Files
awoooi/docs/security/security-mirror-intake-plan.snapshot.json

197 lines
6.5 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_mirror_intake_plan_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-mirror-event-sample.snapshot.json"
],
"intake_waves": [
{
"wave_id": "M0_index_bootstrap",
"title": "載入 readiness、manifest 與低摩擦 policy",
"contracts": [
"security_mirror_readiness_v1",
"security_supply_chain_contract_manifest_v1",
"security_rollout_policy_v1",
"security_mirror_event_v1"
],
"destinations": [
"operator_console",
"runtime_state",
"audit_evidence"
],
"allowed_processing": [
"顯示 contract readiness",
"顯示 mirror_only enforcement",
"顯示 partial_ready / contract_only 原因",
"使用 security_mirror_event_v1 包裝 mirror payload"
],
"blocked_processing": [
"runtime_enforcement",
"execution_router",
"blocking_gate"
],
"exit_gate": "Operator Console 能顯示 22 個 contract 與 execution_allowed=false且 mirror event envelope action_buttons_allowed=false。"
},
{
"wave_id": "M1_kali_visibility",
"title": "Kali 112 狀態、scope 與 approval queue visibility",
"contracts": [
"kali_integration_status_v1",
"kali_scan_scope_approval_v1",
"security_approval_queue_v1",
"security_finding_v1"
],
"destinations": [
"operator_console",
"runtime_state",
"channel_event",
"approval_queue",
"audit_evidence"
],
"allowed_processing": [
"mirror Kali health / update / gap evidence",
"顯示 scan scope group",
"顯示 approval queue review order",
"顯示 redacted finding sample"
],
"blocked_processing": [
"start_kali_scan",
"call_kali_execute_endpoint",
"credentialed_scan",
"full_upgrade_or_reboot"
],
"exit_gate": "AwoooP 顯示 Kali health、5 個 scan scope groups、8 個 approval queue items但沒有 action button。"
},
{
"wave_id": "M2_source_control_visibility",
"title": "Gitea/GitHub source-control evidence visibility",
"contracts": [
"source_control_migration_event_v1",
"gitea_repo_inventory_v1",
"local_git_remote_inventory_v1",
"github_target_probe_v1",
"github_target_decision_v1",
"github_target_repo_approval_package_v1",
"source_control_approval_board_v1",
"source_control_reconcile_plan_v1",
"source_control_ref_detail_diff_v1",
"source_control_ref_truth_classification_v1",
"local_repo_canonical_probe_v1",
"git_remote_refs_probe_v1"
],
"destinations": [
"operator_console",
"runtime_state",
"approval_queue",
"audit_evidence"
],
"allowed_processing": [
"mirror repo/branch/tag 差異",
"顯示 pending owner / visibility / canonical decision",
"顯示 refs truth review lane",
"顯示 Gitea inventory partial reason"
],
"blocked_processing": [
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"delete_or_archive_gitea_repo"
],
"exit_gate": "AwoooP 能顯示 source-control blocking reasons且所有 repo/refs actions 都 disabled。"
},
{
"wave_id": "M3_approval_candidates",
"title": "Approval candidate mirror 與人工決策留痕",
"contracts": [
"approval_required_event_v1",
"security_approval_queue_v1",
"github_target_repo_approval_package_v1",
"source_control_approval_board_v1",
"kali_scan_scope_approval_v1"
],
"destinations": [
"approval_queue",
"operator_console",
"audit_evidence"
],
"allowed_processing": [
"create_approval_candidate",
"record_human_decision",
"display_required_reviewers",
"display_blocked_until_approved"
],
"blocked_processing": [
"auto_approve",
"execute_after_approval_without_new_runtime_gate",
"store_secret_value"
],
"exit_gate": "Approval candidate 可顯示與留痕,但任何批准後執行仍需要下一階段 runtime gate。"
},
{
"wave_id": "M4_patch_only_backlog",
"title": "Code review / Codex patch-only backlog",
"contracts": [
"coding_task_v1"
],
"destinations": [
"operator_console",
"approval_queue",
"audit_evidence"
],
"allowed_processing": [
"display_patch_backlog_contract",
"create_draft_patch_task_after_review",
"request_reviewers"
],
"blocked_processing": [
"auto_merge",
"production_deploy",
"secret_rotation",
"network_policy_change"
],
"exit_gate": "AwoooP 只顯示 patch-only backlog lane沒有 Codex runner action。"
}
],
"acceptance_gates": [
{
"gate_id": "MIRROR_ONLY_DEFAULT",
"requirement": "所有 intake waves 都必須維持 runtime_execution_authorized=false。",
"evidence_ref": "docs/security/security-mirror-intake-plan.snapshot.json"
},
{
"gate_id": "NO_ACTION_BUTTONS",
"requirement": "Operator Console 不得新增 scan、execute、repo、refs、deploy、secret 類 action button。",
"evidence_ref": "docs/security/SECURITY-MIRROR-READINESS.md"
},
{
"gate_id": "REDACTION_ONLY",
"requirement": "Mirror payload 不得保存 raw secret、token、cookie、private key 或 exploit payload。",
"evidence_ref": "docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md"
},
{
"gate_id": "LOW_MEDIUM_NOT_BLOCKING",
"requirement": "LOW / MEDIUM observation 初期只能 observe / warn不得升為 blocking gate。",
"evidence_ref": "docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md"
}
],
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload"
]
}