wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity

docs(security): add primary rollback ADR gate [skip ci]

Browse Source
This commit is contained in:
Your Name
2026-05-13 20:15:00 +08:00
parent 206b5d7093
commit 82d98c6b45
25 changed files with 1008 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
docs/LOGBOOK.md
View File

@@ -1,3 +1,34 @@
## 2026-05-13 | 資安供應鏈 S4.4GitHub Primary Rollback ADR 草案
**背景**S4.0 已把 GitHub primary readiness gate 定義出來S4.1-S4.3 已補 workflow / secret 名稱 inventory 與 redacted export request但 GitHub primary cutover 前仍缺 rollback ADR。為了維持低摩擦本輪只建立 rollback ADR 草案與鏡像契約,不切 GitHub primary、不執行 rollback、不修改 GitHub/Gitea。
**完成**
- 新增 `docs/schemas/source_control_primary_rollback_adr_v1.schema.json`
- 新增 `docs/security/source-control-primary-rollback-adr.snapshot.json``docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md`
- 定義 7 個 in-scope repo rollback draft、1 個 external scope review。
- 定義 cutover preconditions、rollback triggers、pre-cutover / 1h / 24h validation windows 與逐 repo manual recovery outline。
- 明確標示 `owner_approved_count=0``dry_run_completed_count=0``active_cutover_count=0``rollback_execution_authorized=false``github_primary_switch_authorized=false``gitea_disable_authorized=false`
- 更新 `source_control_primary_readiness_gate_v1`、manifest、mirror readiness、route、acceptance、intake、dry-run、event sample、quarantine、status rollup、AwoooP checklist、handoff 與 progress使 AwoooP 能顯示 S4.4 rollback ADR 草案而不新增 execution action。
**仍未完成**
- repo owner 對 7 個 in-scope rollback drafts 的人工批准。
- GitHub primary cutover dry-run。
- Gitea authenticated inventory、refs truth / parity、workflow / secret redacted evidence 的完整驗收。
- 任何實際 primary switch 或 rollback runtime gate。
**仍禁止**
- 不切 GitHub primary。
- 不執行 rollback。
- 不建立 GitHub repo、不修改 visibility、不 sync refs、不 delete refs、不 force push。
- 不修改 webhook、workflow、branch protection、runner、deploy key 或 secret。
- 不停用、刪除、封存或降級 Gitea repo。
**驗證**
- JSON 全量 parse 通過81 個 JSON files。
- S4.4 assertion 通過35 個 contracts、route coverage 完整、7 個 rollback drafts、0 owner approved、0 dry-run completed、primary still blocked。
- `git diff --check` 通過。
- 敏感字串掃描確認本輪未保存 Kali SSH 密碼、常見 token pattern、private key material也未出現 rollback / primary switch / Gitea disable 授權被打開。
## 2026-05-13 | 資安供應鏈 S4.3Workflow / Secret 名稱 Redacted Export Request
**背景**S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence但 webhook、runner owner、deploy key、branch protection / required checks、repository secret name parity 還不能靠本機 working tree 完成。為了維持低摩擦,本輪只建立 redacted export request package不呼叫 GitHub/Gitea API、不使用 token、不修改任何 repo 設定。

20
docs/schemas/security_mirror_status_rollup_v1.schema.json
View File

@@ -68,6 +68,10 @@
"active_runtime_gate_count",
"primary_readiness_candidate_repo_count",
"github_primary_ready_count",
"primary_rollback_adr_repo_plan_count",
"primary_rollback_adr_owner_approved_count",
"primary_rollback_adr_dry_run_completed_count",
"primary_rollback_execution_authorized",
"workflow_secret_inventory_candidate_repo_count",
"workflow_secret_inventory_complete_count",
"workflow_secret_inventory_local_evidence_repo_count",
@@ -133,6 +137,22 @@
"type": "integer",
"minimum": 0
},
"primary_rollback_adr_repo_plan_count": {
"type": "integer",
"minimum": 0
},
"primary_rollback_adr_owner_approved_count": {
"type": "integer",
"minimum": 0
},
"primary_rollback_adr_dry_run_completed_count": {
"type": "integer",
"minimum": 0
},
"primary_rollback_execution_authorized": {
"type": "boolean",
"const": false
},
"workflow_secret_inventory_candidate_repo_count": {
"type": "integer",
"minimum": 0

225
docs/schemas/source_control_primary_rollback_adr_v1.schema.json Normal file
View File

@@ -0,0 +1,225 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "urn:awoooi:source-control-primary-rollback-adr-v1",
"title": "Source Control Primary Rollback ADR v1",
"description": "定義 GitHub primary cutover 前必備的 rollback ADR 草案、回退觸發條件、逐 repo owner review 與仍然禁止事項。此契約不授權 primary switch、refs sync 或 repo 修改。",
"type": "object",
"required": [
"schema_version",
"status",
"date",
"mode",
"runtime_execution_authorized",
"source_indexes",
"summary",
"rollback_principles",
"cutover_preconditions",
"repo_rollback_plans",
"rollback_triggers",
"validation_windows",
"acceptance_rules",
"forbidden_actions"
],
"properties": {
"schema_version": {
"const": "source_control_primary_rollback_adr_v1"
},
"status": {
"type": "string",
"enum": ["draft_waiting_owner_review"]
},
"date": {
"type": "string"
},
"mode": {
"type": "string",
"enum": ["rollback_adr_only"]
},
"runtime_execution_authorized": {
"type": "boolean",
"const": false
},
"source_indexes": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"summary": {
"type": "object",
"required": [
"candidate_repo_count",
"in_scope_repo_count",
"external_scope_count",
"repo_rollback_plan_count",
"owner_approved_count",
"dry_run_completed_count",
"active_cutover_count",
"rollback_execution_authorized",
"github_primary_switch_authorized",
"gitea_disable_authorized",
"action_buttons_allowed"
],
"properties": {
"candidate_repo_count": {"type": "integer", "minimum": 0},
"in_scope_repo_count": {"type": "integer", "minimum": 0},
"external_scope_count": {"type": "integer", "minimum": 0},
"repo_rollback_plan_count": {"type": "integer", "minimum": 0},
"owner_approved_count": {"type": "integer", "minimum": 0},
"dry_run_completed_count": {"type": "integer", "minimum": 0},
"active_cutover_count": {"type": "integer", "minimum": 0},
"rollback_execution_authorized": {"type": "boolean", "const": false},
"github_primary_switch_authorized": {"type": "boolean", "const": false},
"gitea_disable_authorized": {"type": "boolean", "const": false},
"action_buttons_allowed": {"type": "boolean", "const": false}
},
"additionalProperties": false
},
"rollback_principles": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"cutover_preconditions": {
"type": "array",
"items": {
"type": "object",
"required": [
"gate_id",
"title",
"required_evidence",
"current_status",
"execution_authorized"
],
"properties": {
"gate_id": {"type": "string"},
"title": {"type": "string"},
"required_evidence": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"current_status": {
"type": "string",
"enum": ["missing", "draft_only", "waiting_owner_review", "blocked"]
},
"execution_authorized": {"type": "boolean", "const": false}
},
"additionalProperties": false
},
"minItems": 1
},
"repo_rollback_plans": {
"type": "array",
"items": {
"type": "object",
"required": [
"repo_key",
"github_repo",
"source_key",
"scope_status",
"risk",
"rollback_state",
"primary_ready",
"fallback_role",
"required_owner_decisions",
"rollback_evidence_required",
"rollback_triggers",
"manual_recovery_outline",
"execution_authorized",
"still_forbidden"
],
"properties": {
"repo_key": {"type": "string"},
"github_repo": {"type": "string"},
"source_key": {"type": "string"},
"scope_status": {
"type": "string",
"enum": ["in_scope", "external_scope_review"]
},
"risk": {
"type": "string",
"enum": ["LOW", "MEDIUM", "HIGH"]
},
"rollback_state": {
"type": "string",
"enum": [
"draft_waiting_owner_review",
"scope_review_only"
]
},
"primary_ready": {"type": "boolean", "const": false},
"fallback_role": {"type": "string"},
"required_owner_decisions": {
"type": "array",
"items": {"type": "string"}
},
"rollback_evidence_required": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"rollback_triggers": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"manual_recovery_outline": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"execution_authorized": {"type": "boolean", "const": false},
"still_forbidden": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
}
},
"additionalProperties": false
},
"minItems": 1
},
"rollback_triggers": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"validation_windows": {
"type": "array",
"items": {
"type": "object",
"required": [
"window_id",
"title",
"required_checks",
"failure_handling",
"execution_authorized"
],
"properties": {
"window_id": {"type": "string"},
"title": {"type": "string"},
"required_checks": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"failure_handling": {"type": "string"},
"execution_authorized": {"type": "boolean", "const": false}
},
"additionalProperties": false
},
"minItems": 1
},
"acceptance_rules": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"forbidden_actions": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
}
},
"additionalProperties": false
}

