docs(security): add S4.9 owner response dispatch package

docs/LOGBOOK.md

@@ -33861,3 +33861,21 @@ production browser smoke:
 1. 繼續推進 S4.9 owner response 真實回覆資料包，必填 owner role / team、decision、decision reason、affected scope、redacted evidence refs、followup owner；驗收前維持 `0 / false`。
 2. 持續盤點高價值配置控管，優先納入 Nginx、K8s manifest、ArgoCD app、Gitea workflow、registry / Harbor、Sentry / SigNoz / Alertmanager、public gateway、AI provider route、資料庫 migration 與 secrets injection 流程。
 3. 任何主機維護、Kali 更新、Nginx / Docker / firewall / active scan 仍需獨立維護窗口與人工批准，不得由治理頁或 AwoooP approval 直接替代。
+
+## 2026-06-13 — S4.9 owner response 真實資料包與高價值配置 owner lanes 草案
+
+**修正內容**：
+- 新增 `docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md`：把 S4.9 五題 owner 回覆、六欄 canonical envelope、reviewer outcome lanes、拒收 / 隔離規則與高價值配置 P0 owner lanes 收成可交付資料包。
+- 新增 `docs/security/s4-9-owner-response-dispatch-package.snapshot.json`：機器可讀記錄 `dispatch_package_ready_not_sent`、五題 templates、九條高價值配置 owner lanes 與所有 `0 / false` gate。
+- 更新 `docs/workplans/2026-06-04-iwooos-security-governance-p0.md`：新增 P0-2h，明確標記 dispatch package `70%`，owner response gate 仍 `0%`。
+
+**目前狀態**：
+- S4.9 dispatch package：`70%`；可交給 owner 填寫，但尚未正式送件。
+- S4.9 owner response gate：仍 `0 / false`。
+- 高價值配置 owner lane 對齊：`55%`；Nginx、K8s / ArgoCD、Gitea workflow / runner、registry / TLS、Sentry / SigNoz / Alertmanager、public runtime config、AI provider route、DB migration、secrets injection 已對齊六欄 envelope。
+- IwoooS overall：仍維持 `64%`。
+- active runtime gate：仍為 `0`。
+
+**邊界**：
+- 本輪未執行 SSH、Nginx reload、Docker restart、firewall / iptables、K8s / ArgoCD 寫操作、active scan、secret 明文讀取、runtime restart、DB migration 或 AI provider route switch。
+- 不得把 dispatch package、snapshot、UI 可見或 AwoooP approval 解讀成 owner response received / accepted 或 runtime 授權。

docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md

@@ -0,0 +1,120 @@
+# S4.9 Owner Response Dispatch Package
+
+| 項目 | 內容 |
+|------|------|
+| 日期 | 2026-06-13 |
+| 狀態 | `dispatch_package_ready_not_sent` |
+| 對應 envelope | `docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md` |
+| 對應 intake form | `docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md` |
+| 對應 validation | `docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md` |
+| Snapshot | `docs/security/s4-9-owner-response-dispatch-package.snapshot.json` |
+| runtime gate | `0` |
+
+## 1. 核心結論
+
+本包把 S4.9 owner response 從「表單與驗收規則已定義」推進到「可交給 owner 填寫的送件包」。它固定 owner 要回覆哪些題目、每題必填欄位、哪些 evidence 只能用脫敏參照，以及 reviewer 收件後如何分流。
+
+本包仍不是正式送件紀錄，不是 owner response received，不是 accepted，不是 repo / refs / workflow / secret / runner / host / runtime 授權。
+
+## 2. 必填 Canonical Envelope
+
+每一題回覆都必須映射回六欄。缺任一欄，只能補件，不得增加 received / accepted count。
+
+| 欄位 | 填寫要求 | 禁止誤用 |
+|------|----------|----------|
+| `owner_role_or_team` | 填角色、團隊或責任單位 | 不填私人帳密、token、session 或私人聯絡資訊 |
+| `decision` | 只能填 `confirm`、`defer`、`reject`、`request_more_evidence` | `confirm` 不代表 runtime action approval |
+| `decision_reason` | 填脫敏理由摘要 | 不貼 raw log、raw API body、未脫敏截圖或內部聊天原文 |
+| `affected_scope` | 填 repo 群、namespace、endpoint、host scope、legacy disposition 或 canonical owner 範圍 | 不夾帶 repo create、refs sync、visibility change 或 workflow 修改要求 |
+| `redacted_evidence_refs` | 填文件路徑、snapshot id、ticket id、hash 或脫敏 metadata pointer | 不收 secret value、partial token、private key、authorization header、runner token |
