From 6e1dbfe964c721bf7f241df4b4286cb36a7b1940 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 21 May 2026 10:21:08 +0800 Subject: [PATCH] feat(web): show GitHub readiness in AwoooP runs --- apps/web/messages/en.json | 38 ++++ apps/web/messages/zh-TW.json | 38 ++++ .../web/src/app/[locale]/awooop/runs/page.tsx | 167 ++++++++++++++++++ docs/LOGBOOK.md | 14 ++ .../security/SECURITY-MIRROR-STATUS-ROLLUP.md | 2 + .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 6 +- ...ecurity-mirror-status-rollup.snapshot.json | 31 +++- .../security-mirror-progress-guard.py | 62 +++++++ 8 files changed, 355 insertions(+), 3 deletions(-) diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index 05a291cfa..c90d47a2d 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -4018,6 +4018,44 @@ "ownerResponse": "Owner response received / accepted remain 0, so any further Run movement waits for human intake.", "activeGates": "Active runtime gates remain 0. Do not open gates or create action buttons from Run Monitor." } + }, + "githubRunReadinessBoundary": { + "title": "GitHub Primary Readiness Run Boundary", + "subtitle": "Run Monitor mirrors that GitHub primary readiness still cannot create a security run. This is not platform run, execution router, repo creation, or primary switch authorization.", + "badge": "Run boundary", + "openIwooos": "Open IwoooS", + "runRefsTitle": "GitHub Readiness Run Refs", + "boundaryLabel": "GitHub / Run Boundary", + "boundaryTitle": "No GitHub primary run is executable", + "boundaryDetail": "This panel only projects source-control readiness into Run Monitor language. It does not create platform runs, connect an execution router, create GitHub repos, mutate refs, change workflows / secrets, collect secret values, switch primary, or disable Gitea.", + "metrics": { + "candidateRepos": { + "label": "Candidate Repos", + "detail": "8 candidate repos are readiness visibility only and do not create GitHub repo creation runs." + }, + "inScopeRepos": { + "label": "In-scope Repos", + "detail": "7 repos still wait for owner response. Run Monitor must not open tasks for them." + }, + "securityRuns": { + "label": "GitHub Security Runs", + "detail": "Currently 0. Readiness visibility is not platform run creation." + }, + "ownerResponses": { + "label": "Owner Responses", + "detail": "22 response templates remain 0 received / 0 accepted." + }, + "workflowInventory": { + "label": "Workflow Inventory", + "detail": "Workflow / secret name inventory is still incomplete for 7 repos." + } + }, + "runRefs": { + "primaryReadiness": "The primary readiness gate still reports ready=0 and cannot become a GitHub primary run.", + "ownerValidation": "The owner response validation rollup is still 0/22 and must not be autofilled as accepted by Run Monitor.", + "workflowInventory": "Workflow / secret name inventory only collects names and routing. It does not collect secret values or modify GitHub secrets.", + "rollbackAdr": "The rollback ADR has no owner-approved dry-run, so no primary switch run can start." + } } }, "contracts": { diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index c5db62572..d18f55839 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -4019,6 +4019,44 @@ "ownerResponse": "owner response received / accepted 仍為 0,任何 Run 進一步行動都要等待人工收件。", "activeGates": "active runtime gates 仍為 0,不從 Run 監控頁開 gate 或建立 action button。" } + }, + "githubRunReadinessBoundary": { + "title": "GitHub Primary Readiness Run 邊界", + "subtitle": "Run 監控同步顯示 GitHub primary readiness 仍不可產生 security run;這不是 platform run、execution router、repo 