Files

Your Name 35d72a8a68 feat(web): add IwoooS writeup review

2026-05-20 00:45:16 +08:00

41 KiB

Raw Blame History

IwoooS 前端資安態勢投影契約

項目	內容
日期	2026-05-19
狀態	草案
Schema	`docs/schemas/iwooos_posture_projection_v1.schema.json`
Snapshot	`docs/security/iwooos-posture-projection.snapshot.json`
模式	`mirror_only`
runtime 執行授權	`false`

1. 目的

iwooos_posture_projection_v1 定義 IwoooS 如何把既有資安網資料投影到前端。

它只允許顯示資安態勢、headline progress、framework / runtime landing、non-blocking lanes、evidence refs 與下一個高層 gate。它不是掃描器、不是修復器、不是 approval gate，也不是 GitHub primary cutover 授權。

2. 來源

IwoooS 首版只讀取或對齊以下已提交 evidence：

來源	用途
`security_mirror_status_rollup_v1`	58% headline、36 contracts、0 active runtime gates、下一個高層 gate
`security_rollout_policy_v1`	7 條 low-friction non-blocking lanes
`source_control_owner_response_validation_rollup_v1`	owner response 仍為 0、S4.9 下一個收件候選
`kali_integration_status_v1`	Kali 112 observe-only 整合態勢
`/iwooos` 前端路由	顯示入口，不提供執行按鈕
既有前端資安頁面	只讀索引，不搬移原頁責任邊界、不新增執行控制

3. 前端可顯示

Security Posture / Exposure 入口。
58% headline progress 與框架 / runtime landing 判讀。
36 個主要契約、33 ready、2 partial、1 contract-only、0 blocked。
0 active runtime gates。
Exposure、source-control、Kali 112、approval boundary 四個面向。
7 條 non-blocking lanes。
evidence refs 與下一個高層 gate。
10 個既有前端資安相關頁面索引。
4 個前端資安責任面與 5 個重疊 / 衝突控制。
6 個只讀資安處理旅程階段。
7 個 owner evidence readiness items。
3 個只讀主機覆蓋 items：Kali 112、開發主機 168、開發主機 111。
6 個主機動作 gate items：active scan、credentialed scan、Kali /execute、SSH / host change、Kali update、runtime blocking control。
7 個主機 evidence readiness items：scope boundary、owner decision、credential handling、maintenance window、rollback plan、validation metrics、redacted ingestion。
7 個主機 evidence collection order steps，顯示收件順序與前置依賴。
7 個主機 evidence intake preflight checks，顯示未來 evidence 進人工 review 前的拒收 / 隔離規則。
7 個主機 evidence review outcome lanes，顯示 preflight 後的人工審查分流結果。
7 個主機 evidence review handoff packets，顯示人工 reviewer 需要的脫敏交接資料包。
7 個主機 evidence reviewer checklist items，顯示 reviewer 看完 handoff packets 後仍需確認的只讀檢查。
7 個主機 evidence reviewer outcome lanes，顯示 reviewer checklist 後的只讀結果分流。
7 個 host owner decision candidate packets，顯示 reviewer outcome 進到 owner decision 前仍需要的人工決策範圍。
7 個 host owner decision review checklist items，顯示 owner decision candidate packets 後仍需人工核對的安全邊界。
7 個 host owner decision review outcome lanes，顯示 owner review checklist 後的只讀結果分流。
7 個 host owner decision record draft packets，顯示 formal decision record 候選需要的草稿欄位。
7 個 host owner decision record draft review checklist items，顯示草稿欄位進入正式決策紀錄前仍需只讀核對的條件。
7 個 host owner decision record draft review outcome lanes，顯示草稿核對後的只讀結果分流。
7 個 host owner decision record write-up packets，顯示正式 decision record 撰寫欄位，但不建立 record、不標記 completed / accepted、不開 runtime gate。
7 個 host owner decision record write-up review checklist items，顯示正式撰寫欄位進入決策紀錄前仍需只讀核對的條件。