5
docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
View File

@@ -54,6 +54,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff不 fetch、不 push、不刪 refs |
| `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類與人工判定隊列,不執行 sync/delete |
| `source_control_primary_readiness_gate_v1` | GitHub primary readiness / parity gate | Source-control review、Operator Console、Audit | approval-only | 只顯示 primary blockers、parity gates、rollback ADR 缺口;目前 `primary_ready_count=0` |
| `source_control_primary_rollback_adr_v1` | GitHub primary rollback ADR 草案與 validation window | Source-control review、Operator Console、Audit | approval-only | 只顯示 7 個 repo 的 rollback draft、owner review、validation window不得執行 rollback 或切 primary |
| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口、S4.2 local evidence 與 S4.3 redacted export request目前 `inventory_complete_count=0`,不得保存 secret value |
| `local_repo_canonical_probe_v1` | 本機 working tree lineage 比對 | Canonical decision evidence | mirror-only | 不自動合併、不自動建 repo、不刪除 |
| `git_remote_refs_probe_v1` | 指定 repo remote refs read-only probe | Source readiness evidence | mirror-only | 不 fetch、不 push、不自動 mirror |
@@ -100,8 +101,9 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `security_approval_state_transition_v1.mode=approval_state_transition_only` | `observe` | 顯示 5 個 decision options 的 next state不得把 transition 當 execution authorization |
| `security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only` | `observe` | 顯示 8 個後續 runtime gate 準備模板、0 個 active runtime gates不得新增 action button |
| `source_control_primary_readiness_gate_v1.status=draft_blocked` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready不得切 primary |
| `source_control_primary_rollback_adr_v1.status=draft_waiting_owner_review` | `approve_required` | 顯示 7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed不得執行 rollback 或切 primary |
| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、S4.2 local evidence 4 repos / 31 workflows / 43 referenced secret names、S4.3 export request 7 repos / 5 lanes、0 個 complete不得收集 secret value、不得修改 workflow |
| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 34 個 contracts 的 readiness不得把 readiness 當 execution authorization |
| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 35 個 contracts 的 readiness不得把 readiness 當 execution authorization |
| `security_mirror_intake_plan_v1.status=draft` | `observe` | 顯示 5 個 intake waves 與 4 個 acceptance gates不得執行 wave |
| `security_mirror_event_v1.execution_authorized=false` | `observe` | 只包裝鏡像 payload明確不授權執行、不顯示執行按鈕 |
| `security_mirror_route_v1.status=draft` | `observe` | 顯示 5 個 route groups、channel policy 與 review lane不得轉成 execution router |
@@ -170,6 +172,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| Source Control branch/tag detail diff | `docs/security/source-control-ref-detail-diff.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md` |
| Source Control ref truth classification | `docs/security/source-control-ref-truth-classification.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` |
| Source Control GitHub primary readiness gate | `docs/security/source-control-primary-readiness-gate.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` |
| Source Control GitHub primary rollback ADR | `docs/security/source-control-primary-rollback-adr.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md` |
| Source Control workflow / secret name inventory | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` |
| Source Control workflow / secret name local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` |
| Source Control workflow / secret name export request | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` |

31
docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md
View File

@@ -73,7 +73,7 @@
```text
Kali / Code Review / GitHub / Gitea / Codex
-> security_supply_chain_contract_manifest_v1
-> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / security_approval_state_transition_v1 / security_followup_runtime_gate_v1 / source_control_primary_readiness_gate_v1 / source_control_workflow_secret_name_inventory_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1
-> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / security_approval_state_transition_v1 / security_followup_runtime_gate_v1 / source_control_primary_readiness_gate_v1 / source_control_primary_rollback_adr_v1 / source_control_workflow_secret_name_inventory_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1
-> AWOOOI ingestion / asset_inventory / AIOps KPI / AOL
-> mirror 到 AwoooP Runtime State / Channel Event / Audit
-> AwoooP Policy / Approval / Exception / Operator Console
@@ -207,6 +207,18 @@ Snapshot`docs/security/source-control-primary-readiness-gate.snapshot.json`
AwoooP 初期處理方式:只顯示 blockers、evidence refs 與 required review不建立 GitHub repo、不修改 visibility、不 sync refs、不切 primary、不停用 Gitea。
### `source_control_primary_rollback_adr_v1`
用途:定義 S4.4 GitHub primary rollback ADR 草案,讓 AwoooP 在任何 primary cutover 前能顯示 rollback owner、validation window、rollback triggers 與逐 repo owner review。
Schema`docs/schemas/source_control_primary_rollback_adr_v1.schema.json`
Snapshot`docs/security/source-control-primary-rollback-adr.snapshot.json`
目前 rollback ADR7 個 in-scope repo rollback drafts、1 個 external scope review、0 個 owner approved、0 個 dry-run completed、0 個 active cutover。所有 rollback / primary switch / refs sync 動作都必須維持 disabled。
AwoooP 初期處理方式:只顯示 rollback ADR 草案、owner review、validation window 與仍然禁止事項,不執行 rollback、不切 GitHub primary、不停用 Gitea。
### `source_control_workflow_secret_name_inventory_v1`
用途:定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate補上 GitHub primary 前不能缺的 CI/CD 與 secret hygiene evidence。
@@ -231,7 +243,7 @@ Schema`docs/schemas/security_mirror_readiness_v1.schema.json`
Snapshot`docs/security/security-mirror-readiness.snapshot.json`
目前 readiness34 個 contracts31 個 ready for mirror2 個 partial ready1 個 contract-only0 個 blocked。所有 contract 都是 `execution_allowed=false`
目前 readiness35 個 contracts32 個 ready for mirror2 個 partial ready1 個 contract-only0 個 blocked。所有 contract 都是 `execution_allowed=false`
AwoooP 初期處理方式:先 mirror readiness index再依 readiness 分批 mirror 其他 snapshots不得把 readiness 當 execution authorization。
@@ -267,7 +279,7 @@ Schema`docs/schemas/security_mirror_route_v1.schema.json`
Snapshot`docs/security/security-mirror-route.snapshot.json`
目前 route5 個 route groups涵蓋 34 個 contracts所有 route 都是 `runtime_execution_authorized=false`
目前 route5 個 route groups涵蓋 35 個 contracts所有 route 都是 `runtime_execution_authorized=false`
AwoooP 初期處理方式:只依 route group 顯示 Operator Console / Runtime State / Channel Event / Audit / Approval Queue不把 route 轉成 execution router。
@@ -315,7 +327,7 @@ Schema`docs/schemas/security_mirror_status_rollup_v1.schema.json`
Snapshot`docs/security/security-mirror-status-rollup.snapshot.json`
目前 rollup`framework_ready_waiting_approval`34 個 contracts、31 ready、2 partial、1 contract-only、0 blockedapproval queue 仍為 8 items其中 7 pending approval、1 block candidatereview packets 8 筆state transition rules 5 筆follow-up runtime gate templates 8 筆active runtime gates 0 筆GitHub primary candidate repos 8 筆primary ready 0 筆workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆decision records 目前 0 筆。
目前 rollup`framework_ready_waiting_approval`35 個 contracts、32 ready、2 partial、1 contract-only、0 blockedapproval queue 仍為 8 items其中 7 pending approval、1 block candidatereview packets 8 筆state transition rules 5 筆follow-up runtime gate templates 8 筆active runtime gates 0 筆GitHub primary candidate repos 8 筆primary ready 0 S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆decision records 目前 0 筆。
AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence不得把 rollup 當 runtime authorization。
@@ -351,7 +363,7 @@ Schema`docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`
"schema_version": "security_supply_chain_contract_manifest_v1",
"status": "draft",
"default_enforcement_level": "mirror_only",
"contract_count": 34
"contract_count": 35
}
```
@@ -769,7 +781,7 @@ Console 初期不提供高風險執行按鈕。
2026-05-12 contract manifest 追加:已新增 `docs/schemas/security_supply_chain_contract_manifest_v1.schema.json``docs/security/security-supply-chain-contract-manifest.snapshot.json``docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md`。AwoooP 應先讀 manifest 作為 mirror-only contract registry不把 manifest 當 execution router。
2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json``docs/security/security-mirror-route.snapshot.json``docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 34 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queueroute 只決定目的地、channel policy 與 review lane不是 execution router。
2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json``docs/security/security-mirror-route.snapshot.json``docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 35 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queueroute 只決定目的地、channel policy 與 review lane不是 execution router。
2026-05-13 mirror acceptance 追加:已新增 `docs/schemas/security_mirror_acceptance_v1.schema.json``docs/security/security-mirror-acceptance.snapshot.json``docs/security/SECURITY-MIRROR-ACCEPTANCE.md`。AwoooP 可用 7 個 acceptance checks 驗收 mirror ingestionblocking checks 只針對 contract count mismatch、缺 event envelope、route coverage 不完整或未脫敏 evidence不得阻擋 runtime 流程。
@@ -777,7 +789,7 @@ Console 初期不提供高風險執行按鈕。
2026-05-13 mirror dry-run 追加:已新增 `docs/schemas/security_mirror_dry_run_v1.schema.json``docs/security/security-mirror-dry-run.snapshot.json``docs/security/SECURITY-MIRROR-DRY-RUN.md`。AwoooP 未來可用 6 個 dry-run steps 回報接入演練結果;本 snapshot 狀態為 `contract_defined_not_executed`,不得視為 production ingestion 已啟用。
2026-05-13 mirror status rollup 追加:已新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json``docs/security/security-mirror-status-rollup.snapshot.json``docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`。AwoooP 與 Security Supply Chain Session 可用同一份 rollup 同步 S0-S4、34 個 contracts、approval queue summary、review packet summary、state transition summary、follow-up runtime gate template summary、GitHub primary readiness summary、workflow / secret name inventory summary 與下一個安全 gate本契約不授權任何 runtime action。
2026-05-13 mirror status rollup 追加:已新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json``docs/security/security-mirror-status-rollup.snapshot.json``docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`。AwoooP 與 Security Supply Chain Session 可用同一份 rollup 同步 S0-S4、35 個 contracts、approval queue summary、review packet summary、state transition summary、follow-up runtime gate template summary、GitHub primary readiness summary、rollback ADR summary、workflow / secret name inventory summary 與下一個安全 gate本契約不授權任何 runtime action。
2026-05-13 S3 approval gate 追加:已新增 `docs/schemas/security_approval_gate_v1.schema.json``docs/security/security-approval-gate.snapshot.json``docs/security/SECURITY-APPROVAL-GATE.md`。AwoooP 可用 8 個 gate items 記錄人工批准、拒絕、延後或補 evidence批准後仍需 follow-up runtime gate不得直接執行。
@@ -797,6 +809,8 @@ Console 初期不提供高風險執行按鈕。
2026-05-13 S4.3 workflow / secret name redacted export request 追加:已新增 `docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json``docs/security/source-control-workflow-secret-name-export-request.snapshot.json``docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md`。本輪只定義 7 個 in-scope repos、5 類 export lanes 的 owner / read-only export 欄位與拒收規則webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity`write_token_allowed=false``secret_value_collection_allowed=false`,不得呼叫 API 或修改 GitHub/Gitea。
2026-05-13 S4.4 GitHub primary rollback ADR 追加:已新增 `docs/schemas/source_control_primary_rollback_adr_v1.schema.json``docs/security/source-control-primary-rollback-adr.snapshot.json``docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md`。本輪只定義 7 個 in-scope repos 的 rollback ADR 草案、precondition、trigger、validation window 與 owner review`owner_approved_count=0``dry_run_completed_count=0``active_cutover_count=0`,不得切 GitHub primary、不得執行 rollback、不得停用 Gitea。
2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json``docs/security/kali-integration-status.snapshot.json``docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up已 targeted update `nmap``nikto``nuclei``curl``openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence但不得直接啟動 scan、credentialed scan 或 `/execute`
本波仍不做:
@@ -855,6 +869,8 @@ Console 初期不提供高風險執行按鈕。
- [security_approval_decision_record_v1 snapshot](/Users/ogt/awoooi/docs/security/security-approval-decision-record.snapshot.json)
- [Source Control ref truth classification](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md)
- [source_control_ref_truth_classification_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-ref-truth-classification.snapshot.json)
- [Source Control GitHub primary rollback ADR](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md)
- [source_control_primary_rollback_adr_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-primary-rollback-adr.snapshot.json)
- [Source Control workflow / secret name inventory](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md)
- [source_control_workflow_secret_name_inventory_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-inventory.snapshot.json)
- [Source Control workflow / secret name local evidence](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md)
@@ -892,6 +908,7 @@ Console 初期不提供高風險執行按鈕。
- [security_approval_gate_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_gate_v1.schema.json)
- [security_approval_decision_record_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_decision_record_v1.schema.json)
- [source_control_ref_truth_classification_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_classification_v1.schema.json)
- [source_control_primary_rollback_adr_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_primary_rollback_adr_v1.schema.json)
- [source_control_workflow_secret_name_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json)
- [source_control_workflow_secret_name_local_evidence_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json)
- [source_control_workflow_secret_name_export_request_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json)

