{ "schema_version": "security_mirror_dry_run_v1", "status": "draft", "date": "2026-05-13", "mode": "mirror_only", "dry_run_status": "contract_defined_not_executed", "runtime_execution_authorized": false, "source_indexes": [ "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-mirror-readiness.snapshot.json", "docs/security/security-mirror-event-sample.snapshot.json", "docs/security/security-mirror-route.snapshot.json", "docs/security/security-mirror-acceptance.snapshot.json", "docs/security/security-mirror-quarantine.snapshot.json", "docs/security/security-mirror-status-rollup.snapshot.json", "docs/security/source-control-owner-response-validation-rollup.snapshot.json", "docs/security/iwooos-posture-projection.snapshot.json" ], "summary": { "total_contracts": 36, "ready_for_mirror_count": 33, "route_group_count": 5, "acceptance_check_count": 8, "quarantine_lane_count": 5, "runtime_actions_executed": false, "payloads_ingested": false }, "dry_run_steps": [ { "step_id": "LOAD_CONTRACT_INDEXES", "expected_observation": "AwoooP dry-run 可讀到 manifest、readiness、event、route、acceptance、quarantine indexes。", "evidence_refs": [ "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-mirror-readiness.snapshot.json", "docs/security/iwooos-posture-projection.snapshot.json" ], "pass_condition": "看到 36 個 contracts、33 個 ready for mirror,且所有 contract execution_allowed=false。", "execution_allowed": false, "blocked_actions": [ "execute_contract", "create_runtime_router", "add_action_button" ] }, { "step_id": "CHECK_EVENT_ENVELOPE", "expected_observation": "每筆 mirror payload 都必須使用 security_mirror_event_v1 信封。", "evidence_refs": [ "docs/security/security-mirror-event-sample.snapshot.json", "docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md" ], "pass_condition": "execution_authorized=false 且 action_buttons_allowed=false。", "execution_allowed": false, "blocked_actions": [ "execute_event", "show_action_button", "auto_approve_event" ] }, { "step_id": "CHECK_ROUTE_COVERAGE", "expected_observation": "5 個 route groups 覆蓋 manifest contract set,並保留 channel policy 與 review lane。", "evidence_refs": [ "docs/security/security-mirror-route.snapshot.json", "docs/security/SECURITY-MIRROR-ROUTE.md" ], "pass_condition": "route groups 合併後涵蓋 36 個 contracts,沒有未知 execution route。", "execution_allowed": false, "blocked_actions": [ "fallback_to_execution_route", "send_unknown_contract_to_runner", "auto_route_to_approval_queue" ] }, { "step_id": "CHECK_ACCEPTANCE_AND_QUARANTINE", "expected_observation": "8 個 acceptance checks 與 5 個 quarantine lanes 都可顯示,且失敗 payload 只隔離不執行。", "evidence_refs": [ "docs/security/security-mirror-acceptance.snapshot.json", "docs/security/security-mirror-quarantine.snapshot.json" ], "pass_condition": "blocking checks 只阻擋壞的 mirror payload;quarantine 不阻擋 runtime。", "execution_allowed": false, "blocked_actions": [ "runtime_block_product_flow", "auto_retry_failed_payload", "convert_quarantine_to_execution" ] }, { "step_id": "CHECK_PROGRESS_GUARD", "expected_observation": "AwoooP dry-run 必須確認 58% headline 進度與 micro progress delta ledger 只作狀態顯示,不代表 approval、runtime gate、GitHub primary、repo / refs / workflow / secret / runner 或 Kali scan 授權;所有 delta 的 headline_percent_delta 必須為 0。", "evidence_refs": [ "docs/security/security-mirror-status-rollup.snapshot.json", "docs/security/security-mirror-acceptance.snapshot.json", "scripts/security/security-mirror-progress-guard.py" ], "pass_condition": "`python3 scripts/security/security-mirror-progress-guard.py` 回傳 SECURITY_MIRROR_PROGRESS_GUARD_OK,且 runtime_actions_executed=false、payloads_ingested=false。", "execution_allowed": false, "blocked_actions": [ "treat_progress_as_approval", "activate_runtime_gate", "add_action_button", "start_kali_scan", "create_github_repo", "sync_git_refs", "switch_github_primary" ] }, { "step_id": "CHECK_OWNER_RESPONSE_GUARD", "expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_response,received / accepted 皆為 0,且 