From a12de89233169b41099f0f58c458cbae87d65ded Mon Sep 17 00:00:00 2001 From: Your Name Date: Sun, 24 May 2026 13:53:08 +0800 Subject: [PATCH] feat(web): integrate security compliance entry --- apps/web/messages/en.json | 77 ++++++++- apps/web/messages/zh-TW.json | 71 ++++++++ apps/web/src/app/[locale]/iwooos/page.tsx | 149 +++++++++++++++++ .../app/[locale]/security-compliance/page.tsx | 156 ++++++++++++++++++ docs/LOGBOOK.md | 15 ++ .../security/SECURITY-MIRROR-STATUS-ROLLUP.md | 2 + .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 4 +- ...ecurity-mirror-status-rollup.snapshot.json | 28 ++++ .../security-mirror-progress-guard.py | 137 +++++++++++++++ 9 files changed, 635 insertions(+), 4 deletions(-) diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index a61d51791..6b01749bf 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -45,8 +45,8 @@ "monitoring": "Monitoring", "apm": "APM", "topology": "Topology", - "security": "Security", - "compliance": "Compliance", + "security": "安全", + "compliance": "合規", "autoRepair": "Auto Repair", "deployments": "Deployments", "tickets": "Tickets", @@ -65,7 +65,7 @@ "observability": "Observability", "automation": "Automation", "operations": "Operations", - "securityCompliance": "Security & Compliance", + "securityCompliance": "安全合規", "classicAICenter": "Classic AI Center", "governance": "AI Governance", "awooop": "AwoooP", @@ -979,6 +979,34 @@ "docs": "Documentation", "docsDescription": "Visit AWOOOI Docs for full documentation" }, + "securityCompliance": { + "frontStage": { + "eyebrow": "前台資安入口", + "title": "安全合規保留,並整合到 IwoooS", + "subtitle": "專業建議是不移除。這個頁面保留既有安全監控與合規統計,作為前台使用者熟悉的入口;IwoooS 則成為資安網的總覽與唯一姿態來源,避免安全合規與 IwoooS 變成兩套敘事。", + "openIwooos": "查看 IwoooS 總覽", + "boundaryTitle": "低摩擦整合邊界", + "boundaryIntro": "這裡只做前台整合與導流,不新增掃描、修復、批准、部署或 blocking control。", + "items": { + "routePreserved": { + "label": "路由策略", + "detail": "既有書籤、導覽與頁籤維持可用。" + }, + "iwooosBridge": { + "label": "資安總覽", + "detail": "IwoooS 承接總覽與跨頁姿態。" + }, + "dedupeNarrative": { + "label": "敘事收斂", + "detail": "安全合規不再另開一套資安來源。" + }, + "noRuntimeControl": { + "label": "執行控制", + "detail": "不新增掃描、修復、批准或部署按鈕。" + } + } + } + }, "security": { "title": "Security", "subtitle": "Errors & security event monitoring", @@ -4568,6 +4596,49 @@ } } }, + "securityComplianceFrontStage": { + "title": "前台安全合規整合判定", + "subtitle": "S2.107 的專業判定是保留 `/security-compliance`,並把它改成 IwoooS 的前台友善入口。使用者仍可從熟悉的安全合規頁看到安全監控與合規統計,但資安網總覽、進度與執行邊界統一由 IwoooS 說明。", + "decisionLabel": "判定", + "boundaryTitle": "前台入口邊界", + "boundaryIntro": "以下鍵值固定:這是導覽與資訊架構整合,不是 runtime 授權、審批、掃描、修復、部署或 GitHub primary 切換。", + "summary": { + "route": { + "label": "前台路由", + "detail": "保留既有安全合規入口,避免連結失效。" + }, + "decision": { + "label": "專業建議", + "detail": "整合到 IwoooS,不移除。" + }, + "removed": { + "label": "是否移除", + "detail": "不移除,改成橋接入口。" + }, + "runtime": { + "label": "Runtime 控制", + "detail": "維持 0,不新增執行控制。" + } + }, + "items": { + "routePreserved": { + "title": "保留安全合規頁", + "body": "`/security-compliance` 保留 SecurityPanel 與 CompliancePanel 頁籤,讓前台使用者不用改變既有入口。" + }, + "frontStageBridge": { + "title": "橋接到 IwoooS", + "body": "安全合規頁增加 IwoooS 前台說明與只讀導流,IwoooS 作為資安網總覽與姿態來源。" + }, + "singleSecurityNarrative": { + "title": "收斂資安敘事", + "body": "原本分散在安全、合規、治理、授權、告警與 Code Review 的內容,統一由 IwoooS 顯示整體邊界。" + }, + "runtimeControls": { + "title": "不新增執行控制", + "body": "本階段只有可視化與資訊架構整理,不新增掃描、修復、批准、部署或 blocking control。" + } + } + }, "s49OwnerResponseWorkOrder": { "title": "S4.9 Owner Response 人工收件工作單", "subtitle": "S2.101 把第一個真正能推動 58% 的 S4.9 回覆收件格式放到 IwoooS:每項都要包含 owner role/team、decision、decision reason、受影響 scope、脫敏 evidence refs 與 follow-up owner。這裡只是人工收件工作單,不送出 request、不收件、不標記 received / accepted。", diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index 547a7250f..3a1bde73b 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -980,6 +980,34 @@ "docs": "文件", "docsDescription": "查閱完整說明文件請造訪 AWOOOI Docs" }, + "securityCompliance": { + "frontStage": { + "eyebrow": "前台資安入口", + "title": "安全合規保留,並整合到 IwoooS", + "subtitle": "專業建議是不移除。