From ca06136273fdd0ad396793195cb8118b0dc6880d Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 21 May 2026 08:47:39 +0800 Subject: [PATCH] feat(web): surface GitHub readiness in AwoooP work items --- apps/web/messages/en.json | 8 +++++ apps/web/messages/zh-TW.json | 8 +++++ .../app/[locale]/awooop/work-items/page.tsx | 19 +++++++++++ docs/LOGBOOK.md | 14 ++++++++ .../security/SECURITY-MIRROR-STATUS-ROLLUP.md | 2 ++ .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 6 ++-- ...ecurity-mirror-status-rollup.snapshot.json | 31 ++++++++++++++++- .../security-mirror-progress-guard.py | 33 +++++++++++++++++++ 8 files changed, 118 insertions(+), 3 deletions(-) diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index cc3c41851..0e65651a7 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -4073,6 +4073,9 @@ "iwooosSecurityMirror": { "title": "IwoooS security mirror read-only work item" }, + "githubPrimaryReadiness": { + "title": "GitHub Primary Readiness read-only work item" + }, "mcpGateway": { "title": "MCP Gateway usage evidence overview" }, @@ -4088,6 +4091,7 @@ "governanceDispatch": "Governance alerts must enter dispatch and expose skipped / pending / repaired", "frontendConsole": "Completed and in-progress work must be trackable from the frontend", "iwooosSecurityMirror": "Track security mesh progress and boundaries as read-only only; do not create scan, execute, repair, deploy, primary switch, or runtime gate actions", + "githubPrimaryReadiness": "Track the Gitea-to-GitHub readiness gap as read-only only; do not create repos, change visibility, sync refs, collect secret values, switch primary, or disable Gitea", "mcpGateway": "MCP usage must show agent, tool, scope, and blocked reason", "timelineContract": "Incident, Approval, Evidence, KM, and Timeline must not contradict each other" }, @@ -4103,6 +4107,10 @@ "iwooosSecurityMirror": "Overall {headline}; framework {framework}; landing {runtime}; active runtime gates={gates}", "iwooosSecurityMirrorOwner": "Owner response is still waiting; production_landing_enabled=false", "iwooosSecurityMirrorBoundary": "execution_router_linked=false; runtime_execution_authorized=false; action_buttons_allowed=false", + "githubPrimaryReadiness": "Candidate repos={candidates}; in-scope={inScope}; primary ready={ready}", + "githubPrimaryOwnerResponses": "Owner response remains 0/22; request-ready is not accepted", + "githubPrimaryWorkflowNames": "Workflow / secret-name inventory complete=0/7; collect names only, never secret values", + "githubPrimaryBoundary": "repo_creation=false; refs_mutation=false; github_primary_switch=false; disable_gitea=false", "mcpReady": "MCP Gateway gate is not currently a top gap", "mcpMissing": "Quality summary still reports an MCP Gateway observation gap", "remediationHistory": "Dry-run history: {count}x; latest {preview}", diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index aecf3b908..fe69e357c 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -4074,6 +4074,9 @@ "iwooosSecurityMirror": { "title": "IwoooS 資安鏡像只讀工作項" }, + "githubPrimaryReadiness": { + "title": "GitHub Primary Readiness 只讀工作項" + }, "mcpGateway": { "title": "MCP Gateway 使用證據總覽" }, @@ -4089,6 +4092,7 @@ "governanceDispatch": "治理告警必須進 dispatch,並標示 skipped / pending / repaired", "frontendConsole": "已完成與推進中的工作必須能從前端直接追蹤", "iwooosSecurityMirror": "只讀追蹤資安網進度與邊界;不得建立 scan、execute、repair、deploy、primary switch 或 runtime gate", + "githubPrimaryReadiness": "只讀追蹤 Gitea 轉 GitHub 的 