276 lines
13 KiB
JSON
276 lines
13 KiB
JSON
{
|
||
"schema_version": "security_mirror_status_rollup_v1",
|
||
"status": "draft",
|
||
"date": "2026-05-13",
|
||
"mode": "mirror_only",
|
||
"rollup_status": "framework_ready_waiting_approval",
|
||
"runtime_execution_authorized": false,
|
||
"source_indexes": [
|
||
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
|
||
"docs/security/security-mirror-readiness.snapshot.json",
|
||
"docs/security/security-mirror-intake-plan.snapshot.json",
|
||
"docs/security/security-mirror-route.snapshot.json",
|
||
"docs/security/security-mirror-acceptance.snapshot.json",
|
||
"docs/security/security-mirror-quarantine.snapshot.json",
|
||
"docs/security/security-mirror-dry-run.snapshot.json",
|
||
"docs/security/security-approval-queue.snapshot.json",
|
||
"docs/security/security-approval-gate.snapshot.json",
|
||
"docs/security/security-approval-decision-record.snapshot.json",
|
||
"docs/security/security-approval-review-packet.snapshot.json",
|
||
"docs/security/security-approval-state-transition.snapshot.json",
|
||
"docs/security/security-followup-runtime-gate.snapshot.json",
|
||
"docs/security/source-control-primary-readiness-gate.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
|
||
"docs/security/security-rollout-policy.snapshot.json"
|
||
],
|
||
"summary": {
|
||
"total_contracts": 34,
|
||
"ready_for_mirror_count": 31,
|
||
"partial_ready_count": 2,
|
||
"contract_only_count": 1,
|
||
"blocked_count": 0,
|
||
"approval_queue_total": 8,
|
||
"approval_review_packet_total": 8,
|
||
"approval_state_transition_rule_total": 5,
|
||
"followup_runtime_gate_template_total": 8,
|
||
"active_runtime_gate_count": 0,
|
||
"primary_readiness_candidate_repo_count": 8,
|
||
"github_primary_ready_count": 0,
|
||
"workflow_secret_inventory_candidate_repo_count": 8,
|
||
"workflow_secret_inventory_complete_count": 0,
|
||
"workflow_secret_inventory_local_evidence_repo_count": 4,
|
||
"workflow_secret_inventory_local_workflow_file_count": 31,
|
||
"workflow_secret_inventory_unique_secret_name_count": 43,
|
||
"secret_value_collection_allowed": false,
|
||
"secret_value_detected": false,
|
||
"pending_approval_count": 7,
|
||
"block_candidate_count": 1,
|
||
"dry_run_status": "contract_defined_not_executed",
|
||
"runtime_actions_executed": false,
|
||
"payloads_ingested": false
|
||
},
|
||
"phase_status": [
|
||
{
|
||
"phase_id": "S0_contracts_and_boundaries",
|
||
"state": "completed",
|
||
"current_result": "Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立。",
|
||
"next_gate": "AwoooP 只讀 mirror 消費。"
|
||
},
|
||
{
|
||
"phase_id": "S1_readonly_inventory",
|
||
"state": "in_progress",
|
||
"current_result": "已完成多項 read-only evidence;Gitea private/internal 全量 repo list 仍需批准後補齊。",
|
||
"next_gate": "只讀 token 或 redacted admin export approval。"
|
||
},
|
||
{
|
||
"phase_id": "S2_mirror_only_consumption",
|
||
"state": "draft_ready",
|
||
"current_result": "Mirror readiness、intake、event、route、acceptance、quarantine、dry-run 與 status rollup 契約已建立。",
|
||
"next_gate": "AwoooP 主線只建立 read-only / mirror-only UI 與 audit evidence,不新增 execution router。"
|
||
},
|
||
{
|
||
"phase_id": "S3_approval_gate",
|
||
"state": "draft_ready",
|
||
"current_result": "Approval queue 已列出 8 個候選,security_approval_gate_v1 已定義人工 gate,security_approval_decision_record_v1 已定義決策紀錄格式,security_approval_review_packet_v1 已定義人工審查封包,security_approval_state_transition_v1 已定義決策狀態轉移語義,security_followup_runtime_gate_v1 已定義後續 runtime gate 準備模板。",
|
||
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea read-only inventory;review packet、decision record、state transition 與 follow-up runtime gate template 都不等於執行授權。"
