feat(security): 納入 Agent Bounty 只讀資安範圍
This commit is contained in:
@@ -1,3 +1,27 @@
|
||||
## 2026-06-11|IwoooS 納入 agent-bounty-protocol 只讀資安範圍
|
||||
|
||||
**背景**:新增 `agent-bounty-protocol` 專案需要放入 AWOOOI / IwoooS 資訊安全驗證與控管視野,但本階段只建立收件框架、只讀證據、資料分級與 owner gate,不合併產品邊界、不啟用 runtime、不修改該 repo、不讀 `.env` 或 secret。
|
||||
|
||||
**完成內容:**
|
||||
- 新增 `docs/schemas/agent_bounty_iwooos_onboarding_handoff_v1.schema.json`,定義 repo、product、surface、owner、evidence refs、資料分級、部署邊界、外部 agent / MCP / A2A 邊界與禁止動作。
|
||||
- 新增 `docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json` 與 `docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md`,記錄只讀盤點、owner response 欄位、驗收規則與禁止事項。
|
||||
- 更新 `docs/security/iwooos-posture-projection.snapshot.json`,將全產品資安快照由 7 類調整為 8 類、全域資安矩陣由 8 面調整為 9 面、決策跑道依賴由 6 類調整為 7 類。
|
||||
- 更新 `/zh-TW/iwooos` 前端資料與 i18n,新增 `agent-bounty-protocol` 新專案收件卡,呈現 owner、資料分級、repo 來源、部署邊界、外部 agent、treasury、runtime gate 七項檢核。
|
||||
- 更新 `scripts/security/security-mirror-progress-guard.py`,補上 agent-bounty-protocol 的 DOM、i18n、snapshot 與 boundary guard,避免 UI 可見被誤判為 runtime 授權。
|
||||
|
||||
**本地驗證:**
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .` 通過。
|
||||
- `python3 scripts/security/source-control-owner-response-guard.py --root .` 通過。
|
||||
- `python3 -m json.tool` 檢查新增 schema、snapshot、IwoooS projection 與 i18n JSON 通過。
|
||||
- zh-TW / en 鏡像一致:`True`。
|
||||
- `git diff --check` 通過。
|
||||
- `pnpm --filter @awoooi/web exec tsc --noEmit --tsBuildInfoFile /tmp/awoooi-web-agent-bounty-iwooos.tsbuildinfo` 通過。
|
||||
|
||||
**完成度與邊界:**
|
||||
- agent-bounty-protocol 只讀收件框架:本地 `100%`,正式站驗證 `待部署後補`。
|
||||
- IwoooS 整體仍維持 `64%`;active runtime gate 仍為 `0`;owner response received / accepted 仍為 `0 / false`。
|
||||
- 本階段不建 repo、不同步 refs、不修改 workflow、不收 secret、不部署、不掃描、不啟動 cron / daemon、不執行 claim / submit / payout / withdraw。
|
||||
|
||||
## 2026-06-06|AwoooP 導航資訊架構精簡正式部署
|
||||
|
||||
**背景**:AwoooP 操作控制台同時出現全站左側主導航、頁內二層菜單與頂部分頁,且三層都在重複「總覽 / 工作鏈路 / Run 監控 / 審批佇列 / 合約 / 租戶」這組任務入口,使用者需要在多個導航層之間判斷目前位置,體驗不佳。
|
||||
|
||||
@@ -0,0 +1,234 @@
|
||||
{
|
||||
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
||||
"$id": "urn:awoooi:agent-bounty-iwooos-onboarding-handoff-v1",
|
||||
"title": "Agent Bounty Protocol IwoooS Onboarding Handoff v1",
|
||||
"description": "定義 agent-bounty-protocol 納入 IwoooS 只讀資安視野時的 repo、product、surface、owner、evidence refs、資料分級、部署邊界、外部 agent / MCP / A2A 邊界與禁止動作。此契約不授權 repo / refs / workflow 變更、secret 收集、production deploy、掃描、claim / submit、金流 / payout 或 runtime execution。",
|
||||
"type": "object",
|
||||
"required": [
|
||||
"schema_version",
|
||||
"status",
|
||||
"date",
|
||||
"mode",
|
||||
"source_evidence_refs",
|
||||
"summary",
|
||||
"product_identity",
|
||||
"repo_scope",
|
||||
"product_surfaces",
|
||||
"owner_response_handoff",
|
||||
"independent_product_boundary",
|
||||
"data_classification_intake",
|
||||
"deployment_boundary",
|
||||
"external_agent_boundary",
|
||||
"acceptance_rules",
|
||||
"forbidden_actions"
|
||||
],
|
||||
"properties": {
|
||||
"schema_version": {"const": "agent_bounty_iwooos_onboarding_handoff_v1"},
|
||||
"status": {"type": "string", "enum": ["draft_waiting_owner_review"]},
|
||||
"date": {"type": "string"},
|
||||
"mode": {"type": "string", "enum": ["product_scope_handoff_only"]},
|
||||
"source_evidence_refs": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"summary": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"product_name",
|
||||
"onboarding_handoff_package_ready",
|
||||
"onboarding_handoff_completion_percent",
|
||||
"product_boundary_merged_into_awoooi",
|
||||
"owner_response_received",
|
||||
"owner_response_accepted",
|
||||
"repo_refs_truth_accepted",
|
||||
"data_classification_accepted",
|
||||
"deployment_boundary_accepted",
|
||||
"external_agent_boundary_accepted",
|
||||
"runtime_gate_open",
|
||||
"runtime_execution_authorized",
|
||||
"production_deploy_authorized",
|
||||
"repo_creation_authorized",
|
||||
"refs_sync_authorized",
|
||||
"workflow_modification_authorized",
|
||||
"secret_value_collection_authorized",
|
||||
"auto_claim_submit_authorized",
|
||||
"bounty_payout_authorized",
|
||||
"external_agent_autonomy_authorized",
|
||||
"shared_database_authorized",
|
||||
"shared_session_authorized",
|
||||
"shared_rbac_authorized",
|
||||
"action_buttons_allowed"
|
||||
],
|
||||
"properties": {
|
||||
"product_name": {"type": "string"},
|
||||
"onboarding_handoff_package_ready": {"type": "boolean"},
|
||||
"onboarding_handoff_completion_percent": {"type": "integer", "minimum": 0, "maximum": 100},
|
||||
"product_boundary_merged_into_awoooi": {"type": "boolean", "const": false},
|
||||
"owner_response_received": {"type": "boolean", "const": false},
|
||||
"owner_response_accepted": {"type": "boolean", "const": false},
|
||||
"repo_refs_truth_accepted": {"type": "boolean", "const": false},
|
||||
"data_classification_accepted": {"type": "boolean", "const": false},
|
||||
"deployment_boundary_accepted": {"type": "boolean", "const": false},
|
||||
"external_agent_boundary_accepted": {"type": "boolean", "const": false},
|
||||
"runtime_gate_open": {"type": "boolean", "const": false},
|
||||
"runtime_execution_authorized": {"type": "boolean", "const": false},
|
||||
"production_deploy_authorized": {"type": "boolean", "const": false},
|
||||
"repo_creation_authorized": {"type": "boolean", "const": false},
|
||||
