14 KiB
14 KiB
資安供應鏈整體進度
| 項目 | 內容 |
|---|---|
| 日期 | 2026-05-13 |
| 狀態 | S0/S1 read-only evidence 建置中 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
0. 本階段完成後整體進度
| 階段 | 狀態 | 目前結果 | 下一個 gate |
|---|---|---|---|
| S0 文件與契約同步 | 完成 | Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立 | AwoooP 只讀 mirror 消費 |
| S1 source-control read-only inventory | 進行中 | 已有 Gitea/GitHub refs、Gitea public-only user repo list、本機 remote、GitHub target probe、canonical lineage、110 refs evidence | Gitea private/internal 全量 repo list |
| S1.0 Gitea 全量 inventory approval | 完成草案 | 已建立 read-only token / admin export approval package | 統帥或 repo owner 批准 |
| S1.1 GitHub target 決策 | 完成草案 | 8 個 target 候選,7 個需人工批准;3 個 not_found_or_private 不得自動建立 |
owner / visibility / canonical approval |
| S1.2 GitHub target 逐 repo approval | 完成草案 | 7 個 approval-required targets 已拆成逐 repo pending package,並彙整成 8-item approval board | 低摩擦逐項批准 |
| S1.2a refs reconcile plan | 完成草案 | awoooi、clawbot-v5、wooo-aiops 已產生 draft plan;狀態仍為 draft_blocked |
authenticated inventory + branch/tag diff + single-repo approval |
| S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff;已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs |
| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 |
| S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 |
| S1.4 契約索引 | 完成草案 | 30 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
| S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + /execute high-risk gate |
| S1.6 Kali finding / scan scope approval | 完成草案 | security_finding_v1 sample snapshot 與 kali_scan_scope_approval_v1 approval package 已建立;111/168 已納入 observe-only scope |
人工批准 safe crawl / credentialed scan / runtime ingestion / full-upgrade gate |
| S1.7 Security approval queue | 完成草案 | 8 個 approval queue items 已集中:7 pending approval、1 block candidate;AwoooP 可 mirror 但不得執行 | 先 review redacted finding ingestion,再 review safe crawl / Gitea inventory |
| S2 AwoooP mirror-only readiness | 完成草案 | security_mirror_readiness_v1 已整理 30 個 contracts:27 ready、2 partial、1 contract-only、0 blocked |
AwoooP 主線建立只讀入口 |
| S2.1 AwoooP mirror-only intake plan | 完成草案 | security_mirror_intake_plan_v1 已建立 5 個 intake waves 與 4 個 acceptance gates |
AwoooP 主線照 wave mirror,不新增 execution router |
| S2.2 AwoooP 鏡像事件信封 | 完成草案 | security_mirror_event_v1 已建立,要求每筆鏡像 payload 標示 execution_authorized=false 與 action_buttons_allowed=false |
AwoooP 鏡像 payload 統一信封 |
| S2.3 AwoooP 鏡像路由矩陣 | 完成草案 | security_mirror_route_v1 已建立 5 個 route groups,定義目的地、channel policy 與 review lane |
AwoooP 消費時不猜路由、不新增執行入口 |
| S2.4 AwoooP 鏡像驗收契約 | 完成草案 | security_mirror_acceptance_v1 已建立 7 個 acceptance checks;blocking 只針對鏡像資料不完整或未脫敏 |
AwoooP 接入時可驗收,不升級成 runtime enforcement |
| S2.5 AwoooP 鏡像隔離契約 | 完成草案 | security_mirror_quarantine_v1 已建立 5 個 quarantine lanes;失敗 payload 必須等新 snapshot commit 後才能 retry |
AwoooP 可隔離壞資料,不阻擋 runtime |
| S2.6 AwoooP 鏡像 dry-run 報告契約 | 完成草案 | security_mirror_dry_run_v1 已建立 6 個 dry-run steps;目前狀態為 contract defined not executed |
AwoooP 未來可回報演練結果,但不啟動 production ingestion |
| S2.7 AwoooP 鏡像狀態彙整契約 | 完成草案 | security_mirror_status_rollup_v1 已建立,彙整 S0-S4、approval queue summary 與下一個安全 gate |
兩個 Session 用同一份 rollup 同步,不誤啟執行面 |
| S3 approval gate | 進行中 | security_approval_gate_v1 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved |
不得繞過人工批准;批准後仍需 follow-up runtime gate |
| S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item |
| S3.1 人工決策紀錄契約 | 完成草案 | security_approval_decision_record_v1 已建立;目前 0 筆 decision records、0 個 runtime action 授權 |
AwoooP 可稽核決策,不可把決策當執行 |
| S3.2 人工審查封包契約 | 完成草案 | security_approval_review_packet_v1 已建立;8 個 review packets、7 ready for human review、1 block candidate、0 個 runtime action 授權 |
AwoooP 可顯示 review lane,不可把 packet 當批准或執行 |
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR |
1. 已建立的主要 evidence
| 類型 | 檔案 |
|---|---|
| AwoooP handoff | docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md |
| Mirror-only 清單 | docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md |
| Gitea/GitHub migration inventory | docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md |
| Gitea server-side inventory runbook | docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md |
| Gitea read-only inventory approval package | docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md |
| Gitea read-only inventory approval JSON | docs/security/gitea-readonly-inventory-approval.snapshot.json |
| Gitea 管理匯出 redaction checklist | docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md |
| Gitea org endpoint blocked evidence | docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md |
| Source-control migration matrix | docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md |
| Canonical repo 判定表 | docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md |
| GitHub target 決策表 | docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md |
| GitHub target 決策 JSON | docs/security/github-target-decision.snapshot.json |
| GitHub target repo approval package | docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md |
| GitHub target repo approval JSON | docs/security/github-target-repo-approval-package.snapshot.json |
| Source Control approval board | docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md |