3.1 既有前端資安頁面整合

S2.10 將前端原本已存在的資安相關頁面收進 IwoooS，只作為 route / source / read-only mode 索引。

Route	來源	IwoooS 呈現
`/security-compliance`	`SecurityPanel` / `CompliancePanel`	安全合規整合頁
`/security`	`apps/web/src/app/[locale]/security/page.tsx`	既有安全監控頁
`/compliance`	`apps/web/src/app/[locale]/compliance/page.tsx`	既有合規頁
`/alerts`	`useIncidents` / `IncidentCard`	告警管理
`/errors`	`ErrorsPanel`	錯誤與 UX 稽核
`/authorizations`	`LiveApprovalPanel`	HITL / multi-sig 授權中心
`/governance`	Governance tabs	AI 治理中樞
`/alert-operation-logs`	Alert operation log page	告警操作稽核
`/awooop/approvals`	AwoooP approvals page	AwoooP 審批佇列
`/code-review`	Code Review page	AI Code Review 控制面

這些 route 仍保留原本功能與 owner 邊界；IwoooS 只提供可見索引，不把任何頁面升級成 scan、execute、repair、blocking gate、deploy approval 或 runtime authorization。

3.2 覆蓋與邊界矩陣

S2.11 將 10 個既有前端資安頁面分成四個責任面，讓使用者看懂「訊號在哪裡、人工控制在哪裡、治理稽核在哪裡、工程審查在哪裡」。

責任面	Route	邊界
訊號與暴露面	`/security-compliance`、`/security`、`/compliance`、`/alerts`、`/errors`	顯示風險、事件、錯誤、UX audit 與合規訊號，不把 observation 直接升 blocking
人工控制邊界	`/authorizations`、`/awooop/approvals`	顯示 HITL / multi-sig / AwoooP approvals；不等於資安 runtime gate 已批准
治理與稽核	`/governance`、`/alert-operation-logs`	顯示治理事件、SLO、補救佇列與操作日誌；audit event 不是執行授權
工程審查	`/code-review`	顯示 AI Code Review pipeline；review 結果可產生 follow-up，不等於 deploy approval

重疊 / 衝突控制：

IwoooS 保留原 route owner，不搬移資料寫入權。
覆蓋矩陣不得升級成 runtime gate。
Code Review link 不等於 deploy approval。
AwoooP approval 狀態不等於資安 approval decision record。
前端索引不得呼叫 Kali active scan 或 /execute。

3.3 資安處理旅程

S2.12 將使用者可見的資安處理流程固定為 6 個只讀階段：

順序	階段	輸出
1	讀取目前態勢	顯示 posture / progress / gate 狀態，不代表授權
2	開啟既有資安頁面	進入原 route，保留原 owner 與資料邊界
3	判讀非阻擋分流	建 follow-up，不直接升 blocking
4	收 owner evidence	更新 received / accepted 狀態，不執行 repo / refs / workflow / Kali 動作
5	等待人工決策	需要 decision record，不用 AwoooP approval、Code Review 或進度數字替代
6	準備後續 runtime gate	只有人工批准後才另開 follow-up runtime gate；目前 active runtime gates 仍為 0

這個旅程是 status projection，不是 execution queue。任何 active scan、repair、deploy、GitHub primary、repo / refs / workflow / runner 或 secret 變更，都仍需獨立批准與後續 runtime gate。

3.4 Owner Evidence Readiness

S2.13 將 headline 進度下一步真正需要的 evidence 顯示成只讀 readiness board。

順序	Evidence item	目前狀態	解除條件
1	S4.9 Gitea owner attestation response	next collection candidate；received=0、accepted=0	收到並接受脫敏 owner response
2	S4.10 GitHub target owner response	waiting owner response；received=0、accepted=0	GitHub target owner response accepted
3	S4.11 refs truth owner response	waiting owner response；received=0、accepted=0	refs truth owner response accepted
4	S4.12 workflow / secret name owner response	waiting owner response；received=0、accepted=0	workflow / secret owner response accepted
5	Redacted finding ingestion	approval required；received=0、accepted=0	人工批准後接收脫敏 finding
6	Kali scan scope approval	approval required；received=0、accepted=0	scan scope approval + follow-up runtime gate
7	Follow-up runtime gate	locked until human decision；active gate=0	decision record accepted 後另開 runtime gate

這個 board 只說明「還缺什麼」，不代表已收到 evidence、已接受 evidence、已批准、已可掃描、已可修復、已可部署或已可切 GitHub primary。

