From 1e3e7a1525a52ae3a50a109cb3adf79cb56c5f87 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 20 May 2026 01:37:03 +0800 Subject: [PATCH] feat(web): add IwoooS candidate review --- apps/web/messages/en.json | 43 +++++ apps/web/messages/zh-TW.json | 43 +++++ apps/web/src/app/[locale]/iwooos/page.tsx | 69 ++++++++ docs/LOGBOOK.md | 14 ++ .../iwooos_posture_projection_v1.schema.json | 99 ++++++++++++ docs/security/IWOOOS-POSTURE-PROJECTION.md | 22 ++- .../security/SECURITY-MIRROR-STATUS-ROLLUP.md | 3 +- .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 4 +- .../iwooos-posture-projection.snapshot.json | 148 +++++++++++++++++- ...ecurity-mirror-status-rollup.snapshot.json | 13 +- .../security-mirror-progress-guard.py | 109 +++++++++++++ 11 files changed, 560 insertions(+), 7 deletions(-) diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index 15c4174a2..6a5828215 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -2059,6 +2059,49 @@ "field": "validation / runtime pointer; active gates=0" } } + }, + "hostOwnerDecisionRecordFormalCandidateReview": { + "title": "Host Owner Decision Record Formal Candidate Review Checklist", + "subtitle": "Formal candidate packets can still only enter read-only review before any later human record step. This does not mark review passed, create decision records, mark accepted, create approval records, or open runtime gates.", + "checkLabel": "Candidate review", + "guardLabel": "Still locked", + "items": { + "identityTraceable": { + "title": "Record identity traceable", + "body": "Confirm candidate record id, version, owner, review scope, and trace source are readable while no formal record is created.", + "guard": "record created=false" + }, + "decisionSummaryReadable": { + "title": "Decision summary readable", + "body": "Confirm decision summary, risk acceptance boundary, and no-execution statement are readable while still not meaning decision accepted.", + "guard": "accepted=0" + }, + "scopeExpiryConsistent": { + "title": "Scope and expiry consistent", + "body": "Confirm host, network, service, exclusion, observation intent, and expiry are consistent while remaining candidate fields only.", + "guard": "finalized=0" + }, + "scanLimitsStillNotAuthorization": { + "title": "Scan limits still not authorization", + "body": "Confirm observe-only, future active scan, and credentialed scan limits cannot be mistaken for active scan or credentialed scan authorization.", + "guard": "scan authorized=false" + }, + "credentialBoundaryStillMetadataOnly": { + "title": "Credential boundary still metadata-only", + "body": "Confirm credential boundary only keeps metadata, owner, retention, masking, and forbidden collection content.", + "guard": "secret collection=false" + }, + "maintenanceRollbackTraceable": { + "title": "Maintenance and rollback traceable", + "body": "Confirm maintenance window, constraints, rollback owner, recovery path, and human contact remain traceable.", + "guard": "host update=false" + }, + "runtimeGateStillClosed": { + "title": "Runtime gate still closed", + "body": "Confirm validation evidence and runtime gate pointer still only point to a separate follow-up gate and candidate review does not open gates.", + "guard": "active runtime gates=0; action buttons=false" + } + } } }, "tickets": { diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index c5e021f62..4d916e4b4 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -2060,6 +2060,49 @@ "field": "validation / runtime pointer;active gates=0" } } + }, + "hostOwnerDecisionRecordFormalCandidateReview": { + "title": "主機 Owner Decision Record Formal Candidate Review Checklist", + "subtitle": "Formal candidate packets 進入後續人工紀錄前仍只能做只讀核對。