2
docs/security/SECURITY-MIRROR-ACCEPTANCE.md
View File

@@ -27,7 +27,7 @@
| Check | 目的 | 失敗時是否阻擋鏡像 |
|-------|------|--------------------|
| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 34 個 contracts | 是 |
| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 35 個 contracts | 是 |
| `EVENT_ENVELOPE_REQUIRED` | 確認每筆 payload 都不可執行、不可顯示執行按鈕 | 是 |
| `ROUTE_GROUP_COVERAGE` | 確認 5 個 route groups 覆蓋所有 contracts | 是 |
| `REDACTION_ONLY` | 確認不保存 raw sensitive value | 是 |

9
docs/security/SECURITY-MIRROR-INTAKE-PLAN.md
View File

@@ -19,10 +19,10 @@
| Wave | 目的 | 主要 contracts | Exit gate |
|------|------|----------------|-----------|
| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣、驗收契約、隔離契約、dry-run 報告格式、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory gate | readiness / manifest / rollout policy / mirror event / mirror route / acceptance / quarantine / dry-run / status rollup / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / workflow-secret inventory | 顯示 34 個 contract 且 `execution_allowed=false` |
| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣、驗收契約、隔離契約、dry-run 報告格式、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR 與 workflow / secret name inventory gate | readiness / manifest / rollout policy / mirror event / mirror route / acceptance / quarantine / dry-run / status rollup / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / rollback ADR / workflow-secret inventory | 顯示 35 個 contract 且 `execution_allowed=false` |
| `M1_kali_visibility` | 顯示 Kali 112、scan scope、approval queue | Kali status / scan scope / approval queue / finding sample | 顯示 5 個 scope groups 與 8 個 queue items沒有執行按鈕 |
| `M2_source_control_visibility` | 顯示 Gitea/GitHub source-control evidence、GitHub primary readiness blockers 與 workflow / secret 名稱 inventory 缺口 | migration / inventory / refs / approval board / primary readiness gate / workflow-secret inventory | 顯示 blocking reasonsrepo/refs/primary/workflow/secret actions 全 disabled |
| `M3_approval_candidates` | 顯示 approval candidates、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、workflow / secret 名稱 inventory gate 與人工決策留痕 | approval events / approval queue / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / workflow-secret inventory / source-control board | 可留痕,不可自動批准或執行 |
| `M2_source_control_visibility` | 顯示 Gitea/GitHub source-control evidence、GitHub primary readiness blockers、rollback ADR 草案與 workflow / secret 名稱 inventory 缺口 | migration / inventory / refs / approval board / primary readiness gate / rollback ADR / workflow-secret inventory | 顯示 blocking reasonsrepo/refs/primary/workflow/secret actions 全 disabled |
| `M3_approval_candidates` | 顯示 approval candidates、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR、workflow / secret 名稱 inventory gate 與人工決策留痕 | approval events / approval queue / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / rollback ADR / workflow-secret inventory / source-control board | 可留痕,不可自動批准或執行 |
| `M4_patch_only_backlog` | 顯示 Codex patch-only backlog lane | coding task | 只顯示 lane不接 Codex runner action |
## 2. AwoooP 可做
@@ -42,7 +42,8 @@
13. 使用 `security_approval_state_transition_v1` 顯示人工決策後的 next state但不自動執行後續動作。
14. 使用 `security_followup_runtime_gate_v1` 顯示未來 runtime gate 的準備模板,但不啟用 runtime gate。
15. 使用 `source_control_primary_readiness_gate_v1` 顯示 GitHub primary parity、owner、rollback 與人工批准缺口,但不切 primary。
16. 使用 `source_control_workflow_secret_name_inventory_v1` 顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,但不保存 secret value、不修改 workflow
16. 使用 `source_control_primary_rollback_adr_v1` 顯示 rollback ADR 草案、validation window 與 owner review不執行 rollback
17. 使用 `source_control_workflow_secret_name_inventory_v1` 顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,但不保存 secret value、不修改 workflow。
## 3. AwoooP 不可做

9
docs/security/SECURITY-MIRROR-READINESS.md
View File

@@ -23,7 +23,7 @@
| 狀態 | 數量 | 說明 |
|------|------|------|
| `ready_for_mirror` | 31 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence |
| `ready_for_mirror` | 32 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence |
| `partial_ready` | 2 | 可 mirror但 evidence 仍不完整 |
| `contract_only` | 1 | 有 schema / handoff尚無正式 snapshot |
| `blocked` | 0 | 目前沒有禁止 mirror 的 contract |
@@ -81,8 +81,9 @@ AwoooP 可以將 ready / partial contracts mirror 到:
13. 再 mirror `security_approval_state_transition_v1`,只顯示決策後 next state 與 follow-up runtime gate。
14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement。
15. 再 mirror `source_control_primary_readiness_gate_v1`,只顯示 GitHub primary parity、owner、rollback 與人工批准缺口。
16. 再 mirror `source_control_workflow_secret_name_inventory_v1`、S4.2 local evidence 與 S4.3 redacted export request只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret namesexport request 有 7 個 repos、5 類 lanes不保存 secret value
17. 再 mirror `kali_integration_status_v1``kali_scan_scope_approval_v1`
18. 最後再 mirror source-control 其他 contracts
16. 再 mirror `source_control_primary_rollback_adr_v1`,只顯示 7 個 in-scope repo 的 rollback ADR 草案、validation window 與 owner review不執行 rollback、不切 primary
17. 再 mirror `source_control_workflow_secret_name_inventory_v1`、S4.2 local evidence 與 S4.3 redacted export request只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret namesexport request 有 7 個 repos、5 類 lanes不保存 secret value
18. 再 mirror `kali_integration_status_v1``kali_scan_scope_approval_v1`
19. 最後再 mirror source-control 其他 contracts。
整個 S2 不新增 execution router、不新增執行按鈕、不新增 runtime blocker。

8
docs/security/SECURITY-MIRROR-ROUTE.md
View File

@@ -25,10 +25,10 @@
| Route group | 目的 | 初期 channel policy | review lane |
|-------------|------|---------------------|-------------|
| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance、quarantine、dry-run、status rollup、S3 review packet、state transition、follow-up runtime gate、GitHub primary readiness gate 與 workflow / secret name inventory 位置 | `no_channel_event` | `observe` |
| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance、quarantine、dry-run、status rollup、S3 review packet、state transition、follow-up runtime gate、GitHub primary readiness gate、rollback ADR 與 workflow / secret name inventory 位置 | `no_channel_event` | `observe` |
| `M1_kali_visibility` | 顯示 Kali 112、111 / 168 scope、approval queue 與 finding sample | `approval_required_only` | `approval_required` |
| `M2_source_control_visibility` | 顯示 Gitea / GitHub repo、branch、tag、canonical 差異、GitHub primary readiness blockers 與 workflow / secret 名稱 inventory 缺口 | `low_noise_status` | `source_control_review` |
| `M3_approval_candidates` | 顯示人工批准候選、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、workflow / secret 名稱 inventory gate 與留痕 | `approval_required_only` | `approval_required` |
| `M2_source_control_visibility` | 顯示 Gitea / GitHub repo、branch、tag、canonical 差異、GitHub primary readiness blockers、rollback ADR 草案與 workflow / secret 名稱 inventory 缺口 | `low_noise_status` | `source_control_review` |
| `M3_approval_candidates` | 顯示人工批准候選、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR、workflow / secret 名稱 inventory gate 與留痕 | `approval_required_only` | `approval_required` |
| `M4_patch_only_backlog` | 顯示 Code Review 後的 Codex patch-only backlog lane | `no_channel_event` | `patch_only` |
## 2. AwoooP 可做
@@ -52,7 +52,7 @@
S2.7 後AwoooP 主線只需要能讀到:
1. 34 個 contracts。
1. 35 個 contracts。
2. 5 個 route groups。
3. 所有 route group 都是 `runtime_execution_authorized=false`
4. Channel Event 初期低噪音。

