wooo/awoooi

Fork 0

Files

ogt 20c2c81f85

Code Review / ai-code-review (push) Successful in 14s

Details

CD Pipeline / tests (push) Successful in 1m41s

Details

CD Pipeline / build-and-deploy (push) Successful in 4m34s

Details

CD Pipeline / post-deploy-checks (push) Successful in 1m43s

Details

Ansible / Reboot Recovery Contract / validate (push) Has been cancelled

Details

feat(iwooos): professionalize SOC operating model

2026-06-25 15:16:14 +08:00

134 KiB

Raw Permalink Blame History

IwoooS 前端資安態勢投影契約

項目	內容
日期	2026-06-18
狀態	草案；P0 governance 總帳已建立；高價值配置 Owner Packet count sync、K8s / ArgoCD、Public Gateway / Nginx、Monitoring、CD / Runner / Secret、Backup / Restore / Escrow、Wazuh / 主機入侵、外部入侵防堵與 SOC / SIEM / Kali 112 / Wazuh 整合控制投影已完成
Schema	`docs/schemas/iwooos_posture_projection_v1.schema.json`
Snapshot	`docs/security/iwooos-posture-projection.snapshot.json`
模式	`mirror_only`
runtime 執行授權	`false`

1. 目的

iwooos_posture_projection_v1 定義 IwoooS 如何把既有資安網資料投影到前端。

它只允許顯示資安態勢、headline progress、framework / runtime landing、non-blocking lanes、evidence refs 與下一個高層 gate。它不是掃描器、不是修復器、不是 approval gate，也不是 GitHub primary cutover 授權。

2026-06-04 起，本契約的 P0 推進狀態以 docs/workplans/2026-06-04-iwooos-security-governance-p0.md 作為主控板。每個階段必須記錄完成度、優先順序、guard、production desktop / mobile sanity 是否需要執行，以及哪些 gate 仍維持 0 / false。

1.1 2026-06-14 Owner Packet count sync

high-value-config-owner-packet.snapshot.json 已正式同步為 packet_count=3、c0_packet_count=2。本契約與 iwooos-posture-projection.snapshot.json 已跟進相同數字，避免前台、owner packet snapshot 與 posture projection 出現 1 / 0 舊口徑漂移。

此同步只代表 committed read-only projection 與前台顯示對齊；request_sent_count、received_response_count、accepted_response_count、runtime_gate_count 與 action buttons 仍全部維持 0，不代表 Nginx reload、certbot renew、DNS / TLS probe、workflow 修改、secret rotation、host write、active scan、production write 或 runtime gate。

1.2 2026-06-15 K8s / ArgoCD 事故後回讀投影

k8s_argocd_post_incident_readback_plan_v1 已投影到 iwooos-posture-projection.snapshot.json 與前台 marker。固定 candidate_count=4、c0_candidate_count=3、write_capable_candidate_count=4、required_readback_field_count=31、reviewer_check_count=28、outcome_lane_count=10、blocked_action_count=41，並讓 k8s_production_gitops_coverage_percent=66。

此同步只代表前端可以顯示 K8s / ArgoCD 事故後回讀計畫與邊界；post_incident_readback_received_count、post_incident_readback_accepted_count、argocd_api_read_authorized_count、argocd_sync_authorized_count、kubectl_action_authorized_count、runtime_gate_count 與 action_button_count 仍全部維持 0。不得把 ArgoCD Synced、route 200、Pod Running、CD success 或 smoke pass 視為資安驗收。

1.3 2026-06-15 Public Gateway / Nginx 事故後回讀投影

public_gateway_post_incident_readback_plan_v1 已投影到 iwooos-posture-projection.snapshot.json 與前台 marker。固定 candidate_count=3、c0_candidate_count=2、write_capable_candidate_count=3、required_readback_field_count=30、reviewer_check_count=28、outcome_lane_count=10、blocked_action_count=41，並讓 nginx_public_gateway_coverage_percent=92。

此同步只代表前端可以顯示 Nginx / Public Gateway 事故後回讀計畫與邊界；post_incident_readback_received_count、post_incident_readback_accepted_count、host_live_conf_read_authorized_count、nginx_test_authorized_count、nginx_reload_authorized_count、route_smoke_authorized_count、dns_tls_probe_authorized_count、certbot_renew_authorized_count、runtime_gate_count 與 action_button_count 仍全部維持 0。不得把 route 200、Nginx active、dashboard up、CD success 或 UI 可見視為資安驗收。

1.4 2026-06-15 Monitoring / Alerting / Observability 事故後回讀投影

monitoring_post_incident_readback_plan_v1 已投影到 iwooos-posture-projection.snapshot.json 與前台 marker。固定 candidate_count=60、write_capable_candidate_count=11、live_evidence_required_candidate_count=60、alert_rule_candidate_count=13、deploy_or_reload_candidate_count=6、required_readback_field_count=30、reviewer_check_count=28、outcome_lane_count=11、blocked_action_count=53，並讓 monitoring_alerting_observability_coverage_percent=70。

此同步只代表前端可以顯示監控 / 告警 / 可觀測性事故後回讀計畫與邊界；post_incident_readback_received_count、post_incident_readback_accepted_count、receiver_receipt_readback_accepted_count、stale_pending_resolved_review_accepted_count、silence_mute_dedup_inhibit_review_accepted_count、alert_chain_health_readback_accepted_count、runtime_gate_count 與 action_button_count 仍全部維持 0。不得把 route 200、dashboard up、container up、receiver reachable、CD success 或 UI 可見視為告警鏈路驗收。

1.5 2026-06-16 CD / Runner / Secret injection 事故後回讀投影

cd_runner_secret_injection_post_incident_readback_plan_v1 已投影到 iwooos-posture-projection.snapshot.json 與前台 marker。固定 candidate_count=5、c0_candidate_count=4、write_capable_candidate_count=5、required_readback_field_count=33、reviewer_check_count=30、outcome_lane_count=11、blocked_action_count=52，並讓 secret_metadata_coverage_percent=70、gitea_workflow_runner_source_control_coverage_percent=74。

此同步只代表前端可以顯示 CD / Runner / Secret injection 事故後回讀計畫與邊界；post_incident_readback_received_count、post_incident_readback_accepted_count、workflow_diff_state_accepted_count、runner_attestation_accepted_count、secret_name_parity_accepted_count、secret_injection_route_accepted_count、deploy_marker_readback_accepted_count、gitea_action_run_readback_accepted_count、log_redaction_readback_accepted_count、runtime_gate_count 與 action_button_count 仍全部維持 0。不得把 CD success、deploy marker、workflow success、route 200、runner online、AwoooP approval 或 UI 可見視為資安驗收。

1.6 2026-06-18 Backup / Restore / Escrow 事故後回讀投影

backup_restore_post_incident_readback_plan_v1 已投影到 iwooos-posture-projection.snapshot.json 與前台 marker。固定 candidate_count=38、write_capable_candidate_count=27、live_evidence_required_candidate_count=38、restore_drill_required_candidate_count=38、offsite_or_escrow_required_candidate_count=20、retention_or_remote_delete_required_candidate_count=17、required_readback_field_count=34、reviewer_check_count=32、outcome_lane_count=11、blocked_action_count=51，並讓 backup_restore_credential_coverage_percent=66。

此同步只代表前端可以顯示 Backup / Restore / Escrow 事故後回讀計畫與邊界；post_incident_readback_received_count、post_incident_readback_accepted_count、backup_status_readback_accepted_count、restore_drill_readback_accepted_count、offsite_sync_readback_accepted_count、credential_escrow_non_secret_readback_accepted_count、retention_runway_readback_accepted_count、backup_health_no_false_green_readback_accepted_count、runtime_gate_count 與 action_button_count 仍全部維持 0。不得把備份排程存在、route 200、冷啟動分數、UI 可見或文件齊備視為 backup / restore / DR 資安驗收。

1.7 2026-06-18 外部入侵主機防堵控制投影

external_host_intrusion_prevention_control_v1 已投影到 iwooos-posture-projection.snapshot.json 與前台 marker。固定 prevention_domain_count=12、control_candidate_count=14、c0_control_candidate_count=10、host_alias_count=4、sensor_alias_count=1、required_owner_field_count=36、reviewer_check_count=34、outcome_lane_count=12、blocked_action_count=82，並讓 docker_compose_systemd_host_config_coverage_percent=68、ssh_firewall_network_access_coverage_percent=70、monitoring_alerting_observability_coverage_percent=74。

此同步只代表前端可以顯示外部入侵防堵候選、優先序、拒收條件與 0 / false 邊界；owner_response_received_count、owner_response_accepted_count、evidence_ref_received_count、evidence_ref_accepted_count、prevention_control_accepted_count、wazuh_active_response_enabled_count、host_write_authorized_count、firewall_change_authorized_count、nginx_reload_authorized_count、package_upgrade_authorized_count、active_scan_authorized_count、runtime_gate_count 與 action_button_count 仍全部維持 0。不得把這張矩陣解讀成已封鎖端口、已改防火牆、已重啟主機、已更新套件、已清除木馬或已啟用 Wazuh active response。

1.8 2026-06-18 SOC / SIEM / Kali 112 / Wazuh 整合控制投影

soc_siem_kali_wazuh_integration_control_v1 已投影到 iwooos-posture-projection.snapshot.json 與前台 marker。固定 standard_framework_count=14、operating_role_count=9、incident_lifecycle_stage_count=8、maturity_stage_count=7、validation_gate_count=18、control_domain_count=16、signal_source_count=12、control_candidate_count=20、c0_control_candidate_count=12、c1_control_candidate_count=8、required_owner_field_count=42、reviewer_check_count=36、outcome_lane_count=14、blocked_action_count=103，並讓 monitoring_alerting_observability_coverage_percent=78、security_evidence_tooling_coverage_percent=88、高價值配置平均只讀成熟度推進到 73%。

此同步只代表前端可以顯示 Wazuh、Kali 112、Prometheus / Alertmanager、SigNoz、Sentry、Nginx / Gateway、host forensic、Docker / systemd、K8s / ArgoCD、Gitea / runner、Harbor / SBOM 與 backup / DR 的只讀 SOC 控制框架；wazuh_event_ref_received_count、kali_scope_ref_accepted_count、kali_finding_envelope_accepted_count、siem_correlation_rule_accepted_count、alert_route_accepted_count、incident_case_accepted_count、forensic_evidence_accepted_count、owner_response_received_count、owner_response_accepted_count、active_response_enabled_count、kali_active_scan_authorized_count、kali_execute_authorized_count、prometheus_reload_authorized_count、alertmanager_reload_authorized_count、telegram_send_authorized_count、soar_case_create_authorized_count、auto_block_authorized_count、runtime_gate_count 與 action_button_count 仍全部維持 0。不得把 SOC 看板、SIEM 規則候選、Kali 工具清單、Wazuh agent 可見或告警 route reachable 視為資安驗收。

2. 來源

IwoooS 首版只讀取或對齊以下已提交 evidence：

來源	用途
`security_mirror_status_rollup_v1`	64% headline、36 contracts、0 active runtime gates、下一個高層 gate
`security_rollout_policy_v1`	7 條 low-friction non-blocking lanes
`source_control_owner_response_validation_rollup_v1`	owner response 仍為 0、S4.9 下一個收件候選
`source_control_primary_readiness_gate_v1`	GitHub primary readiness 仍為 0、候選 repo 與切換前置缺口
`public_gateway_post_incident_readback_plan_v1`	Public Gateway / Nginx 事故後回讀計畫、92% 子項成熟度、30 個必填欄位、41 類 blocked action、runtime gate 0
`k8s_argocd_post_incident_readback_plan_v1`	K8s / ArgoCD 事故後回讀計畫、66% 子項成熟度、31 個必填欄位、41 類 blocked action、runtime gate 0
`monitoring_post_incident_readback_plan_v1`	Monitoring / Alerting / Observability 事故後回讀計畫、70% 子項成熟度、30 個必填欄位、53 類 blocked action、runtime gate 0
`cd_runner_secret_injection_post_incident_readback_plan_v1`	CD / Runner / Secret injection 事故後回讀計畫、secret metadata 70%、workflow / runner 74%、33 個必填欄位、52 類 blocked action、runtime gate 0
`backup_restore_post_incident_readback_plan_v1`	Backup / Restore / Escrow 事故後回讀計畫、66% 子項成熟度、34 個必填欄位、51 類 blocked action、runtime gate 0
`external_host_intrusion_prevention_control_v1`	外部入侵主機防堵控制矩陣、12 個控制域、14 個 P0 防堵候選、36 個 owner 必填欄位、82 類 blocked action、runtime gate 0
`soc_siem_kali_wazuh_integration_control_v1`	SOC / SIEM / Kali 112 / Wazuh 整合控制矩陣、14 個業界框架、9 個營運角色、8 段事件生命週期、18 個驗證 Gate、16 個控制域、20 個控制候選、42 個 owner 必填欄位、103 類 blocked action、runtime gate 0
`kali_integration_status_v1`	Kali 112 observe-only 整合態勢
`vibework_iwooos_onboarding_handoff_v1`	VibeWork repo / product / surface / owner / evidence refs / 獨立產品邊界只讀 handoff
`docs/LOGBOOK.md`	部署 marker、Gitea run 與 rollout risk 邊界紀錄
`2026-06-04-iwooos-security-governance-p0.md`	IwoooS P0 完成度、優先順序、跨 Session 同步與驗證節點
`/iwooos` 前端路由	顯示入口，不提供執行按鈕
既有前端資安頁面	只讀索引，不搬移原頁責任邊界、不新增執行控制

