diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index c0a6b8ce..439510d8 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,34 @@ +## 2026-05-13 | 資安供應鏈 S4.5:Gitea 認證清冊匯出請求 + +**背景**:Gitea 全量轉移到 GitHub 前,不能只靠未認證公開範圍清冊。現有 `gitea_repo_inventory_v1` 只能看到 `wooo/awoooi` 與 `wooo/ewoooc`,但本機 remote evidence 顯示至少有 4 個 unique Gitea repo 需要納入判斷。為了維持低摩擦,本輪只建立認證 / 管理脫敏匯出請求,不收 token、不寫 Gitea、不做 refs sync、不切 GitHub primary。 + +**完成**: +- 新增 `docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json`。 +- 新增 `docs/security/gitea-authenticated-inventory-export-request.snapshot.json` 與 `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md`。 +- 明確標示目前未認證公開範圍 repo 2 個、本機可見 Gitea unique repo 4 個、覆蓋缺口 2 個。 +- 定義 2 類匯出來源選項:只讀 token API 清冊、已脫敏管理匯出清冊。 +- 明確標示 `token_value_collection_allowed=false`、`write_token_allowed=false`、`repo_write_allowed=false`、`refs_sync_allowed=false`、`github_primary_switch_authorized=false`、`action_buttons_allowed=false`。 +- 更新 manifest、mirror readiness、status rollup、primary readiness gate、AwoooP checklist、Gitea approval package、admin export checklist、server-side runbook、repo inventory snapshot、handoff 與 progress,使 AwoooP 能顯示 S4.5 請求與覆蓋缺口。 + +**仍未完成**: +- 取得 repo owner 批准後的 authenticated Gitea server-side inventory。 +- 將 private/internal repo list 匯入 `gitea_repo_inventory_v1.status=ok`。 +- 對 gap repo 補 owner / canonical / GitHub target / refs truth / workflow-secret parity。 +- 任何 GitHub primary 切換或 refs migration。 + +**仍禁止**: +- 不保存 token value、raw secret、cookie、private key。 +- 不使用 write token。 +- 不建立、刪除、封存或修改 Gitea repo。 +- 不建立 GitHub repo、不修改 visibility、不 sync refs、不 delete refs、不 force push。 +- 不切 GitHub primary、不停用 Gitea。 + +**驗證**: +- JSON 全量 parse 通過:83 個 JSON files。 +- S4.5 assertion 通過:manifest 仍為 35 個主 contracts、mirror readiness 維持 32 ready / 2 partial / 1 contract-only / 0 blocked、Gitea request 為未認證公開範圍 2 / 本機 Gitea unique 4 / 覆蓋缺口 2 / 匯出選項 2,所有 runtime / write / token value flags 皆為 false。 +- `git diff --check` 通過。 +- 敏感字串掃描確認本輪未保存 Kali SSH 密碼、常見 token pattern、private key material;也未出現 
`token_value_collection_allowed`、`write_token_allowed`、`repo_write_allowed`、`refs_sync_allowed`、`github_primary_switch_authorized` 或 `action_buttons_allowed` 被打開。 + ## 2026-05-13 | 資安供應鏈 S4.4:GitHub Primary Rollback ADR 草案 **背景**:S4.0 已把 GitHub primary readiness gate 定義出來,S4.1-S4.3 已補 workflow / secret 名稱 inventory 與 redacted export request,但 GitHub primary cutover 前仍缺 rollback ADR。為了維持低摩擦,本輪只建立 rollback ADR 草案與鏡像契約,不切 GitHub primary、不執行 rollback、不修改 GitHub/Gitea。 diff --git a/docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json b/docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json new file mode 100644 index 00000000..e141bdce --- /dev/null +++ b/docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json 
@@ -0,0 +1,183 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "urn:awoooi:gitea-authenticated-inventory-export-request-v1",
+ "title": "Gitea Authenticated Inventory Export Request v1",
+ "description": "定義 Gitea private/internal 全量 repo inventory 的只讀 token 或管理匯出請求、允許欄位、拒收欄位與驗收 gate。此 schema 不授權讀取 token value、repo 寫入、refs sync 或 GitHub primary cutover。",
+ "type": "object",
+ "required": [
+ "schema_version",
+ "status",
+ "date",
+ "mode",
+ "runtime_execution_authorized",
+ "source_contract",
+ "source_indexes",
+ "summary",
+ "export_source_options",
+ "required_inventory_fields",
+ "coverage_gap_hints",
+ "acceptance_rules",
+ "redaction_rules",
+ "forbidden_actions"
+ ],
+ "properties": {
+ "schema_version": {
+ "const": "gitea_authenticated_inventory_export_request_v1"
+ },
+ "status": {
+ "type": "string",
+ "enum": ["draft_waiting_owner_export"]
+ },
+ "date": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "string",
+ "enum": ["redacted_export_request_only"]
+ },
+ "runtime_execution_authorized": {
+ "type": "boolean",
+ "const": false
+ },
+ "source_contract": {
+ "type": "string",
+ "const": "gitea_repo_inventory_v1"
+ },
+ "source_indexes": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "summary": {
+ "type": "object",
+ "required": [
+ "gitea_base_url",
+ "org_or_user",
+ "public_only_repo_count",
+ "local_gitea_unique_repo_count",
+ "local_gitea_gap_count",
+ "export_source_option_count",
+ "target_inventory_status",
+ "token_value_collection_allowed",
+ "write_token_allowed",
+ "repo_write_allowed",
+ "refs_sync_allowed",
+ "github_primary_switch_authorized",
+ "action_buttons_allowed"
+ ],
+ "properties": {
+ "gitea_base_url": {"type": "string"},
+ "org_or_user": {"type": "string"},
+ "public_only_repo_count": {"type": "integer", "minimum": 0},
+ "local_gitea_unique_repo_count": {"type": "integer", "minimum": 0},
+ "local_gitea_gap_count": {"type": "integer", "minimum": 0},
+ "export_source_option_count": {"type": "integer", "minimum": 0},
+ "target_inventory_status": {
+ "type": "string",
+ "enum": ["gitea_repo_inventory_v1.status=ok"]
+ },
+ "token_value_collection_allowed": {"type": "boolean", "const": false},
+ "write_token_allowed": {"type": "boolean", "const": false},
+ "repo_write_allowed": {"type": "boolean", "const": false},
+ "refs_sync_allowed": {"type": "boolean", "const": false},
+ "github_primary_switch_authorized": {"type": "boolean", "const": false},
+ "action_buttons_allowed": {"type": "boolean", "const": false}
+ },
+ "additionalProperties": false
+ },
+ "export_source_options": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "option_id",
+ "title",
+ "request_status",
+ "producer",
+ "allowed_processing",
+ "blocked_processing",
+ "acceptance_gate",
+ "execution_authorized"
+ ],
+ "properties": {
+ "option_id": {"type": "string"},
+ "title": {"type": "string"},
+ "request_status": {
+ "type": "string",
+ "enum": ["waiting_human_approval_or_owner_export"]
+ },
+ "producer": {"type": "string"},
+ "allowed_processing": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "blocked_processing": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "acceptance_gate": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "execution_authorized": {"type": "boolean", "const": false}
+ },
+ "additionalProperties": false
+ },
+ "minItems": 1
+ },
+ "required_inventory_fields": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "coverage_gap_hints": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "gap_id",
+ "title",
+ "current_evidence",
+ "required_resolution",
+ "execution_authorized"
+ ],
+ "properties": {
+ "gap_id": {"type": "string"},
+ "title": {"type": "string"},
+ "current_evidence": {
+ "type": "array",
+ "items": {"type": "string"},
+ "minItems": 1
+ },
+ "required_resolution": {
+
"type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "execution_authorized": {"type": "boolean", "const": false} + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "acceptance_rules": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "redaction_rules": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "forbidden_actions": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + } + }, + "additionalProperties": false +} diff --git a/docs/schemas/security_mirror_status_rollup_v1.schema.json b/docs/schemas/security_mirror_status_rollup_v1.schema.json index ef56dcf7..7e3c0283 100644 --- a/docs/schemas/security_mirror_status_rollup_v1.schema.json +++ b/docs/schemas/security_mirror_status_rollup_v1.schema.json @@ -66,6 +66,11 @@ "approval_state_transition_rule_total", "followup_runtime_gate_template_total", "active_runtime_gate_count", + "gitea_inventory_status", + "gitea_inventory_public_only_repo_count", + "gitea_inventory_local_gitea_repo_count", + "gitea_inventory_export_source_option_count", + "gitea_inventory_token_value_collection_allowed", "primary_readiness_candidate_repo_count", "github_primary_ready_count", "primary_rollback_adr_repo_plan_count", @@ -129,6 +134,25 @@ "type": "integer", "minimum": 0 }, + "gitea_inventory_status": { + "type": "string" + }, + "gitea_inventory_public_only_repo_count": { + "type": "integer", + "minimum": 0 + }, + "gitea_inventory_local_gitea_repo_count": { + "type": "integer", + "minimum": 0 + }, + "gitea_inventory_export_source_option_count": { + "type": "integer", + "minimum": 0 + }, + "gitea_inventory_token_value_collection_allowed": { + "type": "boolean", + "const": false + }, "primary_readiness_candidate_repo_count": { "type": "integer", "minimum": 0 diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md index 77eb10b7..21d40623 100644 
--- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md +++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md @@ -44,7 +44,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `security_mirror_status_rollup_v1` | AwoooP 鏡像狀態彙整契約 | Operator Console、Runtime State、Audit | mirror-only | 只顯示階段狀態、下一個 gate 與禁止事項;不得視為 runtime authorization | | `coding_task_v1` | Code Review / Codex Security / manual review | Approval candidate、Channel Event、Audit | suggest-only | 不自動開 patch runner、不自動 merge | | `source_control_migration_event_v1` | Gitea/GitHub branch/tag/SHA diff | Supply-chain evidence、Approval candidate | mirror-only | 不觸發 deploy、不切換 primary | -| `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 不保存 token value、不刪除或停用 Gitea repo | +| `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 顯示 public-only evidence 與 S4.5 authenticated/admin export request;不保存 token value、不刪除或停用 Gitea repo | | `local_git_remote_inventory_v1` | 本機可見 Git working tree remote | Source-control coverage evidence、migration matrix | mirror-only | 不視為 Gitea server 全量、不修改 remote | | `github_target_probe_v1` | 候選 GitHub repo read-only probe | Migration target evidence | mirror-only | `not_found_or_private` 不等同確認不存在 | | `github_target_decision_v1` | GitHub target 建立與可見性決策草案 | Approval candidate、Migration target evidence | mirror-only | approval 前不得建立 repo、修改 visibility、同步 refs | 
@@ -116,7 +116,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `source_control_migration_event_v1.status=blocked` | `observe` | 顯示 blocking reason,不允許切 primary | | `source_control_migration_event_v1.status=verified` | `approve_required` | 仍需人工批准主控切換 | | `gitea_repo_inventory_v1.status=blocked` | `observe` | 補只讀 token 或管理匯出,不做同步 | -| `gitea_repo_inventory_v1.status=partial` | `observe` | 視為 public-only evidence,不做同步 | +| `gitea_repo_inventory_v1.status=partial` | `observe` | 視為 public-only evidence,顯示 S4.5 export request 與 coverage gap,不做同步 | | `gitea_repo_inventory_v1.status=ok` | `warn` | 進入 repo mapping / branch tag diff | | `approval_required_event_v1.requested_action=run_gitea_readonly_inventory` | `approve_required` | 只允許 read-only token 或 redacted admin export,不保存 token value | | `local_git_remote_inventory_v1.status=partial` | `observe` | 補 server-side inventory,不做主控切換 | @@ -154,6 +154,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | wooo-aiops source control snapshot | `docs/security/source-control-wooo-aiops.snapshot.json` / `docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md` | | Gitea repo inventory snapshot | `docs/security/gitea-repo-inventory.snapshot.json` | | Gitea repo inventory 人讀版 | `docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md` | +| Gitea authenticated inventory export request | `docs/security/gitea-authenticated-inventory-export-request.snapshot.json` / `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` | | Gitea org endpoint blocked snapshot | `docs/security/gitea-org-repo-inventory-blocked.snapshot.json` / `docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md` | | Gitea server-side inventory runbook | `docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md` | | Gitea read-only inventory approval package | `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md` | 
diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index c50c65f9..71b2f754 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md @@ -327,7 +327,7 @@ Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json` Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json` -目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆;primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 +目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆;primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。 
@@ -475,6 +475,8 @@ Schema:`docs/schemas/gitea_repo_inventory_v1.schema.json` AwoooP 初期處理方式:作為 migration matrix 的 read-only evidence;`partial` 只代表 public-only 可見範圍,不得觸發 repo 建立、刪除、封存或 GitHub primary 切換。 +S4.5 支援性請求:已新增 `docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json`、`docs/security/gitea-authenticated-inventory-export-request.snapshot.json` 與 `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md`。此請求不新增第 36 個主 contract,而是補強 `gitea_repo_inventory_v1`:目前未認證公開範圍可見 repo 2 個、本機可見 Gitea unique repo 4 個、覆蓋缺口 2 個;允許的來源只有只讀 token API 清冊或已脫敏管理匯出清冊;`token_value_collection_allowed=false`、`write_token_allowed=false`、`repo_write_allowed=false`、`refs_sync_allowed=false`、`github_primary_switch_authorized=false`。 + ### `local_git_remote_inventory_v1` 用途:在 Gitea API 受阻時,盤點本機可見 Git working tree 的 remote URL,找出仍指向 Gitea、GitHub、110 內部 Git 或 GitLab 類 remote 的專案。 
@@ -811,6 +813,8 @@ Console 初期不提供高風險執行按鈕。 2026-05-13 S4.4 GitHub primary rollback ADR 追加:已新增 `docs/schemas/source_control_primary_rollback_adr_v1.schema.json`、`docs/security/source-control-primary-rollback-adr.snapshot.json` 與 `docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md`。本輪只定義 7 個 in-scope repos 的 rollback ADR 草案、precondition、trigger、validation window 與 owner review;`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`,不得切 GitHub primary、不得執行 rollback、不得停用 Gitea。 +2026-05-13 S4.5 Gitea 認證清冊匯出請求追加:已新增 `docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json`、`docs/security/gitea-authenticated-inventory-export-request.snapshot.json` 與 `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md`。本輪只定義 Gitea 私有 / 內部全量清冊的脫敏匯出請求;目前未認證公開範圍 repo 2 個、本機可見 Gitea unique repo 4 個、覆蓋缺口 2 個、匯出來源選項 2 類;不得保存 token value、不得使用 write token、不得寫入 Gitea、不得建立或刪除 repo、不得 sync refs、不得切 GitHub primary。 + 2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json`、`docs/security/kali-integration-status.snapshot.json` 與 `docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up;已 targeted update `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence,但不得直接啟動 scan、credentialed scan 或 `/execute`。 本波仍不做: 
@@ -843,6 +847,8 @@ Console 初期不提供高風險執行按鈕。 - [Gitea server-side inventory runbook](/Users/ogt/awoooi/docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md) - [Gitea read-only inventory approval package](/Users/ogt/awoooi/docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md) - [Gitea read-only inventory approval snapshot](/Users/ogt/awoooi/docs/security/gitea-readonly-inventory-approval.snapshot.json) +- [Gitea 認證清冊匯出請求](/Users/ogt/awoooi/docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md) +- [gitea_authenticated_inventory_export_request_v1 snapshot](/Users/ogt/awoooi/docs/security/gitea-authenticated-inventory-export-request.snapshot.json) - [Gitea admin export redaction checklist](/Users/ogt/awoooi/docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md) - [Gitea public repo search snapshot](/Users/ogt/awoooi/docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md) - [gitea public repo search JSON](/Users/ogt/awoooi/docs/security/gitea-public-repo-search.snapshot.json) @@ -898,6 +904,7 @@ Console 初期不提供高風險執行按鈕。 - [coding_task_v1 schema](/Users/ogt/awoooi/docs/schemas/coding_task_v1.schema.json) - [source_control_migration_event_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_migration_event_v1.schema.json) - [gitea_repo_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/gitea_repo_inventory_v1.schema.json) +- [gitea_authenticated_inventory_export_request_v1 schema](/Users/ogt/awoooi/docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json) - [local_git_remote_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/local_git_remote_inventory_v1.schema.json) - [github_target_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_probe_v1.schema.json) - [github_target_decision_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_decision_v1.schema.json) diff --git a/docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md b/docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md index 3623ea85..585c00d6 100644 
--- a/docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md +++ b/docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md @@ -6,6 +6,7 @@ | 狀態 | 第一版,給 `gitea_repo_inventory_v1` 管理匯入使用 | | 搭配文件 | `docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md` | | Approval | `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md` | +| S4.5 export request | `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` | ## 0. 允許保留的欄位 @@ -82,3 +83,4 @@ python3 scripts/security/gitea-repo-inventory.py \ 3. `repo_count` 大於或等於 public-only repo count。 4. `repos[].clone_url_redacted` 與 `repos[].ssh_url_redacted` 不含帳密。 5. 下一步仍只更新 migration matrix,不同步 refs、不建 repo、不切 primary。 +6. 必須能解釋 public-only API 看到 2 個 repos、本機 Gitea remote 看到 4 個 unique Gitea repos 的 coverage gap。 diff --git a/docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md b/docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md new file mode 100644 index 00000000..a4242cf7 --- /dev/null +++ b/docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md 
@@ -0,0 +1,98 @@ +# Gitea 認證清冊匯出請求 + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-05-13 | +| 狀態 | 草案,等待 owner 匯出 / 只讀批准 | +| 資料契約 | `docs/schemas/gitea_authenticated_inventory_export_request_v1.schema.json` | +| 快照 | `docs/security/gitea-authenticated-inventory-export-request.snapshot.json` | +| 來源契約 | `gitea_repo_inventory_v1` | +| 模式 | `redacted_export_request_only` | +| 執行面授權 | `false` | + +## 0. 核心結論 + +S4.5 把 Gitea 私有 / 內部全量 repo 清冊的下一步匯出請求正式文件化。 + +目前 `gitea_repo_inventory_v1` 仍是 `partial`:未認證 API / 公開搜尋只看到 2 個公開 repos,但本機 remote 清冊至少看到 4 個 unique Gitea repos。因此不能宣告「Gitea 目前所有專案版本」已盤完,也不能開始 GitHub primary 切換。 + +本文件只定義兩條安全路徑:只讀 token API 清冊,或已脫敏的管理匯出清冊。兩者都不得保存 token value,不得寫入 Gitea,不得 sync refs,不得切 GitHub primary。 + +## 1. 摘要 + +| 指標 | 數量 | +|------|------| +| Gitea 基礎 URL | `http://192.168.0.110:3001` | +| 組織 / 使用者 | `wooo` | +| 未認證公開範圍 repos | 2 | +| 本機可見 Gitea unique repos | 4 | +| 本機 Gitea 覆蓋缺口 | 2 | +| 匯出來源選項 | 2 | +| 目標狀態 | `gitea_repo_inventory_v1.status=ok` | +| 允許收集 token value | `false` | +| 允許 write token | `false` | +| 允許 repo 寫入 | `false` | +| 允許 refs sync | `false` | +| 授權切換 GitHub primary | `false` | + +## 2. 匯出來源選項 + +| 選項 | 允許 | 禁止 | +|--------|------|------| +| 只讀 token API 清冊 | 使用 `GITEA_READONLY_TOKEN` 環境變數跑既有 inventory 工具;輸出只保存 `token_present=true` | 保存 token value、使用 write token、寫入 Gitea、sync refs | +| 已脫敏管理匯出清冊 | 匯入已脫敏 repo list JSON;只保留 repo metadata | 匯入 DB dump、secret、webhook secret、deploy key private key、cookie、session | + +## 3. 必要欄位 + +1. `full_name` 或 `owner.login + name`。 +2. `name`。 +3. `owner.login`。 +4. `private`。 +5. `archived`。 +6. `empty`。 +7. `default_branch`。 +8. `clone_url_redacted`。 +9. `ssh_url_redacted`。 +10. `github_repo_candidate`。 + +## 4. 
目前覆蓋缺口 + +| 缺口 | 現況 | 需要解決 | +|-----|------|----------| +| 未認證公開範圍 vs 本機 Gitea | API 只看到 `wooo/awoooi`、`wooo/ewoooc`;本機 remote 還看到 `wooo/clawbot-v5`、`wooo/wooo-aiops` | 認證清冊或 owner 證明必須解釋缺口 | +| Org endpoint 受阻 | `orgs/wooo/repos` 未認證查詢先前為 blocked / 404 | 不得把 404 解讀為沒有 private/internal repos | +| 110 內部相鄰來源 | 本機另看到 `bitan-pharmacy`、`root/momo-pro-system`、`tsenyang-website`、`wooo/wooo-infra-config` | Gitea inventory 完成後仍需 owner 判定是否納入 migration scope | + +## 5. 驗收 + +1. `gitea_repo_inventory_v1.status=ok`。 +2. `visibility_scope=authenticated` 或 `visibility_scope=admin_export`。 +3. `repo_count` 大於或等於未認證公開範圍 repo count。 +4. 必須解釋未認證公開範圍 2 個 repos 與本機可見 Gitea 4 個 repos 的差異。 +5. 不含 token、password、secret value、webhook secret、deploy key private key、runner registration token、cookie、session。 +6. 只更新 migration matrix、decision table、approval board 與 readiness gate。 +7. 不建立 GitHub repo、不 sync refs、不切 primary。 + +## 6. AwoooP 可做 + +1. 顯示 S4.5 匯出請求與兩條安全來源路徑。 +2. 顯示覆蓋缺口與 owner review lane。 +3. 顯示 token value / write token / repo write / refs sync 全部禁止。 +4. 把完成的脫敏匯出寫入 Audit evidence 等待人工 review。 +5. 若 payload 含敏感值,送進 mirror 隔離。 + +## 7. AwoooP 不可做 + +1. 不要求使用者在 UI、對話或文件貼 token value。 +2. 不保存 token value。 +3. 不使用具寫入能力的 token。 +4. 不寫入 Gitea。 +5. 不建立、刪除、封存或修改 Gitea repo。 +6. 不建立 GitHub repo、不 sync refs、不切 GitHub primary。 +7. 不把清冊請求當成清冊已完成。 + +## 8. 階段定位 + +S4.5 只是把 Gitea 認證清冊的下一步請求、欄位、拒收規則與驗收 gate 定清楚。 + +這補的是「完整轉移 Gitea 目前所有專案版本到 GitHub」前的第一個資料缺口;仍然停在框架期,不進入執行、同步或主控切換。 diff --git a/docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md b/docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md index 6ef06914..c32a724a 100644 --- a/docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md +++ b/docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md 
@@ -7,6 +7,7 @@ | 來源事件 | `gitea_repo_inventory_v1` | | Approval event | `docs/security/gitea-readonly-inventory-approval.snapshot.json` | | Redaction checklist | `docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md` | +| S4.5 export request | `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` | | 目的 | 補齊 Gitea private/internal server-side repo list | | 原則 | 低摩擦、只讀、只盤 metadata、不保存 token value、不做同步或主控切換 | @@ -25,6 +26,8 @@ 此 approval package 的目的不是提高日常開發門檻,而是只保護「會接觸 token 或管理匯出」這一個邊界。取得全量清單後,後續仍先進入 evidence / matrix / draft plan,不直接進入同步或阻擋。 +S4.5 已補 `gitea_authenticated_inventory_export_request_v1`,把 read-only token API inventory 與 redacted admin export 的允許欄位、拒收欄位、coverage gap 與驗收 gate 正式文件化。批准前仍不得要求使用者貼 token value。 + ## 1. 申請批准的動作 | 動作 | 風險 | 批准後允許 | 仍然禁止 | @@ -75,6 +78,7 @@ python3 scripts/security/gitea-repo-inventory.py \ | 可見範圍 | `visibility_scope=authenticated` 或 `admin_export` | | 敏感資訊 | 不含 token、password、secret value、private key | | Redaction checklist | `docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md` 已通過 | +| Coverage gap | public-only 2 repos 與 local Gitea 4 repos 的差異已解釋 | | 後續動作 | 只更新 matrix / decision table,不同步 refs | ## 5. 批准前不得做 diff --git a/docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md b/docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md index a50613f1..44898cd9 100644 --- a/docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md +++ b/docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md @@ -13,6 +13,7 @@ | HTTP status | `200` | | Repo 數量 | `2` | | 阻塞原因 | 未提供 token,結果只代表公開可見 repo;private/internal repos 仍需只讀 token 或管理匯出 | +| S4.5 export request | `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` | ## Repo 清單 @@ -22,3 +23,5 @@ | `wooo/ewoooc` | `owenhytsai/ewoooc` | `main` | `False` | `False` | > 注意:本檔由 read-only Gitea inventory 工具產生,不包含 API token 或 remote URL 帳密。 + +S4.5 已將 authenticated inventory / redacted admin export 的欄位、拒收規則與 coverage gap 驗收文件化;本 snapshot 仍是 `partial`,不得視為 server-side 全量。 
diff --git a/docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md b/docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md index 6c541e1a..3c5d7221 100644 --- a/docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md +++ b/docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md @@ -8,6 +8,7 @@ | 事件 | `gitea_repo_inventory_v1` | | Approval package | `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md` | | Redaction checklist | `docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md` | +| S4.5 export request | `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` | | 原則 | 不寫入 Gitea、不搬 secret value、不建立或刪除 repo | ## 0. 核心結論 @@ -27,6 +28,8 @@ 上述兩條非 public-only 路徑都必須先走 `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md`,不得在對話、文件或 LOGBOOK 中保存 token value。 +S4.5 已補 `gitea_authenticated_inventory_export_request_v1`:正式要求 authenticated inventory 或 admin export 必須解釋 public-only 2 個 repos 與本機 Gitea remote 4 個 unique repos 的 coverage gap,且輸出仍只能是 `gitea_repo_inventory_v1.status=ok` evidence。 + ## 1. Public-only 快照指令 ```bash diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md index d7963ee9..14461c9d 100644 --- a/docs/security/SECURITY-MIRROR-READINESS.md +++ b/docs/security/SECURITY-MIRROR-READINESS.md 
@@ -35,7 +35,7 @@ | Contract | 狀態 | 原因 | 下一步 | |----------|------|------|--------| | `security_finding_v1` | `partial_ready` | 目前只有 Kali sample snapshot,runtime ingestion 尚未啟用 | 先 review `kali-finding-runtime-ingestion-approval-20260513` | -| `gitea_repo_inventory_v1` | `partial_ready` | 目前只有 public-only / blocked endpoint evidence | 先 review Gitea read-only inventory approval | +| `gitea_repo_inventory_v1` | `partial_ready` | 目前只有 public-only / blocked endpoint evidence;S4.5 已補認證清冊匯出請求,確認未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個 | 依 S4.5 請求用只讀 token API 或已脫敏管理匯出補全量清冊;不保存 token value | | `coding_task_v1` | `contract_only` | 已有 schema 與 handoff prompt,尚無正式 coding task snapshot | 等 code review 產生實際 task 後再 mirror | ## 2. AwoooP 鏡像目的地 
@@ -82,8 +82,9 @@ AwoooP 可以將 ready / partial contracts mirror 到: 14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement。 15. 再 mirror `source_control_primary_readiness_gate_v1`,只顯示 GitHub primary parity、owner、rollback 與人工批准缺口。 16. 再 mirror `source_control_primary_rollback_adr_v1`,只顯示 7 個 in-scope repo 的 rollback ADR 草案、validation window 與 owner review;不執行 rollback、不切 primary。 -17. 再 mirror `source_control_workflow_secret_name_inventory_v1`、S4.2 local evidence 與 S4.3 redacted export request,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names,export request 有 7 個 repos、5 類 lanes,不保存 secret value。 -18. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 -19. 最後再 mirror source-control 其他 contracts。 +17. 再 mirror `gitea_repo_inventory_v1` 與 S4.5 認證清冊匯出請求,只顯示未認證公開範圍 / 本機 evidence 覆蓋缺口與只讀 / 管理脫敏匯出選項;不保存 token value、不寫 Gitea、不 sync refs。 +18. 再 mirror `source_control_workflow_secret_name_inventory_v1`、S4.2 local evidence 與 S4.3 redacted export request,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names,export request 有 7 個 repos、5 類 lanes,不保存 secret value。 +19. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 +20. 最後再 mirror source-control 其他 contracts。 整個 S2 不新增 execution router、不新增執行按鈕、不新增 runtime blocker。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index a8d99846..6541a07b 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md 
@@ -29,6 +29,7 @@ | Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates | | GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | | GitHub primary rollback ADR | S4.4 已建立;7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover | +| Gitea inventory | S4.5 已補認證清冊匯出請求;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、允許收集 token value=false | | Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;0 個 inventory complete、禁止收集 secret value、禁止 write token | | Dry-run | `contract_defined_not_executed` | | Runtime actions | `false` | @@ -58,7 +59,7 @@ 1. redacted finding ingestion adapter。 2. safe web crawl scope。 -3. Gitea private/internal read-only inventory。 +3. Gitea private/internal read-only inventory:依 S4.5 認證匯出請求補全量清冊;目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個,不保存 token value。 4. GitHub target / owner / visibility / canonical。 5. Kali `/execute` 維持 block candidate。 6. GitHub primary readiness blockers 與 rollback ADR 缺口。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md index ac81eac3..e0acdd84 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md 
@@ -39,7 +39,7 @@ | `security_mirror_status_rollup_v1` | mirror-only | AwoooP / Security Supply Chain 跨 Session 狀態總覽 | `security-mirror-status-rollup.snapshot.json` | | `coding_task_v1` | suggest-only | Code Review 接 Codex patch-only | 無正式 snapshot | | `source_control_migration_event_v1` | mirror-only | Gitea/GitHub refs 差異 | `gitea-github-awoooi`、`clawbot-v5`、`wooo-aiops` | -| `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory | public-only / blocked endpoint snapshots | +| `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory;S4.5 已補認證清冊匯出請求 | public-only / blocked endpoint / S4.5 export request snapshots | | `local_git_remote_inventory_v1` | mirror-only | 本機 remote coverage | `local-git-remote-inventory.snapshot.json` | | `github_target_probe_v1` | mirror-only | GitHub target visibility | `github-target-probe.snapshot.json` | | `github_target_decision_v1` | mirror-only | GitHub target 決策 | `github-target-decision.snapshot.json` | 
@@ -60,7 +60,7 @@ 1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`。 2. 再讀本 manifest,取得可消費 contract 與禁止動作。 3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。 -4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display。 +4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求與覆蓋缺口,不得觸發 token collection 或 Gitea write。 5. 不新增執行按鈕,不做 runtime enforcement。 ## 3. 永久禁止 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index c7ce03b4..c895d474 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md 
@@ -4,7 +4,7 @@
 |------|------|
 | 日期 | 2026-05-13 |
 | 狀態 | S0/S1 read-only evidence 建置中 |
-| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
+| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + Gitea 認證清冊匯出請求 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
 | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
 
 ## 0. 本階段完成後整體進度
@@ -43,6 +43,7 @@
 | S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot;7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence;仍不可切 primary |
 | S4.3 Workflow / Secret 名稱 redacted export request | 完成草案 | 已建立 export request schema / snapshot / 人讀版;7 個 in-scope repos、5 類 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;write token allowed=false | repo owner 或未來只讀 API 依 request 補 redacted export;仍不可收 secret value、不可修改 GitHub/Gitea |
 | S4.4 GitHub Primary rollback ADR | 完成草案 | 已建立 rollback ADR schema / snapshot / 人讀版;7 個 in-scope rollback drafts、0 owner approved、0 dry-run completed、0 active cutover | repo owner 審查 rollback owner、validation window 與 triggers;仍不可切 primary 或執行 rollback |
+| S4.5 Gitea 認證清冊匯出請求 | 完成草案 | 已建立匯出請求 schema / snapshot / 人讀版;目前未認證公開範圍 repo 2 個、本機可見 Gitea unique repo 4 個、覆蓋缺口 2 個、匯出來源選項 2 類;允許收集 token value=false | repo owner 依只讀 token API 或已脫敏管理匯出補私有 / 內部全量 repo list;仍不可保存 token、不可 write Gitea、不可 refs sync |
 | S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證,rollback ADR 仍待 owner approval | SHA/tag/workflow parity、rollback ADR owner approval 與 runtime gate |
 
 ## 1. 已建立的主要 evidence
@@ -55,6 +56,8 @@
 | Gitea server-side inventory runbook | `docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md` |
 | Gitea read-only inventory approval package | `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md` |
 | Gitea read-only inventory approval JSON | `docs/security/gitea-readonly-inventory-approval.snapshot.json` |
+| Gitea 認證清冊匯出請求 | `docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` |
+| Gitea 認證清冊匯出請求 JSON | `docs/security/gitea-authenticated-inventory-export-request.snapshot.json` |
 | Gitea 管理匯出 redaction checklist | `docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md` |
 | Gitea org endpoint blocked evidence | `docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md` |
 | Source-control migration matrix | `docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md` |
@@ -140,11 +143,11 @@
 ## 3. 下一階段建議
 
-1. 等待 Gitea read-only inventory approval 被批准後,再用只讀 token 或管理匯出補 private/internal server-side 全量 repo list。
+1. 依 S4.5 `GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` 取得 Gitea 認證清冊:目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個;只能用只讀 token API 或已脫敏管理匯出補私有 / 內部 server-side 全量 repo list,不保存 token value。
 2. 依 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical 決策。
 3. 依 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
 4. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
 5. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。
-6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 workflow / secret inventory 需同時顯示 S4.3 redacted export request,primary readiness 需同時顯示 S4.4 rollback ADR 草案。
+6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求,workflow / secret inventory 需同時顯示 S4.3 redacted export request,primary readiness 需同時顯示 S4.4 rollback ADR 草案。
 7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。
-8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。
+8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。
 
diff --git a/docs/security/gitea-authenticated-inventory-export-request.snapshot.json b/docs/security/gitea-authenticated-inventory-export-request.snapshot.json
new file mode 100644
index 00000000..5c23fba0
--- /dev/null
+++ b/docs/security/gitea-authenticated-inventory-export-request.snapshot.json
@@ -0,0 +1,168 @@
+{
+ "schema_version": "gitea_authenticated_inventory_export_request_v1",
+ "status": "draft_waiting_owner_export",
+ "date": "2026-05-13",
+ "mode": "redacted_export_request_only",
+ "runtime_execution_authorized": false,
+ "source_contract": "gitea_repo_inventory_v1",
+ "source_indexes": [
+ "docs/security/gitea-repo-inventory.snapshot.json",
+ "docs/security/gitea-public-repo-search.snapshot.json",
+ "docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
+ "docs/security/local-git-remote-inventory.snapshot.json",
+ "docs/security/gitea-readonly-inventory-approval.snapshot.json",
+ "docs/security/security-rollout-policy.snapshot.json"
+ ],
+ "summary": {
+ "gitea_base_url": "http://192.168.0.110:3001",
+ "org_or_user": "wooo",
+ "public_only_repo_count": 2,
+ "local_gitea_unique_repo_count": 4,
+ "local_gitea_gap_count": 2,
+ "export_source_option_count": 2,
+ "target_inventory_status": "gitea_repo_inventory_v1.status=ok",
+ "token_value_collection_allowed": false,
+ "write_token_allowed": false,
+ "repo_write_allowed": false,
+ "refs_sync_allowed": false,
+ "github_primary_switch_authorized": false,
+ "action_buttons_allowed": false
+ },
+ "export_source_options": [
+ {
+ "option_id": "gitea_readonly_token_api_inventory",
+ "title": "Gitea read-only token API inventory",
+ "request_status": "waiting_human_approval_or_owner_export",
+ "producer": "repo owner or security commander runs existing read-only inventory tool",
+ "allowed_processing": [
+ "使用 `GITEA_READONLY_TOKEN` 環境變數執行 `scripts/security/gitea-repo-inventory.py`",
+ "輸出只保存 `token_present=true`,不保存 token value",
+ "只查 repo metadata:full name、owner、private、archived、empty、default branch、redacted clone / ssh URL",
+ "產出 `gitea_repo_inventory_v1.status=ok` snapshot 等待人工 review"
+ ],
+ "blocked_processing": [
+ "把 token value 寫入文件、LOGBOOK、shell script、snapshot 或對話",
+ "使用 write-capable token",
+ "建立、刪除、封存或修改 Gitea repo",
+ "sync refs 或切 GitHub primary"
+ ],
+ "acceptance_gate": [
+ "`visibility_scope=authenticated`",
+ "`status=ok`",
+ "`repo_count` 大於或等於 public-only repo count",
+ "owner 必須確認 read-only token 沒有 write / admin / secret scope",
+ "敏感字串掃描不得出現 token、password、private key、webhook secret 或 repository secret value"
+ ],
+ "execution_authorized": false
+ },
+ {
+ "option_id": "gitea_redacted_admin_export_inventory",
+ "title": "Gitea redacted admin export inventory",
+ "request_status": "waiting_human_approval_or_owner_export",
+ "producer": "Gitea administrator exports repo metadata and redacts before import",
+ "allowed_processing": [
+ "匯入已脫敏的 repo list JSON",
+ "只保留 repo metadata,不保留 secret、webhook、deploy key 或 token material",
+ "產出 `visibility_scope=admin_export` 與 `status=ok` 的 inventory snapshot",
+ "將 export 與 local remote inventory 做 coverage review"
+ ],
+ "blocked_processing": [
+ "匯入 Gitea DB dump、完整 git object pack、private key 或 webhook secret",
+ "保存 API token、PAT、cookie、session、CSRF token",
+ "用管理匯出直接建立 GitHub repo 或同步 refs",
+ "把 admin export 當成 primary cutover approval"
+ ],
+ "acceptance_gate": [
+ "`visibility_scope=admin_export`",
+ "`status=ok`",
+ "每筆 repo 都可識別 `full_name` 或 `owner.login + name`",
+ "每筆 repo 都有 `private`、`archived`、`empty` 與 `default_branch` metadata",
+ "所有 URL 必須 redacted,且不含 username、password 或 token"
+ ],
+ "execution_authorized": false
+ }
+ ],
+ "required_inventory_fields": [
+ "full_name or owner.login + name",
+ "name",
+ "owner.login",
+ "private",
+ "archived",
+ "empty",
+ "default_branch",
+ "clone_url_redacted",
+ "ssh_url_redacted",
+ "github_repo_candidate"
+ ],
+ "coverage_gap_hints": [
+ {
+ "gap_id": "public_only_vs_local_gitea_gap",
+ "title": "Public-only API 與本機 Gitea remote 覆蓋差異",
+ "current_evidence": [
+ "Public-only Gitea API 目前只看到 `wooo/awoooi` 與 `wooo/ewoooc`",
+ "本機 remote inventory 看到 4 個 unique Gitea repos:`wooo/awoooi`、`wooo/clawbot-v5`、`wooo/ewoooc`、`wooo/wooo-aiops`",
+ "至少 `wooo/clawbot-v5` 與 `wooo/wooo-aiops` 需要 authenticated inventory 或 owner attestation 解釋"
+ ],
+ "required_resolution": [
+ "authenticated inventory 或 admin export 必須包含這些 local-gitea repos,或由 owner 明確標註為 external / legacy / inaccessible",
+ "缺口只能進 owner review,不得自動建立、刪除或封存 repo"
+ ],
+ "execution_authorized": false
+ },
+ {
+ "gap_id": "org_endpoint_blocked_gap",
+ "title": "Gitea org endpoint 未認證查詢 blocked",
+ "current_evidence": [
+ "`orgs/wooo/repos` 未認證查詢先前為 blocked / 404 evidence",
+ "`users/wooo/repos` 與 public search 都只代表 public-only 可見範圍"
+ ],
+ "required_resolution": [
+ "用 read-only token 或 redacted admin export 確認 `wooo` 是 user、org 或混合來源",
+ "不得把未認證 404 解讀為沒有 private/internal repos"
+ ],
+ "execution_authorized": false
+ },
+ {
+ "gap_id": "internal_110_adjacent_source_gap",
+ "title": "110 internal git adjacent source-control gap",
+ "current_evidence": [
+ "本機 remote inventory 另看到 internal 110 repos:`bitan-pharmacy`、`root/momo-pro-system`、`tsenyang-website`、`wooo/wooo-infra-config`",
+ "這些不等同 Gitea org inventory,但會影響完整專案版本遷移"
+ ],
+ "required_resolution": [
+ "Gitea authenticated inventory 完成後,仍需 owner 判定 internal 110 repos 是否屬於同一輪 GitHub migration scope",
+ "不得在 Gitea inventory request 中自動合併 internal 110 source"
+ ],
+ "execution_authorized": false
+ }
+ ],
+ "acceptance_rules": [
+ "S4.5 完成只代表 Gitea authenticated inventory export request 已定義,不代表 inventory 已取得。",
+ "真正完成 gate 必須讓 `gitea_repo_inventory_v1.status=ok`,且 `visibility_scope` 為 `authenticated` 或 `admin_export`。",
+ "export 必須能解釋 public-only repo count 2 與 local Gitea unique repo count 4 之間的 gap。",
+ "所有敏感值必須拒收並進 mirror quarantine。",
+ "通過 inventory gate 後仍只能更新 migration matrix、decision table、approval board 與 readiness gate,不得同步 refs 或切 GitHub primary。"
+ ],
+ "redaction_rules": [
+ "API token 只允許以 `token_present=true|false` 表示,不保存 value。",
+ "URL 必須移除 username、password、token 與 query secret,只保留 redacted clone / ssh URL。",
+ "不得保存 webhook secret、repository secret value、deploy key private key、runner registration token、cookie、session 或 CSRF token。",
+ "不得保存 Gitea DB dump、完整 git object pack 或任何可還原 credentials 的 partial token。",
+ "任何含敏感值的 export 必須拒收,不得人工手改後直接入庫。"
+ ],
+ "forbidden_actions": [
+ "store_token_value",
+ "use_write_capable_token",
+ "write_to_gitea",
+ "create_gitea_repo",
+ "delete_or_archive_gitea_repo",
+ "create_github_repo",
+ "change_repo_visibility",
+ "sync_git_refs",
+ "delete_git_refs",
+ "force_push",
+ "switch_github_primary",
+ "disable_gitea",
+ "add_action_button"
+ ]
+}
diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json
index dc1b7c52..89055952 100644
--- a/docs/security/security-mirror-readiness.snapshot.json
+++ b/docs/security/security-mirror-readiness.snapshot.json
@@ -232,10 +232,14 @@
 "snapshot_paths": [
 "docs/security/gitea-repo-inventory.snapshot.json",
 "docs/security/gitea-public-repo-search.snapshot.json",
- "docs/security/gitea-org-repo-inventory-blocked.snapshot.json"
+ "docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
+ "docs/security/gitea-authenticated-inventory-export-request.snapshot.json"
 ],
- "human_docs": ["docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md"],
- "notes": "目前仍是 public-only / blocked endpoint evidence;private/internal 全量需 approval。"
+ "human_docs": [
+ "docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md",
+ "docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md"
+ ],
+ "notes": "目前仍是 public-only / blocked endpoint evidence;S4.5 已補 authenticated/admin export request,private/internal 全量需 approval。"
 },
 {
 "contract": "local_git_remote_inventory_v1",
diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json
index b683fd94..01551ba0 100644
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
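Review bot: `summary.gitea_base_url` is `http://192.168.0.110:3001`, yet option `gitea_readonly_token_api_inventory` has the operator send `GITEA_READONLY_TOKEN` to that endpoint, and neither its `acceptance_gate` nor `redaction_rules` says anything about the transport — a token sent over plaintext HTTP is exposed on the network path even though no value is ever written down. Add a gate item next to the scope check, e.g. `"token 只能經 TLS 或 owner 核准的受信內網通道送往 gitea_base_url;http:// base URL 需 owner 先確認傳輸路徑"`, so owner approval covers how the token travels, not only where it is stored. The same option's gate `"`repo_count` 大於或等於 public-only repo count"` is satisfied by an export that still misses the two gap repos; `acceptance_rules` states the 2-vs-4 explanation, but restating it as the option's own gate (`repo_count` ≥ `local_gitea_unique_repo_count`, or each gap repo accounted for) makes the per-option check self-sufficient.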
@@ -19,6 +19,7 @@
 "docs/security/security-approval-review-packet.snapshot.json",
 "docs/security/security-approval-state-transition.snapshot.json",
 "docs/security/security-followup-runtime-gate.snapshot.json",
+ "docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
 "docs/security/source-control-primary-readiness-gate.snapshot.json",
 "docs/security/source-control-primary-rollback-adr.snapshot.json",
 "docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
@@ -37,6 +38,11 @@
 "approval_state_transition_rule_total": 5,
 "followup_runtime_gate_template_total": 8,
 "active_runtime_gate_count": 0,
+ "gitea_inventory_status": "partial_waiting_authenticated_inventory",
+ "gitea_inventory_public_only_repo_count": 2,
+ "gitea_inventory_local_gitea_repo_count": 4,
+ "gitea_inventory_export_source_option_count": 2,
+ "gitea_inventory_token_value_collection_allowed": false,
 "primary_readiness_candidate_repo_count": 8,
 "github_primary_ready_count": 0,
 "primary_rollback_adr_repo_plan_count": 7,
@@ -69,8 +75,8 @@
 {
 "phase_id": "S1_readonly_inventory",
 "state": "in_progress",
- "current_result": "已完成多項 read-only evidence;Gitea private/internal 全量 repo list 仍需批准後補齊。",
- "next_gate": "只讀 token 或 redacted admin export approval。"
+ "current_result": "已完成多項 read-only evidence;S4.5 已補 Gitea authenticated/admin export request,但 private/internal 全量 repo list 仍需批准後補齊。",
+ "next_gate": "只讀 token 或 redacted admin export owner approval;仍不得保存 token value。"
 },
 {
 "phase_id": "S2_mirror_only_consumption",
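Review bot: The rollup in `@@ -37,6 +38,11 @@` mirrors four S4.5 counters but not the coverage gap itself, so a consumer reading only `security_mirror_status_rollup_v1` sees 2 public-only and 4 local repos without the snapshot's `local_gitea_gap_count`; add `"gitea_inventory_local_gitea_gap_count": 2,` beside the other `gitea_inventory_*` keys. The key `gitea_inventory_local_gitea_repo_count` also drops the `unique` qualifier carried by the source field `local_gitea_unique_repo_count`, which invites reading it as a raw remote count rather than deduplicated repos; `gitea_inventory_local_gitea_unique_repo_count` keeps the two documents aligned. Either change is additive and leaves the existing counters untouched.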
@@ -87,7 +93,7 @@
 {
 "phase_id": "S4_migration_execution",
 "state": "not_started",
- "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 7 個 in-scope repos 的 rollback ADR 草案,owner_approved_count=0、dry_run_completed_count=0。",
+ "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request,但 inventory status 仍 partial。",
 "next_gate": "Gitea authenticated inventory、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR owner approval 與逐 repo 人工批准。"
 }
 ],
@@ -179,6 +185,7 @@
 "mode": "approval_required",
 "source_contract": "gitea_repo_inventory_v1",
 "allowed_processing": [
+ "顯示 S4.5 authenticated/admin export request 與 coverage gap",
 "使用 read-only token 或 redacted admin export 補齊 repo list",
 "只保存 token_present=true/false",
 "更新 migration matrix 與 decision table"
@@ -286,7 +293,8 @@
 "S4.1 只新增 workflow / secret 名稱 inventory 契約;workflow_secret_inventory_complete_count=0,secret_value_collection_allowed=false,不新增 workflow、secret、repo、refs 或 primary switch action。",
 "S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidence;local_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43,secret_value_detected=false。",
 "S4.3 只新增 redacted export request package;export_request_count=7、export_lane_count=5、write_token_allowed=false,不呼叫 API、不收 secret value、不修改 GitHub/Gitea 設定。",
- "S4.4 只新增 GitHub primary rollback ADR 草案;repo_rollback_plan_count=7、owner_approved_count=0、dry_run_completed_count=0、rollback_execution_authorized=false,不切 primary、不執行 rollback。"
+ "S4.4 只新增 GitHub primary rollback ADR 草案;repo_rollback_plan_count=7、owner_approved_count=0、dry_run_completed_count=0、rollback_execution_authorized=false,不切 primary、不執行 rollback。",
+ "S4.5 只新增 Gitea authenticated inventory export request;public_only_repo_count=2、local_gitea_unique_repo_count=4、export_source_option_count=2、token_value_collection_allowed=false,不使用 token、不寫入 Gitea、不 sync refs。"
 ],
 "forbidden_actions": [
 "start_kali_scan",
diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json
index 2234a582..d2b648e2 100644
--- a/docs/security/security-supply-chain-contract-manifest.snapshot.json
+++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json
@@ -377,17 +377,19 @@
 "snapshot_paths": [
 "docs/security/gitea-repo-inventory.snapshot.json",
 "docs/security/gitea-public-repo-search.snapshot.json",
- "docs/security/gitea-org-repo-inventory-blocked.snapshot.json"
+ "docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
+ "docs/security/gitea-authenticated-inventory-export-request.snapshot.json"
 ],
 "human_docs": [
 "docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md",
- "docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md"
+ "docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md",
+ "docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md"
 ],
 "consumer": "AwoooP migration matrix evidence",
 "consumption_mode": "mirror_only",
- "allowed_actions": ["mirror_public_only_inventory", "create_readonly_inventory_approval_candidate"],
+ "allowed_actions": ["mirror_public_only_inventory", "create_readonly_inventory_approval_candidate", "display_authenticated_inventory_export_request"],
 "forbidden_actions": ["store_token_value", "write_to_gitea", "delete_or_archive_repo"],
- "notes": "目前是 partial/public_only,private/internal 全量需批准後補齊。"
+ "notes": "目前是 partial/public_only;S4.5 已補 authenticated/admin export request,private/internal 全量仍需批准後補齊。"
 },
 {
 "contract": "local_git_remote_inventory_v1",
diff --git a/docs/security/source-control-primary-readiness-gate.snapshot.json b/docs/security/source-control-primary-readiness-gate.snapshot.json
index 0e9ba087..080a38f6 100644
--- a/docs/security/source-control-primary-readiness-gate.snapshot.json
+++ b/docs/security/source-control-primary-readiness-gate.snapshot.json
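Review bot: `forbidden_actions` for `gitea_repo_inventory_v1` is left at three entries (`store_token_value`, `write_to_gitea`, `delete_or_archive_repo`) while the export-request snapshot this hunk links in `snapshot_paths` enumerates `use_write_capable_token`, `sync_git_refs`, `switch_github_primary` and more; since the manifest is the document consumers read for allowed and forbidden actions, the new `display_authenticated_inventory_export_request` entry should be paired with the matching denials, e.g. `"forbidden_actions": ["store_token_value", "use_write_capable_token", "write_to_gitea", "delete_or_archive_repo", "sync_git_refs", "switch_github_primary"]`. The two documents also spell the archive denial differently (`delete_or_archive_repo` here, `delete_or_archive_gitea_repo` in the snapshot), which would defeat any string-match consistency check between them; pick one identifier, presumably the snapshot's since it is the newer and more specific one.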
@@ -13,6 +13,7 @@
 "docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
 "docs/security/source-control-primary-rollback-adr.snapshot.json",
 "docs/security/gitea-repo-inventory.snapshot.json",
+ "docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
 "docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
 "docs/security/security-followup-runtime-gate.snapshot.json"
 ],
@@ -40,11 +41,14 @@
 ],
 "current_gap": [
 "目前只有 public-only / blocked endpoint evidence",
+ "S4.5 已建立 authenticated/admin export request,但尚未取得 `gitea_repo_inventory_v1.status=ok` evidence",
+ "public-only API 只看到 2 個 repos,本機 remote inventory 看到 4 個 unique Gitea repos,gap 仍待 owner 解釋",
 "GITEA_READONLY_TOKEN 未提供",
 "不得使用 write-capable credential 當 read-only token"
 ],
 "allowed_now": [
 "顯示 blocked reason",
+ "mirror S4.5 authenticated inventory export request",
 "等待 read-only token 或 redacted admin export",
 "更新 approval board 與 decision table"
 ],