{ "schema_version": "security_mirror_readiness_v1", "status": "draft", "date": "2026-05-17", "default_enforcement_level": "mirror_only", "runtime_execution_authorized": false, "summary": { "total_contracts": 36, "ready_for_mirror_count": 33, "partial_ready_count": 2, "contract_only_count": 1, "blocked_count": 0 }, "mirror_destinations": [ "awooop_operator_console", "awooop_runtime_state", "awooop_channel_event", "awooop_audit_evidence", "awooop_approval_queue" ], "contract_readiness": [ { "contract": "security_rollout_policy_v1", "readiness": "ready_for_mirror", "consumption_mode": "read_only_policy", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-rollout-policy.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md" ], "notes": "可供 AwoooP 顯示 observe-first / mirror-only policy 與 7 條 non-blocking escalation lanes;不得 runtime enforcement,也不得把 follow-up 直接升 blocking。" }, { "contract": "security_finding_v1", "readiness": "partial_ready", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-finding-kali-sample.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-FINDING-CONTRACT.md" ], "notes": "目前只有 Kali sample snapshot;runtime ingestion 尚未啟用。" }, { "contract": "kali_integration_status_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/kali-integration-status.snapshot.json" ], "human_docs": [ "docs/security/KALI-INTEGRATION-STATUS.md" ], "notes": "可 mirror Kali health、更新紀錄、缺口與高風險 gate。" }, { "contract": "kali_scan_scope_approval_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/kali-scan-scope-approval.snapshot.json" ], "human_docs": [ "docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md" ], "notes": "可 mirror scope group 與 approval gates;不得啟動 scan。" }, { "contract": "security_approval_queue_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-approval-queue.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-APPROVAL-QUEUE.md" ], "notes": "可 mirror 8 個 queue items、review order、blocked reason 與 required reviewers。" }, { "contract": "security_approval_gate_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-approval-gate.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-APPROVAL-GATE.md" ], "notes": "可 mirror S3 人工批准 gate、決策範圍與 follow-up runtime gate;不得執行 gate item。" }, { "contract": "security_approval_decision_record_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-approval-decision-record.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-APPROVAL-DECISION-RECORD.md" ], "notes": "可 mirror S3 人工決策紀錄格式;目前尚無 approved decision record,且 execution_authorized=false。" }, { "contract": "security_approval_review_packet_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-approval-review-packet.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md" ], "notes": "可 mirror S3 人工審查封包、review lane、required reviewers 與 still forbidden;不代表批准或執行授權。" }, { "contract": "security_approval_state_transition_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-approval-state-transition.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md" ], "notes": "可 mirror S3 人工決策狀態轉移語義;approve_scope 仍只進 waiting runtime gate,不授權執行。" }, { "contract": "security_followup_runtime_gate_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-followup-runtime-gate.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md" ], "notes": "可 mirror S3 後續 runtime gate 準備模板、preflight checks 與 rollback/disable requirement;目前 active_runtime_gates=0。" }, { "contract": "security_mirror_readiness_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-mirror-readiness.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-MIRROR-READINESS.md" ], "notes": "本契約提供 AwoooP mirror/read-only readiness index;不授權執行。" }, { "contract": "security_mirror_intake_plan_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-mirror-intake-plan.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-MIRROR-INTAKE-PLAN.md" ], "notes": "提供 AwoooP mirror-only intake waves、destinations、allowed/blocked processing 與 acceptance gates。" }, { "contract": "security_mirror_event_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-mirror-event-sample.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md" ], "notes": "提供 AwoooP mirror event envelope;所有 mirror events 都必須帶 execution_authorized=false 與 action_buttons_allowed=false。" }, { "contract": "security_mirror_route_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-mirror-route.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-MIRROR-ROUTE.md" ], "notes": "提供 AwoooP mirror-only route groups、channel policy 與 review lane;不授權執行。" }, { "contract": "security_mirror_acceptance_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-mirror-acceptance.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-MIRROR-ACCEPTANCE.md" ], "notes": "提供 AwoooP mirror-only ingestion 驗收 checks;不作 runtime blocker。" }, { "contract": "security_mirror_quarantine_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-mirror-quarantine.