator",
+          "ownerAutomation": "AI 自動化鏈路",
+          "entryLabel": "處理入口",
+          "entryManual": "Work Items / Approvals / Runs",
+          "entryReadOnly": "Runs / History",
+          "reasonLabel": "原因",
+          "boundaryLabel": "邊界",
+          "boundary": "只讀追蹤，不觸發修復"
+        },
         "repeatStates": {
           "duplicate": "最新入站重複",
           "related": "同指紋重複",
@@ -1961,12 +1991,12 @@
     "actionGoObservability": "前往可觀測性",
     "actionGoAutomation": "前往自動化",
     "actionGoOperations": "前往營運",
-    "actionGoSecurity": "前往安全合規",
+    "actionGoSecurity": "前往 IwoooS 安全主控台",
     "actionGoKnowledge": "前往知識殿堂",
     "actionGoSettings": "前往設定",
     "actionGoTerminal": "前往終端頁面",
     "actionGoApprovals": "前往授權中心",
-    "actionGoIwooos": "前往 IwoooS"
+    "actionGoIwooos": "前往 IwoooS 資安主控台"
   },
   "aiopsTimeline": {
     "title": "AIOps 全景時序",

apps/web/src/app/[locale]/alerts/page.tsx

@@ -200,6 +200,26 @@ function FocusIncidentEvidencePanel({
   const sourceStatusLabel = statusLabels[sourceStatus] ?? valueOrEmpty(sourceStatus, emptyLabel)
   const mcpGateway = chain?.mcp?.gateway
   const ansible = chain?.execution?.ansible
+  const outcomeState = String(chain?.operator_outcome?.state ?? '')
+  const nextAction = String(chain?.operator_outcome?.next_action ?? chain?.next_step ?? '')
+  const humanReason = String(chain?.operator_outcome?.human_action_reason ?? '')
+  const sourceReasonCode = String(sourceCorrelation?.missing_reason ?? '')
+  const outcomeStateLabels: Record<string, string> = {
+    verification_degraded_manual_required: t('operatorFlow.stateLabels.verificationDegradedManualRequired'),
+  }
+  const nextActionLabels: Record<string, string> = {
+    manual_verify_or_repair: t('operatorFlow.nextActionLabels.manualVerifyOrRepair'),
+  }
+  const humanReasonLabels: Record<string, string> = {
+    incident_open_after_successful_execution: t('operatorFlow.reasonLabels.incidentOpenAfterSuccessfulExecution'),
+  }
+  const sourceReasonLabels: Record<string, string> = {
+    provider_heartbeat_present_but_no_incident_match: t('operatorFlow.sourceReasonLabels.providerHeartbeatPresentButNoIncidentMatch'),
+  }
+  const outcomeStateLabel = outcomeStateLabels[outcomeState] ?? valueOrEmpty(outcomeState, emptyLabel)
+  const nextActionLabel = nextActionLabels[nextAction] ?? valueOrEmpty(nextAction, emptyLabel)
+  const humanReasonLabel = humanReasonLabels[humanReason] ?? valueOrEmpty(humanReason, emptyLabel)
+  const sourceReasonLabel = sourceReasonLabels[sourceReasonCode] ?? valueOrEmpty(sourceReasonCode, emptyLabel)
   const relatedIncidentIds = chain?.source_refs?.refs?.incident_ids ?? []
   const fingerprint = chain?.source_refs?.refs?.fingerprints?.[0] ?? emptyLabel
   const latestInbound = chain?.source_refs?.latest_inbound
@@ -219,8 +239,49 @@ function FocusIncidentEvidencePanel({
   const latestOutboundLabel = latestOutbound?.sent_at
     ? formatTimestamp(latestOutbound.sent_at, locale, emptyLabel)
     : emptyLabel
-  const sourceReason = valueOrEmpty(sourceCorrelation?.missing_reason, emptyLabel)
   const needsHumanLabel = chain?.needs_human ? t('operatorFlow.needsHumanYes') : t('operatorFlow.needsHumanNo')
+  const handoffTone = !chain ? 'gray' : chain.needs_human ? 'red' : 'green'
+  const handoffTitle = chain?.needs_human
+    ? t('operatorFlow.handoff.titleManual')
+    : chain
+      ? t('operatorFlow.handoff.titleAutomated')
+      : t('operatorFlow.handoff.titleUnknown')
+  const handoffAction = !chain
+    ? t('operatorFlow.handoff.actionUnknown')
+    : chain.needs_human
+      ? t('operatorFlow.handoff.actionManualVerifyOrRepair')
+      : t('operatorFlow.handoff.actionNoManual')
+  const handoffOwner = chain?.needs_human
+    ? t('operatorFlow.handoff.ownerSre')
+    : chain
+      ? t('operatorFlow.handoff.ownerAutomation')
+      : emptyLabel
+  const handoffEntry = chain?.needs_human
+    ? t('operatorFlow.handoff.entryManual')
+    : chain
+      ? t('operatorFlow.handoff.entryReadOnly')
+      : emptyLabel
+  const handoffReason = chain?.needs_human ? humanReasonLabel : valueOrEmpty(chain?.verdict, emptyLabel)
+  const handoffLinks = [
+    {
+      key: 'workItems',
+      label: t('links.workItems'),
+      href: `/awooop/work-items?project_id=${encodedProjectId}&incident_id=${encodedIncidentId}` as never,
+      Icon: ListChecks,
+    },
+    {
+      key: 'approvals',
+      label: t('links.approvals'),
+      href: `/awooop/approvals?project_id=${encodedProjectId}&incident_id=${encodedIncidentId}` as never,
+      Icon: ShieldCheck,
+    },
+    {
+      key: 'runs',
+      label: t('links.runs'),