這裡不標記 review passed、不建立 decision record、不標記 accepted、不建立 approval record、不開 runtime gate。", + "checkLabel": "Candidate review", + "guardLabel": "仍鎖住", + "items": { + "identityTraceable": { + "title": "Record identity traceable", + "body": "確認 candidate record id、版本、owner、review scope 與 trace source 可讀,且沒有建立正式紀錄。", + "guard": "record created=false" + }, + "decisionSummaryReadable": { + "title": "Decision summary readable", + "body": "確認 decision summary、風險接受邊界與不執行聲明可讀,但仍不代表 decision accepted。", + "guard": "accepted=0" + }, + "scopeExpiryConsistent": { + "title": "Scope and expiry consistent", + "body": "確認 host、network、service、exclusion、觀察目的與到期時間一致,仍只作為候選欄位。", + "guard": "finalized=0" + }, + "scanLimitsStillNotAuthorization": { + "title": "Scan limits still not authorization", + "body": "確認 observe-only、future active scan 與 credentialed scan limits 沒有被誤讀成 active scan 或 credentialed scan 授權。", + "guard": "scan authorized=false" + }, + "credentialBoundaryStillMetadataOnly": { + "title": "Credential boundary still metadata-only", + "body": "確認 credential boundary 只保留 metadata、owner、retention、masking 與不可收集內容。", + "guard": "secret collection=false" + }, + "maintenanceRollbackTraceable": { + "title": "Maintenance and rollback traceable", + "body": "確認維護窗口、限制條件、rollback owner、復原路徑與人工聯絡點可追。", + "guard": "host update=false" + }, + "runtimeGateStillClosed": { + "title": "Runtime gate still closed", + "body": "確認 validation evidence 與 runtime gate pointer 仍只指向獨立 follow-up gate,candidate review 不會開 gate。", + "guard": "active runtime gates=0;action buttons=false" + } + } } }, "tickets": { diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx index 3865633bc..5a98051aa 100644 --- a/apps/web/src/app/[locale]/iwooos/page.tsx +++ b/apps/web/src/app/[locale]/iwooos/page.tsx @@ -208,6 +208,13 @@ type HostOwnerDecisionRecordFormalCandidatePacket = { tone: 'steady' | 'warn' | 'locked' } +type HostOwnerDecisionRecordFormalCandidateReviewItem = { + key: string + check: string + icon: typeof ShieldCheck + tone: 'steady' | 'warn' | 'locked' +} + const postureMetrics: PostureMetric[] = [ { key: 'overall', value: '58%', tone: 'warn' }, { key: 'framework', value: '80-85%', tone: 'steady' }, @@ -489,6 +496,16 @@ const hostOwnerDecisionRecordFormalCandidatePackets: HostOwnerDecisionRecordForm { key: 'validationRuntimeGateCandidate', packet: 'FC7', icon: ShieldCheck, tone: 'locked' }, ] +const hostOwnerDecisionRecordFormalCandidateReviewItems: HostOwnerDecisionRecordFormalCandidateReviewItem[] = [ + { key: 'identityTraceable', check: 'FR1', icon: FileText, tone: 'warn' }, + { key: 'decisionSummaryReadable', check: 'FR2', icon: ClipboardCheck, tone: 'warn' }, + { key: 'scopeExpiryConsistent', check: 'FR3', icon: Radar, tone: 'warn' }, + { key: 'scanLimitsStillNotAuthorization', check: 'FR4', icon: Activity, tone: 'locked' }, + { key: 'credentialBoundaryStillMetadataOnly', check: 'FR5', icon: Lock, tone: 'locked' }, + { key: 'maintenanceRollbackTraceable', check: 'FR6', icon: Clock3, tone: 'warn' }, + { key: 'runtimeGateStillClosed', check: 'FR7', icon: ShieldCheck, tone: 'locked' }, +] + const evidenceItems = [ 'iwooos-posture-projection.snapshot.json', 'security-rollout-policy.snapshot.json', @@ -1279,6 +1296,38 @@ function HostOwnerDecisionRecordFormalCandidateCard({ ) } +function HostOwnerDecisionRecordFormalCandidateReviewCard({ + item, +}: { + item: HostOwnerDecisionRecordFormalCandidateReviewItem +}) { + const t = useTranslations('iwooos.hostOwnerDecisionRecordFormalCandidateReview') + const Icon = item.icon + return ( +
+
+
+ + {t('checkLabel')} +
+ {item.check} +
+

