{
"schema_version": "security_mirror_quarantine_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-supply-chain-contract-manifest.snapshot.json"
],
"summary": {
"total_contracts": 31,
"quarantine_lane_count": 5,
"auto_retry_allowed": false,
"runtime_blocking_allowed": false
},
"quarantine_lanes": [
{
"lane_id": "contract_count_mismatch",
"trigger_check_id": "CONTRACT_COUNT_MATCH",
"owner": "Security Supply Chain Session",
"severity": "HIGH",
"allowed_processing": [
"隔離該批 mirror payload",
"顯示 manifest / readiness / route 的 count mismatch",
"要求重新產生一致的 snapshot"
],
"blocked_processing": [
"猜測缺漏 contract",
"用不完整 contract list 啟動 mirror ingestion",
"新增任何 execution action"
],
"recovery_request": "重新產生 manifest、readiness、route 與 event sample，確保四者的 contract set 完全一致。",
"retry_gate": "新 snapshot commit 後才可重新驗收。"
},
{
"lane_id": "missing_event_envelope",
"trigger_check_id": "EVENT_ENVELOPE_REQUIRED",
"owner": "AwoooP ingestion adapter",
"severity": "HIGH",
"allowed_processing": [
"拒收未帶 security_mirror_event_v1 的 payload",
"顯示缺少的 event envelope 欄位",
"要求來源補齊 execution_authorized=false 與 action_buttons_allowed=false"
],
"blocked_processing": [
"自動補成可執行事件",
"顯示執行按鈕",
"把 mirror payload 當 approval item"
],
"recovery_request": "來源必須重新輸出帶完整 security_mirror_event_v1 信封的 payload。",
"retry_gate": "event envelope 完整，且 execution_authorized 與 action_buttons_allowed 皆為 false。"
},
{
"lane_id": "route_coverage_gap",
"trigger_check_id": "ROUTE_GROUP_COVERAGE",
"owner": "Security Supply Chain Session",
"severity": "MEDIUM",
"allowed_processing": [
"隔離未知或未路由 contract",
"顯示缺漏的 route group 或 destination",
"要求補齊 security_mirror_route_v1"
],
"blocked_processing": [
"使用 fallback execution route",
"把未知 contract 送進 Approval Queue",
"用預設目的地吞掉缺漏"
],
"recovery_request": "補齊 route group、destinations、channel_policy 與 review_lane。",
"retry_gate": "route groups 合併後完整覆蓋 manifest contract set。"
},
{
"lane_id": "redaction_failed",
"trigger_check_id": "REDACTION_ONLY",
"owner": "Source evidence producer",
"severity": "CRITICAL",
"allowed_processing": [
"拒收含 raw sensitive value 的 payload",
"只記錄 redaction failed 的 metadata（例如 hash 或 redacted marker），不得包含原始敏感值",
"要求來源重新輸出脫敏 snapshot"
],
"blocked_processing": [
"保存 raw secret、token、cookie、private key 或 exploit payload",
"把敏感值寫入 Runtime State",
"把敏感值寫入 Audit evidence"
],
"recovery_request": "來源必須移除 raw sensitive value，並只保留 metadata、hash 或 redacted marker。",
"retry_gate": "新 snapshot 經敏感資訊掃描通過後才可重新驗收。"
},
{
"lane_id": "schema_or_json_invalid",
"trigger_check_id": "SCHEMA_JSON_PARSE",
"owner": "Security Supply Chain Session",
"severity": "MEDIUM",
"allowed_processing": [
"隔離無法 parse 的 snapshot",
"顯示 schema / JSON 錯誤",
"要求來源修正格式"
],
"blocked_processing": [
"用部分 parse 結果繼續 ingestion",
"忽略 schema 錯誤",
"將格式錯誤轉成 runtime alert"
],
"recovery_request": "修正 JSON 與 schema 後重新提交 snapshot。",
"retry_gate": "JSON parse 與一致性 assertion 通過。"
}
],
"retry_policy": {
"auto_retry_allowed": false,
"manual_refresh_required": true,
"max_retry_without_new_snapshot": 0
},
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload"
]
}