269 lines
14 KiB
JSON
269 lines
14 KiB
JSON
{
|
||
"schema_version": "security_mirror_dry_run_v1",
|
||
"status": "draft",
|
||
"date": "2026-05-13",
|
||
"mode": "mirror_only",
|
||
"dry_run_status": "contract_defined_not_executed",
|
||
"runtime_execution_authorized": false,
|
||
"source_indexes": [
|
||
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
|
||
"docs/security/security-mirror-readiness.snapshot.json",
|
||
"docs/security/security-mirror-event-sample.snapshot.json",
|
||
"docs/security/security-mirror-route.snapshot.json",
|
||
"docs/security/security-mirror-acceptance.snapshot.json",
|
||
"docs/security/security-mirror-quarantine.snapshot.json",
|
||
"docs/security/security-mirror-status-rollup.snapshot.json",
|
||
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
|
||
"docs/security/iwooos-posture-projection.snapshot.json"
|
||
],
|
||
"summary": {
|
||
"total_contracts": 36,
|
||
"ready_for_mirror_count": 33,
|
||
"route_group_count": 5,
|
||
"acceptance_check_count": 8,
|
||
"quarantine_lane_count": 5,
|
||
"runtime_actions_executed": false,
|
||
"payloads_ingested": false
|
||
},
|
||
"dry_run_steps": [
|
||
{
|
||
"step_id": "LOAD_CONTRACT_INDEXES",
|
||
"expected_observation": "AwoooP dry-run 可讀到 manifest、readiness、event、route、acceptance、quarantine indexes。",
|
||
"evidence_refs": [
|
||
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
|
||
"docs/security/security-mirror-readiness.snapshot.json",
|
||
"docs/security/iwooos-posture-projection.snapshot.json"
|
||
],
|
||
"pass_condition": "看到 36 個 contracts、33 個 ready for mirror,且所有 contract execution_allowed=false。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"execute_contract",
|
||
"create_runtime_router",
|
||
"add_action_button"
|
||
]
|
||
},
|
||
{
|
||
"step_id": "CHECK_EVENT_ENVELOPE",
|
||
"expected_observation": "每筆 mirror payload 都必須使用 security_mirror_event_v1 信封。",
|
||
"evidence_refs": [
|
||
"docs/security/security-mirror-event-sample.snapshot.json",
|
||
"docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md"
|
||
],
|
||
"pass_condition": "execution_authorized=false 且 action_buttons_allowed=false。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"execute_event",
|
||
"show_action_button",
|
||
"auto_approve_event"
|
||
]
|
||
},
|
||
{
|
||
"step_id": "CHECK_ROUTE_COVERAGE",
|
||
"expected_observation": "5 個 route groups 覆蓋 manifest contract set,並保留 channel policy 與 review lane。",
|
||
"evidence_refs": [
|
||
"docs/security/security-mirror-route.snapshot.json",
|
||
"docs/security/SECURITY-MIRROR-ROUTE.md"
|
||
],
|
||
"pass_condition": "route groups 合併後涵蓋 36 個 contracts,沒有未知 execution route。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"fallback_to_execution_route",
|
||
"send_unknown_contract_to_runner",
|
||
"auto_route_to_approval_queue"
|
||
]
|
||
},
|
||
{
|
||
"step_id": "CHECK_ACCEPTANCE_AND_QUARANTINE",
|
||
"expected_observation": "8 個 acceptance checks 與 5 個 quarantine lanes 都可顯示,且失敗 payload 只隔離不執行。",
|
||
"evidence_refs": [
|
||
"docs/security/security-mirror-acceptance.snapshot.json",
|
||
"docs/security/security-mirror-quarantine.snapshot.json"
|
||
],
|
||
"pass_condition": "blocking checks 只阻擋壞的 mirror payload;quarantine 不阻擋 runtime。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"runtime_block_product_flow",
|
||
"auto_retry_failed_payload",
|
||
"convert_quarantine_to_execution"
|
||
]
|
||
},
|
||
{
|
||
"step_id": "CHECK_PROGRESS_GUARD",
|
||
"expected_observation": "AwoooP dry-run 必須確認 58% headline 進度與 micro progress delta ledger 只作狀態顯示,不代表 approval、runtime gate、GitHub primary、repo / refs / workflow / secret / runner 或 Kali scan 授權;所有 delta 的 headline_percent_delta 必須為 0。",
|
||
"evidence_refs": [
|
||
"docs/security/security-mirror-status-rollup.snapshot.json",
|
||
"docs/security/security-mirror-acceptance.snapshot.json",
|
||
"scripts/security/security-mirror-progress-guard.py"
|
||
],
|
||
"pass_condition": "`python3 scripts/security/security-mirror-progress-guard.py` 回傳 SECURITY_MIRROR_PROGRESS_GUARD_OK,且 runtime_actions_executed=false、payloads_ingested=false。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"treat_progress_as_approval",
|
||
"activate_runtime_gate",
|
||
"add_action_button",
|
||
"start_kali_scan",
|
||
"create_github_repo",
|
||
