diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index 95062d03a..7e3a16ea5 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -4198,6 +4198,35 @@ "workflowInventory": "Workflow, runner, deploy-key, branch-protection, CODEOWNERS, and secret-name inventory; names only, never values.", "postureProjection": "The IwoooS frontend projection for the GitHub readiness board and forbidden actions." } + }, + "ownerResponseValidationCandidate": { + "title": "Owner Response Validation Contract Read-only Candidate", + "subtitle": "The contract dashboard mirrors the S4.13 owner response validation rollup and four source intake packets. This is not received owner response, an approval record, repo / refs / workflow action, or runtime authorization.", + "badge": "Validation candidate", + "contractRefsTitle": "Owner response validation contract refs", + "boundaryLabel": "Validation Boundary", + "boundaryTitle": "No validation result is publishable or executable here", + "boundaryDetail": "This panel only displays the four packets, 22 response templates, received / accepted / rejected counters at 0, and AwoooP display sections. It does not create approval records, create repos, mutate refs, modify workflows / secrets, collect secret values, switch primary, or open runtime gates.", + "openIwooos": "Open IwoooS", + "metrics": { + "packets": "Packets", + "packetsDetail": "The S4.9-S4.12 packets are still waiting for owner response.", + "templates": "Templates", + "templatesDetail": "22 templates only define intake shape; they are not sent or accepted responses.", + "received": "Received", + "receivedDetail": "Still 0; visible work items or contracts must not rewrite intake state.", + "accepted": "Accepted", + "acceptedDetail": "Still 0; only redacted evidence that passes validation can change this.", + "displaySections": "Display sections", + "displaySectionsDetail": "8 AwoooP display sections explain validation flow and boundaries only." + }, + "contractRefs": { + "validationRollup": "The S4.13 four-packet validation rollup that keeps received / accepted / rejected and reviewer checks separate.", + "giteaAttestation": "The S4.9 Gitea inventory owner attestation packet; five templates are still not received.", + "githubTarget": "The S4.10 GitHub target owner decision packet; seven templates are still not accepted.", + "refsTruth": "The S4.11 refs truth owner response packet; classification must not become refs action authorization.", + "workflowSecret": "The S4.12 workflow / secret-name owner response packet; names and redacted evidence only, never secret values." + } } }, "approvals": { diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index a54ea2e3d..05035b2f9 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -4147,58 +4147,87 @@ "contracts": { "securityContractCandidate": { "title": "IwoooS 資安契約只讀候選", - "subtitle": "合約儀表板只顯示 IwoooS / 資安鏡像目前依賴的 schema、snapshot 與 guard 口徑;這不是合約發布,也不會觸發 runtime gate。", + "subtitle": "合約儀表板只顯示 IwoooS / 資安鏡像目前依賴的結構定義、快照與防護檢查口徑;這不是合約發布,也不會觸發執行期閘門。", "badge": "契約候選", "contractRefsTitle": "只讀合約參照", "boundaryLabel": "合約邊界", "boundaryTitle": "目前沒有可發布的資安合約", - "boundaryDetail": "這個面板不發布合約版次、不改合約生命週期、不寫入平台合約 API、不呼叫 GitHub / Gitea / Kali,也不新增掃描、執行、部署、主要來源切換或 refs 動作。", + "boundaryDetail": "這個面板不發布合約版次、不改合約生命週期、不寫入平台合約 API、不呼叫 GitHub / Gitea / Kali,也不新增掃描、執行、部署、主要來源切換或分支 / 標籤參照動作。", "openIwooos": "開啟 IwoooS", "metrics": { "totalContracts": "合約總數", "totalContractsDetail": "資安鏡像目前彙整 36 個主要合約。", "readyForMirror": "鏡像就緒", - "readyForMirrorDetail": "33 個 ready、2 個 partial、1 個 contract-only、0 blocked。", + "readyForMirrorDetail": "33 個已就緒、2 個部分就緒、1 個僅契約、0 個阻擋。", "partialReady": "部分就緒", - "partialReadyDetail": "缺口仍集中在負責人回覆、payload ingestion 與原始碼管控負責人 evidence。", + "partialReadyDetail": "缺口仍集中在負責人回覆、資料匯入與原始碼管控負責人證據。", "activeRuntimeGates": "主動執行閘門", - "activeRuntimeGatesDetail": "仍為 0;合約可見性不等於 runtime enforcement。" + "activeRuntimeGatesDetail": "仍為 0;合約可見性不等於執行期強制控管。" }, "contractRefs": { - "statusRollup": "AwoooP / Security Session 的共同狀態入口,只彙整進度與安全 gate。", + "statusRollup": "AwoooP / 資安工作階段的共同狀態入口,只彙整進度與安全閘門。", "postureProjection": "IwoooS 前端態勢、主機覆蓋、負責人回覆焦點與禁止動作的投影契約。", - "ownerValidation": "S4.9-S4.12 負責人回覆 received / accepted 分離與 reviewer 檢查口徑。", - "rolloutPolicy": "低摩擦、先觀測、封鎖前先由負責人審查的 rollout policy。" + "ownerValidation": "S4.9-S4.12 負責人回覆已收到 / 已接受分離與審查者檢查口徑。", + "rolloutPolicy": "低摩擦、先觀測、封鎖前先由負責人審查的推出政策。" } }, "githubPrimaryReadinessCandidate": { "title": "GitHub 主要來源就緒度合約只讀候選", - "subtitle": "合約儀表板同步顯示 Gitea 轉 GitHub 的就緒度合約參照、負責人回覆缺口與不可執行邊界;這不是 repo 建立、refs 變更、secret 收集或主要來源切換授權。", + "subtitle": "合約儀表板同步顯示 Gitea 轉 GitHub 的就緒度合約參照、負責人回覆缺口與不可執行邊界;這不是專案庫建立、分支 / 標籤參照變更、機密收集或主要來源切換授權。", "badge": "GitHub 就緒度", "contractRefsTitle": "主要來源就緒度合約參照", "boundaryLabel": "原始碼管控邊界", "boundaryTitle": "目前沒有可切換的 GitHub 主要來源", - "boundaryDetail": "這個面板只顯示候選 repo、範圍內 repo、主要來源就緒數、負責人回覆與 workflow / secret 名稱清冊缺口;不建立 GitHub repo、不改可見性、不 sync / delete / force push refs、不收 secret value、不切主要來源、不停用 Gitea,也不觸發 runtime gate。", + "boundaryDetail": "這個面板只顯示候選專案庫、範圍內專案庫、主要來源就緒數、負責人回覆與工作流程 / 機密名稱清冊缺口;不建立 GitHub 專案庫、不改可見性、不同步 / 刪除 / 強制推送分支或標籤參照、不收機密明文值、不切主要來源、不停用 Gitea,也不觸發執行期閘門。", "openIwooos": "開啟 IwoooS", "metrics": { - "candidateRepos": "候選 repo", + "candidateRepos": "候選專案庫", "candidateReposDetail": "S4.0 目前追蹤 8 個 GitHub 主要來源就緒度候選。", - "inScopeRepos": "範圍內 repo", - "inScopeReposDetail": "7 個仍需負責人 / 可見性 / canonical / rollback evidence。", + "inScopeRepos": "範圍內專案庫", + "inScopeReposDetail": "7 個仍需負責人、可見性、主來源與回復證據。", "primaryReady": "主要來源就緒數", "primaryReadyDetail": "仍為 0;就緒度可見不等於已可切主要來源。", "ownerResponses": "負責人回覆", - "ownerResponsesDetail": "S4.9-S4.12 共 22 個回覆範本仍為 0 received / accepted。", + "ownerResponsesDetail": "S4.9-S4.12 共 22 個回覆範本仍為 0 已收到 / 0 已接受。", "workflowInventory": "工作流程清冊", - "workflowInventoryDetail": "7 個範圍內 repo 的 workflow / secret 名稱清冊仍未 complete。" + "workflowInventoryDetail": "7 個範圍內專案庫的工作流程 / 機密名稱清冊仍未完成。" }, "contractRefs": { - "primaryReadiness": "GitHub 主要來源 parity、owner、refs、workflow 與 rollback 前置缺口的主就緒度閘門。", - "ownerValidation": "四包負責人回覆的 received / accepted / rejected 分離與 reviewer 檢查口徑。", - "rollbackAdr": "7 個 in-scope repos 的 rollback ADR 草案、owner review 與 validation window。", - "workflowInventory": "workflow、runner、deploy key、branch protection、CODEOWNERS 與 secret 名稱清冊;只收名稱不收 value。", + "primaryReadiness": "GitHub 主要來源一致性、負責人、分支 / 標籤參照、工作流程與回復前置缺口的主就緒度閘門。", + "ownerValidation": "四包負責人回覆的已收到 / 已接受 / 