3.5 主機覆蓋視圖

S2.14 將統帥指定的 Kali 與兩台開發主機放進 IwoooS 的可見資安範圍，讓使用者能看懂哪些主機已被納入後續資安網路徑。

順序	主機	角色	目前狀態
1	`192.168.0.112`	Kali 資安主機	已在 posture / evidence refs 中作為 observe-only integration；active scan、`/execute`、SSH 變更與主機更新仍未批准
2	`192.168.0.168`	開發主機	已宣告為 observe-only scope；credentialed scan 與 runtime control 仍未批准
3	`192.168.0.111`	開發主機	已宣告為 observe-only scope；credentialed scan 與 runtime control 仍未批准

這個視圖只代表「納入視野」，不代表已啟動掃描、已登入主機、已更新 Kali、已調校主機、已建立 SSH 工作流或已允許 runtime control。

3.6 主機動作 Gate 矩陣

S2.15 將主機相關高風險動作拆成只讀 gate matrix，避免「主機已納入視野」被誤讀成「可以直接掃描、登入、更新或阻擋」。

順序	動作	相關主機	目前 Gate
1	Active scan	`192.168.0.112`、`192.168.0.168`、`192.168.0.111`	需要 S1.6 scan scope approval 與後續 runtime gate
2	Credentialed scan	`192.168.0.112`、`192.168.0.168`、`192.168.0.111`	需要 scope、credential handling 與脫敏 evidence 規範；目前未批准
3	Kali `/execute`	`192.168.0.112`	block candidate；需要人工 decision record 與 S3.4 follow-up runtime gate
4	SSH / host change	`192.168.0.112`、`192.168.0.168`、`192.168.0.111`	需要明確人工批准、變更計畫與 rollback evidence
5	Kali host update	`192.168.0.112`	需要維護窗口、更新清單、驗證指標與 rollback 計畫
6	Runtime blocking control	`192.168.0.112`、`192.168.0.168`、`192.168.0.111`	需要 accepted decision record；目前 active runtime gates 仍為 0

每個 item 都固定 display_mode=gate_only，且 active_scan_authorized=false、credentialed_scan_authorized=false、ssh_change_authorized=false、host_update_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

3.7 主機 Evidence Readiness

S2.16 將主機動作解鎖前需要的 evidence 顯示成只讀 readiness board。這一層只回答「要進下一步前缺什麼」，不代表任何 evidence 已收到或已接受。

順序	Evidence item	目前狀態	影響範圍
1	Scope boundary	waiting redacted scope approval；received=0、accepted=0	112、168、111 的目標、排除範圍、深度與速率
2	Owner decision record	waiting human decision record；received=0、accepted=0	人控決策，不可由可見狀態替代
3	Credential handling	credential material collection forbidden；received=0、accepted=0	credentialed scan 前的憑證來源、保存邊界、遮蔽與拒收規則
4	Maintenance window	waiting maintenance window；received=0、accepted=0	Kali update、SSH / host change 與主機調校窗口
5	Rollback plan	waiting rollback plan；received=0、accepted=0	套件、設定、服務、工具鏈版本回復
6	Validation metrics	waiting post-check metrics；received=0、accepted=0	掃描器、監控、服務與使用者流程 post-check
7	Redacted ingestion	waiting redacted payload acceptance；received=0、accepted=0	finding / scan result 只能以脫敏摘要進 mirror

每個 item 都固定 display_mode=evidence_readiness_only，且 active_scan_authorized=false、credentialed_scan_authorized=false、ssh_change_authorized=false、host_update_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

3.8 主機 Evidence 收件順序

S2.17 將 S2.16 的七個主機 evidence readiness items 排成建議收件順序。這一層只回答「先收哪個、下一個依賴什麼」，不把任何 evidence 標成 received / accepted。

