{
"schema_version": "vibework_iwooos_onboarding_handoff_v1",
"status": "draft_waiting_owner_review",
"date": "2026-06-04",
"mode": "product_scope_handoff_only",
"source_evidence_refs": [
"docs/security/iwooos-posture-projection.snapshot.json",
"docs/workplans/2026-06-04-iwooos-security-governance-p0.md",
"apps/web/src/app/[locale]/iwooos/page.tsx",
"apps/web/messages/zh-TW.json",
"/Users/ogt/Documents/VibeWork-current-main/README.md",
"/Users/ogt/Documents/VibeWork-current-main/docs/PROJECT_BOUNDARIES.md",
"/Users/ogt/Documents/VibeWork-current-main/docs/DEPLOYMENT_STRATEGY.md",
"/Users/ogt/Documents/VibeWork-current-main/docs/RELEASE_PROCESS.md",
"/Users/ogt/Documents/VibeWork-current-main/package.json"
],
"summary": {
"product_name": "VibeWork",
"onboarding_handoff_package_ready": true,
"onboarding_handoff_completion_percent": 100,
"product_boundary_merged_into_awoooi": false,
"owner_response_received": false,
"owner_response_accepted": false,
"repo_refs_truth_accepted": false,
"data_classification_accepted": false,
"deployment_boundary_accepted": false,
"runtime_gate_open": false,
"runtime_execution_authorized": false,
"production_deploy_authorized": false,
"repo_creation_authorized": false,
"refs_sync_authorized": false,
"workflow_modification_authorized": false,
"secret_value_collection_authorized": false,
"shared_database_authorized": false,
"shared_session_authorized": false,
"shared_rbac_authorized": false,
"action_buttons_allowed": false
},
"product_identity": {
"product_type": "獨立 AI Vibe Coding 接案媒合平台",
"current_focus": "需求者引導式需求收集、區塊式 PRD、可解釋媒合、接案者回應、合作確認、站內通知、管理後台監控",
"technical_stack": [
"Next.js 14 App Router",
"TypeScript",
"Tailwind CSS",
"React Hook Form",
"Zod",
"Zustand",
"Prisma",
"PostgreSQL"
],
"language_policy": "所有文件、產品文案、註解與說明文字皆使用繁體中文;技術名詞與識別字可保留英文。"
},
"repo_scope": {
"active_workspace": {
"path": "/Users/ogt/Documents/VibeWork",
"status_summary": "read_only_observed_dirty_workspace_ahead_3_behind_92_with_many_modified_and_untracked_files",
"canonical_for_iwooos": false,
"forbidden_actions": [
"commit",
"rebase",
"push",
"delete_files",
"sync_refs"
]
},
"reference_worktree": {
"path": "/Users/ogt/Documents/VibeWork-current-main",
"head_sha": "1a902530141004d958cda639bea9a837282c867f",
"origin_main_sha": "421c834756b7f41ef554c0348274f3762c3fc2de",
"main_sha": "48275cc52be79107e887147d3fe10310a887afe9",
"remote": "ssh://git@192.168.0.110:2222/wooo/vibework.git",
"refs_truth_status": "waiting_owner_decision"
},
"required_owner_answers": [
"canonical repo path / remote",
"refs truth between active workspace, reference worktree, origin/main and main",
"dirty workspace WIP vs release candidate disposition",
"GitHub target metadata if needed",
"workflow / runner / secret name parity owner"
]
},
"product_surfaces": [
{
"surface_id": "public-marketing",
"routes": [
"/",
"/en",
"/services",
"/industries",
"/resources",
"/case-studies",
"/pricing"
],
"boundary": "public content surface only; not a production smoke target in this AWOOOI handoff"
},
{
"surface_id": "client-workspace",
"routes": [
"/client/projects/new",
"/client/projects",
"/client/projects/[projectId]/intake/[sessionId]",
"/client/projects/[projectId]/prd",
"/client/projects/[projectId]/matches",
"/client/projects/[projectId]/workspace"
],
"boundary": "client Session and data ownership stay inside VibeWork"
},
{
"surface_id": "coder-workspace",
"routes": [
"/coder/profile",
"/coder/matches",
"/coder/projects/[projectId]/workspace"
],
"boundary": "coder profile, portfolio and match data require VibeWork data classification"
},
{
"surface_id": "admin-review",
"routes": [
"/admin",
"/admin/growth-analytics",
"/admin/growth-launch",
"/admin/growth-leads",
"/admin/marketing-preview",
"/api/v1/admin/*"
],
"boundary": "admin / reviewer RBAC remains VibeWork-owned"
},
{
"surface_id": "health-and-jobs",
"routes": [
"/api/v1/health",
"/api/v1/jobs/*"
],
"boundary": "health and job routes depend on VibeWork job-secret handling; secret values are never collected"
},
{
"surface_id": "ai-assistance",
"routes": [
"/api/ai/intake-assistant",
"/api/ai/milestone-assistant",
"/api/ai/support"
],
