{
"schema_version": "security_mirror_status_rollup_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"rollup_status": "framework_ready_waiting_approval",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-mirror-intake-plan.snapshot.json",
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json",
"docs/security/security-mirror-dry-run.snapshot.json",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-approval-gate.snapshot.json",
"docs/security/security-approval-decision-record.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"total_contracts": 30,
"ready_for_mirror_count": 27,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
"approval_queue_total": 8,
"approval_review_packet_total": 8,
"pending_approval_count": 7,
"block_candidate_count": 1,
"dry_run_status": "contract_defined_not_executed",
"runtime_actions_executed": false,
"payloads_ingested": false
},
"phase_status": [
{
"phase_id": "S0_contracts_and_boundaries",
"state": "completed",
"current_result": "Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立。",
"next_gate": "AwoooP 只讀 mirror 消費。"
},
{
"phase_id": "S1_readonly_inventory",
"state": "in_progress",
"current_result": "已完成多項 read-only evidence;Gitea private/internal 全量 repo list 仍需批准後補齊。",
"next_gate": "只讀 token 或 redacted admin export approval。"
},
{
"phase_id": "S2_mirror_only_consumption",
"state": "draft_ready",
"current_result": "Mirror readiness、intake、event、route、acceptance、quarantine、dry-run 與 status rollup 契約已建立。",
"next_gate": "AwoooP 主線只建立 read-only / mirror-only UI 與 audit evidence,不新增 execution router。"
},
{
"phase_id": "S3_approval_gate",
"state": "draft_ready",
"current_result": "Approval queue 已列出 8 個候選;security_approval_gate_v1 已定義人工 gate;security_approval_decision_record_v1 已定義決策紀錄格式;security_approval_review_packet_v1 已定義人工審查封包。",
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea read-only inventory;review packet 與決策紀錄都不等於執行授權。"
},
{
"phase_id": "S4_migration_execution",
"state": "not_started",
"current_result": "GitHub primary 是長期方向,但 refs / tags / workflow / secret 名稱尚未全量驗證。",
"next_gate": "SHA/tag/workflow parity、rollback ADR 與逐 repo 人工批准。"
}
],
"next_safe_actions": [
{
"action_id": "mirror_status_rollup_to_awooop",
"title": "AwoooP 顯示資安供應鏈總覽",
"mode": "observe",
"source_contract": "security_mirror_status_rollup_v1",
"allowed_processing": [
"顯示階段狀態、contract readiness、approval queue summary",
"顯示下一個 gate",
"寫入 audit evidence"
],
"blocked_processing": [
"把 rollup 當成 runtime authorization",
"新增 scan / execute / repo / refs action button",
"把 LOW / MEDIUM observation 變成 blocking gate"
]
},
{
"action_id": "mirror_approval_review_packets",
"title": "AwoooP 顯示 8 個人工審查封包",
"mode": "approval_required",
"source_contract": "security_approval_review_packet_v1",
"allowed_processing": [
"顯示 review order、review lane、required reviewers 與 requested decision",
"顯示仍然禁止事項與 follow-up runtime gate",
"將人工決策另寫入 security_approval_decision_record_v1"
],
"blocked_processing": [
"把 review packet 當成批准",
"把 review packet 當成 execution authorization",
"新增 scan / execute / repo / refs action button"
]
},
{
"action_id": "review_redacted_finding_ingestion",
"title": "先審 redacted finding ingestion adapter",
"mode": "approval_required",
"source_contract": "security_approval_queue_v1",
"allowed_processing": [
"依 security_approval_gate_v1 人工審查是否可設計 redacted security_finding_v1 ingestion",
"依 security_approval_decision_record_v1 記錄人工決策",
"維持只接收摘要與 evidence_ref",
"保留 patch-only / review gate"
],
"blocked_processing": [
"保存 raw secret/token/cookie/private key/exploit payload",
"讓 AwoooP 直接啟動 scan",
"自動修復或自動封鎖 deploy"
]
},
{
"action_id": "review_gitea_readonly_inventory",
"title": "審查 Gitea private/internal 只讀 inventory",
"mode": "approval_required",
"source_contract": "gitea_repo_inventory_v1",
"allowed_processing": [
"使用 read-only token 或 redacted admin export 補齊 repo list",
"只保存 token_present=true/false",
"更新 migration matrix 與 decision table"
],
"blocked_processing": [
"保存 token value",
"使用 write-capable token",
"建立 GitHub repo 或 sync refs"
]
},
{
"action_id": "review_github_target_decisions",
"title": "逐 repo 審 GitHub target / owner / visibility / canonical",
"mode": "approval_required",
"source_contract": "source_control_approval_board_v1",
"allowed_processing": [
"逐 repo 更新 owner / visibility / canonical decision",
"產生 draft reconcile plan 或 ADR",
"維持 refs action disabled"
],
"blocked_processing": [
"建立 repo",
"修改 visibility",
"push / delete refs",
"切 GitHub primary"
]
},
{
"action_id": "keep_kali_execute_blocked",
"title": "Kali /execute 維持 block candidate",
"mode": "block_candidate",
"source_contract": "kali_scan_scope_approval_v1",
"allowed_processing": [
"只設計 disable / allowlist / audit gate",
"保留人工 exception 記錄",
"持續顯示 blocked reason"
],
"blocked_processing": [
"AwoooP runtime 直接呼叫 /execute",
"把 /execute 當成一般 MCP action",
"執行 shell command 自動修復"
]
}
],
"session_sync_notes": [
"本 rollup 是跨 Session 的共同讀取入口,避免 AwoooP 主線與 Security Supply Chain Session 對進度與 gate 判讀不一致。",
"S2/S3 目前仍屬框架期;狀態與人工 gate 可見,不代表 production ingestion、scan、repo migration 或 runtime enforcement 已啟用。",
"S3.1 只新增人工決策紀錄格式;決策紀錄仍維持 execution_authorized=false,不可直接跳到執行面。",
"S3.2 只新增人工審查封包格式;review packet 只讓 AwoooP 顯示與準備人審,不代表批准。"
],
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload",
"turn_low_medium_observations_into_blocking_gates"
]
}