+ {t(`items.${item.key}.title` as never)} +

+

+ {t(`items.${item.key}.body` as never)} +

+
+
{t('guardLabel')}
+
+ {t(`items.${item.key}.guard` as never)} +
+
+
+ ) +} + export default function IwoooSPage({ params }: { params: { locale: string } }) { const t = useTranslations('iwooos') @@ -1731,6 +1780,26 @@ export default function IwoooSPage({ params }: { params: { locale: string } }) { +
+
+

{t('hostOwnerDecisionRecordFormalCandidateReview.title')}

+

+ {t('hostOwnerDecisionRecordFormalCandidateReview.subtitle')} +

+
+
+ {hostOwnerDecisionRecordFormalCandidateReviewItems.map(item => ( + + ))} +
+
+
None: "s2_30_iwooos_host_owner_decision_record_writeup_review_checklist", "s2_31_iwooos_host_owner_decision_record_writeup_review_outcome_lanes", "s2_32_iwooos_host_owner_decision_record_formal_candidate_packets", + "s2_33_iwooos_host_owner_decision_record_formal_candidate_review_checklist", ] assert_equal( "progress_delta_ledger.delta_ids", @@ -518,6 +519,15 @@ def validate(root: Path) -> None: "host_decision_record_formal_candidate_maintenance_rollback_packet", "host_decision_record_formal_candidate_validation_runtime_gate_packet", ] + expected_iwooos_host_owner_decision_record_formal_candidate_review_checklist_item_ids = [ + "host_decision_record_formal_candidate_identity_review_check", + "host_decision_record_formal_candidate_summary_review_check", + "host_decision_record_formal_candidate_scope_review_check", + "host_decision_record_formal_candidate_scan_limits_review_check", + "host_decision_record_formal_candidate_credential_boundary_review_check", + "host_decision_record_formal_candidate_maintenance_rollback_review_check", + "host_decision_record_formal_candidate_runtime_gate_review_check", + ] assert_equal( "iwooos_projection.summary.frontend_surface_coverage_group_count", iwooos_projection["summary"]["frontend_surface_coverage_group_count"], @@ -633,6 +643,11 @@ def validate(root: Path) -> None: iwooos_projection["summary"]["host_owner_decision_record_formal_candidate_packet_count"], len(expected_iwooos_host_owner_decision_record_formal_candidate_packet_ids), ) + assert_equal( + "iwooos_projection.summary.host_owner_decision_record_formal_candidate_review_checklist_item_count", + iwooos_projection["summary"]["host_owner_decision_record_formal_candidate_review_checklist_item_count"], + len(expected_iwooos_host_owner_decision_record_formal_candidate_review_checklist_item_ids), + ) iwooos_progress = iwooos_projection["progress"] assert_equal("iwooos_projection.progress.overall_percent", iwooos_progress["overall_percent"], progress["overall_percent"]) assert_equal( @@ -2147,6 +2162,94 @@ def validate(root: Path) -> None: f"iwooos_projection.host_owner_decision_record_formal_candidate_packets.{item['packet_id']}.not_authorization", item["not_authorization"], ) + iwooos_host_owner_decision_record_formal_candidate_review_checklist_items = iwooos_projection[ + "host_owner_decision_record_formal_candidate_review_checklist_items" + ] + assert_equal( + "iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.ids", + [item["check_id"] for item in iwooos_host_owner_decision_record_formal_candidate_review_checklist_items], + expected_iwooos_host_owner_decision_record_formal_candidate_review_checklist_item_ids, + ) + assert_equal( + "iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.display_order", + [item["display_order"] for item in iwooos_host_owner_decision_record_formal_candidate_review_checklist_items], + list(range(1, len(expected_iwooos_host_owner_decision_record_formal_candidate_review_checklist_item_ids) + 1)), + ) + expected_iwooos_host_owner_decision_record_formal_candidate_review_conditions = [ + "record_identity_version_owner_scope_and_trace_source_readable", + "decision_summary_risk_acceptance_and_no_execution_statement_readable", + "scope_exclusion_observation_intent_and_expiry_consistent", + "scan_limits_explicit_and_not_authorization", + "credential_boundary_metadata_only_masked_and_no_secret_collection", + "maintenance_window_constraints_rollback_and_human_contact_traceable", + "validation_evidence_linked_and_runtime_gate_separate_closed", + ] + assert_equal( + "iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.review_conditions", + [ + item["review_condition"] + for item in iwooos_host_owner_decision_record_formal_candidate_review_checklist_items + ], + expected_iwooos_host_owner_decision_record_formal_candidate_review_conditions, + ) + for item in iwooos_host_owner_decision_record_formal_candidate_review_checklist_items: + assert_equal( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.display_mode", + item["display_mode"], + "owner_decision_record_formal_candidate_review_checklist_only", + ) + assert_equal( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.formal_record_candidate_review_passed_count", + item["formal_record_candidate_review_passed_count"], + 0, + ) + assert_equal( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.formal_record_candidate_finalized_count", + item["formal_record_candidate_finalized_count"], + 0, + ) + assert_false( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.decision_record_created", + item["decision_record_created"], + ) + assert_equal( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.owner_decision_received_count", + item["owner_decision_received_count"], + 0, + ) + assert_equal( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.owner_decision_accepted_count", + item["owner_decision_accepted_count"], + 0, + ) + assert_false( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.owner_approval_record_created", + item["owner_approval_record_created"], + ) + assert_false( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.runtime_gate_opened", + item["runtime_gate_opened"], + ) + assert_false( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.raw_payload_allowed", + item["raw_payload_allowed"], + ) + assert_false( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.secret_value_collection_allowed", + item["secret_value_collection_allowed"], + ) + assert_false( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.runtime_execution_authorized", + item["runtime_execution_authorized"], + ) + assert_false( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.action_buttons_allowed", + item["action_buttons_allowed"], + ) + assert_true( + f"iwooos_projection.host_owner_decision_record_formal_candidate_review_checklist_items.{item['check_id']}.not_authorization", + item["not_authorization"], + ) assert_equal( "iwooos_projection.non_blocking_lane_ids", iwooos_projection["non_blocking_lane_ids"], @@ -2188,6 +2291,7 @@ def validate(root: Path) -> None: "display_host_owner_decision_record_writeup_review_checklist", "display_host_owner_decision_record_writeup_review_outcome_lanes", "display_host_owner_decision_record_formal_candidate_packets", + "display_host_owner_decision_record_formal_candidate_review_checklist", "display_evidence_refs", "display_forbidden_actions", ]: @@ -2268,6 +2372,11 @@ def validate(root: Path) -> None: "create_host_owner_decision_record_from_formal_candidate", "accept_host_owner_decision_record_from_formal_candidate", "open_runtime_gate_from_owner_decision_record_formal_candidate", + "treat_host_owner_decision_record_formal_candidate_review_as_approval", + "mark_host_owner_decision_record_formal_candidate_review_passed", + "mark_host_owner_decision_record_formal_candidate_review_finalized", + "create_host_owner_decision_record_from_formal_candidate_review", + "open_runtime_gate_from_owner_decision_record_formal_candidate_review", "apply_runtime_blocking_control", "switch_github_primary", "production_deploy",