+      href: `/awooop/runs?project_id=${encodedProjectId}&incident_id=${encodedIncidentId}` as never,
+      Icon: Activity,
+    },
+  ]
   const operatorCards = [
     {
       key: 'repeat',
@@ -259,8 +320,8 @@ function FocusIncidentEvidencePanel({
       title: t('operatorFlow.aiTitle'),
       value: valueOrEmpty(chain?.operator_outcome?.summary_zh ?? chain?.verdict, emptyLabel),
       detail: t('operatorFlow.aiDetail', {
-        state: valueOrEmpty(chain?.operator_outcome?.state, emptyLabel),
-        nextStep: valueOrEmpty(chain?.operator_outcome?.next_action ?? chain?.next_step, emptyLabel),
+        state: outcomeStateLabel,
+        nextStep: nextActionLabel,
         needsHuman: needsHumanLabel,
       }),
       tone: chain?.needs_human ? 'red' : chain ? 'green' : 'gray',
@@ -275,7 +336,7 @@ function FocusIncidentEvidencePanel({
         direct: sourceCorrelation?.direct_ref_total ?? 0,
         candidate: sourceCorrelation?.candidate_total ?? 0,
         applied: sourceCorrelation?.applied_link_total ?? 0,
-        reason: sourceReason,
+        reason: sourceReasonLabel,
       }),
       tone: sourceStatus === 'linked' ? 'green' : sourceStatus === 'missing' ? 'red' : 'amber',
       testId: 'alerts-source-state',
@@ -395,6 +456,53 @@ function FocusIncidentEvidencePanel({
           <p className="text-sm font-semibold text-[#141413]">{t('operatorFlow.title')}</p>
           <p className="mt-1 text-xs leading-5 text-[#77736a]">{t('operatorFlow.subtitle')}</p>
         </div>
+        <div
+          data-testid="alerts-operator-handoff"
+          className={cn(
+            'mb-3 border px-3 py-3',
+            handoffTone === 'green' && 'border-[#9bc7a4] bg-[#f0faf2]',
+            handoffTone === 'red' && 'border-[#e2a29b] bg-[#fff0ef]',
+            handoffTone === 'gray' && 'border-[#d8d3c7] bg-[#faf9f3]',
+          )}
+        >
+          <div className="flex flex-wrap items-start justify-between gap-3">
+            <div className="min-w-0">
+              <p className="text-xs font-semibold text-[#5f5b52]">{t('operatorFlow.handoff.eyebrow')}</p>
+              <p className="mt-1 text-sm font-semibold text-[#141413]">{handoffTitle}</p>
+              <p className="mt-1 text-xs leading-5 text-[#77736a]">{handoffAction}</p>
+            </div>
+            <div className="flex shrink-0 flex-wrap gap-2">
+              {handoffLinks.map(({ key, label, href, Icon }) => (
+                <Link
+                  key={key}
+                  href={href}
+                  className="inline-flex items-center gap-1.5 border border-[#d8d3c7] bg-white/80 px-2.5 py-1.5 text-xs font-semibold text-[#3f3a32] hover:bg-white"
+                >
+                  <Icon className="h-3.5 w-3.5" aria-hidden="true" />
+                  {label}
+                </Link>
+              ))}
+            </div>
+          </div>
+          <div className="mt-3 grid gap-2 md:grid-cols-4">
+            <div className="min-w-0 border border-current/10 bg-white/60 px-2.5 py-2">
+              <p className="text-[11px] font-semibold uppercase text-[#77736a]">{t('operatorFlow.handoff.ownerLabel')}</p>
+              <p className="mt-1 truncate text-xs font-semibold text-[#141413]" title={handoffOwner}>{handoffOwner}</p>
+            </div>
+            <div className="min-w-0 border border-current/10 bg-white/60 px-2.5 py-2">
+              <p className="text-[11px] font-semibold uppercase text-[#77736a]">{t('operatorFlow.handoff.entryLabel')}</p>
+              <p className="mt-1 truncate text-xs font-semibold text-[#141413]" title={handoffEntry}>{handoffEntry}</p>
+            </div>
+            <div className="min-w-0 border border-current/10 bg-white/60 px-2.5 py-2">
+              <p className="text-[11px] font-semibold uppercase text-[#77736a]">{t('operatorFlow.handoff.reasonLabel')}</p>
+              <p className="mt-1 truncate text-xs font-semibold text-[#141413]" title={handoffReason}>{handoffReason}</p>
+            </div>
+            <div className="min-w-0 border border-current/10 bg-white/60 px-2.5 py-2">
+              <p className="text-[11px] font-semibold uppercase text-[#77736a]">{t('operatorFlow.handoff.boundaryLabel')}</p>
+              <p className="mt-1 truncate text-xs font-semibold text-[#141413]" title={t('operatorFlow.handoff.boundary')}>{t('operatorFlow.handoff.boundary')}</p>
+            </div>
+          </div>
+        </div>
         <div className="grid gap-3 md:grid-cols-2 xl:grid-cols-4">
           {operatorCards.map(({ key, Icon, title, value, detail, tone, testId }) => (
             <div

