diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index bbc7e0a2d..ae8f7ca53 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -68,7 +68,8 @@ "securityCompliance": "Security & Compliance", "classicAICenter": "Classic AI Center", "governance": "AI Governance", - "awooop": "AwoooP" + "awooop": "AwoooP", + "iwooos": "IwoooS" }, "locale": { "switch": "Switch Language", @@ -991,6 +992,103 @@ "error": "Load failed", "noData": "No security events" }, + "iwooos": { + "eyebrow": "Information Security Mesh", + "title": "IwoooS", + "subtitle": "The security mesh posture entry. It gathers Kali, source control, owner response, approval gates, and AwoooP mirror-only evidence into one readable posture without starting scans, repairs, or product blockers.", + "boundary": { + "label": "Current boundary", + "state": "Mirror-only / Observe-first", + "detail": "All numbers come from verified snapshots and guards. This page only displays posture, gaps, next gates, and non-blocking lanes." + }, + "metrics": { + "overall": { + "label": "Overall mesh", + "detail": "headline progress, not authorization" + }, + "framework": { + "label": "Framework maturity", + "detail": "docs, schema, read-only evidence" + }, + "runtime": { + "label": "Runtime landing", + "detail": "runtime gates are not active" + }, + "contracts": { + "label": "Core contracts", + "detail": "32 ready / 2 partial / 1 contract-only" + }, + "activeGates": { + "label": "Active runtime gates", + "detail": "kept at 0 before approval" + } + }, + "pillars": { + "exposure": { + "title": "Exposure Posture", + "state": "Waiting evidence", + "body": "Mainstream security management puts assets, exposure, vulnerabilities, and owner gates in one view. IwoooS shows coverage gaps without turning them into blockers." + }, + "sourceControl": { + "title": "Source-control Supply Chain", + "state": "Draft gated", + "body": "GitHub is the long-term direction, but refs, workflows, secret names, and rollback ADRs still need owner responses." + }, + "kali": { + "title": "Kali 112 Mesh", + "state": "Observe-only", + "body": "Kali 112 is in scope, and 111 / 168 are also observe-only. Active scan and /execute remain block candidates." + }, + "governance": { + "title": "Approval Boundary", + "state": "Locked", + "body": "7 pending approvals, 1 block candidate, and 0 active runtime gates. Execution requires a human decision record and a follow-up runtime gate." + } + }, + "lanes": { + "title": "Non-blocking Lanes", + "subtitle": "The initial phase stays observe / warn so security does not slow product and deployment flow.", + "lowMedium": { + "title": "LOW / MEDIUM observation", + "body": "Label risk, create follow-up, add evidence_ref, do not block deploy." + }, + "ownerMissing": { + "title": "Owner response missing", + "body": "Show gaps and the next collection candidate; do not treat silence as rejection." + }, + "mirrorIncomplete": { + "title": "Mirror data incomplete", + "body": "Show partial / quarantine reason and wait for a new redacted snapshot." + }, + "sourceDrift": { + "title": "Source-control drift draft", + "body": "Keep the draft reconcile plan; do not sync refs or force push." + }, + "kaliObserve": { + "title": "Kali observe finding", + "body": "Show only redacted finding summary; do not start active scan." + }, + "workflowGap": { + "title": "Workflow / secret name gap", + "body": "Request redacted export; do not collect secret values or enable runners." + }, + "progressHolding": { + "title": "Progress display holding", + "body": "58% means high-level gates are pending; it is neither stuck nor runtime