docs(security): add gitea inventory import acceptance gate [skip ci]

This commit is contained in:
Your Name
2026-05-13 21:22:32 +08:00
parent ea02578bd8
commit bec1883a5d
20 changed files with 668 additions and 25 deletions


@@ -1,3 +1,34 @@
## 2026-05-13 | 資安供應鏈 S4.6Gitea 認證清冊匯入驗收契約
**背景**S4.5 已把 Gitea 私有 / 內部清冊的匯出請求定義清楚,但 owner 或管理者未來提供 payload 時,仍需要先有驗收、拒收與隔離規則,避免 token、DB dump、git object、repo 操作要求或 primary cutover 暗中混入。為了維持低摩擦,本輪只建立脫敏 payload 的接收規格,不呼叫 Gitea API、不匯入資料、不修改 repo、不同步 refs。
**完成**
- 新增 `docs/schemas/gitea_authenticated_inventory_import_acceptance_v1.schema.json`
- 新增 `docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json` 與 `docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md`
- 定義 10 個驗收檢查、10 個拒收規則、4 個 quarantine lanes。
- 明確標示目前 `received_payload_count=0``accepted_payload_count=0``rejected_payload_count=0`
- 明確標示 `token_value_collection_allowed=false``raw_secret_allowed=false``db_dump_allowed=false``git_object_import_allowed=false``repo_write_allowed=false``refs_sync_allowed=false``github_primary_switch_authorized=false``action_buttons_allowed=false`
- 更新 manifest、mirror readiness、status rollup、primary readiness gate、AwoooP checklist、Gitea approval package、admin export checklist、server-side runbook、repo inventory snapshot、handoff 與 progress使 AwoooP 能顯示 S4.6 payload 驗收 / 拒收 / 隔離規則。
**仍未完成**
- 尚未收到任何 owner / admin redacted inventory payload。
- 尚未產出 `gitea_repo_inventory_v1.status=ok` snapshot。
- 尚未解開 GitHub primary readiness 中的 Gitea inventory blocker。
- 任何 repo 建立、visibility 修改、refs sync、primary cutover 或 Gitea 停用。
**仍禁止**
- 不保存 token value、raw secret、cookie、session、private key、DB dump 或 git object pack。
- 不使用 write token。
- 不建立、刪除、封存或修改 Gitea repo。
- 不建立 GitHub repo、不修改 visibility、不 sync refs、不 delete refs、不 force push。
- 不把 payload 驗收成功當成 GitHub primary approval。
**驗證**
- JSON 全量 parse 通過85 個 JSON files。
- S4.6 assertion 通過manifest 仍為 35 個主 contracts、mirror readiness 維持 32 ready / 2 partial / 1 contract-only / 0 blocked、import acceptance payload 0 筆、驗收檢查 10 個、拒收規則 10 個、quarantine lanes 4 個,所有 runtime / write / token / DB dump / git object flags 皆為 false。
- `git diff --check` 通過。
- 敏感字串掃描確認本輪未保存 Kali SSH 密碼、常見 token pattern、private key material也未出現 `token_value_collection_allowed``raw_secret_allowed``db_dump_allowed``git_object_import_allowed``repo_write_allowed``refs_sync_allowed``github_primary_switch_authorized``action_buttons_allowed``runtime_execution_authorized` 被打開。
## 2026-05-13 | 資安供應鏈 S4.5Gitea 認證清冊匯出請求
**背景**Gitea 全量轉移到 GitHub 前,不能只靠未認證公開範圍清冊。現有 `gitea_repo_inventory_v1` 只能看到 `wooo/awoooi``wooo/ewoooc`,但本機 remote evidence 顯示至少有 4 個 unique Gitea repo 需要納入判斷。為了維持低摩擦,本輪只建立認證 / 管理脫敏匯出請求,不收 token、不寫 Gitea、不做 refs sync、不切 GitHub primary。


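--- /dev/null
+++ b/docs/schemas/gitea_authenticated_inventory_import_acceptance_v1.schema.json
@@ -0,0 +1,207 @@
+{
+"$schema": "https://json-schema.org/draft/2020-12/schema",
+"$id": "urn:awoooi:gitea-authenticated-inventory-import-acceptance-v1",
+"title": "Gitea 認證清冊匯入驗收契約 v1",
+"description": "定義 Gitea 私有 / 內部 repo 清冊的脫敏 payload 驗收、拒收、隔離與允許輸出。此 schema 不授權匯入 token value、Gitea DB dump、git object、repo 寫入、refs sync 或 GitHub primary cutover。",
+"type": "object",
+"required": [
+"schema_version",
+"status",
+"date",
+"mode",
+"runtime_execution_authorized",
+"source_contract",
+"source_request_contract",
+"source_indexes",
+"summary",
+"payload_shape",
+"acceptance_checks",
+"rejection_rules",
+"quarantine_mapping",
+"allowed_outputs",
+"forbidden_actions"
+],
+"properties": {
+"schema_version": {
+"const": "gitea_authenticated_inventory_import_acceptance_v1"
+},
+"status": {
+"type": "string",
+"enum": ["draft_waiting_redacted_inventory_payload"]
+},
+"date": {
+"type": "string"
+},
+"mode": {
+"type": "string",
+"enum": ["redacted_payload_acceptance_only"]
+},
+"runtime_execution_authorized": {
+"type": "boolean",
+"const": false
+},
+"source_contract": {
+"type": "string",
+"const": "gitea_repo_inventory_v1"
+},
+"source_request_contract": {
+"type": "string",
+"const": "gitea_authenticated_inventory_export_request_v1"
+},
+"source_indexes": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"summary": {
+"type": "object",
+"required": [
+"target_contract",
+"import_payload_status",
+"accepted_visibility_scopes",
+"minimum_repo_count",
+"local_gitea_unique_repo_count",
+"required_gap_explanation_count",
+"received_payload_count",
+"accepted_payload_count",
+"rejected_payload_count",
+"acceptance_check_count",
+"rejection_rule_count",
+"quarantine_required_for_sensitive_payload",
+"token_value_collection_allowed",
+"raw_secret_allowed",
+"db_dump_allowed",
+"git_object_import_allowed",
+"repo_write_allowed",
+"refs_sync_allowed",
+"github_primary_switch_authorized",
+"action_buttons_allowed"
+],
+"properties": {
+"target_contract": {
+"type": "string",
+"const": "gitea_repo_inventory_v1.status=ok"
+},
+"import_payload_status": {
+"type": "string",
+"enum": ["waiting_redacted_payload"]
+},
+"accepted_visibility_scopes": {
+"type": "array",
+"items": {
+"type": "string",
+"enum": ["authenticated", "admin_export"]
+},
+"minItems": 1
+},
+"minimum_repo_count": {"type": "integer", "minimum": 0},
+"local_gitea_unique_repo_count": {"type": "integer", "minimum": 0},
+"required_gap_explanation_count": {"type": "integer", "minimum": 0},
+"received_payload_count": {"type": "integer", "minimum": 0},
+"accepted_payload_count": {"type": "integer", "minimum": 0},
+"rejected_payload_count": {"type": "integer", "minimum": 0},
+"acceptance_check_count": {"type": "integer", "minimum": 0},
+"rejection_rule_count": {"type": "integer", "minimum": 0},
+"quarantine_required_for_sensitive_payload": {
+"type": "boolean",
+"const": true
+},
+"token_value_collection_allowed": {"type": "boolean", "const": false},
+"raw_secret_allowed": {"type": "boolean", "const": false},
+"db_dump_allowed": {"type": "boolean", "const": false},
+"git_object_import_allowed": {"type": "boolean", "const": false},
+"repo_write_allowed": {"type": "boolean", "const": false},
+"refs_sync_allowed": {"type": "boolean", "const": false},
+"github_primary_switch_authorized": {"type": "boolean", "const": false},
+"action_buttons_allowed": {"type": "boolean", "const": false}
+},
+"additionalProperties": false
+},
+"payload_shape": {
+"type": "object",
+"required": [
+"required_top_level_fields",
+"required_repo_fields",
+"required_attestations",
+"field_constraints"
+],
+"properties": {
+"required_top_level_fields": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"required_repo_fields": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"required_attestations": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"field_constraints": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+}
+},
+"additionalProperties": false
+},
+"acceptance_checks": {
+"type": "array",
+"items": {
+"type": "object",
+"required": [
+"check_id",
+"title",
+"required",
+"pass_condition",
+"failure_lane",
+"execution_authorized"
+],
+"properties": {
+"check_id": {"type": "string"},
+"title": {"type": "string"},
+"required": {"type": "boolean"},
+"pass_condition": {"type": "string"},
+"failure_lane": {"type": "string"},
+"execution_authorized": {"type": "boolean", "const": false}
+},
+"additionalProperties": false
+},
+"minItems": 1
+},
+"rejection_rules": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"quarantine_mapping": {
+"type": "array",
+"items": {
+"type": "object",
+"required": ["condition", "target_lane", "execution_authorized"],
+"properties": {
+"condition": {"type": "string"},
+"target_lane": {"type": "string"},
+"execution_authorized": {"type": "boolean", "const": false}
+},
+"additionalProperties": false
+},
+"minItems": 1
+},
+"allowed_outputs": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+},
+"forbidden_actions": {
+"type": "array",
+"items": {"type": "string"},
+"minItems": 1
+}
+},
+"additionalProperties": false
+}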
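Review bot: `failure_lane` (line 212) and `target_lane` (line 231) are free-form strings, so the schema cannot catch a lane name that does not match one of the four quarantine lanes this commit defines in GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md, and a misspelled lane would validate while routing a sensitive payload nowhere. If a failure lane is always one of those quarantine lanes (the snapshot is not shown here), the schema already declares draft 2020-12, so add `"$defs": {"quarantine_lane": {"type": "string", "enum": ["sensitive_value_payload_quarantine", "oversized_or_wrong_artifact_quarantine", "schema_or_evidence_gap_quarantine", "execution_request_quarantine"]}}` and point both properties at it with `{"$ref": "#/$defs/quarantine_lane"}`. The `date` property (lines 75-77) is likewise an unconstrained string; `"format": "date"` plus `"pattern": "^\\d{4}-\\d{2}-\\d{2}$"` would pin it, since `format` is annotation-only unless the validator opts in. `"uniqueItems": true` on `acceptance_checks`, `rejection_rules` and `quarantine_mapping` would also stop a duplicated entry from inflating the counts the summary reports.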


@@ -71,6 +71,10 @@
"gitea_inventory_local_gitea_repo_count",
"gitea_inventory_export_source_option_count",
"gitea_inventory_token_value_collection_allowed",
"gitea_inventory_import_acceptance_status",
"gitea_inventory_import_acceptance_payload_count",
"gitea_inventory_import_acceptance_quarantine_required",
"gitea_inventory_import_acceptance_execution_authorized",
"primary_readiness_candidate_repo_count",
"github_primary_ready_count",
"primary_rollback_adr_repo_plan_count",
@@ -153,6 +157,20 @@
"type": "boolean",
"const": false
},
"gitea_inventory_import_acceptance_status": {
"type": "string"
},
"gitea_inventory_import_acceptance_payload_count": {
"type": "integer",
"minimum": 0
},
"gitea_inventory_import_acceptance_quarantine_required": {
"type": "boolean"
},
"gitea_inventory_import_acceptance_execution_authorized": {
"type": "boolean",
"const": false
},
"primary_readiness_candidate_repo_count": {
"type": "integer",
"minimum": 0
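Review bot: `gitea_inventory_import_acceptance_quarantine_required` (lines 276-278) is declared as a bare boolean, while the source contract added in this commit pins `summary.quarantine_required_for_sensitive_payload` to `"const": true`, so a rollup snapshot reporting `false` would still validate and the drift would pass the full-parse / assertion step unnoticed. If the rollup is meant to mirror that invariant, write `"gitea_inventory_import_acceptance_quarantine_required": {"type": "boolean", "const": true}`. The same applies to `gitea_inventory_import_acceptance_status` (lines 269-271), which accepts any string where the source schema restricts `status` and `import_payload_status` to a one-value enum. The enclosing `properties` object starts and ends outside the hunk.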


@@ -44,7 +44,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `security_mirror_status_rollup_v1` | AwoooP 鏡像狀態彙整契約 | Operator Console、Runtime State、Audit | mirror-only | 只顯示階段狀態、下一個 gate 與禁止事項;不得視為 runtime authorization |
| `coding_task_v1` | Code Review / Codex Security / manual review | Approval candidate、Channel Event、Audit | suggest-only | 不自動開 patch runner、不自動 merge |
| `source_control_migration_event_v1` | Gitea/GitHub branch/tag/SHA diff | Supply-chain evidence、Approval candidate | mirror-only | 不觸發 deploy、不切換 primary |
| `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 顯示 public-only evidenceS4.5 authenticated/admin export request不保存 token value、不刪除或停用 Gitea repo |
| `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 顯示 public-only evidenceS4.5 authenticated/admin export request 與 S4.6 redacted import acceptance;不保存 token value、不刪除或停用 Gitea repo |
| `local_git_remote_inventory_v1` | 本機可見 Git working tree remote | Source-control coverage evidence、migration matrix | mirror-only | 不視為 Gitea server 全量、不修改 remote |
| `github_target_probe_v1` | 候選 GitHub repo read-only probe | Migration target evidence | mirror-only | `not_found_or_private` 不等同確認不存在 |
| `github_target_decision_v1` | GitHub target 建立與可見性決策草案 | Approval candidate、Migration target evidence | mirror-only | approval 前不得建立 repo、修改 visibility、同步 refs |
@@ -116,7 +116,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `source_control_migration_event_v1.status=blocked` | `observe` | 顯示 blocking reason不允許切 primary |
| `source_control_migration_event_v1.status=verified` | `approve_required` | 仍需人工批准主控切換 |
| `gitea_repo_inventory_v1.status=blocked` | `observe` | 補只讀 token 或管理匯出,不做同步 |
| `gitea_repo_inventory_v1.status=partial` | `observe` | 視為 public-only evidence顯示 S4.5 export request 與 coverage gap不做同步 |
| `gitea_repo_inventory_v1.status=partial` | `observe` | 視為 public-only evidence顯示 S4.5 export request、S4.6 import acceptance 與 coverage gap不做同步 |
| `gitea_repo_inventory_v1.status=ok` | `warn` | 進入 repo mapping / branch tag diff |
| `approval_required_event_v1.requested_action=run_gitea_readonly_inventory` | `approve_required` | 只允許 read-only token 或 redacted admin export不保存 token value |
| `local_git_remote_inventory_v1.status=partial` | `observe` | 補 server-side inventory不做主控切換 |
@@ -155,6 +155,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| Gitea repo inventory snapshot | `docs/security/gitea-repo-inventory.snapshot.json` |
| Gitea repo inventory 人讀版 | `docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md` |
| Gitea authenticated inventory export request | `docs/security/gitea-authenticated-inventory-export-request.snapshot.json` / `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` |
| Gitea authenticated inventory import acceptance | `docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json` / `docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` |
| Gitea org endpoint blocked snapshot | `docs/security/gitea-org-repo-inventory-blocked.snapshot.json` / `docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md` |
| Gitea server-side inventory runbook | `docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md` |
| Gitea read-only inventory approval package | `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md` |


@@ -327,7 +327,7 @@ Schema`docs/schemas/security_mirror_status_rollup_v1.schema.json`
Snapshot`docs/security/security-mirror-status-rollup.snapshot.json`
目前 rollup`framework_ready_waiting_approval`35 個 contracts、32 ready、2 partial、1 contract-only、0 blockedapproval queue 仍為 8 items其中 7 pending approval、1 block candidatereview packets 8 筆state transition rules 5 筆follow-up runtime gate templates 8 筆active runtime gates 0 筆GitHub primary candidate repos 8 筆primary ready 0 筆S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆Gitea inventory 目前 `partial_waiting_authenticated_inventory`public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、token value collection allowed=falseworkflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆decision records 目前 0 筆。
目前 rollup`framework_ready_waiting_approval`35 個 contracts、32 ready、2 partial、1 contract-only、0 blockedapproval queue 仍為 8 items其中 7 pending approval、1 block candidatereview packets 8 筆state transition rules 5 筆follow-up runtime gate templates 8 筆active runtime gates 0 筆GitHub primary candidate repos 8 筆primary ready 0 筆S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆Gitea inventory 目前 `partial_waiting_authenticated_inventory`public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、quarantine required=true、token value collection allowed=falseworkflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆decision records 目前 0 筆。
AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence不得把 rollup 當 runtime authorization。
@@ -477,6 +477,8 @@ AwoooP 初期處理方式:作為 migration matrix 的 read-only evidence`pa
S4.5 支援性請求:已新增 `docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json``docs/security/gitea-authenticated-inventory-export-request.snapshot.json``docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md`。此請求不新增第 36 個主 contract而是補強 `gitea_repo_inventory_v1`:目前未認證公開範圍可見 repo 2 個、本機可見 Gitea unique repo 4 個、覆蓋缺口 2 個;允許的來源只有只讀 token API 清冊或已脫敏管理匯出清冊;`token_value_collection_allowed=false``write_token_allowed=false``repo_write_allowed=false``refs_sync_allowed=false``github_primary_switch_authorized=false`
S4.6 支援性驗收:已新增 `docs/schemas/gitea_authenticated_inventory_import_acceptance_v1.schema.json``docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json``docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md`。此驗收仍不新增第 36 個主 contract只定義 owner / 管理者提供脫敏 payload 後的 schema、redaction、coverage gap、quarantine 與 allowed output目前 `received_payload_count=0``accepted_payload_count=0``runtime_execution_authorized=false`,不得把驗收格式視為 inventory 已完成或 primary cutover approval。
### `local_git_remote_inventory_v1`
用途:在 Gitea API 受阻時,盤點本機可見 Git working tree 的 remote URL找出仍指向 Gitea、GitHub、110 內部 Git 或 GitLab 類 remote 的專案。
@@ -815,6 +817,8 @@ Console 初期不提供高風險執行按鈕。
2026-05-13 S4.5 Gitea 認證清冊匯出請求追加:已新增 `docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json``docs/security/gitea-authenticated-inventory-export-request.snapshot.json``docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md`。本輪只定義 Gitea 私有 / 內部全量清冊的脫敏匯出請求;目前未認證公開範圍 repo 2 個、本機可見 Gitea unique repo 4 個、覆蓋缺口 2 個、匯出來源選項 2 類;不得保存 token value、不得使用 write token、不得寫入 Gitea、不得建立或刪除 repo、不得 sync refs、不得切 GitHub primary。
2026-05-13 S4.6 Gitea 認證清冊匯入驗收追加:已新增 `docs/schemas/gitea_authenticated_inventory_import_acceptance_v1.schema.json``docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json``docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md`。本輪只定義 owner / 管理者提供脫敏 payload 後的驗收、拒收與隔離規則;目前收到 payload 0 筆、接受 0 筆、拒收 0 筆;不得保存 token value、不得匯入 DB dump 或 git object、不得寫 Gitea、不得 sync refs、不得切 GitHub primary。
2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json``docs/security/kali-integration-status.snapshot.json``docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up已 targeted update `nmap``nikto``nuclei``curl``openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence但不得直接啟動 scan、credentialed scan 或 `/execute`
本波仍不做:
@@ -849,6 +853,8 @@ Console 初期不提供高風險執行按鈕。
- [Gitea read-only inventory approval snapshot](/Users/ogt/awoooi/docs/security/gitea-readonly-inventory-approval.snapshot.json)
- [Gitea 認證清冊匯出請求](/Users/ogt/awoooi/docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md)
- [gitea_authenticated_inventory_export_request_v1 snapshot](/Users/ogt/awoooi/docs/security/gitea-authenticated-inventory-export-request.snapshot.json)
- [Gitea 認證清冊匯入驗收契約](/Users/ogt/awoooi/docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md)
- [gitea_authenticated_inventory_import_acceptance_v1 snapshot](/Users/ogt/awoooi/docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json)
- [Gitea admin export redaction checklist](/Users/ogt/awoooi/docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md)
- [Gitea public repo search snapshot](/Users/ogt/awoooi/docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md)
- [gitea public repo search JSON](/Users/ogt/awoooi/docs/security/gitea-public-repo-search.snapshot.json)
@@ -905,6 +911,7 @@ Console 初期不提供高風險執行按鈕。
- [source_control_migration_event_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_migration_event_v1.schema.json)
- [gitea_repo_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/gitea_repo_inventory_v1.schema.json)
- [gitea_authenticated_inventory_export_request_v1 schema](/Users/ogt/awoooi/docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json)
- [gitea_authenticated_inventory_import_acceptance_v1 schema](/Users/ogt/awoooi/docs/schemas/gitea_authenticated_inventory_import_acceptance_v1.schema.json)
- [local_git_remote_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/local_git_remote_inventory_v1.schema.json)
- [github_target_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_probe_v1.schema.json)
- [github_target_decision_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_decision_v1.schema.json)


@@ -7,6 +7,7 @@
| 搭配文件 | `docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md` |
| Approval | `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md` |
| S4.5 export request | `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` |
| S4.6 import acceptance | `docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` |
## 0. 允許保留的欄位
@@ -63,6 +64,7 @@
| 無 private key | 搜尋 `BEGIN .* PRIVATE KEY` | 不得出現 |
| repo 欄位完整 | 檢查 `full_name``owner.login + name` | 每個 repo 可識別 |
| visibility 可判斷 | 檢查 `private` | 每個 repo 有布林值 |
| S4.6 驗收 | 依 `GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` 檢查 payload | 不完整或含敏感值時必須拒收或隔離 |
## 4. 匯入指令
@@ -84,3 +86,4 @@ python3 scripts/security/gitea-repo-inventory.py \
4. `repos[].clone_url_redacted``repos[].ssh_url_redacted` 不含帳密。
5. 下一步仍只更新 migration matrix不同步 refs、不建 repo、不切 primary。
6. 必須能解釋 public-only API 看到 2 個 repos、本機 Gitea remote 看到 4 個 unique Gitea repos 的 coverage gap。
7. 必須通過 S4.6 import acceptancepayload 驗收通過仍不代表 GitHub primary 已批准。


@@ -6,6 +6,7 @@
| 狀態 | 草案,等待 owner 匯出 / 只讀批准 |
| 資料契約 | `docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json` |
| 快照 | `docs/security/gitea-authenticated-inventory-export-request.snapshot.json` |
| 後續驗收 | `docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` |
| 來源契約 | `gitea_repo_inventory_v1` |
| 模式 | `redacted_export_request_only` |
| 執行面授權 | `false` |
@@ -18,6 +19,8 @@ S4.5 把 Gitea 私有 / 內部全量 repo 清冊的下一步匯出請求正式
本文件只定義兩條安全路徑:只讀 token API 清冊,或已脫敏的管理匯出清冊。兩者都不得保存 token value不得寫入 Gitea不得 sync refs不得切 GitHub primary。
S4.6 已補後續的匯入驗收契約:即使 owner 或管理者提供 payload也必須先通過 schema、脫敏、coverage gap 與隔離規則,才能成為 `gitea_repo_inventory_v1.status=ok` 的候選 evidence。
## 1. 摘要
| 指標 | 數量 |


@@ -0,0 +1,120 @@
# Gitea 認證清冊匯入驗收契約
| 項目 | 內容 |
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | 草案,等待脫敏清冊 payload |
| 資料契約 | `docs/schemas/gitea_authenticated_inventory_import_acceptance_v1.schema.json` |
| 快照 | `docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json` |
| 來源契約 | `gitea_repo_inventory_v1` |
| 上游請求 | `gitea_authenticated_inventory_export_request_v1` |
| 模式 | `redacted_payload_acceptance_only` |
| 執行面授權 | `false` |
## 0. 核心結論
S4.6 定義「收到 owner 或 Gitea 管理者提供的脫敏清冊後,怎麼驗收、怎麼拒收、怎麼隔離」。
這不是實際匯入,也不是宣告 Gitea inventory 完成。它只把未來可接受的 payload 形狀、必要欄位、拒收規則、隔離 lane 與允許輸出先固定下來,避免 owner 提供資料時把 token、DB dump、git object 或 repo 操作要求混進來。
## 1. 驗收摘要
| 指標 | 值 |
|------|----|
| 目標契約 | `gitea_repo_inventory_v1.status=ok` |
| 目前 payload 狀態 | `waiting_redacted_payload` |
| 可接受 visibility scope | `authenticated` / `admin_export` |
| 最低 repo count | 2 |
| 本機可見 Gitea unique repos | 4 |
| 需要解釋的缺口 | 3 |
| 已收到 payload | 0 |
| 已接受 payload | 0 |
| 已拒收 payload | 0 |
| 驗收檢查 | 10 |
| 拒收規則 | 10 |
| 敏感 payload 必須隔離 | `true` |
| 允許收集 token value | `false` |
| 允許 DB dump / git object | `false` |
| 允許 repo write / refs sync | `false` |
| 授權切換 GitHub primary | `false` |
## 2. 可接受 Payload 形狀
必須具備 top-level 欄位:
1. `schema_version`
2. `base_url`
3. `org`
4. `visibility_scope`
5. `token_present`
6. `status`
7. `repo_count`
8. `repos`
9. `coverage_gap_explanation`
10. `redaction_attestation`
每筆 repo 必須具備:
1. `full_name`
2. `name`
3. `owner.login`
4. `private`
5. `archived`
6. `empty`
7. `default_branch`
8. `clone_url_redacted`
9. `ssh_url_redacted`
10. `github_repo_candidate`
## 3. 必須拒收
1. token value、PAT、cookie、session、CSRF token 或 partial token。
2. webhook secret、repository secret value、runner registration token。
3. deploy key private key 或任何 private key material。
4. Gitea DB dump、完整 git object pack、裸 repo tarball。
5. write-capable token、admin token 或 secret scope token。
6. 建立、刪除、封存或修改 Gitea repo 的要求。
7. 建立 GitHub repo、修改 visibility、sync refs、delete refs、force push 或切 GitHub primary 的要求。
8. 未解釋未認證公開範圍 2 repos 與本機 Gitea 4 unique repos 差異的 payload。
9. 未說明 110 內部相鄰來源 scope 的 payload。
10. 任何不確定是否含敏感值的 payload。
## 4. 隔離 Lane
| 條件 | 隔離 lane |
|------|-----------|
| 出現 token、password、cookie、session、private key、webhook secret 或 runner registration token | `sensitive_value_payload_quarantine` |
| 出現 Gitea DB dump、git object pack、裸 repo tarball 或完整 artifact | `oversized_or_wrong_artifact_quarantine` |
| 欄位不足、repo_count 不一致或 coverage gap 未解釋 | `schema_or_evidence_gap_quarantine` |
| payload 夾帶 repo 建立、refs sync、primary switch 或 workflow / secret 修改要求 | `execution_request_quarantine` |
## 5. 允許輸出
1. 產出或更新脫敏後的 `gitea_repo_inventory_v1.status=ok` snapshot。
2. 更新 `SOURCE-CONTROL-MIGRATION-MATRIX.md` 與 source-control decision table。
3. 更新 `source_control_primary_readiness_gate_v1` 的 Gitea inventory blocker 狀態。
4. 更新 `security_mirror_status_rollup_v1``docs/LOGBOOK.md`
5. 對缺口建立人工 owner review lane不建立 execution action。
## 6. AwoooP 可做
1. 顯示 S4.6 匯入驗收格式。
2. 顯示 payload 驗收 / 拒收 / 隔離規則。
3. 在 owner 提供 payload 後,只做 schema / redaction / coverage gap 檢查。
4. 將敏感或不完整 payload 送進隔離 lane。
5. 將通過驗收的脫敏 metadata 顯示為等待人工 review 的 evidence。
## 7. AwoooP 不可做
1. 不要求使用者貼 token、secret、private key、cookie、session 或 DB dump。
2. 不把 payload 驗收成功當成 GitHub primary 已批准。
3. 不建立 GitHub repo。
4. 不修改 Gitea repo。
5. 不 sync refs。
6. 不新增執行按鈕。
## 8. 階段定位
S4.6 補的是 S4.5 後面的「安全收件規格」。它讓下一個 owner export / admin export 有清楚門檻,但仍然停在框架期。
真正讓 `gitea_repo_inventory_v1.status=ok`,必須等到脫敏 payload 實際產生、通過驗收、經人工 review 後,再另行提交 snapshot。此文件本身不代表 inventory 已完成。


@@ -8,6 +8,7 @@
| Approval event | `docs/security/gitea-readonly-inventory-approval.snapshot.json` |
| Redaction checklist | `docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md` |
| S4.5 export request | `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` |
| S4.6 import acceptance | `docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` |
| 目的 | 補齊 Gitea private/internal server-side repo list |
| 原則 | 低摩擦、只讀、只盤 metadata、不保存 token value、不做同步或主控切換 |
@@ -28,6 +29,8 @@
S4.5 已補 `gitea_authenticated_inventory_export_request_v1`,把 read-only token API inventory 與 redacted admin export 的允許欄位、拒收欄位、coverage gap 與驗收 gate 正式文件化。批准前仍不得要求使用者貼 token value。
S4.6 已補 `gitea_authenticated_inventory_import_acceptance_v1`,把 owner / 管理者提供脫敏 payload 後的 schema 檢查、敏感值拒收、coverage gap 驗收與 mirror quarantine lane 正式文件化。payload 驗收通過仍不等於 GitHub primary cutover 被批准。
## 1. 申請批准的動作
| 動作 | 風險 | 批准後允許 | 仍然禁止 |
@@ -79,6 +82,7 @@ python3 scripts/security/gitea-repo-inventory.py \
| 敏感資訊 | 不含 token、password、secret value、private key |
| Redaction checklist | `docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md` 已通過 |
| Coverage gap | public-only 2 repos 與 local Gitea 4 repos 的差異已解釋 |
| Import acceptance | S4.6 驗收檢查通過;敏感 payload 必須進隔離 |
| 後續動作 | 只更新 matrix / decision table不同步 refs |
## 5. 批准前不得做


@@ -14,6 +14,7 @@
| Repo 數量 | `2` |
| 阻塞原因 | 未提供 token結果只代表公開可見 repoprivate/internal repos 仍需只讀 token 或管理匯出 |
| S4.5 export request | `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` |
| S4.6 import acceptance | `docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` |
## Repo 清單
@@ -25,3 +26,5 @@
> 注意:本檔由 read-only Gitea inventory 工具產生,不包含 API token 或 remote URL 帳密。
S4.5 已將 authenticated inventory / redacted admin export 的欄位、拒收規則與 coverage gap 驗收文件化;本 snapshot 仍是 `partial`,不得視為 server-side 全量。
S4.6 已將後續脫敏 payload 的驗收、拒收與隔離規則文件化;目前尚未收到 payload`gitea_repo_inventory_v1.status` 仍不得標記為 `ok`。


@@ -9,6 +9,7 @@
| Approval package | `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md` |
| Redaction checklist | `docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md` |
| S4.5 export request | `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` |
| S4.6 import acceptance | `docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` |
| 原則 | 不寫入 Gitea、不搬 secret value、不建立或刪除 repo |
## 0. 核心結論
@@ -30,6 +31,8 @@
S4.5 已補 `gitea_authenticated_inventory_export_request_v1`:正式要求 authenticated inventory 或 admin export 必須解釋 public-only 2 個 repos 與本機 Gitea remote 4 個 unique repos 的 coverage gap且輸出仍只能是 `gitea_repo_inventory_v1.status=ok` evidence。
S4.6 已補 `gitea_authenticated_inventory_import_acceptance_v1`:收到 owner / 管理者提供的脫敏 payload 後,必須先依 S4.6 檢查 schema、URL 脫敏、coverage gap、redaction attestation 與敏感值隔離。此驗收仍不授權 repo 建立、refs sync 或 GitHub primary cutover。
## 1. Public-only 快照指令
```bash
@@ -138,3 +141,5 @@ python3 scripts/security/gitea-repo-inventory.py \
3. 每個 repo 盤點 workflow / webhook / runner / secret 名稱。
4. 每個 repo 建立 mirror / archive / keep-local 判定。
5. 產出 GitHub primary ADR 與 rollback plan。
S4.6 驗收通過只代表「脫敏清冊 payload 可以變成 evidence」任何 GitHub repo 建立、visibility 修改、refs sync、primary cutover 或 Gitea 停用仍需後續人工批准與 runtime gate。


@@ -35,7 +35,7 @@
| Contract | 狀態 | 原因 | 下一步 |
|----------|------|------|--------|
| `security_finding_v1` | `partial_ready` | 目前只有 Kali sample snapshotruntime ingestion 尚未啟用 | 先 review `kali-finding-runtime-ingestion-approval-20260513` |
| `gitea_repo_inventory_v1` | `partial_ready` | 目前只有 public-only / blocked endpoint evidenceS4.5 已補認證清冊匯出請求,確認未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個 | 依 S4.5 請求用只讀 token API 或已脫敏管理匯出補全量清冊;不保存 token value |
| `gitea_repo_inventory_v1` | `partial_ready` | 目前只有 public-only / blocked endpoint evidenceS4.5 已補認證清冊匯出請求,S4.6 已補匯入驗收契約;未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個 | 依 S4.5 請求取得脫敏清冊後,先用 S4.6 驗收 / 拒收 / 隔離;不保存 token value |
| `coding_task_v1` | `contract_only` | 已有 schema 與 handoff prompt尚無正式 coding task snapshot | 等 code review 產生實際 task 後再 mirror |
## 2. AwoooP 鏡像目的地
@@ -82,7 +82,7 @@ AwoooP 可以將 ready / partial contracts mirror 到:
14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement。
15. 再 mirror `source_control_primary_readiness_gate_v1`,只顯示 GitHub primary parity、owner、rollback 與人工批准缺口。
16. 再 mirror `source_control_primary_rollback_adr_v1`,只顯示 7 個 in-scope repo 的 rollback ADR 草案、validation window 與 owner review不執行 rollback、不切 primary。
17. 再 mirror `gitea_repo_inventory_v1`S4.5 認證清冊匯出請求,只顯示未認證公開範圍 / 本機 evidence 覆蓋缺口只讀 / 管理脫敏匯出選項;不保存 token value、不寫 Gitea、不 sync refs。
17. 再 mirror `gitea_repo_inventory_v1`S4.5 認證清冊匯出請求與 S4.6 匯入驗收契約,只顯示未認證公開範圍 / 本機 evidence 覆蓋缺口只讀 / 管理脫敏匯出選項、payload 驗收 / 拒收 / 隔離規則;不保存 token value、不寫 Gitea、不 sync refs。
18. 再 mirror `source_control_workflow_secret_name_inventory_v1`、S4.2 local evidence 與 S4.3 redacted export request只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret namesexport request 有 7 個 repos、5 類 lanes不保存 secret value。
19. 再 mirror `kali_integration_status_v1``kali_scan_scope_approval_v1`
20. 最後再 mirror source-control 其他 contracts。


@@ -29,7 +29,7 @@
| Follow-up runtime gate templates | S3.4 已建立8 個 templates、0 個 active runtime gates |
| GitHub primary readiness gate | S4.0 已建立8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready |
| GitHub primary rollback ADR | S4.4 已建立7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover |
| Gitea inventory | S4.5 已補認證清冊匯出請求;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、允許收集 token value=false |
| Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、敏感 payload 必須隔離、允許收集 token value=false |
| Workflow / secret name inventory | S4.1 已建立S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidenceS4.3 補 7 個 repos、5 類 lanes 的 redacted export request0 個 inventory complete、禁止收集 secret value、禁止 write token |
| Dry-run | `contract_defined_not_executed` |
| Runtime actions | `false` |
@@ -59,7 +59,7 @@
1. redacted finding ingestion adapter。
2. safe web crawl scope。
3. Gitea private/internal read-only inventory依 S4.5 認證匯出請求補全量清冊;目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個,不保存 token value。
3. Gitea private/internal read-only inventory依 S4.5 認證匯出請求補全量清冊;收到脫敏 payload 後先依 S4.6 驗收 / 拒收 / 隔離;目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個,不保存 token value。
4. GitHub target / owner / visibility / canonical。
5. Kali `/execute` 維持 block candidate。
6. GitHub primary readiness blockers 與 rollback ADR 缺口。


@@ -39,7 +39,7 @@
| `security_mirror_status_rollup_v1` | mirror-only | AwoooP / Security Supply Chain 跨 Session 狀態總覽 | `security-mirror-status-rollup.snapshot.json` |
| `coding_task_v1` | suggest-only | Code Review 接 Codex patch-only | 無正式 snapshot |
| `source_control_migration_event_v1` | mirror-only | Gitea/GitHub refs 差異 | `gitea-github-awoooi``clawbot-v5``wooo-aiops` |
| `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventoryS4.5 已補認證清冊匯出請求 | public-only / blocked endpoint / S4.5 export request snapshots |
| `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventoryS4.5 已補認證清冊匯出請求S4.6 已補匯入驗收契約 | public-only / blocked endpoint / S4.5 export request / S4.6 import acceptance snapshots |
| `local_git_remote_inventory_v1` | mirror-only | 本機 remote coverage | `local-git-remote-inventory.snapshot.json` |
| `github_target_probe_v1` | mirror-only | GitHub target visibility | `github-target-probe.snapshot.json` |
| `github_target_decision_v1` | mirror-only | GitHub target 決策 | `github-target-decision.snapshot.json` |
@@ -60,7 +60,7 @@
1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`
2. 再讀本 manifest取得可消費 contract 與禁止動作。
3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。
4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求與覆蓋缺口,不得觸發 token collection 或 Gitea write。
4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約與覆蓋缺口,不得觸發 token collection 或 Gitea write。
5. 不新增執行按鈕,不做 runtime enforcement。
## 3. 永久禁止


@@ -4,7 +4,7 @@
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | S0/S1 read-only evidence 建置中 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + Gitea 認證清冊匯出請求 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
## 0. 本階段完成後整體進度
@@ -44,6 +44,7 @@
| S4.3 Workflow / Secret 名稱 redacted export request | 完成草案 | 已建立 export request schema / snapshot / 人讀版7 個 in-scope repos、5 類 export laneswebhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name paritywrite token allowed=false | repo owner 或未來只讀 API 依 request 補 redacted export仍不可收 secret value、不可修改 GitHub/Gitea |
| S4.4 GitHub Primary rollback ADR | 完成草案 | 已建立 rollback ADR schema / snapshot / 人讀版7 個 in-scope rollback drafts、0 owner approved、0 dry-run completed、0 active cutover | repo owner 審查 rollback owner、validation window 與 triggers仍不可切 primary 或執行 rollback |
| S4.5 Gitea 認證清冊匯出請求 | 完成草案 | 已建立匯出請求 schema / snapshot / 人讀版;目前未認證公開範圍 repo 2 個、本機可見 Gitea unique repo 4 個、覆蓋缺口 2 個、匯出來源選項 2 類;允許收集 token value=false | repo owner 依只讀 token API 或已脫敏管理匯出補私有 / 內部全量 repo list仍不可保存 token、不可 write Gitea、不可 refs sync |
| S4.6 Gitea 認證清冊匯入驗收契約 | 完成草案 | 已建立匯入驗收 schema / snapshot / 人讀版;目前 received payload 0、accepted 0、rejected 0定義 10 個驗收檢查、10 個拒收規則與 4 個 quarantine lanes | owner 提供脫敏 payload 後先驗收 / 拒收 / 隔離;仍不可把驗收當 primary approval |
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證rollback ADR 仍待 owner approval | SHA/tag/workflow parity、rollback ADR owner approval 與 runtime gate |
## 1. 已建立的主要 evidence
@@ -58,6 +59,8 @@
| Gitea read-only inventory approval JSON | `docs/security/gitea-readonly-inventory-approval.snapshot.json` |
| Gitea 認證清冊匯出請求 | `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` |
| Gitea 認證清冊匯出請求 JSON | `docs/security/gitea-authenticated-inventory-export-request.snapshot.json` |
| Gitea 認證清冊匯入驗收契約 | `docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` |
| Gitea 認證清冊匯入驗收契約 JSON | `docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json` |
| Gitea 管理匯出 redaction checklist | `docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md` |
| Gitea org endpoint blocked evidence | `docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md` |
| Source-control migration matrix | `docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md` |
@@ -143,11 +146,11 @@
## 3. 下一階段建議
1. 依 S4.5 `GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` 取得 Gitea 認證清冊目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個;只能用只讀 token API 或已脫敏管理匯出補私有 / 內部 server-side 全量 repo list不保存 token value。
1. 依 S4.5 `GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` 取得 Gitea 認證清冊;收到 payload 後依 S4.6 `GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` 驗收 / 拒收 / 隔離。目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個;只能用只讀 token API 或已脫敏管理匯出補私有 / 內部 server-side 全量 repo list不保存 token value。
2.`SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical 決策。
3.`SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md``awoooi``clawbot-v5``wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
4.`ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
5.`KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1``security_mirror_route_v1``security_mirror_acceptance_v1``security_mirror_quarantine_v1``security_mirror_dry_run_v1``security_mirror_status_rollup_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求workflow / secret inventory 需同時顯示 S4.3 redacted export requestprimary readiness 需同時顯示 S4.4 rollback ADR 草案。
6. AwoooP 主線先讀 `security_mirror_readiness_v1``security_mirror_intake_plan_v1``security_mirror_event_v1``security_mirror_route_v1``security_mirror_acceptance_v1``security_mirror_quarantine_v1``security_mirror_dry_run_v1``security_mirror_status_rollup_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求與 S4.6 匯入驗收契約workflow / secret inventory 需同時顯示 S4.3 redacted export requestprimary readiness 需同時顯示 S4.4 rollback ADR 草案。
7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy不做 runtime blocking。
8. AwoooP 主線再讀 `security_approval_queue_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1``security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason不新增 execution router。
8. AwoooP 主線再讀 `security_approval_queue_v1``security_approval_gate_v1``security_approval_decision_record_v1``security_approval_review_packet_v1``security_approval_state_transition_v1``security_followup_runtime_gate_v1``source_control_primary_readiness_gate_v1``source_control_primary_rollback_adr_v1``source_control_workflow_secret_name_inventory_v1``security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason不新增 execution router。


@@ -0,0 +1,224 @@
{
"schema_version": "gitea_authenticated_inventory_import_acceptance_v1",
"status": "draft_waiting_redacted_inventory_payload",
"date": "2026-05-13",
"mode": "redacted_payload_acceptance_only",
"runtime_execution_authorized": false,
"source_contract": "gitea_repo_inventory_v1",
"source_request_contract": "gitea_authenticated_inventory_export_request_v1",
"source_indexes": [
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-public-repo-search.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/local-git-remote-inventory.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"summary": {
"target_contract": "gitea_repo_inventory_v1.status=ok",
"import_payload_status": "waiting_redacted_payload",
"accepted_visibility_scopes": ["authenticated", "admin_export"],
"minimum_repo_count": 2,
"local_gitea_unique_repo_count": 4,
"required_gap_explanation_count": 3,
"received_payload_count": 0,
"accepted_payload_count": 0,
"rejected_payload_count": 0,
"acceptance_check_count": 10,
"rejection_rule_count": 10,
"quarantine_required_for_sensitive_payload": true,
"token_value_collection_allowed": false,
"raw_secret_allowed": false,
"db_dump_allowed": false,
"git_object_import_allowed": false,
"repo_write_allowed": false,
"refs_sync_allowed": false,
"github_primary_switch_authorized": false,
"action_buttons_allowed": false
},
"payload_shape": {
"required_top_level_fields": [
"schema_version",
"base_url",
"org",
"visibility_scope",
"token_present",
"status",
"repo_count",
"repos",
"coverage_gap_explanation",
"redaction_attestation"
],
"required_repo_fields": [
"full_name",
"name",
"owner.login",
"private",
"archived",
"empty",
"default_branch",
"clone_url_redacted",
"ssh_url_redacted",
"github_repo_candidate"
],
"required_attestations": [
"no_token_value",
"no_write_token",
"no_webhook_secret",
"no_deploy_key_private_key",
"no_runner_registration_token",
"no_cookie_or_session",
"no_gitea_db_dump",
"no_git_object_pack"
],
"field_constraints": [
"`visibility_scope` 必須是 `authenticated` 或 `admin_export`",
"`status` 必須是 `ok`",
"`repo_count` 必須大於或等於 2並且必須等於 `repos.length`",
"`coverage_gap_explanation` 必須解釋 public-only 2 repos、本機 Gitea 4 unique repos 與 internal 110 adjacent source 的差異",
"所有 URL 必須 redacted且不得含 username、password、token 或 secret query string"
]
},
"acceptance_checks": [
{
"check_id": "schema_and_status_ok",
"title": "Schema 與狀態正確",
"required": true,
"pass_condition": "`schema_version=gitea_repo_inventory_v1` 且 `status=ok`",
"failure_lane": "reject_payload",
"execution_authorized": false
},
{
"check_id": "visibility_scope_allowed",
"title": "可接受的可見範圍",
"required": true,
"pass_condition": "`visibility_scope` 為 `authenticated` 或 `admin_export`",
"failure_lane": "reject_payload",
"execution_authorized": false
},
{
"check_id": "repo_count_consistent",
"title": "repo_count 與 repos 數量一致",
"required": true,
"pass_condition": "`repo_count >= 2` 且等於 `repos.length`",
"failure_lane": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "local_gitea_gap_explained",
"title": "本機 Gitea 覆蓋缺口已說明",
"required": true,
"pass_condition": "payload 解釋 public-only 2 repos 與本機 4 unique Gitea repos 的差異",
"failure_lane": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "internal_110_scope_explained",
"title": "110 內部相鄰來源已說明",
"required": true,
"pass_condition": "payload 說明 internal 110 repos 是否屬於本輪 GitHub migration scope",
"failure_lane": "request_owner_scope_decision",
"execution_authorized": false
},
{
"check_id": "redaction_attestation_present",
"title": "脫敏聲明存在",
"required": true,
"pass_condition": "payload 明確聲明不含 token、secret、private key、cookie、session、DB dump 或 git object pack",
"failure_lane": "quarantine_sensitive_payload",
"execution_authorized": false
},
{
"check_id": "urls_are_redacted",
"title": "URL 已脫敏",
"required": true,
"pass_condition": "clone / ssh URL 不含 username、password、token、cookie 或 secret query string",
"failure_lane": "quarantine_sensitive_payload",
"execution_authorized": false
},
{
"check_id": "token_scope_readonly",
"title": "token scope 只讀或不保存",
"required": true,
"pass_condition": "只保存 `token_present=true|false`,且 owner 聲明沒有 write/admin/secret scope",
"failure_lane": "reject_payload",
"execution_authorized": false
},
{
"check_id": "repo_identity_unique",
"title": "repo identity 可唯一判讀",
"required": true,
"pass_condition": "每筆 repo 都有 `full_name` 或 `owner.login + name`,且不得重複",
"failure_lane": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "output_is_contract_update_only",
"title": "輸出只允許更新契約與證據",
"required": true,
"pass_condition": "只更新 `gitea_repo_inventory_v1` snapshot、migration matrix、decision table、readiness gate 與 LOGBOOK",
"failure_lane": "reject_runtime_or_source_control_action",
"execution_authorized": false
}
],
"rejection_rules": [
"payload 含 token value、PAT、cookie、session、CSRF token 或 partial token 時必須拒收。",
"payload 含 webhook secret、repository secret value、runner registration token 或 deploy key private key 時必須拒收。",
"payload 含 Gitea DB dump、完整 git object pack、裸 repo tarball 或可還原 credential 的 artifact 時必須拒收。",
"payload 要求使用 write-capable token、admin token 或 secret scope token 時必須拒收。",
"payload 要求建立、刪除、封存或修改 Gitea repo 時必須拒收。",
"payload 要求建立 GitHub repo、修改 visibility、sync refs、delete refs 或 force push 時必須拒收。",
"payload 未解釋 public-only 與本機 Gitea 覆蓋差異時不得標記 inventory complete。",
"payload 未說明 internal 110 adjacent source scope 時不得進 GitHub primary readiness。",
"payload 只提供截圖、文字描述或不完整 repo metadata 時必須要求補 evidence。",
"任何不確定是否含敏感值的 payload 必須先進 mirror quarantine不得人工手改後直接入庫。"
],
"quarantine_mapping": [
{
"condition": "出現 token、password、cookie、session、private key、webhook secret 或 runner registration token",
"target_lane": "sensitive_value_payload_quarantine",
"execution_authorized": false
},
{
"condition": "出現 Gitea DB dump、git object pack、裸 repo tarball 或完整 artifact",
"target_lane": "oversized_or_wrong_artifact_quarantine",
"execution_authorized": false
},
{
"condition": "欄位不足、repo_count 不一致或 coverage gap 未解釋",
"target_lane": "schema_or_evidence_gap_quarantine",
"execution_authorized": false
},
{
"condition": "payload 夾帶 repo 建立、refs sync、primary switch 或 workflow/secret 修改要求",
"target_lane": "execution_request_quarantine",
"execution_authorized": false
}
],
"allowed_outputs": [
"產出或更新脫敏後的 `gitea_repo_inventory_v1.status=ok` snapshot",
"更新 `SOURCE-CONTROL-MIGRATION-MATRIX.md` 與 source-control decision table",
"更新 `source_control_primary_readiness_gate_v1` 的 Gitea inventory blocker 狀態",
"更新 `security_mirror_status_rollup_v1` 與 `docs/LOGBOOK.md`",
"對缺口建立人工 owner review lane不建立 execution action"
],
"forbidden_actions": [
"store_token_value",
"store_raw_secret",
"store_cookie_or_session",
"import_gitea_db_dump",
"import_git_object_pack",
"use_write_capable_token",
"write_to_gitea",
"create_gitea_repo",
"delete_or_archive_gitea_repo",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"delete_git_refs",
"force_push",
"switch_github_primary",
"disable_gitea",
"add_action_button"
]
}
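Review bot: The `urls_are_redacted` check only names clone / ssh URLs in its `pass_condition`, while the `field_constraints` entry a few lines above requires that all URLs be redacted and `base_url` is a required top-level field that can carry embedded `user:token@host` credentials; widen the check to `"pass_condition": "`base_url` 與 clone / ssh URL 不含 username、password、token、cookie 或 secret query string；其他字串欄位亦不得含上述值"`. Relatedly, `redaction_attestation_present` passes on the owner's declaration alone, so recording a content scan of the whole payload (not just URL fields) as part of acceptance would make that attestation verifiable rather than merely trusted. The four `target_lane` names under `quarantine_mapping` are presumably meant to match lanes defined in the `security-mirror-quarantine.snapshot.json` listed in `source_indexes`; worth confirming they exist there, since a mismatched lane name would leave a quarantined payload unrouted.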


@@ -233,13 +233,15 @@
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-public-repo-search.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json"
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md"
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md"
],
"notes": "目前仍是 public-only / blocked endpoint evidenceS4.5 已補 authenticated/admin export requestprivate/internal 全量需 approval。"
"notes": "目前仍是 public-only / blocked endpoint evidenceS4.5 已補 authenticated/admin export requestS4.6 已補 redacted import acceptanceprivate/internal 全量需 approval 與脫敏 payload 驗收。"
},
{
"contract": "local_git_remote_inventory_v1",


@@ -20,6 +20,7 @@
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
@@ -43,6 +44,10 @@
"gitea_inventory_local_gitea_repo_count": 4,
"gitea_inventory_export_source_option_count": 2,
"gitea_inventory_token_value_collection_allowed": false,
"gitea_inventory_import_acceptance_status": "draft_waiting_redacted_inventory_payload",
"gitea_inventory_import_acceptance_payload_count": 0,
"gitea_inventory_import_acceptance_quarantine_required": true,
"gitea_inventory_import_acceptance_execution_authorized": false,
"primary_readiness_candidate_repo_count": 8,
"github_primary_ready_count": 0,
"primary_rollback_adr_repo_plan_count": 7,
@@ -75,8 +80,8 @@
{
"phase_id": "S1_readonly_inventory",
"state": "in_progress",
"current_result": "已完成多項 read-only evidenceS4.5 已補 Gitea authenticated/admin export request但 private/internal 全量 repo list 仍需批准後補齊。",
"next_gate": "只讀 token 或 redacted admin export owner approval仍不得保存 token value。"
"current_result": "已完成多項 read-only evidenceS4.5 已補 Gitea authenticated/admin export requestS4.6 已補 redacted import acceptance但 private/internal 全量 repo list 仍需批准後補齊。",
"next_gate": "只讀 token 或 redacted admin export owner approval收到 payload 後先依 S4.6 驗收與隔離規則檢查,仍不得保存 token value。"
},
{
"phase_id": "S2_mirror_only_consumption",
@@ -93,8 +98,8 @@
{
"phase_id": "S4_migration_execution",
"state": "not_started",
"current_result": "GitHub primary 是長期方向source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary readyS4.1 已定義 workflow / secret 名稱 inventory 契約S4.2 已補 local evidenceS4.3 已補 redacted export requestS4.4 已補 rollback ADR 草案S4.5 已補 Gitea authenticated inventory export request但 inventory status 仍 partial。",
"next_gate": "Gitea authenticated inventory、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR owner approval 與逐 repo 人工批准。"
"current_result": "GitHub primary 是長期方向source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary readyS4.1 已定義 workflow / secret 名稱 inventory 契約S4.2 已補 local evidenceS4.3 已補 redacted export requestS4.4 已補 rollback ADR 草案S4.5 已補 Gitea authenticated inventory export requestS4.6 已補 redacted import acceptance,但 inventory status 仍 partial。",
"next_gate": "Gitea authenticated inventory payload 通過 S4.6 驗收、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR owner approval 與逐 repo 人工批准。"
}
],
"next_safe_actions": [
@@ -185,14 +190,16 @@
"mode": "approval_required",
"source_contract": "gitea_repo_inventory_v1",
"allowed_processing": [
"顯示 S4.5 authenticated/admin export request 與 coverage gap",
"顯示 S4.5 authenticated/admin export request、S4.6 redacted import acceptance 與 coverage gap",
"使用 read-only token 或 redacted admin export 補齊 repo list",
"收到 payload 後只做 schema / redaction / coverage gap 驗收與隔離",
"只保存 token_present=true/false",
"更新 migration matrix 與 decision table"
],
"blocked_processing": [
"保存 token value",
"使用 write-capable token",
"把 S4.6 payload 驗收當成 primary approval",
"建立 GitHub repo 或 sync refs"
]
},
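Review bot: `gitea_inventory_import_acceptance_payload_count` collapses the three counters the new acceptance contract exposes (received / accepted / rejected, all 0 today) into one number, so once the first payload arrives a consumer cannot tell a rejected submission from progress. Prefer mirroring the counters by name, e.g. `"gitea_inventory_import_acceptance_received_payload_count": 0,` `"gitea_inventory_import_acceptance_accepted_payload_count": 0,` `"gitea_inventory_import_acceptance_rejected_payload_count": 0,`, keeping the existing key only if something already reads it. The same flattening applies to the S1 `current_result` text, which says S4.6 is in place without stating that no payload has been received yet.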


@@ -378,18 +378,20 @@
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-public-repo-search.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json"
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md",
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md"
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md"
],
"consumer": "AwoooP migration matrix evidence",
"consumption_mode": "mirror_only",
"allowed_actions": ["mirror_public_only_inventory", "create_readonly_inventory_approval_candidate", "display_authenticated_inventory_export_request"],
"allowed_actions": ["mirror_public_only_inventory", "create_readonly_inventory_approval_candidate", "display_authenticated_inventory_export_request", "display_redacted_inventory_import_acceptance"],
"forbidden_actions": ["store_token_value", "write_to_gitea", "delete_or_archive_repo"],
"notes": "目前是 partial/public_onlyS4.5 已補 authenticated/admin export requestprivate/internal 全量仍需批准後補齊。"
"notes": "目前是 partial/public_onlyS4.5 已補 authenticated/admin export requestS4.6 已補 redacted import acceptanceprivate/internal 全量仍需批准後補齊。"
},
{
"contract": "local_git_remote_inventory_v1",
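Review bot: `forbidden_actions` on this contract entry still lists only `store_token_value`, `write_to_gitea` and `delete_or_archive_repo`, while the import acceptance snapshot the entry now references forbids seventeen actions including `use_write_capable_token`, `sync_git_refs`, `create_github_repo`, `force_push` and `switch_github_primary`. A consumer that reads the manifest entry alone therefore sees a narrower deny list than the contract it is told to display; suggest extending the line to `"forbidden_actions": ["store_token_value", "write_to_gitea", "delete_or_archive_repo", "use_write_capable_token", "sync_git_refs", "create_github_repo", "switch_github_primary"],` or stating in `notes` that the snapshot's `forbidden_actions` list is authoritative. The hunk starts mid-object, so the entry's own `contract` key is outside this hunk.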


@@ -14,6 +14,7 @@
"docs/security/source-control-primary-rollback-adr.snapshot.json",
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
],
@@ -42,6 +43,7 @@
"current_gap": [
"目前只有 public-only / blocked endpoint evidence",
"S4.5 已建立 authenticated/admin export request但尚未取得 `gitea_repo_inventory_v1.status=ok` evidence",
"S4.6 已建立 redacted import acceptance但目前 received_payload_count=0、accepted_payload_count=0",
"public-only API 只看到 2 個 repos本機 remote inventory 看到 4 個 unique Gitea reposgap 仍待 owner 解釋",
"GITEA_READONLY_TOKEN 未提供",
"不得使用 write-capable credential 當 read-only token"
@@ -49,6 +51,7 @@
"allowed_now": [
"顯示 blocked reason",
"mirror S4.5 authenticated inventory export request",
"mirror S4.6 redacted inventory import acceptance",
"等待 read-only token 或 redacted admin export",
"更新 approval board 與 decision table"
],