{ "schema_version": "source_control_workflow_secret_name_export_request_v1", "status": "draft_waiting_owner_export", "date": "2026-06-11", "mode": "redacted_export_request_only", "runtime_execution_authorized": false, "source_contract": "source_control_workflow_secret_name_inventory_v1", "source_indexes": [ "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json", "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json", "docs/security/source-control-primary-readiness-gate.snapshot.json", "docs/security/security-rollout-policy.snapshot.json" ], "summary": { "candidate_repo_count": 10, "in_scope_request_count": 9, "external_scope_review_count": 1, "export_request_count": 9, "export_lane_count": 5, "owner_response_template_count": 5, "owner_response_received_count": 0, "owner_response_accepted_count": 0, "webhook_export_request_repo_count": 2, "runner_export_request_repo_count": 5, "deploy_key_export_request_repo_count": 1, "branch_protection_codeowners_export_request_repo_count": 6, "repository_secret_name_parity_export_request_repo_count": 9, "secret_value_collection_allowed": false, "write_token_allowed": false, "runtime_actions_authorized": false, "action_buttons_allowed": false }, "owner_response_packet": { "schema_version": "source_control_workflow_secret_name_owner_response_v1", "snapshot_path": "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json", "human_doc": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md", "response_template_count": 5, "received_response_count": 0, "accepted_response_count": 0, "rejected_response_count": 0, "execution_authorized": false, "allowed_effect": "response 通過後只更新 read-only inventory / export request / readiness wording,不授權 workflow/secret/runner/deploy key 變更" }, "export_lanes": [ { "lane_id": "webhook_redacted_export_request", "title": "Webhook 名稱、目的地 host 與事件類型 redacted export", "request_status": "waiting_owner_or_readonly_export", "allowed_fields": [ "provider", "webhook_name", "destination_host_redacted", "event_types", "active_enabled_flag", "owner", "last_updated_metadata" ], "forbidden_fields": [ "webhook_secret", "full_payload_url_with_token", "authorization_header", "cookie", "request_body", "secret_value" ], "accepted_producer_modes": [ "owner_attested_redacted_export", "read_only_api_summary", "admin_export_after_manual_redaction" ], "acceptance_gate": [ "每筆 webhook 必須只保留 host 或 redacted URL,不得包含 query token。", "必須標示 Gitea / GitHub 哪一端在 primary cutover 後負責發 webhook。", "若偵測到 secret value 或 token value,整份 export 必須進 mirror quarantine。" ], "execution_authorized": false }, { "lane_id": "runner_label_owner_export_request", "title": "Runner label / executor / hosted minutes 風險 redacted export", "request_status": "waiting_owner_or_readonly_export", "allowed_fields": [ "provider", "runner_label", "runner_scope", "executor_type", "host_alias", "hosted_or_self_hosted", "owner", "maintenance_window" ], "forbidden_fields": [ "runner_registration_token", "runner_admin_token", "ssh_private_key", "host_password", "api_token" ], "accepted_producer_modes": [ "owner_attested_redacted_export", "read_only_runner_inventory_summary" ], "acceptance_gate": [ "必須確認 GitHub primary 後哪些 workflow 仍使用 self-hosted runner,避免誤用 GitHub hosted minutes。", "只保存 label、owner 與 executor metadata,不保存 runner token。", "若 runner label 無 owner,必須保持 primary readiness blocked。" ], "execution_authorized": false }, { "lane_id": "deploy_key_redacted_export_request", "title": "Deploy key / machine key 名稱與 read-only 狀態 redacted export", "request_status": "waiting_owner_or_readonly_export", "allowed_fields": [ "provider", "key_name", "read_only_flag", "repo_scope", "owner", "last_seen_metadata" ], "forbidden_fields": [ "private_key", "public_key_full_value", "token_value", "password", "credential_value" ], "accepted_producer_modes": [ "owner_attested_redacted_export", "read_only_api_summary", "admin_export_after_manual_redaction" ], "acceptance_gate": [ "只允許列 key 名稱、read-only flag、repo scope 與 owner。", "不得保存 private key 或完整 public key material。", "write-capable key 必須只標成風險與 owner review,不得自動 rotate。" ], "execution_authorized": false }, { "lane_id": "branch_protection_codeowners_export_request", "title": "Branch protection / required checks / CODEOWNERS redacted export", "request_status": "waiting_owner_or_readonly_export", "allowed_fields": [ "provider", "protected_branch_name", "required_review_count", "required_status_check_names", "codeowners_path", "owner_team_names" ], "forbidden_fields": [ "team_secret", "personal_access_token", "admin_override_token", "session_cookie" ], "accepted_producer_modes": [ "owner_attested_redacted_export", "read_only_api_summary", "local_codeowners_snapshot" ], "acceptance_gate": [ "必須列出 GitHub primary 前 main/dev branch 的 protection 差異。", "required status checks 名稱必須與實際 workflow 或 runner label 對上。", "缺 CODEOWNERS 不等於 blocked runtime,只代表 primary readiness 未完成。" ], "execution_authorized": false }, { "lane_id": "repository_secret_name_parity_export_request", "title": "Repository secret 名稱 parity redacted export", "request_status": "waiting_owner_or_readonly_export", "allowed_fields": [ "provider", "secret_name", "secret_scope", "owning_team", "used_by_workflow_name", "rotation_owner", "present_in_gitea", "present_in_github" ], "forbidden_fields": [ "secret_value", "secret_plaintext", "token_value", "private_key", "credential_value" ], "accepted_producer_modes": [ "owner_attested_redacted_export", "read_only_secret_name_summary", "admin_export_after_manual_redaction" ], "acceptance_gate": [ "只比對 secret 名稱、scope、owner 與 present/absent metadata。", "不得輸出 value、hash、partial token 或可還原片段。", "缺漏 secret 只建立 owner review lane,不自動建立或 rotate secret。" ], "execution_authorized": false } ], "repo_export_requests": [ { "repo_key": "awoooi", "github_repo": "owenhytsai/awoooi", "source_key": "wooo/awoooi", "scope_status": "in_scope", "risk": "HIGH", "request_state": "waiting_owner_export", "requested_lanes": [ "webhook_redacted_export_request", "runner_label_owner_export_request", "branch_protection_codeowners_export_request", "repository_secret_name_parity_export_request" ], "owner_export_required": true, "read_only_api_allowed": true, "write_api_allowed": false, "secret_value_allowed": false, "acceptance_notes": [ "此 repo 是核心產品與 deploy workflow 主線,必須先確認 webhook、runner label、branch protection 與 secret name parity。", "若未證明 self-hosted runner owner 與 label 對齊,不可宣告 GitHub primary ready。" ], "still_forbidden": [ "修改 workflow", "rotate secret", "sync refs", "switch_github_primary" ] }, { "repo_key": "clawbot-v5", "github_repo": "owenhytsai/clawbot-v5", "source_key": "wooo/clawbot-v5", "scope_status": "in_scope", "risk": "MEDIUM", "request_state": "waiting_owner_export", "requested_lanes": [ "branch_protection_codeowners_export_request", "repository_secret_name_parity_export_request" ], "owner_export_required": true, "read_only_api_allowed": true, "write_api_allowed": false, "secret_value_allowed": false, "acceptance_notes": [ "本機 repo 可見但未找到 workflow / CODEOWNERS,仍需 owner 確認是否真的不需要 workflow 與 repo secret。", "若 GitHub target 另有 private workflow,必須用 redacted export 補證。" ], "still_forbidden": [ "建立 secret", "修改 