awoooi/docs/security/security-rollout-policy.snapshot.json
feat(web): land iwooos security posture surfaces
2026-05-25 20:35:52 +08:00

{
"schema_version": "security_rollout_policy_v1",
"status": "draft",
"default_mode": "observe",
"enforcement_level": "mirror_only",
"non_blocking_escalation_lane_count": 7,
"non_blocking_escalation_lanes": [
{
"lane_id": "lane-low-medium-observation",
"display_order": 1,
"trigger": "LOW / MEDIUM finding 且不涉及不可逆變更、secret value、repo / refs / deploy / primary control plane。",
"initial_mode": "warn",
"allowed_action": "標記風險、建立 follow-up、補 evidence_ref 或準備草案。",
"forbidden_escalation": "不得阻擋 deploy、不得自動 patch、不得自動 merge、不得建立 runtime blocker。",
"owner_review_required_before_blocking": true,
"runtime_blocking_allowed": false,
"awooop_display_mode": "display_low_friction_non_blocking_lane_only",
"not_authorization": true
},
{
"lane_id": "lane-owner-response-missing",
"display_order": 2,
"trigger": "S4.9 / S4.10 / S4.11 / S4.12 owner response 尚未收到或尚未 accepted。",
"initial_mode": "observe",
"allowed_action": "顯示 missing lane、next collection candidate、template status 與 request packet。",
"forbidden_escalation": "不得把未回覆當成拒絕、不得停止產品流程、不得自動補 owner response。",
"owner_review_required_before_blocking": true,
"runtime_blocking_allowed": false,
"awooop_display_mode": "display_low_friction_non_blocking_lane_only",
"not_authorization": true
},
{
"lane_id": "lane-mirror-data-incomplete",
"display_order": 3,
"trigger": "mirror snapshot、redacted payload 或 contract coverage 不完整,但未涉及 raw secret / token / exploit payload。",
"initial_mode": "warn",
"allowed_action": "顯示 partial / quarantine reason、要求補 redacted snapshot、保留 retry gate。",
"forbidden_escalation": "不得阻擋無關 runtime、不得把 partial mirror 當 production incident、不得吞入未脫敏 payload。",
"owner_review_required_before_blocking": true,
"runtime_blocking_allowed": false,
"awooop_display_mode": "display_low_friction_non_blocking_lane_only",
"not_authorization": true
},
{
"lane_id": "lane-source-control-drift-draft",
"display_order": 4,
"trigger": "GitHub / Gitea refs、target、visibility 或 canonical decision 存在差異,但尚未 owner approved。",
"initial_mode": "warn",
"allowed_action": "維持 draft reconcile plan、ADR、read-only diff 與 owner review lane。",
"forbidden_escalation": "不得 sync refs、delete refs、force push、建立 repo、修改 visibility 或切 GitHub primary。",
"owner_review_required_before_blocking": true,
"runtime_blocking_allowed": false,
"awooop_display_mode": "display_low_friction_non_blocking_lane_only",
"not_authorization": true
},
{
"lane_id": "lane-kali-observe-finding",
"display_order": 5,
"trigger": "Kali finding 或 scan scope 仍在 observe / approval package 階段。",
"initial_mode": "warn",
"allowed_action": "只顯示 redacted finding summary、evidence_ref、scan scope approval candidate 與 block reason。",
"forbidden_escalation": "不得自動啟動 active scan、不得呼叫 /execute、不得把 finding 直接變 deploy blocker。",
"owner_review_required_before_blocking": true,
"runtime_blocking_allowed": false,
"awooop_display_mode": "display_low_friction_non_blocking_lane_only",
"not_authorization": true
},
{
"lane_id": "lane-workflow-secret-name-gap",
"display_order": 6,
"trigger": "workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 secret 名稱 parity 尚缺 redacted evidence。",
"initial_mode": "warn",
"allowed_action": "要求 redacted export、顯示 owner response template 與只讀 readiness blocker wording。",
"forbidden_escalation": "不得收集 secret value、不得啟用 GitHub hosted runner、不得修改 workflow / webhook / repository secret。",
"owner_review_required_before_blocking": true,
"runtime_blocking_allowed": false,
"awooop_display_mode": "display_low_friction_non_blocking_lane_only",
"not_authorization": true
},
{
"lane_id": "lane-progress-display-holding",
"display_order": 7,
"trigger": "headline progress 維持 58%,但 framework detail ledger 持續增加。",
"initial_mode": "observe",
"allowed_action": "顯示 micro progress、latest delta、not_authorization 與下一個高層 gate。",
"forbidden_escalation": "不得把 progress holding 解讀成卡住、不得把 micro progress 當 runtime approval。",
"owner_review_required_before_blocking": true,
"runtime_blocking_allowed": false,
"awooop_display_mode": "display_low_friction_non_blocking_lane_only",
"not_authorization": true
}
],
"allowed_awooop_outputs": [
"display_non_blocking_escalation_lanes",
"create_followup_without_blocking",
"show_owner_review_required_before_blocking",
"keep_runtime_blocking_false"
],
"policy_items": [
{
"condition": "read_only_inventory_or_evidence_mirror",
"mode": "observe",
"allowed": [
"collect_metadata",
"write_redacted_snapshot",
"update_docs",
"mirror_to_awooop_runtime_state"
],
"forbidden": [
"change_runtime",
"write_to_remote_system",
"delete_or_archive_repo",
"sync_refs"
],
"reason": "初期先建立可見性與追溯性,不阻擋產品與架構推進。"
},
{
"condition": "low_or_medium_observation_without_irreversible_change",
"mode": "warn",
"allowed": [
"label_risk",
"create_followup_item",
"add_evidence_ref",
"prepare_draft_plan"
],
"forbidden": [
"block_deploy",
"force_owner_decision",
"auto_patch",
"auto_merge"
],
"reason": "LOW / MEDIUM observation 先累積 evidence,不把日常流程變成審批地獄。"
},
{
"condition": "uses_readonly_token_or_admin_export",
"mode": "approve_required",
"allowed": [
"request_human_approval",
"run_once_after_approval",
"store_token_present_boolean_only",
"write_redacted_inventory"
],
"forbidden": [
"store_token_value",
"reuse_write_token",
"write_to_gitea",
"create_repo"
],
"reason": "只讀 token 與管理匯出會碰敏感邊界,需 approval,但仍不授權任何同步或寫入。"
},
{
"condition": "repo_creation_visibility_change_or_refs_sync",
"mode": "approve_required",
"allowed": [
"create_approval_candidate",
"prepare_migration_plan",
"prepare_rollback_plan"
],
"forbidden": [
"execute_without_owner_approval",
"push_refs",
"change_visibility",
"switch_primary"
],
"reason": "這些動作會改供應鏈控制面,必須逐 repo 核准。"
},
{
"condition": "secret_rbac_network_firewall_deploy_or_primary_switch",
"mode": "approve_required",
"allowed": [
"create_approval_required_event",
"prepare_dry_run_plan",
"define_rollback"
],
"forbidden": [
"auto_execute",
"store_secret_value",
"skip_human_review"
],
"reason": "這些動作有生產、權限或安全 blast radius,不進入初期自動化。"
},
{
"condition": "destructive_action_without_rollback_or_secret_value_storage",
"mode": "block_candidate",
"allowed": [
"record_block_reason",
"request_manual_exception"
],
"forbidden": [
"force_push",
"delete_repo",
"store_raw_secret",
"disable_audit"
],
"reason": "不可逆且無 rollback 的動作不屬於初期框架建置範圍。"
}
]
}