From 82d98c6b456ff4883f159600b0910142dcd3e0c0 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 13 May 2026 20:15:00 +0800 Subject: [PATCH] docs(security): add primary rollback ADR gate [skip ci] --- docs/LOGBOOK.md | 31 ++ ...curity_mirror_status_rollup_v1.schema.json | 20 + ...ontrol_primary_rollback_adr_v1.schema.json | 225 +++++++++ ...WOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md | 5 +- ...ECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md | 31 +- docs/security/SECURITY-MIRROR-ACCEPTANCE.md | 2 +- docs/security/SECURITY-MIRROR-INTAKE-PLAN.md | 9 +- docs/security/SECURITY-MIRROR-READINESS.md | 9 +- docs/security/SECURITY-MIRROR-ROUTE.md | 8 +- .../security/SECURITY-MIRROR-STATUS-ROLLUP.md | 10 +- ...SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md | 5 +- .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 15 +- .../SOURCE-CONTROL-PRIMARY-READINESS-GATE.md | 8 +- .../SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md | 98 ++++ .../security-mirror-acceptance.snapshot.json | 8 +- .../security-mirror-dry-run.snapshot.json | 8 +- ...security-mirror-event-sample.snapshot.json | 5 +- .../security-mirror-intake-plan.snapshot.json | 7 +- .../security-mirror-quarantine.snapshot.json | 2 +- .../security-mirror-readiness.snapshot.json | 14 +- .../security-mirror-route.snapshot.json | 16 +- ...ecurity-mirror-status-rollup.snapshot.json | 33 +- ...pply-chain-contract-manifest.snapshot.json | 27 +- ...ntrol-primary-readiness-gate.snapshot.json | 11 +- ...control-primary-rollback-adr.snapshot.json | 469 ++++++++++++++++++ 25 files changed, 1008 insertions(+), 68 deletions(-) create mode 100644 docs/schemas/source_control_primary_rollback_adr_v1.schema.json create mode 100644 docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md create mode 100644 docs/security/source-control-primary-rollback-adr.snapshot.json diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 322d4884..6d505625 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,34 @@ +## 2026-05-13 | 資安供應鏈 S4.4:GitHub Primary Rollback ADR 草案 + +**背景**:S4.0 已把 GitHub primary readiness gate 定義出來,S4.1-S4.3 已補 workflow / secret 名稱 inventory 與 redacted export request,但 GitHub primary cutover 前仍缺 rollback ADR。為了維持低摩擦,本輪只建立 rollback ADR 草案與鏡像契約,不切 GitHub primary、不執行 rollback、不修改 GitHub/Gitea。 + +**完成**: +- 新增 `docs/schemas/source_control_primary_rollback_adr_v1.schema.json`。 +- 新增 `docs/security/source-control-primary-rollback-adr.snapshot.json` 與 `docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md`。 +- 定義 7 個 in-scope repo rollback draft、1 個 external scope review。 +- 定義 cutover preconditions、rollback triggers、pre-cutover / 1h / 24h validation windows 與逐 repo manual recovery outline。 +- 明確標示 `owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`、`rollback_execution_authorized=false`、`github_primary_switch_authorized=false`、`gitea_disable_authorized=false`。 +- 更新 `source_control_primary_readiness_gate_v1`、manifest、mirror readiness、route、acceptance、intake、dry-run、event sample、quarantine、status rollup、AwoooP checklist、handoff 與 progress,使 AwoooP 能顯示 S4.4 rollback ADR 草案而不新增 execution action。 + +**仍未完成**: +- repo owner 對 7 個 in-scope rollback drafts 的人工批准。 +- GitHub primary cutover dry-run。 +- Gitea authenticated inventory、refs truth / parity、workflow / secret redacted evidence 的完整驗收。 +- 任何實際 primary switch 或 rollback runtime gate。 + +**仍禁止**: +- 不切 GitHub primary。 +- 不執行 rollback。 +- 不建立 GitHub repo、不修改 visibility、不 sync refs、不 delete refs、不 force push。 +- 不修改 webhook、workflow、branch protection、runner、deploy key 或 secret。 +- 不停用、刪除、封存或降級 Gitea repo。 + +**驗證**: +- JSON 全量 parse 通過:81 個 JSON files。 +- S4.4 assertion 通過:35 個 contracts、route coverage 完整、7 個 rollback drafts、0 owner approved、0 dry-run completed、primary still blocked。 +- `git diff --check` 通過。 +- 敏感字串掃描確認本輪未保存 Kali SSH 密碼、常見 token pattern、private key material,也未出現 rollback / primary switch / Gitea disable 授權被打開。 + ## 2026-05-13 | 資安供應鏈 S4.3:Workflow / Secret 名稱 Redacted Export Request **背景**:S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence,但 webhook、runner owner、deploy key、branch protection / required checks、repository secret name parity 還不能靠本機 working tree 完成。為了維持低摩擦,本輪只建立 redacted export request package,不呼叫 GitHub/Gitea API、不使用 token、不修改任何 repo 設定。 diff --git a/docs/schemas/security_mirror_status_rollup_v1.schema.json b/docs/schemas/security_mirror_status_rollup_v1.schema.json index 962354e8..ef56dcf7 100644 --- a/docs/schemas/security_mirror_status_rollup_v1.schema.json +++ b/docs/schemas/security_mirror_status_rollup_v1.schema.json @@ -68,6 +68,10 @@ "active_runtime_gate_count", "primary_readiness_candidate_repo_count", "github_primary_ready_count", + "primary_rollback_adr_repo_plan_count", + "primary_rollback_adr_owner_approved_count", + "primary_rollback_adr_dry_run_completed_count", + "primary_rollback_execution_authorized", "workflow_secret_inventory_candidate_repo_count", "workflow_secret_inventory_complete_count", "workflow_secret_inventory_local_evidence_repo_count", @@ -133,6 +137,22 @@ "type": "integer", "minimum": 0 }, + "primary_rollback_adr_repo_plan_count": { + "type": "integer", + "minimum": 0 + }, + "primary_rollback_adr_owner_approved_count": { + "type": "integer", + "minimum": 0 + }, + "primary_rollback_adr_dry_run_completed_count": { + "type": "integer", + "minimum": 0 + }, + "primary_rollback_execution_authorized": { + "type": "boolean", + "const": false + }, "workflow_secret_inventory_candidate_repo_count": { "type": "integer", "minimum": 0 diff --git a/docs/schemas/source_control_primary_rollback_adr_v1.schema.json b/docs/schemas/source_control_primary_rollback_adr_v1.schema.json new file mode 100644 index 00000000..cfa956f2 --- /dev/null +++ b/docs/schemas/source_control_primary_rollback_adr_v1.schema.json @@ -0,0 +1,225 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "urn:awoooi:source-control-primary-rollback-adr-v1", + "title": "Source Control Primary Rollback ADR v1", + "description": "定義 GitHub primary cutover 前必備的 rollback ADR 草案、回退觸發條件、逐 repo owner review 與仍然禁止事項。此契約不授權 primary switch、refs sync 或 repo 修改。", + "type": "object", + "required": [ + "schema_version", + "status", + "date", + "mode", + "runtime_execution_authorized", + "source_indexes", + "summary", + "rollback_principles", + "cutover_preconditions", + "repo_rollback_plans", + "rollback_triggers", + "validation_windows", + "acceptance_rules", + "forbidden_actions" + ], + "properties": { + "schema_version": { + "const": "source_control_primary_rollback_adr_v1" + }, + "status": { + "type": "string", + "enum": ["draft_waiting_owner_review"] + }, + "date": { + "type": "string" + }, + "mode": { + "type": "string", + "enum": ["rollback_adr_only"] + }, + "runtime_execution_authorized": { + "type": "boolean", + "const": false + }, + "source_indexes": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "summary": { + "type": "object", + "required": [ + "candidate_repo_count", + "in_scope_repo_count", + "external_scope_count", + "repo_rollback_plan_count", + "owner_approved_count", + "dry_run_completed_count", + "active_cutover_count", + "rollback_execution_authorized", + "github_primary_switch_authorized", + "gitea_disable_authorized", + "action_buttons_allowed" + ], + "properties": { + "candidate_repo_count": {"type": "integer", "minimum": 0}, + "in_scope_repo_count": {"type": "integer", "minimum": 0}, + "external_scope_count": {"type": "integer", "minimum": 0}, + "repo_rollback_plan_count": {"type": "integer", "minimum": 0}, + "owner_approved_count": {"type": "integer", "minimum": 0}, + "dry_run_completed_count": {"type": "integer", "minimum": 0}, + "active_cutover_count": {"type": "integer", "minimum": 0}, + "rollback_execution_authorized": {"type": "boolean", "const": false}, + "github_primary_switch_authorized": {"type": "boolean", "const": false}, + "gitea_disable_authorized": {"type": "boolean", "const": false}, + "action_buttons_allowed": {"type": "boolean", "const": false} + }, + "additionalProperties": false + }, + "rollback_principles": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "cutover_preconditions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "gate_id", + "title", + "required_evidence", + "current_status", + "execution_authorized" + ], + "properties": { + "gate_id": {"type": "string"}, + "title": {"type": "string"}, + "required_evidence": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "current_status": { + "type": "string", + "enum": ["missing", "draft_only", "waiting_owner_review", "blocked"] + }, + "execution_authorized": {"type": "boolean", "const": false} + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "repo_rollback_plans": { + "type": "array", + "items": { + "type": "object", + "required": [ + "repo_key", + "github_repo", + "source_key", + "scope_status", + "risk", + "rollback_state", + "primary_ready", + "fallback_role", + "required_owner_decisions", + "rollback_evidence_required", + "rollback_triggers", + "manual_recovery_outline", + "execution_authorized", + "still_forbidden" + ], + "properties": { + "repo_key": {"type": "string"}, + "github_repo": {"type": "string"}, + "source_key": {"type": "string"}, + "scope_status": { + "type": "string", + "enum": ["in_scope", "external_scope_review"] + }, + "risk": { + "type": "string", + "enum": ["LOW", "MEDIUM", "HIGH"] + }, + "rollback_state": { + "type": "string", + "enum": [ + "draft_waiting_owner_review", + "scope_review_only" + ] + }, + "primary_ready": {"type": "boolean", "const": false}, + "fallback_role": {"type": "string"}, + "required_owner_decisions": { + "type": "array", + "items": {"type": "string"} + }, + "rollback_evidence_required": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "rollback_triggers": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "manual_recovery_outline": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "execution_authorized": {"type": "boolean", "const": false}, + "still_forbidden": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + } + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "rollback_triggers": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "validation_windows": { + "type": "array", + "items": { + "type": "object", + "required": [ + "window_id", + "title", + "required_checks", + "failure_handling", + "execution_authorized" + ], + "properties": { + "window_id": {"type": "string"}, + "title": {"type": "string"}, + "required_checks": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "failure_handling": {"type": "string"}, + "execution_authorized": {"type": "boolean", "const": false} + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "acceptance_rules": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "forbidden_actions": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + } + }, + "additionalProperties": false +} diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md index 667a1c5d..77eb10b7 100644 --- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md +++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md @@ -54,6 +54,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff,不 fetch、不 push、不刪 refs | | `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類與人工判定隊列,不執行 sync/delete | | `source_control_primary_readiness_gate_v1` | GitHub primary readiness / parity gate | Source-control review、Operator Console、Audit | approval-only | 只顯示 primary blockers、parity gates、rollback ADR 缺口;目前 `primary_ready_count=0` | +| `source_control_primary_rollback_adr_v1` | GitHub primary rollback ADR 草案與 validation window | Source-control review、Operator Console、Audit | approval-only | 只顯示 7 個 repo 的 rollback draft、owner review、validation window;不得執行 rollback 或切 primary | | `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口、S4.2 local evidence 與 S4.3 redacted export request;目前 `inventory_complete_count=0`,不得保存 secret value | | `local_repo_canonical_probe_v1` | 本機 working tree lineage 比對 | Canonical decision evidence | mirror-only | 不自動合併、不自動建 repo、不刪除 | | `git_remote_refs_probe_v1` | 指定 repo remote refs read-only probe | Source readiness evidence | mirror-only | 不 fetch、不 push、不自動 mirror | @@ -100,8 +101,9 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `security_approval_state_transition_v1.mode=approval_state_transition_only` | `observe` | 顯示 5 個 decision options 的 next state;不得把 transition 當 execution authorization | | `security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only` | `observe` | 顯示 8 個後續 runtime gate 準備模板、0 個 active runtime gates;不得新增 action button | | `source_control_primary_readiness_gate_v1.status=draft_blocked` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;不得切 primary | +| `source_control_primary_rollback_adr_v1.status=draft_waiting_owner_review` | `approve_required` | 顯示 7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed;不得執行 rollback 或切 primary | | `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、S4.2 local evidence 4 repos / 31 workflows / 43 referenced secret names、S4.3 export request 7 repos / 5 lanes、0 個 complete;不得收集 secret value、不得修改 workflow | -| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 34 個 contracts 的 readiness;不得把 readiness 當 execution authorization | +| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 35 個 contracts 的 readiness;不得把 readiness 當 execution authorization | | `security_mirror_intake_plan_v1.status=draft` | `observe` | 顯示 5 個 intake waves 與 4 個 acceptance gates;不得執行 wave | | `security_mirror_event_v1.execution_authorized=false` | `observe` | 只包裝鏡像 payload,明確不授權執行、不顯示執行按鈕 | | `security_mirror_route_v1.status=draft` | `observe` | 顯示 5 個 route groups、channel policy 與 review lane;不得轉成 execution router | @@ -170,6 +172,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | Source Control branch/tag detail diff | `docs/security/source-control-ref-detail-diff.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md` | | Source Control ref truth classification | `docs/security/source-control-ref-truth-classification.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` | | Source Control GitHub primary readiness gate | `docs/security/source-control-primary-readiness-gate.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` | +| Source Control GitHub primary rollback ADR | `docs/security/source-control-primary-rollback-adr.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md` | | Source Control workflow / secret name inventory | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` | | Source Control workflow / secret name local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` | | Source Control workflow / secret name export request | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` | diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index c988f969..c50c65f9 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md @@ -73,7 +73,7 @@ ```text Kali / Code Review / GitHub / Gitea / Codex -> security_supply_chain_contract_manifest_v1 - -> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / security_approval_state_transition_v1 / security_followup_runtime_gate_v1 / source_control_primary_readiness_gate_v1 / source_control_workflow_secret_name_inventory_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1 + -> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / security_approval_state_transition_v1 / security_followup_runtime_gate_v1 / source_control_primary_readiness_gate_v1 / source_control_primary_rollback_adr_v1 / source_control_workflow_secret_name_inventory_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1 -> AWOOOI ingestion / asset_inventory / AIOps KPI / AOL -> mirror 到 AwoooP Runtime State / Channel Event / Audit -> AwoooP Policy / Approval / Exception / Operator Console @@ -207,6 +207,18 @@ Snapshot:`docs/security/source-control-primary-readiness-gate.snapshot.json` AwoooP 初期處理方式:只顯示 blockers、evidence refs 與 required review,不建立 GitHub repo、不修改 visibility、不 sync refs、不切 primary、不停用 Gitea。 +### `source_control_primary_rollback_adr_v1` + +用途:定義 S4.4 GitHub primary rollback ADR 草案,讓 AwoooP 在任何 primary cutover 前能顯示 rollback owner、validation window、rollback triggers 與逐 repo owner review。 + +Schema:`docs/schemas/source_control_primary_rollback_adr_v1.schema.json` + +Snapshot:`docs/security/source-control-primary-rollback-adr.snapshot.json` + +目前 rollback ADR:7 個 in-scope repo rollback drafts、1 個 external scope review、0 個 owner approved、0 個 dry-run completed、0 個 active cutover。所有 rollback / primary switch / refs sync 動作都必須維持 disabled。 + +AwoooP 初期處理方式:只顯示 rollback ADR 草案、owner review、validation window 與仍然禁止事項,不執行 rollback、不切 GitHub primary、不停用 Gitea。 + ### `source_control_workflow_secret_name_inventory_v1` 用途:定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate,補上 GitHub primary 前不能缺的 CI/CD 與 secret hygiene evidence。 @@ -231,7 +243,7 @@ Schema:`docs/schemas/security_mirror_readiness_v1.schema.json` Snapshot:`docs/security/security-mirror-readiness.snapshot.json` -目前 readiness:34 個 contracts,31 個 ready for mirror,2 個 partial ready,1 個 contract-only,0 個 blocked。所有 contract 都是 `execution_allowed=false`。 +目前 readiness:35 個 contracts,32 個 ready for mirror,2 個 partial ready,1 個 contract-only,0 個 blocked。所有 contract 都是 `execution_allowed=false`。 AwoooP 初期處理方式:先 mirror readiness index,再依 readiness 分批 mirror 其他 snapshots;不得把 readiness 當 execution authorization。 @@ -267,7 +279,7 @@ Schema:`docs/schemas/security_mirror_route_v1.schema.json` Snapshot:`docs/security/security-mirror-route.snapshot.json` -目前 route:5 個 route groups,涵蓋 34 個 contracts;所有 route 都是 `runtime_execution_authorized=false`。 +目前 route:5 個 route groups,涵蓋 35 個 contracts;所有 route 都是 `runtime_execution_authorized=false`。 AwoooP 初期處理方式:只依 route group 顯示 Operator Console / Runtime State / Channel Event / Audit / Approval Queue,不把 route 轉成 execution router。 @@ -315,7 +327,7 @@ Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json` Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json` -目前 rollup:`framework_ready_waiting_approval`;34 個 contracts、31 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆;primary ready 0 筆;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 +目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆;primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。 @@ -351,7 +363,7 @@ Schema:`docs/schemas/security_supply_chain_contract_manifest_v1.schema.json` "schema_version": "security_supply_chain_contract_manifest_v1", "status": "draft", "default_enforcement_level": "mirror_only", - "contract_count": 34 + "contract_count": 35 } ``` @@ -769,7 +781,7 @@ Console 初期不提供高風險執行按鈕。 2026-05-12 contract manifest 追加:已新增 `docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`、`docs/security/security-supply-chain-contract-manifest.snapshot.json` 與 `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md`。AwoooP 應先讀 manifest 作為 mirror-only contract registry,不把 manifest 當 execution router。 -2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json`、`docs/security/security-mirror-route.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 34 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queue;route 只決定目的地、channel policy 與 review lane,不是 execution router。 +2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json`、`docs/security/security-mirror-route.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 35 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queue;route 只決定目的地、channel policy 與 review lane,不是 execution router。 2026-05-13 mirror acceptance 追加:已新增 `docs/schemas/security_mirror_acceptance_v1.schema.json`、`docs/security/security-mirror-acceptance.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ACCEPTANCE.md`。AwoooP 可用 7 個 acceptance checks 驗收 mirror ingestion;blocking checks 只針對 contract count mismatch、缺 event envelope、route coverage 不完整或未脫敏 evidence,不得阻擋 runtime 流程。 @@ -777,7 +789,7 @@ Console 初期不提供高風險執行按鈕。 2026-05-13 mirror dry-run 追加:已新增 `docs/schemas/security_mirror_dry_run_v1.schema.json`、`docs/security/security-mirror-dry-run.snapshot.json` 與 `docs/security/SECURITY-MIRROR-DRY-RUN.md`。AwoooP 未來可用 6 個 dry-run steps 回報接入演練結果;本 snapshot 狀態為 `contract_defined_not_executed`,不得視為 production ingestion 已啟用。 -2026-05-13 mirror status rollup 追加:已新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json`、`docs/security/security-mirror-status-rollup.snapshot.json` 與 `docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`。AwoooP 與 Security Supply Chain Session 可用同一份 rollup 同步 S0-S4、34 個 contracts、approval queue summary、review packet summary、state transition summary、follow-up runtime gate template summary、GitHub primary readiness summary、workflow / secret name inventory summary 與下一個安全 gate;本契約不授權任何 runtime action。 +2026-05-13 mirror status rollup 追加:已新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json`、`docs/security/security-mirror-status-rollup.snapshot.json` 與 `docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`。AwoooP 與 Security Supply Chain Session 可用同一份 rollup 同步 S0-S4、35 個 contracts、approval queue summary、review packet summary、state transition summary、follow-up runtime gate template summary、GitHub primary readiness summary、rollback ADR summary、workflow / secret name inventory summary 與下一個安全 gate;本契約不授權任何 runtime action。 2026-05-13 S3 approval gate 追加:已新增 `docs/schemas/security_approval_gate_v1.schema.json`、`docs/security/security-approval-gate.snapshot.json` 與 `docs/security/SECURITY-APPROVAL-GATE.md`。AwoooP 可用 8 個 gate items 記錄人工批准、拒絕、延後或補 evidence;批准後仍需 follow-up runtime gate,不得直接執行。 @@ -797,6 +809,8 @@ Console 初期不提供高風險執行按鈕。 2026-05-13 S4.3 workflow / secret name redacted export request 追加:已新增 `docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json`、`docs/security/source-control-workflow-secret-name-export-request.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md`。本輪只定義 7 個 in-scope repos、5 類 export lanes 的 owner / read-only export 欄位與拒收規則:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;`write_token_allowed=false`、`secret_value_collection_allowed=false`,不得呼叫 API 或修改 GitHub/Gitea。 +2026-05-13 S4.4 GitHub primary rollback ADR 追加:已新增 `docs/schemas/source_control_primary_rollback_adr_v1.schema.json`、`docs/security/source-control-primary-rollback-adr.snapshot.json` 與 `docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md`。本輪只定義 7 個 in-scope repos 的 rollback ADR 草案、precondition、trigger、validation window 與 owner review;`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`,不得切 GitHub primary、不得執行 rollback、不得停用 Gitea。 + 2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json`、`docs/security/kali-integration-status.snapshot.json` 與 `docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up;已 targeted update `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence,但不得直接啟動 scan、credentialed scan 或 `/execute`。 本波仍不做: @@ -855,6 +869,8 @@ Console 初期不提供高風險執行按鈕。 - [security_approval_decision_record_v1 snapshot](/Users/ogt/awoooi/docs/security/security-approval-decision-record.snapshot.json) - [Source Control ref truth classification](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md) - [source_control_ref_truth_classification_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-ref-truth-classification.snapshot.json) +- [Source Control GitHub primary rollback ADR](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md) +- [source_control_primary_rollback_adr_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-primary-rollback-adr.snapshot.json) - [Source Control workflow / secret name inventory](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md) - [source_control_workflow_secret_name_inventory_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-inventory.snapshot.json) - [Source Control workflow / secret name local evidence](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md) @@ -892,6 +908,7 @@ Console 初期不提供高風險執行按鈕。 - [security_approval_gate_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_gate_v1.schema.json) - [security_approval_decision_record_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_decision_record_v1.schema.json) - [source_control_ref_truth_classification_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_classification_v1.schema.json) +- [source_control_primary_rollback_adr_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_primary_rollback_adr_v1.schema.json) - [source_control_workflow_secret_name_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json) - [source_control_workflow_secret_name_local_evidence_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json) - [source_control_workflow_secret_name_export_request_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json) diff --git a/docs/security/SECURITY-MIRROR-ACCEPTANCE.md b/docs/security/SECURITY-MIRROR-ACCEPTANCE.md index d3a36615..ecb90859 100644 --- a/docs/security/SECURITY-MIRROR-ACCEPTANCE.md +++ b/docs/security/SECURITY-MIRROR-ACCEPTANCE.md @@ -27,7 +27,7 @@ | Check | 目的 | 失敗時是否阻擋鏡像 | |-------|------|--------------------| -| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 34 個 contracts | 是 | +| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 35 個 contracts | 是 | | `EVENT_ENVELOPE_REQUIRED` | 確認每筆 payload 都不可執行、不可顯示執行按鈕 | 是 | | `ROUTE_GROUP_COVERAGE` | 確認 5 個 route groups 覆蓋所有 contracts | 是 | | `REDACTION_ONLY` | 確認不保存 raw sensitive value | 是 | diff --git a/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md b/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md index 5083728d..75f57c64 100644 --- a/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md +++ b/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md @@ -19,10 +19,10 @@ | Wave | 目的 | 主要 contracts | Exit gate | |------|------|----------------|-----------| -| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣、驗收契約、隔離契約、dry-run 報告格式、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory gate | readiness / manifest / rollout policy / mirror event / mirror route / acceptance / quarantine / dry-run / status rollup / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / workflow-secret inventory | 顯示 34 個 contract 且 `execution_allowed=false` | +| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣、驗收契約、隔離契約、dry-run 報告格式、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR 與 workflow / secret name inventory gate | readiness / manifest / rollout policy / mirror event / mirror route / acceptance / quarantine / dry-run / status rollup / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / rollback ADR / workflow-secret inventory | 顯示 35 個 contract 且 `execution_allowed=false` | | `M1_kali_visibility` | 顯示 Kali 112、scan scope、approval queue | Kali status / scan scope / approval queue / finding sample | 顯示 5 個 scope groups 與 8 個 queue items,沒有執行按鈕 | -| `M2_source_control_visibility` | 顯示 Gitea/GitHub source-control evidence、GitHub primary readiness blockers 與 workflow / secret 名稱 inventory 缺口 | migration / inventory / refs / approval board / primary readiness gate / workflow-secret inventory | 顯示 blocking reasons,repo/refs/primary/workflow/secret actions 全 disabled | -| `M3_approval_candidates` | 顯示 approval candidates、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、workflow / secret 名稱 inventory gate 與人工決策留痕 | approval events / approval queue / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / workflow-secret inventory / source-control board | 可留痕,不可自動批准或執行 | +| `M2_source_control_visibility` | 顯示 Gitea/GitHub source-control evidence、GitHub primary readiness blockers、rollback ADR 草案與 workflow / secret 名稱 inventory 缺口 | migration / inventory / refs / approval board / primary readiness gate / rollback ADR / workflow-secret inventory | 顯示 blocking reasons,repo/refs/primary/workflow/secret actions 全 disabled | +| `M3_approval_candidates` | 顯示 approval candidates、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR、workflow / secret 名稱 inventory gate 與人工決策留痕 | approval events / approval queue / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / rollback ADR / workflow-secret inventory / source-control board | 可留痕,不可自動批准或執行 | | `M4_patch_only_backlog` | 顯示 Codex patch-only backlog lane | coding task | 只顯示 lane,不接 Codex runner action | ## 2. AwoooP 可做 @@ -42,7 +42,8 @@ 13. 使用 `security_approval_state_transition_v1` 顯示人工決策後的 next state,但不自動執行後續動作。 14. 使用 `security_followup_runtime_gate_v1` 顯示未來 runtime gate 的準備模板,但不啟用 runtime gate。 15. 使用 `source_control_primary_readiness_gate_v1` 顯示 GitHub primary parity、owner、rollback 與人工批准缺口,但不切 primary。 -16. 使用 `source_control_workflow_secret_name_inventory_v1` 顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,但不保存 secret value、不修改 workflow。 +16. 使用 `source_control_primary_rollback_adr_v1` 顯示 rollback ADR 草案、validation window 與 owner review;不執行 rollback。 +17. 使用 `source_control_workflow_secret_name_inventory_v1` 顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,但不保存 secret value、不修改 workflow。 ## 3. AwoooP 不可做 diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md index 0181897f..d7963ee9 100644 --- a/docs/security/SECURITY-MIRROR-READINESS.md +++ b/docs/security/SECURITY-MIRROR-READINESS.md @@ -23,7 +23,7 @@ | 狀態 | 數量 | 說明 | |------|------|------| -| `ready_for_mirror` | 31 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence | +| `ready_for_mirror` | 32 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence | | `partial_ready` | 2 | 可 mirror,但 evidence 仍不完整 | | `contract_only` | 1 | 有 schema / handoff,尚無正式 snapshot | | `blocked` | 0 | 目前沒有禁止 mirror 的 contract | @@ -81,8 +81,9 @@ AwoooP 可以將 ready / partial contracts mirror 到: 13. 再 mirror `security_approval_state_transition_v1`,只顯示決策後 next state 與 follow-up runtime gate。 14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement。 15. 再 mirror `source_control_primary_readiness_gate_v1`,只顯示 GitHub primary parity、owner、rollback 與人工批准缺口。 -16. 再 mirror `source_control_workflow_secret_name_inventory_v1`、S4.2 local evidence 與 S4.3 redacted export request,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names,export request 有 7 個 repos、5 類 lanes,不保存 secret value。 -17. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 -18. 最後再 mirror source-control 其他 contracts。 +16. 再 mirror `source_control_primary_rollback_adr_v1`,只顯示 7 個 in-scope repo 的 rollback ADR 草案、validation window 與 owner review;不執行 rollback、不切 primary。 +17. 再 mirror `source_control_workflow_secret_name_inventory_v1`、S4.2 local evidence 與 S4.3 redacted export request,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names,export request 有 7 個 repos、5 類 lanes,不保存 secret value。 +18. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 +19. 最後再 mirror source-control 其他 contracts。 整個 S2 不新增 execution router、不新增執行按鈕、不新增 runtime blocker。 