diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json
index 106ba2fe3..d2e12e960 100644
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -990,7 +990,35 @@
"issue": "Issue",
"count": "Count",
"error": "Load failed",
- "noData": "No security events"
+ "noData": "No security events",
+ "iwooosBridge": {
+ "title": "Included in the IwoooS read-only security mirror",
+ "subtitle": "This existing security / compliance page now shows its IwoooS scope in reverse; it only displays progress, framework maturity, and runtime boundaries without adding scan, repair, approval, or deploy buttons.",
+ "compactTitle": "IwoooS",
+ "compactDetail": "58% / gate 0",
+ "openIwooos": "Open IwoooS",
+ "sourceLabel": "Integration source",
+ "sourceDetail": "SecurityPanel, CompliancePanel, standalone /security, and /compliance keep their original data sources; IwoooS only indexes the security mesh and aggregates mirror-only posture.",
+ "boundaryLabel": "Execution boundary",
+ "metrics": {
+ "overall": {
+ "label": "Overall mesh",
+ "detail": "headline progress"
+ },
+ "framework": {
+ "label": "Framework maturity",
+ "detail": "docs / schema / read-only evidence"
+ },
+ "runtimeGates": {
+ "label": "Runtime gates",
+ "detail": "not active"
+ },
+ "actions": {
+ "label": "Action buttons",
+ "detail": "not provided"
+ }
+ }
+ }
},
"iwooos": {
"eyebrow": "Information Security Mesh",
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json
index e00a880de..9e33ac471 100644
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -991,7 +991,35 @@
"issue": "問題",
"count": "次數",
"error": "載入失敗",
- "noData": "無安全事件"
+ "noData": "無安全事件",
+ "iwooosBridge": {
+ "title": "已納入 IwoooS 只讀資安鏡像",
+ "subtitle": "這個既有安全 / 合規頁面現在會反向標示 IwoooS 納管狀態;只顯示整體進度、框架成熟度與 runtime 邊界,不新增掃描、修復、批准或部署按鈕。",
+ "compactTitle": "IwoooS",
+ "compactDetail": "58% / gate 0",
+ "openIwooos": "開啟 IwoooS",
+ "sourceLabel": "整合來源",
+ "sourceDetail": "SecurityPanel、CompliancePanel、standalone /security 與 /compliance 仍保留原本資料來源;IwoooS 只做資安網索引與 mirror-only 姿態彙整。",
+ "boundaryLabel": "執行邊界",
+ "metrics": {
+ "overall": {
+ "label": "整體資安網",
+ "detail": "headline progress"
+ },
+ "framework": {
+ "label": "框架成熟度",
+ "detail": "docs / schema / read-only evidence"
+ },
+ "runtimeGates": {
+ "label": "Runtime gates",
+ "detail": "未開啟"
+ },
+ "actions": {
+ "label": "執行按鈕",
+ "detail": "未提供"
+ }
+ }
+ }
},
"iwooos": {
"eyebrow": "Information Security Mesh",
diff --git a/apps/web/src/app/[locale]/compliance/page.tsx b/apps/web/src/app/[locale]/compliance/page.tsx
index 763b15771..1635749f1 100644
--- a/apps/web/src/app/[locale]/compliance/page.tsx
+++ b/apps/web/src/app/[locale]/compliance/page.tsx
@@ -9,6 +9,7 @@
import { useState, useEffect } from 'react'
import { useTranslations } from 'next-intl'
import { AppLayout } from '@/components/layout'
+import { IwoooSReadOnlyBridge } from '@/components/security/iwooos-read-only-bridge'
const API_BASE = process.env.NEXT_PUBLIC_API_URL ?? ''
@@ -56,6 +57,8 @@ export default function CompliancePage({ params }: { params: { locale: string }
{t('subtitle')}
+
+
{loading ? (
{t('loading')}
) : error ? (
diff --git a/apps/web/src/app/[locale]/security/page.tsx b/apps/web/src/app/[locale]/security/page.tsx
index 2dc998723..ad89040d0 100644