3. 前端可顯示

Security Posture / Exposure 入口。
64% headline progress、92% 框架與 40-45% runtime landing 判讀。
36 個主要契約、33 ready、2 partial、1 contract-only、0 blocked。
0 active runtime gates。
Exposure、source-control、Kali 112、approval boundary 四個面向。
7 條 non-blocking lanes。
evidence refs 與下一個高層 gate。
10 個既有前端資安相關頁面索引。
4 個前端資安責任面與 5 個重疊 / 衝突控制。
6 個只讀資安處理旅程階段。
7 個 owner evidence readiness items。
3 個只讀主機覆蓋 items：Kali 112、開發主機 168、開發主機 111。
6 個主機動作 gate items：active scan、credentialed scan、Kali /execute、SSH / host change、Kali update、runtime blocking control。
7 個主機 evidence readiness items：scope boundary、owner decision、credential handling、maintenance window、rollback plan、validation metrics、redacted ingestion。
7 個主機 evidence collection order steps，顯示收件順序與前置依賴。
7 個主機 evidence intake preflight checks，顯示未來 evidence 進人工 review 前的拒收 / 隔離規則。
7 個主機 evidence review outcome lanes，顯示 preflight 後的人工審查分流結果。
7 個主機 evidence review handoff packets，顯示人工 reviewer 需要的脫敏交接資料包。
7 個主機 evidence reviewer checklist items，顯示 reviewer 看完 handoff packets 後仍需確認的只讀檢查。
7 個主機 evidence reviewer outcome lanes，顯示 reviewer checklist 後的只讀結果分流。
7 個 host owner decision candidate packets，顯示 reviewer outcome 進到 owner decision 前仍需要的人工決策範圍。
7 個 host owner decision review checklist items，顯示 owner decision candidate packets 後仍需人工核對的安全邊界。
7 個 host owner decision review outcome lanes，顯示 owner review checklist 後的只讀結果分流。
7 個 host owner decision record draft packets，顯示 formal decision record 候選需要的草稿欄位。
7 個 host owner decision record draft review checklist items，顯示草稿欄位進入正式決策紀錄前仍需只讀核對的條件。
7 個 host owner decision record draft review outcome lanes，顯示草稿核對後的只讀結果分流。
7 個 host owner decision record write-up packets，顯示正式 decision record 撰寫欄位，但不建立 record、不標記 completed / accepted、不開 runtime gate。
7 個 host owner decision record write-up review checklist items，顯示正式撰寫欄位進入決策紀錄前仍需只讀核對的條件。
7 個 host owner decision record write-up review outcome lanes，顯示 write-up review 後的只讀結果分流與下一步。
7 個 host owner decision record formal candidate packets，顯示 formal record candidate 需要的候選欄位，但不建立 decision record、不標記 finalized / accepted、不開 runtime gate。
7 個 host owner decision record formal candidate review checklist items，顯示 formal candidate packets 進入後續人工紀錄前仍需只讀核對的條件。
8 個 host owner decision record formal candidate review outcome lanes，顯示 candidate review 後的只讀結果分流與下一步。
8 個 host owner decision record formal record queue packets，顯示人工正式紀錄佇列需要看的資料包，但不 enqueue、不建立 decision record、不開 runtime gate。
8 個 host owner decision record formal record queue review checklist items，顯示佇列資料包進人工正式紀錄審查前仍需只讀核對的條件。
8 個 host owner decision record formal record queue review outcome lanes，顯示 queue review 後的只讀結果分流與下一步。
8 個 host owner decision record human handoff readiness packets，顯示未來交給人工 record owner 前要準備的 metadata，但不開始 handoff、不標記 ready、不建立 decision record、不開 runtime gate。
8 個 host owner decision record human handoff readiness review checklist items，顯示 readiness packets 進人工 record owner 前仍需只讀核對的條件，但不標記 review passed、不開始 handoff、不建立 decision record、不開 runtime gate。
9 個 host owner decision record human handoff readiness review outcome lanes，顯示 readiness review 後的只讀結果分流與下一步，但不標記 review passed、不開始 handoff、不標記 handoff ready、不 enqueue、不建立 decision record、不開 runtime gate。
9 個 host owner decision record human record owner review candidate packets，顯示未來人工 record owner review candidate 需要看的 metadata，但不開始 review、不標記 ready、不收 owner decision、不建立 decision record、不開 runtime gate。
9 個 host owner decision record human record owner review candidate checklist items，顯示 candidate packets 進人工 record owner review 前仍需只讀核對的條件，但不標記 checklist passed、不開始 review、不標記 ready、不收 owner decision、不建立 decision record、不開 runtime gate。
9 個 host owner decision record human record owner review candidate outcome lanes，顯示 candidate checklist 後的只讀結果分流與下一步，但不標記 outcome passed、不開始 review、不標記 ready、不收 owner decision、不建立 decision record、不開 runtime gate。
9 個 host owner decision record human record owner review preparation packets，顯示未來人工 record owner review 畫面準備需要看的 metadata，但不標記 preparation completed、不開始 review、不標記 ready、不收 owner decision、不建立 decision record、不開 runtime gate。
9 個 host owner decision record human record owner review preparation checklist items，顯示 preparation packets 進人工 record owner review 前仍需只讀核對的條件，但不標記 preparation completed、不標記 checklist passed、不開始 review、不標記 ready、不收 owner decision、不建立 decision record、不開 runtime gate。
6 條 progress acceleration lanes，直接顯示 64% 後哪些高層 gate 能解鎖下一輪進度判讀，以及後續節奏要改成 milestone batch，但不把 acceleration lane 當授權、加分、owner response、runtime gate、GitHub primary 或 production execution。
4 個 owner response next-action focus items，直接顯示 S4.9 目前是下一個收件焦點，S4.10 / S4.11 / S4.12 依序排隊，但不催收、不代填、不標記 received / accepted、不建立 approval record、不開 runtime gate。
6 個 S4.9 owner response preflight checks，直接顯示第一個 P0 owner response 在收件前要確認的已知 item、必填欄位、allowed decision、脫敏 evidence、無 execution request 與五項到齊規則，但不寄送 request、不標記 received / accepted、不建立 audit event、不寫 Gitea、不 sync refs、不開 runtime gate。
5 個 S4.9 owner response request templates，直接顯示 owner 要逐項回覆的 public-only / local gap、org/user endpoint、110 adjacent source、repo owner / canonical scope、legacy / inaccessible disposition，但不送出 request、不催收、不代填、不標記 received / accepted、不完成 Gitea inventory、不寫 Gitea、不 sync refs、不切 GitHub primary。
6 個 progress hold movement gates，直接顯示 64% 後仍未打開的實質門檻：owner response accepted、redacted payload ingestion、active runtime gate、GitHub primary ready、AwoooP read-only landing、Kali 112 read-only evidence，但不把 gate 顯示當成進度加分、授權或 runtime execution。
6 個 AwoooP read-only landing readiness items，整理 AwoooP 主線只讀接入前要消費的 snapshot、evidence refs、guard checks、route groups、forbidden outputs 與 production handoff pending，但不標記 production landing enabled、不接 execution router。
6 個 AwoooP cross-session handoff packets，固定另一個 AwoooP Session 接手前要確認的 PR / branch、進度語義、guard commands、runtime 禁止動作、只讀輸入與下一個協調 gate，但不把 handoff 當 merge、deploy、primary switch、refs mutation、guard skip 或 production consumption。
10 個 frontend surface reverse bridge statuses，顯示既有資安入口目前是 embedded bridge、direct bridge 或 AwoooP read-only candidate；這只是連接狀態，不代表 owner response、runtime authorization、Code Review blocker、Gitea/GitHub action 或任何執行控制。
6 個 source control primary readiness items，顯示 GitHub primary 前置缺口：candidate repo inventory、primary ready counter、owner response validation、refs truth、workflow / secret name inventory、rollback ADR；這只是 readiness，不代表 repo 建立、visibility 變更、refs mutation、secret value collection、primary switch 或 Gitea 停用。
4 個 rollout risk read-only items，顯示風險來源部署 marker、AWOOOI_ROLLOUT_RISK=1、ArgoCD Degraded / OutOfSync、API health / smoke 已通過與執行期閘門仍為 0；這只是部署風險可見性，不代表 ArgoCD sync、kubectl、主機重啟、修復、部署或 runtime gate 已授權。
14 類 high-value config control coverage statuses，顯示 Nginx、DNS / TLS、K8s、機密、工作流程、執行器、backup、agent-bounty runtime、monitoring、Docker / systemd、SSH / network、AI provider、產品 route 與 security evidence 的全域配置控管覆蓋矩陣；平均只讀成熟度 71%、C0 類別 8、需 live / owner evidence 類別 9、owner response received / accepted 與 runtime gate 仍為 0，不代表 reload、sync、scan、secret rotation、payout 或主機操作授權。 54a. 前台 source / messages 敏感資訊防洩漏 guard 已固定 public_surface_file_count=225、forbidden_pattern_count=12、allowlisted_match_count=2、violation_count=0、runtime_gate_count=0，讓 public_admin_api_runtime_config 從 64% 推進到 66%；這只代表 source-control 防洩漏 gate，仍不是 production bundle scan accepted、desktop / mobile production smoke accepted、owner response accepted 或 runtime gate。
9 個 host-service config repo-only inventory surfaces，顯示 Docker Compose、systemd / repair-bot、Ansible service role 與 host config backup capture 的第一層清冊；write-capable surface 3、repair-bot whitelist 2、systemd restart surface 1，owner response、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 0，不代表 docker compose、systemctl、repair-bot 或 Ansible apply 已授權。 55a. 9 個 Docker / systemd / host service change evidence acceptance 候選，顯示重啟 actor、before / after service state、Docker daemon state、compose / systemd state、failed unit review、port binding、dependency impact、cold-start sequence、route recovery、operator notification、cross-project sync 與 no-false-green service health 收件規則；write-capable candidate 3、required evidence field 25、reviewer check 26、outcome lane 10、blocked action 39，讓 Docker / systemd / host service 類別成熟度從 58% 推進到 62%；change evidence、Docker daemon state accepted、compose stack accepted、systemd unit accepted、failed unit review accepted、port binding accepted、route recovery accepted、operator notification accepted、live host read、Docker / systemd、repair-bot、Ansible、route smoke、runtime gate 與 action button 仍全部為 0。 55b. 9 個 Docker / systemd / host service post-incident readback 候選，顯示主機重啟、Docker daemon、compose、systemd、failed unit、port binding、public/admin route、AI provider、monitoring、operator notification、cross-project sync、restoration evidence、post-check、recurrence guard 與 no-false-green attestation 的事故後回讀規則；write-capable candidate 3、live evidence required 8、required readback field 28、reviewer check 28、outcome lane 10、blocked action 41，讓 Docker / systemd / host service 類別成熟度從 62% 推進到 64%；readback received / accepted、Docker daemon accepted、compose accepted、systemd accepted、route recovery accepted、monitoring accepted、cross-project sync accepted、recurrence guard accepted、runtime gate 與 action button 仍全部為 0。
16 個 SSH / network access repo-only inventory surfaces、owner response acceptance 與端口 / 防火牆變更證據驗收只讀帳本，顯示 SSH target、known_hosts workflow、CI deploy SSH、monitoring SSH、backup SSH capture、sudoers wrapper、NetworkPolicy、NodePort、WireGuard runbook 與 alert SSH action catalog 的第一層清冊；write-capable surface 6、NetworkPolicy 2、NodePort 2、sudoers 1、WireGuard 1，acceptance candidate 16、change evidence candidate 14、reviewer check 21、outcome lane 9、blocked action 28，讓 SSH / network 類別成熟度從 58% 推進到 62%；owner response、change evidence、actor、before / after state、service health impact、operator notification、cross-project sync、post-check evidence、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 0，不代表 SSH、sudo、firewall、port close / open、NetworkPolicy、NodePort、WireGuard、route smoke 或 known_hosts patch 已授權。 56d. 14 個 SSH / network / firewall post-incident readback 候選，顯示端口關閉、firewall / NetworkPolicy / NodePort / WireGuard policy、deploy SSH、sudo 與 alert action 事故後必須回讀 actor、before / after、service / public route / AI provider / monitoring impact、operator notification、cross-project sync、restoration evidence、post-check、recurrence guard 與 no-false-green attestation；write-capable candidate 6、policy / exposure candidate 5、required readback field 24、reviewer check 24、outcome lane 10、blocked action 34，讓 SSH / network 類別成熟度從 62% 推進到 64%；readback received / accepted、actor accepted、before / after accepted、impact accepted、notification accepted、sync accepted、restoration accepted、recurrence guard accepted、runtime gate 與 action button 仍全部為 0。 56a. 4 個 K8s / ArgoCD GitOps 變更證據驗收候選，顯示 production manifests、ArgoCD app、Velero、monitoring manifests 的 proposed commit、rendered manifest diff、ArgoCD app / sync revision、health before / after、rollout、route smoke、metrics / alert、secret metadata parity、blast radius、maintenance window、rollback revision 與 postcheck owner 收件規則；C0 candidate 3、write-capable candidate 4、reviewer check 18、outcome lane 8、blocked action 28，讓 K8s / ArgoCD 類別成熟度從 62% 推進到 64%；change evidence、runtime approval package、ArgoCD API read、ArgoCD sync、kubectl action、Helm upgrade、NetworkPolicy / NodePort / RBAC change、production write、runtime gate 與 action button 仍全部為 0。 56a.1. 4 個 K8s / ArgoCD post-incident readback 候選，顯示 ArgoCD app health、sync status、Degraded / Pending、image pull / scheduling、rollout before / after、event / metrics / alert、drift scanner、CronJob、NetworkPolicy / RBAC / Secret metadata、public/admin route、AI provider / monitoring、backup / restore、operator notification、cross-project sync、postcheck、recurrence guard 與 no-false-green attestation 的事故後回讀規則；C0 candidate 3、write-capable candidate 4、required readback field 31、reviewer check 28、outcome lane 10、blocked action 41，讓 K8s / ArgoCD 類別成熟度從 64% 推進到 66%；readback received / accepted、ArgoCD API read、ArgoCD sync、live cluster read、kubectl、Helm、NetworkPolicy / NodePort / RBAC change、route smoke、production write、runtime gate 與 action button 仍全部為 0。 56b. 5 個 CD / Runner / Secret 注入變更證據驗收候選，顯示 CD pipeline、程式碼審查、部署通知、執行器證明與 repository secret name parity / injection owner 的 metadata-only 收件規則；C0 candidate 4、write-capable candidate 5、local workflow file 33、referenced secret name 42、runner label 5、reviewer check 19、outcome lane 8、blocked action 32，讓 secret metadata 類別成熟度從 66% 推進到 68%，讓 Gitea workflow / runner 類別成熟度從 70% 推進到 72%；workflow diff、runner attestation、secret name parity、secret injection route、deploy marker readback、guard result、postcheck evidence、runtime approval package、workflow modification、runner change、repo secret change、secret rotation、Gitea action dispatch、production deploy、runtime gate 與 action button 仍全部為 0。 56c. 8 個 AI provider / model routing owner response acceptance 候選，顯示 AI router provider policy、Ollama proxy gateway、fallback order / circuit breaker、cost budget / quota、privacy / data egress、benchmark / dry-run、model card / version inventory 與 agent replacement candidate boundary 的 metadata-only 收件規則；write-capable candidate 5、paid-provider candidate 5、data-egress candidate 6、owner field 24、reviewer check 24、outcome lane 10、blocked action 38，讓 AI provider / model routing 類別成熟度從 60% 推進到 64%；owner response、fallback order、dry-run、benchmark、cost review、privacy review、prompt redaction、quality gate、provider switch、external provider call、paid provider call、prompt send、live endpoint probe、secret collection、SDK install、shadow / canary、runtime gate 與 action button 仍全部為 0。
38 個 Backup / restore / escrow / retention repo-only inventory surfaces，顯示 backup orchestration、service backup scripts、restic retention、offsite sync、credential escrow、Velero restore drill、backup health alert 與 cold-start / DR runbook 的第一層清冊；write-capable surface 27、restore drill surface 4、offsite / escrow surface 8，owner response、live evidence、restore drill、offsite sync、credential escrow、retention change、runtime gate 與 action button 仍全部為 0，不代表 backup、restore、offsite sync、remote delete、restic prune、escrow marker write、rclone config 或 Velero restore 已授權。 57a. 38 個 Backup / restore / escrow owner response acceptance backfill，顯示 restore recovery、freshness SLO、隔離 restore target、backup dependency map、data classification、remote delete guard、retention runway、restore observer / stop condition、credential recovery non-secret proof 與 backup health no-false-green review 收件規則；owner field 23、reviewer check 22、outcome lane 9、blocked action 31，讓 backup / restore / credential 類別成熟度從 62% 推進到 64%；owner response、freshness SLO accepted、restore target isolation accepted、remote delete guard accepted、retention runway accepted、credential recovery drill accepted、backup run、restore run、offsite sync、remote delete、retention change、secret collection、runtime gate 與 action button 仍全部為 0。 57b. 38 個 Backup / restore / escrow post-incident readback 候選，顯示 actor、時間窗、改前改後 freshness、backup status、restore drill、隔離 restore target、offsite sync、remote delete guard、credential escrow non-secret proof、retention runway、retention / prune decision、dependency map、data classification、restore observer、alert textfile、cold-start scorecard、cross-project sync、rollback、post-change monitoring、防再發與 no-false-green attestation 的事故後回讀規則；write-capable candidate 27、live evidence required 38、required readback field 34、reviewer check 32、outcome lane 11、blocked action 51，讓 backup / restore / credential 類別成熟度從 64% 推進到 66%；readback received / accepted、backup status accepted、restore drill accepted、offsite sync accepted、credential escrow non-secret proof accepted、retention runway accepted、backup health no-false-green accepted、runtime gate 與 action button 仍全部為 0。
60 個 Monitoring / alerting / observability repo-only inventory surfaces，顯示 Prometheus、Alertmanager、Grafana、SigNoz、Sentry、Langfuse、OTEL、Telegram / notification policy、deploy / reload scripts 與 alert chain smoke scripts 的第一層清冊；write-capable surface 11、alert rule surface 13、deploy / reload surface 6，owner response、live evidence、reload owner、receiver owner、route smoke、runtime gate 與 action button 仍全部為 0，不代表 Prometheus reload、Alertmanager reload、Grafana import、SigNoz apply、Sentry deploy、Telegram send、live alert fire 或 alert chain smoke 已授權。 58a. 60 個 Monitoring / alerting / observability owner response acceptance 候選已補告警鏈路 no-false-green 回補規則；acceptance field 38、reviewer check 23、outcome lane 12、blocked action 34，新增 incident context、alert chain health 不能只看 route 200、receiver receipt proof、stale alert review、silence / dedup review、false-green risk review、post-reload readback plan 與 cross-project notification ref，讓 monitoring / alerting / observability 類別成熟度從 66% 推進到 68%；owner response、receiver receipt、stale alert review、silence / dedup review、false-green risk review、post-reload readback、runtime gate 與 action button 仍全部為 0。 58b. 60 個 Monitoring / alerting / observability post-incident readback 候選，顯示 actor、change / outage time window、before / after alert state、rule / datasource / scrape state、receiver route、receiver receipt、stale / silence review、dashboard / trace / log freshness、notification delivery、alert chain health、cross-project sync、rollback、post-change monitoring、postcheck、recurrence guard 與 no-false-green attestation 的事故後回讀規則；write-capable candidate 11、live evidence required 60、alert rule candidate 13、deploy / reload candidate 6、required readback field 30、reviewer check 28、outcome lane 11、blocked action 53，讓 monitoring / alerting / observability 類別成熟度從 68% 推進到 70%；readback received / accepted、receiver receipt、stale / silence、alert chain health、reload、Telegram send、alert chain smoke、runtime gate 與 action button 仍全部為 0。
12 個 Public Gateway Preflight repo-only gates，顯示 Nginx public gateway reload / route change 前必備的 owner、live conf、rendered diff、nginx -t、public / admin / WebSocket route smoke、ACME / TLS owner check、maintenance window 與 rollback owner；source config 3、route impact 14、repo-only ready gate 2，owner acceptance、live conf、rendered diff、nginx -t evidence、route smoke、runtime gate 與 action button 仍全部為 0，不代表 SSH、live conf read、Nginx reload、route change、DNS / TLS probe 或 certbot renew 已授權。