10
docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
View File

@@ -19,8 +19,8 @@
| 類型 | 狀態 |
|------|------|
| Contract manifest | 34 個 contracts |
| Mirror readiness | 31 ready、2 partial、1 contract-only、0 blocked |
| Contract manifest | 35 個 contracts |
| Mirror readiness | 32 ready、2 partial、1 contract-only、0 blocked |
| Approval queue | 8 items7 pending approval、1 block candidate |
| Approval gate | S3.0 已建立0 approved、7 pending、1 block candidate |
| Decision records | S3.1 已建立;目前 0 筆決策紀錄 |
@@ -28,6 +28,7 @@
| State transitions | S3.3 已建立5 個 decision options 都有 next state且都不授權執行 |
| Follow-up runtime gate templates | S3.4 已建立8 個 templates、0 個 active runtime gates |
| GitHub primary readiness gate | S4.0 已建立8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready |
| GitHub primary rollback ADR | S4.4 已建立7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover |
| Workflow / secret name inventory | S4.1 已建立S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidenceS4.3 補 7 個 repos、5 類 lanes 的 redacted export request0 個 inventory complete、禁止收集 secret value、禁止 write token |
| Dry-run | `contract_defined_not_executed` |
| Runtime actions | `false` |
@@ -53,7 +54,7 @@
下一步仍不是 runtime enforcement。
建議先讓 AwoooP 主線只讀消費本 rollup、`security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_workflow_secret_name_inventory_v1`,並由人工依序 review
建議先讓 AwoooP 主線只讀消費本 rollup、`security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1`,並由人工依序 review
1. redacted finding ingestion adapter。
2. safe web crawl scope。
@@ -61,6 +62,7 @@
4. GitHub target / owner / visibility / canonical。
5. Kali `/execute` 維持 block candidate。
6. GitHub primary readiness blockers 與 rollback ADR 缺口。
7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence再依 S4.3 redacted export request 補 webhook / runner / deploy key / branch protection / repository secret parity只保存名稱與 owner不保存 value不使用 write token
7. S4.4 GitHub primary rollback ADR 草案:先顯示 7 個 repo 的 rollback owner、validation window 與 triggersowner approval 前不可執行
8. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence再依 S4.3 redacted export request 補 webhook / runner / deploy key / branch protection / repository secret parity只保存名稱與 owner不保存 value不使用 write token。
任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence不得由本 rollup 自動觸發。

5
docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md
View File

@@ -11,7 +11,7 @@
## 0. 核心結論
目前 Security Supply Chain 已有 34 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口避免不同 Session 各自解讀。
目前 Security Supply Chain 已有 35 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口避免不同 Session 各自解讀。
初期預設仍是 `mirror_only`。Manifest 不授權 runtime enforcement、不授權 GitHub/Gitea 主控切換、不授權 repo 建立或 refs sync。
@@ -49,6 +49,7 @@
| `source_control_ref_detail_diff_v1` | mirror-only | refs-blocked repo 的 branch/tag 明細 diff | `source-control-ref-detail-diff.snapshot.json` |
| `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類 | `source-control-ref-truth-classification.snapshot.json` |
| `source_control_primary_readiness_gate_v1` | approval-only | GitHub primary readiness / parity gate | `source-control-primary-readiness-gate.snapshot.json` |
| `source_control_primary_rollback_adr_v1` | approval-only | GitHub primary rollback ADR 草案與 validation window | `source-control-primary-rollback-adr.snapshot.json` |
| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gateS4.2 已補 local evidenceS4.3 已補 redacted export request | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` / `source-control-workflow-secret-name-export-request.snapshot.json` |
| `local_repo_canonical_probe_v1` | mirror-only | momo/ewoooc lineage evidence | `local-repo-canonical-ewoooc-momo.snapshot.json` |
| `git_remote_refs_probe_v1` | mirror-only | 110 / GitHub remote refs readiness | `bitan-tsenyang``wooo-infra-config` |
@@ -59,7 +60,7 @@
1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`
2. 再讀本 manifest取得可消費 contract 與禁止動作。
3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。
4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / workflow-secret name inventory gate / redacted export request display。
4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display。
5. 不新增執行按鈕,不做 runtime enforcement。
## 3. 永久禁止

15
docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
View File

@@ -4,7 +4,7 @@
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | S0/S1 read-only evidence 建置中 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
## 0. 本階段完成後整體進度
@@ -20,11 +20,11 @@
| S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs |
| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 |
| S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 |
| S1.4 契約索引 | 完成草案 | 34 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
| S1.4 契約索引 | 完成草案 | 35 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
| S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate |
| S1.6 Kali finding / scan scope approval | 完成草案 | `security_finding_v1` sample snapshot 與 `kali_scan_scope_approval_v1` approval package 已建立111/168 已納入 observe-only scope | 人工批准 safe crawl / credentialed scan / runtime ingestion / full-upgrade gate |
| S1.7 Security approval queue | 完成草案 | 8 個 approval queue items 已集中7 pending approval、1 block candidateAwoooP 可 mirror 但不得執行 | 先 review redacted finding ingestion再 review safe crawl / Gitea inventory |
| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 34 個 contracts31 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 |
| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 35 個 contracts32 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 |
| S2.1 AwoooP mirror-only intake plan | 完成草案 | `security_mirror_intake_plan_v1` 已建立 5 個 intake waves 與 4 個 acceptance gates | AwoooP 主線照 wave mirror不新增 execution router |
| S2.2 AwoooP 鏡像事件信封 | 完成草案 | `security_mirror_event_v1` 已建立,要求每筆鏡像 payload 標示 `execution_authorized=false``action_buttons_allowed=false` | AwoooP 鏡像 payload 統一信封 |
| S2.3 AwoooP 鏡像路由矩陣 | 完成草案 | `security_mirror_route_v1` 已建立 5 個 route groups定義目的地、channel policy 與 review lane | AwoooP 消費時不猜路由、不新增執行入口 |
@@ -42,7 +42,8 @@
| S4.1 Workflow / Secret 名稱 inventory 契約 | 完成草案 | `source_control_workflow_secret_name_inventory_v1` 已建立8 個 candidate repos、7 個 in-scope repos 尚缺實際 inventory、0 個 complete、禁止收集 secret value | AwoooP 可顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱缺口,不可修改 workflow 或 secret |
| S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence仍不可切 primary |
| S4.3 Workflow / Secret 名稱 redacted export request | 完成草案 | 已建立 export request schema / snapshot / 人讀版7 個 in-scope repos、5 類 export laneswebhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name paritywrite token allowed=false | repo owner 或未來只讀 API 依 request 補 redacted export仍不可收 secret value、不可修改 GitHub/Gitea |
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR |
| S4.4 GitHub Primary rollback ADR | 完成草案 | 已建立 rollback ADR schema / snapshot / 人讀版7 個 in-scope rollback drafts、0 owner approved、0 dry-run completed、0 active cutover | repo owner 審查 rollback owner、validation window 與 triggers仍不可切 primary 或執行 rollback |
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證rollback ADR 仍待 owner approval | SHA/tag/workflow parity、rollback ADR owner approval 與 runtime gate |
## 1. 已建立的主要 evidence
@@ -72,6 +73,8 @@
| Source Control ref truth classification JSON | `docs/security/source-control-ref-truth-classification.snapshot.json` |
| Source Control GitHub primary readiness gate | `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` |
| Source Control GitHub primary readiness gate JSON | `docs/security/source-control-primary-readiness-gate.snapshot.json` |
| Source Control GitHub primary rollback ADR | `docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md` |
| Source Control GitHub primary rollback ADR JSON | `docs/security/source-control-primary-rollback-adr.snapshot.json` |
| Source Control workflow / secret name inventory | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` |
| Source Control workflow / secret name inventory JSON | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` |
| Source Control workflow / secret name local evidence | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` |
@@ -142,6 +145,6 @@
3.`SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md``awoooi``clawbot-v5``wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
4.`ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
5.`KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1``security_mirror_route_v1``security_mirror_acceptance_v1``security_mirror_quarantine_v1``security_mirror_dry_run_v1``security_mirror_status_rollup_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 workflow / secret inventory 需同時顯示 S4.3 redacted export request。
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1``security_mirror_route_v1``security_mirror_acceptance_v1``security_mirror_quarantine_v1``security_mirror_dry_run_v1``security_mirror_status_rollup_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 workflow / secret inventory 需同時顯示 S4.3 redacted export requestprimary readiness 需同時顯示 S4.4 rollback ADR 草案
7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy不做 runtime blocking。
8. AwoooP 主線再讀 `security_approval_queue_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_workflow_secret_name_inventory_v1``security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason不新增 execution router。
8. AwoooP 主線再讀 `security_approval_queue_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1``security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason不新增 execution router。

