docs(security): add workflow secret owner handoff [skip ci]
This commit is contained in:
Your Name
@@ -1,3 +1,38 @@
|
||||
## 2026-06-04|IwoooS P1-4 Workflow / Secret Owner Response Handoff
|
||||
|
||||
**背景**:P1-3 已補 GitHub target owner response handoff;本段接著補 P1-4 / S4.12 workflow、webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 owner response handoff。目標是只收名稱與脫敏 metadata,不收 secret value、hash、masked token、partial token 或任何可還原 credential material。
|
||||
|
||||
**本輪完成**:
|
||||
- 更新 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md`:日期改為 2026-06-04,新增 P1-4 handoff 摘要、6 項送件前檢查、9 欄交接封套與送後不變條件。
|
||||
- 校正 S4.12 local referenced secret names:依 2026-06-04 local evidence 從 `43` 改為 `42`。
|
||||
- 更新 `source-control-workflow-secret-name-owner-response.snapshot.json`:新增 `workflow_secret_owner_handoff_package_ready=true`、`workflow_secret_owner_handoff_completion_percent=100`、`workflow_secret_owner_handoff_check_count=6`、`workflow_secret_owner_handoff_packet_field_count=9`,並維持 received / accepted / rejected 全部 `0`。
|
||||
- 更新 `source_control_workflow_secret_name_owner_response_v1.schema.json`:同步納入 handoff preflight、handoff packet 與 post-dispatch invariants。
|
||||
- 更新 IwoooS P0/P1 主控總帳:P1 只讀重盤工作完成度從 `66%` 調到 `68%`;GitHub primary readiness gate 仍 `0`。
|
||||
|
||||
**完成度更新**:
|
||||
- P1-4 Workflow / secret owner response handoff:`100%`。
|
||||
- P1 GitHub primary readiness 只讀重盤階段:`68%`。
|
||||
- S4.12 owner response gate:`0%`,received / accepted / rejected 全部為 `0`。
|
||||
- Workflow / secret parity complete:`false`。
|
||||
- GitHub primary readiness gate:`0`。
|
||||
|
||||
**驗證**:
|
||||
- `python3 -m json.tool docs/security/source-control-workflow-secret-name-owner-response.snapshot.json`:通過。
|
||||
- `python3 -m json.tool docs/schemas/source_control_workflow_secret_name_owner_response_v1.schema.json`:通過。
|
||||
- 本段自訂結構檢查:`WORKFLOW_SECRET_OWNER_HANDOFF_STRUCTURE_OK`。
|
||||
- `git diff --check`:通過。
|
||||
- `python3 scripts/security/source-control-owner-response-guard.py --root .`:`SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。
|
||||
- URL credential pattern 檢查:本段異動檔案無命中。
|
||||
- Schema validator 限制:本地沒有 Python `jsonschema` 與 Node AJV,未跑完整 JSON Schema validator;本段以 JSON parse、自訂結構檢查與既有 guard 補位。
|
||||
- Production 頁面檢查:本段只改 docs / snapshot / schema / LOGBOOK,未改前端、未部署、未宣稱新的 production 狀態;沿用 P0 `/zh-TW/iwooos` desktop / mobile live sanity 作為基準。
|
||||
|
||||
**目前邊界**:
|
||||
- 只收 redacted host、event types、runner label、key name、ruleset / CODEOWNERS metadata、secret name、scope、present-absent 與 owner metadata。
|
||||
- 不收 secret value、secret hash、masked token、partial token、token value、runner registration token、webhook secret、private key、deploy key private key 或 authorization header。
|
||||
- 不建立、複製、rotate、修改或刪除 secret;不改 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS;不啟用 GitHub hosted runner。
|
||||
- S4.12 response 即使未來通過,也只能更新 read-only workflow / secret name inventory、export request、primary readiness blocker wording 與 status rollup。
|
||||
|
||||
## 2026-06-04|IwoooS P1-3 GitHub Target Owner Response Handoff
|
||||
|
||||
**背景**:P1-2 已把 Gitea authenticated inventory request handoff 補齊;本段接著補 P1-3 / S4.10 GitHub target owner response handoff。目標是讓 owner 逐項回覆 7 個 GitHub target 的 owner、visibility、canonical 與 target disposition,同時避免把 `not_found_or_private` 誤讀成 repo 不存在或可直接建立。
|
||||
|
||||
@@ -14,6 +14,9 @@
|
||||
"target_contract",
|
||||
