Files
awoooi/docs/security/security-mirror-status-rollup.snapshot.json

248 lines
11 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_mirror_status_rollup_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"rollup_status": "framework_ready_waiting_approval",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-mirror-intake-plan.snapshot.json",
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json",
"docs/security/security-mirror-dry-run.snapshot.json",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-approval-gate.snapshot.json",
"docs/security/security-approval-decision-record.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"total_contracts": 33,
"ready_for_mirror_count": 30,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
"approval_queue_total": 8,
"approval_review_packet_total": 8,
"approval_state_transition_rule_total": 5,
"followup_runtime_gate_template_total": 8,
"active_runtime_gate_count": 0,
"primary_readiness_candidate_repo_count": 8,
"github_primary_ready_count": 0,
"pending_approval_count": 7,
"block_candidate_count": 1,
"dry_run_status": "contract_defined_not_executed",
"runtime_actions_executed": false,
"payloads_ingested": false
},
"phase_status": [
{
"phase_id": "S0_contracts_and_boundaries",
"state": "completed",
"current_result": "Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立。",
"next_gate": "AwoooP 只讀 mirror 消費。"
},
{
"phase_id": "S1_readonly_inventory",
"state": "in_progress",
"current_result": "已完成多項 read-only evidenceGitea private/internal 全量 repo list 仍需批准後補齊。",
"next_gate": "只讀 token 或 redacted admin export approval。"
},
{
"phase_id": "S2_mirror_only_consumption",
"state": "draft_ready",
"current_result": "Mirror readiness、intake、event、route、acceptance、quarantine、dry-run 與 status rollup 契約已建立。",
"next_gate": "AwoooP 主線只建立 read-only / mirror-only UI 與 audit evidence不新增 execution router。"
},
{
"phase_id": "S3_approval_gate",
"state": "draft_ready",
"current_result": "Approval queue 已列出 8 個候選security_approval_gate_v1 已定義人工 gatesecurity_approval_decision_record_v1 已定義決策紀錄格式security_approval_review_packet_v1 已定義人工審查封包security_approval_state_transition_v1 已定義決策狀態轉移語義security_followup_runtime_gate_v1 已定義後續 runtime gate 準備模板。",
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea read-only inventoryreview packet、decision record、state transition 與 follow-up runtime gate template 都不等於執行授權。"
},
{
"phase_id": "S4_migration_execution",
"state": "not_started",
"current_result": "GitHub primary 是長期方向source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready。",
"next_gate": "Gitea authenticated inventory、refs truth、workflow/runner/secret name parity、rollback ADR 與逐 repo 人工批准。"
}
],
"next_safe_actions": [
{
"action_id": "mirror_status_rollup_to_awooop",
"title": "AwoooP 顯示資安供應鏈總覽",
"mode": "observe",
"source_contract": "security_mirror_status_rollup_v1",
"allowed_processing": [
"顯示階段狀態、contract readiness、approval queue summary",
"顯示下一個 gate",
"寫入 audit evidence"
],
"blocked_processing": [
"把 rollup 當成 runtime authorization",
"新增 scan / execute / repo / refs action button",
"把 LOW / MEDIUM observation 變成 blocking gate"
]
},
{
"action_id": "mirror_approval_review_packets",
"title": "AwoooP 顯示 8 個人工審查封包",
"mode": "approval_required",
"source_contract": "security_approval_review_packet_v1",
"allowed_processing": [
"顯示 review order、review lane、required reviewers 與 requested decision",
"顯示仍然禁止事項與 follow-up runtime gate",
"將人工決策另寫入 security_approval_decision_record_v1"
],
"blocked_processing": [
"把 review packet 當成批准",
"把 review packet 當成 execution authorization",
"新增 scan / execute / repo / refs action button"
]
},
{
"action_id": "mirror_approval_state_transitions",
"title": "AwoooP 顯示人工決策後狀態轉移",
"mode": "approval_required",
"source_contract": "security_approval_state_transition_v1",