3.1 既有前端資安頁面整合

S2.10 將前端原本已存在的資安相關頁面收進 IwoooS，只作為 route / source / read-only mode 索引。

Route	來源	IwoooS 呈現
`/security-compliance`	`SecurityPanel` / `CompliancePanel`	安全合規整合頁
`/security`	`apps/web/src/app/[locale]/security/page.tsx`	既有安全監控頁
`/compliance`	`apps/web/src/app/[locale]/compliance/page.tsx`	既有合規頁
`/alerts`	`useIncidents` / `IncidentCard`	告警管理
`/errors`	`ErrorsPanel`	錯誤與 UX 稽核
`/authorizations`	`LiveApprovalPanel`	HITL / multi-sig 授權中心
`/governance`	Governance tabs	AI 治理中樞
`/alert-operation-logs`	Alert operation log page	告警操作稽核
`/awooop/approvals`	AwoooP approvals page	AwoooP 審批佇列
`/code-review`	Code Review page	AI Code Review 控制面

這些 route 仍保留原本功能與 owner 邊界；IwoooS 只提供可見索引，不把任何頁面升級成 scan、execute、repair、blocking gate、deploy approval 或 runtime authorization。

S2.62 追加「前端資安頁面連接狀態板」，讓使用者可以直接看見每個 route 目前如何接回 IwoooS：

Route	連接狀態	邊界
`/security-compliance`	embedded bridge visible	透過 SecurityPanel / CompliancePanel 內嵌橋接顯示納管狀態，不新增修復、批准或部署
`/security`	direct bridge visible	顯示 standalone security 的 IwoooS 只讀橋接，不變成 scan entrypoint
`/compliance`	direct bridge visible	顯示 standalone compliance 的 IwoooS 只讀橋接，不建立 approval 或 runtime gate
`/alerts`	direct bridge visible	顯示 active incident 納管狀態，不新增 alert blocker 或 repair
`/errors`	direct bridge visible	顯示 ErrorsPanel 納管狀態，不新增執行控制
`/authorizations`	direct bridge visible	顯示 HITL / multi-sig 人控邊界，不把橋接當 approval record
`/governance`	direct bridge visible	顯示 governance evidence，不把治理可見性當 runtime authorization
`/alert-operation-logs`	direct bridge visible	顯示深色只讀橋接與事件流，不新增 preflight bypass、repair 或 deploy
`/awooop/approvals`	AwoooP read-only candidate	顯示 owner response 只讀候選，不等於資安批准或 runtime gate
`/code-review`	direct bridge visible	顯示深色只讀橋接，不把 Code Review 當 deploy approval 或 Gitea/GitHub action

3.1.1 GitHub Primary Readiness Board

S2.63 追加 GitHub Primary Readiness 只讀狀態板，讓使用者理解「長期考量轉回 GitHub」仍需要哪些 evidence，而不是把方向共識誤讀成已可切換 primary。

項目	目前值	邊界
candidate repo inventory	10 個 candidate、9 個 in-scope	只顯示清冊與 owner evidence 缺口，不建立 GitHub repo、不改 visibility
primary ready counter	`primary_ready_count=0`	不切 GitHub primary、不停用 Gitea
owner response validation	`received=0`、`accepted=0`、22 templates	不把 request-ready、template 或前端顯示當 owner response accepted
refs truth	accepted=0	不 push、delete、force push refs
workflow / secret name inventory	complete=0/9	只收名稱與 owner evidence，不收 secret value
rollback ADR	approved=0、dry-run=0	不 dry-run cutover、不執行 rollback、不切 primary

這個 board 的唯一允許輸出是 display_source_control_primary_readiness_board。所有 repo、refs、workflow、secret、runner、primary switch 與 Gitea disablement 都仍必須留在後續人工 gate。

3.2 覆蓋與邊界矩陣

S2.11 將 10 個既有前端資安頁面分成四個責任面，讓使用者看懂「訊號在哪裡、人工控制在哪裡、治理稽核在哪裡、工程審查在哪裡」。

責任面	Route	邊界
訊號與暴露面	`/security-compliance`、`/security`、`/compliance`、`/alerts`、`/errors`	顯示風險、事件、錯誤、UX audit 與合規訊號，不把 observation 直接升 blocking
人工控制邊界	`/authorizations`、`/awooop/approvals`	顯示 HITL / multi-sig / AwoooP approvals；不等於資安 runtime gate 已批准
治理與稽核	`/governance`、`/alert-operation-logs`	顯示治理事件、SLO、補救佇列與操作日誌；audit event 不是執行授權
工程審查	`/code-review`	顯示 AI Code Review pipeline；review 結果可產生 follow-up，不等於 deploy approval

重疊 / 衝突控制：

IwoooS 保留原 route owner，不搬移資料寫入權。
覆蓋矩陣不得升級成 runtime gate。
Code Review link 不等於 deploy approval。
AwoooP approval 狀態不等於資安 approval decision record。
前端索引不得呼叫 Kali active scan 或 /execute。

3.3 資安處理旅程

S2.12 將使用者可見的資安處理流程固定為 6 個只讀階段：

順序	階段	輸出
1	讀取目前態勢	顯示 posture / progress / gate 狀態，不代表授權
2	開啟既有資安頁面	進入原 route，保留原 owner 與資料邊界
3	判讀非阻擋分流	建 follow-up，不直接升 blocking
4	收 owner evidence	更新 received / accepted 狀態，不執行 repo / refs / workflow / Kali 動作
5	等待人工決策	需要 decision record，不用 AwoooP approval、Code Review 或進度數字替代
6	準備後續 runtime gate	只有人工批准後才另開 follow-up runtime gate；目前 active runtime gates 仍為 0

這個旅程是 status projection，不是 execution queue。任何 active scan、repair、deploy、GitHub primary、repo / refs / workflow / runner 或 secret 變更，都仍需獨立批准與後續 runtime gate。

3.4 Owner Evidence Readiness

S2.13 將 headline 進度下一步真正需要的 evidence 顯示成只讀 readiness board。

順序	Evidence item	目前狀態	解除條件
1	S4.9 Gitea owner attestation response	next collection candidate；received=0、accepted=0	收到並接受脫敏 owner response
2	S4.10 GitHub target owner response	waiting owner response；received=0、accepted=0	GitHub target owner response accepted
3	S4.11 refs truth owner response	waiting owner response；received=0、accepted=0	refs truth owner response accepted
4	S4.12 workflow / secret name owner response	waiting owner response；received=0、accepted=0	workflow / secret owner response accepted
5	Redacted finding ingestion	approval required；received=0、accepted=0	人工批准後接收脫敏 finding
6	Kali scan scope approval	approval required；received=0、accepted=0	scan scope approval + follow-up runtime gate
7	Follow-up runtime gate	locked until human decision；active gate=0	decision record accepted 後另開 runtime gate

這個 board 只說明「還缺什麼」，不代表已收到 evidence、已接受 evidence、已批准、已可掃描、已可修復、已可部署或已可切 GitHub primary。

3.5 主機覆蓋視圖

S2.14 將統帥指定的 Kali 與兩台開發主機放進 IwoooS 的可見資安範圍，讓使用者能看懂哪些主機已被納入後續資安網路徑。

順序	主機	角色	目前狀態
1	`192.168.0.112`	Kali 資安主機	已在 posture / evidence refs 中作為 observe-only integration；active scan、`/execute`、SSH 變更與主機更新仍未批准
2	`192.168.0.168`	開發主機	已宣告為 observe-only scope；credentialed scan 與 runtime control 仍未批准
3	`192.168.0.111`	開發主機	已宣告為 observe-only scope；credentialed scan 與 runtime control 仍未批准

