Files
awoooi/docs/security/security-mirror-status-rollup.snapshot.json

166 lines
6.4 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_mirror_status_rollup_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "mirror_only",
"rollup_status": "framework_ready_waiting_approval",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
"docs/security/security-mirror-intake-plan.snapshot.json",
"docs/security/security-mirror-route.snapshot.json",
"docs/security/security-mirror-acceptance.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json",
"docs/security/security-mirror-dry-run.snapshot.json",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"total_contracts": 27,
"ready_for_mirror_count": 24,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
"approval_queue_total": 8,
"pending_approval_count": 7,
"block_candidate_count": 1,
"dry_run_status": "contract_defined_not_executed",
"runtime_actions_executed": false,
"payloads_ingested": false
},
"phase_status": [
{
"phase_id": "S0_contracts_and_boundaries",
"state": "completed",
"current_result": "Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立。",
"next_gate": "AwoooP 只讀 mirror 消費。"
},
{
"phase_id": "S1_readonly_inventory",
"state": "in_progress",
"current_result": "已完成多項 read-only evidenceGitea private/internal 全量 repo list 仍需批准後補齊。",
"next_gate": "只讀 token 或 redacted admin export approval。"
},
{
"phase_id": "S2_mirror_only_consumption",
"state": "draft_ready",
"current_result": "Mirror readiness、intake、event、route、acceptance、quarantine、dry-run 與 status rollup 契約已建立。",
"next_gate": "AwoooP 主線只建立 read-only / mirror-only UI 與 audit evidence不新增 execution router。"
},
{
"phase_id": "S3_approval_gate",
"state": "not_started",
"current_result": "Approval queue 已列出 8 個候選,其中 7 pending approval、1 block candidate。",
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea read-only inventory。"
},
{
"phase_id": "S4_migration_execution",
"state": "not_started",
"current_result": "GitHub primary 是長期方向,但 refs / tags / workflow / secret 名稱尚未全量驗證。",
"next_gate": "SHA/tag/workflow parity、rollback ADR 與逐 repo 人工批准。"
}
],
"next_safe_actions": [
{
"action_id": "mirror_status_rollup_to_awooop",
"title": "AwoooP 顯示資安供應鏈總覽",
"mode": "observe",
"source_contract": "security_mirror_status_rollup_v1",
"allowed_processing": [
"顯示階段狀態、contract readiness、approval queue summary",
"顯示下一個 gate",
"寫入 audit evidence"
],
"blocked_processing": [
"把 rollup 當成 runtime authorization",
"新增 scan / execute / repo / refs action button",
"把 LOW / MEDIUM observation 變成 blocking gate"
]
},
{
"action_id": "review_redacted_finding_ingestion",
"title": "先審 redacted finding ingestion adapter",
"mode": "approval_required",
"source_contract": "security_approval_queue_v1",
"allowed_processing": [
"人工審查是否可設計 redacted security_finding_v1 ingestion",
"維持只接收摘要與 evidence_ref",
"保留 patch-only / review gate"
],
"blocked_processing": [
"保存 raw secret/token/cookie/private key/exploit payload",
"讓 AwoooP 直接啟動 scan",
"自動修復或自動封鎖 deploy"
]
},
{
"action_id": "review_gitea_readonly_inventory",
"title": "審查 Gitea private/internal 只讀 inventory",
"mode": "approval_required",
"source_contract": "gitea_repo_inventory_v1",
"allowed_processing": [
"使用 read-only token 或 redacted admin export 補齊 repo list",
"只保存 token_present=true/false",
"更新 migration matrix 與 decision table"
],
"blocked_processing": [
"保存 token value",
"使用 write-capable token",
"建立 GitHub repo 或 sync refs"
]
},
{
"action_id": "review_github_target_decisions",
"title": "逐 repo 審 GitHub target / owner / visibility / canonical",
"mode": "approval_required",
"source_contract": "source_control_approval_board_v1",
"allowed_processing": [
"逐 repo 更新 owner / visibility / canonical decision",
"產生 draft reconcile plan 或 ADR",
"維持 refs action disabled"
],
"blocked_processing": [
"建立 repo",
"修改 visibility",
"push / delete refs",
"切 GitHub primary"
]
},
{
"action_id": "keep_kali_execute_blocked",
"title": "Kali /execute 維持 block candidate",
"mode": "block_candidate",
"source_contract": "kali_scan_scope_approval_v1",
"allowed_processing": [
"只設計 disable / allowlist / audit gate",
"保留人工 exception 記錄",
"持續顯示 blocked reason"
],
"blocked_processing": [
"AwoooP runtime 直接呼叫 /execute",
"把 /execute 當成一般 MCP action",
"執行 shell command 自動修復"
]
}
],
"session_sync_notes": [
"本 rollup 是跨 Session 的共同讀取入口,避免 AwoooP 主線與 Security Supply Chain Session 對進度與 gate 判讀不一致。",
"S2.7 仍屬框架期;它讓狀態可見,不代表 production ingestion、scan、repo migration 或 runtime enforcement 已啟用。",
"下一個可安全推進的工作是 AwoooP read-only UI / audit evidence 消費,或人工 review queue不可直接跳到執行面。"
],
"forbidden_actions": [
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload",
"turn_low_medium_observations_into_blocking_gates"
]
}