"refs_sync_authorized": {"type": "boolean", "const": false},
|
||||
"workflow_modification_authorized": {"type": "boolean", "const": false},
|
||||
"secret_value_collection_authorized": {"type": "boolean", "const": false},
|
||||
"auto_claim_submit_authorized": {"type": "boolean", "const": false},
|
||||
"bounty_payout_authorized": {"type": "boolean", "const": false},
|
||||
"external_agent_autonomy_authorized": {"type": "boolean", "const": false},
|
||||
"shared_database_authorized": {"type": "boolean", "const": false},
|
||||
"shared_session_authorized": {"type": "boolean", "const": false},
|
||||
"shared_rbac_authorized": {"type": "boolean", "const": false},
|
||||
"action_buttons_allowed": {"type": "boolean", "const": false}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"product_identity": {
|
||||
"type": "object",
|
||||
"required": ["product_type", "current_focus", "technical_stack", "language_policy"],
|
||||
"properties": {
|
||||
"product_type": {"type": "string"},
|
||||
"current_focus": {"type": "string"},
|
||||
"technical_stack": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"language_policy": {"type": "string"}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"repo_scope": {
|
||||
"type": "object",
|
||||
"required": ["active_workspace", "reference_worktree", "required_owner_answers"],
|
||||
"properties": {
|
||||
"active_workspace": {
|
||||
"type": "object",
|
||||
"required": ["path", "status_summary", "canonical_for_iwooos", "forbidden_actions"],
|
||||
"properties": {
|
||||
"path": {"type": "string"},
|
||||
"status_summary": {"type": "string"},
|
||||
"canonical_for_iwooos": {"type": "boolean", "const": false},
|
||||
"forbidden_actions": {"type": "array", "items": {"type": "string"}, "minItems": 1}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"reference_worktree": {
|
||||
"type": "object",
|
||||
"required": ["path", "head_sha", "origin_main_sha", "main_sha", "remote", "refs_truth_status"],
|
||||
"properties": {
|
||||
"path": {"type": "string"},
|
||||
"head_sha": {"type": "string"},
|
||||
"origin_main_sha": {"type": "string"},
|
||||
"main_sha": {"type": "string"},
|
||||
"remote": {"type": "string"},
|
||||
"refs_truth_status": {"type": "string"}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"required_owner_answers": {"type": "array", "items": {"type": "string"}, "minItems": 1}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"product_surfaces": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"required": ["surface_id", "routes", "boundary"],
|
||||
"properties": {
|
||||
"surface_id": {"type": "string"},
|
||||
"routes": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"boundary": {"type": "string"}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"minItems": 1
|
||||
},
|
||||
"owner_response_handoff": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"status",
|
||||
"request_dispatch_authorized",
|
||||
"required_response_fields",
|
||||
"allowed_decisions",
|
||||
"forbidden_inputs",
|
||||
"response_received",
|
||||
"response_accepted"
|
||||
],
|
||||
"properties": {
|
||||
"status": {"type": "string", "enum": ["ready_not_dispatched"]},
|
||||
"request_dispatch_authorized": {"type": "boolean", "const": false},
|
||||
"required_response_fields": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"allowed_decisions": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"forbidden_inputs": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"response_received": {"type": "boolean", "const": false},
|
||||
"response_accepted": {"type": "boolean", "const": false}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"independent_product_boundary": {
|
||||
"type": "object",
|
||||
"required": ["must_remain_independent", "forbidden_couplings", "allowed_future_integrations"],
|
||||
"properties": {
|
||||
"must_remain_independent": {"type": "boolean"},
|
||||
"forbidden_couplings": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"allowed_future_integrations": {"type": "array", "items": {"type": "string"}, "minItems": 1}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"data_classification_intake": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"required": ["data_type", "status", "collection_rule"],
|
||||
"properties": {
|
||||
"data_type": {"type": "string"},
|
||||
"status": {"type": "string", "enum": ["waiting_owner_classification"]},
|
||||
"collection_rule": {"type": "string"}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"minItems": 1
|
||||
},
|
||||
"deployment_boundary": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"public_host",
|
||||
"production_mode",
|
||||
"compose_host_status",
|
||||
"compose_directory_status",
|
||||
"internal_web_status",
|
||||
"database_boundary",
|
||||
"production_verification_in_this_awoooi_stage",
|
||||
"deployment_authorized"
|
||||
],
|
||||
"properties": {
|
||||
"public_host": {"type": "string"},
|
||||
"production_mode": {"type": "string"},
|
||||
"compose_host_status": {"type": "string"},
|
||||
"compose_directory_status": {"type": "string"},
|
||||
"internal_web_status": {"type": "string"},
|
||||
"database_boundary": {"type": "string"},
|
||||
"production_verification_in_this_awoooi_stage": {"type": "boolean", "const": false},
|
||||
"deployment_authorized": {"type": "boolean", "const": false}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"external_agent_boundary": {
|