建立或 primary 切換授權。", + "badge": "Run 邊界", + "openIwooos": "開啟 IwoooS", + "runRefsTitle": "GitHub readiness run refs", + "boundaryLabel": "GitHub / Run 邊界", + "boundaryTitle": "目前沒有 GitHub primary run 可執行", + "boundaryDetail": "這個面板只把 source-control readiness 投影到 Run 監控語境;不建立 platform run、不接 execution router、不建立 GitHub repo、不改 refs、不改 workflow / secrets、不收 secret value、不切 primary,也不停用 Gitea。", + "metrics": { + "candidateRepos": { + "label": "Candidate repos", + "detail": "8 個候選 repo 只顯示 readiness,不會產生 GitHub repo creation run。" + }, + "inScopeRepos": { + "label": "In-scope repos", + "detail": "7 個 repo 仍等待 owner response;Run 監控不得替它們開任務。" + }, + "securityRuns": { + "label": "GitHub security runs", + "detail": "目前為 0;readiness visibility 不等於 platform run created。" + }, + "ownerResponses": { + "label": "Owner responses", + "detail": "22 個 response templates 仍為 0 received / 0 accepted。" + }, + "workflowInventory": { + "label": "Workflow inventory", + "detail": "7 個 repo 的 workflow / secret name inventory 仍未完成。" + } + }, + "runRefs": { + "primaryReadiness": "Primary readiness gate 仍顯示 ready=0,不能轉成 GitHub primary run。", + "ownerValidation": "Owner response validation rollup 仍是 0/22,不能被 Run 監控自動補成 accepted。", + "workflowInventory": "Workflow / secret name inventory 仍只收集名稱與路由,不收 secret value、不修改 GitHub secrets。", + "rollbackAdr": "Rollback ADR 尚未完成 owner-approved dry-run,因此不能啟動 primary switch run。" + } } }, "contracts": { diff --git a/apps/web/src/app/[locale]/awooop/runs/page.tsx b/apps/web/src/app/[locale]/awooop/runs/page.tsx index 5dc81a6da..b862901e8 100644 --- a/apps/web/src/app/[locale]/awooop/runs/page.tsx +++ b/apps/web/src/app/[locale]/awooop/runs/page.tsx @@ -19,7 +19,9 @@ import { ChevronLeft, ChevronRight, Cpu, + GitBranch, ListChecks, + Lock, SearchCheck, ShieldCheck, TriangleAlert, @@ -110,6 +112,19 @@ interface RecentEventsResponse { limit: number; } +type GitHubRunReadinessMetric = { + key: string; + value: string; + icon: typeof Activity; + tone: "neutral" | "warn"; +}; + +type GitHubRunReadinessRef = { + key: string; + name: string; + status: string; +}; + // ============================================================================= // 常數 // ============================================================================= @@ -269,6 +284,51 @@ const REMEDIATION_FILTER_OPTIONS: RemediationStatus[] = [ "no_evidence", ]; +const githubRunReadinessMetrics: GitHubRunReadinessMetric[] = [ + { key: "candidateRepos", value: "8", icon: GitBranch, tone: "neutral" }, + { key: "inScopeRepos", value: "7", icon: ListChecks, tone: "warn" }, + { key: "securityRuns", value: "0", icon: Activity, tone: "warn" }, + { key: "ownerResponses", value: "0/22", icon: ShieldCheck, tone: "warn" }, + { key: "workflowInventory", value: "0/7", icon: SearchCheck, tone: "warn" }, +]; + +const githubRunReadinessRefs: GitHubRunReadinessRef[] = [ + { + key: "primaryReadiness", + name: "source_control_primary_readiness_gate_v1", + status: "ready=0", + }, + { + key: "ownerValidation", + name: "source_control_owner_response_validation_rollup_v1", + status: "0/22", + }, + { + key: "workflowInventory", + name: "source_control_workflow_secret_name_inventory_v1", + status: "0/7", + }, + { + key: "rollbackAdr", + name: "source_control_primary_rollback_adr_v1", + status: "0/7", + }, +]; + +const githubRunReadinessBoundaries = [ + "security_run_created=false", + "github_primary_run_created=false", + "execution_router_linked=false", + "repo_creation_authorized=false", + "refs_mutation_authorized=false", + "workflow_secret_modification_authorized=false", + "secret_value_collection_allowed=false", + "github_primary_switch_authorized=false", + "gitea_disablement_authorized=false", + "runtime_execution_authorized=false", + "action_buttons_allowed=false", +]; + function