Files
awoooi/docs/security/security-mirror-readiness.snapshot.json
Your Name 58e760fae2
All checks were successful
CD Pipeline / tests (push) Successful in 1m25s
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / build-and-deploy (push) Successful in 4m2s
CD Pipeline / post-deploy-checks (push) Successful in 1m48s
feat(security): 擴充 S4.10 target owner response
2026-06-11 20:30:41 +08:00

567 lines
24 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_mirror_readiness_v1",
"status": "draft",
"date": "2026-05-17",
"default_enforcement_level": "mirror_only",
"runtime_execution_authorized": false,
"summary": {
"total_contracts": 36,
"ready_for_mirror_count": 33,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0
},
"mirror_destinations": [
"awooop_operator_console",
"awooop_runtime_state",
"awooop_channel_event",
"awooop_audit_evidence",
"awooop_approval_queue"
],
"contract_readiness": [
{
"contract": "security_rollout_policy_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "read_only_policy",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-rollout-policy.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md"
],
"notes": "可供 AwoooP 顯示 observe-first / mirror-only policy 與 7 條 non-blocking escalation lanes不得 runtime enforcement也不得把 follow-up 直接升 blocking。"
},
{
"contract": "security_finding_v1",
"readiness": "partial_ready",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-finding-kali-sample.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-FINDING-CONTRACT.md"
],
"notes": "目前只有 Kali sample snapshotruntime ingestion 尚未啟用。"
},
{
"contract": "kali_integration_status_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/kali-integration-status.snapshot.json"
],
"human_docs": [
"docs/security/KALI-INTEGRATION-STATUS.md"
],
"notes": "可 mirror Kali health、更新紀錄、缺口與高風險 gate。"
},
{
"contract": "kali_scan_scope_approval_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/kali-scan-scope-approval.snapshot.json"
],
"human_docs": [
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md"
],
"notes": "可 mirror scope group 與 approval gates不得啟動 scan。"
},
{
"contract": "security_approval_queue_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-approval-queue.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-QUEUE.md"
],
"notes": "可 mirror 8 個 queue items、review order、blocked reason 與 required reviewers。"
},
{
"contract": "security_approval_gate_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-approval-gate.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-GATE.md"
],
"notes": "可 mirror S3 人工批准 gate、決策範圍與 follow-up runtime gate不得執行 gate item。"
},
{
"contract": "security_approval_decision_record_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-approval-decision-record.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-DECISION-RECORD.md"
],
"notes": "可 mirror S3 人工決策紀錄格式;目前尚無 approved decision record且 execution_authorized=false。"
},
{
"contract": "security_approval_review_packet_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-approval-review-packet.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md"
],
"notes": "可 mirror S3 人工審查封包、review lane、required reviewers 與 still forbidden不代表批准或執行授權。"
},
{
"contract": "security_approval_state_transition_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-approval-state-transition.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md"
],
"notes": "可 mirror S3 人工決策狀態轉移語義approve_scope 仍只進 waiting runtime gate不授權執行。"
},
{
"contract": "security_followup_runtime_gate_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md"
],
"notes": "可 mirror S3 後續 runtime gate 準備模板、preflight checks 與 rollback/disable requirement目前 active_runtime_gates=0。"
},
{
"contract": "security_mirror_readiness_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-readiness.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-READINESS.md"
],
"notes": "本契約提供 AwoooP mirror/read-only readiness index不授權執行。"
},
{
"contract": "security_mirror_intake_plan_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-intake-plan.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-INTAKE-PLAN.md"
],
"notes": "提供 AwoooP mirror-only intake waves、destinations、allowed/blocked processing 與 acceptance gates。"
},
{
"contract": "security_mirror_event_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-event-sample.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md"
],
"notes": "提供 AwoooP mirror event envelope所有 mirror events 都必須帶 execution_authorized=false 與 action_buttons_allowed=false。"
},
{
"contract": "security_mirror_route_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-route.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"notes": "提供 AwoooP mirror-only route groups、channel policy 與 review lane不授權執行。"
},
{
"contract": "security_mirror_acceptance_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-acceptance.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-ACCEPTANCE.md"
],
"notes": "提供 AwoooP mirror-only ingestion 驗收 checks不作 runtime blocker。"
},
{
"contract": "security_mirror_quarantine_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-quarantine.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-QUARANTINE.md"
],
"notes": "提供 AwoooP mirror-only 驗收失敗隔離與 retry gate不授權執行。"
},
{
"contract": "security_mirror_dry_run_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-dry-run.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-DRY-RUN.md"
],
"notes": "提供 AwoooP mirror-only 接入演練回報格式;目前為 contract_defined_not_executed。"
},
{
"contract": "security_mirror_status_rollup_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md",
"docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md"
],
"notes": "提供 AwoooP / Security Supply Chain 跨 Session 狀態總覽、下一個 gate 與禁止事項S4.13 owner response validation rollup 可 mirror 四個 response packets、24 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks、7 條 parallel session recovery outcome lanes、received=0、accepted=0、reviewer audit emitted=0、next_collection_candidate=S4.9;不授權執行。"
},
{
"contract": "iwooos_posture_projection_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/iwooos-posture-projection.snapshot.json"
],
"human_docs": [
"docs/security/IWOOOS-POSTURE-PROJECTION.md"
],
"notes": "可 mirror IwoooS 前端資安態勢投影;只顯示 posture、progress、non-blocking lanes、evidence refs 與 forbidden actions不提供執行按鈕。"