"source_indexes",
|
||||
"summary",
|
||||
"workflow_secret_owner_handoff_preflight_checks",
|
||||
"workflow_secret_owner_handoff_packet",
|
||||
"post_dispatch_invariants",
|
||||
"response_templates",
|
||||
"acceptance_checks",
|
||||
"rejection_rules",
|
||||
@@ -86,7 +89,15 @@
|
||||
"github_hosted_runner_enable_authorized",
|
||||
"refs_sync_authorized",
|
||||
"github_primary_switch_authorized",
|
||||
"action_buttons_allowed"
|
||||
"action_buttons_allowed",
|
||||
"workflow_secret_owner_handoff_package_ready",
|
||||
"workflow_secret_owner_handoff_completion_percent",
|
||||
"workflow_secret_owner_handoff_check_count",
|
||||
"workflow_secret_owner_handoff_packet_field_count",
|
||||
"workflow_secret_owner_request_dispatch_authorized",
|
||||
"secret_name_parity_complete",
|
||||
"secret_value_or_hash_collection_allowed",
|
||||
"workflow_secret_owner_response_handoff_not_approval"
|
||||
],
|
||||
"properties": {
|
||||
"owner_response_status": {"type": "string", "enum": ["waiting_owner_response"]},
|
||||
@@ -120,10 +131,111 @@
|
||||
"github_hosted_runner_enable_authorized": {"type": "boolean", "const": false},
|
||||
"refs_sync_authorized": {"type": "boolean", "const": false},
|
||||
"github_primary_switch_authorized": {"type": "boolean", "const": false},
|
||||
"action_buttons_allowed": {"type": "boolean", "const": false}
|
||||
"action_buttons_allowed": {"type": "boolean", "const": false},
|
||||
"workflow_secret_owner_handoff_package_ready": {"type": "boolean", "const": true},
|
||||
"workflow_secret_owner_handoff_completion_percent": {
|
||||
"type": "integer",
|
||||
"minimum": 0,
|
||||
"maximum": 100
|
||||
},
|
||||
"workflow_secret_owner_handoff_check_count": {"type": "integer", "minimum": 0},
|
||||
"workflow_secret_owner_handoff_packet_field_count": {"type": "integer", "minimum": 0},
|
||||
"workflow_secret_owner_request_dispatch_authorized": {"type": "boolean", "const": false},
|
||||
"secret_name_parity_complete": {"type": "boolean", "const": false},
|
||||
"secret_value_or_hash_collection_allowed": {"type": "boolean", "const": false},
|
||||
"workflow_secret_owner_response_handoff_not_approval": {"type": "boolean", "const": true}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"workflow_secret_owner_handoff_preflight_checks": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"check_id",
|
||||
"display_order",
|
||||
"check",
|
||||
"current_status",
|
||||
"execution_authorized"
|
||||
],
|
||||
"properties": {
|
||||
"check_id": {"type": "string"},
|
||||
"display_order": {"type": "integer", "minimum": 1},
|
||||
"check": {"type": "string"},
|
||||
"current_status": {
|
||||
"type": "string",
|
||||
"enum": ["defined_not_dispatched"]
|
||||
},
|
||||
"execution_authorized": {"type": "boolean", "const": false}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"minItems": 1
|
||||
},
|
||||
"workflow_secret_owner_handoff_packet": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"request_id",
|
||||
"stage_id",
|
||||
"source_evidence_summary",
|
||||
"requested_templates",
|
||||
"recipient_role_or_team_required",
|
||||
"required_response_fields",
|
||||
"allowed_metadata",
|
||||
"forbidden_inputs",
|
||||
"not_approval",
|
||||
"execution_authorized"
|
||||
],
|
||||
"properties": {
|
||||
"request_id": {"type": "string"},
|
||||
"stage_id": {"type": "string"},
|
||||
