diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 934f8442..5bcc03c8 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md 
@@ -1,3 +1,18 @@ +## 2026-05-19 | 資安供應鏈 S4.13:Owner Response Validation Parallel Session Recovery Checks + +**背景**:S4.13 已有四包 owner response validation rollup、22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks 與 6 條 parallel session conflict lanes;本輪補上 6 個 parallel session recovery checks,讓 AwoooP / 另一個 Session 在命中 conflict lane 後,只能重抓遠端、重讀 ledger、重跑只讀 guard、review diff、確認 false flags 與回到 S4.9 next focus。 + +**完成**: +- `source_control_owner_response_validation_rollup_v1` schema 新增 optional `owner_response_validation_parallel_session_recovery_checks`,summary 新增 `owner_response_validation_parallel_session_recovery_check_count=6`。 +- `source-control-owner-response-validation-rollup.snapshot.json` 新增 6 個 parallel session recovery checks,全部維持 `awooop_display_mode=display_parallel_session_recovery_check_only`、`execution_authorized=false` 與 `not_approval=true`。 +- `source-control-owner-response-guard.py` 反查 S4.13 parallel session recovery check count、check id 順序、display order、display mode 與 approval / execution 禁令。 +- `security-mirror-progress-guard.py` 與 status rollup delta ledger 納入 S4.13 parallel session recovery checks framework detail,headline progress 維持 58%。 + +**仍禁止**: +- 不把 parallel session recovery check pass 當成 owner response、production ingestion、received、accepted、approval、runtime gate、execution queue 或 action button。 +- 不讓 recovery check 觸發 rebase、merge、force push、覆蓋另一個 Session 變更、repo creation、visibility change、refs sync / delete / force push、workflow/webhook/runner/deploy key/branch protection/repository secret 變更、Kali 
scan、GitHub hosted runner、GitHub primary switch、Gitea disable 或任何 runtime action。 +- 不保存 raw owner response、token、secret、private key、deploy key material、cookie、session、runner token、webhook secret、authorization header、private URL credential、partial credential、未脫敏截圖、credential value、raw request / response body 或 execution payload。 + ## 2026-05-19 | 資安供應鏈 S4.13:Owner Response Validation Parallel Session Conflict Lanes **背景**:S4.13 已有四包 owner response validation rollup、22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks 與 6 個 parallel session sync checks;本輪補上 6 個 parallel session conflict lanes,讓 AwoooP / 另一個 Session 在分支、delta、counter、runtime flag、source-control mutation request 或 next focus 發生衝突時,只能停下重讀與人工 review。 diff --git a/docs/schemas/source_control_owner_response_validation_rollup_v1.schema.json b/docs/schemas/source_control_owner_response_validation_rollup_v1.schema.json index 162f8e5e..2fd3cb58 100644 --- a/docs/schemas/source_control_owner_response_validation_rollup_v1.schema.json +++ b/docs/schemas/source_control_owner_response_validation_rollup_v1.schema.json @@ -76,6 +76,7 @@ "owner_response_validation_reviewer_audit_handoff_check_count", "owner_response_validation_parallel_session_sync_check_count", "owner_response_validation_parallel_session_conflict_lane_count", + "owner_response_validation_parallel_session_recovery_check_count", "quarantine_required", "primary_ready_count", "runtime_execution_authorized", 
@@ -119,6 +120,7 @@
 "owner_response_validation_reviewer_audit_handoff_check_count": {"type": "integer", "minimum": 0},
 "owner_response_validation_parallel_session_sync_check_count": {"type": "integer", "minimum": 0},
 "owner_response_validation_parallel_session_conflict_lane_count": {"type": "integer", "minimum": 0},
+ "owner_response_validation_parallel_session_recovery_check_count": {"type": "integer", "minimum": 0},
 "quarantine_required": {"type": "boolean"},
 "primary_ready_count": {"type": "integer", "minimum": 0},
 "runtime_execution_authorized": {"type": "boolean", "const": false},
@@ -755,6 +757,41 @@
 },
 "minItems": 1
 },
+ "owner_response_validation_parallel_session_recovery_checks": {
+ "type": "array",
+ "description": "AwoooP 與另一個 Security Supply Chain Session 在命中 conflict lane 後的只讀復原檢查;只確認重新 fetch、重讀 ledger、重跑 guards、審查 staged diff、維持 false flags 與回到 S4.9 next focus,不授權 merge、push、runtime 或 source-control 變更。",
+ "items": {
+ "type": "object",
+ "required": [
+ "check_id",
+ "display_order",
+ "title",
+ "check_requirement",
+ "safe_result",
+ "blocked_interpretations",
+ "awooop_display_mode",
+ "execution_authorized",
+ "not_approval"
+ ],
+ "properties": {
+ "check_id": {"type": "string"},
+ "display_order": {"type": "integer", "minimum": 1},
+ "title": {"type": "string"},
+ "check_requirement": {"type": "string"},
+ "safe_result": {"type": "string"},
+ "blocked_interpretations": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "awooop_display_mode": {"type": "string", "enum": ["display_parallel_session_recovery_check_only"]},
+ "execution_authorized": {"type": "boolean", "const": false},
+ "not_approval": {"type": "boolean", "const": true}
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1
+ },
 "readiness_effects": {
 "type": "array",
 "items": {
diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
index 7ed5e90c..773aa57c 100644
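Review bot: The new `owner_response_validation_parallel_session_recovery_checks` array in the @@ -755 hunk is optional, while the @@ -76 hunk makes `owner_response_validation_parallel_session_recovery_check_count` a required field of what appears to be the summary's `required` list, and nothing in the schema ties that count to the array length or makes `check_id` / `display_order` unique, so a snapshot with the count set to 6 but a missing, shorter or duplicated array still validates. The logbook entry states that `source-control-owner-response-guard.py` cross-checks the count, check id order and display order, so the schema should say that parity lives in the guard rather than here, e.g. append to the array's `description`: `count parity with the summary owner_response_validation_parallel_session_recovery_check_count and check_id / display_order uniqueness are enforced by source-control-owner-response-guard.py, not by this schema.` If the rollup's top-level `required` list (outside this hunk) does not already name the array, consider adding it there, and `"uniqueItems": true` on the array is a cheap partial guard against copy-pasted duplicate entries even though it cannot catch two entries that differ only in `title`.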
--- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md +++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md 
@@ -42,7 +42,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `security_mirror_quarantine_v1` | AwoooP 鏡像隔離契約 | Operator Console、Audit | mirror-only | 只隔離驗收失敗 payload、顯示 recovery request 與 retry gate;不作 runtime blocker | | `security_mirror_dry_run_v1` | AwoooP 鏡像 dry-run 報告契約 | Operator Console、Audit | mirror-only | 只回報接入演練結果,且必須包含 progress guard、owner response guard 與 latest local validation;不得轉成 production ingestion | | `security_mirror_status_rollup_v1` | AwoooP 鏡像狀態彙整契約 | Operator Console、Runtime State、Audit | mirror-only | 只顯示階段狀態、58% headline 進度、progress display policy、delta ledger、下一個 gate 與禁止事項;不得視為 runtime authorization | -| `source_control_owner_response_validation_rollup_v1` | S4.9 / S4.10 / S4.11 / S4.12 owner response validation rollup | Operator Console、Source-control review、Audit | mirror-only | 只顯示四包 response packets、22 個 templates、missing response lanes、owner response collection order、next collection candidate、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、quarantine rules 與 latest local validation;不得視為 approval 或 runtime gate | +| `source_control_owner_response_validation_rollup_v1` | S4.9 / S4.10 / S4.11 / S4.12 owner response validation rollup | Operator Console、Source-control review、Audit | mirror-only | 只顯示四包 response packets、22 個 templates、missing response lanes、owner response collection order、next collection candidate、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer 
audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks、quarantine rules 與 latest local validation;不得視為 approval 或 runtime gate | | `coding_task_v1` | Code Review / Codex Security / manual review | Approval candidate、Channel Event、Audit | suggest-only | 不自動開 patch runner、不自動 merge | | `source_control_migration_event_v1` | Gitea/GitHub branch/tag/SHA diff | Supply-chain evidence、Approval candidate | mirror-only | 不觸發 deploy、不切換 primary | | `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 顯示 public-only evidence、S4.5 authenticated/admin export request、S4.6 redacted import acceptance、S4.7 owner coverage attestation、S4.9 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;不保存 token value、不刪除或停用 Gitea repo | 
@@ -112,7 +112,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `security_mirror_quarantine_v1.status=draft` | `observe` | 顯示 5 個 quarantine lanes、recovery request 與 retry gate;不得自動重試失敗 payload | | `security_mirror_dry_run_v1.dry_run_status=contract_defined_not_executed` | `observe` | 顯示 8 個 dry-run steps 與 `latest_local_validation.status=repo_snapshot_guard_pass`;`CHECK_PROGRESS_GUARD` 必須維持 58% 不是執行授權,`CHECK_OWNER_RESPONSE_GUARD` 必須維持 owner response received / accepted 皆為 0,不得視為 production ingestion 已啟用 | | `security_mirror_status_rollup_v1.rollup_status=framework_ready_waiting_approval` | `observe` | 顯示 S0-S4 階段、58% headline 進度、micro progress delta ledger、approval queue summary 與下一個 gate;不得新增 execution action | -| `source_control_owner_response_validation_rollup_v1.status=draft_waiting_owner_responses` | `observe` | 顯示四包 owner response packets、4 條 missing response lanes、4 步收件順序、22 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、received / accepted / rejected 皆為 0,且 `latest_local_validation.result=SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`;不得當成 approval 或 execution authorization | +| `source_control_owner_response_validation_rollup_v1.status=draft_waiting_owner_responses` | `observe` | 顯示四包 owner response packets、4 條 missing response lanes、4 步收件順序、22 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit 
redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks、received / accepted / rejected 皆為 0,且 `latest_local_validation.result=SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`;不得當成 approval 或 execution authorization | | `coding_task_v1.risk=LOW|MEDIUM` | `warn` | 可排入 Codex patch-only backlog | | `coding_task_v1.risk=HIGH|CRITICAL` | `approve_required` | 必須指定 `critic`、`vuln-verifier` | | `source_control_migration_event_v1.status=blocked` | `observe` | 顯示 blocking reason,不允許切 primary | 
@@ -216,7 +216,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 1. AwoooP 主線先把本清單視為契約消費檢查清單。 2. Security Supply Chain Session 補齊 Gitea 全量 repo inventory 的只讀 token 或管理匯出來源。 -3. AwoooP 先 mirror S4.13 owner response validation rollup,集中顯示 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks 與 6 條 parallel session conflict lanes;不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks 或 parallel session conflict lanes 視為 approval、production ingestion 或 execution authorization。 +3. 
AwoooP 先 mirror S4.13 owner response validation rollup,集中顯示 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes 與 6 個 parallel session recovery checks;不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes 或 parallel session recovery checks 視為 approval、production ingestion 或 execution authorization。 4. Security Supply Chain Session 依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response。 5. Security Supply Chain Session 依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 refs truth owner response templates;audit event templates 目前 0 emitted,redaction examples 只示範安全 metadata shape,collection checks 只維持 request / received / accepted 分離,preflight 只分類可審、補證、隔離、拒收或等待,response 通過也只更新 read-only classification / reconcile / readiness wording。 6. 
Security Supply Chain Session 依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 收到並驗收 5 個 workflow / secret 名稱 owner response templates;request packet 只提示 owner 要回覆什麼,template status ledger 只逐項顯示 waiting,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範安全 metadata shape,response 通過也只更新 read-only inventory / export request / readiness wording。 diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index 57ab4191..705e3221 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md 
@@ -52,9 +52,9 @@ Source-control owner response 缺口可另跑: python3 scripts/security/source-control-owner-response-guard.py ``` -此腳本只讀 S4.9 / S4.10 / S4.11 / S4.12 四包 response snapshots 與 S4.13 validation rollup / evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks 與 parallel session conflict lanes,確認目前 response received / accepted 仍為 0、reviewer audit emitted 仍為 0,且 repo、refs、workflow、secret、runner、GitHub primary 與 runtime action 皆未授權。 +此腳本只讀 S4.9 / S4.10 / S4.11 / S4.12 四包 response snapshots 與 S4.13 validation rollup / evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks,確認目前 response received / accepted 仍為 0、reviewer audit emitted 仍為 0,且 repo、refs、workflow、secret、runner、GitHub primary 與 runtime action 皆未授權。 -AwoooP 顯示 S4.13 時,應把 `missing_response_lanes` 當成 Operator Console 的主要缺口摘要:4 條 lane、22 個 response templates、目前 received / accepted 皆為 0;同時顯示 6 條 `owner_response_evidence_routing_rules`、8 個 `owner_response_validation_display_sections`、7 條 `owner_response_validation_state_transition_rules`、9 個 `owner_response_validation_reviewer_checklist` items、7 條 `owner_response_validation_reviewer_outcome_lanes`、4 個 `owner_response_validation_reviewer_audit_event_templates`、5 個 
`owner_response_validation_reviewer_audit_display_sections`、6 個 `owner_response_validation_reviewer_audit_collection_checks`、5 個 `owner_response_validation_reviewer_audit_redaction_examples`、5 條 `owner_response_validation_reviewer_audit_retention_rules`、6 個 `owner_response_validation_reviewer_audit_retention_checks`、6 個 `owner_response_validation_reviewer_audit_handoff_packets`、6 個 `owner_response_validation_reviewer_audit_handoff_checks`、6 個 `owner_response_validation_parallel_session_sync_checks` 與 6 條 `owner_response_validation_parallel_session_conflict_lanes`,讓 reviewer 知道 evidence pointer 應補證、隔離、拒收、送跨包 review 或只讀更新,UI 應如何固定顯示總覽、缺口、收件順序、下一個收件、checks、routing、quarantine 與本機驗證,以及 waiting / pending validation / read-only update / waiting runtime gate 的狀態語義,也讓 reviewer 能把結果歸到等待、補證、隔離、拒收、跨包 review、只讀候選或等待後續 runtime gate,並只用脫敏 metadata 形狀留痕,同時固定顯示 audit templates、允許 metadata、禁止 payload、0 emitted 狀態、非授權邊界、只讀收件檢查、安全 metadata 顯示範例、metadata retention 邊界、只讀 retention 驗證、跨 Session 只讀交接、平行 Session 同步檢查與衝突 lane。這只是在告訴 reviewer 下一步要補哪些 owner response、evidence 該如何安全路由、狀態應如何判讀、結果如何只讀分類、audit metadata 如何脫敏、audit 顯示如何不越界、audit collection check 如何不產生副作用、redaction example 如何避免顯示 payload、retention rule 如何避免保存 raw payload、retention check 如何避免變成 ingestion、parallel session sync / conflict lane 如何避免分支、ledger 或衝突誤判,不代表可以建立 repo、sync refs、修改 workflow / secret、啟用 runner、寫入 production ingestion 或切 GitHub primary。 +AwoooP 顯示 S4.13 時,應把 `missing_response_lanes` 當成 Operator Console 的主要缺口摘要:4 條 lane、22 個 response templates、目前 received / accepted 皆為 0;同時顯示 6 條 `owner_response_evidence_routing_rules`、8 個 `owner_response_validation_display_sections`、7 條 `owner_response_validation_state_transition_rules`、9 個 `owner_response_validation_reviewer_checklist` items、7 條 `owner_response_validation_reviewer_outcome_lanes`、4 個 `owner_response_validation_reviewer_audit_event_templates`、5 個 `owner_response_validation_reviewer_audit_display_sections`、6 個 
`owner_response_validation_reviewer_audit_collection_checks`、5 個 `owner_response_validation_reviewer_audit_redaction_examples`、5 條 `owner_response_validation_reviewer_audit_retention_rules`、6 個 `owner_response_validation_reviewer_audit_retention_checks`、6 個 `owner_response_validation_reviewer_audit_handoff_packets`、6 個 `owner_response_validation_reviewer_audit_handoff_checks`、6 個 `owner_response_validation_parallel_session_sync_checks`、6 條 `owner_response_validation_parallel_session_conflict_lanes` 與 6 個 `owner_response_validation_parallel_session_recovery_checks`,讓 reviewer 知道 evidence pointer 應補證、隔離、拒收、送跨包 review 或只讀更新,UI 應如何固定顯示總覽、缺口、收件順序、下一個收件、checks、routing、quarantine 與本機驗證,以及 waiting / pending validation / read-only update / waiting runtime gate 的狀態語義,也讓 reviewer 能把結果歸到等待、補證、隔離、拒收、跨包 review、只讀候選或等待後續 runtime gate,並只用脫敏 metadata 形狀留痕,同時固定顯示 audit templates、允許 metadata、禁止 payload、0 emitted 狀態、非授權邊界、只讀收件檢查、安全 metadata 顯示範例、metadata retention 邊界、只讀 retention 驗證、跨 Session 只讀交接、平行 Session 同步檢查、衝突 lane 與復原前檢查。這只是在告訴 reviewer 下一步要補哪些 owner response、evidence 該如何安全路由、狀態應如何判讀、結果如何只讀分類、audit metadata 如何脫敏、audit 顯示如何不越界、audit collection check 如何不產生副作用、redaction example 如何避免顯示 payload、retention rule 如何避免保存 raw payload、retention check 如何避免變成 ingestion、parallel session sync / conflict lane / recovery checks 如何避免分支、ledger、衝突或復原誤判,不代表可以建立 repo、sync refs、修改 workflow / secret、啟用 runner、寫入 production ingestion 或切 GitHub primary。 建議顯示 `owner_response_collection_order` 作為下一步收件順序:先 S4.9 Gitea scope / canonical owner,再 S4.10 GitHub target owner / visibility / canonical,再 S4.11 refs truth,最後 S4.12 workflow / secret name parity。這只是 review 順序,不是 approval queue 或 execution queue。 
@@ -393,7 +393,7 @@ Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json` Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json` -目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆、primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner response request packet 1 筆、template statuses 7 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、intake preflight checks 6 筆、owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;S4.11 refs truth owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、intake preflight checks 6 筆、templates 5 筆、received response 0 筆、accepted response 0 筆、audit events emitted 0 筆;S4.13 owner response validation rollup 彙整 4 包、22 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、received response 0 筆、accepted response 0 筆、reviewer audit emitted 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response request packet 1 筆、template statuses 5 筆、audit event 
templates 3 筆、redaction examples 5 筆、display sections 8 筆、collection checks 6 筆、S4.9 owner response templates 5 筆、intake preflight checks 6 筆、outcome lanes 5 筆、received response 0 筆、audit events emitted 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆、S4.12 owner response request packet 1 筆、S4.12 template statuses 5 筆、S4.12 audit event templates 3 筆、S4.12 redaction examples 5 筆、S4.12 collection checks 6 筆、S4.12 intake preflight checks 6 筆、S4.12 owner response templates 5 筆、received response 0 筆、accepted response 0 筆、audit events emitted 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 +目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆、primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner response request packet 1 筆、template statuses 7 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、intake preflight checks 6 筆、owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;S4.11 refs truth owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、intake preflight checks 6 筆、templates 5 筆、received response 0 筆、accepted response 0 筆、audit events emitted 0 筆;S4.13 owner response validation rollup 彙整 4 包、22 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 
reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks、received response 0 筆、accepted response 0 筆、reviewer audit emitted 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、display sections 8 筆、collection checks 6 筆、S4.9 owner response templates 5 筆、intake preflight checks 6 筆、outcome lanes 5 筆、received response 0 筆、audit events emitted 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆、S4.12 owner response request packet 1 筆、S4.12 template statuses 5 筆、S4.12 audit event templates 3 筆、S4.12 redaction examples 5 筆、S4.12 collection checks 6 筆、S4.12 intake preflight checks 6 筆、S4.12 owner response templates 5 筆、received response 0 筆、accepted response 0 筆、audit events emitted 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。 
@@ -816,7 +816,7 @@ Console 初期不提供高風險執行按鈕。 11. Read-only policy 可容納 `security_rollout_policy_v1`,但初期不得把它變成 runtime blocking rule。 12. Contract registry 可容納 `security_supply_chain_contract_manifest_v1`,但初期不得把它變成 direct tool router。 13. Source-control review 可容納 `source_control_workflow_secret_name_inventory_v1` 與 S4.3 redacted export request,但只能顯示 workflow / secret 名稱缺口、owner export lanes 與 hosted runner 額度風險,不得收集 value 或修改 workflow。 -14. Source-control review 可容納 S4.13 `source_control_owner_response_validation_rollup_v1`,集中顯示 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response validation 狀態、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks 與 parallel session conflict lanes;不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks 或 parallel session conflict lanes 當成 approval、runtime gate、production ingestion 或 execution authorization。 +14. 
Source-control review 可容納 S4.13 `source_control_owner_response_validation_rollup_v1`,集中顯示 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response validation 狀態、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks;不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes 或 parallel session recovery checks 當成 approval、runtime gate、production ingestion 或 execution authorization。 ## 7. Security Supply Chain Session 下一步 
@@ -913,7 +913,7 @@ Console 初期不提供高風險執行按鈕。
 2026-05-17 S4.12 workflow / secret name owner response 追加,2026-05-19 補 request packet、template status ledger、audit event templates、redaction examples 與 collection checks:已新增 `docs/schemas/source_control_workflow_secret_name_owner_response_v1.schema.json`、`docs/security/source-control-workflow-secret-name-owner-response.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md`。目前 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 response templates 對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;received / accepted response 皆為 0、audit events emitted 仍為 0。AwoooP 可 mirror 成 owner response intake queue,但不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。
-2026-05-17 S4.13 owner response validation rollup 追加:已新增 `docs/schemas/source_control_owner_response_validation_rollup_v1.schema.json`、`docs/security/source-control-owner-response-validation-rollup.snapshot.json` 與 `docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md`。目前彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,22 個 response templates、received / accepted / rejected response 皆為 0、cross-packet checks 10 個;2026-05-19 再補 6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks 與 6 條 parallel session conflict lanes,讓 AwoooP 只讀判斷補證、隔離、拒收、跨包 review 或只讀更新,固定 Operator Console 顯示順序,顯示 waiting、pending validation、read-only update 與 waiting runtime gate 的狀態語義,提供人工審查順序,把 reviewer 結果只讀分類成等待、補證、隔離、拒收、跨包 review、只讀候選或等待後續 runtime gate,定義未來可留痕的脫敏 metadata 形狀,固定 audit templates、允許 metadata、禁止 payload、0 emitted 狀態與非授權邊界的顯示方式,確認 metadata-only、forbidden payload blocked、emitted=0、無 runtime side effect 與 counters 不變,示範 reviewer role lane、classification reason、quarantine pointer、read-only update target 與 runtime gate counter 的安全 metadata 顯示形狀,固定未來只能保留已脫敏 metadata、reason code、pointer 與 counters,確認 retention rules 可見、raw payload / secret retention blocked、counter snapshot-only 與無 runtime side effect,並確認平行 Session 接手前需對齊同一 PR 分支、latest delta、0 counters、false flags、source-control mutation 禁令與 S4.9 next focus;衝突時只進停下重讀或人工 review,目前 reviewer audit emitted 仍為 0。AwoooP 可 mirror 成只讀驗收總覽,但不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks 或 parallel session conflict lanes 當成 approval、runtime gate、production ingestion、repo / refs / workflow / secret / runner 執行授權或 GitHub primary approval。
+2026-05-17 S4.13 owner response validation rollup 追加:已新增 `docs/schemas/source_control_owner_response_validation_rollup_v1.schema.json`、`docs/security/source-control-owner-response-validation-rollup.snapshot.json` 與 `docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md`。目前彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,22 個 response templates、received / accepted / rejected response 皆為 0、cross-packet checks 10 個;2026-05-19 再補 6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes 與 6 個 parallel session recovery checks,讓 AwoooP 只讀判斷補證、隔離、拒收、跨包 review、只讀更新、平行 Session 同步、衝突分流或復原前檢查,固定 Operator Console 顯示順序,顯示 waiting、pending validation、read-only update 與 waiting runtime gate 的狀態語義,提供人工審查順序,把 reviewer 結果只讀分類成等待、補證、隔離、拒收、跨包 review、只讀候選或等待後續 runtime gate,定義未來可留痕的脫敏 metadata 形狀,固定 audit templates、允許 metadata、禁止 payload、0 emitted 狀態與非授權邊界的顯示方式,確認 metadata-only、forbidden payload blocked、emitted=0、無 runtime side effect 與 counters 不變,示範 reviewer role lane、classification reason、quarantine pointer、read-only update target 與 runtime gate counter 的安全 metadata 顯示形狀,固定未來只能保留已脫敏 metadata、reason code、pointer 與 counters,確認 retention rules 可見、raw payload / secret retention blocked、counter snapshot-only 與無 runtime side effect,並確認平行 Session 接手前需對齊同一 PR 分支、latest delta、0 counters、false flags、source-control mutation 禁令與 S4.9 next focus;衝突時只進停下重讀或人工 review;復原前只能重抓遠端、重讀 latest ledger、重跑只讀 guards、review staged diff、確認 runtime false flags 與回到 S4.9 next focus,目前 reviewer audit emitted 仍為 0。AwoooP 可 mirror 成只讀驗收總覽,但不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes 或 parallel session recovery checks 當成 approval、runtime gate、production ingestion、repo / refs / workflow / secret / runner 執行授權或 GitHub primary approval。
 2026-05-13 S4.4 GitHub primary rollback ADR 追加:已新增 `docs/schemas/source_control_primary_rollback_adr_v1.schema.json`、`docs/security/source-control-primary-rollback-adr.snapshot.json` 與 `docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md`。本輪只定義 7 個 in-scope repos 的 rollback ADR 草案、precondition、trigger、validation window 與 owner review;`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`,不得切 GitHub primary、不得執行 rollback、不得停用 Gitea。
diff --git a/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md b/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md
index e0dd0c61..3dc63b67 100644
--- a/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md
+++ b/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md
@@ -53,7 +53,7 @@
 - GitHub target repo-by-repo approval package 已建立,7 個 approval-required targets 拆成 refs reconcile、target 建立 / 授權、internal remote 用途確認三條路徑;此 package 採低摩擦原則,只 gate 高風險執行,不阻擋 read-only evidence。
 - Source Control ref truth classification 已建立,141 個 refs review items 已拆成 4 個真相來源判定、114 個 drift deprecated 候選、3 個 release tag review、20 個 GitHub-only refs review;S4.11 已補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 owner response templates,received / accepted response 皆為 0、audit events emitted 仍為 0。這是人工判定隊列與收件框架,不是同步批准。
 - Workflow / secret 名稱 owner response 已建立,S4.12 補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 response templates,received / accepted response 皆為 0、audit events emitted 仍為 0;這只允許 owner 補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition,不授權收 secret value、修改 workflow、啟用 GitHub hosted runner 或切 GitHub primary。
-- Owner response validation rollup 已建立,S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,共 22 個 response templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、received / accepted response 皆為 0 且 reviewer audit emitted 仍為 0;這只是驗收總覽、只讀路由、顯示順序、狀態語義、人工審查提示、結果分類、脫敏稽核格式、稽核顯示邊界、只讀稽核檢查、安全 metadata 顯示範例、metadata retention 邊界、只讀 retention 驗證、跨 Session 只讀交接、交接消費檢查、平行 Session 同步檢查與衝突 lane,不是 approval、runtime gate、production ingestion 或執行授權。
+- Owner response validation rollup 已建立,S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,共 22 個 response templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks、received / accepted response 皆為 0 且 reviewer audit emitted 仍為 0;這只是驗收總覽、只讀路由、顯示順序、狀態語義、人工審查提示、結果分類、脫敏稽核格式、稽核顯示邊界、只讀稽核檢查、安全 metadata 顯示範例、metadata retention 邊界、只讀 retention 驗證、跨 Session 只讀交接、交接消費檢查、平行 Session 同步檢查、衝突 lane 與復原前檢查,不是 approval、runtime gate、production ingestion 或執行授權。
 - 本機可見 Git working tree 輔助盤點已找到 13 個 repo,其中去重後 Gitea repo 4 個、GitHub repo 5 個、110 內部 repo 4 個;此結果可用來補遷移矩陣,但不能取代 Gitea server 全量清單。
 因此後續必須先完成「repo/branch/tag/workflow/webhook/permission/secrets 名稱」全量 inventory,再逐步 mirror 與驗證。
@@ -85,7 +85,7 @@
 | Source Control branch/tag detail diff | `docs/security/source-control-ref-detail-diff.snapshot.json`,保存 3 個 refs-blocked mapped repos 的 branch/tag 明細,不授權 fetch/push |
 | Source Control ref truth classification | `docs/security/source-control-ref-truth-classification.snapshot.json`,將 ref diff 轉成單 ref 人工判定隊列,不授權 sync/delete |
 | Workflow / secret name owner response | `docs/security/source-control-workflow-secret-name-owner-response.snapshot.json`,固定 5 類 response templates,不授權 secret value collection、workflow modification、hosted runner enablement 或 primary switch |
-| Owner response validation rollup | `docs/security/source-control-owner-response-validation-rollup.snapshot.json`,集中顯示 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks 與 parallel session conflict lanes,不授權 approval、production ingestion 或 runtime action |
+| Owner response validation rollup | `docs/security/source-control-owner-response-validation-rollup.snapshot.json`,集中顯示 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks,不授權 approval、production ingestion 或 runtime action |
 ## 1.1 Gitea repo list snapshot
@@ -230,6 +230,6 @@ GitHub target repo-by-repo approval package 已建立於 `docs/security/GITHUB-T
 3. 依 `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 由 repo owner 對 main/dev、release tags、GitHub-only refs 與 drift deprecated 候選逐項判定;仍不 push refs。
 4. 標記「可 mirror」、「需人工判斷」、「需封存」、「不可搬」。
 5. 依 S4.12 workflow / secret name owner response request packet、template status ledger、audit event templates、redaction examples 與收件包驗收 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;仍不得收 secret value、改 workflow 或啟用 hosted runner。
-6. 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks 與 parallel session conflict lanes;仍不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks 或 parallel session conflict lanes 當 approval、production ingestion 或 execution authorization。
+6. 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks;仍不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes 或 parallel session recovery checks 當 approval、production ingestion 或 execution authorization。
 7. 產出 GitHub primary ADR,定義切換 gate 與 rollback。
 8. 將 `source_control_migration_event_v1`、`gitea_repo_inventory_v1`、`local_git_remote_inventory_v1` mirror 到 AwoooP,初期只作為 evidence。
diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md
index 970eb6c2..d733b325 100644
--- a/docs/security/SECURITY-MIRROR-READINESS.md
+++ b/docs/security/SECURITY-MIRROR-READINESS.md
@@ -72,7 +72,7 @@ AwoooP 可以將 ready / partial contracts mirror 到:
 4. 再 mirror `security_mirror_acceptance_v1`,驗收 contract count、event envelope、route coverage 與 redaction。
 5. 再 mirror `security_mirror_quarantine_v1`,定義驗收失敗時的隔離與 retry gate。
 6. 再 mirror `security_mirror_dry_run_v1`,定義接入演練回報格式。
-7. 再 mirror `security_mirror_status_rollup_v1` 與 S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md`,顯示跨 Session 狀態、四個 owner response packets、22 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes 與下一個 gate。
+7. 再 mirror `security_mirror_status_rollup_v1` 與 S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md`,顯示跨 Session 狀態、四個 owner response packets、22 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與下一個 gate。
 8. 再 mirror `security_mirror_intake_plan_v1`,照 wave 執行 read-only intake。
 9. 再 mirror `security_approval_queue_v1`,只顯示 review order。
 10. 再 mirror `security_approval_gate_v1`,只記錄人工決策與 follow-up runtime gate。
@@ -93,6 +93,6 @@ Ref truth 決策面需同時 mirror S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPON
 Workflow / secret 名稱決策面需同時 mirror S4.12 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` 與 `source-control-workflow-secret-name-owner-response.snapshot.json`,只顯示 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 owner response templates、received / accepted response 皆為 0、audit events emitted 仍為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value 收集、workflow 修改、GitHub hosted runner 啟用或 GitHub primary approval。
-Owner response validation 決策面需同時 mirror S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md` 與 `source-control-owner-response-validation-rollup.snapshot.json`,只顯示 S4.9 / S4.10 / S4.11 / S4.12 四個 response packets 的驗收總覽:22 個 templates、received / accepted / rejected 皆為 0、cross-packet checks 10 個、evidence routing rules 6 條、display sections 8 個、state transition rules 7 條、reviewer checklist 9 個、reviewer outcome lanes 7 條、reviewer audit event templates 4 個、reviewer audit display sections 5 個、reviewer audit collection checks 6 個、reviewer audit redaction examples 5 個、reviewer audit retention rules 5 條、reviewer audit retention checks 6 個、reviewer audit handoff packets 6 個、reviewer audit handoff checks 6 個、parallel session sync checks 6 個、parallel session conflict lanes 6 條,且 reviewer audit emitted 仍為 0;不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks 或 parallel session conflict lanes 當成 approval、runtime gate、production ingestion 或 execution authorization。
+Owner response validation 決策面需同時 mirror S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md` 與 `source-control-owner-response-validation-rollup.snapshot.json`,只顯示 S4.9 / S4.10 / S4.11 / S4.12 四個 response packets 的驗收總覽:22 個 templates、received / accepted / rejected 皆為 0、cross-packet checks 10 個、evidence routing rules 6 條、display sections 8 個、state transition rules 7 條、reviewer checklist 9 個、reviewer outcome lanes 7 條、reviewer audit event templates 4 個、reviewer audit display sections 5 個、reviewer audit collection checks 6 個、reviewer audit redaction examples 5 個、reviewer audit retention rules 5 條、reviewer audit retention checks 6 個、reviewer audit handoff packets 6 個、reviewer audit handoff checks 6 個、parallel session sync checks 6 個、parallel session conflict lanes 6 條、parallel session recovery checks 6 個,且 reviewer audit emitted 仍為 0;不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes 或 parallel session recovery checks 當成 approval、runtime gate、production ingestion 或 execution authorization。
 整個 S2 不新增 execution router、不新增執行按鈕、不新增 runtime blocker。
diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
index 69911ce9..e4b1a4f0 100644
--- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
+++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md
@@ -28,11 +28,11 @@
 | Review packets | S3.2 已建立;8 packets、7 ready for human review、1 block candidate |
 | State transitions | S3.3 已建立;5 個 decision options 都有 next state,且都不授權執行 |
 | Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates |
-| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,7 個 response templates、owner response 0 筆;S4.11 已補 refs truth owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,5 個 response templates、owner response 0 筆、audit events emitted 0 筆;S4.12 已補 workflow / secret 名稱 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,5 個 response templates、owner response 0 筆、audit events emitted 0 筆;S4.13 已補四包 owner response validation rollup、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks 與 6 條 parallel session conflict lanes,22 個 templates、received / accepted / rejected 皆為 0、reviewer audit emitted 仍為 0 |
+| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,7 個 response templates、owner response 0 筆;S4.11 已補 refs truth owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,5 個 response templates、owner response 0 筆、audit events emitted 0 筆;S4.12 已補 workflow / secret 名稱 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,5 個 response templates、owner response 0 筆、audit events emitted 0 筆;S4.13 已補四包 owner response validation rollup、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes 與 6 個 parallel session recovery checks,22 個 templates、received / accepted / rejected 皆為 0、reviewer audit emitted 仍為 0 |
 | GitHub primary rollback ADR | S4.4 已建立;7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover |
 | Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;S4.7 已補 owner coverage attestation;S4.8 已把既有 Gitea queue/gate/review packet/follow-up gate 對齊 attestation 先行;S4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、owner response 0 筆、audit events emitted 0 筆、敏感 payload 必須隔離、允許收集 token value=false |
 | Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;S4.12 補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 owner response templates;0 個 inventory complete、audit events emitted 0 筆、禁止收集 secret value、禁止 write token |
-| Owner response validation | S4.13 已建立;四包 owner response 目前 received/accepted 皆為 0;4 條 missing response lanes、4 步 collection order、next collection candidate、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks 與 6 條 parallel session conflict lanes 可供 AwoooP 直接顯示;下一個建議收件為 S4.9 Gitea owner attestation;latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`,reviewer audit emitted 仍為 0,不代表 owner response 已收到或任何執行授權 |
+| Owner response validation | S4.13 已建立;四包 owner response 目前 received/accepted 皆為 0;4 條 missing response lanes、4 步 collection order、next collection candidate、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes 與 6 個 parallel session recovery checks 可供 AwoooP 直接顯示;下一個建議收件為 S4.9 Gitea owner attestation;latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`,reviewer audit emitted 仍為 0,不代表 owner response 已收到或任何執行授權 |
 | Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion |
 | Runtime actions | `false` |
 | Payload ingestion | `false` |
@@ -85,6 +85,7 @@
 | S4.13 reviewer audit handoff checks | framework detail | 0 | 只確認 handoff packets 可見、counters 不變、source packets 必讀、安全顯示欄位、runtime 誤讀阻擋與 next focus 未被標記 received,不代表 owner response、production ingestion、approval、runtime gate 或 execution authorization |
 | S4.13 parallel session sync checks | framework detail | 0 | 只確認同一 PR 分支、latest delta 可見、counters 仍為 0、runtime flags 仍為 false、source-control mutation 阻擋與 next focus 維持 S4.9,不代表 owner response、production ingestion、approval、runtime gate 或 execution authorization |
 | S4.13 parallel session conflict lanes | framework detail | 0 | 只把 stale branch、stale delta、counter drift、runtime flag drift、source-control mutation request 與 next focus drift 分流到停下重讀或人工 review,不代表 owner response、production ingestion、approval、runtime gate 或 execution authorization |
+| S4.13 parallel session recovery checks | framework detail | 0 | 只確認 conflict lane 後要重抓遠端、重讀 latest ledger、重跑只讀 guards、review staged diff、確認 runtime false flags 與回到 S4.9 next focus,不代表 owner response、production ingestion、approval、runtime gate 或 execution authorization |
 headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence:
@@ -132,7 +133,7 @@ python3 scripts/security/security-mirror-progress-guard.py
 5. Kali `/execute` 維持 block candidate。
 6. Refs truth owner response:先依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 顯示 main/dev truth、deprecated drift、release tag、GitHub-only refs 的 5 個 response templates;received / accepted response 目前皆為 0,audit events emitted 仍為 0,不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 refs sync、delete、force push 或 primary approval。
 7. Workflow / secret 名稱 owner response:先依 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 顯示 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 5 個 response templates;received / accepted response 目前皆為 0,audit events emitted 仍為 0,不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value 收集、workflow 修改、GitHub hosted runner 啟用或 primary approval。
-8. Owner response validation rollup:先依 S4.13 顯示 S4.9/S4.10/S4.11/S4.12 四包 response packets、22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes 與 quarantine rules;不得把 rollup、routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks 或 parallel session conflict lanes 當成 approval、runtime gate、production ingestion 或 execution authorization。
+8. Owner response validation rollup:先依 S4.13 顯示 S4.9/S4.10/S4.11/S4.12 四包 response packets、22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與 quarantine rules;不得把 rollup、routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes 或 parallel session recovery checks 當成 approval、runtime gate、production ingestion 或 execution authorization。
 9. GitHub primary readiness blockers 與 rollback ADR 缺口。
 10. S4.4 GitHub primary rollback ADR 草案:先顯示 7 個 repo 的 rollback owner、validation window 與 triggers,owner approval 前不可執行。
 11. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence,再依 S4.3 redacted export request 與 S4.12 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包補 webhook / runner / deploy key / branch protection / repository secret parity;只保存名稱與 owner,不保存 value,不使用 write token。
diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md
index 7bc09514..e8c6a18c 100644
--- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md
@@ -36,7 +36,7 @@
 | `security_mirror_acceptance_v1` | mirror-only | AwoooP 只讀鏡像接入驗收 checks | `security-mirror-acceptance.snapshot.json` |
 | `security_mirror_quarantine_v1` | mirror-only | AwoooP 鏡像驗收失敗隔離與 retry gate | `security-mirror-quarantine.snapshot.json` |
 | `security_mirror_dry_run_v1` | mirror-only | AwoooP 鏡像接入演練回報格式 | `security-mirror-dry-run.snapshot.json` |
-| `security_mirror_status_rollup_v1` | mirror-only | AwoooP / Security Supply Chain 跨 Session 狀態總覽;含 58% headline progress、progress display policy、micro progress delta ledger、S4.13 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes 與 next collection candidate | `security-mirror-status-rollup.snapshot.json` / `source-control-owner-response-validation-rollup.snapshot.json` |
+| `security_mirror_status_rollup_v1` | mirror-only | AwoooP / Security Supply Chain 跨 Session 狀態總覽;含 58% headline progress、progress display policy、micro progress delta ledger、S4.13 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes、parallel session recovery checks 與 next collection candidate | `security-mirror-status-rollup.snapshot.json` / `source-control-owner-response-validation-rollup.snapshot.json` |
 | `coding_task_v1` | suggest-only | Code Review 接 Codex patch-only | 無正式 snapshot |
 | `source_control_migration_event_v1` | mirror-only | Gitea/GitHub refs 差異 | `gitea-github-awoooi`、`clawbot-v5`、`wooo-aiops` |
 | `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory;S4.5 已補認證清冊匯出請求,S4.6 已補匯入驗收契約,S4.7 已補 owner coverage attestation,S4.9 已補 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner response 收件包、intake preflight checks 與 outcome lanes | public-only / blocked endpoint / S4.5 export request / S4.6 import acceptance / S4.7 coverage attestation / S4.9 response snapshots |
@@ -61,7 +61,7 @@
 2. 再讀本 manifest,取得可消費 contract 與禁止動作。
 3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。
 4. 讀到 `source-control-ref-truth-owner-response.snapshot.json` 時,只顯示 S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、response templates、acceptance checks 與 rejection rules;不得新增 refs action。
-5. 讀到 `source-control-owner-response-validation-rollup.snapshot.json` 時,只顯示 S4.9/S4.10/S4.11/S4.12 四個 response packets 的總覽:22 個 templates、received / accepted / rejected 皆為 0、cross-packet checks 10 個、evidence routing rules 6 條、display sections 8 個、state transition rules 7 條、reviewer checklist 9 個、reviewer outcome lanes 7 條、reviewer audit event templates 4 個、reviewer audit display sections 5 個、reviewer audit collection checks 6 個、reviewer audit redaction examples 5 個、reviewer audit retention rules 5 條、reviewer audit retention checks 6 個、reviewer audit handoff packets 6 個、reviewer audit handoff checks 6 個、parallel session sync checks 6 個、parallel session conflict lanes 6 條,且 reviewer audit emitted 仍為 0;不得把 rollup、routing、sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks 或 parallel session conflict lanes 當成 approval、production ingestion 或 execution authorization。
+5. 讀到 `source-control-owner-response-validation-rollup.snapshot.json` 時,只顯示 S4.9/S4.10/S4.11/S4.12 四個 response packets 的總覽:22 個 templates、received / accepted / rejected 皆為 0、cross-packet checks 10 個、evidence routing rules 6 條、display sections 8 個、state transition rules 7 條、reviewer checklist 9 個、reviewer outcome lanes 7 條、reviewer audit event templates 4 個、reviewer audit display sections 5 個、reviewer audit collection checks 6 個、reviewer audit redaction examples 5 個、reviewer audit retention rules 5 條、reviewer audit retention checks 6 個、reviewer audit handoff packets 6 個、reviewer audit handoff checks 6 個、parallel session sync checks 6 個、parallel session conflict lanes 6 條、parallel session recovery checks 6 個,且 reviewer audit emitted 仍為 0;不得把 rollup、routing、sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes 或 parallel session recovery checks 當成 approval、production ingestion 或 execution authorization。
 6. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`github_target_decision_v1` 只能顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner decision response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 repo creation、visibility change、refs sync 或 primary switch;`source_control_workflow_secret_name_inventory_v1` 只能顯示 S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 secret collection、workflow 修改或 runner 啟用;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner response 收件包、intake preflight checks、outcome lanes 與覆蓋缺口,不得觸發 token collection 或 Gitea write。
 7. 不新增執行按鈕,不做 runtime enforcement。
diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
index b5b1ede1..e7d8c21e 100644
--- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
@@ -27,7 +27,7 @@ python3 scripts/security/security-mirror-progress-guard.py
 ### 0.2 Headline 58% 不代表停滯
-近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks,以及 S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。
+近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks,以及 S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate、production ingestion 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。
 | 最近完成 | 目前狀態 | headline delta |
 |----------|----------|----------------|
@@ -64,6 +64,7 @@ python3 scripts/security/security-mirror-progress-guard.py
 | S4.13 reviewer audit handoff checks | 已完成草案,只確認 handoff packets 可見、counters 不變、source packets 必讀、安全顯示欄位、runtime 誤讀阻擋與 next focus 未被標記 received | 0 |
 | S4.13 parallel session sync checks | 已完成草案,只確認同一 PR 分支、latest delta、0 counters、false flags、source-control mutation 禁令與 S4.9 next focus | 0 |
 | S4.13 parallel session conflict lanes | 已完成草案,只把 stale branch、stale delta、counter drift、runtime flag drift、source-control mutation request 與 next focus drift 分流到停下重讀或人工 review | 0 |
+| S4.13 parallel session recovery checks | 已完成草案,只確認 conflict lane 後要重抓遠端、重讀 latest ledger、重跑只讀 guards、review diff、確認 false flags 與回到 S4.9 next focus | 0 |
 headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。
@@ -89,7 +90,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
 | S2.4 AwoooP 鏡像驗收契約 | 完成草案 | `security_mirror_acceptance_v1` 已建立 8 個 acceptance checks;blocking 只針對鏡像資料不完整、未脫敏或進度估算被誤當授權 | AwoooP 接入時可驗收,不升級成 runtime enforcement |
 | S2.5 AwoooP 鏡像隔離契約 | 完成草案 | `security_mirror_quarantine_v1` 已建立 5 個 quarantine lanes;失敗 payload 必須等新 snapshot commit 後才能 retry | AwoooP 可隔離壞資料,不阻擋 runtime |
 | S2.6 AwoooP 鏡像 dry-run 報告契約 | 完成草案 | `security_mirror_dry_run_v1` 已建立 8 個 dry-run steps,已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`;latest local validation 為 `repo_snapshot_guard_pass`;目前狀態仍為 contract defined not executed | AwoooP 未來可回報演練結果,但不啟動 production ingestion |
-| S2.7 AwoooP 鏡像狀態彙整契約 | 完成草案 | `security_mirror_status_rollup_v1` 已建立,彙整 S0-S4、approval queue summary 與下一個安全 gate;S4.13 已補 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks 與 parallel session conflict lanes | 兩個 Session 用同一份 rollup 同步,不誤啟執行面 |
+| S2.7 AwoooP 鏡像狀態彙整契約 | 完成草案 | `security_mirror_status_rollup_v1` 已建立,彙整 S0-S4、approval queue summary 與下一個安全 gate;S4.13 已補 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks | 兩個 Session 用同一份 rollup 同步,不誤啟執行面 |
 | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate |
 | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item |
 | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 |
@@ -101,7 +102,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
 | S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot;7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence;仍不可切 primary |
 | S4.3 Workflow / Secret 名稱 redacted export request | 完成草案 | 已建立 export request schema / snapshot / 人讀版;7 個 in-scope repos、5 類 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;write token allowed=false | repo owner 或未來只讀 API 依 request 補 redacted export;仍不可收 secret value、不可修改 GitHub/Gitea |
 | S4.12 Workflow / Secret Name Owner Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 response templates、8 個 acceptance checks、10 個 rejection rules、candidate repos 8、in-scope repos 7、received response 0、accepted 0、audit events emitted 0、execution authorized=false | owner 依 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與模板回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;response 通過只更新 read-only inventory / export request / readiness wording,不代表收 secret value、改 workflow、啟用 runner 或 primary approval |
-| S4.13 Source Control Owner Response Validation Rollup | 完成草案 | 已建立 validation rollup schema / snapshot / 人讀版;彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets、4 條 missing response lanes、4 步 owner response collection order、next collection candidate、22 個 response templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、40 個 rejection rules、received / accepted / rejected response 皆為 0、reviewer audit emitted 仍為 0、execution authorized=false;latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK` | AwoooP 可顯示四包 owner response 驗收總覽、缺口摘要、建議收件順序、下一個建議收件項目、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes 與 quarantine rules;rollup 不代表 approval、runtime gate、production ingestion、repo / refs / workflow / secret / runner 執行授權或 primary approval |
+| S4.13 Source Control Owner Response Validation Rollup | 完成草案 | 已建立 validation rollup schema / snapshot / 人讀版;彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets、4 條 missing response lanes、4 步 owner response collection order、next collection candidate、22 個 response templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks、40 個 rejection rules、received / accepted / rejected response 皆為 0、reviewer audit emitted 仍為 0、execution authorized=false;latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK` | AwoooP 可顯示四包 owner response 驗收總覽、缺口摘要、建議收件順序、下一個建議收件項目、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes、parallel session recovery checks 與 quarantine rules;rollup 不代表 approval、runtime gate、production ingestion、repo / refs / workflow / secret / runner 執行授權或 primary approval |
 | S4.4 GitHub Primary rollback ADR | 完成草案 | 已建立 rollback ADR schema / snapshot / 人讀版;7 個 in-scope rollback drafts、0 owner approved、0 dry-run completed、0 active cutover | repo owner 審查 rollback owner、validation window 與 triggers;仍不可切 primary 或執行 rollback |
 | S4.5 Gitea 認證清冊匯出請求 | 完成草案 | 已建立匯出請求 schema / snapshot / 人讀版;目前未認證公開範圍 repo 2 個、本機可見 Gitea unique repo 4 個、覆蓋缺口 2 個、匯出來源選項 2 類;允許收集 token value=false | repo owner 依只讀 token API 或已脫敏管理匯出補私有 / 內部全量 repo list;仍不可保存 token、不可 write Gitea、不可 refs sync |
 | S4.6 Gitea 認證清冊匯入驗收契約 | 完成草案 | 已建立匯入驗收 schema / snapshot / 人讀版;目前 received payload 0、accepted 0、rejected 0;定義 10 個驗收檢查、10 個拒收規則與 4 個 quarantine lanes | owner 提供脫敏 payload 後先驗收 / 拒收 / 隔離;仍不可把驗收當 primary approval |
@@ -227,9 +228,9 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
 2. 依 S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 與 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical response;目前 response 0 筆、accepted 0 筆,通過後也只更新 read-only decision table / approval package / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval。
 3. 依 S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner response 驗收;audit event templates 目前 0 emitted,redaction examples 只示範安全 metadata shape,collection checks 只維持 request / received / accepted 分離,preflight 只分類可審、補證、隔離、拒收或等待,response 通過也只更新 read-only classification / reconcile / readiness wording,仍不得 push/delete refs 或 force push。
 4. 依 S4.12 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 與 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` 對 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 做 owner response 驗收;request packet 只顯示要回覆欄位與拒收 payload,template status ledger 只顯示 waiting,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範安全 metadata shape,collection checks 只維持 request / received / accepted 分離,preflight 只分類可審、補證、隔離或拒收,不代表已送出、已收到、已接受或 production ingestion,response 通過也只更新 read-only inventory / export request / readiness wording,仍不得收 secret value、改 workflow 或啟用 runner。
-5. 依 S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md` 集中檢查 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks 與 parallel session conflict lanes;rollup / routing / sections / transition rules / checklist / outcome lanes / audit templates / audit display sections / audit collection checks / audit redaction examples / audit retention rules / audit retention checks / audit handoff packets / handoff checks / parallel session sync checks / parallel session conflict lanes 通過也只更新 read-only wording,不代表 approval、production ingestion 或 execution authorization。
+5. 依 S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md` 集中檢查 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks;rollup / routing / sections / transition rules / checklist / outcome lanes / audit templates / audit display sections / audit collection checks / audit redaction examples / audit retention rules / audit retention checks / audit handoff packets / handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks 通過也只更新 read-only wording,不代表 approval、production ingestion 或 execution authorization。
 6. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
 7. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。
-8. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、S4.13 `source_control_owner_response_validation_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 S4.13 需顯示四包 owner response validation rollup、missing lanes、collection order、next collection candidate、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks 與 parallel session conflict lanes,Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / 收件包,GitHub target 決策需同時顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response templates,refs truth 需同時顯示 S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request、S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 5 個 owner response templates,primary readiness 需同時顯示 S4.4 rollback ADR 草案。
+8. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、S4.13 `source_control_owner_response_validation_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 S4.13 需顯示四包 owner response validation rollup、missing lanes、collection order、next collection candidate、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks,Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / 收件包,GitHub target 決策需同時顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response templates,refs truth 需同時顯示 S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request、S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 5 個 owner response templates,primary readiness 需同時顯示 S4.4 rollback ADR 草案。
 9. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。
-10. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response request packet、S4.9 owner response template status ledger、S4.9 owner response audit event templates、S4.9 owner response redaction examples、S4.9 owner response display sections、S4.9 owner response collection checks、S4.9 owner response templates、S4.10 GitHub target owner response request packet、S4.10 GitHub target owner response template status ledger、S4.10 GitHub target owner response audit event templates、S4.10 GitHub target owner response redaction examples、S4.10 GitHub target owner response collection checks、S4.10 GitHub target owner response intake preflight checks、S4.10 GitHub target owner response templates、S4.11 refs truth owner response request packet、S4.11 refs truth owner response template status ledger、S4.11 refs truth owner response audit event templates、S4.11 refs truth owner response redaction examples、S4.11 refs truth owner response collection checks、S4.11 refs truth owner response intake preflight checks、S4.11 refs truth owner response templates、S4.12 workflow / secret 名稱 owner response request packet、S4.12 workflow / secret 名稱 owner response template status ledger、S4.12 workflow / secret 名稱 owner response audit event templates、S4.12 workflow / secret 名稱 owner response redaction examples、S4.12 workflow / secret 名稱 owner response collection checks、S4.12 workflow / secret 名稱 owner response intake preflight checks、S4.12 workflow / secret 名稱 owner response templates、S4.13 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks 與 reviewer audit handoff packets、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。
+10. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response request packet、S4.9 owner response template status ledger、S4.9 owner response audit event templates、S4.9 owner response redaction examples、S4.9 owner response display sections、S4.9 owner response collection checks、S4.9 owner response templates、S4.10 GitHub target owner response request packet、S4.10 GitHub target owner response template status ledger、S4.10 GitHub target owner response audit event templates、S4.10 GitHub target owner response redaction examples、S4.10 GitHub target owner response collection checks、S4.10 GitHub target owner response intake preflight checks、S4.10 GitHub target owner response templates、S4.11 refs truth owner response request packet、S4.11 refs truth owner response template status ledger、S4.11 refs truth owner response audit event templates、S4.11 refs truth owner response redaction examples、S4.11 refs truth owner response collection checks、S4.11 refs truth owner response intake preflight checks、S4.11 refs truth owner response templates、S4.12 workflow / secret 名稱 owner response request packet、S4.12 workflow / secret 名稱 owner response template status ledger、S4.12 workflow / secret 名稱 owner response audit event templates、S4.12 workflow / secret 名稱 owner response redaction examples、S4.12 workflow / secret 名稱 owner response collection checks、S4.12 workflow / secret 名稱 owner response intake preflight checks、S4.12 workflow / secret 名稱 owner response templates、S4.13 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。
diff --git a/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md b/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md
index bbc160bd..c7b6bec3 100644
--- a/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md
+++ b/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md
@@ -126,7 +126,7 @@ Ref truth classification 已建立,將 `awoooi`、`clawbot-v5`、`wooo-aiops` Workflow / secret name owner response 已建立,S4.12 補 1 個 request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 templates,對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;received / accepted response 皆為 0、audit events emitted 仍為 0。不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value collection、workflow modification、GitHub hosted runner enablement 或 primary approval。 -Owner response validation rollup 已建立,S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes,received / accepted response 皆為 0,reviewer audit emitted 仍為 0。不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks 或 parallel session conflict lanes 當成 approval、runtime gate、production ingestion 或 execution authorization。 +Owner response validation rollup 已建立,S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display 
sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks,received / accepted response 皆為 0,reviewer audit emitted 仍為 0。不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes 或 parallel session recovery checks 當成 approval、runtime gate、production ingestion 或 execution authorization。 ## 3. 必要驗收 gate 
@@ -159,7 +159,7 @@ Ref truth classification 補充:完整 review lane 見 `docs/security/SOURCE-C 2. 依 GitHub target repo-by-repo approval package 處理 7 個 approval-required target。 3. 依 S4.11 ref truth owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包與 classification 釐清 `wooo/awoooi`、`wooo/clawbot-v5`、`wooo/wooo-aiops` 的雙端分歧來源;仍不得 push/delete refs。 4. 依 S4.12 workflow / secret name owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition;仍不得收 secret value、改 workflow 或啟用 hosted runner。 -5. 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks 與 parallel session conflict lanes;仍不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks 或 parallel session conflict lanes 當 approval、production ingestion 或 execution authorization。 +5. 
依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks;仍不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes 或 parallel session recovery checks 當 approval、production ingestion 或 execution authorization。 6. 釐清 `wooo/ewoooc`、`root/momo-pro-system`、`momo-pro-system`、`momo_pro_system` 的 canonical 關係。 7. 釐清 `bitan-pharmacy`、`tsenyang-website` 是否仍 active,並決定 GitHub owner / visibility。 8. 產出 GitHub primary ADR 前,不做主控切換。 diff --git a/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md b/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md index 7eaaf17e..3729413c 100644 --- a/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md +++ b/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md 
@@ -15,7 +15,7 @@ S4.13 補的是「四個 owner response 收件包的只讀驗收彙整」。 它彙整 S4.9 Gitea owner attestation response、S4.10 GitHub target owner decision response、S4.11 refs truth owner response、S4.12 workflow / secret name owner response。目的只是讓 AwoooP 有單一入口看到哪些 owner response 尚未收到、哪些可驗收、哪些必須拒收或隔離。 -S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runtime gate,不新增 action button,也不把任何 response、reviewer audit retention check、handoff packet、parallel session sync check 或 parallel session conflict lane 當成 repo creation、visibility change、refs sync、workflow 修改、secret 搬移、runner 啟用或 GitHub primary approval。 +S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runtime gate,不新增 action button,也不把任何 response、reviewer audit retention check、handoff packet、parallel session sync check、parallel session conflict lane 或 parallel session recovery check 當成 repo creation、visibility change、refs sync、workflow 修改、secret 搬移、runner 啟用或 GitHub primary approval。 ## 1. Rollup 摘要 @@ -45,6 +45,7 @@ S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runt | reviewer audit handoff checks | 6 | | parallel session sync checks | 6 | | parallel session conflict lanes | 6 | +| parallel session recovery checks | 6 | | quarantine required | `true` | | primary ready count | 0 | | runtime execution authorized | `false` | 
@@ -319,6 +320,19 @@ AwoooP 顯示 S4.9 時,應同步讀取 `gitea-inventory-owner-attestation-resp
 這 6 條 conflict lanes 只是在兩個 Session 對分支、ledger、counter、false flags、source-control mutation 或下一步 focus 看法不一致時,固定「停下、重讀、人工 review」的顯示語義;不授權 merge、rebase、force push、repo / refs / workflow / secret / runner 變更、Kali scan、GitHub primary switch 或任何 runtime action。
+## 3.16 Parallel Session Recovery Checks
+
+| 順序 | Recovery check | 檢查要求 | 安全結果 |
+|------|----------------|----------|----------|
+| 1 | fetch and compare branch | 命中 conflict lane 後先確認本地 HEAD 與遠端 PR 分支為 0/0 | branch compare read-only |
+| 2 | read latest ledger and LOGBOOK | 重新讀 latest delta、ledger length、LOGBOOK latest entry 與 handoff summary | latest ledger read-only |
+| 3 | rerun read-only guards | 重跑 owner response guard 與 mirror progress guard | guard pass display-only |
+| 4 | review staged diff only | staged / unstaged diff 只能是 docs/schema/snapshot/guard 類更新 | diff review read-only |
+| 5 | keep runtime flags false | runtime、repo、refs、workflow、primary 與 action button flags 仍為 false | runtime flags false |
+| 6 | record next focus remains S4.9 | 復原後 next_collection_candidate 仍只顯示 S4.9 | S4.9 display only |
+
+這 6 個 recovery checks 只是在 conflict lane 命中後,固定「重抓遠端、重讀 ledger、重跑 guard、看 diff、確認 false flags、回到 S4.9」的只讀復原順序;不授權 rebase、merge、force push、覆蓋另一個 Session 變更、repo / refs / workflow / secret / runner 變更、Kali scan、GitHub primary switch 或任何 runtime action。
+
 ## 4. AwoooP 可做
 1. 顯示四個 response packets 的總覽與缺口。
@@ -340,7 +354,8 @@ AwoooP 顯示 S4.9 時,應同步讀取 `gitea-inventory-owner-attestation-resp
 17. 顯示 6 個 reviewer audit handoff checks,確認 handoff packets 可見、counters 不變、source packets 必讀、安全顯示欄位、runtime 誤讀阻擋與 next focus 未被標記 received。
 18. 顯示 6 個 parallel session sync checks,確認另一個 Session 接手前已同步同一 PR 分支、latest delta、0 counters、false flags、source-control mutation 禁令與 S4.9 next focus。
 19. 顯示 6 條 parallel session conflict lanes,讓分支、delta、counter、runtime flag、source-control mutation request 或 next focus 衝突時只進停下重讀與人工 review。
-20. 在未來 response 通過後,只更新 read-only evidence、matrix、decision table、reconcile wording 或 readiness wording。
+20. 顯示 6 個 parallel session recovery checks,讓 conflict lane 命中後只做 fetch/compare、重讀 ledger、重跑只讀 guard、review diff、確認 false flags 與 S4.9 next focus。
+21. 在未來 response 通過後,只更新 read-only evidence、matrix、decision table、reconcile wording 或 readiness wording。
 ## 5. AwoooP 不可做
diff --git a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md
index 63d49467..d41db7c7 100644
--- a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md
+++ b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md
@@ -37,7 +37,7 @@ | Gate | 目前狀態 | 說明 | |------|----------|------| -| Gitea authenticated inventory | blocked | private/internal 全量 repo list 尚未完成;S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections 與 collection checks 已可顯示,但 S4.7 owner coverage attestation response 仍未收到,audit events emitted 仍為 0;S4.13 已集中顯示四包 owner response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks 與 parallel session conflict lanes,但 total accepted response 仍為 0、reviewer audit emitted 仍為 0 | +| Gitea authenticated inventory | blocked | private/internal 全量 repo list 尚未完成;S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections 與 collection checks 已可顯示,但 S4.7 owner coverage attestation response 仍未收到,audit events emitted 仍為 0;S4.13 已集中顯示四包 owner response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks,但 total accepted response 仍為 0、reviewer audit emitted 仍為 0 | | refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift;S4.11 已補 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,received / accepted response 皆為 0、audit events emitted 仍為 0 | | 
workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,received / accepted response 皆為 0、audit events emitted 仍為 0;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot | | owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,received / accepted response 皆為 0 | 
@@ -48,12 +48,12 @@ 1. 顯示每個 repo 的 readiness state、blockers 與 evidence refs。 2. 顯示 `primary_ready_count=0`。 3. 將 7 個 in-scope repos 維持在 approval / review lane。 -4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / owner response、S4.10 GitHub target owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.11 refs truth owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.12 workflow / secret name owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.13 validation rollup / evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / handoff checks / parallel session sync checks / parallel session conflict lanes、workflow/runner/secret name inventory、rollback ADR。 +4. 
顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / owner response、S4.10 GitHub target owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.11 refs truth owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.12 workflow / secret name owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.13 validation rollup / evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks、workflow/runner/secret name inventory、rollback ADR。 5. 連到 S4.10 `github_target_owner_decision_response_v1` 顯示 1 個 owner response request packet、7 個 owner response template statuses、3 個 owner response audit event templates、5 個 owner response redaction examples、6 個 owner response collection checks、6 個 intake preflight checks、7 個 owner decision response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。 6. 
連到 S4.11 `source_control_ref_truth_owner_response_v1` 顯示 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 refs owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0、audit events emitted 仍為 0。 7. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。 8. 連到 S4.12 `source_control_workflow_secret_name_owner_response_v1` 顯示 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0、audit events emitted 仍為 0。 -9. 連到 S4.13 `source_control_owner_response_validation_rollup_v1` 顯示四包 owner response validation 狀態:22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、received / accepted / rejected response 皆為 0、reviewer audit emitted 仍為 0。 +9. 
連到 S4.13 `source_control_owner_response_validation_rollup_v1` 顯示四包 owner response validation 狀態:22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks、received / accepted / rejected response 皆為 0、reviewer audit emitted 仍為 0。 10. 連到 `source_control_primary_rollback_adr_v1` 顯示 7 個 in-scope repos 的 rollback owner、trigger 與 validation window 草案。 11. 把狀態寫入 Audit evidence 與 Operator Console。 
@@ -71,6 +71,6 @@ S4.0 只是把「切換前一定要看見什麼」先定義清楚。 -S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、收件包、preflight 與 outcome lanes,S4.10 已補上 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.11 已補上 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.12 已補上 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.13 已補上四包 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks 與 parallel session conflict lanes;它們只是 scope decision、response 收件提示、metadata audit template、脫敏範例、只讀收件檢查、只讀 preflight、只讀顯示順序、只讀 evidence routing、只讀狀態語義、人工審查提示、結果分類、脫敏稽核格式、稽核顯示邊界、只讀稽核檢查、安全 metadata 顯示範例、metadata retention 邊界、只讀 retention 驗證、跨 Session 只讀交接、交接消費檢查、平行 Session 同步檢查、衝突 lane 與驗收框架,不是 audit production ingestion、migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval、secret value collection approval、workflow modification approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 +S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response request 
packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、收件包、preflight 與 outcome lanes,S4.10 已補上 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.11 已補上 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.12 已補上 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.13 已補上四包 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks;它們只是 scope decision、response 收件提示、metadata audit template、脫敏範例、只讀收件檢查、只讀 preflight、只讀顯示順序、只讀 evidence routing、只讀狀態語義、人工審查提示、結果分類、脫敏稽核格式、稽核顯示邊界、只讀稽核檢查、安全 metadata 顯示範例、metadata retention 邊界、只讀 retention 驗證、跨 Session 只讀交接、交接消費檢查、平行 Session 同步檢查、衝突 lane、復原前檢查與驗收框架,不是 audit production ingestion、migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval、secret value collection approval、workflow modification approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 這讓長期回到 GitHub 的方向可以繼續往前,但仍維持低摩擦:目前只 mirror、只顯示、只留痕,不執行。 diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json index d76113a4..ef082a33 100644 --- a/docs/security/security-mirror-readiness.snapshot.json 
+++ b/docs/security/security-mirror-readiness.snapshot.json @@ -271,7 +271,7 @@ "docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md", "docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md" ], - "notes": "提供 AwoooP / Security Supply Chain 跨 Session 狀態總覽、下一個 gate 與禁止事項;S4.13 owner response validation rollup 可 mirror 四個 response packets、22 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、received=0、accepted=0、reviewer audit emitted=0、next_collection_candidate=S4.9;不授權執行。" + "notes": "提供 AwoooP / Security Supply Chain 跨 Session 狀態總覽、下一個 gate 與禁止事項;S4.13 owner response validation rollup 可 mirror 四個 response packets、22 個 templates、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks、received=0、accepted=0、reviewer audit emitted=0、next_collection_candidate=S4.9;不授權執行。" }, { "contract": "coding_task_v1", diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index ddf2f6cb..9aaf6fd2 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json 
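Review bot: The new `notes` string restates the count `6 個 parallel session recovery checks` as free text, while the same number already exists as the structured `owner_response_validation_parallel_session_recovery_check_count` summary field this commit adds to the rollup schema; nothing visible in the diff checks that the narrative string and the structured count agree. The same duplicated count is written into the `current_result`, `next_gate` and `why_headline_is_holding` strings of security-mirror-status-rollup.snapshot.json and into its `allowed_processing` entry further down this diff. If the count changes later, these strings go stale while the count guard still passes, and an operator reading the snapshot takes the wrong figure as truth. Consider having `security-mirror-progress-guard.py` assert the expected substring in each of these strings, or keep per-item counts only in structured fields and render the narrative from them.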
+++ b/docs/security/security-mirror-status-rollup.snapshot.json 
@@ -143,15 +143,15 @@ { "phase_id": "S4_migration_execution", "state": "not_started", - "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.11 已補 refs truth owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包;S4.12 已補 workflow / secret 名稱 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.13 已補四包 owner response validation rollup、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks 與 6 條 parallel session conflict lanes,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,S4.9/S4.11/S4.12 audit events emitted 仍 0 筆,GitHub target / refs 
truth / workflow-secret response 仍 0 筆,S4.13 reviewer audit templates 也仍為 emitted=0,handoff packets / checks、parallel session sync checks 與 parallel session conflict lanes 只作跨 Session 只讀交接、消費檢查、分支/ledger 同步確認與衝突分流。", - "next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks 與 6 條 parallel session conflict lanes,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 refs truth owner response templates、依 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。" + "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea 
authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.11 已補 refs truth owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包;S4.12 已補 workflow / secret 名稱 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.13 已補四包 owner response validation rollup、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes 與 6 個 parallel session recovery checks,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,S4.9/S4.11/S4.12 audit events emitted 仍 0 筆,GitHub target / refs truth / workflow-secret response 仍 0 筆,S4.13 reviewer audit templates 也仍為 emitted=0,handoff packets / checks、parallel session sync checks、parallel session conflict lanes 與 recovery checks 只作跨 Session 只讀交接、消費檢查、分支/ledger 同步確認、衝突分流與復原前檢查。", + "next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態、6 條 evidence routing rules、8 個 
display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes 與 6 個 parallel session recovery checks,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 refs truth owner response templates、依 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。" } ], "progress_display_policy": { "headline_percent": 58, "headline_status": "holding_until_owner_response_or_runtime_gate", "why_headline_is_holding": [ - "最近完成的是 S4.10 owner response request / status / audit / redaction / collection checks / intake preflight、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks,以及 S4.13 evidence routing rules 
/ display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes 的框架細節,改善可見性、收件安全、稽核格式、跨 Session 同步與衝突分流,但 owner response received / accepted 仍為 0。", + "最近完成的是 S4.10 owner response request / status / audit / redaction / collection checks / intake preflight、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight、S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks,以及 S4.13 evidence routing rules / display sections / state transition rules / reviewer checklist / reviewer outcome lanes / reviewer audit event templates / reviewer audit display sections / reviewer audit collection checks / reviewer audit redaction examples / reviewer audit retention rules / reviewer audit retention checks / reviewer audit handoff packets / reviewer audit handoff checks / parallel session sync checks / parallel session conflict lanes / parallel session recovery checks 的框架細節,改善可見性、收件安全、稽核格式、跨 Session 同步、衝突分流與復原前檢查,但 owner response received / accepted 仍為 0。", "overall_percent 只在 owner response、redacted payload ingestion、active runtime gate、GitHub primary readiness 或 AwoooP production ingestion 這些高層 gate 有實質變化時調整。", "維持 58% 是為了避免把 read-only scaffold 誤算成 runtime enforcement、Kali scan、repo migration 或 GitHub primary cutover。" ], 
@@ -563,6 +563,18 @@
 "runtime_delta": false,
 "execution_authorized": false,
 "not_authorization": true
+ },
+ {
+ "delta_id": "s4_13_owner_response_validation_parallel_session_recovery_checks",
+ "display_order": 34,
+ "completed_stage": "S4.13 owner response validation parallel session recovery checks",
+ "progress_axis": "framework_detail",
+ "headline_percent_delta": 0,
+ "framework_delta_visible": true,
+ "why_headline_unchanged": "parallel session recovery checks 只確認 fetch/branch compare、latest ledger、read-only guards、staged diff review、runtime flags false 與 next focus S4.9,不代表 owner response received、production ingestion、approval、runtime gate 或 execution authorization。",
+ "runtime_delta": false,
+ "execution_authorized": false,
+ "not_authorization": true
 }
 ],
 "next_safe_actions": [
@@ -574,7 +586,7 @@ "allowed_processing": [ "顯示 S4.9/S4.10/S4.11/S4.12 四個 response packets", "顯示 22 個 templates、received=0、accepted=0、rejected=0", - "顯示 10 個 cross-packet acceptance checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes 與 quarantine rules", + "顯示 10 個 cross-packet acceptance checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes、6 個 parallel session recovery checks 與 quarantine rules", "只更新 read-only wording、matrix 或 readiness evidence" ], "blocked_processing": [ 
@@ -819,7 +831,7 @@ "S4.10 新增 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_request_packet_count=1、owner_response_template_status_count=7、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、response_template_count=7、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 repo creation、visibility change、refs sync 或 GitHub primary approval。", "S4.11 已新增 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、response_template_count=5、received_response_count=0、accepted_response_count=0、audit_events_emitted=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 refs sync、delete、force push 或 GitHub primary approval。", "S4.12 只新增 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、audit_events_emitted=0、response_template_count=5、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 secret 
value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。", - "S4.13 只新增 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks 與 parallel session conflict lanes;response_packet_count=4、template_count=22、received_response_count=0、accepted_response_count=0、cross_packet_check_count=10、owner_response_evidence_routing_rule_count=6、owner_response_validation_display_section_count=8、owner_response_validation_state_transition_rule_count=7、owner_response_validation_reviewer_checklist_count=9、owner_response_validation_reviewer_outcome_lane_count=7、owner_response_validation_reviewer_audit_event_template_count=4、owner_response_validation_reviewer_audit_display_section_count=5、owner_response_validation_reviewer_audit_collection_check_count=6、owner_response_validation_reviewer_audit_redaction_example_count=5、owner_response_validation_reviewer_audit_retention_rule_count=5、owner_response_validation_reviewer_audit_retention_check_count=6、owner_response_validation_reviewer_audit_handoff_packet_count=6、owner_response_validation_reviewer_audit_handoff_check_count=6、owner_response_validation_parallel_session_sync_check_count=6、owner_response_validation_parallel_session_conflict_lane_count=6、reviewer_audit_events_emitted=0、next_collection_candidate=S4.9,不把 rollup、routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel 
session sync checks 或 parallel session conflict lanes 當 approval、runtime gate、production ingestion 或 execution authorization。" + "S4.13 只新增 owner response validation rollup、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks;response_packet_count=4、template_count=22、received_response_count=0、accepted_response_count=0、cross_packet_check_count=10、owner_response_evidence_routing_rule_count=6、owner_response_validation_display_section_count=8、owner_response_validation_state_transition_rule_count=7、owner_response_validation_reviewer_checklist_count=9、owner_response_validation_reviewer_outcome_lane_count=7、owner_response_validation_reviewer_audit_event_template_count=4、owner_response_validation_reviewer_audit_display_section_count=5、owner_response_validation_reviewer_audit_collection_check_count=6、owner_response_validation_reviewer_audit_redaction_example_count=5、owner_response_validation_reviewer_audit_retention_rule_count=5、owner_response_validation_reviewer_audit_retention_check_count=6、owner_response_validation_reviewer_audit_handoff_packet_count=6、owner_response_validation_reviewer_audit_handoff_check_count=6、owner_response_validation_parallel_session_sync_check_count=6、owner_response_validation_parallel_session_conflict_lane_count=6、owner_response_validation_parallel_session_recovery_check_count=6、reviewer_audit_events_emitted=0、next_collection_candidate=S4.9,不把 rollup、routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction 
examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets / checks、parallel session sync checks、parallel session conflict lanes 或 parallel session recovery checks 當 approval、runtime gate、production ingestion 或 execution authorization。" ], "forbidden_actions": [ "start_kali_scan", diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json index 3f1ca02f..2e7b7681 100644 --- a/docs/security/security-supply-chain-contract-manifest.snapshot.json +++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json 
@@ -491,7 +491,7 @@ "sync_refs", "store_secret_value" ], - "notes": "定義 AwoooP 與 Security Supply Chain Session 的共同狀態摘要;目前顯示 58% headline progress、progress display policy 與 micro progress delta ledger,說明近期 S4.10 / S4.11 / S4.12 / S4.13 framework detail 不會推高 headline;S4.13 已補 owner response validation rollup、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 個 reviewer audit handoff checks 與 6 個 parallel session sync checks、6 條 parallel session conflict lanes,彙整 S4.9/S4.10/S4.11/S4.12 共 22 個 response templates、received=0、accepted=0、reviewer audit emitted=0、next_collection_candidate=S4.9;只顯示階段、下一個 gate、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes 與禁止事項,不授權執行。" + "notes": "定義 AwoooP 與 Security Supply Chain Session 的共同狀態摘要;目前顯示 58% headline progress、progress display policy 與 micro progress delta ledger,說明近期 S4.10 / S4.11 / S4.12 / S4.13 framework detail 不會推高 headline;S4.13 已補 owner response validation rollup、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rules、6 個 reviewer audit retention checks、6 個 reviewer audit handoff packets、6 
個 reviewer audit handoff checks、6 個 parallel session sync checks、6 條 parallel session conflict lanes 與 6 個 parallel session recovery checks,彙整 S4.9/S4.10/S4.11/S4.12 共 22 個 response templates、received=0、accepted=0、reviewer audit emitted=0、next_collection_candidate=S4.9;只顯示階段、下一個 gate、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、reviewer audit handoff checks、parallel session sync checks、parallel session conflict lanes、parallel session recovery checks 與禁止事項,不授權執行。" }, { "contract": "coding_task_v1", diff --git a/docs/security/source-control-owner-response-validation-rollup.snapshot.json b/docs/security/source-control-owner-response-validation-rollup.snapshot.json index 1778db55..35b0cd98 100644 --- a/docs/security/source-control-owner-response-validation-rollup.snapshot.json +++ b/docs/security/source-control-owner-response-validation-rollup.snapshot.json @@ -61,7 +61,8 @@ "owner_response_validation_reviewer_audit_handoff_packet_count": 6, "owner_response_validation_reviewer_audit_handoff_check_count": 6, "owner_response_validation_parallel_session_sync_check_count": 6, - "owner_response_validation_parallel_session_conflict_lane_count": 6 + "owner_response_validation_parallel_session_conflict_lane_count": 6, + "owner_response_validation_parallel_session_recovery_check_count": 6 }, "validation_lanes": [ { 
@@ -1772,6 +1773,98 @@
 "not_approval": true
 }
 ],
+ "owner_response_validation_parallel_session_recovery_checks": [
+ {
+ "check_id": "check-recovery-fetch-and-compare-branch",
+ "display_order": 1,
+ "title": "Fetch and compare branch before recovery",
+ "check_requirement": "命中 conflict lane 後,AwoooP 與另一個 Session 必須先顯示 git fetch 後的 HEAD 對 gitea/codex/security-supply-chain-contracts-20260512 為 0/0;若不是 0/0,只能停下請人工判定。",
+ "safe_result": "recovery_branch_compare_read_only",
+ "blocked_interpretations": [
+ "auto_rebase_after_conflict",
+ "auto_merge_after_conflict",
+ "force_push_after_conflict"
+ ],
+ "awooop_display_mode": "display_parallel_session_recovery_check_only",
+ "execution_authorized": false,
+ "not_approval": true
+ },
+ {
+ "check_id": "check-recovery-read-latest-ledger",
+ "display_order": 2,
+ "title": "Read latest ledger and LOGBOOK",
+ "check_requirement": "復原前必須重新讀取 status rollup latest delta、progress_delta_ledger length、LOGBOOK latest entry 與 handoff summary;不得從衝突前的舊上下文繼續。",
+ "safe_result": "recovery_latest_ledger_read_only",
+ "blocked_interpretations": [
+ "continue_from_pre_conflict_context",
+ "skip_logbook_after_conflict",
+ "treat_ledger_read_as_authorization"
+ ],
+ "awooop_display_mode": "display_parallel_session_recovery_check_only",
+ "execution_authorized": false,
+ "not_approval": true
+ },
+ {
+ "check_id": "check-recovery-rerun-readonly-guards",
+ "display_order": 3,
+ "title": "Rerun read-only guards",
+ "check_requirement": "復原前必須重跑 source-control-owner-response guard 與 security-mirror-progress guard;guard pass 只代表 snapshot 邊界一致,不代表 owner response、runtime gate 或 source-control mutation 授權。",
+ "safe_result": "recovery_guards_pass_display_only",
+ "blocked_interpretations": [
+ "treat_guard_pass_as_owner_response",
+ "treat_guard_pass_as_runtime_gate",
+ "treat_guard_pass_as_primary_approval"
+ ],
+ "awooop_display_mode": "display_parallel_session_recovery_check_only",
+ "execution_authorized": false,
+ "not_approval": true
+ },
+ {
+ "check_id": "check-recovery-review-staged-diff-only",
+ "display_order": 4,
+ "title": "Review staged diff before continuing",
+ "check_requirement": "若復原後有 staged 或 unstaged diff,只能顯示 docs/schema/snapshot/guard 類只讀變更;不得把別的 Session 的變更覆蓋、丟棄或自動合併。",
+ "safe_result": "recovery_diff_review_read_only",
+ "blocked_interpretations": [
+ "overwrite_other_session_changes",
+ "drop_unreviewed_changes",
+ "stage_runtime_or_secret_change_from_recovery"
+ ],
+ "awooop_display_mode": "display_parallel_session_recovery_check_only",
+ "execution_authorized": false,
+ "not_approval": true
+ },
+ {
+ "check_id": "check-recovery-keep-runtime-flags-false",
+ "display_order": 5,
+ "title": "Keep runtime flags false after recovery",
+ "check_requirement": "復原後仍必須確認 runtime_execution_authorized、repo_creation_authorized、refs_sync_authorized、workflow_modification_authorized、github_primary_switch_authorized 與 action_buttons_allowed 全部為 false。",
+ "safe_result": "recovery_runtime_flags_false",
+ "blocked_interpretations": [
+ "create_action_button_after_recovery",
+ "enqueue_runtime_job_after_recovery",
+ "start_kali_or_repo_action_after_recovery"
+ ],
+ "awooop_display_mode": "display_parallel_session_recovery_check_only",
+ "execution_authorized": false,
+ "not_approval": true
+ },
+ {
+ "check_id": "check-recovery-record-next-focus-s4-9",
+ "display_order": 6,
+ "title": "Record next focus remains S4.9",
+ "check_requirement": "復原完成後只能把 next_collection_candidate 顯示為 S4.9 Gitea owner attestation response;不得把復原完成視為催收、代填、received、accepted 或 follow-up runtime gate。",
+ "safe_result": "recovery_next_focus_s4_9_display_only",
+ "blocked_interpretations": [
+ "auto_collect_owner_response_after_recovery",
+ "mark_s4_9_received_after_recovery",
+ "create_followup_runtime_gate_after_recovery"
+ ],
+ "awooop_display_mode": "display_parallel_session_recovery_check_only",
+ "execution_authorized": false,
+ "not_approval": true
+ }
+ ],
 "readiness_effects": [
 {
 "effect_id": "gitea_owner_response_accepted",
@@ -1840,6 +1933,7 @@
 "display_owner_response_validation_reviewer_audit_handoff_checks",
 "display_owner_response_validation_parallel_session_sync_checks",
 "display_owner_response_validation_parallel_session_conflict_lanes",
+ "display_owner_response_validation_parallel_session_recovery_checks",
 "route_invalid_response_to_quarantine",
 "update_read_only_readiness_wording_after_accepted_response"
 ],
diff --git a/docs/security/source-control-primary-readiness-gate.snapshot.json b/docs/security/source-control-primary-readiness-gate.snapshot.json
index b4c05bf5..1c07367b 100644
--- a/docs/security/source-control-primary-readiness-gate.snapshot.json
+++ b/docs/security/source-control-primary-readiness-gate.snapshot.json
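Review bot: Check 3 (`check-recovery-rerun-readonly-guards`) reruns `source-control-owner-response-guard.py` and `security-mirror-progress-guard.py` before check 4 (`check-recovery-review-staged-diff-only`) has looked at the working tree, and check 4 explicitly tolerates `guard 類` changes in the staged/unstaged diff, so a recovering session can execute a guard script the other session modified locally (both are `100755` executables per the script file headers further down this patch) and then display a "guard pass" derived from unreviewed code. The statement in check 3 that a guard pass "只代表 snapshot 邊界一致" only holds if the guard that ran is the reviewed one, so I would pin the rerun to the fetched branch by extending check 3's `check_requirement`, e.g. append `;重跑前 scripts/security/*guard.py 必須與 fetch 後的 HEAD 一致(git diff --quiet HEAD -- scripts/security/),否則停下請人工判定`. Alternatively swap display_order 3 and 4 so the diff review precedes the rerun, which would also require updating the `EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS` order in the guard.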
@@ -52,7 +52,7 @@ "S4.6 已建立 redacted import acceptance,但目前 received_payload_count=0、accepted_payload_count=0", "S4.7 已建立 owner coverage attestation request,但目前 received_attestation_count=0、accepted_attestation_count=0", "S4.9 已建立 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes,但目前 received_response_count=0、accepted_response_count=0、audit_events_emitted=0", - "S4.13 validation rollup 已將 S4.9 納入四包 owner response 驗收總覽、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks 與 parallel session conflict lanes,但目前 total_received_response_count=0、total_accepted_response_count=0、reviewer audit emitted=0", + "S4.13 validation rollup 已將 S4.9 納入四包 owner response 驗收總覽、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes 與 parallel session recovery checks,但目前 total_received_response_count=0、total_accepted_response_count=0、reviewer audit emitted=0", "public-only API 只看到 2 個 repos,本機 remote inventory 看到 4 個 unique Gitea repos,gap 仍待 owner 解釋", "GITEA_READONLY_TOKEN 未提供", "不得使用 write-capable credential 當 read-only token" 
@@ -63,7 +63,7 @@ "mirror S4.6 redacted inventory import acceptance", "mirror S4.7 owner coverage attestation request", "mirror S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner attestation response templates、intake preflight checks 與 outcome lanes", - "mirror S4.13 owner response validation rollup, evidence routing rules, display sections, state transition rules, reviewer checklist, reviewer outcome lanes, reviewer audit event templates, reviewer audit display sections, reviewer audit collection checks, reviewer audit redaction examples, reviewer audit retention rules, reviewer audit retention checks, reviewer audit handoff packets, reviewer audit handoff checks, parallel session sync checks, parallel session conflict lanes", + "mirror S4.13 owner response validation rollup, evidence routing rules, display sections, state transition rules, reviewer checklist, reviewer outcome lanes, reviewer audit event templates, reviewer audit display sections, reviewer audit collection checks, reviewer audit redaction examples, reviewer audit retention rules, reviewer audit retention checks, reviewer audit handoff packets, reviewer audit handoff checks, parallel session sync checks, parallel session conflict lanes, parallel session recovery checks", "等待 read-only token 或 redacted admin export", "更新 approval board 與 decision table" ], diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 86bb0d38..b3034545 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py 
@@ -115,6 +115,7 @@ def validate(root: Path) -> None:
 "s4_13_owner_response_validation_reviewer_audit_handoff_checks",
 "s4_13_owner_response_validation_parallel_session_sync_checks",
 "s4_13_owner_response_validation_parallel_session_conflict_lanes",
+ "s4_13_owner_response_validation_parallel_session_recovery_checks",
 ]
 assert_equal(
 "progress_delta_ledger.delta_ids",
@@ -215,6 +216,11 @@ def validate(root: Path) -> None:
 owner_summary["owner_response_validation_parallel_session_conflict_lane_count"],
 6,
 )
+ assert_equal(
+ "owner_rollup.owner_response_validation_parallel_session_recovery_check_count",
+ owner_summary["owner_response_validation_parallel_session_recovery_check_count"],
+ 6,
+ )
 assert_false("owner_rollup.runtime_execution_authorized", owner_summary["runtime_execution_authorized"])
 assert_false("owner_rollup.repo_creation_authorized", owner_summary["repo_creation_authorized"])
 assert_false("owner_rollup.refs_sync_authorized", owner_summary["refs_sync_authorized"])
diff --git a/scripts/security/source-control-owner-response-guard.py b/scripts/security/source-control-owner-response-guard.py
index 05c693a3..49750426 100755
--- a/scripts/security/source-control-owner-response-guard.py
+++ b/scripts/security/source-control-owner-response-guard.py
@@ -404,6 +404,15 @@ EXPECTED_ROLLUP_PARALLEL_SESSION_CONFLICT_LANES = [
 "conflict-next-focus-drift",
 ]
 
+EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS = [
+ "check-recovery-fetch-and-compare-branch",
+ "check-recovery-read-latest-ledger",
+ "check-recovery-rerun-readonly-guards",
+ "check-recovery-review-staged-diff-only",
+ "check-recovery-keep-runtime-flags-false",
+ "check-recovery-record-next-focus-s4-9",
+]
+
 
 def load_json(path: Path) -> dict[str, Any]:
 return json.loads(path.read_text(encoding="utf-8"))
@@ -516,6 +525,11 @@ def validate(root: Path) -> None: rollup_summary["owner_response_validation_parallel_session_conflict_lane_count"], len(EXPECTED_ROLLUP_PARALLEL_SESSION_CONFLICT_LANES), ) + assert_equal( + "rollup.owner_response_validation_parallel_session_recovery_check_count", + rollup_summary["owner_response_validation_parallel_session_recovery_check_count"], + len(EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS), + ) assert_true("rollup.quarantine_required", rollup_summary["quarantine_required"]) assert_equal("rollup.primary_ready_count", rollup_summary["primary_ready_count"], 0) 
@@ -1403,6 +1417,56 @@ def validate(root: Path) -> None:
 item["execution_authorized"],
 )
 
+ parallel_session_recovery_checks = rollup["owner_response_validation_parallel_session_recovery_checks"]
+ assert_equal(
+ "owner_response_validation_parallel_session_recovery_checks.ids",
+ [item["check_id"] for item in parallel_session_recovery_checks],
+ EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS,
+ )
+ assert_equal(
+ "owner_response_validation_parallel_session_recovery_checks.display_order",
+ [item["display_order"] for item in parallel_session_recovery_checks],
+ list(range(1, len(EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS) + 1)),
+ )
+ for item in parallel_session_recovery_checks:
+ assert_equal(
+ f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.awooop_display_mode",
+ item["awooop_display_mode"],
+ "display_parallel_session_recovery_check_only",
+ )
+ assert_false(
+ f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.execution_authorized",
+ item["execution_authorized"],
+ )
+ assert_true(
+ f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.not_approval",
+ item["not_approval"],
+ )
+ for blocked in item["blocked_interpretations"]:
+ if blocked in {
+ "auto_rebase_after_conflict",
+ "auto_merge_after_conflict",
+ "force_push_after_conflict",
+ "continue_from_pre_conflict_context",
+ "treat_ledger_read_as_authorization",
+ "treat_guard_pass_as_owner_response",
+ "treat_guard_pass_as_runtime_gate",
+ "treat_guard_pass_as_primary_approval",
+ "overwrite_other_session_changes",
+ "drop_unreviewed_changes",
+ "stage_runtime_or_secret_change_from_recovery",
+ "create_action_button_after_recovery",
+ "enqueue_runtime_job_after_recovery",
+ "start_kali_or_repo_action_after_recovery",
+ "auto_collect_owner_response_after_recovery",
+ "mark_s4_9_received_after_recovery",
+ "create_followup_runtime_gate_after_recovery",
+ }:
+ assert_false(
+ f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.runtime_execution_authorized",
+ item["execution_authorized"],
+ )
+
 first_lane = LANES[0]
 first_collection_item = collection_order_by_id[first_lane["lane_id"]]
 first_missing_lane = missing_lane_by_id[first_lane["lane_id"]]
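Review bot: The `for blocked in item["blocked_interpretations"]` loop at the end of the added block does not verify the blocked interpretations at all: it re-asserts `item["execution_authorized"]` (already asserted a few lines above) under a label naming a `runtime_execution_authorized` field the items do not carry, and it only runs for names already in the hard-coded set, so a snapshot whose `blocked_interpretations` array is emptied or rewritten still passes this guard. The set is also already out of step with the snapshot in this same patch — `skip_logbook_after_conflict` from `check-recovery-read-latest-ledger` is not in it — and the loop silently tolerates that. Since this guard exists to back-check the snapshot's parallel-session recovery checks, I would replace the loop with an exact per-check comparison against a module-level expected mapping placed next to `EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_CHECKS`, as sketched below; `validate()` begins and continues outside this hunk.

```python
EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_BLOCKED_INTERPRETATIONS = {
    "check-recovery-fetch-and-compare-branch": [
        "auto_rebase_after_conflict",
        "auto_merge_after_conflict",
        "force_push_after_conflict",
    ],
    "check-recovery-read-latest-ledger": [
        "continue_from_pre_conflict_context",
        "skip_logbook_after_conflict",
        "treat_ledger_read_as_authorization",
    ],
    "check-recovery-rerun-readonly-guards": [
        "treat_guard_pass_as_owner_response",
        "treat_guard_pass_as_runtime_gate",
        "treat_guard_pass_as_primary_approval",
    ],
    "check-recovery-review-staged-diff-only": [
        "overwrite_other_session_changes",
        "drop_unreviewed_changes",
        "stage_runtime_or_secret_change_from_recovery",
    ],
    "check-recovery-keep-runtime-flags-false": [
        "create_action_button_after_recovery",
        "enqueue_runtime_job_after_recovery",
        "start_kali_or_repo_action_after_recovery",
    ],
    "check-recovery-record-next-focus-s4-9": [
        "auto_collect_owner_response_after_recovery",
        "mark_s4_9_received_after_recovery",
        "create_followup_runtime_gate_after_recovery",
    ],
}

# … unchanged: ids / display_order asserts and the per-item display_mode, execution_authorized, not_approval asserts …
    for item in parallel_session_recovery_checks:
        # Exact match: an emptied, renamed or reordered blocked list must fail the guard.
        assert_equal(
            f"owner_response_validation_parallel_session_recovery_checks.{item['check_id']}.blocked_interpretations",
            item["blocked_interpretations"],
            EXPECTED_ROLLUP_PARALLEL_SESSION_RECOVERY_BLOCKED_INTERPRETATIONS[item["check_id"]],
        )
```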