{ "schema_version": "security_approval_decision_record_v1", "status": "draft", "date": "2026-05-13", "mode": "decision_record_only", "runtime_execution_authorized": false, "source_indexes": [ "docs/security/security-approval-gate.snapshot.json", "docs/security/security-approval-queue.snapshot.json", "docs/security/security-approval-review-packet.snapshot.json", "docs/security/security-approval-state-transition.snapshot.json", "docs/security/security-followup-runtime-gate.snapshot.json", "docs/security/security-mirror-status-rollup.snapshot.json" ], "summary": { "total_decision_records": 0, "approve_scope_count": 0, "reject_count": 0, "defer_count": 0, "request_more_evidence_count": 0, "keep_blocked_count": 0, "pending_runtime_gate_count": 0, "runtime_actions_authorized": false, "raw_secret_storage_authorized": false }, "decision_records": [], "recording_rules": [ "每筆人工決策都必須引用 security_approval_gate_v1 的 gate_id 與 source_queue_item_id。", "若決策來自 security_approval_review_packet_v1,需在 notes 或 evidence refs 保留 packet_id 的稽核關聯。", "決策後的 next state 必須依 security_approval_state_transition_v1 顯示,且不得授權執行。", "approve_scope 只代表批准該 scope 進下一步設計、草案、只讀 inventory、低噪音 scope 或人工 exception;不代表可立即執行。", "所有 decision record 都必須維持 execution_authorized=false。", "若 decision=approve_scope,AwoooP 只能依 security_followup_runtime_gate_v1 顯示 runtime gate 準備模板,不得啟用 runtime gate。", "任何批准後的 scan、/execute、repo、refs、deploy、secret、RBAC、NetworkPolicy、firewall 變更都必須另有 follow-up runtime gate。", "決策紀錄不得保存 raw secret、token、cookie、private key、credential value 或 exploit payload。" ], "forbidden_actions": [ "execute_decision_record", "auto_approve", "execute_after_decision_without_runtime_gate", "start_kali_scan", "call_kali_execute_endpoint", "run_credentialed_scan", "create_github_repo", "change_repo_visibility", "sync_git_refs", "switch_github_primary", "auto_merge", "production_deploy", "store_secret_token_cookie_private_key_or_exploit_payload" ] }