Files
awoooi/docs/security/security-mirror-dry-run.snapshot.json

269 lines
14 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_mirror_dry_run_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"dry_run_status": "contract_defined_not_executed",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
"docs/security/iwooos-posture-projection.snapshot.json"
],
"summary": {
"total_contracts": 36,
"ready_for_mirror_count": 33,
"route_group_count": 5,
"acceptance_check_count": 8,
"quarantine_lane_count": 5,
"runtime_actions_executed": false,
"payloads_ingested": false
},
"dry_run_steps": [
{
"step_id": "LOAD_CONTRACT_INDEXES",
"expected_observation": "AwoooP dry-run 可讀到 manifest、readiness、event、route、acceptance、quarantine indexes。",
"evidence_refs": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/iwooos-posture-projection.snapshot.json"
],
"pass_condition": "看到 36 個 contracts、33 個 ready for mirror且所有 contract execution_allowed=false。",
"execution_allowed": false,
"blocked_actions": [
"execute_contract",
"create_runtime_router",
"add_action_button"
]
},
{
"step_id": "CHECK_EVENT_ENVELOPE",
"expected_observation": "每筆 mirror payload 都必須使用 security_mirror_event_v1 信封。",
"evidence_refs": [
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md"
],
"pass_condition": "execution_authorized=false 且 action_buttons_allowed=false。",
"execution_allowed": false,
"blocked_actions": [
"execute_event",
"show_action_button",
"auto_approve_event"
]
},
{
"step_id": "CHECK_ROUTE_COVERAGE",
"expected_observation": "5 個 route groups 覆蓋 manifest contract set並保留 channel policy 與 review lane。",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"pass_condition": "route groups 合併後涵蓋 36 個 contracts沒有未知 execution route。",
"execution_allowed": false,
"blocked_actions": [
"fallback_to_execution_route",
"send_unknown_contract_to_runner",
"auto_route_to_approval_queue"
]
},
{
"step_id": "CHECK_ACCEPTANCE_AND_QUARANTINE",
"expected_observation": "8 個 acceptance checks 與 5 個 quarantine lanes 都可顯示,且失敗 payload 只隔離不執行。",
"evidence_refs": [
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"pass_condition": "blocking checks 只阻擋壞的 mirror payloadquarantine 不阻擋 runtime。",
"execution_allowed": false,
"blocked_actions": [
"runtime_block_product_flow",
"auto_retry_failed_payload",
"convert_quarantine_to_execution"
]
},
{
"step_id": "CHECK_PROGRESS_GUARD",
"expected_observation": "AwoooP dry-run 必須確認 58% headline 進度與 micro progress delta ledger 只作狀態顯示,不代表 approval、runtime gate、GitHub primary、repo / refs / workflow / secret / runner 或 Kali scan 授權;所有 delta 的 headline_percent_delta 必須為 0。",
"evidence_refs": [
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"scripts/security/security-mirror-progress-guard.py"
],
"pass_condition": "`python3 scripts/security/security-mirror-progress-guard.py` 回傳 SECURITY_MIRROR_PROGRESS_GUARD_OK且 runtime_actions_executed=false、payloads_ingested=false。",
"execution_allowed": false,
"blocked_actions": [
"treat_progress_as_approval",
"activate_runtime_gate",
"add_action_button",
"start_kali_scan",
"create_github_repo",
"sync_git_refs",
"switch_github_primary"
]
},
{
"step_id": "CHECK_OWNER_RESPONSE_GUARD",
"expected_observation": "AwoooP dry-run S4.9 / S4.10 / S4.11 / S4.12 owner response waiting_owner_responsereceived / accepted 0 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / intake preflight / outcome lanes ownerS4.10 owner response request packet 9 GitHub target owner / visibility / canonical S4.10 template status ledger waiting / request readyS4.10 audit event templates 0 emitted metadataS4.10 redaction examples metadata shapeS4.10 collection checks request / received / accepted S4.10 intake preflight checks S4.11 request packet 5 refs truth owner response S4.11 template status ledger waiting / request readyS4.11 audit event templates 0 emitted metadataS4.11 redaction examples metadata shapeS4.11 collection checks request / received / accepted S4.11 intake preflight checks S4.12 request packet 5 workflow / secret owner response S4.12 template status ledger waiting / request readyS4.12 audit event templates 0 emitted metadataS4.12 redaction examples metadata shapeS4.12 collection checks request / received / accepted S4.12 intake preflight checks request showntemplate statusresponse received metadataredaction examplecollection check passpreflight pass outcome classified approval reporefsworkflowsecretrunnerGitHub primaryaudit production ingestion runtime action",
"evidence_refs": [
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
"docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md",
"scripts/security/source-control-owner-response-guard.py"
],
"pass_condition": "`python3 scripts/security/source-control-owner-response-guard.py` SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK received_response_count=0accepted_response_count=0",
"execution_allowed": false,
"blocked_actions": [
"treat_owner_guard_as_response_received",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"modify_workflow_or_secret",
"enable_runner",
"switch_github_primary"
]
},
{
"step_id": "CHECK_OWNER_GATE_GUARD",