apps/web/src/components/command-palette/CommandPalette.tsx

@@ -17,7 +17,7 @@ import React, { useEffect, useRef, useState, useCallback } from 'react'
 import { useTranslations } from 'next-intl'
 import { useRouter, usePathname } from 'next/navigation'
 import { useLocale } from 'next-intl'
-import { Search, Terminal, Home, Activity, Wrench, Shield, BookOpen, Settings, Zap, GitBranch, Radar } from 'lucide-react'
+import { Search, Terminal, Home, Activity, Wrench, BookOpen, Settings, Zap, GitBranch, Radar } from 'lucide-react'
 import { useTerminalStore } from '@/stores/terminal.store'
 import { Z_INDEX } from '@/lib/constants/z-index'
 
@@ -99,21 +99,23 @@ export function CommandPalette() {
       action: () => nav('/operations'),
       keywords: ['operations', '營運', 'ops'],
     },
-    {
-      id: 'security',
-      label: t('actionGoSecurity'),
-      group: t('groupNav'),
-      icon: <Shield size={14} />,
-      action: () => nav('/security-compliance'),
-      keywords: ['security', '安全', 'compliance', '合規'],
-    },
     {
       id: 'iwooos',
       label: t('actionGoIwooos'),
       group: t('groupNav'),
       icon: <Radar size={14} />,
       action: () => nav('/iwooos'),
-      keywords: ['iwooos', 'information security', '資安網', '資安態勢'],
+      keywords: [
+        'iwooos',
+        'information security',
+        'security',
+        '安全',
+        '安全合規',
+        'compliance',
+        '合規',
+        '資安網',
+        '資安態勢',
+      ],
     },
     {
       id: 'knowledge',