--- a/apps/web/src/app/[locale]/security/page.tsx
+++ b/apps/web/src/app/[locale]/security/page.tsx
@@ -9,6 +9,7 @@
import { useState, useEffect } from 'react'
import { useTranslations } from 'next-intl'
import { AppLayout } from '@/components/layout'
+import { IwoooSReadOnlyBridge } from '@/components/security/iwooos-read-only-bridge'
const API_BASE = process.env.NEXT_PUBLIC_API_URL ?? ''
@@ -72,6 +73,8 @@ export default function SecurityPage({ params }: { params: { locale: string } })
{t('subtitle')}
+
+
{loading ? (
{t('loading')}
) : error ? (
diff --git a/apps/web/src/components/panels/CompliancePanel.tsx b/apps/web/src/components/panels/CompliancePanel.tsx
index 7333fa778..10118540f 100644
--- a/apps/web/src/components/panels/CompliancePanel.tsx
+++ b/apps/web/src/components/panels/CompliancePanel.tsx
@@ -8,6 +8,7 @@
import { useState, useEffect } from 'react'
import { useTranslations } from 'next-intl'
+import { IwoooSReadOnlyBridge } from '@/components/security/iwooos-read-only-bridge'
const API_BASE = process.env.NEXT_PUBLIC_API_URL ?? ''
@@ -55,6 +56,8 @@ export function CompliancePanel() {
{t('subtitle')}
+
+
{loading ? (
{t('loading')}
) : error ? (
diff --git a/apps/web/src/components/panels/SecurityPanel.tsx b/apps/web/src/components/panels/SecurityPanel.tsx
index ee8469bde..ed58b0885 100644
--- a/apps/web/src/components/panels/SecurityPanel.tsx
+++ b/apps/web/src/components/panels/SecurityPanel.tsx
@@ -8,6 +8,7 @@
import { useState, useEffect } from 'react'
import { useTranslations } from 'next-intl'
+import { IwoooSReadOnlyBridge } from '@/components/security/iwooos-read-only-bridge'
const API_BASE = process.env.NEXT_PUBLIC_API_URL ?? ''
@@ -61,6 +62,8 @@ export function SecurityPanel() {
{t('subtitle')}
+
+
{loading ? (
{t('loading')}
) : error ? (
diff --git a/apps/web/src/components/security/iwooos-read-only-bridge.tsx b/apps/web/src/components/security/iwooos-read-only-bridge.tsx
new file mode 100644
index 000000000..e22235170
--- /dev/null
+++ b/apps/web/src/components/security/iwooos-read-only-bridge.tsx
@@ -0,0 +1,196 @@
+'use client'
+
+/**
+ * IwoooSReadOnlyBridge — 既有資安頁面到 IwoooS 的只讀橋接
+ * @created 2026-05-20 Codex Asia/Taipei
+ */
+
+import Link from 'next/link'
+import { ArrowRight, ShieldCheck } from 'lucide-react'
+import { useTranslations } from 'next-intl'
+
+const metrics = [
+ { key: 'overall', value: '58%' },
+ { key: 'framework', value: '80-85%' },
+ { key: 'runtimeGates', value: '0' },
+ { key: 'actions', value: '0' },
+] as const
+
+const boundaries = [
+ 'runtime_execution_authorized=false',
+ 'active_runtime_gate_count=0',
+ 'action_buttons_allowed=false',
+ 'not_authorization=true',
+] as const
+
+export function IwoooSReadOnlyBridge() {
+ const t = useTranslations('security.iwooosBridge')
+
+ return (
+ <>
+
+
+
+
+
+
+ {t('compactTitle')}
+
+
+
+ {t('compactDetail')}
+
+
+
+
+
+
+
+
+
+
+
+
+ {t('title')}
+
+
+ {t('subtitle')}
+
+
+
+
+ {t('openIwooos')}
+
+
+
+
+
+ {metrics.map(metric => (
+
+
+ {t(`metrics.${metric.key}.label`)}
+
+
+ {metric.value}
+
+
+ {t(`metrics.${metric.key}.detail`)}
+
+
+ ))}
+
+
+
+
+
+ {t('sourceLabel')}
+
+
+ {t('sourceDetail')}
+
+
+
+
+ {t('boundaryLabel')}
+
+
+ {boundaries.map(boundary => (
+
+ {boundary}
+
+ ))}
+
+
+
+
+ >
+ )
+}