|
||
},
|
||
{
|
||
"phase_id": "S4_migration_execution",
|
||
"state": "not_started",
|
||
"current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的本機 evidence,inventory_complete_count=0。",
|
||
"next_gate": "Gitea authenticated inventory、refs truth、webhook / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR 與逐 repo 人工批准。"
|
||
}
|
||
],
|
||
"next_safe_actions": [
|
||
{
|
||
"action_id": "mirror_status_rollup_to_awooop",
|
||
"title": "AwoooP 顯示資安供應鏈總覽",
|
||
"mode": "observe",
|
||
"source_contract": "security_mirror_status_rollup_v1",
|
||
"allowed_processing": [
|
||
"顯示階段狀態、contract readiness、approval queue summary",
|
||
"顯示下一個 gate",
|
||
"寫入 audit evidence"
|
||
],
|
||
"blocked_processing": [
|
||
"把 rollup 當成 runtime authorization",
|
||
"新增 scan / execute / repo / refs action button",
|
||
"把 LOW / MEDIUM observation 變成 blocking gate"
|
||
]
|
||
},
|
||
{
|
||
"action_id": "mirror_approval_review_packets",
|
||
"title": "AwoooP 顯示 8 個人工審查封包",
|
||
"mode": "approval_required",
|
||
"source_contract": "security_approval_review_packet_v1",
|
||
"allowed_processing": [
|
||
"顯示 review order、review lane、required reviewers 與 requested decision",
|
||
"顯示仍然禁止事項與 follow-up runtime gate",
|
||
"將人工決策另寫入 security_approval_decision_record_v1"
|
||
],
|
||
"blocked_processing": [
|
||
"把 review packet 當成批准",
|
||
"把 review packet 當成 execution authorization",
|
||
"新增 scan / execute / repo / refs action button"
|
||
]
|
||
},
|
||
{
|
||
"action_id": "mirror_approval_state_transitions",
|
||
"title": "AwoooP 顯示人工決策後狀態轉移",
|
||
"mode": "approval_required",
|
||
"source_contract": "security_approval_state_transition_v1",
|
||
"allowed_processing": [
|
||
"顯示 approve/reject/defer/request_more_evidence/keep_blocked 的 next state",
|
||
"顯示 approve_scope 仍需 follow-up runtime gate",
|
||
"將實際決策另寫入 security_approval_decision_record_v1"
|
||
],
|
||
"blocked_processing": [
|
||
"把 state transition 當成執行命令",
|
||
"批准後立即執行 scan / execute / repo / refs 動作",
|
||
"把 LOW / MEDIUM observation 變成 blocking gate"
|
||
]
|
||
},
|
||
{
|
||
"action_id": "mirror_followup_runtime_gate_templates",
|
||
"title": "AwoooP 顯示後續 runtime gate 準備模板",
|
||
"mode": "approval_required",
|
||
"source_contract": "security_followup_runtime_gate_v1",
|
||
"allowed_processing": [
|
||
"顯示 minimum evidence、preflight checks 與 rollback/disable requirement",
|
||
"顯示 active_runtime_gates=0",
|
||
"提醒 approve_scope 後仍需獨立 runtime gate"
|
||
],
|
||
"blocked_processing": [
|
||
"啟用 runtime gate",
|
||
"新增 scan / execute / repo / refs action button",
|
||
"把 template 當成執行授權"
|
||
]
|
||
},
|
||
{
|
||
"action_id": "review_redacted_finding_ingestion",
|
||
"title": "先審 redacted finding ingestion adapter",
|
||
"mode": "approval_required",
|
||
"source_contract": "security_approval_queue_v1",
|
||
"allowed_processing": [
|
||
"依 security_approval_gate_v1 人工審查是否可設計 redacted security_finding_v1 ingestion",
|
||
"依 security_approval_decision_record_v1 記錄人工決策",
|
||
"維持只接收摘要與 evidence_ref",
|
||
"保留 patch-only / review gate"
|
||
],
|
||
"blocked_processing": [
|
||
"保存 raw secret/token/cookie/private key/exploit payload",
|
||
"讓 AwoooP 直接啟動 scan",
|
||
"自動修復或自動封鎖 deploy"
|
||
]
|
||
},
|
||
{
|
||
"action_id": "review_gitea_readonly_inventory",
|
||
"title": "審查 Gitea private/internal 只讀 inventory",
|
||
"mode": "approval_required",
|
||
"source_contract": "gitea_repo_inventory_v1",
|
||
"allowed_processing": [
|
||
"使用 read-only token 或 redacted admin export 補齊 repo list",
|
||
"只保存 token_present=true/false",
|
||
"更新 migration matrix 與 decision table"
|
||
],
|
||
"blocked_processing": [
|
||
"保存 token value",
|
||
"使用 write-capable token",
|
||