approval." + } + }, + "nextGate": { + "title": "Next High-level Gate", + "body": "S4.9 Gitea owner attestation response is the recommended next owner evidence. Headline progress should only increase after owner responses, redacted payload ingestion, active runtime gates, or GitHub primary readiness actually change." + }, + "evidence": { + "title": "Current Evidence" + }, + "blocked": { + "title": "Blocked Actions", + "body": "This page does not provide scan, execute, repo, refs, workflow, secret, runner, primary switch, or deploy action buttons." + } + }, "tickets": { "title": "Tickets", "subtitle": "Incident ticket tracking", @@ -1225,6 +1323,7 @@ "actionGoAutomation": "Go to Automation", "actionGoOperations": "Go to Operations", "actionGoSecurity": "Go to Security & Compliance", + "actionGoIwooos": "Go to IwoooS", "actionGoKnowledge": "Go to Knowledge Hall", "actionGoSettings": "Go to Settings", "actionGoTerminal": "Go to Terminal", diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index 440be43e4..c15f88b2f 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -68,7 +68,8 @@ "securityCompliance": "安全合規", "classicAICenter": "經典 AI 中心", "governance": "AI 治理", - "awooop": "AwoooP" + "awooop": "AwoooP", + "iwooos": "IwoooS" }, "locale": { "switch": "切換語系", @@ -992,6 +993,103 @@ "error": "載入失敗", "noData": "無安全事件" }, + "iwooos": { + "eyebrow": "Information Security Mesh", + "title": "IwoooS", + "subtitle": "資安網的態勢入口。把 Kali、source-control、owner response、approval gate、AwoooP mirror-only evidence 收成一個可讀的資安態勢,不啟動掃描、不修復、不阻擋產品流程。", + "boundary": { + "label": "目前邊界", + "state": "Mirror-only / Observe-first", + "detail": "所有數字來自已驗證 snapshot 與 guard。此頁只顯示態勢、缺口、下一個 gate 與非阻擋分流。" + }, + "metrics": { + "overall": { + "label": "整體資安網", + "detail": "headline progress,不是授權" + }, + "framework": { + "label": "框架成熟度", + "detail": "文件、schema、read-only evidence" + }, + "runtime": { + "label": "落地執行", + "detail": "runtime gate 尚未啟用" + }, + "contracts": { + "label": "主要契約", + "detail": "32 ready / 2 partial / 1 contract-only" + }, + "activeGates": { + "label": "Active runtime gates", + "detail": "人工批准前維持 0" + } + }, + "pillars": { + "exposure": { + "title": "Exposure Posture", + "state": "Waiting evidence", + "body": "主流資安管理會把資產、暴露面、弱點與 owner gate 放在同一張圖。IwoooS 先顯示覆蓋缺口,不把缺口變成阻擋。" + }, + "sourceControl": { + "title": "Source-control Supply Chain", + "state": "Draft gated", + "body": "Gitea 到 GitHub 的長期方向已確認,但 refs、workflow、secret name 與 rollback ADR 仍需 owner response。" + }, + "kali": { + "title": "Kali 112 Mesh", + "state": "Observe-only", + "body": "Kali 112 已在資安網範圍中,111 / 168 也納入 observe-only。active scan 與 /execute 仍維持封鎖候選。" + }, + "governance": { + "title": "Approval Boundary", + "state": "Locked", + "body": "7 個 pending approval、1 個 block candidate、0 active runtime gates。任何執行都必須先留下人工決策與後續 runtime gate。" + } + }, + "lanes": { + "title": "非阻擋分流", + "subtitle": "初期只 observe / warn,避免資安框架拖慢產品與部署節奏。", + "lowMedium": { + "title": "LOW / MEDIUM observation", + "body": "標風險、建 follow-up、補 evidence_ref,不阻擋 deploy。" + }, + "ownerMissing": { + "title": "Owner response missing", + "body": "顯示缺口與下一個收件候選,不把未回覆當拒絕。" + }, + "mirrorIncomplete": { + "title": "Mirror data incomplete", + "body": "顯示 partial / quarantine reason,等待新的 redacted snapshot。" + }, + "sourceDrift": { + "title": "Source-control drift draft", + "body": "維持 draft reconcile plan,不 sync refs、不 force push。" + }, + "kaliObserve": { + "title": "Kali observe finding", + "body": "只顯示 redacted finding summary,不啟動 active scan。" + }, + "workflowGap": { + "title": "Workflow / secret name gap", + "body": "要求 redacted export,不收集 secret value、不啟用 runner。" + }, + "progressHolding": { + "title": "Progress display holding", + "body": "58% 代表等待高層 gate,不代表卡住,也不是 runtime approval。" + } + }, + "nextGate": { + "title": "下一個高層 Gate", + "body": "S4.9 Gitea owner attestation response 是目前建議先收的 owner evidence。