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 16735ced3..5556bab1a 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,17 @@
+## 2026-05-20 | 資安供應鏈 S2.59:Existing Security Pages IwoooS Reverse Bridge
+
+**背景**:S2.10 已把前端既有資安相關頁面收進 IwoooS 只讀索引,S2.53-S2.58 也把 IwoooS 狀態放進 AwoooP;本輪補上反向橋接,讓使用者在原本的 SecurityPanel、CompliancePanel、`/security` 與 `/compliance` 也能看到這些頁面已被納入 IwoooS 資安網,但不把既有頁面升級成執行控制台。
+
+**完成**:
+- 新增共用 `IwoooSReadOnlyBridge`,顯示整體資安網 58%、框架成熟度 80-85%、runtime gates=0、action buttons=0。
+- `SecurityPanel`、`CompliancePanel`、standalone `/security` 與 `/compliance` 都加入只讀橋接,連到 `/iwooos`。
+- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_59_existing_security_pages_iwooos_reverse_bridge`,並新增 `show_existing_security_pages_iwooos_reverse_bridge` next safe action。
+- `security-mirror-progress-guard.py` 開始驗證共用橋接、四個既有頁面的引用、IwoooS link、四個 false 邊界與 i18n 鍵。
+
+**仍禁止**:
+- S2.59 的反向橋接不代表 owner response received / accepted、runtime authorization、active runtime gate、scan、repair、approve、deploy、GitHub primary、Gitea/GitHub refs mutation、Kali `/execute`、SSH 登入、主機更新或 blocking control。
+- 整體資安網 headline 仍是 58%;框架 / 治理 / 文件 / schema / read-only evidence 仍約 80-85%;真正落地執行 / runtime ingestion / GitHub primary / AwoooP production landing 仍約 35-40%。
+
## 2026-05-20 | 資安供應鏈 S2.58:AwoooP Runs IwoooS Run State Candidate
**背景**:S2.53-S2.57 已把 IwoooS 資安鏡像接到 AwoooP 首頁、工作鏈路、審批、合約與租戶管理;本輪補上 `/awooop/runs` 的只讀 Run 視角,讓使用者能在 Run 監控理解 security mirror 目前仍只是候選狀態,不是已建立 runtime run。
diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
index e80af894b..8b3937e8c 100644
--- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
+++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
@@ -40,6 +40,7 @@
| AwoooP contracts IwoooS security contract candidate | S2.56 已把四個 security mirror contract refs 放進 `/awooop/contracts` 只讀面板;total contracts=36、ready=33、partial=2、active runtime gates=0、contract_publish_authorized=false;仍不發布 contract revision、不改 lifecycle、不寫 platform contracts API、不新增 action button |
| AwoooP tenants IwoooS tenant scope candidate | S2.57 已把 AWOOOI first tenant、IwoooS security mirror、Kali 112 / Dev 168 / Dev 111 與 S4.9-S4.12 owner response waiting 放進 `/awooop/tenants` 只讀面板;host coverage=3、tenant policy changes=0、tenant_migration_mode_changed=false;仍不改 migration mode、不改 tenant policy、不寫 platform tenants API、不新增 action button |
| AwoooP runs IwoooS run state candidate | S2.58 已把 security mirror Run State 候選放進 `/awooop/runs` 只讀面板;security runs=0、active runtime gates=0、owner accepted=0、security_run_created=false、execution_router_linked=false;仍不建立 platform run、不接 execution router、不新增 action button |
+| Existing security pages IwoooS reverse bridge | S2.59 已把 `SecurityPanel`、`CompliancePanel`、standalone `/security` 與 `/compliance` 反向接上 IwoooS 只讀橋接;headline=58%、framework=80-85%、runtime gates=0、action buttons=0;仍不新增 scan、repair、approve、deploy 或 blocking control |
| Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion |
| Runtime actions | `false` |
| Payload ingestion | `false` |
@@ -146,6 +147,7 @@
| S2.56 AwoooP contracts IwoooS security contract candidate | framework detail | 0 | 只把四個 security mirror contract refs 放進 AwoooP 合約儀表板只讀視野;contract_publish_authorized=false、contract_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把面板當 contract publish、lifecycle mutation、runtime gate、execution router 或 action button |
