# IwoooS Frontend Security Posture Projection Contract

| Item | Content |
|------|------|
| Date | 2026-05-19 |
| Status | Draft |
| Schema | `docs/schemas/iwooos_posture_projection_v1.schema.json` |
| Snapshot | `docs/security/iwooos-posture-projection.snapshot.json` |
| Mode | `mirror_only` |
| runtime execution authorization | `false` |

## 1. Purpose

`iwooos_posture_projection_v1` defines how IwoooS projects the existing security-net data to the frontend.

It is only allowed to display security posture, headline progress, framework / runtime landing, non-blocking lanes, evidence refs and the next high-level gate. It is not a scanner, not a remediator, not an approval gate, and not an authorization for the GitHub primary cutover.

## 2. Sources

The first IwoooS release only reads or aligns with the following committed evidence:

| Source | Purpose |
|------|------|
| `security_mirror_status_rollup_v1` | 58% headline, 36 contracts, 0 active runtime gates, next high-level gate |
| `security_rollout_policy_v1` | 7 low-friction non-blocking lanes |
| `source_control_owner_response_validation_rollup_v1` | owner responses still 0; S4.9 is the next collection candidate |
| `kali_integration_status_v1` | Kali 112 observe-only integration posture |
| `/iwooos` frontend route | display entry point; provides no execution buttons |
| Existing frontend security pages | read-only index; does not move the original pages' responsibility boundaries and adds no execution controls |

## 3. What the Frontend May Display

1. Security Posture / Exposure entry point.
2. 58% headline progress and the framework / runtime landing reading.
3. 36 primary contracts: 33 ready, 2 partial, 1 contract-only, 0 blocked.
4. 0 active runtime gates.
5. Four facets: Exposure, source-control, Kali 112, approval boundary.
6. 7 non-blocking lanes.
7. Evidence refs and the next high-level gate.
8. Index of the 10 existing frontend security-related pages.
9. 4 frontend security responsibility facets and 5 overlap / conflict controls.
10. 6 read-only security handling journey stages.
11. 7 owner evidence readiness items.
12. 3 read-only host coverage items: Kali 112, development host 168, development host 111.
13. 6 host action gate items: active scan, credentialed scan, Kali `/execute`, SSH / host change, Kali update, runtime blocking control.
14. 7 host evidence readiness items: scope boundary, owner decision, credential handling, maintenance window, rollback plan, validation metrics, redacted ingestion.
15. 7 host evidence collection order steps, showing the collection sequence and prerequisite dependencies.
16. 7 host evidence intake preflight checks, showing the reject / quarantine rules applied before future evidence enters human review.
17. 7 host evidence review outcome lanes, showing how human review is triaged after preflight.
18. 7 host evidence review handoff packets, showing the redacted handoff package a human reviewer needs.
19. 7 host evidence reviewer checklist items, showing the read-only checks a reviewer must still confirm after reading the handoff packets.
20. 7 host evidence reviewer outcome lanes, showing the read-only triage of results after the reviewer checklist.
21. 7 host owner decision candidate packets, showing the scope of human decision still required before a reviewer outcome proceeds to an owner decision.
22. 7 host owner decision review checklist items, showing the security boundaries that still need human verification after the owner decision candidate packets.
23. 7 host owner decision review outcome lanes, showing the read-only triage after the owner review checklist.
24. 7 host owner decision record draft packets, showing the draft fields a formal decision record candidate needs.
25. 7 host owner decision record draft review checklist items, showing the read-only conditions to verify before draft fields enter a formal decision record.
26. 7 host owner decision record draft review outcome lanes, showing the read-only triage after draft verification.
27. 7 host owner decision record write-up packets, showing the fields for writing a formal decision record, without creating the record, marking it completed / accepted, or opening a runtime gate.
28. 7 host owner decision record write-up review checklist items, showing the read-only conditions to verify before formal write-up fields enter a decision record.
29. 7 host owner decision record write-up review outcome lanes, showing the read-only triage and next step after write-up review.
30. 7 host owner decision record formal candidate packets, showing the candidate fields a formal record candidate needs, without creating a decision record, marking it finalized / accepted, or opening a runtime gate.
31. 7 host owner decision record formal candidate review checklist items, showing the read-only conditions to verify before formal candidate packets proceed to subsequent human recording.
32. 8 host owner decision record formal candidate review outcome lanes, showing the read-only triage and next step after candidate review.
33. 8 host owner decision record formal record queue packets, showing the packages the human formal-record queue needs to see, without enqueueing, creating a decision record, or opening a runtime gate.
34. 8 host owner decision record formal record queue review checklist items, showing the read-only conditions to verify before queue packages enter human formal-record review.

## 3.1 Integration of Existing Frontend Security Pages

S2.10 brings the frontend's pre-existing security-related pages into IwoooS purely as a route / source / read-only mode index.

| Route | Source | IwoooS presentation |
|-------|------|-------------|
| `/security-compliance` | `SecurityPanel` / `CompliancePanel` | security and compliance integration page |
| `/security` | `apps/web/src/app/[locale]/security/page.tsx` | existing security monitoring page |
| `/compliance` | `apps/web/src/app/[locale]/compliance/page.tsx` | existing compliance page |
| `/alerts` | `useIncidents` / `IncidentCard` | alert management |
| `/errors` | `ErrorsPanel` | errors and UX audit |
| `/authorizations` | `LiveApprovalPanel` | HITL / multi-sig authorization center |
| `/governance` | Governance tabs | AI governance hub |
| `/alert-operation-logs` | Alert operation log page | alert operation audit |
| `/awooop/approvals` | AwoooP approvals page | AwoooP approval queue |
| `/code-review` | Code Review page | AI Code Review control plane |

These routes keep their original functionality and owner boundaries; IwoooS only provides a visible index and does not upgrade any page into a scan, execute, repair, blocking gate, deploy approval or runtime authorization.

## 3.2 Coverage and Boundary Matrix

S2.11 divides the 10 existing frontend security pages into four responsibility facets so that users can see where the signals are, where the human controls are, where governance and audit are, and where engineering review is.

| Responsibility facet | Route | Boundary |
|--------|-------|------|
| Signals and exposure surface | `/security-compliance`, `/security`, `/compliance`, `/alerts`, `/errors` | Shows risk, incidents, errors, UX audit and compliance signals; does not promote an observation directly to blocking |
| Human control boundary | `/authorizations`, `/awooop/approvals` | Shows HITL / multi-sig / AwoooP approvals; does not mean a security runtime gate has been approved |
| Governance and audit | `/governance`, `/alert-operation-logs` | Shows governance events, SLOs, remediation queues and operation logs; an audit event is not an execution authorization |
| Engineering review | `/code-review` | Shows the AI Code Review pipeline; review results may produce follow-ups but are not deploy approval |

Overlap / conflict controls:

1. IwoooS keeps the original route owner and does not move data write permissions.
2. The coverage matrix must not be upgraded into a runtime gate.
3. A Code Review link is not deploy approval.
4. AwoooP approval status is not a security approval decision record.
5. The frontend index must not call a Kali active scan or `/execute`.

## 3.3 Security Handling Journey

S2.12 fixes the user-visible security handling flow to 6 read-only stages:

| Order | Stage | Output |
|------|------|------|
| 1 | Read the current posture | Shows posture / progress / gate status; does not represent authorization |
| 2 | Open existing security pages | Enters the original route, keeping the original owner and data boundaries |
| 3 | Interpret non-blocking triage | Creates follow-ups; does not promote directly to blocking |
| 4 | Collect owner evidence | Updates received / accepted status; performs no repo / refs / workflow / Kali actions |
| 5 | Wait for the human decision | Requires a decision record; AwoooP approval, Code Review or progress numbers cannot substitute for it |
| 6 | Prepare the follow-up runtime gate | A follow-up runtime gate is opened separately only after human approval; active runtime gates remain at 0 |

This journey is a status projection, not an execution queue. Any active scan, repair, deploy, GitHub primary, repo / refs / workflow / runner or secret change still requires separate approval and a subsequent runtime gate.

## 3.4 Owner Evidence Readiness

S2.13 shows the evidence actually required for the next step of headline progress as a read-only readiness board.

| Order | Evidence item | Current status | Release condition |
|------|---------------|----------|----------|
| 1 | S4.9 Gitea owner attestation response | next collection candidate; received=0, accepted=0 | redacted owner response received and accepted |
| 2 | S4.10 GitHub target owner response | waiting owner response; received=0, accepted=0 | GitHub target owner response accepted |
| 3 | S4.11 refs truth owner response | waiting owner response; received=0, accepted=0 | refs truth owner response accepted |
| 4 | S4.12 workflow / secret name owner response | waiting owner response; received=0, accepted=0 | workflow / secret owner response accepted |
| 5 | Redacted finding ingestion | approval required; received=0, accepted=0 | redacted findings received after human approval |
| 6 | Kali scan scope approval | approval required; received=0, accepted=0 | scan scope approval + follow-up runtime gate |
| 7 | Follow-up runtime gate | locked until human decision; active gate=0 | runtime gate opened separately after the decision record is accepted |

This board only states what is still missing. It does not mean evidence has been received or accepted, that approval has been granted, or that scanning, repair, deployment or the GitHub primary cutover may proceed.

## 3.5 Host Coverage View

S2.14 places the Kali host and the two development hosts designated by the commander into IwoooS's visible security scope, so that users can see which hosts have been brought into the subsequent security-net path.

| Order | Host | Role | Current status |
|------|------|------|----------|
| 1 | `192.168.0.112` | Kali security host | Already present in posture / evidence refs as an observe-only integration; active scan, `/execute`, SSH changes and host updates remain unapproved |
| 2 | `192.168.0.168` | Development host | Declared as observe-only scope; credentialed scan and runtime control remain unapproved |
| 3 | `192.168.0.111` | Development host | Declared as observe-only scope; credentialed scan and runtime control remain unapproved |

This view only means "brought into view". It does not mean scanning has started, a host has been logged into, Kali has been updated, a host has been tuned, an SSH workflow has been established, or runtime control is allowed.

## 3.6 Host Action Gate Matrix

S2.15 splits host-related high-risk actions into a read-only gate matrix, so that "host brought into view" is not misread as "may be scanned, logged into, updated or blocked directly".

| Order | Action | Related hosts | Current gate |
|------|------|----------|-----------|
| 1 | Active scan | `192.168.0.112`, `192.168.0.168`, `192.168.0.111` | Requires S1.6 scan scope approval and a subsequent runtime gate |
| 2 | Credentialed scan | `192.168.0.112`, `192.168.0.168`, `192.168.0.111` | Requires scope, credential handling and redacted-evidence rules; currently unapproved |
| 3 | Kali `/execute` | `192.168.0.112` | block candidate; requires a human decision record and the S3.4 follow-up runtime gate |
| 4 | SSH / host change | `192.168.0.112`, `192.168.0.168`, `192.168.0.111` | Requires explicit human approval, a change plan and rollback evidence |
| 5 | Kali host update | `192.168.0.112` | Requires a maintenance window, update list, validation metrics and rollback plan |
| 6 | Runtime blocking control | `192.168.0.112`, `192.168.0.168`, `192.168.0.111` | Requires an accepted decision record; active runtime gates remain at 0 |

Every item is fixed at `display_mode=gate_only`, with `active_scan_authorized=false`, `credentialed_scan_authorized=false`, `ssh_change_authorized=false`, `host_update_authorized=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

## 3.7 Host Evidence Readiness

S2.16 shows the evidence required before any host action is unlocked as a read-only readiness board. This layer only answers "what is missing before the next step"; it does not mean any evidence has been received or accepted.

| Order | Evidence item | Current status | Scope of impact |
|------|---------------|----------|----------|
| 1 | Scope boundary | waiting redacted scope approval; received=0, accepted=0 | targets, exclusions, depth and rate for 112, 168 and 111 |
| 2 | Owner decision record | waiting human decision record; received=0, accepted=0 | human-controlled decision; cannot be replaced by visible status |
| 3 | Credential handling | credential material collection forbidden; received=0, accepted=0 | credential source, storage boundary, masking and rejection rules before any credentialed scan |
| 4 | Maintenance window | waiting maintenance window; received=0, accepted=0 | window for Kali update, SSH / host change and host tuning |
| 5 | Rollback plan | waiting rollback plan; received=0, accepted=0 | restoring package, configuration, service and toolchain versions |
| 6 | Validation metrics | waiting post-check metrics; received=0, accepted=0 | post-checks for scanners, monitoring, services and user flows |
| 7 | Redacted ingestion | waiting redacted payload acceptance; received=0, accepted=0 | findings / scan results may enter the mirror only as redacted summaries |

Every item is fixed at `display_mode=evidence_readiness_only`, with `active_scan_authorized=false`, `credentialed_scan_authorized=false`, `ssh_change_authorized=false`, `host_update_authorized=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

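The invariant lines in 3.6 and 3.7 (repeated by every later board) are the kind of rule a snapshot test should enforce rather than trust. The following is an added example, not IwoooS project code: a TypeScript guard that walks projected items and reports any field that would turn a read-only board into an authorization. The `ProjectionItem` shape, the field-suffix heuristics and the sample items are assumptions.

```typescript
// Added example, not IwoooS project code: a guard that checks every projected
// item against the read-only invariants this contract fixes in sections 3.6
// and 3.7 (and repeats for every later board). Field names are taken from
// the contract text; the sample items below are constructed.

type ProjectionItem = Record<string, unknown>;

interface InvariantViolation {
  index: number;  // position of the offending item in the projection
  field: string;  // offending field, or the one that is missing
  reason: string;
}

// Flags the contract requires to be present and false on every host item.
const REQUIRED_FALSE_FLAGS: string[] = [
  "active_scan_authorized",
  "credentialed_scan_authorized",
  "ssh_change_authorized",
  "host_update_authorized",
  "runtime_execution_authorized",
  "action_buttons_allowed",
];

// Any other field named like an authorization, creation or gate-opening flag
// (approval_record_created, runtime_gate_opened, raw_payload_allowed, ...)
// must also be false: a projection may describe gates, never grant them.
const FLAG_SUFFIX = /(_authorized|_allowed|_created|_opened)$/;

// Counters the contract freezes at zero on the frontend
// (received_count, accepted_count, *_passed_count, *_completed_count).
const FROZEN_COUNTER_SUFFIX = /(received|accepted|passed|completed)_count$/;

function checkReadOnlyInvariants(items: ProjectionItem[]): InvariantViolation[] {
  const violations: InvariantViolation[] = [];
  items.forEach((item, index) => {
    const mode = item["display_mode"];
    // Every board uses a *_only display mode (gate_only, review_outcome_only, ...).
    if (typeof mode !== "string" || mode.slice(-5) !== "_only") {
      violations.push({ index, field: "display_mode", reason: "display_mode must be a *_only mode" });
    }
    if (item["not_authorization"] !== true) {
      violations.push({ index, field: "not_authorization", reason: "not_authorization must be true" });
    }
    REQUIRED_FALSE_FLAGS.forEach((flag) => {
      if (!Object.prototype.hasOwnProperty.call(item, flag)) {
        violations.push({ index, field: flag, reason: "required flag is missing" });
      }
    });
    Object.keys(item).forEach((key) => {
      const value = item[key];
      if (FLAG_SUFFIX.test(key) && value !== false) {
        violations.push({ index, field: key, reason: "flag must be false" });
      }
      if (FROZEN_COUNTER_SUFFIX.test(key) && value !== 0) {
        violations.push({ index, field: key, reason: "counter must stay at 0" });
      }
    });
  });
  return violations;
}

// Constructed sample: one well-formed S2.15 gate item and one that drifted.
const SAMPLE_GATE_ITEMS: ProjectionItem[] = [
  {
    action: "Kali /execute",
    hosts: ["192.168.0.112"],
    display_mode: "gate_only",
    active_scan_authorized: false,
    credentialed_scan_authorized: false,
    ssh_change_authorized: false,
    host_update_authorized: false,
    runtime_execution_authorized: false,
    action_buttons_allowed: false,
    not_authorization: true,
  },
  {
    action: "Runtime blocking control",
    hosts: ["192.168.0.112", "192.168.0.168", "192.168.0.111"],
    display_mode: "gate_only",
    active_scan_authorized: false,
    credentialed_scan_authorized: false,
    ssh_change_authorized: false,
    host_update_authorized: false,
    runtime_execution_authorized: false,
    action_buttons_allowed: true,  // drift: the UI would render a button
    runtime_gate_opened: true,     // drift: the gate must stay closed
    received_count: 1,             // drift: the frontend advanced a counter
    not_authorization: true,
  },
];

// Returns "index:field" for every violation so a snapshot test or CI gate
// can fail the build the moment a projection item stops being read-only.
function driftedFields(items: ProjectionItem[]): string[] {
  return checkReadOnlyInvariants(items).map((v) => v.index + ":" + v.field);
}
```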
## 3.8 Host Evidence Collection Order

S2.17 orders the seven host evidence readiness items from S2.16 into a suggested collection sequence. This layer only answers "which to collect first and what the next one depends on"; it marks no evidence as received / accepted.

| Order | Collection step | Source item | Prerequisite | Status |
|------|----------|-------------|----------|------|
| 1 | Define the scope boundary first | `host_scope_boundary_evidence` | none | `next_collection_candidate`; received=0, accepted=0 |
| 2 | Then collect the owner decision | `host_owner_decision_record_evidence` | `collect_scope_boundary_first` | `waiting_previous_step`; received=0, accepted=0 |
| 3 | Isolate credential handling | `host_credential_handling_evidence` | `collect_owner_decision_second` | `waiting_previous_step`; received=0, accepted=0 |
| 4 | Schedule the maintenance window | `host_maintenance_window_evidence` | `collect_owner_decision_second` | `waiting_previous_step`; received=0, accepted=0 |
| 5 | Supply the rollback plan | `host_rollback_plan_evidence` | `collect_maintenance_window_fourth` | `waiting_previous_step`; received=0, accepted=0 |
| 6 | Define validation metrics | `host_validation_metrics_evidence` | `collect_rollback_plan_fifth` | `waiting_previous_step`; received=0, accepted=0 |
| 7 | Collect redacted ingestion last | `host_redacted_ingestion_evidence` | `collect_validation_metrics_sixth` | `waiting_previous_step`; received=0, accepted=0 |

Every step is fixed at `display_mode=collection_order_only`, with `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This sequence is a collection hint, not a work queue. A step being shown as the next candidate does not permit starting a scan, SSH, Kali update, raw payload ingestion or runtime blocking control, nor marking the corresponding evidence as received / accepted.

## 3.9 Host Evidence Intake Preflight

S2.18 shows the preflight conditions applied before host evidence enters human review as read-only rules. This layer only answers "what must be blocked before future evidence is submitted"; it receives no payload, accepts no evidence and advances no counters.

| Order | Preflight check | Reject / quarantine condition | Current status |
|------|----------|------------------|----------|
| 1 | Metadata pointer only | redacted metadata pointer missing | `preflight_ready_not_executed`; received=0, accepted=0 |
| 2 | Collection order match | an S2.17 prerequisite was skipped | `dependency_check_waiting_evidence`; received=0, accepted=0 |
| 3 | Scope before scan | scan evidence has no scope boundary | `waiting_scope_evidence`; received=0, accepted=0 |
| 4 | Owner before host change | SSH / update / tuning / blocking evidence lacks an owner decision pointer | `waiting_owner_decision_pointer`; received=0, accepted=0 |
| 5 | Credential plaintext blocked | account credentials, tokens, private keys, sessions or credential plaintext appear | `plaintext_credential_collection_forbidden`; received=0, accepted=0 |
| 6 | Raw payload blocked | complete raw scan output, unredacted findings, host dumps or log bundles appear | `raw_payload_collection_forbidden`; received=0, accepted=0 |
| 7 | Frontend counters frozen | the frontend attempts to advance received / accepted | `frontend_counter_transition_forbidden`; received=0, accepted=0 |

Every check is fixed at `display_mode=intake_preflight_only`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This preflight board does not mean any host evidence has been received, nor that it has entered human review. Actual intake still requires a redacted evidence pointer, an owner decision and subsequent human acceptance.

## 3.10 Host Evidence Review Outcome Lanes

S2.19 shows the human-review outcome triage that host evidence may enter after passing preflight as read-only lanes. This layer only answers "what to supply next or which result to show"; it creates no approval record, starts no runtime gate and changes no received / accepted values.

| Order | Outcome lane | Source preflight | Next step |
|------|--------------|----------|--------|
| 1 | Ready for human review | metadata pointer, dependency order, scope, owner decision | Show the human review candidate; received=0, accepted=0 |
| 2 | Needs scope evidence | scope before scan | Supply a redacted scope boundary pointer; no scan |
| 3 | Needs owner decision | owner before host change | Supply an owner decision record pointer; no host action started |
| 4 | Quarantine dependency skip | collection order match | Show the quarantine reason; no counter advanced |
| 5 | Reject raw payload | raw payload blocked | Require resubmission as a redacted summary |
| 6 | Reject credential plaintext | credential plaintext blocked | Do not store, forward or display credential plaintext |
| 7 | Waiting runtime gate | frontend counters frozen, owner decision | A separate runtime gate is still required after human review; active runtime gates=0 |

Every lane is fixed at `display_mode=review_outcome_only`, `received_count=0`, `accepted_count=0`, `approval_record_created=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This outcome board does not mean evidence has entered review, an approval record has been created, or any host operation may execute. It only lets users understand which kind of human-review outcome the evidence may be routed to after preflight.

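Sections 3.8 to 3.10 describe one pipeline: the dependency order, the seven preflight checks, and the lane each failure is routed to. The following is an added example, not IwoooS project code, that models that pipeline in TypeScript. The `IntakeSubmission` shape, the mapping of evidence kinds to the scope / owner checks, the plaintext and raw-payload heuristics, the null lane for a missing pointer and the sample submissions are assumptions.

```typescript
// Added example, not IwoooS project code: models the S2.17 collection order,
// the S2.18 intake preflight checks and the S2.19 outcome lanes. Kinds, check
// names and lanes follow the contract tables; everything else is assumed.

type EvidenceKind =
  | "host_scope_boundary_evidence" | "host_owner_decision_record_evidence"
  | "host_credential_handling_evidence" | "host_maintenance_window_evidence"
  | "host_rollback_plan_evidence" | "host_validation_metrics_evidence"
  | "host_redacted_ingestion_evidence";

// S2.17 prerequisites: credential handling and maintenance window both follow
// the owner decision; every other item follows the one before it.
const DEPENDS_ON: Record<EvidenceKind, EvidenceKind | null> = {
  host_scope_boundary_evidence: null,
  host_owner_decision_record_evidence: "host_scope_boundary_evidence",
  host_credential_handling_evidence: "host_owner_decision_record_evidence",
  host_maintenance_window_evidence: "host_owner_decision_record_evidence",
  host_rollback_plan_evidence: "host_maintenance_window_evidence",
  host_validation_metrics_evidence: "host_rollback_plan_evidence",
  host_redacted_ingestion_evidence: "host_validation_metrics_evidence",
};
// Assumed: which kinds the "scope before scan" / "owner before host change" checks cover.
const SCAN_RELATED: EvidenceKind[] = ["host_credential_handling_evidence", "host_redacted_ingestion_evidence"];
const HOST_CHANGE_RELATED: EvidenceKind[] = ["host_maintenance_window_evidence", "host_rollback_plan_evidence"];

type PreflightCheck =
  | "metadata_pointer_only" | "collection_order_match" | "scope_before_scan"
  | "owner_before_host_change" | "credential_plaintext_blocked"
  | "raw_payload_blocked" | "frontend_counters_frozen";
type OutcomeLane =
  | "ready_for_human_review" | "needs_scope_evidence" | "needs_owner_decision"
  | "quarantine_dependency_skip" | "reject_raw_payload"
  | "reject_credential_plaintext" | "waiting_runtime_gate";

// A submission carries pointers to redacted material, never the material (assumed shape).
interface IntakeSubmission {
  kind: EvidenceKind;
  metadataPointer?: string;
  scopePointer?: string;
  ownerDecisionPointer?: string;
  body: string;                      // short free-text summary from the submitter
  requestedCounterUpdate?: boolean;  // the UI tried to advance received / accepted
}

// Heuristics for checks 5 and 6 (assumed, deliberately conservative).
const CREDENTIAL_PATTERNS: RegExp[] = [
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
  /\b(password|passwd|api[_-]?key|token|secret|session(_?id)?)\s*[:=]/i,
  /\bauthorization:\s*(bearer|basic)\s+\S+/i,
];
const RAW_PAYLOAD_PATTERNS: RegExp[] = [
  /\.(tar\.gz|tgz|zip|pcap)\b/i,   // bundle or dump attached by name
  /[A-Za-z0-9+\/]{200,}={0,2}/,    // long base64 run: a dump, not a summary
];

// Data-handling rejections win over ordering and missing pointers. lane is null when
// only the metadata pointer is missing: the contract names no lane for that (assumption).
function laneFor(failed: PreflightCheck[]): OutcomeLane | null {
  const has = (c: PreflightCheck) => failed.indexOf(c) !== -1;
  if (has("credential_plaintext_blocked")) return "reject_credential_plaintext";
  if (has("raw_payload_blocked")) return "reject_raw_payload";
  if (has("collection_order_match")) return "quarantine_dependency_skip";
  if (has("scope_before_scan")) return "needs_scope_evidence";
  if (has("owner_before_host_change")) return "needs_owner_decision";
  if (has("frontend_counters_frozen")) return "waiting_runtime_gate";
  return has("metadata_pointer_only") ? null : "ready_for_human_review";
}

// Runs the seven checks; `accepted` is what human review has accepted so far (today:
// nothing). Nothing here stores the body, creates a record or advances a counter.
function runIntakePreflight(sub: IntakeSubmission, accepted: EvidenceKind[]) {
  const failed: PreflightCheck[] = [];
  if (!sub.metadataPointer) failed.push("metadata_pointer_only");
  const dep = DEPENDS_ON[sub.kind];
  if (dep !== null && accepted.indexOf(dep) === -1) failed.push("collection_order_match");
  if (SCAN_RELATED.indexOf(sub.kind) !== -1 && !sub.scopePointer) failed.push("scope_before_scan");
  if (HOST_CHANGE_RELATED.indexOf(sub.kind) !== -1 && !sub.ownerDecisionPointer) failed.push("owner_before_host_change");
  if (CREDENTIAL_PATTERNS.some((p) => p.test(sub.body))) failed.push("credential_plaintext_blocked");
  const tooLong = sub.body.split(/\r?\n/).length > 20;  // a redacted summary is short
  if (tooLong || RAW_PAYLOAD_PATTERNS.some((p) => p.test(sub.body))) failed.push("raw_payload_blocked");
  if (sub.requestedCounterUpdate) failed.push("frontend_counters_frozen");
  return { failedChecks: failed, lane: laneFor(failed) };
}

// Constructed submissions, evaluated against the current state (nothing accepted yet).
const SAMPLE_SUBMISSIONS: IntakeSubmission[] = [
  { kind: "host_scope_boundary_evidence", metadataPointer: "evidence://redacted/scope/112-168-111",
    body: "Redacted scope summary: 3 hosts, observe-only, exclusions listed, rate at baseline." },
  { kind: "host_owner_decision_record_evidence", metadataPointer: "evidence://redacted/owner-decision/1",
    body: "Owner decision record pointer; scope boundary not yet accepted." },
  { kind: "host_credential_handling_evidence", metadataPointer: "evidence://redacted/cred-handling/1",
    body: "svc account password: [constructed-plaintext-for-test]" },
  { kind: "host_redacted_ingestion_evidence", metadataPointer: "evidence://redacted/findings/112",
    scopePointer: "evidence://redacted/scope/112-168-111", body: "Attached full scan output scan-112.tar.gz" },
  { kind: "host_scope_boundary_evidence", metadataPointer: "evidence://redacted/scope/112-168-111",
    body: "Same scope summary, sent by a UI path that also tried received=1.", requestedCounterUpdate: true },
];
function preflightLanes(subs: IntakeSubmission[], accepted: EvidenceKind[]): (OutcomeLane | null)[] {
  return subs.map((s) => runIntakePreflight(s, accepted).lane);
}
```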
## 3.11 Host Evidence Review Handoff Packets

S2.20 splits the host evidence handoff content a human reviewer actually needs to see into seven read-only packets. This layer only answers "which redacted pointers to hand to the reviewer"; it does not mark received / accepted, store raw payloads, create approval records or start runtime gates.

| Order | Handoff packet | Source outcome lane | Required content |
|------|----------------|-------------------|----------|
| 1 | Scope summary | ready for human review, needs scope evidence | redacted scope boundary summary; no raw payload |
| 2 | Owner decision | ready for human review, needs owner decision | owner decision record pointer; not a host action approval |
| 3 | Credential handling | ready for human review, reject credential plaintext | metadata-only handling statement; secret value blocked |
| 4 | Maintenance / rollback | waiting runtime gate, needs owner decision | maintenance window and rollback pointer; no change started |
| 5 | Validation metrics | ready for human review, waiting runtime gate | post-review validation metrics pointer; does not mean the runtime gate opened |
| 6 | Redaction attestation | reject raw payload, reject credential plaintext | redaction attestation metadata only; no sensitive payload stored |
| 7 | Runtime gate pointer | waiting runtime gate | follow-up runtime gate pointer only; active runtime gates=0 |

Every packet is fixed at `display_mode=review_handoff_only`, `received_count=0`, `accepted_count=0`, `approval_record_created=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This handoff board does not mean the reviewer has received or accepted the data, approved a host operation or opened a runtime gate. It only lets IwoooS show users clearly what must be prepared before submission for review.

## 3.12 Host Evidence Reviewer Checklist

S2.21 splits the checks a reviewer must still confirm after reading the handoff packets into seven read-only checklist items. This layer only answers "which boundaries must be confirmed not to have drifted before human review"; it marks nothing passed, advances no received / accepted counters, creates no approval record and opens no runtime gate.

| Order | Reviewer check | Source packet | Pass condition |
|------|----------------|-------------|----------------|
| 1 | Scope boundary match | scope summary | redacted scope pointer only; no scan started |
| 2 | Owner decision scope / expiry | owner decision | decision pointer only; no approval record created |
| 3 | Credential handling metadata only | credential handling | secret value collection=false |
| 4 | Redaction attestation pass | redaction attestation | raw payload allowed=false |
| 5 | Maintenance / rollback complete | maintenance / rollback | future change conditions only; no change execution |
| 6 | Validation metrics linked | validation metrics | validation pointer only; runtime gate closed |
| 7 | Runtime gate separated | runtime gate pointer | active runtime gates=0; action buttons=false |

Every check is fixed at `display_mode=reviewer_checklist_only`, `received_count=0`, `accepted_count=0`, `approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This checklist does not mean the reviewer has completed review, the data has been accepted, a human approval has been created or a runtime gate has been opened. It only lets IwoooS show the security reading steps before human review clearly.

## 3.13 Host Evidence Reviewer Outcome Lanes

S2.22 splits the results that may follow the reviewer checklist into seven read-only outcome lanes. This layer only answers "which resubmission or human-decision lane to return to after the review checks"; it does not mark the checklist passed, advance received / accepted, create an approval record or open a runtime gate.

| Order | Reviewer outcome | Source check | Next step |
|------|------------------|------------|--------|
| 1 | Ready for owner decision | scope, owner, redaction, runtime separation | Show the owner decision candidate; received=0, accepted=0 |
| 2 | Scope mismatch | scope boundary match | Supply a scope boundary pointer; no scan started |
| 3 | Owner decision expired | owner decision scope / expiry | Supply an owner decision record; no approval created |
| 4 | Credential metadata failed | credential handling metadata only | Require a metadata-only statement; no sensitive material collected |
| 5 | Redaction failed | redaction attestation pass | Require re-redaction; no raw payload stored |
| 6 | Rollback missing | maintenance / rollback complete | Supply the maintenance window and rollback pointer; no change executed |
| 7 | Runtime gate required | validation metrics linked, runtime gate separated | Keep the runtime gate separate and still closed |

Every lane is fixed at `display_mode=reviewer_outcome_only`, `checklist_passed_count=0`, `received_count=0`, `accepted_count=0`, `approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This outcome board does not mean the reviewer checks have passed, the data has been accepted, a human approval has been created or a runtime gate has been opened. It only lets IwoooS make the next-step triage after the checklist clear.

## 3.14 Host Owner Decision Candidate Packets

S2.23 splits the step after ready for owner decision into seven read-only candidate packets. This layer only answers "which human-decision material the owner will later see"; it creates no decision record, marks nothing approved, advances no received / accepted counters and opens no runtime gate.

| Order | Candidate packet | Source outcome lane | Scope of human decision |
|------|------------------|-------------------|--------------|
| 1 | Scope approval candidate | ready for owner decision | hosts, network segments, services, exclusions and observation purpose |
| 2 | Scan mode candidate | ready for owner decision | differences between observe-only, future active scan and credentialed scan; no scan is authorized at present |
| 3 | Credential handling candidate | ready for owner decision, credential metadata failed | metadata-only handling, responsible person and retention boundary; no sensitive material collected |
| 4 | Maintenance window candidate | ready for owner decision, rollback missing | future maintenance window and constraints; no host update executed |
| 5 | Rollback owner candidate | ready for owner decision, rollback missing | rollback owner, recovery path and human contact point |
| 6 | Validation metrics candidate | ready for owner decision, runtime gate required | post-check metrics, baseline and evidence pointer |
| 7 | Runtime gate candidate | runtime gate required | subsequent host actions still require a separate runtime gate; active runtime gates=0 |

Every packet is fixed at `display_mode=owner_decision_candidate_only`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This candidate board does not mean the owner decision has been received, accepted or approved, or that a follow-up runtime gate has been created. It only lets IwoooS state up front what the owner is asked to judge manually.

## 3.15 Host Owner Decision Review Checklist

S2.24 splits the human verification items that follow the owner decision candidate packets into seven read-only checklist items. This layer only answers "which security boundaries must still be confirmed one by one before the owner decides"; it creates no decision record, marks nothing approved and opens no runtime gate.

| Order | Review check | Source candidate packet | Guard condition |
|------|--------------|----------------------|-----------------|
| 1 | Scope boundary readable | scope approval candidate | scope review only; owner decision received=0 |
| 2 | Scan mode not authorization | scan mode candidate | active scan / credentialed scan authorized=false |
| 3 | Credential boundary metadata only | credential handling candidate | secret value collection=false |
| 4 | Maintenance window not change | maintenance window candidate | host update authorized=false |
| 5 | Rollback owner readable | rollback owner candidate | owner approval record created=false |
| 6 | Validation metrics predefined | validation metrics candidate | runtime gate opened=false |
| 7 | Runtime gate still separate | runtime gate candidate | action buttons=false; runtime gate separate |

Every check is fixed at `display_mode=owner_decision_review_checklist_only`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This checklist does not mean the owner has completed the decision, approved it, created an approval record or opened a runtime gate. It only lets IwoooS state the order of human verification before the owner decision clearly.

## 3.16 Host Owner Decision Review Outcome Lanes

S2.25 splits the results that may follow the owner decision review checklist into seven read-only outcome lanes. This layer only answers "which resubmission or candidate decision record lane to return to after owner review"; it does not mark the review passed, create a decision record, mark anything approved or open a runtime gate.

| Order | Review outcome | Source check | Next step |
|------|----------------|------------|--------|
| 1 | Ready for decision record | scope, scan mode, runtime separation | Show the formal decision record candidate; received=0, accepted=0 |
| 2 | Scope needs refresh | scope boundary readable | Supply a scope boundary pointer; no scan started |
| 3 | Scan mode needs scope | scan mode not authorization | Supply a scan mode / scope statement; scan authorized=false |
| 4 | Credential boundary failed | credential boundary metadata only | Supply a metadata-only credential boundary; secret value collection=false |
| 5 | Maintenance window missing | maintenance window not change | Supply maintenance window constraints; host update=false |
| 6 | Rollback owner missing | rollback owner readable | Supply the rollback owner and recovery pointer; approval record=false |
| 7 | Runtime gate required | validation metrics, runtime gate still separate | Keep the runtime gate separate and still closed |

Every lane is fixed at `display_mode=owner_decision_review_outcome_only`, `owner_decision_review_passed_count=0`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This outcome board does not mean the owner review has passed, a decision record has been created, human approval has been completed or a runtime gate has been opened. It only lets IwoooS make the next-step triage after owner review clear.

## 3.17 Host Owner Decision Record Draft Packets

S2.26 splits the fields that need to be assembled after ready for decision record into seven read-only draft packets. This layer only answers "if owner review enters the ready lane, which metadata must the formal decision record draft contain"; it creates no decision record, marks nothing accepted, creates no approval record and opens no runtime gate.

| Order | Draft packet | Source lane | Required metadata |
|------|--------------|-----------|---------------|
| 1 | Scope statement draft | ready for decision record | host / network / service / exclusion / observation intent |
| 2 | Scan mode draft | scan mode scope required | observe-only / future active / credentialed scan candidate mode |
| 3 | Credential boundary draft | credential boundary failed | metadata-only credential owner / retention boundary |
| 4 | Maintenance constraints draft | maintenance window required | window / constraints / impact boundary / no-change statement |
| 5 | Rollback owner draft | rollback owner required | rollback owner / recovery path / human contact pointer |
| 6 | Validation metrics draft | runtime gate required | post-check metrics / baseline / evidence pointer |
| 7 | Runtime gate draft | runtime gate required | separate follow-up runtime gate pointer; active gate=0 |

Every draft packet is fixed at `display_mode=owner_decision_record_draft_only`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This draft board does not mean a decision record has been created, the owner decision has been accepted, security approval has been completed or a runtime gate has been opened. It only lets IwoooS spell out the decision record draft fields in advance, so that later human decisions do not mix in execution semantics.

## 3.18 Host Owner Decision Record Draft Review Checklist

S2.27 splits the verification conditions that follow the decision record draft packets into seven read-only checklist items. This layer only answers "is the draft sufficient to enter human decision record write-up"; it does not mark the review passed, create a decision record, mark anything accepted, create an approval record or open a runtime gate.

| Order | Draft review | Source packet | Verification condition |
|------|--------------|-------------|----------|
| 1 | Scope statement complete | scope draft | scope metadata complete |
| 2 | Scan mode still not approval | scan mode draft | scan mode not authorization |
| 3 | Credential boundary metadata only | credential boundary draft | credential boundary metadata-only |
| 4 | Maintenance constraints readable | maintenance constraints draft | maintenance constraints no-change |
| 5 | Rollback owner readable | rollback owner draft | rollback owner / recovery pointer readable |
| 6 | Validation metrics linked | validation metrics draft | metrics / baseline linked |
| 7 | Runtime gate still closed | runtime gate draft | runtime gate separate and closed |

Every review check is fixed at `display_mode=owner_decision_record_draft_review_checklist_only`, `decision_record_review_passed_count=0`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This checklist does not mean the decision record review has passed, a decision record has been created, the owner decision has been accepted or a runtime gate has been opened. It only lets IwoooS state the verification conditions before the draft enters formal human review.

## 3.19 Host Owner Decision Record Draft Review Outcome Lanes

S2.28 splits the results that may follow the decision record draft review checklist into seven read-only outcome lanes. This layer only answers "after draft verification, whether to enter the formal write-up candidate, which draft to supply, or wait for a separate runtime gate"; it does not mark the review passed, create a decision record, mark anything accepted, create an approval record or open a runtime gate.

| Order | Review outcome | Source check | Next step |
|------|----------------|------------|--------|
| 1 | Ready for decision record write-up | scope, scan mode, runtime separation | Show the formal decision record write-up candidate; record created=false |
| 2 | Scope draft incomplete | scope statement review | Supply the scope statement; no record created |
| 3 | Scan mode ambiguous | scan mode review | Supply the scan mode wording; scan authorized=false |
| 4 | Credential boundary incomplete | credential boundary review | Supply a metadata-only credential boundary; secret collection=false |
| 5 | Maintenance constraints incomplete | maintenance constraints review | Supply maintenance constraints; host update=false |
| 6 | Rollback owner incomplete | rollback owner review | Supply the rollback owner and recovery pointer; approval record=false |
| 7 | Runtime gate still required | validation metrics, runtime gate review | Keep the runtime gate separate and still closed |

Every lane is fixed at `display_mode=owner_decision_record_draft_review_outcome_only`, `decision_record_review_passed_count=0`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This outcome board does not mean the draft review has passed, a decision record has been created, the owner decision has been accepted, security approval has been completed or a runtime gate has been opened. It only lets IwoooS make the next step after draft verification clear.

## 3.20 Host Owner Decision Record Write-Up Packets

S2.29 splits the formal write-up fields to be assembled after ready for decision record write-up into seven read-only packets. This layer only answers "if a formal decision record is written in the future, which fields does it need"; it does not mark the write-up completed, create a decision record, mark anything accepted, create an approval record or open a runtime gate.

| Order | Write-up packet | Source lane | Required fields |
|------|-----------------|-----------|----------|
| 1 | Decision summary write-up | ready for decision record write-up | human decision summary, risk acceptance boundary, no-execution statement |
| 2 | Approved scope write-up | ready for decision record write-up | host / network / service / exclusion / observation intent / expiry |
| 3 | Scan mode limits write-up | scan mode ambiguous | observe-only, future active scan, credentialed scan limits |
| 4 | Credential boundary write-up | credential boundary incomplete | metadata-only credential owner, retention boundary, forbidden collection |
| 5 | Maintenance and rollback write-up | maintenance constraints incomplete | maintenance window, constraints, rollback owner, recovery path, human contact |
| 6 | Validation evidence write-up | runtime gate required | post-check metrics, baseline, evidence pointer, human acceptance condition |
| 7 | Runtime gate pointer write-up | runtime gate required | separate follow-up runtime gate pointer; active gate=0 |

Every packet is fixed at `display_mode=owner_decision_record_writeup_only`, `decision_record_writeup_completed_count=0`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This write-up board does not mean the formal decision record has been completed, a decision record has been created, the owner decision has been accepted, security approval has been completed or a runtime gate has been opened. It only lets IwoooS spell out the formal write-up fields in advance while keeping subsequent human approval and the runtime gate separate.

## 3.21 Host Owner Decision Record Write-Up Review Checklist

S2.30 splits the check conditions that follow the write-up packets into seven read-only checklist items. This layer only answers "are the formal write-up fields readable and traceable, and do they still not escalate into approval semantics"; it does not mark review passed, does not mark write-up completed, does not create a decision record, does not mark accepted, does not create an approval record, and does not open a runtime gate.

| Order | Write-up review | Source packet | Check condition |
|------|-----------------|---------------|-----------------|
| 1 | Decision summary readable | decision summary write-up | decision summary, risk acceptance, no-execution statement readable |
| 2 | Scope and expiry complete | approved scope write-up | scope, exclusion, observation intent, expiry complete |
| 3 | Scan mode limits explicit | scan mode limits write-up | scan mode limits explicit and not authorization |
| 4 | Credential boundary metadata only | credential boundary write-up | metadata-only boundary and no secret collection |
| 5 | Maintenance and rollback linked | maintenance / rollback write-up | maintenance window, constraints, rollback, human contact linked |
| 6 | Validation evidence linked | validation evidence write-up | metrics, baseline, evidence, acceptance condition linked |
| 7 | Runtime gate still separate | runtime gate pointer write-up | runtime gate pointer separate and closed |

Every review check is fixed to `display_mode=owner_decision_record_writeup_review_checklist_only`, `decision_record_writeup_review_passed_count=0`, `decision_record_writeup_completed_count=0`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This checklist does not mean that the write-up review has passed, that the formal decision record is complete, that a decision record has been created, that an owner decision has been accepted, or that a runtime gate has been opened. It only lets IwoooS state the check conditions a formal decision record must satisfy before it enters the later human review.

## 3.22 Host Owner Decision Record Write-Up Review Outcome Lanes

S2.31 splits the possible results after the write-up review checklist into seven read-only outcome lanes. This layer only answers "what should be displayed as the next step after the check"; it does not mark review passed, does not mark write-up completed, does not create a decision record, does not mark accepted, does not create an approval record, and does not open a runtime gate.

| Order | Review outcome | Source check | Next step |
|------|----------------|--------------|-----------|
| 1 | Ready for formal record candidate | summary, scope, runtime gate checks | show formal record candidate; record created=false |
| 2 | Decision summary needs clarification | summary check | supply decision summary; completed=0 |
| 3 | Scope and expiry needs refresh | scope check | supply scope / expiry; record created=false |
| 4 | Scan mode limits ambiguous | scan mode limits check | supply scan wording; scan authorized=false |
| 5 | Credential boundary failed | credential boundary check | supply metadata-only boundary; secret collection=false |
| 6 | Maintenance and rollback incomplete | maintenance / rollback check | supply maintenance / rollback; host update=false |
| 7 | Runtime gate still required | validation evidence, runtime gate checks | active runtime gates=0; action buttons=false |

Every outcome lane is fixed to `display_mode=owner_decision_record_writeup_review_outcome_only`, `decision_record_writeup_review_passed_count=0`, `decision_record_writeup_completed_count=0`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This outcome board does not mean that the write-up review has passed, that the formal decision record is complete, that a decision record has been created, that an owner decision has been accepted, that security approval is complete, or that a runtime gate has been opened. It only lets IwoooS show clearly, after the write-up review, which items are missing, whether a candidate exists, and that the runtime gate remains separate.

## 3.23 Host Owner Decision Record Formal Candidate Packets

S2.32 splits the candidate formal record fields that follow "ready for formal record candidate" into seven read-only packets. This layer only answers "if a formal decision record is actually to be created later, which readable fields must the candidate carry"; it does not mark finalized, does not create a decision record, does not mark accepted, does not create an approval record, and does not open a runtime gate.

| Order | Candidate packet | Source lane | Candidate fields |
|------|------------------|-------------|------------------|
| 1 | Record identity candidate | ready for formal record candidate | record id, version, owner, review scope, trace source |
| 2 | Decision summary candidate | ready for formal record candidate | human decision summary, risk acceptance boundary, no-execution statement |
| 3 | Approved scope candidate | ready for formal record candidate | host / network / service / exclusion / observation intent / expiry |
| 4 | Scan mode limits candidate | ready for formal record candidate | observe-only, future active scan, credentialed scan limits |
| 5 | Credential boundary candidate | ready for formal record candidate | metadata-only credential owner, retention, masking, forbidden collection |
| 6 | Maintenance and rollback candidate | ready for formal record candidate | maintenance window, constraints, rollback owner, recovery path, human contact |
| 7 | Validation and runtime gate candidate | ready for formal record candidate | validation evidence, post-check metrics, baseline pointer, separate runtime gate requirement |

Every candidate packet is fixed to `display_mode=owner_decision_record_formal_candidate_only`, `formal_record_candidate_finalized_count=0`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This candidate board does not mean that the formal decision record has been finalized, that a decision record has been created, that an owner decision has been accepted, that security approval is complete, or that a runtime gate has been opened. It only lets IwoooS present the formal record candidate fields clearly first, so that the later human owner decision and the runtime gate stay separate.

## 3.24 Host Owner Decision Record Formal Candidate Review Checklist

S2.33 splits the read-only check conditions that follow the formal candidate packets into seven review checklist items. This layer only answers "which fields have to be understood before the candidate enters the later human record"; it does not mark review passed, does not mark finalized, does not create a decision record, does not mark accepted, does not create an approval record, and does not open a runtime gate.

| Order | Candidate review | Source packet | Locked condition |
|------|------------------|---------------|------------------|
| 1 | Record identity traceable | identity packet | record created=false |
| 2 | Decision summary readable | decision summary packet | accepted=0 |
| 3 | Scope and expiry consistent | approved scope packet | finalized=0 |
| 4 | Scan limits still not authorization | scan mode limits packet | scan authorized=false |
| 5 | Credential boundary still metadata-only | credential boundary packet | secret collection=false |
| 6 | Maintenance and rollback traceable | maintenance / rollback packet | host update=false |
| 7 | Runtime gate still closed | validation / runtime gate packet | active runtime gates=0; action buttons=false |

Every checklist item is fixed to `display_mode=owner_decision_record_formal_candidate_review_checklist_only`, `formal_record_candidate_review_passed_count=0`, `formal_record_candidate_finalized_count=0`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This review checklist does not mean that the formal candidate review has passed, that the formal decision record has been finalized, that a decision record has been created, that an owner decision has been accepted, that security approval is complete, or that a runtime gate has been opened. It only lets IwoooS show the human check points of the candidate review clearly, so that field readability is not mistaken for formal approval.

## 3.25 Host Owner Decision Record Formal Candidate Review Outcome Lanes

S2.34 splits the possible results after the formal candidate review checklist into eight read-only outcome lanes. This layer only answers "after the candidate check, what has to be supplied or which branch is shown"; it does not mark review passed, does not mark finalized, does not create a decision record, does not mark accepted, does not create an approval record, and does not open a runtime gate.

| Order | Review outcome | Source check | Next step |
|------|----------------|--------------|-----------|
| 1 | Ready for human record queue | all review checks | show eligibility for the human formal record queue; record created=false |
| 2 | Record identity needs trace | identity check | supply identity trace; review passed=0 |
| 3 | Decision summary needs clarification | summary check | supply decision summary; accepted=0 |
| 4 | Scope and expiry need refresh | scope check | supply scope / expiry; finalized=0 |
| 5 | Scan limits remain ambiguous | scan limits check | supply scan limits; scan authorized=false |
| 6 | Credential boundary failed | credential boundary check | supply metadata-only boundary; secret collection=false |
| 7 | Maintenance and rollback incomplete | maintenance / rollback check | supply maintenance / rollback; host update=false |
| 8 | Runtime gate still required | runtime gate check | active runtime gates=0; action buttons=false |

Every outcome lane is fixed to `display_mode=owner_decision_record_formal_candidate_review_outcome_only`, `formal_record_candidate_review_passed_count=0`, `formal_record_candidate_finalized_count=0`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This outcome board does not mean that the formal candidate review has passed, that the formal decision record has been finalized, that a decision record has been created, that an owner decision has been accepted, that security approval is complete, or that a runtime gate has been opened. It only lets IwoooS show clearly, after the candidate check, which items are missing, whether the queue branch applies, and that the runtime gate remains separate.

## 3.26 Host Owner Decision Record Formal Record Queue Packets

S2.35 splits the human formal record queue data that follows "ready for human record queue" into eight read-only packets. This layer only answers "if a human is to create a formal record later, which data packets does the queue view need"; it does not enqueue, does not create a decision record, does not mark accepted, does not create an approval record, and does not open a runtime gate.

| Order | Queue packet | Source lane | Queue fields |
|------|--------------|-------------|--------------|
| 1 | Queue identity packet | ready for human record queue | candidate record id, version, owner, review scope, trace source |
| 2 | Queue decision summary packet | ready for human record queue | decision summary, risk acceptance boundary, no-execution statement |
| 3 | Queue scope and expiry packet | ready for human record queue | host / network / service / exclusion / observation intent / expiry |
| 4 | Queue scan limits packet | ready for human record queue | observe-only, future active scan, credentialed scan limits |
| 5 | Queue credential boundary packet | ready for human record queue | metadata-only credential owner, retention, masking, forbidden collection |
| 6 | Queue maintenance and rollback packet | ready for human record queue | maintenance window, constraints, rollback owner, recovery path, human contact |
| 7 | Queue validation and runtime gate packet | ready for human record queue | validation evidence, post-check metrics, baseline pointer, separate runtime gate requirement |
| 8 | Queue no-execution attestation packet | ready for human record queue | not authorization, no execution, no approval, no runtime gate statement |

Every queue packet is fixed to `display_mode=owner_decision_record_formal_record_queue_packet_only`, `formal_record_queue_enqueued_count=0`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This queue packet board does not mean that the formal record queue has been enqueued, that a decision record has been created, that an owner decision has been accepted, that security approval is complete, or that a runtime gate has been opened. It only lets IwoooS display the data packets the human formal record queue needs to see, so that queue readability is not mistaken for execution authorization.

## 3.27 Host Owner Decision Record Formal Record Queue Review Checklist

S2.36 splits the human formal record queue check that follows the formal record queue packets into eight read-only checklist items. This layer only answers "are the queue data packets fit for a future human formal record review"; it does not mark review passed, does not enqueue, does not create a decision record, does not create an approval record, and does not open a runtime gate.

| Order | Queue review check | Source packet | Protected boundary |
|------|--------------------|---------------|--------------------|
| 1 | Queue identity traceable | Queue identity packet | trace only; queue enqueued=0 |
| 2 | Queue decision summary readable | Queue decision summary packet | summary only; record created=false |
| 3 | Queue scope and expiry fresh | Queue scope and expiry packet | scope check only; finalized=0 |
| 4 | Queue scan limits not authorization | Queue scan limits packet | scan authorized=false |
| 5 | Queue credential boundary metadata-only | Queue credential boundary packet | secret collection=false |
| 6 | Queue maintenance and rollback linked | Queue maintenance and rollback packet | host change=false |
| 7 | Queue validation gate separate | Queue validation and runtime gate packet | active gates=0 |
| 8 | Queue no-execution attestation present | Queue no-execution attestation packet | action buttons=false |

Every queue review check is fixed to `display_mode=owner_decision_record_formal_record_queue_review_checklist_only`, `formal_record_queue_review_passed_count=0`, `formal_record_queue_enqueued_count=0`, `decision_record_created=false`, `owner_decision_received_count=0`, `owner_decision_accepted_count=0`, `owner_approval_record_created=false`, `runtime_gate_opened=false`, `raw_payload_allowed=false`, `secret_value_collection_allowed=false`, `runtime_execution_authorized=false`, `action_buttons_allowed=false`, `not_authorization=true`.

This queue review checklist does not mean that the formal record queue check has passed, that the formal record has been enqueued, that a decision record has been created, that an owner decision has been accepted, that security approval is complete, or that a runtime gate has been opened. It only lets IwoooS display the check conditions the queue data packets must satisfy before entering the human formal record, so that checklist visibility is not mistaken for execution authorization.

## 4. Still prohibited

IwoooS must not provide any of the following outputs:

1. scan / execute / repair buttons.
2. repo creation, visibility change, refs sync / delete / force push.
3. Modification of workflow / webhook / runner / deploy key / branch protection / repository secret.
4. GitHub primary switch or Gitea disable.
5. production deploy or runtime enforcement.
6. SSH to a host, opening an SSH session, updating Kali, package upgrade, credentialed scan, or active scan.
7. Applying a runtime blocking control.
8. Marking host evidence as received / accepted, or importing raw host evidence.
9. Advancing host collection state or skipping a host evidence dependency.
10. Accepting host evidence that has not passed preflight.
11. Collecting host credential plaintext, ingesting host raw payload, or advancing host evidence counters from the frontend.
12. Creating a host approval record from a review outcome lane, treating a review lane as a runtime gate, or marking a review outcome as accepted.
13. Treating a host handoff packet as approval, marking a handoff packet received, or storing handoff sensitive payload.
14. Treating the reviewer checklist as approval, marking reviewer check passed from the frontend, or opening a runtime gate from a reviewer check.
15. Treating a reviewer outcome as approval, marking reviewer outcome passed, or opening a runtime gate from a reviewer outcome.
16. Treating an owner decision candidate as approval, marking host owner decision approved, or opening a runtime gate from an owner decision candidate.
17. Treating the owner decision review checklist as approval, marking owner decision review passed, or opening a runtime gate from the owner decision review checklist.
18. Treating an owner decision review outcome as approval, marking owner decision review outcome passed, or opening a runtime gate from an owner decision review outcome.
19. Creating a host owner decision record from an owner decision record draft, marking record created, or opening a runtime gate from a draft.
20. Treating an owner decision record draft review as approval, marking draft review passed, creating a decision record from a draft review, or opening a runtime gate from a draft review.
21. Treating an owner decision record draft review outcome as approval, marking draft review outcome passed, creating a decision record from a draft review outcome, or opening a runtime gate from a draft review outcome.
22. Creating a decision record from an owner decision record write-up, marking write-up completed, marking decision record accepted, or opening a runtime gate from a write-up.
23. Treating an owner decision record write-up review as approval, marking write-up review passed / completed, creating a decision record from a write-up review, or opening a runtime gate from a write-up review.
24. Treating an owner decision record write-up review outcome as approval, marking write-up review outcome passed / completed, creating a decision record from a write-up review outcome, or opening a runtime gate from a write-up review outcome.
25. Treating an owner decision record formal candidate as approval, marking formal candidate finalized, creating or accepting a decision record from a formal candidate, or opening a runtime gate from a formal candidate.
26. Treating an owner decision record formal candidate review as approval, marking formal candidate review passed / finalized, creating a decision record from a formal candidate review, or opening a runtime gate from a formal candidate review.
27. Treating an owner decision record formal candidate review outcome as approval, marking formal candidate review outcome passed / finalized, creating a decision record from a formal candidate review outcome, or opening a runtime gate from a formal candidate review outcome.
28. Treating an owner decision record formal record queue packet as approval, enqueuing the formal record queue from the frontend, creating or accepting a decision record from a formal record queue packet, or opening a runtime gate from a formal record queue packet.
29. Treating the owner decision record formal record queue review checklist as approval, marking queue review passed, enqueuing or creating a decision record from the queue review, or opening a runtime gate from the queue review.
30. Treating the 58% progress, the contract count, mirror readiness, or any frontend-visible state as authorization.

## 5. Verification

Read-only verification:

```text
python3 scripts/security/security-mirror-progress-guard.py
```

This guard confirms that the IwoooS projection is aligned with the rollup / rollout policy and that `runtime_execution_authorized=false`, `action_buttons_allowed=false`, and `not_authorization=true` hold.
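The kind of invariant check that guard performs, written here as an added example rather than the project's own `security-mirror-progress-guard.py`: it walks a constructed projection snapshot and reports any lane, packet or checklist item whose fixed values drift from the contract (a `*_only` display mode, every `*_count` at 0, the boolean flags at false, `not_authorization=true`). The `lanes` list shape and the lane ids are assumptions for the example.

```python
"""Added example: read-only invariant guard for projected IwoooS lanes.
Not the project's security-mirror-progress-guard.py; the snapshot is constructed."""
from __future__ import annotations

# Boolean flags the contract fixes to false on every lane, packet and check.
REQUIRED_FALSE = (
    "decision_record_created", "owner_approval_record_created", "runtime_gate_opened",
    "raw_payload_allowed", "secret_value_collection_allowed",
    "runtime_execution_authorized", "action_buttons_allowed",
)
# Counters the contract fixes to 0; any other *_count key must be 0 as well.
REQUIRED_ZERO = ("owner_decision_received_count", "owner_decision_accepted_count")


def _is_zero(value: object) -> bool:
    # bool subclasses int, so a bare `value == 0` would accept False.
    return type(value) is int and value == 0


def lane_violations(lane: dict) -> list[str]:
    """Return every way one projected lane breaks the not-authorization contract."""
    problems: list[str] = []
    mode = lane.get("display_mode")
    if not isinstance(mode, str) or not mode.endswith("_only"):
        problems.append(f"display_mode must be a *_only mode, got {mode!r}")
    if lane.get("not_authorization") is not True:
        problems.append("not_authorization must be true")
    for key in REQUIRED_FALSE:
        if lane.get(key) is not False:  # missing and true both fail
            problems.append(f"{key} must be false, got {lane.get(key)!r}")
    counters = set(REQUIRED_ZERO) | {k for k in lane if k.endswith("_count")}
    for key in sorted(counters):
        if not _is_zero(lane.get(key)):
            problems.append(f"{key} must be 0, got {lane.get(key)!r}")
    return problems


def guard_snapshot(snapshot: dict) -> dict[str, list[str]]:
    """Map lane id -> violations; an empty dict means the projection is aligned."""
    report: dict[str, list[str]] = {}
    for lane in snapshot.get("lanes", []):
        found = lane_violations(lane)
        if found:
            report[lane.get("id", "<unnamed>")] = found
    return report


def projection_aligned(snapshot: dict) -> bool:
    return not guard_snapshot(snapshot)


# Constructed sample: one compliant queue review check, and a copy that a
# drifted frontend build has promoted into an execution control.
CLEAN_LANE = {
    "id": "queue-review-8",
    "display_mode": "owner_decision_record_formal_record_queue_review_checklist_only",
    "formal_record_queue_review_passed_count": 0,
    "formal_record_queue_enqueued_count": 0,
    "owner_decision_received_count": 0, "owner_decision_accepted_count": 0,
    **{flag: False for flag in REQUIRED_FALSE}, "not_authorization": True,
}
BROKEN_LANE = {**CLEAN_LANE, "id": "queue-review-drift",
               "formal_record_queue_enqueued_count": 1, "action_buttons_allowed": True}
SAMPLE_SNAPSHOT = {"lanes": [CLEAN_LANE, BROKEN_LANE]}
```

Run `guard_snapshot(SAMPLE_SNAPSHOT)` to see the drifted lane reported with both of its violations while the compliant lane stays silent.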