diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index a5a51532..1e492fba 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,35 @@ +## 2026-05-13 | 資安供應鏈 S4.3:Workflow / Secret 名稱 Redacted Export Request + +**背景**:S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence,但 webhook、runner owner、deploy key、branch protection / required checks、repository secret name parity 還不能靠本機 working tree 完成。為了維持低摩擦,本輪只建立 redacted export request package,不呼叫 GitHub/Gitea API、不使用 token、不修改任何 repo 設定。 + +**完成**: +- 新增 `docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json`。 +- 新增 `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md`。 +- 定義 7 個 in-scope repos 的 owner / read-only export request。 +- 定義 5 類 export lanes:webhook、runner label / hosted minutes 風險、deploy key、branch protection / CODEOWNERS、repository secret name parity。 +- 明確標示 `secret_value_collection_allowed=false`、`write_token_allowed=false`、`runtime_actions_authorized=false`、`action_buttons_allowed=false`。 +- 更新 `source_control_workflow_secret_name_inventory_v1`、manifest、mirror readiness、status rollup、AwoooP checklist、handoff 與 progress,使 AwoooP 能顯示 S4.3 request 而不新增 execution action。 + +**仍未完成**: +- 實際 webhook redacted export。 +- 實際 runner owner / self-hosted vs hosted runner inventory。 +- 實際 deploy key / machine key redacted export。 +- 實際 branch protection / required status checks redacted export。 +- 實際 repository secret name parity redacted export。 +- GitHub primary rollback ADR 與逐 repo owner approval。 + +**仍禁止**: +- 不收集、不保存、不搬移 secret value、token value、cookie、private key、webhook secret、runner registration token。 +- 不使用 write token。 +- 不修改 workflow、webhook、runner、deploy key、branch protection 或 repo secret。 +- 不建立 GitHub repo、不 sync refs、不切 GitHub primary、不停用 Gitea。 + +**驗證**: +- JSON 全量 parse 通過:79 個 JSON files。 +- S4.3 assertion 通過:7 個 in-scope export requests、5 類 export lanes、34-contract graph unchanged。 +- `git diff --check` 通過。 +- 敏感字串掃描確認本輪未保存 Kali SSH 密碼、常見 token pattern、private key 
material,也未出現 runtime / write / secret value 授權被打開。 + ## 2026-05-13 | 資安供應鏈 S4.2:Workflow / Secret 名稱 Local Evidence **背景**:S4.1 已建立 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate,但仍停在 contract-only。為了維持低摩擦並避免一開始拉高資安限制,本輪只補本機可見 working tree 的 read-only / redacted evidence,不呼叫 GitHub/Gitea API、不讀 `.env`、不讀 secret store、不保存 secret value。 diff --git a/docs/schemas/security_mirror_status_rollup_v1.schema.json b/docs/schemas/security_mirror_status_rollup_v1.schema.json index faf39846..962354e8 100644 --- a/docs/schemas/security_mirror_status_rollup_v1.schema.json +++ b/docs/schemas/security_mirror_status_rollup_v1.schema.json @@ -73,6 +73,9 @@ "workflow_secret_inventory_local_evidence_repo_count", "workflow_secret_inventory_local_workflow_file_count", "workflow_secret_inventory_unique_secret_name_count", + "workflow_secret_inventory_export_request_count", + "workflow_secret_inventory_export_lane_count", + "workflow_secret_inventory_write_token_allowed", "secret_value_collection_allowed", "secret_value_detected", "pending_approval_count", @@ -150,6 +153,18 @@ "type": "integer", "minimum": 0 }, + "workflow_secret_inventory_export_request_count": { + "type": "integer", + "minimum": 0 + }, + "workflow_secret_inventory_export_lane_count": { + "type": "integer", + "minimum": 0 + }, + "workflow_secret_inventory_write_token_allowed": { + "type": "boolean", + "const": false + }, "secret_value_collection_allowed": { "type": "boolean", "const": false diff --git a/docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json b/docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json new file mode 100644 index 00000000..d48afd88 --- /dev/null +++ b/docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json 
@@ -0,0 +1,220 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "urn:awoooi:source-control-workflow-secret-name-export-request-v1",
+ "title": "Source Control Workflow / Secret Name Export Request v1",
+ "description": "定義 S4.3 後續需要 owner 或只讀 API 補齊的 workflow / webhook / runner / deploy key / branch protection / secret 名稱 redacted export request。此 schema 只允許名稱與 metadata,不允許 secret value。",
+ "type": "object",
+ "required": [
+ "schema_version",
+ "status",
+ "date",
+ "mode",
+ "runtime_execution_authorized",
+ "source_contract",
+ "source_indexes",
+ "summary",
+ "export_lanes",
+ "repo_export_requests",
+ "acceptance_rules",
+ "redaction_rules",
+ "forbidden_actions"
+ ],
+ "properties": {
+ "schema_version": {
+ "const": "source_control_workflow_secret_name_export_request_v1"
+ },
+ "status": {
+ "type": "string",
+ "enum": ["draft_waiting_owner_export"]
+ },
+ "date": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "string",
+ "enum": ["redacted_export_request_only"]
+ },
+ "runtime_execution_authorized": {
+ "type": "boolean",
+ "const": false
+ },
+ "source_contract": {
+ "type": "string",
+ "const": "source_control_workflow_secret_name_inventory_v1"
+ },
+ "source_indexes": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "summary": {
+ "type": "object",
+ "required": [
+ "candidate_repo_count",
+ "in_scope_request_count",
+ "external_scope_review_count",
+ "export_request_count",
+ "export_lane_count",
+ "webhook_export_request_repo_count",
+ "runner_export_request_repo_count",
+ "deploy_key_export_request_repo_count",
+ "branch_protection_codeowners_export_request_repo_count",
+ "repository_secret_name_parity_export_request_repo_count",
+ "secret_value_collection_allowed",
+ "write_token_allowed",
+ "runtime_actions_authorized",
+ "action_buttons_allowed"
+ ],
+ "properties": {
+ "candidate_repo_count": {"type": "integer", "minimum": 0},
+ "in_scope_request_count": {"type": "integer", "minimum": 0},
+ "external_scope_review_count": {"type": "integer", "minimum": 0},
+ "export_request_count": {"type": "integer", "minimum": 0},
+ "export_lane_count": {"type": "integer", "minimum": 0},
+ "webhook_export_request_repo_count": {"type": "integer", "minimum": 0},
+ "runner_export_request_repo_count": {"type": "integer", "minimum": 0},
+ "deploy_key_export_request_repo_count": {"type": "integer", "minimum": 0},
+ "branch_protection_codeowners_export_request_repo_count": {"type": "integer", "minimum": 0},
+ "repository_secret_name_parity_export_request_repo_count": {"type": "integer", "minimum": 0},
+ "secret_value_collection_allowed": {"type": "boolean", "const": false},
+ "write_token_allowed": {"type": "boolean", "const": false},
+ "runtime_actions_authorized": {"type": "boolean", "const": false},
+ "action_buttons_allowed": {"type": "boolean", "const": false}
+ },
+ "additionalProperties": false
+ },
+ "export_lanes": {
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "required": [
+ "lane_id",
+ "title",
+ "request_status",
+ "allowed_fields",
+ "forbidden_fields",
+ "accepted_producer_modes",
+ "acceptance_gate",
+ "execution_authorized"
+ ],
+ "properties": {
+ "lane_id": {"type": "string"},
+ "title": {"type": "string"},
+ "request_status": {
+ "type": "string",
+ "enum": ["waiting_owner_or_readonly_export"]
+ },
+ "allowed_fields": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "forbidden_fields": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "accepted_producer_modes": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "acceptance_gate": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "execution_authorized": {
+ "type": "boolean",
+ "const": false
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "repo_export_requests": {
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "required": [
+ "repo_key",
+ "github_repo",
+ "source_key",
+ "scope_status",
+ "risk",
+ "request_state",
+ "requested_lanes",
+ "owner_export_required",
+ "read_only_api_allowed",
+ "write_api_allowed",
+ "secret_value_allowed",
+ "acceptance_notes",
+ "still_forbidden"
+ ],
+ "properties": {
+ "repo_key": {"type": "string"},
+ "github_repo": {"type": "string"},
+ "source_key": {"type": "string"},
+ "scope_status": {
+ "type": "string",
+ "enum": ["in_scope", "external_scope_review"]
+ },
+ "risk": {
+ "type": "string",
+ "enum": ["LOW", "MEDIUM", "HIGH"]
+ },
+ "request_state": {
+ "type": "string",
+ "enum": [
+ "waiting_owner_export",
+ "waiting_scope_review"
+ ]
+ },
+ "requested_lanes": {
+ "type": "array",
+ "items": {"type": "string"}
+ },
+ "owner_export_required": {"type": "boolean"},
+ "read_only_api_allowed": {"type": "boolean"},
+ "write_api_allowed": {
+ "type": "boolean",
+ "const": false
+ },
+ "secret_value_allowed": {
+ "type": "boolean",
+ "const": false
+ },
+ "acceptance_notes": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "still_forbidden": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false
+ }
+ },
+ "acceptance_rules": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "redaction_rules": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "forbidden_actions": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false
+}
diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
index f477c452..667a1c5d 100644
--- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
+++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
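Review bot: In `repo_export_requests.items` the `scope_status` and `request_state` enums are declared independently, so a repo can validate as `in_scope` while `waiting_scope_review` (or `external_scope_review` while `waiting_owner_export`), and `requested_lanes` has no `minItems`, so an in-scope request with zero lanes also passes; since the file declares draft 2020-12, an `allOf` of `if`/`then` pairs on the item schema closes both gaps without changing any key. `requested_lanes` is also not checked against `export_lanes[].lane_id` — JSON Schema cannot express that reference, so it presumably lives in the S4.3 assertion script the logbook mentions, but `"uniqueItems": true` belongs here and, if the five lane ids are fixed in the snapshot, an `enum` on `requested_lanes.items` would stop a request naming an undefined lane. `allowed_fields` / `forbidden_fields` are free-form strings, so the redaction boundary in this schema is documentary only; the schema that eventually accepts the exported payloads is where a closed property set derived from each lane's `allowed_fields` (with `additionalProperties: false`) has to be enforced. `date` could take `"format": "date"`, noting that `format` is annotation-only unless the validator enables format assertions.
```json
      "additionalProperties": false,
      "allOf": [
        {
          "if": { "properties": { "scope_status": { "const": "in_scope" } } },
          "then": {
            "properties": {
              "request_state": { "const": "waiting_owner_export" },
              "requested_lanes": { "minItems": 1, "uniqueItems": true }
            }
          }
        },
        {
          "if": { "properties": { "scope_status": { "const": "external_scope_review" } } },
          "then": { "properties": { "request_state": { "const": "waiting_scope_review" } } }
        }
      ]
```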
@@ -54,7 +54,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff,不 fetch、不 push、不刪 refs | | `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類與人工判定隊列,不執行 sync/delete | | `source_control_primary_readiness_gate_v1` | GitHub primary readiness / parity gate | Source-control review、Operator Console、Audit | approval-only | 只顯示 primary blockers、parity gates、rollback ADR 缺口;目前 `primary_ready_count=0` | -| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口與 S4.2 local evidence;目前 `inventory_complete_count=0`,不得保存 secret value | +| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口、S4.2 local evidence 與 S4.3 redacted export request;目前 `inventory_complete_count=0`,不得保存 secret value | | `local_repo_canonical_probe_v1` | 本機 working tree lineage 比對 | Canonical decision evidence | mirror-only | 不自動合併、不自動建 repo、不刪除 | | `git_remote_refs_probe_v1` | 指定 repo remote refs read-only probe | Source readiness evidence | mirror-only | 不 fetch、不 push、不自動 mirror | | `approval_required_event_v1` | 上述事件的高風險 gate | Approval queue、Audit | approval-only | `blocked_until_approved=true` | 
@@ -100,7 +100,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `security_approval_state_transition_v1.mode=approval_state_transition_only` | `observe` | 顯示 5 個 decision options 的 next state;不得把 transition 當 execution authorization | | `security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only` | `observe` | 顯示 8 個後續 runtime gate 準備模板、0 個 active runtime gates;不得新增 action button | | `source_control_primary_readiness_gate_v1.status=draft_blocked` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;不得切 primary | -| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、S4.2 local evidence 4 repos / 31 workflows / 43 referenced secret names、0 個 complete;不得收集 secret value、不得修改 workflow | +| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、S4.2 local evidence 4 repos / 31 workflows / 43 referenced secret names、S4.3 export request 7 repos / 5 lanes、0 個 complete;不得收集 secret value、不得修改 workflow | | `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 34 個 contracts 的 readiness;不得把 readiness 當 execution authorization | | `security_mirror_intake_plan_v1.status=draft` | `observe` | 顯示 5 個 intake waves 與 4 個 acceptance gates;不得執行 wave | | `security_mirror_event_v1.execution_authorized=false` | `observe` | 只包裝鏡像 payload,明確不授權執行、不顯示執行按鈕 | 
@@ -172,6 +172,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | Source Control GitHub primary readiness gate | `docs/security/source-control-primary-readiness-gate.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` | | Source Control workflow / secret name inventory | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` | | Source Control workflow / secret name local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` | +| Source Control workflow / secret name export request | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` | | Kali 112 integration status | `docs/security/kali-integration-status.snapshot.json` / `docs/security/KALI-INTEGRATION-STATUS.md` | | Security finding contract | `docs/security/security-finding-kali-sample.snapshot.json` / `docs/security/SECURITY-FINDING-CONTRACT.md` | | Kali scan scope approval package | `docs/security/kali-scan-scope-approval.snapshot.json` / `docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` | diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index f1407f13..c988f969 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md 
@@ -219,7 +219,9 @@ Snapshot:`docs/security/source-control-workflow-secret-name-inventory.snapshot S4.2 local evidence:已新增本機只讀 collector 與 snapshot,7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、5 個 runner labels、`secret_value_detected=false`。webhook、deploy key、branch protection 與 repository secret parity 仍需後續 redacted evidence。 -AwoooP 初期處理方式:只顯示 inventory lane 缺口、S4.2 local evidence、要求 redacted snapshot 與人工 review;不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary。 +S4.3 export request:已新增 `source_control_workflow_secret_name_export_request_v1` supporting schema、snapshot 與人讀版;7 個 in-scope repos、5 類 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity。`write_token_allowed=false`、`secret_value_collection_allowed=false`。 + +AwoooP 初期處理方式:只顯示 inventory lane 缺口、S4.2 local evidence、S4.3 export request、要求 redacted snapshot 與人工 review;不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary。 ### `security_mirror_readiness_v1` @@ -649,7 +651,7 @@ Schema:`docs/schemas/approval_required_event_v1.schema.json` - `github_target_repo_approval_package_v1` 進來後,AwoooP 回傳逐 repo approval queue draft,不阻擋 read-only evidence。 - `security_rollout_policy_v1` 進來後,AwoooP 回傳 observe / warn / approve_required 建議,不做 enforcement。 - `security_supply_chain_contract_manifest_v1` 進來後,AwoooP 回傳可消費 contract 清單,不新增 execution router。 -- `source_control_workflow_secret_name_inventory_v1` 進來後,AwoooP 回傳缺哪些 redacted workflow / secret name evidence,不收集 secret value、不修改 workflow。 +- `source_control_workflow_secret_name_inventory_v1` 進來後,AwoooP 回傳缺哪些 redacted workflow / secret name evidence,並顯示 S4.3 export request 的 webhook / runner / deploy key / branch protection / repository secret parity lanes;不收集 secret value、不修改 workflow。 ### Phase S3:Approval Gate 
@@ -704,7 +706,7 @@ Console 初期不提供高風險執行按鈕。 10. Approval queue 可容納 `github_target_decision_v1` 與 `github_target_repo_approval_package_v1`,但不得直接建立 repo 或改 visibility。 11. Read-only policy 可容納 `security_rollout_policy_v1`,但初期不得把它變成 runtime blocking rule。 12. Contract registry 可容納 `security_supply_chain_contract_manifest_v1`,但初期不得把它變成 direct tool router。 -13. Source-control review 可容納 `source_control_workflow_secret_name_inventory_v1`,但只能顯示 workflow / secret 名稱缺口,不得收集 value 或修改 workflow。 +13. Source-control review 可容納 `source_control_workflow_secret_name_inventory_v1` 與 S4.3 redacted export request,但只能顯示 workflow / secret 名稱缺口、owner export lanes 與 hosted runner 額度風險,不得收集 value 或修改 workflow。 ## 7. Security Supply Chain Session 下一步 
@@ -793,6 +795,8 @@ Console 初期不提供高風險執行按鈕。 2026-05-13 S4.2 workflow / secret name local evidence 追加:已新增 `scripts/security/source-control-workflow-secret-name-local-inventory.py`、`docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json`、`docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md`。本輪只從本機 working tree 的 `.github/workflows`、`.gitea/workflows` 與 CODEOWNERS 萃取名稱級 metadata:7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、`secret_value_detected=false`;不得視為 GitHub primary ready。 +2026-05-13 S4.3 workflow / secret name redacted export request 追加:已新增 `docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json`、`docs/security/source-control-workflow-secret-name-export-request.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md`。本輪只定義 7 個 in-scope repos、5 類 export lanes 的 owner / read-only export 欄位與拒收規則:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;`write_token_allowed=false`、`secret_value_collection_allowed=false`,不得呼叫 API 或修改 GitHub/Gitea。 + 2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json`、`docs/security/kali-integration-status.snapshot.json` 與 `docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up;已 targeted update `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence,但不得直接啟動 scan、credentialed scan 或 `/execute`。 本波仍不做: 
@@ -855,6 +859,8 @@ Console 初期不提供高風險執行按鈕。 - [source_control_workflow_secret_name_inventory_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-inventory.snapshot.json) - [Source Control workflow / secret name local evidence](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md) - [source_control_workflow_secret_name_local_evidence_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json) +- [Source Control workflow / secret name redacted export request](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md) +- [source_control_workflow_secret_name_export_request_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-export-request.snapshot.json) - [source-control workflow / secret name local collector](/Users/ogt/awoooi/scripts/security/source-control-workflow-secret-name-local-inventory.py) - [本機 repo canonical lineage snapshot](/Users/ogt/awoooi/docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md) - [local_repo_canonical_probe_v1 snapshot](/Users/ogt/awoooi/docs/security/local-repo-canonical-ewoooc-momo.snapshot.json) 
@@ -888,6 +894,7 @@ Console 初期不提供高風險執行按鈕。 - [source_control_ref_truth_classification_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_classification_v1.schema.json) - [source_control_workflow_secret_name_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json) - [source_control_workflow_secret_name_local_evidence_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json) +- [source_control_workflow_secret_name_export_request_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json) - [local_repo_canonical_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/local_repo_canonical_probe_v1.schema.json) - [git_remote_refs_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/git_remote_refs_probe_v1.schema.json) - [approval_required_event_v1 schema](/Users/ogt/awoooi/docs/schemas/approval_required_event_v1.schema.json) diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md index 41dcc9f3..0181897f 100644 --- a/docs/security/SECURITY-MIRROR-READINESS.md +++ b/docs/security/SECURITY-MIRROR-READINESS.md 
@@ -81,7 +81,7 @@ AwoooP 可以將 ready / partial contracts mirror 到: 13. 再 mirror `security_approval_state_transition_v1`,只顯示決策後 next state 與 follow-up runtime gate。 14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement。 15. 再 mirror `source_control_primary_readiness_gate_v1`,只顯示 GitHub primary parity、owner、rollback 與人工批准缺口。 -16. 再 mirror `source_control_workflow_secret_name_inventory_v1` 與 S4.2 local evidence,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names,不保存 secret value。 +16. 再 mirror `source_control_workflow_secret_name_inventory_v1`、S4.2 local evidence 與 S4.3 redacted export request,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names,export request 有 7 個 repos、5 類 lanes,不保存 secret value。 17. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 18. 最後再 mirror source-control 其他 contracts。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 7226649b..bd821474 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md 
@@ -28,7 +28,7 @@ | State transitions | S3.3 已建立;5 個 decision options 都有 next state,且都不授權執行 | | Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates | | GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | -| Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;0 個 inventory complete、禁止收集 secret value | +| Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;0 個 inventory complete、禁止收集 secret value、禁止 write token | | Dry-run | `contract_defined_not_executed` | | Runtime actions | `false` | | Payload ingestion | `false` | @@ -61,6 +61,6 @@ 4. GitHub target / owner / visibility / canonical。 5. Kali `/execute` 維持 block candidate。 6. GitHub primary readiness blockers 與 rollback ADR 缺口。 -7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence,再補 webhook / deploy key / branch protection / repository secret parity;只保存名稱與 owner,不保存 value。 +7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence,再依 S4.3 redacted export request 補 webhook / runner / deploy key / branch protection / repository secret parity;只保存名稱與 owner,不保存 value,不使用 write token。 任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence,不得由本 rollup 自動觸發。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md index 89d27273..42321089 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md 
@@ -49,7 +49,7 @@ | `source_control_ref_detail_diff_v1` | mirror-only | refs-blocked repo 的 branch/tag 明細 diff | `source-control-ref-detail-diff.snapshot.json` | | `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類 | `source-control-ref-truth-classification.snapshot.json` | | `source_control_primary_readiness_gate_v1` | approval-only | GitHub primary readiness / parity gate | `source-control-primary-readiness-gate.snapshot.json` | -| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.2 已補 local evidence | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` | +| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.2 已補 local evidence,S4.3 已補 redacted export request | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` / `source-control-workflow-secret-name-export-request.snapshot.json` | | `local_repo_canonical_probe_v1` | mirror-only | momo/ewoooc lineage evidence | `local-repo-canonical-ewoooc-momo.snapshot.json` | | `git_remote_refs_probe_v1` | mirror-only | 110 / GitHub remote refs readiness | `bitan-tsenyang`、`wooo-infra-config` | | `approval_required_event_v1` | approval-only | 高風險 / 敏感邊界 approval | `gitea-readonly-inventory-approval.snapshot.json` | 
@@ -59,7 +59,7 @@ 1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`。 2. 再讀本 manifest,取得可消費 contract 與禁止動作。 3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。 -4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / workflow-secret name inventory gate。 +4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / workflow-secret name inventory gate / redacted export request display。 5. 不新增執行按鈕,不做 runtime enforcement。 ## 3. 永久禁止 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 6e288597..76b568d3 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md 
@@ -4,7 +4,7 @@ |------|------| | 日期 | 2026-05-13 | | 狀態 | S0/S1 read-only evidence 建置中 | -| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 | +| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 
@@ -41,6 +41,7 @@ | S4.0 GitHub primary readiness gate | 完成草案 | `source_control_primary_readiness_gate_v1` 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | AwoooP 可顯示 parity、owner、rollback ADR 缺口,不可切 primary | | S4.1 Workflow / Secret 名稱 inventory 契約 | 完成草案 | `source_control_workflow_secret_name_inventory_v1` 已建立;8 個 candidate repos、7 個 in-scope repos 尚缺實際 inventory、0 個 complete、禁止收集 secret value | AwoooP 可顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱缺口,不可修改 workflow 或 secret | | S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot;7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence;仍不可切 primary | +| S4.3 Workflow / Secret 名稱 redacted export request | 完成草案 | 已建立 export request schema / snapshot / 人讀版;7 個 in-scope repos、5 類 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;write token allowed=false | repo owner 或未來只讀 API 依 request 補 redacted export;仍不可收 secret value、不可修改 GitHub/Gitea | | S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR | ## 1. 已建立的主要 evidence 
@@ -76,6 +77,8 @@ | Source Control workflow / secret name local evidence | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` | | Source Control workflow / secret name local evidence JSON | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` | | Source Control workflow / secret name local collector | `scripts/security/source-control-workflow-secret-name-local-inventory.py` | +| Source Control workflow / secret name export request | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` | +| Source Control workflow / secret name export request JSON | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` | | Kali 112 integration status | `docs/security/KALI-INTEGRATION-STATUS.md` | | Kali 112 integration status JSON | `docs/security/kali-integration-status.snapshot.json` | | Security finding contract | `docs/security/SECURITY-FINDING-CONTRACT.md` | 
@@ -139,6 +142,6 @@ 3. 依 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。 4. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。 5. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。 -6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。 +6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 workflow / secret inventory 需同時顯示 S4.3 redacted export request。 7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 -8. 
AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers、workflow / secret 名稱 inventory 缺口與 blocked reason,不新增 execution router。 +8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 diff --git a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md new file mode 100644 index 00000000..d13f15c3 --- /dev/null +++ b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md 
@@ -0,0 +1,79 @@ +# Workflow / Secret 名稱 Redacted Export Request + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-05-13 | +| 狀態 | 草案,等待 owner / read-only export | +| Schema | `docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json` | +| Snapshot | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` | +| 來源契約 | `source_control_workflow_secret_name_inventory_v1` | +| 模式 | `redacted_export_request_only` | +| runtime 執行授權 | `false` | + +## 0. 核心結論 + +S4.3 把 S4.2 還缺的控制面 evidence 拆成可交接的 redacted export request。 + +這不是 API 執行、不是 GitHub primary cutover、也不是 workflow / secret 修改。它只是告訴 repo owner 或未來只讀匯出工具:每個 repo 要補哪些欄位、哪些欄位可以保存、哪些敏感值必須拒收。 + +## 1. 摘要 + +| 指標 | 數量 | +|------|------| +| Candidate repos | 8 | +| In-scope export requests | 7 | +| External scope review | 1 | +| Export lanes | 5 | +| Webhook export request repos | 2 | +| Runner export request repos | 4 | +| Deploy key export request repos | 1 | +| Branch protection / CODEOWNERS export request repos | 4 | +| Repository secret name parity export request repos | 7 | +| Secret value collection allowed | `false` | +| Write token allowed | `false` | +| Runtime actions authorized | `false` | + +## 2. Export Lanes + +| Lane | 可保存 | 禁止保存 | +|------|--------|----------| +| Webhook | provider、webhook name、redacted host、event types、enabled flag、owner | webhook secret、含 token URL、header、cookie、body | +| Runner | runner label、scope、executor type、host alias、self-hosted / hosted、owner | registration token、admin token、SSH key、host password | +| Deploy key | key name、read-only flag、repo scope、owner、last seen metadata | private key、完整 public key、token、password | +| Branch protection / CODEOWNERS | protected branch、required checks、review count、CODEOWNERS path、owner teams | team secret、PAT、admin override token | +| Repository secret names | secret name、scope、owner、used by workflow、present in Gitea / GitHub | secret value、plaintext、token、private key、credential value | + +## 3. 
Repo Request + +| Repo | Request state | Requested lanes | +|------|---------------|-----------------| +| `owenhytsai/awoooi` | waiting owner export | webhook、runner、branch protection / CODEOWNERS、repository secret name parity | +| `owenhytsai/clawbot-v5` | waiting owner export | branch protection / CODEOWNERS、repository secret name parity | +| `owenhytsai/wooo-aiops` | waiting owner export | webhook、runner、repository secret name parity | +| `owenhytsai/wooo-infra-config` | waiting owner export | runner、deploy key、branch protection / CODEOWNERS、repository secret name parity | +| `owenhytsai/ewoooc` | waiting owner export | runner、branch protection / CODEOWNERS、repository secret name parity | +| `owenhytsai/bitan-pharmacy` | waiting owner export | repository secret name parity | +| `owenhytsai/tsenyang-website` | waiting owner export | repository secret name parity | +| `nexu-io/open-design` | waiting scope review | 不進 AWOOOI primary cutover queue | + +## 4. AwoooP 可做 + +1. 顯示每個 repo 等待哪一類 redacted export。 +2. 顯示 owner export / read-only API export 的 acceptance gate。 +3. 顯示 GitHub hosted runner 可能造成額度消耗的 review lane。 +4. 把完成的 redacted export 作為 Audit evidence 等待人工審查。 +5. 若 payload 含敏感值,送進 mirror quarantine。 + +## 5. AwoooP 不可做 + +1. 不呼叫 write API。 +2. 不顯示或保存 secret value、token value、cookie、private key、webhook secret、runner registration token。 +3. 不修改 workflow、webhook、runner、deploy key、branch protection 或 secret。 +4. 不建立 GitHub repo、不 sync refs、不切 GitHub primary。 +5. 不把 export request 當成已批准或已完成的 evidence。 + +## 6. 階段定位 + +S4.1 建立 inventory gate,S4.2 補本機 workflow / CODEOWNERS / referenced secret name evidence,S4.3 補「下一步匯出請求包」。 + +這仍然是低摩擦框架期:先把資料責任、欄位邊界與拒收規則定清楚,避免後續真的接 owner export 或只讀 API 時誤收秘密值、誤用 write token,或誤把資料補齊當成主控切換批准。 diff --git a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md index 9fcd2fcf..ec2101b8 100644 --- a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md 
+++ b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md @@ -7,6 +7,7 @@ | Schema | `docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json` | | Snapshot | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` | | Local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` | +| Export request | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` | | 模式 | `inventory_contract_only` | | runtime 執行授權 | `false` | @@ -20,6 +21,8 @@ S4.2 已補本機可見 evidence:4 個 repos 有 workflow / CODEOWNERS evidence、31 個 workflow files、43 個 referenced secret names、5 個 runner labels。這只是 local partial evidence,仍不代表 GitHub primary ready。 +S4.3 已補 redacted export request package:7 個 in-scope repos 需要 owner / read-only export,5 類 export lanes 包含 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;所有 export 都禁止 secret value 與 write token。 + ## 1. 目前狀態 | 指標 | 數量 | @@ -33,6 +36,8 @@ S4.2 已補本機可見 evidence:4 個 repos 有 workflow / CODEOWNERS evidenc | Local evidence repos | 4 | | Local workflow files | 31 | | Local referenced secret names | 43 | +| Redacted export request repos | 7 | +| Redacted export lanes | 5 | ## 2. Inventory Lanes @@ -54,6 +59,7 @@ S4.2 已補本機可見 evidence:4 個 repos 有 workflow / CODEOWNERS evidenc 4. 對缺資料 repo 顯示 owner review lane。 5. 將失敗或含敏感值 payload 交給 mirror quarantine。 6. 顯示 S4.2 本機 evidence 與仍缺的 API / export lanes。 +7. 顯示 S4.3 export request 的欄位清單、拒收欄位與 acceptance gate。 ## 4. AwoooP 不可做 
@@ -71,4 +77,6 @@ S4.1 讓 GitHub primary readiness 的「workflow / secret 名稱 parity」缺口 S4.2 讓本機可見 workflow / CODEOWNERS / referenced secret names 先形成 partial evidence。 -這仍是低摩擦框架期:只定義欄位、只顯示缺口、只留痕,不碰任何實際 secret 或發版流程。webhook、deploy key、branch protection 與 repository secret parity 仍需要後續 redacted export 或 read-only API evidence。 +S4.3 讓後續 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret parity 的 owner / read-only export 有明確的欄位、拒收規則與驗收 gate。 + +這仍是低摩擦框架期:只定義欄位、只顯示缺口、只留痕,不碰任何實際 secret 或發版流程。後續即使取得 redacted export,也只代表 evidence 可 review,不代表 GitHub primary ready。 diff --git a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md index 20c032cd..792c06a6 100644 --- a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md +++ b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md @@ -18,6 +18,8 @@ S4.2 先補本機可見 working tree 的只讀 workflow / secret 名稱 evidence 這仍不代表 GitHub primary ready。webhook、deploy key、branch protection 與 repository secret parity 還需要後續 redacted export 或 read-only API evidence。 +S4.3 已把這些後續缺口整理成 redacted export request,並額外納入 runner owner / GitHub hosted minutes 風險 lane;仍禁止 write token 與 secret value。 + ## 1. 摘要 | 指標 | 數量 | 
@@ -61,10 +63,11 @@ S4.2 先補本機可見 working tree 的只讀 workflow / secret 名稱 evidence ## 4. 仍需補齊 1. Gitea / GitHub webhook inventory:只列 destination host、event types、enabled flag,不保存 webhook secret。 -2. Deploy key / machine key inventory:只列 key name、read-only flag、owner,不保存 private key。 -3. Branch protection inventory:只列 protected branch、required status checks、review count。 -4. Repository secret parity:只比對 secret 名稱與 owner,不輸出 value。 -5. 逐 repo owner review:確認本機可見 workflow 是否為 canonical,尤其是 `ewoooc` / `momo-pro-system`。 +2. Runner owner / hosted minutes 風險 inventory:只列 label、executor、self-hosted / hosted、owner,不保存 registration token。 +3. Deploy key / machine key inventory:只列 key name、read-only flag、owner,不保存 private key。 +4. Branch protection inventory:只列 protected branch、required status checks、review count。 +5. Repository secret parity:只比對 secret 名稱與 owner,不輸出 value。 +6. 逐 repo owner review:確認本機可見 workflow 是否為 canonical,尤其是 `ewoooc` / `momo-pro-system`。 ## 5. 永久禁止 diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json index 71560f6d..efd737a5 100644 --- a/docs/security/security-mirror-readiness.snapshot.json +++ b/docs/security/security-mirror-readiness.snapshot.json 
@@ -335,13 +335,15 @@
 "execution_allowed": false,
 "snapshot_paths": [
 "docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
- "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json"
+ "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
+ "docs/security/source-control-workflow-secret-name-export-request.snapshot.json"
 ],
 "human_docs": [
 "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
- "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md"
+ "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
+ "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md"
 ],
- "notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;S4.2 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names;secret_value_collection_allowed=false。"
+ "notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;S4.2 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names;S4.3 export request 有 7 個 repos、5 類 export lanes;secret_value_collection_allowed=false。"
 },
 {
 "contract": "local_repo_canonical_probe_v1",
diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json
index cc9f48a3..83f63880 100644
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
@@ -22,6 +22,7 @@
 "docs/security/source-control-primary-readiness-gate.snapshot.json",
 "docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
 "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
+ "docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
 "docs/security/security-rollout-policy.snapshot.json"
 ],
 "summary": {
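Review bot: The new `notes` string hand-duplicates counts ("7 個 repos、5 類 export lanes") that the export-request snapshot's `summary` already carries as structured fields, so a later re-count updates one place and leaves this prose stale — the S4.2 figures (4 / 31 / 43) are already repeated the same way here. The same pattern recurs in the status-rollup `current_result` string, the added S4.3 rollout-policy sentence and the manifest `notes` in the following hunks. A consumer cannot validate numbers embedded in prose; keeping `notes` to the qualitative statement and naming the structured source, e.g. `"notes": "…;S4.3 export request 數量見 export-request snapshot 的 summary.export_request_count / summary.export_lane_count;secret_value_collection_allowed=false。"`, would keep a single authoritative count.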
@@ -42,6 +43,9 @@
 "workflow_secret_inventory_local_evidence_repo_count": 4,
 "workflow_secret_inventory_local_workflow_file_count": 31,
 "workflow_secret_inventory_unique_secret_name_count": 43,
+ "workflow_secret_inventory_export_request_count": 7,
+ "workflow_secret_inventory_export_lane_count": 5,
+ "workflow_secret_inventory_write_token_allowed": false,
 "secret_value_collection_allowed": false,
 "secret_value_detected": false,
 "pending_approval_count": 7,
@@ -78,8 +82,8 @@
 {
 "phase_id": "S4_migration_execution",
 "state": "not_started",
- "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的本機 evidence,inventory_complete_count=0。",
- "next_gate": "Gitea authenticated inventory、refs truth、webhook / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR 與逐 repo 人工批准。"
+ "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的本機 evidence;S4.3 已補 7 個 repos、5 類 lanes 的 redacted export request,inventory_complete_count=0。",
+ "next_gate": "Gitea authenticated inventory、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR 與逐 repo 人工批准。"
 }
 ],
 "next_safe_actions": [
@@ -220,8 +224,9 @@
 "mode": "approval_required",
 "source_contract": "source_control_workflow_secret_name_inventory_v1",
 "allowed_processing": [
- "顯示 8 個 candidate repos 的 inventory lanes 與 4 個 repos 的 local evidence",
+ "顯示 8 個 candidate repos 的 inventory lanes、4 個 repos 的 local evidence 與 7 個 repos 的 redacted export request",
 "要求 repo owner 補 redacted workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 snapshot",
+ "顯示 GitHub hosted runner 額度風險與 self-hosted runner owner review lane",
 "只保存 secret name、owner 與 present/absent metadata,不保存 value"
 ],
 "blocked_processing": [
@@ -257,7 +262,8 @@
 "S3.4 只新增後續 runtime gate 準備模板;active_runtime_gates=0,不新增 action button。",
 "S4.0 只新增 GitHub primary readiness gate;github_primary_ready_count=0,不新增 repo / refs / primary switch action。",
 "S4.1 只新增 workflow / secret 名稱 inventory 契約;workflow_secret_inventory_complete_count=0,secret_value_collection_allowed=false,不新增 workflow、secret、repo、refs 或 primary switch action。",
- "S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidence;local_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43,secret_value_detected=false。"
+ "S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidence;local_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43,secret_value_detected=false。",
+ "S4.3 只新增 redacted export request package;export_request_count=7、export_lane_count=5、write_token_allowed=false,不呼叫 API、不收 secret value、不修改 GitHub/Gitea 設定。"
 ],
 "forbidden_actions": [
 "start_kali_scan",
diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json
index f0a7890e..117aea87 100644
--- a/docs/security/security-supply-chain-contract-manifest.snapshot.json
+++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json
@@ -540,18 +540,21 @@
 "schema_path": "docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json",
 "snapshot_paths": [
 "docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
- "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json"
+ "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
+ "docs/security/source-control-workflow-secret-name-export-request.snapshot.json"
 ],
 "human_docs": [
 "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
- "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md"
+ "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
+ "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md"
 ],
 "consumer": "AwoooP source-control review / Secret hygiene audit / Operator Console",
 "consumption_mode": "approval_only",
 "allowed_actions": [
 "mirror_workflow_secret_name_inventory_gap",
 "display_missing_inventory_lanes",
- "request_redacted_workflow_secret_snapshot"
+ "request_redacted_workflow_secret_snapshot",
+ "display_redacted_export_request_lanes"
 ],
 "forbidden_actions": [
 "collect_secret_value",
@@ -561,7 +564,7 @@
 "sync_refs",
 "switch_github_primary"
 ],
- "notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約;S4.2 已補 local evidence:4 repos、31 workflow files、43 個 referenced secret names;仍不保存 secret value。"
+ "notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約;S4.2 已補 local evidence:4 repos、31 workflow files、43 個 referenced secret names;S4.3 已補 7 repos / 5 lanes 的 redacted export request;仍不保存 secret value。"
 },
 {
 "contract": "local_repo_canonical_probe_v1",
diff --git a/docs/security/source-control-workflow-secret-name-export-request.snapshot.json b/docs/security/source-control-workflow-secret-name-export-request.snapshot.json
new file mode 100644
index 00000000..198a14cc
--- /dev/null
+++ b/docs/security/source-control-workflow-secret-name-export-request.snapshot.json
@@ -0,0 +1,433 @@ +{ + "schema_version": "source_control_workflow_secret_name_export_request_v1", + "status": "draft_waiting_owner_export", + "date": "2026-05-13", + "mode": "redacted_export_request_only", + "runtime_execution_authorized": false, + "source_contract": "source_control_workflow_secret_name_inventory_v1", + "source_indexes": [ + "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", + "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json", + "docs/security/source-control-primary-readiness-gate.snapshot.json", + "docs/security/security-rollout-policy.snapshot.json" + ], + "summary": { + "candidate_repo_count": 8, + "in_scope_request_count": 7, + "external_scope_review_count": 1, + "export_request_count": 7, + "export_lane_count": 5, + "webhook_export_request_repo_count": 2, + "runner_export_request_repo_count": 4, + "deploy_key_export_request_repo_count": 1, + "branch_protection_codeowners_export_request_repo_count": 4, + "repository_secret_name_parity_export_request_repo_count": 7, + "secret_value_collection_allowed": false, + "write_token_allowed": false, + "runtime_actions_authorized": false, + "action_buttons_allowed": false + }, + "export_lanes": [ + { + "lane_id": "webhook_redacted_export_request", + "title": "Webhook 名稱、目的地 host 與事件類型 redacted export", + "request_status": "waiting_owner_or_readonly_export", + "allowed_fields": [ + "provider", + "webhook_name", + "destination_host_redacted", + "event_types", + "active_enabled_flag", + "owner", + "last_updated_metadata" + ], + "forbidden_fields": [ + "webhook_secret", + "full_payload_url_with_token", + "authorization_header", + "cookie", + "request_body", + "secret_value" + ], + "accepted_producer_modes": [ + "owner_attested_redacted_export", + "read_only_api_summary", + "admin_export_after_manual_redaction" + ], + "acceptance_gate": [ + "每筆 webhook 必須只保留 host 或 redacted URL,不得包含 query token。", + "必須標示 Gitea / GitHub 哪一端在 primary cutover 後負責發 
webhook。", + "若偵測到 secret value 或 token value,整份 export 必須進 mirror quarantine。" + ], + "execution_authorized": false + }, + { + "lane_id": "runner_label_owner_export_request", + "title": "Runner label / executor / hosted minutes 風險 redacted export", + "request_status": "waiting_owner_or_readonly_export", + "allowed_fields": [ + "provider", + "runner_label", + "runner_scope", + "executor_type", + "host_alias", + "hosted_or_self_hosted", + "owner", + "maintenance_window" + ], + "forbidden_fields": [ + "runner_registration_token", + "runner_admin_token", + "ssh_private_key", + "host_password", + "api_token" + ], + "accepted_producer_modes": [ + "owner_attested_redacted_export", + "read_only_runner_inventory_summary" + ], + "acceptance_gate": [ + "必須確認 GitHub primary 後哪些 workflow 仍使用 self-hosted runner,避免誤用 GitHub hosted minutes。", + "只保存 label、owner 與 executor metadata,不保存 runner token。", + "若 runner label 無 owner,必須保持 primary readiness blocked。" + ], + "execution_authorized": false + }, + { + "lane_id": "deploy_key_redacted_export_request", + "title": "Deploy key / machine key 名稱與 read-only 狀態 redacted export", + "request_status": "waiting_owner_or_readonly_export", + "allowed_fields": [ + "provider", + "key_name", + "read_only_flag", + "repo_scope", + "owner", + "last_seen_metadata" + ], + "forbidden_fields": [ + "private_key", + "public_key_full_value", + "token_value", + "password", + "credential_value" + ], + "accepted_producer_modes": [ + "owner_attested_redacted_export", + "read_only_api_summary", + "admin_export_after_manual_redaction" + ], + "acceptance_gate": [ + "只允許列 key 名稱、read-only flag、repo scope 與 owner。", + "不得保存 private key 或完整 public key material。", + "write-capable key 必須只標成風險與 owner review,不得自動 rotate。" + ], + "execution_authorized": false + }, + { + "lane_id": "branch_protection_codeowners_export_request", + "title": "Branch protection / required checks / CODEOWNERS redacted export", + "request_status": "waiting_owner_or_readonly_export", + 
"allowed_fields": [ + "provider", + "protected_branch_name", + "required_review_count", + "required_status_check_names", + "codeowners_path", + "owner_team_names" + ], + "forbidden_fields": [ + "team_secret", + "personal_access_token", + "admin_override_token", + "session_cookie" + ], + "accepted_producer_modes": [ + "owner_attested_redacted_export", + "read_only_api_summary", + "local_codeowners_snapshot" + ], + "acceptance_gate": [ + "必須列出 GitHub primary 前 main/dev branch 的 protection 差異。", + "required status checks 名稱必須與實際 workflow 或 runner label 對上。", + "缺 CODEOWNERS 不等於 blocked runtime,只代表 primary readiness 未完成。" + ], + "execution_authorized": false + }, + { + "lane_id": "repository_secret_name_parity_export_request", + "title": "Repository secret 名稱 parity redacted export", + "request_status": "waiting_owner_or_readonly_export", + "allowed_fields": [ + "provider", + "secret_name", + "secret_scope", + "owning_team", + "used_by_workflow_name", + "rotation_owner", + "present_in_gitea", + "present_in_github" + ], + "forbidden_fields": [ + "secret_value", + "secret_plaintext", + "token_value", + "private_key", + "credential_value" + ], + "accepted_producer_modes": [ + "owner_attested_redacted_export", + "read_only_secret_name_summary", + "admin_export_after_manual_redaction" + ], + "acceptance_gate": [ + "只比對 secret 名稱、scope、owner 與 present/absent metadata。", + "不得輸出 value、hash、partial token 或可還原片段。", + "缺漏 secret 只建立 owner review lane,不自動建立或 rotate secret。" + ], + "execution_authorized": false + } + ], + "repo_export_requests": [ + { + "repo_key": "awoooi", + "github_repo": "owenhytsai/awoooi", + "source_key": "wooo/awoooi", + "scope_status": "in_scope", + "risk": "HIGH", + "request_state": "waiting_owner_export", + "requested_lanes": [ + "webhook_redacted_export_request", + "runner_label_owner_export_request", + "branch_protection_codeowners_export_request", + "repository_secret_name_parity_export_request" + ], + "owner_export_required": true, + 
"read_only_api_allowed": true, + "write_api_allowed": false, + "secret_value_allowed": false, + "acceptance_notes": [ + "此 repo 是核心產品與 deploy workflow 主線,必須先確認 webhook、runner label、branch protection 與 secret name parity。", + "若未證明 self-hosted runner owner 與 label 對齊,不可宣告 GitHub primary ready。" + ], + "still_forbidden": [ + "修改 workflow", + "rotate secret", + "sync refs", + "switch_github_primary" + ] + }, + { + "repo_key": "clawbot-v5", + "github_repo": "owenhytsai/clawbot-v5", + "source_key": "wooo/clawbot-v5", + "scope_status": "in_scope", + "risk": "MEDIUM", + "request_state": "waiting_owner_export", + "requested_lanes": [ + "branch_protection_codeowners_export_request", + "repository_secret_name_parity_export_request" + ], + "owner_export_required": true, + "read_only_api_allowed": true, + "write_api_allowed": false, + "secret_value_allowed": false, + "acceptance_notes": [ + "本機 repo 可見但未找到 workflow / CODEOWNERS,仍需 owner 確認是否真的不需要 workflow 與 repo secret。", + "若 GitHub target 另有 private workflow,必須用 redacted export 補證。" + ], + "still_forbidden": [ + "建立 secret", + "修改 branch protection", + "push refs", + "switch_github_primary" + ] + }, + { + "repo_key": "wooo-aiops", + "github_repo": "owenhytsai/wooo-aiops", + "source_key": "wooo/wooo-aiops", + "scope_status": "in_scope", + "risk": "MEDIUM", + "request_state": "waiting_owner_export", + "requested_lanes": [ + "webhook_redacted_export_request", + "runner_label_owner_export_request", + "repository_secret_name_parity_export_request" + ], + "owner_export_required": true, + "read_only_api_allowed": true, + "write_api_allowed": false, + "secret_value_allowed": false, + "acceptance_notes": [ + "S4.2 已看到 workflow 與 CODEOWNERS,本階段要補 webhook 與 secret name parity。", + "若 workflow 使用 hosted runner,必須標出費用與額度風險,不自動切換 runner。" + ], + "still_forbidden": [ + "delete GitHub-only refs", + "修改 webhook", + "搬移 secret value", + "switch_github_primary" + ] + }, + { + "repo_key": "wooo-infra-config", + "github_repo": 
"owenhytsai/wooo-infra-config", + "source_key": "wooo/wooo-infra-config", + "scope_status": "in_scope", + "risk": "MEDIUM", + "request_state": "waiting_owner_export", + "requested_lanes": [ + "runner_label_owner_export_request", + "deploy_key_redacted_export_request", + "branch_protection_codeowners_export_request", + "repository_secret_name_parity_export_request" + ], + "owner_export_required": true, + "read_only_api_allowed": true, + "write_api_allowed": false, + "secret_value_allowed": false, + "acceptance_notes": [ + "infra repo 只允許輸出 key 名稱、read-only flag 與 owner,不允許輸出 key material。", + "110 internal remote 用途仍需 owner 決策,本 request 不授權改 remote。" + ], + "still_forbidden": [ + "輸出 private key", + "搬 infra secret value", + "刪除 remote", + "switch_github_primary" + ] + }, + { + "repo_key": "ewoooc", + "github_repo": "owenhytsai/ewoooc", + "source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees", + "scope_status": "in_scope", + "risk": "HIGH", + "request_state": "waiting_owner_export", + "requested_lanes": [ + "runner_label_owner_export_request", + "branch_protection_codeowners_export_request", + "repository_secret_name_parity_export_request" + ], + "owner_export_required": true, + "read_only_api_allowed": true, + "write_api_allowed": false, + "secret_value_allowed": false, + "acceptance_notes": [ + "此 repo 仍有 canonical target 與 unrelated history 風險,export request 只用來補 workflow / secret 名稱 evidence。", + "必須先完成 canonical repo 人工確認,才可談 primary readiness。" + ], + "still_forbidden": [ + "auto_create_repo", + "auto_merge_unrelated_histories", + "搬 secret value", + "switch_github_primary" + ] + }, + { + "repo_key": "bitan-pharmacy", + "github_repo": "owenhytsai/bitan-pharmacy", + "source_key": "bitan-pharmacy", + "scope_status": "in_scope", + "risk": "MEDIUM", + "request_state": "waiting_owner_export", + "requested_lanes": [ + "repository_secret_name_parity_export_request" + ], + "owner_export_required": true, + "read_only_api_allowed": true, + 
"write_api_allowed": false,
+ "secret_value_allowed": false,
+ "acceptance_notes": [
+ "本機 repo 可見但未找到 workflow;先要求 owner 確認是否有 repo secret 或外部 deploy key。",
+ "若 repo 不再 active,需 owner 在 primary readiness board 標註,不自動封存。"
+ ],
+ "still_forbidden": [
+ "auto_create_repo",
+ "push refs",
+ "搬 secret value",
+ "switch_github_primary"
+ ]
+ },
+ {
+ "repo_key": "tsenyang-website",
+ "github_repo": "owenhytsai/tsenyang-website",
+ "source_key": "tsenyang-website",
+ "scope_status": "in_scope",
+ "risk": "MEDIUM",
+ "request_state": "waiting_owner_export",
+ "requested_lanes": [
+ "repository_secret_name_parity_export_request"
+ ],
+ "owner_export_required": true,
+ "read_only_api_allowed": true,
+ "write_api_allowed": false,
+ "secret_value_allowed": false,
+ "acceptance_notes": [
+ "本機 repo 可見但未找到 workflow;先要求 owner 確認是否有 repo secret 或外部 deploy key。",
+ "若 repo 不再 active,需 owner 在 primary readiness board 標註,不自動封存。"
+ ],
+ "still_forbidden": [
+ "auto_create_repo",
+ "push refs",
+ "搬 secret value",
+ "switch_github_primary"
+ ]
+ },
+ {
+ "repo_key": "open-design",
+ "github_repo": "nexu-io/open-design",
+ "source_key": "open-design",
+ "scope_status": "external_scope_review",
+ "risk": "LOW",
+ "request_state": "waiting_scope_review",
+ "requested_lanes": [],
+ "owner_export_required": false,
+ "read_only_api_allowed": false,
+ "write_api_allowed": false,
+ "secret_value_allowed": false,
+ "acceptance_notes": [
+ "此 repo 目前只做 external scope review,不進 AWOOOI GitHub primary cutover queue。",
+ "若未來確認納入範圍,必須先建立新的 in-scope approval item。"
+ ],
+ "still_forbidden": [
+ "加入 primary cutover queue",
+ "修改 repo visibility",
+ "sync refs"
+ ]
+ }
+ ],
+ "acceptance_rules": [
+ "每份 export 必須標示 producer、collection timestamp、redaction_status 與 evidence_ref。",
+ "只讀 API export 只能使用 read-only token;若 token 具有 write scope,必須停止並改用 owner attestation 或管理匯出後手動脫敏。",
+ "任何 secret value、token value、cookie、private key、webhook secret、runner registration token 都必須拒收並進 mirror quarantine。",
+ "export request 完成只代表 evidence 可 review,不代表 GitHub primary ready。",
+ "缺漏欄位只建立 owner review lane,不自動修改 repo、workflow、webhook、runner、deploy key、branch protection 或 secret。"
+ ],
+ "redaction_rules": [
+ "URL 必須移除 username、password、token 與 query secret,只保留 host 或 redacted path。",
+ "secret 只能保存名稱、scope、owner、used_by_workflow 與 present/absent metadata。",
+ "key 只能保存 key name、read_only_flag、repo_scope、owner,不保存 key material。",
+ "runner 只能保存 label、scope、executor_type、host_alias、hosted_or_self_hosted 與 owner。",
+ "任何可還原 credential 的 hash、prefix、suffix 或 partial token 都不得保存。"
+ ],
+ "forbidden_actions": [
+ "collect_secret_value",
+ "store_secret_token_cookie_private_key_or_webhook_secret",
+ "use_write_token",
+ "call_runtime_execute",
+ "modify_workflow",
+ "modify_webhook",
+ "modify_runner",
+ "modify_deploy_key",
+ "modify_branch_protection",
+ "create_or_rotate_secret",
+ "create_github_repo",
+ "change_repo_visibility",
+ "sync_git_refs",
+ "switch_github_primary",
+ "disable_gitea",
+ "add_action_button"
+ ]
+}
diff --git a/docs/security/source-control-workflow-secret-name-inventory.snapshot.json b/docs/security/source-control-workflow-secret-name-inventory.snapshot.json
index 426a5c49..818eb5d2 100644
--- a/docs/security/source-control-workflow-secret-name-inventory.snapshot.json
+++ b/docs/security/source-control-workflow-secret-name-inventory.snapshot.json
@@ -7,6 +7,7 @@
 "source_indexes": [
 "docs/security/source-control-primary-readiness-gate.snapshot.json",
 "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
+ "docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
 "docs/security/github-target-decision.snapshot.json",
 "docs/security/source-control-approval-board.snapshot.json",
 "docs/security/source-control-reconcile-plan.snapshot.json",
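Review bot: The webhook lane's acceptance gate, `"每筆 webhook 必須只保留 host 或 redacted URL,不得包含 query token。"`, only rejects query-string tokens, while the lane's own `allowed_fields` keep just `destination_host_redacted` and the root `redaction_rules` keep "host 或 redacted path"; a payload URL whose credential sits in a path segment would pass the gate as written and still be stored. Aligning the gate with the redaction rule, e.g. `"每筆 webhook 必須只保留 host 或已脫敏 path;query string 與 path 中看似 token / credential 的片段都不得保存。"`, closes that gap. Separately, the per-repo `still_forbidden` arrays mix free text (`"修改 workflow"`, `"push refs"`, `"rotate secret"`) with identifiers from the root `forbidden_actions` (`"switch_github_primary"`), so if AwoooP resolves these against the root list the free-text entries will not match; reusing the root identifiers (`modify_workflow`, `sync_git_refs`, `create_or_rotate_secret`) keeps them machine-checkable. This hunk is the whole new file, so no enclosing structure lies outside it.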
@@ -411,6 +412,7 @@
 "任何 raw secret、token、cookie、private key、webhook secret 或 credential value 都必須被拒收並進 quarantine。",
 "此 inventory 完成前,GitHub primary readiness gate 必須維持 blocked。",
 "S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence,但 webhook、deploy key、branch protection 與 repository secret parity 仍未完成。",
+ "S4.3 已補 redacted export request package,將 webhook、runner、deploy key、branch protection/CODEOWNERS 與 repository secret name parity 的 owner / read-only export 欄位、拒收欄位與 acceptance gate 文件化;它仍不是 API 執行或 primary cutover 批准。",
 "inventory snapshot 只能 mirror 成 Operator Console / Audit evidence,不得新增 execution action。"
 ],
 "forbidden_actions": [