| S2.57 AwoooP tenants IwoooS tenant scope candidate | framework detail | 0 | 只把 AWOOOI first tenant、IwoooS security mirror、host coverage=3 與 owner response waiting 放進 AwoooP 租戶管理只讀視野;tenant_migration_mode_changed=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把面板當 migration mode change、tenant policy mutation、runtime gate、execution router 或 action button |
| S2.58 AwoooP runs IwoooS run state candidate | framework detail | 0 | 只把 security mirror Run State、read-only dry-run-only、owner response waiting 與 active runtime gates 0 放進 AwoooP Run 監控只讀視野;security_run_created=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把面板當 platform run、execution router、runtime gate、execution queue 或 action button |
+| S2.59 existing security pages IwoooS reverse bridge | framework detail | 0 | 只把 SecurityPanel、CompliancePanel、standalone `/security` 與 `/compliance` 反向接上 IwoooS 只讀橋接;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把既有頁面的可見性當 owner response、runtime gate、掃描、修復、批准或部署 |
headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence:
diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
index 41bb32b0b..9a231832b 100644
--- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
@@ -5,7 +5,7 @@
| 日期 | 2026-05-17 |
| 狀態 | S0/S1 read-only evidence 建置中 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 |
-| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP Run 監控 IwoooS Run State 只讀候選 |
+| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP Run 監控 IwoooS Run State 只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 |
| 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
## 0. 本階段完成後整體進度
@@ -28,7 +28,7 @@ python3 scripts/security/security-mirror-progress-guard.py
### 0.2 Headline 58% 不代表停滯
-近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.58 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。
+近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.59 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。
S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner response accepted、redacted payload ingestion、active runtime gate、GitHub primary ready、AwoooP read-only landing。這五個 gate 目前仍全部是 0 / false,所以 headline 不應被灌水提高。
@@ -121,6 +121,7 @@ S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner respons
| S2.56 AwoooP contracts IwoooS security contract candidate | 已完成草案,將四個 security mirror contract refs 放進 AwoooP 合約儀表板只讀面板;contract_publish_authorized=false、runtime gate 仍為 0 | 0 |
| S2.57 AwoooP tenants IwoooS tenant scope candidate | 已完成草案,將 AWOOOI first tenant、IwoooS security mirror、host coverage=3 與 owner response waiting 放進 AwoooP 租戶管理只讀面板;tenant_migration_mode_changed=false、tenant policy changes 仍為 0 | 0 |
| S2.58 AwoooP runs IwoooS run state candidate | 已完成草案,將 security mirror Run State、read-only dry-run-only、owner response waiting 與 active runtime gates 0 放進 AwoooP Run 監控只讀面板;security_run_created=false、execution_router_linked=false | 0 |
+| S2.59 existing security pages IwoooS reverse bridge | 已完成草案,將 SecurityPanel、CompliancePanel、standalone `/security` 與 `/compliance` 反向顯示 IwoooS 只讀納管狀態;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false | 0 |
headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。