這個頁面保留既有安全監控與合規統計,作為前台使用者熟悉的入口;IwoooS 則成為資安網的總覽與唯一姿態來源,避免安全合規與 IwoooS 變成兩套敘事。", + "openIwooos": "查看 IwoooS 總覽", + "boundaryTitle": "低摩擦整合邊界", + "boundaryIntro": "這裡只做前台整合與導流,不新增掃描、修復、批准、部署或 blocking control。", + "items": { + "routePreserved": { + "label": "路由策略", + "detail": "既有書籤、導覽與頁籤維持可用。" + }, + "iwooosBridge": { + "label": "資安總覽", + "detail": "IwoooS 承接總覽與跨頁姿態。" + }, + "dedupeNarrative": { + "label": "敘事收斂", + "detail": "安全合規不再另開一套資安來源。" + }, + "noRuntimeControl": { + "label": "執行控制", + "detail": "不新增掃描、修復、批准或部署按鈕。" + } + } + } + }, "security": { "title": "安全", "subtitle": "錯誤與安全事件監控", @@ -4569,6 +4597,49 @@ } } }, + "securityComplianceFrontStage": { + "title": "前台安全合規整合判定", + "subtitle": "S2.107 的專業判定是保留 `/security-compliance`,並把它改成 IwoooS 的前台友善入口。使用者仍可從熟悉的安全合規頁看到安全監控與合規統計,但資安網總覽、進度與執行邊界統一由 IwoooS 說明。", + "decisionLabel": "判定", + "boundaryTitle": "前台入口邊界", + "boundaryIntro": "以下鍵值固定:這是導覽與資訊架構整合,不是 runtime 授權、審批、掃描、修復、部署或 GitHub primary 切換。", + "summary": { + "route": { + "label": "前台路由", + "detail": "保留既有安全合規入口,避免連結失效。" + }, + "decision": { + "label": "專業建議", + "detail": "整合到 IwoooS,不移除。" + }, + "removed": { + "label": "是否移除", + "detail": "不移除,改成橋接入口。" + }, + "runtime": { + "label": "Runtime 控制", + "detail": "維持 0,不新增執行控制。" + } + }, + "items": { + "routePreserved": { + "title": "保留安全合規頁", + "body": "`/security-compliance` 保留 SecurityPanel 與 CompliancePanel 頁籤,讓前台使用者不用改變既有入口。" + }, + "frontStageBridge": { + "title": "橋接到 IwoooS", + "body": "安全合規頁增加 IwoooS 前台說明與只讀導流,IwoooS 作為資安網總覽與姿態來源。" + }, + "singleSecurityNarrative": { + "title": "收斂資安敘事", + "body": "原本分散在安全、合規、治理、授權、告警與 Code Review 的內容,統一由 IwoooS 顯示整體邊界。" + }, + "runtimeControls": { + "title": "不新增執行控制", + "body": "本階段只有可視化與資訊架構整理,不新增掃描、修復、批准、部署或 blocking control。" + } + } + }, "s49OwnerResponseWorkOrder": { "title": "S4.9 Owner Response 人工收件工作單", "subtitle": "S2.101 把第一個真正能推動 58% 的 S4.9 回覆收件格式放到 IwoooS:每項都要包含 owner role/team、decision、decision reason、受影響 scope、脫敏 evidence refs 與 follow-up owner。這裡只是人工收件工作單,不送出 request、不收件、不標記 received / accepted。", diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx index 8ebf56ff3..774aa326e 100644 --- a/apps/web/src/app/[locale]/iwooos/page.tsx +++ b/apps/web/src/app/[locale]/iwooos/page.tsx @@ -143,6 +143,13 @@ type S49OwnerResponseDispatchFlowStep = { tone: 'steady' | 'warn' | 'locked' } +type SecurityComplianceFrontStageDecision = { + key: string + value: string + icon: typeof ShieldCheck + tone: 'steady' | 'warn' | 'locked' +} + type Pillar = { key: string icon: typeof ShieldCheck @@ -888,6 +895,32 @@ const s49OwnerResponseDispatchFlowBoundaries = [ 'gitea_disablement_authorized=false', ] +const securityComplianceFrontStageDecisions: SecurityComplianceFrontStageDecision[] = [ + { key: 'routePreserved', value: '保留', icon: ShieldCheck, tone: 'steady' }, + { key: 'frontStageBridge', value: '整合', icon: GitBranch, tone: 'warn' }, + { key: 'singleSecurityNarrative', value: '收斂', icon: SearchCheck, tone: 'steady' }, + { key: 'runtimeControls', value: '0', icon: Lock, tone: 'locked' }, +] + +const securityComplianceFrontStageBoundaries = [ + 'security_compliance_route_preserved=true', + 'security_compliance_removed=false', + 'security_compliance_integration_mode=iwooos_frontstage_bridge', + 'iwooos_authoritative_security_entry=true', + 'security_compliance_tabs_preserved=true', + 'security_compliance_runtime_execution_authorized=false', + 'runtime_execution_authorized=false', + 'active_runtime_gate_count=0', + 'action_buttons_allowed=false', + 'not_authorization=true', + 'secret_value_collection_allowed=false', + 'repo_creation_authorized=false', + 'refs_sync_authorized=false', + 'workflow_modification_authorized=false', + 'github_primary_switch_authorized=false', + 'gitea_disablement_authorized=false', +] + const posturePillars: Pillar[] = [ { key: 'exposure', icon: Radar, tone: 'warn' }, { key: 'sourceControl', icon: GitBranch, tone: 'warn' }, @@ -3116,6 +3149,120 @@ function S49OwnerResponseDispatchFlowBoard() { ) } +function SecurityComplianceFrontStageBoard() { + const t = useTranslations('iwooos.securityComplianceFrontStage') + const summaryItems = [ + { key: 'route', value: '/security-compliance', tone: 'steady' as const }, + { key: 'decision', value: '整合', tone: 'warn' as const }, + { key: 'removed', value: '否', tone: 'steady' as const }, + { key: 'runtime', value: '0', tone: 'locked' as const }, + ] + const textWrap = { overflowWrap: 'anywhere' as const, wordBreak: 'break-word' as const } + + return ( +
+
+
+
+
+