getRunLane(state: RunState): RunLane { if (state === "pending") return "intake"; if (state === "waiting_tool") return "diagnosis"; @@ -703,6 +763,111 @@ function SecurityRunStateCandidatePanel() { ); } +function GitHubRunReadinessBoundaryPanel() { + const t = useTranslations("awooop.runs.githubRunReadinessBoundary"); + + return ( +
+
+
+
+
+ + {t("badge")} + + + {t("openIwooos")} +
+
+ +
+ {githubRunReadinessMetrics.map((metric) => { + const Icon = metric.icon; + return ( +
+
+
+

+ {t(`metrics.${metric.key}.label` as never)} +

+

+ {metric.value} +

+
+ + +
+

+ {t(`metrics.${metric.key}.detail` as never)} +

+
+ ); + })} +
+ +
+
+
+ {t("runRefsTitle")} +
+
+ {githubRunReadinessRefs.map((ref) => ( +
+
+

+ {ref.name} +

+

+ {t(`runRefs.${ref.key}` as never)} +

+
+
+ + {ref.status} + +
+
+ ))} +
+
+ +
+
+
+

{t("boundaryDetail")}

+
+ {githubRunReadinessBoundaries.map((boundary) => ( + {boundary} + ))} +
+
+
+
+ ); +} + // ============================================================================= // Main Component // ============================================================================= @@ -944,6 +1109,8 @@ export default function RunsPage() { + + {/* Filters */} diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 146c36082..8db222e80 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,17 @@ +## 2026-05-21 | 資安供應鏈 S2.69:AwoooP Runs GitHub Primary Readiness Boundary + +**背景**:S2.63-S2.68 已把 GitHub Primary Readiness 放進 `/iwooos`、AwoooP 工作鏈路、合約、審批、首頁與租戶管理;本輪補到 AwoooP Run 監控,避免 GitHub readiness 被誤認成可以建立 platform run、接 execution router 或啟動 primary switch run。 + +**完成**: +- `/awooop/runs` 新增「GitHub Primary Readiness Run 邊界」只讀面板,顯示 candidate repos=8、in-scope=7、security runs=0、owner response 0/22、workflow inventory complete=0/7。 +- Run 邊界面板顯示 `source_control_primary_readiness_gate_v1`、`source_control_owner_response_validation_rollup_v1`、`source_control_workflow_secret_name_inventory_v1`、`source_control_primary_rollback_adr_v1`,並連回 `/iwooos`。 +- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_69_awooop_runs_github_primary_readiness_boundary`,並新增 `show_awooop_runs_github_primary_readiness_boundary` next safe action。 +- `security-mirror-progress-guard.py` 開始驗證 AwoooP runs 的 GitHub readiness Run 邊界、source-control refs、IwoooS link、i18n 鍵與 false 邊界。 + +**仍禁止**: +- S2.69 的 AwoooP runs 邊界面板不代表 platform run created、execution router linked、owner response received / accepted、runtime authorization、active runtime gate、repo creation、visibility change、refs sync / delete / force push、workflow / secret modification、secret value collection、GitHub primary switch、Gitea disablement、Kali `/execute`、SSH 登入、主機更新或 blocking control。 +- 整體資安網 headline 仍是 58%;框架 / 治理 / 文件 / schema / read-only evidence 仍約 80-85%;真正落地執行 / runtime ingestion / GitHub primary / AwoooP production landing 仍約 35-40%。 + ## 2026-05-21 | 資安供應鏈 S2.68:AwoooP Tenants GitHub Primary Readiness Scope **背景**:S2.63-S2.67 已把 GitHub Primary Readiness 放進 `/iwooos`、AwoooP 工作鏈路、合約、審批與首頁;本輪補到 AwoooP 租戶管理,讓 AWOOOI first tenant 與 source-control owner scope 的缺口可見,但不把租戶範圍視圖誤認成 tenant policy 或 GitHub primary approval。