@@ -198,6 +199,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
| S2.56 AwoooP Contracts IwoooS Security Contract Candidate | 完成草案 | `/awooop/contracts` 新增 IwoooS 資安契約只讀候選,顯示四個 security mirror contract refs、36 total、33 ready、2 partial、active runtime gates=0,並連到 `/iwooos` | 使用者能在合約儀表板理解資安網背後的契約來源;面板仍不是 contract publish、lifecycle mutation、runtime gate、execution router、action button 或 headline 加分 |
| S2.57 AwoooP Tenants IwoooS Tenant Scope Candidate | 完成草案 | `/awooop/tenants` 新增 IwoooS 租戶資安範圍只讀候選,顯示 AWOOOI 第一租戶、IwoooS、host coverage=3、tenant policy changes=0,並連到 `/iwooos` | 使用者能在租戶管理理解資安網保護範圍;面板仍不是 migration mode change、tenant policy mutation、runtime gate、execution router、action button 或 headline 加分 |
| S2.58 AwoooP Runs IwoooS Run State Candidate | 完成草案 | `/awooop/runs` 新增 IwoooS Run State 只讀候選,顯示 run visibility=read-only、security runs=0、active runtime gates=0、owner accepted=0,並連到 `/iwooos` | 使用者能在 Run 監控理解資安網仍是只讀候選;面板仍不是 platform run created、execution router linked、runtime gate、execution queue、action button 或 headline 加分 |
+| S2.59 Existing Security Pages IwoooS Reverse Bridge | 完成草案 | `SecurityPanel`、`CompliancePanel`、standalone `/security` 與 `/compliance` 新增 IwoooS 只讀橋接,顯示 58%、80-85%、runtime gates=0、action buttons=0,並連到 `/iwooos` | 使用者回到原本安全 / 合規頁也能知道它們已納入 IwoooS;橋接仍不是 owner response、runtime authorization、scan、repair、approve、deploy 或 blocking control |
| S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate |
| S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item |
| S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 |
diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json
index 5d6d793b3..381e5422b 100644
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
@@ -1166,6 +1166,18 @@
"runtime_delta": false,
"execution_authorized": false,
"not_authorization": true
+ },
+ {
+ "delta_id": "s2_59_existing_security_pages_iwooos_reverse_bridge",
+ "display_order": 88,
+ "completed_stage": "S2.59 existing security pages IwoooS reverse bridge",
+ "progress_axis": "framework_detail",
+ "headline_percent_delta": 0,
+ "framework_delta_visible": true,
+ "why_headline_unchanged": "既有 SecurityPanel、CompliancePanel、/security 與 /compliance 只新增 IwoooS 只讀橋接;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false,沒有新增掃描、修復、批准或部署入口。",
+ "runtime_delta": false,
+ "execution_authorized": false,
+ "not_authorization": true
}
],
"next_safe_actions": [
@@ -1298,6 +1310,22 @@
"從 AwoooP runs 面板建立 runtime gate、GitHub/Gitea action、Kali action、secret action 或 refs action"
]
},
+ {
+ "action_id": "show_existing_security_pages_iwooos_reverse_bridge",
+ "title": "既有安全 / 合規頁面顯示 IwoooS 只讀橋接",
+ "mode": "observe",
+ "source_contract": "security_mirror_status_rollup_v1",
+ "allowed_processing": [
+ "在 SecurityPanel、CompliancePanel、/security 與 /compliance 顯示 IwoooS 只讀橋接",
+ "顯示 headline 58%、framework 80-85%、runtime gates=0、action buttons=0",
+ "連到 /iwooos 只讀入口,不新增 scan、execute、repair、approve、deploy、primary switch、refs action 或 runtime gate"
+ ],
+ "blocked_processing": [
+ "把既有安全 / 合規頁面的橋接面板當成 runtime authorization",
+ "從既有安全 / 合規頁面新增掃描、修復、批准、部署或 blocking control",
+ "把 /security、/compliance 或 SecurityPanel 的可見性當成 owner response received / accepted"
+ ]
+ },
{
"action_id": "mirror_low_friction_non_blocking_lanes",