這個視圖只代表「納入視野」，不代表已啟動掃描、已登入主機、已更新 Kali、已調校主機、已建立 SSH 工作流或已允許 runtime control。

3.6 主機動作 Gate 矩陣

S2.15 將主機相關高風險動作拆成只讀 gate matrix，避免「主機已納入視野」被誤讀成「可以直接掃描、登入、更新或阻擋」。

順序	動作	相關主機	目前 Gate
1	Active scan	`192.168.0.112`、`192.168.0.168`、`192.168.0.111`	需要 S1.6 scan scope approval 與後續 runtime gate
2	Credentialed scan	`192.168.0.112`、`192.168.0.168`、`192.168.0.111`	需要 scope、credential handling 與脫敏 evidence 規範；目前未批准
3	Kali `/execute`	`192.168.0.112`	block candidate；需要人工 decision record 與 S3.4 follow-up runtime gate
4	SSH / host change	`192.168.0.112`、`192.168.0.168`、`192.168.0.111`	需要明確人工批准、變更計畫與 rollback evidence
5	Kali host update	`192.168.0.112`	需要維護窗口、更新清單、驗證指標與 rollback 計畫
6	Runtime blocking control	`192.168.0.112`、`192.168.0.168`、`192.168.0.111`	需要 accepted decision record；目前 active runtime gates 仍為 0

每個 item 都固定 display_mode=gate_only，且 active_scan_authorized=false、credentialed_scan_authorized=false、ssh_change_authorized=false、host_update_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

3.7 主機 Evidence Readiness

S2.16 將主機動作解鎖前需要的 evidence 顯示成只讀 readiness board。這一層只回答「要進下一步前缺什麼」，不代表任何 evidence 已收到或已接受。

順序	Evidence item	目前狀態	影響範圍
1	Scope boundary	waiting redacted scope approval；received=0、accepted=0	112、168、111 的目標、排除範圍、深度與速率
2	Owner decision record	waiting human decision record；received=0、accepted=0	人控決策，不可由可見狀態替代
3	Credential handling	credential material collection forbidden；received=0、accepted=0	credentialed scan 前的憑證來源、保存邊界、遮蔽與拒收規則
4	Maintenance window	waiting maintenance window；received=0、accepted=0	Kali update、SSH / host change 與主機調校窗口
5	Rollback plan	waiting rollback plan；received=0、accepted=0	套件、設定、服務、工具鏈版本回復
6	Validation metrics	waiting post-check metrics；received=0、accepted=0	掃描器、監控、服務與使用者流程 post-check
7	Redacted ingestion	waiting redacted payload acceptance；received=0、accepted=0	finding / scan result 只能以脫敏摘要進 mirror

每個 item 都固定 display_mode=evidence_readiness_only，且 active_scan_authorized=false、credentialed_scan_authorized=false、ssh_change_authorized=false、host_update_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

3.8 主機 Evidence 收件順序

S2.17 將 S2.16 的七個主機 evidence readiness items 排成建議收件順序。這一層只回答「先收哪個、下一個依賴什麼」，不把任何 evidence 標成 received / accepted。

順序	收件步驟	Source item	前置依賴	狀態
1	先定義 scope boundary	`host_scope_boundary_evidence`	無	`next_collection_candidate`；received=0、accepted=0
2	再收 owner decision	`host_owner_decision_record_evidence`	`collect_scope_boundary_first`	`waiting_previous_step`；received=0、accepted=0
3	隔離 credential handling	`host_credential_handling_evidence`	`collect_owner_decision_second`	`waiting_previous_step`；received=0、accepted=0
4	安排 maintenance window	`host_maintenance_window_evidence`	`collect_owner_decision_second`	`waiting_previous_step`；received=0、accepted=0
5	補 rollback plan	`host_rollback_plan_evidence`	`collect_maintenance_window_fourth`	`waiting_previous_step`；received=0、accepted=0
6	定義 validation metrics	`host_validation_metrics_evidence`	`collect_rollback_plan_fifth`	`waiting_previous_step`；received=0、accepted=0
7	最後才收 redacted ingestion	`host_redacted_ingestion_evidence`	`collect_validation_metrics_sixth`	`waiting_previous_step`；received=0、accepted=0

每個 step 都固定 display_mode=collection_order_only，且 runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個順序是收件提示，不是工作佇列。不得因為某個 step 顯示為下一個候選，就啟動 scan、SSH、Kali update、raw payload ingestion、runtime blocking control，或把對應 evidence 標成已收到 / 已接受。

3.9 主機 Evidence Intake Preflight

S2.18 將主機 evidence 進人工 review 前的預檢條件顯示成只讀規則。這一層只回答「未來 evidence 送進來前要先擋什麼」，不接收 payload、不驗收 evidence、不推進 counters。

順序	預檢項目	拒收 / 隔離條件	目前狀態
1	Metadata pointer only	缺 redacted metadata pointer	`preflight_ready_not_executed`；received=0、accepted=0
2	Collection order match	跳過 S2.17 前置依賴	`dependency_check_waiting_evidence`；received=0、accepted=0
3	Scope before scan	scan evidence 沒有 scope boundary	`waiting_scope_evidence`；received=0、accepted=0
4	Owner before host change	SSH / update / tuning / blocking evidence 缺 owner decision pointer	`waiting_owner_decision_pointer`；received=0、accepted=0
5	Credential plaintext blocked	出現帳密、token、private key、session 或憑證明文	`plaintext_credential_collection_forbidden`；received=0、accepted=0
6	Raw payload blocked	出現完整掃描 raw output、未脫敏 finding、host dump 或 log bundle	`raw_payload_collection_forbidden`；received=0、accepted=0
7	Frontend counters frozen	前端嘗試推進 received / accepted	`frontend_counter_transition_forbidden`；received=0、accepted=0

每個 check 都固定 display_mode=intake_preflight_only、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 preflight board 不代表已收到任何主機 evidence，也不代表已進人工 review。真正收件仍需要脫敏 evidence pointer、owner decision 與後續人工驗收。

3.10 主機 Evidence Review Outcome Lanes

S2.19 將主機 evidence 通過 preflight 後可能進入的人工審查結果分流顯示成只讀 lanes。這一層只回答「下一步該補什麼或顯示什麼結果」，不建立 approval record、不啟動 runtime gate、不改 received / accepted。

順序	Outcome lane	來源預檢	下一步
1	Ready for human review	metadata pointer、dependency order、scope、owner decision	顯示人工審查候選；received=0、accepted=0
2	Needs scope evidence	scope before scan	補脫敏 scope boundary pointer，不進 scan
3	Needs owner decision	owner before host change	補 owner decision record pointer，不啟動主機動作
4	Quarantine dependency skip	collection order match	顯示隔離原因，不推 counter
5	Reject raw payload	raw payload blocked	要求改交脫敏摘要
6	Reject credential plaintext	credential plaintext blocked	不保存、不轉送、不顯示憑證明文
7	Waiting runtime gate	frontend counters frozen、owner decision	人工審查後仍需另開 runtime gate；active runtime gates=0

每個 lane 都固定 display_mode=review_outcome_only、received_count=0、accepted_count=0、approval_record_created=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 evidence 已進 review、approval record 已建立或任何主機操作可執行。它只讓使用者理解「預檢後可能被導向哪一類人審結果」。

3.11 主機 Evidence Review Handoff Packets

S2.20 將人工 reviewer 真正需要看到的主機 evidence 交接內容拆成七個只讀 packets。這一層只回答「要把哪些脫敏指標交給 reviewer 判讀」，不標記 received / accepted、不保存 raw payload、不建立 approval record、不啟動 runtime gate。

順序	Handoff packet	來源 outcome lane	必備內容
1	Scope summary	ready for human review、needs scope evidence	redacted scope boundary summary；不含 raw payload
2	Owner decision	ready for human review、needs owner decision	owner decision record pointer；不等於主機動作批准
3	Credential handling	ready for human review、reject credential plaintext	metadata-only handling statement；secret value blocked
4	Maintenance / rollback	waiting runtime gate、needs owner decision	maintenance window 與 rollback pointer；不啟動變更
5	Validation metrics	ready for human review、waiting runtime gate	post-review validation metrics pointer；不代表 runtime gate opened
6	Redaction attestation	reject raw payload、reject credential plaintext	redaction attestation metadata only；不保存敏感 payload
7	Runtime gate pointer	waiting runtime gate	follow-up runtime gate pointer only；active runtime gates=0

每個 packet 都固定 display_mode=review_handoff_only、received_count=0、accepted_count=0、approval_record_created=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 handoff board 不代表 reviewer 已收到資料、已接受資料、已批准主機操作或已開 runtime gate。它只讓 IwoooS 能把「送審前要準備什麼」清楚顯示給使用者。

3.12 主機 Evidence Reviewer Checklist

S2.21 將 reviewer 讀完 handoff packets 後仍需確認的檢查拆成七個只讀 checklist items。這一層只回答「人審前要確認哪些邊界沒有漂移」，不標記 passed、不推進 received / accepted、不建立 approval record、不開 runtime gate。

順序	Reviewer check	來源 packet	Pass condition
1	Scope boundary match	scope summary	redacted scope pointer only；no scan started
2	Owner decision scope / expiry	owner decision	decision pointer only；no approval record created
3	Credential handling metadata only	credential handling	secret value collection=false
4	Redaction attestation pass	redaction attestation	raw payload allowed=false
5	Maintenance / rollback complete	maintenance / rollback	future change conditions only；no change execution
6	Validation metrics linked	validation metrics	validation pointer only；runtime gate closed
7	Runtime gate separated	runtime gate pointer	active runtime gates=0；action buttons=false

每個 check 都固定 display_mode=reviewer_checklist_only、received_count=0、accepted_count=0、approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 checklist 不代表 reviewer 已完成審查、資料已 accepted、人工批准已建立或 runtime gate 已開啟。它只讓 IwoooS 把人審前的安全判讀步驟顯示清楚。

3.13 主機 Evidence Reviewer Outcome Lanes

S2.22 將 reviewer checklist 後可能出現的結果拆成七個只讀 outcome lanes。這一層只回答「人審檢查後要回到哪個補件或人工決策 lane」，不標記 checklist passed、不推進 received / accepted、不建立 approval record、不開 runtime gate。

順序	Reviewer outcome	來源 check	下一步
1	Ready for owner decision	scope、owner、redaction、runtime separation	顯示 owner decision candidate；received=0、accepted=0
2	Scope mismatch	scope boundary match	補 scope boundary pointer；不啟動 scan
3	Owner decision expired	owner decision scope / expiry	補 owner decision record；不建立 approval
4	Credential metadata failed	credential handling metadata only	要求 metadata-only statement；不收敏感素材
5	Redaction failed	redaction attestation pass	要求重新脫敏；不保存 raw payload
6	Rollback missing	maintenance / rollback complete	補 maintenance window 與 rollback pointer；不執行 change
7	Runtime gate required	validation metrics linked、runtime gate separated	維持獨立 runtime gate 且仍關閉

每個 lane 都固定 display_mode=reviewer_outcome_only、checklist_passed_count=0、received_count=0、accepted_count=0、approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 reviewer check 已通過、資料已 accepted、人工批准已建立或 runtime gate 已開啟。它只讓 IwoooS 把 checklist 後的下一步分流說清楚。

3.14 Host Owner Decision Candidate Packets

S2.23 將 ready for owner decision 後的下一步拆成七個只讀 candidate packets。這一層只回答「owner 之後要看哪些人工決策素材」，不建立 decision record、不標記 approved、不推進 received / accepted、不開 runtime gate。

順序	Candidate packet	來源 outcome lane	人工決策範圍
1	Scope approval candidate	ready for owner decision	主機、網段、服務、排除範圍與觀察目的
2	Scan mode candidate	ready for owner decision	observe-only、未來 active scan 或 credentialed scan 的差異；目前不授權掃描
3	Credential handling candidate	ready for owner decision、credential metadata failed	metadata-only handling、責任人與保存邊界；不收敏感素材
4	Maintenance window candidate	ready for owner decision、rollback missing	未來維護窗口與限制條件；不執行 host update
5	Rollback owner candidate	ready for owner decision、rollback missing	rollback owner、復原路徑與人工聯絡點
6	Validation metrics candidate	ready for owner decision、runtime gate required	post-check metrics、baseline 與 evidence pointer
7	Runtime gate candidate	runtime gate required	後續主機動作仍需獨立 runtime gate；active runtime gates=0

每個 packet 都固定 display_mode=owner_decision_candidate_only、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 candidate board 不代表 owner decision 已收到、已接受、已批准或已建立後續 runtime gate。它只讓 IwoooS 把「要請 owner 人工判讀什麼」先說清楚。

3.15 Host Owner Decision Review Checklist

S2.24 將 owner decision candidate packets 後的人工核對項拆成七個只讀 checklist items。這一層只回答「owner 決策前還要逐項確認什麼安全邊界」，不建立 decision record、不標記 approved、不開 runtime gate。

順序	Review check	來源 candidate packet	Guard condition
1	Scope boundary readable	scope approval candidate	scope review only；owner decision received=0
2	Scan mode not authorization	scan mode candidate	active scan / credentialed scan authorized=false
3	Credential boundary metadata only	credential handling candidate	secret value collection=false
4	Maintenance window not change	maintenance window candidate	host update authorized=false
5	Rollback owner readable	rollback owner candidate	owner approval record created=false
6	Validation metrics predefined	validation metrics candidate	runtime gate opened=false
7	Runtime gate still separate	runtime gate candidate	action buttons=false；runtime gate separate

每個 check 都固定 display_mode=owner_decision_review_checklist_only、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 checklist 不代表 owner 已完成決策、已批准、已建立 approval record 或已開 runtime gate。它只讓 IwoooS 把 owner 決策前的人工核對順序說清楚。