docs/LOGBOOK.md

@@ -1,3 +1,127 @@
+## 2026-06-01｜IwoooS 命令面板資安入口收斂
+
+**背景**：
+
+- 使用者指出「安全合規」與 `IwoooS` 兩個入口容易被理解成兩套資安系統。
+- 主線 sidebar 已收斂成單一 `IwoooS` 資安入口，`/security-compliance` 只保留相容與既有使用者熟悉頁面；本輪補齊命令面板，避免搜尋「安全合規 / compliance」時又回到舊獨立入口。
+
+**本次調整**：
+
+- `apps/web/src/components/command-palette/CommandPalette.tsx`：
+  - 移除命令面板中的獨立 `security` 項目。
+  - 將 `security`、`安全`、`安全合規`、`compliance`、`合規` 等搜尋詞全部收斂到 `IwoooS`，導向 `/iwooos`。
+- `apps/web/messages/zh-TW.json` / `apps/web/messages/en.json`：
+  - 將命令面板顯示文字調整為「前往 IwoooS 資安主控台」；`en.json` 維持繁中鏡像。
+- `docs/security/iwooos-posture-projection.snapshot.json` / `security-mirror-status-rollup.snapshot.json`：
+  - 補上 `command_palette_security_action_unified_to_iwooos=true`、`command_palette_security_compliance_direct_action_allowed=false`、`command_palette_security_keywords_route_to_iwooos=true`。
+  - 新增 `S2.144` 進度 ledger；headline 仍不增加，因為這是入口收斂與理解成本降低，不是 runtime 授權。
+- `scripts/security/security-mirror-progress-guard.py`：
+  - 新增 guard，禁止命令面板重新出現 `nav('/security-compliance')` 或獨立 `security` 項目。
+
+**進度邊界**：
+
+- 整體維持 `61%`。
+- 本輪屬於 framework / UX / evidence 可理解度推進；runtime gate、Kali / SSH、掃描、修復、部署按鈕、GitHub primary 切換、Gitea 停用仍維持 `false / 0`。
+
+## 2026-05-31｜Alerts 焦點告警補上處理狀態卡
+
+**背景**：
+
+- 使用者指出 Telegram 告警雖然已能 deep link 到 Alerts 真相鏈，但前端仍要 operator 自己讀多段狀態，無法第一眼判斷「是否重複、Telegram 是否回寫、AI 是否已處置、是否需要人工、Sentry / SigNoz 是否匹配」。
+- 本輪不新增決策規則、不觸發修復、不寫入 DB；只把既有 `status-chain` DB truth-chain 以 operator 可讀的四張狀態卡呈現在 Alerts 焦點告警區。
+
+**本次調整**：
+
+- `apps/web/src/app/[locale]/alerts/page.tsx`：
+  - 在 `FocusIncidentEvidencePanel` 新增 `告警處理狀態` 區塊。
+  - 四張卡直接讀 `source_refs` / `operator_outcome` / `source correlation`：
+    - `重複 / 同指紋`：顯示最新入站是否重複、同 fingerprint 關聯 Incident 數。
+    - `Telegram 回寫`：顯示 channel、send status、message type、出站數與最新送出時間。
+    - `AI 處置判定`：顯示 AI summary、state、next step 與是否需要人工。
+    - `Sentry / SigNoz 匹配`：顯示 direct / candidate / applied 與未匹配原因。
+- `apps/web/messages/zh-TW.json` / `apps/web/messages/en.json`：
+  - 補齊繁中文案；`en.json` 維持繁中鏡像，避免前端 i18n 破裂。
+
+**驗證**：
+
+```text
+python3 -m json.tool apps/web/messages/zh-TW.json / en.json -> pass
+cmp -s apps/web/messages/zh-TW.json apps/web/messages/en.json -> pass
+git diff --check -> pass
+pnpm --dir apps/web exec tsc --noEmit --tsBuildInfoFile /tmp/awoooi-alerts-operator-flow-20260531-r4.tsbuildinfo -> pass
+NEXT_PUBLIC_API_URL=https://awoooi.wooo.work NEXT_PRIVATE_BUILD_WORKER_COUNT=1 pnpm --dir apps/web run build -> pass
+```
+
+**本機 / Production 瀏覽器檢查**：
+
+```text
+local:
+  http://127.0.0.1:3108/zh-TW/alerts?project_id=awoooi&incident_id=INC-20260530-0DD83C&_v=operator-flow-local
+  hasFlow=true
+  cardCount=4
+  canScroll=true
+  horizontalOverflow=false
+
+production:
+  https://awoooi.wooo.work/zh-TW/alerts?project_id=awoooi&incident_id=INC-20260530-0DD83C&_v=d40c4a9f
+  hasFlow=true
+  cardCount=4
+  canScroll=true
+  horizontalOverflow=false
+  repeat_state=同指紋重複，關聯 5 筆
+  telegram_state=telegram / sent，出站 3
+  ai_state=已執行但驗證退化，需人工確認
+  source_state=provider_fresh_no_match / provider_heartbeat_present_but_no_incident_match
+  screenshot=/tmp/awoooi-alerts-operator-flow-cards-d40c4a9f.png
+```
+
+**Gitea / Production deploy**：
+
+```text
+a73ccffb fix(web): surface alert operator flow state
+  code-review run 2343 -> success
+  cd run 2342 -> cancelled by newer main push d40c4a9f (workflow cancel-in-progress)
+
+d40c4a9f feat(web): add IwoooS command map
+  includes a73ccffb
+  code-review run 2345 -> success
+  cd run 2344 -> success
+
+c80aae34 chore(cd): deploy d40c4a9 [skip ci]
+
+k8s latest:
+  awoooi-api image = 192.168.0.110:5000/awoooi/api:d40c4a9fdb680121181812394d0b0211d5d4818f
+  awoooi-web image = 192.168.0.110:5000/awoooi/web:d40c4a9fdb680121181812394d0b0211d5d4818f
+  awoooi-worker image = 192.168.0.110:5000/awoooi/api:d40c4a9fdb680121181812394d0b0211d5d4818f
+  awoooi-api/web/worker rollout = successfully rolled out
+
+production status-chain sample:
+  incident_id=INC-20260530-0DD83C
+  current_stage=execution_succeeded
+  stage_status=success
+  verdict=auto_repaired_verification_degraded
+  repair_state=executed
+  verification=degraded
+  needs_human=true
+  next_step=manual_verify_or_repair
+  source_refs inbound_total=54 outbound_total=3
+  latest_outbound=telegram sent error
+  related_incidents=5
+  fingerprint=e4f823b8be3d604c92fc776009f09cde
+```
+
+**進度**：
+
+```text
+Telegram/AwoooP/frontend truth-chain visibility: 95%
+Frontend AI automation management UI: 97%
+Sentry/SigNoz per-incident visibility: 92%
+MCP / self-hosted MCP visibility: 97%
+Ansible / PlayBook visibility: 90%
+Overall AI automation flywheel: 81%
+24h full AI Agent auto-repair production claim: 0% (尚未做 24h 無人工介入驗證，不宣稱達成)
+```
+
 ## 2026-05-31｜IwoooS 資安工作地圖首層化
 
