docs(security): add ref truth owner response intake [skip ci]
@@ -1,3 +1,40 @@
|
||||
## 2026-05-17 | 資安供應鏈 S4.11:Source Control Ref Truth Owner Response 收件包
|
||||
|
||||
**背景**:`source_control_ref_truth_classification_v1` 已把 `awoooi`、`clawbot-v5`、`wooo-aiops` 的 141 個 refs review items 拆成 main/dev truth、deprecated drift、release tag 與 GitHub-only refs review lane;但 owner 真正回覆時仍缺一份可填、可驗收、可拒收的 intake 格式。為了維持低摩擦,本輪不新增第 36 個主 contract、不新增第 9 個 approval item、不 fetch、不 push refs、不 delete refs、不 force push、不切 primary;只新增 S4.11 owner response 收件包。
|
||||
|
||||
**完成**:
|
||||
- 新增 `docs/schemas/source_control_ref_truth_owner_response_v1.schema.json`。
|
||||
- 新增 `docs/security/source-control-ref-truth-owner-response.snapshot.json` 與 `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md`。
|
||||
- 定義 5 個 response templates,對應 main branch truth、active dev branch、drift deprecated candidate batch、release tag retention 與 GitHub-only refs review。
|
||||
- 定義 8 個 acceptance checks 與 10 個 rejection rules,避免 owner response 夾帶 secret、fetch/push/delete/force-push/rewrite refs、repo creation、visibility change、Gitea disable/delete/archive 或 primary switch。
|
||||
- 更新 manifest、mirror readiness、status rollup、source-control ref truth classification、draft reconcile plan、primary readiness gate、approval queue / gate / review packet / follow-up gate、AwoooP checklist、handoff、migration inventory、migration matrix 與 progress,使 AwoooP 能只讀顯示 S4.11 response templates。
|
||||
|
||||
**仍未完成**:
|
||||
- 尚未收到任何 refs truth owner response。
|
||||
- 尚未接受任何 main/dev truth、deprecated drift、release tag 或 GitHub-only refs disposition。
|
||||
- 尚未完成 refs sync / delete / force-push runtime gate。
|
||||
- 尚未解開 GitHub primary readiness blocker。
|
||||
|
||||
**仍禁止**:
|
||||
- 不 fetch refs。
|
||||
- 不 push refs。
|
||||
- 不 delete refs。
|
||||
- 不 force push 或 rewrite branch/tag。
|
||||
- 不切 GitHub primary。
|
||||
- 不建立 GitHub repo 或修改 visibility。
|
||||
- 不停用、刪除、封存或降級 Gitea repo。
|
||||
- 不保存 token value、raw secret、cookie、session、private key、deploy key value 或未脫敏截圖。
|
||||
- 不把 S4.11 response packet 當成 refs sync、delete、force push 或 primary approval。
|
||||
|
||||
**驗證**:
|
||||
- JSON 全量 parse 通過:139 個 JSON files。
|
||||
- S4.11 assertion 通過:repo 3 個、ref review items 141 個、manual truth 4、deprecated candidates 114、release tag review 3、GitHub-only review 20。
|
||||
- Owner response assertion 通過:response templates 5 個、received / accepted / rejected response 皆為 0、acceptance checks 8 個、rejection rules 10 個。
|
||||
- Readiness assertion 通過:contract manifest 仍為 35 個主 contracts、mirror readiness 維持 32 ready / 2 partial / 1 contract-only / 0 blocked。
|
||||
- Approval lane assertion 通過:approval queue / review packets / follow-up runtime gate templates 維持 8 / 8 / 8,`active_runtime_gates=0`,`github_primary_ready_count=0`。
|
||||
- `git diff --check` 通過。
|
||||
- 敏感字串掃描確認本輪未保存 Kali SSH 密碼樣式、常見 token pattern、private key material 或 `GITEA_READONLY_TOKEN` value。
|
||||
|
||||
## 2026-05-17 | 資安供應鏈 S4.10:GitHub Target Owner Decision Response 收件包
|
||||
|
||||
**背景**:S1.1 / S1.2 已把 8 個 GitHub target 候選與 7 個 approval-required targets 文件化,S4.0 也已把 GitHub primary readiness gate 維持在 blocked;但 repo owner 真正回覆 owner / visibility / canonical 時,仍缺一份可填、可驗收、可拒收的 response intake 格式。為了維持低摩擦,本輪不新增第 36 個主 contract、不新增 approval item、不建立 GitHub repo、不改 visibility、不同步 refs、不切 primary;只新增 S4.10 owner response 收件包。
|
||||
|
||||
@@ -0,0 +1,214 @@
|
||||
{
|
||||
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
||||
"$id": "urn:awoooi:source-control-ref-truth-owner-response-v1",
|
||||
"title": "Source Control Ref Truth Owner Response 收件契約 v1",
|
||||
"description": "定義 owner 回覆 refs truth / deprecated / release tag / GitHub-only refs 判定時的收件欄位、驗收規則與拒收規則。此 schema 不授權 fetch、push refs、delete refs、force push、rewrite tag、切換 GitHub primary、建立 repo、修改 visibility 或保存 secret value。",
|
||||
"type": "object",
|
||||
"required": [
|
||||
"schema_version",
|
||||
"status",
|
||||
"date",
|
||||
"mode",
|
||||
"runtime_execution_authorized",
|
||||
"source_contract",
|
||||
"target_contract",
|
||||
"source_indexes",
|
||||
"summary",
|
||||
"response_templates",
|
||||
"acceptance_checks",
|
||||
"rejection_rules",
|
||||
"allowed_outputs",
|
||||
"forbidden_actions"
|
||||
],
|
||||
"properties": {
|
||||
"schema_version": {
|
||||
"const": "source_control_ref_truth_owner_response_v1"
|
||||
},
|
||||
"status": {
|
||||
"type": "string",
|
||||
"enum": ["draft_waiting_owner_response"]
|
||||
},
|
||||
"date": {
|
||||
"type": "string"
|
||||
},
|
||||
"mode": {
|
||||
"type": "string",
|
||||
"enum": ["owner_ref_truth_response_intake_only"]
|
||||
},
|
||||
"runtime_execution_authorized": {
|
||||
"type": "boolean",
|
||||
"const": false
|
||||
},
|
||||
"source_contract": {
|
||||
"type": "string",
|
||||
"const": "source_control_ref_truth_classification_v1"
|
||||
},
|
||||
"target_contract": {
|
||||
"type": "string",
|
||||
"const": "source_control_reconcile_plan_v1"
|
||||
},
|
||||
"source_indexes": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"summary": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"owner_response_status",
|
||||
"repo_count",
|
||||
"total_ref_review_item_count",
|
||||
"manual_truth_required_count",
|
||||
"deprecated_candidate_count",
|
||||
"release_tag_review_count",
|
||||
"github_only_review_count",
|
||||
"response_template_count",
|
||||
"received_response_count",
|
||||
"accepted_response_count",
|
||||
"rejected_response_count",
|
||||
"acceptance_check_count",
|
||||
"rejection_rule_count",
|
||||
"refs_sync_authorized",
|
||||
"refs_delete_authorized",
|
||||
"force_push_authorized",
|
||||
"github_primary_switch_authorized",
|
||||
"secret_value_collection_allowed",
|
||||
"action_buttons_allowed"
|
||||
],
|
||||
"properties": {
|
||||
"owner_response_status": {
|
||||
"type": "string",
|
||||
"enum": ["waiting_owner_response"]
|
||||
},
|
||||
"repo_count": {"type": "integer", "minimum": 0},
|
||||
"total_ref_review_item_count": {"type": "integer", "minimum": 0},
|
||||
"manual_truth_required_count": {"type": "integer", "minimum": 0},
|
||||
"deprecated_candidate_count": {"type": "integer", "minimum": 0},
|
||||
"release_tag_review_count": {"type": "integer", "minimum": 0},
|
||||
"github_only_review_count": {"type": "integer", "minimum": 0},
|
||||
"response_template_count": {"type": "integer", "minimum": 0},
|
||||
"received_response_count": {"type": "integer", "minimum": 0},
|
||||
"accepted_response_count": {"type": "integer", "minimum": 0},
|
||||
"rejected_response_count": {"type": "integer", "minimum": 0},
|
||||
"acceptance_check_count": {"type": "integer", "minimum": 0},
|
||||
"rejection_rule_count": {"type": "integer", "minimum": 0},
|
||||
"refs_sync_authorized": {"type": "boolean", "const": false},
|
||||
"refs_delete_authorized": {"type": "boolean", "const": false},
|
||||
"force_push_authorized": {"type": "boolean", "const": false},
|
||||
"github_primary_switch_authorized": {"type": "boolean", "const": false},
|
||||
"secret_value_collection_allowed": {"type": "boolean", "const": false},
|
||||
"action_buttons_allowed": {"type": "boolean", "const": false}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"response_templates": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"template_id",
|
||||
"lane",
|
||||
"affected_repos",
|
||||
"risk",
|
||||
"covered_item_count",
|
||||
"requested_owner_decision",
|
||||
"required_owner_fields",
|
||||
"acceptable_decisions",
|
||||
"minimum_evidence_refs",
|
||||
"acceptance_criteria",
|
||||
"rejection_conditions",
|
||||
"allowed_outputs",
|
||||
"execution_authorized"
|
||||
],
|
||||
"properties": {
|
||||
"template_id": {"type": "string"},
|
||||
"lane": {"type": "string"},
|
||||
"affected_repos": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"risk": {"type": "string"},
|
||||
"covered_item_count": {"type": "integer", "minimum": 0},
|
||||
"requested_owner_decision": {"type": "string"},
|
||||
"required_owner_fields": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"acceptable_decisions": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"minimum_evidence_refs": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"acceptance_criteria": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"rejection_conditions": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"allowed_outputs": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"execution_authorized": {
|
||||
"type": "boolean",
|
||||
"const": false
|
||||
}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"minItems": 1
|
||||
},
|
||||
"acceptance_checks": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"check_id",
|
||||
"title",
|
||||
"required",
|
||||
"pass_condition",
|
||||
"failure_lane",
|
||||
"execution_authorized"
|
||||
],
|
||||
"properties": {
|
||||
"check_id": {"type": "string"},
|
||||
"title": {"type": "string"},
|
||||
"required": {"type": "boolean"},
|
||||
"pass_condition": {"type": "string"},
|
||||
"failure_lane": {"type": "string"},
|
||||
"execution_authorized": {"type": "boolean", "const": false}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"minItems": 1
|
||||
},
|
||||
"rejection_rules": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"allowed_outputs": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"forbidden_actions": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
}
|
||||
},
|
||||
"additionalProperties": false
|
||||
}
|
||||
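Review bot: The new schema counts owner responses (`received_response_count`, `accepted_response_count`, `rejected_response_count` under `summary`) but defines no property that can hold a received response, and with `"additionalProperties": false` at the top level plus `status` and `owner_response_status` closed to their single waiting values, the first real owner response cannot be recorded in a snapshot that still validates without a schema revision. If that is intended for the intake-only phase, the top-level `description` should say so and name the contract that will carry accepted or rejected responses; otherwise an optional `responses` array using the same closed-object shape as `response_templates.items` is the missing piece. Two smaller constraints would also tighten the contract: `"date": {"type": "string", "format": "date"}` (or a `pattern`, since `format` is annotation-only unless the validator opts in), and `"uniqueItems": true` on `source_indexes`, `affected_repos`, `rejection_rules`, `allowed_outputs` and `forbidden_actions` so a duplicated entry cannot inflate the counts the commit asserts. `rejection_rules` are also bare strings while `acceptance_checks` items carry a `check_id`; giving each rule the same object shape (`rule_id`, `title`, `condition`) would let a rejection cite the rule it applied.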
@@ -50,9 +50,9 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
|
||||
| `github_target_decision_v1` | GitHub target 建立與可見性決策草案;S4.10 owner decision response 收件包 | Approval candidate、Migration target evidence | mirror-only | approval 前不得建立 repo、修改 visibility、同步 refs;S4.10 response 目前 0 筆,不代表執行批准 |
|
||||
| `github_target_repo_approval_package_v1` | GitHub target 逐 repo approval package;S4.10 response templates | Approval queue、Migration target evidence | mirror-only | 低摩擦,只 gate 高風險執行;response 通過也只更新 read-only evidence |
|
||||
| `source_control_approval_board_v1` | 逐 repo owner / visibility / canonical / refs 決策 board | Approval queue、PR reviewer handoff | approval-only | 只顯示決策隊列,不執行 board item |
|
||||
| `source_control_reconcile_plan_v1` | refs-blocked repo draft reconcile plan | Approval candidate、migration reviewer handoff | approval-only | 只顯示草案,不 push refs、不切 primary |
|
||||
| `source_control_reconcile_plan_v1` | refs-blocked repo draft reconcile plan | Approval candidate、migration reviewer handoff | approval-only | 只顯示草案;S4.11 response 通過前只更新 wording,不 push refs、不切 primary |
|
||||
| `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff,不 fetch、不 push、不刪 refs |
|
||||
| `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類與人工判定隊列,不執行 sync/delete |
|
||||
| `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類;S4.11 owner response 收件包 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類、5 個 response templates 與人工判定隊列,不執行 sync/delete/force push |
|
||||
| `source_control_primary_readiness_gate_v1` | GitHub primary readiness / parity gate | Source-control review、Operator Console、Audit | approval-only | 只顯示 primary blockers、parity gates、rollback ADR 缺口;目前 `primary_ready_count=0` |
|
||||
| `source_control_primary_rollback_adr_v1` | GitHub primary rollback ADR 草案與 validation window | Source-control review、Operator Console、Audit | approval-only | 只顯示 7 個 repo 的 rollback draft、owner review、validation window;不得執行 rollback 或切 primary |
|
||||
| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口、S4.2 local evidence 與 S4.3 redacted export request;目前 `inventory_complete_count=0`,不得保存 secret value |
|
||||
@@ -126,7 +126,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
|
||||
| `source_control_approval_board_v1.pending_approval_count>0` | `approve_required` | 顯示逐 repo 決策隊列,不執行 repo 建立、visibility 修改、refs sync |
|
||||
| `source_control_reconcile_plan_v1.status=draft_blocked` | `approve_required` | 只顯示 refs reconcile 草案與 gate,不執行 sync |
|
||||
| `source_control_ref_detail_diff_v1.status=draft_blocked` | `observe` | 顯示 branch/tag 明細 diff,支援人工 review |
|
||||
| `source_control_ref_truth_classification_v1.status=draft_blocked` | `approve_required` | 顯示 main/dev 真相來源、drift deprecated 候選、release / UAT tag review lane,不執行分類結果 |
|
||||
| `source_control_ref_truth_classification_v1.status=draft_blocked` | `approve_required` | 顯示 main/dev 真相來源、drift deprecated 候選、release / UAT tag review lane 與 S4.11 owner response templates;不執行分類結果 |
|
||||
| `local_repo_canonical_probe_v1.status=unrelated` | `approve_required` | 禁止自動合併,需人工 canonical 判定 |
|
||||
| `git_remote_refs_probe_v1.status=ok` | `observe` | 可作 source evidence,但仍需 GitHub target 與 approval |
|
||||
| `security_rollout_policy_v1.enforcement_level=mirror_only` | `observe` | 只顯示 policy,不阻擋既有流程 |
|
||||
@@ -176,6 +176,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
|
||||
| Source Control draft reconcile plan | `docs/security/source-control-reconcile-plan.snapshot.json` / `docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md` |
|
||||
| Source Control branch/tag detail diff | `docs/security/source-control-ref-detail-diff.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md` |
|
||||
| Source Control ref truth classification | `docs/security/source-control-ref-truth-classification.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` |
|
||||
| Source Control ref truth owner response 收件包 | `docs/security/source-control-ref-truth-owner-response.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` |
|
||||
| Source Control GitHub primary readiness gate | `docs/security/source-control-primary-readiness-gate.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` |
|
||||
| Source Control GitHub primary rollback ADR | `docs/security/source-control-primary-rollback-adr.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md` |
|
||||
| Source Control workflow / secret name inventory | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` |
|
||||
@@ -211,5 +212,6 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
|
||||
1. AwoooP 主線先把本清單視為契約消費檢查清單。
|
||||
2. Security Supply Chain Session 補齊 Gitea 全量 repo inventory 的只讀 token 或管理匯出來源。
|
||||
3. Security Supply Chain Session 依 S4.10 收到並驗收 7 個 GitHub target owner / visibility / canonical response。
|
||||
4. AwoooP 只建立 mirror/read-only policy 入口,不新增 execution action。
|
||||
5. 任一方要把事件升級成實際執行,都必須先產出 `approval_required_event_v1`,並在 `security_approval_queue_v1` 中維持 `blocked_until_approved=true` 直到人工決策完成。
|
||||
4. Security Supply Chain Session 依 S4.11 收到並驗收 5 個 refs truth owner response templates;response 通過也只更新 read-only classification / reconcile / readiness wording。
|
||||
5. AwoooP 只建立 mirror/read-only policy 入口,不新增 execution action。
|
||||
6. 任一方要把事件升級成實際執行,都必須先產出 `approval_required_event_v1`,並在 `security_approval_queue_v1` 中維持 `blocked_until_approved=true` 直到人工決策完成。
|
||||
|
||||
@@ -191,7 +191,7 @@ Schema:`docs/schemas/security_followup_runtime_gate_v1.schema.json`
|
||||
|
||||
Snapshot:`docs/security/security-followup-runtime-gate.snapshot.json`
|
||||
|
||||
目前 templates:8 筆,對應 redacted finding ingestion、safe web crawl、Gitea owner attestation + read-only inventory、GitHub target decisions、ref truth review、credentialed scan、Kali full-upgrade/reboot 與 Kali `/execute` block candidate。Gitea follow-up template 必須先檢查 S4.7 owner scope decision;`active_runtime_gates=0`、`approved_scope_count=0`、`runtime_actions_authorized=false`。
|
||||
目前 templates:8 筆,對應 redacted finding ingestion、safe web crawl、Gitea owner attestation + read-only inventory、GitHub target decisions、ref truth review、credentialed scan、Kali full-upgrade/reboot 與 Kali `/execute` block candidate。Gitea follow-up template 必須先檢查 S4.7 owner scope decision;ref truth follow-up template 必須先檢查 S4.11 owner response 驗收結果;`active_runtime_gates=0`、`approved_scope_count=0`、`runtime_actions_authorized=false`。
|
||||
|
||||
AwoooP 初期處理方式:只顯示準備條件與禁止事項,不新增 action button,不啟用 runtime gate,不執行 scan、repo、refs、deploy、secret、RBAC、NetworkPolicy 或 firewall 類動作。
|
||||
|
||||
@@ -207,6 +207,18 @@ Snapshot:`docs/security/source-control-primary-readiness-gate.snapshot.json`
|
||||
|
||||
AwoooP 初期處理方式:只顯示 blockers、evidence refs 與 required review,不建立 GitHub repo、不修改 visibility、不 sync refs、不切 primary、不停用 Gitea。
|
||||
|
||||
### `source_control_ref_truth_owner_response_v1`
|
||||
|
||||
用途:定義 S4.11 refs truth owner response 收件包,讓 AwoooP 在處理 `source_control_ref_truth_classification_v1` 前,先看到 main/dev truth、deprecated drift、release tag 與 GitHub-only refs 的 response 欄位、可接受決策、驗收規則與拒收規則。
|
||||
|
||||
Schema:`docs/schemas/source_control_ref_truth_owner_response_v1.schema.json`
|
||||
|
||||
Snapshot:`docs/security/source-control-ref-truth-owner-response.snapshot.json`
|
||||
|
||||
目前 response packet:5 個 response templates、8 個 acceptance checks、10 個 rejection rules;`received_response_count=0`、`accepted_response_count=0`、`rejected_response_count=0`。所有 refs sync / delete / force push / primary switch 動作都必須維持 disabled。
|
||||
|
||||
AwoooP 初期處理方式:只顯示 response templates、rejection rules 與 owner 補證缺口;收到 response 後只更新 read-only classification、draft reconcile plan 與 readiness blocker wording,不 fetch、不 push、不 delete refs、不 rewrite branch/tag、不切 GitHub primary。
|
||||
|
||||
### `source_control_primary_rollback_adr_v1`
|
||||
|
||||
用途:定義 S4.4 GitHub primary rollback ADR 草案,讓 AwoooP 在任何 primary cutover 前能顯示 rollback owner、validation window、rollback triggers 與逐 repo owner review。
|
||||
@@ -793,6 +805,8 @@ Console 初期不提供高風險執行按鈕。
|
||||
|
||||
2026-05-13 ref truth classification 追加:已新增 `scripts/security/source-control-ref-truth-classification.py`、`docs/schemas/source_control_ref_truth_classification_v1.schema.json`,並產出 `docs/security/source-control-ref-truth-classification.snapshot.json` 與 `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md`。目前 141 個 refs review items 已拆成 4 個 `manual_truth_required`、114 個 `manual_review_deprecated_candidate`、3 個 `manual_review_release_tag`、20 個 `manual_review_github_only`。AwoooP 可建立 repo owner review queue,但不得把分類結果直接執行成 refs sync、delete、force push 或 GitHub primary switch。
|
||||
|
||||
2026-05-17 S4.11 ref truth owner response 追加:已新增 `docs/schemas/source_control_ref_truth_owner_response_v1.schema.json`、`docs/security/source-control-ref-truth-owner-response.snapshot.json` 與 `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md`。目前 5 個 response templates 對應 main/dev truth、deprecated drift、release tag retention 與 GitHub-only refs review;received / accepted response 皆為 0。AwoooP 可 mirror 成 owner response intake queue,但不得把 response packet 當成 refs sync、delete、force push 或 GitHub primary approval。
|
||||
|
||||
2026-05-12 public search / canonical 追加:Gitea public search 在未提供 token 時可見 `wooo/awoooi`、`wooo/ewoooc`。已新增 `docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md`,其中 `wooo/ewoooc`、`root/momo-pro-system`、`momo-pro-system`、`momo_pro_system` 仍需人工判定 canonical 關係,不得自動合併。
|
||||
|
||||
2026-05-12 GitHub target probe 追加:已新增 `scripts/security/github-target-probe.py`、`docs/schemas/github_target_probe_v1.schema.json` 與 `docs/security/github-target-probe.snapshot.json`。8 個候選中 5 個可讀,`owenhytsai/ewoooc`、`owenhytsai/bitan-pharmacy`、`owenhytsai/tsenyang-website` 為 `not_found_or_private`。
|
||||
@@ -919,6 +933,8 @@ Console 初期不提供高風險執行按鈕。
|
||||
- [security_approval_decision_record_v1 snapshot](/Users/ogt/awoooi/docs/security/security-approval-decision-record.snapshot.json)
|
||||
- [Source Control ref truth classification](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md)
|
||||
- [source_control_ref_truth_classification_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-ref-truth-classification.snapshot.json)
|
||||
- [Source Control ref truth owner response](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md)
|
||||
- [source_control_ref_truth_owner_response_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-ref-truth-owner-response.snapshot.json)
|
||||
- [Source Control GitHub primary rollback ADR](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md)
|
||||
- [source_control_primary_rollback_adr_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-primary-rollback-adr.snapshot.json)
|
||||
- [Source Control workflow / secret name inventory](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md)
|
||||
@@ -962,6 +978,7 @@ Console 初期不提供高風險執行按鈕。
|
||||
- [security_approval_gate_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_gate_v1.schema.json)
|
||||
- [security_approval_decision_record_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_decision_record_v1.schema.json)
|
||||
- [source_control_ref_truth_classification_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_classification_v1.schema.json)
|
||||
- [source_control_ref_truth_owner_response_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_owner_response_v1.schema.json)
|
||||
- [source_control_primary_rollback_adr_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_primary_rollback_adr_v1.schema.json)
|
||||
- [source_control_workflow_secret_name_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json)
|
||||
- [source_control_workflow_secret_name_local_evidence_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json)
|
||||
|
||||
@@ -26,6 +26,7 @@
|
||||
| Source Control draft reconcile plan | `docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md` / `docs/security/source-control-reconcile-plan.snapshot.json` |
|
||||
| Source Control branch/tag detail diff | `docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md` / `docs/security/source-control-ref-detail-diff.snapshot.json` |
|
||||
| Source Control ref truth classification | `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` / `docs/security/source-control-ref-truth-classification.snapshot.json` |
|
||||
| Source Control ref truth owner response | `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` / `docs/security/source-control-ref-truth-owner-response.snapshot.json` |
|
||||
| Source Control 遷移矩陣 | `docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md` |
|
||||
| Canonical repo 判定表 | `docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md` |
|
||||
|
||||
@@ -48,7 +49,7 @@
|
||||
- `wooo-infra-config` 的 GitHub remote 與本機 `main` 對齊;110 internal remote 目前 read-only probe 不可讀,需判斷是否為舊 remote、mirror 或權限問題。
|
||||
- GitHub target 決策表已建立,8 個候選中 7 個需人工批准;其中 `ewoooc`、`bitan-pharmacy`、`tsenyang-website` 在 target visibility / owner 決策前不得自動建立或同步。
|
||||
- GitHub target repo-by-repo approval package 已建立,7 個 approval-required targets 拆成 refs reconcile、target 建立 / 授權、internal remote 用途確認三條路徑;此 package 採低摩擦原則,只 gate 高風險執行,不阻擋 read-only evidence。
|
||||
- Source Control ref truth classification 已建立,141 個 refs review items 已拆成 4 個真相來源判定、114 個 drift deprecated 候選、3 個 release tag review、20 個 GitHub-only refs review;這是人工判定隊列,不是同步批准。
|
||||
- Source Control ref truth classification 已建立,141 個 refs review items 已拆成 4 個真相來源判定、114 個 drift deprecated 候選、3 個 release tag review、20 個 GitHub-only refs review;S4.11 已補 5 個 owner response templates,received / accepted response 皆為 0。這是人工判定隊列與收件框架,不是同步批准。
|
||||
- 本機可見 Git working tree 輔助盤點已找到 13 個 repo,其中去重後 Gitea repo 4 個、GitHub repo 5 個、110 內部 repo 4 個;此結果可用來補遷移矩陣,但不能取代 Gitea server 全量清單。
|
||||
|
||||
因此後續必須先完成「repo/branch/tag/workflow/webhook/permission/secrets 名稱」全量 inventory,再逐步 mirror 與驗證。
|
||||
|
||||
@@ -39,7 +39,7 @@ S3.1 開始,實際人工決策紀錄由 `security_approval_decision_record_v1`
|
||||
| 2 | Safe web crawl | 只批准低噪音 scope 定義 |
|
||||
| 3 | Gitea owner attestation + read-only inventory | 先依 S4.9 驗收 S4.7 owner response,再只批准只讀 inventory 或 redacted admin export |
|
||||
| 4 | GitHub target decisions | 只批准逐 repo S4.10 response 驗收與決策草案 |
|
||||
| 5 | Ref truth review | 只批准人工分類與 reconcile 草案 |
|
||||
| 5 | Ref truth review | 只批准 S4.11 owner response 驗收、人工分類與 reconcile 草案 |
|
||||
| 6 | Credentialed scan | 只允許人工 exception 設計,仍需 runtime gate |
|
||||
| 7 | Kali full-upgrade / reboot | 只允許維護窗口與 rollback 規劃 |
|
||||
| 8 | Kali `/execute` | 預設維持 block candidate |
|
||||
|
||||
@@ -36,7 +36,7 @@ S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1
|
||||
| 2 | `kali-safe-web-crawl-approval-20260513` | TLS/header/basic crawl 屬低噪音,但仍需批准 scope |
|
||||
| 3 | `gitea-private-internal-server-side-inventory-2026-05-12` | 先依 S4.9 收到並驗收 S4.7 owner coverage attestation response,再審 Gitea 全量版本轉 GitHub 的只讀 inventory gate |
|
||||
| 4 | `source-control-target-repo-approval-bundle-20260513` | 先依 S4.10 驗收逐 repo owner / visibility / canonical response |
|
||||
| 5 | `source-control-ref-truth-review-bundle-20260513` | refs truth / deprecated / release tag review |
|
||||
| 5 | `source-control-ref-truth-review-bundle-20260513` | 先依 S4.11 驗收 refs truth owner response,再看 deprecated / release tag review |
|
||||
| 6 | `kali-credentialed-scan-approval-20260513` | 需要憑證,風險較高 |
|
||||
| 7 | `kali-full-upgrade-reboot-approval-20260513` | 需要維護窗口、snapshot、rollback 與 post-check |
|
||||
| 8 | `kali-execute-endpoint-approval-20260513` | CRITICAL,預設 block candidate,不應接入 runtime |
|
||||
|
||||
@@ -40,7 +40,7 @@ S3.4 開始,等待 runtime gate 時要看哪些前置條件,由 `security_fo
|
||||
| 2 | Safe web crawl | `low_noise_scan_scope_review` | 只審低噪音 scope 定義 |
|
||||
| 3 | Gitea owner attestation + read-only inventory | `read_only_inventory_review` | 先依 S4.9 審 S4.7 owner response,再審只讀 token 或 redacted export |
|
||||
| 4 | GitHub target decisions | `design_or_draft_review` | 先審 S4.10 owner response,再審 owner / visibility / canonical 草案 |
|
||||
| 5 | Ref truth review | `design_or_draft_review` | 只審人工分類與 reconcile 草案 |
|
||||
| 5 | Ref truth review | `design_or_draft_review` | 先審 S4.11 owner response 驗收,再審人工分類與 reconcile 草案 |
|
||||
| 6 | Credentialed scan | `manual_exception_review` | 只審 exception 設計 |
|
||||
| 7 | Kali full-upgrade / reboot | `manual_exception_review` | 只審維護窗口與 rollback 計畫 |
|
||||
| 8 | Kali `/execute` | `blocked_by_default_review` | 預設維持 block candidate |
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
| Safe web crawl scope | MEDIUM | 只準備 TLS/header/basic crawl 的低噪音 scope |
|
||||
| Gitea owner attestation + read-only inventory | MEDIUM | 先依 S4.9 驗收 S4.7 owner response,再準備 read-only token 或 redacted export inventory |
|
||||
| GitHub target decision | HIGH | 只準備 S4.10 owner response 驗收、owner / visibility / canonical / workflow parity 決策 |
|
||||
| Ref truth review | HIGH | 只準備 refs truth / deprecated / release tag 人工判定 |
|
||||
| Ref truth review | HIGH | 只準備 S4.11 owner response 驗收、refs truth / deprecated / release tag 人工判定 |
|
||||
| Credentialed scan exception | HIGH | 只準備人工 exception、credential lifecycle 與停用方式 |
|
||||
| Kali full-upgrade / reboot | HIGH | 只準備維護窗口、snapshot、rollback 與 post-health |
|
||||
| Kali `/execute` exception | CRITICAL | 預設 blocked,只準備 disable / allowlist / audit 設計 |
|
||||
|
||||
@@ -89,4 +89,6 @@ AwoooP 可以將 ready / partial contracts mirror 到:
|
||||
|
||||
GitHub target 決策面需同時 mirror S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` 與 `github-target-owner-decision-response.snapshot.json`,只顯示 7 個 owner decision response templates、received / accepted response 皆為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 response packet 當成 repo creation、visibility change、refs sync 或 GitHub primary approval。
|
||||
|
||||
Ref truth 決策面需同時 mirror S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` 與 `source-control-ref-truth-owner-response.snapshot.json`,只顯示 5 個 owner response templates、received / accepted response 皆為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 response packet 當成 refs sync、delete、force push 或 GitHub primary approval。
|
||||
|
||||
整個 S2 不新增 execution router、不新增執行按鈕、不新增 runtime blocker。
|
||||
|
||||
@@ -27,7 +27,7 @@
|
||||
| Review packets | S3.2 已建立;8 packets、7 ready for human review、1 block candidate |
|
||||
| State transitions | S3.3 已建立;5 個 decision options 都有 next state,且都不授權執行 |
|
||||
| Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates |
|
||||
| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response 收件包,7 個 response templates、owner response 0 筆 |
|
||||
| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response 收件包,7 個 response templates、owner response 0 筆;S4.11 已補 refs truth owner response 收件包,5 個 response templates、owner response 0 筆 |
|
||||
| GitHub primary rollback ADR | S4.4 已建立;7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover |
|
||||
| Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;S4.7 已補 owner coverage attestation;S4.8 已把既有 Gitea queue/gate/review packet/follow-up gate 對齊 attestation 先行;S4.9 已補 owner response 收件包;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、owner response 0 筆、敏感 payload 必須隔離、允許收集 token value=false |
|
||||
| Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;0 個 inventory complete、禁止收集 secret value、禁止 write token |
|
||||
@@ -62,8 +62,9 @@
|
||||
3. Gitea private/internal read-only inventory:先依 S4.9 收到並驗收 S4.7 owner coverage attestation response,且 S4.8 已把這個先行條件接到既有 approval queue / gate / review packet / follow-up runtime gate;再依 S4.5 認證匯出請求補全量清冊;收到脫敏 payload 後先依 S4.6 驗收 / 拒收 / 隔離;目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆,不保存 token value。
|
||||
4. GitHub target / owner / visibility / canonical:先依 S4.10 收到並驗收 7 個 owner decision response templates;received / accepted response 目前皆為 0,不得把 response packet 當成 repo creation、visibility change、refs sync 或 primary approval。
|
||||
5. Kali `/execute` 維持 block candidate。
|
||||
6. GitHub primary readiness blockers 與 rollback ADR 缺口。
|
||||
7. S4.4 GitHub primary rollback ADR 草案:先顯示 7 個 repo 的 rollback owner、validation window 與 triggers,owner approval 前不可執行。
|
||||
8. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence,再依 S4.3 redacted export request 補 webhook / runner / deploy key / branch protection / repository secret parity;只保存名稱與 owner,不保存 value,不使用 write token。
|
||||
6. Refs truth owner response:先依 S4.11 顯示 main/dev truth、deprecated drift、release tag、GitHub-only refs 的 5 個 response templates;received / accepted response 目前皆為 0,不得把 response packet 當成 refs sync、delete、force push 或 primary approval。
|
||||
7. GitHub primary readiness blockers 與 rollback ADR 缺口。
|
||||
8. S4.4 GitHub primary rollback ADR 草案:先顯示 7 個 repo 的 rollback owner、validation window 與 triggers,owner approval 前不可執行。
|
||||
9. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence,再依 S4.3 redacted export request 補 webhook / runner / deploy key / branch protection / repository secret parity;只保存名稱與 owner,不保存 value,不使用 write token。
|
||||
|
||||
任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence,不得由本 rollup 自動觸發。
|
||||
|
||||
@@ -45,9 +45,9 @@
|
||||
| `github_target_decision_v1` | mirror-only | GitHub target 決策;S4.10 已補 owner decision response 收件包 | `github-target-decision.snapshot.json` / `github-target-owner-decision-response.snapshot.json` |
|
||||
| `github_target_repo_approval_package_v1` | approval-only | 逐 repo approval queue draft;S4.10 response 通過前不得視為 repo / visibility / refs 批准 | `github-target-repo-approval-package.snapshot.json` / `github-target-owner-decision-response.snapshot.json` |
|
||||
| `source_control_approval_board_v1` | approval-only | 逐 repo owner / visibility / canonical / refs 決策 board | `source-control-approval-board.snapshot.json` |
|
||||
| `source_control_reconcile_plan_v1` | approval-only | refs-blocked repo 的 draft reconcile plan | `source-control-reconcile-plan.snapshot.json` |
|
||||
| `source_control_reconcile_plan_v1` | approval-only | refs-blocked repo 的 draft reconcile plan;S4.11 response 通過前只更新草案 wording | `source-control-reconcile-plan.snapshot.json` / `source-control-ref-truth-owner-response.snapshot.json` |
|
||||
| `source_control_ref_detail_diff_v1` | mirror-only | refs-blocked repo 的 branch/tag 明細 diff | `source-control-ref-detail-diff.snapshot.json` |
|
||||
| `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類 | `source-control-ref-truth-classification.snapshot.json` |
|
||||
| `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類;S4.11 已補 owner response 收件包,5 templates、received 0 | `source-control-ref-truth-classification.snapshot.json` / `source-control-ref-truth-owner-response.snapshot.json` |
|
||||
| `source_control_primary_readiness_gate_v1` | approval-only | GitHub primary readiness / parity gate | `source-control-primary-readiness-gate.snapshot.json` |
|
||||
| `source_control_primary_rollback_adr_v1` | approval-only | GitHub primary rollback ADR 草案與 validation window | `source-control-primary-rollback-adr.snapshot.json` |
|
||||
| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.2 已補 local evidence,S4.3 已補 redacted export request | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` / `source-control-workflow-secret-name-export-request.snapshot.json` |
|
||||
@@ -60,6 +60,7 @@
|
||||
1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`。
|
||||
2. 再讀本 manifest,取得可消費 contract 與禁止動作。
|
||||
3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。
|
||||
4. 讀到 `source-control-ref-truth-owner-response.snapshot.json` 時,只顯示 S4.11 response templates、acceptance checks 與 rejection rules;不得新增 refs action。
|
||||
4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`github_target_decision_v1` 只能顯示 S4.10 owner decision response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 repo creation、visibility change、refs sync 或 primary switch;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response 收件包與覆蓋缺口,不得觸發 token collection 或 Gitea write。
|
||||
5. 不新增執行按鈕,不做 runtime enforcement。
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
|------|------|
|
||||
| 日期 | 2026-05-17 |
|
||||
| 狀態 | S0/S1 read-only evidence 建置中 |
|
||||
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
|
||||
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
|
||||
| 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
|
||||
|
||||
## 0. 本階段完成後整體進度
|
||||
@@ -18,7 +18,7 @@
|
||||
| S1.2 GitHub target 逐 repo approval | 完成草案 | 7 個 approval-required targets 已拆成逐 repo pending package,並彙整成 8-item approval board;S4.10 目前 response 0 筆 | 低摩擦逐項批准 |
|
||||
| S1.2a refs reconcile plan | 完成草案 | `awoooi`、`clawbot-v5`、`wooo-aiops` 已產生 draft plan;狀態仍為 `draft_blocked` | authenticated inventory + branch/tag diff + single-repo approval |
|
||||
| S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff;已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs |
|
||||
| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 |
|
||||
| S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs;S4.11 已補 owner response 收件包 | repo owner 單 ref / 單 repo 判定 |
|
||||
| S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 |
|
||||
| S1.4 契約索引 | 完成草案 | 35 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry |
|
||||
| S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate |
|
||||
@@ -38,7 +38,7 @@
|
||||
| S3.2 人工審查封包契約 | 完成草案 | `security_approval_review_packet_v1` 已建立;8 個 review packets、7 ready for human review、1 block candidate、0 個 runtime action 授權 | AwoooP 可顯示 review lane,不可把 packet 當批准或執行 |
|
||||
| S3.3 人工決策狀態轉移契約 | 完成草案 | `security_approval_state_transition_v1` 已建立;5 個 decision options 都有 next state、0 個 runtime action 授權 | AwoooP 可顯示決策後狀態,不可把 transition 當執行 |
|
||||
| S3.4 後續 runtime gate 準備契約 | 完成草案 | `security_followup_runtime_gate_v1` 已建立;8 個 gate templates、0 個 active runtime gates、0 個 approved scope | AwoooP 可顯示前置 evidence、preflight checks 與 rollback / disable requirement,不可啟用 runtime gate |
|
||||
| S4.0 GitHub primary readiness gate | 完成草案 | `source_control_primary_readiness_gate_v1` 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 target owner response gate | AwoooP 可顯示 parity、owner、rollback ADR 缺口,不可切 primary |
|
||||
| S4.0 GitHub primary readiness gate | 完成草案 | `source_control_primary_readiness_gate_v1` 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 target owner response gate;S4.11 已補 refs truth owner response gate | AwoooP 可顯示 parity、owner、rollback ADR 缺口,不可切 primary |
|
||||
| S4.1 Workflow / Secret 名稱 inventory 契約 | 完成草案 | `source_control_workflow_secret_name_inventory_v1` 已建立;8 個 candidate repos、7 個 in-scope repos 尚缺實際 inventory、0 個 complete、禁止收集 secret value | AwoooP 可顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱缺口,不可修改 workflow 或 secret |
|
||||
| S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot;7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence;仍不可切 primary |
|
||||
| S4.3 Workflow / Secret 名稱 redacted export request | 完成草案 | 已建立 export request schema / snapshot / 人讀版;7 個 in-scope repos、5 類 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;write token allowed=false | repo owner 或未來只讀 API 依 request 補 redacted export;仍不可收 secret value、不可修改 GitHub/Gitea |
|
||||
@@ -49,6 +49,7 @@
|
||||
| S4.8 Gitea Owner Attestation Approval Lane 對齊 | 完成草案 | 已將既有 Gitea approval queue / gate / review packet / follow-up runtime gate 對齊 S4.7 先行條件;queue items 維持 8、review packets 維持 8、active runtime gates 維持 0 | AwoooP 先顯示 5 個 attestation items,owner decision 接受前不得執行 read-only inventory 或標記 complete |
|
||||
| S4.9 Gitea Owner Attestation Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;5 個 response templates、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依模板回覆 S4.7 五個 items;response 通過只更新 read-only matrix / decision table / readiness gate,不代表 inventory 執行或 primary approval |
|
||||
| S4.10 GitHub Target Owner Decision Response 收件包 | 完成草案 | 已建立 owner decision response schema / snapshot / 人讀版;7 個 response templates、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依模板回覆 7 個 GitHub target 的 owner / visibility / canonical;response 通過只更新 read-only decision table / approval package / approval board / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval |
|
||||
| S4.11 Source Control Ref Truth Owner Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;5 個 response templates、8 個 acceptance checks、10 個 rejection rules、total ref review items 141、received response 0、accepted 0、execution authorized=false | owner 依模板回覆 main/dev truth、deprecated drift、release tag、GitHub-only refs;response 通過只更新 read-only classification / reconcile / readiness wording,不代表 refs sync、delete、force push 或 primary approval |
|
||||
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證,rollback ADR 仍待 owner approval | SHA/tag/workflow parity、rollback ADR owner approval 與 runtime gate |
|
||||
|
||||
## 1. 已建立的主要 evidence
|
||||
@@ -87,6 +88,8 @@
|
||||
| Source Control branch/tag detail diff JSON | `docs/security/source-control-ref-detail-diff.snapshot.json` |
|
||||
| Source Control ref truth classification | `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` |
|
||||
| Source Control ref truth classification JSON | `docs/security/source-control-ref-truth-classification.snapshot.json` |
|
||||
| Source Control ref truth owner response 收件包 | `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` |
|
||||
| Source Control ref truth owner response JSON | `docs/security/source-control-ref-truth-owner-response.snapshot.json` |
|
||||
| Source Control GitHub primary readiness gate | `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` |
|
||||
| Source Control GitHub primary readiness gate JSON | `docs/security/source-control-primary-readiness-gate.snapshot.json` |
|
||||
| Source Control GitHub primary rollback ADR | `docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md` |
|
||||
@@ -158,9 +161,9 @@
|
||||
|
||||
1. 先依 S4.9 `GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md` 收到並驗收 S4.7 `GITEA-INVENTORY-COVERAGE-ATTESTATION.md` 的 owner response;S4.8 已把這件事接到既有 approval queue / gate / review packet / follow-up runtime gate。之後再依 S4.5 `GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` 取得 Gitea 認證清冊;收到 payload 後依 S4.6 `GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` 驗收 / 拒收 / 隔離。目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆;只能用只讀 token API 或已脫敏管理匯出補私有 / 內部 server-side 全量 repo list,不保存 token value。
|
||||
2. 依 S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` 與 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical response;目前 response 0 筆、accepted 0 筆,通過後也只更新 read-only decision table / approval package / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval。
|
||||
3. 依 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
|
||||
3. 依 S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` 與 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner response 驗收;response 通過也只更新 read-only classification / reconcile / readiness wording,仍不得 push/delete refs 或 force push。
|
||||
4. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
|
||||
5. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。
|
||||
6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response 收件包,GitHub target 決策需同時顯示 S4.10 owner decision response templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request,primary readiness 需同時顯示 S4.4 rollback ADR 草案。
|
||||
6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response 收件包,GitHub target 決策需同時顯示 S4.10 owner decision response templates,refs truth 需同時顯示 S4.11 owner response templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request,primary readiness 需同時顯示 S4.4 rollback ADR 草案。
|
||||
7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。
|
||||
8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response templates、S4.10 GitHub target owner response templates、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。
|
||||
8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response templates、S4.10 GitHub target owner response templates、S4.11 refs truth owner response templates、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。
|
||||
|
||||
@@ -120,7 +120,7 @@ GitHub primary 可以作為長期方向,但目前還不能切換。
|
||||
|
||||
Repo-by-repo approval package 已建立,7 個 approval-required targets 皆為 `pending`。Approval scope 採低摩擦原則:只處理高風險執行邊界,不阻擋 read-only inventory、evidence mirror 與草案規劃。
|
||||
|
||||
Ref truth classification 已建立,將 `awoooi`、`clawbot-v5`、`wooo-aiops` 的 141 個 refs 差異拆成 review lane。`main` / `dev` 屬真相來源判定,`drift/adopt-*` 先列 deprecated candidate,release / UAT tags 先列保留判定;不得把分類結果直接執行成同步、刪除或 primary switch。
|
||||
Ref truth classification 已建立,將 `awoooi`、`clawbot-v5`、`wooo-aiops` 的 141 個 refs 差異拆成 review lane。`main` / `dev` 屬真相來源判定,`drift/adopt-*` 先列 deprecated candidate,release / UAT tags 先列保留判定;S4.11 已補 owner response 收件包,5 個 templates、received / accepted response 皆為 0。不得把分類結果或 response packet 直接執行成同步、刪除、force push 或 primary switch。
|
||||
|
||||
## 3. 必要驗收 gate
|
||||
|
||||
@@ -145,13 +145,13 @@ Ref truth classification 已建立,將 `awoooi`、`clawbot-v5`、`wooo-aiops`
|
||||
|
||||
這三個 mapped repos 都不能直接視為 GitHub primary ready。
|
||||
|
||||
Ref truth classification 補充:完整 review lane 見 `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md`。目前分類結果是 4 個 `manual_truth_required`、114 個 `manual_review_deprecated_candidate`、3 個 `manual_review_release_tag`、20 個 `manual_review_github_only`。
|
||||
Ref truth classification 補充:完整 review lane 見 `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md`,S4.11 owner response 收件包見 `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md`。目前分類結果是 4 個 `manual_truth_required`、114 個 `manual_review_deprecated_candidate`、3 個 `manual_review_release_tag`、20 個 `manual_review_github_only`。
|
||||
|
||||
## 5. 下一波建議
|
||||
|
||||
1. 先批准 Gitea read-only inventory package,再用只讀 token 或管理匯出補齊 Gitea server repo list。
|
||||
2. 依 GitHub target repo-by-repo approval package 處理 7 個 approval-required target。
|
||||
3. 依 ref truth classification 釐清 `wooo/awoooi`、`wooo/clawbot-v5`、`wooo/wooo-aiops` 的雙端分歧來源。
|
||||
3. 依 S4.11 ref truth owner response 收件包與 classification 釐清 `wooo/awoooi`、`wooo/clawbot-v5`、`wooo/wooo-aiops` 的雙端分歧來源;仍不得 push/delete refs。
|
||||
4. 釐清 `wooo/ewoooc`、`root/momo-pro-system`、`momo-pro-system`、`momo_pro_system` 的 canonical 關係。
|
||||
5. 釐清 `bitan-pharmacy`、`tsenyang-website` 是否仍 active,並決定 GitHub owner / visibility。
|
||||
6. 產出 GitHub primary ADR 前,不做主控切換。
|
||||
|
||||
@@ -8,6 +8,7 @@
|
||||
| Snapshot | `docs/security/source-control-primary-readiness-gate.snapshot.json` |
|
||||
| Rollback ADR | `docs/security/source-control-primary-rollback-adr.snapshot.json` |
|
||||
| GitHub target owner response | `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` |
|
||||
| Ref truth owner response | `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` |
|
||||
| 模式 | `primary_readiness_gate_only` |
|
||||
| runtime 執行授權 | `false` |
|
||||
|
||||
@@ -35,7 +36,7 @@
|
||||
| Gate | 目前狀態 | 說明 |
|
||||
|------|----------|------|
|
||||
| Gitea authenticated inventory | blocked | private/internal 全量 repo list 尚未完成;S4.7 owner coverage attestation 與 S4.9 owner response 仍未收到 |
|
||||
| refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift |
|
||||
| refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift;S4.11 已補 refs truth owner response 收件包,received / accepted response 皆為 0 |
|
||||
| workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot |
|
||||
| owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策;S4.10 已補 owner response 收件包,received / accepted response 皆為 0 |
|
||||
| rollback ADR | pending review | S4.4 已建立 rollback ADR 草案;7 個 in-scope repos 仍需 owner approval、dry-run 與 validation window |
|
||||
@@ -45,11 +46,12 @@
|
||||
1. 顯示每個 repo 的 readiness state、blockers 與 evidence refs。
|
||||
2. 顯示 `primary_ready_count=0`。
|
||||
3. 將 7 個 in-scope repos 維持在 approval / review lane。
|
||||
4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response、refs truth、workflow/runner/secret name inventory、rollback ADR。
|
||||
4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response、S4.11 refs truth owner response、workflow/runner/secret name inventory、rollback ADR。
|
||||
5. 連到 S4.10 `github_target_owner_decision_response_v1` 顯示 7 個 owner decision response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。
|
||||
6. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。
|
||||
7. 連到 `source_control_primary_rollback_adr_v1` 顯示 7 個 in-scope repos 的 rollback owner、trigger 與 validation window 草案。
|
||||
8. 把狀態寫入 Audit evidence 與 Operator Console。
|
||||
6. 連到 S4.11 `source_control_ref_truth_owner_response_v1` 顯示 5 個 refs owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。
|
||||
7. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。
|
||||
8. 連到 `source_control_primary_rollback_adr_v1` 顯示 7 個 in-scope repos 的 rollback owner、trigger 與 validation window 草案。
|
||||
9. 把狀態寫入 Audit evidence 與 Operator Console。
|
||||
|
||||
## 4. AwoooP 不可做
|
||||
|
||||
@@ -65,6 +67,6 @@
|
||||
|
||||
S4.0 只是把「切換前一定要看見什麼」先定義清楚。
|
||||
|
||||
S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response 收件包,S4.10 已補上 GitHub target owner decision response 收件包;它們只是 scope decision 與 response 驗收框架,不是 migration approval、repo creation approval、visibility change approval、refs sync approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。
|
||||
S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response 收件包,S4.10 已補上 GitHub target owner decision response 收件包,S4.11 已補上 refs truth owner response 收件包;它們只是 scope decision 與 response 驗收框架,不是 migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。
|
||||
|
||||
這讓長期回到 GitHub 的方向可以繼續往前,但仍維持低摩擦:目前只 mirror、只顯示、只留痕,不執行。
|
||||
|
||||
@@ -8,12 +8,13 @@
|
||||
| inventory gate | `blocked` |
|
||||
| gate 原因 | Gitea authenticated / admin_export server-side inventory 尚未完成;本 plan 只能作草案,不可執行 refs sync。 |
|
||||
| plan count | 3 |
|
||||
| refs owner response 收件包 | `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` / `docs/security/source-control-ref-truth-owner-response.snapshot.json` |
|
||||
|
||||
## 0. 核心結論
|
||||
|
||||
這份文件只是 refs reconcile 草案,不是同步腳本,也不授權任何 GitHub primary 切換。AwoooP 可以 mirror 成 approval candidate,但不得執行 board item 或呼叫任何 push / sync 工具。
|
||||
|
||||
若已存在 `source_control_ref_truth_classification_v1`,請把它視為本 plan 的人工 review lane 補充:分類結果只協助 repo owner 判定,不授權同步或刪除。
|
||||
若已存在 `source_control_ref_truth_classification_v1`,請把它視為本 plan 的人工 review lane 補充:分類結果只協助 repo owner 判定,不授權同步或刪除。S4.11 已補 `source_control_ref_truth_owner_response_v1` 收件包;response 通過也只更新本 plan 的 draft wording,不代表 refs sync、delete、force push 或 primary approval。
|
||||
|
||||
## 1. Repo 差異摘要
|
||||
|
||||
|
||||
@@ -6,12 +6,13 @@
|
||||
| 狀態 | `draft_blocked` |
|
||||
| 預設模式 | `classification_only` |
|
||||
| 來源 snapshot | `docs/security/source-control-ref-detail-diff.snapshot.json` |
|
||||
| Owner response 收件包 | `docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` / `docs/security/source-control-ref-truth-owner-response.snapshot.json` |
|
||||
| repo count | `3` |
|
||||
| total items | `141` |
|
||||
|
||||
## 0. 核心結論
|
||||
|
||||
本檔把 branch/tag diff 轉成「人工審核分類」:哪些 ref 需要真相來源判定、哪些可能是 deprecated 候選、哪些 release / UAT tags 需要保留判定。它不是同步計畫,也不授權 fetch、push、delete refs 或 GitHub primary 切換。
|
||||
本檔把 branch/tag diff 轉成「人工審核分類」:哪些 ref 需要真相來源判定、哪些可能是 deprecated 候選、哪些 release / UAT tags 需要保留判定。S4.11 已補 owner response 收件包,讓 AwoooP 可以等待並驗收 5 類 owner 回覆;它仍不是同步計畫,也不授權 fetch、push、delete refs 或 GitHub primary 切換。
|
||||
|
||||
## 1. 摘要
|
||||
|
||||
@@ -21,6 +22,8 @@
|
||||
| 可能 deprecated / archive 候選 | `114` |
|
||||
| release tag 待審核 | `3` |
|
||||
| GitHub-only ref 待審核 | `20` |
|
||||
| S4.11 response templates | `5` |
|
||||
| S4.11 received / accepted / rejected | `0 / 0 / 0` |
|
||||
|
||||
## 2. Repo 分類
|
||||
|
||||
@@ -118,9 +121,10 @@
|
||||
## 3. AwoooP 消費方式
|
||||
|
||||
1. 只 mirror `source_control_ref_truth_classification_v1`。
|
||||
2. 可顯示 review lane 與 owner decision queue。
|
||||
2. 可顯示 review lane、owner decision queue 與 S4.11 owner response templates。
|
||||
3. 可產生單 repo / 單 ref approval candidate,但不得自動批准。
|
||||
4. 不得新增 refs sync、delete、force-push、primary switch action。
|
||||
4. 收到 owner response 後,只能依 S4.11 驗收 / 拒收 / 隔離並更新 read-only evidence。
|
||||
5. 不得新增 refs sync、delete、force-push、primary switch action。
|
||||
|
||||
## 4. 仍然禁止
|
||||
|
||||
|
||||
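--- /dev/null
+++ b/docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md
@@ -0,0 +1,125 @@
+# Source Control Ref Truth Owner Response 收件包
+
+| 項目 | 內容 |
+|------|------|
+| 日期 | 2026-05-17 |
+| 狀態 | 草案,等待 owner response |
+| 資料契約 | `docs/schemas/source_control_ref_truth_owner_response_v1.schema.json` |
+| 快照 | `docs/security/source-control-ref-truth-owner-response.snapshot.json` |
+| 來源契約 | `source_control_ref_truth_classification_v1` |
+| 目標契約 | `source_control_reconcile_plan_v1` |
+| 模式 | `owner_ref_truth_response_intake_only` |
+| 執行面授權 | `false` |
+
+## 0. 核心結論
+
+S4.11 補的是「owner 要怎麼回覆 141 個 refs review items 的真相來源、deprecated 候選、release tag retention 與 GitHub-only refs disposition」。
+
+S4.11 不是 refs sync approval、不是 delete approval、不是 force-push approval,也不是 GitHub primary approval。它只把 owner response 的欄位、可接受決策、驗收規則、拒收規則與允許輸出固定下來,讓 AwoooP 可以只讀顯示並等待人工補證。
+
+此文件不要求貼 token,不接受 raw secret,不 fetch、不 push refs、不 delete refs、不 rewrite branch/tag、不建立 repo、不修改 visibility、不切 primary,也不停用 Gitea。
+
+## 1. Response 摘要
+
+| 指標 | 值 |
+|------|----|
+| owner response 狀態 | `waiting_owner_response` |
+| repos | 3 |
+| ref review items | 141 |
+| 需要人工指定真相來源 | 4 |
+| deprecated / archive 候選 | 114 |
+| release tag 待審核 | 3 |
+| GitHub-only ref 待審核 | 20 |
+| response templates | 5 |
+| 已收到 response | 0 |
+| 已接受 response | 0 |
+| 已拒收 response | 0 |
+| acceptance checks | 8 |
+| rejection rules | 10 |
+| 授權 sync refs | `false` |
+| 授權 delete refs | `false` |
+| 授權 force push | `false` |
+| 授權切換 GitHub primary | `false` |
+| 允許收集 secret value | `false` |
+| 允許 action button | `false` |
+
+## 2. Owner Response 必填欄位
+
+每筆 response 至少要能回答:
+
+1. `owner_role_or_team`:回覆者角色或團隊,不要求個人敏感資訊。
+2. `decision`:必須是該 lane template 允許的決策值。
+3. `decision_reason`:為什麼做此真相來源、retention 或 disposition 判定。
+4. `repo` 與 `ref_name` / `tag_name` / `ref_pattern_or_ref_list`:批次回覆必須能重現範圍。
+5. `truth_source_or_sha`、`branch_disposition`、`retention_disposition` 或 `github_only_owner`:依 lane 補齊。
+6. `deploy_marker_owner`、`artifact_owner`、`rollback_point_owner` 或 `workflow_owner`:高風險 branch/tag 必須有 owner 或補證 owner。
+7. `evidence_refs`:只能指向 repo 內文件、snapshot 或 owner 提供的脫敏 metadata。
+
+## 3. 五個 Response Template
+
+| Template | Lane | 覆蓋範圍 | 驗收重點 |
+|----------|------|----------|----------|
+| `response-main-branch-truth-source` | `main_truth_required` | 3 個 repo main branch | 指定 truth source、deploy marker owner、production source owner、rollback point owner |
+| `response-active-dev-branch-truth-source` | `active_branch_truth_required` | `wooo/awoooi dev` | 判定 active workflow、legacy candidate 或需補 workflow owner |
+| `response-drift-deprecated-candidate-batch` | `archive_or_deprecate_candidate` | `wooo/awoooi` 114 個 drift/adopt refs | deprecated candidate 只代表人工 disposition,不代表 delete approval |
+| `response-release-tag-retention` | `release_tag_missing_on_github` | `awoooi` 2 個 release tags、`clawbot-v5` 1 個 tag | 指定 artifact / deploy marker owner,維持 tag action disabled |
+| `response-github-only-ref-review` | `github_only_manual_review` | `wooo-aiops` 1 個 branch + 19 個 UAT tags | backfill 只能是 candidate,不代表 push approval |
+
+## 4. 可接受決策值
+
+| Lane | Decision |
+|------|----------|
+| `main_truth_required` | `choose_gitea_as_truth_candidate`、`choose_github_as_truth_candidate`、`choose_specific_sha_as_truth_candidate`、`hold_pending_deploy_marker`、`unknown_requires_more_evidence` |
+| `active_branch_truth_required` | `keep_active_branch_candidate`、`mark_branch_legacy_candidate`、`hold_pending_workflow_owner`、`unknown_requires_more_evidence` |
+| `archive_or_deprecate_candidate` | `mark_deprecated_candidate`、`keep_audit_retention_candidate`、`split_batch_requires_more_evidence`、`unknown_requires_more_evidence` |
+| `release_tag_missing_on_github` | `keep_release_tag_candidate`、`mark_tag_legacy_candidate`、`hold_pending_artifact_owner`、`unknown_requires_more_evidence` |
+| `github_only_manual_review` | `keep_github_only_candidate`、`backfill_to_gitea_candidate`、`mark_legacy_github_only_candidate`、`hold_pending_audit_owner`、`unknown_requires_more_evidence` |
+
+## 5. 驗收規則
+
+1. response 必須對應既有 refs truth lane。
+2. `decision` 必須在該 lane template 的允許值內。
+3. 必須標示 repo 與 ref scope;批次回覆必須有可重現範圍。
+4. 必須說明 truth source 或 disposition;未知時要明確選 hold / unknown。
+5. high-risk main branch 與 release tag 必須有 deploy、artifact、rollback 或補證 owner。
+6. 不得夾帶 fetch、push refs、delete refs、force push、mirror sync、tag rewrite 或 branch rewrite 要求。
+7. 不得夾帶 GitHub primary、repo creation、visibility change、disable Gitea 或 archive Gitea 要求。
+8. `evidence_refs` 必須已脫敏,不得包含 token、credential、secret value、private key、deploy key value、cookie 或 session。
+
+## 6. 必須拒收
+
+1. token value、PAT、cookie、session、CSRF token、private key、deploy key value 或 partial credential。
+2. fetch、push refs、delete refs、force push、mirror sync、tag rewrite、branch rewrite 或 prune refs。
+3. 切 GitHub primary 或把 GitHub primary readiness 視為已完成。
+4. 建立 repo、修改 repo visibility 或改 remote URL。
+5. 把 deprecated candidate 當成 delete approval。
+6. 把 backfill candidate 當成 push approval。
+7. 缺 repo/ref/lane 或批次範圍無法重現。
+8. main / release high-risk 回覆缺 deploy marker、artifact、rollback 或補證 owner。
+9. 要求停用、刪除、封存或降級 Gitea。
+10. 任何不確定是否含敏感值、私有 URL 憑證或未脫敏截圖的回覆。
+
+## 7. AwoooP 可做
+
+1. 顯示 5 個 owner response templates。
+2. 顯示 8 個 acceptance checks 與 10 個 rejection rules。
+3. 在 owner response 到來後,只更新 read-only classification、draft reconcile plan、primary readiness blocker wording 與 status rollup。
+4. 將不完整或可疑 response 放進 mirror quarantine。
+5. 持續顯示 `received_response_count=0`、`accepted_response_count=0`,直到真的收到脫敏 response。
+
+## 8. AwoooP 不可做
+
+1. 不要求使用者貼 token、secret、private key、cookie、session 或 deploy key。
+2. 不把 response 當成 refs sync approval。
+3. 不把 response 當成 delete refs approval。
+4. 不把 response 當成 force-push approval。
+5. 不把 response 當成 GitHub primary approval。
+6. 不建立 GitHub repo。
+7. 不修改 GitHub/Gitea repo。
+8. 不新增執行按鈕。
+
+## 9. 階段定位
+
+S4.11 是 S4.0 GitHub primary readiness 與 S4.10 GitHub target owner decision 後面的 refs owner response 收件包。
+
+它讓 141 個 ref review items 的 owner response 變得可審、可驗收、可拒收,但仍停在框架期。真正進入 refs migration 或 GitHub primary 前,仍必須等 Gitea inventory、GitHub target response、workflow-secret parity、rollback ADR、owner approval 與後續 runtime gate 全部補齊。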
@@ -12,6 +12,7 @@
|
||||
"docs/security/kali-scan-scope-approval.snapshot.json",
|
||||
"docs/security/source-control-approval-board.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
|
||||
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
|
||||
],
|
||||
@@ -174,11 +175,13 @@
|
||||
],
|
||||
"decision_options": ["approve_scope", "reject", "defer", "request_more_evidence"],
|
||||
"allowed_after_approval": [
|
||||
"標記單 ref 真相來源",
|
||||
"依 S4.11 驗收 owner response",
|
||||
"標記單 ref 真相來源候選",
|
||||
"更新 source control reconcile plan",
|
||||
"產生人工 review checklist"
|
||||
],
|
||||
"still_forbidden": [
|
||||
"把 S4.11 response packet 當成 refs sync/delete/force push approval",
|
||||
"push refs",
|
||||
"delete refs",
|
||||
"force push",
|
||||
@@ -188,6 +191,8 @@
|
||||
"evidence_refs": [
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md"
|
||||
]
|
||||
},
|
||||
|
||||
@@ -163,7 +163,7 @@
|
||||
"risk": "HIGH",
|
||||
"state": "pending_approval",
|
||||
"recommended_awooop_mode": "approve_required",
|
||||
"requested_decision": "是否逐 repo / 單 ref 判定真相來源、deprecated 候選、release tag 與 GitHub-only refs;分類結果不得自動執行。",
|
||||
"requested_decision": "是否逐 repo / 單 ref 判定真相來源、deprecated 候選、release tag 與 GitHub-only refs;先依 S4.11 驗收 owner response,分類結果不得自動執行。",
|
||||
"blocked_until_approved": true,
|
||||
"required_reviewers": [
|
||||
"migration-engineer",
|
||||
@@ -173,14 +173,18 @@
|
||||
"evidence_refs": [
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md"
|
||||
],
|
||||
"allowed_after_approval": [
|
||||
"標記單 ref 真相來源",
|
||||
"依 S4.11 驗收 owner response",
|
||||
"標記單 ref 真相來源候選",
|
||||
"更新 source control reconcile plan",
|
||||
"產生人工 review checklist"
|
||||
],
|
||||
"still_forbidden": [
|
||||
"把 S4.11 response packet 當成 refs sync/delete/force push approval",
|
||||
"push refs",
|
||||
"delete refs",
|
||||
"force push",
|
||||
|
||||
@@ -13,7 +13,8 @@
|
||||
"docs/security/security-mirror-status-rollup.snapshot.json",
|
||||
"docs/security/security-rollout-policy.snapshot.json",
|
||||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
|
||||
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
|
||||
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
|
||||
],
|
||||
"summary": {
|
||||
"total_review_packets": 8,
|
||||
@@ -199,7 +200,7 @@
|
||||
"risk": "HIGH",
|
||||
"review_state": "ready_for_human_review",
|
||||
"review_lane": "design_or_draft_review",
|
||||
"requested_decision": "是否逐 repo / 單 ref 判定真相來源、deprecated 候選、release tag 與 GitHub-only refs;分類結果不得自動執行。",
|
||||
"requested_decision": "是否逐 repo / 單 ref 判定真相來源、deprecated 候選、release tag 與 GitHub-only refs;先依 S4.11 驗收 owner response,分類結果不得自動執行。",
|
||||
"required_reviewers": [
|
||||
"migration-engineer",
|
||||
"security-commander",
|
||||
@@ -209,18 +210,22 @@
|
||||
"evidence_refs": [
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md"
|
||||
],
|
||||
"allowed_pre_decision_actions": [
|
||||
"顯示 141 個 refs review items",
|
||||
"顯示 S4.11 五個 owner response templates 與 received_response_count=0",
|
||||
"依 repo / branch / tag 分組給 owner 判定",
|
||||
"產生人工 review checklist"
|
||||
],
|
||||
"allowed_after_decision_actions": [
|
||||
"若 approve_scope,只能更新 truth classification 或 reconcile draft",
|
||||
"若 approve_scope,只能依 S4.11 驗收後更新 truth classification 或 reconcile draft",
|
||||
"任何 refs sync/delete 仍需後續 runtime gate"
|
||||
],
|
||||
"still_forbidden": [
|
||||
"把 S4.11 response packet 當成 refs sync/delete/force push approval",
|
||||
"push refs",
|
||||
"delete refs",
|
||||
"force push",
|
||||
|
||||
@@ -12,7 +12,8 @@
|
||||
"docs/security/security-mirror-status-rollup.snapshot.json",
|
||||
"docs/security/security-rollout-policy.snapshot.json",
|
||||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
|
||||
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
|
||||
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
|
||||
],
|
||||
"summary": {
|
||||
"total_gate_templates": 8,
|
||||
@@ -200,6 +201,7 @@
|
||||
"applies_after_decision": "approve_scope",
|
||||
"minimum_required_evidence": [
|
||||
"單 repo / 單 ref owner 判定",
|
||||
"S4.11 owner response 驗收結果",
|
||||
"真相來源與 deprecated refs 清單",
|
||||
"branch/tag diff 最新 snapshot",
|
||||
"不得 sync/delete 的確認"
|
||||
@@ -210,12 +212,14 @@
|
||||
"human-owner"
|
||||
],
|
||||
"preflight_checks": [
|
||||
"確認 owner response 已依 S4.11 驗收 / 拒收 / 隔離",
|
||||
"確認分類結果不會自動執行",
|
||||
"確認 force push 禁用",
|
||||
"確認 release tags 需人工保留 / 棄用判定",
|
||||
"確認 GitHub primary 仍 blocked"
|
||||
],
|
||||
"allowed_pre_runtime_artifacts": [
|
||||
"source-control-ref-truth-owner-response acceptance note",
|
||||
"updated ref truth classification snapshot",
|
||||
"manual review checklist",
|
||||
"draft reconcile plan update",
|
||||
|
||||
@@ -315,9 +315,15 @@
|
||||
"consumption_mode": "approval_only",
|
||||
"mirror_allowed": true,
|
||||
"execution_allowed": false,
|
||||
"snapshot_paths": ["docs/security/source-control-reconcile-plan.snapshot.json"],
|
||||
"human_docs": ["docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md"],
|
||||
"notes": "可 mirror draft reconcile plan;不得 push refs。"
|
||||
"snapshot_paths": [
|
||||
"docs/security/source-control-reconcile-plan.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
|
||||
],
|
||||
"human_docs": [
|
||||
"docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md",
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
|
||||
],
|
||||
"notes": "可 mirror draft reconcile plan 與 S4.11 owner response 收件包;response 通過前只更新草案 wording,不得 push refs。"
|
||||
},
|
||||
{
|
||||
"contract": "source_control_ref_detail_diff_v1",
|
||||
@@ -335,9 +341,15 @@
|
||||
"consumption_mode": "approval_only",
|
||||
"mirror_allowed": true,
|
||||
"execution_allowed": false,
|
||||
"snapshot_paths": ["docs/security/source-control-ref-truth-classification.snapshot.json"],
|
||||
"human_docs": ["docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md"],
|
||||
"notes": "可 mirror refs truth classification 與 review lanes;不得執行分類結果。"
|
||||
"snapshot_paths": [
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
|
||||
],
|
||||
"human_docs": [
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
|
||||
],
|
||||
"notes": "可 mirror refs truth classification、review lanes 與 S4.11 owner response templates;received_response_count=0,不得執行分類結果。"
|
||||
},
|
||||
{
|
||||
"contract": "source_control_primary_readiness_gate_v1",
|
||||
|
||||
@@ -24,6 +24,7 @@
|
||||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
|
||||
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
|
||||
"docs/security/github-target-owner-decision-response.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"docs/security/source-control-primary-readiness-gate.snapshot.json",
|
||||
"docs/security/source-control-primary-rollback-adr.snapshot.json",
|
||||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||||
@@ -57,6 +58,13 @@
|
||||
"gitea_inventory_coverage_attestation_execution_authorized": false,
|
||||
"primary_readiness_candidate_repo_count": 8,
|
||||
"github_primary_ready_count": 0,
|
||||
"ref_truth_owner_response_template_count": 5,
|
||||
"ref_truth_owner_received_response_count": 0,
|
||||
"ref_truth_owner_accepted_response_count": 0,
|
||||
"ref_truth_owner_rejected_response_count": 0,
|
||||
"ref_truth_refs_sync_authorized": false,
|
||||
"ref_truth_refs_delete_authorized": false,
|
||||
"ref_truth_force_push_authorized": false,
|
||||
"primary_rollback_adr_repo_plan_count": 7,
|
||||
"primary_rollback_adr_owner_approved_count": 0,
|
||||
"primary_rollback_adr_dry_run_completed_count": 0,
|
||||
@@ -105,8 +113,8 @@
|
||||
{
|
||||
"phase_id": "S4_migration_execution",
|
||||
"state": "not_started",
|
||||
"current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response intake packet;S4.10 已補 GitHub target owner decision response intake packet,但 inventory status 仍 partial,GitHub target response 仍 0 筆。",
|
||||
"next_gate": "依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 收到並驗收 7 個 GitHub target owner / visibility / canonical response、authenticated inventory payload 通過 S4.6 驗收、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR owner approval 與逐 repo 人工批准。"
|
||||
"current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response intake packet;S4.10 已補 GitHub target owner decision response intake packet;S4.11 已補 refs truth owner response intake packet,但 inventory status 仍 partial,GitHub target response 與 refs truth response 仍 0 筆。",
|
||||
"next_gate": "依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 收到並驗收 5 個 refs truth owner response templates、authenticated inventory payload 通過 S4.6 驗收、workflow / webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR owner approval 與逐 repo 人工批准。"
|
||||
}
|
||||
],
|
||||
"next_safe_actions": [
|
||||
@@ -235,6 +243,24 @@
|
||||
"切 GitHub primary"
|
||||
]
|
||||
},
|
||||
{
|
||||
"action_id": "review_ref_truth_owner_responses",
|
||||
"title": "審查 refs truth owner response 收件包",
|
||||
"mode": "approval_required",
|
||||
"source_contract": "source_control_ref_truth_classification_v1",
|
||||
"allowed_processing": [
|
||||
"顯示 S4.11 owner response templates、received_response_count=0 與 rejection rules",
|
||||
"依 main/dev truth、deprecated drift、release tag、GitHub-only refs 分組給 owner 判定",
|
||||
"response 通過後只更新 read-only classification、draft reconcile plan 與 readiness blocker wording",
|
||||
"維持 refs action disabled"
|
||||
],
|
||||
"blocked_processing": [
|
||||
"把 S4.11 response packet 當成 refs sync、delete、force push 或 primary approval",
|
||||
"fetch / push / delete refs",
|
||||
"rewrite branch 或 tag",
|
||||
"切 GitHub primary"
|
||||
]
|
||||
},
|
||||
{
|
||||
"action_id": "review_github_primary_readiness_gate",
|
||||
"title": "審查 GitHub primary readiness blockers",
|
||||
@@ -242,7 +268,7 @@
|
||||
"source_contract": "source_control_primary_readiness_gate_v1",
|
||||
"allowed_processing": [
|
||||
"顯示 7 個 in-scope repos 仍 blocked",
|
||||
"顯示 Gitea inventory、refs truth、workflow/secret name parity 與 rollback ADR 缺口",
|
||||
"顯示 Gitea inventory、refs truth owner response、workflow/secret name parity 與 rollback ADR 缺口",
|
||||
"要求 repo owner 補 owner / visibility / canonical 決策"
|
||||
],
|
||||
"blocked_processing": [
|
||||
@@ -321,7 +347,8 @@
|
||||
"S4.7 只新增 Gitea owner coverage attestation request;required_attestation_item_count=5、received_attestation_count=0,不把 attestation 當 migration approval。",
|
||||
"S4.8 只把既有 Gitea approval queue/gate/review packet/follow-up gate 對齊 S4.7 先行條件;approval_queue_total 仍為 8、active_runtime_gates 仍為 0,不新增執行入口。",
|
||||
"S4.9 只新增 Gitea owner attestation response 收件包;required_response_item_count=5、received_response_count=0、accepted_response_count=0,不把 response packet 當 inventory 執行或 primary approval。",
|
||||
"S4.10 只新增 GitHub target owner decision response 收件包;response_template_count=7、received_response_count=0、accepted_response_count=0,不把 response packet 當 repo creation、visibility change、refs sync 或 GitHub primary approval。"
|
||||
"S4.10 只新增 GitHub target owner decision response 收件包;response_template_count=7、received_response_count=0、accepted_response_count=0,不把 response packet 當 repo creation、visibility change、refs sync 或 GitHub primary approval。",
|
||||
"S4.11 只新增 refs truth owner response 收件包;response_template_count=5、received_response_count=0、accepted_response_count=0,不把 response packet 當 refs sync、delete、force push 或 GitHub primary approval。"
|
||||
],
|
||||
"forbidden_actions": [
|
||||
"start_kali_scan",
|
||||
|
||||
@@ -483,8 +483,14 @@
|
||||
{
|
||||
"contract": "source_control_reconcile_plan_v1",
|
||||
"schema_path": "docs/schemas/source_control_reconcile_plan_v1.schema.json",
|
||||
"snapshot_paths": ["docs/security/source-control-reconcile-plan.snapshot.json"],
|
||||
"human_docs": ["docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md"],
|
||||
"snapshot_paths": [
|
||||
"docs/security/source-control-reconcile-plan.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
|
||||
],
|
||||
"human_docs": [
|
||||
"docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md",
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
|
||||
],
|
||||
"consumer": "AwoooP approval candidate / migration reviewer",
|
||||
"consumption_mode": "approval_only",
|
||||
"allowed_actions": [
|
||||
@@ -498,7 +504,7 @@
|
||||
"force_push",
|
||||
"switch_github_primary"
|
||||
],
|
||||
"notes": "只針對 3 個 refs-blocked mapped repos 產生 draft plan;inventory gate 仍 blocked,不可執行。"
|
||||
"notes": "只針對 3 個 refs-blocked mapped repos 產生 draft plan;S4.11 owner response 通過前只能更新 draft wording,inventory gate 仍 blocked,不可執行。"
|
||||
},
|
||||
{
|
||||
"contract": "source_control_ref_detail_diff_v1",
|
||||
@@ -523,8 +529,14 @@
|
||||
{
|
||||
"contract": "source_control_ref_truth_classification_v1",
|
||||
"schema_path": "docs/schemas/source_control_ref_truth_classification_v1.schema.json",
|
||||
"snapshot_paths": ["docs/security/source-control-ref-truth-classification.snapshot.json"],
|
||||
"human_docs": ["docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md"],
|
||||
"snapshot_paths": [
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
|
||||
],
|
||||
"human_docs": [
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
|
||||
],
|
||||
"consumer": "AwoooP migration reviewer / repo owner approval queue",
|
||||
"consumption_mode": "approval_only",
|
||||
"allowed_actions": [
|
||||
@@ -538,7 +550,7 @@
|
||||
"delete_refs",
|
||||
"switch_github_primary"
|
||||
],
|
||||
"notes": "把 refs diff 分成 main/dev 真相來源、drift deprecated 候選、release tag 與 GitHub-only review lane;仍不授權 sync。"
|
||||
"notes": "把 refs diff 分成 main/dev 真相來源、drift deprecated 候選、release tag 與 GitHub-only review lane;S4.11 只定義 5 個 owner response templates、received_response_count=0,仍不授權 sync/delete/force push。"
|
||||
},
|
||||
{
|
||||
"contract": "source_control_primary_readiness_gate_v1",
|
||||
|
||||
@@ -11,6 +11,7 @@
|
||||
"docs/security/source-control-reconcile-plan.snapshot.json",
|
||||
"docs/security/source-control-ref-detail-diff.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||||
"docs/security/source-control-primary-rollback-adr.snapshot.json",
|
||||
"docs/security/gitea-repo-inventory.snapshot.json",
|
||||
@@ -76,10 +77,12 @@
|
||||
"current_gap": [
|
||||
"3 個 mapped repos 仍有 refs drift",
|
||||
"141 個 refs review items 尚待人工判定",
|
||||
"S4.11 已建立 refs truth owner response 收件包,但目前 received_response_count=0、accepted_response_count=0",
|
||||
"不得 push/delete/force push refs"
|
||||
],
|
||||
"allowed_now": [
|
||||
"mirror ref truth classification",
|
||||
"mirror S4.11 owner response templates、acceptance checks 與 rejection rules",
|
||||
"顯示 single-ref review lane",
|
||||
"更新 draft reconcile plan"
|
||||
],
|
||||
@@ -169,6 +172,7 @@
|
||||
"docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md",
|
||||
"docs/security/source-control-ref-detail-diff.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"docs/security/github-target-owner-decision-response.snapshot.json"
|
||||
],
|
||||
"allowed_now": [
|
||||
@@ -200,6 +204,7 @@
|
||||
"evidence_refs": [
|
||||
"docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md",
|
||||
"docs/security/source-control-reconcile-plan.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"docs/security/github-target-owner-decision-response.snapshot.json"
|
||||
],
|
||||
"allowed_now": [
|
||||
@@ -230,6 +235,7 @@
|
||||
"evidence_refs": [
|
||||
"docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md",
|
||||
"docs/security/source-control-reconcile-plan.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"docs/security/github-target-owner-decision-response.snapshot.json"
|
||||
],
|
||||
"allowed_now": [
|
||||
|
||||
@@ -17,6 +17,15 @@
|
||||
]
|
||||
},
|
||||
"plan_count": 3,
|
||||
"owner_response_packet": {
|
||||
"schema_version": "source_control_ref_truth_owner_response_v1",
|
||||
"snapshot_path": "docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"human_doc": "docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md",
|
||||
"received_response_count": 0,
|
||||
"accepted_response_count": 0,
|
||||
"execution_authorized": false,
|
||||
"allowed_effect": "response 通過後只更新 draft wording,不授權 refs sync/delete/force push/primary switch"
|
||||
},
|
||||
"plans": [
|
||||
{
|
||||
"gitea_repo": "wooo/awoooi",
|
||||
|
||||
@@ -12,6 +12,16 @@
|
||||
"release_tag_review_count": 3,
|
||||
"github_only_review_count": 20
|
||||
},
|
||||
"owner_response_packet": {
|
||||
"schema_version": "source_control_ref_truth_owner_response_v1",
|
||||
"snapshot_path": "docs/security/source-control-ref-truth-owner-response.snapshot.json",
|
||||
"human_doc": "docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md",
|
||||
"required_response_lanes": 5,
|
||||
"received_response_count": 0,
|
||||
"accepted_response_count": 0,
|
||||
"rejected_response_count": 0,
|
||||
"execution_authorized": false
|
||||
},
|
||||
"still_forbidden": [
|
||||
"fetch",
|
||||
"push refs",
|
||||
|
||||
@@ -0,0 +1,386 @@
|
||||
{
|
||||
"schema_version": "source_control_ref_truth_owner_response_v1",
|
||||
"status": "draft_waiting_owner_response",
|
||||
"date": "2026-05-17",
|
||||
"mode": "owner_ref_truth_response_intake_only",
|
||||
"runtime_execution_authorized": false,
|
||||
"source_contract": "source_control_ref_truth_classification_v1",
|
||||
"target_contract": "source_control_reconcile_plan_v1",
|
||||
"source_indexes": [
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-ref-detail-diff.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
|
||||
"docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md",
|
||||
"docs/security/source-control-reconcile-plan.snapshot.json",
|
||||
"docs/security/source-control-primary-readiness-gate.snapshot.json",
|
||||
"docs/security/security-approval-review-packet.snapshot.json",
|
||||
"docs/security/security-followup-runtime-gate.snapshot.json"
|
||||
],
|
||||
"summary": {
|
||||
"owner_response_status": "waiting_owner_response",
|
||||
"repo_count": 3,
|
||||
"total_ref_review_item_count": 141,
|
||||
"manual_truth_required_count": 4,
|
||||
"deprecated_candidate_count": 114,
|
||||
"release_tag_review_count": 3,
|
||||
"github_only_review_count": 20,
|
||||
"response_template_count": 5,
|
||||
"received_response_count": 0,
|
||||
"accepted_response_count": 0,
|
||||
"rejected_response_count": 0,
|
||||
"acceptance_check_count": 8,
|
||||
"rejection_rule_count": 10,
|
||||
"refs_sync_authorized": false,
|
||||
"refs_delete_authorized": false,
|
||||
"force_push_authorized": false,
|
||||
"github_primary_switch_authorized": false,
|
||||
"secret_value_collection_allowed": false,
|
||||
"action_buttons_allowed": false
|
||||
},
|
||||
"response_templates": [
|
||||
{
|
||||
"template_id": "response-main-branch-truth-source",
|
||||
"lane": "main_truth_required",
|
||||
"affected_repos": [
|
||||
"wooo/awoooi -> owenhytsai/awoooi",
|
||||
"wooo/clawbot-v5 -> owenhytsai/clawbot-v5",
|
||||
"wooo/wooo-aiops -> owenhytsai/wooo-aiops"
|
||||
],
|
||||
"risk": "HIGH",
|
||||
"covered_item_count": 3,
|
||||
"requested_owner_decision": "判定三個 main branch 的真相來源、deploy marker owner、production source owner 與 rollback point owner;維持 refs action disabled。",
|
||||
"required_owner_fields": [
|
||||
"owner_role_or_team",
|
||||
"decision",
|
||||
"decision_reason",
|
||||
"repo",
|
||||
"ref_name",
|
||||
"truth_source_or_sha",
|
||||
"deploy_marker_owner",
|
||||
"production_source_owner",
|
||||
"rollback_point_owner",
|
||||
"evidence_refs"
|
||||
],
|
||||
"acceptable_decisions": [
|
||||
"choose_gitea_as_truth_candidate",
|
||||
"choose_github_as_truth_candidate",
|
||||
"choose_specific_sha_as_truth_candidate",
|
||||
"hold_pending_deploy_marker",
|
||||
"unknown_requires_more_evidence"
|
||||
],
|
||||
"minimum_evidence_refs": [
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-ref-detail-diff.snapshot.json",
|
||||
"docs/security/source-control-primary-readiness-gate.snapshot.json"
|
||||
],
|
||||
"acceptance_criteria": [
|
||||
"必須逐 repo 標示 main branch 的候選真相來源,不可只寫全域結論。",
|
||||
"必須說明 deploy marker、production source 與 rollback point 的 owner 或補證 owner。",
|
||||
"必須承認通過收件後只更新 read-only classification / reconcile / readiness wording,不授權 refs sync。"
|
||||
],
|
||||
"rejection_conditions": [
|
||||
"把 main branch truth response 當成可直接 push refs 或切 primary。",
|
||||
"沒有 repo、ref_name、truth_source_or_sha 或 deploy evidence owner。",
|
||||
"含有 token、credential、private URL 憑證或未脫敏截圖。"
|
||||
],
|
||||
"allowed_outputs": [
|
||||
"更新 `source-control-ref-truth-classification.snapshot.json` 的 read-only owner response 欄位。",
|
||||
"更新 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 的 owner response 摘要。",
|
||||
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 blocker wording,且 primary_ready_count 維持 0。"
|
||||
],
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"template_id": "response-active-dev-branch-truth-source",
|
||||
"lane": "active_branch_truth_required",
|
||||
"affected_repos": [
|
||||
"wooo/awoooi -> owenhytsai/awoooi"
|
||||
],
|
||||
"risk": "HIGH",
|
||||
"covered_item_count": 1,
|
||||
"requested_owner_decision": "判定 `wooo/awoooi` 的 `dev` branch 是否仍是 active workflow、legacy branch 或需補證;維持 refs action disabled。",
|
||||
"required_owner_fields": [
|
||||
"owner_role_or_team",
|
||||
"decision",
|
||||
"decision_reason",
|
||||
"repo",
|
||||
"ref_name",
|
||||
"workflow_owner",
|
||||
"branch_disposition",
|
||||
"evidence_refs"
|
||||
],
|
||||
"acceptable_decisions": [
|
||||
"keep_active_branch_candidate",
|
||||
"mark_branch_legacy_candidate",
|
||||
"hold_pending_workflow_owner",
|
||||
"unknown_requires_more_evidence"
|
||||
],
|
||||
"minimum_evidence_refs": [
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-reconcile-plan.snapshot.json",
|
||||
"docs/security/security-approval-review-packet.snapshot.json"
|
||||
],
|
||||
"acceptance_criteria": [
|
||||
"必須指出 `dev` 是否仍有開發、部署、CI 或 release workflow 用途。",
|
||||
"若標為 legacy,只能標記 candidate,不代表刪除或封存批准。",
|
||||
"必須提供 workflow owner 或 request_more_evidence owner。"
|
||||
],
|
||||
"rejection_conditions": [
|
||||
"要求立即刪除或同步 `dev` branch。",
|
||||
"沒有 workflow owner 或 branch disposition。",
|
||||
"把 legacy candidate 當成 delete approval。"
|
||||
],
|
||||
"allowed_outputs": [
|
||||
"更新 `dev` branch 的 read-only disposition 欄位。",
|
||||
"更新 draft reconcile plan 的 blocked reason。",
|
||||
"建立 request_more_evidence lane。"
|
||||
],
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"template_id": "response-drift-deprecated-candidate-batch",
|
||||
"lane": "archive_or_deprecate_candidate",
|
||||
"affected_repos": [
|
||||
"wooo/awoooi drift/adopt-*"
|
||||
],
|
||||
"risk": "LOW",
|
||||
"covered_item_count": 114,
|
||||
"requested_owner_decision": "批次判定 `drift/adopt-*` refs 是否可列為 deprecated candidate、audit retention candidate 或需拆批補證;標記 deprecated candidate 不等於 delete approval。",
|
||||
"required_owner_fields": [
|
||||
"owner_role_or_team",
|
||||
"decision",
|
||||
"decision_reason",
|
||||
"repo",
|
||||
"ref_pattern_or_ref_list",
|
||||
"retention_owner",
|
||||
"audit_or_rollback_use",
|
||||
"evidence_refs"
|
||||
],
|
||||
"acceptable_decisions": [
|
||||
"mark_deprecated_candidate",
|
||||
"keep_audit_retention_candidate",
|
||||
"split_batch_requires_more_evidence",
|
||||
"unknown_requires_more_evidence"
|
||||
],
|
||||
"minimum_evidence_refs": [
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-ref-detail-diff.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md"
|
||||
],
|
||||
"acceptance_criteria": [
|
||||
"必須明確說明這是批次 owner disposition,不是刪除批准。",
|
||||
"必須提供 retention owner 或補證 owner。",
|
||||
"若需要拆批,必須說明拆分準則與下一個 evidence owner。"
|
||||
],
|
||||
"rejection_conditions": [
|
||||
"把 deprecated candidate 當成 delete approval。",
|
||||
"要求刪除、rewrite、force push 或 prune refs。",
|
||||
"未說明 audit / rollback / retention 用途是否仍存在。"
|
||||
],
|
||||
"allowed_outputs": [
|
||||
"更新 classification 的 deprecated candidate owner response 欄位。",
|
||||
"更新人工 review checklist。",
|
||||
"維持 refs delete / push / force push 禁用。"
|
||||
],
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"template_id": "response-release-tag-retention",
|
||||
"lane": "release_tag_missing_on_github",
|
||||
"affected_repos": [
|
||||
"wooo/awoooi v7.2.0",
|
||||
"wooo/awoooi v7.3.0",
|
||||
"wooo/clawbot-v5 v5.5-sprint1"
|
||||
],
|
||||
"risk": "MEDIUM",
|
||||
"covered_item_count": 3,
|
||||
"requested_owner_decision": "判定 release tags 是否需要保留、是否為 legacy candidate,或是否等待 artifact / deploy owner 補證;維持 tag action disabled。",
|
||||
"required_owner_fields": [
|
||||
"owner_role_or_team",
|
||||
"decision",
|
||||
"decision_reason",
|
||||
"repo",
|
||||
"tag_name",
|
||||
"artifact_owner",
|
||||
"deploy_marker_owner",
|
||||
"retention_disposition",
|
||||
"evidence_refs"
|
||||
],
|
||||
"acceptable_decisions": [
|
||||
"keep_release_tag_candidate",
|
||||
"mark_tag_legacy_candidate",
|
||||
"hold_pending_artifact_owner",
|
||||
"unknown_requires_more_evidence"
|
||||
],
|
||||
"minimum_evidence_refs": [
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-ref-detail-diff.snapshot.json",
|
||||
"docs/security/source-control-primary-rollback-adr.snapshot.json"
|
||||
],
|
||||
"acceptance_criteria": [
|
||||
"必須逐 tag 指定 artifact owner、deploy marker owner 或補證 owner。",
|
||||
"必須說明保留或 legacy candidate 的依據。",
|
||||
"必須明確不授權 tag push、tag rewrite 或 tag delete。"
|
||||
],
|
||||
"rejection_conditions": [
|
||||
"要求立即同步、重寫或刪除 tag。",
|
||||
"缺 artifact owner 或 deploy marker owner。",
|
||||
"把 tag retention response 當成 release approval。"
|
||||
],
|
||||
"allowed_outputs": [
|
||||
"更新 release tag review lane。",
|
||||
"更新 rollback ADR 的 evidence gap wording。",
|
||||
"維持 tag action disabled。"
|
||||
],
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"template_id": "response-github-only-ref-review",
|
||||
"lane": "github_only_manual_review",
|
||||
"affected_repos": [
|
||||
"wooo/wooo-aiops refactor/phase-9.3",
|
||||
"wooo/wooo-aiops 19 UAT tags"
|
||||
],
|
||||
"risk": "MEDIUM",
|
||||
"covered_item_count": 20,
|
||||
"requested_owner_decision": "判定 GitHub-only branch / UAT tags 是否保留、回補候選、legacy candidate 或需稽核 owner 補證;backfill 只能是 candidate,不代表 push。",
|
||||
"required_owner_fields": [
|
||||
"owner_role_or_team",
|
||||
"decision",
|
||||
"decision_reason",
|
||||
"repo",
|
||||
"ref_name_or_pattern",
|
||||
"github_only_owner",
|
||||
"audit_owner",
|
||||
"backfill_candidate_reason",
|
||||
"evidence_refs"
|
||||
],
|
||||
"acceptable_decisions": [
|
||||
"keep_github_only_candidate",
|
||||
"backfill_to_gitea_candidate",
|
||||
"mark_legacy_github_only_candidate",
|
||||
"hold_pending_audit_owner",
|
||||
"unknown_requires_more_evidence"
|
||||
],
|
||||
"minimum_evidence_refs": [
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/source-control-ref-detail-diff.snapshot.json",
|
||||
"docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md"
|
||||
],
|
||||
"acceptance_criteria": [
|
||||
"必須說明 GitHub-only refs 的用途、owner 或補證 owner。",
|
||||
"若選 backfill_to_gitea_candidate,必須明確標示只是候選,不授權 push。",
|
||||
"必須維持 GitHub primary readiness blocked。"
|
||||
],
|
||||
"rejection_conditions": [
|
||||
"把 backfill candidate 當成 push approval。",
|
||||
"要求刪除 GitHub-only refs 或直接同步到 Gitea。",
|
||||
"缺 GitHub-only owner 或 audit owner。"
|
||||
],
|
||||
"allowed_outputs": [
|
||||
"更新 GitHub-only review lane。",
|
||||
"更新 draft reconcile plan 的 candidate wording。",
|
||||
"維持 refs action disabled。"
|
||||
],
|
||||
"execution_authorized": false
|
||||
}
|
||||
],
|
||||
"acceptance_checks": [
|
||||
{
|
||||
"check_id": "maps_to_known_ref_truth_lane",
|
||||
"title": "回覆對應既有 refs truth lane",
|
||||
"required": true,
|
||||
"pass_condition": "`lane` 必須對應 source_control_ref_truth_classification_v1 既有 lane:main_truth_required、active_branch_truth_required、archive_or_deprecate_candidate、release_tag_missing_on_github 或 github_only_manual_review。",
|
||||
"failure_lane": "reject_unknown_ref_truth_lane",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "decision_value_allowed",
|
||||
"title": "決策值在允許範圍內",
|
||||
"required": true,
|
||||
"pass_condition": "`decision` 必須是該 response template 的 acceptable_decisions 之一。",
|
||||
"failure_lane": "request_owner_correction",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "repo_and_ref_scope_present",
|
||||
"title": "repo 與 ref scope 已標示",
|
||||
"required": true,
|
||||
"pass_condition": "每筆回覆必須有 repo 與 ref_name、tag_name、ref_pattern 或 ref_list;批次回覆必須有可重現範圍。",
|
||||
"failure_lane": "request_more_evidence",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "truth_source_or_disposition_present",
|
||||
"title": "真相來源或 disposition 已說明",
|
||||
"required": true,
|
||||
"pass_condition": "main/dev lane 必須有 truth source 或 workflow disposition;deprecated/release/GitHub-only lane 必須有 retention、legacy、backfill candidate 或補證 disposition。",
|
||||
"failure_lane": "keep_ref_truth_blocked",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "deploy_or_artifact_evidence_present_for_high_risk",
|
||||
"title": "高風險 ref 有 deploy 或 artifact owner",
|
||||
"required": true,
|
||||
"pass_condition": "main branch 與 release tag response 必須提供 deploy marker、production source、rollback point 或 artifact owner;未知時必須選 hold/unknown。",
|
||||
"failure_lane": "request_deploy_or_artifact_owner",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "no_refs_action_requested",
|
||||
"title": "不含 refs 執行要求",
|
||||
"required": true,
|
||||
"pass_condition": "回覆不得要求 fetch、push refs、delete refs、force push、mirror sync、tag rewrite、branch rewrite 或 prune refs。",
|
||||
"failure_lane": "reject_refs_action",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "no_primary_or_repo_change_requested",
|
||||
"title": "不含 primary 或 repo 變更要求",
|
||||
"required": true,
|
||||
"pass_condition": "回覆不得要求切 GitHub primary、建立 repo、修改 visibility、停用 Gitea、刪除 Gitea 或封存 Gitea。",
|
||||
"failure_lane": "reject_primary_or_repo_action",
|
||||
"execution_authorized": false
|
||||
},
|
||||
{
|
||||
"check_id": "secret_values_absent",
|
||||
"title": "未包含 secret value",
|
||||
"required": true,
|
||||
"pass_condition": "`evidence_refs` 只能指向 repo 內文件、snapshot 或已脫敏 owner metadata,不得含 token、credential、secret value、private key、deploy key value、cookie 或 session。",
|
||||
"failure_lane": "quarantine_sensitive_payload",
|
||||
"execution_authorized": false
|
||||
}
|
||||
],
|
||||
"rejection_rules": [
|
||||
"回覆含 token value、PAT、cookie、session、CSRF token、private key、deploy key value 或 partial credential 時必須拒收。",
|
||||
"回覆要求 fetch、push refs、delete refs、force push、mirror sync、tag rewrite、branch rewrite 或 prune refs 時必須拒收。",
|
||||
"回覆要求切 GitHub primary 或把 GitHub primary readiness 視為已完成時必須拒收。",
|
||||
"回覆要求建立 repo、修改 repo visibility 或改 remote URL 時必須拒收。",
|
||||
"回覆把 deprecated_candidate 當成 delete approval 時必須拒收。",
|
||||
"回覆把 backfill_to_gitea_candidate 當成 push approval 時必須拒收。",
|
||||
"回覆缺 repo/ref/lane 或批次範圍無法重現時不得標記 accepted。",
|
||||
"main / release high-risk 回覆缺 deploy marker、artifact、rollback 或補證 owner 時不得標記 accepted。",
|
||||
"回覆要求停用、刪除、封存或降級 Gitea 時必須拒收。",
|
||||
"任何不確定是否含敏感值、私有 URL 憑證或未脫敏截圖的回覆必須先進 mirror quarantine。"
|
||||
],
|
||||
"allowed_outputs": [
|
||||
"更新 `source-control-ref-truth-classification.snapshot.json` 的 read-only owner response 欄位。",
|
||||
"更新 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 的 owner response 摘要。",
|
||||
"更新 `source-control-reconcile-plan.snapshot.json` 的 draft wording。",
|
||||
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 blocker wording。",
|
||||
"建立 request_more_evidence / quarantine lane。",
|
||||
"維持 `github_primary_ready_count=0` 與所有 refs / repo / primary execution flags false。"
|
||||
],
|
||||
"forbidden_actions": [
|
||||
"fetch refs。",
|
||||
"push refs。",
|
||||
"delete refs。",
|
||||
"force push。",
|
||||
"rewrite branch 或 tag。",
|
||||
"切 GitHub primary。",
|
||||
"建立 GitHub repo 或修改 visibility。",
|
||||
"停用、刪除、封存或降級 Gitea repo。",
|
||||
"保存 secret value、token value、private key、cookie、session 或 deploy key value。",
|
||||
"新增 AwoooP execution action button。"
|
||||
]
|
||||
}
|
||||