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 8b3d63b06..208f36122 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -50,6 +50,7 @@ | AwoooP approvals GitHub primary readiness boundary | S2.66 已在 `/awooop/approvals` 顯示 GitHub Primary Readiness 審批邊界;S4.9=0/5、S4.10=0/7、S4.11=0/5、S4.12=0/5、primary_ready_count=0;仍不建立 approval record、不建立 repo、不改 visibility、不改 refs、不收 secret value、不切 primary、不停用 Gitea | | AwoooP home GitHub primary readiness summary | S2.67 已在 `/awooop` 顯示 GitHub Primary Readiness 只讀摘要;candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7;仍不建立 repo、不改 visibility、不改 refs、不收 secret value、不切 primary、不停用 Gitea | | AwoooP tenants GitHub primary readiness scope | S2.68 已在 `/awooop/tenants` 顯示 GitHub Primary Readiness 租戶範圍;candidate repos=8、in-scope=7、owner response 0/22、tenant scope changes=0;仍不改 migration mode、不改 tenant policy、不建立 repo、不改 visibility、不改 refs、不收 secret value、不切 primary、不停用 Gitea | +| AwoooP runs GitHub primary readiness boundary | S2.69 已在 `/awooop/runs` 顯示 GitHub Primary Readiness Run 邊界;candidate repos=8、in-scope=7、security runs=0、owner response 0/22、workflow inventory complete=0/7;仍不建立 platform run、不接 execution router、不建立 repo、不改 visibility、不改 refs、不改 workflow / secrets、不收 secret value、不切 primary、不停用 Gitea | | Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion | | Runtime actions | `false` | | Payload ingestion | `false` | @@ -166,6 +167,7 @@ | S2.66 AwoooP approvals GitHub primary readiness boundary | framework detail | 0 | 只在 `/awooop/approvals` 顯示 GitHub Primary Readiness 審批邊界,連回 `/iwooos` 並呈現 S4.9=0/5、S4.10=0/7、S4.11=0/5、S4.12=0/5、primary_ready_count=0;approval_record_created=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不建立 approval record、不建立 GitHub repo、不改 visibility、不 sync / delete / force push refs、不收 secret value、不切 primary、不停用 Gitea | | S2.67 AwoooP home GitHub primary readiness summary | framework detail | 0 | 只在 `/awooop` 顯示 GitHub Primary Readiness 只讀摘要,連回 `/iwooos` 並呈現 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7;repo_creation_authorized=false、refs_mutation_authorized=false、secret_value_collection_allowed=false、github_primary_switch_authorized=false、gitea_disablement_authorized=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不建立 GitHub repo、不改 visibility、不 sync / delete / force push refs、不收 secret value、不切 primary、不停用 Gitea | | S2.68 AwoooP tenants GitHub primary readiness scope | framework detail | 0 | 只在 `/awooop/tenants` 顯示 GitHub Primary Readiness 租戶範圍,連回 `/iwooos` 並呈現 AWOOOI first tenant source-control scope、S4.9、S4.10、S4.12 owner scope refs、candidate repos=8、in-scope=7、owner response 0/22、tenant scope changes=0;tenant_source_control_scope_accepted=false、repo_owner_response_accepted=false、repo_creation_authorized=false、refs_mutation_authorized=false、github_primary_switch_authorized=false、gitea_disablement_authorized=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不改 migration mode、不改 tenant policy、不建立 GitHub repo、不改 visibility、不 sync / delete / force push refs、不收 secret value、不切 primary、不停用 Gitea | +| S2.69 AwoooP runs GitHub primary readiness boundary | framework detail | 0 | 只在 `/awooop/runs` 顯示 GitHub Primary Readiness Run 邊界,連回 `/iwooos` 並呈現 source_control_primary_readiness_gate_v1、source_control_owner_response_validation_rollup_v1、source_control_workflow_secret_name_inventory_v1、source_control_primary_rollback_adr_v1、candidate repos=8、in-scope=7、security runs=0、owner response 0/22、workflow inventory complete=0/7;security_run_created=false、github_primary_run_created=false、execution_router_linked=false、repo_creation_authorized=false、refs_mutation_authorized=false、workflow_secret_modification_authorized=false、secret_value_collection_allowed=false、github_primary_switch_authorized=false、gitea_disablement_authorized=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不建立 