||||
"type": "object",
|
||||
"required": ["autonomy_authorized", "claim_submit_authorized", "payout_authorized", "allowed_now", "blocked_until_owner_review"],
|
||||
"properties": {
|
||||
"autonomy_authorized": {"type": "boolean", "const": false},
|
||||
"claim_submit_authorized": {"type": "boolean", "const": false},
|
||||
"payout_authorized": {"type": "boolean", "const": false},
|
||||
"allowed_now": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"blocked_until_owner_review": {"type": "array", "items": {"type": "string"}, "minItems": 1}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"acceptance_rules": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"forbidden_actions": {"type": "array", "items": {"type": "string"}, "minItems": 1}
|
||||
},
|
||||
"additionalProperties": false
|
||||
}
|
||||
148
docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md
Normal file
148
docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md
Normal file
@@ -0,0 +1,148 @@
|
||||
# agent-bounty-protocol 納入 IwoooS 只讀 Handoff
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-11 |
|
||||
| 狀態 | 草案,等待 owner review |
|
||||
| 產品 | `agent-bounty-protocol` |
|
||||
| Schema | `docs/schemas/agent_bounty_iwooos_onboarding_handoff_v1.schema.json` |
|
||||
| Snapshot | `docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json` |
|
||||
| 上游證據 | `docs/security/iwooos-posture-projection.snapshot.json`、`apps/web/src/app/[locale]/iwooos/page.tsx`、`/Users/ogt/Documents/agent-bounty-protocol/README.md`、`package.json`、`apps/web/package.json`、`packages/mcp-server/package.json`、`docker-compose.yml` |
|
||||
| 模式 | `product_scope_handoff_only` |
|
||||
| 執行面授權 | `false` |
|
||||
|
||||
## 0. 核心結論
|
||||
|
||||
`agent-bounty-protocol` 已被納入 IwoooS 的只讀資安驗證與控管範圍。這只代表 IwoooS 可以呈現產品範圍、surface、owner response 欄位、證據缺口與禁止動作;它不是產品合併、不是 production deploy 批准、不是外部 agent 自主行為批准、不是金流 / payout 批准,也不是掃描、修復、claim、submit、cron、daemon 或 runtime execution 授權。
|
||||
|
||||
本階段依照 IwoooS 初期原則,只建立低摩擦框架與只讀證據。owner response、資料分級、版本來源真相、部署邊界、外部 agent 邊界與財務 / settlement 邊界都仍未驗收。
|
||||
|
||||
## 1. 已讀到的只讀 evidence
|
||||
|
||||
| 類別 | evidence | 判讀 |
|
||||
|------|----------|------|
|
||||
| 產品定位 | `/Users/ogt/Documents/agent-bounty-protocol/README.md` | M2M 交易閘道器,含 Next.js dashboard 與 MCP Server |
|
||||
| 公開網域 | `README.md` | 對外服務候選為 `https://agent.wooo.work`,本段未做 production smoke |
|
||||
| 技術棧 | `package.json`、`apps/web/package.json`、`packages/mcp-server/package.json`、`packages/contracts/package.json` | Next.js 16、React 19、TypeScript、Prisma、PostgreSQL、Redis、MCP SDK、外部 agent / webhook / Stripe / Telegram / Discord / GitHub 類整合候選 |
|
||||
| Compose | `docker-compose.yml` | 本機 evidence 顯示 Postgres、Redis、web、agent 服務;`.env` 類檔案存在但本段未讀取 |
|
||||
| 路由面 | `apps/web/src/app/**` 檔名清冊 | 含 public task、admin、traffic、treasury、MCP、A2A、cron、webhook、health、scout 等 surface |
|
||||
| Repo refs | `git status` / `git rev-parse` 只讀查詢 | `HEAD / origin/main / main` 皆為 `a1856d08bc2778f9b41076cd6175ff2389b2e5ca`,但工作樹有 51 個修改或未追蹤項目,不能當成已驗收 canonical release |
|
||||
| IwoooS 前端 | `apps/web/src/app/[locale]/iwooos/page.tsx` | 已新增只讀收件卡與矩陣投影,runtime gate 仍為 `0` |
|
||||
|
||||
## 2. Scope 摘要
|
||||
|
||||
| 指標 | 值 |
|
||||
|------|----|
|
||||
| onboarding handoff package | `ready` |
|
||||
| package completion | `100%` |
|
||||
| product boundary merged into AWOOOI | `false` |
|
||||
| owner response received / accepted | `false / false` |
|
||||
| repo refs truth accepted | `false` |
|
||||
| data classification accepted | `false` |
|
||||
| deployment boundary accepted | `false` |
|
||||
| external agent boundary accepted | `false` |
|
||||
| runtime gate open | `false` |
|
||||
| production deploy authorized | `false` |
|
||||
| auto claim / submit authorized | `false / false` |
|
||||
| bounty payout / withdrawal authorized | `false / false` |
|
||||
| repo creation / refs sync / workflow modification authorized | `false / false / false` |
|
||||
|
||||
## 3. Repo / Refs Handoff
|
||||
|
||||
| 類型 | 路徑 / remote | 只讀判讀 | 不可誤讀 |
|
||||
|------|---------------|----------|----------|
|
||||
| active workspace | `/Users/ogt/Documents/agent-bounty-protocol` | branch `main`,但有 51 個 modified / untracked items,且存在 `.env` 類檔案未讀取 | 不可自動 commit、rebase、push、刪檔、同步 refs、讀 env 或跑部署腳本 |
|
||||
| reference refs | `HEAD = origin/main = main = a1856d08bc2778f9b41076cd6175ff2389b2e5ca` | refs 目前同 SHA,但 dirty workspace 仍需 owner 判定 WIP vs release candidate | 不可把 local dirty workspace 當成 production truth |
|
||||
| Gitea remote | `http://192.168.0.110:3001/wooo/agent-bounty-protocol.git` | 內部 Gitea remote 候選 | 不收 token、不改 remote、不 push、不切 GitHub primary |
|
||||
|
||||
後續 owner response 必須回答:
|
||||
|
||||
1. canonical repo path / remote 以哪個為準。
|
||||
2. 51 個 dirty / untracked items 中哪些是 WIP,哪些是 release candidate。
|
||||
3. GitHub target metadata 是否需要納入;若需要,也只收 target metadata,不建立 repo。
|
||||
4. workflow、runner、webhook、deploy key、branch protection、CODEOWNERS 與 secret name parity 的 owner。
|
||||
5. production host、compose directory、domain、TLS 與 smoke owner。
|
||||
6. MCP / A2A / external agent 自主行為邊界 owner。
|
||||
7. treasury / staking / settlement / Stripe / payout / withdrawal owner。
|
||||
|
||||
## 4. Product / Surface Handoff
|
||||
|
||||
| Surface | 路由 | 邊界 |
|
||||
|---------|------|------|
|
||||
