# S4.9 Reviewer Validation Checklist

| Item | Content |
|------|------|
| Date | 2026-06-05 |
| Baseline | `gitea/main=a516d3f8 docs(security): 補 S4.9 owner response intake form [skip ci]` |
| Upstream documents | `docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md`, `docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md` |
| Mode | reviewer validation checklist only |
| Must not be misread as | This document is not a request dispatch, not an owner response, not an accepted record, and not an execution authorization for repo / refs / workflow / secret / runner / host / runtime |

## 1. When to Use

This checklist is used only after the owner response intake form has entered `ready_for_reviewer_validation`. Its purpose is to let the reviewer decide, gate by gate, between "proceed to the next step", "request more evidence", "quarantine", and "reject".

Passing this checklist still does not constitute approval of any runtime action, GitHub primary, Kali scan, host maintenance, repo creation, refs sync, workflow modification, or Secret read. If any action needs to be carried out, it must be split out with its own independent manual approval, rollback, post-check, and audit record.

## 2. Reviewer Roles

| Role | Responsibility | Must not |
|------|----------|------------|
| Intake reviewer | Check that the five questions and six fields are complete | Fill in a decision on the owner's behalf |
| Redaction reviewer | Check that evidence refs contain only redacted references | Copy raw payload into documents, the LOGBOOK, or the front end |
| Scope reviewer | Check that the affected scope maps to a source-control / host / product range | Turn a scope judgement into a git or runtime action |
| Consistency reviewer | Cross-check owner, scope, and disposition against S4.5 / S4.10 / S4.11 / S4.12 / rollback handoff | Use a single form to cover gaps in other packets |
| Final recorder | Record the reviewer outcome, the reason for any evidence request, and the next owner | Write a reviewer note as accepted or approved |

## 3. Validation Gates

| Gate | Check | Pass condition | Failure outcome |
|------|------|----------|--------------|
| V0 | Baseline sync | Reviewer is using the latest `gitea/main`, the latest intake form, and the latest P0 ledger | `keep_waiting_owner_response` or re-sync |
| V1 | Five-question completeness | All five questions have a reply or an explicit pending-evidence status | `request_more_evidence` |
| V2 | Six-field completeness | Every question maps to `owner_role_or_team`, `decision`, `decision_reason`, `affected_scope`, `redacted_evidence_refs`, `followup_owner` | `request_more_evidence` |
| V3 | Decision allowlist | `decision` uses only `confirm`, `defer`, `reject`, `request_more_evidence` | `request_more_evidence` or `reject_execution_request` |
| V4 | Sensitive payload | No token, secret, private key, cookie, session, authorization header, runner token, webhook secret, DB dump, repo archive, or unredacted screenshot | `quarantine_sensitive_payload` |
| V5 | Execution request | No repo create, visibility change, refs sync, delete refs, workflow modification, runner enablement, Kali scan, `/execute`, SSH, host update, or runtime restart / rollout / scale / delete | `reject_execution_request` |
| V6 | Evidence refs | Evidence holds only document paths, snapshot ids, ticket ids, hashes, redacted metadata pointers, or quarantine pointers | `request_more_evidence` or `quarantine_sensitive_payload` |
| V7 | Cross-packet consistency | Owner, scope, canonical source, legacy disposition, workflow / secret names, and rollback owner do not contradict each other | `request_more_evidence` |
| V8 | Gate boundary | Every execution surface and the primary switch remain outside this gate, behind independent manual approval | `reject_execution_request` |
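As an added example that is not part of the S4.9 documents, the following Python evaluator runs gates V1 to V6 over a constructed intake form (V0, V7 and V8 depend on the baseline and the other packets, so they stay with the human reviewer). The form layout, the regular expressions and the accepted pointer formats for evidence refs are assumptions.

```python
import re

SIX_FIELDS = ("owner_role_or_team", "decision", "decision_reason",
              "affected_scope", "redacted_evidence_refs", "followup_owner")
DECISION_ALLOWLIST = {"confirm", "defer", "reject", "request_more_evidence"}
# V4: credential-shaped content only; S4.12 explicitly allows a secret *name* in prose.
SENSITIVE_RE = re.compile(
    r"(?i)(-----BEGIN [A-Z ]*PRIVATE KEY-----|\b(token|secret|password|cookie|session)\s*[=:]\s*\S+"
    r"|\bauthorization:\s*\S+|\bbearer\s+\S+|\bghp_[A-Za-z0-9]{20,})")
# V5: wording that asks the reviewer to act on git / workflow / runner / host / runtime.
EXECUTION_RE = re.compile(
    r"(?i)(\brepo create\b|\bvisibility change\b|\brefs sync\b|\bdelete refs\b|\bworkflow modif"
    r"|\brunner enabl|\bkali\b|\bscan\b|/execute\b|\bssh\b|\bhost update\b|\brestart\b|\brollout\b|\bscale\b)")
# V6: an evidence ref is a pointer, never a payload (these pointer formats are an assumption).
EVIDENCE_REF_RE = re.compile(
    r"^(docs/[\w./-]+|snapshot:[\w-]+|ticket:[\w-]+|sha256:[0-9a-f]{64}|quarantine:[\w-]+)$")


def evaluate(form):
    """Run gates V1..V6 over a list of five answer dicts; return (outcome, failed gates).
    Assumed precedence: quarantine, then execution rejection, then request_more_evidence."""
    failed = set()
    if len(form) != 5 or any(not answer for answer in form):
        failed.add("V1")
    for answer in form:
        if not all(answer.get(field) for field in SIX_FIELDS):
            failed.add("V2")
        if answer.get("decision") not in DECISION_ALLOWLIST:
            failed.add("V3")
        text = " ".join(str(answer.get(field, "")) for field in SIX_FIELDS)
        if SENSITIVE_RE.search(text):
            failed.add("V4")
        if EXECUTION_RE.search(text):
            failed.add("V5")
        refs = answer.get("redacted_evidence_refs") or []
        if not refs or not all(EVIDENCE_REF_RE.match(ref) for ref in refs):
            failed.add("V6")
    hard = [o for g, o in (("V4", "quarantine_sensitive_payload"),
                           ("V5", "reject_execution_request")) if g in failed]
    soft = "request_more_evidence" if failed else "ready_for_security_acceptance_record"
    return (hard[0] if hard else soft), sorted(failed)


def constructed_form(reason="Owner confirms the change stays inside docs/security"):
    """Five identical constructed answers; pass `reason` to inject text under review."""
    answer = {"owner_role_or_team": "platform-team", "decision": "confirm",
              "decision_reason": reason, "affected_scope": "docs/security",
              "redacted_evidence_refs": ["docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md",
                                         "ticket:SEC-0000"],  # constructed ticket id
              "followup_owner": "security-reviewer"}
    return [dict(answer) for _ in range(5)]
```

The keyword patterns are deliberately broad: a false positive only sends the form back for more evidence or to a split-out approval, whereas a miss would let a payload or an execution request through.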
## 4. Outcome Decision Table

| Outcome | When to use | May update | Must not update |
|---------|----------|------------|--------------|
| `keep_waiting_owner_response` | Form not yet received, only a blank form, only verbal agreement, or baseline out of date | waiting note, followup owner | received / accepted / rejected counts |
| `request_more_evidence` | Missing fields, unclear scope, insufficient evidence refs, or cross-packet contradiction | reason for the request, gap list, owner responsible for supplying it | accepted count, runtime gate |
| `quarantine_sensitive_payload` | Contains suspected sensitive payload, unredacted evidence, or a private credential URL | quarantine metadata, payload type, length, receipt time | raw payload, LOGBOOK raw text, front-end display |
| `reject_execution_request` | Carries a git / workflow / runner / host / scan / runtime execution request | rejection reason, type of manual approval that must be split out | action button, runtime gate, GitHub primary |
| `ready_for_security_acceptance_record` | Five questions complete, six fields complete, no sensitive payload, no execution request, cross-packet consistent | reviewer validation note, next-stage owner | automatic accepted, automatic dispatch, automatic execution |

## 5. Count Transition Boundaries

| Count / Flag | Precondition for change | Situations where it must stay unchanged |
|--------------|--------------|--------------------|
| `request_sent_count` | Manual dispatch audit metadata exists, and the dispatched content contains only the redacted form and the prohibition clauses | Only a request draft, template, handoff, or this checklist |
| `received_response_count` | A non-empty form was received, the five questions and six fields are readable, and sensitive payload has already been triaged out | Only verbal agreement, a blank form, incomplete mapping, or raw payload included |
| `accepted_response_count` | Reviewer validation passed and a separate security acceptance record exists | Only a form, only a reviewer note, only AwoooP approval, or only UI visibility |
| `rejected_response_count` | An actual reply was rejected and the rejection reason is recorded | No reply received yet, only more evidence needed, or only quarantine needed |
| `redacted_payload_ingested` | Redacted metadata has passed reviewer acceptance and no raw payload is present | Evidence refs unclear, payload not quarantined, or more evidence still needed |
| `runtime_execution_authorized` | A separate independent manual approval, rollback, post-check, disable plan, and audit record exist | Any S4.9 document, form, reviewer validation, or AwoooP approval |
| `github_primary_switch_authorized` | Separate primary readiness, owner acceptance, rollback ADR, and cutover approval exist | S4.9 owner response gate not yet accepted |
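The transition boundaries above as a guarded state machine, added here as an example rather than taken from the S4.9 documents: a counter or flag only moves when the audit metadata for its precondition is present, and the two authorization flags are refused no matter what the caller supplies. The audit metadata key names are assumptions.

```python
from dataclasses import dataclass, replace

class TransitionRefused(Exception): """A change without its precondition; state is left untouched."""

@dataclass(frozen=True)
class GateState:
    """S4.9 counters and flags, defaulting to the pre-acceptance baseline of section 8."""
    request_sent_count: int = 0
    received_response_count: int = 0
    accepted_response_count: int = 0
    rejected_response_count: int = 0
    redacted_payload_ingested: bool = False
    runtime_execution_authorized: bool = False
    github_primary_switch_authorized: bool = False

# Audit-metadata keys that must be truthy before a field may change, one entry per table
# row; the key names are assumptions, the conditions follow the table.
PRECONDITIONS = {
    "request_sent_count": ("dispatch_audit_id", "redacted_form_only", "prohibition_clause_included"),
    "received_response_count": ("form_nonempty", "six_fields_mapped", "sensitive_payload_triaged"),
    "accepted_response_count": ("reviewer_outcome", "security_acceptance_record_id"),
    "rejected_response_count": ("actual_response_received", "rejection_reason"),
    "redacted_payload_ingested": ("reviewer_validated_metadata", "raw_payload_absent"),
}
# Flags no S4.9 artefact may set: each needs its own approval packet outside this gate.
OUT_OF_SCOPE = ("runtime_execution_authorized", "github_primary_switch_authorized")

def transition(state, field_name, audit):
    """Return a new GateState with `field_name` advanced, or raise TransitionRefused."""
    if field_name in OUT_OF_SCOPE:
        raise TransitionRefused(f"{field_name}: not settable by any S4.9 form, note or approval")
    missing = [key for key in PRECONDITIONS[field_name] if not audit.get(key)]
    if missing:
        raise TransitionRefused(f"{field_name}: missing {missing}")
    if (field_name == "accepted_response_count"
            and audit["reviewer_outcome"] != "ready_for_security_acceptance_record"):
        raise TransitionRefused("accepted count needs a passed reviewer validation, not just a note")
    if field_name == "redacted_payload_ingested":
        return replace(state, redacted_payload_ingested=True)
    return replace(state, **{field_name: getattr(state, field_name) + 1})

def refused(state, field_name, audit):
    try:
        transition(state, field_name, audit)
    except TransitionRefused:
        return True
    return False
```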
## 6. Cross-packet Consistency Checklist

| Packet | Reviewer must check | On failure |
|------|---------------|----------|
| S4.5 Gitea authenticated inventory | Still collects only read-only metadata or a redacted admin export; no token values | Request more evidence or quarantine |
| S4.10 GitHub target owner response | Whether `not_found_or_private` has been misread as "does not exist" or as permission to create the repo | Request more evidence |
| S4.11 refs truth queue | Whether refs truth, deprecated / archive candidates, and GitHub-only refs have an owner decision | Request more evidence |
| S4.12 workflow / secret parity | Secret name parity contains only names and templates; no value, hash fragment, or partial token | Quarantine or request more evidence |
| Rollback ADR owner handoff | Rollback owner, trigger, validation window, and fallback role are consistent | Request more evidence |
| IwoooS runtime gate | Whether UI / matrix / AwoooP approval has been misread as runtime authorization | Reject the execution request |

## 7. Reviewer Output Template

```text
reviewer_validation_id:
baseline_commit:
intake_form_ref:
reviewer_role_or_team:
outcome:
outcome_reason:
passed_gates:
failed_gates:
missing_fields:
quarantine_refs:
cross_packet_conflicts:
followup_owner:
not_approval_statement:
```

`not_approval_statement` must state explicitly: this reviewer output is not an execution approval for repo / refs / workflow / secret / runner / host / runtime, and not a GitHub primary switch approval.

## 8. Pre-acceptance State

```text
request_sent=false
request_sent_count=0
received_response_count=0
accepted_response_count=0
rejected_response_count=0
owner_response_received_count=0
owner_response_accepted_count=0
redacted_payload_ingested=false
active_runtime_gate_count=0
runtime_execution_authorized=false
action_buttons_allowed=false
repo_creation_authorized=false
refs_sync_authorized=false
workflow_modification_authorized=false
github_primary_switch_authorized=false
host_update_authorized=false
active_scan_authorized=false
secret_value_collection_authorized=false
```

## 9. Completion Status for This Round

| Task | Completion | Notes |
|------|--------|------|
| S4.9 reviewer validation checklist | 100% | Reviewer roles, V0-V8 gates, outcome decision table, count transitions, and cross-packet consistency are fixed |
| S4.9 owner response gate | 0% | Not yet dispatched, no owner response received, not yet accepted |
| IwoooS overall | Stays at 64% | Completing the reviewer checklist does not raise runtime readiness |
| active runtime gate | 0 | Unchanged |