{t('title')}

+

+ {t('subtitle')} +

+
+
+ {summaryItems.map(item => ( +
+
+ {t(`summary.${item.key}.label` as never)} + +
+
+ {item.value} +
+

+ {t(`summary.${item.key}.detail` as never)} +

+
+ ))} +
+
+ {securityComplianceFrontStageDecisions.map(item => { + const Icon = item.icon + return ( +
+
+ {t('decisionLabel')} + +
+
+ {item.value} +
+

+ {t(`items.${item.key}.title` as never)} +

+

+ {t(`items.${item.key}.body` as never)} +

+
+ ) + })} +
+
+
+
+ +

{t('boundaryTitle')}

+
+

+ {t('boundaryIntro')} +

+
+ {securityComplianceFrontStageBoundaries.map(item => ( + + {item} + + ))} +
+
+
+
+
+ ) +} + function PillarCard({ item }: { item: Pillar }) { const t = useTranslations('iwooos.pillars') const Icon = item.icon @@ -6854,6 +7001,8 @@ export default function IwoooSPage({ params }: { params: { locale: string } }) { + + diff --git a/apps/web/src/app/[locale]/security-compliance/page.tsx b/apps/web/src/app/[locale]/security-compliance/page.tsx index fcc088567..a885aeaf1 100644 --- a/apps/web/src/app/[locale]/security-compliance/page.tsx +++ b/apps/web/src/app/[locale]/security-compliance/page.tsx @@ -7,11 +7,166 @@ */ import { useTranslations } from 'next-intl' +import Link from 'next/link' +import { ArrowRight, CheckCircle2, GitBranch, Lock, ShieldCheck } from 'lucide-react' import { AppLayout } from '@/components/layout' import { PageTabs, type TabConfig } from '@/components/layout/page-tabs' import { SecurityPanel } from '@/components/panels/SecurityPanel' import { CompliancePanel } from '@/components/panels/CompliancePanel' +const integrationItems = [ + { key: 'routePreserved', value: '保留', icon: ShieldCheck, color: '#1f7a4d' }, + { key: 'iwooosBridge', value: '整合', icon: GitBranch, color: '#d97757' }, + { key: 'dedupeNarrative', value: '收斂', icon: CheckCircle2, color: '#1f7a4d' }, + { key: 'noRuntimeControl', value: '0', icon: Lock, color: '#6f6d66' }, +] as const + +const integrationBoundaries = [ + 'security_compliance_route_preserved=true', + 'security_compliance_removed=false', + 'security_compliance_integration_mode=iwooos_frontstage_bridge', + 'iwooos_authoritative_security_entry=true', + 'runtime_execution_authorized=false', + 'active_runtime_gate_count=0', + 'action_buttons_allowed=false', + 'not_authorization=true', +] as const + +function SecurityComplianceFrontStage() { + const t = useTranslations('securityCompliance.frontStage') + const textWrap = { overflowWrap: 'anywhere' as const, wordBreak: 'break-word' as const } + + return ( +
+
+
+
+ + {t('eyebrow')} +
+

{t('title')}

+

+ {t('subtitle')} +

+
+ {integrationItems.map(item => { + const Icon = item.icon + return ( +
+
+ {t(`items.${item.key}.label` as never)} + +
+
{item.value}
+