| public task / marketplace | `/`、`/tasks/[id]`、`/tasks/create`、`/showcase`、`/leaderboard`、`/explorer`、`/traffic`、`/ico` | 只列公開與 marketplace surface,不代表 bounty payout 或外部 claim / submit 可執行 |
|
||||
| well-known metadata | `/.well-known/agent-card.json`、`/.well-known/ai-plugin.json`、`/.well-known/mcp.json`、`/.well-known/openapi.yaml` | metadata 可作 route evidence;不授權 agent execution 或 credential 曝露 |
|
||||
| MCP / open task API | `/api/mcp/[tool]`、`/api/mcp/create_human_task`、`/api/mcp/submit_bid`、`/api/open-tasks` | MCP tool gateway 需 owner response、auth boundary 與 abuse control;本段只讀 |
|
||||
| A2A protocol | `/api/a2a/*` | negotiation、settlement、staking、dispute 等路徑全部鎖到 owner review 與後續 runtime gate 之後 |
|
||||
| cron / automation | `/api/cron/*` | 不啟用 schedule、不跑 daemon、不 claim、不 submit、不 self-replicate、不外送訊息 |
|
||||
| admin / treasury | `/admin`、`/admin/traffic`、`/admin/treasury`、`/api/admin/*`、`/login` | 需 RBAC / auth / financial owner response;IwoooS 只列 scope |
|
||||
| webhook / scout / traffic | `/api/traffic`、`/api/webhooks/github`、`/api/webhooks/stripe`、`/api/scout/*`、`/api/intents/stream`、`/api/v1/health` | 只收 redacted metadata,不收 webhook secret、auth header 或 raw payload body |
|
||||
|
||||
## 5. Owner Response Handoff
|
||||
|
||||
此 handoff 只讓 AwoooP 或 reviewer 請 owner 補 `agent-bounty-protocol` metadata。它不是 request sent、不是 approval queue,也不是可執行動作。
|
||||
|
||||
### 5.1 必填欄位
|
||||
|
||||
| 欄位 | 說明 |
|
||||
|------|------|
|
||||
| `product_owner_role_or_team` | agent-bounty-protocol 產品 owner 或 team |
|
||||
| `security_owner_role_or_team` | 資安 / abuse / 資料保護 owner |
|
||||
| `source_control_owner_role_or_team` | repo / refs / workflow / secret name owner |
|
||||
| `deployment_owner_role_or_team` | Docker Compose / domain / TLS / smoke owner |
|
||||
| `data_classification_owner_role_or_team` | task、agent、webhook、traffic、treasury、admin 資料分級 owner |
|
||||
| `external_agent_boundary_owner_role_or_team` | MCP / A2A / Nostr / Waku / XMTP / cron / daemon owner |
|
||||
| `settlement_or_treasury_owner_role_or_team` | staking、withdrawal、payout、Stripe / wallet 類風險 owner |
|
||||
| `notification_owner_role_or_team` | Telegram、Discord、GitHub webhook / issue comment owner |
|
||||
| `surface_scope` | 本次納入 IwoooS 的 route、API、admin、cron、worker、webhook 範圍 |
|
||||
| `decision` | 允許值:`confirm_observe_only`、`defer`、`reject`、`request_more_evidence` |
|
||||
| `decision_reason` | 決策理由摘要,不得貼 raw secret、token、cookie、session、wallet key 或未脫敏 payload |
|
||||
| `redacted_evidence_refs` | 只填文件、snapshot、ticket、commit、hash 或脫敏 metadata pointer |
|
||||
| `followup_owner` | 補件、拒收或下一階段 owner |
|
||||
|
||||
### 5.2 禁止輸入
|
||||
|
||||
| 類型 | 規則 |
|
||||
|------|------|
|
||||
| credential | 不貼 `.env`、DB URL、API key、MCP key、E2B key、Telegram token、Discord webhook、GitHub token、Stripe secret、wallet private key、seed phrase、cookie、session、auth header |
|
||||
| raw payload | 不貼 webhook body、traffic body、agent prompt、agent transcript、task raw solution、unpublished code、admin account data |
|
||||
| source-control action | 不要求建立 repo、同步 refs、rebase、push、改 workflow、改 runner、改 secret |
|
||||
| production action | 不要求 deploy、restart、compose up/down、DB migration、cron enable、daemon start、traffic send |
|
||||
| external agent action | 不要求 `AUTO_CLAIM`、`AUTO_SUBMIT`、`RUN_DAEMON`、MCP claim / submit、A2A dispatcher、自我複製、外部送訊 |
|
||||
| settlement action | 不要求 payout、withdrawal、staking、Stripe webhook secret 變更或 wallet 操作 |
|
||||
|
||||
## 6. 獨立產品邊界
|
||||
|
||||
`agent-bounty-protocol` 可以納入 IwoooS 的全產品資安視野,但第一階段仍必須維持獨立產品邊界:
|
||||
|
||||
1. 不共用 AWOOOI 或其他產品資料庫。
|
||||
2. 不共用 AWOOOI 會員 Session。
|
||||
3. 不把 agent-bounty-protocol RBAC 綁到 AWOOOI 權限模型。
|
||||
4. 不讓 agent-bounty-protocol 核心流程依賴 AWOOOI runtime 可用性。
|
||||
5. 不把 AwoooP approval 當 agent-bounty-protocol 資安批准、部署批准、agent 行為批准或 payout 批准。
|
||||
6. 不把 AwoooP work item 直接轉成 external agent claim / submit。
|
||||
7. 後續整合只能走版本化 API、Webhook、outbox、匯入匯出配接器、SSO / OAuth 或 Anti-Corruption Layer。
|
||||
|
||||
## 7. 資料分級收件
|
||||
|
||||
| 資料類型 | 初期分級狀態 | 收件規則 |
|
||||
|----------|--------------|----------|
|
||||
| task / bounty / solution metadata | waiting owner classification | 只收欄位類型、狀態與脫敏摘要,不收 private task、raw solution 或 unpublished code |
|
||||
| agent identity / reputation / negotiation state | waiting owner classification | 只收 agent 類型、狀態轉移與 owner 判讀,不收 prompt、transcript、private key 或 token |
|
||||
| MCP tool calls / A2A protocol events | waiting owner classification | 只收 route、tool name、decision metadata,不收 request body、credential、payload 或 generated secret |
|
||||
| webhook / traffic / scout evidence | waiting owner classification | 只收 source type、timestamp、redacted status,不收 webhook secret、auth header 或 raw payload body |
|
||||
| settlement / staking / treasury / Stripe | waiting owner classification | 只收 capability 與 owner metadata,不收 wallet private key、seed phrase、Stripe secret 或 payout instruction |
|
||||
| admin / login / traffic dashboard | waiting owner classification | 只收角色邊界與 audit event type,不收 password、session、cookie 或 private user data |
|
||||
| cron / daemon / ecosystem hunter | waiting owner classification | 只收 schedule name、disabled/enabled intent 與 redacted endpoint refs,不啟動 daemon、claim、submit 或 external send |
|
||||
|
||||
## 8. 驗收規則
|
||||
|
||||
1. 本 handoff 完成不代表 `agent-bounty-protocol` owner response 已收到或 accepted。
|
||||
2. 納入 IwoooS 只代表全產品資安視野可見,不代表掃描、部署、修復、claim、submit、payout、withdraw、cron 或 runtime execution。
|
||||