"source_evidence_summary": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"local_evidence_repo_count",
|
||||
"local_workflow_file_count",
|
||||
"local_referenced_secret_name_count",
|
||||
"runner_label_count"
|
||||
],
|
||||
"properties": {
|
||||
"local_evidence_repo_count": {"type": "integer", "minimum": 0},
|
||||
"local_workflow_file_count": {"type": "integer", "minimum": 0},
|
||||
"local_referenced_secret_name_count": {"type": "integer", "minimum": 0},
|
||||
"runner_label_count": {"type": "integer", "minimum": 0}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"requested_templates": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"recipient_role_or_team_required": {"type": "boolean", "const": true},
|
||||
"required_response_fields": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"allowed_metadata": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"forbidden_inputs": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"not_approval": {"type": "boolean", "const": true},
|
||||
"execution_authorized": {"type": "boolean", "const": false}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"post_dispatch_invariants": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"owner_response_template_statuses": {
|
||||
"type": "array",
|
||||
"description": "S4.12 五個 workflow / secret name response templates 的逐項收件狀態;只供 AwoooP 顯示,不代表 request sent、response received、workflow / secret execution queue 或 primary readiness。",
|
||||
|
||||
@@ -2,8 +2,8 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-05-17 |
|
||||
| 狀態 | 草案,等待 owner response |
|
||||
| 日期 | 2026-06-04 |
|
||||
| 狀態 | 草案與 P1-4 handoff 已整理,等待 owner response |
|
||||
| 資料契約 | `docs/schemas/source_control_workflow_secret_name_owner_response_v1.schema.json` |
|
||||
| 快照 | `docs/security/source-control-workflow-secret-name-owner-response.snapshot.json` |
|
||||
| 來源契約 | `source_control_workflow_secret_name_inventory_v1` |
|
||||
@@ -30,7 +30,7 @@ S4.12 不是 secret 搬移、不是 workflow 修改、不是 runner 啟用、不
|
||||
| export lanes | 5 |
|
||||
| local evidence repos | 4 |
|
||||
| local workflow files | 31 |
|
||||
| local referenced secret names | 43 |
|
||||
| local referenced secret names | 42 |
|
||||
| owner response request packet | 1 |
|
||||
| template status ledger | 5 |
|
||||
| audit event templates | 3 |
|
||||
@@ -48,6 +48,55 @@ S4.12 不是 secret 搬移、不是 workflow 修改、不是 runner 啟用、不
|
||||
| 授權修改 workflow / webhook / runner / deploy key / branch protection / secret | `false` |
|
||||
| 授權啟用 GitHub hosted runner | `false` |
|
||||
| 授權 sync refs / 切 GitHub primary | `false` |
|
||||
| P1-4 handoff package | `ready` |
|
||||
| request dispatch authorized | `false` |
|
||||
| secret value / hash / partial token collection | `false` |
|
||||
|
||||
## 1.0 2026-06-04 P1-4 Workflow / Secret Owner Handoff
|
||||
|
||||
本段把 S4.12 從「收件包已定義」推到「P1-4 可交接請 owner 逐項回覆」。這是 workflow / runner / secret parity 的 handoff readiness,不是 request sent、不是 owner response received、不是 secret parity complete,也不是 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret 變更批准。
|
||||
|
||||
| 指標 | 值 |
|
||||
|------|----|
|
||||
| P1-4 handoff package | ready |
|
||||
| handoff completion | 100% |
|
||||
| local workflow files | 31 |
|
||||
| local referenced secret names | 42 |
|
||||
| runner label names | 5 |
|
||||
| request dispatch authorized | false |
|
||||
| owner response received | 0 |
|
||||
| owner response accepted | 0 |
|
||||