順序	收件步驟	Source item	前置依賴	狀態
1	先定義 scope boundary	`host_scope_boundary_evidence`	無	`next_collection_candidate`；received=0、accepted=0
2	再收 owner decision	`host_owner_decision_record_evidence`	`collect_scope_boundary_first`	`waiting_previous_step`；received=0、accepted=0
3	隔離 credential handling	`host_credential_handling_evidence`	`collect_owner_decision_second`	`waiting_previous_step`；received=0、accepted=0
4	安排 maintenance window	`host_maintenance_window_evidence`	`collect_owner_decision_second`	`waiting_previous_step`；received=0、accepted=0
5	補 rollback plan	`host_rollback_plan_evidence`	`collect_maintenance_window_fourth`	`waiting_previous_step`；received=0、accepted=0
6	定義 validation metrics	`host_validation_metrics_evidence`	`collect_rollback_plan_fifth`	`waiting_previous_step`；received=0、accepted=0
7	最後才收 redacted ingestion	`host_redacted_ingestion_evidence`	`collect_validation_metrics_sixth`	`waiting_previous_step`；received=0、accepted=0

每個 step 都固定 display_mode=collection_order_only，且 runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個順序是收件提示，不是工作佇列。不得因為某個 step 顯示為下一個候選，就啟動 scan、SSH、Kali update、raw payload ingestion、runtime blocking control，或把對應 evidence 標成已收到 / 已接受。

3.9 主機 Evidence Intake Preflight

S2.18 將主機 evidence 進人工 review 前的預檢條件顯示成只讀規則。這一層只回答「未來 evidence 送進來前要先擋什麼」，不接收 payload、不驗收 evidence、不推進 counters。

順序	預檢項目	拒收 / 隔離條件	目前狀態
1	Metadata pointer only	缺 redacted metadata pointer	`preflight_ready_not_executed`；received=0、accepted=0
2	Collection order match	跳過 S2.17 前置依賴	`dependency_check_waiting_evidence`；received=0、accepted=0
3	Scope before scan	scan evidence 沒有 scope boundary	`waiting_scope_evidence`；received=0、accepted=0
4	Owner before host change	SSH / update / tuning / blocking evidence 缺 owner decision pointer	`waiting_owner_decision_pointer`；received=0、accepted=0
5	Credential plaintext blocked	出現帳密、token、private key、session 或憑證明文	`plaintext_credential_collection_forbidden`；received=0、accepted=0
6	Raw payload blocked	出現完整掃描 raw output、未脫敏 finding、host dump 或 log bundle	`raw_payload_collection_forbidden`；received=0、accepted=0
7	Frontend counters frozen	前端嘗試推進 received / accepted	`frontend_counter_transition_forbidden`；received=0、accepted=0

每個 check 都固定 display_mode=intake_preflight_only、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 preflight board 不代表已收到任何主機 evidence，也不代表已進人工 review。真正收件仍需要脫敏 evidence pointer、owner decision 與後續人工驗收。

3.10 主機 Evidence Review Outcome Lanes

S2.19 將主機 evidence 通過 preflight 後可能進入的人工審查結果分流顯示成只讀 lanes。這一層只回答「下一步該補什麼或顯示什麼結果」，不建立 approval record、不啟動 runtime gate、不改 received / accepted。

順序	Outcome lane	來源預檢	下一步
1	Ready for human review	metadata pointer、dependency order、scope、owner decision	顯示人工審查候選；received=0、accepted=0
2	Needs scope evidence	scope before scan	補脫敏 scope boundary pointer，不進 scan
3	Needs owner decision	owner before host change	補 owner decision record pointer，不啟動主機動作
4	Quarantine dependency skip	collection order match	顯示隔離原因，不推 counter
5	Reject raw payload	raw payload blocked	要求改交脫敏摘要
6	Reject credential plaintext	credential plaintext blocked	不保存、不轉送、不顯示憑證明文
7	Waiting runtime gate	frontend counters frozen、owner decision	人工審查後仍需另開 runtime gate；active runtime gates=0

每個 lane 都固定 display_mode=review_outcome_only、received_count=0、accepted_count=0、approval_record_created=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 evidence 已進 review、approval record 已建立或任何主機操作可執行。它只讓使用者理解「預檢後可能被導向哪一類人審結果」。

3.11 主機 Evidence Review Handoff Packets

S2.20 將人工 reviewer 真正需要看到的主機 evidence 交接內容拆成七個只讀 packets。這一層只回答「要把哪些脫敏指標交給 reviewer 判讀」，不標記 received / accepted、不保存 raw payload、不建立 approval record、不啟動 runtime gate。