3. canonical repo、refs truth、workflow / secret name、GitHub target、compose host 與 production URL 仍需 owner response。
|
||||
4. 正式 URL、Docker Compose、health endpoint、MCP metadata 或 A2A routes 可見,不等於本段已做 production verification。
|
||||
5. 任何 `.env`、secret、DB URL、token、private key、seed phrase、cookie、session、auth header、webhook secret 都必須拒收或隔離。
|
||||
6. 未來若要改 production、deploy、compose、DB migration、cron、daemon、domain、TLS、MCP tool behavior 或 A2A automation,必須另開 owner approval 與 rollback / post-check。
|
||||
|
||||
## 9. 階段定位
|
||||
|
||||
本段只把 `agent-bounty-protocol` 從「新專案尚未在 IwoooS 可見」推到「owner / reviewer 可照表審 repo、product、surface、owner、data classification、deployment boundary、external agent boundary、treasury boundary 與 evidence refs」。它不改 `agent-bounty-protocol` repo、不部署、不掃描、不讀 `.env`、不開 runtime gate,也不提高 IwoooS headline 64%。
|
||||
@@ -0,0 +1,385 @@
|
||||
{
|
||||
"schema_version": "agent_bounty_iwooos_onboarding_handoff_v1",
|
||||
"status": "draft_waiting_owner_review",
|
||||
"date": "2026-06-11",
|
||||
"mode": "product_scope_handoff_only",
|
||||
"source_evidence_refs": [
|
||||
"docs/security/iwooos-posture-projection.snapshot.json",
|
||||
"docs/workplans/2026-06-04-iwooos-security-governance-p0.md",
|
||||
"apps/web/src/app/[locale]/iwooos/page.tsx",
|
||||
"apps/web/messages/zh-TW.json",
|
||||
"/Users/ogt/Documents/agent-bounty-protocol/README.md",
|
||||
"/Users/ogt/Documents/agent-bounty-protocol/package.json",
|
||||
"/Users/ogt/Documents/agent-bounty-protocol/apps/web/package.json",
|
||||
"/Users/ogt/Documents/agent-bounty-protocol/packages/mcp-server/package.json",
|
||||
"/Users/ogt/Documents/agent-bounty-protocol/packages/contracts/package.json",
|
||||
"/Users/ogt/Documents/agent-bounty-protocol/docker-compose.yml"
|
||||
],
|
||||
"summary": {
|
||||
"product_name": "agent-bounty-protocol",
|
||||
"onboarding_handoff_package_ready": true,
|
||||
"onboarding_handoff_completion_percent": 100,
|
||||
"product_boundary_merged_into_awoooi": false,
|
||||
"owner_response_received": false,
|
||||
"owner_response_accepted": false,
|
||||
"repo_refs_truth_accepted": false,
|
||||
"data_classification_accepted": false,
|
||||
"deployment_boundary_accepted": false,
|
||||
"external_agent_boundary_accepted": false,
|
||||
"runtime_gate_open": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"production_deploy_authorized": false,
|
||||
"repo_creation_authorized": false,
|
||||
"refs_sync_authorized": false,
|
||||
"workflow_modification_authorized": false,
|
||||
"secret_value_collection_authorized": false,
|
||||
"auto_claim_submit_authorized": false,
|
||||
"bounty_payout_authorized": false,
|
||||
"external_agent_autonomy_authorized": false,
|
||||
"shared_database_authorized": false,
|
||||
"shared_session_authorized": false,
|
||||
"shared_rbac_authorized": false,
|
||||
"action_buttons_allowed": false
|
||||
},
|
||||
"product_identity": {
|
||||
"product_type": "M2M 交易閘道器、Agent Bounty / MCP / A2A 實驗產品",
|
||||
"current_focus": "公開任務、agent 互動、MCP tool gateway、A2A negotiation、外部流量監控、scout、webhook、admin / treasury 與 cron automation 的只讀資安納管。",
|
||||
"technical_stack": [
|
||||
"Next.js 16 App Router",
|
||||
"React 19",
|
||||
"TypeScript",
|
||||
"Prisma",
|
||||
"PostgreSQL",
|
||||
"Redis",
|
||||
"Docker Compose",
|
||||
"MCP SDK",
|
||||
"A2A / Nostr / Waku / XMTP 類外部 agent 連線",
|
||||
"Stripe / Ethers / webhook 類整合候選",
|
||||
"Telegram / Discord / GitHub 通知或 webhook 候選"
|
||||
],
|
||||
"language_policy": "納入 IwoooS 與 AWOOOI 文件、前端內容、LOGBOOK 與 handoff 時一律使用繁體中文;程式符號、API、套件名稱、route 與 env-key 名稱可保留英文。"
|
||||
},
|
||||
"repo_scope": {
|
||||
"active_workspace": {
|
||||
"path": "/Users/ogt/Documents/agent-bounty-protocol",
|
||||
"status_summary": "read_only_observed_dirty_workspace_on_main_with_51_modified_or_untracked_items; .env-like files exist but were not read",
|
||||
"canonical_for_iwooos": false,
|
||||
"forbidden_actions": [
|
||||
"commit",
|
||||
"rebase",
|
||||
"push",
|
||||
"delete_files",
|
||||
"sync_refs",
|
||||
"read_env_file",
|
||||
"run_deploy_script",
|
||||
"run_security_scan",
|
||||
"start_cron_or_daemon"
|
||||
]
|
||||
},
|
||||
"reference_worktree": {
|
||||
"path": "/Users/ogt/Documents/agent-bounty-protocol",
|
||||
"head_sha": "a1856d08bc2778f9b41076cd6175ff2389b2e5ca",
|
||||
"origin_main_sha": "a1856d08bc2778f9b41076cd6175ff2389b2e5ca",
|
||||
"main_sha": "a1856d08bc2778f9b41076cd6175ff2389b2e5ca",
|
||||
"remote": "http://192.168.0.110:3001/wooo/agent-bounty-protocol.git",
|
||||
"refs_truth_status": "waiting_owner_decision_due_dirty_workspace_and_internal_remote"
|
||||
},
|
||||
"required_owner_answers": [
|
||||
"canonical repo path / remote",
|
||||
"dirty workspace WIP vs release candidate disposition",
|
||||
"GitHub target metadata if needed",
|
||||
"workflow / runner / webhook / secret name parity owner",
|
||||
"production host / compose directory / domain / TLS owner",
|
||||
"A2A / MCP / external agent autonomy boundary owner",
|
||||
"treasury / payout / staking / Stripe / settlement data owner",
|
||||
"traffic monitoring / Telegram / Discord / GitHub webhook notification owner"
|
||||
]
|
||||
},
|
||||
"product_surfaces": [
|
||||
{
|
||||
"surface_id": "public-and-task-surface",
|
||||
"routes": [
|
||||
"/",
|
||||
"/tasks/[id]",
|
||||
"/tasks/create",
|
||||
"/showcase",
|
||||
"/showcase/[id]",
|
||||
"/leaderboard",
|
||||
"/explorer",
|
||||
"/traffic",
|
||||
"/ico"
|
||||
],
