awoooi/docs/security/security-mirror-dry-run.snapshot.json

{
"schema_version": "security_mirror_dry_run_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"dry_run_status": "contract_defined_not_executed",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"summary": {
"total_contracts": 30,
"ready_for_mirror_count": 27,
"route_group_count": 5,
"acceptance_check_count": 7,
"quarantine_lane_count": 5,
"runtime_actions_executed": false,
"payloads_ingested": false
},
"dry_run_steps": [
{
"step_id": "LOAD_CONTRACT_INDEXES",
"expected_observation": "AwoooP dry-run 可讀到 manifest、readiness、event、route、acceptance、quarantine indexes。",
"evidence_refs": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json"
],
"pass_condition": "看到 30 個 contracts、27 個 ready for mirror，且所有 contract execution_allowed=false。",
"execution_allowed": false,
"blocked_actions": [
"execute_contract",
"create_runtime_router",
"add_action_button"
]
},
{
"step_id": "CHECK_EVENT_ENVELOPE",
"expected_observation": "每筆 mirror payload 都必須使用 security_mirror_event_v1 信封。",
"evidence_refs": [
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md"
],
"pass_condition": "execution_authorized=false 且 action_buttons_allowed=false。",
"execution_allowed": false,
"blocked_actions": [
"execute_event",
"show_action_button",
"auto_approve_event"
]
},
{
"step_id": "CHECK_ROUTE_COVERAGE",
"expected_observation": "5 個 route groups 覆蓋 manifest contract set，並保留 channel policy 與 review lane。",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"pass_condition": "route groups 合併後涵蓋 30 個 contracts，沒有未知 execution route。",
"execution_allowed": false,
"blocked_actions": [
"fallback_to_execution_route",
"send_unknown_contract_to_runner",
"auto_route_to_approval_queue"
]
},
{
"step_id": "CHECK_ACCEPTANCE_AND_QUARANTINE",
"expected_observation": "7 個 acceptance checks 與 5 個 quarantine lanes 都可顯示，且失敗 payload 只隔離不執行。",
"evidence_refs": [
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"pass_condition": "blocking checks 只阻擋壞的 mirror payload，quarantine 不阻擋 runtime。",
"execution_allowed": false,
"blocked_actions": [
"runtime_block_product_flow",
"auto_retry_failed_payload",
"convert_quarantine_to_execution"
]
},
{
"step_id": "CHECK_LOW_NOISE_CHANNEL",
"expected_observation": "Channel Event 初期只發低噪音摘要或人工批准必要事件。",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"pass_condition": "LOW / MEDIUM observation 不發阻擋事件、不洗版。",
"execution_allowed": false,
"blocked_actions": [
"notify_every_observation",
"block_deploy_on_low_medium",
"turn_warning_into_runtime_alarm"
]
},
{
"step_id": "CONFIRM_NO_RUNTIME_ACTION",
"expected_observation": "Dry-run 期間沒有 scan、execute、repo、refs、deploy、secret 類動作。",
"evidence_refs": [
"docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md",
"docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md"
],
"pass_condition": "runtime_actions_executed=false 且 payloads_ingested=false。",
"execution_allowed": false,
"blocked_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"create_github_repo",
"sync_git_refs",
"switch_github_primary",
"production_deploy",
"store_secret_value"
]
}
],
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload"
]
}