順序	Handoff packet	來源 outcome lane	必備內容
1	Scope summary	ready for human review、needs scope evidence	redacted scope boundary summary；不含 raw payload
2	Owner decision	ready for human review、needs owner decision	owner decision record pointer；不等於主機動作批准
3	Credential handling	ready for human review、reject credential plaintext	metadata-only handling statement；secret value blocked
4	Maintenance / rollback	waiting runtime gate、needs owner decision	maintenance window 與 rollback pointer；不啟動變更
5	Validation metrics	ready for human review、waiting runtime gate	post-review validation metrics pointer；不代表 runtime gate opened
6	Redaction attestation	reject raw payload、reject credential plaintext	redaction attestation metadata only；不保存敏感 payload
7	Runtime gate pointer	waiting runtime gate	follow-up runtime gate pointer only；active runtime gates=0

每個 packet 都固定 display_mode=review_handoff_only、received_count=0、accepted_count=0、approval_record_created=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 handoff board 不代表 reviewer 已收到資料、已接受資料、已批准主機操作或已開 runtime gate。它只讓 IwoooS 能把「送審前要準備什麼」清楚顯示給使用者。

3.12 主機 Evidence Reviewer Checklist

S2.21 將 reviewer 讀完 handoff packets 後仍需確認的檢查拆成七個只讀 checklist items。這一層只回答「人審前要確認哪些邊界沒有漂移」，不標記 passed、不推進 received / accepted、不建立 approval record、不開 runtime gate。

順序	Reviewer check	來源 packet	Pass condition
1	Scope boundary match	scope summary	redacted scope pointer only；no scan started
2	Owner decision scope / expiry	owner decision	decision pointer only；no approval record created
3	Credential handling metadata only	credential handling	secret value collection=false
4	Redaction attestation pass	redaction attestation	raw payload allowed=false
5	Maintenance / rollback complete	maintenance / rollback	future change conditions only；no change execution
6	Validation metrics linked	validation metrics	validation pointer only；runtime gate closed
7	Runtime gate separated	runtime gate pointer	active runtime gates=0；action buttons=false

每個 check 都固定 display_mode=reviewer_checklist_only、received_count=0、accepted_count=0、approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 checklist 不代表 reviewer 已完成審查、資料已 accepted、人工批准已建立或 runtime gate 已開啟。它只讓 IwoooS 把人審前的安全判讀步驟顯示清楚。

3.13 主機 Evidence Reviewer Outcome Lanes

S2.22 將 reviewer checklist 後可能出現的結果拆成七個只讀 outcome lanes。這一層只回答「人審檢查後要回到哪個補件或人工決策 lane」，不標記 checklist passed、不推進 received / accepted、不建立 approval record、不開 runtime gate。

順序	Reviewer outcome	來源 check	下一步
1	Ready for owner decision	scope、owner、redaction、runtime separation	顯示 owner decision candidate；received=0、accepted=0
2	Scope mismatch	scope boundary match	補 scope boundary pointer；不啟動 scan
3	Owner decision expired	owner decision scope / expiry	補 owner decision record；不建立 approval
4	Credential metadata failed	credential handling metadata only	要求 metadata-only statement；不收敏感素材
5	Redaction failed	redaction attestation pass	要求重新脫敏；不保存 raw payload
6	Rollback missing	maintenance / rollback complete	補 maintenance window 與 rollback pointer；不執行 change
7	Runtime gate required	validation metrics linked、runtime gate separated	維持獨立 runtime gate 且仍關閉

每個 lane 都固定 display_mode=reviewer_outcome_only、checklist_passed_count=0、received_count=0、accepted_count=0、approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 reviewer check 已通過、資料已 accepted、人工批准已建立或 runtime gate 已開啟。它只讓 IwoooS 把 checklist 後的下一步分流說清楚。

3.14 Host Owner Decision Candidate Packets

S2.23 將 ready for owner decision 後的下一步拆成七個只讀 candidate packets。這一層只回答「owner 之後要看哪些人工決策素材」，不建立 decision record、不標記 approved、不推進 received / accepted、不開 runtime gate。

