IwoooS Frontend Security Posture Projection Contract
| Item | Content |
|---|---|
| Date | 2026-05-19 |
| Status | Draft |
| Schema | docs/schemas/iwooos_posture_projection_v1.schema.json |
| Snapshot | docs/security/iwooos-posture-projection.snapshot.json |
| Mode | mirror_only |
| runtime execution authorized | false |
1. Purpose
iwooos_posture_projection_v1 defines how IwoooS projects existing security-mirror data to the frontend.
It only permits displaying security posture, headline progress, framework / runtime landing, non-blocking lanes, evidence refs, and the next high-level gate. It is not a scanner, not a remediator, not an approval gate, and not an authorization for the GitHub primary cutover.
2. Sources
The first IwoooS release only reads or aligns with the following already-committed evidence:
| Source | Purpose |
|---|---|
| security_mirror_status_rollup_v1 | 58% headline, 36 contracts, 0 active runtime gates, next high-level gate |
| security_rollout_policy_v1 | 7 low-friction non-blocking lanes |
| source_control_owner_response_validation_rollup_v1 | owner responses still at 0; S4.9 is the next intake candidate |
| kali_integration_status_v1 | Kali 112 observe-only integration posture |
| /iwooos frontend route | display entry point; provides no execute buttons |
| Existing frontend security pages | read-only index; does not move the original pages' responsibility boundaries and adds no execution controls |
3. What the frontend may display
- Security Posture / Exposure entry point.
- 58% headline progress and framework / runtime landing interpretation.
- 36 primary contracts: 33 ready, 2 partial, 1 contract-only, 0 blocked.
- 0 active runtime gates.
- Four facets: Exposure, source-control, Kali 112, approval boundary.
- 7 non-blocking lanes.
- evidence refs and the next high-level gate.
- Index of 10 existing frontend security-related pages.
- 4 frontend security responsibility facets and 5 overlap / conflict controls.
- 6 read-only security handling journey stages.
- 7 owner evidence readiness items.
- 3 read-only host coverage items: Kali 112, development host 168, development host 111.
- 6 host action gate items: active scan, credentialed scan, Kali /execute, SSH / host change, Kali update, runtime blocking control.
- 7 host evidence readiness items: scope boundary, owner decision, credential handling, maintenance window, rollback plan, validation metrics, redacted ingestion.
- 7 host evidence collection order steps, showing the intake order and prerequisite dependencies.
- 7 host evidence intake preflight checks, showing the reject / quarantine rules applied before future evidence enters human review.
- 7 host evidence review outcome lanes, showing how human review results are routed after preflight.
- 7 host evidence review handoff packets, showing the redacted handoff package a human reviewer needs.
- 7 host evidence reviewer checklist items, showing the read-only checks a reviewer still has to confirm after reading the handoff packets.
- 7 host evidence reviewer outcome lanes, showing the read-only result routing after the reviewer checklist.
- 7 host owner decision candidate packets, showing the scope of human decision still needed before a reviewer outcome reaches an owner decision.
- 7 host owner decision review checklist items, showing the safety boundaries still requiring human verification after the owner decision candidate packets.
- 7 host owner decision review outcome lanes, showing the read-only result routing after the owner review checklist.
- 7 host owner decision record draft packets, showing the draft fields a formal decision record candidate requires.
- 7 host owner decision record draft review checklist items, showing the conditions still requiring read-only verification before draft fields enter a formal decision record.
- 7 host owner decision record draft review outcome lanes, showing the read-only result routing after draft verification.
- 7 host owner decision record write-up packets, showing the fields for writing a formal decision record, without creating the record, marking it completed / accepted, or opening a runtime gate.
- 7 host owner decision record write-up review checklist items, showing the conditions still requiring read-only verification before formal write-up fields enter a decision record.
- 7 host owner decision record write-up review outcome lanes, showing the read-only result routing and next step after write-up review.
- 7 host owner decision record formal candidate packets, showing the candidate fields a formal record candidate needs, without creating a decision record, marking it finalized / accepted, or opening a runtime gate.
- 7 host owner decision record formal candidate review checklist items, showing the conditions still requiring read-only verification before formal candidate packets proceed to subsequent human recording.
- 8 host owner decision record formal candidate review outcome lanes, showing the read-only result routing and next step after candidate review.
- 8 host owner decision record formal record queue packets, showing the packages the human formal record queue needs to see, without enqueuing, creating a decision record, or opening a runtime gate.
- 8 host owner decision record formal record queue review checklist items, showing the conditions still requiring read-only verification before queue packages enter human formal record review.
- 8 host owner decision record formal record queue review outcome lanes, showing the read-only result routing and next step after queue review.
- 8 host owner decision record human handoff readiness packets, showing the metadata to prepare before a future handoff to the human record owner, without starting the handoff, marking ready, creating a decision record, or opening a runtime gate.
- 8 host owner decision record human handoff readiness review checklist items, showing the conditions still requiring read-only verification before readiness packets reach the human record owner, without marking review passed, starting the handoff, creating a decision record, or opening a runtime gate.
- 9 host owner decision record human handoff readiness review outcome lanes, showing the read-only result routing and next step after readiness review, without marking review passed, starting the handoff, marking handoff ready, enqueuing, creating a decision record, or opening a runtime gate.
3.1 Existing frontend security page integration
S2.10 brings the security-related pages that already existed in the frontend into IwoooS, solely as a route / source / read-only mode index.
| Route | Source | IwoooS presentation |
|---|---|---|
| /security-compliance | SecurityPanel / CompliancePanel | Security and compliance integration page |
| /security | apps/web/src/app/[locale]/security/page.tsx | Existing security monitoring page |
| /compliance | apps/web/src/app/[locale]/compliance/page.tsx | Existing compliance page |
| /alerts | useIncidents / IncidentCard | Alert management |
| /errors | ErrorsPanel | Error and UX audit |
| /authorizations | LiveApprovalPanel | HITL / multi-sig authorization center |
| /governance | Governance tabs | AI governance hub |
| /alert-operation-logs | Alert operation log page | Alert operation audit |
| /awooop/approvals | AwoooP approvals page | AwoooP approval queue |
| /code-review | Code Review page | AI Code Review control plane |
These routes keep their original functionality and owner boundaries; IwoooS only provides a visible index and does not promote any page into a scan, execute, repair, blocking gate, deploy approval, or runtime authorization.
3.2 Coverage and boundary matrix
S2.11 divides the 10 existing frontend security pages into four responsibility facets, so users can see where the signals are, where the human controls are, where governance and audit are, and where engineering review is.
| Responsibility facet | Route | Boundary |
|---|---|---|
| Signals and exposure | /security-compliance, /security, /compliance, /alerts, /errors | Shows risk, incident, error, UX audit and compliance signals; does not promote an observation directly to blocking |
| Human control boundary | /authorizations, /awooop/approvals | Shows HITL / multi-sig / AwoooP approvals; not equivalent to a security runtime gate having been approved |
| Governance and audit | /governance, /alert-operation-logs | Shows governance events, SLOs, remediation queues and operation logs; an audit event is not an execution authorization |
| Engineering review | /code-review | Shows the AI Code Review pipeline; review results may generate follow-ups but are not equivalent to deploy approval |
Overlap / conflict controls:
- IwoooS keeps the original route owner and does not move data write permissions.
- The coverage matrix must not be promoted into a runtime gate.
- A Code Review link is not equivalent to deploy approval.
- AwoooP approval status is not equivalent to a security approval decision record.
- The frontend index must not invoke Kali active scan or /execute.
3.3 Security handling journey
S2.12 fixes the user-visible security handling flow as 6 read-only stages:
| Order | Stage | Output |
|---|---|---|
| 1 | Read current posture | Shows posture / progress / gate status; does not represent authorization |
| 2 | Open an existing security page | Enters the original route, keeping the original owner and data boundaries |
| 3 | Interpret non-blocking routing | Creates a follow-up; does not escalate directly to blocking |
| 4 | Collect owner evidence | Updates received / accepted status; performs no repo / refs / workflow / Kali action |
| 5 | Wait for human decision | Requires a decision record; AwoooP approval, Code Review or progress numbers are no substitute |
| 6 | Prepare the follow-up runtime gate | A follow-up runtime gate is opened separately only after human approval; active runtime gates currently remain at 0 |
This journey is a status projection, not an execution queue. Any active scan, repair, deploy, GitHub primary, repo / refs / workflow / runner or secret change still requires independent approval and a subsequent runtime gate.
3.4 Owner Evidence Readiness
S2.13 shows the evidence actually needed for the next step in headline progress as a read-only readiness board.
| Order | Evidence item | Current status | Release condition |
|---|---|---|---|
| 1 | S4.9 Gitea owner attestation response | next collection candidate; received=0, accepted=0 | Redacted owner response received and accepted |
| 2 | S4.10 GitHub target owner response | waiting owner response; received=0, accepted=0 | GitHub target owner response accepted |
| 3 | S4.11 refs truth owner response | waiting owner response; received=0, accepted=0 | refs truth owner response accepted |
| 4 | S4.12 workflow / secret name owner response | waiting owner response; received=0, accepted=0 | workflow / secret owner response accepted |
| 5 | Redacted finding ingestion | approval required; received=0, accepted=0 | Redacted findings received after human approval |
| 6 | Kali scan scope approval | approval required; received=0, accepted=0 | scan scope approval + follow-up runtime gate |
| 7 | Follow-up runtime gate | locked until human decision; active gate=0 | A runtime gate is opened separately after the decision record is accepted |
This board only states what is still missing; it does not mean evidence has been received, evidence has been accepted, approval has been granted, scanning is allowed, repair is allowed, deployment is allowed, or the GitHub primary cutover is allowed.
3.5 Host coverage view
S2.14 brings the Kali host and the two development hosts designated by the Commander into the visible security scope of IwoooS, so users can see which hosts have been included in the subsequent security-mirror path.
| Order | Host | Role | Current status |
|---|---|---|---|
| 1 | 192.168.0.112 | Kali security host | Already an observe-only integration in posture / evidence refs; active scan, /execute, SSH changes and host updates remain unapproved |
| 2 | 192.168.0.168 | Development host | Declared as observe-only scope; credentialed scan and runtime control remain unapproved |
| 3 | 192.168.0.111 | Development host | Declared as observe-only scope; credentialed scan and runtime control remain unapproved |
This view only means "brought into view"; it does not mean a scan has been started, a host has been logged into, Kali has been updated, a host has been tuned, an SSH workflow has been established, or runtime control has been allowed.
3.6 Host action gate matrix
S2.15 splits high-risk host-related actions into a read-only gate matrix, so that "host brought into view" is not misread as "may be scanned, logged into, updated or blocked directly".
| Order | Action | Hosts | Current gate |
|---|---|---|---|
| 1 | Active scan | 192.168.0.112, 192.168.0.168, 192.168.0.111 | Requires S1.6 scan scope approval and a subsequent runtime gate |
| 2 | Credentialed scan | 192.168.0.112, 192.168.0.168, 192.168.0.111 | Requires scope, credential handling and redacted evidence rules; currently unapproved |
| 3 | Kali /execute | 192.168.0.112 | block candidate; requires a human decision record and the S3.4 follow-up runtime gate |
| 4 | SSH / host change | 192.168.0.112, 192.168.0.168, 192.168.0.111 | Requires explicit human approval, a change plan and rollback evidence |
| 5 | Kali host update | 192.168.0.112 | Requires a maintenance window, an update list, validation metrics and a rollback plan |
| 6 | Runtime blocking control | 192.168.0.112, 192.168.0.168, 192.168.0.111 | Requires an accepted decision record; active runtime gates currently remain at 0 |
Every item is fixed at display_mode=gate_only, with active_scan_authorized=false, credentialed_scan_authorized=false, ssh_change_authorized=false, host_update_authorized=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
3.7 Host Evidence Readiness
S2.16 shows the evidence required before host actions can be unlocked as a read-only readiness board. This layer only answers "what is missing before the next step"; it does not mean any evidence has been received or accepted.
| Order | Evidence item | Current status | Affected scope |
|---|---|---|---|
| 1 | Scope boundary | waiting redacted scope approval; received=0, accepted=0 | Targets, exclusions, depth and rate for 112, 168 and 111 |
| 2 | Owner decision record | waiting human decision record; received=0, accepted=0 | Human-controlled decision; cannot be substituted by visible status |
| 3 | Credential handling | credential material collection forbidden; received=0, accepted=0 | Credential source, storage boundary, masking and rejection rules before a credentialed scan |
| 4 | Maintenance window | waiting maintenance window; received=0, accepted=0 | Windows for Kali update, SSH / host change and host tuning |
| 5 | Rollback plan | waiting rollback plan; received=0, accepted=0 | Restoring package, configuration, service and toolchain versions |
| 6 | Validation metrics | waiting post-check metrics; received=0, accepted=0 | Post-checks for scanner, monitoring, services and user flows |
| 7 | Redacted ingestion | waiting redacted payload acceptance; received=0, accepted=0 | Findings / scan results may enter the mirror only as redacted summaries |
Every item is fixed at display_mode=evidence_readiness_only, with active_scan_authorized=false, credentialed_scan_authorized=false, ssh_change_authorized=false, host_update_authorized=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
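A drift check for the frozen flags of the host action gate matrix (S2.15) and the host evidence readiness board (S2.16), added here as an example and not IwoooS project code. The item shape, the `layer` field and the sample items are assumptions of this example; the same table-driven check extends to the later layers by adding their pinned counters and flags (for example `approval_record_created`, `runtime_gate_opened`) to the frozen-flag table.

```typescript
// Added example (not IwoooS project code): verify that projected snapshot items
// still carry the flags the contract pins, and list every field that drifted.
// The frontend must never infer "false" from a missing flag, so absence is drift too.

// Flags the contract fixes for both the gate matrix and the readiness board.
const FROZEN_AUTHORIZATION_FLAGS = {
  active_scan_authorized: false,
  credentialed_scan_authorized: false,
  ssh_change_authorized: false,
  host_update_authorized: false,
  runtime_execution_authorized: false,
  action_buttons_allowed: false,
  not_authorization: true,
} as const;

// display_mode each layer must use. The layer names are an assumption of this example.
const LAYER_DISPLAY_MODE: Record<string, string> = {
  host_action_gate: "gate_only",
  host_evidence_readiness: "evidence_readiness_only",
};

// Item shape is an assumption; the contract references a schema file but it is not reproduced here.
interface ProjectionItem {
  layer: string;
  display_mode: string;
  received_count?: number;
  accepted_count?: number;
  [field: string]: unknown;
}

interface Violation {
  item: number;
  field: string;
  expected: unknown;
  actual: unknown;
}

function findFrozenFlagDrift(items: ProjectionItem[]): Violation[] {
  const violations: Violation[] = [];
  items.forEach((item, index) => {
    const expectedMode = LAYER_DISPLAY_MODE[item.layer];
    if (expectedMode === undefined) {
      violations.push({ item: index, field: "layer", expected: Object.keys(LAYER_DISPLAY_MODE), actual: item.layer });
    } else if (item.display_mode !== expectedMode) {
      violations.push({ item: index, field: "display_mode", expected: expectedMode, actual: item.display_mode });
    }
    for (const [flag, expected] of Object.entries(FROZEN_AUTHORIZATION_FLAGS)) {
      if (item[flag] !== expected) {
        violations.push({ item: index, field: flag, expected, actual: item[flag] });
      }
    }
    // Readiness items additionally pin received=0 and accepted=0 (S2.16 table).
    if (item.layer === "host_evidence_readiness") {
      for (const counter of ["received_count", "accepted_count"] as const) {
        if (item[counter] !== 0) {
          violations.push({ item: index, field: counter, expected: 0, actual: item[counter] });
        }
      }
    }
  });
  return violations;
}

// Constructed sample: one compliant gate item and one readiness item that drifted
// (an authorization flag flipped to true and a counter advanced).
const SAMPLE_ITEMS: ProjectionItem[] = [
  {
    layer: "host_action_gate",
    action: "Kali /execute",
    hosts: ["192.168.0.112"],
    display_mode: "gate_only",
    ...FROZEN_AUTHORIZATION_FLAGS,
  },
  {
    layer: "host_evidence_readiness",
    evidence_item: "Credential handling",
    display_mode: "evidence_readiness_only",
    ...FROZEN_AUTHORIZATION_FLAGS,
    active_scan_authorized: true,
    received_count: 1,
    accepted_count: 0,
  },
];
```

Running `findFrozenFlagDrift(SAMPLE_ITEMS)` on the constructed sample reports exactly the two drifted fields of the second item and nothing for the first.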
3.8 Host evidence collection order
S2.17 arranges the seven host evidence readiness items of S2.16 into a recommended collection order. This layer only answers "which to collect first and what the next one depends on"; it does not mark any evidence as received / accepted.
| Order | Collection step | Source item | Prerequisite | Status |
|---|---|---|---|---|
| 1 | Define the scope boundary first | host_scope_boundary_evidence | none | next_collection_candidate; received=0, accepted=0 |
| 2 | Then collect the owner decision | host_owner_decision_record_evidence | collect_scope_boundary_first | waiting_previous_step; received=0, accepted=0 |
| 3 | Isolate credential handling | host_credential_handling_evidence | collect_owner_decision_second | waiting_previous_step; received=0, accepted=0 |
| 4 | Schedule the maintenance window | host_maintenance_window_evidence | collect_owner_decision_second | waiting_previous_step; received=0, accepted=0 |
| 5 | Supply the rollback plan | host_rollback_plan_evidence | collect_maintenance_window_fourth | waiting_previous_step; received=0, accepted=0 |
| 6 | Define validation metrics | host_validation_metrics_evidence | collect_rollback_plan_fifth | waiting_previous_step; received=0, accepted=0 |
| 7 | Collect redacted ingestion last | host_redacted_ingestion_evidence | collect_validation_metrics_sixth | waiting_previous_step; received=0, accepted=0 |
Every step is fixed at display_mode=collection_order_only, with runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This order is a collection hint, not a work queue. A step showing as the next candidate must not trigger a scan, SSH, Kali update, raw payload ingestion or runtime blocking control, nor mark the corresponding evidence as received / accepted.
3.9 Host evidence intake preflight
S2.18 shows the preflight conditions applied to host evidence before it enters human review as read-only rules. This layer only answers "what must be blocked before future evidence comes in"; it does not receive payloads, accept evidence, or advance counters.
| Order | Preflight check | Reject / quarantine condition | Current status |
|---|---|---|---|
| 1 | Metadata pointer only | Redacted metadata pointer missing | preflight_ready_not_executed; received=0, accepted=0 |
| 2 | Collection order match | An S2.17 prerequisite was skipped | dependency_check_waiting_evidence; received=0, accepted=0 |
| 3 | Scope before scan | Scan evidence without a scope boundary | waiting_scope_evidence; received=0, accepted=0 |
| 4 | Owner before host change | SSH / update / tuning / blocking evidence lacks an owner decision pointer | waiting_owner_decision_pointer; received=0, accepted=0 |
| 5 | Credential plaintext blocked | Contains account passwords, tokens, private keys, sessions or other credential plaintext | plaintext_credential_collection_forbidden; received=0, accepted=0 |
| 6 | Raw payload blocked | Contains full raw scan output, unredacted findings, host dumps or log bundles | raw_payload_collection_forbidden; received=0, accepted=0 |
| 7 | Frontend counters frozen | Frontend attempts to advance received / accepted | frontend_counter_transition_forbidden; received=0, accepted=0 |
Every check is fixed at display_mode=intake_preflight_only, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This preflight board does not mean any host evidence has been received, nor that it has entered human review. Actual intake still requires a redacted evidence pointer, an owner decision and subsequent human acceptance.
3.10 Host evidence review outcome lanes
S2.19 shows the human review outcomes that host evidence may be routed to after passing preflight as read-only lanes. This layer only answers "what to supply next or which result to display"; it does not create an approval record, start a runtime gate, or change received / accepted.
| Order | Outcome lane | Source preflight | Next step |
|---|---|---|---|
| 1 | Ready for human review | metadata pointer, dependency order, scope, owner decision | Shows a human review candidate; received=0, accepted=0 |
| 2 | Needs scope evidence | scope before scan | Supply a redacted scope boundary pointer; no scan |
| 3 | Needs owner decision | owner before host change | Supply an owner decision record pointer; no host action started |
| 4 | Quarantine dependency skip | collection order match | Shows the quarantine reason; no counter advanced |
| 5 | Reject raw payload | raw payload blocked | Requests resubmission as a redacted summary |
| 6 | Reject credential plaintext | credential plaintext blocked | Credential plaintext is not stored, forwarded or displayed |
| 7 | Waiting runtime gate | frontend counters frozen, owner decision | A runtime gate still has to be opened separately after human review; active runtime gates=0 |
Every lane is fixed at display_mode=review_outcome_only, received_count=0, accepted_count=0, approval_record_created=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This outcome board does not mean evidence has entered review, an approval record has been created, or any host operation can be executed. It only lets users understand which kind of human review result preflight may route to.
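The collection order of 3.8, the preflight rules of 3.9 and the lane routing of 3.10, carried through on a constructed evidence submission as an added example (not IwoooS project code). The submission shape, the credential-plaintext patterns, the lane priority order and the `metadata_pointer_missing` / `not_routable` tokens are assumptions of this example; the status tokens and lane names come from the tables above.

```typescript
// Added example (not IwoooS project code): run the S2.18 preflight checks on a
// host-evidence submission and route it to an S2.19 outcome lane. Only metadata
// is read; the function never stores a payload and never advances a counter.

type EvidenceItem =
  | "host_scope_boundary_evidence"
  | "host_owner_decision_record_evidence"
  | "host_credential_handling_evidence"
  | "host_maintenance_window_evidence"
  | "host_rollback_plan_evidence"
  | "host_validation_metrics_evidence"
  | "host_redacted_ingestion_evidence";

// S2.17 prerequisite chain: item -> item that must already be received.
const PREREQUISITE: Record<EvidenceItem, EvidenceItem | null> = {
  host_scope_boundary_evidence: null,
  host_owner_decision_record_evidence: "host_scope_boundary_evidence",
  host_credential_handling_evidence: "host_owner_decision_record_evidence",
  host_maintenance_window_evidence: "host_owner_decision_record_evidence",
  host_rollback_plan_evidence: "host_maintenance_window_evidence",
  host_validation_metrics_evidence: "host_rollback_plan_evidence",
  host_redacted_ingestion_evidence: "host_validation_metrics_evidence",
};

// Submission shape is an assumption of this example; the contract only fixes the rules.
interface EvidenceSubmission {
  item: EvidenceItem;
  metadataPointer: string | null;   // redacted pointer to the evidence (constructed ids below)
  payloadKind: "redacted_summary" | "raw_scan_output" | "host_dump" | "log_bundle";
  summary: string;                   // redacted free text that is screened for plaintext secrets
  touchesScan: boolean;              // scan evidence: needs the scope boundary first
  touchesHostChange: boolean;        // SSH / update / tuning / blocking evidence
  ownerDecisionPointer: string | null;
  requestedCounterTransition?: "received" | "accepted"; // a frontend trying to advance counters
}

interface MirrorState {
  received: ReadonlySet<EvidenceItem>; // items already received through human intake
}

type Lane =
  | "ready_for_human_review"
  | "needs_scope_evidence"
  | "needs_owner_decision"
  | "quarantine_dependency_skip"
  | "reject_raw_payload"
  | "reject_credential_plaintext"
  | "waiting_runtime_gate"
  | "not_routable"; // assumed: S2.19 names no lane for a missing metadata pointer

interface PreflightResult {
  statuses: string[];
  lane: Lane;
  counterTransitionApplied: false; // counters are frozen at this layer, always false
}

// Indicators that a "redacted" summary still carries credential plaintext (assumed patterns).
const PLAINTEXT_CREDENTIAL_PATTERNS: RegExp[] = [
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
  /\b(password|passwd|pwd)\s*[:=]\s*\S+/i,
  /\bBearer\s+[A-Za-z0-9\-._~+/]+=*/,
  /\b(session|token|secret)\s*[:=]\s*\S{8,}/i,
];

// Priority is an assumption: hard rejections first, then quarantine, then supplement lanes.
function routeLane(statuses: string[]): Lane {
  const has = (s: string) => statuses.includes(s);
  if (has("plaintext_credential_collection_forbidden")) return "reject_credential_plaintext";
  if (has("raw_payload_collection_forbidden")) return "reject_raw_payload";
  if (has("metadata_pointer_missing")) return "not_routable";
  if (has("dependency_check_waiting_evidence")) return "quarantine_dependency_skip";
  if (has("waiting_scope_evidence")) return "needs_scope_evidence";
  if (has("waiting_owner_decision_pointer")) return "needs_owner_decision";
  if (has("frontend_counter_transition_forbidden")) return "waiting_runtime_gate";
  return "ready_for_human_review";
}

function runPreflight(sub: EvidenceSubmission, state: MirrorState): PreflightResult {
  const statuses: string[] = [];
  if (!sub.metadataPointer) statuses.push("metadata_pointer_missing"); // assumed token
  const prereq = PREREQUISITE[sub.item];
  if (prereq !== null && !state.received.has(prereq)) statuses.push("dependency_check_waiting_evidence");
  if (sub.touchesScan && !state.received.has("host_scope_boundary_evidence")) statuses.push("waiting_scope_evidence");
  if (sub.touchesHostChange && !sub.ownerDecisionPointer) statuses.push("waiting_owner_decision_pointer");
  if (PLAINTEXT_CREDENTIAL_PATTERNS.some((re) => re.test(sub.summary))) statuses.push("plaintext_credential_collection_forbidden");
  if (sub.payloadKind !== "redacted_summary") statuses.push("raw_payload_collection_forbidden");
  if (sub.requestedCounterTransition) statuses.push("frontend_counter_transition_forbidden");
  return { statuses, lane: routeLane(statuses), counterTransitionApplied: false };
}

// Constructed mirror state: only the scope boundary has been received so far.
const SAMPLE_STATE: MirrorState = { received: new Set<EvidenceItem>(["host_scope_boundary_evidence"]) };
```

With `SAMPLE_STATE`, an owner decision pointer submitted next lands in "ready for human review", a rollback plan submitted ahead of its maintenance window is quarantined, and a summary carrying `password=` is rejected before anything else is evaluated.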
3.11 Host evidence review handoff packets
S2.20 splits the host evidence handoff content that a human reviewer actually needs to see into seven read-only packets. This layer only answers "which redacted pointers to hand to the reviewer for interpretation"; it does not mark received / accepted, store raw payloads, create approval records, or start runtime gates.
| Order | Handoff packet | Source outcome lane | Required content |
|---|---|---|---|
| 1 | Scope summary | ready for human review, needs scope evidence | redacted scope boundary summary; no raw payload |
| 2 | Owner decision | ready for human review, needs owner decision | owner decision record pointer; not equivalent to host action approval |
| 3 | Credential handling | ready for human review, reject credential plaintext | metadata-only handling statement; secret value blocked |
| 4 | Maintenance / rollback | waiting runtime gate, needs owner decision | maintenance window and rollback pointer; no change started |
| 5 | Validation metrics | ready for human review, waiting runtime gate | post-review validation metrics pointer; does not mean runtime gate opened |
| 6 | Redaction attestation | reject raw payload, reject credential plaintext | redaction attestation metadata only; no sensitive payload stored |
| 7 | Runtime gate pointer | waiting runtime gate | follow-up runtime gate pointer only; active runtime gates=0 |
Every packet is fixed at display_mode=review_handoff_only, received_count=0, accepted_count=0, approval_record_created=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This handoff board does not mean the reviewer has received the data, accepted it, approved host operations, or opened a runtime gate. It only lets IwoooS show users clearly what must be prepared before submission for review.
3.12 Host evidence reviewer checklist
S2.21 splits the checks a reviewer still has to confirm after reading the handoff packets into seven read-only checklist items. This layer only answers "which boundaries must be confirmed not to have drifted before human review"; it does not mark passed, advance received / accepted, create approval records, or open runtime gates.
| Order | Reviewer check | Source packet | Pass condition |
|---|---|---|---|
| 1 | Scope boundary match | scope summary | redacted scope pointer only;no scan started |
| 2 | Owner decision scope / expiry | owner decision | decision pointer only;no approval record created |
| 3 | Credential handling metadata only | credential handling | secret value collection=false |
| 4 | Redaction attestation pass | redaction attestation | raw payload allowed=false |
| 5 | Maintenance / rollback complete | maintenance / rollback | future change conditions only;no change execution |
| 6 | Validation metrics linked | validation metrics | validation pointer only;runtime gate closed |
| 7 | Runtime gate separated | runtime gate pointer | active runtime gates=0;action buttons=false |
Every check is fixed at display_mode=reviewer_checklist_only, received_count=0, accepted_count=0, approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This checklist does not mean the reviewer has completed the review, the data has been accepted, human approval has been created, or a runtime gate has been opened. It only lets IwoooS lay out the safety interpretation steps before human review.
3.13 Host evidence reviewer outcome lanes
S2.22 splits the results that may follow the reviewer checklist into seven read-only outcome lanes. This layer only answers "which supplement or human decision lane to return to after the reviewer checks"; it does not mark checklist passed, advance received / accepted, create approval records, or open runtime gates.
| Order | Reviewer outcome | Source check | Next step |
|---|---|---|---|
| 1 | Ready for owner decision | scope, owner, redaction, runtime separation | Shows an owner decision candidate; received=0, accepted=0 |
| 2 | Scope mismatch | scope boundary match | Supply a scope boundary pointer; no scan started |
| 3 | Owner decision expired | owner decision scope / expiry | Supply an owner decision record; no approval created |
| 4 | Credential metadata failed | credential handling metadata only | Requests a metadata-only statement; no sensitive material collected |
| 5 | Redaction failed | redaction attestation pass | Requests re-redaction; no raw payload stored |
| 6 | Rollback missing | maintenance / rollback complete | Supply the maintenance window and rollback pointer; no change executed |
| 7 | Runtime gate required | validation metrics linked, runtime gate separated | Keeps the runtime gate independent and still closed |
Every lane is fixed at display_mode=reviewer_outcome_only, checklist_passed_count=0, received_count=0, accepted_count=0, approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This outcome board does not mean the reviewer checks have passed, the data has been accepted, human approval has been created, or a runtime gate has been opened. It only lets IwoooS spell out the next-step routing after the checklist.
3.14 Host Owner Decision Candidate Packets
S2.23 splits the step after "ready for owner decision" into seven read-only candidate packets. This layer only answers "which human decision materials the owner will need to see"; it does not create a decision record, mark approved, advance received / accepted, or open a runtime gate.
| Order | Candidate packet | Source outcome lane | Human decision scope |
|---|---|---|---|
| 1 | Scope approval candidate | ready for owner decision | Hosts, network segments, services, exclusions and observation purpose |
| 2 | Scan mode candidate | ready for owner decision | Differences between observe-only, future active scan and credentialed scan; no scan authorized at present |
| 3 | Credential handling candidate | ready for owner decision, credential metadata failed | metadata-only handling, responsible person and storage boundary; no sensitive material collected |
| 4 | Maintenance window candidate | ready for owner decision, rollback missing | Future maintenance window and constraints; no host update executed |
| 5 | Rollback owner candidate | ready for owner decision, rollback missing | rollback owner, recovery path and human contact point |
| 6 | Validation metrics candidate | ready for owner decision, runtime gate required | post-check metrics, baseline and evidence pointer |
| 7 | Runtime gate candidate | runtime gate required | Subsequent host actions still require an independent runtime gate; active runtime gates=0 |
Every packet is fixed at display_mode=owner_decision_candidate_only, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This candidate board does not mean an owner decision has been received, accepted or approved, or that a follow-up runtime gate has been created. It only lets IwoooS state up front what the owner is asked to judge manually.
3.15 Host Owner Decision Review Checklist
S2.24 splits the human verification items that follow the owner decision candidate packets into seven read-only checklist items. This layer only answers "which safety boundaries must still be confirmed one by one before the owner decides"; it does not create a decision record, mark approved, or open a runtime gate.
| Order | Review check | Source candidate packet | Guard condition |
|---|---|---|---|
| 1 | Scope boundary readable | scope approval candidate | scope review only;owner decision received=0 |
| 2 | Scan mode not authorization | scan mode candidate | active scan / credentialed scan authorized=false |
| 3 | Credential boundary metadata only | credential handling candidate | secret value collection=false |
| 4 | Maintenance window not change | maintenance window candidate | host update authorized=false |
| 5 | Rollback owner readable | rollback owner candidate | owner approval record created=false |
| 6 | Validation metrics predefined | validation metrics candidate | runtime gate opened=false |
| 7 | Runtime gate still separate | runtime gate candidate | action buttons=false;runtime gate separate |
Every check is fixed at display_mode=owner_decision_review_checklist_only, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This checklist does not mean the owner has completed the decision, approved it, created an approval record, or opened a runtime gate. It only lets IwoooS lay out the human verification order before the owner decision.
3.16 Host Owner Decision Review Outcome Lanes
S2.25 splits the results that may follow the owner decision review checklist into seven read-only outcome lanes. This layer only answers "which supplement or candidate decision record lane to return to after the owner review"; it does not mark review passed, create a decision record, mark approved, or open a runtime gate.
| Order | Review outcome | Source check | Next step |
|---|---|---|---|
| 1 | Ready for decision record | scope, scan mode, runtime separation | Shows a formal decision record candidate; received=0, accepted=0 |
| 2 | Scope needs refresh | scope boundary readable | Supply a scope boundary pointer; no scan started |
| 3 | Scan mode needs scope | scan mode not authorization | Supply a scan mode / scope statement; scan authorized=false |
| 4 | Credential boundary failed | credential boundary metadata only | Supply a metadata-only credential boundary; secret value collection=false |
| 5 | Maintenance window missing | maintenance window not change | Supply maintenance window constraints; host update=false |
| 6 | Rollback owner missing | rollback owner readable | Supply the rollback owner and recovery pointer; approval record=false |
| 7 | Runtime gate required | validation metrics, runtime gate still separate | Keeps the runtime gate independent and still closed |
Every lane is fixed at display_mode=owner_decision_review_outcome_only, owner_decision_review_passed_count=0, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This outcome board does not mean the owner review has passed, a decision record has been created, human approval has been completed, or a runtime gate has been opened. It only lets IwoooS spell out the next-step routing after the owner review.
3.17 Host Owner Decision Record Draft Packets
S2.26 splits the fields to be assembled after "ready for decision record" into seven read-only draft packets. This layer only answers "if the owner review enters the ready lane, which metadata the formal decision record draft must have"; it does not create a decision record, mark accepted, create an approval record, or open a runtime gate.
| Order | Draft packet | Source lane | Required metadata |
|---|---|---|---|
| 1 | Scope statement draft | ready for decision record | host / network / service / exclusion / observation intent |
| 2 | Scan mode draft | scan mode scope required | observe-only / future active / credentialed scan candidate mode |
| 3 | Credential boundary draft | credential boundary failed | metadata-only credential owner / retention boundary |
| 4 | Maintenance constraints draft | maintenance window required | window / constraints / impact boundary / no-change statement |
| 5 | Rollback owner draft | rollback owner required | rollback owner / recovery path / human contact pointer |
| 6 | Validation metrics draft | runtime gate required | post-check metrics / baseline / evidence pointer |
| 7 | Runtime gate draft | runtime gate required | separate follow-up runtime gate pointer;active gate=0 |
Every draft packet is fixed at display_mode=owner_decision_record_draft_only, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This draft board does not mean a decision record has been created, an owner decision has been accepted, security approval has been completed, or a runtime gate has been opened. It only lets IwoooS lay out the decision record draft fields up front, so that execution semantics are not mixed into the subsequent human decision.
3.18 Host Owner Decision Record Draft Review Checklist
S2.27 splits the verification conditions that follow the decision record draft packets into seven read-only checklist items. This layer only answers "whether the draft is sufficient to enter human decision record write-up"; it does not mark review passed, create a decision record, mark accepted, create an approval record, or open a runtime gate.
| Order | Draft review | Source packet | Verification condition |
|---|---|---|---|
| 1 | Scope statement complete | scope draft | scope metadata complete |
| 2 | Scan mode still not approval | scan mode draft | scan mode not authorization |
| 3 | Credential boundary metadata only | credential boundary draft | credential boundary metadata-only |
| 4 | Maintenance constraints readable | maintenance constraints draft | maintenance constraints no-change |
| 5 | Rollback owner readable | rollback owner draft | rollback owner / recovery pointer readable |
| 6 | Validation metrics linked | validation metrics draft | metrics / baseline linked |
| 7 | Runtime gate still closed | runtime gate draft | runtime gate separate and closed |
Every review check is fixed at display_mode=owner_decision_record_draft_review_checklist_only, decision_record_review_passed_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This checklist does not mean the decision record review has passed, a decision record has been created, an owner decision has been accepted, or a runtime gate has been opened. It only lets IwoooS lay out the verification conditions before the draft enters formal human review.
3.19 Host Owner Decision Record Draft Review Outcome Lanes
S2.28 splits the results that may follow the decision record draft review checklist into seven read-only outcome lanes. This layer only answers "after draft verification, whether to proceed to the formal write-up candidate, which draft to supplement, or wait for an independent runtime gate"; it does not mark review passed, create a decision record, mark accepted, create an approval record, or open a runtime gate.
| Order | Review outcome | Source check | Next step |
|---|---|---|---|
| 1 | Ready for decision record write-up | scope, scan mode, runtime separation | Shows a formal decision record write-up candidate; record created=false |
| 2 | Scope draft incomplete | scope statement review | Supply the scope statement; no record created |
| 3 | Scan mode ambiguous | scan mode review | Supply scan mode wording; scan authorized=false |
| 4 | Credential boundary incomplete | credential boundary review | Supply a metadata-only credential boundary; secret collection=false |
| 5 | Maintenance constraints incomplete | maintenance constraints review | Supply maintenance constraints; host update=false |
| 6 | Rollback owner incomplete | rollback owner review | Supply the rollback owner and recovery pointer; approval record=false |
| 7 | Runtime gate still required | validation metrics, runtime gate review | Keeps the runtime gate independent and still closed |
Every lane is fixed at display_mode=owner_decision_record_draft_review_outcome_only, decision_record_review_passed_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This outcome board does not mean the draft review has passed, a decision record has been created, an owner decision has been accepted, security approval has been completed, or a runtime gate has been opened. It only lets IwoooS spell out the next step after draft verification.
3.20 Host Owner Decision Record Write-Up Packets
S2.29 splits the formal write-up fields to be assembled after "ready for decision record write-up" into seven read-only packets. This layer only answers "which fields a formal decision record would need if one is written in the future"; it does not mark write-up completed, create a decision record, mark accepted, create an approval record, or open a runtime gate.
| Order | Write-up packet | Source lane | Required fields |
|---|---|---|---|
| 1 | Decision summary write-up | ready for decision record write-up | human decision summary, risk acceptance boundary, no-execution statement |
| 2 | Approved scope write-up | ready for decision record write-up | host / network / service / exclusion / observation intent / expiry |
| 3 | Scan mode limits write-up | scan mode ambiguous | observe-only, future active scan, credentialed scan limits |
| 4 | Credential boundary write-up | credential boundary incomplete | metadata-only credential owner, retention boundary, forbidden collection |
| 5 | Maintenance and rollback write-up | maintenance constraints incomplete | maintenance window, constraints, rollback owner, recovery path, human contact |
| 6 | Validation evidence write-up | runtime gate required | post-check metrics, baseline, evidence pointer, human acceptance condition |
| 7 | Runtime gate pointer write-up | runtime gate required | separate follow-up runtime gate pointer; active gate=0 |
Every packet is fixed at display_mode=owner_decision_record_writeup_only, decision_record_writeup_completed_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This write-up board does not mean the formal decision record has been completed, a decision record has been created, an owner decision has been accepted, security approval has been completed, or a runtime gate has been opened. It only lets IwoooS lay out the formal write-up fields up front while keeping subsequent human approval and the runtime gate separate.
3.21 Host Owner Decision Record Write-Up Review Checklist
S2.30 splits the verification conditions that follow the write-up packets into seven read-only checklist items. This layer only answers "whether the formal write-up fields are readable, traceable, and still not promoted to approval semantics"; it does not mark review passed, mark write-up completed, create a decision record, mark accepted, create an approval record, or open a runtime gate.
| Order | Write-up review | Source packet | Verification condition |
|---|---|---|---|
| 1 | Decision summary readable | decision summary write-up | decision summary, risk acceptance, no-execution statement readable |
| 2 | Scope and expiry complete | approved scope write-up | scope, exclusion, observation intent, expiry complete |
| 3 | Scan mode limits explicit | scan mode limits write-up | scan mode limits explicit and not authorization |
| 4 | Credential boundary metadata only | credential boundary write-up | metadata-only boundary and no secret collection |
| 5 | Maintenance and rollback linked | maintenance / rollback write-up | maintenance window, constraints, rollback, human contact linked |
| 6 | Validation evidence linked | validation evidence write-up | metrics, baseline, evidence, acceptance condition linked |
| 7 | Runtime gate still separate | runtime gate pointer write-up | runtime gate pointer separate and closed |
Every review check is fixed at display_mode=owner_decision_record_writeup_review_checklist_only, decision_record_writeup_review_passed_count=0, decision_record_writeup_completed_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This checklist does not mean the write-up review has passed, the formal decision record has been completed, a decision record has been created, an owner decision has been accepted, or a runtime gate has been opened. It only lets IwoooS lay out the verification conditions before the formal decision record enters subsequent human review.
3.22 Host Owner Decision Record Write-Up Review Outcome Lanes
S2.31 splits the possible results after the write-up review checklist into seven read-only outcome lanes. This layer only answers "what the next step should display after verification"; it does not mark review passed, mark write-up completed, create a decision record, mark accepted, create an approval record, or open a runtime gate.
| Order | Review outcome | Source check | Next step |
|---|---|---|---|
| 1 | Ready for formal record candidate | summary, scope, runtime gate checks | Shows a formal record candidate; record created=false |
| 2 | Decision summary needs clarification | summary check | Supply the decision summary; completed=0 |
| 3 | Scope and expiry needs refresh | scope check | Supply scope / expiry; record created=false |
| 4 | Scan mode limits ambiguous | scan mode limits check | Supply scan wording; scan authorized=false |
| 5 | Credential boundary failed | credential boundary check | Supply a metadata-only boundary; secret collection=false |
| 6 | Maintenance and rollback incomplete | maintenance / rollback check | Supply maintenance / rollback; host update=false |
| 7 | Runtime gate still required | validation evidence, runtime gate checks | active runtime gates=0; action buttons=false |
Every outcome lane is fixed at display_mode=owner_decision_record_writeup_review_outcome_only, decision_record_writeup_review_passed_count=0, decision_record_writeup_completed_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This outcome board does not mean the write-up review has passed, the formal decision record has been completed, a decision record has been created, an owner decision has been accepted, security approval has been completed, or a runtime gate has been opened. It only lets IwoooS clearly display the supplement, candidate, or runtime gate separation status after the write-up review.
3.23 Host Owner Decision Record Formal Candidate Packets
S2.32 splits the candidate formal record fields that follow ready for formal record candidate into seven read-only packets. This layer only answers "if a formal decision record is ever actually created in the future, which readable fields does the candidate need"; it does not mark finalized, does not create a decision record, does not mark accepted, does not create an approval record, and does not open the runtime gate.
| Order | Candidate packet | Source lane | Candidate fields |
|---|---|---|---|
| 1 | Record identity candidate | ready for formal record candidate | record id, version, owner, review scope, trace source |
| 2 | Decision summary candidate | ready for formal record candidate | human decision summary, risk acceptance boundary, no-execution statement |
| 3 | Approved scope candidate | ready for formal record candidate | host / network / service / exclusion / observation intent / expiry |
| 4 | Scan mode limits candidate | ready for formal record candidate | observe-only, future active scan, credentialed scan limits |
| 5 | Credential boundary candidate | ready for formal record candidate | metadata-only credential owner, retention, masking, forbidden collection |
| 6 | Maintenance and rollback candidate | ready for formal record candidate | maintenance window, constraints, rollback owner, recovery path, human contact |
| 7 | Validation and runtime gate candidate | ready for formal record candidate | validation evidence, post-check metrics, baseline pointer, separate runtime gate requirement |
Every candidate packet is fixed at display_mode=owner_decision_record_formal_candidate_only, formal_record_candidate_finalized_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This candidate board does not mean the formal decision record has been finalized, a decision record has been created, the owner decision has been accepted, security approval is complete, or the runtime gate has been opened. It only lets IwoooS present the candidate fields of the formal record clearly first, so that the subsequent human owner decision and the runtime gate remain separate.
3.24 Host Owner Decision Record Formal Candidate Review Checklist
S2.33 splits the read-only check conditions that follow the formal candidate packets into seven review checklist items. This layer only answers "before the candidate enters the subsequent human record, which fields need to be understood"; it does not mark review passed, does not mark finalized, does not create a decision record, does not mark accepted, does not create an approval record, and does not open the runtime gate.
| Order | Candidate review | Source packet | Locked condition |
|---|---|---|---|
| 1 | Record identity traceable | identity packet | record created=false |
| 2 | Decision summary readable | decision summary packet | accepted=0 |
| 3 | Scope and expiry consistent | approved scope packet | finalized=0 |
| 4 | Scan limits still not authorization | scan mode limits packet | scan authorized=false |
| 5 | Credential boundary still metadata-only | credential boundary packet | secret collection=false |
| 6 | Maintenance and rollback traceable | maintenance / rollback packet | host update=false |
| 7 | Runtime gate still closed | validation / runtime gate packet | active runtime gates=0; action buttons=false |
Every checklist item is fixed at display_mode=owner_decision_record_formal_candidate_review_checklist_only, formal_record_candidate_review_passed_count=0, formal_record_candidate_finalized_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This review checklist does not mean the formal candidate review has passed, the formal decision record has been finalized, a decision record has been created, the owner decision has been accepted, security approval is complete, or the runtime gate has been opened. It only lets IwoooS display the human check points of the candidate review clearly, so that field readability is not mistaken for formal approval.
3.25 Host Owner Decision Record Formal Candidate Review Outcome Lanes
S2.34 splits the possible results after the formal candidate review checklist into eight read-only outcome lanes. This layer only answers "after the candidate check, what needs to be supplied next or which lane to display"; it does not mark review passed, does not mark finalized, does not create a decision record, does not mark accepted, does not create an approval record, and does not open the runtime gate.
| Order | Review outcome | Source check | Next step |
|---|---|---|---|
| 1 | Ready for human record queue | all review checks | show eligibility for the human formal record queue; record created=false |
| 2 | Record identity needs trace | identity check | supply identity trace; review passed=0 |
| 3 | Decision summary needs clarification | summary check | supply decision summary; accepted=0 |
| 4 | Scope and expiry need refresh | scope check | supply scope / expiry; finalized=0 |
| 5 | Scan limits remain ambiguous | scan limits check | supply scan limits; scan authorized=false |
| 6 | Credential boundary failed | credential boundary check | supply metadata-only boundary; secret collection=false |
| 7 | Maintenance and rollback incomplete | maintenance / rollback check | supply maintenance / rollback; host update=false |
| 8 | Runtime gate still required | runtime gate check | active runtime gates=0; action buttons=false |
Every outcome lane is fixed at display_mode=owner_decision_record_formal_candidate_review_outcome_only, formal_record_candidate_review_passed_count=0, formal_record_candidate_finalized_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This outcome board does not mean the formal candidate review has passed, the formal decision record has been finalized, a decision record has been created, the owner decision has been accepted, security approval is complete, or the runtime gate has been opened. It only lets IwoooS display clearly the supplement, queue, and runtime-gate-separation state after the candidate check.
3.26 Host Owner Decision Record Formal Record Queue Packets
S2.35 splits the human formal record queue data that follows ready for human record queue into eight read-only packets. This layer only answers "if a human is ever to create a formal record in the future, which data packets does the queue view need"; it does not enqueue, does not create a decision record, does not mark accepted, does not create an approval record, and does not open the runtime gate.
| Order | Queue packet | Source lane | Queue fields |
|---|---|---|---|
| 1 | Queue identity packet | ready for human record queue | candidate record id, version, owner, review scope, trace source |
| 2 | Queue decision summary packet | ready for human record queue | decision summary, risk acceptance boundary, no-execution statement |
| 3 | Queue scope and expiry packet | ready for human record queue | host / network / service / exclusion / observation intent / expiry |
| 4 | Queue scan limits packet | ready for human record queue | observe-only, future active scan, credentialed scan limits |
| 5 | Queue credential boundary packet | ready for human record queue | metadata-only credential owner, retention, masking, forbidden collection |
| 6 | Queue maintenance and rollback packet | ready for human record queue | maintenance window, constraints, rollback owner, recovery path, human contact |
| 7 | Queue validation and runtime gate packet | ready for human record queue | validation evidence, post-check metrics, baseline pointer, separate runtime gate requirement |
| 8 | Queue no-execution attestation packet | ready for human record queue | not authorization, no execution, no approval, no runtime gate statement |
Every queue packet is fixed at display_mode=owner_decision_record_formal_record_queue_packet_only, formal_record_queue_enqueued_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This queue packet board does not mean the formal record queue has been enqueued, a decision record has been created, the owner decision has been accepted, security approval is complete, or the runtime gate has been opened. It only lets IwoooS display the data packets that the human formal record queue needs to see, so that queue readability is not mistaken for execution authorization.
3.27 Host Owner Decision Record Formal Record Queue Review Checklist
S2.36 splits the human formal record queue check that follows the formal record queue packets into eight read-only checklist items. This layer only answers "whether the queue data packets are fit for future human formal record review"; it does not mark review passed, does not enqueue, does not create a decision record, does not create an approval record, and does not open the runtime gate.
| Order | Queue review check | Source packet | Protection boundary |
|---|---|---|---|
| 1 | Queue identity traceable | Queue identity packet | trace only; queue enqueued=0 |
| 2 | Queue decision summary readable | Queue decision summary packet | summary only; record created=false |
| 3 | Queue scope and expiry fresh | Queue scope and expiry packet | scope check only; finalized=0 |
| 4 | Queue scan limits not authorization | Queue scan limits packet | scan authorized=false |
| 5 | Queue credential boundary metadata-only | Queue credential boundary packet | secret collection=false |
| 6 | Queue maintenance and rollback linked | Queue maintenance and rollback packet | host change=false |
| 7 | Queue validation gate separate | Queue validation and runtime gate packet | active gates=0 |
| 8 | Queue no-execution attestation present | Queue no-execution attestation packet | action buttons=false |
Every queue review check is fixed at display_mode=owner_decision_record_formal_record_queue_review_checklist_only, formal_record_queue_review_passed_count=0, formal_record_queue_enqueued_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This queue review checklist does not mean the formal record queue check has passed, the formal record has been enqueued, a decision record has been created, the owner decision has been accepted, security approval is complete, or the runtime gate has been opened. It only lets IwoooS display the conditions that are checked before queue data packets enter the human formal record, so that checklist visibility is not mistaken for execution authorization.
3.28 Host Owner Decision Record Formal Record Queue Review Outcome Lanes
S2.37 splits the results after the formal record queue review checklist into eight read-only outcome lanes. This layer only answers "after the queue review, which data packet should be supplied next or handed to the human record owner to look at"; it does not mark review passed, does not enqueue, does not create a decision record, does not accept the owner decision, does not create an approval record, and does not open the runtime gate.
| Order | Queue review outcome | Source check | Next step |
|---|---|---|---|
| 1 | Ready for human record owner handoff | identity / summary / scope / guardrail checks | show handoff candidate; review passed=0, queue enqueued=0 |
| 2 | Identity needs trace refresh | identity traceable check | supply identity trace; record created=false |
| 3 | Decision summary needs clarification | decision summary readable check | supply decision summary; accepted=0 |
| 4 | Scope and expiry need refresh | scope and expiry fresh check | supply scope / expiry; finalized=0 |
| 5 | Scan limits remain ambiguous | scan limits not authorization check | supply scan limits; scan authorized=false |
| 6 | Credential boundary failed | credential boundary metadata-only check | supply metadata-only boundary; secret collection=false |
| 7 | Maintenance and rollback incomplete | maintenance and rollback linked check | supply maintenance / rollback; host change=false |
| 8 | Runtime gate still required | validation gate separate check | active runtime gates=0; action buttons=false |
Every queue review outcome lane is fixed at display_mode=owner_decision_record_formal_record_queue_review_outcome_only, formal_record_queue_review_passed_count=0, formal_record_queue_enqueued_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This queue review outcome board does not mean the formal record queue review has passed, the formal record has been enqueued, a decision record has been created, the owner decision has been accepted, security approval is complete, or the runtime gate has been opened. It only lets IwoooS display clearly the supplement, handoff candidate, and runtime-gate-separation state after the queue review.
3.29 Host Owner Decision Record Human Handoff Readiness Packets
S2.38 splits the ready for human record owner handoff lane of the queue review outcome into eight read-only readiness packets. This layer only answers "before a future handoff to the human record owner, which metadata needs to be readable"; it does not start the handoff, does not mark handoff ready, does not mark review passed, does not enqueue, does not create a decision record, does not accept the owner decision, does not create an approval record, and does not open the runtime gate.
| Order | Handoff readiness packet | Readiness field | Protection boundary |
|---|---|---|---|
| 1 | Handoff identity and trace | record identity and trace | handoff started=0; ready=0 |
| 2 | Human record owner boundary | human record owner contact boundary | owner decision received=0 |
| 3 | Decision summary packet | decision summary and no-execution statement | decision record created=false |
| 4 | Scope and expiry packet | approved scope and expiry window | review passed=0 |
| 5 | Scan limits packet | observe-only and future scan limits | scan authorized=false |
| 6 | Credential boundary packet | metadata-only credential boundary | secret collection=false |
| 7 | Maintenance and rollback packet | maintenance constraints and rollback owner | host change=false |
| 8 | Runtime gate separation packet | independent runtime gate and no action buttons | active runtime gates=0; action buttons=false |
Every handoff readiness packet is fixed at display_mode=owner_decision_record_human_handoff_readiness_only, human_record_owner_handoff_started_count=0, human_record_owner_handoff_ready_count=0, formal_record_queue_review_passed_count=0, formal_record_queue_enqueued_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This handoff readiness board does not mean the handoff has started, the handoff is ready, the formal record queue review has passed, the formal record has been enqueued, a decision record has been created, the owner decision has been accepted, security approval is complete, or the runtime gate has been opened. It only lets IwoooS display clearly the preparation fields required before a future handoff to the human record owner.
3.30 Host Owner Decision Record Human Handoff Readiness Review Checklist
S2.39 splits the check conditions that follow the handoff readiness packets into eight read-only checklist items. This layer only answers "whether the handoff readiness packets are fit for the future human record owner to look at"; it does not mark review passed, does not start the handoff, does not mark handoff ready, does not enqueue, does not create a decision record, does not accept the owner decision, does not create an approval record, and does not open the runtime gate.
| Order | Handoff readiness review check | Source packet | Protection boundary |
|---|---|---|---|
| 1 | Identity trace readable | Handoff identity and trace | handoff started=0; ready=0 |
| 2 | Owner boundary readable | Human record owner boundary | owner decision received=0 |
| 3 | Decision summary readable | Decision summary packet | decision record created=false |
| 4 | Scope and expiry current | Scope and expiry packet | review passed=0 |
| 5 | Scan limits not authorization | Scan limits packet | scan authorized=false |
| 6 | Credential boundary metadata-only | Credential boundary packet | secret collection=false |
| 7 | Maintenance and rollback traceable | Maintenance and rollback packet | host change=false |
| 8 | Runtime gate separate | Runtime gate separation packet | active runtime gates=0; action buttons=false |
Every handoff readiness review check is fixed at display_mode=owner_decision_record_human_handoff_readiness_review_checklist_only, human_record_owner_handoff_review_passed_count=0, human_record_owner_handoff_started_count=0, human_record_owner_handoff_ready_count=0, formal_record_queue_review_passed_count=0, formal_record_queue_enqueued_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This handoff readiness review checklist does not mean the handoff readiness review has passed, the handoff has started, the handoff is ready, the formal record queue review has passed, the formal record has been enqueued, a decision record has been created, the owner decision has been accepted, security approval is complete, or the runtime gate has been opened. It only lets IwoooS display clearly the conditions that are checked before readiness packets reach the human record owner.
3.31 Host Owner Decision Record Human Handoff Readiness Review Outcome Lanes
S2.40 splits the results after the handoff readiness review checklist into nine read-only outcome lanes. This layer only answers "after the readiness review, which part to supply next, or whether the human record owner review candidate may be displayed"; it does not mark review passed, does not start the handoff, does not mark handoff ready, does not enqueue, does not create a decision record, does not accept the owner decision, does not create an approval record, and does not open the runtime gate.
| Order | Handoff readiness review outcome | Source check | Next step |
|---|---|---|---|
| 1 | Ready for human record owner review candidate | identity trace readable | show review candidate; handoff started=0, ready=0 |
| 2 | Identity trace needs refresh | identity trace readable | supply identity trace; review passed=0 |
| 3 | Owner boundary needs clarification | owner boundary readable | supply owner boundary; owner decision received=0 |
| 4 | Decision summary needs clarification | decision summary readable | supply decision summary; decision record created=false |
| 5 | Scope and expiry need refresh | scope and expiry current | supply scope / expiry; queue review passed=0 |
| 6 | Scan limits remain ambiguous | scan limits not authorization | supply scan limits; scan authorized=false |
| 7 | Credential boundary failed | credential boundary metadata-only | supply metadata-only boundary; secret collection=false |
| 8 | Maintenance and rollback incomplete | maintenance and rollback traceable | supply maintenance / rollback; host change=false |
| 9 | Runtime gate still required | runtime gate separate | active runtime gates=0; action buttons=false |
Every handoff readiness review outcome lane is fixed at display_mode=owner_decision_record_human_handoff_readiness_review_outcome_only, human_record_owner_handoff_review_passed_count=0, human_record_owner_handoff_started_count=0, human_record_owner_handoff_ready_count=0, formal_record_queue_review_passed_count=0, formal_record_queue_enqueued_count=0, decision_record_created=false, owner_decision_received_count=0, owner_decision_accepted_count=0, owner_approval_record_created=false, runtime_gate_opened=false, raw_payload_allowed=false, secret_value_collection_allowed=false, runtime_execution_authorized=false, action_buttons_allowed=false, not_authorization=true.
This outcome board does not mean the handoff readiness review has passed, the handoff has started, the handoff is ready, the formal record queue review has passed, the formal record has been enqueued, a decision record has been created, the owner decision has been accepted, security approval is complete, or the runtime gate has been opened. It only lets IwoooS display clearly the supplement, review candidate, and runtime-gate-separation state after the readiness review.
4. Still forbidden
IwoooS must not provide any of the following outputs:
- scan / execute / repair buttons.
- repo creation, visibility change, refs sync / delete / force push.
- workflow / webhook / runner / deploy key / branch protection / repository secret modification.
- GitHub primary switch or Gitea disable.
- production deploy or runtime enforcement.
- SSH to a host, opening an SSH session, updating Kali, package upgrade, credentialed scan, or active scan.
- applying a runtime blocking control.
- marking host evidence as received / accepted, or importing raw host evidence.
- advancing the host collection state or skipping a host evidence dependency.
- accepting host evidence that has not passed preflight.
- collecting host credential plaintext, ingesting host raw payload, or advancing host evidence counters from the frontend.
- creating a host approval record from a review outcome lane, treating a review lane as a runtime gate, or marking a review outcome as accepted.
- treating a host handoff packet as approval, marking a handoff packet received, or storing handoff sensitive payload.
- treating the reviewer checklist as approval, marking a reviewer check passed from the frontend, or opening a runtime gate from a reviewer check.
- treating a reviewer outcome as approval, marking a reviewer outcome passed, or opening a runtime gate from a reviewer outcome.
- treating an owner decision candidate as approval, marking a host owner decision approved, or opening a runtime gate from an owner decision candidate.
- treating the owner decision review checklist as approval, marking an owner decision review passed, or opening a runtime gate from the owner decision review checklist.
- treating an owner decision review outcome as approval, marking an owner decision review outcome passed, or opening a runtime gate from an owner decision review outcome.
- creating a host owner decision record from an owner decision record draft, marking record created, or opening a runtime gate from the draft.
- treating an owner decision record draft review as approval, marking draft review passed, creating a decision record from the draft review, or opening a runtime gate from the draft review.
- treating an owner decision record draft review outcome as approval, marking draft review outcome passed, creating a decision record from the draft review outcome, or opening a runtime gate from the draft review outcome.
- creating a decision record from an owner decision record write-up, marking write-up completed, marking decision record accepted, or opening a runtime gate from the write-up.
- treating an owner decision record write-up review as approval, marking write-up review passed / completed, creating a decision record from the write-up review, or opening a runtime gate from the write-up review.
- treating an owner decision record write-up review outcome as approval, marking write-up review outcome passed / completed, creating a decision record from the write-up review outcome, or opening a runtime gate from the write-up review outcome.
- treating an owner decision record formal candidate as approval, marking formal candidate finalized, creating or accepting a decision record from the formal candidate, or opening a runtime gate from the formal candidate.
- treating an owner decision record formal candidate review as approval, marking formal candidate review passed / finalized, creating a decision record from the formal candidate review, or opening a runtime gate from the formal candidate review.
- treating an owner decision record formal candidate review outcome as approval, marking formal candidate review outcome passed / finalized, creating a decision record from the formal candidate review outcome, or opening a runtime gate from the formal candidate review outcome.
- treating an owner decision record formal record queue packet as approval, enqueuing the formal record queue from the frontend, creating or accepting a decision record from a formal record queue packet, or opening a runtime gate from a formal record queue packet.
- treating the owner decision record formal record queue review checklist as approval, marking queue review passed, enqueuing or creating a decision record from the queue review, or opening a runtime gate from the queue review.
- treating an owner decision record formal record queue review outcome as approval, marking queue review outcome passed, enqueuing or creating a decision record from the queue review outcome, or opening a runtime gate from the queue review outcome.
- treating owner decision record handoff readiness as approval, starting the human record owner handoff, marking handoff ready, creating a decision record from a readiness packet, or opening a runtime gate from handoff readiness.
- treating the owner decision record handoff readiness review as approval, marking handoff readiness review passed, starting the human record owner handoff, marking handoff ready, creating a decision record from the readiness review, or opening a runtime gate from the readiness review.
- treating an owner decision record handoff readiness review outcome as approval, marking handoff readiness review outcome passed, starting the human record owner handoff, marking handoff ready, creating a decision record from the readiness review outcome, or opening a runtime gate from the readiness review outcome.
- treating the 58% progress, the contract count, mirror readiness, or any frontend-visible state as authorization.
5. Verification
Read-only verification:
python3 scripts/security/security-mirror-progress-guard.py
This guard confirms that the IwoooS projection is aligned with the rollup / rollout policy, and that runtime_execution_authorized=false, action_buttons_allowed=false, and not_authorization=true.
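As an added example (not the project's own security-mirror-progress-guard.py), the following Python checks the locked fields that sections 3.21 to 3.31 repeat for every lane and packet board; the per-item layout (one dict per lane with display_mode and the locked keys) and the constructed sample boards are assumptions, not the page's snapshot format.

```python
# Added example: read-only invariant check over projection items. Not the
# project's guard script; the per-item dict layout below is an assumption.

# Locked values that every layer in sections 3.21-3.31 repeats verbatim.
LOCKED_FALSE = (
    "decision_record_created", "owner_approval_record_created",
    "runtime_gate_opened", "raw_payload_allowed",
    "secret_value_collection_allowed", "runtime_execution_authorized",
    "action_buttons_allowed",
)
LOCKED_TRUE = ("not_authorization",)
# Lane counts per display_mode, taken from the page (3.22, 3.25, 3.31).
EXPECTED_ITEMS = {
    "owner_decision_record_writeup_review_outcome_only": 7,
    "owner_decision_record_formal_candidate_review_outcome_only": 8,
    "owner_decision_record_human_handoff_readiness_review_outcome_only": 9,
}


def check_item(item, display_mode):
    """Return the list of contract violations for one item (empty means ok)."""
    problems = []
    if item.get("display_mode") != display_mode:
        problems.append(f"display_mode {item.get('display_mode')!r} != {display_mode!r}")
    for key in LOCKED_FALSE:  # a missing key is a violation, not a default
        if item.get(key) is not False:
            problems.append(f"{key} must be false, got {item.get(key)!r}")
    for key in LOCKED_TRUE:
        if item.get(key) is not True:
            problems.append(f"{key} must be true, got {item.get(key)!r}")
    for key, value in item.items():  # every *_count stays 0 in mirror_only
        if key.endswith("_count") and value != 0:
            problems.append(f"{key} must be 0, got {value!r}")
    return problems


def check_board(items, display_mode):
    """Check a whole board: lane count plus each item's locked fields."""
    expected = EXPECTED_ITEMS.get(display_mode)
    problems = []
    if expected is not None and len(items) != expected:
        problems.append(f"{display_mode}: {len(items)} items, expected {expected}")
    for order, item in enumerate(items, start=1):
        problems.extend(f"item {order}: {p}" for p in check_item(item, display_mode))
    return problems


def locked_lane(display_mode, order, outcome, **overrides):
    """Build one item with every locked field at its contract value."""
    item = {"display_mode": display_mode, "order": order, "outcome": outcome,
            "decision_record_writeup_review_passed_count": 0,
            "decision_record_writeup_completed_count": 0,
            "owner_decision_received_count": 0,
            "owner_decision_accepted_count": 0}
    item.update({k: False for k in LOCKED_FALSE})
    item.update({k: True for k in LOCKED_TRUE})
    item.update(overrides)  # only used below to construct drift
    return item


WRITEUP_OUTCOME = "owner_decision_record_writeup_review_outcome_only"
WRITEUP_LANES = ["Ready for formal record candidate", "Decision summary needs clarification",
                 "Scope and expiry needs refresh", "Scan mode limits ambiguous",
                 "Credential boundary failed", "Maintenance and rollback incomplete",
                 "Runtime gate still required"]
# Constructed sample boards: one that matches section 3.22, one with drift that
# would let the frontend show a button and count a gate as open.
GOOD_BOARD = [locked_lane(WRITEUP_OUTCOME, i, n) for i, n in enumerate(WRITEUP_LANES, 1)]
DRIFTED_BOARD = GOOD_BOARD[:-1] + [locked_lane(
    WRITEUP_OUTCOME, 7, WRITEUP_LANES[-1],
    runtime_gate_opened=True, action_buttons_allowed=True, owner_decision_accepted_count=1)]
```

Running check_board over every board in a snapshot before it is served is the shape of check that keeps "visible on the frontend" from drifting into "authorized".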