readiness 缺口;不得建立 repo、改 visibility、sync refs、收 secret value、切 primary 或停用 Gitea", "mcpGateway": "MCP 使用必須看得到 agent、tool、scope 與 blocked 原因", "timelineContract": "Incident、Approval、Evidence、KM、Timeline 不得互相矛盾" }, @@ -4104,6 +4108,10 @@ "iwooosSecurityMirror": "整體 {headline};框架 {framework};落地 {runtime};active runtime gates={gates}", "iwooosSecurityMirrorOwner": "Owner response 仍等待;production_landing_enabled=false", "iwooosSecurityMirrorBoundary": "execution_router_linked=false;runtime_execution_authorized=false;action_buttons_allowed=false", + "githubPrimaryReadiness": "候選 repo={candidates};in-scope={inScope};primary ready={ready}", + "githubPrimaryOwnerResponses": "Owner response 仍為 0/22;request-ready 不是 accepted", + "githubPrimaryWorkflowNames": "Workflow / secret name inventory complete=0/7;只收名稱不收 secret value", + "githubPrimaryBoundary": "repo_creation=false;refs_mutation=false;github_primary_switch=false;disable_gitea=false", "mcpReady": "MCP Gateway gate 目前未列為主要缺口", "mcpMissing": "品質總覽仍指出 MCP Gateway 觀測缺口", "remediationHistory": "試跑歷史:{count} 次;上次 {preview}", diff --git a/apps/web/src/app/[locale]/awooop/work-items/page.tsx b/apps/web/src/app/[locale]/awooop/work-items/page.tsx index c80e41014..26d9c0a7f 100644 --- a/apps/web/src/app/[locale]/awooop/work-items/page.tsx +++ b/apps/web/src/app/[locale]/awooop/work-items/page.tsx @@ -290,6 +290,25 @@ function buildWorkItems( ], href: "/iwooos", }, + { + id: "githubPrimaryReadiness", + phase: "S2.64", + status: "watching", + surfaceKey: "iwooos", + source: "source-control-primary-readiness-gate.snapshot.json / iwooos_posture_projection_v1", + gateKey: "githubPrimaryReadiness", + evidence: t("evidence.githubPrimaryReadiness", { + candidates: 8, + inScope: 7, + ready: 0, + }), + evidenceDetails: [ + t("evidence.githubPrimaryOwnerResponses"), + t("evidence.githubPrimaryWorkflowNames"), + t("evidence.githubPrimaryBoundary"), + ], + href: "/iwooos", + }, { id: "mcpGateway", phase: "T18", diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 49f093fa8..6421438e8 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,17 @@ +## 2026-05-21 | 資安供應鏈 S2.64:AwoooP Work-Items GitHub Primary Readiness Candidate + +**背景**:S2.63 已把 Gitea → GitHub 的長期 primary readiness 缺口放進 `/iwooos`;本輪同步到 AwoooP 工作鏈路,讓另一個 AwoooP Session 與使用者能在工作項層看見 GitHub primary 仍處於只讀 readiness,而不是誤解成已可建立 repo 或切 primary。 + +**完成**: +- `/awooop/work-items` 新增 `S2.64`「GitHub Primary Readiness 只讀工作項」,狀態為觀察期,來源為 `source-control-primary-readiness-gate.snapshot.json / iwooos_posture_projection_v1`。 +- 工作項顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7,並連回 `/iwooos`。 +- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_64_awooop_work_items_github_primary_readiness_candidate`,並新增 `show_awooop_work_items_github_primary_readiness_candidate` next safe action。 +- `security-mirror-progress-guard.py` 開始驗證 AwoooP work-items 的 GitHub readiness 工作項、source contract、IwoooS link、i18n 鍵與 false 邊界。 + +**仍禁止**: +- S2.64 的 AwoooP 工作項不代表 owner response received / accepted、runtime authorization、active runtime gate、repo creation、visibility change、refs sync / delete / force push、workflow / secret modification、secret value collection、GitHub primary switch、Gitea disablement、Kali `/execute`、SSH 登入、主機更新或 blocking control。 +- 整體資安網 headline 仍是 58%;框架 / 治理 / 文件 / schema / read-only evidence 仍約 80-85%;真正落地執行 / runtime ingestion / GitHub primary / AwoooP production landing 仍約 35-40%。 + ## 2026-05-20 | 資安供應鏈 S2.63:IwoooS GitHub Primary Readiness Board **背景**:統帥已同意長期將本地 Gitea 的專案版本完整轉移到 GitHub;S2.62 已讓使用者看見既有資安頁面如何連回 IwoooS,本輪把 Gitea → GitHub 的 source-control readiness 缺口也集中顯示在 `/iwooos`,避免「已決定長期方向」被誤讀成「已可切 primary」。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 5f6d679f3..02089ca79 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -45,6 +45,7 @@ | Audit / engineering pages IwoooS reverse bridge | S2.61 已把 `/alert-operation-logs` 與 `/code-review` 反向接上 IwoooS 深色只讀橋接;headline=58%、framework=80-85%、runtime gates=0、action buttons=0;仍不新增 Code Review blocker、Gitea/GitHub action、scan、repair、approve、deploy 或 blocking control | | IwoooS frontend surface connection board | S2.62 已在 `/iwooos` 顯示 10 個既有資安入口的連接狀態,區分 embedded bridge、direct bridge 與 AwoooP read-only candidate;frontend_surface_reverse_bridge_status_count=10;仍不新增授權、阻擋、scan、repair、approve、deploy、Code Review blocker 或 Gitea/GitHub action | | IwoooS GitHub primary readiness board | S2.63 已在 `/iwooos` 顯示 GitHub Primary Readiness 只讀狀態板;candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7、rollback ADR approved=0;仍不建立 repo、不改 visibility、不改 refs、不收 secret value、不切 primary | +| AwoooP work-items GitHub primary readiness candidate | S2.64 已在 `/awooop/work-items` 顯示 GitHub Primary Readiness 只讀工作項;candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7;仍不建立 repo、不改 visibility、不改 refs、不收 secret value、不切 primary、不停用 Gitea | | Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion | | Runtime actions | `false` | | Payload ingestion | `false` | @@ -156,6 +157,7 @@ | S2.61 audit engineering pages IwoooS reverse bridge | framework detail | 0 | 只把 `/alert-operation-logs` 與 `/code-review` 反向接上 IwoooS 深色只讀橋接;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把稽核或工程審查頁面的可見性當 owner response、runtime gate、掃描、修復、批准、部署、Code Review blocker 或 Gitea/GitHub action | | S2.62 IwoooS frontend surface connection board | framework detail | 0 | 只在 `/iwooos` 顯示 10 個既有資安入口的 embedded bridge、direct bridge 與 AwoooP read-only candidate 連接狀態;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把連接狀態當 owner response、runtime gate、掃描、修復、批准、部署、Code Review blocker 或 Gitea/GitHub action | | S2.63 IwoooS GitHub primary readiness board | framework detail | 0 | 只在 `/iwooos` 顯示 GitHub Primary Readiness 缺口:candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、refs truth accepted=0、workflow inventory complete=0/7、rollback ADR approved=0;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不建立 GitHub repo、不改 visibility、不 sync / delete / force push refs、不收 secret value、不切 primary、不停用 Gitea | +| S2.64 AwoooP work-items GitHub primary readiness candidate | framework detail | 0 | 只在 `/awooop/work-items` 顯示 GitHub Primary Readiness 只讀工作項,連回 `/iwooos` 並呈現 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不建立 GitHub repo、不改 visibility、不 sync / delete / force push refs、不收 secret value、不切 primary、不停用 Gitea | headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence: diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 3e8351819..d1658940d 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -5,7 +5,7 @@ | 日期 | 2026-05-17 | | 狀態 | S0/S1 read-only evidence 建置中 | | 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 | -| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP Run 監控 IwoooS Run State 只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub Primary Readiness 只讀狀態板 | +| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP Run 監控 IwoooS Run State 只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub Primary Readiness 只讀狀態板 + AwoooP 工作鏈路 GitHub Primary Readiness 只讀工作項 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 @@ -28,7 +28,7 @@ python3 scripts/security/security-mirror-progress-guard.py ### 0.2 Headline 58% 不代表停滯 -近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.63 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 +近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes、S2.8 IwoooS frontend posture entry,以及 S2.9-S2.64 IwoooS / AwoooP security projection contract 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner response accepted、redacted payload ingestion、active runtime gate、GitHub primary ready、AwoooP read-only landing。這五個 gate 目前仍全部是 0 / false,所以 headline 不應被灌水提高。 @@ -126,6 +126,7 @@ S2.50 也把「為什麼 58% 還不動」拆成五個可見 gate:owner respons | S2.61 audit engineering pages IwoooS reverse bridge | 已完成草案,將 `/alert-operation-logs` 與 `/code-review` 反向顯示 IwoooS 深色只讀納管狀態;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false | 0 | | S2.62 IwoooS frontend surface connection board | 已完成草案,在 `/iwooos` 顯示 10 個既有資安入口的 embedded bridge、direct bridge 與 AwoooP read-only candidate 連接狀態;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false | 0 | | S2.63 IwoooS GitHub primary readiness board | 已完成草案,在 `/iwooos` 顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、refs truth accepted=0、workflow inventory complete=0/7、rollback ADR approved=0;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false | 0 | +| S2.64 AwoooP work-items GitHub primary readiness candidate | 已完成草案,在 `/awooop/work-items` 顯示 GitHub Primary Readiness 只讀工作項,連回 `/iwooos`,並顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false | 0 | headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。 @@ -208,6 +209,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S2.61 Audit / Engineering Pages IwoooS Reverse Bridge | 完成草案 | `/alert-operation-logs` 與 `/code-review` 新增 IwoooS 深色只讀橋接,顯示 58%、80-85%、runtime gates=0、action buttons=0,並連到 `/iwooos` | 使用者能在稽核操作日誌與 Code Review 控制面看見資安網邊界;橋接仍不是 Code Review blocker、Gitea/GitHub action、owner response、runtime authorization、scan、repair、approve、deploy 或 blocking control | | S2.62 IwoooS Frontend Surface Connection Board | 完成草案 | `/iwooos` 新增 10 個既有資安入口的連接狀態板,區分 embedded bridge、direct bridge 與 AwoooP read-only candidate | 使用者能直接看見資安頁面目前怎麼接回 IwoooS;連接狀態仍不是 owner response、runtime authorization、Code Review blocker、Gitea/GitHub action、scan、repair、approve、deploy 或 blocking control | | S2.63 IwoooS GitHub Primary Readiness Board | 完成草案 | `/iwooos` 新增 GitHub Primary Readiness 只讀狀態板,顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、refs truth accepted=0、workflow inventory complete=0/7、rollback ADR approved=0 | 使用者能理解 Gitea 長期轉 GitHub 的 readiness 缺口;狀態板仍不是 repo creation、visibility change、refs mutation、secret value collection、primary switch、Gitea disablement 或 runtime 授權 | +| S2.64 AwoooP Work-Items GitHub Primary Readiness Candidate | 完成草案 | `/awooop/work-items` 新增 GitHub Primary Readiness 只讀工作項,顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7,並連回 `/iwooos` | 使用者與另一個 AwoooP Session 能在工作鏈路理解 GitHub primary readiness 仍只是缺口追蹤;工作項仍不是 repo creation、visibility change、refs mutation、secret value collection、primary switch、Gitea disablement 或 runtime 授權 | | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate | | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item | | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 | diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index cb862a0ff..d3c7c78f7 