已拒收分離與審查者檢查口徑。", + "rollbackAdr": "7 個範圍內專案庫的回復 ADR 草案、負責人審查與驗證窗口。", + "workflowInventory": "工作流程、執行器、部署金鑰、分支保護、CODEOWNERS 與機密名稱清冊;只收名稱不收明文值。", "postureProjection": "IwoooS 用來呈現 GitHub 就緒度狀態板與禁止動作的前端投影。" } + }, + "ownerResponseValidationCandidate": { + "title": "負責人回覆驗收契約只讀候選", + "subtitle": "合約儀表板同步顯示 S4.13 負責人回覆驗收彙整與四個來源收件包;這不是負責人回覆已收到、審批紀錄、專案庫 / 分支與標籤參照 / 工作流程動作或執行期授權。", + "badge": "驗收候選", + "contractRefsTitle": "負責人回覆驗收合約參照", + "boundaryLabel": "驗收邊界", + "boundaryTitle": "目前沒有可發布或可執行的驗收結果", + "boundaryDetail": "這個面板只顯示四包、22 個回覆範本、收件 / 接受 / 拒收仍為 0,以及 AwoooP 可顯示的驗收區塊;不建立審批紀錄、不建立專案庫、不改分支 / 標籤參照、不改工作流程 / 機密設定、不收機密明文值、不切主要來源,也不開執行期閘門。", + "openIwooos": "開啟 IwoooS", + "metrics": { + "packets": "回覆包", + "packetsDetail": "S4.9-S4.12 四包都仍在等待負責人回覆。", + "templates": "回覆範本", + "templatesDetail": "22 個範本只代表可收件格式,不代表已送出或已接受。", + "received": "已收到", + "receivedDetail": "目前仍為 0;工作項或合約可見性不得改寫收件狀態。", + "accepted": "已接受", + "acceptedDetail": "目前仍為 0;只有脫敏 evidence 通過驗收後才能改變。", + "displaySections": "顯示區塊", + "displaySectionsDetail": "8 個 AwoooP 顯示區塊只用於說明驗收流程與邊界。" + }, + "contractRefs": { + "validationRollup": "S4.13 的四包驗收總覽,固定已收到 / 已接受 / 已拒收分離與審查者檢查口徑。", + "giteaAttestation": "S4.9 Gitea 清冊負責人證明收件包;目前 5 個範本仍未收到。", + "githubTarget": "S4.10 GitHub 目標負責人決策收件包;目前 7 個範本仍未接受。", + "refsTruth": "S4.11 分支 / 標籤真相負責人回覆收件包;不得把分類視為分支 / 標籤參照動作授權。", + "workflowSecret": "S4.12 工作流程 / 機密名稱負責人回覆收件包;只允許名稱與脫敏證據,不允許機密明文值。" + } } }, "approvals": { diff --git a/apps/web/src/app/[locale]/awooop/contracts/page.tsx b/apps/web/src/app/[locale]/awooop/contracts/page.tsx index 570faf8ed..1a2657430 100644 --- a/apps/web/src/app/[locale]/awooop/contracts/page.tsx +++ b/apps/web/src/app/[locale]/awooop/contracts/page.tsx @@ -15,6 +15,7 @@ import { AlertCircle, Filter, ChevronDown, + ClipboardCheck, ShieldCheck, GitBranch, } from "lucide-react"; @@ -365,6 +366,127 @@ function GitHubPrimaryReadinessContractCandidatePanel() { ); } +function OwnerResponseValidationContractCandidatePanel() { + const t = useTranslations("awooop.contracts.ownerResponseValidationCandidate"); + const metrics = [ + { + label: t("metrics.packets"), + value: "4", + detail: t("metrics.packetsDetail"), + }, + { + label: t("metrics.templates"), + value: "22", + detail: t("metrics.templatesDetail"), + }, + { + label: t("metrics.received"), + value: "0", + detail: t("metrics.receivedDetail"), + }, + { + label: t("metrics.accepted"), + value: "0", + detail: t("metrics.acceptedDetail"), + }, + { + label: t("metrics.displaySections"), + value: "8", + detail: t("metrics.displaySectionsDetail"), + }, + ]; + const contracts = [ + { + name: "source_control_owner_response_validation_rollup_v1", + detail: t("contractRefs.validationRollup"), + }, + { + name: "gitea_inventory_owner_attestation_response_v1", + detail: t("contractRefs.giteaAttestation"), + }, + { + name: "github_target_owner_decision_response_v1", + detail: t("contractRefs.githubTarget"), + }, + { + name: "source_control_ref_truth_owner_response_v1", + detail: t("contractRefs.refsTruth"), + }, + { + name: "source_control_workflow_secret_name_owner_response_v1", + detail: t("contractRefs.workflowSecret"), + }, + ]; + + return ( +
+
+
+
+ + {t("badge")} + +
+ +
+ {metrics.map((item) => ( +
+