diff --git a/docs/security/SECURITY-MIRROR-ROUTE.md b/docs/security/SECURITY-MIRROR-ROUTE.md index 19c9ba6a..e23b0f45 100644 --- a/docs/security/SECURITY-MIRROR-ROUTE.md +++ b/docs/security/SECURITY-MIRROR-ROUTE.md @@ -25,10 +25,10 @@ | Route group | 目的 | 初期 channel policy | review lane | |-------------|------|---------------------|-------------| -| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance、quarantine、dry-run、status rollup、S3 review packet、state transition、follow-up runtime gate、GitHub primary readiness gate 與 workflow / secret name inventory 位置 | `no_channel_event` | `observe` | +| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance、quarantine、dry-run、status rollup、S3 review packet、state transition、follow-up runtime gate、GitHub primary readiness gate、rollback ADR 與 workflow / secret name inventory 位置 | `no_channel_event` | `observe` | | `M1_kali_visibility` | 顯示 Kali 112、111 / 168 scope、approval queue 與 finding sample | `approval_required_only` | `approval_required` | -| `M2_source_control_visibility` | 顯示 Gitea / GitHub repo、branch、tag、canonical 差異、GitHub primary readiness blockers 與 workflow / secret 名稱 inventory 缺口 | `low_noise_status` | `source_control_review` | -| `M3_approval_candidates` | 顯示人工批准候選、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、workflow / secret 名稱 inventory gate 與留痕 | `approval_required_only` | `approval_required` | +| `M2_source_control_visibility` | 顯示 Gitea / GitHub repo、branch、tag、canonical 差異、GitHub primary readiness blockers、rollback ADR 草案與 workflow / secret 名稱 inventory 缺口 | `low_noise_status` | `source_control_review` | +| `M3_approval_candidates` | 顯示人工批准候選、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR、workflow / secret 名稱 inventory gate 與留痕 | `approval_required_only` | `approval_required` | | `M4_patch_only_backlog` | 顯示 Code Review 後的 Codex patch-only backlog lane | `no_channel_event` | `patch_only` | ## 2. AwoooP 可做 @@ -52,7 +52,7 @@ S2.7 後,AwoooP 主線只需要能讀到: -1. 34 個 contracts。 +1. 35 個 contracts。 2. 5 個 route groups。 3. 所有 route group 都是 `runtime_execution_authorized=false`。 4. Channel Event 初期低噪音。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index bd821474..a8d99846 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -19,8 +19,8 @@ | 類型 | 狀態 | |------|------| -| Contract manifest | 34 個 contracts | -| Mirror readiness | 31 ready、2 partial、1 contract-only、0 blocked | +| Contract manifest | 35 個 contracts | +| Mirror readiness | 32 ready、2 partial、1 contract-only、0 blocked | | Approval queue | 8 items:7 pending approval、1 block candidate | | Approval gate | S3.0 已建立;0 approved、7 pending、1 block candidate | | Decision records | S3.1 已建立;目前 0 筆決策紀錄 | @@ -28,6 +28,7 @@ | State transitions | S3.3 已建立;5 個 decision options 都有 next state,且都不授權執行 | | Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates | | GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | +| GitHub primary rollback ADR | S4.4 已建立;7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover | | Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;0 個 inventory complete、禁止收集 secret value、禁止 write token | | Dry-run | `contract_defined_not_executed` | | Runtime actions | `false` | @@ -53,7 +54,7 @@ 下一步仍不是 runtime enforcement。 -建議先讓 AwoooP 主線只讀消費本 rollup、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `source_control_workflow_secret_name_inventory_v1`,並由人工依序 review: +建議先讓 AwoooP 主線只讀消費本 rollup、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,並由人工依序 review: 1. redacted finding ingestion adapter。 2. safe web crawl scope。 @@ -61,6 +62,7 @@ 4. GitHub target / owner / visibility / canonical。 5. Kali `/execute` 維持 block candidate。 6. GitHub primary readiness blockers 與 rollback ADR 缺口。 -7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence,再依 S4.3 redacted export request 補 webhook / runner / deploy key / branch protection / repository secret parity;只保存名稱與 owner,不保存 value,不使用 write token。 +7. S4.4 GitHub primary rollback ADR 草案:先顯示 7 個 repo 的 rollback owner、validation window 與 triggers,owner approval 前不可執行。 +8. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence,再依 S4.3 redacted export request 補 webhook / runner / deploy key / branch protection / repository secret parity;只保存名稱與 owner,不保存 value,不使用 write token。 任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence,不得由本 rollup 自動觸發。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md index 42321089..ac81eac3 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md @@ -11,7 +11,7 @@ ## 0. 核心結論 -目前 Security Supply Chain 已有 34 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口,避免不同 Session 各自解讀。 +目前 Security Supply Chain 已有 35 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口,避免不同 Session 各自解讀。 初期預設仍是 `mirror_only`。Manifest 不授權 runtime enforcement、不授權 GitHub/Gitea 主控切換、不授權 repo 建立或 refs sync。 @@ -49,6 +49,7 @@ | `source_control_ref_detail_diff_v1` | mirror-only | refs-blocked repo 的 branch/tag 明細 diff | `source-control-ref-detail-diff.snapshot.json` | | `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類 | `source-control-ref-truth-classification.snapshot.json` | | `source_control_primary_readiness_gate_v1` | approval-only | GitHub primary readiness / parity gate | `source-control-primary-readiness-gate.snapshot.json` | +| `source_control_primary_rollback_adr_v1` | approval-only | GitHub primary rollback ADR 草案與 validation window | `source-control-primary-rollback-adr.snapshot.json` | | `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.2 已補 local evidence,S4.3 已補 redacted export request | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` / `source-control-workflow-secret-name-export-request.snapshot.json` | | `local_repo_canonical_probe_v1` | mirror-only | momo/ewoooc lineage evidence | `local-repo-canonical-ewoooc-momo.snapshot.json` | | `git_remote_refs_probe_v1` | mirror-only | 110 / GitHub remote refs readiness | `bitan-tsenyang`、`wooo-infra-config` | @@ -59,7 +60,7 @@ 1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`。 2. 再讀本 manifest,取得可消費 contract 與禁止動作。 3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。 -4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / workflow-secret name inventory gate / redacted export request display。 +4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display。 5. 不新增執行按鈕,不做 runtime enforcement。 ## 3. 永久禁止 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 76b568d3..c7ce03b4 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -4,7 +4,7 @@ |------|------| | 日期 | 2026-05-13 | | 狀態 | S0/S1 read-only evidence 建置中 | -| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 | +| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 @@ -20,11 +20,11 @@ | S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff;已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs | | S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 | | S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 | -| S1.4 契約索引 | 完成草案 | 34 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry | +| S1.4 契約索引 | 完成草案 | 35 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry | | S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate | | S1.6 Kali finding / scan scope approval | 完成草案 | `security_finding_v1` sample snapshot 與 `kali_scan_scope_approval_v1` approval package 已建立;111/168 已納入 observe-only scope | 人工批准 safe crawl / credentialed scan / runtime ingestion / full-upgrade gate | | S1.7 Security approval queue | 完成草案 | 8 個 approval queue items 已集中:7 pending approval、1 block candidate;AwoooP 可 mirror 但不得執行 | 先 review redacted finding ingestion,再 review safe crawl / Gitea inventory | -| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 34 個 contracts:31 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 | +| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 35 個 contracts:32 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 | | S2.1 AwoooP mirror-only intake plan | 完成草案 | `security_mirror_intake_plan_v1` 已建立 5 個 intake waves 與 4 個 acceptance gates | AwoooP 主線照 wave mirror,不新增 execution router | | S2.2 AwoooP 鏡像事件信封 | 完成草案 | `security_mirror_event_v1` 已建立,要求每筆鏡像 payload 標示 `execution_authorized=false` 與 `action_buttons_allowed=false` | AwoooP 鏡像 payload 統一信封 | | S2.3 AwoooP 鏡像路由矩陣 | 完成草案 | `security_mirror_route_v1` 已建立 5 個 route groups,定義目的地、channel policy 與 review lane | AwoooP 消費時不猜路由、不新增執行入口 | @@ -42,7 +42,8 @@ | S4.1 Workflow / Secret 名稱 inventory 契約 | 完成草案 | `source_control_workflow_secret_name_inventory_v1` 已建立;8 個 candidate repos、7 個 in-scope repos 尚缺實際 inventory、0 個 complete、禁止收集 secret value | AwoooP 可顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱缺口,不可修改 workflow 或 secret | | S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot;7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence;仍不可切 primary | | S4.3 Workflow / Secret 名稱 redacted export request | 完成草案 | 已建立 export request schema / snapshot / 人讀版;7 個 in-scope repos、5 類 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;write token allowed=false | repo owner 或未來只讀 API 依 request 補 redacted export;仍不可收 secret value、不可修改 GitHub/Gitea | -| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR | +| S4.4 GitHub Primary rollback ADR | 完成草案 | 已建立 rollback ADR schema / snapshot / 人讀版;7 個 in-scope rollback drafts、0 owner approved、0 dry-run completed、0 active cutover | repo owner 審查 rollback owner、validation window 與 triggers;仍不可切 primary 或執行 rollback | +| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證,rollback ADR 仍待 owner approval | SHA/tag/workflow parity、rollback ADR owner approval 與 runtime gate | ## 1. 已建立的主要 evidence @@ -72,6 +73,8 @@ | Source Control ref truth classification JSON | `docs/security/source-control-ref-truth-classification.snapshot.json` | | Source Control GitHub primary readiness gate | `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` | | Source Control GitHub primary readiness gate JSON | `docs/security/source-control-primary-readiness-gate.snapshot.json` | +| Source Control GitHub primary rollback ADR | `docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md` | +| Source Control GitHub primary rollback ADR JSON | `docs/security/source-control-primary-rollback-adr.snapshot.json` | | Source Control workflow / secret name inventory | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` | | Source Control workflow / secret name inventory JSON | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` | | Source Control workflow / secret name local evidence | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` | @@ -142,6 +145,6 @@ 3. 依 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。 4. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。 5. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。 -6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 workflow / secret inventory 需同時顯示 S4.3 redacted export request。 +6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 workflow / secret inventory 需同時顯示 S4.3 redacted export request,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 -8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 +8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 diff --git a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md index b859192e..98e74e75 100644 --- a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md +++ b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md @@ -6,6 +6,7 @@ | 狀態 | 草案,blocked by default | | Schema | `docs/schemas/source_control_primary_readiness_gate_v1.schema.json` | | Snapshot | `docs/security/source-control-primary-readiness-gate.snapshot.json` | +| Rollback ADR | `docs/security/source-control-primary-rollback-adr.snapshot.json` | | 模式 | `primary_readiness_gate_only` | | runtime 執行授權 | `false` | @@ -36,7 +37,7 @@ | refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift | | workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot | | owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策 | -| rollback ADR | not started | 尚未有逐 repo GitHub primary ADR 與 rollback plan | +| rollback ADR | pending review | S4.4 已建立 rollback ADR 草案;7 個 in-scope repos 仍需 owner approval、dry-run 與 validation window | ## 3. AwoooP 可做 @@ -45,7 +46,8 @@ 3. 將 7 個 in-scope repos 維持在 approval / review lane。 4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、refs truth、workflow/runner/secret name inventory、rollback ADR。 5. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。 -6. 把狀態寫入 Audit evidence 與 Operator Console。 +6. 連到 `source_control_primary_rollback_adr_v1` 顯示 7 個 in-scope repos 的 rollback owner、trigger 與 validation window 草案。 +7. 把狀態寫入 Audit evidence 與 Operator Console。 ## 4. AwoooP 不可做 @@ -61,4 +63,6 @@ S4.0 只是把「切換前一定要看見什麼」先定義清楚。 +S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 + 這讓長期回到 GitHub 的方向可以繼續往前,但仍維持低摩擦:目前只 mirror、只顯示、只留痕,不執行。 diff --git a/docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md b/docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md new file mode 100644 index 00000000..55a87688 --- /dev/null +++ b/docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md @@ -0,0 +1,98 @@ +# GitHub Primary Rollback ADR 草案 + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-05-13 | +| 狀態 | 草案,等待 owner review | +| Schema | `docs/schemas/source_control_primary_rollback_adr_v1.schema.json` | +| Snapshot | `docs/security/source-control-primary-rollback-adr.snapshot.json` | +| 模式 | `rollback_adr_only` | +| runtime 執行授權 | `false` | + +## 0. 核心結論 + +S4.4 補上 GitHub primary cutover 前必備的 rollback ADR 草案。 + +這不是 cutover plan,也不是 rollback 執行計畫。它只定義:每個 repo 在未來要切 GitHub primary 前,必須先有什麼 evidence、誰是 rollback owner、哪些狀況要停下來、以及切換後 1 小時 / 24 小時要看什麼。 + +目前 `owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`,所以 `primary_ready_count` 仍必須維持 0。 + +## 1. 摘要 + +| 指標 | 數量 | +|------|------| +| Candidate repos | 8 | +| In-scope repos | 7 | +| External scope review | 1 | +| Repo rollback plan drafts | 7 | +| Owner approved | 0 | +| Dry-run completed | 0 | +| Active cutover | 0 | +| Rollback execution authorized | `false` | +| GitHub primary switch authorized | `false` | +| Gitea disable authorized | `false` | + +## 2. Rollback 原則 + +1. GitHub primary 是長期方向,但每個 repo 必須先有 owner-approved rollback plan 才能進入 cutover review。 +2. Gitea 在 cutover 前後都必須保留為本地 mirror / fallback,不得因 GitHub primary 準備而停用、刪除或封存。 +3. Rollback ADR 只定義人工決策、驗證窗口與回退條件;不授權任何 refs sync、primary switch 或 webhook 修改。 +4. 任何回退都必須有新的 runtime gate、人工批准與 evidence snapshot,不得由本 ADR 自動觸發。 +5. 初期只做 observe / approval_required,不把缺 LOW / MEDIUM evidence 變成 production blocker。 + +## 3. 切換前必要 Gate + +| Gate | 目前狀態 | 必要 evidence | +|------|----------|---------------| +| Gitea authenticated inventory | blocked | private/internal 全量 repo list、redacted admin export 或 read-only token evidence | +| refs truth / parity | waiting owner review | main/dev、release tags、deprecated refs 的 owner 判定 | +| workflow / secret export | draft only | webhook、runner、deploy key、branch protection、repository secret name parity redacted evidence | +| owner / visibility / canonical | waiting owner review | 7 個 in-scope repo 的 owner / target / canonical 決策 | +| rollback owner / monitoring | draft only | 每個 repo 的 rollback owner、1h / 24h 驗證窗口與 decision record 格式 | + +## 4. Repo Rollback Draft + +| Repo | Risk | Rollback state | 主要缺口 | +|------|------|----------------|----------| +| `owenhytsai/awoooi` | HIGH | waiting owner review | refs parity、deploy workflow、webhook single-sender、runner owner、secret name parity | +| `owenhytsai/clawbot-v5` | MEDIUM | waiting owner review | tag policy、workflow / secret need attestation、rollback owner | +| `owenhytsai/wooo-aiops` | MEDIUM | waiting owner review | GitHub-only refs、webhook owner、runner owner | +| `owenhytsai/wooo-infra-config` | MEDIUM | waiting owner review | 110 internal remote、deploy key、infra secret name parity | +| `owenhytsai/ewoooc` | HIGH | waiting owner review | target access、canonical repo、unrelated history risk | +| `owenhytsai/bitan-pharmacy` | MEDIUM | waiting owner review | active status、GitHub target、secret / deploy owner | +| `owenhytsai/tsenyang-website` | MEDIUM | waiting owner review | active status、GitHub target、secret / deploy owner | +| `nexu-io/open-design` | LOW | scope review only | 不進 AWOOOI primary cutover queue | + +## 5. Rollback 觸發條件 + +1. main/dev SHA 或 tag parity 與 owner-approved truth 不一致。 +2. workflow、webhook、runner、deploy key、branch protection 或 repository secret name parity evidence 不完整。 +3. GitHub hosted runner 使用量或 billing risk 超出 owner-approved 範圍。 +4. deploy marker、release workflow 或 required status check 在 cutover 後失敗。 +5. duplicate webhook 造成重複部署、重複通知或 approval queue 重複事件。 +6. owner / visibility / canonical decision 被撤回或出現衝突。 +7. post-cutover 1h 或 24h validation window 未通過。 + +## 6. AwoooP 可做 + +1. 顯示 7 個 in-scope repo 的 rollback ADR draft。 +2. 顯示 owner-approved count、dry-run completed count、active cutover count 都是 0。 +3. 將 rollback owner、precondition、validation window 與 trigger 顯示在 Operator Console。 +4. 把 rollback ADR 缺口寫入 Audit evidence。 +5. 若未來 owner 提交決策,另寫入 `security_approval_decision_record_v1`。 + +## 7. AwoooP 不可做 + +1. 不把 ADR 草案當成 cutover approval。 +2. 不切 GitHub primary。 +3. 不執行 rollback。 +4. 不 sync refs、不 delete refs、不 force push。 +5. 不修改 webhook、workflow、branch protection 或 secret。 +6. 不停用、刪除、封存或降級 Gitea repo。 +7. 不新增 repo、refs、primary switch、rollback 類 action button。 + +## 8. 階段定位 + +S4.0 定義 primary readiness gate,S4.1 到 S4.3 補 workflow / secret inventory 與 export request,S4.4 補 rollback ADR 草案。 + +這讓「長期改回 GitHub primary」有更完整的安全出口,但仍然停在框架期:先讓 AwoooP 看見風險與 owner review,不啟動任何切換、不執行任何回退。 diff --git a/docs/security/security-mirror-acceptance.snapshot.json b/docs/security/security-mirror-acceptance.snapshot.json index ffb38dab..a81b4f6c 100644 --- a/docs/security/security-mirror-acceptance.snapshot.json +++ b/docs/security/security-mirror-acceptance.snapshot.json @@ -11,8 +11,8 @@ "docs/security/security-mirror-route.snapshot.json" ], "summary": { - "total_contracts": 34, - "ready_for_mirror_count": 31, + "total_contracts": 35, + "ready_for_mirror_count": 32, "route_group_count": 5, "acceptance_check_count": 7, "blocking_check_count": 4 @@ -21,7 +21,7 @@ { "check_id": "CONTRACT_COUNT_MATCH", "title": "契約數量一致", - "expected_result": "AwoooP 讀到 34 個 contracts,且 manifest、readiness、route coverage 的 contract 集合一致。", + "expected_result": "AwoooP 讀到 35 個 contracts,且 manifest、readiness、route coverage 的 contract 集合一致。", "evidence_refs": [ "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-mirror-readiness.snapshot.json", @@ -60,7 +60,7 @@ { "check_id": "ROUTE_GROUP_COVERAGE", "title": "路由群組覆蓋", - "expected_result": "5 個 route groups 合併後涵蓋 manifest 34 個 contracts,且每個 group 都有 destinations、channel_policy 與 review_lane。", + "expected_result": "5 個 route groups 合併後涵蓋 manifest 35 個 contracts,且每個 group 都有 destinations、channel_policy 與 review_lane。", "evidence_refs": [ "docs/security/security-mirror-route.snapshot.json", "docs/security/SECURITY-MIRROR-ROUTE.md" diff --git a/docs/security/security-mirror-dry-run.snapshot.json b/docs/security/security-mirror-dry-run.snapshot.json index 1cd9dca4..30d94599 100644 --- a/docs/security/security-mirror-dry-run.snapshot.json +++ b/docs/security/security-mirror-dry-run.snapshot.json @@ -14,8 +14,8 @@ "docs/security/security-mirror-quarantine.snapshot.json" ], "summary": { - "total_contracts": 34, - "ready_for_mirror_count": 31, + "total_contracts": 35, + "ready_for_mirror_count": 32, "route_group_count": 5, "acceptance_check_count": 7, "quarantine_lane_count": 5, @@ -30,7 +30,7 @@ "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-mirror-readiness.snapshot.json" ], - "pass_condition": "看到 34 個 contracts、31 個 ready for mirror,且所有 contract execution_allowed=false。", + "pass_condition": "看到 35 個 contracts、32 個 ready for mirror,且所有 contract execution_allowed=false。", "execution_allowed": false, "blocked_actions": [ "execute_contract", @@ -60,7 +60,7 @@ "docs/security/security-mirror-route.snapshot.json", "docs/security/SECURITY-MIRROR-ROUTE.md" ], - "pass_condition": "route groups 合併後涵蓋 34 個 contracts,沒有未知 execution route。", + "pass_condition": "route groups 合併後涵蓋 35 個 contracts,沒有未知 execution route。", "execution_allowed": false, "blocked_actions": [ "fallback_to_execution_route", diff --git a/docs/security/security-mirror-event-sample.snapshot.json b/docs/security/security-mirror-event-sample.snapshot.json index ceba954c..02960be3 100644 --- a/docs/security/security-mirror-event-sample.snapshot.json +++ b/docs/security/security-mirror-event-sample.snapshot.json @@ -16,8 +16,8 @@ "risk": "LOW", "summary": "AwoooP 可 mirror Security Supply Chain readiness index,但不得把 readiness 視為執行授權。", "payload_summary": { - "total_contracts": 34, - "ready_for_mirror_count": 31, + "total_contracts": 35, + "ready_for_mirror_count": 32, "partial_ready_count": 2, "contract_only_count": 1, "blocked_count": 0, @@ -38,6 +38,7 @@ "docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md", "docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md", "docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md", + "docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md", "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md" ], "blocked_actions": [ diff --git a/docs/security/security-mirror-intake-plan.snapshot.json b/docs/security/security-mirror-intake-plan.snapshot.json index 9c9bc839..557d0fb5 100644 --- a/docs/security/security-mirror-intake-plan.snapshot.json +++ b/docs/security/security-mirror-intake-plan.snapshot.json @@ -20,6 +20,7 @@ "docs/security/security-approval-state-transition.snapshot.json", "docs/security/security-followup-runtime-gate.snapshot.json", "docs/security/source-control-primary-readiness-gate.snapshot.json", + "docs/security/source-control-primary-rollback-adr.snapshot.json", "docs/security/source-control-workflow-secret-name-inventory.snapshot.json" ], "intake_waves": [ @@ -58,7 +59,7 @@ "execution_router", "blocking_gate" ], - "exit_gate": "Operator Console 能顯示 34 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory gate,且 mirror event envelope action_buttons_allowed=false。" + "exit_gate": "Operator Console 能顯示 35 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR 與 workflow / secret name inventory gate,且 mirror event envelope action_buttons_allowed=false。" }, { "wave_id": "M1_kali_visibility", @@ -105,6 +106,7 @@ "source_control_ref_detail_diff_v1", "source_control_ref_truth_classification_v1", "source_control_primary_readiness_gate_v1", + "source_control_primary_rollback_adr_v1", "source_control_workflow_secret_name_inventory_v1", "local_repo_canonical_probe_v1", "git_remote_refs_probe_v1" @@ -119,7 +121,7 @@ "mirror repo/branch/tag 差異", "顯示 pending owner / visibility / canonical decision", "顯示 refs truth review lane", - "顯示 GitHub primary readiness blockers、parity gates 與 rollback ADR 缺口", + "顯示 GitHub primary readiness blockers、parity gates 與 rollback ADR 草案", "顯示 workflow / webhook / runner / secret 名稱 inventory 缺口,不保存 secret value", "顯示 Gitea inventory partial reason" ], @@ -144,6 +146,7 @@ "security_approval_state_transition_v1", "security_followup_runtime_gate_v1", "source_control_primary_readiness_gate_v1", + "source_control_primary_rollback_adr_v1", "source_control_workflow_secret_name_inventory_v1", "github_target_repo_approval_package_v1", "source_control_approval_board_v1", diff --git a/docs/security/security-mirror-quarantine.snapshot.json b/docs/security/security-mirror-quarantine.snapshot.json index 684928a5..d0e4bbbf 100644 --- a/docs/security/security-mirror-quarantine.snapshot.json +++ b/docs/security/security-mirror-quarantine.snapshot.json @@ -11,7 +11,7 @@ "docs/security/security-supply-chain-contract-manifest.snapshot.json" ], "summary": { - "total_contracts": 34, + "total_contracts": 35, "quarantine_lane_count": 5, "auto_retry_allowed": false, "runtime_blocking_allowed": false diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json index efd737a5..dc1b7c52 100644 --- a/docs/security/security-mirror-readiness.snapshot.json +++ b/docs/security/security-mirror-readiness.snapshot.json @@ -5,8 +5,8 @@ "default_enforcement_level": "mirror_only", "runtime_execution_authorized": false, "summary": { - "total_contracts": 34, - "ready_for_mirror_count": 31, + "total_contracts": 35, + "ready_for_mirror_count": 32, "partial_ready_count": 2, "contract_only_count": 1, "blocked_count": 0 @@ -327,6 +327,16 @@ "human_docs": ["docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"], "notes": "可 mirror GitHub primary readiness blockers、parity gates 與 rollback ADR 缺口;目前 primary_ready_count=0。" }, + { + "contract": "source_control_primary_rollback_adr_v1", + "readiness": "ready_for_mirror", + "consumption_mode": "approval_only", + "mirror_allowed": true, + "execution_allowed": false, + "snapshot_paths": ["docs/security/source-control-primary-rollback-adr.snapshot.json"], + "human_docs": ["docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md"], + "notes": "可 mirror S4.4 GitHub primary rollback ADR 草案、7 個 in-scope repo rollback plans、validation windows 與仍禁止事項;owner_approved_count=0、active_cutover_count=0。" + }, { "contract": "source_control_workflow_secret_name_inventory_v1", "readiness": "ready_for_mirror", diff --git a/docs/security/security-mirror-route.snapshot.json b/docs/security/security-mirror-route.snapshot.json index 1c9c1e60..07f710ce 100644 --- a/docs/security/security-mirror-route.snapshot.json +++ b/docs/security/security-mirror-route.snapshot.json @@ -9,10 +9,11 @@ "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-mirror-intake-plan.snapshot.json", "docs/security/security-mirror-event-sample.snapshot.json", - "docs/security/source-control-workflow-secret-name-inventory.snapshot.json" + "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", + "docs/security/source-control-primary-rollback-adr.snapshot.json" ], "summary": { - "total_contracts": 34, + "total_contracts": 35, "route_group_count": 5, "channel_event_policy": "初期只對階段完成、blocked 狀態或需要人工批准的高風險候選發低噪音事件;LOW / MEDIUM observation 不發阻擋事件。", "approval_queue_policy": "只有 approval-only、suggest-only 或 blocked-until-approved 項目可進 approval queue;approval queue 不代表可執行。" @@ -48,7 +49,7 @@ "顯示 security_mirror_quarantine_v1 隔離 lane 與 retry gate", "顯示 security_mirror_dry_run_v1 dry-run steps", "顯示 security_mirror_status_rollup_v1 跨 Session 狀態與下一個 gate", - "顯示 S3 review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory contract 位置" + "顯示 S3 review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR 與 workflow / secret name inventory contract 位置" ], "blocked_processing": [ "新增執行按鈕", @@ -56,7 +57,7 @@ "runtime blocking", "自動批准任何 queue item" ], - "exit_gate": "AwoooP 可顯示 34 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory gate,且所有 route 都維持 runtime_execution_authorized=false。" + "exit_gate": "AwoooP 可顯示 35 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、rollback ADR 與 workflow / secret name inventory gate,且所有 route 都維持 runtime_execution_authorized=false。" }, { "wave_id": "M1_kali_visibility", @@ -106,6 +107,7 @@ "source_control_ref_detail_diff_v1", "source_control_ref_truth_classification_v1", "source_control_primary_readiness_gate_v1", + "source_control_primary_rollback_adr_v1", "source_control_workflow_secret_name_inventory_v1", "local_repo_canonical_probe_v1", "git_remote_refs_probe_v1", @@ -122,7 +124,7 @@ "allowed_processing": [ "顯示 repo / branch / tag 差異", "顯示 owner、visibility、canonical 與 refs review lane", - "顯示 GitHub primary readiness blockers 與 rollback ADR 缺口", + "顯示 GitHub primary readiness blockers 與 rollback ADR 草案", "顯示 workflow / webhook / runner / secret 名稱 inventory 缺口,不保存 secret value", "顯示 Gitea inventory partial reason", "顯示 GitHub primary cutover blocked reason" @@ -148,6 +150,7 @@ "security_approval_state_transition_v1", "security_followup_runtime_gate_v1", "source_control_primary_readiness_gate_v1", + "source_control_primary_rollback_adr_v1", "source_control_workflow_secret_name_inventory_v1", "github_target_repo_approval_package_v1", "source_control_approval_board_v1", @@ -168,6 +171,7 @@ "顯示人工 decision next state,且 approve_scope 仍需 follow-up runtime gate", "顯示 follow-up runtime gate template,且 active_runtime_gates=0", "顯示 GitHub primary readiness gate,且 primary_ready_count=0", + "顯示 GitHub primary rollback ADR 草案,且 owner_approved_count=0、active_cutover_count=0", "顯示 workflow / secret 名稱 inventory gate,且 inventory_complete_count=0", "顯示 required reviewers", "顯示 blocked_until_approved", @@ -211,7 +215,7 @@ "acceptance_gates": [ { "gate_id": "ROUTE_COVERS_ALL_CONTRACTS", - "requirement": "route_groups 合併後必須涵蓋 manifest 的 34 個 contracts。" + "requirement": "route_groups 合併後必須涵蓋 manifest 的 35 個 contracts。" }, { "gate_id": "NO_EXECUTION_SURFACE", diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index 83f63880..b683fd94 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -20,14 +20,15 @@ "docs/security/security-approval-state-transition.snapshot.json", "docs/security/security-followup-runtime-gate.snapshot.json", "docs/security/source-control-primary-readiness-gate.snapshot.json", + "docs/security/source-control-primary-rollback-adr.snapshot.json", "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json", "docs/security/source-control-workflow-secret-name-export-request.snapshot.json", "docs/security/security-rollout-policy.snapshot.json" ], "summary": { - "total_contracts": 34, - "ready_for_mirror_count": 31, + "total_contracts": 35, + "ready_for_mirror_count": 32, "partial_ready_count": 2, "contract_only_count": 1, "blocked_count": 0, @@ -38,6 +39,10 @@ "active_runtime_gate_count": 0, "primary_readiness_candidate_repo_count": 8, "github_primary_ready_count": 0, + "primary_rollback_adr_repo_plan_count": 7, + "primary_rollback_adr_owner_approved_count": 0, + "primary_rollback_adr_dry_run_completed_count": 0, + "primary_rollback_execution_authorized": false, "workflow_secret_inventory_candidate_repo_count": 8, "workflow_secret_inventory_complete_count": 0, "workflow_secret_inventory_local_evidence_repo_count": 4, @@ -82,8 +87,8 @@ { "phase_id": "S4_migration_execution", "state": "not_started", - "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的本機 evidence;S4.3 已補 7 個 repos、5 類 lanes 的 redacted export request,inventory_complete_count=0。", - "next_gate": "Gitea authenticated inventory、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR 與逐 repo 人工批准。" + "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 7 個 in-scope repos 的 rollback ADR 草案,owner_approved_count=0、dry_run_completed_count=0。", + "next_gate": "Gitea authenticated inventory、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR owner approval 與逐 repo 人工批准。" } ], "next_safe_actions": [ @@ -218,6 +223,23 @@ "停用或封存 Gitea repo" ] }, + { + "action_id": "review_github_primary_rollback_adr", + "title": "審查 GitHub primary rollback ADR 草案", + "mode": "approval_required", + "source_contract": "source_control_primary_rollback_adr_v1", + "allowed_processing": [ + "顯示 7 個 in-scope repos 的 rollback ADR draft", + "顯示 owner_approved_count=0、dry_run_completed_count=0、active_cutover_count=0", + "顯示 rollback triggers、validation windows 與仍禁止事項" + ], + "blocked_processing": [ + "執行 rollback", + "切 GitHub primary", + "sync refs 或修改 webhook", + "停用 Gitea" + ] + }, { "action_id": "review_workflow_secret_name_inventory", "title": "審查 