8
docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md
View File

@@ -6,6 +6,7 @@
| 狀態 | 草案blocked by default |
| Schema | `docs/schemas/source_control_primary_readiness_gate_v1.schema.json` |
| Snapshot | `docs/security/source-control-primary-readiness-gate.snapshot.json` |
| Rollback ADR | `docs/security/source-control-primary-rollback-adr.snapshot.json` |
| 模式 | `primary_readiness_gate_only` |
| runtime 執行授權 | `false` |
@@ -36,7 +37,7 @@
| refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift |
| workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot |
| owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策 |
| rollback ADR | not started | 尚未有逐 repo GitHub primary ADR 與 rollback plan |
| rollback ADR | pending review | S4.4 已建立 rollback ADR 草案7 個 in-scope repos 仍需 owner approval、dry-run 與 validation window |
## 3. AwoooP 可做
@@ -45,7 +46,8 @@
3. 將 7 個 in-scope repos 維持在 approval / review lane。
4. 顯示哪些 evidence 仍缺Gitea authenticated inventory、refs truth、workflow/runner/secret name inventory、rollback ADR。
5. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence只保存 secret 名稱與 owner不保存 value。
6. 把狀態寫入 Audit evidence 與 Operator Console
6. 連到 `source_control_primary_rollback_adr_v1` 顯示 7 個 in-scope repos 的 rollback owner、trigger 與 validation window 草案
7. 把狀態寫入 Audit evidence 與 Operator Console。
## 4. AwoooP 不可做
@@ -61,4 +63,6 @@
S4.0 只是把「切換前一定要看見什麼」先定義清楚。
S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。`owner_approved_count=0``dry_run_completed_count=0``active_cutover_count=0`
這讓長期回到 GitHub 的方向可以繼續往前,但仍維持低摩擦:目前只 mirror、只顯示、只留痕不執行。

98
docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md Normal file
View File

@@ -0,0 +1,98 @@
# GitHub Primary Rollback ADR 草案
| 項目 | 內容 |
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | 草案,等待 owner review |
| Schema | `docs/schemas/source_control_primary_rollback_adr_v1.schema.json` |
| Snapshot | `docs/security/source-control-primary-rollback-adr.snapshot.json` |
| 模式 | `rollback_adr_only` |
| runtime 執行授權 | `false` |
## 0. 核心結論
S4.4 補上 GitHub primary cutover 前必備的 rollback ADR 草案。
這不是 cutover plan也不是 rollback 執行計畫。它只定義:每個 repo 在未來要切 GitHub primary 前,必須先有什麼 evidence、誰是 rollback owner、哪些狀況要停下來、以及切換後 1 小時 / 24 小時要看什麼。
目前 `owner_approved_count=0``dry_run_completed_count=0``active_cutover_count=0`,所以 `primary_ready_count` 仍必須維持 0。
## 1. 摘要
| 指標 | 數量 |
|------|------|
| Candidate repos | 8 |
| In-scope repos | 7 |
| External scope review | 1 |
| Repo rollback plan drafts | 7 |
| Owner approved | 0 |
| Dry-run completed | 0 |
| Active cutover | 0 |
| Rollback execution authorized | `false` |
| GitHub primary switch authorized | `false` |
| Gitea disable authorized | `false` |
## 2. Rollback 原則
1. GitHub primary 是長期方向,但每個 repo 必須先有 owner-approved rollback plan 才能進入 cutover review。
2. Gitea 在 cutover 前後都必須保留為本地 mirror / fallback不得因 GitHub primary 準備而停用、刪除或封存。
3. Rollback ADR 只定義人工決策、驗證窗口與回退條件;不授權任何 refs sync、primary switch 或 webhook 修改。
4. 任何回退都必須有新的 runtime gate、人工批准與 evidence snapshot不得由本 ADR 自動觸發。
5. 初期只做 observe / approval_required不把缺 LOW / MEDIUM evidence 變成 production blocker。
## 3. 切換前必要 Gate
| Gate | 目前狀態 | 必要 evidence |
|------|----------|---------------|
| Gitea authenticated inventory | blocked | private/internal 全量 repo list、redacted admin export 或 read-only token evidence |
| refs truth / parity | waiting owner review | main/dev、release tags、deprecated refs 的 owner 判定 |
| workflow / secret export | draft only | webhook、runner、deploy key、branch protection、repository secret name parity redacted evidence |
| owner / visibility / canonical | waiting owner review | 7 個 in-scope repo 的 owner / target / canonical 決策 |
| rollback owner / monitoring | draft only | 每個 repo 的 rollback owner、1h / 24h 驗證窗口與 decision record 格式 |
## 4. Repo Rollback Draft
| Repo | Risk | Rollback state | 主要缺口 |
|------|------|----------------|----------|
| `owenhytsai/awoooi` | HIGH | waiting owner review | refs parity、deploy workflow、webhook single-sender、runner owner、secret name parity |
| `owenhytsai/clawbot-v5` | MEDIUM | waiting owner review | tag policy、workflow / secret need attestation、rollback owner |
| `owenhytsai/wooo-aiops` | MEDIUM | waiting owner review | GitHub-only refs、webhook owner、runner owner |
| `owenhytsai/wooo-infra-config` | MEDIUM | waiting owner review | 110 internal remote、deploy key、infra secret name parity |
| `owenhytsai/ewoooc` | HIGH | waiting owner review | target access、canonical repo、unrelated history risk |
| `owenhytsai/bitan-pharmacy` | MEDIUM | waiting owner review | active status、GitHub target、secret / deploy owner |
| `owenhytsai/tsenyang-website` | MEDIUM | waiting owner review | active status、GitHub target、secret / deploy owner |
| `nexu-io/open-design` | LOW | scope review only | 不進 AWOOOI primary cutover queue |
## 5. Rollback 觸發條件
1. main/dev SHA 或 tag parity 與 owner-approved truth 不一致。
2. workflow、webhook、runner、deploy key、branch protection 或 repository secret name parity evidence 不完整。
3. GitHub hosted runner 使用量或 billing risk 超出 owner-approved 範圍。
4. deploy marker、release workflow 或 required status check 在 cutover 後失敗。
5. duplicate webhook 造成重複部署、重複通知或 approval queue 重複事件。
6. owner / visibility / canonical decision 被撤回或出現衝突。
7. post-cutover 1h 或 24h validation window 未通過。
## 6. AwoooP 可做
1. 顯示 7 個 in-scope repo 的 rollback ADR draft。
2. 顯示 owner-approved count、dry-run completed count、active cutover count 都是 0。
3. 將 rollback owner、precondition、validation window 與 trigger 顯示在 Operator Console。
4. 把 rollback ADR 缺口寫入 Audit evidence。
5. 若未來 owner 提交決策,另寫入 `security_approval_decision_record_v1`
## 7. AwoooP 不可做
1. 不把 ADR 草案當成 cutover approval。
2. 不切 GitHub primary。
3. 不執行 rollback。
4. 不 sync refs、不 delete refs、不 force push。
5. 不修改 webhook、workflow、branch protection 或 secret。
6. 不停用、刪除、封存或降級 Gitea repo。
7. 不新增 repo、refs、primary switch、rollback 類 action button。
## 8. 階段定位
S4.0 定義 primary readiness gateS4.1 到 S4.3 補 workflow / secret inventory 與 export requestS4.4 補 rollback ADR 草案。
這讓「長期改回 GitHub primary」有更完整的安全出口但仍然停在框架期先讓 AwoooP 看見風險與 owner review不啟動任何切換、不執行任何回退。

8
docs/security/security-mirror-acceptance.snapshot.json
View File

@@ -11,8 +11,8 @@
"docs/security/security-mirror-route.snapshot.json"
],
"summary": {
"total_contracts": 34,
"ready_for_mirror_count": 31,
"total_contracts": 35,
"ready_for_mirror_count": 32,
"route_group_count": 5,
"acceptance_check_count": 7,
"blocking_check_count": 4
@@ -21,7 +21,7 @@
{
"check_id": "CONTRACT_COUNT_MATCH",
"title": "契約數量一致",
"expected_result": "AwoooP 讀到 34 個 contracts且 manifest、readiness、route coverage 的 contract 集合一致。",
"expected_result": "AwoooP 讀到 35 個 contracts且 manifest、readiness、route coverage 的 contract 集合一致。",
"evidence_refs": [
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json",
@@ -60,7 +60,7 @@
{
"check_id": "ROUTE_GROUP_COVERAGE",
"title": "路由群組覆蓋",
"expected_result": "5 個 route groups 合併後涵蓋 manifest 34 個 contracts且每個 group 都有 destinations、channel_policy 與 review_lane。",
"expected_result": "5 個 route groups 合併後涵蓋 manifest 35 個 contracts且每個 group 都有 destinations、channel_policy 與 review_lane。",
"evidence_refs": [
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"

8
docs/security/security-mirror-dry-run.snapshot.json
View File

@@ -14,8 +14,8 @@
"docs/security/security-mirror-quarantine.snapshot.json"
],
"summary": {
"total_contracts": 34,
"ready_for_mirror_count": 31,
"total_contracts": 35,
"ready_for_mirror_count": 32,
"route_group_count": 5,
"acceptance_check_count": 7,
"quarantine_lane_count": 5,
@@ -30,7 +30,7 @@
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-readiness.snapshot.json"
],
"pass_condition": "看到 34 個 contracts、31 個 ready for mirror且所有 contract execution_allowed=false。",
"pass_condition": "看到 35 個 contracts、32 個 ready for mirror且所有 contract execution_allowed=false。",
"execution_allowed": false,
"blocked_actions": [
"execute_contract",
@@ -60,7 +60,7 @@
"docs/security/security-mirror-route.snapshot.json",
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"pass_condition": "route groups 合併後涵蓋 34 個 contracts沒有未知 execution route。",
"pass_condition": "route groups 合併後涵蓋 35 個 contracts沒有未知 execution route。",
"execution_allowed": false,
"blocked_actions": [
"fallback_to_execution_route",

