Files
awoooi/docs/security/security-mirror-intake-plan.snapshot.json
2026-05-13 11:41:47 +08:00

200 lines
6.7 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_mirror_intake_plan_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/security-mirror-route.snapshot.json"
],
"intake_waves": [
{
"wave_id": "M0_index_bootstrap",
"title": "載入 readiness、manifest、低摩擦 policy 與鏡像路由",
"contracts": [
"security_mirror_readiness_v1",
"security_supply_chain_contract_manifest_v1",
"security_rollout_policy_v1",
"security_mirror_event_v1",
"security_mirror_route_v1"
],
"destinations": [
"operator_console",
"runtime_state",
"audit_evidence"
],
"allowed_processing": [
"顯示 contract readiness",
"顯示 mirror_only enforcement",
"顯示 partial_ready / contract_only 原因",
"使用 security_mirror_event_v1 包裝 mirror payload",
"依 security_mirror_route_v1 分流目的地與 review lane"
],
"blocked_processing": [
"runtime_enforcement",
"execution_router",
"blocking_gate"
],
"exit_gate": "Operator Console 能顯示 23 個 contract、5 個 route groups 與 execution_allowed=false且 mirror event envelope action_buttons_allowed=false。"
},
{
"wave_id": "M1_kali_visibility",
"title": "Kali 112 狀態、scope 與 approval queue visibility",
"contracts": [
"kali_integration_status_v1",
"kali_scan_scope_approval_v1",
"security_approval_queue_v1",
"security_finding_v1"
],
"destinations": [
"operator_console",
"runtime_state",
"channel_event",
"approval_queue",
"audit_evidence"
],
"allowed_processing": [
"mirror Kali health / update / gap evidence",
"顯示 scan scope group",
"顯示 approval queue review order",
"顯示 redacted finding sample"
],
"blocked_processing": [
"start_kali_scan",
"call_kali_execute_endpoint",
"credentialed_scan",
"full_upgrade_or_reboot"
],
"exit_gate": "AwoooP 顯示 Kali health、5 個 scan scope groups、8 個 approval queue items但沒有 action button。"
},
{
"wave_id": "M2_source_control_visibility",
"title": "Gitea/GitHub source-control evidence visibility",
"contracts": [
"source_control_migration_event_v1",
"gitea_repo_inventory_v1",
"local_git_remote_inventory_v1",
"github_target_probe_v1",
"github_target_decision_v1",
"github_target_repo_approval_package_v1",
"source_control_approval_board_v1",
"source_control_reconcile_plan_v1",
"source_control_ref_detail_diff_v1",
"source_control_ref_truth_classification_v1",
"local_repo_canonical_probe_v1",
"git_remote_refs_probe_v1"
],
"destinations": [
"operator_console",
"runtime_state",
"approval_queue",
"audit_evidence"
],
"allowed_processing": [
"mirror repo/branch/tag 差異",
"顯示 pending owner / visibility / canonical decision",
"顯示 refs truth review lane",
"顯示 Gitea inventory partial reason"
],
"blocked_processing": [
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"delete_or_archive_gitea_repo"
],
"exit_gate": "AwoooP 能顯示 source-control blocking reasons且所有 repo/refs actions 都 disabled。"
},
{
"wave_id": "M3_approval_candidates",
"title": "Approval candidate mirror 與人工決策留痕",
"contracts": [
"approval_required_event_v1",
"security_approval_queue_v1",
"github_target_repo_approval_package_v1",
"source_control_approval_board_v1",
"kali_scan_scope_approval_v1"
],
"destinations": [
"approval_queue",
"operator_console",
"audit_evidence"
],
"allowed_processing": [
"create_approval_candidate",
"record_human_decision",
"display_required_reviewers",
"display_blocked_until_approved"
],
"blocked_processing": [
"auto_approve",
"execute_after_approval_without_new_runtime_gate",
"store_secret_value"
],
"exit_gate": "Approval candidate 可顯示與留痕,但任何批准後執行仍需要下一階段 runtime gate。"
},
{
"wave_id": "M4_patch_only_backlog",
"title": "Code review / Codex patch-only backlog",
"contracts": [
"coding_task_v1"
],
"destinations": [
"operator_console",
"approval_queue",
"audit_evidence"
],
"allowed_processing": [
"display_patch_backlog_contract",
"create_draft_patch_task_after_review",
"request_reviewers"
],
"blocked_processing": [
"auto_merge",
"production_deploy",
"secret_rotation",
"network_policy_change"
],
"exit_gate": "AwoooP 只顯示 patch-only backlog lane沒有 Codex runner action。"
}
],
"acceptance_gates": [
{
"gate_id": "MIRROR_ONLY_DEFAULT",
"requirement": "所有 intake waves 都必須維持 runtime_execution_authorized=false。",
"evidence_ref": "docs/security/security-mirror-intake-plan.snapshot.json"
},
{
"gate_id": "NO_ACTION_BUTTONS",
"requirement": "Operator Console 不得新增 scan、execute、repo、refs、deploy、secret 類 action button。",
"evidence_ref": "docs/security/SECURITY-MIRROR-READINESS.md"
},
{
"gate_id": "REDACTION_ONLY",
"requirement": "Mirror payload 不得保存 raw secret、token、cookie、private key 或 exploit payload。",
"evidence_ref": "docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md"
},
{
"gate_id": "LOW_MEDIUM_NOT_BLOCKING",
"requirement": "LOW / MEDIUM observation 初期只能 observe / warn不得升為 blocking gate。",
"evidence_ref": "docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md"
}
],
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload"
]
}