platform run、不接 execution router、不建立 GitHub repo、不改 visibility、不 sync / delete / force push refs、不改 workflow / secrets、不收 secret value、不切 primary、不停用 Gitea | headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence: diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index ec9627c9d..ffd35e82c 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -5,7 +5,7 @@ | 日期 | 2026-05-17 | | 狀態 | S0/S1 read-only evidence 建置中 | | 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 | -| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP Run 監控 IwoooS Run State 只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub Primary Readiness 只讀狀態板 + AwoooP 工作鏈路 GitHub Primary Readiness 只讀工作項 + AwoooP 合約儀表板 GitHub Primary Readiness 合約只讀候選 + AwoooP 審批佇列 GitHub Primary Readiness 審批邊界 + AwoooP 首頁 GitHub Primary Readiness 只讀摘要 + AwoooP 租戶管理 GitHub Primary Readiness 租戶範圍 | +| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP Run 監控 IwoooS Run State 只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub Primary Readiness 只讀狀態板 + AwoooP 工作鏈路 GitHub Primary Readiness 只讀工作項 + AwoooP 合約儀表板 GitHub Primary Readiness 合約只讀候選 + AwoooP 審批佇列 GitHub Primary Readiness 審批邊界 + AwoooP 首頁 GitHub Primary Readiness 只讀摘要 + AwoooP 租戶管理 GitHub Primary Readiness 租戶範圍 + AwoooP Run 監控 GitHub Primary Readiness Run 邊界 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 @@ -28,7 +28,7 @@ python3 scripts/security/security-mirror-progress-guard.py ### 0.2 Headline 58% 不代表停滯 -近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.68 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 +近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.69 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner response accepted、redacted payload ingestion、active runtime gate、GitHub primary ready、AwoooP read-only landing。這五個 gate 目前仍全部是 0 / false,所以 headline 不應被灌水提高。 @@ -131,6 +131,7 @@ S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner respons | S2.66 AwoooP approvals GitHub primary readiness boundary | 已完成草案,在 `/awooop/approvals` 顯示 GitHub Primary Readiness 審批邊界,連回 `/iwooos`,並顯示 S4.9=0/5、S4.10=0/7、S4.11=0/5、S4.12=0/5、primary_ready_count=0;approval_record_created=false、runtime_execution_authorized=false、action_buttons_allowed=false | 0 | | S2.67 AwoooP home GitHub primary readiness summary | 已完成草案,在 `/awooop` 顯示 GitHub Primary Readiness 只讀摘要,連回 `/iwooos`,並顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7;repo_creation_authorized=false、refs_mutation_authorized=false、secret_value_collection_allowed=false、runtime_execution_authorized=false、action_buttons_allowed=false | 0 | | S2.68 AwoooP tenants GitHub primary readiness scope | 已完成草案,在 `/awooop/tenants` 顯示 GitHub Primary Readiness 租戶範圍,連回 `/iwooos`,並顯示 candidate repos=8、in-scope=7、owner response 0/22、tenant scope changes=0;tenant_source_control_scope_accepted=false、repo_creation_authorized=false、refs_mutation_authorized=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false | 0 | +| S2.69 AwoooP runs GitHub primary readiness boundary | 已完成草案,在 `/awooop/runs` 顯示 GitHub Primary Readiness Run 邊界,連回 `/iwooos`,並顯示 candidate repos=8、in-scope=7、security runs=0、owner response 0/22、workflow inventory complete=0/7;security_run_created=false、execution_router_linked=false、repo_creation_authorized=false、refs_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false | 0 | headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。 @@ -218,6 +219,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S2.66 AwoooP Approvals GitHub Primary Readiness Boundary | 完成草案 | `/awooop/approvals` 新增 GitHub Primary Readiness 審批邊界,顯示 S4.9 / S4.10 / S4.11 / S4.12 owner response lanes 全部仍未 accepted | 使用者與另一個 AwoooP Session 能在審批視野理解 GitHub primary readiness 仍只是 owner response 收件缺口;審批邊界仍不是 approval record、repo creation、refs mutation、secret value collection、primary switch、Gitea disablement 或 runtime 授權 | | S2.67 AwoooP Home GitHub Primary Readiness Summary | 完成草案 | `/awooop` 新增 GitHub Primary Readiness 只讀摘要,顯示 primary readiness、owner response validation、rollback ADR、workflow / secret name inventory refs,並顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7 | 使用者與另一個 AwoooP Session 能在首頁理解 GitHub primary readiness 仍只是 source-control readiness 缺口;首頁摘要仍不是 repo creation、visibility change、refs mutation、secret value collection、primary switch、Gitea disablement 或 runtime 授權 | | S2.68 AwoooP Tenants GitHub Primary Readiness Scope | 完成草案 | `/awooop/tenants` 新增 GitHub Primary Readiness 租戶範圍,顯示 AWOOOI first tenant source-control scope、S4.9、S4.10、S4.12 owner scope refs、candidate repos=8、in-scope=7、owner response 0/22、tenant scope changes=0 | 使用者與另一個 AwoooP Session 能在租戶視野理解 GitHub primary readiness 仍只是 owner scope 缺口;租戶範圍仍不是 tenant policy approval、repo creation、visibility change、refs mutation、secret value collection、primary switch、Gitea disablement 或 runtime 授權 | +| S2.69 AwoooP Runs GitHub Primary Readiness Boundary | 完成草案 | `/awooop/runs` 新增 GitHub Primary Readiness Run 邊界,顯示 primary readiness、owner response validation、workflow / secret name inventory、rollback ADR refs,以及 security runs=0 | 使用者與另一個 AwoooP Session 能在 Run 監控理解 GitHub primary readiness 仍不能變成 platform run 或 execution router;Run 邊界仍不是 repo creation、visibility change、refs mutation、workflow / secret mutation、secret value collection、primary switch、Gitea disablement 或 runtime 授權 | | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate | | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item | | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 | diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index 80454f2b7..1ddffcbe9 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -1286,6 +1286,18 @@ "runtime_delta": false, "execution_authorized": false, "not_authorization": true + }, + { + "delta_id": "s2_69_awooop_runs_github_primary_readiness_boundary", + "display_order": 98, + "completed_stage": "S2.69 AwoooP runs GitHub primary readiness boundary", + "progress_axis": "framework_detail", + "headline_percent_delta": 0, + "framework_delta_visible": true, + "why_headline_unchanged": "AwoooP Run 監控只新增 GitHub Primary Readiness Run 邊界只讀面板,顯示 candidate repos=8、in-scope=7、security runs=0、owner response 0/22、workflow inventory complete=0/7;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false,沒有建立 platform run、接 execution router、建立 GitHub repo、修改 visibility、sync / delete / force push refs、改 workflow / secrets、收 secret value、切 primary 或停用 Gitea。", + "runtime_delta": false, + "execution_authorized": false, + "not_authorization": true } ], "next_safe_actions": [ @@ -1578,6 +1590,22 @@ "從 AwoooP tenants 切 GitHub primary、停用 Gitea 或把 request-ready 當 owner response accepted" ] }, + { + "action_id": "show_awooop_runs_github_primary_readiness_boundary", + "title": "AwoooP Run 監控顯示 GitHub Primary Readiness Run 邊界", + "mode": "observe", + "source_contract": "security_mirror_status_rollup_v1", + "allowed_processing": [ + "在 /awooop/runs 顯示 S2.69 GitHub Primary Readiness Run 邊界", + "顯示 candidate repos=8、in-scope=7、security runs=0、owner response 0/22、workflow inventory complete=0/7", + "連到 /iwooos 只讀入口,不新增 platform run、execution router、repo、visibility、refs、workflow、secret、primary 或 Gitea disablement