{ "schema_version": "source_control_workflow_secret_name_local_evidence_v1", "status": "draft_partial_local_evidence", "date": "2026-06-11", "mode": "local_read_only_redacted_inventory", "runtime_execution_authorized": false, "source_contract": "source_control_workflow_secret_name_inventory_v1", "summary": { "candidate_repo_count": 10, "local_repo_visible_count": 9, "local_evidence_repo_count": 5, "workflow_file_count": 33, "gitea_workflow_file_count": 12, "github_workflow_file_count": 21, "codeowners_file_count": 2, "unique_secret_name_count": 42, "runner_label_count": 5, "secret_value_collection_allowed": false, "secret_value_detected": false, "runtime_actions_authorized": false, "action_buttons_allowed": false }, "unique_secret_names": [ "ARGOCD_API_TOKEN", "AWOOOI_GITEA_API_TOKEN", "AWOOOI_GITEA_WEBHOOK_SECRET", "AWOOOP_OPERATOR_API_KEY", "CD_PUSH_TOKEN", "CLAUDE_API_KEY", "CODECOV_TOKEN", "DATABASE_URL", "DEPLOY_SSH_KEY", "GEMINI_API_KEY", "GITEA_MIRROR_TOKEN", "GITHUB_TOKEN", "HARBOR_PASSWORD", "HARBOR_USER", "HARBOR_USERNAME", "INTERNAL_WEBHOOK_TOKEN", "JWT_ALGORITHM", "JWT_SECRET", "KUBE_CONFIG_PREVIEW", "KUBE_CONFIG_PROD", "KUBE_CONFIG_PRODUCTION", "KUBE_CONFIG_STAGING", "LANGFUSE_PUBLIC_KEY", "LANGFUSE_SECRET_KEY", "MIGRATION_DATABASE_URL", "NEMOTRON_BOT_TOKEN", "NVIDIA_API_KEY", "OPENCLAW_BOT_TOKEN", "OPENCLAW_TG_BOT_TOKEN", "OPENCLAW_TG_CHAT_ID", "OPENCLAW_TG_USER_WHITELIST", "REDIS_URL", "RUNNER_ADMIN_TOKEN", "SENTRY_AUTH_TOKEN", "SENTRY_DSN", "SMTP_HOST", "SRE_GROUP_CHAT_ID", "STAGING_API_URL", "STAGING_FRONTEND_URL", "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID", "WEBHOOK_HMAC_SECRET" ], "runner_label_names": [ "awoooi-host", "harbor", "k8s", "self-hosted", "ubuntu-latest" ], "repos": [ { "repo_key": "awoooi", "repo_path": "/private/tmp/awoooi-agent-bounty-iwooos-20260611", "github_repo": "owenhytsai/awoooi", "source_key": "wooo/awoooi", "scope_status": "in_scope", "risk": "HIGH", "local_status": "partial_local_evidence", "workflow_files": [ { "provider": "gitea", "workflow_file_path": ".gitea/workflows/agent-market-watch.yaml", "workflow_display_name": "Agent Market Watch", "trigger_names": [ "schedule", "workflow_dispatch" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [] }, { "provider": "gitea", "workflow_file_path": ".gitea/workflows/ansible-lint.yml", "workflow_display_name": "Ansible Lint", "trigger_names": [ "paths", "pull_request", "push" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [] }, { "provider": "gitea", "workflow_file_path": ".gitea/workflows/cd-dev.yaml", "workflow_display_name": "CD Pipeline (Dev)", "trigger_names": [ "branches", "push", "workflow_dispatch" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [ "DEPLOY_SSH_KEY", "GEMINI_API_KEY", "HARBOR_PASSWORD", "HARBOR_USERNAME", "NVIDIA_API_KEY", "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID" ] }, { "provider": "gitea", "workflow_file_path": ".gitea/workflows/cd.yaml", "workflow_display_name": "CD Pipeline", "trigger_names": [ "branches", "paths", "push", "workflow_dispatch" ], "runner_label_names": [ "awoooi-host" ], "environment_names": [], "referenced_secret_names": [ "ARGOCD_API_TOKEN", "AWOOOI_GITEA_API_TOKEN", "AWOOOI_GITEA_WEBHOOK_SECRET", "AWOOOP_OPERATOR_API_KEY", "CD_PUSH_TOKEN", "CLAUDE_API_KEY", "DATABASE_URL", "DEPLOY_SSH_KEY", "GEMINI_API_KEY", "HARBOR_PASSWORD", "HARBOR_USERNAME", "JWT_ALGORITHM", "JWT_SECRET", "LANGFUSE_PUBLIC_KEY", "LANGFUSE_SECRET_KEY", "MIGRATION_DATABASE_URL", "NEMOTRON_BOT_TOKEN", "NVIDIA_API_KEY", "OPENCLAW_BOT_TOKEN", "OPENCLAW_TG_USER_WHITELIST", "REDIS_URL", "SENTRY_AUTH_TOKEN", "SENTRY_DSN", "SMTP_HOST", "SRE_GROUP_CHAT_ID", "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID", "WEBHOOK_HMAC_SECRET" ] }, { "provider": "gitea", "workflow_file_path": ".gitea/workflows/code-review.yaml", "workflow_display_name": "Code