wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 3 Packages Projects Releases Wiki Activity
Files
main
awoooi/docs/security/security-mirror-readiness.snapshot.json
Your Name 58e760fae2
All checks were successful
CD Pipeline / tests (push) Successful in 1m25s
Details
Code Review / ai-code-review (push) Successful in 13s
Details
CD Pipeline / build-and-deploy (push) Successful in 4m2s
Details
CD Pipeline / post-deploy-checks (push) Successful in 1m48s
Details
feat(security): 擴充 S4.10 target owner response
2026-06-11 20:30:41 +08:00

567 lines
24 KiB
JSON
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_mirror_readiness_v1",
"status": "draft",
"date": "2026-05-17",
"default_enforcement_level": "mirror_only",
"runtime_execution_authorized": false,
"summary": {
"total_contracts": 36,
"ready_for_mirror_count": 33,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0
},
"mirror_destinations": [
"awooop_operator_console",
"awooop_runtime_state",
"awooop_channel_event",
"awooop_audit_evidence",
"awooop_approval_queue"
],
"contract_readiness": [
{
"contract": "security_rollout_policy_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "read_only_policy",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-rollout-policy.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md"
],
"notes": "可供 AwoooP 顯示 observe-first / mirror-only policy 與 7 條 non-blocking escalation lanes不得 runtime enforcement也不得把 follow-up 直接升 blocking。"
},
{
"contract": "security_finding_v1",
"readiness": "partial_ready",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-finding-kali-sample.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-FINDING-CONTRACT.md"
],
"notes": "目前只有 Kali sample snapshotruntime ingestion 尚未啟用。"
},
{
"contract": "kali_integration_status_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/kali-integration-status.snapshot.json"
],
"human_docs": [
"docs/security/KALI-INTEGRATION-STATUS.md"
],
"notes": "可 mirror Kali health、更新紀錄、缺口與高風險 gate。"
},
{
"contract": "kali_scan_scope_approval_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/kali-scan-scope-approval.snapshot.json"
],
"human_docs": [
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md"
],
"notes": "可 mirror scope group 與 approval gates不得啟動 scan。"
},
{
"contract": "security_approval_queue_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-approval-queue.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-QUEUE.md"
],
"notes": "可 mirror 8 個 queue items、review order、blocked reason 與 required reviewers。"
},
{
"contract": "security_approval_gate_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-approval-gate.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-GATE.md"
],
"notes": "可 mirror S3 人工批准 gate、決策範圍與 follow-up runtime gate不得執行 gate item。"
},
{
"contract": "security_approval_decision_record_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-approval-decision-record.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-DECISION-RECORD.md"
],
"notes": "可 mirror S3 人工決策紀錄格式;目前尚無 approved decision record且 execution_authorized=false。"
},
{
"contract": "security_approval_review_packet_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-approval-review-packet.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md"
],
"notes": "可 mirror S3 人工審查封包、review lane、required reviewers 與 still forbidden不代表批准或執行授權。"
},
{
"contract": "security_approval_state_transition_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-approval-state-transition.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md"
],
"notes": "可 mirror S3 人工決策狀態轉移語義approve_scope 仍只進 waiting runtime gate不授權執行。"
},
{
"contract": "security_followup_runtime_gate_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md"
],
"notes": "可 mirror S3 後續 runtime gate 準備模板、preflight checks 與 rollback/disable requirement目前 active_runtime_gates=0。"
},
{
"contract": "security_mirror_readiness_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-readiness.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-READINESS.md"
],
"notes": "本契約提供 AwoooP mirror/read-only readiness index不授權執行。"
},
{
"contract": "security_mirror_intake_plan_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-intake-plan.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-INTAKE-PLAN.md"
],
"notes": "提供 AwoooP mirror-only intake waves、destinations、allowed/blocked processing 與 acceptance gates。"
},
{
"contract": "security_mirror_event_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-event-sample.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md"
],
"notes": "提供 AwoooP mirror event envelope所有 mirror events 都必須帶 execution_authorized=false 與 action_buttons_allowed=false。"
},
{
"contract": "security_mirror_route_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-route.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"notes": "提供 AwoooP mirror-only route groups、channel policy 與 review lane不授權執行。"
},
{
"contract": "security_mirror_acceptance_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-acceptance.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-ACCEPTANCE.md"
],
"notes": "提供 AwoooP mirror-only ingestion 驗收 checks不作 runtime blocker。"
},
{
"contract": "security_mirror_quarantine_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-quarantine.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-QUARANTINE.md"
],
"notes": "提供 AwoooP mirror-only 驗收失敗隔離與 retry gate不授權執行。"
},
{
"contract": "security_mirror_dry_run_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-dry-run.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-DRY-RUN.md"
],
"notes": "提供 AwoooP mirror-only 接入演練回報格式;目前為 contract_defined_not_executed。"
},
{
"contract": "security_mirror_status_rollup_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md",
"docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md"
],
"notes": "提供 AwoooP / Security Supply Chain 跨 Session 狀態總覽、下一個 gate 與禁止事項S4.13 owner response validation rollup 可 mirror 四個 response packets、24 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks、7 條 parallel session recovery outcome lanes、received=0、accepted=0、reviewer audit emitted=0、next_collection_candidate=S4.9;不授權執行。"
},
{
"contract": "iwooos_posture_projection_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/iwooos-posture-projection.snapshot.json"
],
"human_docs": [
"docs/security/IWOOOS-POSTURE-PROJECTION.md"
],