action" + ], + "blocked_processing": [ + "把 AwoooP runs GitHub readiness 邊界當成 platform run、execution router 或 GitHub primary approval", + "從 AwoooP runs 建立 platform run、接 execution router、建立 repo、改 visibility、sync/delete/force push refs 或收 secret value", + "從 AwoooP runs 修改 workflow / secrets、切 GitHub primary、停用 Gitea 或把 request-ready 當 owner response accepted" + ] + }, { "action_id": "mirror_low_friction_non_blocking_lanes", "title": "AwoooP 顯示低摩擦非阻擋升級分流", @@ -1959,7 +1987,8 @@ "S2.65 新增 AwoooP contracts GitHub Primary Readiness 合約只讀候選;/awooop/contracts 顯示 source_control_primary_readiness_gate_v1、source_control_owner_response_validation_rollup_v1、source_control_primary_rollback_adr_v1、source_control_workflow_secret_name_inventory_v1、iwooos_posture_projection_v1、candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7,並連回 /iwooos;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把合約候選當 GitHub primary approval、不建立 repo、不改 visibility、不 sync/delete/force push refs、不收 secret value、不切 primary、不停用 Gitea。", "S2.66 新增 AwoooP approvals GitHub Primary Readiness 審批邊界;/awooop/approvals 顯示 S4.9=0/5、S4.10=0/7、S4.11=0/5、S4.12=0/5、primary_ready_count=0,並連回 /iwooos;approval_record_created=false、github_primary_approval_granted=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把 approvals 邊界當 GitHub primary approval、不建立 repo、不改 visibility、不 sync/delete/force push refs、不收 secret value、不切 primary、不停用 Gitea。", "S2.67 新增 AwoooP home GitHub Primary Readiness 只讀摘要;/awooop 顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7,並連回 /iwooos;repo_creation_authorized=false、refs_mutation_authorized=false、secret_value_collection_allowed=false、github_primary_switch_authorized=false、gitea_disablement_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true,不把首頁摘要當 GitHub primary approval、不建立 repo、不改 visibility、不 sync/delete/force push refs、不收 secret value、不切 primary、不停用 Gitea。", - "S2.68 新增 AwoooP tenants GitHub Primary Readiness 租戶範圍;/awooop/tenants 顯示 AWOOOI first tenant source-control scope、S4.9、S4.10、S4.12 owner scope refs、candidate repos=8、in-scope=7、owner response 0/22、tenant scope changes=0,並連回 /iwooos;tenant_source_control_scope_accepted=false、repo_owner_response_accepted=false、repo_creation_authorized=false、refs_mutation_authorized=false、github_primary_switch_authorized=false、gitea_disablement_authorized=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true,不把租戶範圍當 tenant policy approval 或 GitHub primary approval、不改 migration mode、不改 tenant policy、不建立 repo、不改 visibility、不 sync/delete/force push refs、不收 secret value、不切 primary、不停用 Gitea。" + "S2.68 新增 AwoooP tenants GitHub Primary Readiness 租戶範圍;/awooop/tenants 顯示 AWOOOI first tenant source-control scope、S4.9、S4.10、S4.12 owner scope refs、candidate repos=8、in-scope=7、owner response 0/22、tenant scope changes=0,並連回 /iwooos;tenant_source_control_scope_accepted=false、repo_owner_response_accepted=false、repo_creation_authorized=false、refs_mutation_authorized=false、github_primary_switch_authorized=false、gitea_disablement_authorized=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true,不把租戶範圍當 tenant policy approval 或 GitHub primary approval、不改 migration mode、不改 tenant policy、不建立 repo、不改 visibility、不 sync/delete/force push refs、不收 secret value、不切 primary、不停用 Gitea。", + "S2.69 新增 AwoooP runs GitHub Primary Readiness Run 邊界;/awooop/runs 顯示 source_control_primary_readiness_gate_v1、source_control_owner_response_validation_rollup_v1、source_control_workflow_secret_name_inventory_v1、source_control_primary_rollback_adr_v1、candidate repos=8、in-scope=7、security runs=0、owner response 