任何 headline 提升都要等 owner response、redacted payload ingestion、active runtime gate 或 GitHub primary readiness 有真實變化。" + }, + "evidence": { + "title": "目前 Evidence" + }, + "blocked": { + "title": "禁止動作", + "body": "此頁不提供 scan、execute、repo、refs、workflow、secret、runner、primary switch 或 deploy action button。" + } + }, "tickets": { "title": "工單", "subtitle": "事件工單追蹤", @@ -1226,6 +1324,7 @@ "actionGoAutomation": "前往自動化", "actionGoOperations": "前往營運", "actionGoSecurity": "前往安全合規", + "actionGoIwooos": "前往 IwoooS", "actionGoKnowledge": "前往知識殿堂", "actionGoSettings": "前往設定", "actionGoTerminal": "前往終端頁面", diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx new file mode 100644 index 000000000..0da6dddca --- /dev/null +++ b/apps/web/src/app/[locale]/iwooos/page.tsx @@ -0,0 +1,278 @@ +'use client' + +/** + * IwoooS — Information Security posture 入口 + * @created 2026-05-19 Codex Asia/Taipei + */ + +import { + Activity, + AlertTriangle, + CheckCircle2, + Clock3, + GitBranch, + Lock, + Radar, + ShieldCheck, +} from 'lucide-react' +import { useTranslations } from 'next-intl' +import { AppLayout } from '@/components/layout' + +type PostureMetric = { + key: string + value: string + tone: 'steady' | 'warn' | 'locked' +} + +type Pillar = { + key: string + icon: typeof ShieldCheck + tone: 'steady' | 'warn' | 'locked' +} + +type Lane = { + key: string + mode: 'observe' | 'warn' +} + +const postureMetrics: PostureMetric[] = [ + { key: 'overall', value: '58%', tone: 'warn' }, + { key: 'framework', value: '80-85%', tone: 'steady' }, + { key: 'runtime', value: '35-40%', tone: 'locked' }, + { key: 'contracts', value: '35', tone: 'steady' }, + { key: 'activeGates', value: '0', tone: 'locked' }, +] + +const posturePillars: Pillar[] = [ + { key: 'exposure', icon: Radar, tone: 'warn' }, + { key: 'sourceControl', icon: GitBranch, tone: 'warn' }, + { key: 'kali', icon: Activity, tone: 'steady' }, + { key: 'governance', icon: ShieldCheck, tone: 'locked' }, +] + +const nonBlockingLanes: Lane[] = [ + { key: 'lowMedium', mode: 'warn' }, + { key: 'ownerMissing', mode: 'observe' }, + { key: 'mirrorIncomplete', mode: 'warn' }, + { key: 'sourceDrift', mode: 'warn' }, + { key: 'kaliObserve', mode: 'warn' }, + { key: 'workflowGap', mode: 'warn' }, + { key: 'progressHolding', mode: 'observe' }, +] + +const evidenceItems = [ + 'security-rollout-policy.snapshot.json', + 'security-mirror-status-rollup.snapshot.json', + 'source-control-owner-response-validation-rollup.snapshot.json', + 'kali-integration-status.snapshot.json', +] + +const toneColors = { + steady: '#1f7a4d', + warn: '#b66a2d', + locked: '#6f6d66', +} + +const page = { + minHeight: 'calc(100vh - 68px)', + background: '#f5f4ed', + color: '#141413', + padding: '22px', + fontFamily: 'var(--font-body), monospace', +} + +const band = { + background: '#fff', + border: '0.5px solid #e0ddd4', + borderRadius: 8, +} + +function ToneDot({ tone }: { tone: 'steady' | 'warn' | 'locked' }) { + return ( + + ) +} + +function MetricCard({ item }: { item: PostureMetric }) { + const t = useTranslations('iwooos.metrics') + return ( +
+
+ {t(`${item.key}.label` as never)} + +
+
{item.value}
+
{t(`${item.key}.detail` as never)}
+
+ ) +} + +function PillarCard({ item }: { item: Pillar }) { + const t = useTranslations('iwooos.pillars') + const Icon = item.icon + return ( +
+
+ + + {t(`${item.key}.state` as never)} + +
+