| workflow / secret modification authorized | false |
|
||||
| secret value collection allowed | false |
|
||||
|
||||
### 1.0.1 送件前檢查
|
||||
|
||||
| 順序 | 檢查項 | 完成條件 | 目前狀態 |
|
||||
|------|--------|----------|----------|
|
||||
| 1 | 基線同步 | 送件前確認 `gitea/main`、local evidence、S4.9-S4.12 source packets 最新狀態 | 已定義,未送件 |
|
||||
| 2 | local evidence freshness | 以 2026-06-04 local evidence 的 31 個 workflow files、42 個 unique secret names、5 個 runner labels 為基準 | 已定義,未送件 |
|
||||
| 3 | 五個 response lane | webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 逐項追蹤 | 已定義,未送件 |
|
||||
| 4 | metadata only | 只收 redacted host、runner label、key name、ruleset / CODEOWNERS metadata、secret name / scope / present-absent | 已定義,未送件 |
|
||||
| 5 | secret material 拒收 | secret value、hash、masked token、partial token、private key、runner token、webhook secret 全部拒收或隔離 | 已定義,未送件 |
|
||||
| 6 | 執行要求拒收 | workflow / webhook / runner / deploy key / branch protection / repository secret 修改、hosted runner enable、refs sync、primary switch 全部 hard reject | 已定義,未送件 |
|
||||
|
||||
### 1.0.2 交接封套欄位
|
||||
|
||||
| 欄位 | 內容規則 |
|
||||
|------|----------|
|
||||
| `request_id` | `p1_4_workflow_secret_owner_response_handoff` |
|
||||
| `stage_id` | `S4.12` |
|
||||
| `source_evidence_summary` | local repos 4、workflow files 31、unique secret names 42、runner labels 5 |
|
||||
| `requested_templates` | 只引用本文件第 3 節五個 template id |
|
||||
| `recipient_role_or_team` | 只填 role / team,不收個人敏感資料或 credential |
|
||||
| `required_response_fields` | owner role/team、decision、repo、provider、lane、lane-specific owner、lane-specific metadata、redacted evidence refs、followup owner |
|
||||
| `allowed_metadata` | redacted host、event types、runner label、key name、required checks、CODEOWNERS path、secret name、scope、present-absent |
|
||||
| `forbidden_inputs` | secret value、secret hash、masked token、partial token、token value、runner token、webhook secret、private key、deploy key private key、authorization header |
|
||||
| `not_approval` | 必須為 `true` |
|
||||
|
||||
### 1.0.3 送件後不變條件
|
||||
|
||||
即使後續 owner 實際回覆,也只能先進 S4.12 intake preflight 與 reviewer validation。通過後可更新 read-only workflow / secret name inventory、export request、primary readiness blocker wording 與 status rollup;不得建立、複製、rotate、修改或刪除 secret,不得改 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS,不得啟用 GitHub hosted runner,不得 sync refs、切 GitHub primary 或停用 Gitea。
|
||||
|
||||
## 1.1 Owner Response Request Packet
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"schema_version": "source_control_workflow_secret_name_owner_response_v1",
|
||||
"status": "draft_waiting_owner_response",
|
||||
"date": "2026-05-17",
|
||||
"date": "2026-06-04",
|
||||
"mode": "owner_workflow_secret_name_response_intake_only",
|
||||
"runtime_execution_authorized": false,
|
||||
"source_contract": "source_control_workflow_secret_name_inventory_v1",
|
||||
@@ -25,7 +25,7 @@
|
||||
"export_lane_count": 5,
|
||||
"local_evidence_repo_count": 4,
|
||||
"local_workflow_file_count": 31,
|
||||
"local_referenced_secret_name_count": 43,
|
||||
"local_referenced_secret_name_count": 42,
|
||||
"owner_response_request_packet_count": 1,
|
||||
"owner_response_template_status_count": 5,
|
||||
"owner_response_audit_event_template_count": 3,
|
||||
@@ -49,8 +49,126 @@
|
||||
"github_primary_switch_authorized": false,
|
||||
"action_buttons_allowed": false,
|
||||
"owner_response_collection_check_count": 6,
|
||||