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -1226,6 +1226,18 @@ "runtime_delta": false, "execution_authorized": false, "not_authorization": true + }, + { + "delta_id": "s2_64_awooop_work_items_github_primary_readiness_candidate", + "display_order": 93, + "completed_stage": "S2.64 AwoooP work-items GitHub primary readiness candidate", + "progress_axis": "framework_detail", + "headline_percent_delta": 0, + "framework_delta_visible": true, + "why_headline_unchanged": "AwoooP 工作鏈路只新增 GitHub Primary Readiness 只讀工作項,顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false,沒有建立 GitHub repo、修改 visibility、sync / delete / force push refs、收 secret value、切 primary 或停用 Gitea。", + "runtime_delta": false, + "execution_authorized": false, + "not_authorization": true } ], "next_safe_actions": [ @@ -1438,6 +1450,22 @@ "從 readiness board 收 secret value、切 GitHub primary、停用 Gitea 或把 request-ready 當 owner response accepted" ] }, + { + "action_id": "show_awooop_work_items_github_primary_readiness_candidate", + "title": "AwoooP 工作鏈路顯示 GitHub Primary Readiness 只讀工作項", + "mode": "observe", + "source_contract": "security_mirror_status_rollup_v1", + "allowed_processing": [ + "在 /awooop/work-items 顯示 S2.64 GitHub Primary Readiness 只讀工作項", + "顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7", + "連到 /iwooos 只讀入口,不新增 repo、visibility、refs、workflow、secret、primary 或 Gitea disablement action" + ], + "blocked_processing": [ + "把 AwoooP 工作鏈路工作項當成 GitHub primary approval", + "從 AwoooP 工作鏈路建立 repo、改 visibility、sync/delete/force push refs 或收 secret value", + "從 AwoooP 工作鏈路切 GitHub primary、停用 Gitea 或把 request-ready 當 owner response accepted" + ] + }, { "action_id": "mirror_low_friction_non_blocking_lanes", "title": "AwoooP 顯示低摩擦非阻擋升級分流", @@ -1814,7 +1842,8 @@ "S2.60 新增資安控制頁面 IwoooS reverse bridge;/alerts、/errors、/authorizations 與 /governance 反向顯示 IwoooS 只讀納管狀態、headline 58%、framework 80-85%、runtime gates=0、action buttons=0;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把告警、錯誤、授權或治理頁面的可見性當 owner response、runtime gate、掃描、修復、批准、部署或 blocking control。", "S2.61 新增稽核與工程審查頁面 IwoooS reverse bridge;/alert-operation-logs 與 /code-review 以深色只讀橋接顯示 IwoooS 納管狀態、headline 58%、framework 80-85%、runtime gates=0、action buttons=0;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把稽核或工程審查頁面的可見性當 owner response、runtime gate、掃描、修復、批准、部署、Code Review blocker 或 Gitea/GitHub action。", "S2.62 新增 IwoooS frontend surface connection board;/iwooos 顯示 10 個既有資安入口的連接狀態,區分 embedded bridge、direct bridge 與 AwoooP read-only candidate;frontend_surface_reverse_bridge_status_count=10、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把連接狀態當 owner response、runtime gate、掃描、修復、批准、部署、Code Review blocker 或 Gitea/GitHub action。", - "S2.63 新增 IwoooS GitHub Primary Readiness 只讀狀態板;/iwooos 顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、refs truth accepted=0、workflow inventory complete=0/7、rollback ADR approved=0;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不建立 GitHub repo、不改 visibility、不 sync/delete/force push refs、不收 secret value、不切 primary、不停用 Gitea。" + "S2.63 新增 IwoooS GitHub Primary Readiness 只讀狀態板;/iwooos 顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、refs truth accepted=0、workflow inventory complete=0/7、rollback ADR approved=0;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不建立 GitHub repo、不改 visibility、不 sync/delete/force push refs、不收 secret value、不切 primary、不停用 Gitea。", + "S2.64 新增 AwoooP work-items GitHub Primary Readiness 只讀工作項;/awooop/work-items 顯示 candidate