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-MIRROR-QUARANTINE.md" ], "notes": "提供 AwoooP mirror-only 驗收失敗隔離與 retry gate;不授權執行。" }, { "contract": "security_mirror_dry_run_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-mirror-dry-run.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-MIRROR-DRY-RUN.md" ], "notes": "提供 AwoooP mirror-only 接入演練回報格式;目前為 contract_defined_not_executed。" }, { "contract": "security_mirror_status_rollup_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/security-mirror-status-rollup.snapshot.json", "docs/security/source-control-owner-response-validation-rollup.snapshot.json" ], "human_docs": [ "docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md", "docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md" ], "notes": "提供 AwoooP / Security Supply Chain 跨 Session 狀態總覽、下一個 gate 與禁止事項;S4.13 owner response validation rollup 可 mirror 四個 response packets、24 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks、7 條 parallel session recovery outcome lanes、received=0、accepted=0、reviewer audit emitted=0、next_collection_candidate=S4.9;不授權執行。" }, { "contract": "iwooos_posture_projection_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/iwooos-posture-projection.snapshot.json" ], "human_docs": [ "docs/security/IWOOOS-POSTURE-PROJECTION.md" ], "notes": "可 mirror IwoooS 前端資安態勢投影;只顯示 posture、progress、non-blocking lanes、evidence refs 與 forbidden actions,不提供執行按鈕。" }, { "contract": "coding_task_v1", "readiness": "contract_only", "consumption_mode": "suggest_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [], "human_docs": [ "docs/security/CODEX-PATCH-ONLY-HANDOFF-PROMPT.md" ], "notes": "已有 schema 與 handoff prompt,但尚無正式 coding task snapshot。" }, { "contract": "source_control_migration_event_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/gitea-github-awoooi-inventory.snapshot.json", "docs/security/source-control-clawbot-v5.snapshot.json", "docs/security/source-control-wooo-aiops.snapshot.json" ], "human_docs": [ "docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md" ], "notes": "可 mirror source-control diff summary;仍不得 sync refs 或切 primary。" }, { "contract": "gitea_repo_inventory_v1", "readiness": "partial_ready", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/gitea-repo-inventory.snapshot.json", "docs/security/gitea-public-repo-search.snapshot.json", "docs/security/gitea-org-repo-inventory-blocked.snapshot.json", "docs/security/gitea-authenticated-inventory-export-request.snapshot.json", "docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json", "docs/security/gitea-inventory-coverage-attestation.snapshot.json", "docs/security/gitea-inventory-owner-attestation-response.snapshot.json" ], "human_docs": [ "docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md", "docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md", "docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md", "docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md", "docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md" ], "notes": "目前仍是 public-only / blocked endpoint evidence;S4.5 已補 authenticated/admin export request,S4.6 已補 redacted import acceptance,S4.7 已補 owner coverage attestation request,S4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;private/internal 全量需 approval、脫敏 payload 驗收與 owner scope decision,audit templates 仍為 0 emitted。" }, { "contract": "local_git_remote_inventory_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/local-git-remote-inventory.snapshot.json" ], "human_docs": [ "docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md" ], "notes": "可 mirror 本機 remote coverage 與 embedded credential hygiene risk,不修改 remote。" }, { "contract": "github_target_probe_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/github-target-probe.snapshot.json" ], "human_docs": [ "docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md" ], "notes": "可 mirror GitHub target visibility;not_found_or_private 不等同可自動建立。" }, { "contract": "github_target_decision_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/github-target-decision.snapshot.json", "docs/security/github-target-owner-decision-response.snapshot.json" ], "human_docs": [ "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md" ], "notes": "可 mirror target decision、S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner response templates;repo 建立、visibility 修改、refs sync 與 primary switch 仍需後續人工批准與 runtime gate。" }, { "contract": "github_target_repo_approval_package_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/github-target-repo-approval-package.snapshot.json", "docs/security/github-target-owner-decision-response.snapshot.json" ], "human_docs": [ "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md", "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md" ], "notes": "可 mirror 逐 repo approval