3.16 Host Owner Decision Review Outcome Lanes

S2.25 將 owner decision review checklist 後可能出現的結果拆成七個只讀 outcome lanes。這一層只回答「owner review 後要回到哪個補件或候選 decision record lane」，不標記 review passed、不建立 decision record、不標記 approved、不開 runtime gate。

順序	Review outcome	來源 check	下一步
1	Ready for decision record	scope、scan mode、runtime separation	顯示 formal decision record candidate；received=0、accepted=0
2	Scope needs refresh	scope boundary readable	補 scope boundary pointer；不啟動 scan
3	Scan mode needs scope	scan mode not authorization	補 scan mode / scope statement；scan authorized=false
4	Credential boundary failed	credential boundary metadata only	補 metadata-only credential boundary；secret value collection=false
5	Maintenance window missing	maintenance window not change	補 maintenance window constraints；host update=false
6	Rollback owner missing	rollback owner readable	補 rollback owner 與復原 pointer；approval record=false
7	Runtime gate required	validation metrics、runtime gate still separate	維持獨立 runtime gate 且仍關閉

每個 lane 都固定 display_mode=owner_decision_review_outcome_only、owner_decision_review_passed_count=0、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 owner review 已通過、decision record 已建立、人工批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 owner review 後的下一步分流說清楚。

3.17 Host Owner Decision Record Draft Packets

S2.26 將 ready for decision record 後需要整理的欄位拆成七個只讀 draft packets。這一層只回答「若 owner review 進入 ready lane，formal decision record 草稿要有哪些 metadata」，不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Draft packet	來源 lane	必要 metadata
1	Scope statement draft	ready for decision record	host / network / service / exclusion / observation intent
2	Scan mode draft	scan mode scope required	observe-only / future active / credentialed scan candidate mode
3	Credential boundary draft	credential boundary failed	metadata-only credential owner / retention boundary
4	Maintenance constraints draft	maintenance window required	window / constraints / impact boundary / no-change statement
5	Rollback owner draft	rollback owner required	rollback owner / recovery path / human contact pointer
6	Validation metrics draft	runtime gate required	post-check metrics / baseline / evidence pointer
7	Runtime gate draft	runtime gate required	separate follow-up runtime gate pointer；active gate=0

每個 draft packet 都固定 display_mode=owner_decision_record_draft_only、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 draft board 不代表 decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 decision record 草稿欄位先說清楚，方便後續人工決策時不混入執行語義。

3.18 Host Owner Decision Record Draft Review Checklist

S2.27 將 decision record draft packets 後的核對條件拆成七個只讀 checklist items。這一層只回答「草稿是否足以進入人工 decision record 撰寫」，不標記 review passed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Draft review	來源 packet	核對條件
1	Scope statement complete	scope draft	scope metadata complete
2	Scan mode still not approval	scan mode draft	scan mode not authorization
3	Credential boundary metadata only	credential boundary draft	credential boundary metadata-only
4	Maintenance constraints readable	maintenance constraints draft	maintenance constraints no-change
5	Rollback owner readable	rollback owner draft	rollback owner / recovery pointer readable
6	Validation metrics linked	validation metrics draft	metrics / baseline linked
7	Runtime gate still closed	runtime gate draft	runtime gate separate and closed

每個 review check 都固定 display_mode=owner_decision_record_draft_review_checklist_only、decision_record_review_passed_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 checklist 不代表 decision record review 已通過、decision record 已建立、owner decision 已接受或 runtime gate 已開啟。它只讓 IwoooS 把草稿進入正式人審前的核對條件說清楚。

3.19 Host Owner Decision Record Draft Review Outcome Lanes

S2.28 將 decision record draft review checklist 後可能出現的結果拆成七個只讀 outcome lanes。這一層只回答「草稿核對後要進入正式撰寫候選、補哪個草稿，或等待獨立 runtime gate」，不標記 review passed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Review outcome	來源 check	下一步
1	Ready for decision record write-up	scope、scan mode、runtime separation	顯示 formal decision record write-up candidate；record created=false
2	Scope draft incomplete	scope statement review	補 scope statement；不建立 record
3	Scan mode ambiguous	scan mode review	補 scan mode wording；scan authorized=false
4	Credential boundary incomplete	credential boundary review	補 metadata-only credential boundary；secret collection=false
5	Maintenance constraints incomplete	maintenance constraints review	補 maintenance constraints；host update=false
6	Rollback owner incomplete	rollback owner review	補 rollback owner 與 recovery pointer；approval record=false
7	Runtime gate still required	validation metrics、runtime gate review	維持獨立 runtime gate 且仍關閉

每個 lane 都固定 display_mode=owner_decision_record_draft_review_outcome_only、decision_record_review_passed_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 draft review 已通過、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把草稿核對後的下一步說清楚。

3.20 Host Owner Decision Record Write-Up Packets

S2.29 將 ready for decision record write-up 後需要整理的正式撰寫欄位拆成七個只讀 packets。這一層只回答「若未來要寫正式 decision record，需要哪些欄位」，不標記 write-up completed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Write-up packet	來源 lane	必要欄位
1	Decision summary write-up	ready for decision record write-up	human decision summary、risk acceptance boundary、no-execution statement
2	Approved scope write-up	ready for decision record write-up	host / network / service / exclusion / observation intent / expiry
3	Scan mode limits write-up	scan mode ambiguous	observe-only、future active scan、credentialed scan limits
4	Credential boundary write-up	credential boundary incomplete	metadata-only credential owner、retention boundary、forbidden collection
5	Maintenance and rollback write-up	maintenance constraints incomplete	maintenance window、constraints、rollback owner、recovery path、human contact
6	Validation evidence write-up	runtime gate required	post-check metrics、baseline、evidence pointer、human acceptance condition
7	Runtime gate pointer write-up	runtime gate required	separate follow-up runtime gate pointer；active gate=0

每個 packet 都固定 display_mode=owner_decision_record_writeup_only、decision_record_writeup_completed_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 write-up board 不代表 formal decision record 已完成、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把正式撰寫欄位先說清楚，並保留後續人工批准與 runtime gate 的分離。

3.21 Host Owner Decision Record Write-Up Review Checklist

S2.30 將 write-up packets 後的核對條件拆成七個只讀 checklist items。這一層只回答「正式撰寫欄位是否可讀、可追、仍未升級成批准語義」，不標記 review passed、不標記 write-up completed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Write-up review	來源 packet	核對條件
1	Decision summary readable	decision summary write-up	decision summary、risk acceptance、no-execution statement readable
2	Scope and expiry complete	approved scope write-up	scope、exclusion、observation intent、expiry complete
3	Scan mode limits explicit	scan mode limits write-up	scan mode limits explicit and not authorization
4	Credential boundary metadata only	credential boundary write-up	metadata-only boundary and no secret collection
5	Maintenance and rollback linked	maintenance / rollback write-up	maintenance window、constraints、rollback、human contact linked
6	Validation evidence linked	validation evidence write-up	metrics、baseline、evidence、acceptance condition linked
7	Runtime gate still separate	runtime gate pointer write-up	runtime gate pointer separate and closed

每個 review check 都固定 display_mode=owner_decision_record_writeup_review_checklist_only、decision_record_writeup_review_passed_count=0、decision_record_writeup_completed_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 checklist 不代表 write-up review 已通過、formal decision record 已完成、decision record 已建立、owner decision 已接受或 runtime gate 已開啟。它只讓 IwoooS 把正式 decision record 進入後續人審前的核對條件說清楚。

3.22 Host Owner Decision Record Write-Up Review Outcome Lanes

S2.31 將 write-up review checklist 後的可能結果拆成七個只讀 outcome lanes。這一層只回答「核對後下一步應該顯示什麼」，不標記 review passed、不標記 write-up completed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Review outcome	來源 check	下一步
1	Ready for formal record candidate	summary、scope、runtime gate checks	顯示 formal record candidate；record created=false
2	Decision summary needs clarification	summary check	補 decision summary；completed=0
3	Scope and expiry needs refresh	scope check	補 scope / expiry；record created=false
4	Scan mode limits ambiguous	scan mode limits check	補 scan wording；scan authorized=false
5	Credential boundary failed	credential boundary check	補 metadata-only boundary；secret collection=false
6	Maintenance and rollback incomplete	maintenance / rollback check	補 maintenance / rollback；host update=false
7	Runtime gate still required	validation evidence、runtime gate checks	active runtime gates=0；action buttons=false

每個 outcome lane 都固定 display_mode=owner_decision_record_writeup_review_outcome_only、decision_record_writeup_review_passed_count=0、decision_record_writeup_completed_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 write-up review 已通過、formal decision record 已完成、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 write-up review 後的補件、候選或 runtime gate 分離狀態顯示清楚。

3.23 Host Owner Decision Record Formal Candidate Packets

S2.32 將 ready for formal record candidate 後的候選正式紀錄欄位拆成七個只讀 packets。這一層只回答「若未來真的要建立正式 decision record，candidate 需要有哪些可讀欄位」，不標記 finalized、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Candidate packet	來源 lane	候選欄位
1	Record identity candidate	ready for formal record candidate	record id、version、owner、review scope、trace source
2	Decision summary candidate	ready for formal record candidate	human decision summary、risk acceptance boundary、no-execution statement
3	Approved scope candidate	ready for formal record candidate	host / network / service / exclusion / observation intent / expiry
4	Scan mode limits candidate	ready for formal record candidate	observe-only、future active scan、credentialed scan limits
5	Credential boundary candidate	ready for formal record candidate	metadata-only credential owner、retention、masking、forbidden collection
6	Maintenance and rollback candidate	ready for formal record candidate	maintenance window、constraints、rollback owner、recovery path、human contact
7	Validation and runtime gate candidate	ready for formal record candidate	validation evidence、post-check metrics、baseline pointer、separate runtime gate requirement

每個 candidate packet 都固定 display_mode=owner_decision_record_formal_candidate_only、formal_record_candidate_finalized_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 candidate board 不代表 formal decision record 已 finalized、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 先把正式紀錄候選欄位呈現清楚，讓後續人工 owner decision 與 runtime gate 繼續保持分離。

3.24 Host Owner Decision Record Formal Candidate Review Checklist

S2.33 將 formal candidate packets 後的只讀核對條件拆成七個 review checklist items。這一層只回答「candidate 進入後續人工紀錄前，哪些欄位需要被看懂」，不標記 review passed、不標記 finalized、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Candidate review	來源 packet	鎖定條件
1	Record identity traceable	identity packet	record created=false
2	Decision summary readable	decision summary packet	accepted=0
3	Scope and expiry consistent	approved scope packet	finalized=0
4	Scan limits still not authorization	scan mode limits packet	scan authorized=false
5	Credential boundary still metadata-only	credential boundary packet	secret collection=false
6	Maintenance and rollback traceable	maintenance / rollback packet	host update=false
7	Runtime gate still closed	validation / runtime gate packet	active runtime gates=0；action buttons=false

每個 checklist item 都固定 display_mode=owner_decision_record_formal_candidate_review_checklist_only、formal_record_candidate_review_passed_count=0、formal_record_candidate_finalized_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 review checklist 不代表 formal candidate review 已通過、formal decision record 已 finalized、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 candidate review 的人工核對點顯示清楚，避免把欄位可讀性誤解成正式批准。

3.25 Host Owner Decision Record Formal Candidate Review Outcome Lanes

S2.34 將 formal candidate review checklist 後的可能結果拆成八個只讀 outcome lanes。這一層只回答「候選核對後下一步要補什麼或顯示哪個分流」，不標記 review passed、不標記 finalized、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Review outcome	來源 check	下一步
1	Ready for human record queue	all review checks	顯示可進人工正式紀錄佇列；record created=false
2	Record identity needs trace	identity check	補 identity trace；review passed=0
3	Decision summary needs clarification	summary check	補 decision summary；accepted=0
4	Scope and expiry need refresh	scope check	補 scope / expiry；finalized=0
5	Scan limits remain ambiguous	scan limits check	補 scan limits；scan authorized=false
6	Credential boundary failed	credential boundary check	補 metadata-only boundary；secret collection=false
7	Maintenance and rollback incomplete	maintenance / rollback check	補 maintenance / rollback；host update=false
8	Runtime gate still required	runtime gate check	active runtime gates=0；action buttons=false

每個 outcome lane 都固定 display_mode=owner_decision_record_formal_candidate_review_outcome_only、formal_record_candidate_review_passed_count=0、formal_record_candidate_finalized_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 formal candidate review 已通過、formal decision record 已 finalized、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把候選核對後的補件、佇列與 runtime gate 分離狀態顯示清楚。

3.26 Host Owner Decision Record Formal Record Queue Packets

S2.35 將 ready for human record queue 後的人工正式紀錄佇列資料拆成八個只讀 packets。這一層只回答「若未來人工要建立正式紀錄，佇列畫面需要哪些資料包」，不 enqueue、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Queue packet	來源 lane	佇列欄位
1	Queue identity packet	ready for human record queue	candidate record id、version、owner、review scope、trace source
2	Queue decision summary packet	ready for human record queue	decision summary、risk acceptance boundary、no-execution statement
3	Queue scope and expiry packet	ready for human record queue	host / network / service / exclusion / observation intent / expiry
4	Queue scan limits packet	ready for human record queue	observe-only、future active scan、credentialed scan limits
5	Queue credential boundary packet	ready for human record queue	metadata-only credential owner、retention、masking、forbidden collection
6	Queue maintenance and rollback packet	ready for human record queue	maintenance window、constraints、rollback owner、recovery path、human contact
7	Queue validation and runtime gate packet	ready for human record queue	validation evidence、post-check metrics、baseline pointer、separate runtime gate requirement
8	Queue no-execution attestation packet	ready for human record queue	not authorization、no execution、no approval、no runtime gate statement