 **背景**：

docs/security/iwooos-posture-projection.snapshot.json

@@ -21,12 +21,16 @@
     "apps/web/src/app/[locale]/governance/page.tsx",
     "apps/web/src/app/[locale]/alert-operation-logs/page.tsx",
     "apps/web/src/app/[locale]/awooop/approvals/page.tsx",
-    "apps/web/src/app/[locale]/code-review/page.tsx"
+    "apps/web/src/app/[locale]/code-review/page.tsx",
+    "apps/web/src/components/command-palette/CommandPalette.tsx"
   ],
   "summary": {
     "route_path": "/iwooos",
     "nav_entry_added": true,
     "command_palette_entry_added": true,
+    "command_palette_security_action_unified_to_iwooos": true,
+    "command_palette_security_compliance_direct_action_allowed": false,
+    "command_palette_security_keywords_route_to_iwooos": true,
     "contract_count": 36,
     "active_runtime_gate_count": 0,
     "approval_queue_total": 8,

docs/security/security-mirror-status-rollup.snapshot.json

@@ -2197,6 +2197,18 @@
       "runtime_delta": false,
       "execution_authorized": false,
       "not_authorization": true
+    },
+    {
+      "delta_id": "s2_144_iwooos_command_palette_security_entry_unified",
+      "display_order": 173,
+      "completed_stage": "S2.144 IwoooS 命令面板資安入口收斂",
+      "progress_axis": "framework_detail",
+      "headline_percent_delta": 0,
+      "framework_delta_visible": true,
+      "why_headline_unchanged": "IwoooS 只把命令面板中的 security / 安全 / 安全合規 / compliance / 合規 等搜尋詞統一導向 /iwooos，移除命令面板對 /security-compliance 的獨立直達動作；command_palette_security_action_unified_to_iwooos=true、command_palette_security_compliance_direct_action_allowed=false、command_palette_security_keywords_route_to_iwooos=true、runtime_execution_authorized=false、active_runtime_gate_count=0，不把入口收斂當 runtime 授權、審批、掃描、修復、部署、主機更新、GitHub primary 切換或 Gitea 停用。",
+      "runtime_delta": false,
+      "execution_authorized": false,
+      "not_authorization": true
     }
   ],
   "next_safe_actions": [