{t(`${item.key}.title` as never)}

+

{t(`${item.key}.body` as never)}

+
+ ) +} + +function LaneRow({ item, index }: { item: Lane; index: number }) { + const t = useTranslations('iwooos.lanes') + const tone = item.mode === 'observe' ? 'locked' : 'warn' + return ( +
+ {String(index + 1).padStart(2, '0')} +
+
{t(`${item.key}.title` as never)}
+
{t(`${item.key}.body` as never)}
+
+
+ {item.mode} +
+
+ ) +} + +export default function IwoooSPage({ params }: { params: { locale: string } }) { + const t = useTranslations('iwooos') + + return ( + +
+
+
+
+ + {t('eyebrow')} +
+

{t('title')}

+

+ {t('subtitle')} +

+
+
+
+ + {t('boundary.label')} +
+
{t('boundary.state')}
+

{t('boundary.detail')}

+
+
+ +
+ {postureMetrics.map(item => )} +
+ +
+ {posturePillars.map(item => )} +
+ +
+
+
+

{t('lanes.title')}

+

{t('lanes.subtitle')}

+
+ {nonBlockingLanes.map((item, index) => )} +
+ +
+
+
+ +

{t('nextGate.title')}

+
+

{t('nextGate.body')}

+
+ +
+
+ +

{t('evidence.title')}

+
+
+ {evidenceItems.map(item => ( +
+ {item} +
+ ))} +
+
+ +
+
+ +

{t('blocked.title')}

+
+

{t('blocked.body')}

+
+
+
+
+
+ ) +} diff --git a/apps/web/src/components/command-palette/CommandPalette.tsx b/apps/web/src/components/command-palette/CommandPalette.tsx index dc1bd1ab3..af8545d69 100644 --- a/apps/web/src/components/command-palette/CommandPalette.tsx +++ b/apps/web/src/components/command-palette/CommandPalette.tsx @@ -17,7 +17,7 @@ import React, { useEffect, useRef, useState, useCallback } from 'react' import { useTranslations } from 'next-intl' import { useRouter, usePathname } from 'next/navigation' import { useLocale } from 'next-intl' -import { Search, Terminal, Home, Activity, Wrench, Shield, BookOpen, Settings, Zap, GitBranch } from 'lucide-react' +import { Search, Terminal, Home, Activity, Wrench, Shield, BookOpen, Settings, Zap, GitBranch, Radar } from 'lucide-react' import { useTerminalStore } from '@/stores/terminal.store' import { Z_INDEX } from '@/lib/constants/z-index' @@ -107,6 +107,14 @@ export function CommandPalette() { action: () => nav('/security-compliance'), keywords: ['security', '安全', 'compliance', '合規'], }, + { + id: 'iwooos', + label: t('actionGoIwooos'), + group: t('groupNav'), + icon: , + action: () => nav('/iwooos'), + keywords: ['iwooos', 'information security', '資安網', '資安態勢'], + }, { id: 'knowledge', label: t('actionGoKnowledge'), diff --git a/apps/web/src/components/layout/sidebar.tsx b/apps/web/src/components/layout/sidebar.tsx index 673eb5c37..4af026774 100644 --- a/apps/web/src/components/layout/sidebar.tsx +++ b/apps/web/src/components/layout/sidebar.tsx @@ -33,7 +33,7 @@ import { Wrench, Package, Ticket, DollarSign, Zap, FileText, BookOpen, Terminal, AppWindow, Server, Users, BellRing, CreditCard, HelpCircle, Settings, - ChevronLeft, ChevronRight, Diff, BrainCircuit, + ChevronLeft, ChevronRight, Diff, BrainCircuit, Radar, } from 'lucide-react' // Phase 8.0 #15: 改用 approval store SSE (移除 polling) import { useApprovalStore } from '@/stores/approval.store' @@ -85,6 +85,7 @@ const NAV_SECTIONS: NavSection[] = [ { id: 'automation', href: '/automation', labelKey: 'automation', Icon: Wrench }, { id: 'operations', href: '/operations', labelKey: 'operations', Icon: Package }, { id: 'security-compliance', href: '/security-compliance', labelKey: 'securityCompliance',Icon: Shield }, + { id: 'iwooos', href: '/iwooos', labelKey: 'iwooos', Icon: Radar }, { id: 'knowledge', href: '/knowledge', labelKey: 'knowledge', Icon: BookOpen }, { id: 'governance', href: '/governance', labelKey: 'governance', Icon: ShieldCheck }, { id: 'awooop', href: '/awooop/work-items', labelKey: 'awooop', Icon: BrainCircuit }, diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 346f2a90f..d9a747b5f 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,17 @@ +## 2026-05-19 | 資安供應鏈 S2.8:IwoooS Frontend Posture Entry + +**背景**:統帥指出目前資安工作雖有 schema / snapshot / guard 推進,但使用者端無感;決策為新增獨立入口 **IwoooS = Information Security**,不再把資安網塞在一般安全 / 合規頁。 + +**完成**: +- 新增 `/iwooos` 前端路由,作為 Information Security Mesh 的 read-only posture dashboard。 +- Sidebar 與 Command Palette 新增 IwoooS 入口。 +- IwoooS 首版以 Security Posture / Exposure Management 方式顯示:58% headline、framework 80-85%、runtime landing 35-40%、35 contracts、0 active runtime gates、Exposure / Source-control / Kali / Approval 四個資安面向、7 條 non-blocking escalation lanes 與 evidence refs。 +- `security_mirror_status_rollup_v1` micro progress ledger 新增 `s2_8_iwooos_frontend_posture_entry`,headline progress 仍維持 58%。 + +**仍禁止**: +- IwoooS 只顯示 mirror-only / observe-first posture,不新增 scan、execute、repair、repo、refs、workflow、secret、runner、primary switch 或 deploy action button。 +- 不把前端可見進度當成 owner response、production ingestion、approval、runtime gate、Kali scan 或 GitHub primary approval。 + ## 2026-05-19 | 資安供應鏈 S1.3:Low-Friction Non-Blocking Escalation Lanes **背景**:統帥明確要求初期不要把資訊安全等級一次拉太高,避免產品、架構與流程被過度阻擋。既有 `security_rollout_policy_v1` 已有 observe-first / mirror-only 原則,但尚未把「哪些情境不能直接升 blocking」寫成可驗證 lanes。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 6a54ad135..ca2955ee9 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -34,6 +34,7 @@ | Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;S4.12 補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 owner response templates;0 個 inventory complete、audit events emitted 0 筆、禁止收集 secret value、禁止 write token | | Owner response validation | S4.13 已建立;四包 owner response 目前 received/accepted 皆為 0;4 條 missing response lanes、4 步 collection order、next collection candidate、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與 7 條 parallel session recovery outcome lanes 可供 AwoooP 直接顯示;下一個建議收件為 S4.9 Gitea owner attestation;latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`,reviewer audit emitted 仍為 0,不代表 owner response 已收到或任何執行授權 | | Low-friction rollout policy | S1.3 已補 7 條 non-blocking escalation lanes;LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 初期只能 observe / warn;`owner_review_required_before_blocking=true`、`runtime_blocking_allowed=false` | +| IwoooS frontend posture | S2.8 已新增 `/iwooos` read-only Information Security 入口;顯示 Security Posture / Exposure、source-control supply chain、Kali 112 Mesh、approval boundary、non-blocking lanes 與 evidence refs;不新增執行按鈕 | | Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion | | Runtime actions | `false` | | Payload ingestion | `false` | @@ -89,6 +90,7 @@ | S4.13 parallel session recovery checks | framework detail | 0 | 只確認 conflict lane 後要重抓遠端、重讀 latest ledger、重跑只讀 guards、review staged diff、確認 runtime false flags 與回到 S4.9 next focus,不代表 owner response、production ingestion、approval、runtime gate 或 execution authorization | | S4.13 parallel session recovery outcome lanes | framework detail | 0 | 只把復原結果分類成 ready、branch diverged、ledger stale、guard failed、diff out-of-scope、runtime flag drift 或 next focus drift,不代表 owner response、production ingestion、approval、runtime gate 或 execution authorization | | S1.3 non-blocking escalation lanes | framework detail | 0 | 只確認 LOW / MEDIUM observation、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 先維持 observe / warn,不代表 blocking gate、runtime enforcement 或 action button | +| S2.8 IwoooS frontend posture entry | framework detail | 0 | 只把 mirror-only 資安態勢呈現在前端,不代表 owner response、production ingestion、approval、runtime gate 或 execution authorization | headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence: diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index ee5d9e7ab..d55d5296e 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -27,7 +27,7 @@ python3 scripts/security/security-mirror-progress-guard.py ### 0.2 Headline 58% 不代表停滯 -近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes,以及 S1.3 non-blocking escalation lanes 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 +近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks / recovery outcome lanes、S1.3 non-blocking escalation lanes,以及 S2.8 IwoooS frontend posture entry 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 | 最近完成 | 目前狀態 | headline delta | |----------|----------|----------------| @@ -67,6 +67,7 @@ python3 scripts/security/security-mirror-progress-guard.py | S4.13 parallel session recovery