+ {t(`items.${item.key}.detail` as never)} +

+
+ ) + })} +
+
+ +
+
+ +

{t('boundaryTitle')}

+
+

+ {t('boundaryIntro')} +

+
+ {integrationBoundaries.map(boundary => ( + + {boundary} + + ))} +
+ + {t('openIwooos')} + + +
+
+
+ ) +} + export default function SecurityCompliancePage({ params }: { params: { locale: string } }) { const t = useTranslations('nav') @@ -22,6 +177,7 @@ export default function SecurityCompliancePage({ params }: { params: { locale: s return ( + ) diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 3827ca0ad..e1413edf3 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,18 @@ +## 2026-05-24 | 資安供應鏈 S2.107:前台安全合規 IwoooS 整合入口 + +**背景**:使用者詢問前台頁面的「安全合規」應整合或移除;本階段做專業判定與前台呈現。 + +**完成**: +- 專業建議採「保留並整合」:不移除 `/security-compliance`,避免既有導覽、書籤與使用者熟悉入口失效。 +- `/security-compliance` 新增前台友善整合說明,保留既有 SecurityPanel / CompliancePanel 頁籤,並導向 IwoooS 作為資安網總覽與唯一姿態來源。 +- `/iwooos` 新增「前台安全合規整合判定」看板,顯示 route preserved、removed=false、integration mode、runtime gate 0 與 action button 0。 +- `security_mirror_status_rollup_v1` 新增 `s2_107_security_compliance_iwooos_frontstage_bridge` 與 `show_iwooos_security_compliance_frontstage_bridge`。 +- `security-mirror-progress-guard.py` 已納入前台安全合規橋接頁、IwoooS 看板、i18n 鍵與 false 邊界檢查。 + +**仍禁止**: +- S2.107 只做前台資訊架構整合與只讀導流,不代表 runtime 授權、人工審批、掃描、修復、部署、blocking control、專案庫建立、refs sync、workflow / secret 修改、GitHub primary 切換、Gitea 停用、Kali / SSH / 主機更新。 +- 整體資安網百分比仍是 58%;這是 framework detail 可見進展,不是 runtime landing。 + ## 2026-05-24 | 資安供應鏈 S2.106:IwoooS S4.9 負責人回覆送件鏈路摘要 **背景**:使用者要求前端需要更專業的呈現;S2.105 已補上送件請求草稿,但 S4.9 的工作單、封套、預檢、分流與草稿仍分散在多張看板中。本輪把它們整理成一條可掃描的專業摘要帶,讓使用者與 AwoooP 平行 Session 能一眼看懂目前停在 request draft,而不是卡住或已送出。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 50a4d5655..a34cabd9d 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -50,6 +50,7 @@ | IwoooS S4.9 送件前結果分流 | S2.104 已在 `/iwooos` 顯示 S4.9 負責人回覆封套送件前結果分流;分流=7、可進收件=0、已隔離=0、已拒收=0、已提交=0、已接受=0;`s4_9_owner_response_envelope_preflight_outcome_lane_count=7`、`s4_9_owner_response_envelope_preflight_ready_for_intake_count=0`、`s4_9_owner_response_envelope_preflight_quarantined_count=0`、`s4_9_owner_response_envelope_preflight_rejected_count=0`、`s4_9_owner_response_envelope_submitted_count=0`、`s4_9_owner_response_envelope_accepted_count=0`、`s4_9_owner_response_request_sent=false`、`owner_response_acceptance_gate_open=false`、`audit_events_emitted=0`、`progress_review_authorized=false`、`runtime_execution_authorized=false`、`active_runtime_gate_count=0`、`action_buttons_allowed=false`、`not_authorization=true`,仍不代表 request sent、owner response submitted / received / accepted、audit event emitted、人工批准、GitHub 主要來源切換、Gitea 停用、Kali / SSH / 主機更新或執行期授權 | | IwoooS S4.9 送件請求草稿 | S2.105 已在 `/iwooos` 顯示 S4.9 負責人回覆送件請求草稿;草稿項=6、可送件=0、已送出=0、稽核事件=0;`s4_9_owner_response_request_draft_item_count=6`、`s4_9_owner_response_request_draft_ready_count=0`、`s4_9_owner_response_request_dispatch_authorized=false`、`s4_9_owner_response_request_sent=false`、`s4_9_owner_response_request_sent_count=0`、`s4_9_owner_response_request_audit_events_emitted=0`、`runtime_execution_authorized=false`、`active_runtime_gate_count=0`、`action_buttons_allowed=false`、`not_authorization=true`,仍不代表 request sent、owner response received / accepted、audit event emitted、人工批准、GitHub 主要來源切換、Gitea 停用、Kali / SSH / 主機更新或執行期授權 | | IwoooS S4.9 送件鏈路摘要 | S2.106 已在 `/iwooos` 顯示 S4.9 負責人回覆送件鏈路摘要;鏈路步驟=6、目前焦點=request draft、已送出=0、已接受=0;`s4_9_owner_response_dispatch_flow_step_count=6`、`s4_9_owner_response_dispatch_flow_current_step=request_draft`、`s4_9_owner_response_dispatch_flow_completed_count=0`、`s4_9_owner_response_request_sent=false`、`s4_9_owner_response_request_dispatch_authorized=false`、`runtime_execution_authorized=false`、`active_runtime_gate_count=0`、`action_buttons_allowed=false`、`not_authorization=true`,仍不代表 request sent、owner response received / accepted、audit event emitted、人工批准、GitHub 主要來源切換、Gitea 停用、Kali / SSH / 主機更新或執行期授權 | +| 前台安全合規 IwoooS 整合入口 | S2.107 已保留 `/security-compliance` 並把它整合成 IwoooS 