docs(security): 強化 S4.9 owner response 基準一致性
All checks were successful
Code Review / ai-code-review (push) Successful in 14s

This commit is contained in:
Your Name
2026-06-12 12:14:45 +08:00
parent 7cea7ef02a
commit c6fe7c2dd7
4 changed files with 30 additions and 8 deletions

View File

@@ -3,7 +3,7 @@
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-12 |
| 基準 | `gitea/main=b17a28c2 feat(governance): 新增報表 runtime 啟動前閘門` |
| 基準 | `gitea/main=7cea7ef0 docs(logbook): 記錄 IwoooS 修正候選卡驗證 [skip ci]` |
| 範圍 | S4.9 Gitea owner attestation response gate 與 S4.13 owner response validation rollup |
| 模式 | 只讀 committed snapshot / 文件稽核 |
| 不可誤讀 | 不是 request sent、不是 owner response received、不是 accepted、不是 repo / refs / workflow / secret / runtime 授權 |
@@ -30,7 +30,7 @@ S4.9 的基礎規範已存在,且已能被 `source-control-owner-response-guar
| 缺口 | 影響 | 下一步 |
|------|------|--------|
| P0 主控總帳與缺口稽核基準需跟上最新 `gitea/main` | 平行 Session 已推進 P2-403I/J/K、Public Gateway Preflight、SRE 戰情室路由、Knowledge Base tenant context報表 runtime 啟動前閘門;舊 commit 基準會讓新 Session 誤判下一步 | 本輪已更新到 `b17a28c2`;後續每次推送前仍需 fetch、讀 LOGBOOK 最新段落與同步 runs / deploy marker |
| P0 主控總帳與缺口稽核基準需跟上最新 `gitea/main` | 平行 Session 已推進 P2-403I/J/K、Public Gateway Preflight、SRE 戰情室路由、Knowledge Base tenant context報表 runtime 啟動前閘門、IwoooS 審查後修正候選卡與 S4.13 rollup 口徑修正;舊 commit 基準會讓新 Session 誤判下一步 | 本輪已更新到 `7cea7ef0`,最新 deploy marker 為 `8a8843e3`;後續每次推送前仍需 fetch、讀 LOGBOOK 最新段落與同步 runs / deploy marker |
| S4.9 gate 仍只有 request-ready沒有 owner response | IwoooS 64% 不能因規範存在而往前解鎖 | 維持 `0%`,只準備收件缺口,不調高 progress |
| S4.13 rollup 文件曾殘留舊模板總數 | Snapshot 已是 `5 + 9 + 5 + 5 = 24`,但文件仍可能寫成 `22`,會造成 reviewer 誤判 S4.10 目標數 | 已同步文件並把 `source-control-owner-response-guard.py` 納入文件一致性檢查 |
| request packet 的欄位名稱存在同義詞 | `affected_repos``affected_sources``affected_repos_or_sources_or_namespace``evidence_refs` 與使用者要求的 `affected_scope``redacted_evidence_refs` 容易在 UI / handoff 中混用 | 已補 `S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md`,後續顯示層以六欄 canonical envelope 呈現source templates 可保留細分欄位 |
@@ -88,6 +88,7 @@ S4.9 的基礎規範已存在,且已能被 `source-control-owner-response-guar
| S4.9 現況缺口稽核 | 100% | 已列出已符合、仍不符合、需新增、需調整、五題回覆與 0 / false 邊界 |
| S4.9 canonical owner response envelope | 100% | 已補六欄信封、alias 映射、五題投影、quarantine-first 與 reviewer checklist |
| S4.9 owner response gate | 0% | 沒有收到 owner response不得調高 |
| S4.9 基準與日期一致性 | 100% | 已跟到 `gitea/main=7cea7ef0` 與 deploy marker `8a8843e3`,並要求 guard 擋下過期基準、過期日期與舊模板公式 |
| S4.13 rollup 文件一致性 | 100% | 已把 `22` 舊口徑修正為 `24`,並由 guard 檢查 |
| IwoooS 整體 | 維持 64% | 只讀稽核不改 runtime readiness |
| active runtime gate | 0 | 不變 |

View File

@@ -111,7 +111,7 @@ S4.13 不新增第 36 個主 contract不新增 approval item不啟用 runt
AwoooP 顯示 S4.9 時,應同步讀取 `gitea-inventory-owner-attestation-response.snapshot.json` 的 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、6 個 intake preflight checks 與 5 個 outcome lanesrequest packet 只提示 owner 要填什麼與不得貼什麼template statuses 只逐項顯示 waiting / request readyaudit event templates 只定義 request shown / response received metadata / outcome classified 的脫敏 metadata 欄位且目前 0 emittedredaction examples 只提供安全回覆形狀display sections 只固定只讀 UI 順序collection checks 只維持 request / received / accepted 狀態分離preflight / outcome 只分類可審、補證、隔離、拒收或等待,不代表 owner response accepted 或 AwoooP production ingestion 已啟用。
### 2.3.1 2026-06-04 S4.9 Current Intake Readiness
### 2.3.1 2026-06-12 S4.9 Current Intake Readiness
S4.9 目前已具備可直接照表收件與預檢的準備度,但尚未收到任何 owner response。這個狀態應顯示在 AwoooP 操作控制台作為下一個收件焦點,不得變成 approval queue 或 execution queue。