5
docs/security/security-mirror-event-sample.snapshot.json
View File

@@ -16,8 +16,8 @@
"risk": "LOW",
"summary": "AwoooP 可 mirror Security Supply Chain readiness index但不得把 readiness 視為執行授權。",
"payload_summary": {
"total_contracts": 34,
"ready_for_mirror_count": 31,
"total_contracts": 35,
"ready_for_mirror_count": 32,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
@@ -38,6 +38,7 @@
"docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md",
"docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md",
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md",
"docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md"
],
"blocked_actions": [

7
docs/security/security-mirror-intake-plan.snapshot.json
View File

@@ -20,6 +20,7 @@
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json"
],
"intake_waves": [
@@ -58,7 +59,7 @@
"execution_router",
"blocking_gate"
],
"exit_gate": "Operator Console 能顯示 34 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory gate且 mirror event envelope action_buttons_allowed=false。"
"exit_gate": "Operator Console 能顯示 35 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR 與 workflow / secret name inventory gate且 mirror event envelope action_buttons_allowed=false。"
},
{
"wave_id": "M1_kali_visibility",
@@ -105,6 +106,7 @@
"source_control_ref_detail_diff_v1",
"source_control_ref_truth_classification_v1",
"source_control_primary_readiness_gate_v1",
"source_control_primary_rollback_adr_v1",
"source_control_workflow_secret_name_inventory_v1",
"local_repo_canonical_probe_v1",
"git_remote_refs_probe_v1"
@@ -119,7 +121,7 @@
"mirror repo/branch/tag 差異",
"顯示 pending owner / visibility / canonical decision",
"顯示 refs truth review lane",
"顯示 GitHub primary readiness blockers、parity gates 與 rollback ADR 缺口",
"顯示 GitHub primary readiness blockers、parity gates 與 rollback ADR 草案",
"顯示 workflow / webhook / runner / secret 名稱 inventory 缺口,不保存 secret value",
"顯示 Gitea inventory partial reason"
],
@@ -144,6 +146,7 @@
"security_approval_state_transition_v1",
"security_followup_runtime_gate_v1",
"source_control_primary_readiness_gate_v1",
"source_control_primary_rollback_adr_v1",
"source_control_workflow_secret_name_inventory_v1",
"github_target_repo_approval_package_v1",
"source_control_approval_board_v1",

2
docs/security/security-mirror-quarantine.snapshot.json
View File

@@ -11,7 +11,7 @@
"docs/security/security-supply-chain-contract-manifest.snapshot.json"
],
"summary": {
"total_contracts": 34,
"total_contracts": 35,
"quarantine_lane_count": 5,
"auto_retry_allowed": false,
"runtime_blocking_allowed": false

14
docs/security/security-mirror-readiness.snapshot.json
View File

@@ -5,8 +5,8 @@
"default_enforcement_level": "mirror_only",
"runtime_execution_authorized": false,
"summary": {
"total_contracts": 34,
"ready_for_mirror_count": 31,
"total_contracts": 35,
"ready_for_mirror_count": 32,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0
@@ -327,6 +327,16 @@
"human_docs": ["docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"],
"notes": "可 mirror GitHub primary readiness blockers、parity gates 與 rollback ADR 缺口;目前 primary_ready_count=0。"
},
{
"contract": "source_control_primary_rollback_adr_v1",
"readiness": "ready_for_mirror",
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": ["docs/security/source-control-primary-rollback-adr.snapshot.json"],
"human_docs": ["docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md"],
"notes": "可 mirror S4.4 GitHub primary rollback ADR 草案、7 個 in-scope repo rollback plans、validation windows 與仍禁止事項owner_approved_count=0、active_cutover_count=0。"
},
{
"contract": "source_control_workflow_secret_name_inventory_v1",
"readiness": "ready_for_mirror",

16
docs/security/security-mirror-route.snapshot.json
View File

@@ -9,10 +9,11 @@
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/security/security-mirror-intake-plan.snapshot.json",
"docs/security/security-mirror-event-sample.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json"
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json"
],
"summary": {
"total_contracts": 34,
"total_contracts": 35,
"route_group_count": 5,
"channel_event_policy": "初期只對階段完成、blocked 狀態或需要人工批准的高風險候選發低噪音事件LOW / MEDIUM observation 不發阻擋事件。",
"approval_queue_policy": "只有 approval-only、suggest-only 或 blocked-until-approved 項目可進 approval queueapproval queue 不代表可執行。"
@@ -48,7 +49,7 @@
"顯示 security_mirror_quarantine_v1 隔離 lane 與 retry gate",
"顯示 security_mirror_dry_run_v1 dry-run steps",
"顯示 security_mirror_status_rollup_v1 跨 Session 狀態與下一個 gate",
"顯示 S3 review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory contract 位置"
"顯示 S3 review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR 與 workflow / secret name inventory contract 位置"
],
"blocked_processing": [
"新增執行按鈕",
@@ -56,7 +57,7 @@
"runtime blocking",
"自動批准任何 queue item"
],
"exit_gate": "AwoooP 可顯示 34 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory gate且所有 route 都維持 runtime_execution_authorized=false。"
"exit_gate": "AwoooP 可顯示 35 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR 與 workflow / secret name inventory gate且所有 route 都維持 runtime_execution_authorized=false。"
},
{
"wave_id": "M1_kali_visibility",
@@ -106,6 +107,7 @@
"source_control_ref_detail_diff_v1",
"source_control_ref_truth_classification_v1",
"source_control_primary_readiness_gate_v1",
"source_control_primary_rollback_adr_v1",
"source_control_workflow_secret_name_inventory_v1",
"local_repo_canonical_probe_v1",
"git_remote_refs_probe_v1",
@@ -122,7 +124,7 @@
"allowed_processing": [
"顯示 repo / branch / tag 差異",
"顯示 owner、visibility、canonical 與 refs review lane",
"顯示 GitHub primary readiness blockers 與 rollback ADR 缺口",
"顯示 GitHub primary readiness blockers 與 rollback ADR 草案",
"顯示 workflow / webhook / runner / secret 名稱 inventory 缺口,不保存 secret value",
"顯示 Gitea inventory partial reason",
"顯示 GitHub primary cutover blocked reason"
@@ -148,6 +150,7 @@
"security_approval_state_transition_v1",
"security_followup_runtime_gate_v1",
"source_control_primary_readiness_gate_v1",
"source_control_primary_rollback_adr_v1",
"source_control_workflow_secret_name_inventory_v1",
"github_target_repo_approval_package_v1",
"source_control_approval_board_v1",
@@ -168,6 +171,7 @@
"顯示人工 decision next state且 approve_scope 仍需 follow-up runtime gate",
"顯示 follow-up runtime gate template且 active_runtime_gates=0",
"顯示 GitHub primary readiness gate且 primary_ready_count=0",
"顯示 GitHub primary rollback ADR 草案,且 owner_approved_count=0、active_cutover_count=0",
"顯示 workflow / secret 名稱 inventory gate且 inventory_complete_count=0",
"顯示 required reviewers",
"顯示 blocked_until_approved",
@@ -211,7 +215,7 @@
"acceptance_gates": [
{
"gate_id": "ROUTE_COVERS_ALL_CONTRACTS",
"requirement": "route_groups 合併後必須涵蓋 manifest 的 34 個 contracts。"
"requirement": "route_groups 合併後必須涵蓋 manifest 的 35 個 contracts。"
},
{
"gate_id": "NO_EXECUTION_SURFACE",

33
docs/security/security-mirror-status-rollup.snapshot.json
View File

@@ -20,14 +20,15 @@
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"total_contracts": 34,
"ready_for_mirror_count": 31,
"total_contracts": 35,
"ready_for_mirror_count": 32,
"partial_ready_count": 2,
"contract_only_count": 1,
"blocked_count": 0,
@@ -38,6 +39,10 @@
"active_runtime_gate_count": 0,
"primary_readiness_candidate_repo_count": 8,
"github_primary_ready_count": 0,
"primary_rollback_adr_repo_plan_count": 7,
"primary_rollback_adr_owner_approved_count": 0,
"primary_rollback_adr_dry_run_completed_count": 0,
"primary_rollback_execution_authorized": false,
"workflow_secret_inventory_candidate_repo_count": 8,
"workflow_secret_inventory_complete_count": 0,
"workflow_secret_inventory_local_evidence_repo_count": 4,
@@ -82,8 +87,8 @@
{
"phase_id": "S4_migration_execution",
"state": "not_started",
"current_result": "GitHub primary 是長期方向source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary readyS4.1 已定義 workflow / secret 名稱 inventory 契約S4.2 已補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的本機 evidenceS4.3 已補 7 個 repos、5 類 lanes 的 redacted export requestinventory_complete_count=0。",
"next_gate": "Gitea authenticated inventory、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR 與逐 repo 人工批准。"
"current_result": "GitHub primary 是長期方向source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary readyS4.1 已定義 workflow / secret 名稱 inventory 契約S4.2 已補 local evidenceS4.3 已補 redacted export requestS4.4 已補 7 個 in-scope repos 的 rollback ADR 草案owner_approved_count=0、dry_run_completed_count=0。",
"next_gate": "Gitea authenticated inventory、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR owner approval 與逐 repo 人工批准。"
}
],
"next_safe_actions": [
@@ -218,6 +223,23 @@
"停用或封存 Gitea repo"
]
},
{
"action_id": "review_github_primary_rollback_adr",
"title": "審查 GitHub primary rollback ADR 草案",
"mode": "approval_required",
"source_contract": "source_control_primary_rollback_adr_v1",
"allowed_processing": [
"顯示 7 個 in-scope repos 的 rollback ADR draft",
"顯示 owner_approved_count=0、dry_run_completed_count=0、active_cutover_count=0",
"顯示 rollback triggers、validation windows 與仍禁止事項"
],
"blocked_processing": [
"執行 rollback",
"切 GitHub primary",
"sync refs 或修改 webhook",
"停用 Gitea"
]
},
{
"action_id": "review_workflow_secret_name_inventory",
"title": "審查 workflow / secret 名稱 inventory 缺口",
@@ -263,7 +285,8 @@
"S4.0 只新增 GitHub primary readiness gategithub_primary_ready_count=0不新增 repo / refs / primary switch action。",
"S4.1 只新增 workflow / secret 名稱 inventory 契約workflow_secret_inventory_complete_count=0secret_value_collection_allowed=false不新增 workflow、secret、repo、refs 或 primary switch action。",
"S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidencelocal_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43secret_value_detected=false。",
"S4.3 只新增 redacted export request packageexport_request_count=7、export_lane_count=5、write_token_allowed=false不呼叫 API、不收 secret value、不修改 GitHub/Gitea 設定。"
"S4.3 只新增 redacted export request packageexport_request_count=7、export_lane_count=5、write_token_allowed=false不呼叫 API、不收 secret value、不修改 GitHub/Gitea 設定。",
"S4.4 只新增 GitHub primary rollback ADR 草案repo_rollback_plan_count=7、owner_approved_count=0、dry_run_completed_count=0、rollback_execution_authorized=false不切 primary、不執行 rollback。"
],
"forbidden_actions": [
"start_kali_scan",