+| `followup_owner` | 填後續補證、審查或決策負責角色 / 團隊 | 不等於執行批准人，也不等於 runtime operator |
+
+## 3. S4.9 五題送件內容
+
+| 順序 | Template | Owner 必須回答 | 合格 evidence refs |
+|------|----------|----------------|--------------------|
+| 1 | `response-public-only-vs-local-gitea-gap` | 判定 `wooo/clawbot-v5`、`wooo/wooo-aiops` 是否屬本輪 inventory / migration scope | public probe snapshot、local inventory ref、owner note id |
+| 2 | `response-org-user-endpoint-identity` | 判定 `wooo` 應以 user、org 或兩者盤點，並指定 canonical endpoint | endpoint probe summary、HTTP status metadata、owner note id |
+| 3 | `response-internal-110-adjacent-scope` | 逐項判定 `bitan-pharmacy`、`root/momo-pro-system`、`tsenyang-website`、`wooo/wooo-infra-config` 是否納入本輪 scope | local repo / host scope snapshot、redacted owner note |
+| 4 | `response-repo-owner-canonical-scope` | 指定 in-scope repo 的 owner、canonical source、GitHub target candidate 與 visibility review owner | refs truth summary、target probe summary、owner note id |
+| 5 | `response-legacy-or-inaccessible-disposition` | 指定 legacy / inaccessible / external repo 的 disposition、理由與後續 owner | disposition note、archive candidate summary、ticket id |
+
+## 4. Owner 可回覆的形狀
+
+```text
+template_id:
+owner_role_or_team:
+decision:
+decision_reason:
+affected_scope:
+redacted_evidence_refs:
+followup_owner:
+```
+
+若 owner 需要更多資訊，`decision` 應填 `request_more_evidence`，並在 `decision_reason` 說明缺哪一種脫敏 evidence。不得用口頭「同意」、「可以」、「批准」取代六欄回覆。
+
+## 5. Reviewer 收件分流
+
+| Outcome | 使用時機 | Count 影響 |
+|---------|----------|------------|
+| `keep_waiting_owner_response` | 尚未收到完整六欄，或只有空白 / 口頭同意 | received / accepted 維持 0 |
+| `request_more_evidence` | 欄位缺漏、scope 不清、evidence refs 不足 | accepted 維持 0 |
+| `quarantine_sensitive_payload` | 疑似含 token、secret、private key、cookie、session、authorization header、runner token、未脫敏截圖或 private URL credential | 不保存 raw payload |
+| `reject_execution_request` | 夾帶 repo / refs / workflow / secret / runner / Kali / host / runtime 執行要求 | 不建立 action button |
+| `ready_for_reviewer_validation` | 五題完整、evidence refs 已脫敏、無執行要求 | 只進 reviewer checklist，仍非 accepted |
+
+## 6. 高價值配置控管對齊
+
+S4.9 owner response 是 source-control owner gate 的第一步。高價值配置控管仍需要獨立 owner response，但應共用同一個六欄 envelope 與拒收邊界。
+
+| 優先 | 類別 | 對應 owner lane | 送件前仍缺 |
+|------|------|----------------|------------|
+| P0-1 | Nginx / public gateway | `public_gateway_owner_response_required` | rendered diff、`nginx -t` evidence、route smoke、maintenance window、rollback owner |
+| P0-2 | K8s manifest / ArgoCD app | `gitops_owner_response_required` | GitOps diff、ArgoCD health readback、sync authorization、rollback revision |
+| P0-3 | Gitea workflow / runner / deploy key / webhook | `workflow_source_control_owner_response_required` | workflow diff、runner label owner、deploy key metadata only、webhook metadata only |
+| P0-4 | Registry / Harbor / TLS / certbot | `domain_tls_owner_response_required` | certificate path check、renewal window、ACME smoke、public HTTPS smoke |
+| P0-5 | Sentry / SigNoz / Alertmanager / Prometheus | `monitoring_owner_response_required` | live drift evidence、receiver owner、reload owner、route smoke、receipt proof |
+| P0-6 | Public gateway / frontend runtime config | `public_runtime_config_owner_response_required` | public URL check、frontend internal IP ban、CORS boundary、desktop / mobile smoke |