"expected_observation": "AwoooP dry-run S4.9 canonical owner response envelopeintake formgap auditGitea owner attestation responseS4.10 / S4.11 / S4.12 owner response packet S4.13 rollup waiting owner responsereceived / accepted / rejected=0runtime gate=0action button=false ",
"evidence_refs": [
"docs/security/S4-9-OWNER-RESPONSE-GATE-CURRENT-GAP-AUDIT.md",
"docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
"scripts/security/iwooos-owner-gate-guard.py"
],
"pass_condition": "`python3 scripts/security/iwooos-owner-gate-guard.py` IWOOOS_OWNER_GATE_GUARD_OK request_sent_count=0received_response_count=0accepted_response_count=0runtime_gate_count=0",
"execution_allowed": false,
"blocked_actions": [
"treat_intake_form_as_owner_response",
"mark_owner_response_received_without_envelope",
"mark_owner_response_accepted_without_reviewer",
"create_github_repo",
"sync_git_refs",
"modify_workflow_or_secret",
"enable_runner",
"open_runtime_gate"
]
},
{
"step_id": "CHECK_CONFIG_CONTROL_GUARD",
"expected_observation": "AwoooP dry-run 14 snapshot NginxDNS / TLSK8sSecretsrunnerpublic runtimebackupmonitoring agent-bounty-protocol owner response / change evidence reloadrestartsyncdeploysecretscan runtime gate ",
"evidence_refs": [
"docs/security/high-value-config-control-coverage.snapshot.json",
"docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md",
"scripts/security/iwooos-config-control-guard.py"
],
"pass_condition": "`python3 scripts/security/iwooos-config-control-guard.py` IWOOOS_CONFIG_CONTROL_GUARD_OK owner_response_received_count=0owner_response_accepted_count=0runtime_gate_count=0action_button_count=0",
"execution_allowed": false,
"blocked_actions": [
"treat_config_coverage_as_runtime_approval",
"reload_nginx",
"modify_firewall",
"modify_workflow_or_secret",
"enable_runner",
"run_active_scan",
"production_deploy"
]
},
{
"step_id": "CHECK_PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD",
"expected_observation": "AwoooP dry-run Package / Docker baseline owner policy gate request C0 owner reviewer checks blocked actions request_sent / received / accepted / runtime / action 0 / false",
"evidence_refs": [
"docs/security/PACKAGE-SUPPLY-CHAIN-BASELINE.md",
"docs/security/package-supply-chain-baseline.snapshot.json",
"docs/security/PACKAGE-SUPPLY-CHAIN-OWNER-POLICY-GATE.md",
"docs/security/package-supply-chain-owner-policy-gate.snapshot.json",
"scripts/security/package-supply-chain-owner-policy-guard.py"
],
"pass_condition": "`python3 scripts/security/package-supply-chain-owner-policy-guard.py` PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK install upgrade CVE / license lookup SBOM pull / build / push image registry",
"execution_allowed": false,
"blocked_actions": [
"install_package",
"upgrade_package",
"rewrite_lockfile",
"pin_requirements_without_owner_policy",
"run_external_cve_lookup",
"run_external_license_lookup",
"generate_sbom",
"docker_pull",
"docker_build",
"docker_push",
"registry_login",
"production_deploy",
"open_runtime_gate"
]
},
{
"step_id": "CHECK_LOW_NOISE_CHANNEL",
"expected_observation": "Channel Event ",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"pass_condition": "LOW / MEDIUM owner responsepartial mirrorsource-control driftKali observe findingworkflow / secret name gap headline holding ",
"execution_allowed": false,
"blocked_actions": [
"notify_every_observation",
"block_deploy_on_low_medium",
"turn_warning_into_runtime_alarm"
]
},
{
"step_id": "CONFIRM_NO_RUNTIME_ACTION",
"expected_observation": "Dry-run scanexecutereporefsdeploysecret ",
"evidence_refs": [
"docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md",
"docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md"
],
"pass_condition": "runtime_actions_executed=false payloads_ingested=false",
"execution_allowed": false,
"blocked_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"create_github_repo",
"sync_git_refs",
"switch_github_primary",
"production_deploy",
"store_secret_value"
]
}
],
"latest_local_validation": {
"status": "repo_snapshot_guard_pass",
"date": "2026-06-15",
"scope": "repo_snapshot_only",
"command": "python3 scripts/security/security-mirror-progress-guard.py && python3 scripts/security/source-control-owner-response-guard.py && python3 scripts/security/iwooos-config-control-guard.py && python3 scripts/security/iwooos-owner-gate-guard.py && python3 scripts/security/package-supply-chain-owner-policy-guard.py",
"result": "SECURITY_MIRROR_PROGRESS_GUARD_OK; SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK; IWOOOS_CONFIG_CONTROL_GUARD_OK; IWOOOS_OWNER_GATE_GUARD_OK; PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK",
"validated_steps": [
"LOAD_CONTRACT_INDEXES",
"CHECK_ACCEPTANCE_AND_QUARANTINE",
"CHECK_PROGRESS_GUARD",
"CHECK_OWNER_RESPONSE_GUARD",
"CHECK_OWNER_GATE_GUARD",
"CHECK_CONFIG_CONTROL_GUARD",
"CHECK_PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD",
"CONFIRM_NO_RUNTIME_ACTION"
],
"runtime_actions_executed": false,
"payloads_ingested": false,
"production_ingestion_enabled": false,
"not_authorization": true
},
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload"
]
}