Files
awoooi/docs/security/security-mirror-dry-run.snapshot.json

194 lines
7.8 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_mirror_dry_run_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"dry_run_status": "contract_defined_not_executed",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json"
],
"summary": {
"total_contracts": 35,
"ready_for_mirror_count": 32,
"route_group_count": 5,
"acceptance_check_count": 8,
"quarantine_lane_count": 5,
"runtime_actions_executed": false,
"payloads_ingested": false
},
"dry_run_steps": [
{
"step_id": "LOAD_CONTRACT_INDEXES",
"expected_observation": "AwoooP dry-run 可讀到 manifest、readiness、event、route、acceptance、quarantine indexes。",
"evidence_refs": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json"
],
"pass_condition": "看到 35 個 contracts、32 個 ready for mirror且所有 contract execution_allowed=false。",
"execution_allowed": false,
"blocked_actions": [
"execute_contract",
"create_runtime_router",
"add_action_button"
]
},
{
"step_id": "CHECK_EVENT_ENVELOPE",
"expected_observation": "每筆 mirror payload 都必須使用 security_mirror_event_v1 信封。",
"evidence_refs": [
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md"
],
"pass_condition": "execution_authorized=false 且 action_buttons_allowed=false。",
"execution_allowed": false,
"blocked_actions": [
"execute_event",
"show_action_button",
"auto_approve_event"
]
},
{
"step_id": "CHECK_ROUTE_COVERAGE",
"expected_observation": "5 個 route groups 覆蓋 manifest contract set並保留 channel policy 與 review lane。",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"pass_condition": "route groups 合併後涵蓋 35 個 contracts沒有未知 execution route。",
"execution_allowed": false,
"blocked_actions": [
"fallback_to_execution_route",
"send_unknown_contract_to_runner",
"auto_route_to_approval_queue"
]
},
{
"step_id": "CHECK_ACCEPTANCE_AND_QUARANTINE",
"expected_observation": "8 個 acceptance checks 與 5 個 quarantine lanes 都可顯示,且失敗 payload 只隔離不執行。",
"evidence_refs": [
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"pass_condition": "blocking checks 只阻擋壞的 mirror payloadquarantine 不阻擋 runtime。",
"execution_allowed": false,
"blocked_actions": [
"runtime_block_product_flow",
"auto_retry_failed_payload",
"convert_quarantine_to_execution"
]
},
{
"step_id": "CHECK_PROGRESS_GUARD",
"expected_observation": "AwoooP dry-run 必須確認 58% 進度估算只作狀態顯示,不代表 approval、runtime gate、GitHub primary、repo / refs / workflow / secret / runner 或 Kali scan 授權。",
"evidence_refs": [
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"scripts/security/security-mirror-progress-guard.py"
],
"pass_condition": "`python3 scripts/security/security-mirror-progress-guard.py` 回傳 SECURITY_MIRROR_PROGRESS_GUARD_OK且 runtime_actions_executed=false、payloads_ingested=false。",
"execution_allowed": false,
"blocked_actions": [
"treat_progress_as_approval",
"activate_runtime_gate",
"add_action_button",
"start_kali_scan",
"create_github_repo",
"sync_git_refs",
"switch_github_primary"
]
},
{
"step_id": "CHECK_OWNER_RESPONSE_GUARD",
"expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_responsereceived / accepted 皆為 0且不能解鎖 repo、refs、workflow、secret、runner、GitHub primary 或 runtime action。",
"evidence_refs": [
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
"docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md",
"scripts/security/source-control-owner-response-guard.py"
],
"pass_condition": "`python3 scripts/security/source-control-owner-response-guard.py` 回傳 SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK且 received_response_count=0、accepted_response_count=0。",
"execution_allowed": false,
"blocked_actions": [
"treat_owner_guard_as_response_received",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"modify_workflow_or_secret",
"enable_runner",
"switch_github_primary"
]
},
{
"step_id": "CHECK_LOW_NOISE_CHANNEL",
"expected_observation": "Channel Event 初期只發低噪音摘要或人工批准必要事件。",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"pass_condition": "LOW / MEDIUM observation 不發阻擋事件、不洗版。",
"execution_allowed": false,
"blocked_actions": [
"notify_every_observation",
"block_deploy_on_low_medium",
"turn_warning_into_runtime_alarm"
]
},
{
"step_id": "CONFIRM_NO_RUNTIME_ACTION",
"expected_observation": "Dry-run 期間沒有 scan、execute、repo、refs、deploy、secret 類動作。",
"evidence_refs": [
"docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md",
"docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md"
],
"pass_condition": "runtime_actions_executed=false 且 payloads_ingested=false。",
"execution_allowed": false,
"blocked_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"create_github_repo",
"sync_git_refs",
"switch_github_primary",
"production_deploy",
"store_secret_value"
]
}
],
"latest_local_validation": {
"status": "repo_snapshot_guard_pass",
"date": "2026-05-18",
"scope": "repo_snapshot_only",
"command": "python3 scripts/security/security-mirror-progress-guard.py && python3 scripts/security/source-control-owner-response-guard.py",
"result": "SECURITY_MIRROR_PROGRESS_GUARD_OK; SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK",
"validated_steps": [
"LOAD_CONTRACT_INDEXES",
"CHECK_ACCEPTANCE_AND_QUARANTINE",
"CHECK_PROGRESS_GUARD",
"CHECK_OWNER_RESPONSE_GUARD",
"CONFIRM_NO_RUNTIME_ACTION"
],
"runtime_actions_executed": false,
"payloads_ingested": false,
"production_ingestion_enabled": false,
"not_authorization": true
},
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload"
]
}