+| P0-7 | AI provider route | `ai_provider_route_owner_response_required` | provider route owner、fallback order evidence、cost boundary、rollback owner |
+| P0-8 | DB migration | `database_migration_owner_response_required` | migration diff、backup / rollback owner、post-migration verification plan |
+| P0-9 | Secrets injection / redaction | `secret_metadata_owner_response_required` | secret name parity、metadata-only check、rotation owner、no secret value check |
+
+這些 lane 可以共用 S4.9 的欄位與 quarantine-first 規則，但不能把 S4.9 回覆直接升級成 Nginx reload、ArgoCD sync、workflow 修改、registry change、alert reload、AI route switch、DB migration 或 secret rotation 授權。
+
+## 7. 固定 0 / false 邊界
+
+```text
+dispatch_authorized=false
+request_sent=false
+request_sent_count=0
+received_response_count=0
+accepted_response_count=0
+rejected_response_count=0
+owner_response_received_count=0
+owner_response_accepted_count=0
+redacted_payload_ingested=false
+active_runtime_gate_count=0
+runtime_execution_authorized=false
+action_buttons_allowed=false
+repo_creation_authorized=false
+refs_sync_authorized=false
+workflow_modification_authorized=false
+github_primary_switch_authorized=false
+host_update_authorized=false
+active_scan_authorized=false
+secret_value_collection_authorized=false
+nginx_reload_authorized=false
+argocd_sync_authorized=false
+database_migration_authorized=false
+ai_provider_route_change_authorized=false
+```
+
+## 8. 完成度
+
+| 工作 | 完成度 | 說明 |
+|------|--------|------|
+| S4.9 dispatch package | `70%` | 可送 owner 填寫的資料包已固定；尚未正式送件 |
+| S4.9 owner response gate | `0%` | 尚未收到或接受 owner response |
+| 高價值配置 owner lane 對齊 | `55%` | 已共用六欄 envelope 與 P0 lane；仍需各 lane owner 實際回覆 |
+| IwoooS overall | 維持 `64%` | 文件與資料包不調高整體進度 |
+| active runtime gate | `0` | 不變 |

docs/security/s4-9-owner-response-dispatch-package.snapshot.json

@@ -0,0 +1,178 @@
+{
+  "schema_version": "s4_9_owner_response_dispatch_package_v1",
+  "generated_at": "2026-06-13T02:20:00+08:00",
+  "status": "dispatch_package_ready_not_sent",
+  "mode": "owner_response_dispatch_package_only",
+  "source_documents": [
+    "docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md",
+    "docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md",
+    "docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md",
+    "docs/security/S4-9-SECURITY-ACCEPTANCE-RECORD-TEMPLATE.md"
+  ],
+  "canonical_owner_fields": [
+    "owner_role_or_team",
+    "decision",
+    "decision_reason",
+    "affected_scope",
+    "redacted_evidence_refs",
+    "followup_owner"
+  ],
+  "allowed_decisions": [
+    "confirm",
+    "defer",
+    "reject",
+    "request_more_evidence"
+  ],
+  "s4_9_response_templates": [
+    {
+      "template_id": "response-public-only-vs-local-gitea-gap",
+      "required_fields": 6,
+      "status": "waiting_owner_response"
+    },
+    {
+      "template_id": "response-org-user-endpoint-identity",
+      "required_fields": 6,
+      "status": "waiting_owner_response"
+    },
+    {
+      "template_id": "response-internal-110-adjacent-scope",
+      "required_fields": 6,
+      "status": "waiting_owner_response"
+    },
+    {
+      "template_id": "response-repo-owner-canonical-scope",
+      "required_fields": 6,
+      "status": "waiting_owner_response"
+    },
+    {
+      "template_id": "response-legacy-or-inaccessible-disposition",
+      "required_fields": 6,
+      "status": "waiting_owner_response"
