{ "schema_version": "security_mirror_quarantine_v1", "status": "draft", "date": "2026-05-13", "mode": "mirror_only", "runtime_execution_authorized": false, "source_indexes": [ "docs/security/security-mirror-acceptance.snapshot.json", "docs/security/security-mirror-event-sample.snapshot.json", "docs/security/security-mirror-route.snapshot.json", "docs/security/security-supply-chain-contract-manifest.snapshot.json" ], "summary": { "total_contracts": 35, "quarantine_lane_count": 5, "auto_retry_allowed": false, "runtime_blocking_allowed": false }, "quarantine_lanes": [ { "lane_id": "contract_count_mismatch", "trigger_check_id": "CONTRACT_COUNT_MATCH", "owner": "Security Supply Chain Session", "severity": "HIGH", "allowed_processing": [ "隔離該批 mirror payload", "顯示 manifest / readiness / route 的 count mismatch", "要求重新產生一致的 snapshot" ], "blocked_processing": [ "猜測缺漏 contract", "用不完整 contract list 啟動 mirror ingestion", "新增任何 execution action" ], "recovery_request": "重新產生 manifest、readiness、route 與 event sample,確保 contract set 完全一致。", "retry_gate": "新 snapshot commit 後才可重新驗收。" }, { "lane_id": "missing_event_envelope", "trigger_check_id": "EVENT_ENVELOPE_REQUIRED", "owner": "AwoooP ingestion adapter", "severity": "HIGH", "allowed_processing": [ "拒收未帶 security_mirror_event_v1 的 payload", "顯示缺少的 event envelope 欄位", "要求來源補齊 execution_authorized=false 與 action_buttons_allowed=false" ], "blocked_processing": [ "自動補成可執行事件", "顯示執行按鈕", "把 mirror payload 當 approval item" ], "recovery_request": "來源必須重新輸出帶完整 security_mirror_event_v1 信封的 payload。", "retry_gate": "event envelope 完整且不可執行欄位皆為 false。" }, { "lane_id": "route_coverage_gap", "trigger_check_id": "ROUTE_GROUP_COVERAGE", "owner": "Security Supply Chain Session", "severity": "MEDIUM", "allowed_processing": [ "隔離未知或未路由 contract", "顯示缺漏的 route group 或 destination", "要求補齊 security_mirror_route_v1" ], "blocked_processing": [ "使用 fallback execution route", "把未知 contract 送進 Approval Queue", "用預設目的地吞掉缺漏" ], "recovery_request": "補齊 route group、destinations、channel_policy 與 review_lane。", "retry_gate": "route groups 合併後完整覆蓋 manifest contract set。" }, { "lane_id": "redaction_failed", "trigger_check_id": "REDACTION_ONLY", "owner": "Source evidence producer", "severity": "CRITICAL", "allowed_processing": [ "拒收含 raw sensitive value 的 payload", "只記錄 redaction failed metadata", "要求來源重新輸出脫敏 snapshot" ], "blocked_processing": [ "保存 raw secret、token、cookie、private key 或 exploit payload", "把敏感值寫入 Runtime State", "把敏感值寫入 Audit evidence" ], "recovery_request": "來源必須移除 raw sensitive value,並只保留 metadata、hash 或 redacted marker。", "retry_gate": "敏感資訊掃描通過後才可重新驗收。" }, { "lane_id": "schema_or_json_invalid", "trigger_check_id": "SCHEMA_JSON_PARSE", "owner": "Security Supply Chain Session", "severity": "MEDIUM", "allowed_processing": [ "隔離無法 parse 的 snapshot", "顯示 schema / JSON 錯誤", "要求來源修正格式" ], "blocked_processing": [ "用部分 parse 結果繼續 ingestion", "忽略 schema 錯誤", "將格式錯誤轉成 runtime alert" ], "recovery_request": "修正 JSON 與 schema 後重新提交 snapshot。", "retry_gate": "JSON parse 與一致性 assertion 通過。" } ], "retry_policy": { "auto_retry_allowed": false, "manual_refresh_required": true, "max_retry_without_new_snapshot": 0 }, "forbidden_actions": [ "start_kali_scan", "call_kali_execute_endpoint", "run_credentialed_scan", "create_github_repo", "change_repo_visibility", "sync_git_refs", "switch_github_primary", "auto_merge", "production_deploy", "store_secret_token_cookie_private_key_or_exploit_payload" ] }