|
||||
"boundary": "public and marketplace-facing surface only; no bounty payout or external claim/submit authorization in this handoff"
|
||||
},
|
||||
{
|
||||
"surface_id": "well-known-agent-metadata",
|
||||
"routes": [
|
||||
"/.well-known/agent-card.json",
|
||||
"/.well-known/ai-plugin.json",
|
||||
"/.well-known/mcp.json",
|
||||
"/.well-known/openapi.yaml"
|
||||
],
|
||||
"boundary": "metadata can be indexed as route evidence; it does not authorize agent execution or credential exposure"
|
||||
},
|
||||
{
|
||||
"surface_id": "mcp-and-open-task-api",
|
||||
"routes": [
|
||||
"/api/mcp/[tool]",
|
||||
"/api/mcp/agent_card",
|
||||
"/api/mcp/create_human_task",
|
||||
"/api/mcp/submit_bid",
|
||||
"/api/open-tasks"
|
||||
],
|
||||
"boundary": "MCP tool gateway requires owner response, auth boundary and abuse controls before any runtime use; this handoff is read-only"
|
||||
},
|
||||
{
|
||||
"surface_id": "a2a-agent-protocol",
|
||||
"routes": [
|
||||
"/api/a2a/arbitrate",
|
||||
"/api/a2a/directory/sync",
|
||||
"/api/a2a/dispute",
|
||||
"/api/a2a/launchpad/create",
|
||||
"/api/a2a/launchpad/projects",
|
||||
"/api/a2a/mcp/discover",
|
||||
"/api/a2a/negotiate",
|
||||
"/api/a2a/reputation/verify",
|
||||
"/api/a2a/rpc",
|
||||
"/api/a2a/settle",
|
||||
"/api/a2a/staking/deposit",
|
||||
"/api/a2a/staking/withdraw"
|
||||
],
|
||||
"boundary": "external agent, settlement, staking and dispute routes stay locked until owner approval and follow-up runtime gate"
|
||||
},
|
||||
{
|
||||
"surface_id": "automation-and-cron",
|
||||
"routes": [
|
||||
"/api/cron/a2a-discovery",
|
||||
"/api/cron/a2a-dispatcher",
|
||||
"/api/cron/a2a-inviter",
|
||||
"/api/cron/a2a-swarm",
|
||||
"/api/cron/bidding-evaluator",
|
||||
"/api/cron/judge-agent",
|
||||
"/api/cron/lead-gen",
|
||||
"/api/cron/reaper",
|
||||
"/api/cron/self-replicate",
|
||||
"/api/cron/sentience-check",
|
||||
"/api/cron/treasury-alert"
|
||||
],
|
||||
"boundary": "cron and daemon behavior is observe-only in IwoooS; no schedule enable, external send, claim, submit, payout or self-replication is authorized"
|
||||
},
|
||||
{
|
||||
"surface_id": "admin-and-treasury",
|
||||
"routes": [
|
||||
"/admin",
|
||||
"/admin/traffic",
|
||||
"/admin/treasury",
|
||||
"/api/admin/health",
|
||||
"/api/admin/simulate",
|
||||
"/api/admin/treasury/stats",
|
||||
"/api/admin/withdraw",
|
||||
"/login"
|
||||
],
|
||||
"boundary": "admin, treasury and withdraw surfaces require RBAC / auth / financial owner response; IwoooS only lists them as scope"
|
||||
},
|
||||
{
|
||||
"surface_id": "webhooks-and-traffic",
|
||||
"routes": [
|
||||
"/api/traffic",
|
||||
"/api/webhooks/github",
|
||||
"/api/webhooks/stripe",
|
||||
"/api/scout/draft",
|
||||
"/api/scout/issue-exists",
|
||||
"/api/intents/stream",
|
||||
"/api/v1/health"
|
||||
],
|
||||
"boundary": "traffic, scout and webhook evidence must be redacted metadata only; no webhook secret or payload body collection"
|
||||
}
|
||||
],
|
||||
"owner_response_handoff": {
|
||||
"status": "ready_not_dispatched",
|
||||
"request_dispatch_authorized": false,
|
||||
"required_response_fields": [
|
||||
"product_owner_role_or_team",
|
||||
"security_owner_role_or_team",
|
||||
"source_control_owner_role_or_team",
|
||||
"deployment_owner_role_or_team",
|
||||
"data_classification_owner_role_or_team",
|
||||
"external_agent_boundary_owner_role_or_team",
|
||||
"settlement_or_treasury_owner_role_or_team",
|
||||
"notification_owner_role_or_team",
|
||||
"surface_scope",
|
||||
"decision",
|
||||
"decision_reason",
|
||||
"redacted_evidence_refs",
|
||||
"followup_owner"
|
||||
],
|
||||
"allowed_decisions": [
|
||||
"confirm_observe_only",
|
||||
"defer",
|
||||
"reject",
|
||||
"request_more_evidence"
|
||||
],
|
||||
"forbidden_inputs": [
|
||||
".env content",
|
||||
"database URL value",
|
||||
"API key value",
|
||||
"MCP API key value",
|
||||
"E2B API key value",
|
||||
"Telegram bot token value",
|
||||
"Telegram chat id value",
|
||||
"Discord webhook value",
|
||||
"GitHub token value",
|
||||
"Stripe secret value",
|
||||
"wallet private key",
|
||||
"seed phrase",
|
||||
"cookie",
|
||||
"session",
|
||||
"auth header",
|
||||
"raw webhook payload",
|
||||
"raw traffic payload",
|
||||
"raw agent prompt or transcript",
|
||||
"claim or submit execution request",
|
||||
"payout or withdraw execution request",
|
||||
"deploy command request",
|
||||
"compose restart request",
|
||||
"DB migration request",
|
||||
"repo push request",
|
||||
"refs sync request"
|
||||
],
|
||||
"response_received": false,
|
||||
"response_accepted": false
|
||||
},
|
||||
"independent_product_boundary": {
|
||||
"must_remain_independent": true,
|
||||
"forbidden_couplings": [
|
||||
"share_awoooi_database",
|
||||
"share_awoooi_session",
|
||||
"bind_agent_bounty_rbac_to_awoooi_rbac_without_owner_review",
|
||||
"depend_on_awoooi_runtime_for_agent_bounty_core_flow",
|
||||
"treat_awooop_approval_as_agent_bounty_security_approval",
|
||||
"direct_cross_database_join",
|
||||
"auto_bridge_awooop_work_item_to_agent_claim_submit",
|
||||
"auto_trigger_payout_or_withdrawal"
|
||||
],
|
||||
"allowed_future_integrations": [
|
||||
"versioned API",
|
||||
"Webhook event with redacted metadata",
|
||||
"outbox pattern",
|
||||
"import / export adapter",
|
||||
"SSO / OAuth with product RBAC preserved",
|
||||
"Anti-Corruption Layer",