0/22、workflow inventory complete=0/7,並連回 /iwooos;security_run_created=false、github_primary_run_created=false、execution_router_linked=false、repo_creation_authorized=false、refs_mutation_authorized=false、workflow_secret_modification_authorized=false、secret_value_collection_allowed=false、github_primary_switch_authorized=false、gitea_disablement_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true,不把 Run 邊界當 platform run、execution router 或 GitHub primary approval、不建立 repo、不改 visibility、不 sync/delete/force push refs、不改 workflow / secrets、不收 secret value、不切 primary、不停用 Gitea。" ], "forbidden_actions": [ "start_kali_scan", diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index befc20f27..efc254b90 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -281,6 +281,7 @@ def validate(root: Path) -> None: "s2_66_awooop_approvals_github_primary_readiness_boundary", "s2_67_awooop_home_github_primary_readiness_summary", "s2_68_awooop_tenants_github_primary_readiness_scope", + "s2_69_awooop_runs_github_primary_readiness_boundary", ] assert_equal( "progress_delta_ledger.delta_ids", @@ -390,6 +391,11 @@ def validate(root: Path) -> None: [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], "show_awooop_tenants_github_primary_readiness_scope", ) + assert_contains( + "rollup.next_safe_actions.action_ids", + [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], + "show_awooop_runs_github_primary_readiness_boundary", + ) assert_equal("rollout_policy.schema_version", rollout_policy["schema_version"], "security_rollout_policy_v1") assert_equal("rollout_policy.default_mode", rollout_policy["default_mode"], "observe") @@ -5327,6 +5333,62 @@ def validate(root: Path) -> None: key, ) + assert_text_contains( + "awooop_runs_page.github_run_boundary_panel", + awooop_runs_page, + "GitHubRunReadinessBoundaryPanel", + ) + assert_text_contains( + "awooop_runs_page.github_run_boundary_metrics", + awooop_runs_page, + "githubRunReadinessMetrics", + ) + assert_text_contains( + "awooop_runs_page.github_run_boundary_iwooos_link", + awooop_runs_page, + 'href="/iwooos"', + ) + for text in [ + "source_control_primary_readiness_gate_v1", + "source_control_owner_response_validation_rollup_v1", + "source_control_workflow_secret_name_inventory_v1", + "source_control_primary_rollback_adr_v1", + "security_run_created=false", + "github_primary_run_created=false", + "execution_router_linked=false", + "repo_creation_authorized=false", + "refs_mutation_authorized=false", + "workflow_secret_modification_authorized=false", + "secret_value_collection_allowed=false", + "github_primary_switch_authorized=false", + "gitea_disablement_authorized=false", + "runtime_execution_authorized=false", + "action_buttons_allowed=false", + ]: + assert_text_contains("awooop_runs_page.github_run_boundary", awooop_runs_page, text) + for key in [ + "title", + "subtitle", + "badge", + "openIwooos", + "runRefsTitle", + "boundaryLabel", + "boundaryTitle", + "boundaryDetail", + "metrics", + "runRefs", + ]: + assert_contains( + "web_messages.zh-TW.awooop.runs.githubRunReadinessBoundary", + list(web_messages_zh["awooop"]["runs"]["githubRunReadinessBoundary"].keys()), + key, + ) + assert_contains( + "web_messages.en.awooop.runs.githubRunReadinessBoundary", + list(web_messages_en["awooop"]["runs"]["githubRunReadinessBoundary"].keys()), + key, + ) + assert_text_contains("awooop_approvals_page.security_owner_response_panel", awooop_approvals_page, "SecurityOwnerResponseGatePanel") assert_text_contains("awooop_approvals_page.iwooos_link", awooop_approvals_page, 'href="/iwooos"') for text in [