docs(security): add redacted export request gate [skip ci]

This commit is contained in:
Your Name
2026-05-13 20:00:27 +08:00
parent e2425f6446
commit 6b1f150f79
17 changed files with 843 additions and 29 deletions


@@ -1,3 +1,35 @@
## 2026-05-13 | 資安供應鏈 S4.3Workflow / Secret 名稱 Redacted Export Request
**背景**S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence但 webhook、runner owner、deploy key、branch protection / required checks、repository secret name parity 還不能靠本機 working tree 完成。為了維持低摩擦,本輪只建立 redacted export request package不呼叫 GitHub/Gitea API、不使用 token、不修改任何 repo 設定。
**完成**
- 新增 `docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json`
- 新增 `docs/security/source-control-workflow-secret-name-export-request.snapshot.json``docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md`
- 定義 7 個 in-scope repos 的 owner / read-only export request。
- 定義 5 類 export laneswebhook、runner label / hosted minutes 風險、deploy key、branch protection / CODEOWNERS、repository secret name parity。
- 明確標示 `secret_value_collection_allowed=false``write_token_allowed=false``runtime_actions_authorized=false``action_buttons_allowed=false`
- 更新 `source_control_workflow_secret_name_inventory_v1`、manifest、mirror readiness、status rollup、AwoooP checklist、handoff 與 progress使 AwoooP 能顯示 S4.3 request 而不新增 execution action。
**仍未完成**
- 實際 webhook redacted export。
- 實際 runner owner / self-hosted vs hosted runner inventory。
- 實際 deploy key / machine key redacted export。
- 實際 branch protection / required status checks redacted export。
- 實際 repository secret name parity redacted export。
- GitHub primary rollback ADR 與逐 repo owner approval。
**仍禁止**
- 不收集、不保存、不搬移 secret value、token value、cookie、private key、webhook secret、runner registration token。
- 不使用 write token。
- 不修改 workflow、webhook、runner、deploy key、branch protection 或 repo secret。
- 不建立 GitHub repo、不 sync refs、不切 GitHub primary、不停用 Gitea。
**驗證**
- JSON 全量 parse 通過79 個 JSON files。
- S4.3 assertion 通過7 個 in-scope export requests、5 類 export lanes、34-contract graph unchanged。
- `git diff --check` 通過。
- 敏感字串掃描確認本輪未保存 Kali SSH 密碼、常見 token pattern、private key material也未出現 runtime / write / secret value 授權被打開。
## 2026-05-13 | 資安供應鏈 S4.2Workflow / Secret 名稱 Local Evidence
**背景**S4.1 已建立 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate但仍停在 contract-only。為了維持低摩擦並避免一開始拉高資安限制本輪只補本機可見 working tree 的 read-only / redacted evidence不呼叫 GitHub/Gitea API、不讀 `.env`、不讀 secret store、不保存 secret value。


@@ -73,6 +73,9 @@
"workflow_secret_inventory_local_evidence_repo_count",
"workflow_secret_inventory_local_workflow_file_count",
"workflow_secret_inventory_unique_secret_name_count",
"workflow_secret_inventory_export_request_count",
"workflow_secret_inventory_export_lane_count",
"workflow_secret_inventory_write_token_allowed",
"secret_value_collection_allowed",
"secret_value_detected",
"pending_approval_count",
@@ -150,6 +153,18 @@
"type": "integer",
"minimum": 0
},
"workflow_secret_inventory_export_request_count": {
"type": "integer",
"minimum": 0
},
"workflow_secret_inventory_export_lane_count": {
"type": "integer",
"minimum": 0
},
"workflow_secret_inventory_write_token_allowed": {
"type": "boolean",
"const": false
},
"secret_value_collection_allowed": {
"type": "boolean",
"const": false


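--- a/docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json
+++ b/docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json
@@ -0,0 +1,220 @@
+{
+"$schema": "https://json-schema.org/draft/2020-12/schema",
+"$id": "urn:awoooi:source-control-workflow-secret-name-export-request-v1",
+"title": "Source Control Workflow / Secret Name Export Request v1",
+"description": "定義 S4.3 後續需要 owner 或只讀 API 補齊的 workflow / webhook / runner / deploy key / branch protection / secret 名稱 redacted export request。此 schema 只允許名稱與 metadata不允許 secret value。",
+"type": "object",
+"required": [
+"schema_version",
+"status",
+"date",
+"mode",
+"runtime_execution_authorized",
+"source_contract",
+"source_indexes",
+"summary",
+"export_lanes",
+"repo_export_requests",
+"acceptance_rules",
+"redaction_rules",
+"forbidden_actions"
+],
+"properties": {
+"schema_version": {
+"const": "source_control_workflow_secret_name_export_request_v1"
+},
+"status": {
+"type": "string",
+"enum": ["draft_waiting_owner_export"]
+},
+"date": {
+"type": "string"
+},
+"mode": {
+"type": "string",
+"enum": ["redacted_export_request_only"]
+},
+"runtime_execution_authorized": {
+"type": "boolean",
+"const": false
+},
+"source_contract": {
+"type": "string",
+"const": "source_control_workflow_secret_name_inventory_v1"
+},
+"source_indexes": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"summary": {
+"type": "object",
+"required": [
+"candidate_repo_count",
+"in_scope_request_count",
+"external_scope_review_count",
+"export_request_count",
+"export_lane_count",
+"webhook_export_request_repo_count",
+"runner_export_request_repo_count",
+"deploy_key_export_request_repo_count",
+"branch_protection_codeowners_export_request_repo_count",
+"repository_secret_name_parity_export_request_repo_count",
+"secret_value_collection_allowed",
+"write_token_allowed",
+"runtime_actions_authorized",
+"action_buttons_allowed"
+],
+"properties": {
+"candidate_repo_count": {"type": "integer", "minimum": 0},
+"in_scope_request_count": {"type": "integer", "minimum": 0},
+"external_scope_review_count": {"type": "integer", "minimum": 0},
+"export_request_count": {"type": "integer", "minimum": 0},
+"export_lane_count": {"type": "integer", "minimum": 0},
+"webhook_export_request_repo_count": {"type": "integer", "minimum": 0},
+"runner_export_request_repo_count": {"type": "integer", "minimum": 0},
+"deploy_key_export_request_repo_count": {"type": "integer", "minimum": 0},
+"branch_protection_codeowners_export_request_repo_count": {"type": "integer", "minimum": 0},
+"repository_secret_name_parity_export_request_repo_count": {"type": "integer", "minimum": 0},
+"secret_value_collection_allowed": {"type": "boolean", "const": false},
+"write_token_allowed": {"type": "boolean", "const": false},
+"runtime_actions_authorized": {"type": "boolean", "const": false},
+"action_buttons_allowed": {"type": "boolean", "const": false}
+},
+"additionalProperties": false
+},
+"export_lanes": {
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "object",
+"required": [
+"lane_id",
+"title",
+"request_status",
+"allowed_fields",
+"forbidden_fields",
+"accepted_producer_modes",
+"acceptance_gate",
+"execution_authorized"
+],
+"properties": {
+"lane_id": {"type": "string"},
+"title": {"type": "string"},
+"request_status": {
+"type": "string",
+"enum": ["waiting_owner_or_readonly_export"]
+},
+"allowed_fields": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"forbidden_fields": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"accepted_producer_modes": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"acceptance_gate": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"execution_authorized": {
+"type": "boolean",
+"const": false
+}
+},
+"additionalProperties": false
+}
+},
+"repo_export_requests": {
+"type": "array",
+"minItems": 1,
+"items": {
+"type": "object",
+"required": [
+"repo_key",
+"github_repo",
+"source_key",
+"scope_status",
+"risk",
+"request_state",
+"requested_lanes",
+"owner_export_required",
+"read_only_api_allowed",
+"write_api_allowed",
+"secret_value_allowed",
+"acceptance_notes",
+"still_forbidden"
+],
+"properties": {
+"repo_key": {"type": "string"},
+"github_repo": {"type": "string"},
+"source_key": {"type": "string"},
+"scope_status": {
+"type": "string",
+"enum": ["in_scope", "external_scope_review"]
+},
+"risk": {
+"type": "string",
+"enum": ["LOW", "MEDIUM", "HIGH"]
+},
+"request_state": {
+"type": "string",
+"enum": [
+"waiting_owner_export",
+"waiting_scope_review"
+]
+},
+"requested_lanes": {
+"type": "array",
+"items": {"type": "string"}
+},
+"owner_export_required": {"type": "boolean"},
+"read_only_api_allowed": {"type": "boolean"},
+"write_api_allowed": {
+"type": "boolean",
+"const": false
+},
+"secret_value_allowed": {
+"type": "boolean",
+"const": false
+},
+"acceptance_notes": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"still_forbidden": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+}
+},
+"additionalProperties": false
+}
+},
+"acceptance_rules": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"redaction_rules": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"forbidden_actions": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+}
+},
+"additionalProperties": false
+}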
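Review bot: The top-level `date` property is an unconstrained string, so a snapshot with an empty or free-form value validates even though the whole request package is keyed by a review date; `"date": {"type": "string", "format": "date", "pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}$"}` pins the ISO form the human-readable page uses (2026-05-13), the `pattern` mattering because `format` is annotation-only unless the validator opts in. `requested_lanes` under `repo_export_requests` likewise accepts duplicates and any string, so a lane id matching none of `export_lanes[].lane_id` still passes; `"uniqueItems": true` closes the duplicate case, while the lane-id cross-check presumably belongs in the S4.3 assertion step the commit message mentions, since JSON Schema cannot express it. The `schema_version`, `runtime_execution_authorized`, `write_api_allowed` and `secret_value_allowed` constants are the right way to make the no-value / no-write posture machine-checkable, and `additionalProperties: false` at every object level keeps a producer from smuggling extra fields past redaction.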


@@ -54,7 +54,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff不 fetch、不 push、不刪 refs |
| `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類與人工判定隊列,不執行 sync/delete |
| `source_control_primary_readiness_gate_v1` | GitHub primary readiness / parity gate | Source-control review、Operator Console、Audit | approval-only | 只顯示 primary blockers、parity gates、rollback ADR 缺口;目前 `primary_ready_count=0` |
| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口S4.2 local evidence目前 `inventory_complete_count=0`,不得保存 secret value |
| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口S4.2 local evidence 與 S4.3 redacted export request;目前 `inventory_complete_count=0`,不得保存 secret value |
| `local_repo_canonical_probe_v1` | 本機 working tree lineage 比對 | Canonical decision evidence | mirror-only | 不自動合併、不自動建 repo、不刪除 |
| `git_remote_refs_probe_v1` | 指定 repo remote refs read-only probe | Source readiness evidence | mirror-only | 不 fetch、不 push、不自動 mirror |
| `approval_required_event_v1` | 上述事件的高風險 gate | Approval queue、Audit | approval-only | `blocked_until_approved=true` |
@@ -100,7 +100,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `security_approval_state_transition_v1.mode=approval_state_transition_only` | `observe` | 顯示 5 個 decision options 的 next state不得把 transition 當 execution authorization |
| `security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only` | `observe` | 顯示 8 個後續 runtime gate 準備模板、0 個 active runtime gates不得新增 action button |
| `source_control_primary_readiness_gate_v1.status=draft_blocked` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready不得切 primary |
| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、S4.2 local evidence 4 repos / 31 workflows / 43 referenced secret names、0 個 complete不得收集 secret value、不得修改 workflow |
| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、S4.2 local evidence 4 repos / 31 workflows / 43 referenced secret names、S4.3 export request 7 repos / 5 lanes、0 個 complete不得收集 secret value、不得修改 workflow |
| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 34 個 contracts 的 readiness不得把 readiness 當 execution authorization |
| `security_mirror_intake_plan_v1.status=draft` | `observe` | 顯示 5 個 intake waves 與 4 個 acceptance gates不得執行 wave |
| `security_mirror_event_v1.execution_authorized=false` | `observe` | 只包裝鏡像 payload明確不授權執行、不顯示執行按鈕 |
@@ -172,6 +172,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| Source Control GitHub primary readiness gate | `docs/security/source-control-primary-readiness-gate.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` |
| Source Control workflow / secret name inventory | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` |
| Source Control workflow / secret name local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` |
| Source Control workflow / secret name export request | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` |
| Kali 112 integration status | `docs/security/kali-integration-status.snapshot.json` / `docs/security/KALI-INTEGRATION-STATUS.md` |
| Security finding contract | `docs/security/security-finding-kali-sample.snapshot.json` / `docs/security/SECURITY-FINDING-CONTRACT.md` |
| Kali scan scope approval package | `docs/security/kali-scan-scope-approval.snapshot.json` / `docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` |


@@ -219,7 +219,9 @@ Snapshot`docs/security/source-control-workflow-secret-name-inventory.snapshot
S4.2 local evidence已新增本機只讀 collector 與 snapshot7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、5 個 runner labels、`secret_value_detected=false`。webhook、deploy key、branch protection 與 repository secret parity 仍需後續 redacted evidence。
AwoooP 初期處理方式:只顯示 inventory lane 缺口、S4.2 local evidence、要求 redacted snapshot 與人工 review不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary
S4.3 export request已新增 `source_control_workflow_secret_name_export_request_v1` supporting schema、snapshot 與人讀版7 個 in-scope repos、5 類 export laneswebhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity。`write_token_allowed=false``secret_value_collection_allowed=false`
AwoooP 初期處理方式:只顯示 inventory lane 缺口、S4.2 local evidence、S4.3 export request、要求 redacted snapshot 與人工 review不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary。
### `security_mirror_readiness_v1`
@@ -649,7 +651,7 @@ Schema`docs/schemas/approval_required_event_v1.schema.json`
- `github_target_repo_approval_package_v1` 進來後AwoooP 回傳逐 repo approval queue draft不阻擋 read-only evidence。
- `security_rollout_policy_v1` 進來後AwoooP 回傳 observe / warn / approve_required 建議,不做 enforcement。
- `security_supply_chain_contract_manifest_v1` 進來後AwoooP 回傳可消費 contract 清單,不新增 execution router。
- `source_control_workflow_secret_name_inventory_v1` 進來後AwoooP 回傳缺哪些 redacted workflow / secret name evidence不收集 secret value、不修改 workflow。
- `source_control_workflow_secret_name_inventory_v1` 進來後AwoooP 回傳缺哪些 redacted workflow / secret name evidence並顯示 S4.3 export request 的 webhook / runner / deploy key / branch protection / repository secret parity lanes不收集 secret value、不修改 workflow。
### Phase S3Approval Gate
@@ -704,7 +706,7 @@ Console 初期不提供高風險執行按鈕。
10. Approval queue 可容納 `github_target_decision_v1``github_target_repo_approval_package_v1`,但不得直接建立 repo 或改 visibility。
11. Read-only policy 可容納 `security_rollout_policy_v1`,但初期不得把它變成 runtime blocking rule。
12. Contract registry 可容納 `security_supply_chain_contract_manifest_v1`,但初期不得把它變成 direct tool router。
13. Source-control review 可容納 `source_control_workflow_secret_name_inventory_v1`,但只能顯示 workflow / secret 名稱缺口,不得收集 value 或修改 workflow。
13. Source-control review 可容納 `source_control_workflow_secret_name_inventory_v1` 與 S4.3 redacted export request但只能顯示 workflow / secret 名稱缺口、owner export lanes 與 hosted runner 額度風險,不得收集 value 或修改 workflow。
## 7. Security Supply Chain Session 下一步
@@ -793,6 +795,8 @@ Console 初期不提供高風險執行按鈕。
2026-05-13 S4.2 workflow / secret name local evidence 追加:已新增 `scripts/security/source-control-workflow-secret-name-local-inventory.py``docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json``docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json``docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md`。本輪只從本機 working tree 的 `.github/workflows``.gitea/workflows` 與 CODEOWNERS 萃取名稱級 metadata7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、`secret_value_detected=false`;不得視為 GitHub primary ready。
2026-05-13 S4.3 workflow / secret name redacted export request 追加:已新增 `docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json``docs/security/source-control-workflow-secret-name-export-request.snapshot.json``docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md`。本輪只定義 7 個 in-scope repos、5 類 export lanes 的 owner / read-only export 欄位與拒收規則webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity`write_token_allowed=false``secret_value_collection_allowed=false`,不得呼叫 API 或修改 GitHub/Gitea。
2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json``docs/security/kali-integration-status.snapshot.json``docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up已 targeted update `nmap``nikto``nuclei``curl``openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence但不得直接啟動 scan、credentialed scan 或 `/execute`
本波仍不做:
@@ -855,6 +859,8 @@ Console 初期不提供高風險執行按鈕。
- [source_control_workflow_secret_name_inventory_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-inventory.snapshot.json)
- [Source Control workflow / secret name local evidence](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md)
- [source_control_workflow_secret_name_local_evidence_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json)
- [Source Control workflow / secret name redacted export request](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md)
- [source_control_workflow_secret_name_export_request_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-export-request.snapshot.json)
- [source-control workflow / secret name local collector](/Users/ogt/awoooi/scripts/security/source-control-workflow-secret-name-local-inventory.py)
- [本機 repo canonical lineage snapshot](/Users/ogt/awoooi/docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md)
- [local_repo_canonical_probe_v1 snapshot](/Users/ogt/awoooi/docs/security/local-repo-canonical-ewoooc-momo.snapshot.json)
@@ -888,6 +894,7 @@ Console 初期不提供高風險執行按鈕。
- [source_control_ref_truth_classification_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_classification_v1.schema.json)
- [source_control_workflow_secret_name_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json)
- [source_control_workflow_secret_name_local_evidence_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json)
- [source_control_workflow_secret_name_export_request_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json)
- [local_repo_canonical_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/local_repo_canonical_probe_v1.schema.json)
- [git_remote_refs_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/git_remote_refs_probe_v1.schema.json)
- [approval_required_event_v1 schema](/Users/ogt/awoooi/docs/schemas/approval_required_event_v1.schema.json)


@@ -81,7 +81,7 @@ AwoooP 可以將 ready / partial contracts mirror 到:
13. 再 mirror `security_approval_state_transition_v1`,只顯示決策後 next state 與 follow-up runtime gate。
14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement。
15. 再 mirror `source_control_primary_readiness_gate_v1`,只顯示 GitHub primary parity、owner、rollback 與人工批准缺口。
16. 再 mirror `source_control_workflow_secret_name_inventory_v1`S4.2 local evidence只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names不保存 secret value。
16. 再 mirror `source_control_workflow_secret_name_inventory_v1`S4.2 local evidence 與 S4.3 redacted export request,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret namesexport request 有 7 個 repos、5 類 lanes不保存 secret value。
17. 再 mirror `kali_integration_status_v1``kali_scan_scope_approval_v1`
18. 最後再 mirror source-control 其他 contracts。


@@ -28,7 +28,7 @@
| State transitions | S3.3 已建立5 個 decision options 都有 next state且都不授權執行 |
| Follow-up runtime gate templates | S3.4 已建立8 個 templates、0 個 active runtime gates |
| GitHub primary readiness gate | S4.0 已建立8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready |
| Workflow / secret name inventory | S4.1 已建立S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence0 個 inventory complete、禁止收集 secret value |
| Workflow / secret name inventory | S4.1 已建立S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidenceS4.3 補 7 個 repos、5 類 lanes 的 redacted export request0 個 inventory complete、禁止收集 secret value、禁止 write token |
| Dry-run | `contract_defined_not_executed` |
| Runtime actions | `false` |
| Payload ingestion | `false` |
@@ -61,6 +61,6 @@
4. GitHub target / owner / visibility / canonical。
5. Kali `/execute` 維持 block candidate。
6. GitHub primary readiness blockers 與 rollback ADR 缺口。
7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence補 webhook / deploy key / branch protection / repository secret parity只保存名稱與 owner不保存 value。
7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence依 S4.3 redacted export request 補 webhook / runner / deploy key / branch protection / repository secret parity只保存名稱與 owner不保存 value,不使用 write token
任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence不得由本 rollup 自動觸發。


@@ -49,7 +49,7 @@
| `source_control_ref_detail_diff_v1` | mirror-only | refs-blocked repo 的 branch/tag 明細 diff | `source-control-ref-detail-diff.snapshot.json` |
| `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類 | `source-control-ref-truth-classification.snapshot.json` |
| `source_control_primary_readiness_gate_v1` | approval-only | GitHub primary readiness / parity gate | `source-control-primary-readiness-gate.snapshot.json` |
| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gateS4.2 已補 local evidence | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` |
| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gateS4.2 已補 local evidenceS4.3 已補 redacted export request | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` / `source-control-workflow-secret-name-export-request.snapshot.json` |
| `local_repo_canonical_probe_v1` | mirror-only | momo/ewoooc lineage evidence | `local-repo-canonical-ewoooc-momo.snapshot.json` |
| `git_remote_refs_probe_v1` | mirror-only | 110 / GitHub remote refs readiness | `bitan-tsenyang``wooo-infra-config` |
| `approval_required_event_v1` | approval-only | 高風險 / 敏感邊界 approval | `gitea-readonly-inventory-approval.snapshot.json` |
@@ -59,7 +59,7 @@
1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`
2. 再讀本 manifest取得可消費 contract 與禁止動作。
3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。
4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / workflow-secret name inventory gate。
4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / workflow-secret name inventory gate / redacted export request display
5. 不新增執行按鈕,不做 runtime enforcement。
## 3. 永久禁止


@@ -4,7 +4,7 @@
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | S0/S1 read-only evidence 建置中 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
## 0. 本階段完成後整體進度
@@ -41,6 +41,7 @@
| S4.0 GitHub primary readiness gate | 完成草案 | `source_control_primary_readiness_gate_v1` 已建立8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | AwoooP 可顯示 parity、owner、rollback ADR 缺口,不可切 primary |
| S4.1 Workflow / Secret 名稱 inventory 契約 | 完成草案 | `source_control_workflow_secret_name_inventory_v1` 已建立8 個 candidate repos、7 個 in-scope repos 尚缺實際 inventory、0 個 complete、禁止收集 secret value | AwoooP 可顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱缺口,不可修改 workflow 或 secret |
| S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence仍不可切 primary |
| S4.3 Workflow / Secret 名稱 redacted export request | 完成草案 | 已建立 export request schema / snapshot / 人讀版7 個 in-scope repos、5 類 export laneswebhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name paritywrite token allowed=false | repo owner 或未來只讀 API 依 request 補 redacted export仍不可收 secret value、不可修改 GitHub/Gitea |
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR |
## 1. 已建立的主要 evidence
@@ -76,6 +77,8 @@
| Source Control workflow / secret name local evidence | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` |
| Source Control workflow / secret name local evidence JSON | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
| Source Control workflow / secret name local collector | `scripts/security/source-control-workflow-secret-name-local-inventory.py` |
| Source Control workflow / secret name export request | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` |
| Source Control workflow / secret name export request JSON | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` |
| Kali 112 integration status | `docs/security/KALI-INTEGRATION-STATUS.md` |
| Kali 112 integration status JSON | `docs/security/kali-integration-status.snapshot.json` |
| Security finding contract | `docs/security/SECURITY-FINDING-CONTRACT.md` |
@@ -139,6 +142,6 @@
3.`SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md``awoooi``clawbot-v5``wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
4.`ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
5.`KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1``security_mirror_route_v1``security_mirror_acceptance_v1``security_mirror_quarantine_v1``security_mirror_dry_run_v1``security_mirror_status_rollup_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1``security_mirror_route_v1``security_mirror_acceptance_v1``security_mirror_quarantine_v1``security_mirror_dry_run_v1``security_mirror_status_rollup_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 workflow / secret inventory 需同時顯示 S4.3 redacted export request
7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy不做 runtime blocking。
8. AwoooP 主線再讀 `security_approval_queue_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_workflow_secret_name_inventory_v1``security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers、workflow / secret 名稱 inventory 缺口與 blocked reason不新增 execution router。
8. AwoooP 主線再讀 `security_approval_queue_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_workflow_secret_name_inventory_v1``security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason不新增 execution router。


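--- a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md
+++ b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md
@@ -0,0 +1,79 @@
+# Workflow / Secret 名稱 Redacted Export Request
+| 項目 | 內容 |
+|------|------|
+| 日期 | 2026-05-13 |
+| 狀態 | 草案,等待 owner / read-only export |
+| Schema | `docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json` |
+| Snapshot | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` |
+| 來源契約 | `source_control_workflow_secret_name_inventory_v1` |
+| 模式 | `redacted_export_request_only` |
+| runtime 執行授權 | `false` |
+## 0. 核心結論
+S4.3 把 S4.2 還缺的控制面 evidence 拆成可交接的 redacted export request。
+這不是 API 執行、不是 GitHub primary cutover、也不是 workflow / secret 修改。它只是告訴 repo owner 或未來只讀匯出工具:每個 repo 要補哪些欄位、哪些欄位可以保存、哪些敏感值必須拒收。
+## 1. 摘要
+| 指標 | 數量 |
+|------|------|
+| Candidate repos | 8 |
+| In-scope export requests | 7 |
+| External scope review | 1 |
+| Export lanes | 5 |
+| Webhook export request repos | 2 |
+| Runner export request repos | 4 |
+| Deploy key export request repos | 1 |
+| Branch protection / CODEOWNERS export request repos | 4 |
+| Repository secret name parity export request repos | 7 |
+| Secret value collection allowed | `false` |
+| Write token allowed | `false` |
+| Runtime actions authorized | `false` |
+## 2. Export Lanes
+| Lane | 可保存 | 禁止保存 |
+|------|--------|----------|
+| Webhook | provider、webhook name、redacted host、event types、enabled flag、owner | webhook secret、含 token URL、header、cookie、body |
+| Runner | runner label、scope、executor type、host alias、self-hosted / hosted、owner | registration token、admin token、SSH key、host password |
+| Deploy key | key name、read-only flag、repo scope、owner、last seen metadata | private key、完整 public key、token、password |
+| Branch protection / CODEOWNERS | protected branch、required checks、review count、CODEOWNERS path、owner teams | team secret、PAT、admin override token |
+| Repository secret names | secret name、scope、owner、used by workflow、present in Gitea / GitHub | secret value、plaintext、token、private key、credential value |
+## 3. Repo Request
+| Repo | Request state | Requested lanes |
+|------|---------------|-----------------|
+| `owenhytsai/awoooi` | waiting owner export | webhook、runner、branch protection / CODEOWNERS、repository secret name parity |
+| `owenhytsai/clawbot-v5` | waiting owner export | branch protection / CODEOWNERS、repository secret name parity |
+| `owenhytsai/wooo-aiops` | waiting owner export | webhook、runner、repository secret name parity |
+| `owenhytsai/wooo-infra-config` | waiting owner export | runner、deploy key、branch protection / CODEOWNERS、repository secret name parity |
+| `owenhytsai/ewoooc` | waiting owner export | runner、branch protection / CODEOWNERS、repository secret name parity |
+| `owenhytsai/bitan-pharmacy` | waiting owner export | repository secret name parity |
+| `owenhytsai/tsenyang-website` | waiting owner export | repository secret name parity |
+| `nexu-io/open-design` | waiting scope review | 不進 AWOOOI primary cutover queue |
+## 4. AwoooP 可做
+1. 顯示每個 repo 等待哪一類 redacted export。
+2. 顯示 owner export / read-only API export 的 acceptance gate。
+3. 顯示 GitHub hosted runner 可能造成額度消耗的 review lane。
+4. 把完成的 redacted export 作為 Audit evidence 等待人工審查。
+5. 若 payload 含敏感值,送進 mirror quarantine。
+## 5. AwoooP 不可做
+1. 不呼叫 write API。
+2. 不顯示或保存 secret value、token value、cookie、private key、webhook secret、runner registration token。
+3. 不修改 workflow、webhook、runner、deploy key、branch protection 或 secret。
+4. 不建立 GitHub repo、不 sync refs、不切 GitHub primary。
+5. 不把 export request 當成已批准或已完成的 evidence。
+## 6. 階段定位
+S4.1 建立 inventory gateS4.2 補本機 workflow / CODEOWNERS / referenced secret name evidenceS4.3 補「下一步匯出請求包」。
+這仍然是低摩擦框架期:先把資料責任、欄位邊界與拒收規則定清楚,避免後續真的接 owner export 或只讀 API 時誤收秘密值、誤用 write token或誤把資料補齊當成主控切換批准。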


@@ -7,6 +7,7 @@
| Schema | `docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json` |
| Snapshot | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` |
| Local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
| Export request | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` |
| 模式 | `inventory_contract_only` |
| runtime 執行授權 | `false` |
@@ -20,6 +21,8 @@
S4.2 已補本機可見 evidence4 個 repos 有 workflow / CODEOWNERS evidence、31 個 workflow files、43 個 referenced secret names、5 個 runner labels。這只是 local partial evidence仍不代表 GitHub primary ready。
S4.3 已補 redacted export request package7 個 in-scope repos 需要 owner / read-only export5 類 export lanes 包含 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity所有 export 都禁止 secret value 與 write token。
## 1. 目前狀態
| 指標 | 數量 |
@@ -33,6 +36,8 @@ S4.2 已補本機可見 evidence4 個 repos 有 workflow / CODEOWNERS evidenc
| Local evidence repos | 4 |
| Local workflow files | 31 |
| Local referenced secret names | 43 |
| Redacted export request repos | 7 |
| Redacted export lanes | 5 |
## 2. Inventory Lanes
@@ -54,6 +59,7 @@ S4.2 已補本機可見 evidence4 個 repos 有 workflow / CODEOWNERS evidenc
4. 對缺資料 repo 顯示 owner review lane。
5. 將失敗或含敏感值 payload 交給 mirror quarantine。
6. 顯示 S4.2 本機 evidence 與仍缺的 API / export lanes。
7. 顯示 S4.3 export request 的欄位清單、拒收欄位與 acceptance gate。
## 4. AwoooP 不可做
@@ -71,4 +77,6 @@ S4.1 讓 GitHub primary readiness 的「workflow / secret 名稱 parity」缺口
S4.2 讓本機可見 workflow / CODEOWNERS / referenced secret names 先形成 partial evidence。
這仍是低摩擦框架期:只定義欄位、只顯示缺口、只留痕,不碰任何實際 secret 或發版流程。webhook、deploy key、branch protection 與 repository secret parity 仍需要後續 redacted export 或 read-only API evidence。
S4.3 讓後續 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret parity 的 owner / read-only export 有明確的欄位、拒收規則與驗收 gate。
這仍是低摩擦框架期:只定義欄位、只顯示缺口、只留痕,不碰任何實際 secret 或發版流程。後續即使取得 redacted export也只代表 evidence 可 review不代表 GitHub primary ready。


@@ -18,6 +18,8 @@ S4.2 先補本機可見 working tree 的只讀 workflow / secret 名稱 evidence
這仍不代表 GitHub primary ready。webhook、deploy key、branch protection 與 repository secret parity 還需要後續 redacted export 或 read-only API evidence。
S4.3 已把這些後續缺口整理成 redacted export request並額外納入 runner owner / GitHub hosted minutes 風險 lane仍禁止 write token 與 secret value。
## 1. 摘要
| 指標 | 數量 |
@@ -61,10 +63,11 @@ S4.2 先補本機可見 working tree 的只讀 workflow / secret 名稱 evidence
## 4. 仍需補齊
1. Gitea / GitHub webhook inventory只列 destination host、event types、enabled flag不保存 webhook secret。
2. Deploy key / machine key inventory只列 key name、read-only flag、owner不保存 private key
3. Branch protection inventory只列 protected branch、required status checks、review count
4. Repository secret parity只比對 secret 名稱與 owner不輸出 value
5. 逐 repo owner review確認本機可見 workflow 是否為 canonical尤其是 `ewoooc` / `momo-pro-system`
2. Runner owner / hosted minutes 風險 inventory只列 label、executor、self-hosted / hosted、owner不保存 registration token
3. Deploy key / machine key inventory只列 key name、read-only flag、owner不保存 private key
4. Branch protection inventory只列 protected branch、required status checks、review count
5. Repository secret parity只比對 secret 名稱與 owner不輸出 value
6. 逐 repo owner review確認本機可見 workflow 是否為 canonical尤其是 `ewoooc` / `momo-pro-system`
## 5. 永久禁止


@@ -335,13 +335,15 @@
"execution_allowed": false,
"snapshot_paths": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json"
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md"
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md"
],
"notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口S4.2 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret namessecret_value_collection_allowed=false。"
"notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口S4.2 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret namesS4.3 export request 有 7 個 repos、5 類 export lanessecret_value_collection_allowed=false。"
},
{
"contract": "local_repo_canonical_probe_v1",
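Review bot: The S4.3 counts (`7 個 repos、5 類 export lanes`) are carried inside the free-text `notes` string on the new line of this hunk, and the same numbers are repeated as prose in the status-rollup section (the `current_result` string and the S4.3 progress line) and in the contract-manifest `notes` further down, while only the structured `workflow_secret_inventory_export_request_count` / `workflow_secret_inventory_export_lane_count` fields can be checked by the assertion the commit message describes. The prose copies will drift silently the next time the export-request snapshot changes, as the S4.2 numbers already do across several files. Consider keeping the counts only in structured fields and having `notes` point at the snapshot summary instead, e.g. `"notes": "... S4.3 export request 見 export-request snapshot summary ..."`, or adding a second assertion that the prose matches the structured counts.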


@@ -22,6 +22,7 @@
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
@@ -42,6 +43,9 @@
"workflow_secret_inventory_local_evidence_repo_count": 4,
"workflow_secret_inventory_local_workflow_file_count": 31,
"workflow_secret_inventory_unique_secret_name_count": 43,
"workflow_secret_inventory_export_request_count": 7,
"workflow_secret_inventory_export_lane_count": 5,
"workflow_secret_inventory_write_token_allowed": false,
"secret_value_collection_allowed": false,
"secret_value_detected": false,
"pending_approval_count": 7,
@@ -78,8 +82,8 @@
{
"phase_id": "S4_migration_execution",
"state": "not_started",
"current_result": "GitHub primary 是長期方向source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary readyS4.1 已定義 workflow / secret 名稱 inventory 契約S4.2 已補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的本機 evidenceinventory_complete_count=0。",
"next_gate": "Gitea authenticated inventory、refs truth、webhook / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR 與逐 repo 人工批准。"
"current_result": "GitHub primary 是長期方向source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary readyS4.1 已定義 workflow / secret 名稱 inventory 契約S4.2 已補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的本機 evidenceS4.3 已補 7 個 repos、5 類 lanes 的 redacted export requestinventory_complete_count=0。",
"next_gate": "Gitea authenticated inventory、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR 與逐 repo 人工批准。"
}
],
"next_safe_actions": [
@@ -220,8 +224,9 @@
"mode": "approval_required",
"source_contract": "source_control_workflow_secret_name_inventory_v1",
"allowed_processing": [
"顯示 8 個 candidate repos 的 inventory lanes4 個 repos 的 local evidence",
"顯示 8 個 candidate repos 的 inventory lanes4 個 repos 的 local evidence 與 7 個 repos 的 redacted export request",
"要求 repo owner 補 redacted workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 snapshot",
"顯示 GitHub hosted runner 額度風險與 self-hosted runner owner review lane",
"只保存 secret name、owner 與 present/absent metadata不保存 value"
],
"blocked_processing": [
@@ -257,7 +262,8 @@
"S3.4 只新增後續 runtime gate 準備模板active_runtime_gates=0不新增 action button。",
"S4.0 只新增 GitHub primary readiness gategithub_primary_ready_count=0不新增 repo / refs / primary switch action。",
"S4.1 只新增 workflow / secret 名稱 inventory 契約workflow_secret_inventory_complete_count=0secret_value_collection_allowed=false不新增 workflow、secret、repo、refs 或 primary switch action。",
"S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidencelocal_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43secret_value_detected=false。"
"S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidencelocal_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43secret_value_detected=false。",
"S4.3 只新增 redacted export request packageexport_request_count=7、export_lane_count=5、write_token_allowed=false不呼叫 API、不收 secret value、不修改 GitHub/Gitea 設定。"
],
"forbidden_actions": [
"start_kali_scan",


@@ -540,18 +540,21 @@
"schema_path": "docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json",
"snapshot_paths": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json"
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md"
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md"
],
"consumer": "AwoooP source-control review / Secret hygiene audit / Operator Console",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_workflow_secret_name_inventory_gap",
"display_missing_inventory_lanes",
"request_redacted_workflow_secret_snapshot"
"request_redacted_workflow_secret_snapshot",
"display_redacted_export_request_lanes"
],
"forbidden_actions": [
"collect_secret_value",
@@ -561,7 +564,7 @@
"sync_refs",
"switch_github_primary"
],
"notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約S4.2 已補 local evidence4 repos、31 workflow files、43 個 referenced secret names仍不保存 secret value。"
"notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約S4.2 已補 local evidence4 repos、31 workflow files、43 個 referenced secret namesS4.3 已補 7 repos / 5 lanes 的 redacted export request仍不保存 secret value。"
},
{
"contract": "local_repo_canonical_probe_v1",


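--- a/docs/security/source-control-workflow-secret-name-export-request.snapshot.json
+++ b/docs/security/source-control-workflow-secret-name-export-request.snapshot.json
@@ -0,0 +1,433 @@
+{
+"schema_version": "source_control_workflow_secret_name_export_request_v1",
+"status": "draft_waiting_owner_export",
+"date": "2026-05-13",
+"mode": "redacted_export_request_only",
+"runtime_execution_authorized": false,
+"source_contract": "source_control_workflow_secret_name_inventory_v1",
+"source_indexes": [
+"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
+"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
+"docs/security/source-control-primary-readiness-gate.snapshot.json",
+"docs/security/security-rollout-policy.snapshot.json"
+],
+"summary": {
+"candidate_repo_count": 8,
+"in_scope_request_count": 7,
+"external_scope_review_count": 1,
+"export_request_count": 7,
+"export_lane_count": 5,
+"webhook_export_request_repo_count": 2,
+"runner_export_request_repo_count": 4,
+"deploy_key_export_request_repo_count": 1,
+"branch_protection_codeowners_export_request_repo_count": 4,
+"repository_secret_name_parity_export_request_repo_count": 7,
+"secret_value_collection_allowed": false,
+"write_token_allowed": false,
+"runtime_actions_authorized": false,
+"action_buttons_allowed": false
+},
+"export_lanes": [
+{
+"lane_id": "webhook_redacted_export_request",
+"title": "Webhook 名稱、目的地 host 與事件類型 redacted export",
+"request_status": "waiting_owner_or_readonly_export",
+"allowed_fields": [
+"provider",
+"webhook_name",
+"destination_host_redacted",
+"event_types",
+"active_enabled_flag",
+"owner",
+"last_updated_metadata"
+],
+"forbidden_fields": [
+"webhook_secret",
+"full_payload_url_with_token",
+"authorization_header",
+"cookie",
+"request_body",
+"secret_value"
+],
+"accepted_producer_modes": [
+"owner_attested_redacted_export",
+"read_only_api_summary",
+"admin_export_after_manual_redaction"
+],
+"acceptance_gate": [
+"每筆 webhook 必須只保留 host 或 redacted URL不得包含 query token。",
+"必須標示 Gitea / GitHub 哪一端在 primary cutover 後負責發 webhook。",
+"若偵測到 secret value 或 token value整份 export 必須進 mirror quarantine。"
+],
+"execution_authorized": false
+},
+{
+"lane_id": "runner_label_owner_export_request",
+"title": "Runner label / executor / hosted minutes 風險 redacted export",
+"request_status": "waiting_owner_or_readonly_export",
+"allowed_fields": [
+"provider",
+"runner_label",
+"runner_scope",
+"executor_type",
+"host_alias",
+"hosted_or_self_hosted",
+"owner",
+"maintenance_window"
+],
+"forbidden_fields": [
+"runner_registration_token",
+"runner_admin_token",
+"ssh_private_key",
+"host_password",
+"api_token"
+],
+"accepted_producer_modes": [
+"owner_attested_redacted_export",
+"read_only_runner_inventory_summary"
+],
+"acceptance_gate": [
+"必須確認 GitHub primary 後哪些 workflow 仍使用 self-hosted runner避免誤用 GitHub hosted minutes。",
+"只保存 label、owner 與 executor metadata不保存 runner token。",
+"若 runner label 無 owner必須保持 primary readiness blocked。"
+],
+"execution_authorized": false
+},
+{
+"lane_id": "deploy_key_redacted_export_request",
+"title": "Deploy key / machine key 名稱與 read-only 狀態 redacted export",
+"request_status": "waiting_owner_or_readonly_export",
+"allowed_fields": [
+"provider",
+"key_name",
+"read_only_flag",
+"repo_scope",
+"owner",
+"last_seen_metadata"
+],
+"forbidden_fields": [
+"private_key",
+"public_key_full_value",
+"token_value",
+"password",
+"credential_value"
+],
+"accepted_producer_modes": [
+"owner_attested_redacted_export",
+"read_only_api_summary",
+"admin_export_after_manual_redaction"
+],
+"acceptance_gate": [
+"只允許列 key 名稱、read-only flag、repo scope 與 owner。",
+"不得保存 private key 或完整 public key material。",
+"write-capable key 必須只標成風險與 owner review不得自動 rotate。"
+],
+"execution_authorized": false
+},
+{
+"lane_id": "branch_protection_codeowners_export_request",
+"title": "Branch protection / required checks / CODEOWNERS redacted export",
+"request_status": "waiting_owner_or_readonly_export",
+"allowed_fields": [
+"provider",
+"protected_branch_name",
+"required_review_count",
+"required_status_check_names",
+"codeowners_path",
+"owner_team_names"
+],
+"forbidden_fields": [
+"team_secret",
+"personal_access_token",
+"admin_override_token",
+"session_cookie"
+],
+"accepted_producer_modes": [
+"owner_attested_redacted_export",
+"read_only_api_summary",
+"local_codeowners_snapshot"
+],
+"acceptance_gate": [
+"必須列出 GitHub primary 前 main/dev branch 的 protection 差異。",
+"required status checks 名稱必須與實際 workflow 或 runner label 對上。",
+"缺 CODEOWNERS 不等於 blocked runtime只代表 primary readiness 未完成。"
+],
+"execution_authorized": false
+},
+{
+"lane_id": "repository_secret_name_parity_export_request",
+"title": "Repository secret 名稱 parity redacted export",
+"request_status": "waiting_owner_or_readonly_export",
+"allowed_fields": [
+"provider",
+"secret_name",
+"secret_scope",
+"owning_team",
+"used_by_workflow_name",
+"rotation_owner",
+"present_in_gitea",
+"present_in_github"
+],
+"forbidden_fields": [
+"secret_value",
+"secret_plaintext",
+"token_value",
+"private_key",
+"credential_value"
+],
+"accepted_producer_modes": [
+"owner_attested_redacted_export",
+"read_only_secret_name_summary",
+"admin_export_after_manual_redaction"
+],
+"acceptance_gate": [
+"只比對 secret 名稱、scope、owner 與 present/absent metadata。",
+"不得輸出 value、hash、partial token 或可還原片段。",
+"缺漏 secret 只建立 owner review lane不自動建立或 rotate secret。"
+],
+"execution_authorized": false
+}
+],
+"repo_export_requests": [
+{
+"repo_key": "awoooi",
+"github_repo": "owenhytsai/awoooi",
+"source_key": "wooo/awoooi",
+"scope_status": "in_scope",
+"risk": "HIGH",
+"request_state": "waiting_owner_export",
+"requested_lanes": [
+"webhook_redacted_export_request",
+"runner_label_owner_export_request",
+"branch_protection_codeowners_export_request",
+"repository_secret_name_parity_export_request"
+],
+"owner_export_required": true,
+"read_only_api_allowed": true,
+"write_api_allowed": false,
+"secret_value_allowed": false,
+"acceptance_notes": [
+"此 repo 是核心產品與 deploy workflow 主線,必須先確認 webhook、runner label、branch protection 與 secret name parity。",
+"若未證明 self-hosted runner owner 與 label 對齊,不可宣告 GitHub primary ready。"
+],
+"still_forbidden": [
+"修改 workflow",
+"rotate secret",
+"sync refs",
+"switch_github_primary"
+]
+},
+{
+"repo_key": "clawbot-v5",
+"github_repo": "owenhytsai/clawbot-v5",
+"source_key": "wooo/clawbot-v5",
+"scope_status": "in_scope",
+"risk": "MEDIUM",
+"request_state": "waiting_owner_export",
+"requested_lanes": [
+"branch_protection_codeowners_export_request",
+"repository_secret_name_parity_export_request"
+],
+"owner_export_required": true,
+"read_only_api_allowed": true,
+"write_api_allowed": false,
+"secret_value_allowed": false,
+"acceptance_notes": [
+"本機 repo 可見但未找到 workflow / CODEOWNERS仍需 owner 確認是否真的不需要 workflow 與 repo secret。",
+"若 GitHub target 另有 private workflow必須用 redacted export 補證。"
+],
+"still_forbidden": [
+"建立 secret",
+"修改 branch protection",
+"push refs",
+"switch_github_primary"
+]
+},
+{
+"repo_key": "wooo-aiops",
+"github_repo": "owenhytsai/wooo-aiops",
+"source_key": "wooo/wooo-aiops",
+"scope_status": "in_scope",
+"risk": "MEDIUM",
+"request_state": "waiting_owner_export",
+"requested_lanes": [
+"webhook_redacted_export_request",
+"runner_label_owner_export_request",
+"repository_secret_name_parity_export_request"
+],
+"owner_export_required": true,
+"read_only_api_allowed": true,
+"write_api_allowed": false,
+"secret_value_allowed": false,
+"acceptance_notes": [
+"S4.2 已看到 workflow 與 CODEOWNERS本階段要補 webhook 與 secret name parity。",
+"若 workflow 使用 hosted runner必須標出費用與額度風險不自動切換 runner。"
+],
+"still_forbidden": [
+"delete GitHub-only refs",
+"修改 webhook",
+"搬移 secret value",
+"switch_github_primary"
+]
+},
+{
+"repo_key": "wooo-infra-config",
+"github_repo": "owenhytsai/wooo-infra-config",
+"source_key": "wooo/wooo-infra-config",
+"scope_status": "in_scope",
+"risk": "MEDIUM",
+"request_state": "waiting_owner_export",
+"requested_lanes": [
+"runner_label_owner_export_request",
+"deploy_key_redacted_export_request",
+"branch_protection_codeowners_export_request",
+"repository_secret_name_parity_export_request"
+],
+"owner_export_required": true,
+"read_only_api_allowed": true,
+"write_api_allowed": false,
+"secret_value_allowed": false,
+"acceptance_notes": [
+"infra repo 只允許輸出 key 名稱、read-only flag 與 owner不允許輸出 key material。",
+"110 internal remote 用途仍需 owner 決策,本 request 不授權改 remote。"
+],
+"still_forbidden": [
+"輸出 private key",
+"搬 infra secret value",
+"刪除 remote",
+"switch_github_primary"
+]
+},
+{
+"repo_key": "ewoooc",
+"github_repo": "owenhytsai/ewoooc",
+"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
+"scope_status": "in_scope",
+"risk": "HIGH",
+"request_state": "waiting_owner_export",
+"requested_lanes": [
+"runner_label_owner_export_request",
+"branch_protection_codeowners_export_request",
+"repository_secret_name_parity_export_request"
+],
+"owner_export_required": true,
+"read_only_api_allowed": true,
+"write_api_allowed": false,
+"secret_value_allowed": false,
+"acceptance_notes": [
+"此 repo 仍有 canonical target 與 unrelated history 風險export request 只用來補 workflow / secret 名稱 evidence。",
+"必須先完成 canonical repo 人工確認,才可談 primary readiness。"
+],
+"still_forbidden": [
+"auto_create_repo",
+"auto_merge_unrelated_histories",
+"搬 secret value",
+"switch_github_primary"
+]
+},
+{
+"repo_key": "bitan-pharmacy",
+"github_repo": "owenhytsai/bitan-pharmacy",
+"source_key": "bitan-pharmacy",
+"scope_status": "in_scope",
+"risk": "MEDIUM",
+"request_state": "waiting_owner_export",
+"requested_lanes": [
+"repository_secret_name_parity_export_request"
+],
+"owner_export_required": true,
+"read_only_api_allowed": true,
+"write_api_allowed": false,
+"secret_value_allowed": false,
+"acceptance_notes": [
+"本機 repo 可見但未找到 workflow先要求 owner 確認是否有 repo secret 或外部 deploy key。",
+"若 repo 不再 active需 owner 在 primary readiness board 標註,不自動封存。"
+],
+"still_forbidden": [
+"auto_create_repo",
+"push refs",
+"搬 secret value",
+"switch_github_primary"
+]
+},
+{
+"repo_key": "tsenyang-website",
+"github_repo": "owenhytsai/tsenyang-website",
+"source_key": "tsenyang-website",
+"scope_status": "in_scope",
+"risk": "MEDIUM",
+"request_state": "waiting_owner_export",
+"requested_lanes": [
+"repository_secret_name_parity_export_request"
+],
+"owner_export_required": true,
+"read_only_api_allowed": true,
+"write_api_allowed": false,
+"secret_value_allowed": false,
+"acceptance_notes": [
+"本機 repo 可見但未找到 workflow先要求 owner 確認是否有 repo secret 或外部 deploy key。",
+"若 repo 不再 active需 owner 在 primary readiness board 標註,不自動封存。"
+],
+"still_forbidden": [
+"auto_create_repo",
+"push refs",
+"搬 secret value",
+"switch_github_primary"
+]
+},
+{
+"repo_key": "open-design",
+"github_repo": "nexu-io/open-design",
+"source_key": "open-design",
+"scope_status": "external_scope_review",
+"risk": "LOW",
+"request_state": "waiting_scope_review",
+"requested_lanes": [],
+"owner_export_required": false,
+"read_only_api_allowed": false,
+"write_api_allowed": false,
+"secret_value_allowed": false,
+"acceptance_notes": [
+"此 repo 目前只做 external scope review不進 AWOOOI GitHub primary cutover queue。",
+"若未來確認納入範圍,必須先建立新的 in-scope approval item。"
+],
+"still_forbidden": [
+"加入 primary cutover queue",
+"修改 repo visibility",
+"sync refs"
+]
+}
+],
+"acceptance_rules": [
+"每份 export 必須標示 producer、collection timestamp、redaction_status 與 evidence_ref。",
+"只讀 API export 只能使用 read-only token若 token 具有 write scope必須停止並改用 owner attestation 或管理匯出後手動脫敏。",
+"任何 secret value、token value、cookie、private key、webhook secret、runner registration token 都必須拒收並進 mirror quarantine。",
+"export request 完成只代表 evidence 可 review不代表 GitHub primary ready。",
+"缺漏欄位只建立 owner review lane不自動修改 repo、workflow、webhook、runner、deploy key、branch protection 或 secret。"
+],
+"redaction_rules": [
+"URL 必須移除 username、password、token 與 query secret只保留 host 或 redacted path。",
+"secret 只能保存名稱、scope、owner、used_by_workflow 與 present/absent metadata。",
+"key 只能保存 key name、read_only_flag、repo_scope、owner不保存 key material。",
+"runner 只能保存 label、scope、executor_type、host_alias、hosted_or_self_hosted 與 owner。",
+"任何可還原 credential 的 hash、prefix、suffix 或 partial token 都不得保存。"
+],
+"forbidden_actions": [
+"collect_secret_value",
+"store_secret_token_cookie_private_key_or_webhook_secret",
+"use_write_token",
+"call_runtime_execute",
+"modify_workflow",
+"modify_webhook",
+"modify_runner",
+"modify_deploy_key",
+"modify_branch_protection",
+"create_or_rotate_secret",
+"create_github_repo",
+"change_repo_visibility",
+"sync_git_refs",
+"switch_github_primary",
+"disable_gitea",
+"add_action_button"
+]
+}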
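Review bot: The per-repo `still_forbidden` arrays mix free-text phrases with snake_case identifiers — the awoooi entry lists `"修改 workflow"`, `"rotate secret"` and `"sync refs"` next to `"switch_github_primary"`, and every other repo entry does the same — while the file-level `forbidden_actions` array uses only identifiers such as `modify_workflow`, `create_or_rotate_secret` and `sync_git_refs`, so a consumer cannot validate the per-repo lists against the same closed enum and `"sync refs"` will never match `"sync_git_refs"`. Each entry should use the identifiers already defined in `forbidden_actions` (for awoooi: `"modify_workflow"`, `"create_or_rotate_secret"`, `"sync_git_refs"`, `"switch_github_primary"`), with any repo-specific wording kept in `acceptance_notes` instead. Separately, `acceptance_rules` requires every received export to carry producer, collection timestamp, redaction_status and evidence_ref, but neither the lanes nor the repo entries have a slot to record a received export, so the transition out of `waiting_owner_export` is presumably left to a later contract; a short note naming where that evidence will be recorded would make the intended lifecycle explicit.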


@@ -7,6 +7,7 @@
"source_indexes": [
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/github-target-decision.snapshot.json",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/source-control-reconcile-plan.snapshot.json",
@@ -411,6 +412,7 @@
"任何 raw secret、token、cookie、private key、webhook secret 或 credential value 都必須被拒收並進 quarantine。",
"此 inventory 完成前GitHub primary readiness gate 必須維持 blocked。",
"S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence但 webhook、deploy key、branch protection 與 repository secret parity 仍未完成。",
"S4.3 已補 redacted export request package將 webhook、runner、deploy key、branch protection/CODEOWNERS 與 repository secret name parity 的 owner / read-only export 欄位、拒收欄位與 acceptance gate 文件化;它仍不是 API 執行或 primary cutover 批准。",
"inventory snapshot 只能 mirror 成 Operator Console / Audit evidence不得新增 execution action。"
],
"forbidden_actions": [