package、S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response 收件包;不得執行 item。" }, { "contract": "source_control_approval_board_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/source-control-approval-board.snapshot.json" ], "human_docs": [ "docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md" ], "notes": "可 mirror owner / visibility / canonical / refs 決策 board。" }, { "contract": "source_control_reconcile_plan_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/source-control-reconcile-plan.snapshot.json", "docs/security/source-control-ref-truth-owner-response.snapshot.json" ], "human_docs": [ "docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md", "docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md" ], "notes": "可 mirror draft reconcile plan 與 S4.11 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包;response 通過前只更新草案 wording,不得 push refs。" }, { "contract": "source_control_ref_detail_diff_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/source-control-ref-detail-diff.snapshot.json" ], "human_docs": [ "docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md" ], "notes": "可 mirror branch/tag detail diff;不得 fetch、push 或 delete refs。" }, { "contract": "source_control_ref_truth_classification_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/source-control-ref-truth-classification.snapshot.json", "docs/security/source-control-ref-truth-owner-response.snapshot.json" ], "human_docs": [ "docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md", "docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md" ], "notes": "可 mirror refs truth classification、review lanes、S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 templates;received_response_count=0、audit events emitted=0,不得執行分類結果。" }, { "contract": "source_control_primary_readiness_gate_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/source-control-primary-readiness-gate.snapshot.json" ], "human_docs": [ "docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md" ], "notes": "可 mirror GitHub primary readiness blockers、parity gates 與 rollback ADR 缺口;目前 primary_ready_count=0。" }, { "contract": "source_control_primary_rollback_adr_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/source-control-primary-rollback-adr.snapshot.json" ], "human_docs": [ "docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md" ], "notes": "可 mirror S4.4 GitHub primary rollback ADR 草案、7 個 in-scope repo rollback plans、validation windows 與仍禁止事項;owner_approved_count=0、active_cutover_count=0。" }, { "contract": "source_control_workflow_secret_name_inventory_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json", "docs/security/source-control-workflow-secret-name-export-request.snapshot.json", "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json" ], "human_docs": [ "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md", "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md", "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md", "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md" ], "notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;S4.2 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names;S4.3 export request 有 7 個 repos、5 類 export lanes;S4.12 owner response request packet 1 個、template statuses 5 個、audit event templates 3 個、redaction examples 5 個、collection checks 6 個、intake preflight checks 6 個、templates 5 個、received_response_count=0、audit_events_emitted=0;secret_value_collection_allowed=false。" }, { "contract": "local_repo_canonical_probe_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/local-repo-canonical-ewoooc-momo.snapshot.json" ], "human_docs": [ "docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md" ], "notes": "可 mirror momo/ewoooc lineage evidence;不得自動合併 unrelated histories。" }, { "contract": "git_remote_refs_probe_v1", "readiness": "ready_for_mirror", "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/git-remote-refs-bitan-tsenyang.snapshot.json", "docs/security/git-remote-refs-wooo-infra-config.snapshot.json" ], "human_docs": [ "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", "docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md" ], "notes": "可 mirror read-only refs readiness;不得 fetch 或 push。" }, { "contract": "approval_required_event_v1", "readiness": "ready_for_mirror", "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, "snapshot_paths": [ "docs/security/gitea-readonly-inventory-approval.snapshot.json" ], "human_docs": [ "docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md" ], "notes": "可 mirror approval candidate;blocked_until_approved=true 時不得執行。" } ], "still_forbidden": [ "execute_mirror_item", "start_kali_scan", "call_kali_execute_endpoint", "create_github_repo", "change_repo_visibility", "sync_git_refs", "switch_github_primary", "store_secret_token_cookie_private_key_or_exploit_payload", "turn_low_medium_observations_into_blocking_gates" ] }