diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index ec04dc723..106ba2fe3 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -3792,6 +3792,35 @@ } } }, + "runs": { + "securityRunStateCandidate": { + "title": "IwoooS Run State Read-only Candidate", + "subtitle": "Run Monitor only shows how the security mirror can be understood from the AwoooP Run view. This is not run_created and does not connect an execution router.", + "badge": "Run State candidate", + "runRefsTitle": "Read-only run refs", + "boundaryLabel": "Run Boundary", + "boundaryTitle": "No security Run is executable here", + "boundaryDetail": "This panel does not create a platform run, connect an execution router, call GitHub / Gitea / Kali, or add scan, execute, repair, deploy, primary switch, or refs actions.", + "openIwooos": "Open IwoooS", + "metrics": { + "visibility": "Run visibility", + "visibilityValue": "read-only", + "visibilityDetail": "Projects the security mirror into Run Monitor language only. It does not create a real runtime run.", + "runtimeRuns": "Security runs", + "runtimeRunsDetail": "Currently 0. S2.58 is display-candidate only and does not create a run record.", + "activeGates": "Active runtime gates", + "activeGatesDetail": "Still 0. Runtime gates need separate approval, rollback, and post-check evidence.", + "ownerResponse": "Owner accepted", + "ownerResponseDetail": "S4.9-S4.12 owner response accepted remains 0. Run display is not completed intake." + }, + "runRefs": { + "mirrorRunState": "AwoooP Run Monitor can understand the security mirror, but only as a read-only candidate.", + "readOnlyDryRun": "If future dry-run evidence appears, it must still preserve read-only and human-gate semantics.", + "ownerResponse": "Owner response received / accepted remain 0, so any further Run movement waits for human intake.", + "activeGates": "Active runtime gates remain 0. Do not open gates or create action buttons from Run Monitor." + } + } + }, "contracts": { "securityContractCandidate": { "title": "IwoooS Security Contract Read-only Candidate", diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index 5d6738df7..e00a880de 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -3793,6 +3793,35 @@ } } }, + "runs": { + "securityRunStateCandidate": { + "title": "IwoooS Run State 只讀候選", + "subtitle": "Run 監控只顯示 security mirror 可以被 AwoooP Run 視角理解;這不是 run created,也不會接 execution router。", + "badge": "Run State 候選", + "runRefsTitle": "只讀 run refs", + "boundaryLabel": "Run 邊界", + "boundaryTitle": "目前沒有資安 Run 可執行", + "boundaryDetail": "這個面板不建立 platform run、不接 execution router、不呼叫 GitHub / Gitea / Kali,也不新增 scan、execute、repair、deploy、primary switch 或 refs action。", + "openIwooos": "開啟 IwoooS", + "metrics": { + "visibility": "Run visibility", + "visibilityValue": "read-only", + "visibilityDetail": "只把 security mirror 投影到 Run 監控語境,不建立真正 runtime run。", + "runtimeRuns": "Security runs", + "runtimeRunsDetail": "目前為 0;S2.58 只做顯示候選,不建立 run record。", + "activeGates": "Active runtime gates", + "activeGatesDetail": "仍為 0;runtime gate 需獨立批准、rollback 與 post-check evidence。", + "ownerResponse": "Owner accepted", + "ownerResponseDetail": "S4.9-S4.12 owner response accepted 仍為 0,Run 顯示不等於收件完成。" + }, + "runRefs": { + "mirrorRunState": "AwoooP Run 監控可以理解 security mirror,但只能當 read-only candidate。", + "readOnlyDryRun": "若未來產生 dry-run evidence,也必須維持 read-only 與 human gate 語義。", + "ownerResponse": "owner response received / accepted 仍為 0,任何 Run 進一步行動都要等待人工收件。", + "activeGates": "active runtime gates 仍為 0,不從 Run 監控頁開 gate 或建立 action button。" + } + } + }, "contracts": { "securityContractCandidate": { "title": "IwoooS 資安契約只讀候選", diff --git a/apps/web/src/app/[locale]/awooop/runs/page.tsx b/apps/web/src/app/[locale]/awooop/runs/page.tsx index 35795d67d..5dc81a6da 100644 --- a/apps/web/src/app/[locale]/awooop/runs/page.tsx +++ b/apps/web/src/app/[locale]/awooop/runs/page.tsx @@ -10,6 +10,7 @@ import { useTranslations } from "next-intl"; import { Link } from "@/i18n/routing"; import { Activity, + ArrowRight, BellOff, RefreshCw, AlertCircle, @@ -556,6 +557,152 @@ function GroupedAlertEventsPanel({ events }: { events: PlatformEvent[] }) { ); } +function SecurityRunStateCandidatePanel() { + const t = useTranslations("awooop.runs.securityRunStateCandidate"); + const metrics = [ + { + label: t("metrics.visibility"), + value: t("metrics.visibilityValue"), + detail: t("metrics.visibilityDetail"), + }, + { + label: t("metrics.runtimeRuns"), + value: "0", + detail: t("metrics.runtimeRunsDetail"), + }, + { + label: t("metrics.activeGates"), + value: "0", + detail: t("metrics.activeGatesDetail"), + }, + { + label: t("metrics.ownerResponse"), + value: "0", + detail: t("metrics.ownerResponseDetail"), + }, + ]; + const runRefs = [ + { + name: "security_mirror_run_state_candidate", + detail: t("runRefs.mirrorRunState"), + }, + { + name: "read_only_dry_run_only", + detail: t("runRefs.readOnlyDryRun"), + }, + { + name: "S4.9-S4.12 owner response waiting", + detail: t("runRefs.ownerResponse"), + }, + { + name: "active runtime gates 0", + detail: t("runRefs.activeGates"), + }, + ]; + + return ( +
+
+
+