| Source Control approval board JSON | docs/security/source-control-approval-board.snapshot.json |
| Source Control draft reconcile plan | docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md |
| Source Control draft reconcile plan JSON | docs/security/source-control-reconcile-plan.snapshot.json |
| Source Control branch/tag detail diff | docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md |
| Source Control branch/tag detail diff JSON | docs/security/source-control-ref-detail-diff.snapshot.json |
| Source Control ref truth classification | docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md |
| Source Control ref truth classification JSON | docs/security/source-control-ref-truth-classification.snapshot.json |
| Kali 112 integration status | docs/security/KALI-INTEGRATION-STATUS.md |
| Kali 112 integration status JSON | docs/security/kali-integration-status.snapshot.json |
| Security finding contract | docs/security/SECURITY-FINDING-CONTRACT.md |
| Security finding sample JSON | docs/security/security-finding-kali-sample.snapshot.json |
| Kali scan scope approval package | docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md |
| Kali scan scope approval JSON | docs/security/kali-scan-scope-approval.snapshot.json |
| Security approval queue | docs/security/SECURITY-APPROVAL-QUEUE.md |
| Security approval queue JSON | docs/security/security-approval-queue.snapshot.json |
| Security approval gate | docs/security/SECURITY-APPROVAL-GATE.md |
| Security approval gate JSON | docs/security/security-approval-gate.snapshot.json |
| Security approval decision record | docs/security/SECURITY-APPROVAL-DECISION-RECORD.md |
| Security approval decision record JSON | docs/security/security-approval-decision-record.snapshot.json |
| Security approval review packet | docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md |
| Security approval review packet JSON | docs/security/security-approval-review-packet.snapshot.json |
| Security mirror readiness | docs/security/SECURITY-MIRROR-READINESS.md |
| Security mirror readiness JSON | docs/security/security-mirror-readiness.snapshot.json |
| Security mirror intake plan | docs/security/SECURITY-MIRROR-INTAKE-PLAN.md |
| Security mirror intake plan JSON | docs/security/security-mirror-intake-plan.snapshot.json |
| 資安鏡像事件契約 | docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md |
| 資安鏡像事件範例 JSON | docs/security/security-mirror-event-sample.snapshot.json |
| 資安鏡像路由矩陣 | docs/security/SECURITY-MIRROR-ROUTE.md |
| 資安鏡像路由矩陣 JSON | docs/security/security-mirror-route.snapshot.json |
| 資安鏡像驗收契約 | docs/security/SECURITY-MIRROR-ACCEPTANCE.md |
| 資安鏡像驗收契約 JSON | docs/security/security-mirror-acceptance.snapshot.json |
| 資安鏡像隔離契約 | docs/security/SECURITY-MIRROR-QUARANTINE.md |
| 資安鏡像隔離契約 JSON | docs/security/security-mirror-quarantine.snapshot.json |
| 資安鏡像 dry-run 報告契約 | docs/security/SECURITY-MIRROR-DRY-RUN.md |
| 資安鏡像 dry-run 報告契約 JSON | docs/security/security-mirror-dry-run.snapshot.json |
| 資安鏡像狀態彙整契約 | docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md |
| 資安鏡像狀態彙整契約 JSON | docs/security/security-mirror-status-rollup.snapshot.json |
| 低摩擦 rollout policy | docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md |
| 低摩擦 rollout policy JSON | docs/security/security-rollout-policy.snapshot.json |
| Security Supply Chain contract manifest | docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md |
| Security Supply Chain contract manifest JSON | docs/security/security-supply-chain-contract-manifest.snapshot.json |
2. 現在不能做的事
- 不建立或刪除 GitHub / Gitea repo。
- 不修改 repo visibility。
- 不同步 refs、branch、tag。
- 不切 GitHub primary。
- 不把 Codex patch runner、Kali scan 或 deploy 接進 AwoooP runtime。
- 不保存 secret / token value。
2.1 初期不要過度收緊
- Read-only inventory、文件化、risk label、mirror evidence 可持續推進。
- 初期不把 LOW / MEDIUM observation 變成阻擋條件。
- 初期不要求所有 repo 一次完成最高等級 controls。
- 只針對不可逆或高風險動作設 approval gate。
- 每階段完成後再逐步收斂,避免讓產品、架構與部署流程突然變複雜。
3. 下一階段建議
- 等待 Gitea read-only inventory approval 被批准後,再用只讀 token 或管理匯出補 private/internal server-side 全量 repo list。
- 依
SOURCE-CONTROL-APPROVAL-BOARD.md對 7 個approval_required=true的 GitHub target 做 owner / visibility / canonical 決策。 - 依
SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md對awoooi、clawbot-v5、wooo-aiops做單 repo / 單 ref owner 判定;仍不得 push refs。 - 對
ewoooc/momo-pro-system完成 server-side canonical 判定。 - 依
KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接/execute。 - AwoooP 主線先讀
security_mirror_readiness_v1、security_mirror_intake_plan_v1、security_mirror_event_v1、security_mirror_route_v1、security_mirror_acceptance_v1、security_mirror_quarantine_v1、security_mirror_dry_run_v1、security_mirror_status_rollup_v1、security_approval_gate_v1、security_approval_decision_record_v1與security_approval_review_packet_v1,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。 - AwoooP 主線消費
security_rollout_policy_v1時,只做 read-only policy,不做 runtime blocking。 - AwoooP 主線再讀
security_approval_queue_v1、security_approval_gate_v1、security_approval_decision_record_v1、security_approval_review_packet_v1與security_supply_chain_contract_manifest_v1,顯示 review order、批准範圍、審查封包、決策紀錄與 blocked reason,不新增 execution router。