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / intake preflight / outcome lanes 只提示 owner,S4.10 owner response request packet 只提示 9 個 GitHub target 要回覆的 owner / visibility / canonical 欄位,S4.10 template status ledger 逐項顯示 waiting / request ready,S4.10 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.10 redaction examples 只顯示可接受的脫敏 metadata shape,S4.10 collection checks 只維持 request / received / accepted 分離,S4.10 intake preflight checks 只分類可收、補證、隔離或拒收,S4.11 request packet 只提示 5 類 refs truth owner response 欄位,S4.11 template status ledger 逐項顯示 waiting / request ready,S4.11 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.11 redaction examples 只顯示安全 metadata shape,S4.11 collection checks 只維持 request / received / accepted 分離,S4.11 intake preflight checks 只分類可審、補證、隔離、拒收或等待,S4.12 request packet 只提示 5 類 workflow / secret 名稱 owner response 欄位,S4.12 template status ledger 逐項顯示 waiting / request ready,S4.12 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.12 redaction examples 只顯示安全 metadata shape,S4.12 collection checks 只維持 request / received / accepted 分離,S4.12 intake preflight checks 只分類可審、補證、隔離或拒收;不能把 request shown、template status、response received metadata、redaction example、collection check pass、preflight pass 或 outcome classified 當成 approval,不能解鎖 repo、refs、workflow、secret、runner、GitHub primary、audit production ingestion 或 runtime action。", "evidence_refs": [ "docs/security/source-control-owner-response-validation-rollup.snapshot.json", "docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md", "scripts/security/source-control-owner-response-guard.py" ], "pass_condition": "`python3 scripts/security/source-control-owner-response-guard.py` 回傳 SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK,且 received_response_count=0、accepted_response_count=0。", "execution_allowed": false, "blocked_actions": [ "treat_owner_guard_as_response_received", "create_github_repo", "change_repo_visibility", "sync_git_refs", "modify_workflow_or_secret", "enable_runner", "switch_github_primary" ] }, { "step_id": "CHECK_LOW_NOISE_CHANNEL", "expected_observation": "Channel Event 初期只發低噪音摘要或人工批准必要事件。", "evidence_refs": [ "docs/security/security-mirror-route.snapshot.json", "docs/security/SECURITY-MIRROR-ROUTE.md" ], "pass_condition": "LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 不發阻擋事件、不洗版。", "execution_allowed": false, "blocked_actions": [ "notify_every_observation", "block_deploy_on_low_medium", "turn_warning_into_runtime_alarm" ] }, { "step_id": "CONFIRM_NO_RUNTIME_ACTION", "expected_observation": "Dry-run 期間沒有 scan、execute、repo、refs、deploy、secret 類動作。", "evidence_refs": [ "docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md", "docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md" ], "pass_condition": "runtime_actions_executed=false 且 payloads_ingested=false。", "execution_allowed": false, "blocked_actions": [ "start_kali_scan", "call_kali_execute_endpoint", "create_github_repo", "sync_git_refs", "switch_github_primary", "production_deploy", "store_secret_value" ] } ], "latest_local_validation": { "status": "repo_snapshot_guard_pass", "date": "2026-05-18", "scope": "repo_snapshot_only", "command": "python3 scripts/security/security-mirror-progress-guard.py && python3 scripts/security/source-control-owner-response-guard.py", "result": "SECURITY_MIRROR_PROGRESS_GUARD_OK; SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK", "validated_steps": [ "LOAD_CONTRACT_INDEXES", "CHECK_ACCEPTANCE_AND_QUARANTINE", "CHECK_PROGRESS_GUARD", "CHECK_OWNER_RESPONSE_GUARD", "CONFIRM_NO_RUNTIME_ACTION" ], "runtime_actions_executed": false, "payloads_ingested": false, "production_ingestion_enabled": false, "not_authorization": true }, "forbidden_actions": [ "start_kali_scan", "call_kali_execute_endpoint", "run_credentialed_scan", "create_github_repo", "change_repo_visibility", "sync_git_refs", "switch_github_primary", "auto_merge", "production_deploy", "store_secret_token_cookie_private_key_or_exploit_payload" ] }