"intake_preflight_check_count": 6
|
||||
"intake_preflight_check_count": 6,
|
||||
"workflow_secret_owner_handoff_package_ready": true,
|
||||
"workflow_secret_owner_handoff_completion_percent": 100,
|
||||
"workflow_secret_owner_handoff_check_count": 6,
|
||||
"workflow_secret_owner_handoff_packet_field_count": 9,
|
||||
"workflow_secret_owner_request_dispatch_authorized": false,
|
||||
"secret_name_parity_complete": false,
|
||||
"secret_value_or_hash_collection_allowed": false,
|
||||
"workflow_secret_owner_response_handoff_not_approval": true
|
||||
},
|
||||
"workflow_secret_owner_handoff_preflight_checks": [
|
||||
{
|
||||
"check_id": "p1-4-baseline-sync",
|
||||
"display_order": 1,
|
||||
"check": "送件前確認 gitea/main、local evidence、S4.9-S4.12 source packets 最新狀態。",
|
||||
"current_status": "defined_not_dispatched",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "p1-4-local-evidence-freshness",
|
||||
"display_order": 2,
|
||||
"check": "以 2026-06-04 local evidence 的 31 個 workflow files、42 個 unique secret names、5 個 runner labels 為基準。",
|
||||
"current_status": "defined_not_dispatched",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "p1-4-five-response-lanes",
|
||||
"display_order": 3,
|
||||
"check": "webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 逐項追蹤。",
|
||||
"current_status": "defined_not_dispatched",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "p1-4-metadata-only",
|
||||
"display_order": 4,
|
||||
"check": "只收 redacted host、runner label、key name、ruleset / CODEOWNERS metadata、secret name / scope / present-absent。",
|
||||
"current_status": "defined_not_dispatched",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "p1-4-secret-material-rejected",
|
||||
"display_order": 5,
|
||||
"check": "secret value、hash、masked token、partial token、private key、runner token、webhook secret 全部拒收或隔離。",
|
||||
"current_status": "defined_not_dispatched",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "p1-4-execution-request-rejected",
|
||||
"display_order": 6,
|
||||
"check": "workflow / webhook / runner / deploy key / branch protection / repository secret 修改、hosted runner enable、refs sync、primary switch 全部 hard reject。",
|
||||
"current_status": "defined_not_dispatched",
|
||||
"execution_authorized": false
|
||||
}
|
||||
],
|
||||
"workflow_secret_owner_handoff_packet": {
|
||||
"request_id": "p1_4_workflow_secret_owner_response_handoff",
|
||||
"stage_id": "S4.12",
|
||||
"source_evidence_summary": {
|
||||
"local_evidence_repo_count": 4,
|
||||
"local_workflow_file_count": 31,
|
||||
"local_referenced_secret_name_count": 42,
|
||||
"runner_label_count": 5
|
||||
},
|
||||
"requested_templates": [
|
||||
"response-webhook-redacted-export",
|
||||
"response-runner-label-owner",
|
||||
"response-deploy-key-redacted-export",
|
||||
"response-branch-protection-codeowners",
|
||||
"response-repository-secret-name-parity"
|
||||
],
|
||||
"recipient_role_or_team_required": true,
|
||||
"required_response_fields": [
|
||||
"owner_role_or_team",
|
||||
"decision",
|
||||
"repo",
|
||||
"provider",
|
||||
"lane",
|
||||
"lane_specific_owner",
|
||||
"lane_specific_metadata",
|
||||
"redacted_evidence_refs",
|
||||
"followup_owner"
|
||||
],
|
||||
"allowed_metadata": [
|
||||
"redacted_host",
|
||||
"event_types",
|
||||
"runner_label",
|
||||
"key_name",
|
||||
"required_checks",
|
||||
"codeowners_path",
|
||||
"secret_name",
|
||||
"scope",
|