},
{
"contract": "coding_task_v1",
"readiness": "contract_only",
"consumption_mode": "suggest_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [],
"human_docs": [
"docs/security/CODEX-PATCH-ONLY-HANDOFF-PROMPT.md"
],
"notes": "已有 schema 與 handoff prompt但尚無正式 coding task snapshot。"
},
{
"contract": "source_control_migration_event_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/gitea-github-awoooi-inventory.snapshot.json",
"docs/security/source-control-clawbot-v5.snapshot.json",
"docs/security/source-control-wooo-aiops.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md"
],
"notes": "可 mirror source-control diff summary仍不得 sync refs 或切 primary。"
},
{
"contract": "gitea_repo_inventory_v1",
"readiness": "partial_ready",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-public-repo-search.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md",
"docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md",
"docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md"
],
"notes": "目前仍是 public-only / blocked endpoint evidenceS4.5 已補 authenticated/admin export requestS4.6 已補 redacted import acceptanceS4.7 已補 owner coverage attestation requestS4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanesprivate/internal 全量需 approval、脫敏 payload 驗收與 owner scope decisionaudit templates 仍為 0 emitted。"
},
{
"contract": "local_git_remote_inventory_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/local-git-remote-inventory.snapshot.json"
],
"human_docs": [
"docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md"
],
"notes": "可 mirror 本機 remote coverage 與 embedded credential hygiene risk不修改 remote。"
},
{
"contract": "github_target_probe_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/github-target-probe.snapshot.json"
],
"human_docs": [
"docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md"
],
"notes": "可 mirror GitHub target visibilitynot_found_or_private 不等同可自動建立。"
},
{
"contract": "github_target_decision_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"human_docs": [
"docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md",
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
],
"notes": "可 mirror target decision、S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner response templatesrepo 建立、visibility 修改、refs sync 與 primary switch 仍需後續人工批准與 runtime gate。"
},
{
"contract": "github_target_repo_approval_package_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/github-target-repo-approval-package.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"human_docs": [
"docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md",
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
],
"notes": "可 mirror 逐 repo approval package、S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response 收件包;不得執行 item。"
},
{
"contract": "source_control_approval_board_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-approval-board.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md"
],
"notes": "可 mirror owner / visibility / canonical / refs 決策 board。"
},
{
"contract": "source_control_reconcile_plan_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md",
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
],
"notes": " mirror draft reconcile plan S4.11 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response wording push refs"
},
{
"contract": "source_control_ref_detail_diff_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-ref-detail-diff.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md"
],
"notes": " mirror branch/tag detail diff fetchpush delete refs"
},
{
"contract": "source_control_ref_truth_classification_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
],
"notes": " mirror refs truth classificationreview lanesS4.11 owner response request packettemplate status ledgeraudit event templatesredaction examplescollection checksintake preflight checks templatesreceived_response_count=0audit events emitted=0"
},
{
"contract": "source_control_primary_readiness_gate_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"
],
"notes": " mirror GitHub primary readiness blockersparity gates rollback ADR primary_ready_count=0"
},
{
"contract": "source_control_primary_rollback_adr_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-primary-rollback-adr.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md"
],
"notes": " mirror S4.4 GitHub primary rollback ADR 7 in-scope repo rollback plansvalidation windows owner_approved_count=0active_cutover_count=0"
},
{
"contract": "source_control_workflow_secret_name_inventory_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md"
],
"notes": " mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret inventory S4.2 local evidence 4 repos31 workflow files43 referenced secret namesS4.3 export request 7 repos5 export lanesS4.12 owner response request packet 1 template statuses 5 audit event templates 3 redaction examples 5 collection checks 6 intake preflight checks 6 templates 5 received_response_count=0audit_events_emitted=0secret_value_collection_allowed=false"
},
{
"contract": "local_repo_canonical_probe_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/local-repo-canonical-ewoooc-momo.snapshot.json"
],
"human_docs": [
"docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md"
],
"notes": " mirror momo/ewoooc lineage evidence unrelated histories"
},
{
"contract": "git_remote_refs_probe_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "mirror_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/git-remote-refs-bitan-tsenyang.snapshot.json",
"docs/security/git-remote-refs-wooo-infra-config.snapshot.json"
],
"human_docs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md"
],
"notes": " mirror read-only refs readiness fetch push"
},
{
"contract": "approval_required_event_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": [
"docs/security/gitea-readonly-inventory-approval.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md"
],
"notes": " mirror approval candidateblocked_until_approved=true "
}
],
"still_forbidden": [
"execute_mirror_item",
"start_kali_scan",
"call_kali_execute_endpoint",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"store_secret_token_cookie_private_key_or_exploit_payload",
"turn_low_medium_observations_into_blocking_gates"
]
}