{ "schema_version": "source_control_workflow_secret_name_inventory_v1", "status": "draft_missing_evidence", "date": "2026-06-11", "mode": "inventory_contract_only", "runtime_execution_authorized": false, "source_indexes": [ "docs/security/source-control-primary-readiness-gate.snapshot.json", "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json", "docs/security/source-control-workflow-secret-name-export-request.snapshot.json", "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json", "docs/security/github-target-decision.snapshot.json", "docs/security/source-control-approval-board.snapshot.json", "docs/security/source-control-reconcile-plan.snapshot.json", "docs/security/security-rollout-policy.snapshot.json" ], "summary": { "candidate_repo_count": 10, "in_scope_repo_count": 9, "external_scope_count": 1, "inventory_complete_count": 0, "missing_inventory_count": 9, "owner_response_template_count": 5, "owner_response_received_count": 0, "owner_response_accepted_count": 0, "secret_value_collection_allowed": false, "runtime_actions_authorized": false, "action_buttons_allowed": false }, "owner_response_packet": { "schema_version": "source_control_workflow_secret_name_owner_response_v1", "snapshot_path": "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json", "human_doc": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md", "response_template_count": 5, "received_response_count": 0, "accepted_response_count": 0, "rejected_response_count": 0, "execution_authorized": false }, "inventory_lanes": [ { "lane_id": "workflow_file_inventory", "title": "workflow 名稱與觸發條件 inventory", "status": "contract_defined_not_collected", "allowed_fields": [ "workflow_file_path", "workflow_display_name", "trigger_names", "runner_label_names", "environment_names", "referenced_secret_names" ], "forbidden_fields": [ "secret_value", "token_value", "private_key", "webhook_secret", "deploy_key_private_material" ], "required_before_primary": [ "列出 Gitea/GitHub workflow 名稱與觸發條件差異", "確認 self-hosted runner label 是否一致", "確認 deployment marker / production deploy workflow 真相來源" ], "execution_authorized": false }, { "lane_id": "webhook_inventory", "title": "webhook 名稱、目的地與事件類型 inventory", "status": "contract_defined_not_collected", "allowed_fields": [ "webhook_name", "destination_host_redacted", "event_types", "active_enabled_flag", "owner" ], "forbidden_fields": [ "webhook_secret", "full_payload_url_with_token", "authorization_header", "cookie" ], "required_before_primary": [ "列出 Gitea/GitHub webhook 目的地與事件類型差異", "確認 primary cutover 後哪一端發 webhook", "確認不重複觸發 deploy 或 notification" ], "execution_authorized": false }, { "lane_id": "runner_inventory", "title": "runner label 與 executor inventory", "status": "contract_defined_not_collected", "allowed_fields": [ "runner_label", "runner_scope", "executor_type", "host_alias", "owner" ], "forbidden_fields": [ "runner_registration_token", "ssh_private_key", "host_password", "api_token" ], "required_before_primary": [ "確認 GitHub primary 後使用 self-hosted runner,不消耗 GitHub hosted 額度", "確認 runner label 與 workflow expectations 一致", "確認 runner owner 與維護窗口" ], "execution_authorized": false }, { "lane_id": "deploy_key_inventory", "title": "deploy key / machine key 名稱 inventory", "status": "contract_defined_not_collected", "allowed_fields": [ "key_name", "read_only_flag", "repo_scope", "owner", "last_seen_metadata" ], "forbidden_fields": [ "private_key", "public_key_full_value_if_sensitive", "token_value", "password" ], "required_before_primary": [ "確認 deploy key 是否 read-only", "確認 key owner 與 repo scope", "確認 primary cutover 不需要搬移 private key value" ], "execution_authorized": false }, { "lane_id": "branch_protection_codeowners_inventory", "title": "branch protection / CODEOWNERS inventory", "status": "contract_defined_not_collected", "allowed_fields": [ "protected_branch_name", "required_review_count", "required_status_check_names", "codeowners_path", "owner_team_names" ], "forbidden_fields": [ "team_secret", "personal_access_token", "admin_override_token" ], "required_before_primary": [ "確認 main/dev branch protection 差異", "確認 required status checks 名稱與 CI provider 對齊", "確認 CODEOWNERS 是否存在與 owner team 是否有效" ], "execution_authorized": false }, { "lane_id": "secret_name_inventory", "title": "secret 名稱與 owner inventory", "status": "contract_defined_not_collected", "allowed_fields": [ "secret_name", "secret_scope", "owning_team", "used_by_workflow_name", "rotation_owner" ], "forbidden_fields": [ "secret_value", "secret_plaintext", "token_value", "private_key", "credential_value" ], "required_before_primary": [ "只列 secret 名稱與 owner,不列 value", "確認 Gitea/GitHub secret name parity", "確認缺漏 secret 的 owner 與補證流程" ], "execution_authorized": false }, { "lane_id": "redaction_audit_inventory", "title": "redaction 與 audit inventory", "status": "contract_defined_not_collected", "allowed_fields": [ "redaction_status", "evidence_ref", "producer", "reviewer", "collection_timestamp" ], "forbidden_fields": [ "raw_secret", "raw_token", "raw_cookie", "raw_private_key", "raw_webhook_secret" ], "required_before_primary": [ "每份 inventory snapshot 都必須標示已脫敏", "敏感值掃描通過後才可 mirror", "失敗 payload 必須進 quarantine,不得寫入 Runtime State" ], "execution_authorized": false } ], "repo_inventory_readiness": [ { "github_repo": "owenhytsai/awoooi", "source_key": "wooo/awoooi", "scope_status": "in_scope", "inventory_state": "missing_evidence", "risk": "HIGH", "required_inventory": [ "workflow_file_inventory", "webhook_inventory", "runner_inventory", "secret_name_inventory", "branch_protection_codeowners_inventory" ], "current_gap": [ "production deploy workflow / deployment marker 名稱 parity 尚未完成", "runner label 與 required status checks 尚未整理", "secret 只能列名稱與 owner,尚無 redacted snapshot" ], "allowed_now": [ "建立 read-only inventory request", "顯示缺口與 owner", "等待 redacted snapshot" ], "still_forbidden": [ "搬移 secret value", "修改 workflow", "切 GitHub primary", "停用 Gitea deploy path" ] }, { "github_repo": "owenhytsai/clawbot-v5", "source_key": "wooo/clawbot-v5", "scope_status": "in_scope", "inventory_state": "missing_evidence", "risk": "MEDIUM", "required_inventory": [ "workflow_file_inventory", "secret_name_inventory", "branch_protection_codeowners_inventory" ], "current_gap": [ "workflow / secret 名稱 parity 尚未整理", "required status checks 尚未確認" ], "allowed_now": [ "顯示 missing evidence", "要求 repo owner 補 redacted inventory" ], "still_forbidden": [ "建立或修改 secrets", "sync refs", "切 primary" ] }, { "github_repo": "owenhytsai/wooo-aiops", "source_key": "wooo/wooo-aiops", "scope_status": "in_scope", "inventory_state": "missing_evidence", "risk": "MEDIUM", "required_inventory": [ "workflow_file_inventory", "webhook_inventory", "secret_name_inventory" ], "current_gap": [ "GitHub-only refs 與 workflow 來源尚未釐清", "webhook / secret 名稱 parity 尚未整理" ], "allowed_now": [ "顯示 source-control review lane", "要求 owner 補 workflow / webhook 名稱" ], "still_forbidden": [ "delete GitHub-only refs", "搬 secret value", "切 primary" ] }, { "github_repo": "owenhytsai/wooo-infra-config", "source_key": "wooo/wooo-infra-config", "scope_status": "in_scope", "inventory_state": "missing_evidence", "risk": "MEDIUM", "required_inventory": [ "deploy_key_inventory", "secret_name_inventory", "branch_protection_codeowners_inventory" ], "current_gap": [ "infra secret 名稱 inventory 尚未完成", "deploy key / machine key owner 尚未確認", "110 internal remote 用途仍需 owner 決策" ], "allowed_now": [ "只列 key / secret 名稱與 owner", "顯示 internal remote purpose review" ], "still_forbidden": [ "搬 infra secret value", "輸出 private key", "刪除 remote", "切 primary" ] }, { "github_repo": "owenhytsai/ewoooc", "source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees", "scope_status": "in_scope", "inventory_state": "missing_evidence", "risk": "HIGH", "required_inventory": [ "workflow_file_inventory", "secret_name_inventory", "branch_protection_codeowners_inventory" ], "current_gap": [ "canonical repo 尚未人工確認", "GitHub target 未授權 probe 看不到", "workflow / secret 名稱 inventory 尚未建立" ], "allowed_now": [ "顯示 target creation/access review", "要求 owner 補 canonical 與 redacted inventory" ], "still_forbidden": [ "auto_create_repo", "auto_merge_unrelated_histories", "搬 secret value", "切 primary" ] }, { "github_repo": "owenhytsai/bitan-pharmacy", "source_key": "bitan-pharmacy", "scope_status": "in_scope", "inventory_state": "missing_evidence", "risk": "MEDIUM", "required_inventory": [ "workflow_file_inventory", "secret_name_inventory" ], "current_gap": [ "GitHub