"title": "AwoooP 顯示低摩擦非阻擋升級分流",
@@ -1669,7 +1697,8 @@
"S2.55 新增 AwoooP approvals IwoooS owner response gate candidate;AwoooP 審批佇列以只讀焦點顯示 S4.9-S4.12 owner response 收件順序、received=0、accepted=0、active runtime gates=0、headline=58%;approval_record_created=false、owner_response_accepted_count=0、runtime_execution_authorized=false、action_buttons_allowed=false,不把 approvals 面板當 owner response received/accepted、approval record、runtime gate、execution router 或 action button。",
"S2.56 新增 AwoooP contracts IwoooS security contract candidate;AwoooP 合約儀表板以只讀候選顯示 security_mirror_status_rollup_v1、iwooos_posture_projection_v1、source_control_owner_response_validation_rollup_v1、security_rollout_policy_v1、total contracts=36、ready=33、partial=2、active runtime gates=0;contract_publish_authorized=false、contract_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 contracts 面板當 contract publish、lifecycle mutation、runtime gate、execution router 或 action button。",
"S2.57 新增 AwoooP tenants IwoooS tenant scope candidate;AwoooP 租戶管理以只讀候選顯示 AWOOOI first tenant、IwoooS security mirror、Kali 112 / Dev 168 / Dev 111、S4.9-S4.12 owner response waiting、host coverage=3、tenant policy changes=0;tenant_migration_mode_changed=false、tenant_policy_mutation_authorized=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 tenants 面板當 tenant migration、policy mutation、runtime gate、execution router 或 action button。",
- "S2.58 新增 AwoooP runs IwoooS run state candidate;AwoooP Run 監控以只讀候選顯示 security_mirror_run_state_candidate、read_only_dry_run_only、S4.9-S4.12 owner response waiting、active runtime gates 0、security runs=0、owner accepted=0;security_run_created=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 runs 面板當 platform run、execution router、runtime gate、execution queue 或 action button。"
+ "S2.58 新增 AwoooP runs IwoooS run state candidate;AwoooP Run 監控以只讀候選顯示 security_mirror_run_state_candidate、read_only_dry_run_only、S4.9-S4.12 owner response waiting、active runtime gates 0、security runs=0、owner accepted=0;security_run_created=false、execution_router_linked=false、runtime_execution_authorized=false、action_buttons_allowed=false,不把 runs 面板當 platform run、execution router、runtime gate、execution queue 或 action button。",
+ "S2.59 新增既有安全 / 合規頁面 IwoooS reverse bridge;SecurityPanel、CompliancePanel、standalone /security 與 /compliance 反向顯示 IwoooS 只讀納管狀態、headline 58%、framework 80-85%、runtime gates=0、action buttons=0;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把既有頁面的可見性當 owner response、runtime gate、掃描、修復、批准或部署。"
],
"forbidden_actions": [
"start_kali_scan",
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index a34651b4a..8206730e0 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -73,6 +73,21 @@ def validate(root: Path) -> None:
awooop_contracts_page = (
root / "apps" / "web" / "src" / "app" / "[locale]" / "awooop" / "contracts" / "page.tsx"
).read_text(encoding="utf-8")
+ security_panel = (root / "apps" / "web" / "src" / "components" / "panels" / "SecurityPanel.tsx").read_text(
+ encoding="utf-8"
+ )
+ compliance_panel = (
+ root / "apps" / "web" / "src" / "components" / "panels" / "CompliancePanel.tsx"
+ ).read_text(encoding="utf-8")
+ standalone_security_page = (
+ root / "apps" / "web" / "src" / "app" / "[locale]" / "security" / "page.tsx"
+ ).read_text(encoding="utf-8")