順序	Candidate packet	來源 outcome lane	人工決策範圍
1	Scope approval candidate	ready for owner decision	主機、網段、服務、排除範圍與觀察目的
2	Scan mode candidate	ready for owner decision	observe-only、未來 active scan 或 credentialed scan 的差異；目前不授權掃描
3	Credential handling candidate	ready for owner decision、credential metadata failed	metadata-only handling、責任人與保存邊界；不收敏感素材
4	Maintenance window candidate	ready for owner decision、rollback missing	未來維護窗口與限制條件；不執行 host update
5	Rollback owner candidate	ready for owner decision、rollback missing	rollback owner、復原路徑與人工聯絡點
6	Validation metrics candidate	ready for owner decision、runtime gate required	post-check metrics、baseline 與 evidence pointer
7	Runtime gate candidate	runtime gate required	後續主機動作仍需獨立 runtime gate；active runtime gates=0

每個 packet 都固定 display_mode=owner_decision_candidate_only、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 candidate board 不代表 owner decision 已收到、已接受、已批准或已建立後續 runtime gate。它只讓 IwoooS 把「要請 owner 人工判讀什麼」先說清楚。

3.15 Host Owner Decision Review Checklist

S2.24 將 owner decision candidate packets 後的人工核對項拆成七個只讀 checklist items。這一層只回答「owner 決策前還要逐項確認什麼安全邊界」，不建立 decision record、不標記 approved、不開 runtime gate。

順序	Review check	來源 candidate packet	Guard condition
1	Scope boundary readable	scope approval candidate	scope review only；owner decision received=0
2	Scan mode not authorization	scan mode candidate	active scan / credentialed scan authorized=false
3	Credential boundary metadata only	credential handling candidate	secret value collection=false
4	Maintenance window not change	maintenance window candidate	host update authorized=false
5	Rollback owner readable	rollback owner candidate	owner approval record created=false
6	Validation metrics predefined	validation metrics candidate	runtime gate opened=false
7	Runtime gate still separate	runtime gate candidate	action buttons=false；runtime gate separate

每個 check 都固定 display_mode=owner_decision_review_checklist_only、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 checklist 不代表 owner 已完成決策、已批准、已建立 approval record 或已開 runtime gate。它只讓 IwoooS 把 owner 決策前的人工核對順序說清楚。

3.16 Host Owner Decision Review Outcome Lanes

S2.25 將 owner decision review checklist 後可能出現的結果拆成七個只讀 outcome lanes。這一層只回答「owner review 後要回到哪個補件或候選 decision record lane」，不標記 review passed、不建立 decision record、不標記 approved、不開 runtime gate。

順序	Review outcome	來源 check	下一步
1	Ready for decision record	scope、scan mode、runtime separation	顯示 formal decision record candidate；received=0、accepted=0
2	Scope needs refresh	scope boundary readable	補 scope boundary pointer；不啟動 scan
3	Scan mode needs scope	scan mode not authorization	補 scan mode / scope statement；scan authorized=false
4	Credential boundary failed	credential boundary metadata only	補 metadata-only credential boundary；secret value collection=false
5	Maintenance window missing	maintenance window not change	補 maintenance window constraints；host update=false
6	Rollback owner missing	rollback owner readable	補 rollback owner 與復原 pointer；approval record=false
7	Runtime gate required	validation metrics、runtime gate still separate	維持獨立 runtime gate 且仍關閉

每個 lane 都固定 display_mode=owner_decision_review_outcome_only、owner_decision_review_passed_count=0、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 owner review 已通過、decision record 已建立、人工批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 owner review 後的下一步分流說清楚。

3.17 Host Owner Decision Record Draft Packets

S2.26 將 ready for decision record 後需要整理的欄位拆成七個只讀 draft packets。這一層只回答「若 owner review 進入 ready lane，formal decision record 草稿要有哪些 metadata」，不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Draft packet	來源 lane	必要 metadata
1	Scope statement draft	ready for decision record	host / network / service / exclusion / observation intent
2	Scan mode draft	scan mode scope required	observe-only / future active / credentialed scan candidate mode
3	Credential boundary draft	credential boundary failed	metadata-only credential owner / retention boundary
4	Maintenance constraints draft	maintenance window required	window / constraints / impact boundary / no-change statement
5	Rollback owner draft	rollback owner required	rollback owner / recovery path / human contact pointer
6	Validation metrics draft	runtime gate required	post-check metrics / baseline / evidence pointer
7	Runtime gate draft	runtime gate required	separate follow-up runtime gate pointer；active gate=0