workflow / secret 名稱 inventory 缺口", @@ -263,7 +285,8 @@ "S4.0 只新增 GitHub primary readiness gate;github_primary_ready_count=0,不新增 repo / refs / primary switch action。", "S4.1 只新增 workflow / secret 名稱 inventory 契約;workflow_secret_inventory_complete_count=0,secret_value_collection_allowed=false,不新增 workflow、secret、repo、refs 或 primary switch action。", "S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidence;local_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43,secret_value_detected=false。", - "S4.3 只新增 redacted export request package;export_request_count=7、export_lane_count=5、write_token_allowed=false,不呼叫 API、不收 secret value、不修改 GitHub/Gitea 設定。" + "S4.3 只新增 redacted export request package;export_request_count=7、export_lane_count=5、write_token_allowed=false,不呼叫 API、不收 secret value、不修改 GitHub/Gitea 設定。", + "S4.4 只新增 GitHub primary rollback ADR 草案;repo_rollback_plan_count=7、owner_approved_count=0、dry_run_completed_count=0、rollback_execution_authorized=false,不切 primary、不執行 rollback。" ], "forbidden_actions": [ "start_kali_scan", diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json index 117aea87..2234a582 100644 --- a/docs/security/security-supply-chain-contract-manifest.snapshot.json +++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json @@ -2,7 +2,7 @@ "schema_version": "security_supply_chain_contract_manifest_v1", "status": "draft", "default_enforcement_level": "mirror_only", - "contract_count": 34, + "contract_count": 35, "contracts": [ { "contract": "security_rollout_policy_v1", @@ -203,7 +203,7 @@ "switch_github_primary", "store_secret_value" ], - "notes": "整理 34 個 Security Supply Chain contracts 的 mirror readiness,供 AwoooP 安全消費。" + "notes": "整理 35 個 Security Supply Chain contracts 的 mirror readiness,供 AwoooP 安全消費。" }, { "contract": "security_mirror_intake_plan_v1", @@ -535,6 +535,29 @@ ], "notes": "定義 S4.0 GitHub primary readiness gate;7 個 in-scope repos 仍 blocked,primary_ready_count=0。" }, + { + "contract": "source_control_primary_rollback_adr_v1", + "schema_path": "docs/schemas/source_control_primary_rollback_adr_v1.schema.json", + "snapshot_paths": ["docs/security/source-control-primary-rollback-adr.snapshot.json"], + "human_docs": ["docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md"], + "consumer": "AwoooP source-control review / Operator Console / Audit", + "consumption_mode": "approval_only", + "allowed_actions": [ + "mirror_rollback_adr_draft", + "display_rollback_owner_review", + "display_validation_windows", + "request_owner_rollback_approval" + ], + "forbidden_actions": [ + "execute_rollback", + "switch_github_primary", + "sync_refs", + "modify_webhook", + "disable_gitea", + "add_action_button" + ], + "notes": "定義 S4.4 GitHub primary rollback ADR 草案;7 個 in-scope repos 有 rollback draft,owner_approved_count=0、dry_run_completed_count=0、active_cutover_count=0。" + }, { "contract": "source_control_workflow_secret_name_inventory_v1", "schema_path": "docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json", diff --git a/docs/security/source-control-primary-readiness-gate.snapshot.json b/docs/security/source-control-primary-readiness-gate.snapshot.json index 272e0edd..0e9ba087 100644 --- a/docs/security/source-control-primary-readiness-gate.snapshot.json +++ b/docs/security/source-control-primary-readiness-gate.snapshot.json @@ -11,6 +11,7 @@ "docs/security/source-control-ref-detail-diff.snapshot.json", "docs/security/source-control-ref-truth-classification.snapshot.json", "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", + "docs/security/source-control-primary-rollback-adr.snapshot.json", "docs/security/gitea-repo-inventory.snapshot.json", "docs/security/gitea-org-repo-inventory-blocked.snapshot.json", "docs/security/security-followup-runtime-gate.snapshot.json" @@ -115,19 +116,19 @@ { "gate_id": "ROLLBACK_ADR_REQUIRED", "title": "GitHub primary ADR 與 rollback plan", - "status": "not_started", + "status": "pending_review", "required_before_primary": [ "逐 repo GitHub primary ADR 完成", "rollback plan 與 Gitea mirror/fallback 角色明確", "切換前後監控與驗證 gate 已定義" ], "current_gap": [ - "目前只有長期方向,尚無逐 repo primary ADR", - "尚未定義 rollback ownership", - "不得切換 GitHub primary" + "S4.4 已建立 rollback ADR 草案,但尚無 owner-approved decision record", + "7 個 in-scope repos 的 rollback owner、validation window 與 trigger 仍需人工審查", + "dry_run_completed_count=0,active_cutover_count=0,不得切換 GitHub primary" ], "allowed_now": [ - "建立 ADR 草案", + "mirror rollback ADR 草案", "列出 rollback evidence requirements", "讓 AwoooP mirror blocked state" ], diff --git a/docs/security/source-control-primary-rollback-adr.snapshot.json b/docs/security/source-control-primary-rollback-adr.snapshot.json new file mode 100644 index 00000000..a186f655 --- /dev/null +++ b/docs/security/source-control-primary-rollback-adr.snapshot.json @@ -0,0 +1,469 @@ +{ + "schema_version": "source_control_primary_rollback_adr_v1", + "status": "draft_waiting_owner_review", + "date": "2026-05-13", + "mode": "rollback_adr_only", + "runtime_execution_authorized": false, + "source_indexes": [ + "docs/security/source-control-primary-readiness-gate.snapshot.json", + "docs/security/source-control-ref-truth-classification.snapshot.json", + "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", + "docs/security/source-control-workflow-secret-name-export-request.snapshot.json", + "docs/security/source-control-approval-board.snapshot.json", + "docs/security/security-followup-runtime-gate.snapshot.json", + "docs/security/security-rollout-policy.snapshot.json" + ], + "summary": { + "candidate_repo_count": 8, + "in_scope_repo_count": 7, + "external_scope_count": 1, + "repo_rollback_plan_count": 7, + "owner_approved_count": 0, + "dry_run_completed_count": 0, + "active_cutover_count": 0, + "rollback_execution_authorized": false, + "github_primary_switch_authorized": false, + "gitea_disable_authorized": false, + "action_buttons_allowed": false + }, + "rollback_principles": [ + "GitHub primary 是長期方向,但每個 repo 必須先有 owner-approved rollback plan 才能進入 cutover review。", + "Gitea 在 cutover 前後都必須保留為本地 mirror / fallback,不得因 GitHub primary 準備而停用、刪除或封存。", + "Rollback ADR 只定義人工決策、驗證窗口與回退條件;不授權任何 refs sync、primary switch 或 webhook 修改。", + "任何回退都必須有新的 runtime gate、人工批准與 evidence snapshot,不得由本 ADR 自動觸發。", + "初期只做 observe / approval_required,不把缺 LOW / MEDIUM evidence 變成 production blocker。" + ], + "cutover_preconditions": [ + { + "gate_id": "gitea_authenticated_inventory_approved", + "title": "Gitea private/internal 全量 inventory 已完成", + "required_evidence": [ + "Gitea authenticated inventory 或 redacted admin export status=ok", + "確認所有 private/internal repos 都在 migration matrix", + "只保存 token_present=true/false,不保存 token value" + ], + "current_status": "blocked", + "execution_authorized": false + }, + { + "gate_id": "refs_truth_and_parity_approved", + "title": "refs truth / branch-tag parity 已由 owner 批准", + "required_evidence": [ + "main/dev 真相來源已人工判定", + "release tags 保留 / 棄用決策完成", + "deprecated refs 已由 repo owner review" + ], + "current_status": "waiting_owner_review", + "execution_authorized": false + }, + { + "gate_id": "workflow_secret_export_accepted", + "title": "workflow / runner / webhook / secret name redacted export 已驗收", + "required_evidence": [ + "S4.3 export request 對應的 webhook、runner、deploy key、branch protection 與 repository secret name parity evidence 已補齊", + "任何 secret value、token value、private key 或 webhook secret 都未被保存", + "GitHub hosted runner 額度風險與 self-hosted runner owner 已確認" + ], + "current_status": "draft_only", + "execution_authorized": false + }, + { + "gate_id": "owner_visibility_canonical_approved", + "title": "owner / visibility / canonical 已批准", + "required_evidence": [ + "7 個 in-scope repos 都有 owner approval", + "not_found_or_private repo 已明確判定建立、取得權限或排除", + "ewoooc / momo-pro-system canonical 關係已定案" + ], + "current_status": "waiting_owner_review", + "execution_authorized": false + }, + { + "gate_id": "rollback_owner_and_monitoring_approved", + "title": "rollback owner、監控窗口與通知責任已批准", + "required_evidence": [ + "每個 repo 都有 rollback owner 與值班窗口", + "cutover 後 1h / 24h 的驗證項目已明確", + "失敗時的人工停損與回退 decision record 格式已確認" + ], + "current_status": "draft_only", + "execution_authorized": false + } + ], + "repo_rollback_plans": [ + { + "repo_key": "awoooi", + "github_repo": "owenhytsai/awoooi", + "source_key": "wooo/awoooi", + "scope_status": "in_scope", + "risk": "HIGH", + "rollback_state": "draft_waiting_owner_review", + "primary_ready": false, + "fallback_role": "Gitea remains protected local fallback until owner-approved cutover and rollback drill are complete.", + "required_owner_decisions": [ + "main/dev 真相來源", + "production deploy workflow canonical", + "webhook single-sender policy", + "rollback owner" + ], + "rollback_evidence_required": [ + "main SHA / tag parity evidence", + "deployment marker workflow evidence", + "runner owner / self-hosted evidence", + "repository secret name parity evidence", + "post-cutover health and deploy verification checklist" + ], + "rollback_triggers": [ + "production deploy workflow fails after primary switch", + "duplicate webhook causes duplicate deploy or duplicate notification", + "required runner label unavailable", + "secret name parity gap blocks deployment" + ], + "manual_recovery_outline": [ + "Freeze additional refs changes and record decision in approval audit.", + "Keep Gitea fallback intact and route deploy decision back to approved source after runtime gate approval.", + "Collect post-rollback evidence before re-entering primary readiness review." + ], + "execution_authorized": false, + "still_forbidden": [ + "switch_github_primary", + "disable_gitea", + "sync_refs", + "modify_workflow", + "move_secret_values" + ] + }, + { + "repo_key": "clawbot-v5", + "github_repo": "owenhytsai/clawbot-v5", + "source_key": "wooo/clawbot-v5", + "scope_status": "in_scope", + "risk": "MEDIUM", + "rollback_state": "draft_waiting_owner_review", + "primary_ready": false, + "fallback_role": "Gitea remains fallback until tag retention and refs truth are approved.", + "required_owner_decisions": [ + "main 真相來源", + "Gitea-only tag 保留或棄用", + "是否需要 workflow / secret inventory", + "rollback owner" + ], + "rollback_evidence_required": [ + "branch/tag parity evidence", + "owner-approved tag policy", + "repository secret