# CD / Runner / Secret injection post-incident readback read-only plan

| Item | Content |
|------|------|
| Date | 2026-06-16 |
| Status | `post_incident_readback_plan_ready_no_runtime_action` |
| Tool | `scripts/security/cd-runner-secret-injection-post-incident-readback-plan.py` |
| Snapshot | `docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json` |
| Source evidence | `docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json` |
| runtime gate | `0` |

## 1. Purpose

This plan sits after CD / runner / secret injection change evidence acceptance and deals only with post-incident readback: after an anomaly or change involving a workflow, runner or secret injection, the owner must read back the actor, time window, workflow diff state, runner attestation, secret name parity, secret injection route, step-env secret guard, log redaction, deploy marker, Gitea run, webhook / notification receipt, before / after deploy state, rollback, post-check and recurrence guard.

It handles metadata-only evidence refs. It does not call the Gitea / GitHub API, read the secret store, read secret values, modify workflows, enable runners, rotate secrets, dispatch workflows or trigger deployments, and it never treats CD success, a deploy marker, workflow success, a route `200`, a runner being online, AwoooP approval or UI-visible state as runtime authorization.

## 2. Fixed scope

| Metric | Value | Interpretation |
|------|------|------|
| `readback_candidate_count` | `5` | Five candidate classes: CD pipeline, Code Review, Deploy alerts, Runner attestation, Secret parity / injection owner |
| `c0_readback_candidate_count` | `4` | CD, Code Review, Runner and Secret parity are C0 |
| `c1_readback_candidate_count` | `1` | Deploy alerts / monitoring route is C1 |
| `write_capable_readback_candidate_count` | `5` | All five classes can affect the workflow, runner, secret injection, notification or deploy path |
| `secret_sensitive_readback_candidate_count` | `5` | All five classes must be checked so that no secret value / hash / partial token / runner token appears |
| `runner_or_workflow_readback_candidate_count` | `5` | All five classes must read back the workflow / runner boundary |
| `deploy_or_run_readback_required_candidate_count` | `5` | All five classes need a deploy marker or Gitea run readback, or a stated not-applicable reason |
| `required_readback_field_count` | `33` | Required post-incident readback fields |
| `reviewer_check_count` | `30` | Mandatory reviewer checks |
| `outcome_lane_count` | `11` | Intake outcome lanes |
| `blocked_action_count` | `52` | Explicitly blocked actions |

## 3. Required post-incident readback fields

Each post-incident readback needs at least:

1. `incident_or_change_ref`
2. `actor_attribution_ref`
3. `change_time_window_ref`
4. `change_intent_or_break_glass_ref`
5. `workflow_diff_state_ref`
6. `runner_attestation_state_ref`
7. `runner_executor_host_readback_ref`
8. `runner_workspace_cleanup_readback_ref`
9. `runner_permission_scope_ref`
10. `secret_name_parity_state_ref`
11. `secret_injection_route_state_ref`
12. `step_env_secret_guard_result_ref`
13. `log_redaction_readback_ref`
14. `deploy_marker_readback_ref`
15. `gitea_action_run_readback_ref`
16. `webhook_delivery_state_ref`
17. `deploy_key_branch_protection_codeowners_ref`
18. `notification_delivery_receipt_ref`
19. `before_after_deploy_state_ref`
20. `affected_route_or_service_state_ref`
21. `cross_project_sync_ref`
22. `rollback_validation_ref`
23. `postcheck_evidence_ref`
24. `post_change_monitoring_ref`
25. `recurrence_guard_ref`
26. `maintenance_window`
27. `rollback_owner`
28. `followup_owner`
29. `redacted_evidence_refs`
30. `no_secret_value_attestation`
31. `no_raw_workflow_payload_attestation`
32. `no_unredacted_log_attestation`
33. `no_false_green_attestation`

These fields may hold only redacted refs, commits, artifact pointers, run ids, job ids, tickets or hashes. They must not contain secret values, secret hashes, masked tokens, partial tokens, runner tokens, webhook secrets, private keys, deploy key private material, cookies, authorization headers, full credential URLs, unredacted action logs or unredacted screenshots.

## 4. Reviewer checks

The reviewer must confirm that:

- The source change evidence acceptance snapshot is the current version.
- The incident / change ref, actor, time window and intent / break-glass reason are all present.
- The workflow diff state is presented only as a ref; no raw workflow payload is stored.
- Runner label, executor, host alias, workspace cleanup, permission scope and hosted-runner risk are traceable.
- Secret name parity, secret injection route, step-env secret guard and log redaction readback are complete.
- Deploy marker and Gitea run readback serve only as evidence, not as runtime approval.
- Webhook delivery, deploy key, branch protection, CODEOWNERS, notification receipt and cross-project sync impact are marked.
- Rollback validation, post-check, post-change monitoring and recurrence guard are explicitly listed.
- CD success, deploy marker, workflow success, route `200`, runner online, UI-visible state or AwoooP approval is not taken as acceptance.

## 5. Outcome lanes

| Lane | Description |
|------|------|
| `waiting_post_incident_readback` | No post-incident readback package received yet |
| `request_actor_or_time_supplement` | Missing actor, time window, intent or break-glass reason |
| `request_workflow_runner_supplement` | Missing workflow diff, runner attestation, executor / host, workspace cleanup or permission scope |
| `request_secret_injection_supplement` | Missing secret name parity, injection route, step-env guard or log redaction readback |
| `request_deploy_run_supplement` | Missing deploy marker, Gitea run readback, before / after deploy state or post-check |
| `request_webhook_notification_supplement` | Missing webhook delivery, notification receipt, SRE route owner or cross-project sync |
| `quarantine_sensitive_payload` | Quarantine on receipt of a sensitive value, runner token, webhook secret, private key, unredacted log or screenshot |
| `reject_false_green_claim` | Reject when CD success, deploy marker, workflow success, route `200`, runner online, UI-visible state or AwoooP approval is offered as acceptance |
| `ready_for_cd_runner_secret_post_incident_review` | Metadata passes; proceeds to reviewer review |
| `recurrence_guard_backfill_required` | Recurrence guard, owner review, change freeze, automation block or runner isolation plan still to be supplied |
| `waiting_runtime_gate` | Even with the readback accepted, the runtime gate still requires separate manual approval |

## 6. Blocked actions

This plan explicitly blocks:

- modifying workflows or dispatching workflows without approval
- enabling, installing or restarting runners, or modifying runner labels
- using the runner admin token or enabling GitHub hosted runners
- collecting secret values, hashes, partial tokens, runner tokens, webhook secrets or deploy key private material
- storing raw workflow payloads or unredacted action logs
- creating, updating, rotating or deleting repo secrets, or reading the secret store
- modifying the secret injection path
- modifying webhooks, deploy keys, branch protection or CODEOWNERS
- syncing refs, force pushing, switching GitHub to primary or disabling Gitea
- running the CD pipeline as an action, injecting K8s secrets, ArgoCD sync or production deploy
- adding action buttons or opening the runtime gate

## 7. Completion and boundaries

| Work item | Completion | Boundary |
|------|--------|------|
| CD / Runner / Secret injection post-incident readback plan | `100%` | Read-only plan and snapshot created |
| Secret metadata read-only governance maturity | `68% -> 70%` | Reflects only that post-incident readback fields are filled in, not that secrets can be read or changed |
| Gitea workflow / runner source-control read-only governance maturity | `72% -> 74%` | Reflects only that workflow / runner post-incident readback fields are filled in, not that workflows / runners can be modified |
| post-incident readback received / accepted | `0%` | No post-incident readback received or accepted yet |
| runtime gate | `0` | No workflow, runner, secret, deploy, ArgoCD or production action is opened |

## 8. Next steps

1. Ask the owner to provide only post-incident readback refs: workflow diff state, runner attestation, secret name parity, secret injection route, Gitea run readback, guard result, deploy marker, notification receipt, rollback owner and post-check evidence.
2. The reviewer checks only metadata completeness, no-secret-value, log redaction and no-false-green, and stores no raw workflow payload, raw action log or credential material.
3. Any future move to a runtime approval package requires its own maintenance window, rollback owner, cross-project sync and production post-check gate.
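The intake rules in sections 3 and 5 (33 required fields, the `quarantine_sensitive_payload` lane for credential material, the `reject_false_green_claim` lane, then the per-area supplement lanes) can be expressed as a small triage routine. The block below is an added example and not the project's `cd-runner-secret-injection-post-incident-readback-plan.py`. It assumes that a readback package is a flat dict of field name to string ref, that an optional `acceptance_basis` tuple states what the submitter claims acceptance on, and that the field-to-lane grouping, the regex set and the sample packages are constructed here for illustration.

```python
"""Added example (not the project's readback script): triage a post-incident
readback package into one of the plan's outcome lanes.

Assumptions, not taken from the plan: a package is a flat dict of field name
-> string ref; an optional ``acceptance_basis`` tuple states what the
submitter claims acceptance on; the field-to-lane grouping and the regexes
are constructed here; the sample packages below are constructed placeholders.
"""
import re

# The 33 required fields, grouped by the supplement lane that fires when one
# is missing.  The grouping is assumed; the plan lists the fields but not it.
LANE_FIELDS = {
    "request_actor_or_time_supplement": (
        "incident_or_change_ref", "actor_attribution_ref",
        "change_time_window_ref", "change_intent_or_break_glass_ref"),
    "request_workflow_runner_supplement": (
        "workflow_diff_state_ref", "runner_attestation_state_ref",
        "runner_executor_host_readback_ref",
        "runner_workspace_cleanup_readback_ref", "runner_permission_scope_ref",
        "no_raw_workflow_payload_attestation"),
    "request_secret_injection_supplement": (
        "secret_name_parity_state_ref", "secret_injection_route_state_ref",
        "step_env_secret_guard_result_ref", "log_redaction_readback_ref",
        "redacted_evidence_refs", "no_secret_value_attestation",
        "no_unredacted_log_attestation"),
    "request_deploy_run_supplement": (
        "deploy_marker_readback_ref", "gitea_action_run_readback_ref",
        "before_after_deploy_state_ref", "affected_route_or_service_state_ref",
        "rollback_validation_ref", "postcheck_evidence_ref",
        "post_change_monitoring_ref", "maintenance_window", "rollback_owner",
        "no_false_green_attestation"),
    "request_webhook_notification_supplement": (
        "webhook_delivery_state_ref",
        "deploy_key_branch_protection_codeowners_ref",
        "notification_delivery_receipt_ref", "cross_project_sync_ref",
        "followup_owner"),
    "recurrence_guard_backfill_required": ("recurrence_guard_ref",),
}
ALL_FIELDS = frozenset(f for fields in LANE_FIELDS.values() for f in fields)

# Credential material that must never appear in a ref value.  Constructed and
# non-exhaustive: a clean scan is required for intake, not proof of redaction.
SENSITIVE_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "authorization_header": re.compile(r"(?i)\bauthorization:\s*\S+"),
    "cookie_header": re.compile(r"(?i)\b(?:set-)?cookie:\s*\S+"),
    "credential_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{16,}"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
    "masked_token": re.compile(r"\*{3,}[A-Za-z0-9]{4,}\b|\b[A-Za-z0-9]{4,}\*{3,}"),
}

# Signals the plan says are never acceptance (reject_false_green_claim).
FALSE_GREEN_SIGNALS = frozenset({
    "cd_success", "deploy_marker", "workflow_success", "route_200",
    "runner_online", "ui_visible", "awooop_approval"})


def find_sensitive(package):
    """(field, pattern_name) for every value that looks like credential material."""
    return [(field, name)
            for field, value in package.items()
            for name, rx in SENSITIVE_PATTERNS.items()
            if rx.search(str(value))]


def triage(package):
    """Return (lane, detail).  Lanes are checked in severity order: leaked
    material first, false-green claims next, then missing fields per lane.
    The best outcome is a hand-off to reviewer review, never a runtime action."""
    if not package:
        return "waiting_post_incident_readback", []
    hits = find_sensitive(package)
    if hits:
        return "quarantine_sensitive_payload", hits
    basis = package.get("acceptance_basis", ())
    if isinstance(basis, str):
        basis = (basis,)
    false_green = sorted({str(b).lower() for b in basis} & FALSE_GREEN_SIGNALS)
    if false_green:
        return "reject_false_green_claim", false_green
    for lane, fields in LANE_FIELDS.items():
        gap = [f for f in fields if not str(package.get(f, "")).strip()]
        if gap:
            return lane, gap
    return "ready_for_cd_runner_secret_post_incident_review", []


# Constructed sample: every ref is a placeholder pointer, never a value.
GOOD_PACKAGE = {f: f"ref://example/{f}" for f in sorted(ALL_FIELDS)}

if __name__ == "__main__":
    print(triage(GOOD_PACKAGE))
    print(triage(dict(GOOD_PACKAGE, log_redaction_readback_ref="Authorization: Bearer abc")))
    print(triage(dict(GOOD_PACKAGE, acceptance_basis=("workflow_success", "route_200"))))
```

The pattern scan catches the obvious leak shapes (PEM headers, `Authorization:` and `Cookie:` headers, `scheme://user:pass@` URLs, bearer tokens, JWTs, `****abcd`-style masked tokens) but cannot tell a secret hash from an artifact hash, so a clean scan only admits a package to reviewer review; the reviewer still applies the section 4 checks, and the `waiting_runtime_gate` decision stays a separate manual step that this routine never reaches.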