"boundary": "AI evidence must remain within the VibeWork audit and authorization boundary"
}
],
"owner_response_handoff": {
"status": "ready_not_dispatched",
"request_dispatch_authorized": false,
"required_response_fields": [
"product_owner_role_or_team",
"security_owner_role_or_team",
"source_control_owner_role_or_team",
"deployment_owner_role_or_team",
"data_classification_owner_role_or_team",
"surface_scope",
"decision",
"decision_reason",
"redacted_evidence_refs",
"followup_owner"
],
"allowed_decisions": [
"confirm_observe_only",
"defer",
"reject",
"request_more_evidence"
],
"forbidden_inputs": [
".env content",
"database URL value",
"auth secret value",
"job secret value",
"webhook token value",
"API key value",
"cookie",
"session",
"private key",
"client raw requirement",
"PRD raw content",
"match personal data",
"notification raw content",
"audit raw payload",
"deploy command request",
"compose restart request",
"DB migration request",
"repo push request",
"refs sync request"
],
"response_received": false,
"response_accepted": false
},
"independent_product_boundary": {
"must_remain_independent": true,
"forbidden_couplings": [
"share_awoooi_database",
"share_awoooi_session",
"bind_vibework_rbac_to_awoooi_rbac",
"depend_on_awoooi_runtime_for_core_flow",
"treat_awooop_approval_as_vibework_security_approval",
"direct_cross_database_join"
],
"allowed_future_integrations": [
"versioned API",
"Webhook event",
"outbox pattern",
"import / export adapter",
"SSO / OAuth with VibeWork RBAC preserved",
"Anti-Corruption Layer"
]
},
"data_classification_intake": [
{
"data_type": "client requirement / intake answer",
"status": "waiting_owner_classification",
"collection_rule": "metadata and field type only; no raw answer content"
},
{
"data_type": "PRD block / source anchor",
"status": "waiting_owner_classification",
"collection_rule": "model and risk summary only; no full PRD"
},
{
"data_type": "coder profile / portfolio",
"status": "waiting_owner_classification",
"collection_rule": "field and public / private boundary only; no personal data content"
},
{
"data_type": "match record / score reason",
"status": "waiting_owner_classification",
"collection_rule": "scoring factor and audit rule only; no case data"
},
{
"data_type": "AuditEvent / notification",
"status": "waiting_owner_classification",
"collection_rule": "event type and retention policy only; no message body"
},
{
"data_type": "admin / marketing content",
"status": "waiting_owner_classification",
"collection_rule": "publication workflow and permission boundary only; no unpublished content"
}
],
"deployment_boundary": {
"public_host": "https://vibework.wooo.work",
"production_mode": "Docker Compose on independent product boundary",
"compose_host": "192.168.0.188",
"compose_directory": "/home/ollama/vibework-production",
"internal_web": "http://192.168.0.188:32336",
"database_boundary": "Compose PostgreSQL service; host binding documented as 127.0.0.1:54329",
"k3s_namespace_reference": "vibework namespace manifests retained as optional reference; runtime deployment scaled to 0 according to source evidence",
"production_verification_in_this_awoooi_stage": false,
"deployment_authorized": false
},
"acceptance_rules": [
"本 handoff 完成不代表 VibeWork owner response 已收到或 accepted。",
"VibeWork 納入 IwoooS 只代表全產品資安視野可見，不代表掃描、部署、修復或 runtime execution。",
"canonical repo、refs truth、workflow / secret name、GitHub target 仍需 source-control owner response。",
"正式 URL、Docker Compose、health endpoint 或 drift guard 可見，不等於本段已做 production verification。",
"任何 .env、secret、DB URL、token、private key、cookie、session、auth header、job secret 都必須拒收或隔離。",
"未來若要改 VibeWork production、deploy、compose、DB migration、worker、domain、TLS 或 smoke 帳密，必須另開 VibeWork owner approval 與 rollback / post-check。"
],
"forbidden_actions": [
"modify_vibework_repo",
"commit_vibework_changes",
"push_vibework_refs",
"sync_refs",
"create_github_repo",
"change_workflow",
"collect_secret_value",
"read_env_file",
"deploy_production",
"restart_compose",
"run_db_migration",
"run_active_scan",
"run_credentialed_scan",
"share_database",
"share_session",
"bind_rbac",
"enable_runtime_gate",
"add_awooop_action_button"
]
}