k8s/awoooi-prod/kustomization.yaml

@@ -41,7 +41,7 @@ resources:
 images:
 - name: 192.168.0.110:5000/library/api:IMAGE_TAG_PLACEHOLDER
   newName: 192.168.0.110:5000/awoooi/api
-  newTag: d40c4a9fdb680121181812394d0b0211d5d4818f
+  newTag: 64747170f142cd266dc8fc17b9130608bd213346
 - name: 192.168.0.110:5000/library/web:IMAGE_TAG_PLACEHOLDER
   newName: 192.168.0.110:5000/awoooi/web
-  newTag: d40c4a9fdb680121181812394d0b0211d5d4818f
+  newTag: 64747170f142cd266dc8fc17b9130608bd213346

scripts/security/security-mirror-progress-guard.py

@@ -163,6 +163,9 @@ def validate(root: Path) -> None:
     sidebar = (root / "apps" / "web" / "src" / "components" / "layout" / "sidebar.tsx").read_text(
         encoding="utf-8"
     )
+    command_palette = (
+        root / "apps" / "web" / "src" / "components" / "command-palette" / "CommandPalette.tsx"
+    ).read_text(encoding="utf-8")
     web_messages_zh = load_json(root / "apps" / "web" / "messages" / "zh-TW.json")
     web_messages_en = load_json(root / "apps" / "web" / "messages" / "en.json")
 
@@ -219,6 +222,11 @@ def validate(root: Path) -> None:
     assert_text_not_contains("sidebar.iwooos_security_duplicate_label", sidebar, "labelKey: 'iwooosSecurityCompliance'")
     assert_text_contains("sidebar.security_compliance_alias", sidebar, "aliases: ['/security-compliance']")
     assert_text_not_contains("sidebar.duplicate_security_compliance_entry", sidebar, "id: 'security-compliance'")
+    assert_text_contains("command_palette.iwooos_entry", command_palette, "id: 'iwooos'")
+    assert_text_contains("command_palette.iwooos_route", command_palette, "nav('/iwooos')")
+    assert_text_contains("command_palette.security_keyword", command_palette, "'安全合規'")
+    assert_text_not_contains("command_palette.legacy_security_entry", command_palette, "id: 'security'")
+    assert_text_not_contains("command_palette.legacy_security_compliance_route", command_palette, "nav('/security-compliance')")
     assert_equal(
         "web_messages.zh-TW.nav.iwooos",
         web_messages_zh["nav"]["iwooos"],
@@ -600,6 +608,7 @@ def validate(root: Path) -> None:
         "s2_141_iwooos_all_product_coverage_snapshot",
         "s2_142_iwooos_first_unlock_path_first_layer",
         "s2_143_iwooos_command_map_first_layer",
+        "s2_144_iwooos_command_palette_security_entry_unified",
     ]
     assert_equal(
         "progress_delta_ledger.delta_ids",
@@ -1369,6 +1378,18 @@ def validate(root: Path) -> None:
         "iwooos_projection.summary.command_palette_entry_added",
         iwooos_projection["summary"]["command_palette_entry_added"],
     )
+    assert_true(
+        "iwooos_projection.summary.command_palette_security_action_unified_to_iwooos",
+        iwooos_projection["summary"]["command_palette_security_action_unified_to_iwooos"],
+    )
+    assert_false(
+        "iwooos_projection.summary.command_palette_security_compliance_direct_action_allowed",
+        iwooos_projection["summary"]["command_palette_security_compliance_direct_action_allowed"],
+    )
+    assert_true(
+        "iwooos_projection.summary.command_palette_security_keywords_route_to_iwooos",
+        iwooos_projection["summary"]["command_palette_security_keywords_route_to_iwooos"],
+    )
     assert_equal("iwooos_projection.summary.contract_count", iwooos_projection["summary"]["contract_count"], manifest_count)
     assert_equal(
         "iwooos_projection.summary.active_runtime_gate_count",