{t("title")}

+ + {t("badge")} + +
+
+
+

view

+

read

+
+
+

runs

+

0

+
+
+

gates

+

0

+
+
+

owner

+

0

+
+
+
+

{t("boundaryTitle")}

+

4 gates = false

+ + IwoooS +
+
+ +
+
+
+
+ + {t("badge")} + +
+ +
+ {metrics.map((item) => ( +
+

{item.label}

+

{item.value}

+

{item.detail}

+
+ ))} +
+ +
+
+
+ {t("runRefsTitle")} +
+
+ {runRefs.map((item) => ( +
+

{item.name}

+

{item.detail}

+
+ ))} +
+
+ +
+

{t("boundaryLabel")}

+

{t("boundaryTitle")}

+

{t("boundaryDetail")}

+
+ security_run_created=false + execution_router_linked=false + runtime_execution_authorized=false + action_buttons_allowed=false +
+ + {t("openIwooos")} +
+
+
+
+ ); +} + // ============================================================================= // Main Component // ============================================================================= @@ -795,6 +942,8 @@ export default function RunsPage() { })} + + {/* Filters */} diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 48887791d..16735ced3 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,17 @@ +## 2026-05-20 | 資安供應鏈 S2.58:AwoooP Runs IwoooS Run State Candidate + +**背景**:S2.53-S2.57 已把 IwoooS 資安鏡像接到 AwoooP 首頁、工作鏈路、審批、合約與租戶管理;本輪補上 `/awooop/runs` 的只讀 Run 視角,讓使用者能在 Run 監控理解 security mirror 目前仍只是候選狀態,不是已建立 runtime run。 + +**完成**: +- `/awooop/runs` 新增「IwoooS Run State 只讀候選」面板,顯示 `security_mirror_run_state_candidate`、`read_only_dry_run_only`、S4.9-S4.12 owner response waiting 與 active runtime gates 0。 +- 面板顯示 run visibility=read-only、security runs=0、active runtime gates=0、owner accepted=0,並以 `/iwooos` 作為只讀入口。 +- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_58_awooop_runs_iwooos_run_state_candidate`,並新增 `show_awooop_runs_iwooos_run_state_candidate` next safe action。 +- `security-mirror-progress-guard.py` 開始驗證 AwoooP runs 面板、IwoooS link、四個 run refs、四個 false 邊界與 i18n 鍵。 + +**仍禁止**: +- AwoooP runs 的 S2.58 面板不代表 platform run created、execution router linked、runtime gate、execution queue、action button、Kali `/execute`、SSH 登入、主機更新、GitHub primary、Gitea/GitHub refs mutation 或 blocking control。 +- 整體資安網 headline 仍是 58%;框架 / 治理 / 文件 / schema / read-only evidence 仍約 80-85%;真正落地執行 / runtime ingestion / GitHub primary / AwoooP production landing 仍約 35-40%。 + ## 2026-05-20 | 資安供應鏈 S2.57:AwoooP Tenants IwoooS Tenant Scope Candidate **背景**:S2.53-S2.56 已把 IwoooS 資安鏡像接到 AwoooP 首頁、工作鏈路、審批佇列與合約儀表板;本輪把同一個只讀範圍放進 `/awooop/tenants`,讓使用者在租戶管理也能理解 AWOOOI 第一租戶、IwoooS 與三台指定主機的資安視野,但不把它變成租戶設定或 policy mutation。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index c2e718d0e..e80af894b 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -39,6 +39,7 @@ | AwoooP approvals IwoooS owner response focus | S2.55 已把 S4.9-S4.12 owner response 下一個人工收件焦點放進 `/awooop/approvals` 只讀面板;received=0、accepted=0、active runtime gates=0、headline=58%、approval_record_created=false;仍不新增 approve、execute、deploy、primary switch、refs action 或 runtime gate | | AwoooP contracts IwoooS security contract candidate | S2.56 已把四個 security mirror contract refs 放進 `/awooop/contracts` 只讀面板;total contracts=36、ready=33、partial=2、active runtime gates=0、contract_publish_authorized=false;仍不發布 contract revision、不改 lifecycle、不寫 platform contracts API、不新增 action button | | AwoooP tenants