每個 draft packet 都固定 display_mode=owner_decision_record_draft_only、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 draft board 不代表 decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把 decision record 草稿欄位先說清楚，方便後續人工決策時不混入執行語義。

3.18 Host Owner Decision Record Draft Review Checklist

S2.27 將 decision record draft packets 後的核對條件拆成七個只讀 checklist items。這一層只回答「草稿是否足以進入人工 decision record 撰寫」，不標記 review passed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Draft review	來源 packet	核對條件
1	Scope statement complete	scope draft	scope metadata complete
2	Scan mode still not approval	scan mode draft	scan mode not authorization
3	Credential boundary metadata only	credential boundary draft	credential boundary metadata-only
4	Maintenance constraints readable	maintenance constraints draft	maintenance constraints no-change
5	Rollback owner readable	rollback owner draft	rollback owner / recovery pointer readable
6	Validation metrics linked	validation metrics draft	metrics / baseline linked
7	Runtime gate still closed	runtime gate draft	runtime gate separate and closed

每個 review check 都固定 display_mode=owner_decision_record_draft_review_checklist_only、decision_record_review_passed_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 checklist 不代表 decision record review 已通過、decision record 已建立、owner decision 已接受或 runtime gate 已開啟。它只讓 IwoooS 把草稿進入正式人審前的核對條件說清楚。

3.19 Host Owner Decision Record Draft Review Outcome Lanes

S2.28 將 decision record draft review checklist 後可能出現的結果拆成七個只讀 outcome lanes。這一層只回答「草稿核對後要進入正式撰寫候選、補哪個草稿，或等待獨立 runtime gate」，不標記 review passed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Review outcome	來源 check	下一步
1	Ready for decision record write-up	scope、scan mode、runtime separation	顯示 formal decision record write-up candidate；record created=false
2	Scope draft incomplete	scope statement review	補 scope statement；不建立 record
3	Scan mode ambiguous	scan mode review	補 scan mode wording；scan authorized=false
4	Credential boundary incomplete	credential boundary review	補 metadata-only credential boundary；secret collection=false
5	Maintenance constraints incomplete	maintenance constraints review	補 maintenance constraints；host update=false
6	Rollback owner incomplete	rollback owner review	補 rollback owner 與 recovery pointer；approval record=false
7	Runtime gate still required	validation metrics、runtime gate review	維持獨立 runtime gate 且仍關閉

每個 lane 都固定 display_mode=owner_decision_record_draft_review_outcome_only、decision_record_review_passed_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 outcome board 不代表 draft review 已通過、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把草稿核對後的下一步說清楚。

3.20 Host Owner Decision Record Write-Up Packets

S2.29 將 ready for decision record write-up 後需要整理的正式撰寫欄位拆成七個只讀 packets。這一層只回答「若未來要寫正式 decision record，需要哪些欄位」，不標記 write-up completed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Write-up packet	來源 lane	必要欄位
1	Decision summary write-up	ready for decision record write-up	human decision summary、risk acceptance boundary、no-execution statement
2	Approved scope write-up	ready for decision record write-up	host / network / service / exclusion / observation intent / expiry
3	Scan mode limits write-up	scan mode ambiguous	observe-only、future active scan、credentialed scan limits
4	Credential boundary write-up	credential boundary incomplete	metadata-only credential owner、retention boundary、forbidden collection
5	Maintenance and rollback write-up	maintenance constraints incomplete	maintenance window、constraints、rollback owner、recovery path、human contact
6	Validation evidence write-up	runtime gate required	post-check metrics、baseline、evidence pointer、human acceptance condition
7	Runtime gate pointer write-up	runtime gate required	separate follow-up runtime gate pointer；active gate=0

每個 packet 都固定 display_mode=owner_decision_record_writeup_only、decision_record_writeup_completed_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 write-up board 不代表 formal decision record 已完成、decision record 已建立、owner decision 已接受、資安批准已完成或 runtime gate 已開啟。它只讓 IwoooS 把正式撰寫欄位先說清楚，並保留後續人工批准與 runtime gate 的分離。

