Files
awoooi/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md

72 lines
6.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# 資安鏡像狀態彙整契約
| 項目 | 內容 |
|------|------|
| 日期 | 2026-05-17 |
| 狀態 | 草案 |
| Schema | `docs/schemas/security_mirror_status_rollup_v1.schema.json` |
| Snapshot | `docs/security/security-mirror-status-rollup.snapshot.json` |
| 模式 | `mirror_only` |
| runtime 執行授權 | `false` |
## 0. 核心結論
`security_mirror_status_rollup_v1` 是 AwoooP 與 Security Supply Chain Session 的共同狀態入口。
它只彙整目前框架、鏡像契約、approval queue 與下一個安全 gate不授權任何 scan、execute、repo、refs、deploy 或 secret 類動作。
## 1. 目前狀態
| 類型 | 狀態 |
|------|------|
| Contract manifest | 35 個 contracts |
| Mirror readiness | 32 ready、2 partial、1 contract-only、0 blocked |
| Approval queue | 8 items7 pending approval、1 block candidate |
| Approval gate | S3.0 已建立0 approved、7 pending、1 block candidate |
| Decision records | S3.1 已建立;目前 0 筆決策紀錄 |
| Review packets | S3.2 已建立8 packets、7 ready for human review、1 block candidate |
| State transitions | S3.3 已建立5 個 decision options 都有 next state且都不授權執行 |
| Follow-up runtime gate templates | S3.4 已建立8 個 templates、0 個 active runtime gates |
| GitHub primary readiness gate | S4.0 已建立8 個 candidate repos、7 個 in-scope blocked、0 個 primary readyS4.10 已補 GitHub target owner decision response 收件包7 個 response templates、owner response 0 筆S4.11 已補 refs truth owner response 收件包5 個 response templates、owner response 0 筆S4.12 已補 workflow / secret 名稱 owner response 收件包5 個 response templates、owner response 0 筆 |
| GitHub primary rollback ADR | S4.4 已建立7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover |
| Gitea inventory | S4.5 已補認證清冊匯出請求S4.6 已補匯入驗收契約S4.7 已補 owner coverage attestationS4.8 已把既有 Gitea queue/gate/review packet/follow-up gate 對齊 attestation 先行S4.9 已補 owner response 收件包;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、owner response 0 筆、敏感 payload 必須隔離、允許收集 token value=false |
| Workflow / secret name inventory | S4.1 已建立S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidenceS4.3 補 7 個 repos、5 類 lanes 的 redacted export requestS4.12 補 5 個 owner response templates0 個 inventory complete、禁止收集 secret value、禁止 write token |
| Dry-run | `contract_defined_not_executed` |
| Runtime actions | `false` |
| Payload ingestion | `false` |
## 2. AwoooP 可做
1. 顯示 S0 到 S4 的階段狀態。
2. 顯示 contract readiness、approval queue summary、approval gate summary 與下一個 gate。
3. 將彙整結果寫入 Audit evidence。
4. 低噪音通知階段完成、blocked reason 或人工批准必要事件。
5. 把下一步限制在 `observe` / `approval_required` / `block_candidate`
## 3. AwoooP 不可做
1. 不把 rollup 當成 runtime authorization。
2. 不新增 scan、execute、repo、refs、deploy、secret 類 action button。
3. 不把 LOW / MEDIUM observation 變成 blocking gate。
4. 不把 approval queue 接成 runner。
5. 不把 GitHub primary、refs sync 或 Kali `/execute` 當成已批准。
## 4. 下一個安全 gate
下一步仍不是 runtime enforcement。
建議先讓 AwoooP 主線只讀消費本 rollup、`security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1`,並由人工依序 review
1. redacted finding ingestion adapter。
2. safe web crawl scope。
3. Gitea private/internal read-only inventory先依 S4.9 收到並驗收 S4.7 owner coverage attestation response且 S4.8 已把這個先行條件接到既有 approval queue / gate / review packet / follow-up runtime gate再依 S4.5 認證匯出請求補全量清冊;收到脫敏 payload 後先依 S4.6 驗收 / 拒收 / 隔離;目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆,不保存 token value。
4. GitHub target / owner / visibility / canonical先依 S4.10 收到並驗收 7 個 owner decision response templatesreceived / accepted response 目前皆為 0不得把 response packet 當成 repo creation、visibility change、refs sync 或 primary approval。
5. Kali `/execute` 維持 block candidate。
6. Refs truth owner response先依 S4.11 顯示 main/dev truth、deprecated drift、release tag、GitHub-only refs 的 5 個 response templatesreceived / accepted response 目前皆為 0不得把 response packet 當成 refs sync、delete、force push 或 primary approval。
7. Workflow / secret 名稱 owner response先依 S4.12 顯示 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 5 個 response templatesreceived / accepted response 目前皆為 0不得把 response packet 當成 secret value 收集、workflow 修改、GitHub hosted runner 啟用或 primary approval。
8. GitHub primary readiness blockers 與 rollback ADR 缺口。
9. S4.4 GitHub primary rollback ADR 草案:先顯示 7 個 repo 的 rollback owner、validation window 與 triggersowner approval 前不可執行。
10. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence再依 S4.3 redacted export request 與 S4.12 owner response 收件包補 webhook / runner / deploy key / branch protection / repository secret parity只保存名稱與 owner不保存 value不使用 write token。
任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence不得由本 rollup 自動觸發。