Files
awoooi/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md

6.2 KiB
Raw Blame History

資安供應鏈契約索引

項目 內容
日期 2026-05-13
狀態 草案
JSON snapshot docs/security/security-supply-chain-contract-manifest.snapshot.json
Schema docs/schemas/security_supply_chain_contract_manifest_v1.schema.json
預設 enforcement mirror_only
原則 AwoooP 先讀 manifest再依合約 mirror / read-only policy / approval queue 消費

0. 核心結論

目前 Security Supply Chain 已有 31 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口避免不同 Session 各自解讀。

初期預設仍是 mirror_only。Manifest 不授權 runtime enforcement、不授權 GitHub/Gitea 主控切換、不授權 repo 建立或 refs sync。

1. Contract 清單

Contract Consumption 主要用途 Snapshot
security_rollout_policy_v1 read-only policy 低摩擦 observe-first policy docs/security/security-rollout-policy.snapshot.json
security_finding_v1 mirror-only Kali / code / infra finding security-finding-kali-sample.snapshot.json
kali_integration_status_v1 mirror-only Kali 112 live health / update / gap evidence kali-integration-status.snapshot.json
kali_scan_scope_approval_v1 approval-only Kali scan scope、111/168 observe-only、active/credentialed/execute gate kali-scan-scope-approval.snapshot.json
security_approval_queue_v1 approval-only AwoooP 可 mirror 的 Security Supply Chain approval queue security-approval-queue.snapshot.json
security_approval_gate_v1 approval-only S3 人工批准 gate 與 follow-up runtime gate 邊界 security-approval-gate.snapshot.json
security_approval_decision_record_v1 approval-only S3 人工決策稽核紀錄 security-approval-decision-record.snapshot.json
security_approval_review_packet_v1 approval-only S3 人工審查封包與 review lane security-approval-review-packet.snapshot.json
security_approval_state_transition_v1 approval-only S3 人工決策狀態轉移語義 security-approval-state-transition.snapshot.json
security_mirror_readiness_v1 mirror-only AwoooP mirror/read-only readiness index security-mirror-readiness.snapshot.json
security_mirror_intake_plan_v1 mirror-only AwoooP mirror-only intake waves 與 acceptance gates security-mirror-intake-plan.snapshot.json
security_mirror_event_v1 mirror-only AwoooP mirror event envelope security-mirror-event-sample.snapshot.json
security_mirror_route_v1 mirror-only AwoooP 鏡像目的地、channel policy 與 review lane 路由 security-mirror-route.snapshot.json
security_mirror_acceptance_v1 mirror-only AwoooP 只讀鏡像接入驗收 checks security-mirror-acceptance.snapshot.json
security_mirror_quarantine_v1 mirror-only AwoooP 鏡像驗收失敗隔離與 retry gate security-mirror-quarantine.snapshot.json
security_mirror_dry_run_v1 mirror-only AwoooP 鏡像接入演練回報格式 security-mirror-dry-run.snapshot.json
security_mirror_status_rollup_v1 mirror-only AwoooP / Security Supply Chain 跨 Session 狀態總覽 security-mirror-status-rollup.snapshot.json
coding_task_v1 suggest-only Code Review 接 Codex patch-only 無正式 snapshot
source_control_migration_event_v1 mirror-only Gitea/GitHub refs 差異 gitea-github-awoooiclawbot-v5wooo-aiops
gitea_repo_inventory_v1 mirror-only Gitea repo inventory public-only / blocked endpoint snapshots
local_git_remote_inventory_v1 mirror-only 本機 remote coverage local-git-remote-inventory.snapshot.json
github_target_probe_v1 mirror-only GitHub target visibility github-target-probe.snapshot.json
github_target_decision_v1 mirror-only GitHub target 決策 github-target-decision.snapshot.json
github_target_repo_approval_package_v1 approval-only 逐 repo approval queue draft github-target-repo-approval-package.snapshot.json
source_control_approval_board_v1 approval-only 逐 repo owner / visibility / canonical / refs 決策 board source-control-approval-board.snapshot.json
source_control_reconcile_plan_v1 approval-only refs-blocked repo 的 draft reconcile plan source-control-reconcile-plan.snapshot.json
source_control_ref_detail_diff_v1 mirror-only refs-blocked repo 的 branch/tag 明細 diff source-control-ref-detail-diff.snapshot.json
source_control_ref_truth_classification_v1 approval-only refs diff 的真相來源候選與 deprecated 候選分類 source-control-ref-truth-classification.snapshot.json
local_repo_canonical_probe_v1 mirror-only momo/ewoooc lineage evidence local-repo-canonical-ewoooc-momo.snapshot.json
git_remote_refs_probe_v1 mirror-only 110 / GitHub remote refs readiness bitan-tsenyangwooo-infra-config
approval_required_event_v1 approval-only 高風險 / 敏感邊界 approval gitea-readonly-inventory-approval.snapshot.json

2. AwoooP 消費順序

  1. 先讀 security_rollout_policy_v1,確認目前仍是 mirror_only
  2. 再讀本 manifest取得可消費 contract 與禁止動作。
  3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。
  4. 只對 approval_required_event_v1、repo approval package、security_approval_review_packet_v1security_approval_state_transition_v1 建 approval candidate / review lane / next-state display。
  5. 不新增執行按鈕,不做 runtime enforcement。

3. 永久禁止

  1. 不保存 raw secret、token、cookie、private key。
  2. 不直接啟動 Kali active scan。
  3. 不直接呼叫 Codex patch runner。
  4. 不直接建立 GitHub repo 或修改 visibility。
  5. 不直接同步 refs。
  6. 不切 GitHub primary。
  7. 不停用、刪除、封存 Gitea repo。

4. 下一步

  1. AwoooP 主線可把 manifest 當作 mirror-only contract index。
  2. Security Supply Chain Session 後續新增 schema / snapshot 時,必須同步更新本 manifest。
  3. 等 runtime integration 被正式批准前,本 manifest 只作文件與 evidence 路由,不作 execution router。