105 lines
9.8 KiB
Markdown
105 lines
9.8 KiB
Markdown
# Security Supply Chain 整體進度
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-05-13 |
|
||
| 狀態 | S0/S1 read-only evidence 建置中 |
|
||
| 本階段完成 | Security Supply Chain contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + Mirror Readiness Index + Mirror Intake Plan + Mirror Event Envelope |
|
||
| 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
|
||
|
||
## 0. 本階段完成後整體進度
|
||
|
||
| 階段 | 狀態 | 目前結果 | 下一個 gate |
|
||
|------|------|----------|-------------|
|
||
| S0 文件與契約同步 | 完成 | Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立 | AwoooP 只讀 mirror 消費 |
|
||
| S1 source-control read-only inventory | 進行中 | 已有 Gitea/GitHub refs、Gitea public-only user repo list、本機 remote、GitHub target probe、canonical lineage、110 refs evidence | Gitea private/internal 全量 repo list |
|
||
| S1.0 Gitea 全量 inventory approval | 完成草案 | 已建立 read-only token / admin export approval package | 統帥或 repo owner 批准 |
|
||
| S1.1 GitHub target 決策 | 完成草案 | 8 個 target 候選,7 個需人工批准;3 個 `not_found_or_private` 不得自動建立 | owner / visibility / canonical approval |
|
||
| S1.2 GitHub target 逐 repo approval | 完成草案 | 7 個 approval-required targets 已拆成逐 repo pending package,並彙整成 8-item approval board | 低摩擦逐項批准 |
|
||
| S1.2a refs reconcile plan | 完成草案 | `awoooi`、`clawbot-v5`、`wooo-aiops` 已產生 draft plan;狀態仍為 `draft_blocked` | authenticated inventory + branch/tag diff + single-repo approval |
|
||
| S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff;已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs |
|
||
| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 |
|
||
| S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 |
|
||
| S1.4 Contract manifest | 完成草案 | 22 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
|
||
| S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate |
|
||
| S1.6 Kali finding / scan scope approval | 完成草案 | `security_finding_v1` sample snapshot 與 `kali_scan_scope_approval_v1` approval package 已建立;111/168 已納入 observe-only scope | 人工批准 safe crawl / credentialed scan / runtime ingestion / full-upgrade gate |
|
||
| S1.7 Security approval queue | 完成草案 | 8 個 approval queue items 已集中:7 pending approval、1 block candidate;AwoooP 可 mirror 但不得執行 | 先 review redacted finding ingestion,再 review safe crawl / Gitea inventory |
|
||
| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 22 個 contracts:19 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 |
|
||
| S2.1 AwoooP mirror-only intake plan | 完成草案 | `security_mirror_intake_plan_v1` 已建立 5 個 intake waves 與 4 個 acceptance gates | AwoooP 主線照 wave mirror,不新增 execution router |
|
||
| S2.2 AwoooP mirror event envelope | 完成草案 | `security_mirror_event_v1` 已建立,要求每筆 mirror payload 標示 `execution_authorized=false` 與 `action_buttons_allowed=false` | AwoooP mirror payload 統一 envelope |
|
||
| S3 approval gate | 未開始 | 已定義哪些動作要進 approval | 不得繞過人工批准 |
|
||
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR |
|
||
|
||
## 1. 已建立的主要 evidence
|
||
|
||
| 類型 | 檔案 |
|
||
|------|------|
|
||
| AwoooP handoff | `docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md` |
|
||
| Mirror-only 清單 | `docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md` |
|
||
| Gitea/GitHub migration inventory | `docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md` |
|
||
| Gitea server-side inventory runbook | `docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md` |
|
||
| Gitea read-only inventory approval package | `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md` |
|
||
| Gitea read-only inventory approval JSON | `docs/security/gitea-readonly-inventory-approval.snapshot.json` |
|
||
| Gitea 管理匯出 redaction checklist | `docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md` |
|
||
| Gitea org endpoint blocked evidence | `docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md` |
|
||
| Source-control migration matrix | `docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md` |
|
||
| Canonical repo 判定表 | `docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md` |
|
||
| GitHub target 決策表 | `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` |
|
||