"allowed_processing": [
"顯示 approve/reject/defer/request_more_evidence/keep_blocked 的 next state",
"顯示 approve_scope 仍需 follow-up runtime gate",
"將實際決策另寫入 security_approval_decision_record_v1"
],
"blocked_processing": [
"把 state transition 當成執行命令",
"批准後立即執行 scan / execute / repo / refs 動作",
"把 LOW / MEDIUM observation 變成 blocking gate"
]
},
{
"action_id": "mirror_followup_runtime_gate_templates",
"title": "AwoooP 顯示後續 runtime gate 準備模板",
"mode": "approval_required",
"source_contract": "security_followup_runtime_gate_v1",
"allowed_processing": [
"顯示 minimum evidence、preflight checks 與 rollback/disable requirement",
"顯示 active_runtime_gates=0",
"提醒 approve_scope 後仍需獨立 runtime gate"
],
"blocked_processing": [
"啟用 runtime gate",
"新增 scan / execute / repo / refs action button",
"把 template 當成執行授權"
]
},
{
"action_id": "review_redacted_finding_ingestion",
"title": "先審 redacted finding ingestion adapter",
"mode": "approval_required",
"source_contract": "security_approval_queue_v1",
"allowed_processing": [
"依 security_approval_gate_v1 人工審查是否可設計 redacted security_finding_v1 ingestion",
"依 security_approval_decision_record_v1 記錄人工決策",
"維持只接收摘要與 evidence_ref",
"保留 patch-only / review gate"
],
"blocked_processing": [
"保存 raw secret/token/cookie/private key/exploit payload",
"讓 AwoooP 直接啟動 scan",
"自動修復或自動封鎖 deploy"
]
},
{
"action_id": "review_gitea_readonly_inventory",
"title": "審查 Gitea private/internal 只讀 inventory",
"mode": "approval_required",
"source_contract": "gitea_repo_inventory_v1",
"allowed_processing": [
"使用 read-only token 或 redacted admin export 補齊 repo list",
"只保存 token_present=true/false",
"更新 migration matrix 與 decision table"
],
"blocked_processing": [
"保存 token value",
"使用 write-capable token",
"建立 GitHub repo 或 sync refs"
]
},
{
"action_id": "review_github_target_decisions",
"title": "逐 repo 審 GitHub target / owner / visibility / canonical",
"mode": "approval_required",
"source_contract": "source_control_approval_board_v1",
"allowed_processing": [
"逐 repo 更新 owner / visibility / canonical decision",
"產生 draft reconcile plan 或 ADR",
"維持 refs action disabled"
],
"blocked_processing": [
"建立 repo",
"修改 visibility",
"push / delete refs",
"切 GitHub primary"
]
},
{
"action_id": "review_github_primary_readiness_gate",
"title": "審查 GitHub primary readiness blockers",
"mode": "approval_required",
"source_contract": "source_control_primary_readiness_gate_v1",
"allowed_processing": [
"顯示 7 個 in-scope repos 仍 blocked",
"顯示 Gitea inventory、refs truth、workflow/secret name parity 與 rollback ADR 缺口",
"要求 repo owner 補 owner / visibility / canonical 決策"
],
"blocked_processing": [
"建立 GitHub repo",
"sync refs",
"切 GitHub primary",
"停用或封存 Gitea repo"
]
},
{
"action_id": "keep_kali_execute_blocked",
"title": "Kali /execute 維持 block candidate",
"mode": "block_candidate",
"source_contract": "kali_scan_scope_approval_v1",
"allowed_processing": [
"只設計 disable / allowlist / audit gate",
"保留人工 exception 記錄",
"持續顯示 blocked reason"
],
"blocked_processing": [
"AwoooP runtime 直接呼叫 /execute",
"把 /execute 當成一般 MCP action",
"執行 shell command 自動修復"
]
}
],
"session_sync_notes": [
"本 rollup 是跨 Session 的共同讀取入口,避免 AwoooP 主線與 Security Supply Chain Session 對進度與 gate 判讀不一致。",
"S2/S3 目前仍屬框架期;狀態與人工 gate 可見,不代表 production ingestion、scan、repo migration 或 runtime enforcement 已啟用。",
"S3.1 只新增人工決策紀錄格式;決策紀錄仍維持 execution_authorized=false不可直接跳到執行面。",
"S3.2 只新增人工審查封包格式review packet 只讓 AwoooP 顯示與準備人審,不代表批准。",
"S3.3 只新增人工決策狀態轉移語義approve_scope 只進入 waiting runtime gate不代表可立即執行。",
"S3.4 只新增後續 runtime gate 準備模板active_runtime_gates=0不新增 action button。",
"S4.0 只新增 GitHub primary readiness gategithub_primary_ready_count=0不新增 repo / refs / primary switch action。"
],
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload",
"turn_low_medium_observations_into_blocking_gates"
]
}