"建立 GitHub repo 或 sync refs"
|
||
]
|
||
},
|
||
{
|
||
"action_id": "review_github_target_decisions",
|
||
"title": "逐 repo 審 GitHub target / owner / visibility / canonical",
|
||
"mode": "approval_required",
|
||
"source_contract": "source_control_approval_board_v1",
|
||
"allowed_processing": [
|
||
"逐 repo 更新 owner / visibility / canonical decision",
|
||
"產生 draft reconcile plan 或 ADR",
|
||
"維持 refs action disabled"
|
||
],
|
||
"blocked_processing": [
|
||
"建立 repo",
|
||
"修改 visibility",
|
||
"push / delete refs",
|
||
"切 GitHub primary"
|
||
]
|
||
},
|
||
{
|
||
"action_id": "review_github_primary_readiness_gate",
|
||
"title": "審查 GitHub primary readiness blockers",
|
||
"mode": "approval_required",
|
||
"source_contract": "source_control_primary_readiness_gate_v1",
|
||
"allowed_processing": [
|
||
"顯示 7 個 in-scope repos 仍 blocked",
|
||
"顯示 Gitea inventory、refs truth、workflow/secret name parity 與 rollback ADR 缺口",
|
||
"要求 repo owner 補 owner / visibility / canonical 決策"
|
||
],
|
||
"blocked_processing": [
|
||
"建立 GitHub repo",
|
||
"sync refs",
|
||
"切 GitHub primary",
|
||
"停用或封存 Gitea repo"
|
||
]
|
||
},
|
||
{
|
||
"action_id": "review_workflow_secret_name_inventory",
|
||
"title": "審查 workflow / secret 名稱 inventory 缺口",
|
||
"mode": "approval_required",
|
||
"source_contract": "source_control_workflow_secret_name_inventory_v1",
|
||
"allowed_processing": [
|
||
"顯示 8 個 candidate repos 的 inventory lanes 與 4 個 repos 的 local evidence",
|
||
"要求 repo owner 補 redacted workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 snapshot",
|
||
"只保存 secret name、owner 與 present/absent metadata,不保存 value"
|
||
],
|
||
"blocked_processing": [
|
||
"收集或保存 secret value",
|
||
"修改 workflow 或 webhook",
|
||
"rotate secret",
|
||
"sync refs 或切 GitHub primary"
|
||
]
|
||
},
|
||
{
|
||
"action_id": "keep_kali_execute_blocked",
|
||
"title": "Kali /execute 維持 block candidate",
|
||
"mode": "block_candidate",
|
||
"source_contract": "kali_scan_scope_approval_v1",
|
||
"allowed_processing": [
|
||
"只設計 disable / allowlist / audit gate",
|
||
"保留人工 exception 記錄",
|
||
"持續顯示 blocked reason"
|
||
],
|
||
"blocked_processing": [
|
||
"AwoooP runtime 直接呼叫 /execute",
|
||
"把 /execute 當成一般 MCP action",
|
||
"執行 shell command 自動修復"
|
||
]
|
||
}
|
||
],
|
||
"session_sync_notes": [
|
||
"本 rollup 是跨 Session 的共同讀取入口,避免 AwoooP 主線與 Security Supply Chain Session 對進度與 gate 判讀不一致。",
|
||
"S2/S3 目前仍屬框架期;狀態與人工 gate 可見,不代表 production ingestion、scan、repo migration 或 runtime enforcement 已啟用。",
|
||
"S3.1 只新增人工決策紀錄格式;決策紀錄仍維持 execution_authorized=false,不可直接跳到執行面。",
|
||
"S3.2 只新增人工審查封包格式;review packet 只讓 AwoooP 顯示與準備人審,不代表批准。",
|
||
"S3.3 只新增人工決策狀態轉移語義;approve_scope 只進入 waiting runtime gate,不代表可立即執行。",
|
||
"S3.4 只新增後續 runtime gate 準備模板;active_runtime_gates=0,不新增 action button。",
|
||
"S4.0 只新增 GitHub primary readiness gate;github_primary_ready_count=0,不新增 repo / refs / primary switch action。",
|
||
"S4.1 只新增 workflow / secret 名稱 inventory 契約;workflow_secret_inventory_complete_count=0,secret_value_collection_allowed=false,不新增 workflow、secret、repo、refs 或 primary switch action。",
|
||
"S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidence;local_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43,secret_value_detected=false。"
|
||
],
|
||
"forbidden_actions": [
|
||
"start_kali_scan",
|
||
"call_kali_execute_endpoint",
|
||
"run_credentialed_scan",
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"sync_git_refs",
|
||
"switch_github_primary",
|
||
"auto_merge",
|
||
"production_deploy",
|
||
"store_secret_token_cookie_private_key_or_exploit_payload",
|
||
"turn_low_medium_observations_into_blocking_gates"
|
||
]
|
||
}
|