branch protection", "push refs", "switch_github_primary" ] }, { "repo_key": "wooo-aiops", "github_repo": "owenhytsai/wooo-aiops", "source_key": "wooo/wooo-aiops", "scope_status": "in_scope", "risk": "MEDIUM", "request_state": "waiting_owner_export", "requested_lanes": [ "webhook_redacted_export_request", "runner_label_owner_export_request", "repository_secret_name_parity_export_request" ], "owner_export_required": true, "read_only_api_allowed": true, "write_api_allowed": false, "secret_value_allowed": false, "acceptance_notes": [ "S4.2 已看到 workflow 與 CODEOWNERS,本階段要補 webhook 與 secret name parity。", "若 workflow 使用 hosted runner,必須標出費用與額度風險,不自動切換 runner。" ], "still_forbidden": [ "delete GitHub-only refs", "修改 webhook", "搬移 secret value", "switch_github_primary" ] }, { "repo_key": "wooo-infra-config", "github_repo": "owenhytsai/wooo-infra-config", "source_key": "wooo/wooo-infra-config", "scope_status": "in_scope", "risk": "MEDIUM", "request_state": "waiting_owner_export", "requested_lanes": [ "runner_label_owner_export_request", "deploy_key_redacted_export_request", "branch_protection_codeowners_export_request", "repository_secret_name_parity_export_request" ], "owner_export_required": true, "read_only_api_allowed": true, "write_api_allowed": false, "secret_value_allowed": false, "acceptance_notes": [ "infra repo 只允許輸出 key 名稱、read-only flag 與 owner,不允許輸出 key material。", "110 internal remote 用途仍需 owner 決策,本 request 不授權改 remote。" ], "still_forbidden": [ "輸出 private key", "搬 infra secret value", "刪除 remote", "switch_github_primary" ] }, { "repo_key": "ewoooc", "github_repo": "owenhytsai/ewoooc", "source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees", "scope_status": "in_scope", "risk": "HIGH", "request_state": "waiting_owner_export", "requested_lanes": [ "runner_label_owner_export_request", "branch_protection_codeowners_export_request", "repository_secret_name_parity_export_request" ], "owner_export_required": true, "read_only_api_allowed": true, "write_api_allowed": false, "secret_value_allowed": false, "acceptance_notes": [ "此 repo 仍有 canonical target 與 unrelated history 風險,export request 只用來補 workflow / secret 名稱 evidence。", "必須先完成 canonical repo 人工確認,才可談 primary readiness。" ], "still_forbidden": [ "auto_create_repo", "auto_merge_unrelated_histories", "搬 secret value", "switch_github_primary" ] }, { "repo_key": "bitan-pharmacy", "github_repo": "owenhytsai/bitan-pharmacy", "source_key": "bitan-pharmacy", "scope_status": "in_scope", "risk": "MEDIUM", "request_state": "waiting_owner_export", "requested_lanes": [ "repository_secret_name_parity_export_request" ], "owner_export_required": true, "read_only_api_allowed": true, "write_api_allowed": false, "secret_value_allowed": false, "acceptance_notes": [ "本機 repo 可見但未找到 workflow;先要求 owner 確認是否有 repo secret 或外部 deploy key。", "若 repo 不再 active,需 owner 在 primary readiness board 標註,不自動封存。" ], "still_forbidden": [ "auto_create_repo", "push refs", "搬 secret value", "switch_github_primary" ] }, { "repo_key": "tsenyang-website", "github_repo": "owenhytsai/tsenyang-website", "source_key": "tsenyang-website", "scope_status": "in_scope", "risk": "MEDIUM", "request_state": "waiting_owner_export", "requested_lanes": [ "repository_secret_name_parity_export_request" ], "owner_export_required": true, "read_only_api_allowed": true, "write_api_allowed": false, "secret_value_allowed": false, "acceptance_notes": [ "本機 repo 可見但未找到 workflow;先要求 owner 確認是否有 repo secret 或外部 deploy key。", "若 repo 不再 active,需 owner 在 primary readiness board 標註,不自動封存。" ], "still_forbidden": [ "auto_create_repo", "push