{item.label}

+

{item.value}

+

{item.detail}

+
+ ))} +
+ +
+
+
+ {t("contractRefsTitle")} +
+
+ {contracts.map((item) => ( +
+

{item.name}

+

{item.detail}

+
+ ))} +
+
+ +
+

{t("boundaryLabel")}

+

{t("boundaryTitle")}

+

{t("boundaryDetail")}

+
+ owner_response_validation_received_count=0 + owner_response_validation_accepted_count=0 + approval_record_created=false + repo_creation_authorized=false + refs_sync_authorized=false + workflow_modification_authorized=false + secret_value_collection_allowed=false + github_primary_switch_authorized=false + runtime_execution_authorized=false + action_buttons_allowed=false +
+ + {t("openIwooos")} +
+
+
+ ); +} + // ============================================================================= // Main Component // ============================================================================= @@ -437,6 +559,7 @@ export default function ContractsPage() { + {/* Filters */}
@@ -481,13 +604,13 @@ export default function ContractsPage() { 合約類型 - Project ID + 專案 ID 狀態 - Hash + 雜湊 建立時間 diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 47d8472ff..f917cd05e 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,17 @@ +## 2026-05-21 | 資安供應鏈 S2.74:AwoooP 合約儀表板負責人回覆驗收契約只讀候選 + +**背景**:S2.72 已把負責人回覆驗收放進 AwoooP 首頁,S2.73 已同步到工作鏈路;合約儀表板仍只看得到 IwoooS 資安契約與 GitHub 主要來源就緒度,尚未把 S4.13 驗收 rollup 與四個來源收件包清楚呈現。 + +**完成**: +- `/awooop/contracts` 新增「負責人回覆驗收契約只讀候選」,顯示 S4.13 rollup、S4.9 Gitea 清冊負責人證明、S4.10 GitHub 目標負責人決策、S4.11 分支 / 標籤真相負責人回覆與 S4.12 工作流程 / 機密名稱負責人回覆五個合約參照。 +- 合約候選顯示四包、22 個回覆範本、已收到=0、已接受=0 與 8 個顯示區塊,並連回 `/iwooos`。 +- `security_mirror_status_rollup_v1` 新增 `s2_74_awooop_contracts_owner_response_validation_candidate` 與 `show_awooop_contracts_owner_response_validation_candidate`。 +- `security-mirror-progress-guard.py` 已驗證合約候選元件、i18n 鍵、五個合約參照與 `false` 邊界。 + +**仍禁止**: +- S2.74 是 AwoooP 合約儀表板只讀呈現,不代表負責人回覆已收到 / 已接受、審批紀錄已建立、合約已發布、專案庫建立、分支 / 標籤參照同步、工作流程 / 機密設定修改、機密明文值收集、GitHub 主要來源切換、Gitea 停用、Kali `/execute`、SSH 登入、主機更新、阻擋型控制或執行期閘門。 +- 整體資安網百分比仍是 58%;框架 / 治理 / 文件 / 結構定義 / 只讀證據仍約 80-85%;真正落地執行 / 執行期匯入 / GitHub 主要來源 / AwoooP 正式入口仍約 35-40%。 + ## 2026-05-21 | 資安供應鏈 S2.73:AwoooP 工作鏈路負責人回覆驗收只讀工作項 **背景**:S2.72 已把四包負責人回覆驗收總覽放進 AwoooP 首頁,但 `/awooop/work-items` 尚未有同一個工作鏈路項目。另一個 AwoooP Session 與使用者需要在工作項層看見真正卡住 GitHub 主要來源與後續執行期閘門的是負責人回覆收件與驗收,而不是頁面已呈現就代表可執行。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 37dc8b8a5..a983d1564 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -55,6 +55,7 @@ | AwoooP run detail Traditional Chinese wording guard | S2.71 已把 AwoooP 執行詳情、審批決策與事件證據的使用者可見英文標籤改成繁體中文,並由 scoped guard 阻擋 Trace ID、Trigger、Tool、Scope、Dry-run、Tools、Incident Evidence、Run state、audit trail 等英文文案回流;保留技術 ID 與證據鍵值;仍不建立 approval record、不執行 runtime、不建立 repo、不改 refs、不改 workflow / secrets、不收 secret value、不切 primary、不停用 Gitea | | AwoooP 首頁負責人回覆驗收總覽 | S2.72 已在 `/awooop` 顯示四包負責人回覆驗收總覽;S4.9/S4.10/S4.11/S4.12、22 個回覆範本、已收到=0、已接受=0、已拒收=0、10 個跨包驗收、6 條證據路由、8 個顯示區塊、7 條狀態轉移、9 個審查清單項目、7 條審查結果分流;仍不標記負責人回覆已收到 / 已接受、不建立審批紀錄、不建立專案庫、不改分支 / 標籤參照、不改工作流程 / 機密設定、不收機密明文值、不切主要來源、不開執行期閘門 | | AwoooP 工作鏈路負責人回覆驗收只讀工作項 | S2.73 已在 `/awooop/work-items` 顯示四包負責人回覆驗收只讀工作項;22 個回覆範本、已收到=0、已接受=0、已拒收=0、10 個跨包驗收、6 條證據路由、8 個顯示區塊;仍不把工作項當成已收到 / 已接受、審批紀錄、專案庫 / 分支與標籤參照 / 工作流程 / 機密設定 / 主要來源動作或執行期閘門 | +| AwoooP 合約儀表板負責人回覆驗收契約只讀候選 | S2.74 已在 `/awooop/contracts` 顯示負責人回覆驗收契約只讀候選;S4.13 rollup 與 S4.9-S4.12 四個來源收件包、22 個回覆範本、已收到=0、已接受=0、8 個顯示區塊;仍不把合約候選當成已收到 / 已接受、審批紀錄、合約發布、專案庫 / 分支與標籤參照 / 工作流程 / 機密設定 / 主要來源動作或執行期閘門 | | Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion | | Runtime actions | `false` | | Payload ingestion | `false` | @@ -175,6 +176,7 @@ | S2.70 IwoooS / AwoooP Traditional Chinese security surface wording guard | framework detail | 0 | 只把 IwoooS / AwoooP 資安可視區塊使用者可見英文標籤改成繁體中文,並由 `security-mirror-progress-guard.py` 阻擋 Candidate repos、In-scope repos、Owner response、Workflow inventory、Active runtime gates、GitHub Primary Readiness 等英文標籤回流;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不建立 