||||
"present_absent"
|
||||
],
|
||||
"forbidden_inputs": [
|
||||
"secret_value",
|
||||
"secret_hash",
|
||||
"masked_token",
|
||||
"partial_token",
|
||||
"token_value",
|
||||
"runner_registration_token",
|
||||
"webhook_secret",
|
||||
"private_key",
|
||||
"deploy_key_private_key",
|
||||
"authorization_header",
|
||||
"workflow_modification_request",
|
||||
"runner_enablement_request",
|
||||
"github_hosted_runner_enable_request",
|
||||
"repository_secret_change_request",
|
||||
"github_primary_switch_request"
|
||||
],
|
||||
"not_approval": true,
|
||||
"execution_authorized": false
|
||||
},
|
||||
"post_dispatch_invariants": [
|
||||
"Owner response 到來後仍需先進 S4.12 intake preflight 與 reviewer validation。",
|
||||
"通過後只可更新 read-only workflow / secret name inventory、export request、primary readiness blocker wording 與 status rollup。",
|
||||
"不得建立、複製、rotate、修改或刪除 secret。",
|
||||
"不得改 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS,不得啟用 GitHub hosted runner。",
|
||||
"不得 sync refs、切 GitHub primary 或停用 Gitea。"
|
||||
],
|
||||
"owner_response_request_packet": {
|
||||
"request_id": "s4_12_workflow_secret_name_owner_response_request",
|
||||
"display_status": "ready_to_request_owner_response",
|
||||
|
||||
@@ -23,7 +23,7 @@
|
||||
| runtime landing | 40-45% | 否 | production 只讀頁存在,不等於 runtime ingestion 或 execution router |
|
||||
| active runtime gate | 0 | 否 | 必須維持 0,直到獨立人工批准、rollback、post-check 與 guard 成立 |
|
||||
| S4.9 owner response gate | 0% | 可在收到合格回覆後調整 | 目前只定義欄位、預檢、收件與驗收,不標記 received / accepted |
|
||||
| GitHub primary readiness | 0 | 否 | primary gate 仍為 0;P1 只讀重盤工作本身目前約 66%,不代表可切 primary |
|
||||
| GitHub primary readiness | 0 | 否 | primary gate 仍為 0;P1 只讀重盤工作本身目前約 68%,不代表可切 primary |
|
||||
| Kali 112 維護準備 | 只讀證據已納管,維護尚未開始 | 否 | 不更新套件、不重啟、不 hardening、不 active scan |
|
||||
| 111 / 168 開發主機納管 | observe-only mapping 已有,維護包需補強 | 可補文件,不調 runtime | 仍不 credentialed scan、不讀未授權資料、不自動修復 |
|
||||
| VibeWork 納入 IwoooS | 前端態勢已有 onboarding 欄位,產品邊界需補規範 | 可補文件 | 保留 VibeWork 獨立產品邊界 |
|
||||
@@ -154,10 +154,10 @@ S4.9 是目前 IwoooS 64% 能往前的第一優先 gate。驗收前所有 count
|
||||
| GitHub target owner response handoff | 100% | S4.10 已對齊 2026-06-04 target probe,補 6 項 target owner handoff preflight、9 欄 handoff packet 與送後不變條件 | `not_found_or_private` 不得視為不存在;received / accepted 仍 0,不建 repo、不改 visibility |
|
||||
| 全量 Gitea 專案版本盤點 | 25% | 目前仍是 public-only + 本機輔助 evidence | 需只讀 token / admin export;不使用 write credential |
|
||||
| 逐 repo refs truth queue | 100% | S4.11 current queue 已重產為 `194` refs review items:真相來源 `4`、deprecated / archive 候選 `142`、release tag `3`、GitHub-only `20` | 送 owner response;received / accepted 仍維持 0 |
|
||||
| Workflow / runner / secret parity owner response | 15% | 有 local evidence 與 template,但 received / accepted 皆 0 | 只收 redacted metadata,不收 value |
|
||||
| Workflow / runner / secret parity owner response handoff | 100% | S4.12 已對齊 2026-06-04 local evidence,補 6 項 workflow / secret handoff preflight、9 欄 handoff packet 與送後不變條件;local secret names 校正為 `42` | 只收 redacted metadata,不收 value / hash / partial token;received / accepted 仍 0 |
|
||||
| GitHub primary cutover readiness | 0% | `primary_ready_count=0`、`github_primary_switch_authorized=false` | 需 owner、parity、rollback ADR、人工批准全部成立 |
|
||||
|
||||
P1 只讀重盤階段整體完成度:`66%`。它代表 freshness / inventory / handoff 工作進度,不代表 GitHub primary gate、authenticated inventory gate、owner response accepted 或 runtime gate 提升。