前台友善入口;`security_compliance_route_preserved=true`、`security_compliance_removed=false`、`security_compliance_integration_mode=iwooos_frontstage_bridge`、`iwooos_authoritative_security_entry=true`、`runtime_execution_authorized=false`、`active_runtime_gate_count=0`、`action_buttons_allowed=false`、`not_authorization=true`,仍不代表 runtime 授權、審批、掃描、修復、部署、GitHub 主要來源切換、Gitea 停用、Kali / SSH / 主機更新或執行期授權 | | AwoooP approvals IwoooS owner response focus | S2.55 已把 S4.9-S4.12 owner response 下一個人工收件焦點放進 `/awooop/approvals` 只讀面板;received=0、accepted=0、active runtime gates=0、headline=58%、approval_record_created=false;仍不新增 approve、execute、deploy、primary switch、refs action 或 runtime gate | | AwoooP contracts IwoooS security contract candidate | S2.56 已把四個 security mirror contract refs 放進 `/awooop/contracts` 只讀面板;total contracts=36、ready=33、partial=2、active runtime gates=0、contract_publish_authorized=false;仍不發布 contract revision、不改 lifecycle、不寫 platform contracts API、不新增 action button | | AwoooP tenants IwoooS tenant scope candidate | S2.57 已把 AWOOOI first tenant、IwoooS security mirror、Kali 112 / Dev 168 / Dev 111 與 S4.9-S4.12 owner response waiting 放進 `/awooop/tenants` 只讀面板;host coverage=3、tenant policy changes=0、tenant_migration_mode_changed=false;仍不改 migration mode、不改 tenant policy、不寫 platform tenants API、不新增 action button | @@ -241,6 +242,7 @@ | S2.104 IwoooS S4.9 負責人回覆封套送件前結果分流 | framework detail | 0 | 只在 `/iwooos` 顯示 S4.9 負責人回覆封套送件前結果分流,呈現維持封套等待、要求補齊欄位、要求修正判定、隔離敏感證據、要求修正範圍、拒收變更要求、維持後續負責人等待七條分流;s4_9_owner_response_envelope_preflight_outcome_lane_count=7、s4_9_owner_response_envelope_preflight_ready_for_intake_count=0、s4_9_owner_response_envelope_preflight_quarantined_count=0、s4_9_owner_response_envelope_preflight_rejected_count=0、s4_9_owner_response_envelope_submitted_count=0、s4_9_owner_response_envelope_accepted_count=0、s4_9_owner_response_request_sent=false、s4_9_owner_response_received_count=0、s4_9_owner_response_accepted_count=0、owner_response_acceptance_gate_open=false、audit_events_emitted=0、progress_review_authorized=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把送件前結果分流當 request sent、owner response submitted / received / accepted、audit event emitted、人工批准、審批紀錄、專案庫建立、分支 / 標籤參照同步、工作流程 / 機密設定修改、主要來源切換、Gitea 停用、Kali / SSH / 主機更新或執行期授權 | | S2.105 IwoooS S4.9 負責人回覆送件請求草稿 | framework detail | 0 | 只在 `/iwooos` 顯示 S4.9 負責人回覆送件請求草稿,呈現收件範圍對應草稿、負責人收件對象草稿、脫敏證據參照草稿、禁止變更條款草稿、稽核事件範本草稿與人工送件閘門草稿六個草稿項;s4_9_owner_response_request_draft_item_count=6、s4_9_owner_response_request_draft_ready_count=0、s4_9_owner_response_request_dispatch_authorized=false、s4_9_owner_response_request_sent=false、s4_9_owner_response_request_sent_count=0、s4_9_owner_response_request_recipients_confirmed_count=0、s4_9_owner_response_request_audit_events_emitted=0、s4_9_owner_response_received_count=0、s4_9_owner_response_accepted_count=0、owner_response_acceptance_gate_open=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把送件請求草稿當 request sent、owner response received / accepted、audit event emitted、人工批准、審批紀錄、專案庫建立、分支 / 標籤參照同步、工作流程 / 機密設定修改、主要來源切換、Gitea 停用、Kali / SSH / 主機更新或執行期授權 | | S2.106 IwoooS S4.9 負責人回覆送件鏈路摘要 | framework detail | 0 | 只在 `/iwooos` 顯示 S4.9 負責人回覆送件鏈路摘要,將人工收件工作單、回覆封套欄位、送件前檢查、結果分流、送件請求草稿與人工送件閘門整理成六段專業只讀流程;s4_9_owner_response_dispatch_flow_step_count=6、s4_9_owner_response_dispatch_flow_current_step=request_draft、s4_9_owner_response_dispatch_flow_completed_count=0、s4_9_owner_response_dispatch_flow_blocked_count=0、s4_9_owner_response_request_sent=false、s4_9_owner_response_request_dispatch_authorized=false、s4_9_owner_response_received_count=0、s4_9_owner_response_accepted_count=0、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把送件鏈路摘要當 request sent、owner response received / accepted、audit event emitted、人工批准、審批紀錄、專案庫建立、分支 / 標籤參照同步、工作流程 / 機密設定修改、主要來源切換、Gitea 停用、Kali / SSH / 主機更新或執行期授權 | +| S2.107 前台安全合規 IwoooS 整合入口 | framework detail | 0 | 只保留 `/security-compliance` 並把它整合成 IwoooS 前台友善入口,讓前台使用者仍從安全合規看到既有安全監控與合規統計,IwoooS 