+    }
+  ],
+  "outcome_lanes": [
+    "keep_waiting_owner_response",
+    "request_more_evidence",
+    "quarantine_sensitive_payload",
+    "reject_execution_request",
+    "ready_for_reviewer_validation"
+  ],
+  "high_value_config_owner_lanes": [
+    {
+      "priority": "P0-1",
+      "category_id": "nginx_public_gateway",
+      "owner_lane": "public_gateway_owner_response_required",
+      "status": "owner_response_required"
+    },
+    {
+      "priority": "P0-2",
+      "category_id": "k8s_production_gitops",
+      "owner_lane": "gitops_owner_response_required",
+      "status": "owner_response_required"
+    },
+    {
+      "priority": "P0-3",
+      "category_id": "gitea_workflow_runner_source_control",
+      "owner_lane": "workflow_source_control_owner_response_required",
+      "status": "owner_response_required"
+    },
+    {
+      "priority": "P0-4",
+      "category_id": "dns_tls_certbot",
+      "owner_lane": "domain_tls_owner_response_required",
+      "status": "owner_response_required"
+    },
+    {
+      "priority": "P0-5",
+      "category_id": "monitoring_alerting_observability",
+      "owner_lane": "monitoring_owner_response_required",
+      "status": "owner_response_required"
+    },
+    {
+      "priority": "P0-6",
+      "category_id": "public_admin_api_runtime_config",
+      "owner_lane": "public_runtime_config_owner_response_required",
+      "status": "owner_response_required"
+    },
+    {
+      "priority": "P0-7",
+      "category_id": "ai_provider_route",
+      "owner_lane": "ai_provider_route_owner_response_required",
+      "status": "owner_response_required"
+    },
+    {
+      "priority": "P0-8",
+      "category_id": "database_migration",
+      "owner_lane": "database_migration_owner_response_required",
+      "status": "owner_response_required"
+    },
+    {
+      "priority": "P0-9",
+      "category_id": "secret_metadata",
+      "owner_lane": "secret_metadata_owner_response_required",
+      "status": "owner_response_required"
+    }
+  ],
+  "forbidden_payloads": [
+    "token",
+    "secret",
+    "private_key",
+    "cookie",
+    "session",
+    "authorization_header",
+    "runner_token",
+    "webhook_secret",
+    "database_url",
+    "unredacted_screenshot",
+    "private_url_credential"
+  ],
+  "forbidden_actions": [
+    "repo_create",
+    "visibility_change",
+    "refs_sync",
+    "delete_refs",
+    "force_push",
+    "workflow_modify",
+    "runner_enable",
+    "kali_scan",
+    "host_update",
+    "runtime_restart",
+    "nginx_reload",
+    "argocd_sync",
+    "database_migration",
+    "secret_rotation",
+    "ai_provider_route_switch"
+  ],
+  "gates": {
+    "dispatch_authorized": false,
+    "request_sent": false,
+    "request_sent_count": 0,
+    "received_response_count": 0,
+    "accepted_response_count": 0,
+    "rejected_response_count": 0,
+    "owner_response_received_count": 0,
+    "owner_response_accepted_count": 0,
+    "redacted_payload_ingested": false,
+    "active_runtime_gate_count": 0,
+    "runtime_execution_authorized": false,
+    "action_buttons_allowed": false,
+    "repo_creation_authorized": false,
+    "refs_sync_authorized": false,
+    "workflow_modification_authorized": false,
+    "github_primary_switch_authorized": false,
+    "host_update_authorized": false,