27
docs/security/security-supply-chain-contract-manifest.snapshot.json
View File

@@ -2,7 +2,7 @@
"schema_version": "security_supply_chain_contract_manifest_v1",
"status": "draft",
"default_enforcement_level": "mirror_only",
"contract_count": 34,
"contract_count": 35,
"contracts": [
{
"contract": "security_rollout_policy_v1",
@@ -203,7 +203,7 @@
"switch_github_primary",
"store_secret_value"
],
"notes": "整理 34 個 Security Supply Chain contracts 的 mirror readiness供 AwoooP 安全消費。"
"notes": "整理 35 個 Security Supply Chain contracts 的 mirror readiness供 AwoooP 安全消費。"
},
{
"contract": "security_mirror_intake_plan_v1",
@@ -535,6 +535,29 @@
],
"notes": "定義 S4.0 GitHub primary readiness gate7 個 in-scope repos 仍 blockedprimary_ready_count=0。"
},
{
"contract": "source_control_primary_rollback_adr_v1",
"schema_path": "docs/schemas/source_control_primary_rollback_adr_v1.schema.json",
"snapshot_paths": ["docs/security/source-control-primary-rollback-adr.snapshot.json"],
"human_docs": ["docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md"],
"consumer": "AwoooP source-control review / Operator Console / Audit",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_rollback_adr_draft",
"display_rollback_owner_review",
"display_validation_windows",
"request_owner_rollback_approval"
],
"forbidden_actions": [
"execute_rollback",
"switch_github_primary",
"sync_refs",
"modify_webhook",
"disable_gitea",
"add_action_button"
],
"notes": "定義 S4.4 GitHub primary rollback ADR 草案7 個 in-scope repos 有 rollback draftowner_approved_count=0、dry_run_completed_count=0、active_cutover_count=0。"
},
{
"contract": "source_control_workflow_secret_name_inventory_v1",
"schema_path": "docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json",

11
docs/security/source-control-primary-readiness-gate.snapshot.json
View File

@@ -11,6 +11,7 @@
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json",
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
@@ -115,19 +116,19 @@
{
"gate_id": "ROLLBACK_ADR_REQUIRED",
"title": "GitHub primary ADR 與 rollback plan",
"status": "not_started",
"status": "pending_review",
"required_before_primary": [
"逐 repo GitHub primary ADR 完成",
"rollback plan 與 Gitea mirror/fallback 角色明確",
"切換前後監控與驗證 gate 已定義"
],
"current_gap": [
"目前只有長期方向,尚無逐 repo primary ADR",
"尚未定義 rollback ownership",
"不得切換 GitHub primary"
"S4.4 已建立 rollback ADR 草案,但尚無 owner-approved decision record",
"7 個 in-scope repos 的 rollback owner、validation window 與 trigger 仍需人工審查",
"dry_run_completed_count=0active_cutover_count=0不得切換 GitHub primary"
],
"allowed_now": [
"建立 ADR 草案",
"mirror rollback ADR 草案",
"列出 rollback evidence requirements",
"讓 AwoooP mirror blocked state"
],

469
docs/security/source-control-primary-rollback-adr.snapshot.json Normal file
View File