則成為資安網總覽與唯一姿態來源;security_compliance_route_preserved=true、security_compliance_removed=false、security_compliance_integration_mode=iwooos_frontstage_bridge、iwooos_authoritative_security_entry=true、security_compliance_runtime_execution_authorized=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把前台入口整合當 runtime 授權、審批、掃描、修復、部署、blocking control、專案庫建立、分支 / 標籤參照同步、工作流程 / 機密設定修改、主要來源切換、Gitea 停用、Kali / SSH / 主機更新或執行期授權 | headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence: diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 07dcd096a..2f01f36f3 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -28,7 +28,7 @@ python3 scripts/security/security-mirror-progress-guard.py ### 0.2 Headline 58% 不代表停滯 -近期 S4.10 請求包、範本狀態台帳、稽核事件範本、脫敏範例、收件檢查、收件預檢,S4.11 請求包 / 範本狀態台帳 / 稽核事件範本 / 脫敏範例 / 收件檢查 / 收件預檢,S4.12 請求包 / 範本狀態台帳 / 稽核事件範本 / 脫敏範例 / 收件檢查 / 收件預檢,S4.13 證據路由規則 / 顯示區塊 / 狀態轉移規則 / 審查清單 / 審查結果分流 / 審查稽核事件範本 / 審查稽核顯示區塊 / 審查稽核收件檢查 / 審查稽核脫敏範例 / 審查稽核保留規則 / 審查稽核保留檢查 / 審查稽核交接包 / 交接檢查 / 平行 Session 同步檢查 / 衝突分流 / 復原檢查 / 復原結果分流,S1.3 低摩擦非阻擋升級分流、S2.8 IwoooS 前端態勢入口,以及 S2.9-S2.106 IwoooS / AwoooP 資安投影契約都是有效進展,但它們是框架細節,不是負責人回覆、執行期閘門、生產匯入或 GitHub 主要來源就緒。因此整體百分比仍維持 58%,避免把只讀框架誤算成已落地執行。 +近期 S4.10 請求包、範本狀態台帳、稽核事件範本、脫敏範例、收件檢查、收件預檢,S4.11 請求包 / 範本狀態台帳 / 稽核事件範本 / 脫敏範例 / 收件檢查 / 收件預檢,S4.12 請求包 / 範本狀態台帳 / 稽核事件範本 / 脫敏範例 / 收件檢查 / 收件預檢,S4.13 證據路由規則 / 顯示區塊 / 狀態轉移規則 / 審查清單 / 審查結果分流 / 審查稽核事件範本 / 審查稽核顯示區塊 / 審查稽核收件檢查 / 審查稽核脫敏範例 / 審查稽核保留規則 / 審查稽核保留檢查 / 審查稽核交接包 / 交接檢查 / 平行 Session 同步檢查 / 衝突分流 / 復原檢查 / 復原結果分流,S1.3 低摩擦非阻擋升級分流、S2.8 IwoooS 前端態勢入口,以及 S2.9-S2.107 IwoooS / AwoooP 資安投影契約都是有效進展,但它們是框架細節,不是負責人回覆、執行期閘門、生產匯入或 GitHub 主要來源就緒。因此整體百分比仍維持 58%,避免把只讀框架誤算成已落地執行。 S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner response accepted、redacted payload ingestion、active runtime gate、GitHub primary ready、AwoooP read-only landing。這五個 gate 目前仍全部是 0 / false,所以 headline 不應被灌水提高。 @@ -169,6 +169,7 @@ S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner respons | S2.104 IwoooS S4.9 負責人回覆封套送件前結果分流 | 已完成草案,在 `/iwooos` 顯示七條送件前結果分流、可進收件=0、已隔離=0、已拒收=0、已提交=0、已接受=0;仍不把結果分流當成 request sent、owner response submitted / received / accepted、audit event emitted、人工批准、主要來源切換或執行期閘門 | 0 | | S2.105 IwoooS S4.9 負責人回覆送件請求草稿 | 已完成草案,在 `/iwooos` 顯示六個送件請求草稿項、可送件=0、已送出=0、稽核事件=0;仍不把送件請求草稿當成 request sent、owner response received / accepted、audit event emitted、人工批准、主要來源切換或執行期閘門 | 0 | | S2.106 IwoooS S4.9 負責人回覆送件鏈路摘要 | 已完成草案,在 `/iwooos` 以專業摘要帶顯示工作單、封套、送件前檢查、結果分流、請求草稿、人工送件閘門六段鏈路,目前焦點=request draft、已送出=0、已接受=0;仍不把送件鏈路摘要當成 request sent、owner response received / accepted、audit event emitted、人工批准、主要來源切換或執行期閘門 | 0 | +| S2.107 前台安全合規 IwoooS 整合入口 | 已完成草案,保留 `/security-compliance` 並新增前台整合說明;`/iwooos` 同步顯示「前台安全合規整合判定」,確認安全合規整合、不移除、runtime gate 0、action button 0;仍不把前台入口整合當成 runtime 授權、審批、掃描、修復、部署、主要來源切換或執行期閘門 | 0 | headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。 @@ -294,6 +295,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S2.104 IwoooS S4.9 負責人回覆封套送件前結果分流 | 完成草案 | `/iwooos` 新增 S4.9 負責人回覆封套送件前結果分流看板,列出維持封套等待、要求補齊欄位、要求修正判定、隔離敏感證據、要求修正範圍、拒收變更要求、維持後續負責人等待七條分流 | 使用者與另一個 AwoooP Session 能直接知道送件前檢查後要回到哪個補正或隔離分流;結果分流仍不是 request sent、owner response submitted / received / accepted、audit event emitted、人工批准、主要來源切換或執行期閘門 | | S2.105 IwoooS S4.9 負責人回覆送件請求草稿 | 完成草案 | `/iwooos` 新增 S4.9 負責人回覆送件請求草稿看板,列出收件範圍對應草稿、負責人收件對象草稿、脫敏證據參照草稿、禁止變更條款草稿、稽核事件範本草稿、人工送件閘門草稿六個草稿項 | 使用者與另一個 AwoooP Session 能直接知道封套通過預檢後仍需要人工整理與批准送件;送件請求草稿仍不是 request sent、owner response received / accepted、audit event emitted、人工批准、主要來源切換或執行期閘門 | | S2.106 IwoooS S4.9 負責人回覆送件鏈路摘要 | 完成草案 | `/iwooos` 新增 S4.9 負責人回覆送件鏈路摘要帶,以六段流程顯示人工收件工作單、回覆封套欄位、送件前檢查、結果分流、送件請求草稿、人工送件閘門,並把目前焦點固定為 request draft | 使用者與另一個 AwoooP Session 能用更專業的視覺摘要理解 S4.9 不是卡住,而是仍停在只讀送件前準備;送件鏈路摘要仍不是 request sent、owner response received / accepted、audit event emitted、人工批准、主要來源切換或執行期閘門 | +| S2.107 前台安全合規 IwoooS 整合入口 | 完成草案 | `/security-compliance` 保留既有 SecurityPanel / CompliancePanel 頁籤並新增 IwoooS 前台整合說明;`/iwooos` 新增前台安全合規整合判定看板 | 專業判定是整合而非移除:安全合規維持前台熟悉入口,IwoooS 統一資安總覽與姿態來源;此整合仍不是 runtime 授權、審批、掃描、修復、部署、主要來源切換或執行期閘門 | | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate | | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item | | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 | diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index 79cde810b..e08ac92fd 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -1742,6 +1742,18 @@ "runtime_delta": false, "execution_authorized": false, "not_authorization": true + }, + { + "delta_id": "s2_107_security_compliance_iwooos_frontstage_bridge", + "display_order": 136, + "completed_stage": "S2.107 前台安全合規 IwoooS 整合入口", + "progress_axis": "framework_detail", + "headline_percent_delta": 0, + "framework_delta_visible": true, + "why_headline_unchanged": "IwoooS 只新增前台安全合規整合判定,保留 /security-compliance 作為既有安全監控與合規統計入口,並把它橋接到 IwoooS 作為資安網總覽與唯一姿態來源;security_compliance_route_preserved=true、security_compliance_removed=false、security_compliance_integration_mode=iwooos_frontstage_bridge、iwooos_authoritative_security_entry=true、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false,不把前台入口整合當 runtime 授權、審批、掃描、修復、部署、專案庫建立、refs sync、workflow 修改、GitHub primary 切換或 Gitea 停用。", + "runtime_delta": false, + "execution_authorized": false, + "not_authorization": true } ], "next_safe_actions": [ @@ -2594,6 +2606,22 @@ "從 S4.9 送件鏈路摘要呼叫 Kali、開 SSH、更新主機、切 GitHub 主要來源、停用 Gitea、收機密明文值或開執行期閘門" ] }, + { + "action_id": "show_iwooos_security_compliance_frontstage_bridge", + "title": "前台安全合規保留並整合到 IwoooS", + "mode": "observe", + "source_contract": "iwooos_posture_projection_v1", + "allowed_processing": [ + "保留 /security-compliance 作為前台熟悉入口", + "在安全合規頁顯示 IwoooS 前台整合說明與只讀導流", + "在 /iwooos 顯示 S2.107 前台安全合規整合判定,固定 route preserved、removed=false、runtime gate 0 與 action button 0" + ], + "blocked_processing": [ + "把安全合規入口整合當成 runtime 授權、審批、掃描、修復、部署或 blocking control", + "從安全合規入口建立專案庫、改可見性、同步 / 刪除 / 強制推送 refs,或修改工作流程 / 機密設定", + "從安全合規入口呼叫 Kali、開 SSH、更新主機、切 GitHub 主要來源、停用 Gitea 或收機密明文值" + ] + }, { "action_id": "enforce_traditional_chinese_security_surface_wording", "title": "IwoooS / AwoooP 資安可視區塊維持繁體中文呈現", diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 3e82d651c..5ff77070f 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -79,6 +79,9 @@ def validate(root: Path) -> None: iwooos_projection_page = ( root / "apps" / "web" / "src" / "app" / "[locale]" / "iwooos" / "page.tsx" ).read_text(encoding="utf-8") + security_compliance_page = ( + root / "apps" / "web" / "src" / "app" / "[locale]" / "security-compliance" / "page.tsx" + ).read_text(encoding="utf-8") awooop_home_page = ( root / "apps" / "web" / "src" / "app" / "[locale]" / "awooop" / "page.tsx" ).read_text(encoding="utf-8") @@ -355,6 +358,7 @@ def validate(root: Path) -> None: "s2_104_iwooos_s49_owner_response_envelope_preflight_outcome_board", "s2_105_iwooos_s49_owner_response_request_draft_board", "s2_106_iwooos_s49_owner_response_dispatch_flow_board", + "s2_107_security_compliance_iwooos_frontstage_bridge", ] assert_equal( "progress_delta_ledger.delta_ids", @@ -609,6 +613,11 @@ def validate(root: Path) -> None: [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], "show_iwooos_owner_response_formal_record_owner_assignment_decision_checklist_board", ) + assert_contains( + "rollup.next_safe_actions.action_ids", + [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], + "show_iwooos_security_compliance_frontstage_bridge", + ) assert_contains( "rollup.next_safe_actions.action_ids", [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], @@ -7973,6 +7982,134 @@ def validate(root: Path) -> None: list(web_messages_en["iwooos"]["s49OwnerResponseDispatchFlow"]["items"].keys()), key, ) + assert_text_contains( + "security_compliance_page.frontstage_bridge_testid", + security_compliance_page, + 'data-testid="security-compliance-iwooos-frontstage-bridge"', + ) + assert_text_contains( + "security_compliance_page.frontstage_component", + security_compliance_page, + "SecurityComplianceFrontStage", + ) + assert_text_contains( + "iwooos_page.security_compliance_frontstage_testid", + iwooos_projection_page, + 