refs", "搬 secret value", "switch_github_primary" ] }, { "repo_key": "open-design", "github_repo": "nexu-io/open-design", "source_key": "open-design", "scope_status": "external_scope_review", "risk": "LOW", "request_state": "waiting_scope_review", "requested_lanes": [], "owner_export_required": false, "read_only_api_allowed": false, "write_api_allowed": false, "secret_value_allowed": false, "acceptance_notes": [ "此 repo 目前只做 external scope review,不進 AWOOOI GitHub primary cutover queue。", "若未來確認納入範圍,必須先建立新的 in-scope approval item。" ], "still_forbidden": [ "加入 primary cutover queue", "修改 repo visibility", "sync refs" ] }, { "repo_key": "vibework", "github_repo": "owenhytsai/VibeWork", "source_key": "vibework", "scope_status": "in_scope", "risk": "HIGH", "request_state": "waiting_owner_export", "requested_lanes": [ "branch_protection_codeowners_export_request", "repository_secret_name_parity_export_request" ], "owner_export_required": true, "read_only_api_allowed": true, "write_api_allowed": false, "secret_value_allowed": false, "acceptance_notes": [ "本機 repo 可見但未找到 workflow / CODEOWNERS,需 owner 確認是否另有私有 workflow、repo secret、deploy key 或外部部署面。", "回覆必須保留 VibeWork 獨立產品邊界;本 request 不授權 primary switch、repo creation 或 workflow 變更。" ], "still_forbidden": [ "auto_create_repo", "push_refs", "搬 secret value", "switch_github_primary", "把 VibeWork 併入 AWOOOI 產品邊界" ] }, { "repo_key": "agent-bounty-protocol", "github_repo": "owenhytsai/agent-bounty-protocol", "source_key": "agent-bounty-protocol", "scope_status": "in_scope", "risk": "HIGH", "request_state": "waiting_owner_export", "requested_lanes": [ "runner_label_owner_export_request", "branch_protection_codeowners_export_request", "repository_secret_name_parity_export_request" ], "owner_export_required": true, "read_only_api_allowed": true, "write_api_allowed": false, "secret_value_allowed": false, "acceptance_notes": [ "本機已見 1 個 Gitea workflow 與 ubuntu-latest runner label,但仍需 owner 補 runner owner、branch protection / CODEOWNERS 與 secret name parity。", "agent / bounty / treasury / MCP / A2A 執行邊界只能形成只讀 owner response,不授權 runtime execution。" ], "still_forbidden": [ "auto_create_repo", "push_refs", "修改 workflow", "啟用 runner", "搬 secret value", "switch_github_primary", "把 bounty / agent 執行候選當 runtime 授權" ] } ], "acceptance_rules": [ "每份 export 必須標示 producer、collection timestamp、redaction_status 與 evidence_ref。", "只讀 API export 只能使用 read-only token;若 token 具有 write scope,必須停止並改用 owner attestation 或管理匯出後手動脫敏。", "任何 secret value、token value、cookie、private key、webhook secret、runner registration token 都必須拒收並進 mirror quarantine。", "export request 完成只代表 evidence 可 review,不代表 GitHub primary ready。", "缺漏欄位只建立 owner review lane,不自動修改 repo、workflow、webhook、runner、deploy key、branch protection 或 secret。" ], "redaction_rules": [ "URL 必須移除 username、password、token 與 query secret,只保留 host 或 redacted path。", "secret 只能保存名稱、scope、owner、used_by_workflow 與 present/absent metadata。", "key 只能保存 key name、read_only_flag、repo_scope、owner,不保存 key material。", "runner 只能保存 label、scope、executor_type、host_alias、hosted_or_self_hosted 與 owner。", "任何可還原 credential 的 hash、prefix、suffix 或 partial token 都不得保存。" ], "forbidden_actions": [ "collect_secret_value", "store_secret_token_cookie_private_key_or_webhook_secret", "use_write_token", "call_runtime_execute", "modify_workflow", "modify_webhook", "modify_runner", "modify_deploy_key", "modify_branch_protection", "create_or_rotate_secret", "create_github_repo", "change_repo_visibility", "sync_git_refs", "switch_github_primary", "disable_gitea", "add_action_button" ] }