@@ -0,0 +1,469 @@
{
"schema_version": "source_control_primary_rollback_adr_v1",
"status": "draft_waiting_owner_review",
"date": "2026-05-13",
"mode": "rollback_adr_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"candidate_repo_count": 8,
"in_scope_repo_count": 7,
"external_scope_count": 1,
"repo_rollback_plan_count": 7,
"owner_approved_count": 0,
"dry_run_completed_count": 0,
"active_cutover_count": 0,
"rollback_execution_authorized": false,
"github_primary_switch_authorized": false,
"gitea_disable_authorized": false,
"action_buttons_allowed": false
},
"rollback_principles": [
"GitHub primary 是長期方向,但每個 repo 必須先有 owner-approved rollback plan 才能進入 cutover review。",
"Gitea 在 cutover 前後都必須保留為本地 mirror / fallback不得因 GitHub primary 準備而停用、刪除或封存。",
"Rollback ADR 只定義人工決策、驗證窗口與回退條件;不授權任何 refs sync、primary switch 或 webhook 修改。",
"任何回退都必須有新的 runtime gate、人工批准與 evidence snapshot不得由本 ADR 自動觸發。",
"初期只做 observe / approval_required不把缺 LOW / MEDIUM evidence 變成 production blocker。"
],
"cutover_preconditions": [
{
"gate_id": "gitea_authenticated_inventory_approved",
"title": "Gitea private/internal 全量 inventory 已完成",
"required_evidence": [
"Gitea authenticated inventory 或 redacted admin export status=ok",
"確認所有 private/internal repos 都在 migration matrix",
"只保存 token_present=true/false不保存 token value"
],
"current_status": "blocked",
"execution_authorized": false
},
{
"gate_id": "refs_truth_and_parity_approved",
"title": "refs truth / branch-tag parity 已由 owner 批准",
"required_evidence": [
"main/dev 真相來源已人工判定",
"release tags 保留 / 棄用決策完成",
"deprecated refs 已由 repo owner review"
],
"current_status": "waiting_owner_review",
"execution_authorized": false
},
{
"gate_id": "workflow_secret_export_accepted",
"title": "workflow / runner / webhook / secret name redacted export 已驗收",
"required_evidence": [
"S4.3 export request 對應的 webhook、runner、deploy key、branch protection 與 repository secret name parity evidence 已補齊",
"任何 secret value、token value、private key 或 webhook secret 都未被保存",
"GitHub hosted runner 額度風險與 self-hosted runner owner 已確認"
],
"current_status": "draft_only",
"execution_authorized": false
},
{
"gate_id": "owner_visibility_canonical_approved",
"title": "owner / visibility / canonical 已批准",
"required_evidence": [
"7 個 in-scope repos 都有 owner approval",
"not_found_or_private repo 已明確判定建立、取得權限或排除",
"ewoooc / momo-pro-system canonical 關係已定案"
],
"current_status": "waiting_owner_review",
"execution_authorized": false
},
{
"gate_id": "rollback_owner_and_monitoring_approved",
"title": "rollback owner、監控窗口與通知責任已批准",
"required_evidence": [
"每個 repo 都有 rollback owner 與值班窗口",
"cutover 後 1h / 24h 的驗證項目已明確",
"失敗時的人工停損與回退 decision record 格式已確認"
],
"current_status": "draft_only",
"execution_authorized": false
}
],
"repo_rollback_plans": [
{
"repo_key": "awoooi",
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"scope_status": "in_scope",
"risk": "HIGH",
"rollback_state": "draft_waiting_owner_review",
"primary_ready": false,
"fallback_role": "Gitea remains protected local fallback until owner-approved cutover and rollback drill are complete.",
"required_owner_decisions": [
"main/dev 真相來源",
"production deploy workflow canonical",
"webhook single-sender policy",
"rollback owner"
],
"rollback_evidence_required": [
"main SHA / tag parity evidence",
"deployment marker workflow evidence",
"runner owner / self-hosted evidence",
"repository secret name parity evidence",
"post-cutover health and deploy verification checklist"
],
"rollback_triggers": [
"production deploy workflow fails after primary switch",
"duplicate webhook causes duplicate deploy or duplicate notification",
"required runner label unavailable",
"secret name parity gap blocks deployment"
],
"manual_recovery_outline": [
"Freeze additional refs changes and record decision in approval audit.",
"Keep Gitea fallback intact and route deploy decision back to approved source after runtime gate approval.",
"Collect post-rollback evidence before re-entering primary readiness review."
],
"execution_authorized": false,
"still_forbidden": [
"switch_github_primary",
"disable_gitea",
"sync_refs",
"modify_workflow",
"move_secret_values"
]
},
{
"repo_key": "clawbot-v5",
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"scope_status": "in_scope",
"risk": "MEDIUM",
"rollback_state": "draft_waiting_owner_review",
"primary_ready": false,
"fallback_role": "Gitea remains fallback until tag retention and refs truth are approved.",
"required_owner_decisions": [
"main 真相來源",
"Gitea-only tag 保留或棄用",
"是否需要 workflow / secret inventory",
"rollback owner"
],
"rollback_evidence_required": [
"branch/tag parity evidence",
"owner-approved tag policy",
"repository secret name parity or no-secret attestation",
"post-cutover smoke check"
],
"rollback_triggers": [
"GitHub target misses owner-approved tag",
"automation expects a Gitea-only ref",
"repo owner rejects target canonical decision"
],
"manual_recovery_outline": [
"Pause primary review and keep Gitea as canonical fallback.",
"Ask owner to classify missing refs before any retry.",
"Require new approval record before resuming cutover preparation."
],
"execution_authorized": false,
"still_forbidden": [
"push_refs",
"delete_refs",
"switch_github_primary",
"delete_gitea_repo"
]
},
{
"repo_key": "wooo-aiops",
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"scope_status": "in_scope",
"risk": "MEDIUM",
"rollback_state": "draft_waiting_owner_review",
"primary_ready": false,
"fallback_role": "Gitea remains fallback until GitHub-only refs and workflow ownership are resolved.",
"required_owner_decisions": [
"GitHub-only branch / tag 來源",
"webhook owner",
"runner / workflow owner",
"rollback owner"
],
"rollback_evidence_required": [
"GitHub-only refs classification",
"webhook redacted export",
"runner owner evidence",
"repository secret name parity evidence"
],
"rollback_triggers": [
"GitHub-only refs are later classified as active source",
"webhook route changes produce duplicate events",
"workflow runner mismatch increases hosted runner usage unexpectedly"
],
"manual_recovery_outline": [
"Stop cutover review and preserve both remote states.",
"Route owner decision back through source-control approval board.",
"Re-run readiness gate only after redacted evidence is updated."
],
"execution_authorized": false,
"still_forbidden": [
"delete_github_only_refs",
"modify_webhook",
"switch_github_primary",
"force_push"
]
},
{
"repo_key": "wooo-infra-config",
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"scope_status": "in_scope",
"risk": "MEDIUM",
"rollback_state": "draft_waiting_owner_review",
"primary_ready": false,
"fallback_role": "Gitea and internal 110 remote roles stay unchanged until infra owner signs off.",
"required_owner_decisions": [
"110 internal remote purpose",
"deploy key owner",
"infra secret name owner",
"rollback owner"
],
"rollback_evidence_required": [
"internal remote purpose decision",
"deploy key redacted inventory",
"branch protection / required check export",
"infra secret name parity evidence"
],
"rollback_triggers": [
"internal remote is still an active source",
"deploy key ownership is ambiguous",
"required status checks are missing on GitHub target",
"infra secret parity gap blocks validation"
],
"manual_recovery_outline": [
"Keep current infra source untouched and do not delete remotes.",
"Escalate to infra owner for manual source-of-truth decision.",
"Resume only after a new redacted export snapshot is committed."
],
"execution_authorized": false,
"still_forbidden": [
"delete_remote",
"move_secret_values",
"export_private_key",
"switch_github_primary"
]
},
{
"repo_key": "ewoooc",
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"scope_status": "in_scope",
"risk": "HIGH",
"rollback_state": "draft_waiting_owner_review",
"primary_ready": false,
"fallback_role": "No primary decision until canonical repository and unrelated history risk are resolved.",
"required_owner_decisions": [
"GitHub target access or creation decision",
"ewoooc / momo-pro-system canonical decision",
"unrelated history handling",
"rollback owner"
],
"rollback_evidence_required": [
"canonical repo decision record",
"server-side refs diff",
"workflow / secret name redacted export",
"post-cutover web and deploy health checks"
],
"rollback_triggers": [
"target repo access remains unresolved",
"canonical decision conflicts with local lineage evidence",
"unrelated histories cannot be reconciled without data loss risk"
],
"manual_recovery_outline": [
"Keep all existing working trees untouched.",
"Do not create or merge GitHub target automatically.",
"Require canonical owner approval before any new cutover attempt."
],
"execution_authorized": false,
"still_forbidden": [
"auto_create_repo",
"auto_merge_unrelated_histories",
"delete_working_tree",
"switch_github_primary"
]
},
{
"repo_key": "bitan-pharmacy",
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"scope_status": "in_scope",
"risk": "MEDIUM",
"rollback_state": "draft_waiting_owner_review",
"primary_ready": false,
"fallback_role": "Current local / 110 source remains evidence source until active-state and GitHub target are approved.",
"required_owner_decisions": [
"repo active or archive decision",
"GitHub target decision",
"secret name / deploy owner decision",
"rollback owner"
],
"rollback_evidence_required": [
"GitHub target visibility decision",
"repository secret name parity or no-secret attestation",
"active-state owner decision",
"post-cutover smoke check if active"
],
"rollback_triggers": [
"repo is confirmed inactive or out of scope",
"GitHub target cannot be verified",
"owner cannot confirm deploy / secret requirements"
],
"manual_recovery_outline": [
"Keep repo out of primary cutover queue until owner decision exists.",
"Do not create GitHub target automatically.",
"If inactive, record owner decision rather than deleting source."
],
"execution_authorized": false,
"still_forbidden": [
"auto_create_repo",
"push_refs",
"delete_110_remote",
"switch_github_primary"
]
},
{
"repo_key": "tsenyang-website",
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"scope_status": "in_scope",
"risk": "MEDIUM",
"rollback_state": "draft_waiting_owner_review",
"primary_ready": false,
"fallback_role": "Current local / 110 source remains evidence source until active-state and GitHub target are approved.",
"required_owner_decisions": [
"repo active or archive decision",
"GitHub target decision",
"secret name / deploy owner decision",
"rollback owner"
],
"rollback_evidence_required": [
"GitHub target visibility decision",
"repository secret name parity or no-secret attestation",
"active-state owner decision",
"post-cutover smoke check if active"
],
"rollback_triggers": [
"repo is confirmed inactive or out of scope",
"GitHub target cannot be verified",
"owner cannot confirm deploy / secret requirements"
],
"manual_recovery_outline": [
"Keep repo out of primary cutover queue until owner decision exists.",
"Do not create GitHub target automatically.",
"If inactive, record owner decision rather than deleting source."
],
"execution_authorized": false,
"still_forbidden": [
"auto_create_repo",
"push_refs",
"delete_110_remote",
"switch_github_primary"
]
},
{
"repo_key": "open-design",
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"scope_status": "external_scope_review",
"risk": "LOW",
"rollback_state": "scope_review_only",
"primary_ready": false,
"fallback_role": "Not in AWOOOI primary cutover scope until ownership is confirmed.",
"required_owner_decisions": [
"scope ownership decision"
],
"rollback_evidence_required": [
"scope review evidence"
],
"rollback_triggers": [
"repo is later confirmed in scope and needs a separate ADR"
],
"manual_recovery_outline": [
"Keep out of primary queue.",
"Create a separate in-scope approval item if ownership changes."
],
"execution_authorized": false,
"still_forbidden": [
"加入 primary cutover queue",
"修改 repo visibility",
"sync refs"
]
}
],
"rollback_triggers": [
"main/dev SHA 或 tag parity 與 owner-approved truth 不一致",
"workflow、webhook、runner、deploy key、branch protection 或 repository secret name parity evidence 不完整",
"GitHub hosted runner 使用量或 billing risk 超出 owner-approved 範圍",
"deploy marker、release workflow 或 required status check 在 cutover 後失敗",
"duplicate webhook 造成重複部署、重複通知或 approval queue 重複事件",
"owner / visibility / canonical decision 被撤回或出現衝突",
"post-cutover 1h 或 24h validation window 未通過"
],
"validation_windows": [
{
"window_id": "pre_cutover_freeze_review",
"title": "切換前 freeze review",
"required_checks": [
"確認 refs truth、workflow / secret export、owner / visibility / canonical、rollback owner 全部已批准",
"確認沒有 unresolved HIGH risk blocker",
"確認 Gitea fallback 保持可用"
],
"failure_handling": "任何缺口都只回到 approval review不執行 cutover。",
"execution_authorized": false
},
{
"window_id": "post_cutover_one_hour_observe",
"title": "切換後 1 小時觀察窗口",
"required_checks": [
"deploy workflow / required checks 成功",
"webhook 沒有重複事件",
"runner 使用符合 owner-approved self-hosted / hosted policy",
"核心服務健康與告警量未異常升高"
],
"failure_handling": "只建立 rollback approval candidate不得自動切回或自動改 webhook。",
"execution_authorized": false
},
{
"window_id": "post_cutover_twenty_four_hour_review",
"title": "切換後 24 小時 review",
"required_checks": [
"refs、deploy、webhook、runner、secret name parity 沒有新增 drift",
"AwoooP audit evidence 完整",
"repo owner 確認可維持 GitHub primary 或要求 rollback review"
],
"failure_handling": "若未通過,保留 Gitea fallback 並等待人工 rollback decision record。",
"execution_authorized": false
}
],
"acceptance_rules": [
"本 ADR 草案完成不代表任何 repo 可切 GitHub primary。",
"每個 in-scope repo 必須有 owner-approved rollback plan、pre-cutover evidence、post-cutover validation window 與 rollback owner。",
"任何 rollback 或 primary switch 都必須另有 runtime gate 與人工批准,不得由本 snapshot 自動觸發。",
"Gitea fallback 不得在 24h review 完成前停用、刪除、封存或降級。",
"任何 secret、token、cookie、private key、webhook secret 或 runner token 都不得保存。"
],
"forbidden_actions": [
"switch_github_primary",
"execute_rollback",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"delete_git_refs",
"force_push",
"modify_webhook",
"modify_workflow",
"modify_branch_protection",
"move_secret_values",
"disable_gitea",
"delete_or_archive_gitea_repo",
"add_action_button"
]
}