Files
awoooi/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md

105 lines
9.8 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Security Supply Chain 整體進度
| 項目 | 內容 |
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | S0/S1 read-only evidence 建置中 |
| 本階段完成 | Security Supply Chain contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + Mirror Readiness Index + Mirror Intake Plan + Mirror Event Envelope |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
## 0. 本階段完成後整體進度
| 階段 | 狀態 | 目前結果 | 下一個 gate |
|------|------|----------|-------------|
| S0 文件與契約同步 | 完成 | Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立 | AwoooP 只讀 mirror 消費 |
| S1 source-control read-only inventory | 進行中 | 已有 Gitea/GitHub refs、Gitea public-only user repo list、本機 remote、GitHub target probe、canonical lineage、110 refs evidence | Gitea private/internal 全量 repo list |
| S1.0 Gitea 全量 inventory approval | 完成草案 | 已建立 read-only token / admin export approval package | 統帥或 repo owner 批准 |
| S1.1 GitHub target 決策 | 完成草案 | 8 個 target 候選7 個需人工批准3 個 `not_found_or_private` 不得自動建立 | owner / visibility / canonical approval |
| S1.2 GitHub target 逐 repo approval | 完成草案 | 7 個 approval-required targets 已拆成逐 repo pending package並彙整成 8-item approval board | 低摩擦逐項批准 |
| S1.2a refs reconcile plan | 完成草案 | `awoooi``clawbot-v5``wooo-aiops` 已產生 draft plan狀態仍為 `draft_blocked` | authenticated inventory + branch/tag diff + single-repo approval |
| S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs |
| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 |
| S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 |
| S1.4 Contract manifest | 完成草案 | 22 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
| S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate |
| S1.6 Kali finding / scan scope approval | 完成草案 | `security_finding_v1` sample snapshot 與 `kali_scan_scope_approval_v1` approval package 已建立111/168 已納入 observe-only scope | 人工批准 safe crawl / credentialed scan / runtime ingestion / full-upgrade gate |
| S1.7 Security approval queue | 完成草案 | 8 個 approval queue items 已集中7 pending approval、1 block candidateAwoooP 可 mirror 但不得執行 | 先 review redacted finding ingestion再 review safe crawl / Gitea inventory |
| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 22 個 contracts19 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 |
| S2.1 AwoooP mirror-only intake plan | 完成草案 | `security_mirror_intake_plan_v1` 已建立 5 個 intake waves 與 4 個 acceptance gates | AwoooP 主線照 wave mirror不新增 execution router |
| S2.2 AwoooP mirror event envelope | 完成草案 | `security_mirror_event_v1` 已建立,要求每筆 mirror payload 標示 `execution_authorized=false``action_buttons_allowed=false` | AwoooP mirror payload 統一 envelope |
| S3 approval gate | 未開始 | 已定義哪些動作要進 approval | 不得繞過人工批准 |
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR |
## 1. 已建立的主要 evidence
| 類型 | 檔案 |
|------|------|
| AwoooP handoff | `docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md` |
| Mirror-only 清單 | `docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md` |
| Gitea/GitHub migration inventory | `docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md` |
| Gitea server-side inventory runbook | `docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md` |
| Gitea read-only inventory approval package | `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md` |
| Gitea read-only inventory approval JSON | `docs/security/gitea-readonly-inventory-approval.snapshot.json` |
| Gitea 管理匯出 redaction checklist | `docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md` |
| Gitea org endpoint blocked evidence | `docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md` |
| Source-control migration matrix | `docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md` |
| Canonical repo 判定表 | `docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md` |
| GitHub target 決策表 | `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` |
| GitHub target 決策 JSON | `docs/security/github-target-decision.snapshot.json` |
| GitHub target repo approval package | `docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md` |
| GitHub target repo approval JSON | `docs/security/github-target-repo-approval-package.snapshot.json` |
| Source Control approval board | `docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md` |
| Source Control approval board JSON | `docs/security/source-control-approval-board.snapshot.json` |
| Source Control draft reconcile plan | `docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md` |
| Source Control draft reconcile plan JSON | `docs/security/source-control-reconcile-plan.snapshot.json` |
| Source Control branch/tag detail diff | `docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md` |
| Source Control branch/tag detail diff JSON | `docs/security/source-control-ref-detail-diff.snapshot.json` |
| Source Control ref truth classification | `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` |
| Source Control ref truth classification JSON | `docs/security/source-control-ref-truth-classification.snapshot.json` |
| Kali 112 integration status | `docs/security/KALI-INTEGRATION-STATUS.md` |
| Kali 112 integration status JSON | `docs/security/kali-integration-status.snapshot.json` |
| Security finding contract | `docs/security/SECURITY-FINDING-CONTRACT.md` |
| Security finding sample JSON | `docs/security/security-finding-kali-sample.snapshot.json` |
| Kali scan scope approval package | `docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` |
| Kali scan scope approval JSON | `docs/security/kali-scan-scope-approval.snapshot.json` |
| Security approval queue | `docs/security/SECURITY-APPROVAL-QUEUE.md` |
| Security approval queue JSON | `docs/security/security-approval-queue.snapshot.json` |
| Security mirror readiness | `docs/security/SECURITY-MIRROR-READINESS.md` |
| Security mirror readiness JSON | `docs/security/security-mirror-readiness.snapshot.json` |
| Security mirror intake plan | `docs/security/SECURITY-MIRROR-INTAKE-PLAN.md` |
| Security mirror intake plan JSON | `docs/security/security-mirror-intake-plan.snapshot.json` |
| Security mirror event contract | `docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md` |
| Security mirror event sample JSON | `docs/security/security-mirror-event-sample.snapshot.json` |
| 低摩擦 rollout policy | `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md` |
| 低摩擦 rollout policy JSON | `docs/security/security-rollout-policy.snapshot.json` |
| Security Supply Chain contract manifest | `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md` |
| Security Supply Chain contract manifest JSON | `docs/security/security-supply-chain-contract-manifest.snapshot.json` |
## 2. 現在不能做的事
1. 不建立或刪除 GitHub / Gitea repo。
2. 不修改 repo visibility。
3. 不同步 refs、branch、tag。
4. 不切 GitHub primary。
5. 不把 Codex patch runner、Kali scan 或 deploy 接進 AwoooP runtime。
6. 不保存 secret / token value。
## 2.1 初期不要過度收緊
1. Read-only inventory、文件化、risk label、mirror evidence 可持續推進。
2. 初期不把 LOW / MEDIUM observation 變成阻擋條件。
3. 初期不要求所有 repo 一次完成最高等級 controls。
4. 只針對不可逆或高風險動作設 approval gate。
5. 每階段完成後再逐步收斂,避免讓產品、架構與部署流程突然變複雜。
## 3. 下一階段建議
1. 等待 Gitea read-only inventory approval 被批准後,再用只讀 token 或管理匯出補 private/internal server-side 全量 repo list。
2.`SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical 決策。
3.`SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md``awoooi``clawbot-v5``wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
4.`ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
5.`KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。
7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy不做 runtime blocking。
8. AwoooP 主線再讀 `security_approval_queue_v1``security_supply_chain_contract_manifest_v1`,顯示 review order 與 blocked reason不新增 execution router。