"sync_git_refs",
|
||
"switch_github_primary"
|
||
]
|
||
},
|
||
{
|
||
"step_id": "CHECK_OWNER_RESPONSE_GUARD",
|
||
"expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_response,received / accepted 皆為 0,且 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / intake preflight / outcome lanes 只提示 owner,S4.10 owner response request packet 只提示 9 個 GitHub target 要回覆的 owner / visibility / canonical 欄位,S4.10 template status ledger 逐項顯示 waiting / request ready,S4.10 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.10 redaction examples 只顯示可接受的脫敏 metadata shape,S4.10 collection checks 只維持 request / received / accepted 分離,S4.10 intake preflight checks 只分類可收、補證、隔離或拒收,S4.11 request packet 只提示 5 類 refs truth owner response 欄位,S4.11 template status ledger 逐項顯示 waiting / request ready,S4.11 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.11 redaction examples 只顯示安全 metadata shape,S4.11 collection checks 只維持 request / received / accepted 分離,S4.11 intake preflight checks 只分類可審、補證、隔離、拒收或等待,S4.12 request packet 只提示 5 類 workflow / secret 名稱 owner response 欄位,S4.12 template status ledger 逐項顯示 waiting / request ready,S4.12 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.12 redaction examples 只顯示安全 metadata shape,S4.12 collection checks 只維持 request / received / accepted 分離,S4.12 intake preflight checks 只分類可審、補證、隔離或拒收;不能把 request shown、template status、response received metadata、redaction example、collection check pass、preflight pass 或 outcome classified 當成 approval,不能解鎖 repo、refs、workflow、secret、runner、GitHub primary、audit production ingestion 或 runtime action。",
|
||
"evidence_refs": [
|
||
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
|
||
"docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md",
|
||
"scripts/security/source-control-owner-response-guard.py"
|
||
],
|
||
"pass_condition": "`python3 scripts/security/source-control-owner-response-guard.py` 回傳 SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK,且 received_response_count=0、accepted_response_count=0。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"treat_owner_guard_as_response_received",
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"sync_git_refs",
|
||
"modify_workflow_or_secret",
|
||
"enable_runner",
|
||
"switch_github_primary"
|
||
]
|
||
},
|
||
{
|
||
"step_id": "CHECK_OWNER_GATE_GUARD",
|
||
"expected_observation": "AwoooP dry-run 必須確認 S4.9 canonical owner response envelope、intake form、gap audit、Gitea owner attestation response、S4.10 / S4.11 / S4.12 owner response packet 與 S4.13 rollup 全部維持 waiting owner response;五題、六欄、四包、received / accepted / rejected=0、runtime gate=0、action button=false 必須一致。",
|
||
"evidence_refs": [
|
||
"docs/security/S4-9-OWNER-RESPONSE-GATE-CURRENT-GAP-AUDIT.md",
|
||
"docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md",
|
||
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
|
||
"scripts/security/iwooos-owner-gate-guard.py"
|
||
],
|
||
"pass_condition": "`python3 scripts/security/iwooos-owner-gate-guard.py` 回傳 IWOOOS_OWNER_GATE_GUARD_OK,且 request_sent_count=0、received_response_count=0、accepted_response_count=0、runtime_gate_count=0。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"treat_intake_form_as_owner_response",
|
||
"mark_owner_response_received_without_envelope",
|
||
"mark_owner_response_accepted_without_reviewer",
|
||
"create_github_repo",
|
||
"sync_git_refs",
|
||
"modify_workflow_or_secret",
|
||
"enable_runner",
|
||
"open_runtime_gate"
|
||
]
|
||
},
|
||
{
|
||
"step_id": "CHECK_CONFIG_CONTROL_GUARD",
|
||
"expected_observation": "AwoooP dry-run 必須確認 14 類高價值配置控管 snapshot 齊備,Nginx、DNS / TLS、K8s、Secrets、runner、public runtime、防火牆、backup、monitoring 與 agent-bounty-protocol 的 owner response / change evidence 帳本仍維持只讀,不代表 reload、restart、sync、deploy、secret、scan 或 runtime gate 授權。",
|
||
"evidence_refs": [
|
||
"docs/security/high-value-config-control-coverage.snapshot.json",
|
||
"docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md",
|
||
"scripts/security/iwooos-config-control-guard.py"
|
||
],
|
||
"pass_condition": "`python3 scripts/security/iwooos-config-control-guard.py` 回傳 IWOOOS_CONFIG_CONTROL_GUARD_OK,且 owner_response_received_count=0、owner_response_accepted_count=0、runtime_gate_count=0、action_button_count=0。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"treat_config_coverage_as_runtime_approval",