3.21 Host Owner Decision Record Write-Up Review Checklist

S2.30 將 write-up packets 後的核對條件拆成七個只讀 checklist items。這一層只回答「正式撰寫欄位是否可讀、可追、仍未升級成批准語義」，不標記 review passed、不標記 write-up completed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。

順序	Write-up review	來源 packet	核對條件
1	Decision summary readable	decision summary write-up	decision summary、risk acceptance、no-execution statement readable
2	Scope and expiry complete	approved scope write-up	scope、exclusion、observation intent、expiry complete
3	Scan mode limits explicit	scan mode limits write-up	scan mode limits explicit and not authorization
4	Credential boundary metadata only	credential boundary write-up	metadata-only boundary and no secret collection
5	Maintenance and rollback linked	maintenance / rollback write-up	maintenance window、constraints、rollback、human contact linked
6	Validation evidence linked	validation evidence write-up	metrics、baseline、evidence、acceptance condition linked
7	Runtime gate still separate	runtime gate pointer write-up	runtime gate pointer separate and closed

每個 review check 都固定 display_mode=owner_decision_record_writeup_review_checklist_only、decision_record_writeup_review_passed_count=0、decision_record_writeup_completed_count=0、decision_record_created=false、owner_decision_received_count=0、owner_decision_accepted_count=0、owner_approval_record_created=false、runtime_gate_opened=false、raw_payload_allowed=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

這個 checklist 不代表 write-up review 已通過、formal decision record 已完成、decision record 已建立、owner decision 已接受或 runtime gate 已開啟。它只讓 IwoooS 把正式 decision record 進入後續人審前的核對條件說清楚。

4. 仍禁止

IwoooS 不得提供下列輸出：

scan / execute / repair button。
repo creation、visibility change、refs sync / delete / force push。
workflow / webhook / runner / deploy key / branch protection / repository secret 修改。
GitHub primary switch 或 Gitea disable。
production deploy 或 runtime enforcement。
SSH 到主機、開 SSH session、更新 Kali、package upgrade、credentialed scan 或 active scan。
套用 runtime blocking control。
將主機 evidence 標記為 received / accepted，或匯入 raw host evidence。
推進 host collection state 或跳過 host evidence dependency。
未通過 preflight 就接受 host evidence。
收集 host credential plaintext、ingest host raw payload，或由前端推進 host evidence counters。
從 review outcome lane 建立 host approval record、把 review lane 當 runtime gate，或把 review outcome 標成 accepted。
把 host handoff packet 當成 approval、將 handoff packet 標記 received，或保存 handoff sensitive payload。
把 reviewer checklist 當成 approval、由前端標記 reviewer check passed，或從 reviewer check 開 runtime gate。
把 reviewer outcome 當成 approval、標記 reviewer outcome passed，或從 reviewer outcome 開 runtime gate。
把 owner decision candidate 當成 approval、標記 host owner decision approved，或從 owner decision candidate 開 runtime gate。
把 owner decision review checklist 當成 approval、標記 owner decision review passed，或從 owner decision review checklist 開 runtime gate。
把 owner decision review outcome 當成 approval、標記 owner decision review outcome passed，或從 owner decision review outcome 開 runtime gate。
從 owner decision record draft 建立 host owner decision record、標記 record created，或從 draft 開 runtime gate。
把 owner decision record draft review 當成 approval、標記 draft review passed、從 draft review 建立 decision record，或從 draft review 開 runtime gate。
把 owner decision record draft review outcome 當成 approval、標記 draft review outcome passed、從 draft review outcome 建立 decision record，或從 draft review outcome 開 runtime gate。
從 owner decision record write-up 建立 decision record、標記 write-up completed、標記 decision record accepted，或從 write-up 開 runtime gate。
把 owner decision record write-up review 當成 approval、標記 write-up review passed / completed、從 write-up review 建立 decision record，或從 write-up review 開 runtime gate。
把 58% progress、contract count、mirror readiness 或前端可見狀態當成授權。

5. 驗證

只讀驗證：

python3 scripts/security/security-mirror-progress-guard.py

這個 guard 會確認 IwoooS 投影與 rollup / rollout policy 對齊，且 runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true。

41 KiB Raw Blame History Unescape Escape