|
||||
"read-only AwoooP evidence mirror"
|
||||
]
|
||||
},
|
||||
"data_classification_intake": [
|
||||
{
|
||||
"data_type": "task / bounty / solution metadata",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "metadata and field type only; no private task content, raw solution or unpublished code"
|
||||
},
|
||||
{
|
||||
"data_type": "agent identity / reputation / negotiation state",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "agent id category and state transition summary only; no raw prompt, transcript, private key or token"
|
||||
},
|
||||
{
|
||||
"data_type": "MCP tool calls / A2A protocol events",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "route, tool name and decision metadata only; no request body, credential, payload or generated secret"
|
||||
},
|
||||
{
|
||||
"data_type": "webhook / traffic / scout evidence",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "source type, timestamp and redacted status only; no webhook secret, auth header or raw payload body"
|
||||
},
|
||||
{
|
||||
"data_type": "settlement / staking / treasury / Stripe",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "capability and owner metadata only; no wallet private key, seed phrase, Stripe secret or payout instruction"
|
||||
},
|
||||
{
|
||||
"data_type": "admin / login / traffic dashboard",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "role boundary and audit event type only; no account password, session, cookie or private user data"
|
||||
},
|
||||
{
|
||||
"data_type": "cron / daemon / ecosystem hunter",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "schedule name, disabled/enabled intent and redacted endpoint refs only; no daemon start, claim, submit or external send"
|
||||
}
|
||||
],
|
||||
"deployment_boundary": {
|
||||
"public_host": "https://agent.wooo.work",
|
||||
"production_mode": "Docker Compose candidate with owner confirmation required",
|
||||
"compose_host_status": "README mentions 110; scripts and prior local deploy helpers mention 188; owner must confirm canonical host before any production claim",
|
||||
"compose_directory_status": "waiting_owner_confirmation; no SSH, rsync, compose restart or deploy script was executed in this AWOOOI stage",
|
||||
"internal_web_status": "docker-compose exposes web host port 3004 and agent host port 3001 in local evidence; do not publish internal URL in frontend",
|
||||
"database_boundary": "Compose PostgreSQL and Redis services; .env-like files exist but were not read; no DB URL value collection",
|
||||
"production_verification_in_this_awoooi_stage": false,
|
||||
"deployment_authorized": false
|
||||
},
|
||||
"external_agent_boundary": {
|
||||
"autonomy_authorized": false,
|
||||
"claim_submit_authorized": false,
|
||||
"payout_authorized": false,
|
||||
"allowed_now": [
|
||||
"display_read_only_scope",
|
||||
"display_redacted_route_inventory",
|
||||
"display_required_owner_response_fields",
|
||||
"display_forbidden_actions",
|
||||
"prepare_followup_review_candidate"
|
||||
],
|
||||
"blocked_until_owner_review": [
|
||||
"AUTO_CLAIM",
|
||||
"AUTO_SUBMIT",
|
||||
"RUN_DAEMON",
|
||||
"external MCP claim / submit",
|
||||
"Nostr listener daemon",
|
||||
"A2A dispatcher",
|
||||
"self-replicate cron",
|
||||
"treasury alert send",
|
||||
"Stripe webhook secret validation change",
|
||||
"payout / withdraw / staking action",
|
||||
"GitHub issue comment or token use",
|
||||
"Telegram / Discord notification send"
|
||||
]
|
||||
},
|
||||
"acceptance_rules": [
|
||||
"本 handoff 完成不代表 agent-bounty-protocol owner response 已收到或 accepted。",
|
||||
"agent-bounty-protocol 納入 IwoooS 只代表全產品資安視野可見,不代表掃描、部署、修復、claim、submit、payout、withdraw、cron 或 runtime execution。",
|
||||
"canonical repo、refs truth、workflow / secret name、GitHub target、compose host 與 production URL 仍需 owner response。",
|
||||
"正式 URL、Docker Compose、health endpoint、MCP metadata 或 A2A routes 可見,不等於本段已做 production verification。",
|
||||
"任何 .env、secret、DB URL、token、private key、seed phrase、cookie、session、auth header、webhook secret 都必須拒收或隔離。",
|
||||
"未來若要改 agent-bounty-protocol production、deploy、compose、DB migration、cron、daemon、domain、TLS、MCP tool behavior 或 A2A automation,必須另開 owner approval 與 rollback / post-check。"
|
||||
],
|
||||
"forbidden_actions": [
|
||||
"modify_agent_bounty_repo",
|
||||
"commit_agent_bounty_changes",
|
||||
"push_agent_bounty_refs",
|
||||
"sync_refs",
|
||||
"create_github_repo",
|
||||
"change_workflow",
|
||||
"collect_secret_value",
|
||||
"read_env_file",
|
||||
"deploy_production",
|
||||
"restart_compose",
|
||||
"run_db_migration",
|
||||
"run_active_scan",
|
||||
"run_credentialed_scan",
|
||||
"start_daemon",
|
||||
"enable_cron",
|
||||
"auto_claim",
|
||||
"auto_submit",
|
||||
"send_external_agent_message",
|
||||
"send_telegram_notification",
|
||||
"send_discord_notification",
|
||||
"post_github_comment",
|
||||
"execute_payout",
|
||||
"execute_withdrawal",
|
||||
"share_database",
|
||||
"share_session",
|
||||
"bind_rbac",
|
||||
"enable_runtime_gate",
|
||||
"add_awooop_action_button"
|
||||
]
|
||||
}
|
||||
@@ -13,6 +13,9 @@
|
||||
"docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-REQUEST-DRAFT.md",
|
||||
"docs/security/gitea-inventory-owner-attestation-request-draft.snapshot.json",
|
||||
"docs/security/kali-integration-status.snapshot.json",
|
||||
"docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json",