+ standalone_compliance_page = (
+ root / "apps" / "web" / "src" / "app" / "[locale]" / "compliance" / "page.tsx"
+ ).read_text(encoding="utf-8")
+ iwooos_bridge = (
+ root / "apps" / "web" / "src" / "components" / "security" / "iwooos-read-only-bridge.tsx"
+ ).read_text(encoding="utf-8")
web_messages_zh = load_json(root / "apps" / "web" / "messages" / "zh-TW.json")
web_messages_en = load_json(root / "apps" / "web" / "messages" / "en.json")
@@ -235,6 +250,7 @@ def validate(root: Path) -> None:
"s2_56_awooop_contracts_iwooos_security_contract_candidate",
"s2_57_awooop_tenants_iwooos_tenant_scope_candidate",
"s2_58_awooop_runs_iwooos_run_state_candidate",
+ "s2_59_existing_security_pages_iwooos_reverse_bridge",
]
assert_equal(
"progress_delta_ledger.delta_ids",
@@ -294,6 +310,11 @@ def validate(root: Path) -> None:
[item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)],
"show_awooop_runs_iwooos_run_state_candidate",
)
+ assert_contains(
+ "rollup.next_safe_actions.action_ids",
+ [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)],
+ "show_existing_security_pages_iwooos_reverse_bridge",
+ )
assert_equal("rollout_policy.schema_version", rollout_policy["schema_version"], "security_rollout_policy_v1")
assert_equal("rollout_policy.default_mode", rollout_policy["default_mode"], "observe")
@@ -5042,6 +5063,57 @@ def validate(root: Path) -> None:
key,
)
+ assert_text_contains("iwooos_bridge.component", iwooos_bridge, "IwoooSReadOnlyBridge")
+ assert_text_contains("iwooos_bridge.testid", iwooos_bridge, 'data-testid="iwooos-read-only-bridge"')
+ assert_text_contains("iwooos_bridge.iwooos_link", iwooos_bridge, 'href="/iwooos"')
+ for text in [
+ "runtime_execution_authorized=false",
+ "active_runtime_gate_count=0",
+ "action_buttons_allowed=false",
+ "not_authorization=true",
+ ]:
+ assert_text_contains("iwooos_bridge.boundary", iwooos_bridge, text)
+ for source_text in [
+ security_panel,
+ compliance_panel,
+ standalone_security_page,
+ standalone_compliance_page,
+ ]:
+ assert_text_contains("existing_security_pages.iwooos_bridge_import", source_text, "IwoooSReadOnlyBridge")
+ assert_text_contains("existing_security_pages.iwooos_bridge_render", source_text, "")
+ for key in [
+ "title",
+ "subtitle",
+ "compactTitle",
+ "compactDetail",
+ "openIwooos",
+ "sourceLabel",
+ "sourceDetail",
+ "boundaryLabel",
+ "metrics",
+ ]:
+ assert_contains(
+ "web_messages.zh-TW.security.iwooosBridge",
+ list(web_messages_zh["security"]["iwooosBridge"].keys()),
+ key,
+ )
+ assert_contains(
+ "web_messages.en.security.iwooosBridge",
+ list(web_messages_en["security"]["iwooosBridge"].keys()),
+ key,
+ )
+ for key in ["overall", "framework", "runtimeGates", "actions"]:
+ assert_contains(
+ "web_messages.zh-TW.security.iwooosBridge.metrics",
+ list(web_messages_zh["security"]["iwooosBridge"]["metrics"].keys()),
+ key,
+ )
+ assert_contains(
+ "web_messages.en.security.iwooosBridge.metrics",
+ list(web_messages_en["security"]["iwooosBridge"]["metrics"].keys()),
+ key,
+ )
+
owner_summary = owner_rollup["summary"]
assert_equal("owner_rollup.total_received_response_count", owner_summary["total_received_response_count"], 0)
assert_equal("owner_rollup.total_accepted_response_count", owner_summary["total_accepted_response_count"], 0)