+    "active_scan_authorized": false,
+    "secret_value_collection_authorized": false,
+    "nginx_reload_authorized": false,
+    "argocd_sync_authorized": false,
+    "database_migration_authorized": false,
+    "ai_provider_route_change_authorized": false
+  },
+  "progress": {
+    "s4_9_dispatch_package_percent": 70,
+    "s4_9_owner_response_gate_percent": 0,
+    "high_value_config_owner_lane_alignment_percent": 55,
+    "iwooos_overall_percent": 64,
+    "active_runtime_gate_count": 0
+  }
+}

docs/workplans/2026-06-04-iwooos-security-governance-p0.md

@@ -28,6 +28,7 @@
 | 最新 S4.9 owner response intake form 基準 | `docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md`；五題可填表、六欄填寫規則、reviewer 收件欄與 outcome lanes 已固定；owner response gate 仍 `0%` |
 | 最新 S4.9 reviewer validation checklist 基準 | `docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md`；Reviewer 分工、V0-V8 gates、outcome 決策表、count transition 與 cross-packet consistency 已固定；owner response gate 仍 `0%` |
 | 最新 S4.9 security acceptance record template 基準 | `docs/security/S4-9-SECURITY-ACCEPTANCE-RECORD-TEMPLATE.md`；acceptance record 前置條件、欄位、count transition、decision outcome、evidence redaction 與不可授權聲明已固定；owner response gate 仍 `0%` |
+| 最新 S4.9 owner response dispatch package 基準 | `docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md`；五題送件內容、六欄 owner 回覆格式、reviewer outcome lanes 與高價值配置 P0 owner lanes 已固定；dispatch package `70%`，owner response gate 仍 `0%` |
 | 目前平行 Session | AwoooP thread `019e9154-7d5e-7b72-85be-c9d97e43ecc9` 已補 P1-002 正式驗證紀錄；後續進 `P1-003` 前仍需重新 fetch / fast-forward，避免 LOGBOOK / workplan 衝突 |
 | 前一個正式 IwoooS 候選基準 | code `7b8fc093`、deploy marker `45c63488`、LOGBOOK `02cadee6` |
 | 最新導航 IA 基準 | code `973fc7a4`、LOGBOOK `2555c811`、deploy marker `0260ec89` |
@@ -66,6 +67,7 @@
 | P0-2e | S4.9 owner response intake form | 100% | 已新增 `S4-9-OWNER-RESPONSE-INTAKE-FORM.md`，固定五題可填表、六欄填寫規則、reviewer 收件欄與 outcome lanes；owner response gate 仍 0% | owner response guard、progress guard、diff check |
 | P0-2f | S4.9 reviewer validation checklist | 100% | 已新增 `S4-9-REVIEWER-VALIDATION-CHECKLIST.md`，固定 reviewer 分工、V0-V8 gates、outcome 決策表、count transition 與 cross-packet consistency；owner response gate 仍 0% | owner response guard、progress guard、diff check |
 | P0-2g | S4.9 security acceptance record template | 100% | 已新增 `S4-9-SECURITY-ACCEPTANCE-RECORD-TEMPLATE.md`，固定 acceptance record 前置條件、欄位、count transition、decision outcome、evidence redaction 與不可授權聲明；owner response gate 仍 0% | owner response guard、progress guard、diff check |
+| P0-2h | S4.9 owner response dispatch package | 70% | 已新增 `S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md` 與 snapshot，固定可交給 owner 填寫的五題送件包、高價值配置 P0 owner lanes 與 0 / false 邊界；尚未正式送件、尚未 received / accepted | JSON parse、owner response guard、progress guard、doc secrets sanity |
 | P0-3 | AwoooP 同步封包 | 100% | 已送至 AwoooP 平行工作 thread `019e9154-7d5e-7b72-85be-c9d97e43ecc9`；後續仍需每次推版前重新 fetch / fast-forward | 本文件、thread send readback、mirror checklist readback |
 | P0-4 | production live sanity 節點 | 100% | desktop / mobile / 展開區塊 / overflow / action href 檢查已完成 | Playwright production sanity 通過 |
 | P0-5 | LOGBOOK 與完成度更新 | 100% | D2 comments-only、D2 AIOps sample、D2 Code Review 候選分類與 D2 AwoooP Runs fallback 皆已回填；可見 / bundle 變更皆已補 local / production desktop + mobile smoke | `docs/LOGBOOK.md` readback |