|
||
"reload_nginx",
|
||
"modify_firewall",
|
||
"modify_workflow_or_secret",
|
||
"enable_runner",
|
||
"run_active_scan",
|
||
"production_deploy"
|
||
]
|
||
},
|
||
{
|
||
"step_id": "CHECK_PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD",
|
||
"expected_observation": "AwoooP dry-run 必須確認 Package / Docker 供應鏈 baseline 的五個缺口已轉成 owner policy gate,六個 request、兩個 C0、八個 owner 欄位、十二個 reviewer checks、二十個 blocked actions 齊備,且 request_sent / received / accepted / runtime / action 全部維持 0 / false。",
|
||
"evidence_refs": [
|
||
"docs/security/PACKAGE-SUPPLY-CHAIN-BASELINE.md",
|
||
"docs/security/package-supply-chain-baseline.snapshot.json",
|
||
"docs/security/PACKAGE-SUPPLY-CHAIN-OWNER-POLICY-GATE.md",
|
||
"docs/security/package-supply-chain-owner-policy-gate.snapshot.json",
|
||
"scripts/security/package-supply-chain-owner-policy-guard.py"
|
||
],
|
||
"pass_condition": "`python3 scripts/security/package-supply-chain-owner-policy-guard.py` 回傳 PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK,且不 install、不 upgrade、不跑外部 CVE / license lookup、不產生 SBOM、不 pull / build / push image、不登入 registry。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"install_package",
|
||
"upgrade_package",
|
||
"rewrite_lockfile",
|
||
"pin_requirements_without_owner_policy",
|
||
"run_external_cve_lookup",
|
||
"run_external_license_lookup",
|
||
"generate_sbom",
|
||
"docker_pull",
|
||
"docker_build",
|
||
"docker_push",
|
||
"registry_login",
|
||
"production_deploy",
|
||
"open_runtime_gate"
|
||
]
|
||
},
|
||
{
|
||
"step_id": "CHECK_LOW_NOISE_CHANNEL",
|
||
"expected_observation": "Channel Event 初期只發低噪音摘要或人工批准必要事件。",
|
||
"evidence_refs": [
|
||
"docs/security/security-mirror-route.snapshot.json",
|
||
"docs/security/SECURITY-MIRROR-ROUTE.md"
|
||
],
|
||
"pass_condition": "LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 不發阻擋事件、不洗版。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"notify_every_observation",
|
||
"block_deploy_on_low_medium",
|
||
"turn_warning_into_runtime_alarm"
|
||
]
|
||
},
|
||
{
|
||
"step_id": "CONFIRM_NO_RUNTIME_ACTION",
|
||
"expected_observation": "Dry-run 期間沒有 scan、execute、repo、refs、deploy、secret 類動作。",
|
||
"evidence_refs": [
|
||
"docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md",
|
||
"docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md"
|
||
],
|
||
"pass_condition": "runtime_actions_executed=false 且 payloads_ingested=false。",
|
||
"execution_allowed": false,
|
||
"blocked_actions": [
|
||
"start_kali_scan",
|
||
"call_kali_execute_endpoint",
|
||
"create_github_repo",
|
||
"sync_git_refs",
|
||
"switch_github_primary",
|
||
"production_deploy",
|
||
"store_secret_value"
|
||
]
|
||
}
|
||
],
|
||
"latest_local_validation": {
|
||
"status": "repo_snapshot_guard_pass",
|
||
"date": "2026-06-15",
|
||
"scope": "repo_snapshot_only",
|
||
"command": "python3 scripts/security/security-mirror-progress-guard.py && python3 scripts/security/source-control-owner-response-guard.py && python3 scripts/security/iwooos-config-control-guard.py && python3 scripts/security/iwooos-owner-gate-guard.py && python3 scripts/security/package-supply-chain-owner-policy-guard.py",
|
||
"result": "SECURITY_MIRROR_PROGRESS_GUARD_OK; SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK; IWOOOS_CONFIG_CONTROL_GUARD_OK; IWOOOS_OWNER_GATE_GUARD_OK; PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK",
|
||
"validated_steps": [
|
||
"LOAD_CONTRACT_INDEXES",
|
||
"CHECK_ACCEPTANCE_AND_QUARANTINE",
|
||
"CHECK_PROGRESS_GUARD",
|
||
"CHECK_OWNER_RESPONSE_GUARD",
|
||
"CHECK_OWNER_GATE_GUARD",
|
||
"CHECK_CONFIG_CONTROL_GUARD",
|
||
"CHECK_PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD",
|
||
"CONFIRM_NO_RUNTIME_ACTION"
|
||
],
|
||
"runtime_actions_executed": false,
|
||
"payloads_ingested": false,
|
||
"production_ingestion_enabled": false,
|
||
"not_authorization": true
|
||
},
|
||
"forbidden_actions": [
|
||
"start_kali_scan",
|
||
"call_kali_execute_endpoint",
|
||
"run_credentialed_scan",
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"sync_git_refs",
|
||
"switch_github_primary",
|
||
"auto_merge",
|
||
"production_deploy",
|
||
"store_secret_token_cookie_private_key_or_exploit_payload"
|
||
]
|
||
}
|