'data-testid="iwooos-security-compliance-frontstage-board"', + ) + assert_text_contains( + "iwooos_page.security_compliance_frontstage_component", + iwooos_projection_page, + "SecurityComplianceFrontStageBoard", + ) + for text in [ + "security_compliance_route_preserved=true", + "security_compliance_removed=false", + "security_compliance_integration_mode=iwooos_frontstage_bridge", + "iwooos_authoritative_security_entry=true", + "runtime_execution_authorized=false", + "active_runtime_gate_count=0", + "action_buttons_allowed=false", + "not_authorization=true", + ]: + assert_text_contains( + "security_compliance_page.frontstage_boundary", + security_compliance_page, + text, + ) + assert_text_contains( + "iwooos_page.security_compliance_frontstage_boundary", + iwooos_projection_page, + text, + ) + for text in [ + "secret_value_collection_allowed=false", + "repo_creation_authorized=false", + "refs_sync_authorized=false", + "workflow_modification_authorized=false", + "github_primary_switch_authorized=false", + "gitea_disablement_authorized=false", + ]: + assert_text_contains( + "iwooos_page.security_compliance_frontstage_hard_boundary", + iwooos_projection_page, + text, + ) + assert_contains( + "web_messages.zh-TW.securityCompliance", + list(web_messages_zh.keys()), + "securityCompliance", + ) + assert_contains( + "web_messages.en.securityCompliance", + list(web_messages_en.keys()), + "securityCompliance", + ) + for key in ["eyebrow", "title", "subtitle", "openIwooos", "boundaryTitle", "boundaryIntro", "items"]: + assert_contains( + "web_messages.zh-TW.securityCompliance.frontStage.keys", + list(web_messages_zh["securityCompliance"]["frontStage"].keys()), + key, + ) + assert_contains( + "web_messages.en.securityCompliance.frontStage.keys", + list(web_messages_en["securityCompliance"]["frontStage"].keys()), + key, + ) + for key in ["routePreserved", "iwooosBridge", "dedupeNarrative", "noRuntimeControl"]: + assert_contains( + "web_messages.zh-TW.securityCompliance.frontStage.items", + list(web_messages_zh["securityCompliance"]["frontStage"]["items"].keys()), + key, + ) + assert_contains( + "web_messages.en.securityCompliance.frontStage.items", + list(web_messages_en["securityCompliance"]["frontStage"]["items"].keys()), + key, + ) + assert_contains( + "web_messages.zh-TW.iwooos.securityComplianceFrontStage", + list(web_messages_zh["iwooos"].keys()), + "securityComplianceFrontStage", + ) + assert_contains( + "web_messages.en.iwooos.securityComplianceFrontStage", + list(web_messages_en["iwooos"].keys()), + "securityComplianceFrontStage", + ) + for key in ["title", "subtitle", "summary", "items", "decisionLabel", "boundaryTitle", "boundaryIntro"]: + assert_contains( + "web_messages.zh-TW.iwooos.securityComplianceFrontStage.keys", + list(web_messages_zh["iwooos"]["securityComplianceFrontStage"].keys()), + key, + ) + assert_contains( + "web_messages.en.iwooos.securityComplianceFrontStage.keys", + list(web_messages_en["iwooos"]["securityComplianceFrontStage"].keys()), + key, + ) + for key in ["route", "decision", "removed", "runtime"]: + assert_contains( + "web_messages.zh-TW.iwooos.securityComplianceFrontStage.summary", + list(web_messages_zh["iwooos"]["securityComplianceFrontStage"]["summary"].keys()), + key, + ) + assert_contains( + "web_messages.en.iwooos.securityComplianceFrontStage.summary", + list(web_messages_en["iwooos"]["securityComplianceFrontStage"]["summary"].keys()), + key, + ) + for key in ["routePreserved", "frontStageBridge", "singleSecurityNarrative", "runtimeControls"]: + assert_contains( + "web_messages.zh-TW.iwooos.securityComplianceFrontStage.items", + list(web_messages_zh["iwooos"]["securityComplianceFrontStage"]["items"].keys()), + key, + ) + assert_contains( + "web_messages.en.iwooos.securityComplianceFrontStage.items", + list(web_messages_en["iwooos"]["securityComplianceFrontStage"]["items"].keys()), + key, + ) for key in [ "title", "subtitle",