每個 queue packet 都固定 display_mode=owner_decision_record_formal_record_queue_packet_only、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 queue packet board 不代表正式紀錄佇列已 enqueue、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把人工正式紀錄佇列需要看的資料包顯示出來，避免把佇列可讀性誤解成執行授權。

3.27 Host Owner Decision Record Formal Record Queue Review Checklist

S2.36 將 formal record queue packets 後的人工正式紀錄佇列核對拆成八個只讀 checklist items。這一層只回答「佇列資料包是否可供未來人工正式紀錄審查」，不標記 review passed、不 enqueue、不建立 decision record、不建立 approval record、不開 runtime gate。

順序	Queue review check	來源 packet	保護邊界
1	Queue identity traceable	Queue identity packet	trace only；queue enqueued=0
2	Queue decision summary readable	Queue decision summary packet	summary only；record created=false
3	Queue scope and expiry fresh	Queue scope and expiry packet	scope check only；finalized=0
4	Queue scan limits not authorization	Queue scan limits packet	scan authorized=false
5	Queue credential boundary metadata-only	Queue credential boundary packet	secret collection=false
6	Queue maintenance and rollback linked	Queue maintenance and rollback packet	host change=false
7	Queue validation gate separate	Queue validation and runtime gate packet	active gates=0
8	Queue no-execution attestation present	Queue no-execution attestation packet	action buttons=false

每個 queue review check 都固定 display_mode=owner_decision_record_formal_record_queue_review_checklist_only、formal_record_queue_review_passed_count=0、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 queue review checklist 不代表正式紀錄佇列核對已通過、正式紀錄已 enqueue、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把佇列資料包進人工正式紀錄前的核對條件顯示出來，避免把 checklist 可見性誤解成執行授權。

3.28 Host Owner Decision Record Formal Record Queue Review Outcome Lanes

S2.37 將 formal record queue review checklist 後的結果拆成八個只讀 outcome lanes。這一層只回答「queue review 後下一步應補哪個資料包或交給人工 record owner 看」，不標記 review passed、不 enqueue、不建立 decision record、不接受 owner decision、不建立 approval record、不開 runtime gate。

順序	Queue review outcome	來源 check	下一步
1	Ready for human record owner handoff	identity / summary / scope / guardrail checks	顯示 handoff 候選；review passed=0、queue enqueued=0
2	Identity needs trace refresh	identity traceable check	補 identity trace；record created=false
3	Decision summary needs clarification	decision summary readable check	補 decision summary；accepted=0
4	Scope and expiry need refresh	scope and expiry fresh check	補 scope / expiry；finalized=0
5	Scan limits remain ambiguous	scan limits not authorization check	補 scan limits；scan authorized=false
6	Credential boundary failed	credential boundary metadata-only check	補 metadata-only boundary；secret collection=false
7	Maintenance and rollback incomplete	maintenance and rollback linked check	補 maintenance / rollback；host change=false
8	Runtime gate still required	validation gate separate check	active runtime gates=0；action buttons=false

每個 queue review outcome lane 都固定 display_mode=owner_decision_record_formal_record_queue_review_outcome_only、formal_record_queue_review_passed_count=0、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 queue review outcome board 不代表 formal record queue review 已通過、正式紀錄已 enqueue、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 queue review 後的補件、handoff 候選與 runtime gate 分離狀態顯示清楚。

3.29 Host Owner Decision Record Human Handoff Readiness Packets

S2.38 將 queue review outcome 中的 ready for human record owner handoff 拆成八個只讀 readiness packets。這一層只回答「未來要交給人工 record owner 前，哪些 metadata 需要可讀」，不開始 handoff、不標記 handoff ready、不標記 review passed、不 enqueue、不建立 decision record、不接受 owner decision、不建立 approval record、不開 runtime gate。

順序	Handoff readiness packet	Readiness field	保護邊界
1	Handoff identity and trace	record identity and trace	handoff started=0；ready=0
2	Human record owner boundary	human record owner contact boundary	owner decision received=0
3	Decision summary packet	decision summary and no-execution statement	decision record created=false
4	Scope and expiry packet	approved scope and expiry window	review passed=0
5	Scan limits packet	observe-only and future scan limits	scan authorized=false
6	Credential boundary packet	metadata-only credential boundary	secret collection=false
7	Maintenance and rollback packet	maintenance constraints and rollback owner	host change=false
8	Runtime gate separation packet	independent runtime gate and no action buttons	active runtime gates=0；action buttons=false

每個 handoff readiness packet 都固定 display_mode=owner_decision_record_human_handoff_readiness_only、human_record_owner_handoff_started_count=0、human_record_owner_handoff_ready_count=0、formal_record_queue_review_passed_count=0、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 handoff readiness board 不代表 handoff 已開始、handoff 已 ready、formal record queue review 已通過、正式紀錄已 enqueue、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把未來交給人工 record owner 前的準備欄位顯示清楚。

3.30 Host Owner Decision Record Human Handoff Readiness Review Checklist

S2.39 將 handoff readiness packets 後的核對條件拆成八個只讀 checklist items。這一層只回答「handoff readiness packets 是否可供未來人工 record owner 看」，不標記 review passed、不開始 handoff、不標記 handoff ready、不 enqueue、不建立 decision record、不接受 owner decision、不建立 approval record、不開 runtime gate。

順序	Handoff readiness review check	來源 packet	保護邊界
1	Identity trace readable	Handoff identity and trace	handoff started=0；ready=0
2	Owner boundary readable	Human record owner boundary	owner decision received=0
3	Decision summary readable	Decision summary packet	decision record created=false
4	Scope and expiry current	Scope and expiry packet	review passed=0
5	Scan limits not authorization	Scan limits packet	scan authorized=false
6	Credential boundary metadata-only	Credential boundary packet	secret collection=false
7	Maintenance and rollback traceable	Maintenance and rollback packet	host change=false
8	Runtime gate separate	Runtime gate separation packet	active runtime gates=0；action buttons=false

每個 handoff readiness review check 都固定 display_mode=owner_decision_record_human_handoff_readiness_review_checklist_only、human_record_owner_handoff_review_passed_count=0、human_record_owner_handoff_started_count=0、human_record_owner_handoff_ready_count=0、formal_record_queue_review_passed_count=0、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 handoff readiness review checklist 不代表 handoff readiness review 已通過、handoff 已開始、handoff 已 ready、formal record queue review 已通過、正式紀錄已 enqueue、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 readiness packets 進人工 record owner 前的核對條件顯示清楚。

3.31 Host Owner Decision Record Human Handoff Readiness Review Outcome Lanes

S2.40 將 handoff readiness review checklist 後的結果拆成九個只讀 outcome lanes。這一層只回答「readiness review 後下一步要補哪一段或是否可顯示 human record owner review candidate」，不標記 review passed、不開始 handoff、不標記 handoff ready、不 enqueue、不建立 decision record、不接受 owner decision、不建立 approval record、不開 runtime gate。

順序	Handoff readiness review outcome	來源 check	下一步
1	Ready for human record owner review candidate	identity trace readable	顯示 review candidate；handoff started=0、ready=0
2	Identity trace needs refresh	identity trace readable	補 identity trace；review passed=0
3	Owner boundary needs clarification	owner boundary readable	補 owner boundary；owner decision received=0
4	Decision summary needs clarification	decision summary readable	補 decision summary；decision record created=false
5	Scope and expiry need refresh	scope and expiry current	補 scope / expiry；queue review passed=0
6	Scan limits remain ambiguous	scan limits not authorization	補 scan limits；scan authorized=false
7	Credential boundary failed	credential boundary metadata-only	補 metadata-only boundary；secret collection=false
8	Maintenance and rollback incomplete	maintenance and rollback traceable	補 maintenance / rollback；host change=false
9	Runtime gate still required	runtime gate separate	active runtime gates=0；action buttons=false

每個 handoff readiness review outcome lane 都固定 display_mode=owner_decision_record_human_handoff_readiness_review_outcome_only、human_record_owner_handoff_review_passed_count=0、human_record_owner_handoff_started_count=0、human_record_owner_handoff_ready_count=0、formal_record_queue_review_passed_count=0、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 handoff readiness review 已通過、handoff 已開始、handoff 已 ready、formal record queue review 已通過、正式紀錄已 enqueue、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 readiness review 後的補件、review candidate 與 runtime gate 分離狀態顯示清楚。

3.32 Host Owner Decision Record Human Record Owner Review Candidate Packets

S2.41 將 ready for human record owner review candidate 後的 metadata 拆成九個只讀 candidate packets。這一層只回答「未來人工 record owner review 候選畫面需要哪些資料包」，不開始 review、不標記 review ready、不開始 handoff、不收 owner decision、不建立 decision record、不建立 approval record、不開 runtime gate。

順序	Review candidate packet	來源 outcome	候選欄位
1	Review candidate identity packet	ready for human record owner review candidate	candidate id、source outcome、version、trace pointer、source queue review
2	Review owner boundary packet	ready for human record owner review candidate	human record owner、backup owner、contact boundary、responsibility boundary
3	Review decision summary packet	ready for human record owner review candidate	candidate decision summary、risk acceptance boundary、no-execution statement
4	Review scope and expiry packet	ready for human record owner review candidate	host、network、service、exclusion、observation intent、expiry
5	Review scan limits packet	ready for human record owner review candidate	observe-only、future active scan、credentialed scan limits
6	Review credential boundary packet	ready for human record owner review candidate	metadata-only credential owner、retention、masking、forbidden collection
7	Review maintenance and rollback packet	ready for human record owner review candidate	maintenance window、constraints、rollback owner、recovery path、human contact
8	Review validation and runtime gate packet	ready for human record owner review candidate	validation evidence pointer、post-check metrics、separate runtime gate requirement
9	Review no-execution attestation packet	ready for human record owner review candidate	not authorization、no execution、no approval、no runtime gate statement

每個 review candidate packet 都固定 display_mode=owner_decision_record_human_record_owner_review_candidate_packet_only、human_record_owner_review_started_count=0、human_record_owner_review_ready_count=0、human_record_owner_handoff_review_passed_count=0、human_record_owner_handoff_started_count=0、human_record_owner_handoff_ready_count=0、formal_record_queue_review_passed_count=0、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 candidate packet board 不代表 human record owner review 已開始、review 已 ready、handoff 已開始、handoff 已 ready、owner decision 已收到或接受、decision record 已建立、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把未來人工 record owner 可能需要看的 metadata 顯示清楚。

3.33 Host Owner Decision Record Human Record Owner Review Candidate Checklist

S2.42 將 human record owner review candidate packets 後的核對條件拆成九個只讀 checklist items。這一層只回答「candidate packets 是否可供未來人工 record owner review」，不標記 checklist passed、不開始 review、不標記 review ready、不開始 handoff、不收 owner decision、不建立 decision record、不建立 approval record、不開 runtime gate。

順序	Review candidate check	來源 packet	保護邊界
1	Candidate identity traceable	Review candidate identity packet	check passed=0；review started=0
2	Candidate owner boundary readable	Review owner boundary packet	owner decision received=0；review ready=0
3	Candidate decision summary readable	Review decision summary packet	decision record created=false
4	Candidate scope and expiry current	Review scope and expiry packet	runtime gate opened=false
5	Candidate scan limits not authorization	Review scan limits packet	scan authorized=false
6	Candidate credential boundary metadata-only	Review credential boundary packet	secret collection=false
7	Candidate maintenance and rollback traceable	Review maintenance and rollback packet	host change=false
8	Candidate validation and runtime gate separate	Review validation and runtime gate packet	active runtime gates=0；action buttons=false
9	Candidate no-execution attestation present	Review no-execution attestation packet	not authorization=true

每個 review candidate checklist item 都固定 display_mode=owner_decision_record_human_record_owner_review_candidate_checklist_only、human_record_owner_review_check_passed_count=0、human_record_owner_review_started_count=0、human_record_owner_review_ready_count=0、human_record_owner_handoff_review_passed_count=0、human_record_owner_handoff_started_count=0、human_record_owner_handoff_ready_count=0、formal_record_queue_review_passed_count=0、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 checklist 不代表 human record owner review checklist 已通過、review 已開始、review 已 ready、handoff 已開始、owner decision 已收到或接受、decision record 已建立、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 candidate packets 進人工 record owner review 前的核對條件顯示清楚。

3.34 Host Owner Decision Record Human Record Owner Review Candidate Outcome Lanes

S2.43 將 human record owner review candidate checklist 後的結果拆成九個只讀 outcome lanes。這一層只回答「candidate checklist 後下一步要補哪一段或是否可顯示 human record owner review preparation candidate」，不標記 checklist passed、不開始 review、不標記 review ready、不開始 handoff、不收 owner decision、不建立 decision record、不建立 approval record、不開 runtime gate。

順序	Review candidate outcome	來源 check	下一步
1	Ready for human record owner review preparation candidate	identity traceable	顯示 preparation candidate；review started=0
2	Identity trace needs refresh	identity traceable	補 identity trace；check passed=0
3	Owner boundary needs clarification	owner boundary readable	補 owner boundary；owner decision received=0
4	Decision summary needs clarification	decision summary readable	補 decision summary；decision record created=false
5	Scope and expiry need refresh	scope and expiry current	補 scope / expiry；review ready=0
6	Scan limits remain ambiguous	scan limits not authorization	補 scan limits；scan authorized=false
7	Credential boundary failed	credential boundary metadata-only	隔離 credential boundary；secret collection=false
8	Maintenance and rollback incomplete	maintenance and rollback traceable	補 maintenance / rollback；host change=false
9	Runtime gate still required	validation and runtime gate separate	active runtime gates=0；action buttons=false

