awoooi/docs/security/security-mirror-acceptance.snapshot.json

{
"schema_version": "security_mirror_acceptance_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/security-mirror-route.snapshot.json"
],
"summary": {
"total_contracts": 30,
"ready_for_mirror_count": 27,
"route_group_count": 5,
"acceptance_check_count": 7,
"blocking_check_count": 4
},
"acceptance_checks": [
{
"check_id": "CONTRACT_COUNT_MATCH",
"title": "契約數量一致",
"expected_result": "AwoooP 讀到 30 個 contracts,且 manifest、readiness、route coverage 的 contract 集合一致。",
"evidence_refs": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-mirror-route.snapshot.json"
],
"blocking_if_failed": true,
"allowed_processing": [
"顯示 contract count mismatch",
"要求 Security Supply Chain Session 修正 snapshot"
],
"blocked_processing": [
"以不完整 contract list 啟動鏡像",
"補猜缺漏 contract",
"忽略 mismatch 後繼續"
]
},
{
"check_id": "EVENT_ENVELOPE_REQUIRED",
"title": "鏡像事件信封必填",
"expected_result": "每筆 mirror payload 都帶 `security_mirror_event_v1`,且 `execution_authorized=false`、`action_buttons_allowed=false`。",
"evidence_refs": [
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md"
],
"blocking_if_failed": true,
"allowed_processing": [
"拒收未帶信封的 mirror payload",
"顯示缺失欄位"
],
"blocked_processing": [
"自動補成可執行事件",
"顯示執行按鈕",
"把 mirror event 當 approval"
]
},
{
"check_id": "ROUTE_GROUP_COVERAGE",
"title": "路由群組覆蓋",
"expected_result": "5 個 route groups 合併後涵蓋 manifest 30 個 contracts,且每個 group 都有 destinations、channel_policy 與 review_lane。",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"blocking_if_failed": true,
"allowed_processing": [
"顯示 route group 缺漏",
"停留在 observe-only 狀態"
],
"blocked_processing": [
"使用 fallback 執行路由",
"把未知 contract 送進 execution queue"
]
},
{
"check_id": "REDACTION_ONLY",
"title": "只接受脫敏 evidence",
"expected_result": "Mirror payload 不保存 raw secret、token、cookie、private key 或 exploit payload。",
"evidence_refs": [
"docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md",
"docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md"
],
"blocking_if_failed": true,
"allowed_processing": [
"標示 redaction failed",
"要求來源重新輸出脫敏 snapshot"
],
"blocked_processing": [
"保存 raw sensitive value",
"將 secret value 寫入 Runtime State 或 Audit evidence"
]
},
{
"check_id": "LOW_MEDIUM_NOT_BLOCKING",
"title": "LOW / MEDIUM 不升級為阻擋",
"expected_result": "LOW / MEDIUM observation 初期只進 observe / warn,不變成 blocking gate。",
"evidence_refs": [
"docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md",
"docs/security/security-rollout-policy.snapshot.json"
],
"blocking_if_failed": false,
"allowed_processing": [
"顯示 observe / warn",
"排入 weekly review"
],
"blocked_processing": [
"阻擋 deploy",
"自動封鎖 service",
"要求全 repo 一次升級到最高安全等級"
]
},
{
"check_id": "APPROVAL_IS_NOT_EXECUTION",
"title": "Approval Queue 不是執行隊列",
"expected_result": "Approval Queue 只保存候選、review order 與人工決策留痕;批准後執行仍需要下一階段 runtime gate。",
"evidence_refs": [
"docs/security/SECURITY-APPROVAL-QUEUE.md",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-mirror-route.snapshot.json"
],
"blocking_if_failed": false,
"allowed_processing": [
"建立 approval candidate",
"記錄人工決策"
],
"blocked_processing": [
"auto approve",
"批准後直接執行",
"把 approval queue 接成 runner"
]
},
{
"check_id": "CHANNEL_LOW_NOISE",
"title": "Channel Event 低噪音",
"expected_result": "Channel Event 初期只發階段完成、blocked 狀態或人工批准必要事件,不對所有 LOW / MEDIUM observation 發通知。",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"blocking_if_failed": false,
"allowed_processing": [
"發送低噪音狀態摘要",
"顯示高風險 approval-required 事件"
],
"blocked_processing": [
"對所有 observation 發通知",
"用通知量取代 review lane"
]
}
],
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload"
]
}