GitHub repo、不改 visibility、不 sync / delete / force push refs、不改 workflow / secrets、不收 secret value、不切 primary、不停用 Gitea | | S2.71 AwoooP run detail Traditional Chinese wording guard | framework detail | 0 | 只把 AwoooP 執行詳情、審批決策與事件證據使用者可見英文標籤改成繁體中文,並由 `security-mirror-progress-guard.py` scoped guard 阻擋 Trace ID、Trigger、Tool、Scope、Dry-run、Tools、Incident Evidence、Run state、audit trail 等英文文案回流;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不建立 approval record、不執行 runtime、不建立 GitHub repo、不改 visibility、不 sync / delete / force push refs、不改 workflow / secrets、不收 secret value、不切 primary、不停用 Gitea | | S2.73 AwoooP work-items owner response validation candidate | framework detail | 0 | 只在 `/awooop/work-items` 顯示四包負責人回覆驗收只讀工作項,呈現回覆包=4、範本=22、已收到=0、已接受=0、已拒收=0、跨包驗收=10、證據路由=6、顯示區塊=8;owner_response_validation_received_count=0、owner_response_validation_accepted_count=0、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不建立審批紀錄、不建立 GitHub repo、不改 visibility、不 sync / delete / force push refs、不改 workflow / secrets、不收 secret value、不切 primary、不停用 Gitea | +| S2.74 AwoooP contracts owner response validation candidate | framework detail | 0 | 只在 `/awooop/contracts` 顯示負責人回覆驗收契約只讀候選,呈現四包、範本=22、已收到=0、已接受=0、顯示區塊=8、S4.13 rollup 與 S4.9-S4.12 四個來源收件包;owner_response_validation_received_count=0、owner_response_validation_accepted_count=0、approval_record_created=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不發布合約、不建立審批紀錄、不建立 GitHub repo、不改 visibility、不 sync / delete / force push refs、不改 workflow / secrets、不收 secret value、不切 primary、不停用 Gitea | headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence: diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index c019b4fa4..f19025852 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -5,7 +5,7 @@ | 日期 | 2026-05-17 | | 狀態 | S0/S1 read-only evidence 建置中 | | 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 | -| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP 執行監控 IwoooS 執行狀態只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub 主要來源就緒度只讀狀態板 + AwoooP 工作鏈路 GitHub 主要來源就緒度只讀工作項 + AwoooP 合約儀表板 GitHub 主要來源就緒度合約只讀候選 + AwoooP 審批佇列 GitHub 主要來源就緒度審批邊界 + AwoooP 首頁 GitHub 主要來源就緒度只讀摘要 + AwoooP 租戶管理 GitHub 主要來源就緒度租戶範圍 + AwoooP 執行監控 GitHub 主要來源就緒度執行邊界 + IwoooS / AwoooP 資安可視區塊繁體中文呈現防護檢查 + AwoooP 執行詳情 / 審批詳情繁體中文呈現防護檢查 + AwoooP 首頁負責人回覆驗收總覽 + AwoooP 工作鏈路負責人回覆驗收只讀工作項 | +| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP 執行監控 IwoooS 執行狀態只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub 主要來源就緒度只讀狀態板 + AwoooP 工作鏈路 GitHub 主要來源就緒度只讀工作項 + AwoooP 合約儀表板 GitHub 主要來源就緒度合約只讀候選 + AwoooP 審批佇列 GitHub 主要來源就緒度審批邊界 + AwoooP 首頁 GitHub 主要來源就緒度只讀摘要 + AwoooP 租戶管理 GitHub 主要來源就緒度租戶範圍 + AwoooP 執行監控 GitHub 主要來源就緒度執行邊界 + IwoooS / AwoooP 資安可視區塊繁體中文呈現防護檢查 + AwoooP 執行詳情 / 審批詳情繁體中文呈現防護檢查 + AwoooP 首頁負責人回覆驗收總覽 + AwoooP 工作鏈路負責人回覆驗收只讀工作項 + AwoooP 合約儀表板負責人回覆驗收契約只讀候選 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 @@ -28,7 +28,7 @@ python3 scripts/security/security-mirror-progress-guard.py ### 0.2 Headline 58% 不代表停滯 -近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.73 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 +近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.74 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner response accepted、redacted payload ingestion、active runtime gate、GitHub primary ready、AwoooP read-only landing。這五個 gate 目前仍全部是 0 / false,所以 headline 不應被灌水提高。 @@ -136,6 +136,7 @@ S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner respons | S2.71 AwoooP run detail Traditional Chinese wording guard | 已完成草案,將 AwoooP 執行詳情、審批決策與事件證據的使用者可見英文標籤改成繁體中文,並由 scoped guard 阻擋 Trace ID、Trigger、Tool、Scope、Dry-run、Tools、Incident Evidence、Run state、audit trail 等英文文案回流;技術 ID 與 false flags 保留可追溯 | 0 | | S2.72 AwoooP 首頁負責人回覆驗收總覽 | 已完成草案,在 `/awooop` 顯示 S4.9/S4.10/S4.11/S4.12 四包負責人回覆、22 個回覆範本、已收到=0、已接受=0、已拒收=0 與人工審查驗收檢查;仍不標記負責人回覆已收到 / 已接受、不建立審批紀錄、不建立專案庫、不改分支 / 標籤參照、不開執行期閘門 | 0 | | S2.73 AwoooP 工作鏈路負責人回覆驗收只讀工作項 | 已完成草案,在 `/awooop/work-items` 顯示四包負責人回覆、22 個回覆範本、已收到=0、已接受=0、已拒收=0、10 個跨包驗收、6 條證據路由與 8 個顯示區塊;仍不把工作項當成已收到 / 已接受、審批紀錄、主要來源切換或執行期閘門 | 0 | +| S2.74 AwoooP 合約儀表板負責人回覆驗收契約只讀候選 | 已完成草案,在 `/awooop/contracts` 顯示 S4.13 rollup、四個來源收件包、22 個回覆範本、已收到=0、已接受=0 與 8 個顯示區塊;仍不把合約候選當成已收到 / 已接受、審批紀錄、合約發布、主要來源切換或執行期閘門 | 0 | headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。 @@ -228,6 +229,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S2.71 AwoooP Run Detail Traditional Chinese Wording Guard | 完成草案 | zh-TW AwoooP 執行詳情、審批決策與事件證據文案改為繁體中文,並新增 scoped guard 防止詳情頁英文標籤回流 | 使用者進入執行時間線、審批決策與事件證據時能以繁體中文理解狀態、來源、MCP、補救試跑與稽核欄位;本修正仍只是文案與 guard,不是 approval record、runtime、repo、refs、workflow、secret、GitHub primary 或 Gitea 動作 | | S2.72 AwoooP 首頁負責人回覆驗收總覽 | 完成草案 | `/awooop` 新增四包負責人回覆驗收總覽,顯示 22 個範本、0 已收到、0 已接受、0 已拒收、10 個跨包驗收、6 條證據路由、8 個顯示區塊、7 條狀態轉移、9 個審查清單項目與 7 條審查結果分流 | 使用者能在首頁看懂 GitHub 主要來源前真正卡住的是負責人證據收件與驗收;總覽仍不是審批紀錄、負責人回覆已接受、專案庫 / 分支與標籤參照 / 工作流程 / 機密設定動作、GitHub 主要來源或執行期閘門 | | S2.73 AwoooP 工作鏈路負責人回覆驗收只讀工作項 | 完成草案 | `/awooop/work-items` 新增四包負責人回覆驗收工作項,顯示 22 個範本、0 已收到、0 已接受、0 已拒收、10 個跨包驗收、6 條證據路由與 8 個顯示區塊,並連回 `/iwooos` | 使用者與另一個 AwoooP Session 能在工作鏈路理解 GitHub 主要來源真正等待負責人回覆驗收;工作項仍不是審批紀錄、已接受回覆、專案庫 / 分支與標籤參照 / 工作流程 / 機密設定動作、主要來源切換或執行期閘門 | +| S2.74 AwoooP 合約儀表板負責人回覆驗收契約只讀候選 | 完成草案 | `/awooop/contracts` 新增負責人回覆驗收契約候選,顯示 S4.13 rollup、S4.9-S4.12 四個來源收件包、22 個範本、0 已收到、0 已接受與 8 個顯示區塊 | 使用者與另一個 AwoooP Session 能在合約控制面理解負責人回覆驗收仍只是只讀契約缺口;合約候選仍不是合約發布、審批紀錄、已接受回覆、專案庫 / 分支與標籤參照 / 工作流程 / 機密設定動作、主要來源切換或執行期閘門 | | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate | | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item | | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 | diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index b67a40a6a..1c8b77416 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -1346,6 +1346,18 @@ "runtime_delta": false, "execution_authorized": false, "not_authorization": true + }, + { + "delta_id": "s2_74_awooop_contracts_owner_response_validation_candidate", + "display_order": 103, + "completed_stage": "S2.74 AwoooP 合約儀表板負責人回覆驗收契約只讀候選", + "progress_axis": "framework_detail", + "headline_percent_delta": 0, + "framework_delta_visible": true, + "why_headline_unchanged": "AwoooP 合約儀表板只新增負責人回覆驗收契約只讀候選,顯示四包、22 個回覆範本、已收到=0、已接受=0、8 個顯示區塊與五個合約參照;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false,不標記負責人回覆已收到 / 已接受、不建立審批紀錄、不發布合約、不建立專案庫、不改分支 / 標籤參照、不改工作流程 / 機密設定、不收機密明文值、不切主要來源、不停用 Gitea。", + "runtime_delta": false, + "execution_authorized": false, + "not_authorization": true } ], "next_safe_actions": [ @@ -1606,6 +1618,22 @@ "從 AwoooP contracts 切 GitHub primary、停用 Gitea 或把 request-ready 當 owner response accepted" ] }, + { + "action_id": "show_awooop_contracts_owner_response_validation_candidate", + "title": "AwoooP 合約儀表板顯示負責人回覆驗收契約只讀候選", + "mode": "observe", + "source_contract": "security_mirror_status_rollup_v1", + "allowed_processing": [ + "在 /awooop/contracts 顯示 S2.74 負責人回覆驗收契約只讀候選", + "顯示四包、22 個回覆範本、已收到=0、已接受=0、8 個顯示區塊與五個合約參照", + "連到 /iwooos 只讀入口,不新增審批紀錄、合約發布、專案庫、可見性、分支 / 標籤參照、工作流程、機密設定、主要來源或 Gitea 停用動作" + ], + "blocked_processing": [ + "把 AwoooP 合約儀表板負責人回覆驗收契約候選當成負責人回覆已收到或已接受", + "從 AwoooP contracts 建立審批紀錄、發布合約、建立專案庫、改可見性、同步 / 刪除 / 強制推送分支或標籤參照,或收機密明文值", + "從 AwoooP contracts 切 GitHub 主要來源、停用 Gitea 或開執行期閘門" + ] + }, { "action_id": "show_awooop_approvals_github_primary_readiness_boundary", "title": "AwoooP 審批佇列顯示 GitHub Primary Readiness 審批邊界", @@ -2088,7 +2116,8 @@ "S2.70 修正 IwoooS / AwoooP 資安可視區塊繁體中文呈現;zh-TW 前端文案將 GitHub readiness、owner response、runtime gate、run state、workflow inventory、tenant scope、contract refs、approval lanes 等使用者可見英文標籤改成繁體中文,並由 security-mirror-progress-guard.py 阻擋 Candidate repos、In-scope repos、Owner response、Workflow inventory、Active runtime gates、GitHub Primary Readiness 等英文標籤回流;保留 GitHub、Gitea、Kali、AwoooP、IwoooS、refs、workflow、secret、runtime、contract id 與 false flags 作為技術名詞或證據鍵值;runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true,不建立 repo、不改 refs、不改 workflow / secrets、不收 