From d7d8f9f5656a27ce1e899329bf5c7ca1cfe86c4e Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 18 May 2026 19:32:42 +0800 Subject: [PATCH] docs(security): add ref truth template status ledger --- docs/LOGBOOK.md | 15 +++ ...ol_ref_truth_owner_response_v1.schema.json | 47 ++++++++ ...WOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md | 6 +- ...ECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md | 6 +- .../GITEA-GITHUB-MIGRATION-INVENTORY.md | 2 +- docs/security/SECURITY-APPROVAL-GATE.md | 2 +- docs/security/SECURITY-APPROVAL-QUEUE.md | 2 +- .../SECURITY-APPROVAL-REVIEW-PACKET.md | 2 +- .../SECURITY-FOLLOWUP-RUNTIME-GATE.md | 2 +- docs/security/SECURITY-MIRROR-DRY-RUN.md | 2 +- docs/security/SECURITY-MIRROR-READINESS.md | 2 +- .../security/SECURITY-MIRROR-STATUS-ROLLUP.md | 5 +- ...SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md | 4 +- .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 13 ++- .../SOURCE-CONTROL-MIGRATION-MATRIX.md | 6 +- ...ONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md | 2 +- .../SOURCE-CONTROL-PRIMARY-READINESS-GATE.md | 8 +- .../security/SOURCE-CONTROL-RECONCILE-PLAN.md | 2 +- ...SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md | 5 +- ...SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md | 24 +++- .../security-approval-gate.snapshot.json | 2 +- .../security-approval-queue.snapshot.json | 2 +- ...urity-approval-review-packet.snapshot.json | 4 +- ...curity-followup-runtime-gate.snapshot.json | 4 +- .../security-mirror-dry-run.snapshot.json | 2 +- .../security-mirror-readiness.snapshot.json | 4 +- ...ecurity-mirror-status-rollup.snapshot.json | 18 ++- ...pply-chain-contract-manifest.snapshot.json | 4 +- ...r-response-validation-rollup.snapshot.json | 6 +- ...ntrol-primary-readiness-gate.snapshot.json | 4 +- ...rol-ref-truth-owner-response.snapshot.json | 110 ++++++++++++++++++ .../security-mirror-progress-guard.py | 1 + .../source-control-owner-response-guard.py | 7 ++ 33 files changed, 267 insertions(+), 58 deletions(-) 
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 1dad9311..35a48bc0 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,18 @@
+## 2026-05-18 | 資安供應鏈 S4.11:Refs Truth Owner Response Template Status Ledger
+
+**背景**:S4.11 已有 refs truth owner response request packet、response templates、acceptance checks 與 rejection rules;本輪補上 5 個 template status ledger,讓 AwoooP 能逐項顯示 main/dev truth、deprecated drift、release tag retention 與 GitHub-only refs response 仍為 `waiting_owner_response`,避免只看總數時誤判 request 已送出、response 已收到或已接受。
+
+**完成**:
+- `source_control_ref_truth_owner_response_v1` schema 新增 optional `owner_response_template_statuses`,summary 新增 `owner_response_template_status_count=5`。
+- `source-control-ref-truth-owner-response.snapshot.json` 新增 5 個 template statuses,全部維持 `collection_status=waiting_owner_response`、`request_status=request_ready_not_sent`、received / accepted / rejected 皆為 0。
+- `source-control-owner-response-guard.py` 反查 S4.11 template status count、template id 順序、display order、狀態、計數、`execution_authorized=false` 與 `not_approval=true`。
+- 更新 S4.11 人讀文件與 AwoooP / readiness / approval / status rollup / manifest / progress 顯示說明。
+
+**仍禁止**:
+- 不把 S4.11 template status ledger 當成 request sent、owner response received、accepted 或 approval。
+- 不把任一單項 refs truth response 當成 fetch、push、delete、force push、tag rewrite、backfill 或 GitHub primary approval。
+- 不保存 token value、secret value、private key、cookie、session、private clone URL credential、repo archive、git object pack、DB dump、API raw body 或 execution request payload。
+
 ## 2026-05-18 | 資安供應鏈 S4.11:Refs Truth Owner Response Request Packet
 
 **背景**:S4.11 已有 refs truth owner response templates、acceptance checks 與 rejection rules;本輪補上 owner response request packet,讓 AwoooP 在請 owner 回覆前先固定「要回覆哪 5 類 refs truth 問題、允許欄位、脫敏 evidence 規則與拒收 payload」,避免把 owner request 誤升級成 refs sync / delete / force push / GitHub primary approval。
diff --git a/docs/schemas/source_control_ref_truth_owner_response_v1.schema.json b/docs/schemas/source_control_ref_truth_owner_response_v1.schema.json
index bc1aeaf0..93e7018e 100644
--- a/docs/schemas/source_control_ref_truth_owner_response_v1.schema.json
+++ b/docs/schemas/source_control_ref_truth_owner_response_v1.schema.json
@@ -63,6 +63,7 @@
 "release_tag_review_count",
 "github_only_review_count",
 "owner_response_request_packet_count",
+ "owner_response_template_status_count",
 "response_template_count",
 "received_response_count",
 "accepted_response_count",
@@ -88,6 +89,7 @@
 "release_tag_review_count": {"type": "integer", "minimum": 0},
 "github_only_review_count": {"type": "integer", "minimum": 0},
 "owner_response_request_packet_count": {"type": "integer", "minimum": 0},
+ "owner_response_template_status_count": {"type": "integer", "minimum": 0},
 "response_template_count": {"type": "integer", "minimum": 0},
 "received_response_count": {"type": "integer", "minimum": 0},
 "accepted_response_count": {"type": "integer", "minimum": 0},
@@ -103,6 +105,51 @@
 },
 "additionalProperties": false
 },
+ "owner_response_template_statuses": {
+ "type": "array",
+ "description": "S4.11 五個 refs truth response templates 的逐項收件狀態;只供 AwoooP 顯示,不代表 approval、refs execution queue 或 primary readiness。",
+ "items": {
+ "type": "object",
+ "required": [
+ "template_id",
+ "lane",
+ "display_order",
+ "collection_status",
+ "request_status",
+ "received_response_count",
+ "accepted_response_count",
+ "rejected_response_count",
+ "latest_outcome_lane",
+ "next_owner_action",
+ "awooop_display_mode",
+ "execution_authorized",
+ "not_approval",
+ "still_forbidden"
+ ],
+ "properties": {
+ "template_id": {"type": "string"},
+ "lane": {"type": "string"},
+ "display_order": {"type": "integer", "minimum": 1},
+ "collection_status": {"type": "string", "enum": ["waiting_owner_response"]},
+ "request_status": {"type": "string", "enum": ["request_ready_not_sent"]},
+ "received_response_count": {"type": "integer", "minimum": 0},
+ "accepted_response_count": {"type": "integer", "minimum": 0},
+ "rejected_response_count": {"type": "integer", "minimum": 0},
+ "latest_outcome_lane": {"type": "string", "enum": ["keep_waiting_owner_response"]},
+ "next_owner_action": {"type": "string"},
+ "awooop_display_mode": {"type": "string", "enum": ["display_template_status_only"]},
+ "execution_authorized": {"type": "boolean", "const": false},
+ "not_approval": {"type": "boolean", "const": true},
+ "still_forbidden": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ }
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1
+ },
 "owner_response_request_packet": {
 "type": "object",
 "description": "AwoooP 可直接顯示給 owner 的 S4.11 refs truth 回覆請求;只說明要填什麼與不得貼什麼,不授權 fetch、push、delete、force push、rewrite refs 或 GitHub primary 執行。",
diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
index df618f54..77177175 100644
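Review bot: The new `owner_response_template_statuses` items pin `collection_status` to `waiting_owner_response` and `latest_outcome_lane` to `keep_waiting_owner_response`, yet `received_response_count`, `accepted_response_count` and `rejected_response_count` carry only `"minimum": 0`, so a ledger entry reporting `accepted_response_count: 1` while still claiming to be waiting is schema-valid. While those enums stay single-valued the counts should be pinned the same way so the contract fails closed: `"received_response_count": {"type": "integer", "const": 0},` and likewise for the accepted and rejected counts; when the enums are widened to admit received responses, relax the counts in the same change. The array also lacks `"uniqueItems": true` and a `"maxItems"`, so duplicate template entries are not rejected at the schema level; the commit message says the guard script checks template id order and the count, but that hunk is outside this view, so adding `"uniqueItems": true` here is cheap defense in depth. Note too that the array itself is optional while `owner_response_template_status_count` is required in the summary, so a summary count of 5 with no ledger array at all validates unless the guard cross-checks the two.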
--- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
+++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
@@ -53,7 +53,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `source_control_approval_board_v1` | 逐 repo owner / visibility / canonical / refs 決策 board | Approval queue、PR reviewer handoff | approval-only | 只顯示決策隊列,不執行 board item | | `source_control_reconcile_plan_v1` | refs-blocked repo draft reconcile plan | Approval candidate、migration reviewer handoff | approval-only | 只顯示草案;S4.11 response 通過前只更新 wording,不 push refs、不切 primary | | `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff,不 fetch、不 push、不刪 refs | -| `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類;S4.11 owner response request packet / 收件包 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類、1 個 request packet、5 個 response templates 與人工判定隊列,不執行 sync/delete/force push | +| `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類;S4.11 owner response request packet / template status ledger / 收件包 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類、1 個 request packet、5 個 template statuses、5 個 response templates 與人工判定隊列,不執行 sync/delete/force push | | `source_control_primary_readiness_gate_v1` | GitHub primary readiness / parity gate | Source-control review、Operator Console、Audit | approval-only | 只顯示 primary blockers、parity gates、rollback ADR 缺口;目前 `primary_ready_count=0` | | `source_control_primary_rollback_adr_v1` | GitHub primary rollback ADR 草案與 validation window | Source-control review、Operator Console、Audit | approval-only | 只顯示 7 個 repo 的 rollback draft、owner review、validation window;不得執行 rollback 或切 primary | | `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.12 owner response 收件包 | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口、S4.2 local evidence、S4.3 redacted export request 
與 5 個 response templates;目前 `inventory_complete_count=0`,不得保存 secret value | @@ -128,7 +128,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `source_control_approval_board_v1.pending_approval_count>0` | `approve_required` | 顯示逐 repo 決策隊列,不執行 repo 建立、visibility 修改、refs sync | | `source_control_reconcile_plan_v1.status=draft_blocked` | `approve_required` | 只顯示 refs reconcile 草案與 gate,不執行 sync | | `source_control_ref_detail_diff_v1.status=draft_blocked` | `observe` | 顯示 branch/tag 明細 diff,支援人工 review | -| `source_control_ref_truth_classification_v1.status=draft_blocked` | `approve_required` | 顯示 main/dev 真相來源、drift deprecated 候選、release / UAT tag review lane、S4.11 owner response request packet 與 templates;不執行分類結果 | +| `source_control_ref_truth_classification_v1.status=draft_blocked` | `approve_required` | 顯示 main/dev 真相來源、drift deprecated 候選、release / UAT tag review lane、S4.11 owner response request packet、template status ledger 與 templates;不執行分類結果 | | `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 S4.2 local evidence、S4.3 export request 與 S4.12 owner response templates;不收 secret value、不改 workflow、不啟用 runner | | `local_repo_canonical_probe_v1.status=unrelated` | `approve_required` | 禁止自動合併,需人工 canonical 判定 | | `git_remote_refs_probe_v1.status=ok` | `observe` | 可作 source evidence,但仍需 GitHub target 與 approval | 
@@ -218,7 +218,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 2. Security Supply Chain Session 補齊 Gitea 全量 repo inventory 的只讀 token 或管理匯出來源。 3. AwoooP 先 mirror S4.13 owner response validation rollup,集中顯示 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets;不得把 rollup 視為 approval 或 execution authorization。 4. Security Supply Chain Session 依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response。 -5. Security Supply Chain Session 依 S4.11 request packet 收到並驗收 5 個 refs truth owner response templates;response 通過也只更新 read-only classification / reconcile / readiness wording。 +5. Security Supply Chain Session 依 S4.11 request packet 與 template status ledger 收到並驗收 5 個 refs truth owner response templates;response 通過也只更新 read-only classification / reconcile / readiness wording。 6. Security Supply Chain Session 依 S4.12 收到並驗收 5 個 workflow / secret 名稱 owner response templates;response 通過也只更新 read-only inventory / export request / readiness wording。 7. AwoooP 只建立 mirror/read-only policy 入口,不新增 execution action。 8. 任一方要把事件升級成實際執行,都必須先產出 `approval_required_event_v1`,並在 `security_approval_queue_v1` 中維持 `blocked_until_approved=true` 直到人工決策完成。 diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index c25391c7..474b895a 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md 
@@ -261,7 +261,7 @@ AwoooP 初期處理方式:只顯示 blockers、evidence refs 與 required revi ### `source_control_ref_truth_owner_response_v1` -用途:定義 S4.11 refs truth owner response request packet 與收件包,讓 AwoooP 在處理 `source_control_ref_truth_classification_v1` 前,先看到 owner 要回覆哪 5 類 refs truth 問題,以及 main/dev truth、deprecated drift、release tag 與 GitHub-only refs 的 response 欄位、可接受決策、驗收規則與拒收規則。 +用途:定義 S4.11 refs truth owner response request packet、template status ledger 與收件包,讓 AwoooP 在處理 `source_control_ref_truth_classification_v1` 前,先看到 owner 要回覆哪 5 類 refs truth 問題、各 template 是否仍 waiting,以及 main/dev truth、deprecated drift、release tag 與 GitHub-only refs 的 response 欄位、可接受決策、驗收規則與拒收規則。 Schema:`docs/schemas/source_control_ref_truth_owner_response_v1.schema.json` 
@@ -393,7 +393,7 @@ Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json` Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json` -目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆、primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner response request packet 1 筆、template statuses 7 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、intake preflight checks 6 筆、owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;S4.11 refs truth owner response request packet 1 筆、templates 5 筆、received response 0 筆、accepted response 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、display sections 8 筆、collection checks 6 筆、S4.9 owner response templates 5 筆、intake preflight checks 6 筆、outcome lanes 5 筆、received response 0 筆、audit events emitted 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆、S4.12 owner response templates 5 筆、received response 0 筆、accepted response 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 +目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 
筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆、primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner response request packet 1 筆、template statuses 7 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、intake preflight checks 6 筆、owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;S4.11 refs truth owner response request packet 1 筆、template statuses 5 筆、templates 5 筆、received response 0 筆、accepted response 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、display sections 8 筆、collection checks 6 筆、S4.9 owner response templates 5 筆、intake preflight checks 6 筆、outcome lanes 5 筆、received response 0 筆、audit events emitted 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆、S4.12 owner response templates 5 筆、received response 0 筆、accepted response 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。 
@@ -863,7 +863,7 @@ Console 初期不提供高風險執行按鈕。 2026-05-13 ref truth classification 追加:已新增 `scripts/security/source-control-ref-truth-classification.py`、`docs/schemas/source_control_ref_truth_classification_v1.schema.json`,並產出 `docs/security/source-control-ref-truth-classification.snapshot.json` 與 `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md`。目前 141 個 refs review items 已拆成 4 個 `manual_truth_required`、114 個 `manual_review_deprecated_candidate`、3 個 `manual_review_release_tag`、20 個 `manual_review_github_only`。AwoooP 可建立 repo owner review queue,但不得把分類結果直接執行成 refs sync、delete、force push 或 GitHub primary switch。 -2026-05-17 S4.11 ref truth owner response 追加,2026-05-18 補 request packet:已新增 `docs/schemas/source_control_ref_truth_owner_response_v1.schema.json`、`docs/security/source-control-ref-truth-owner-response.snapshot.json` 與 `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md`。目前 1 個 owner response request packet 與 5 個 response templates 對應 main/dev truth、deprecated drift、release tag retention 與 GitHub-only refs review;received / accepted response 皆為 0。AwoooP 可 mirror 成 owner response intake queue,但不得把 request packet 或 response packet 當成 refs sync、delete、force push 或 GitHub primary approval。 +2026-05-17 S4.11 ref truth owner response 追加,2026-05-18 補 request packet 與 template status ledger:已新增 `docs/schemas/source_control_ref_truth_owner_response_v1.schema.json`、`docs/security/source-control-ref-truth-owner-response.snapshot.json` 與 `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md`。目前 1 個 owner response request packet、5 個 template statuses 與 5 個 response templates 對應 main/dev truth、deprecated drift、release tag retention 與 GitHub-only refs review;received / accepted response 皆為 0。AwoooP 可 mirror 成 owner response intake queue,但不得把 request packet、template status ledger 或 response packet 當成 refs sync、delete、force push 或 GitHub primary approval。 2026-05-12 public search / canonical 追加:Gitea public search 在未提供 token 時可見 `wooo/awoooi`、`wooo/ewoooc`。已新增 
`docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md`,其中 `wooo/ewoooc`、`root/momo-pro-system`、`momo-pro-system`、`momo_pro_system` 仍需人工判定 canonical 關係,不得自動合併。 diff --git a/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md b/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md index 99479282..55ec62b8 100644 --- a/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md +++ b/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md 
@@ -51,7 +51,7 @@ - `wooo-infra-config` 的 GitHub remote 與本機 `main` 對齊;110 internal remote 目前 read-only probe 不可讀,需判斷是否為舊 remote、mirror 或權限問題。 - GitHub target 決策表已建立,8 個候選中 7 個需人工批准;其中 `ewoooc`、`bitan-pharmacy`、`tsenyang-website` 在 target visibility / owner 決策前不得自動建立或同步。 - GitHub target repo-by-repo approval package 已建立,7 個 approval-required targets 拆成 refs reconcile、target 建立 / 授權、internal remote 用途確認三條路徑;此 package 採低摩擦原則,只 gate 高風險執行,不阻擋 read-only evidence。 -- Source Control ref truth classification 已建立,141 個 refs review items 已拆成 4 個真相來源判定、114 個 drift deprecated 候選、3 個 release tag review、20 個 GitHub-only refs review;S4.11 已補 1 個 owner response request packet 與 5 個 owner response templates,received / accepted response 皆為 0。這是人工判定隊列與收件框架,不是同步批准。 +- Source Control ref truth classification 已建立,141 個 refs review items 已拆成 4 個真相來源判定、114 個 drift deprecated 候選、3 個 release tag review、20 個 GitHub-only refs review;S4.11 已補 1 個 owner response request packet、5 個 template statuses 與 5 個 owner response templates,received / accepted response 皆為 0。這是人工判定隊列與收件框架,不是同步批准。 - Workflow / secret 名稱 owner response 已建立,S4.12 補 5 個 response templates,received / accepted response 皆為 0;這只允許 owner 補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition,不授權收 secret value、修改 workflow、啟用 GitHub hosted runner 或切 GitHub primary。 - Owner response validation rollup 已建立,S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,共 22 個 response templates、received / accepted response 皆為 0;這只是驗收總覽,不是 approval、runtime gate 或執行授權。 - 本機可見 Git working tree 輔助盤點已找到 13 個 repo,其中去重後 Gitea repo 4 個、GitHub repo 5 個、110 內部 repo 4 個;此結果可用來補遷移矩陣,但不能取代 Gitea server 全量清單。 diff --git a/docs/security/SECURITY-APPROVAL-GATE.md b/docs/security/SECURITY-APPROVAL-GATE.md index f0188214..638adc25 100644 --- a/docs/security/SECURITY-APPROVAL-GATE.md +++ b/docs/security/SECURITY-APPROVAL-GATE.md 
@@ -39,7 +39,7 @@ S3.1 開始,實際人工決策紀錄由 `security_approval_decision_record_v1` | 2 | Safe web crawl | 只批准低噪音 scope 定義 | | 3 | Gitea owner attestation + read-only inventory | 先依 S4.9 驗收 S4.7 owner response,再只批准只讀 inventory 或 redacted admin export | | 4 | GitHub target decisions | 只批准逐 repo S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response 與 S4.12 workflow / secret 名稱 response 驗收與決策草案 | -| 5 | Ref truth review | 只批准 S4.11 request packet / owner response 驗收、人工分類與 reconcile 草案 | +| 5 | Ref truth review | 只批准 S4.11 request packet / template status ledger / owner response 驗收、人工分類與 reconcile 草案 | | 6 | Credentialed scan | 只允許人工 exception 設計,仍需 runtime gate | | 7 | Kali full-upgrade / reboot | 只允許維護窗口與 rollback 規劃 | | 8 | Kali `/execute` | 預設維持 block candidate | diff --git a/docs/security/SECURITY-APPROVAL-QUEUE.md b/docs/security/SECURITY-APPROVAL-QUEUE.md index 28a6cba3..e50530aa 100644 --- a/docs/security/SECURITY-APPROVAL-QUEUE.md +++ b/docs/security/SECURITY-APPROVAL-QUEUE.md 
@@ -36,7 +36,7 @@ S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1 | 2 | `kali-safe-web-crawl-approval-20260513` | TLS/header/basic crawl 屬低噪音,但仍需批准 scope | | 3 | `gitea-private-internal-server-side-inventory-2026-05-12` | 先依 S4.9 收到並驗收 S4.7 owner coverage attestation response,再審 Gitea 全量版本轉 GitHub 的只讀 inventory gate | | 4 | `source-control-target-repo-approval-bundle-20260513` | 先依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 驗收逐 repo owner / visibility / canonical response,並依 S4.12 驗收 workflow / secret 名稱 owner response | -| 5 | `source-control-ref-truth-review-bundle-20260513` | 先依 S4.11 request packet 驗收 refs truth owner response,再看 deprecated / release tag review | +| 5 | `source-control-ref-truth-review-bundle-20260513` | 先依 S4.11 request packet / template status ledger 驗收 refs truth owner response,再看 deprecated / release tag review | | 6 | `kali-credentialed-scan-approval-20260513` | 需要憑證,風險較高 | | 7 | `kali-full-upgrade-reboot-approval-20260513` | 需要維護窗口、snapshot、rollback 與 post-check | | 8 | `kali-execute-endpoint-approval-20260513` | CRITICAL,預設 block candidate,不應接入 runtime | diff --git a/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md b/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md index 04ca8545..9e034adc 100644 --- a/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md +++ b/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md 
@@ -40,7 +40,7 @@ S3.4 開始,等待 runtime gate 時要看哪些前置條件,由 `security_fo | 2 | Safe web crawl | `low_noise_scan_scope_review` | 只審低噪音 scope 定義 | | 3 | Gitea owner attestation + read-only inventory | `read_only_inventory_review` | 先依 S4.9 審 S4.7 owner response,再審只讀 token 或 redacted export | | 4 | GitHub target decisions | `design_or_draft_review` | 先審 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response 與 S4.12 workflow / secret 名稱 response,再審 owner / visibility / canonical 草案 | -| 5 | Ref truth review | `design_or_draft_review` | 先審 S4.11 request packet / owner response 驗收,再審人工分類與 reconcile 草案 | +| 5 | Ref truth review | `design_or_draft_review` | 先審 S4.11 request packet / template status ledger / owner response 驗收,再審人工分類與 reconcile 草案 | | 6 | Credentialed scan | `manual_exception_review` | 只審 exception 設計 | | 7 | Kali full-upgrade / reboot | `manual_exception_review` | 只審維護窗口與 rollback 計畫 | | 8 | Kali `/execute` | `blocked_by_default_review` | 預設維持 block candidate | diff --git a/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md b/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md index c77c5f8c..2566eac3 100644 --- a/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md +++ b/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md 
@@ -35,7 +35,7 @@ | Safe web crawl scope | MEDIUM | 只準備 TLS/header/basic crawl 的低噪音 scope | | Gitea owner attestation + read-only inventory | MEDIUM | 先依 S4.9 驗收 S4.7 owner response,再準備 read-only token 或 redacted export inventory | | GitHub target decision | HIGH | 只準備 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response、S4.12 workflow / secret 名稱 response 驗收、owner / visibility / canonical / workflow parity 決策 | -| Ref truth review | HIGH | 只準備 S4.11 request packet / owner response 驗收、refs truth / deprecated / release tag 人工判定 | +| Ref truth review | HIGH | 只準備 S4.11 request packet / template status ledger / owner response 驗收、refs truth / deprecated / release tag 人工判定 | | Credentialed scan exception | HIGH | 只準備人工 exception、credential lifecycle 與停用方式 | | Kali full-upgrade / reboot | HIGH | 只準備維護窗口、snapshot、rollback 與 post-health | | Kali `/execute` exception | CRITICAL | 預設 blocked,只準備 disable / allowlist / audit 設計 | diff --git a/docs/security/SECURITY-MIRROR-DRY-RUN.md b/docs/security/SECURITY-MIRROR-DRY-RUN.md index 72940ec4..6cf65f21 100644 --- a/docs/security/SECURITY-MIRROR-DRY-RUN.md +++ b/docs/security/SECURITY-MIRROR-DRY-RUN.md 
@@ -24,7 +24,7 @@ | `CHECK_ROUTE_COVERAGE` | 確認 route groups 覆蓋所有 contracts | 不建立 fallback execution route | | `CHECK_ACCEPTANCE_AND_QUARANTINE` | 確認驗收與隔離只處理 mirror payload | 不阻擋 runtime | | `CHECK_PROGRESS_GUARD` | 確認 58% headline 進度與 micro progress delta ledger 只作狀態顯示 | 不把進度或 delta ledger 當 approval 或 runtime authorization | -| `CHECK_OWNER_RESPONSE_GUARD` | 確認四包 owner response 仍未收到 / 接受,且 S4.9 request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / preflight / outcome lanes 只提示 owner、逐項顯示 waiting、只定義 0 emitted 的 metadata audit 模板、脫敏範例與只讀 UI 區塊、維持收件狀態分離、分類可審、補證、隔離、拒收或等待;S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 也只提示 7 個 GitHub target 要回覆的欄位、逐項顯示 waiting / request ready、定義 0 emitted 的脫敏 metadata、維持 request / received / accepted 分離,並只分類可收、補證、隔離或拒收;S4.11 request packet 只提示 5 類 refs truth owner response 欄位 | 不把 guard pass、request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo、refs、workflow、secret、runner、primary、audit production ingestion 或 runtime 授權 | +| `CHECK_OWNER_RESPONSE_GUARD` | 確認四包 owner response 仍未收到 / 接受,且 S4.9 request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / preflight / outcome lanes 只提示 owner、逐項顯示 waiting、只定義 0 emitted 的 metadata audit 模板、脫敏範例與只讀 UI 區塊、維持收件狀態分離、分類可審、補證、隔離、拒收或等待;S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 也只提示 7 個 GitHub target 要回覆的欄位、逐項顯示 waiting / request ready、定義 0 emitted 的脫敏 metadata、維持 request / received / accepted 分離,並只分類可收、補證、隔離或拒收;S4.11 request packet 只提示 5 類 refs truth owner response 欄位,template status ledger 逐項顯示 waiting / request ready | 不把 guard pass、request packet、template status ledger、audit event 
templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo、refs、workflow、secret、runner、primary、audit production ingestion 或 runtime 授權 | | `CHECK_LOW_NOISE_CHANNEL` | 確認 Channel Event 低噪音 | 不對 LOW / MEDIUM 洗版 | | `CONFIRM_NO_RUNTIME_ACTION` | 確認 dry-run 沒有任何 runtime action | 不掃描、不 deploy、不 sync refs | diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md index b45a71ab..0f8db986 100644 --- a/docs/security/SECURITY-MIRROR-READINESS.md +++ b/docs/security/SECURITY-MIRROR-READINESS.md 
@@ -89,7 +89,7 @@ AwoooP 可以將 ready / partial contracts mirror 到: GitHub target 決策面需同時 mirror S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` 與 `github-target-owner-decision-response.snapshot.json`,只顯示 1 個 owner response request packet、7 個 owner response template statuses、3 個 owner response audit event templates、5 個 owner response redaction examples、6 個 owner response collection checks、6 個 intake preflight checks、7 個 owner decision response templates、received / accepted response 皆為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo creation、visibility change、refs sync 或 GitHub primary approval。 -Ref truth 決策面需同時 mirror S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` 與 `source-control-ref-truth-owner-response.snapshot.json`,只顯示 1 個 owner response request packet、5 個 owner response templates、received / accepted response 皆為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 request packet 或 response packet 當成 refs sync、delete、force push 或 GitHub primary approval。 +Ref truth 決策面需同時 mirror S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` 與 `source-control-ref-truth-owner-response.snapshot.json`,只顯示 1 個 owner response request packet、5 個 template statuses、5 個 owner response templates、received / accepted response 皆為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 request packet、template status ledger 或 response packet 當成 refs sync、delete、force push 或 GitHub primary approval。 Workflow / secret 名稱決策面需同時 mirror S4.12 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` 與 `source-control-workflow-secret-name-owner-response.snapshot.json`,只顯示 5 個 owner response templates、received / accepted response 皆為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 response packet 當成 secret value 收集、workflow 修改、GitHub hosted runner 啟用或 GitHub primary approval。 
diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 68c7f935..67626762 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md 
@@ -28,7 +28,7 @@ | Review packets | S3.2 已建立;8 packets、7 ready for human review、1 block candidate | | State transitions | S3.3 已建立;5 個 decision options 都有 next state,且都不授權執行 | | Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates | -| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,7 個 response templates、owner response 0 筆;S4.11 已補 refs truth owner response request packet 與收件包,5 個 response templates、owner response 0 筆;S4.12 已補 workflow / secret 名稱 owner response 收件包,5 個 response templates、owner response 0 筆;S4.13 已補四包 owner response validation rollup,22 個 templates、received / accepted / rejected 皆為 0 | +| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,7 個 response templates、owner response 0 筆;S4.11 已補 refs truth owner response request packet、5 個 template statuses 與收件包,5 個 response templates、owner response 0 筆;S4.12 已補 workflow / secret 名稱 owner response 收件包,5 個 response templates、owner response 0 筆;S4.13 已補四包 owner response validation rollup,22 個 templates、received / accepted / rejected 皆為 0 | | GitHub primary rollback ADR | S4.4 已建立;7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover | | Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;S4.7 已補 owner coverage attestation;S4.8 已把既有 Gitea queue/gate/review packet/follow-up gate 對齊 attestation 先行;S4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response 收件包、6 個 intake 
preflight checks 與 5 個 outcome lanes;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、owner response 0 筆、audit events emitted 0 筆、敏感 payload 必須隔離、允許收集 token value=false | | Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;S4.12 補 5 個 owner response templates;0 個 inventory complete、禁止收集 secret value、禁止 write token | @@ -59,6 +59,7 @@ | S4.10 collection checks | framework detail | 0 | 只維持 request / received / accepted 狀態分離,不代表 owner response 已收到或已接受 | | S4.10 intake preflight checks | framework detail | 0 | 只分類可收、補證、隔離或拒收,不代表 owner response accepted 或可執行 repo / refs / primary 動作 | | S4.11 request packet | framework detail | 0 | 只顯示 owner 要回覆哪 5 類 refs truth 問題,不代表 request sent、response received、accepted 或 refs sync/delete/force push 授權 | +| S4.11 template status ledger | framework detail | 0 | 只逐項顯示 5 類 refs truth response 仍為 waiting,received / accepted 仍為 0,不代表 refs sync/delete/force push 授權 | headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence: 
@@ -104,7 +105,7 @@ python3 scripts/security/security-mirror-progress-guard.py 3. Gitea private/internal read-only inventory:先依 S4.9 收到並驗收 S4.7 owner coverage attestation response,且 S4.8 已把這個先行條件接到既有 approval queue / gate / review packet / follow-up runtime gate;再依 S4.5 認證匯出請求補全量清冊;收到脫敏 payload 後先依 S4.6 驗收 / 拒收 / 隔離;目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆,不保存 token value。 4. GitHub target / owner / visibility / canonical:先依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 owner decision response templates;received / accepted response 目前皆為 0,不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo creation、visibility change、refs sync 或 primary approval。 5. Kali `/execute` 維持 block candidate。 -6. Refs truth owner response:先依 S4.11 request packet 顯示 main/dev truth、deprecated drift、release tag、GitHub-only refs 的 5 個 response templates;received / accepted response 目前皆為 0,不得把 request packet 或 response packet 當成 refs sync、delete、force push 或 primary approval。 +6. Refs truth owner response:先依 S4.11 request packet 與 template status ledger 顯示 main/dev truth、deprecated drift、release tag、GitHub-only refs 的 5 個 response templates;received / accepted response 目前皆為 0,不得把 request packet、template status ledger 或 response packet 當成 refs sync、delete、force push 或 primary approval。 7. Workflow / secret 名稱 owner response:先依 S4.12 顯示 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 5 個 response templates;received / accepted response 目前皆為 0,不得把 response packet 當成 secret value 收集、workflow 修改、GitHub hosted runner 啟用或 primary approval。 8. 
Owner response validation rollup:先依 S4.13 顯示 S4.9/S4.10/S4.11/S4.12 四包 response packets、22 個 templates、10 個 cross-packet checks 與 quarantine rules;不得把 rollup 當成 approval、runtime gate 或 execution authorization。
 9. GitHub primary readiness blockers 與 rollback ADR 缺口。
diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md
index c0082816..26b7e978 100644
--- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md
+++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md
@@ -47,7 +47,7 @@ | `source_control_approval_board_v1` | approval-only | 逐 repo owner / visibility / canonical / refs 決策 board | `source-control-approval-board.snapshot.json` | | `source_control_reconcile_plan_v1` | approval-only | refs-blocked repo 的 draft reconcile plan;S4.11 response 通過前只更新草案 wording | `source-control-reconcile-plan.snapshot.json` / `source-control-ref-truth-owner-response.snapshot.json` | | `source_control_ref_detail_diff_v1` | mirror-only | refs-blocked repo 的 branch/tag 明細 diff | `source-control-ref-detail-diff.snapshot.json` | -| `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類;S4.11 已補 owner response request packet 與收件包,5 templates、received 0 | `source-control-ref-truth-classification.snapshot.json` / `source-control-ref-truth-owner-response.snapshot.json` | +| `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類;S4.11 已補 owner response request packet、template status ledger 與收件包,5 templates、received 0 | `source-control-ref-truth-classification.snapshot.json` / `source-control-ref-truth-owner-response.snapshot.json` | | `source_control_primary_readiness_gate_v1` | approval-only | GitHub primary readiness / parity gate | `source-control-primary-readiness-gate.snapshot.json` | | `source_control_primary_rollback_adr_v1` | approval-only | GitHub primary rollback ADR 草案與 validation window | `source-control-primary-rollback-adr.snapshot.json` | | `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.2 已補 local evidence,S4.3 已補 redacted export request,S4.12 已補 owner response 收件包 | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` / `source-control-workflow-secret-name-export-request.snapshot.json` / 
`source-control-workflow-secret-name-owner-response.snapshot.json` | 
@@ -60,7 +60,7 @@ 1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`。 2. 再讀本 manifest,取得可消費 contract 與禁止動作。 3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。 -4. 讀到 `source-control-ref-truth-owner-response.snapshot.json` 時,只顯示 S4.11 owner response request packet、response templates、acceptance checks 與 rejection rules;不得新增 refs action。 +4. 讀到 `source-control-ref-truth-owner-response.snapshot.json` 時,只顯示 S4.11 owner response request packet、template status ledger、response templates、acceptance checks 與 rejection rules;不得新增 refs action。 5. 讀到 `source-control-owner-response-validation-rollup.snapshot.json` 時,只顯示 S4.9/S4.10/S4.11/S4.12 四個 response packets 的總覽:22 個 templates、received / accepted / rejected 皆為 0、cross-packet checks 10 個;不得把 rollup 當成 approval 或 execution authorization。 6. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`github_target_decision_v1` 只能顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner decision response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 repo creation、visibility change、refs sync 或 primary switch;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner response 收件包、intake preflight checks、outcome lanes 與覆蓋缺口,不得觸發 token collection 或 Gitea write。 7. 
不新增執行按鈕,不做 runtime enforcement。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index bc8573d1..36ad8001 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -27,7 +27,7 @@ python3 scripts/security/security-mirror-progress-guard.py ### 0.2 Headline 58% 不代表停滯 -近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 S4.11 request packet 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 +近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 S4.11 request packet / template status ledger 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 | 最近完成 | 目前狀態 | headline delta | |----------|----------|----------------| @@ -38,6 +38,7 @@ python3 scripts/security/security-mirror-progress-guard.py | S4.10 collection checks | 已完成草案,只維持 request / received / accepted 狀態分離 | 0 | | S4.10 intake preflight checks | 已完成草案,只分類可收、補證、隔離或拒收 | 0 | | S4.11 request packet | 已完成草案,只顯示 owner 要回覆哪 5 類 refs truth 問題 | 0 | +| S4.11 template status ledger | 已完成草案,5 類 refs truth responses 仍 waiting owner response | 0 | headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。 
@@ -50,7 +51,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S1.2 GitHub target 逐 repo approval | 完成草案 | 7 個 approval-required targets 已拆成逐 repo pending package,並彙整成 8-item approval board;S4.10 目前 response 0 筆 | 低摩擦逐項批准 | | S1.2a refs reconcile plan | 完成草案 | `awoooi`、`clawbot-v5`、`wooo-aiops` 已產生 draft plan;狀態仍為 `draft_blocked` | authenticated inventory + branch/tag diff + single-repo approval | | S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff;已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs | -| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs;S4.11 已補 owner response request packet 與收件包 | repo owner 單 ref / 單 repo 判定 | +| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs;S4.11 已補 owner response request packet、template status ledger 與收件包 | repo owner 單 ref / 單 repo 判定 | | S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 | | S1.4 契約索引 | 完成草案 | 35 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry | | S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate | 
@@ -83,7 +84,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S4.8 Gitea Owner Attestation Approval Lane 對齊 | 完成草案 | 已將既有 Gitea approval queue / gate / review packet / follow-up runtime gate 對齊 S4.7 先行條件;queue items 維持 8、review packets 維持 8、active runtime gates 維持 0 | AwoooP 先顯示 5 個 attestation items,owner decision 接受前不得執行 read-only inventory 或標記 complete | | S4.9 Gitea Owner Attestation Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、5 個 response templates、6 個 intake preflight checks、5 個 outcome lanes、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依 request packet 與模板回覆 S4.7 五個 items;AwoooP 先用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離,再用 preflight / outcome lanes 判斷可審、補證、隔離、拒收或等待;response 通過只更新 read-only matrix / decision table / readiness gate,不代表 inventory 執行、audit production ingestion 或 primary approval | | S4.10 GitHub Target Owner Decision Response 收件包 | 完成草案 | 已建立 owner decision response schema / snapshot / 人讀版;1 個 owner response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、7 個 response templates、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與模板回覆 7 個 GitHub target 的 owner / visibility / canonical;response 通過只更新 read-only decision table / approval package / approval board / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval | -| S4.11 Source Control Ref Truth Owner Response 收件包 | 完成草案 | 已建立 owner response schema / 
snapshot / 人讀版;1 個 owner response request packet、5 個 response templates、8 個 acceptance checks、10 個 rejection rules、total ref review items 141、received response 0、accepted 0、execution authorized=false | owner 依 request packet 與模板回覆 main/dev truth、deprecated drift、release tag、GitHub-only refs;response 通過只更新 read-only classification / reconcile / readiness wording,不代表 refs sync、delete、force push 或 primary approval | +| S4.11 Source Control Ref Truth Owner Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;1 個 owner response request packet、5 個 template statuses、5 個 response templates、8 個 acceptance checks、10 個 rejection rules、total ref review items 141、received response 0、accepted 0、execution authorized=false | owner 依 request packet、template status ledger 與模板回覆 main/dev truth、deprecated drift、release tag、GitHub-only refs;response 通過只更新 read-only classification / reconcile / readiness wording,不代表 refs sync、delete、force push 或 primary approval | | S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證,rollback ADR 仍待 owner approval | SHA/tag/workflow parity、rollback ADR owner approval 與 runtime gate | ## 1. 已建立的主要 evidence 
@@ -199,11 +200,11 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons 1. 先依 S4.9 `GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md` 收到並驗收 S4.7 `GITEA-INVENTORY-COVERAGE-ATTESTATION.md` 的 owner response;S4.8 已把這件事接到既有 approval queue / gate / review packet / follow-up runtime gate。之後再依 S4.5 `GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` 取得 Gitea 認證清冊;收到 payload 後依 S4.6 `GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` 驗收 / 拒收 / 隔離。目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆;只能用只讀 token API 或已脫敏管理匯出補私有 / 內部 server-side 全量 repo list,不保存 token value。 2. 依 S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 與 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical response;目前 response 0 筆、accepted 0 筆,通過後也只更新 read-only decision table / approval package / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval。 -3. 依 S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` request packet 與 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner response 驗收;response 通過也只更新 read-only classification / reconcile / readiness wording,仍不得 push/delete refs 或 force push。 +3. 依 S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` request packet、template status ledger 與 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner response 驗收;response 通過也只更新 read-only classification / reconcile / readiness wording,仍不得 push/delete refs 或 force push。 4. 
依 S4.12 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` 與 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` 對 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 做 owner response 驗收;response 通過也只更新 read-only inventory / export request / readiness wording,仍不得收 secret value、改 workflow 或啟用 runner。 5. 依 S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md` 集中檢查 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets;rollup 通過也只更新 read-only wording,不代表 approval 或 execution authorization。 6. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。 7. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。 -8. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、S4.13 `source_control_owner_response_validation_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / 收件包,GitHub target 決策需同時顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response templates,refs truth 需同時顯示 S4.11 owner response request packet 與 templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request 與 S4.12 
owner response templates,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 +8. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、S4.13 `source_control_owner_response_validation_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / 收件包,GitHub target 決策需同時顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response templates,refs truth 需同時顯示 S4.11 owner response request packet、template status ledger 與 templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request 與 S4.12 owner response templates,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 9. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 -10. 
AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response request packet、S4.9 owner response template status ledger、S4.9 owner response audit event templates、S4.9 owner response redaction examples、S4.9 owner response display sections、S4.9 owner response collection checks、S4.9 owner response templates、S4.10 GitHub target owner response request packet、S4.10 GitHub target owner response template status ledger、S4.10 GitHub target owner response audit event templates、S4.10 GitHub target owner response redaction examples、S4.10 GitHub target owner response collection checks、S4.10 GitHub target owner response intake preflight checks、S4.10 GitHub target owner response templates、S4.11 refs truth owner response request packet、S4.11 refs truth owner response templates、S4.12 workflow / secret 名稱 owner response templates、S4.13 owner response validation rollup、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 +10. 
AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response request packet、S4.9 owner response template status ledger、S4.9 owner response audit event templates、S4.9 owner response redaction examples、S4.9 owner response display sections、S4.9 owner response collection checks、S4.9 owner response templates、S4.10 GitHub target owner response request packet、S4.10 GitHub target owner response template status ledger、S4.10 GitHub target owner response audit event templates、S4.10 GitHub target owner response redaction examples、S4.10 GitHub target owner response collection checks、S4.10 GitHub target owner response intake preflight checks、S4.10 GitHub target owner response templates、S4.11 refs truth owner response request packet、S4.11 refs truth owner response template status ledger、S4.11 refs truth owner response templates、S4.12 workflow / secret 名稱 owner response templates、S4.13 owner response validation rollup、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 diff --git a/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md b/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md index f7e35171..48b22e29 100644 --- a/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md +++ b/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md 
@@ -122,7 +122,7 @@ GitHub primary 可以作為長期方向,但目前還不能切換。 Repo-by-repo approval package 已建立,7 個 approval-required targets 皆為 `pending`。Approval scope 採低摩擦原則:只處理高風險執行邊界,不阻擋 read-only inventory、evidence mirror 與草案規劃。 -Ref truth classification 已建立,將 `awoooi`、`clawbot-v5`、`wooo-aiops` 的 141 個 refs 差異拆成 review lane。`main` / `dev` 屬真相來源判定,`drift/adopt-*` 先列 deprecated candidate,release / UAT tags 先列保留判定;S4.11 已補 owner response request packet 與收件包,5 個 templates、received / accepted response 皆為 0。不得把分類結果、request packet 或 response packet 直接執行成同步、刪除、force push 或 primary switch。 +Ref truth classification 已建立,將 `awoooi`、`clawbot-v5`、`wooo-aiops` 的 141 個 refs 差異拆成 review lane。`main` / `dev` 屬真相來源判定,`drift/adopt-*` 先列 deprecated candidate,release / UAT tags 先列保留判定;S4.11 已補 owner response request packet、template status ledger 與收件包,5 個 templates、received / accepted response 皆為 0。不得把分類結果、request packet、template status ledger 或 response packet 直接執行成同步、刪除、force push 或 primary switch。 Workflow / secret name owner response 已建立,S4.12 補 5 個 templates,對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;received / accepted response 皆為 0。不得把 response packet 當成 secret value collection、workflow modification、GitHub hosted runner enablement 或 primary approval。 
@@ -151,13 +151,13 @@ Owner response validation rollup 已建立,S4.13 彙整 S4.9 / S4.10 / S4.11 / 這三個 mapped repos 都不能直接視為 GitHub primary ready。 -Ref truth classification 補充:完整 review lane 見 `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md`,S4.11 owner response request packet / 收件包見 `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md`。目前分類結果是 4 個 `manual_truth_required`、114 個 `manual_review_deprecated_candidate`、3 個 `manual_review_release_tag`、20 個 `manual_review_github_only`。 +Ref truth classification 補充:完整 review lane 見 `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md`,S4.11 owner response request packet / template status ledger / 收件包見 `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md`。目前分類結果是 4 個 `manual_truth_required`、114 個 `manual_review_deprecated_candidate`、3 個 `manual_review_release_tag`、20 個 `manual_review_github_only`。 ## 5. 下一波建議 1. 先批准 Gitea read-only inventory package,再用只讀 token 或管理匯出補齊 Gitea server repo list。 2. 依 GitHub target repo-by-repo approval package 處理 7 個 approval-required target。 -3. 依 S4.11 ref truth owner response request packet / 收件包與 classification 釐清 `wooo/awoooi`、`wooo/clawbot-v5`、`wooo/wooo-aiops` 的雙端分歧來源;仍不得 push/delete refs。 +3. 依 S4.11 ref truth owner response request packet / template status ledger / 收件包與 classification 釐清 `wooo/awoooi`、`wooo/clawbot-v5`、`wooo/wooo-aiops` 的雙端分歧來源;仍不得 push/delete refs。 4. 依 S4.12 workflow / secret name owner response 收件包補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition;仍不得收 secret value、改 workflow 或啟用 hosted runner。 5. 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation;仍不得把 rollup 當 approval 或 execution authorization。 6. 釐清 `wooo/ewoooc`、`root/momo-pro-system`、`momo-pro-system`、`momo_pro_system` 的 canonical 關係。 
diff --git a/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md b/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md index 9a1e58e8..3ed4a611 100644 --- a/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md +++ b/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md @@ -66,7 +66,7 @@ S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runt |------|------|--------|--------| | S4.9 Gitea owner attestation | 5 個 response templates 尚未收到 | Owner 回覆 5 個 Gitea coverage attestation items,只引用脫敏 evidence refs | 不收 token value、不寫 Gitea、不 sync refs、不切 primary | | S4.10 GitHub target decision | 7 個 response templates 尚未收到 | Owner 依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 回覆 7 個 GitHub target 的 owner / visibility / canonical disposition | 不建 repo、不改 visibility、不 sync refs、不切 primary | -| S4.11 refs truth | 5 個 response templates 尚未收到 | Owner 依 S4.11 request packet 回覆 refs truth、deprecated drift、release tags 與 GitHub-only refs disposition | 不 fetch / push / delete refs、不 force push、不切 primary | +| S4.11 refs truth | 5 個 response templates 尚未收到 | Owner 依 S4.11 request packet 與 template status ledger 回覆 refs truth、deprecated drift、release tags 與 GitHub-only refs disposition | 不 fetch / push / delete refs、不 force push、不切 primary | | S4.12 workflow / secret name | 5 個 response templates 尚未收到 | Owner 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、secret name parity 的脫敏狀態 | 不收 secret value、不改 workflow、不啟用 runner、不切 primary | ## 2.2 建議收件順序 diff --git a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md index 3b15c913..fa09b6bd 100644 --- a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md +++ b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md 
@@ -38,7 +38,7 @@ | Gate | 目前狀態 | 說明 | |------|----------|------| | Gitea authenticated inventory | blocked | private/internal 全量 repo list 尚未完成;S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections 與 collection checks 已可顯示,但 S4.7 owner coverage attestation response 仍未收到,audit events emitted 仍為 0;S4.13 已集中顯示四包 owner response validation,但 total accepted response 仍為 0 | -| refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift;S4.11 已補 refs truth owner response request packet 與收件包,received / accepted response 皆為 0 | +| refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift;S4.11 已補 refs truth owner response request packet、template status ledger 與收件包,received / accepted response 皆為 0 | | workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;S4.12 已補 owner response 收件包,received / accepted response 皆為 0;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot | | owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,received / accepted response 皆為 0 | | rollback ADR | pending review | S4.4 已建立 rollback ADR 草案;7 個 in-scope repos 仍需 owner approval、dry-run 與 validation window | 
@@ -48,9 +48,9 @@
 1. 顯示每個 repo 的 readiness state、blockers 與 evidence refs。
 2. 顯示 `primary_ready_count=0`。
 3. 將 7 個 in-scope repos 維持在 approval / review lane。
-4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / owner response、S4.10 GitHub target owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.11 refs truth owner response request packet / owner response、S4.12 workflow / secret name owner response、S4.13 validation rollup、workflow/runner/secret name inventory、rollback ADR。
+4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / owner response、S4.10 GitHub target owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.11 refs truth owner response request packet / template status ledger / owner response、S4.12 workflow / secret name owner response、S4.13 validation rollup、workflow/runner/secret name inventory、rollback ADR。
 5. 連到 S4.10 `github_target_owner_decision_response_v1` 顯示 1 個 owner response request packet、7 個 owner response template statuses、3 個 owner response audit event templates、5 個 owner response redaction examples、6 個 owner response collection checks、6 個 intake preflight checks、7 個 owner decision response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。
-6. 連到 S4.11 `source_control_ref_truth_owner_response_v1` 顯示 1 個 owner response request packet、5 個 refs owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。
+6. 連到 S4.11 `source_control_ref_truth_owner_response_v1` 顯示 1 個 owner response request packet、5 個 template statuses、5 個 refs owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。
 7. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。
 8. 連到 S4.12 `source_control_workflow_secret_name_owner_response_v1` 顯示 5 個 owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。
 9. 連到 S4.13 `source_control_owner_response_validation_rollup_v1` 顯示四包 owner response validation 狀態:22 個 templates、10 個 cross-packet checks、received / accepted / rejected response 皆為 0。
@@ -71,6 +71,6 @@ S4.0 只是把「切換前一定要看見什麼」先定義清楚。 -S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、收件包、preflight 與 outcome lanes,S4.10 已補上 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.11 已補上 refs truth owner response request packet 與收件包,S4.12 已補上 workflow / secret 名稱 owner response 收件包,S4.13 已補上四包 owner response validation rollup;它們只是 scope decision、response 收件提示、metadata audit template、脫敏範例、只讀顯示順序與驗收框架,不是 audit production ingestion、migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval、secret value collection approval、workflow modification approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 +S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、收件包、preflight 與 outcome lanes,S4.10 已補上 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.11 已補上 refs truth owner response request packet、template status ledger 與收件包,S4.12 已補上 workflow / secret 名稱 owner response 收件包,S4.13 已補上四包 owner response validation rollup;它們只是 scope decision、response 收件提示、metadata audit template、脫敏範例、只讀顯示順序與驗收框架,不是 audit production ingestion、migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval、secret value collection approval、workflow modification approval 或 primary 
approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 這讓長期回到 GitHub 的方向可以繼續往前,但仍維持低摩擦:目前只 mirror、只顯示、只留痕,不執行。 diff --git a/docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md b/docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md index ed6c00ba..b7611f4d 100644 --- a/docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md +++ b/docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md @@ -14,7 +14,7 @@ 這份文件只是 refs reconcile 草案,不是同步腳本,也不授權任何 GitHub primary 切換。AwoooP 可以 mirror 成 approval candidate,但不得執行 board item 或呼叫任何 push / sync 工具。 -若已存在 `source_control_ref_truth_classification_v1`,請把它視為本 plan 的人工 review lane 補充:分類結果只協助 repo owner 判定,不授權同步或刪除。S4.11 已補 `source_control_ref_truth_owner_response_v1` request packet 與收件包;response 通過也只更新本 plan 的 draft wording,不代表 refs sync、delete、force push 或 primary approval。 +若已存在 `source_control_ref_truth_classification_v1`,請把它視為本 plan 的人工 review lane 補充:分類結果只協助 repo owner 判定,不授權同步或刪除。S4.11 已補 `source_control_ref_truth_owner_response_v1` request packet、template status ledger 與收件包;response 通過也只更新本 plan 的 draft wording,不代表 refs sync、delete、force push 或 primary approval。 ## 1. Repo 差異摘要 diff --git a/docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md b/docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md index 0dab1832..9ce6730f 100644 --- a/docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md +++ b/docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md @@ -12,7 +12,7 @@ ## 0. 核心結論 -本檔把 branch/tag diff 轉成「人工審核分類」:哪些 ref 需要真相來源判定、哪些可能是 deprecated 候選、哪些 release / UAT tags 需要保留判定。S4.11 已補 owner response request packet 與收件包,讓 AwoooP 可以提示 owner 並驗收 5 類 owner 回覆;它仍不是同步計畫,也不授權 fetch、push、delete refs 或 GitHub primary 切換。 +本檔把 branch/tag diff 轉成「人工審核分類」:哪些 ref 需要真相來源判定、哪些可能是 deprecated 候選、哪些 release / UAT tags 需要保留判定。S4.11 已補 owner response request packet、template status ledger 與收件包,讓 AwoooP 可以提示 owner、逐項顯示 waiting 並驗收 5 類 owner 回覆;它仍不是同步計畫,也不授權 fetch、push、delete refs 或 GitHub primary 切換。 ## 1. 摘要 
@@ -23,6 +23,7 @@
 | release tag 待審核 | `3` |
 | GitHub-only ref 待審核 | `20` |
 | S4.11 request packet | `1` |
+| S4.11 template status ledger | `5` |
 | S4.11 response templates | `5` |
 | S4.11 received / accepted / rejected | `0 / 0 / 0` |
 
@@ -122,7 +123,7 @@
 ## 3. AwoooP 消費方式
 
 1. 只 mirror `source_control_ref_truth_classification_v1`。
-2. 可顯示 review lane、owner decision queue、S4.11 owner response request packet 與 templates。
+2. 可顯示 review lane、owner decision queue、S4.11 owner response request packet、template status ledger 與 templates。
 3. 可產生單 repo / 單 ref approval candidate,但不得自動批准。
 4. 收到 owner response 後,只能依 S4.11 驗收 / 拒收 / 隔離並更新 read-only evidence。
 5. 不得新增 refs sync、delete、force-push、primary switch action。
diff --git a/docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md b/docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md
index 043cffe4..43682de7 100644
--- a/docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md
+++ b/docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md
@@ -31,6 +31,7 @@ S4.11 不是 refs sync approval、不是 delete approval、不是 force-push app
 | release tag 待審核 | 3 |
 | GitHub-only ref 待審核 | 20 |
 | owner response request packet | 1 |
+| template status ledger | 5 |
 | response templates | 5 |
 | 已收到 response | 0 |
 | 已接受 response | 0 |
@@ -59,6 +60,18 @@ S4.11 不是 refs sync approval、不是 delete approval、不是 force-push app
 
 Owner 回覆只能使用脫敏 metadata 或既有文件引用。不得貼 token、secret、private clone URL credential、git object pack、repo archive、API raw body、fetch/push/delete/force-push 指令或任何 execution request payload。
 
+## 1.2 Template Status Ledger
+
+| Template | 狀態 | request | received / accepted / rejected |
+|----------|------|---------|--------------------------------|
+| `response-main-branch-truth-source` | `waiting_owner_response` | `request_ready_not_sent` | `0 / 0 / 0` |
+| `response-active-dev-branch-truth-source` | `waiting_owner_response` | `request_ready_not_sent` | `0 / 0 / 0` |
+| `response-drift-deprecated-candidate-batch` | `waiting_owner_response` | `request_ready_not_sent` | `0 / 0 / 0` |
+| `response-release-tag-retention` | `waiting_owner_response` | `request_ready_not_sent` | `0 / 0 / 0` |
+| `response-github-only-ref-review` | `waiting_owner_response` | `request_ready_not_sent` | `0 / 0 / 0` |
+
+Template status ledger 只讓 AwoooP 逐項顯示哪一類 refs truth response 還在等待 owner。`request_ready_not_sent` 不代表 request 已送出,`waiting_owner_response` 不代表 owner 已回覆,任何單項狀態也不代表 refs sync、delete、force push、tag rewrite、backfill 或 GitHub primary approval。
+
 ## 2. Owner Response 必填欄位
 
 每筆 response 至少要能回答:
@@ -118,11 +131,12 @@ Owner 回覆只能使用脫敏 metadata 或既有文件引用。不得貼 token
 ## 7. AwoooP 可做
 
 1. 顯示 1 個 owner response request packet。
-2. 顯示 5 個 owner response templates。
-3. 顯示 8 個 acceptance checks 與 10 個 rejection rules。
-4. 在 owner response 到來後,只更新 read-only classification、draft reconcile plan、primary readiness blocker wording 與 status rollup。
-5. 將不完整或可疑 response 放進 mirror quarantine。
-6. 持續顯示 `received_response_count=0`、`accepted_response_count=0`,直到真的收到脫敏 response。
+2. 顯示 5 個 template statuses,逐項維持 `waiting_owner_response`。
+3. 顯示 5 個 owner response templates。
+4. 顯示 8 個 acceptance checks 與 10 個 rejection rules。
+5. 在 owner response 到來後,只更新 read-only classification、draft reconcile plan、primary readiness blocker wording 與 status rollup。
+6. 將不完整或可疑 response 放進 mirror quarantine。
+7. 持續顯示 `received_response_count=0`、`accepted_response_count=0`,直到真的收到脫敏 response。
 
 ## 8. AwoooP 不可做
 
diff --git a/docs/security/security-approval-gate.snapshot.json b/docs/security/security-approval-gate.snapshot.json
index 5059b1bf..ed280e10 100644
--- a/docs/security/security-approval-gate.snapshot.json
+++ b/docs/security/security-approval-gate.snapshot.json
@@ -180,7 +180,7 @@
 ],
 "decision_options": ["approve_scope", "reject", "defer", "request_more_evidence"],
 "allowed_after_approval": [
- "依 S4.11 request packet 驗收 owner response",
+ "依 S4.11 request packet / template status ledger 驗收 owner response",
 "標記單 ref 真相來源候選",
 "更新 source control reconcile plan",
 "產生人工 review checklist"
diff --git a/docs/security/security-approval-queue.snapshot.json b/docs/security/security-approval-queue.snapshot.json
index 7bb6289a..63acc2b8 100644
--- a/docs/security/security-approval-queue.snapshot.json
+++ b/docs/security/security-approval-queue.snapshot.json
@@ -183,7 +183,7 @@
 "docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md"
 ],
 "allowed_after_approval": [
- "依 S4.11 request packet 驗收 owner response",
+ "依 S4.11 request packet / template status ledger 驗收 owner response",
 "標記單 ref 真相來源候選",
 "更新 source control reconcile plan",
 "產生人工 review checklist"
diff --git a/docs/security/security-approval-review-packet.snapshot.json b/docs/security/security-approval-review-packet.snapshot.json
index d3a74855..b8f1b3e1 100644
--- a/docs/security/security-approval-review-packet.snapshot.json
+++ b/docs/security/security-approval-review-packet.snapshot.json
@@ -220,12 +220,12 @@
 ],
 "allowed_pre_decision_actions": [
 "顯示 141 個 refs review items",
- "顯示 S4.11 request packet、五個 owner response templates 與 received_response_count=0",
+ "顯示 S4.11 request packet、template status ledger、五個 owner response templates 與 received_response_count=0",
 "依 repo / branch / tag 分組給 owner 判定",
 "產生人工 review checklist"
 ],
 "allowed_after_decision_actions": [
- "若 approve_scope,只能依 S4.11 request packet 驗收後更新 truth classification 或 reconcile draft",
+ "若 approve_scope,只能依 S4.11 request packet / template status ledger 驗收後更新 truth classification 或 reconcile draft",
 "任何 refs sync/delete 仍需後續 runtime gate"
 ],
 "still_forbidden": [
diff --git a/docs/security/security-followup-runtime-gate.snapshot.json b/docs/security/security-followup-runtime-gate.snapshot.json
index b9416c1d..bde88328 100644
--- a/docs/security/security-followup-runtime-gate.snapshot.json
+++ b/docs/security/security-followup-runtime-gate.snapshot.json
@@ -205,7 +205,7 @@
 "applies_after_decision": "approve_scope",
 "minimum_required_evidence": [
 "單 repo / 單 ref owner 判定",
- "S4.11 request packet / owner response 驗收結果",
+ "S4.11 request packet / template status ledger / owner response 驗收結果",
 "真相來源與 deprecated refs 清單",
 "branch/tag diff 最新 snapshot",
 "不得 sync/delete 的確認"
@@ -216,7 +216,7 @@
 "human-owner"
 ],
 "preflight_checks": [
- "確認 owner response 已依 S4.11 request packet 驗收 / 拒收 / 隔離",
+ "確認 owner response 已依 S4.11 request packet / template status ledger 驗收 / 拒收 / 隔離",
 "確認分類結果不會自動執行",
 "確認 force push 禁用",
 "確認 release tags 需人工保留 / 棄用判定",
diff --git a/docs/security/security-mirror-dry-run.snapshot.json b/docs/security/security-mirror-dry-run.snapshot.json
index 252e3636..74cfc6bf 100644
--- a/docs/security/security-mirror-dry-run.snapshot.json
+++ b/docs/security/security-mirror-dry-run.snapshot.json
@@ -107,7 +107,7 @@ }, { "step_id": "CHECK_OWNER_RESPONSE_GUARD", - "expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_response,received / accepted 皆為 0,且 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / intake preflight / outcome lanes 只提示 owner,S4.10 owner response request packet 只提示 7 個 GitHub target 要回覆的 owner / visibility / canonical 欄位,S4.10 template status ledger 逐項顯示 waiting / request ready,S4.10 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.10 redaction examples 只顯示可接受的脫敏 metadata shape,S4.10 collection checks 只維持 request / received / accepted 分離,S4.10 intake preflight checks 只分類可收、補證、隔離或拒收,S4.11 request packet 只提示 5 類 refs truth owner response 欄位;不能把 request shown、response received metadata、preflight pass 或 outcome classified 當成 approval,不能解鎖 repo、refs、workflow、secret、runner、GitHub primary、audit production ingestion 或 runtime action。", + "expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_response,received / accepted 皆為 0,且 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / intake preflight / outcome lanes 只提示 owner,S4.10 owner response request packet 只提示 7 個 GitHub target 要回覆的 owner / visibility / canonical 欄位,S4.10 template status ledger 逐項顯示 waiting / request ready,S4.10 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.10 redaction examples 只顯示可接受的脫敏 metadata shape,S4.10 collection checks 只維持 request / received / accepted 分離,S4.10 intake preflight checks 只分類可收、補證、隔離或拒收,S4.11 request packet 只提示 5 類 refs truth owner response 欄位,S4.11 template status ledger 逐項顯示 waiting / request ready;不能把 request shown、response received metadata、preflight pass 或 outcome classified 當成 approval,不能解鎖 repo、refs、workflow、secret、runner、GitHub primary、audit production 
ingestion 或 runtime action。", "evidence_refs": [ "docs/security/source-control-owner-response-validation-rollup.snapshot.json", "docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md", diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json index 2815a3b9..f751e433 100644 --- a/docs/security/security-mirror-readiness.snapshot.json +++ b/docs/security/security-mirror-readiness.snapshot.json @@ -329,7 +329,7 @@ "docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md", "docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md" ], - "notes": "可 mirror draft reconcile plan 與 S4.11 owner response request packet / 收件包;response 通過前只更新草案 wording,不得 push refs。" + "notes": "可 mirror draft reconcile plan 與 S4.11 owner response request packet / template status ledger / 收件包;response 通過前只更新草案 wording,不得 push refs。" }, { "contract": "source_control_ref_detail_diff_v1", @@ -355,7 +355,7 @@ "docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md", "docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md" ], - "notes": "可 mirror refs truth classification、review lanes、S4.11 owner response request packet 與 templates;received_response_count=0,不得執行分類結果。" + "notes": "可 mirror refs truth classification、review lanes、S4.11 owner response request packet、template status ledger 與 templates;received_response_count=0,不得執行分類結果。" }, { "contract": "source_control_primary_readiness_gate_v1", diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index 78ad6580..af340b66 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json 
@@ -143,15 +143,15 @@ { "phase_id": "S4_migration_execution", "state": "not_started", - "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.11 已補 refs truth owner response request packet 與收件包;S4.12 已補 workflow / secret 名稱 owner response intake packet;S4.13 已補四包 owner response validation rollup,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,S4.9 audit events emitted 仍 0 筆,GitHub target / refs truth / workflow-secret response 仍 0 筆。", - "next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 request packet 收到並驗收 5 個 refs truth owner response templates、依 S4.12 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory 
payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。" + "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.11 已補 refs truth owner response request packet、5 個 template statuses 與收件包;S4.12 已補 workflow / secret 名稱 owner response intake packet;S4.13 已補四包 owner response validation rollup,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,S4.9 audit events emitted 仍 0 筆,GitHub target / refs truth / workflow-secret response 仍 0 筆。", + "next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 request packet 與 template status ledger 收到並驗收 5 個 refs truth owner response templates、依 S4.12 收到並驗收 5 個 workflow / secret 名稱 owner response 
templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。" } ], "progress_display_policy": { "headline_percent": 58, "headline_status": "holding_until_owner_response_or_runtime_gate", "why_headline_is_holding": [ - "最近完成的是 S4.10 owner response request / status / audit / redaction / collection checks / intake preflight 與 S4.11 request packet 的框架細節,改善可見性與收件安全,但 owner response received / accepted 仍為 0。", + "最近完成的是 S4.10 owner response request / status / audit / redaction / collection checks / intake preflight 與 S4.11 request packet / template status ledger 的框架細節,改善可見性與收件安全,但 owner response received / accepted 仍為 0。", "overall_percent 只在 owner response、redacted payload ingestion、active runtime gate、GitHub primary readiness 或 AwoooP production ingestion 這些高層 gate 有實質變化時調整。", "維持 58% 是為了避免把 read-only scaffold 誤算成 runtime enforcement、Kali scan、repo migration 或 GitHub primary cutover。" ], @@ -251,6 +251,18 @@ "runtime_delta": false, "execution_authorized": false, "not_authorization": true + }, + { + "delta_id": "s4_11_ref_truth_owner_response_template_status_ledger", + "display_order": 8, + "completed_stage": "S4.11 refs truth owner response template status ledger", + "progress_axis": "framework_detail", + "headline_percent_delta": 0, + "framework_delta_visible": true, + "why_headline_unchanged": "template status ledger 只逐項顯示 5 類 refs truth response 仍為 waiting_owner_response,received / accepted 皆為 0,不代表 refs sync/delete/force push 授權。", + "runtime_delta": false, + "execution_authorized": false, + "not_authorization": true } ], "next_safe_actions": [ diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json index b43165b6..75a3d2ec 100644 --- a/docs/security/security-supply-chain-contract-manifest.snapshot.json +++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json 
@@ -513,7 +513,7 @@
 "force_push",
 "switch_github_primary"
 ],
- "notes": "只針對 3 個 refs-blocked mapped repos 產生 draft plan;S4.11 request packet / owner response 通過前只能更新 draft wording,inventory gate 仍 blocked,不可執行。"
+ "notes": "只針對 3 個 refs-blocked mapped repos 產生 draft plan;S4.11 request packet / template status ledger / owner response 通過前只能更新 draft wording,inventory gate 仍 blocked,不可執行。"
 },
 {
 "contract": "source_control_ref_detail_diff_v1",
@@ -559,7 +559,7 @@
 "delete_refs",
 "switch_github_primary"
 ],
- "notes": "把 refs diff 分成 main/dev 真相來源、drift deprecated 候選、release tag 與 GitHub-only review lane;S4.11 只定義 1 個 owner response request packet、5 個 owner response templates、received_response_count=0,仍不授權 sync/delete/force push。"
+ "notes": "把 refs diff 分成 main/dev 真相來源、drift deprecated 候選、release tag 與 GitHub-only review lane;S4.11 只定義 1 個 owner response request packet、5 個 template statuses、5 個 owner response templates、received_response_count=0,仍不授權 sync/delete/force push。"
 },
 {
 "contract": "source_control_primary_readiness_gate_v1",
diff --git a/docs/security/source-control-owner-response-validation-rollup.snapshot.json b/docs/security/source-control-owner-response-validation-rollup.snapshot.json
index 9b856c8b..d75b4a88 100644
--- a/docs/security/source-control-owner-response-validation-rollup.snapshot.json
+++ b/docs/security/source-control-owner-response-validation-rollup.snapshot.json
@@ -110,7 +110,7 @@
 "source_contract": "source_control_ref_truth_owner_response_v1",
 "response_packet": "docs/security/source-control-ref-truth-owner-response.snapshot.json",
 "human_doc": "docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md",
- "scope_summary": "S4.11 request packet 加上 141 個 refs review items 的 main/dev truth、deprecated drift、release tag retention、GitHub-only refs disposition。",
+ "scope_summary": "S4.11 request packet、template status ledger,加上 141 個 refs review items 的 main/dev truth、deprecated drift、release tag retention、GitHub-only refs disposition。",
 "response_template_count": 5,
 "received_response_count": 0,
 "accepted_response_count": 0,
@@ -278,7 +278,7 @@
 },
 {
 "effect_id": "ref_truth_owner_response_accepted",
- "when_all_checks_pass": "S4.11 request packet 已顯示,5 個 lane response 全部接受,且 batch scope 可重現。",
+ "when_all_checks_pass": "S4.11 request packet 已顯示,template status ledger 已維持 request / received / accepted 分離,5 個 lane response 全部接受,且 batch scope 可重現。",
 "allowed_update": "只更新 ref truth classification disposition 與 draft reconcile plan wording。",
 "still_forbidden": [
 "fetch_refs",
@@ -349,7 +349,7 @@
 "received_response_count": 0,
 "accepted_response_count": 0,
 "current_status": "waiting_owner_response",
- "next_owner_action": "Owner 需依 S4.11 request packet 回覆 refs truth、deprecated drift、release tags 與 GitHub-only refs disposition。",
+ "next_owner_action": "Owner 需依 S4.11 request packet 與 template status ledger 回覆 refs truth、deprecated drift、release tags 與 GitHub-only refs disposition。",
 "awooop_display_mode": "observe_missing_response",
 "still_forbidden": [
 "fetch_refs",
diff --git a/docs/security/source-control-primary-readiness-gate.snapshot.json b/docs/security/source-control-primary-readiness-gate.snapshot.json
index 38abc099..f8873c0f 100644
--- a/docs/security/source-control-primary-readiness-gate.snapshot.json
+++ b/docs/security/source-control-primary-readiness-gate.snapshot.json
@@ -81,12 +81,12 @@
 "current_gap": [
 "3 個 mapped repos 仍有 refs drift",
 "141 個 refs review items 尚待人工判定",
- "S4.11 已建立 refs truth owner response request packet 與收件包,但目前 received_response_count=0、accepted_response_count=0",
+ "S4.11 已建立 refs truth owner response request packet、template status ledger 與收件包,但目前 received_response_count=0、accepted_response_count=0",
 "不得 push/delete/force push refs"
 ],
 "allowed_now": [
 "mirror ref truth classification",
- "mirror S4.11 owner response request packet、templates、acceptance checks 與 rejection rules",
+ "mirror S4.11 owner response request packet、template status ledger、templates、acceptance checks 與 rejection rules",
 "顯示 single-ref review lane",
 "更新 draft reconcile plan"
 ],
diff --git a/docs/security/source-control-ref-truth-owner-response.snapshot.json b/docs/security/source-control-ref-truth-owner-response.snapshot.json
index 1f3253b3..63038cd9 100644
--- a/docs/security/source-control-ref-truth-owner-response.snapshot.json
+++ b/docs/security/source-control-ref-truth-owner-response.snapshot.json
@@ -25,6 +25,7 @@
 "release_tag_review_count": 3,
 "github_only_review_count": 20,
 "owner_response_request_packet_count": 1,
+ "owner_response_template_status_count": 5,
 "response_template_count": 5,
 "received_response_count": 0,
 "accepted_response_count": 0,
@@ -125,6 +126,115 @@
 "不新增 AwoooP execution action button"
 ]
 },
+ "owner_response_template_statuses": [
+ {
+ "template_id": "response-main-branch-truth-source",
+ "lane": "main_truth_required",
+ "display_order": 1,
+ "collection_status": "waiting_owner_response",
+ "request_status": "request_ready_not_sent",
+ "received_response_count": 0,
+ "accepted_response_count": 0,
+ "rejected_response_count": 0,
+ "latest_outcome_lane": "keep_waiting_owner_response",
+ "next_owner_action": "Owner 需逐 repo 回覆 main branch truth source、deploy marker owner、production source owner 與 rollback point owner;不得把 request ready 當成 refs sync approval。",
+ "awooop_display_mode": "display_template_status_only",
+ "execution_authorized": false,
+ "not_approval": true,
+ "still_forbidden": [
+ "不 fetch refs",
+ "不 push refs",
+ "不 delete refs",
+ "不 force push",
+ "不切 GitHub primary"
+ ]
+ },
+ {
+ "template_id": "response-active-dev-branch-truth-source",
+ "lane": "active_branch_truth_required",
+ "display_order": 2,
+ "collection_status": "waiting_owner_response",
+ "request_status": "request_ready_not_sent",
+ "received_response_count": 0,
+ "accepted_response_count": 0,
+ "rejected_response_count": 0,
+ "latest_outcome_lane": "keep_waiting_owner_response",
+ "next_owner_action": "Owner 需回覆 `wooo/awoooi dev` 是否仍為 active workflow、legacy candidate 或需補 workflow owner;不得把 legacy candidate 當成 delete approval。",
+ "awooop_display_mode": "display_template_status_only",
+ "execution_authorized": false,
+ "not_approval": true,
+ "still_forbidden": [
+ "不 fetch refs",
+ "不 push refs",
+ "不 delete refs",
+ "不 force push",
+ "不 rewrite branch"
+ ]
+ },
+ {
+ "template_id": "response-drift-deprecated-candidate-batch",
+ "lane": "archive_or_deprecate_candidate",
+ "display_order": 3,
+ "collection_status": "waiting_owner_response",
+ "request_status": "request_ready_not_sent",
+ "received_response_count": 0,
+ "accepted_response_count": 0,
+ "rejected_response_count": 0,
+ "latest_outcome_lane": "keep_waiting_owner_response",
+ "next_owner_action": "Owner 需回覆 `drift/adopt-*` batch 的 deprecated、audit retention 或 split batch disposition;不得把 deprecated candidate 當成 prune/delete approval。",
+ "awooop_display_mode": "display_template_status_only",
+ "execution_authorized": false,
+ "not_approval": true,
+ "still_forbidden": [
+ "不 prune refs",
+ "不 delete refs",
+ "不 force push",
+ "不把 batch disposition 當執行批准"
+ ]
+ },
+ {
+ "template_id": "response-release-tag-retention",
+ "lane": "release_tag_missing_on_github",
+ "display_order": 4,
+ "collection_status": "waiting_owner_response",
+ "request_status": "request_ready_not_sent",
+ "received_response_count": 0,
+ "accepted_response_count": 0,
+ "rejected_response_count": 0,
+ "latest_outcome_lane": "keep_waiting_owner_response",
+ "next_owner_action": "Owner 需回覆 release tag retention、artifact owner 與 deploy marker owner;不得把 tag retention 當成 tag push、rewrite 或 delete approval。",
+ "awooop_display_mode": "display_template_status_only",
+ "execution_authorized": false,
+ "not_approval": true,
+ "still_forbidden": [
+ "不 push tag",
+ "不 rewrite tag",
+ "不 delete tag",
+ "不切 GitHub primary"
+ ]
+ },
+ {
+ "template_id": "response-github-only-ref-review",
+ "lane": "github_only_manual_review",
+ "display_order": 5,
+ "collection_status": "waiting_owner_response",
+ "request_status": "request_ready_not_sent",
+ "received_response_count": 0,
+ "accepted_response_count": 0,
+ "rejected_response_count": 0,
+ "latest_outcome_lane": "keep_waiting_owner_response",
+ "next_owner_action": "Owner 需回覆 GitHub-only branch / UAT tags 的保留、backfill candidate、legacy 或補證 owner;不得把 backfill candidate 當成 push approval。",
+ "awooop_display_mode": "display_template_status_only",
+ "execution_authorized": false,
+ "not_approval": true,
+ "still_forbidden": [
+ "不 push refs",
+ "不 delete GitHub-only refs",
+ "不 backfill refs",
+ "不切 GitHub primary"
+ ]
+ }
+ ],
 "response_templates": [
 {
 "template_id": "response-main-branch-truth-source",
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index 2de5cb79..34f890b6 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -89,6 +89,7 @@ def validate(root: Path) -> None:
 "s4_10_owner_response_collection_checks",
 "s4_10_owner_response_intake_preflight_checks",
 "s4_11_ref_truth_owner_response_request_packet",
+ "s4_11_ref_truth_owner_response_template_status_ledger",
 ]
 assert_equal(
 "progress_delta_ledger.delta_ids",
diff --git a/scripts/security/source-control-owner-response-guard.py b/scripts/security/source-control-owner-response-guard.py
index 961e1dc2..c129cc73 100755
--- a/scripts/security/source-control-owner-response-guard.py
+++ b/scripts/security/source-control-owner-response-guard.py
@@ -159,6 +159,13 @@ LANES = [
 "response-release-tag-retention",
 "response-github-only-ref-review",
 ],
+ "expected_template_statuses": [
+ "response-main-branch-truth-source",
+ "response-active-dev-branch-truth-source",
+ "response-drift-deprecated-candidate-batch",
+ "response-release-tag-retention",
+ "response-github-only-ref-review",
+ ],
 "false_flags": [
 "refs_sync_authorized",
 "refs_delete_authorized",
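Review bot: The new `expected_template_statuses` entry in the S4.11 `LANES` element is data only; the checks that would consume it (entry count, template id order against `display_order`, `collection_status`, the received / accepted / rejected counts, `execution_authorized=false`, `not_approval=true`) are not in this hunk, so presumably they already exist in a shared branch written for the earlier lanes that carry a template status ledger. Worth confirming that branch is keyed on the presence of this key rather than on a lane id, and that it also asserts the snapshot summary's `owner_response_template_status_count` equals the length of this list, so a ledger that is dropped from the snapshot cannot still pass on the five ids alone. A short comment above the key would tell the next reader what the order encodes, e.g. `# order must match display_order 1..5 of owner_response_template_statuses in the snapshot`. The `LANES` literal begins and ends outside the hunk.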