IwoooS tenant scope candidate | S2.57 已把 AWOOOI first tenant、IwoooS security mirror、Kali 112 / Dev 168 / Dev 111 與 S4.9-S4.12 owner response waiting 放進 `/awooop/tenants` 只讀面板;host coverage=3、tenant policy changes=0、tenant_migration_mode_changed=false;仍不改 migration mode、不改 tenant policy、不寫 platform tenants API、不新增 action button | +| AwoooP runs IwoooS run state candidate | S2.58 已把 security mirror Run State 候選放進 `/awooop/runs` 只讀面板;security runs=0、active runtime gates=0、owner accepted=0、security_run_created=false、execution_router_linked=false;仍不建立 platform run、不接 execution router、不新增 action button | | Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion | | Runtime actions | `false` | | Payload ingestion | `false` | @@ -144,6 +145,7 @@ | S2.55 AwoooP approvals IwoooS owner response gate candidate | framework detail | 0 | 只把 S4.9-S4.12 owner response 下一個人工收件焦點放進 AwoooP 審批視野;approval_record_created=false、owner_response_accepted_count=0、runtime_execution_authorized=false、action_buttons_allowed=false,不把面板當 approval record、runtime gate、execution router 或 action button | | S2.56 AwoooP contracts IwoooS security contract candidate | framework detail | 0 | 只把四個 security mirror contract refs 放進 AwoooP 合約儀表板只讀視野;contract_publish_authorized=false、contract_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把面板當 contract publish、lifecycle mutation、runtime gate、execution router 或 action button | | S2.57 AwoooP tenants IwoooS tenant scope candidate | framework detail | 0 | 只把 AWOOOI first tenant、IwoooS security mirror、host coverage=3 與 owner response waiting 放進 AwoooP 租戶管理只讀視野;tenant_migration_mode_changed=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把面板當 migration mode change、tenant policy mutation、runtime gate、execution router 或 action button | +| S2.58 AwoooP runs IwoooS run state candidate | framework detail | 0 | 只把 security mirror Run State、read-only dry-run-only、owner response waiting 與 active runtime gates 0 放進 AwoooP Run 監控只讀視野;security_run_created=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把面板當 platform run、execution router、runtime gate、execution queue 或 action button | headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence: diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 89ee49033..41bb32b0b 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -5,7 +5,7 @@ | 日期 | 2026-05-17 | | 狀態 | S0/S1 read-only evidence 建置中 | | 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 | -| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 | +| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP Run 監控 IwoooS Run State 只讀候選 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 @@ -28,7 +28,7 @@ python3 scripts/security/security-mirror-progress-guard.py ### 0.2 Headline 58% 不代表停滯 -近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.57 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 +近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.58 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner response accepted、redacted payload ingestion、active runtime gate、GitHub primary ready、AwoooP read-only landing。這五個 gate 目前仍全部是 0 / false,所以 headline 不應被灌水提高。 @@ -120,6 +120,7 @@ S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner respons | S2.55 AwoooP approvals IwoooS owner response gate candidate | 已完成草案,將 S4.9-S4.12 owner response 下一個人工收件焦點放進 AwoooP 審批佇列的只讀面板;approval_record_created=false、runtime gate 仍為 0 | 0 | | S2.56 AwoooP contracts IwoooS security contract candidate | 已完成草案,將四個 security mirror contract refs 放進 AwoooP 合約儀表板只讀面板;contract_publish_authorized=false、runtime gate 仍為 0 | 0 | | S2.57 AwoooP tenants IwoooS tenant scope candidate | 已完成草案,將 AWOOOI first tenant、IwoooS security mirror、host coverage=3 與 owner response waiting 放進 AwoooP 租戶管理只讀面板;tenant_migration_mode_changed=false、tenant policy changes 仍為 0 | 0 | +| S2.58 AwoooP runs IwoooS run state candidate | 已完成草案,將 security mirror Run State、read-only dry-run-only、owner response waiting 與 active runtime gates 0 放進 AwoooP Run 監控只讀面板;security_run_created=false、execution_router_linked=false | 0 | headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。 @@ -196,6 +197,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S2.55 AwoooP Approvals IwoooS Owner Response Gate Candidate | 完成草案 | `/awooop/approvals` 新增 IwoooS owner response 只讀審查焦點,顯示 S4.9-S4.12 收件順序、received=0、accepted=0、active runtime gates=0、headline=58%,並連到 `/iwooos` | 使用者能在審批佇列理解下一個人工收件焦點;面板仍不是 approval record、runtime gate、execution router、action button 或 headline 加分 | | S2.56 AwoooP Contracts IwoooS Security Contract Candidate | 完成草案 | `/awooop/contracts` 新增 IwoooS 資安契約只讀候選,顯示四個 security mirror contract refs、36 total、33 ready、2 partial、active runtime gates=0,並連到 `/iwooos` | 使用者能在合約儀表板理解資安網背後的契約來源;面板仍不是 contract publish、lifecycle mutation、runtime gate、execution router、action button 或 headline 加分 | | S2.57 AwoooP Tenants IwoooS Tenant Scope Candidate | 完成草案 | `/awooop/tenants` 新增 IwoooS 租戶資安範圍只讀候選,顯示 AWOOOI 第一租戶、IwoooS、host coverage=3、tenant policy changes=0,並連到 `/iwooos` | 使用者能在租戶管理理解資安網保護範圍;面板仍不是 migration mode change、tenant policy mutation、runtime gate、execution router、action button 或 headline 加分 | +| S2.58 AwoooP Runs IwoooS Run State Candidate | 完成草案 | `/awooop/runs` 新增 IwoooS Run State 只讀候選,顯示 run visibility=read-only、security runs=0、active runtime gates=0、owner accepted=0,並連到 `/iwooos` | 使用者能在 Run 監控理解資安網仍是只讀候選;面板仍不是 platform run created、execution router linked、runtime gate、execution queue、action button 或 headline 加分 | | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate | | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item | | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 | diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index 0ce21e1ec..5d6d793b3 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -1154,6 +1154,18 @@ "runtime_delta": false, "execution_authorized": false, "not_authorization": true + }, + { + "delta_id": "s2_58_awooop_runs_iwooos_run_state_candidate", + "display_order": 87, + "completed_stage": "S2.58 AwoooP runs IwoooS run state candidate", + "progress_axis": "framework_detail", + "headline_percent_delta": 0, + "framework_delta_visible": true, + "why_headline_unchanged": "AwoooP runs IwoooS run state candidate 只把 security mirror 投影到 Run 監控只讀語境;security_run_created=false,execution_router_linked=false,runtime gate 仍未啟用。", + "runtime_delta": false, + "execution_authorized": false, + "not_authorization": true } ], "next_safe_actions": [ @@ -1270,6 +1282,22 @@ "從 AwoooP tenants 面板建立 runtime gate、GitHub/Gitea action、Kali action、secret action 或 refs action" ] }, + { + "action_id": "show_awooop_runs_iwooos_run_state_candidate", + "title": "AwoooP Run 監控顯示 IwoooS Run State 候選", + "mode": "observe", + "source_contract": "security_mirror_status_rollup_v1", + "allowed_processing": [ + "在 /awooop/runs 顯示 security mirror 的 Run State 只讀候選", + "顯示 security runs=0、active runtime gates=0、owner accepted=0", + "連到 /iwooos 只讀入口,不建立 platform run、不接 execution router、不新增 scan、execute、repair、deploy、primary switch、refs action 或 runtime gate" + ], + "blocked_processing": [ + "把 AwoooP runs 面板當成 security_run_created", + "從 AwoooP runs 面板接 execution router 或建立 platform run", + "從 AwoooP runs 面板建立 runtime gate、GitHub/Gitea action、Kali action、secret action 或 refs action" + ] + }, { "action_id": "mirror_low_friction_non_blocking_lanes", "title": "AwoooP 顯示低摩擦非阻擋升級分流", @@ -1640,7 +1668,8 @@ "S2.54 新增 AwoooP work-items IwoooS security mirror candidate;AwoooP 工作鏈路以觀察期只讀工作項顯示 S2.54、IwoooS / security mirror、headline 58%、framework 80-85%、runtime 35-40%、active runtime gates 0 與 owner response waiting;production_landing_enabled=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把工作項當 production landing、runtime gate、execution router 或 action button。", "S2.55 新增 AwoooP approvals IwoooS owner response gate candidate;AwoooP 審批佇列以只讀焦點顯示 S4.9-S4.12 owner response 收件順序、received=0、accepted=0、active runtime gates=0、headline=58%;approval_record_created=false、owner_response_accepted_count=0、runtime_execution_authorized=false、action_buttons_allowed=false,不把 approvals 面板當 owner response received/accepted、approval record、runtime gate、execution router 或 action button。", "S2.56 新增 AwoooP contracts IwoooS security contract candidate;AwoooP 合約儀表板以只讀候選顯示 security_mirror_status_rollup_v1、iwooos_posture_projection_v1、source_control_owner_response_validation_rollup_v1、security_rollout_policy_v1、total contracts=36、ready=33、partial=2、active runtime gates=0;contract_publish_authorized=false、contract_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 contracts 面板當 contract publish、lifecycle mutation、runtime gate、execution router 或 action button。", - "S2.57 新增 AwoooP tenants IwoooS tenant scope candidate;AwoooP 租戶管理以只讀候選顯示 AWOOOI first tenant、IwoooS security mirror、Kali 112 / Dev 168 / Dev 111、S4.9-S4.12 owner response waiting、host coverage=3、tenant policy changes=0;tenant_migration_mode_changed=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 tenants 面板當 tenant migration、policy mutation、runtime gate、execution router 或 action button。" + "S2.57 新增 AwoooP tenants IwoooS tenant scope candidate;AwoooP 租戶管理以只讀候選顯示 AWOOOI first tenant、IwoooS security mirror、Kali 112 / Dev 168 / Dev 111、S4.9-S4.12 owner response waiting、host coverage=3、tenant policy changes=0;tenant_migration_mode_changed=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 tenants 面板當 tenant migration、policy mutation、runtime gate、execution router 或 action button。", + "S2.58 新增 AwoooP runs IwoooS run state candidate;AwoooP Run 監控以只讀候選顯示 security_mirror_run_state_candidate、read_only_dry_run_only、S4.9-S4.12 owner response waiting、active runtime gates 0、security runs=0、owner