docs(security): refresh S4.9 owner response gate
@@ -4243,7 +4243,7 @@
|
||||
"verifier": "verifier live: {value}",
|
||||
"send": "send: {value}",
|
||||
"directApi": "direct API: {value}",
|
||||
"secret": "secret value: {value}"
|
||||
"secret": "機密明文: {value}"
|
||||
},
|
||||
"labels": {
|
||||
"owner": "owner: {value}",
|
||||
@@ -4294,7 +4294,7 @@
|
||||
"queueWrite": "queue write: {value}",
|
||||
"send": "send: {value}",
|
||||
"directApi": "direct API: {value}",
|
||||
"secret": "secret value: {value}",
|
||||
"secret": "機密明文: {value}",
|
||||
"verifier": "verifier live: {value}",
|
||||
"resultWrite": "result write: {value}"
|
||||
},
|
||||
@@ -4350,7 +4350,7 @@
|
||||
"queueWrite": "queue write: {value}",
|
||||
"send": "send: {value}",
|
||||
"productionWrite": "prod write: {value}",
|
||||
"secret": "secret value: {value}",
|
||||
"secret": "機密明文: {value}",
|
||||
"resultWrite": "result write: {value}",
|
||||
"verifier": "verifier live: {value}"
|
||||
},
|
||||
@@ -4405,7 +4405,7 @@
|
||||
"queueWrite": "queue write: {value}",
|
||||
"send": "send: {value}",
|
||||
"productionWrite": "prod write: {value}",
|
||||
"secret": "secret value: {value}",
|
||||
"secret": "機密明文: {value}",
|
||||
"destructive": "destructive: {value}",
|
||||
"liveExecution": "live execution: {value}",
|
||||
"opensLive": "opens live: {value}",
|
||||
@@ -4468,7 +4468,7 @@
|
||||
"queueWrite": "queue write: {value}",
|
||||
"send": "send: {value}",
|
||||
"productionWrite": "prod write: {value}",
|
||||
"secret": "secret value: {value}",
|
||||
"secret": "機密明文: {value}",
|
||||
"destructive": "destructive: {value}",
|
||||
"liveReadback": "live readback: {value}",
|
||||
"resultWrite": "result write: {value}",
|
||||
@@ -15652,7 +15652,7 @@
|
||||
"dataClass": {
|
||||
"title": "任務、agent 與 webhook 資料分級",
|
||||
"missing": "尚未標示 task、solution、agent reputation、traffic、webhook、admin 與 settlement 的資料分級。",
|
||||
"next": "只收欄位類型與脫敏摘要,不收 raw payload、未脫敏互動內容、cookie 或 token。"
|
||||
"next": "只收欄位類型與脫敏摘要,不收原始載荷、未脫敏互動內容、cookie 或 token。"
|
||||
},
|
||||
"sourceRepo": {
|
||||
"title": "版本來源與 dirty workspace 判定",
|
||||
|
||||
@@ -2,8 +2,8 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-05 |
|
||||
| 基準 | `gitea/main=b615bde5 docs(security): 補 S4.9 owner response 缺口稽核 [skip ci]` |
|
||||
| 日期 | 2026-06-13 |
|
||||
| 基準 | `gitea/main=2afb7c0a fix(governance): harden agent evidence redaction` |
|
||||
| 範圍 | S4.9 owner response 收件信封、欄位別名、隔離規則與驗收前狀態邊界 |
|
||||
| 模式 | 只讀文件規範,不送 request、不收 owner response、不改 API、不改 UI、不改 runtime |
|
||||
| 不可誤讀 | 本文件不是 request sent、不是 owner response received、不是 accepted、不是 Gitea / GitHub / refs / workflow / secret / runner / runtime 授權 |
|
||||
|
||||
@@ -2,8 +2,8 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-12 |
|
||||
| 基準 | `gitea/main=7cea7ef0 docs(logbook): 記錄 IwoooS 修正候選卡驗證 [skip ci]` |
|
||||
| 日期 | 2026-06-13 |
|
||||
| 基準 | `gitea/main=2afb7c0a fix(governance): harden agent evidence redaction` |
|
||||
| 範圍 | S4.9 Gitea owner attestation response gate 與 S4.13 owner response validation rollup |
|
||||
| 模式 | 只讀 committed snapshot / 文件稽核 |
|
||||
| 不可誤讀 | 不是 request sent、不是 owner response received、不是 accepted、不是 repo / refs / workflow / secret / runtime 授權 |
|
||||
@@ -30,13 +30,14 @@ S4.9 的基礎規範已存在,且已能被 `source-control-owner-response-guar
|
||||
|
||||
| 缺口 | 影響 | 下一步 |
|
||||
|------|------|--------|
|
||||
| P0 主控總帳與缺口稽核基準需跟上最新 `gitea/main` | 平行 Session 已推進 P2-403I/J/K、Public Gateway Preflight、SRE 戰情室路由、Knowledge Base tenant context、報表 runtime 啟動前閘門、IwoooS 審查後修正候選卡與 S4.13 rollup 口徑修正;舊 commit 基準會讓新 Session 誤判下一步 | 本輪已更新到 `7cea7ef0`,最新 deploy marker 為 `8a8843e3`;後續每次推送前仍需 fetch、讀 LOGBOOK 最新段落與同步 runs / deploy marker |
|
||||
| P0 主控總帳與缺口稽核基準需跟上最新 `gitea/main` | 平行 Session 已推進 P0-PUBLICENV public host alias redaction、P2-105 critic / reviewer result capture、governance evidence redaction hardening 與多次正式 Browser smoke;舊 commit 基準會讓新 Session 誤判下一步 | 本輪已更新到 `2afb7c0a`;最新 S4.9 仍是等待 owner response,後續每次推送前仍需 fetch、讀 LOGBOOK 最新段落與同步 runs / deploy marker |
|
||||
| S4.9 gate 仍只有 request-ready,沒有 owner response | IwoooS 64% 不能因規範存在而往前解鎖 | 維持 `0%`,只準備收件缺口,不調高 progress |
|
||||
| S4.13 rollup 文件曾殘留舊模板總數 | Snapshot 已是 `5 + 9 + 5 + 5 = 24`,但文件仍可能寫成 `22`,會造成 reviewer 誤判 S4.10 目標數 | 已同步文件並把 `source-control-owner-response-guard.py` 納入文件一致性檢查 |
|
||||
| request packet 的欄位名稱存在同義詞 | `affected_repos`、`affected_sources`、`affected_repos_or_sources_or_namespace`、`evidence_refs` 與使用者要求的 `affected_scope`、`redacted_evidence_refs` 容易在 UI / handoff 中混用 | 已補 `S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md`,後續顯示層以六欄 canonical envelope 呈現;source templates 可保留細分欄位 |
|
||||
| 沒有實際 dispatch / received audit event | 目前 audit event templates 仍是 template-only,不能證明已送件或已收件 | 等人工送件後才增加 request_sent metadata;未送前所有 count 維持 0 |
|
||||
| 尚未有 owner response reviewer outcome | reviewer checklist 存在,但沒有任何可分類 response | 等脫敏 metadata 進來後,才能進補件、隔離、拒收、只讀更新候選 |
|
||||
| 部分文件仍可能把近期 P2-403I/J/K 或資安 P1 工作誤當 S4.9 已解鎖 | 平行 Session 已推進 AI Agent 報表 / 告警路由,但 S4.9 owner response 仍是獨立 P0 gate | 後續 LOGBOOK / workplan 每次都標註平行 Session、最新基線與 S4.9 received / accepted 仍為 `0 / 0` |
|
||||
| P0-PUBLICENV 與 P2-105 容易被誤讀為 S4.9 owner response | 公開主機 alias redaction、bundle clean、production smoke、critic / reviewer scorecard 都不是 owner role / team、decision、reason、scope、redacted refs、followup owner 的實際回覆 | 在 rollup 與 LOGBOOK 明確標記:這些進展不增加 request_sent、received、accepted 或 runtime gate |
|
||||
|
||||
## 4. 需要新增或強化的規範
|
||||
|
||||
@@ -88,7 +89,7 @@ S4.9 的基礎規範已存在,且已能被 `source-control-owner-response-guar
|
||||
| S4.9 現況缺口稽核 | 100% | 已列出已符合、仍不符合、需新增、需調整、五題回覆與 0 / false 邊界 |
|
||||
| S4.9 canonical owner response envelope | 100% | 已補六欄信封、alias 映射、五題投影、quarantine-first 與 reviewer checklist |
|
||||
| S4.9 owner response gate | 0% | 沒有收到 owner response,不得調高 |
|
||||
| S4.9 基準與日期一致性 | 100% | 已跟到 `gitea/main=7cea7ef0` 與 deploy marker `8a8843e3`,並要求 guard 擋下過期基準、過期日期與舊模板公式 |
|
||||
| S4.9 基準與日期一致性 | 100% | 已跟到 `gitea/main=2afb7c0a`,並要求 guard 擋下過期 rollup 日期與舊模板公式 |
|
||||
| S4.13 rollup 文件一致性 | 100% | 已把 `22` 舊口徑修正為 `24`,並由 guard 檢查 |
|
||||
| IwoooS 整體 | 維持 64% | 只讀稽核不改 runtime readiness |
|
||||
| active runtime gate | 0 | 不變 |
|
||||
|
||||
@@ -2,8 +2,8 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-05 |
|
||||
| 基準 | `gitea/main=37c0e171 docs(governance): 對齊 P1-001 最新正式 deploy marker [skip ci]` |
|
||||
| 日期 | 2026-06-13 |
|
||||
| 基準 | `gitea/main=2afb7c0a fix(governance): harden agent evidence redaction` |
|
||||
| 對應規範 | `docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md` |
|
||||
| 對應收件包 | `docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md` |
|
||||
| 模式 | owner response intake form only |
|
||||
|
||||
@@ -2,8 +2,8 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-05 |
|
||||
| 基準 | `gitea/main=a516d3f8 docs(security): 補 S4.9 owner response intake form [skip ci]` |
|
||||
| 日期 | 2026-06-13 |
|
||||
| 基準 | `gitea/main=2afb7c0a fix(governance): harden agent evidence redaction` |
|
||||
| 上游文件 | `docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md`、`docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md` |
|
||||
| 模式 | reviewer validation checklist only |
|
||||
| 不可誤讀 | 本文件不是 request dispatch、不是 owner response、不是 accepted record、不是 repo / refs / workflow / secret / runner / host / runtime 執行授權 |
|
||||
|
||||
@@ -2,8 +2,8 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-05 |
|
||||
| 基準 | `gitea/main=70c01003 docs(governance): 記錄 P1-002 正式驗證 [skip ci]` |
|
||||
| 日期 | 2026-06-13 |
|
||||
| 基準 | `gitea/main=2afb7c0a fix(governance): harden agent evidence redaction` |
|
||||
| 上游文件 | `docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md`、`docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md`、`docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md` |
|
||||
| 模式 | security acceptance record template only |
|
||||
| 不可誤讀 | 本文件不是 owner response、不是 reviewer validation 已通過、不是 accepted record、不是 GitHub primary / repo / refs / workflow / secret / runner / host / runtime 執行授權 |
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-12 |
|
||||
| 日期 | 2026-06-13 |
|
||||
| 狀態 | 草案,等待 owner responses;S4.9 是目前第一優先收件 gate |
|
||||
| 資料契約 | `docs/schemas/source_control_owner_response_validation_rollup_v1.schema.json` |
|
||||
| 快照 | `docs/security/source-control-owner-response-validation-rollup.snapshot.json` |
|
||||
@@ -56,7 +56,7 @@ S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runt
|
||||
|
||||
| 項目 | 結果 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-12 |
|
||||
| 日期 | 2026-06-13 |
|
||||
| 範圍 | `repo_snapshot_only` |
|
||||
| 指令 | `python3 scripts/security/source-control-owner-response-guard.py --root .` |
|
||||
| 結果 | `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK` |
|
||||
@@ -68,6 +68,18 @@ S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runt
|
||||
|
||||
這表示四包 owner response snapshot 與 S4.13 rollup 的只讀 guard 已通過;不表示 owner response 已收到,也不授權 repo、refs、workflow、secret、runner、GitHub primary 或任何 runtime 動作。
|
||||
|
||||
### 1.1.1 2026-06-13 S4.9 狀態刷新
|
||||
|
||||
| 項目 | 結果 |
|
||||
|------|------|
|
||||
| 基準 | `gitea/main=2afb7c0a fix(governance): harden agent evidence redaction` |
|
||||
| 平行進展 | P0-PUBLICENV public host alias redaction 已正式收斂;P2-105 critic / reviewer result capture gate 已完成正式驗證 |
|
||||
| S4.9 影響 | 無直接解鎖;上述進展只改善公開面脫敏與 AI Agent 評估/結果捕捉可見性 |
|
||||
| 下一步 | 仍以 S4.9 Gitea owner attestation response 作為第一個收件候選 |
|
||||
| 必須維持 | `request_sent=false`、`received / accepted / rejected=0 / 0 / 0`、`runtime_execution_authorized=false`、`action_buttons_allowed=false` |
|
||||
|
||||
本刷新只更新基準與只讀狀態,不送 request、不代填 owner response、不新增 accepted record,也不把任何 UI 或 production smoke 結果視為 owner response。
|
||||
|
||||
## 2. 四條驗收 Lane
|
||||
|
||||
| Lane | 來源 | Templates | 目前狀態 |
|
||||
@@ -111,7 +123,7 @@ S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runt
|
||||
|
||||
AwoooP 顯示 S4.9 時,應同步讀取 `gitea-inventory-owner-attestation-response.snapshot.json` 的 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、6 個 intake preflight checks 與 5 個 outcome lanes;request packet 只提示 owner 要填什麼與不得貼什麼,template statuses 只逐項顯示 waiting / request ready,audit event templates 只定義 request shown / response received metadata / outcome classified 的脫敏 metadata 欄位且目前 0 emitted,redaction examples 只提供安全回覆形狀,display sections 只固定只讀 UI 順序,collection checks 只維持 request / received / accepted 狀態分離,preflight / outcome 只分類可審、補證、隔離、拒收或等待,不代表 owner response accepted 或 AwoooP production ingestion 已啟用。
|
||||
|
||||
### 2.3.1 2026-06-12 S4.9 Current Intake Readiness
|
||||
### 2.3.1 2026-06-13 S4.9 Current Intake Readiness
|
||||
|
||||
S4.9 目前已具備可直接照表收件與預檢的準備度,但尚未收到任何 owner response。這個狀態應顯示在 AwoooP 操作控制台作為下一個收件焦點,不得變成 approval queue 或 execution queue。
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"schema_version": "source_control_owner_response_validation_rollup_v1",
|
||||
"status": "draft_waiting_owner_responses",
|
||||
"date": "2026-06-12",
|
||||
"date": "2026-06-13",
|
||||
"mode": "owner_response_validation_rollup_only",
|
||||
"runtime_execution_authorized": false,
|
||||
"source_contracts": [
|
||||
@@ -2242,7 +2242,7 @@
|
||||
},
|
||||
"latest_local_validation": {
|
||||
"status": "repo_snapshot_guard_pass",
|
||||
"date": "2026-06-12",
|
||||
"date": "2026-06-13",
|
||||
"scope": "repo_snapshot_only",
|
||||
"command": "python3 scripts/security/source-control-owner-response-guard.py --root .",
|
||||
"result": "SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK",
|
||||
|
||||
@@ -13,7 +13,7 @@ from pathlib import Path
|
||||
from typing import Any
|
||||
|
||||
|
||||
EXPECTED_ROLLUP_DATE = "2026-06-12"
|
||||
EXPECTED_ROLLUP_DATE = "2026-06-13"
|
||||
EXPECTED_TEMPLATE_COUNT_FORMULA = "5 + 9 + 5 + 5 = 24"
|
||||
STALE_TEMPLATE_COUNT_FORMULA = "5 + 7 + 5 + 5 = 22"
|
||||
|
||||
|
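Review bot: `EXPECTED_ROLLUP_DATE` is a hard-coded literal that this same commit bumps in lockstep with the rollup snapshot's top-level `date` and `latest_local_validation.date`, so the "stale rollup date" check can only fail when someone forgets to edit the script, never when the snapshot genuinely drifts from the audited baseline. Consider deriving the expected date from one source of truth instead of pinning it in code — e.g. read `latest_local_validation.date` from `source-control-owner-response-validation-rollup.snapshot.json` and assert that the snapshot's top-level `date` and the rollup markdown's 日期 rows all match it. The rollup doc in this commit now says the guard blocks stale rollup dates and the old template formula but no longer mentions the `gitea/main` 基準; if the comparison logic does not also check the `2afb7c0a` baseline string, the several docs that carry it can silently diverge from each other with `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK` still passing. At minimum a comment above the constant, `# Must equal `date` in the rollup snapshot and markdown; bump together on every S4.9 refresh`, would make the coupling explicit. The code that consumes these constants lies outside this hunk, so the above is inferred from the constants alone.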
||||