secret value、不切 primary、不停用 Gitea。", "S2.71 修正 AwoooP 執行詳情、審批決策與事件證據繁體中文呈現;zh-TW 前端文案將 Trace ID、Trigger、Trigger Ref、Tool、Scope、First-class、Policy enforced、Approval executor、Legacy bridge、Dry-run、Tools、Incident Evidence、Run state、audit trail 等使用者可見英文標籤改成繁體中文,並由 security-mirror-progress-guard.py 新增 scoped guard 阻擋回流;保留 run_id、project_id、trace_id、MCP Gateway、Runtime、ADR-100 與 false flags 作為技術名詞或證據鍵值;runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true,不建立 approval record、不執行 runtime、不建立 repo、不改 refs、不改 workflow / secrets、不收 secret value、不切 primary、不停用 Gitea。", "S2.72 新增 AwoooP 首頁負責人回覆驗收總覽;/awooop 顯示 S4.9/S4.10/S4.11/S4.12 四包負責人回覆、22 個回覆範本、已收到=0、已接受=0、已拒收=0、10 個跨包驗收、6 條證據路由、8 個顯示區塊、7 條狀態轉移、9 個審查清單項目與 7 條審查結果分流;owner_response_validation_received_count=0、owner_response_validation_accepted_count=0、repo_creation_authorized=false、refs_sync_authorized=false、workflow_modification_authorized=false、secret_value_collection_allowed=false、github_primary_switch_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true,不把首頁驗收總覽當負責人回覆已收到 / 已接受、審批紀錄、專案庫 / 分支與標籤參照 / 工作流程 / 機密設定 / 主要來源動作或執行期閘門。", - "S2.73 新增 AwoooP 工作鏈路負責人回覆驗收只讀工作項;/awooop/work-items 顯示四包、22 個回覆範本、已收到=0、已接受=0、已拒收=0、10 個跨包驗收、6 條證據路由與 8 個顯示區塊;owner_response_validation_received_count=0、owner_response_validation_accepted_count=0、repo_creation_authorized=false、refs_sync_authorized=false、workflow_modification_authorized=false、secret_value_collection_allowed=false、github_primary_switch_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true,不把工作鏈路工作項當負責人回覆已收到 / 已接受、審批紀錄、專案庫 / 分支與標籤參照 / 工作流程 / 機密設定 / 主要來源動作或執行期閘門。" + "S2.73 新增 AwoooP 工作鏈路負責人回覆驗收只讀工作項;/awooop/work-items 顯示四包、22 個回覆範本、已收到=0、已接受=0、已拒收=0、10 個跨包驗收、6 條證據路由與 8 個顯示區塊;owner_response_validation_received_count=0、owner_response_validation_accepted_count=0、repo_creation_authorized=false、refs_sync_authorized=false、workflow_modification_authorized=false、secret_value_collection_allowed=false、github_primary_switch_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true,不把工作鏈路工作項當負責人回覆已收到 / 已接受、審批紀錄、專案庫 / 分支與標籤參照 / 工作流程 / 機密設定 / 主要來源動作或執行期閘門。", + "S2.74 新增 AwoooP 合約儀表板負責人回覆驗收契約只讀候選;/awooop/contracts 顯示四包、22 個回覆範本、已收到=0、已接受=0、8 個顯示區塊、source_control_owner_response_validation_rollup_v1 與四個來源收件包參照;owner_response_validation_received_count=0、owner_response_validation_accepted_count=0、approval_record_created=false、repo_creation_authorized=false、refs_sync_authorized=false、workflow_modification_authorized=false、secret_value_collection_allowed=false、github_primary_switch_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false、not_authorization=true,不把合約候選當負責人回覆已收到 / 已接受、審批紀錄、合約發布、專案庫 / 分支與標籤參照 / 工作流程 / 機密設定 / 主要來源動作或執行期閘門。" ], "forbidden_actions": [ "start_kali_scan", diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 4af51a7f2..f9512bdf1 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -45,6 +45,22 @@ def assert_text_not_contains(label: str, text: str, forbidden: str) -> None: raise SystemExit(f"BLOCKED {label}: forbidden {forbidden!r}") +def collect_string_values(value: Any) -> list[str]: + if isinstance(value, str): + return [value] + if isinstance(value, list): + collected: list[str] = [] + for item in value: + collected.extend(collect_string_values(item)) + return collected + if isinstance(value, dict): + collected = [] + for item in value.values(): + collected.extend(collect_string_values(item)) + return collected + return [] + + def validate(root: Path) -> None: security_dir = root / "docs" / "security" @@ -291,6 +307,7 @@ def validate(root: Path) -> None: "s2_71_awooop_run_detail_traditional_chinese_wording_guard", "s2_72_awooop_home_owner_response_validation_rollup", "s2_73_awooop_work_items_owner_response_validation_candidate", + "s2_74_awooop_contracts_owner_response_validation_candidate", ] assert_equal( "progress_delta_ledger.delta_ids", @@ -395,6 +412,11 @@ def validate(root: Path) -> None: [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], "show_awooop_contracts_github_primary_readiness_candidate", ) + assert_contains( + "rollup.next_safe_actions.action_ids", + [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], + "show_awooop_contracts_owner_response_validation_candidate", + ) assert_contains( "rollup.next_safe_actions.action_ids", [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], @@ -520,6 +542,30 @@ def validate(root: Path) -> None: forbidden, ) + zh_awooop_contracts_value_text = "\n".join(collect_string_values(web_messages_zh["awooop"]["contracts"])) + for forbidden in [ + "secret value", + "workflow / secret", + "runtime gate", + "runtime enforcement", + "候選 repo", + "範圍內 repo", + "repo 建立", + "repo / refs", + "refs 變更", + "refs 動作", + "sync / delete / force push", + "received / accepted", + "received / accepted / rejected", + "waiting owner response", + "未 complete", + ]: + assert_text_not_contains( + "web_messages.zh-TW.awooop_contracts_wording", + zh_awooop_contracts_value_text, + forbidden, + ) + zh_awooop_home_security_text = json.dumps( { "securityMirror": web_messages_zh["awooop"]["home"]["securityMirror"], @@ -5761,6 +5807,10 @@ def validate(root: Path) -> None: assert_text_contains("awooop_contracts_page.security_contract_candidate_panel", awooop_contracts_page, "SecurityContractCandidatePanel") assert_text_contains("awooop_contracts_page.iwooos_link", awooop_contracts_page, 'href="/iwooos"') + assert_text_contains("awooop_contracts_page.project_header_traditional_chinese", awooop_contracts_page, "專案 ID") + assert_text_contains("awooop_contracts_page.hash_header_traditional_chinese", awooop_contracts_page, "雜湊") + assert_text_not_contains("awooop_contracts_page.project_header_english", awooop_contracts_page, "Project ID") + assert_text_not_contains("awooop_contracts_page.hash_header_english", awooop_contracts_page, ">Hash<") for text in [ "contract_publish_authorized=false", "contract_mutation_authorized=false", @@ -5844,6 +5894,55 @@ def validate(root: Path) -> None: key, ) + assert_text_contains( + "awooop_contracts_page.owner_response_validation_candidate_panel", + awooop_contracts_page, + "OwnerResponseValidationContractCandidatePanel", + ) + for text in [ + "owner_response_validation_received_count=0", + "owner_response_validation_accepted_count=0", + "approval_record_created=false", + "repo_creation_authorized=false", + "refs_sync_authorized=false", + "workflow_modification_authorized=false", + "secret_value_collection_allowed=false", + "github_primary_switch_authorized=false", + "runtime_execution_authorized=false", + "action_buttons_allowed=false", + ]: + assert_text_contains("awooop_contracts_page.owner_response_validation_boundary", awooop_contracts_page, text) + for text in [ + "source_control_owner_response_validation_rollup_v1", + "gitea_inventory_owner_attestation_response_v1", + "github_target_owner_decision_response_v1", + "source_control_ref_truth_owner_response_v1", + "source_control_workflow_secret_name_owner_response_v1", + ]: + assert_text_contains("awooop_contracts_page.owner_response_validation_refs", awooop_contracts_page, text) + for key in [ + "title", + "subtitle", + "badge", + "contractRefsTitle", + "boundaryLabel", + "boundaryTitle", + "boundaryDetail", + "openIwooos", + "metrics", + "contractRefs", + ]: + assert_contains( + "web_messages.zh-TW.awooop.contracts.ownerResponseValidationCandidate", + list(web_messages_zh["awooop"]["contracts"]["ownerResponseValidationCandidate"].keys()), + key, + ) + assert_contains( + "web_messages.en.awooop.contracts.ownerResponseValidationCandidate", + list(web_messages_en["awooop"]["contracts"]["ownerResponseValidationCandidate"].keys()), + key, + ) + assert_text_contains("iwooos_bridge.component", iwooos_bridge, "IwoooSReadOnlyBridge") assert_text_contains("iwooos_bridge.testid", iwooos_bridge, 'data-testid="iwooos-read-only-bridge"') assert_text_contains("iwooos_bridge.iwooos_link", iwooos_bridge, 'href="/iwooos"')