target 未確認", "repo 是否仍 active 尚未確認", "workflow / secret 名稱 inventory 尚未建立" ], "allowed_now": [ "顯示 target creation/access review", "要求 owner 確認 active 狀態" ], "still_forbidden": [ "auto_create_repo", "push refs", "搬 secret value", "切 primary" ] }, { "github_repo": "owenhytsai/tsenyang-website", "source_key": "tsenyang-website", "scope_status": "in_scope", "inventory_state": "missing_evidence", "risk": "MEDIUM", "required_inventory": [ "workflow_file_inventory", "secret_name_inventory" ], "current_gap": [ "GitHub target 未確認", "repo 是否仍 active 尚未確認", "workflow / secret 名稱 inventory 尚未建立" ], "allowed_now": [ "顯示 target creation/access review", "要求 owner 確認 active 狀態" ], "still_forbidden": [ "auto_create_repo", "push refs", "搬 secret value", "切 primary" ] }, { "github_repo": "nexu-io/open-design", "source_key": "open-design", "scope_status": "external_scope_review", "inventory_state": "scope_review_only", "risk": "LOW", "required_inventory": [ "scope ownership only" ], "current_gap": [ "尚未確認是否屬於 AWOOOI 資安供應鏈範圍" ], "allowed_now": [ "顯示 scope review", "維持 observe-only" ], "still_forbidden": [ "加入 primary cutover queue", "修改 repo visibility", "sync refs" ] }, { "github_repo": "owenhytsai/VibeWork", "source_key": "vibework", "scope_status": "in_scope", "inventory_state": "missing_evidence", "risk": "HIGH", "required_inventory": [ "workflow_file_inventory", "secret_name_inventory", "branch_protection_codeowners_inventory" ], "current_gap": [ "本機 repo 可見但未找到 workflow / CODEOWNERS,仍需 owner 確認是否另有部署 workflow、repo secret 或外部 deploy key", "VibeWork 必須保留獨立產品邊界,不得被 AWOOOI source-control primary 決策直接併入", "GitHub / Gitea target、canonical source 與 secret name parity 尚未完成人工決策" ], "allowed_now": [ "顯示 VibeWork 納管範圍與缺口", "要求 owner 補 repo / product / surface / owner / evidence refs", "保持只讀 evidence 與獨立產品邊界" ], "still_forbidden": [ "auto_create_repo", "push_refs", "搬 secret value", "切 primary", "把 VibeWork 產品邊界併入 AWOOOI" ] }, { "github_repo": "owenhytsai/agent-bounty-protocol", "source_key": "agent-bounty-protocol", "scope_status": "in_scope", "inventory_state": "missing_evidence", "risk": "HIGH", "required_inventory": [ "workflow_file_inventory", "runner_inventory", "secret_name_inventory", "branch_protection_codeowners_inventory" ], "current_gap": [ "新納入專案,本機已見 1 個 Gitea workflow、0 個 referenced secret names 與 ubuntu-latest runner label,但 owner / target / canonical 決策未完成", "A2A / MCP / bounty / treasury / agent execution 邊界尚未建立資安 owner response", "branch protection、CODEOWNERS 與 repository secret name parity 尚未完成只讀 export" ], "allowed_now": [ "顯示 agent-bounty-protocol 新納管缺口", "只讀列出 workflow 名稱、runner label 與 secret name parity 缺口", "要求 owner 補 agent / bounty / treasury / execution surface 邊界" ], "still_forbidden": [ "auto_create_repo", "push_refs", "修改 workflow", "啟用 runner", "搬 secret value", "切 primary", "把 bounty / agent 執行候選當 runtime 授權" ] } ], "inventory_rules": [ "本契約只定義 workflow / runner / webhook / deploy key / secret 名稱 inventory 欄位,不代表 inventory 已完成。", "secret_name_inventory 只允許保存 secret_name、scope、owner 與 used_by_workflow_name,禁止保存 value。", "任何 raw secret、token、cookie、private key、webhook secret 或 credential value 都必須被拒收並進 quarantine。", "此 inventory 完成前,GitHub primary readiness gate 必須維持 blocked。", "S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence,但 webhook、deploy key、branch protection 與 repository secret parity 仍未完成。", "S4.3 已補 redacted export request package,將 webhook、runner、deploy key、branch protection/CODEOWNERS 與 repository secret name parity 的 owner / read-only export 欄位、拒收欄位與 acceptance gate 文件化;它仍不是 API 執行或 primary cutover 批准。", "S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,將 5 類 export lanes 的 request 欄位、等待狀態、0 emitted 脫敏 audit metadata 模板、安全回覆範例、只讀收件檢查、response 欄位、驗收規則與拒收規則文件化;received_response_count=0、audit_events_emitted=0,仍不得收集 secret value 或修改 workflow。", "inventory snapshot 只能 mirror 成 Operator Console / Audit evidence,不得新增 execution action。" ], "forbidden_actions": [ "collect_secret_value", "store_secret_token_cookie_private_key_or_exploit_payload", "create_github_repo", "change_repo_visibility", "sync_git_refs", "delete_git_refs", "force_push", "switch_github_primary", "disable_gitea", "modify_workflow", "rotate_secret", "add_action_button" ] }