checks | 已完成草案,只確認 conflict lane 後要重抓遠端、重讀 latest ledger、重跑只讀 guards、review diff、確認 false flags 與回到 S4.9 next focus | 0 | | S4.13 parallel session recovery outcome lanes | 已完成草案,只分類 ready、branch diverged、ledger stale、guard failed、diff out-of-scope、runtime flag drift 或 next focus drift | 0 | | S1.3 low-friction non-blocking escalation lanes | 已完成草案,只確認 LOW / MEDIUM、缺 owner response、partial mirror、source-control drift、Kali observe finding、workflow / secret name gap 與 headline holding 維持 observe / warn | 0 | +| S2.8 IwoooS frontend posture entry | 已完成草案,新增 `/iwooos` read-only Security Posture / Exposure 入口,顯示 58%、35 contracts、Kali / source-control / approval boundary 與 non-blocking lanes | 0 | headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。 @@ -93,6 +94,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S2.5 AwoooP 鏡像隔離契約 | 完成草案 | `security_mirror_quarantine_v1` 已建立 5 個 quarantine lanes;失敗 payload 必須等新 snapshot commit 後才能 retry | AwoooP 可隔離壞資料,不阻擋 runtime | | S2.6 AwoooP 鏡像 dry-run 報告契約 | 完成草案 | `security_mirror_dry_run_v1` 已建立 8 個 dry-run steps,已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`;latest local validation 為 `repo_snapshot_guard_pass`;目前狀態仍為 contract defined not executed | AwoooP 未來可回報演練結果,但不啟動 production ingestion | | S2.7 AwoooP 鏡像狀態彙整契約 | 完成草案 | `security_mirror_status_rollup_v1` 已建立,彙整 S0-S4、approval queue summary 與下一個安全 gate;S4.13 已補 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes、parallel session recovery checks 與 parallel session recovery outcome lanes | 兩個 Session 用同一份 rollup 同步,不誤啟執行面 | +| S2.8 IwoooS 前端態勢入口 | 完成草案 | 已新增 `/iwooos`、Sidebar 入口與 Command Palette 入口;以 Security Posture / Exposure Management 方式顯示目前資安網狀態、Kali 112、source-control supply chain、approval boundary、non-blocking lanes 與 evidence refs | 使用者可看懂資安網進度與邊界,但不新增執行按鈕 | | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate | | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item | | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 | diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index 7e05a4f4c..3c6db291d 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -599,6 +599,18 @@ "runtime_delta": false, "execution_authorized": false, "not_authorization": true + }, + { + "delta_id": "s2_8_iwooos_frontend_posture_entry", + "display_order": 37, + "completed_stage": "S2.8 IwoooS frontend posture entry", + "progress_axis": "framework_detail", + "headline_percent_delta": 0, + "framework_delta_visible": true, + "why_headline_unchanged": "IwoooS 只把 mirror-only security posture、exposure、approval boundary、evidence 與 non-blocking lanes 呈現在前端,不代表 owner response received、production ingestion、approval、runtime gate 或 execution authorization。", + "runtime_delta": false, + "execution_authorized": false, + "not_authorization": true } ], "next_safe_actions": [ @@ -651,6 +663,22 @@ "新增 scan / execute / repo / refs / workflow / secret / runner / primary action button" ] }, + { + "action_id": "show_iwooos_frontend_posture", + "title": "IwoooS 顯示資安態勢入口", + "mode": "observe", + "source_contract": "security_mirror_status_rollup_v1", + "allowed_processing": [ + "顯示 58% headline、framework / runtime landing、35 contracts 與 0 active runtime gates", + "顯示 Exposure Posture、Source-control Supply Chain、Kali 112 Mesh 與 Approval Boundary", + "顯示 7 條 non-blocking escalation lanes 與目前 evidence refs" + ], + "blocked_processing": [ + "新增 scan / execute / repair button", + "把 IwoooS posture 當成 runtime authorization", + "把前端可見進度當成 GitHub primary、Kali scan 或 repo / refs action approval" + ] + }, { "action_id": "mirror_approval_review_packets", "title": "AwoooP 顯示 8 個人工審查封包", diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 26fee2c97..d9b29d136 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -119,6 +119,7 @@ def validate(root: Path) -> None: "s4_13_owner_response_validation_parallel_session_recovery_checks", "s4_13_owner_response_validation_parallel_session_recovery_outcome_lanes", "s1_3_low_friction_non_blocking_escalation_lanes", + "s2_8_iwooos_frontend_posture_entry", ] assert_equal( "progress_delta_ledger.delta_ids",