name parity or no-secret attestation", + "post-cutover smoke check" + ], + "rollback_triggers": [ + "GitHub target misses owner-approved tag", + "automation expects a Gitea-only ref", + "repo owner rejects target canonical decision" + ], + "manual_recovery_outline": [ + "Pause primary review and keep Gitea as canonical fallback.", + "Ask owner to classify missing refs before any retry.", + "Require new approval record before resuming cutover preparation." + ], + "execution_authorized": false, + "still_forbidden": [ + "push_refs", + "delete_refs", + "switch_github_primary", + "delete_gitea_repo" + ] + }, + { + "repo_key": "wooo-aiops", + "github_repo": "owenhytsai/wooo-aiops", + "source_key": "wooo/wooo-aiops", + "scope_status": "in_scope", + "risk": "MEDIUM", + "rollback_state": "draft_waiting_owner_review", + "primary_ready": false, + "fallback_role": "Gitea remains fallback until GitHub-only refs and workflow ownership are resolved.", + "required_owner_decisions": [ + "GitHub-only branch / tag 來源", + "webhook owner", + "runner / workflow owner", + "rollback owner" + ], + "rollback_evidence_required": [ + "GitHub-only refs classification", + "webhook redacted export", + "runner owner evidence", + "repository secret name parity evidence" + ], + "rollback_triggers": [ + "GitHub-only refs are later classified as active source", + "webhook route changes produce duplicate events", + "workflow runner mismatch increases hosted runner usage unexpectedly" + ], + "manual_recovery_outline": [ + "Stop cutover review and preserve both remote states.", + "Route owner decision back through source-control approval board.", + "Re-run readiness gate only after redacted evidence is updated." + ], + "execution_authorized": false, + "still_forbidden": [ + "delete_github_only_refs", + "modify_webhook", + "switch_github_primary", + "force_push" + ] + }, + { + "repo_key": "wooo-infra-config", + "github_repo": "owenhytsai/wooo-infra-config", + "source_key": "wooo/wooo-infra-config", + "scope_status": "in_scope", + "risk": "MEDIUM", + "rollback_state": "draft_waiting_owner_review", + "primary_ready": false, + "fallback_role": "Gitea and internal 110 remote roles stay unchanged until infra owner signs off.", + "required_owner_decisions": [ + "110 internal remote purpose", + "deploy key owner", + "infra secret name owner", + "rollback owner" + ], + "rollback_evidence_required": [ + "internal remote purpose decision", + "deploy key redacted inventory", + "branch protection / required check export", + "infra secret name parity evidence" + ], + "rollback_triggers": [ + "internal remote is still an active source", + "deploy key ownership is ambiguous", + "required status checks are missing on GitHub target", + "infra secret parity gap blocks validation" + ], + "manual_recovery_outline": [ + "Keep current infra source untouched and do not delete remotes.", + "Escalate to infra owner for manual source-of-truth decision.", + "Resume only after a new redacted export snapshot is committed." + ], + "execution_authorized": false, + "still_forbidden": [ + "delete_remote", + "move_secret_values", + "export_private_key", + "switch_github_primary" + ] + }, + { + "repo_key": "ewoooc", + "github_repo": "owenhytsai/ewoooc", + "source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees", + "scope_status": "in_scope", + "risk": "HIGH", + "rollback_state": "draft_waiting_owner_review", + "primary_ready": false, + "fallback_role": "No primary decision until canonical repository and unrelated history risk are resolved.", + "required_owner_decisions": [ + "GitHub target access or creation decision", + "ewoooc / momo-pro-system canonical decision", + "unrelated history handling", + "rollback owner" + ], + "rollback_evidence_required": [ + "canonical repo decision record", + "server-side refs diff", + "workflow / secret name redacted export", + "post-cutover web and deploy health checks" + ], + "rollback_triggers": [ + "target repo access remains unresolved", + "canonical decision conflicts with local lineage evidence", + "unrelated histories cannot be reconciled without data loss risk" + ], + "manual_recovery_outline": [ + "Keep all existing working trees untouched.", + "Do not create or merge GitHub target automatically.", + "Require canonical owner approval before any new cutover attempt." + ], + "execution_authorized": false, + "still_forbidden": [ + "auto_create_repo", + "auto_merge_unrelated_histories", + "delete_working_tree", + "switch_github_primary" + ] + }, + { + "repo_key": "bitan-pharmacy", + "github_repo": "owenhytsai/bitan-pharmacy", + "source_key": "bitan-pharmacy", + "scope_status": "in_scope", + "risk": "MEDIUM", + "rollback_state": "draft_waiting_owner_review", + "primary_ready": false, + "fallback_role": "Current local / 110 source remains evidence source until active-state and GitHub target are approved.", + "required_owner_decisions": [ + "repo active or archive decision", + "GitHub target decision", + "secret name / deploy owner decision", + "rollback owner" + ], + "rollback_evidence_required": [ + "GitHub target visibility decision", + "repository secret name parity or no-secret attestation", + "active-state owner decision", + "post-cutover smoke check if active" + ], + "rollback_triggers": [ + "repo is confirmed inactive or out of scope", + "GitHub target cannot be verified", + "owner cannot confirm deploy / secret requirements" + ], + "manual_recovery_outline": [ + "Keep repo out of primary cutover queue until owner decision exists.", + "Do not create GitHub target automatically.", + "If inactive, record owner decision rather than deleting source." + ], + "execution_authorized": false, + "still_forbidden": [ + "auto_create_repo", + "push_refs", + "delete_110_remote", + "switch_github_primary" + ] + }, + { + "repo_key": "tsenyang-website", + "github_repo": "owenhytsai/tsenyang-website", + "source_key": "tsenyang-website", + "scope_status": "in_scope", + "risk": "MEDIUM", + "rollback_state": "draft_waiting_owner_review", + "primary_ready": false, + "fallback_role": "Current local / 110 source remains evidence source until active-state and GitHub target are approved.", + "required_owner_decisions": [ + "repo active or archive decision", + "GitHub target decision", + "secret name / deploy owner decision", + "rollback owner" + ], + "rollback_evidence_required": [ + "GitHub target visibility decision", + "repository secret name parity or no-secret attestation", + "active-state owner decision", + "post-cutover smoke check if active" + ], + "rollback_triggers": [ + "repo is confirmed inactive or out of scope", + "GitHub target cannot be verified", + "owner cannot confirm deploy / secret requirements" + ], + "manual_recovery_outline": [ + "Keep repo out of primary cutover queue until owner decision exists.", + "Do not create GitHub target automatically.", + "If inactive, record owner decision rather than deleting source." + ], + "execution_authorized": false, + "still_forbidden": [ + "auto_create_repo", + "push_refs", + "delete_110_remote", + "switch_github_primary" + ] + }, + { + "repo_key": "open-design", + "github_repo": "nexu-io/open-design", + "source_key": "open-design", + "scope_status": "external_scope_review", + "risk": "LOW", + "rollback_state": "scope_review_only", + "primary_ready": false, + "fallback_role": "Not in AWOOOI primary cutover scope until ownership is confirmed.", + "required_owner_decisions": [ + "scope ownership decision" + ], + "rollback_evidence_required": [ + "scope review evidence" + ], + "rollback_triggers": [ + "repo is later confirmed in scope and needs a separate ADR" + ], + "manual_recovery_outline": [ + "Keep out of primary queue.", + "Create a separate in-scope approval item if ownership changes." + ], + "execution_authorized": false, + "still_forbidden": [ + "加入 primary cutover queue", + "修改 repo visibility", + "sync refs" + ] + } + ], + "rollback_triggers": [ + "main/dev SHA 或 tag parity 與 owner-approved truth 不一致", + "workflow、webhook、runner、deploy key、branch protection 或 repository secret name parity evidence 不完整", + "GitHub hosted runner 使用量或 billing risk 超出 owner-approved 範圍", + "deploy marker、release workflow 或 required status check 在 cutover 後失敗", + "duplicate webhook 造成重複部署、重複通知或 approval queue 重複事件", + "owner / visibility / canonical decision 被撤回或出現衝突", + "post-cutover 1h 或 24h validation window 未通過" + ], + "validation_windows": [ + { + "window_id": "pre_cutover_freeze_review", + "title": "切換前 freeze review", + "required_checks": [ + "確認 refs truth、workflow / secret export、owner / visibility / canonical、rollback owner 全部已批准", + "確認沒有 unresolved HIGH risk blocker", + "確認 Gitea fallback 保持可用" + ], + "failure_handling": "任何缺口都只回到 approval review,不執行 cutover。", + "execution_authorized": false + }, + { + "window_id": "post_cutover_one_hour_observe", + "title": "切換後 1 小時觀察窗口", + "required_checks": [ + "deploy workflow / required checks 成功", + "webhook 沒有重複事件", + "runner 使用符合 owner-approved self-hosted / hosted policy", + "核心服務健康與告警量未異常升高" + ], + "failure_handling": "只建立 rollback approval candidate;不得自動切回或自動改 webhook。", + "execution_authorized": false + }, + { + "window_id": "post_cutover_twenty_four_hour_review", + "title": "切換後 24 小時 review", + "required_checks": [ + "refs、deploy、webhook、runner、secret name parity 沒有新增 drift", + "AwoooP audit evidence 完整", + "repo owner 確認可維持 GitHub primary 或要求 rollback review" + ], + "failure_handling": "若未通過,保留 Gitea fallback 並等待人工 rollback decision record。", + "execution_authorized": false + } + ], + "acceptance_rules": [ + "本 ADR 草案完成不代表任何 repo 可切 GitHub primary。", + "每個 in-scope repo 必須有 owner-approved rollback plan、pre-cutover evidence、post-cutover validation window 與 rollback owner。", + "任何 rollback 或 primary switch 都必須另有 runtime gate 與人工批准,不得由本 snapshot 自動觸發。", + "Gitea fallback 不得在 24h review 完成前停用、刪除、封存或降級。", + "任何 secret、token、cookie、private key、webhook secret 或 runner token 都不得保存。" + ], + "forbidden_actions": [ + "switch_github_primary", + "execute_rollback", + "create_github_repo", + "change_repo_visibility", + "sync_git_refs", + "delete_git_refs", + "force_push", + "modify_webhook", + "modify_workflow", + "modify_branch_protection", + "move_secret_values", + "disable_gitea", + "delete_or_archive_gitea_repo", + "add_action_button" + ] +}