|
||||
"docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md",
|
||||
"docs/schemas/agent_bounty_iwooos_onboarding_handoff_v1.schema.json",
|
||||
"docs/workplans/2026-06-04-iwooos-security-governance-p0.md",
|
||||
"apps/web/src/app/[locale]/iwooos/page.tsx",
|
||||
"apps/web/src/app/[locale]/security-compliance/page.tsx",
|
||||
@@ -43,7 +46,7 @@
|
||||
"progress_integrity_ribbon_signal_count": 3,
|
||||
"progress_integrity_ribbon_headline_percent": 64,
|
||||
"progress_integrity_ribbon_headline_delta": 3,
|
||||
"progress_integrity_ribbon_read_only_scope_count": 8,
|
||||
"progress_integrity_ribbon_read_only_scope_count": 9,
|
||||
"progress_integrity_ribbon_pending_evidence_gate_count": 3,
|
||||
"progress_integrity_ribbon_runtime_gate_count": 0,
|
||||
"progress_integrity_ribbon_action_buttons_allowed": false,
|
||||
@@ -163,15 +166,15 @@
|
||||
"executive_snapshot_runtime_gate_count": 0,
|
||||
"executive_snapshot_owner_response_received_count": 0,
|
||||
"executive_snapshot_owner_response_accepted_count": 0,
|
||||
"all_product_coverage_snapshot_scope_count": 7,
|
||||
"all_product_coverage_snapshot_read_only_count": 7,
|
||||
"all_product_coverage_snapshot_scope_count": 8,
|
||||
"all_product_coverage_snapshot_read_only_count": 8,
|
||||
"all_product_coverage_snapshot_runtime_ready_count": 0,
|
||||
"all_product_coverage_snapshot_default_summary_mode": "compact_first",
|
||||
"all_product_coverage_snapshot_detail_ledger_collapsed": true,
|
||||
"global_security_mesh_matrix_first_layer": true,
|
||||
"global_security_mesh_matrix_default_visible": false,
|
||||
"global_security_mesh_matrix_asset_count": 8,
|
||||
"global_security_mesh_matrix_read_only_count": 8,
|
||||
"global_security_mesh_matrix_asset_count": 9,
|
||||
"global_security_mesh_matrix_read_only_count": 9,
|
||||
"global_security_mesh_matrix_runtime_gate_count": 0,
|
||||
"host_tool_evidence_chain_first_layer": true,
|
||||
"host_tool_evidence_chain_default_visible": false,
|
||||
@@ -182,6 +185,10 @@
|
||||
"vibework_security_onboarding_default_visible": false,
|
||||
"vibework_security_onboarding_item_count": 6,
|
||||
"vibework_security_onboarding_runtime_gate_count": 0,
|
||||
"agent_bounty_security_onboarding_first_layer": true,
|
||||
"agent_bounty_security_onboarding_default_visible": false,
|
||||
"agent_bounty_security_onboarding_item_count": 7,
|
||||
"agent_bounty_security_onboarding_runtime_gate_count": 0,
|
||||
"existing_frontend_surface_count": 10,
|
||||
"frontend_surface_reverse_bridge_status_count": 10,
|
||||
"frontend_surface_coverage_group_count": 4,
|
||||
@@ -253,7 +260,7 @@
|
||||
"decision_runway_default_visible": false,
|
||||
"decision_runway_step_count": 5,
|
||||
"decision_runway_default_step": "ownerEvidence",
|
||||
"decision_runway_dependency_count": 6,
|
||||
"decision_runway_dependency_count": 7,
|
||||
"decision_runway_boundary_signal_count": 4,
|
||||
"decision_runway_above_gate_radar": true,
|
||||
"decision_runway_interactive_step_allowed": true,
|
||||
@@ -275,7 +282,7 @@
|
||||
"signal_id": "coverageVisible",
|
||||
"display_order": 1,
|
||||
"display_mode": "first_screen_progress_integrity_ribbon",
|
||||
"value": "8 類",
|
||||
"value": "9 類",
|
||||
"percent": 92,
|
||||
"current_state": "read_only_scope_visible",
|
||||
"headline_percent": 64,
|
||||
@@ -1440,7 +1447,8 @@
|
||||
"docs/security/security-mirror-status-rollup.snapshot.json",
|
||||
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
|
||||
"docs/security/source-control-primary-readiness-gate.snapshot.json",
|
||||
"docs/security/kali-integration-status.snapshot.json"
|
||||
"docs/security/kali-integration-status.snapshot.json",
|
||||
"docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json"
|
||||
],
|
||||
"allowed_frontend_outputs": [
|
||||
"display_security_posture",
|
||||
@@ -1451,6 +1459,7 @@
|
||||
"display_global_security_mesh_matrix",
|
||||
"display_host_tool_evidence_chain",
|
||||
"display_vibework_security_onboarding",
|
||||
"display_agent_bounty_security_onboarding",
|
||||
"display_awooop_read_only_landing_readiness",
|
||||
"display_awooop_cross_session_handoff_packets",
|
||||
"display_progress_hold_movement_gates",
|
||||
@@ -8813,16 +8822,24 @@
|
||||
"not_authorization": true
|
||||
},
|
||||
{
|
||||
"dependency_id": "kali",
|
||||
"dependency_id": "agentBounty",
|
||||
"display_order": 4,
|
||||
"display_mode": "first_screen_decision_runway_dependency",
|
||||
"status": "product_scope_candidate_read_only",
|
||||
"runtime_delta": false,
|
||||
"not_authorization": true
|
||||
},
|
||||
{
|
||||
"dependency_id": "kali",
|
||||
"display_order": 5,
|
||||
"display_mode": "first_screen_decision_runway_dependency",
|
||||
"status": "read_only_host_node",
|
||||
"runtime_delta": false,
|
||||
"not_authorization": true
|
||||
},
|
||||
{
|
||||
"dependency_id": "devHosts",
|
||||
"display_order": 5,
|
||||
"display_order": 6,
|
||||
"display_mode": "first_screen_decision_runway_dependency",
|
||||
"status": "waiting_owner_window",
|
||||
"runtime_delta": false,
|
||||
@@ -8830,7 +8847,7 @@
|
||||
},
|
||||
{
|
||||
"dependency_id": "monitoring",
|
||||
"display_order": 6,
|
||||
"display_order": 7,
|
||||
"display_mode": "first_screen_decision_runway_dependency",
|
||||
"status": "evidence_lane_visible",
|
||||
"runtime_delta": false,
|
||||
|
||||
Reference in New Issue
Block a user