View File

@@ -1,7 +1,7 @@
{
"schema_version": "source_control_owner_response_validation_rollup_v1",
"status": "draft_waiting_owner_responses",
"date": "2026-06-04",
"date": "2026-06-12",
"mode": "owner_response_validation_rollup_only",
"runtime_execution_authorized": false,
"source_contracts": [
@@ -200,7 +200,7 @@
"check_id": "template_counts_match",
"title": "response template count 必須與各 source packet summary 一致",
"required": true,
"pass_condition": "5 + 7 + 5 + 5 = 22",
"pass_condition": "5 + 9 + 5 + 5 = 24",
"failure_lane": "mirror_quarantine",
"execution_authorized": false
},
@@ -2242,7 +2242,7 @@
},
"latest_local_validation": {
"status": "repo_snapshot_guard_pass",
"date": "2026-06-04",
"date": "2026-06-12",
"scope": "repo_snapshot_only",
"command": "python3 scripts/security/source-control-owner-response-guard.py --root .",
"result": "SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK",

View File

@@ -13,6 +13,10 @@ from pathlib import Path
from typing import Any
EXPECTED_ROLLUP_DATE = "2026-06-12"
EXPECTED_TEMPLATE_COUNT_FORMULA = "5 + 9 + 5 + 5 = 24"
STALE_TEMPLATE_COUNT_FORMULA = "5 + 7 + 5 + 5 = 22"
LANES = [
{
"lane_id": "s4_9_gitea_inventory_owner_attestation_response",
@@ -498,13 +502,16 @@ def validate_markdown_consistency(security_dir: Path) -> None:
encoding="utf-8"
)
assert_contains("rollup_doc.total_template_formula", rollup_doc, "5 + 9 + 5 + 5 = 24")
assert_contains("rollup_doc.date", rollup_doc, EXPECTED_ROLLUP_DATE)
assert_contains("rollup_doc.total_template_formula", rollup_doc, EXPECTED_TEMPLATE_COUNT_FORMULA)
assert_contains("rollup_doc.total_template_display", rollup_doc, "24 templates")
assert_not_contains("rollup_doc.stale_formula", rollup_doc, "5 + 7 + 5 + 5 = 22")
assert_not_contains("rollup_doc.stale_date", rollup_doc, "2026-06-04")
assert_not_contains("rollup_doc.stale_formula", rollup_doc, STALE_TEMPLATE_COUNT_FORMULA)
assert_not_contains("rollup_doc.stale_display", rollup_doc, "22 templates")
assert_contains("gap_audit_doc.latest_baseline_present", gap_audit_doc, "gitea/main=")
assert_not_contains("gap_audit_doc.stale_baseline_b615", gap_audit_doc, "b615bde5")
assert_not_contains("gap_audit_doc.stale_baseline_f1bad", gap_audit_doc, "f1bad81d")
assert_not_contains("gap_audit_doc.stale_baseline_b17a", gap_audit_doc, "b17a28c2")
assert_contains("gap_audit_doc.rollup_consistency", gap_audit_doc, "S4.13 rollup 文件一致性")
@@ -515,6 +522,7 @@ def validate(root: Path) -> None:
rollup_summary = rollup["summary"]
assert_equal("rollup.status", rollup["status"], "draft_waiting_owner_responses")
assert_equal("rollup.date", rollup["date"], EXPECTED_ROLLUP_DATE)
assert_false("rollup.runtime_execution_authorized", rollup["runtime_execution_authorized"])
assert_equal("rollup.response_packet_count", rollup_summary["response_packet_count"], len(LANES))
assert_equal("rollup.validation_lane_count", rollup_summary["validation_lane_count"], len(LANES))
@@ -1130,6 +1138,18 @@ def validate(root: Path) -> None:
assert_equal("missing_response_lanes.count", len(missing_lane_by_id), len(LANES))
assert_equal("owner_response_collection_order.count", len(collection_order_by_id), len(LANES))
cross_packet_checks = {item["check_id"]: item for item in rollup["cross_packet_acceptance_checks"]}
assert_equal(
"cross_packet_acceptance_checks.template_counts_match.pass_condition",
cross_packet_checks["template_counts_match"]["pass_condition"],
EXPECTED_TEMPLATE_COUNT_FORMULA,
)
assert_not_contains(
"rollup.snapshot.stale_template_count_formula",
json.dumps(rollup, ensure_ascii=False),
STALE_TEMPLATE_COUNT_FORMULA,
)
evidence_routing_rules = rollup["owner_response_evidence_routing_rules"]
assert_equal(
"owner_response_evidence_routing_rules.ids",
@@ -1826,6 +1846,7 @@ def validate(root: Path) -> None:
local_validation = rollup["latest_local_validation"]
assert_equal("rollup.latest_local_validation.status", local_validation["status"], "repo_snapshot_guard_pass")
assert_equal("rollup.latest_local_validation.date", local_validation["date"], EXPECTED_ROLLUP_DATE)
assert_equal("rollup.latest_local_validation.scope", local_validation["scope"], "repo_snapshot_only")
assert_equal("rollup.latest_local_validation.result", local_validation["result"], "SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK")
assert_equal("rollup.latest_local_validation.received_response_count", local_validation["received_response_count"], 0)