每個 review candidate outcome lane 都固定 display_mode=owner_decision_record_human_record_owner_review_candidate_outcome_only、human_record_owner_review_check_passed_count=0、human_record_owner_review_started_count=0、human_record_owner_review_ready_count=0、human_record_owner_handoff_review_passed_count=0、human_record_owner_handoff_started_count=0、human_record_owner_handoff_ready_count=0、formal_record_queue_review_passed_count=0、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 human record owner review candidate outcome 已通過、review 已開始、review 已 ready、handoff 已開始、owner decision 已收到或接受、decision record 已建立、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 candidate checklist 後的補件、preparation candidate 與 runtime gate 分離狀態顯示清楚。

3.35 Host Owner Decision Record Human Record Owner Review Preparation Packets

S2.44 將 ready for human record owner review preparation candidate 後的 metadata 拆成九個只讀 preparation packets。這一層只回答「未來人工 record owner review 畫面要準備哪些資料包」，不標記 preparation completed、不開始 review、不標記 review ready、不開始 handoff、不收 owner decision、不建立 decision record、不建立 approval record、不開 runtime gate。

順序	Review preparation packet	來源 outcome	準備欄位
1	Preparation identity trace packet	ready for human record owner review preparation candidate	preparation id、source outcome、version、trace pointer、candidate checklist link
2	Preparation owner boundary packet	ready for human record owner review preparation candidate	human record owner、backup owner、contact boundary、responsibility boundary、open clarifications
3	Preparation decision summary packet	ready for human record owner review preparation candidate	candidate decision summary、risk acceptance boundary、no-execution statement、formal record preface
4	Preparation scope and expiry packet	ready for human record owner review preparation candidate	host、network、service、exclusion、observation intent、expiry、refresh need
5	Preparation scan limits packet	ready for human record owner review preparation candidate	observe-only、future active scan、credentialed scan limits、separate approval boundary
6	Preparation credential boundary packet	ready for human record owner review preparation candidate	metadata-only credential owner、retention、masking、forbidden collection、quarantine rules
7	Preparation maintenance and rollback packet	ready for human record owner review preparation candidate	maintenance window、constraints、rollback owner、recovery path、human contact
8	Preparation validation and runtime gate packet	ready for human record owner review preparation candidate	validation evidence pointer、post-check metrics、separate runtime gate requirement
9	Preparation no-execution attestation packet	ready for human record owner review preparation candidate	not authorization、no execution、no approval、no runtime gate statement

每個 review preparation packet 都固定 display_mode=owner_decision_record_human_record_owner_review_preparation_packet_only、human_record_owner_review_prepared_count=0、human_record_owner_review_check_passed_count=0、human_record_owner_review_started_count=0、human_record_owner_review_ready_count=0、human_record_owner_handoff_review_passed_count=0、human_record_owner_handoff_started_count=0、human_record_owner_handoff_ready_count=0、formal_record_queue_review_passed_count=0、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 preparation packet board 不代表 human record owner review preparation 已完成、review 已開始、review 已 ready、handoff 已開始、owner decision 已收到或接受、decision record 已建立、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把未來人工 record owner review 畫面需要的 metadata 顯示清楚。

3.36 Host Owner Decision Record Human Record Owner Review Preparation Checklist

S2.45 將 human record owner review preparation packets 後的只讀核對條件拆成九個 checklist items。這一層只回答「preparation packets 是否足夠清楚，能不能交給未來人工 record owner review 畫面閱讀」，不標記 preparation completed、不標記 checklist passed、不開始 review、不標記 review ready、不開始 handoff、不收 owner decision、不建立 decision record、不建立 approval record、不開 runtime gate。

順序	Review preparation check	來源 packet	失敗分流
1	Preparation identity trace readable	Preparation identity trace packet	refresh preparation identity trace
2	Preparation owner boundary readable	Preparation owner boundary packet	clarify preparation owner boundary
3	Preparation decision summary readable	Preparation decision summary packet	clarify preparation decision summary
4	Preparation scope and expiry current	Preparation scope and expiry packet	refresh preparation scope expiry
5	Preparation scan limits not authorization	Preparation scan limits packet	clarify preparation scan limits
6	Preparation credential boundary metadata-only	Preparation credential boundary packet	quarantine preparation credential boundary
7	Preparation maintenance and rollback traceable	Preparation maintenance and rollback packet	complete preparation maintenance rollback
8	Preparation validation and runtime gate separate	Preparation validation and runtime gate packet	keep runtime gate separate
9	Preparation no-execution attestation present	Preparation no-execution attestation packet	keep no-execution attestation visible

每個 review preparation checklist item 都固定 display_mode=owner_decision_record_human_record_owner_review_preparation_checklist_only、human_record_owner_review_prepared_count=0、human_record_owner_review_check_passed_count=0、human_record_owner_review_started_count=0、human_record_owner_review_ready_count=0、human_record_owner_handoff_review_passed_count=0、human_record_owner_handoff_started_count=0、human_record_owner_handoff_ready_count=0、formal_record_queue_review_passed_count=0、formal_record_queue_enqueued_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 preparation checklist board 不代表 human record owner review preparation 已完成、checklist 已通過、review 已開始、review 已 ready、handoff 已開始、owner decision 已收到或接受、decision record 已建立、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 preparation packets 進人工 record owner review 前仍需核對的 read-only 條件顯示清楚。

3.37 Progress Acceleration Lanes

S2.46 將「為什麼進度看起來慢」改成 IwoooS 首屏可見的六條解鎖 lane。這一層只回答「64% 後哪些高層 gate 才會讓 headline 進入下一輪 progress review」，不自動調整進度、不收 owner response、不啟用 payload ingestion、不開 runtime gate、不切 GitHub primary、不啟用 production execution。

順序	Acceleration lane	目前狀態	解鎖條件
1	Owner response	waiting owner response	S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收
2	Redacted ingestion	waiting preflight and human review	脫敏 payload 通過 preflight、quarantine 與人工 review
3	Runtime gate	intentionally closed	人工批准、scope、rollback、validation evidence 完整後另開 follow-up runtime gate
4	GitHub readiness	waiting parity evidence	refs truth、workflow / secret 名稱、rollback ADR 與逐 repo owner decision 通過後 primary_ready_count 大於 0
5	AwoooP landing	read-only landing pending	AwoooP 主線只讀消費 rollup、evidence refs 與 guard result，且不接 execution router
6	Cadence compression	approved for next framework work	後續同類 packet / checklist / outcome 合併成 milestone batch，除非 guard 需要獨立驗證

每條 progress acceleration lane 都固定 display_mode=progress_acceleration_only、owner_response_received_count=0、owner_response_accepted_count=0、payloads_ingested=false、active_runtime_gate_count=0、github_primary_ready_count=0、production_landing_enabled=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 acceleration board 不代表進度已加分、owner response 已收到、payload ingestion 已啟用、runtime gate 已開啟、GitHub primary 已 ready、AwoooP production execution 已啟用或任何資安批准已完成。它只把下一個真正能推動 headline 的槓桿顯示清楚，並把後續框架工作改成更有感的 milestone batch 節奏。

3.38 Owner Response Next-Action Focus

S2.47 將 owner response 的下一步收件焦點從 S4.13 rollup 拉到 IwoooS 可見面板。這一層只回答「現在下一個應該看哪份 owner response request packet」，不催收、不代填、不標記 received、不標記 accepted、不建立 approval record、不開 runtime gate、不切 GitHub primary。

順序	Focus	Required packet	目前狀態
1	S4.9 Gitea owner attestation	`docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md`	next collection candidate
2	S4.10 GitHub target owner decision	`docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md`	queued after S4.9 accepted
3	S4.11 refs truth owner response	`docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md`	queued after target decision accepted
4	S4.12 workflow / secret name owner response	`docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md`	queued after refs truth accepted

每個 owner response next-action focus item 都固定 display_mode=owner_response_next_action_focus_only、owner_response_received_count=0、owner_response_accepted_count=0、owner_response_rejected_count=0、audit_events_emitted_count=0、auto_chase_allowed=false、autofill_allowed=false、mark_received_allowed=false、mark_accepted_allowed=false、approval_record_created=false、runtime_gate_opened=false、repo_or_refs_mutation_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 focus board 不代表 S4.9 request 已送出、owner response 已收到、owner response 已接受或下一步可自動推到 GitHub migration。它只把 P0 收件順序顯示清楚，讓後續工作從 S4.9 開始收斂，而不是再繼續新增細碎 checklist。

3.39 S4.9 Owner Response Preflight

S2.48 將 S4.9 owner response 的收件前 preflight 從 Gitea owner attestation response packet 拉到 IwoooS 可見面板。這一層只回答「第一個 P0 owner response 送入驗收前要檢查什麼」，不寄送 request、不催收、不代填、不標記 received、不標記 accepted、不建立 audit event、不寫 Gitea、不 sync refs、不開 runtime gate、不切 GitHub primary。

順序	Preflight check	Failure lane	核對條件
1	Known attestation item	`request_owner_correction`	回覆必須對應 S4.7 五個 coverage attestation items 之一
2	Required owner fields	`request_more_evidence`	owner role/team、decision、decision reason、受影響 scope、evidence refs、followup owner 完整
3	Allowed decision	`request_owner_correction`	decision 必須落在對應 response template 的 acceptable decisions
4	Redacted evidence only	`quarantine_sensitive_payload`	evidence 只能是 repo 內文件、snapshot 或脫敏 metadata pointer
5	No execution request	`reject_execution_request`	不得夾帶 repo / refs / workflow / secret / runner / scan / runtime 執行要求
6	All five items before accepted	`keep_waiting_owner_response`	五個 response templates 都可驗收前，不得標記 S4.9 accepted

每個 S4.9 owner response preflight check 都固定 display_mode=s4_9_owner_response_preflight_only、request_sent_count=0、owner_response_received_count=0、owner_response_accepted_count=0、owner_response_rejected_count=0、preflight_passed_count=0、audit_events_emitted_count=0、request_sent_allowed=false、owner_response_collection_allowed=false、mark_passed_allowed=false、mark_received_allowed=false、mark_accepted_allowed=false、approval_record_created=false、runtime_gate_opened=false、gitea_write_allowed=false、repo_or_refs_mutation_allowed=false、secret_value_collection_allowed=false、sensitive_payload_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 preflight board 不代表 S4.9 request 已送出、owner response 已收到、owner response 已接受、audit event 已建立或 Gitea / GitHub migration 可執行。它只把第一個能真正推動 64% 後下一輪進度的 owner response 收件條件顯示清楚。

3.40 S4.9 Owner Response Request Templates

S2.49 將 S4.9 owner response 的五個 request templates 拉到 IwoooS 可見面板。這一層只回答「owner 要逐項回覆哪五題」，不送出 request、不催收、不代填、不標記 received、不標記 accepted、不建立 audit event、不完成 Gitea inventory、不寫 Gitea、不 sync refs、不切 GitHub primary。

順序	Template	Attestation item	目前狀態
1	Public-only / local Gitea gap	`public_only_vs_local_gitea_gap`	request ready not sent
2	Gitea `wooo` org/user endpoint	`org_user_endpoint_identity`	request ready not sent
3	110 adjacent source scope	`internal_110_adjacent_scope`	request ready not sent
4	Repo owner / canonical / GitHub target	`repo_owner_canonical_scope`	request ready not sent
5	Legacy / inaccessible disposition	`legacy_or_inaccessible_repo_disposition`	request ready not sent

每個 S4.9 owner response request template 都固定 display_mode=s4_9_owner_response_request_template_only、request_status=request_ready_not_sent、current_state=waiting_owner_response、request_sent_count=0、owner_response_received_count=0、owner_response_accepted_count=0、owner_response_rejected_count=0、audit_events_emitted_count=0、auto_chase_allowed=false、autofill_allowed=false、request_send_allowed=false、mark_received_allowed=false、mark_accepted_allowed=false、approval_record_created=false、gitea_inventory_completed=false、gitea_write_allowed=false、repo_or_refs_mutation_allowed=false、github_primary_ready=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 request template board 不代表 S4.9 request 已寄出、owner response 已收到、owner response 已接受或 Gitea 清冊已完成。它只把第一個 owner response 收件包需要 owner 回覆的五題顯示清楚，讓後續真正收件時不再模糊。

3.41 Progress Hold Movement Gates

S2.50 回應「為什麼 64% 後仍不能亂加分」：這不是沒有推進，而是 owner response、redacted payload、active runtime gate、GitHub primary 這四個能讓 headline 進度進入下一輪重估的實質 gate 仍為 0 / false。IwoooS 只把這些 gate 顯示清楚，不自動提高百分比、不收 payload、不開 runtime gate、不切 GitHub primary、不把 AwoooP / Kali read-only evidence 當 production execution。

順序	Movement gate	目前狀態	需要的實質 evidence
1	Owner response accepted	`owner_response_validation_accepted_count=0`	S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 通過脫敏 preflight、S4.13 rollup 與人工 review
2	Redacted payload ingested	`payloads_ingested=false`	脫敏 payload 經人工批准、通過 preflight / quarantine，並以 read-only ingestion 進入可驗證狀態
3	Active runtime gate	`active_runtime_gate_count=0`	人工批准、scope、rollback、post-check metrics 與獨立 active runtime gate 完整建立
4	GitHub primary ready	`github_primary_ready_count=0`	至少一批 repo 通過 GitHub target、refs truth、workflow / secret name parity 與 rollback readiness
5	AwoooP read-only landing	`production_landing_enabled=false`	AwoooP 主線以只讀模式消費 rollup、evidence refs 與 guard result，且未接 execution router

每個 progress hold movement gate 都固定 display_mode=progress_hold_movement_gate_only、headline_percent_delta=0、owner_response_received_count=0、owner_response_accepted_count=0、payloads_ingested=false、active_runtime_gate_count=0、github_primary_ready_count=0、production_landing_enabled=false、progress_change_applied=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 movement gate board 不代表進度已加分、owner response 已收到或接受、payload ingestion 已啟用、runtime gate 已開啟、GitHub primary 已 ready 或 AwoooP / Kali 已進 production execution。它只把 64% 後仍需等待的理由轉成使用者可理解、也可被 guard 驗證的門檻。

