{ "schema_version": "security_mirror_acceptance_v1", "status": "draft", "date": "2026-05-13", "mode": "mirror_only", "runtime_execution_authorized": false, "source_indexes": [ "docs/security/security-mirror-readiness.snapshot.json", "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-mirror-event-sample.snapshot.json", "docs/security/security-mirror-route.snapshot.json", "docs/security/security-mirror-status-rollup.snapshot.json", "docs/security/iwooos-posture-projection.snapshot.json" ], "summary": { "total_contracts": 36, "ready_for_mirror_count": 33, "route_group_count": 5, "acceptance_check_count": 8, "blocking_check_count": 5 }, "acceptance_checks": [ { "check_id": "CONTRACT_COUNT_MATCH", "title": "契約數量一致", "expected_result": "AwoooP 讀到 36 個 contracts,且 manifest、readiness、route coverage 的 contract 集合一致。", "evidence_refs": [ "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-mirror-readiness.snapshot.json", "docs/security/security-mirror-route.snapshot.json", "docs/security/iwooos-posture-projection.snapshot.json" ], "blocking_if_failed": true, "allowed_processing": [ "顯示 contract count mismatch", "要求 Security Supply Chain Session 修正 snapshot" ], "blocked_processing": [ "以不完整 contract list 啟動鏡像", "補猜缺漏 contract", "忽略 mismatch 後繼續" ] }, { "check_id": "EVENT_ENVELOPE_REQUIRED", "title": "鏡像事件信封必填", "expected_result": "每筆 mirror payload 都帶 `security_mirror_event_v1`,且 `execution_authorized=false`、`action_buttons_allowed=false`。", "evidence_refs": [ "docs/security/security-mirror-event-sample.snapshot.json", "docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md" ], "blocking_if_failed": true, "allowed_processing": [ "拒收未帶信封的 mirror payload", "顯示缺失欄位" ], "blocked_processing": [ "自動補成可執行事件", "顯示執行按鈕", "把 mirror event 當 approval" ] }, { "check_id": "ROUTE_GROUP_COVERAGE", "title": "路由群組覆蓋", "expected_result": "5 個 route groups 合併後涵蓋 manifest 36 個 contracts,且每個 group 都有 destinations、channel_policy 與 review_lane。", "evidence_refs": [ "docs/security/security-mirror-route.snapshot.json", "docs/security/SECURITY-MIRROR-ROUTE.md" ], "blocking_if_failed": true, "allowed_processing": [ "顯示 route group 缺漏", "停留在 observe-only 狀態" ], "blocked_processing": [ "使用 fallback 執行路由", "把未知 contract 送進 execution queue" ] }, { "check_id": "REDACTION_ONLY", "title": "只接受脫敏 evidence", "expected_result": "Mirror payload 不保存 raw secret、token、cookie、private key 或 exploit payload。", "evidence_refs": [ "docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md", "docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md" ], "blocking_if_failed": true, "allowed_processing": [ "標示 redaction failed", "要求來源重新輸出脫敏 snapshot" ], "blocked_processing": [ "保存 raw sensitive value", "將 secret value 寫入 Runtime State 或 Audit evidence" ] }, { "check_id": "PROGRESS_ESTIMATE_NOT_AUTHORIZATION", "title": "進度估算不是執行授權", "expected_result": "AwoooP 顯示 `security_mirror_status_rollup_v1.progress_estimate.overall_percent=58`、`progress_display_policy.headline_status=holding_until_owner_response_or_runtime_gate` 與 `progress_delta_ledger`;所有 progress 欄位仍必須 `not_authorization=true`、`runtime_execution_authorized=false`、`active_runtime_gate_count=0`、`github_primary_ready_count=0`。", "evidence_refs": [ "docs/security/security-mirror-status-rollup.snapshot.json", "docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md", "docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md", "docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md" ], "blocking_if_failed": true, "allowed_processing": [ "顯示整體 58%、框架 80-85%、落地 35-40%", "顯示 micro progress delta ledger,但 headline_percent_delta 必須維持 0", "顯示 owner response、runtime gate、GitHub primary 與 AwoooP production ingestion 缺口", "要求來源修正 rollup 後再 mirror" ], "blocked_processing": [ "把 58% 視為 approval", "把 micro progress delta 視為 approval", "把 58% 視為 runtime authorization", "隱藏 owner response 或 runtime landing 缺口", "新增 scan / execute / repo / refs / workflow / secret / runner / primary action button" ] }, { "check_id": "LOW_MEDIUM_NOT_BLOCKING", "title": "低摩擦分流不升級為阻擋", "expected_result": "LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 初期只進 observe / warn,不變成 blocking gate。", "evidence_refs": [ "docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md", "docs/security/security-rollout-policy.snapshot.json" ], "blocking_if_failed": false, "allowed_processing": [ "顯示 observe / warn", "顯示 non-blocking escalation lanes", "排入 weekly review" ], "blocked_processing": [ "阻擋 deploy", "自動封鎖 service", "要求全 repo 一次升級到最高安全等級" ] }, { "check_id": "APPROVAL_IS_NOT_EXECUTION", "title": "Approval Queue 不是執行隊列", "expected_result": "Approval Queue 只保存候選、review order 與人工決策留痕;批准後執行仍需要下一階段 runtime gate。", "evidence_refs": [ "docs/security/SECURITY-APPROVAL-QUEUE.md", "docs/security/security-approval-queue.snapshot.json", "docs/security/security-mirror-route.snapshot.json" ], "blocking_if_failed": false, "allowed_processing": [ "建立 approval candidate", "記錄人工決策" ], "blocked_processing": [ "auto approve", "批准後直接執行", "把 approval queue 接成 runner" ] }, { "check_id": "CHANNEL_LOW_NOISE", "title": "Channel Event 低噪音", "expected_result": "Channel Event 初期只發階段完成、blocked 狀態或人工批准必要事件,不對所有 LOW / MEDIUM observation 發通知。", "evidence_refs": [ "docs/security/security-mirror-route.snapshot.json", "docs/security/SECURITY-MIRROR-ROUTE.md" ], "blocking_if_failed": false, "allowed_processing": [ "發送低噪音狀態摘要", "顯示高風險 approval-required 事件" ], "blocked_processing": [ "對所有 observation 發通知", "用通知量取代 review lane" ] } ], "forbidden_actions": [ "start_kali_scan", "call_kali_execute_endpoint", "run_credentialed_scan", "create_github_repo", "change_repo_visibility", "sync_git_refs", "switch_github_primary", "auto_merge", "production_deploy", "store_secret_token_cookie_private_key_or_exploit_payload" ] }