"notes": "可 mirror IwoooS 前端資安態勢投影;只顯示 posture、progress、non-blocking lanes、evidence refs 與 forbidden actions不提供執行按鈕。"
},
{
"contract": "coding_task_v1",
"readiness": "contract_only",
"consumption_mode": "suggest_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [],
"human_docs": [
"docs/security/CODEX-PATCH-ONLY-HANDOFF-PROMPT.md"
],
"notes": "已有 schema 與 handoff prompt但尚無正式 coding task snapshot。"
},
{
"contract": "source_control_migration_event_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/gitea-github-awoooi-inventory.snapshot.json",
"docs/security/source-control-clawbot-v5.snapshot.json",
"docs/security/source-control-wooo-aiops.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md"
],
"notes": "可 mirror source-control diff summary仍不得 sync refs 或切 primary。"
},
{
"contract": "gitea_repo_inventory_v1",
"readiness": "partial_ready",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-public-repo-search.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md",
"docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md",
"docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md"
],
"notes": "目前仍是 public-only / blocked endpoint evidenceS4.5 已補 authenticated/admin export requestS4.6 已補 redacted import acceptanceS4.7 已補 owner coverage attestation requestS4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanesprivate/internal 全量需 approval、脫敏 payload 驗收與 owner scope decisionaudit templates 仍為 0 emitted。"
},
{
"contract": "local_git_remote_inventory_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/local-git-remote-inventory.snapshot.json"
],
"human_docs": [
"docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md"
],
"notes": "可 mirror 本機 remote coverage 與 embedded credential hygiene risk不修改 remote。"
},
{
"contract": "github_target_probe_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/github-target-probe.snapshot.json"
],
"human_docs": [
"docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md"
],
"notes": "可 mirror GitHub target visibilitynot_found_or_private 不等同可自動建立。"
},
{
"contract": "github_target_decision_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"human_docs": [
"docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md",
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
],
"notes": "可 mirror target decision、S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner response templatesrepo 建立、visibility 修改、refs sync 與 primary switch 仍需後續人工批准與 runtime gate。"
},
{
"contract": "github_target_repo_approval_package_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/github-target-repo-approval-package.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"human_docs": [
"docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md",
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
],
"notes": "可 mirror 逐 repo approval package、S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response 收件包;不得執行 item。"
},
{
"contract": "source_control_approval_board_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-approval-board.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md"
],
"notes": "可 mirror owner / visibility / canonical / refs 決策 board。"
},
{
"contract": "source_control_reconcile_plan_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md",
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
],
"notes": "可 mirror draft reconcile plan 與 S4.11 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包response 通過前只更新草案 wording不得 push refs。"
},
{
"contract": "source_control_ref_detail_diff_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-ref-detail-diff.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md"
],
"notes": "可 mirror branch/tag detail diff不得 fetch、push 或 delete refs。"
},
{
"contract": "source_control_ref_truth_classification_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
],
"notes": "可 mirror refs truth classification、review lanes、S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 templatesreceived_response_count=0、audit events emitted=0不得執行分類結果。"
},
{
"contract": "source_control_primary_readiness_gate_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"
],
"notes": "可 mirror GitHub primary readiness blockers、parity gates 與 rollback ADR 缺口;目前 primary_ready_count=0。"
},
{
"contract": "source_control_primary_rollback_adr_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-primary-rollback-adr.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md"
],
"notes": "可 mirror S4.4 GitHub primary rollback ADR 草案、7 個 in-scope repo rollback plans、validation windows 與仍禁止事項owner_approved_count=0、active_cutover_count=0。"
},
{
"contract": "source_control_workflow_secret_name_inventory_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md"
],
"notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口S4.2 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret namesS4.3 export request 有 7 個 repos、5 類 export lanesS4.12 owner response request packet 1 個、template statuses 5 個、audit event templates 3 個、redaction examples 5 個、collection checks 6 個、intake preflight checks 6 個、templates 5 個、received_response_count=0、audit_events_emitted=0secret_value_collection_allowed=false。"
},
{
"contract": "local_repo_canonical_probe_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/local-repo-canonical-ewoooc-momo.snapshot.json"
],
"human_docs": [
"docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md"
],
"notes": "可 mirror momo/ewoooc lineage evidence不得自動合併 unrelated histories。"
},
{
"contract": "git_remote_refs_probe_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/git-remote-refs-bitan-tsenyang.snapshot.json",
"docs/security/git-remote-refs-wooo-infra-config.snapshot.json"
],
"human_docs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md"
],
"notes": "可 mirror read-only refs readiness不得 fetch 或 push。"
},
{
"contract": "approval_required_event_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/gitea-readonly-inventory-approval.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md"
],
"notes": "可 mirror approval candidateblocked_until_approved=true 時不得執行。"
}
],
"still_forbidden": [
"execute_mirror_item",
"start_kali_scan",
"call_kali_execute_endpoint",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"store_secret_token_cookie_private_key_or_exploit_payload",
"turn_low_medium_observations_into_blocking_gates"
]
}
Reference in New Issue View Git Blame Copy Permalink