3.42 AwoooP Read-Only Landing Readiness

S2.51 將 AwoooP 主線只讀接入前的準備條件拉到 IwoooS 可見面板。這一層只回答「AwoooP 要如何安全消費 IwoooS / security mirror 狀態」，不代表 AwoooP production 已接入、不啟用 production landing、不接 execution router、不新增 action button。

順序	Readiness item	目前狀態	接入要求
1	Rollup snapshot readable	ready for read-only intake	AwoooP 只讀消費 committed `security-mirror-status-rollup` 與 `iwooos-posture-projection` snapshot
2	Evidence refs readable	ready for read-only intake	顯示 security rollout、owner response validation、Kali status、rollup 與 projection evidence refs
3	Guard checks known	ready for read-only intake	接入前保留 `security-mirror-progress-guard.py` 與 `source-control-owner-response-guard.py`
4	Mirror route groups known	ready for read-only intake	依 `security_mirror_route_v1` 的 Operator Console、runtime state、channel event、audit evidence、approval queue 只讀目的地顯示
5	Forbidden outputs locked	ready for read-only intake	保留 IwoooS / rollup forbidden outputs，不從 readiness 產生 action button、runtime gate 或 GitHub primary
6	Production handoff pending	pending production consumption	後續 PR / deployment evidence 證明 AwoooP production 主線只讀顯示 rollup、evidence refs 與 guard result

每個 AwoooP read-only landing readiness item 都固定 display_mode=awooop_read_only_landing_readiness_only、headline_percent_delta=0、production_landing_enabled=false、execution_router_linked=false、progress_change_applied=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 readiness board 不代表 production landing 已完成、AwoooP 已消費 production 狀態、guard 已可跳過、execution router 已接上或 progress 已加分。它只把下一個 AwoooP 主線接入需要保留的只讀邊界整理清楚。

3.43 AwoooP Cross-Session Handoff Packets

S2.52 將另一個 AwoooP Session 接手前必須先看懂的同步資訊固定成 IwoooS 可見 handoff packets。這一層只回答「另一個 Session 要怎麼避免和本 PR / 本資安線互相打架」，不代表 production landing、merge、deploy、primary switch、refs mutation、guard skip 或 runtime action 已獲准。

順序	Handoff packet	目前狀態	交接要求
1	PR / branch anchor	ready for parallel session sync	先確認 PR #117、`codex/security-supply-chain-contracts-20260512` 與 latest commit，再讀 LOGBOOK 與 rollup ledger
2	Progress semantics	ready for parallel session sync	headline 維持 64%，framework 維持 92%，runtime / ingestion / GitHub primary / AwoooP production landing 維持 40-45%
3	Required guard commands	ready for parallel session sync	接手前先跑 `security-mirror-progress-guard.py` 與 `source-control-owner-response-guard.py`
4	Forbidden runtime actions	ready for parallel session sync	Kali `/execute`、SSH、host update、active scan、credentialed scan、blocking control、repo / refs / workflow 動作仍未授權
5	AwoooP read-only inputs	ready for parallel session sync	AwoooP 只消費 rollup snapshot、IwoooS projection、owner response validation rollup、Kali status 與 rollout policy
6	Next coordination gate	waiting external production evidence	若要推進 production landing，必須提供 read-only consumption evidence 與 deployment proof

每個 AwoooP cross-session handoff packet 都固定 display_mode=awooop_cross_session_handoff_packet_only、headline_percent_delta=0、production_landing_enabled=false、execution_router_linked=false、progress_change_applied=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 handoff board 不代表另一個 Session 已完成 production consumption、可以 merge / deploy、可以切 primary、可以改 refs、可以跳過 guard 或可以提高 progress。它只把跨 Session 接手的讀取順序與禁止動作固定成可驗證 contract。

4. 仍禁止

IwoooS 不得提供下列輸出：

scan / execute / repair button。
repo creation、visibility change、refs sync / delete / force push。
workflow / webhook / runner / deploy key / branch protection / repository secret 修改。
GitHub primary switch 或 Gitea disable。
production deploy 或 runtime enforcement。
SSH 到主機、開 SSH session、更新 Kali、package upgrade、credentialed scan 或 active scan。
套用 runtime blocking control。
將主機 evidence 標記為 received / accepted，或匯入 raw host evidence。
推進 host collection state 或跳過 host evidence dependency。
未通過 preflight 就接受 host evidence。
收集 host credential plaintext、ingest host raw payload，或由前端推進 host evidence counters。
從 review outcome lane 建立 host approval record、把 review lane 當 runtime gate，或把 review outcome 標成 accepted。
把 host handoff packet 當成 approval、將 handoff packet 標記 received，或保存 handoff sensitive payload。
把 reviewer checklist 當成 approval、由前端標記 reviewer check passed，或從 reviewer check 開 runtime gate。
把 reviewer outcome 當成 approval、標記 reviewer outcome passed，或從 reviewer outcome 開 runtime gate。
把 owner decision candidate 當成 approval、標記 host owner decision approved，或從 owner decision candidate 開 runtime gate。
把 owner decision review checklist 當成 approval、標記 owner decision review passed，或從 owner decision review checklist 開 runtime gate。
把 owner decision review outcome 當成 approval、標記 owner decision review outcome passed，或從 owner decision review outcome 開 runtime gate。
從 owner decision record draft 建立 host owner decision record、標記 record created，或從 draft 開 runtime gate。
把 owner decision record draft review 當成 approval、標記 draft review passed、從 draft review 建立 decision record，或從 draft review 開 runtime gate。
把 owner decision record draft review outcome 當成 approval、標記 draft review outcome passed、從 draft review outcome 建立 decision record，或從 draft review outcome 開 runtime gate。
從 owner decision record write-up 建立 decision record、標記 write-up completed、標記 decision record accepted，或從 write-up 開 runtime gate。
把 owner decision record write-up review 當成 approval、標記 write-up review passed / completed、從 write-up review 建立 decision record，或從 write-up review 開 runtime gate。
把 owner decision record write-up review outcome 當成 approval、標記 write-up review outcome passed / completed、從 write-up review outcome 建立 decision record，或從 write-up review outcome 開 runtime gate。
把 owner decision record formal candidate 當成 approval、標記 formal candidate finalized、從 formal candidate 建立或接受 decision record，或從 formal candidate 開 runtime gate。
把 owner decision record formal candidate review 當成 approval、標記 formal candidate review passed / finalized、從 formal candidate review 建立 decision record，或從 formal candidate review 開 runtime gate。
把 owner decision record formal candidate review outcome 當成 approval、標記 formal candidate review outcome passed / finalized、從 formal candidate review outcome 建立 decision record，或從 formal candidate review outcome 開 runtime gate。
把 owner decision record formal record queue packet 當成 approval、由前端 enqueue formal record queue、從 formal record queue packet 建立或接受 decision record，或從 formal record queue packet 開 runtime gate。
把 owner decision record formal record queue review checklist 當成 approval、標記 queue review passed、由 queue review enqueue 或建立 decision record，或從 queue review 開 runtime gate。
把 owner decision record formal record queue review outcome 當成 approval、標記 queue review outcome passed、由 queue review outcome enqueue 或建立 decision record，或從 queue review outcome 開 runtime gate。
把 owner decision record handoff readiness 當成 approval、開始 human record owner handoff、標記 handoff ready、由 readiness packet 建立 decision record，或從 handoff readiness 開 runtime gate。
把 owner decision record handoff readiness review 當成 approval、標記 handoff readiness review passed、開始 human record owner handoff、標記 handoff ready、由 readiness review 建立 decision record，或從 readiness review 開 runtime gate。
把 owner decision record handoff readiness review outcome 當成 approval、標記 handoff readiness review outcome passed、開始 human record owner handoff、標記 handoff ready、由 readiness review outcome 建立 decision record，或從 readiness review outcome 開 runtime gate。
把 owner decision record human record owner review candidate packet 當成 approval、開始 human record owner review、標記 review ready、收 owner decision、由 candidate packet 建立 decision record，或從 candidate packet 開 runtime gate。
把 owner decision record human record owner review candidate checklist 當成 approval、標記 checklist passed、開始 human record owner review、標記 review ready、收 owner decision、由 candidate checklist 建立 decision record，或從 candidate checklist 開 runtime gate。
把 owner decision record human record owner review candidate outcome 當成 approval、標記 outcome passed、開始 human record owner review、標記 review ready、收 owner decision、由 candidate outcome 建立 decision record，或從 candidate outcome 開 runtime gate。
把 owner decision record human record owner review preparation packet 當成 approval、標記 preparation completed、開始 human record owner review、標記 review ready、收 owner decision、由 preparation packet 建立 decision record，或從 preparation packet 開 runtime gate。
把 owner decision record human record owner review preparation checklist 當成 approval、標記 preparation checklist passed 或 preparation completed、開始 human record owner review、標記 review ready、收 owner decision、由 preparation checklist 建立 decision record，或從 preparation checklist 開 runtime gate。
把 progress acceleration lane 當成授權、進度自動加分、owner response received、runtime gate、GitHub primary readiness 或 production execution。
把 progress hold movement gate 當成進度加分、owner response received / accepted、payload ingestion、runtime gate、GitHub primary ready、AwoooP production landing 或 action button。
把 AwoooP read-only landing readiness 當成 production consumption、progress increase、execution router、action button、guard skip、runtime gate 或 GitHub primary readiness。
把 AwoooP cross-session handoff packet 當成 merge、deploy、primary switch、refs mutation、guard skip、production consumption、runtime gate 或 action button。
把 owner response next-action focus 當成催收、代填、received、accepted、approval record、runtime gate、repo / refs mutation、secret value collection 或 GitHub primary switch。
把 S4.9 owner response preflight 當成 request sent、owner response received / accepted、preflight passed、audit emitted、approval record、Gitea write、repo / refs mutation、runtime gate 或 GitHub primary switch。
把 S4.9 owner response request template 當成 request sent、owner response received / accepted、audit emitted、Gitea inventory completed、Gitea write、repo / refs mutation、token collection、runtime gate 或 GitHub primary switch。
把 64% progress、contract count、mirror readiness 或前端可見狀態當成授權。

5. 驗證

只讀驗證：

python3 scripts/security/security-mirror-progress-guard.py

這個 guard 會確認 IwoooS 投影與 rollup / rollout policy 對齊，且 runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

134 KiB Raw Permalink Blame History Unescape Escape

IwoooS 前端資安態勢投影契約

1. 目的

1.1 2026-06-14 Owner Packet count sync

1.2 2026-06-15 K8s / ArgoCD 事故後回讀投影

1.3 2026-06-15 Public Gateway / Nginx 事故後回讀投影

1.4 2026-06-15 Monitoring / Alerting / Observability 事故後回讀投影

1.5 2026-06-16 CD / Runner / Secret injection 事故後回讀投影

1.6 2026-06-18 Backup / Restore / Escrow 事故後回讀投影

1.7 2026-06-18 外部入侵主機防堵控制投影

1.8 2026-06-18 SOC / SIEM / Kali 112 / Wazuh 整合控制投影

2. 來源

3. 前端可顯示

3.1 既有前端資安頁面整合

3.1.1 GitHub Primary Readiness Board

3.2 覆蓋與邊界矩陣

3.3 資安處理旅程

3.4 Owner Evidence Readiness

3.5 主機覆蓋視圖

3.6 主機動作 Gate 矩陣

3.7 主機 Evidence Readiness

3.8 主機 Evidence 收件順序

3.9 主機 Evidence Intake Preflight

3.10 主機 Evidence Review Outcome Lanes

3.11 主機 Evidence Review Handoff Packets

3.12 主機 Evidence Reviewer Checklist

3.13 主機 Evidence Reviewer Outcome Lanes

3.14 Host Owner Decision Candidate Packets

3.15 Host Owner Decision Review Checklist

3.16 Host Owner Decision Review Outcome Lanes

3.17 Host Owner Decision Record Draft Packets

3.18 Host Owner Decision Record Draft Review Checklist

3.19 Host Owner Decision Record Draft Review Outcome Lanes

3.20 Host Owner Decision Record Write-Up Packets

3.21 Host Owner Decision Record Write-Up Review Checklist

3.22 Host Owner Decision Record Write-Up Review Outcome Lanes

3.23 Host Owner Decision Record Formal Candidate Packets

3.24 Host Owner Decision Record Formal Candidate Review Checklist

3.25 Host Owner Decision Record Formal Candidate Review Outcome Lanes

3.26 Host Owner Decision Record Formal Record Queue Packets

3.27 Host Owner Decision Record Formal Record Queue Review Checklist

3.28 Host Owner Decision Record Formal Record Queue Review Outcome Lanes

3.29 Host Owner Decision Record Human Handoff Readiness Packets

3.30 Host Owner Decision Record Human Handoff Readiness Review Checklist

3.31 Host Owner Decision Record Human Handoff Readiness Review Outcome Lanes

3.32 Host Owner Decision Record Human Record Owner Review Candidate Packets

3.33 Host Owner Decision Record Human Record Owner Review Candidate Checklist

3.34 Host Owner Decision Record Human Record Owner Review Candidate Outcome Lanes

3.35 Host Owner Decision Record Human Record Owner Review Preparation Packets

3.36 Host Owner Decision Record Human Record Owner Review Preparation Checklist

3.37 Progress Acceleration Lanes

3.38 Owner Response Next-Action Focus

3.39 S4.9 Owner Response Preflight

3.40 S4.9 Owner Response Request Templates

3.41 Progress Hold Movement Gates

3.42 AwoooP Read-Only Landing Readiness

3.43 AwoooP Cross-Session Handoff Packets

4. 仍禁止

5. 驗證

134 KiB

Raw Permalink Blame History