| GitHub target 決策 JSON | `docs/security/github-target-decision.snapshot.json` |
|
||
| GitHub target repo approval package | `docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md` |
|
||
| GitHub target repo approval JSON | `docs/security/github-target-repo-approval-package.snapshot.json` |
|
||
| Source Control approval board | `docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md` |
|
||
| Source Control approval board JSON | `docs/security/source-control-approval-board.snapshot.json` |
|
||
| Source Control draft reconcile plan | `docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md` |
|
||
| Source Control draft reconcile plan JSON | `docs/security/source-control-reconcile-plan.snapshot.json` |
|
||
| Source Control branch/tag detail diff | `docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md` |
|
||
| Source Control branch/tag detail diff JSON | `docs/security/source-control-ref-detail-diff.snapshot.json` |
|
||
| Source Control ref truth classification | `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` |
|
||
| Source Control ref truth classification JSON | `docs/security/source-control-ref-truth-classification.snapshot.json` |
|
||
| Kali 112 integration status | `docs/security/KALI-INTEGRATION-STATUS.md` |
|
||
| Kali 112 integration status JSON | `docs/security/kali-integration-status.snapshot.json` |
|
||
| Security finding contract | `docs/security/SECURITY-FINDING-CONTRACT.md` |
|
||
| Security finding sample JSON | `docs/security/security-finding-kali-sample.snapshot.json` |
|
||
| Kali scan scope approval package | `docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` |
|
||
| Kali scan scope approval JSON | `docs/security/kali-scan-scope-approval.snapshot.json` |
|
||
| Security approval queue | `docs/security/SECURITY-APPROVAL-QUEUE.md` |
|
||
| Security approval queue JSON | `docs/security/security-approval-queue.snapshot.json` |
|
||
| Security mirror readiness | `docs/security/SECURITY-MIRROR-READINESS.md` |
|
||
| Security mirror readiness JSON | `docs/security/security-mirror-readiness.snapshot.json` |
|
||
| Security mirror intake plan | `docs/security/SECURITY-MIRROR-INTAKE-PLAN.md` |
|
||
| Security mirror intake plan JSON | `docs/security/security-mirror-intake-plan.snapshot.json` |
|
||
| Security mirror event contract | `docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md` |
|
||
| Security mirror event sample JSON | `docs/security/security-mirror-event-sample.snapshot.json` |
|
||
| 低摩擦 rollout policy | `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md` |
|
||
| 低摩擦 rollout policy JSON | `docs/security/security-rollout-policy.snapshot.json` |
|
||
| Security Supply Chain contract manifest | `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md` |
|
||
| Security Supply Chain contract manifest JSON | `docs/security/security-supply-chain-contract-manifest.snapshot.json` |
|
||
|
||
## 2. 現在不能做的事
|
||
|
||
1. 不建立或刪除 GitHub / Gitea repo。
|
||
2. 不修改 repo visibility。
|
||
3. 不同步 refs、branch、tag。
|
||
4. 不切 GitHub primary。
|
||
5. 不把 Codex patch runner、Kali scan 或 deploy 接進 AwoooP runtime。
|
||
6. 不保存 secret / token value。
|
||
|
||
## 2.1 初期不要過度收緊
|
||
|
||
1. Read-only inventory、文件化、risk label、mirror evidence 可持續推進。
|
||
2. 初期不把 LOW / MEDIUM observation 變成阻擋條件。
|
||
3. 初期不要求所有 repo 一次完成最高等級 controls。
|
||
4. 只針對不可逆或高風險動作設 approval gate。
|
||
5. 每階段完成後再逐步收斂,避免讓產品、架構與部署流程突然變複雜。
|
||
|
||
## 3. 下一階段建議
|
||
|
||
1. 等待 Gitea read-only inventory approval 被批准後,再用只讀 token 或管理匯出補 private/internal server-side 全量 repo list。
|
||
2. 依 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical 決策。
|
||
3. 依 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
|
||
4. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
|
||
5. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。
|
||
6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1` 與 `security_mirror_event_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。
|
||
7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。
|
||
8. AwoooP 主線再讀 `security_approval_queue_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order 與 blocked reason,不新增 execution router。
|