From d128337bbaff115b914fc151316e7de9809bd4a6 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Thu, 11 Jun 2026 20:42:38 +0800
Subject: [PATCH] docs(security): add S4.10 owner response canonical fields [skip ci]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docs/LOGBOOK.md                               |  22 +++
 ...get_owner_decision_response_v1.schema.json |   8 +-
 .../GITHUB-TARGET-OWNER-DECISION-RESPONSE.md  |  22 ++-
 ...rget-owner-decision-response.snapshot.json | 142 ++++++++++++++----
 ...026-06-04-iwooos-security-governance-p0.md |  12 +-
 5 files changed, 163 insertions(+), 43 deletions(-)

diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 36f5f8b4..5c247353 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,25 @@ +## 2026-06-11|S4.10 owner response canonical 9 欄補強 + +**背景**:`58e760fa` 已把 S4.10 GitHub target owner response 範圍從 7 個 target 擴到 9 個 target,並納入 `VibeWork` 與 `agent-bounty-protocol`。接續檢查時發現 handoff packet 仍偏向 owner / canonical / visibility 欄位,尚未完整固定統帥要求的 owner response 9 欄,容易讓後續收件又退回「請人工判斷」但缺少 rollback、maintenance window 與 validation plan 的狀態。 + +**完成**: + +- `github-target-owner-decision-response.snapshot.json` 的 `target_owner_handoff_packet.required_response_fields` 改為 canonical 9 欄:`owner_role_or_team`、`decision`、`decision_reason`、`affected_scope`、`redacted_evidence_refs`、`followup_owner`、`rollback_owner`、`maintenance_window`、`validation_plan`。 +- 9 個 response templates 逐一補齊 canonical 9 欄,保留 target-specific 欄位,例如 `canonical_source`、`visibility_review_owner`、`product_boundary_owner`、`external_agent_owner`、`treasury_owner`、`runtime_gate_owner`。 +- preflight、collection check、acceptance check 與 allowed outputs 已同步改成只讀收件 / 驗證紀錄候選,不進 execution queue。 +- schema 允許 `target_probe_summary.newly_added_in_scope_targets`,並修正 S4.10 template status description 為 9 個 target。 +- P0 workplan 已同步 latest `gitea/main`、10 個 candidate / 9 個 approval-required target、canonical 9 欄與 `VibeWork` / `agent-bounty-protocol` 納管狀態。 + +**完成度同步**: + +- S4.10 owner response canonical 9 欄補強:`100%`。 +- S4.10 owner response gate:仍 `0%`。 +- received / accepted / rejected:仍 `0 / 0 / 0`。 +- IwoooS 整體:仍 `64%`。 +- active runtime gate:仍 `0`。 + +**邊界**:本段純文件 / snapshot / schema 契約補強;不送 request、不收 owner response、不建立 repo、不修改 visibility、不同步 refs、不改 workflow / secret / runner、不切 GitHub primary、不停 Gitea、不 SSH、不 active scan、不開 runtime gate。 + ## 2026-06-11|P2-403B Agent 可視化紅線文案抽象化 **背景**:P2-403B 已把 OpenClaw / Hermes / NemoTron 的 AgentSession / Redis / Worker gate 只讀證據面接到治理頁,但正式站 DOM smoke 仍看到部分「禁止顯示」文案直接提到工作視窗、私有推理與推理鏈。這些不是實際對話內容外露,但會讓前端看起來像在呈現敏感類別名稱;統帥已明確要求工作視窗內容不得顯示到前端,因此本段把可見文字再抽象化。 
diff --git a/docs/schemas/github_target_owner_decision_response_v1.schema.json b/docs/schemas/github_target_owner_decision_response_v1.schema.json index 3f44b31f..144ef62a 100644 --- a/docs/schemas/github_target_owner_decision_response_v1.schema.json +++ b/docs/schemas/github_target_owner_decision_response_v1.schema.json @@ -194,7 +194,11 @@ "candidate_count": {"type": "integer", "minimum": 0}, "exists_count": {"type": "integer", "minimum": 0}, "not_found_or_private_count": {"type": "integer", "minimum": 0}, - "external_scope_summary_repo": {"type": "string"} + "external_scope_summary_repo": {"type": "string"}, + "newly_added_in_scope_targets": { + "type": "array", + "items": {"type": "string"} + } }, "additionalProperties": false }, @@ -282,7 +286,7 @@ }, "owner_response_template_statuses": { "type": "array", - "description": "S4.10 七個 GitHub target response templates 的逐項收件狀態;只供 AwoooP 顯示,不代表 approval 或 execution queue。", + "description": "S4.10 九個 GitHub target response templates 的逐項收件狀態;只供 AwoooP 顯示,不代表 approval 或 execution queue。", "items": { "type": "object", "required": [ diff --git a/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md b/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md index e026c5d2..f6f29db9 100644 --- a/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md +++ b/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md 
@@ -76,7 +76,21 @@ S4.10 template status ledger 只讓 AwoooP 逐項顯示 9 個 GitHub target temp ## 2. Owner Response 必填欄位 -每筆 response 至少要能回答 owner role/team、decision、decision reason、canonical source、GitHub target disposition、visibility review owner 與 redacted evidence refs;新納入的 `VibeWork` 必須補 product / surface owner,`agent-bounty-protocol` 必須補 external agent / treasury / runtime gate owner。 +每筆 response 至少要能回答下列 canonical 9 欄。這 9 欄只代表收件與 reviewer 可判讀,不代表 repo creation、visibility change、refs sync、GitHub primary 或 runtime execution 被批准。 + +| 欄位 | 必填內容 | 缺漏時處理 | +|------|----------|------------| +| `owner_role_or_team` | 回覆責任角色或團隊,不收個人 credential 或敏感身份資料 | 補件 | +| `decision` | 只能使用第 4 節可接受決策值 | 非允許值拒收 | +| `decision_reason` | 決策理由摘要,不得貼 raw secret、token、cookie、未脫敏截圖或 API body | 補件或隔離 | +| `affected_scope` | 影響範圍,例如 repo、canonical source、visibility、refs truth、workflow-secret parity、產品邊界或 agent runtime boundary | 補件 | +| `redacted_evidence_refs` | 只引用 repo 內文件、snapshot 或已脫敏 metadata pointer | 疑似敏感 payload 進 quarantine | +| `followup_owner` | 下一步補證或判定負責人 | 補件 | +| `rollback_owner` | 若未來進入變更候選,誰負責 rollback 判定與回復計畫 | 補件 | +| `maintenance_window` | 若未來進入變更候選,允許審查的維護窗口或明確標示 `not_authorized_yet` | 補件 | +| `validation_plan` | 若未來進入變更候選,要如何驗證 read-only update、repo / refs / workflow 邊界與 post-check | 補件 | + +每個 template 仍可要求 target-specific 欄位,例如 `canonical_source`、`github_target_disposition`、`visibility_review_owner`、`refs_truth_review_owner`、`product_boundary_owner`、`external_agent_owner`、`treasury_owner` 或 `runtime_gate_owner`。新納入的 `VibeWork` 必須補 product / surface owner,`agent-bounty-protocol` 必須補 external agent / treasury / runtime gate owner。 ## 3. 九個 Response Template 
@@ -110,12 +124,12 @@ S4.10 template status ledger 只讓 AwoooP 逐項顯示 9 個 GitHub target temp 1. `github_repo` 必須對應 github_target_decision_v1 的 9 個 approval-required targets 之一。 2. `decision` 必須是該 target template 的 acceptable_decisions 之一。 -3. 每筆回覆必須有 owner role/team、visibility review owner 或明確 out-of-scope disposition。 +3. 每筆回覆必須填齊 canonical 9 欄,並依 template 補齊 visibility review owner、canonical source 或明確 out-of-scope disposition。 4. in-scope 或 candidate target 必須標示 canonical source;未知時必須選 unknown_requires_more_evidence。 5. 回覆不得把 refs truth、workflow-secret parity、Gitea inventory、rollback ADR 或 server-side diff 缺口視為已完成。 6. 回覆只能批准候選方向或補證方向,不得包含立即建立 repo 或修改 visibility 的執行要求。 7. 回覆不得要求 push、delete、force push、mirror sync、primary switch 或 disable Gitea。 -8. `evidence_refs` 只能指向 repo 內文件、snapshot 或已脫敏 owner metadata,不得含 token、credential、secret value、private key 或 deploy key value。 +8. `redacted_evidence_refs` 只能指向 repo 內文件、snapshot 或已脫敏 owner metadata,不得含 token、credential、secret value、private key 或 deploy key value。 ## 6. 必須拒收 @@ -124,7 +138,7 @@ S4.10 template status ledger 只讓 AwoooP 逐項顯示 9 個 GitHub target temp 3. 回覆含 visibility change command 或要求立即修改 public/private/internal visibility 時必須拒收。 4. 回覆要求 push refs、delete refs、force push、mirror sync、tag rewrite 或 branch rewrite 時必須拒收。 5. 回覆要求切 GitHub primary、停用 Gitea、刪除 Gitea、封存 Gitea 或移除 fallback 時必須拒收。 -6. 回覆缺 owner、visibility review owner、canonical source 或 out-of-scope disposition 時不得標記 accepted。 +6. 回覆缺 canonical 9 欄、visibility review owner、canonical source 或 out-of-scope disposition 時不得標記 accepted。 7. 回覆把 `not_found_or_private` 自動解釋為 repo 不存在或可建立時必須拒收。 8. 回覆要求自動合併 unrelated histories 或刪除 momo / ewoooc working tree 時必須拒收。 9. 回覆把 owner decision response 當成 repo migration approval、refs sync approval 或 primary approval 時必須拒收。 diff --git a/docs/security/github-target-owner-decision-response.snapshot.json b/docs/security/github-target-owner-decision-response.snapshot.json index c98e875a..6f23a9ed 100644 
--- a/docs/security/github-target-owner-decision-response.snapshot.json +++ b/docs/security/github-target-owner-decision-response.snapshot.json @@ -1,7 +1,7 @@ { "schema_version": "github_target_owner_decision_response_v1", "status": "draft_waiting_owner_response", - "date": "2026-06-04", + "date": "2026-06-11", "mode": "owner_decision_response_intake_only", "runtime_execution_authorized": false, "source_contract": "github_target_decision_v1", @@ -80,7 +80,7 @@ { "check_id": "p1-3-required-owner-fields", "display_order": 5, - "check": "必須有 owner role/team、decision、reason、canonical source、target disposition、visibility review owner、redacted evidence refs。", + "check": "必須有 owner role/team、decision、decision reason、affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window、validation plan。", "current_status": "defined_not_dispatched", "execution_authorized": false }, @@ -125,11 +125,12 @@ "owner_role_or_team", "decision", "decision_reason", - "canonical_source", - "github_target_disposition", - "visibility_review_owner", + "affected_scope", "redacted_evidence_refs", - "followup_owner" + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan" ], "forbidden_inputs": [ "token_value", 
@@ -169,7 +170,7 @@ "target-vibework-private-or-new", "target-agent-bounty-protocol-private-or-new" ], - "owner_instruction_summary": "請 owner 只依 S4.10 九個 templates 回覆 GitHub target 的 owner / visibility / canonical / target disposition,並只引用脫敏 evidence refs;不要貼 token、secret、private clone URL credential、repo archive、git object、API request body 或任何可執行 payload。", + "owner_instruction_summary": "請 owner 只依 S4.10 九個 templates 回覆 GitHub target 的 owner / visibility / canonical / target disposition,且每筆都要填齊 owner role/team、decision、decision reason、affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window、validation plan;不要貼 token、secret、private clone URL credential、repo archive、git object、API request body 或任何可執行 payload。", "allowed_response_fields": [ "owner_role_or_team", "decision", @@ -190,7 +191,12 @@ "surface_owner", "external_agent_owner", "treasury_owner", - "runtime_gate_owner" + "runtime_gate_owner", + "affected_scope", + "redacted_evidence_refs", + "rollback_owner", + "maintenance_window", + "validation_plan" ], "evidence_ref_rules": [ "只允許 repo 內既有文件、snapshot 或已脫敏 owner metadata pointer", @@ -805,7 +811,7 @@ "display_order": 6, "title": "只記錄 GitHub target audit metadata", "required": true, - "pass_condition": "AwoooP 只能記錄 request shown、response received metadata、template id、github repo、owner role/team、redacted evidence refs 與 outcome lane;不得保存 token value、secret value、private clone URL credential、repo archive、git object pack 或可執行 payload。", + "pass_condition": "AwoooP 只能記錄 request shown、response received metadata、template id、github repo、owner role/team、affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window、validation plan 與 outcome lane;不得保存 token value、secret value、private clone URL credential、repo archive、git object pack 或可執行 payload。", "failure_lane": "quarantine_sensitive_payload", "awooop_display": "display_audit_metadata_only", "execution_authorized": false, 
@@ -828,7 +834,7 @@ "display_order": 2, "title": "GitHub target 必填欄位完整", "required": true, - "pass_condition": "每筆 response 必須有 owner role/team、decision、decision_reason、canonical_source、target disposition 或 out-of-scope disposition、visibility review owner 與 evidence_refs。", + "pass_condition": "每筆 response 必須有 owner role/team、decision、decision_reason、affected_scope、redacted_evidence_refs、followup_owner、rollback_owner、maintenance_window 與 validation_plan;target-specific canonical source、target disposition、visibility review owner 或 out-of-scope disposition 仍需依 template 補齊。", "failure_lane": "request_more_evidence", "awooop_display": "request_more_evidence", "execution_authorized": false @@ -886,6 +892,12 @@ "owner_role_or_team", "decision", "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan", "canonical_source", "github_target_disposition", "visibility_review_owner", @@ -906,12 +918,14 @@ "acceptance_criteria": [ "必須明確指定 `wooo/awoooi` 的 canonical source 與 owner review 責任人。", "必須承認 refs truth / workflow-secret parity / rollback ADR 未完成前不得推 refs 或切 primary。", - "若 decision 是 hold,必須說明下一個 evidence owner。" + "若 decision 是 hold,必須說明下一個 evidence owner。", + "必須填齊 S4.10 canonical 9 欄,包含 affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan。" ], "rejection_conditions": [ "把既有 GitHub repo 視為可直接 primary。", "要求 push、delete、force push refs 或修改 visibility。", - "缺 canonical source、visibility review owner 或 refs truth review owner。" + "缺 canonical source、visibility review owner 或 refs truth review owner。", + "缺 rollback owner、maintenance window 或 validation plan。" ], "allowed_outputs": [ "更新 GitHub target decision table 的 owner / canonical / visibility read-only 欄位。", 
@@ -931,6 +945,12 @@ "owner_role_or_team", "decision", "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan", "canonical_source", "tag_disposition_owner", "visibility_review_owner", @@ -950,12 +970,14 @@ "acceptance_criteria": [ "必須說明 main SHA 與 tag 差異要由哪個 owner 判定。", "若仍 active,必須保留 refs review lane。", - "若排除 scope,必須附 owner 理由與後續 disposition。" + "若排除 scope,必須附 owner 理由與後續 disposition。", + "必須填齊 S4.10 canonical 9 欄,包含 affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan。" ], "rejection_conditions": [ "用單一句話批准 refs sync。", "未處理 GitHub 缺 Gitea tag 的 disposition。", - "要求刪除任一端 repo 或 refs。" + "要求刪除任一端 repo 或 refs。", + "缺 rollback owner、maintenance window 或 validation plan。" ], "allowed_outputs": [ "更新 refs truth review lane。", @@ -975,6 +997,12 @@ "owner_role_or_team", "decision", "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan", "canonical_source", "github_only_refs_owner", "visibility_review_owner", @@ -994,12 +1022,14 @@ "acceptance_criteria": [ "必須指定 GitHub-only branch / tags 的 owner 或補證 owner。", "必須說明 main SHA truth source 尚未判定時要維持 blocked。", - "若標為 out_of_scope,必須說明與 AwoooP / AWOOOI scope 的關係。" + "若標為 out_of_scope,必須說明與 AwoooP / AWOOOI scope 的關係。", + "必須填齊 S4.10 canonical 9 欄,包含 affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan。" ], "rejection_conditions": [ "要求刪除 GitHub-only refs。", "未指定 GitHub-only refs owner。", - "把 refs classification 當成已批准 sync。" + "把 refs classification 當成已批准 sync。", + "缺 rollback owner、maintenance window 或 validation plan。" ], "allowed_outputs": [ "更新 refs truth classification 的 owner review 欄位。", 
@@ -1019,6 +1049,12 @@ "owner_role_or_team", "decision", "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan", "canonical_source", "internal_remote_disposition", "secret_name_inventory_owner", @@ -1038,12 +1074,14 @@ "acceptance_criteria": [ "必須判定 110 internal remote 是 active source、mirror、legacy 或需要補證。", "必須指定 infra secret 名稱 inventory owner。", - "不得把 internal remote disposition 當成刪除 remote 的批准。" + "不得把 internal remote disposition 當成刪除 remote 的批准。", + "必須填齊 S4.10 canonical 9 欄,包含 affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan。" ], "rejection_conditions": [ "要求直接刪除 remote 或改 remote URL。", "要求搬移或貼出 secret value。", - "未說明 110 internal remote 用途。" + "未說明 110 internal remote 用途。", + "缺 rollback owner、maintenance window 或 validation plan。" ], "allowed_outputs": [ "更新 canonical decision table 的 remote disposition。", @@ -1063,6 +1101,12 @@ "owner_role_or_team", "decision", "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan", "canonical_source", "github_target_disposition", "visibility_review_owner", @@ -1084,12 +1128,14 @@ "acceptance_criteria": [ "必須明確說明 `not_found_or_private` 不能自動視為不存在。", "必須指定 ewoooc / momo-pro-system canonical 判定 owner。", - "若只是批准候選新 repo,仍不得建立 repo,必須先產生 migration plan。" + "若只是批准候選新 repo,仍不得建立 repo,必須先產生 migration plan。", + "必須填齊 S4.10 canonical 9 欄,包含 affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan。" ], "rejection_conditions": [ "把 `not_found_or_private` 當成建立 repo 的直接批准。", "自動合併 unrelated histories。", - "要求刪除任一 momo / ewoooc working tree。" + "要求刪除任一 momo / ewoooc working tree。", + "缺 rollback owner、maintenance window 或 validation plan。" ], "allowed_outputs": [ "更新 target decision table 的 disposition。", 
@@ -1109,6 +1155,12 @@ "owner_role_or_team", "decision", "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan", "active_status", "canonical_source", "github_target_disposition", @@ -1130,12 +1182,14 @@ "acceptance_criteria": [ "必須說明 repo 是否仍 active。", "必須指定 GitHub target 是既有 private、候選新 repo、out-of-scope 或需補證。", - "若 active,必須保留 workflow / secret name parity gate。" + "若 active,必須保留 workflow / secret name parity gate。", + "必須填齊 S4.10 canonical 9 欄,包含 affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan。" ], "rejection_conditions": [ "把 target 看不到當成可直接建立 repo。", "沒有 active_status 或 visibility review owner。", - "要求自動 push refs 或刪除 110 remote。" + "要求自動 push refs 或刪除 110 remote。", + "缺 rollback owner、maintenance window 或 validation plan。" ], "allowed_outputs": [ "更新 target decision table 的 active / disposition 欄位。", @@ -1155,6 +1209,12 @@ "owner_role_or_team", "decision", "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan", "active_status", "canonical_source", "github_target_disposition", @@ -1176,12 +1236,14 @@ "acceptance_criteria": [ "必須說明 repo 是否仍 active。", "必須指定 GitHub target 是既有 private、候選新 repo、out-of-scope 或需補證。", - "若 active,必須保留 workflow / secret name parity gate。" + "若 active,必須保留 workflow / secret name parity gate。", + "必須填齊 S4.10 canonical 9 欄,包含 affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan。" ], "rejection_conditions": [ "把 target 看不到當成可直接建立 repo。", "沒有 active_status 或 visibility review owner。", - "要求自動 push refs 或刪除 110 remote。" + "要求自動 push refs 或刪除 110 remote。", + "缺 rollback owner、maintenance window 或 validation plan。" ], "allowed_outputs": [ "更新 target decision table 的 active / disposition 欄位。", 
@@ -1201,6 +1263,12 @@ "owner_role_or_team", "decision", "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan", "canonical_source", "github_target_disposition", "visibility_review_owner", @@ -1223,12 +1291,14 @@ "acceptance_criteria": [ "必須說明 VibeWork 是否已有 private GitHub target 或只是新 target candidate。", "必須指定 product boundary owner、repo owner、surface owner 與 visibility review owner。", - "必須明確保留 VibeWork 獨立產品邊界,不得把 target decision 當成併入 AWOOOI 或 primary cutover approval。" + "必須明確保留 VibeWork 獨立產品邊界,不得把 target decision 當成併入 AWOOOI 或 primary cutover approval。", + "必須填齊 S4.10 canonical 9 欄,包含 affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan。" ], "rejection_conditions": [ "把 not_found_or_private 視為可直接建立 repo。", "缺 product boundary owner、canonical source 或 visibility review owner。", - "要求修改 workflow、搬 secret value、push refs 或切 primary。" + "要求修改 workflow、搬 secret value、push refs 或切 primary。", + "缺 rollback owner、maintenance window 或 validation plan。" ], "allowed_outputs": [ "更新 GitHub target decision table 的 VibeWork read-only disposition。", @@ -1248,6 +1318,12 @@ "owner_role_or_team", "decision", "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan", "canonical_source", "github_target_disposition", "visibility_review_owner", 
@@ -1271,12 +1347,14 @@ "acceptance_criteria": [ "必須說明 agent-bounty-protocol 是否已有 private GitHub target 或只是新 target candidate。", "必須指定 repo、deployment、external agent、treasury 與 runtime gate owner。", - "必須確認 A2A / MCP / bounty / treasury / payout / withdrawal 不因 target response 而開啟 runtime。" + "必須確認 A2A / MCP / bounty / treasury / payout / withdrawal 不因 target response 而開啟 runtime。", + "必須填齊 S4.10 canonical 9 欄,包含 affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan。" ], "rejection_conditions": [ "把 not_found_or_private 視為可直接建立 repo。", "缺 external agent owner、treasury owner、runtime gate owner 或 visibility review owner。", - "要求啟用 agent action、payout、withdrawal、workflow 修改、push refs 或切 primary。" + "要求啟用 agent action、payout、withdrawal、workflow 修改、push refs 或切 primary。", + "缺 rollback owner、maintenance window 或 validation plan。" ], "allowed_outputs": [ "更新 GitHub target decision table 的 agent-bounty-protocol read-only disposition。", @@ -1307,7 +1385,7 @@ "check_id": "owner_and_visibility_present", "title": "owner 與 visibility review 責任存在", "required": true, - "pass_condition": "每筆回覆必須有 owner role/team、visibility review owner 或明確 out-of-scope disposition。", + "pass_condition": "每筆回覆必須有 canonical 9 欄,並依 template 補齊 visibility review owner、canonical source 或明確 out-of-scope disposition。", "failure_lane": "request_more_evidence", "execution_authorized": false }, @@ -1347,7 +1425,7 @@ "check_id": "secret_values_absent", "title": "未包含 secret value", "required": true, - "pass_condition": "`evidence_refs` 只能指向 repo 內文件、snapshot 或已脫敏 owner metadata,不得含 token、credential、secret value、private key 或 deploy key value。", + "pass_condition": "`redacted_evidence_refs` 只能指向 repo 內文件、snapshot 或已脫敏 owner metadata,不得含 token、credential、secret value、private key 或 deploy key value。", "failure_lane": "quarantine_sensitive_payload", "execution_authorized": false } 
@@ -1370,7 +1448,9 @@ "更新 `source-control-primary-readiness-gate.snapshot.json` 的 blocker wording。", "更新 `source-control-approval-board.snapshot.json` 的 review lane。", "建立 request_more_evidence / quarantine lane。", - "維持 `github_primary_ready_count=0` 與所有 execution flags false。" + "維持 `github_primary_ready_count=0` 與所有 execution flags false。", + "建立 read-only owner response validation record candidate,不進 execution queue。", + "更新 S4.10 收件缺口矩陣的欄位完整度,不調高 owner response accepted count。" ], "forbidden_actions": [ "建立 GitHub repo。", diff --git a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md index d3853eb2..e2851832 100644 --- a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md +++ b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md 
@@ -9,7 +9,7 @@ | 工作視窗 | IwoooS / AWOOOI 資安治理 P0 | | 本次乾淨 worktree | `/private/tmp/awoooi-repair-playbook-coverage-20260611` | | 本次分支 | `codex/repair-playbook-coverage-20260611` | -| 最新觀察到的 `gitea/main` | `8f3ec9f4 fix(i18n): 移除內部工作用語顯示` | +| 最新觀察到的 `gitea/main` | `27ffb928 chore(cd): deploy 58e760f [skip ci]` | | 最新 P0 Telegram 告警 / 批准執行真相鏈基準 | code `32e4beca`、deploy marker `717b5870`、code-review `2658`、CD `2657`;no-action approval 不再觸發 executor,可執行修復 approval 會寫入 `auto_repair_executions`、KM 與 verifier | | 最新 P0 Telegram no-action 人工處置包基準 | code `cd928852`、deploy marker `9181cc0e`、code-review `2666`;正式部署 tree 已包含 no-action 人工處置包、`處置包 / 重診 / 歷史 / 靜默 / 真相鏈 / Runs` 鍵盤、production pod render / keyboard smoke | | 最新 P0 MCP evidence / PlayBook 修復候選基準 | code `cc614023`、D1 blocker clarity `47d677ac`、D2 manual draft package `febe9ecf`、D3 draft work item `e8d5eafb`、D4 work item detail panel `e8a5bac5`、D5 coverage gap contract 本地完成;目前 production deploy marker 仍為 `985a2cfe` 的 D4 Work Items detail panel,D5 尚待推送 / 部署驗證。正式部署 tree 經 production pod smoke 與 Work Items browser smoke 確認可由 MCP evidence + approved PlayBook trust 產生 medium approval candidate、綁定預配置 approval id、不外露 preallocated metadata,且通用兜底 / 診斷型 PlayBook 不會被誤當修復命令;若缺安全修復候選,Telegram 人工處置包會顯示阻擋原因、下一步、PlayBook 草案欄位與 AwoooP 修復候選草案工作項,工作項頁會顯示 PlayBook 草案處置板、必填欄位、阻擋原因、下一步與 Runs / 審批連結;D5 讓 blocked result 進一步輸出服務 coverage gap、blocking stage、必收 MCP evidence refs 與 PlayBook template fields | 
@@ -227,11 +227,11 @@ S4.9 是目前 IwoooS 64% 能往前的第一優先 gate。驗收前所有 count |------|--------|-----------------|--------| | `awoooi` Gitea / GitHub refs refresh | 100% | Gitea heads `170`、GitHub heads `2`、Gitea tags `2`、GitHub tags `0`、main SHA 不一致 | 已重產 ref detail diff / ref truth classification;下一步收 S4.11 owner response | | Gitea public repo inventory refresh | 100% | user endpoint public-only 仍只見 `wooo/awoooi`、`wooo/ewoooc`;org endpoint 仍 blocked / 404 | 取得只讀 token 或 redacted admin export 批准 | -| GitHub target probe refresh | 100% | 8 個候選中 5 個可讀、3 個 `not_found_or_private`;`open-design` heads `644` 只作 external scope evidence | P1-3 handoff 已補;owner / visibility / canonical response 仍待收 | +| GitHub target probe refresh | 100% | 10 個候選中 5 個可讀、5 個 `not_found_or_private`;`open-design` 只作 external scope evidence;`VibeWork` 與 `agent-bounty-protocol` 已納入 approval-required queue | P1-3 handoff 已補;owner / visibility / canonical response 仍待收 | | Workflow / secret 名稱本機 evidence refresh | 100% | 31 個 workflow files、42 個 unique referenced secret names、`secret_value_detected=false` | 補 webhook、runner owner、deploy key、branch protection、secret name parity | | Primary readiness gate 文件更新 | 90% | 已寫入 2026-06-04 refs truth 重產結果與禁止誤讀規則 | 跑 guard 後以 LOGBOOK 封存 | | Gitea authenticated inventory request handoff | 100% | S4.5 請求已對齊 S4.9 owner response gate,補 5 項 request dispatch preflight、8 欄 handoff packet 與送後不變條件 | 仍未收 token value、未收 payload、未 import inventory;S4.6/S4.9 驗收前不得標記 status=ok | -| GitHub target owner response handoff | 100% | S4.10 已對齊 2026-06-04 target probe,補 6 項 target owner handoff preflight、9 欄 handoff packet 與送後不變條件 | `not_found_or_private` 不得視為不存在;received / accepted 仍 0,不建 repo、不改 visibility | +| GitHub target owner response handoff | 100% | S4.10 已對齊 2026-06-11 target probe,補 6 項 target owner handoff preflight、9 個 target、canonical 9 欄 handoff packet 與送後不變條件 | `not_found_or_private` 不得視為不存在;received / accepted 仍 0,不建 repo、不改 visibility | | 全量 Gitea 專案版本盤點 | 25% | 目前仍是 
public-only + 本機輔助 evidence | 需只讀 token / admin export;不使用 write credential | | 逐 repo refs truth queue | 100% | S4.11 current queue 已重產為 `194` refs review items:真相來源 `4`、deprecated / archive 候選 `142`、release tag `3`、GitHub-only `20` | 送 owner response;received / accepted 仍維持 0 | | Workflow / runner / secret parity owner response handoff | 100% | S4.12 已對齊 2026-06-04 local evidence,補 6 項 workflow / secret handoff preflight、9 欄 handoff packet 與送後不變條件;local secret names 校正為 `42` | 只收 redacted metadata,不收 value / hash / partial token;received / accepted 仍 0 | 
@@ -272,7 +272,7 @@ P1 只讀重盤階段整體完成度:`70%`。它代表 freshness / inventory / |------|------|------|----------| | P1-1 | Source-control refs truth 重產 | 以 2026-06-04 `awoooi` refs refresh 重產 detail diff / truth classification | 新 queue 已改為 `194` items,不再引用舊 `141` 為 current | | P1-2 | Gitea authenticated inventory request | 已補 2026-06-04 request handoff package;S4.9 owner response gate 作先行條件,只讀 token API / redacted admin export 二選一 | 只收 metadata,不保存 token value;received / accepted / imported 全部仍為 0 | -| P1-3 | GitHub target owner response | 已補 2026-06-04 target owner handoff package;對 7 個 in-scope targets 收 owner / visibility / canonical 決策 | received / accepted 前仍全部 0;`not_found_or_private` 不代表不存在或可建立 | +| P1-3 | GitHub target owner response | 已補 2026-06-11 target owner handoff package;對 9 個 approval-required targets 收 owner / visibility / canonical 決策,且每筆必須具備 owner role/team、decision、decision reason、affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window、validation plan | received / accepted 前仍全部 0;`not_found_or_private` 不代表不存在或可建立 | | P1-4 | Workflow / runner / secret parity evidence | 已補 2026-06-04 owner response handoff package;webhook、runner owner、deploy key、branch protection、CODEOWNERS、secret name parity 只收 redacted metadata | secret value、hash、masked token、partial token 仍拒收;received / accepted 前全部 0 | | P1-5 | Primary rollback ADR 補強 | 已補 2026-06-04 rollback owner handoff package;逐 repo rollback owner、trigger、validation window、fallback role 進入可交接模板 | ADR approved 前不切 primary;received / accepted / approved 仍 0 | | P1-6 | AwoooP Session 同步 | 同步 commits、runs、production sanity、P1 refresh counts、gate 0 / false | 另一 Session 不再使用舊 refs count | 
@@ -296,11 +296,11 @@ P1 只讀重盤階段整體完成度:`70%`。它代表 freshness / inventory / | P1 `awoooi` refs inventory refresh | Gitea heads `170`、GitHub heads `2`、Gitea tags `2`、GitHub tags `0`,Gitea `main=64490d32...`、GitHub `main=202071f...`,仍 `blocked` | | P1 refs truth classification refresh | current queue `194` items;`manual_truth_required=4`、`deprecated_candidate=142`、`release_tag_review=3`、`github_only_review=20`;S4.11 owner response received / accepted 仍為 0 | | P1 Gitea repo inventory refresh | user endpoint public-only 2 repos;org endpoint blocked / 404;仍需只讀 token 或 redacted admin export | -| P1 GitHub target probe refresh | 8 個候選中 5 個可讀、3 個 `not_found_or_private`;`open-design` heads `644` 僅作 external scope | +| P1 GitHub target probe refresh | 10 個候選中 5 個可讀、5 個 `not_found_or_private`;`open-design` 僅作 external scope;`VibeWork` 與 `agent-bounty-protocol` 已列入 approval-required queue | | P1 workflow / secret 名稱 refresh | 31 個 workflow files、42 個 unique referenced secret names、`secret_value_detected=false` | | P1-2 Gitea authenticated inventory request handoff | S4.5 request 日期更新為 2026-06-04;補 5 項 dispatch preflight、8 欄 request handoff packet、送後不變條件;payload received / accepted / imported 仍 0 | | P1-2 JSON parse / structure check | `gitea-authenticated-inventory-export-request.snapshot.json` 與 schema JSON parse 通過;本段自訂結構檢查 `GITEA_AUTHENTICATED_INVENTORY_HANDOFF_STRUCTURE_OK`;本地無 `jsonschema` / AJV,未跑完整 schema validator | -| P1-3 GitHub target owner response handoff | S4.10 日期更新為 2026-06-04;補 6 項 target owner handoff preflight、9 欄 handoff packet、送後不變條件;received / accepted / rejected 仍 0 | +| P1-3 GitHub target owner response handoff | S4.10 日期更新為 2026-06-11;補 6 項 target owner handoff preflight、9 個 target、canonical 9 欄 handoff packet、送後不變條件;received / accepted / rejected 仍 0 | | P1-3 JSON parse / structure check | `github-target-owner-decision-response.snapshot.json` 與 schema JSON parse 通過;本段自訂結構檢查 `GITHUB_TARGET_OWNER_HANDOFF_STRUCTURE_OK`;本地無 `jsonschema` / AJV,未跑完整 schema 
validator | | P1-4 Workflow / secret owner response handoff | S4.12 日期更新為 2026-06-04;補 6 項 workflow / secret handoff preflight、9 欄 handoff packet、送後不變條件;local referenced secret names 校正為 `42`;received / accepted / rejected 仍 0 | | P1-4 JSON parse / structure check | `source-control-workflow-secret-name-owner-response.snapshot.json` 與 schema JSON parse 通過;本段自訂結構檢查 `WORKFLOW_SECRET_OWNER_HANDOFF_STRUCTURE_OK`;本地無 `jsonschema` / AJV,未跑完整 schema validator |
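Review bot: in the docs/LOGBOOK.md hunk, the new 2026-06-11 entry states that the schema now "允許 `target_probe_summary.newly_added_in_scope_targets`", which means the snapshot committed in `58e760fa` carried a property the schema rejected (`additionalProperties: false` on that object) and the custom structure check `GITHUB_TARGET_OWNER_HANDOFF_STRUCTURE_OK` did not catch it. Record that gap in the entry (under 完成 or 邊界) rather than presenting the schema change as a routine addition, and note that a full JSON Schema validator still has not been run on the snapshot.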
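Review bot: in the github_target_owner_decision_response_v1.schema.json hunk, `newly_added_in_scope_targets` is declared as a bare `{"type": "array", "items": {"type": "string"}}`; with `additionalProperties: false` on the parent this is now the only guard, so a typo in a target name or a duplicated entry validates. Add `uniqueItems: true` and constrain items to the `github_repo` identifiers of the nine approval-required targets (or at least `minItems: 1`). The 七個 → 九個 change in the `owner_response_template_statuses` description is prose only; nothing in this hunk pins that array to nine items, so if `minItems`/`maxItems` are not set elsewhere in the schema, a seven-template snapshot still validates.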
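Review bot: in the GITHUB-TARGET-OWNER-DECISION-RESPONSE.md section 2 table, `maintenance_window` gets an explicit sentinel (`not_authorized_yet`) but `rollback_owner` and `validation_plan` do not, although all three are described as "若未來進入變更候選". For a `hold`, `unknown_requires_more_evidence` or out-of-scope decision an owner has nothing truthful to put in those two fields, so a reviewer cannot tell "not applicable yet" from "missing" and the 缺漏時處理 column (補件) would loop. Define the same sentinel for `rollback_owner` and `validation_plan`, and state in section 6 item 6 whether a sentinel value counts as the field being present.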
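Review bot: in the section 5/6 hunk of GITHUB-TARGET-OWNER-DECISION-RESPONSE.md, rule 8 is renamed from `evidence_refs` to `redacted_evidence_refs` (and the snapshot's `secret_values_absent` check gets the same rename), but the schema hunk in this patch does not rename any property. If the schema still declares `evidence_refs` anywhere (template required lists, intake records, audit metadata), the nine templates now list a field name the schema does not know and the old name is left dangling. Grep the schema for `evidence_refs` and rename there in the same commit, or say explicitly that both names are accepted.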
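Review bot: in the snapshot hunk at `@@ -190,7 +191,12 @@`, `redacted_evidence_refs` and `followup_owner` are appended to the tail of `allowed_response_fields`, but both already appeared in the previous `required_response_fields` list (visible in the `@@ -125,11 +125,12 @@` hunk), so they were almost certainly already in the head of the allowed list, which the hunk context does not show. Check for duplicate entries: a `uniqueItems` constraint would reject them, and without one they silently inflate the field count AwoooP displays.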
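Review bot: across the nine template hunks (`@@ -886` through `@@ -1271`), the identical six-line field block plus the two sentences "必須填齊 S4.10 canonical 9 欄…" and "缺 rollback owner、maintenance window 或 validation plan。" are pasted into every template's required list, `acceptance_criteria` and `rejection_conditions`. That duplicates what `target_owner_handoff_packet.required_response_fields` already declares and will drift the next time the canonical list changes. Prefer having the structure check assert that each template's required list is a superset of `required_response_fields`, and keep the per-template lists to target-specific fields such as `tag_disposition_owner`, `internal_remote_disposition` or `treasury_owner`. Note also that the `@@ -1109` and `@@ -1155` templates now carry byte-identical criteria and rejection conditions; if that is intended, a comment saying which two targets share them would save the next reader a diff.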
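Review bot: in the `allowed_outputs` hunk at `@@ -1370,7 +1448,9 @@`, the new line "更新 S4.10 收件缺口矩陣的欄位完整度,不調高 owner response accepted count。" refers to an intake gap matrix that no other hunk in this patch defines or references (not the LOGBOOK entry, not the markdown doc, not the workplan). Either point at the snapshot key or document that holds that matrix, or drop the line; an allowed output with no target artifact is something AwoooP cannot act on and a reviewer cannot verify.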
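Review bot: in the workplan hunks, the "GitHub target owner response handoff" row and the P1-3 task row are moved to 2026-06-11, but the adjacent unchanged "P1-3 JSON parse / structure check" row still reports only the custom `GITHUB_TARGET_OWNER_HANDOFF_STRUCTURE_OK` check and "本地無 `jsonschema` / AJV,未跑完整 schema validator". After a schema change to an `additionalProperties: false` object and a 142-line snapshot change, that row should state whether the check was re-run on this commit. The subject also carries `[skip ci]`, so any schema validation job that does exist did not run on this change either; for a commit that edits a schema and its snapshot, drop the tag or run the validator by hand and record the result.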