accepted=0;security_run_created=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 runs 面板當 platform run、execution router、runtime gate、execution queue 或 action button。" ], "forbidden_actions": [ "start_kali_scan", diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 09658559c..a34651b4a 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -64,6 +64,9 @@ def validate(root: Path) -> None: awooop_tenants_page = ( root / "apps" / "web" / "src" / "app" / "[locale]" / "awooop" / "tenants" / "page.tsx" ).read_text(encoding="utf-8") + awooop_runs_page = ( + root / "apps" / "web" / "src" / "app" / "[locale]" / "awooop" / "runs" / "page.tsx" + ).read_text(encoding="utf-8") awooop_approvals_page = ( root / "apps" / "web" / "src" / "app" / "[locale]" / "awooop" / "approvals" / "page.tsx" ).read_text(encoding="utf-8") @@ -231,6 +234,7 @@ def validate(root: Path) -> None: "s2_55_awooop_approvals_iwooos_owner_response_gate_candidate", "s2_56_awooop_contracts_iwooos_security_contract_candidate", "s2_57_awooop_tenants_iwooos_tenant_scope_candidate", + "s2_58_awooop_runs_iwooos_run_state_candidate", ] assert_equal( "progress_delta_ledger.delta_ids", @@ -285,6 +289,11 @@ def validate(root: Path) -> None: [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], "show_awooop_tenants_iwooos_tenant_scope_candidate", ) + assert_contains( + "rollup.next_safe_actions.action_ids", + [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], + "show_awooop_runs_iwooos_run_state_candidate", + ) assert_equal("rollout_policy.schema_version", rollout_policy["schema_version"], "security_rollout_policy_v1") assert_equal("rollout_policy.default_mode", rollout_policy["default_mode"], "observe") @@ -4919,6 +4928,49 @@ def validate(root: Path) -> None: key, ) + assert_text_contains( + "awooop_runs_page.security_run_state_panel", + awooop_runs_page, + "SecurityRunStateCandidatePanel", + ) + assert_text_contains("awooop_runs_page.iwooos_link", awooop_runs_page, 'href="/iwooos"') + for text in [ + "security_run_created=false", + "execution_router_linked=false", + "runtime_execution_authorized=false", + "action_buttons_allowed=false", + ]: + assert_text_contains("awooop_runs_page.security_run_boundary", awooop_runs_page, text) + for text in [ + "security_mirror_run_state_candidate", + "read_only_dry_run_only", + "S4.9-S4.12 owner response waiting", + "active runtime gates 0", + ]: + assert_text_contains("awooop_runs_page.security_run_refs", awooop_runs_page, text) + for key in [ + "title", + "subtitle", + "badge", + "runRefsTitle", + "boundaryLabel", + "boundaryTitle", + "boundaryDetail", + "openIwooos", + "metrics", + "runRefs", + ]: + assert_contains( + "web_messages.zh-TW.awooop.runs.securityRunStateCandidate", + list(web_messages_zh["awooop"]["runs"]["securityRunStateCandidate"].keys()), + key, + ) + assert_contains( + "web_messages.en.awooop.runs.securityRunStateCandidate", + list(web_messages_en["awooop"]["runs"]["securityRunStateCandidate"].keys()), + key, + ) + assert_text_contains("awooop_approvals_page.security_owner_response_panel", awooop_approvals_page, "SecurityOwnerResponseGatePanel") assert_text_contains("awooop_approvals_page.iwooos_link", awooop_approvals_page, 'href="/iwooos"') for text in [