|
||||
P1 只讀重盤階段整體完成度:`68%`。它代表 freshness / inventory / handoff 工作進度,不代表 GitHub primary gate、authenticated inventory gate、workflow / secret parity complete、owner response accepted 或 runtime gate 提升。
|
||||
|
||||
## 6.2 規範分析:已不符合、需新增、需調整
|
||||
|
||||
@@ -181,7 +181,7 @@ P1 只讀重盤階段整體完成度:`66%`。它代表 freshness / inventory /
|
||||
| P1-1 | Source-control refs truth 重產 | 以 2026-06-04 `awoooi` refs refresh 重產 detail diff / truth classification | 新 queue 已改為 `194` items,不再引用舊 `141` 為 current |
|
||||
| P1-2 | Gitea authenticated inventory request | 已補 2026-06-04 request handoff package;S4.9 owner response gate 作先行條件,只讀 token API / redacted admin export 二選一 | 只收 metadata,不保存 token value;received / accepted / imported 全部仍為 0 |
|
||||
| P1-3 | GitHub target owner response | 已補 2026-06-04 target owner handoff package;對 7 個 in-scope targets 收 owner / visibility / canonical 決策 | received / accepted 前仍全部 0;`not_found_or_private` 不代表不存在或可建立 |
|
||||
| P1-4 | Workflow / runner / secret parity evidence | webhook、runner owner、deploy key、branch protection、CODEOWNERS、secret name parity | redacted evidence refs 完整,secret value 仍拒收 |
|
||||
| P1-4 | Workflow / runner / secret parity evidence | 已補 2026-06-04 owner response handoff package;webhook、runner owner、deploy key、branch protection、CODEOWNERS、secret name parity 只收 redacted metadata | secret value、hash、masked token、partial token 仍拒收;received / accepted 前全部 0 |
|
||||
| P1-5 | Primary rollback ADR 補強 | 逐 repo rollback owner、trigger、validation window、fallback role | ADR approved 前不切 primary |
|
||||
| P1-6 | AwoooP Session 同步 | 同步 commits、runs、production sanity、P1 refresh counts、gate 0 / false | 另一 Session 不再使用舊 refs count |
|
||||
| P1-7 | Kali 112 maintenance window 草案 | packages、`networking.service` failed、hardening 0/4、rollback、post-check | 文件草案,不執行 `apt upgrade` / restart / scan |
|
||||
@@ -210,6 +210,8 @@ P1 只讀重盤階段整體完成度:`66%`。它代表 freshness / inventory /
|
||||
| P1-2 JSON parse / structure check | `gitea-authenticated-inventory-export-request.snapshot.json` 與 schema JSON parse 通過;本段自訂結構檢查 `GITEA_AUTHENTICATED_INVENTORY_HANDOFF_STRUCTURE_OK`;本地無 `jsonschema` / AJV,未跑完整 schema validator |
|
||||
| P1-3 GitHub target owner response handoff | S4.10 日期更新為 2026-06-04;補 6 項 target owner handoff preflight、9 欄 handoff packet、送後不變條件;received / accepted / rejected 仍 0 |
|
||||
| P1-3 JSON parse / structure check | `github-target-owner-decision-response.snapshot.json` 與 schema JSON parse 通過;本段自訂結構檢查 `GITHUB_TARGET_OWNER_HANDOFF_STRUCTURE_OK`;本地無 `jsonschema` / AJV,未跑完整 schema validator |
|
||||
| P1-4 Workflow / secret owner response handoff | S4.12 日期更新為 2026-06-04;補 6 項 workflow / secret handoff preflight、9 欄 handoff packet、送後不變條件;local referenced secret names 校正為 `42`;received / accepted / rejected 仍 0 |
|
||||
| P1-4 JSON parse / structure check | `source-control-workflow-secret-name-owner-response.snapshot.json` 與 schema JSON parse 通過;本段自訂結構檢查 `WORKFLOW_SECRET_OWNER_HANDOFF_STRUCTURE_OK`;本地無 `jsonschema` / AJV,未跑完整 schema validator |
|
||||
| P1 JSON parse | `gitea-github-awoooi-inventory`、`github-target-probe`、`source-control-primary-readiness-gate`、`source-control-workflow-secret-name-local-evidence`、Gitea repo / search / org blocked snapshots 皆通過 |
|
||||
| P1 production 頁面檢查 | 本輪未改前端、未改 production 文案、未新增 deploy;不宣稱新的 production 狀態,沿用 P0 live sanity 作為基準 |
|
||||
|
||||
|
||||
Reference in New Issue
Block a user