repos=8、in-scope=7、primary_ready_count=0、owner response 0/22、workflow inventory complete=0/7,並連回 /iwooos;runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false、not_authorization=true,不把工作項當 GitHub primary approval、不建立 repo、不改 visibility、不 sync/delete/force push refs、不收 secret value、不切 primary、不停用 Gitea。" ], "forbidden_actions": [ "start_kali_scan", diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 8b47368cf..60c66fbf8 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -276,6 +276,7 @@ def validate(root: Path) -> None: "s2_61_audit_engineering_pages_iwooos_reverse_bridge", "s2_62_iwooos_frontend_surface_connection_board", "s2_63_iwooos_github_primary_readiness_board", + "s2_64_awooop_work_items_github_primary_readiness_candidate", ] assert_equal( "progress_delta_ledger.delta_ids", @@ -360,6 +361,11 @@ def validate(root: Path) -> None: [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], "show_iwooos_github_primary_readiness_board", ) + assert_contains( + "rollup.next_safe_actions.action_ids", + [item["action_id"] for item in rollup["next_safe_actions"] if isinstance(item, dict)], + "show_awooop_work_items_github_primary_readiness_candidate", + ) assert_equal("rollout_policy.schema_version", rollout_policy["schema_version"], "security_rollout_policy_v1") assert_equal("rollout_policy.default_mode", rollout_policy["default_mode"], "observe") @@ -5041,11 +5047,17 @@ def validate(root: Path) -> None: ) assert_text_contains("awooop_work_items_page.security_mirror_item", awooop_work_items_page, "iwooosSecurityMirror") + assert_text_contains("awooop_work_items_page.github_primary_item", awooop_work_items_page, "githubPrimaryReadiness") assert_text_contains( "awooop_work_items_page.security_mirror_source", awooop_work_items_page, "security_mirror_status_rollup_v1 / iwooos_posture_projection_v1", ) + assert_text_contains( + "awooop_work_items_page.github_primary_source", + awooop_work_items_page, + "source-control-primary-readiness-gate.snapshot.json / iwooos_posture_projection_v1", + ) assert_text_contains("awooop_work_items_page.security_mirror_href", awooop_work_items_page, 'href: "/iwooos"') assert_text_contains("awooop_work_items_page.security_mirror_status", awooop_work_items_page, 'status: "watching"') for key in ["iwooos"]: @@ -5070,6 +5082,16 @@ def validate(root: Path) -> None: list(web_messages_en["awooop"]["workItems"][section].keys()), "iwooosSecurityMirror", ) + assert_contains( + f"web_messages.zh-TW.awooop.workItems.{section}", + list(web_messages_zh["awooop"]["workItems"][section].keys()), + "githubPrimaryReadiness", + ) + assert_contains( + f"web_messages.en.awooop.workItems.{section}", + list(web_messages_en["awooop"]["workItems"][section].keys()), + "githubPrimaryReadiness", + ) for key in ["iwooosSecurityMirrorOwner", "iwooosSecurityMirrorBoundary"]: assert_contains( "web_messages.zh-TW.awooop.workItems.evidence", @@ -5081,6 +5103,17 @@ def validate(root: Path) -> None: list(web_messages_en["awooop"]["workItems"]["evidence"].keys()), key, ) + for key in ["githubPrimaryOwnerResponses", "githubPrimaryWorkflowNames", "githubPrimaryBoundary"]: + assert_contains( + "web_messages.zh-TW.awooop.workItems.evidence", + list(web_messages_zh["awooop"]["workItems"]["evidence"].keys()), + key, + ) + assert_contains( + "web_messages.en.awooop.workItems.evidence", + list(web_messages_en["awooop"]["workItems"]["evidence"].keys()), + key, + ) assert_text_contains( "awooop_tenants_page.security_tenant_scope_panel",