Review", "trigger_names": [ "branches", "paths", "push", "workflow_dispatch" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [ "TELEGRAM_BOT_TOKEN" ] }, { "provider": "gitea", "workflow_file_path": ".gitea/workflows/deploy-alerts.yaml", "workflow_display_name": "Deploy Alert Rules", "trigger_names": [ "branches", "paths", "push", "workflow_dispatch" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [ "DEPLOY_SSH_KEY", "TELEGRAM_BOT_TOKEN" ] }, { "provider": "gitea", "workflow_file_path": ".gitea/workflows/e2e-health.yaml", "workflow_display_name": "E2E Health Check", "trigger_names": [ "schedule", "workflow_dispatch" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [ "AWOOOP_OPERATOR_API_KEY", "OPENCLAW_TG_BOT_TOKEN" ] }, { "provider": "gitea", "workflow_file_path": ".gitea/workflows/run-migration.yml", "workflow_display_name": "run-migration", "trigger_names": [ "branches", "paths", "push", "workflow_dispatch" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [ "DATABASE_URL", "MIGRATION_DATABASE_URL", "TELEGRAM_BOT_TOKEN" ] }, { "provider": "gitea", "workflow_file_path": ".gitea/workflows/type-sync-check.yaml", "workflow_display_name": "Type Sync Check", "trigger_names": [ "branches", "paths", "pull_request", "push" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [] }, { "provider": "github", "workflow_file_path": ".github/workflows/cd.yaml", "workflow_display_name": "CD", "trigger_names": [ "default", "description", "force_deploy", "inputs", "skip_api", "skip_web", "type", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [ "production" ], "referenced_secret_names": [ "CLAUDE_API_KEY", "DATABASE_URL", "GEMINI_API_KEY", "GITEA_MIRROR_TOKEN", "HARBOR_PASSWORD", "HARBOR_USER", "KUBE_CONFIG_PROD", "NVIDIA_API_KEY", "OPENCLAW_TG_BOT_TOKEN", "OPENCLAW_TG_CHAT_ID", "REDIS_URL", "SENTRY_AUTH_TOKEN", "SENTRY_DSN", "WEBHOOK_HMAC_SECRET" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/ci.yaml", "workflow_display_name": "CI", "trigger_names": [ "branches", "pull_request", "push", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "CODECOV_TOKEN" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/daily-e2e-health.yaml", "workflow_display_name": "Daily E2E Health Check", "trigger_names": [ "api_url", "default", "description", "dry_run", "inputs", "options", "required", "schedule", "type", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "OPENCLAW_TG_BOT_TOKEN", "OPENCLAW_TG_CHAT_ID", "WEBHOOK_HMAC_SECRET" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/deploy-prod.yml", "workflow_display_name": "Deploy to Production", "trigger_names": [ "default", "deploy_api", "deploy_web", "deploy_worker", "description", "inputs", "required", "skip_tests", "type", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "HARBOR_PASSWORD", "HARBOR_USER", "OPENCLAW_TG_BOT_TOKEN", "OPENCLAW_TG_CHAT_ID" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/nightly-llm.yaml", "workflow_display_name": "Nightly LLM Tests", "trigger_names": [ "default", "description", "inputs", "required", "schedule", "timeout", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [] }, { "provider": "github", "workflow_file_path": ".github/workflows/runner-healthcheck.yml", "workflow_display_name": "Runner Health Check", "trigger_names": [ "default", "description", "inputs", "notify_telegram", "required", "schedule", "type", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [] } ], "codeowners_files": [], "referenced_secret_names": [ "ARGOCD_API_TOKEN", "AWOOOI_GITEA_API_TOKEN", "AWOOOI_GITEA_WEBHOOK_SECRET", "AWOOOP_OPERATOR_API_KEY", "CD_PUSH_TOKEN", "CLAUDE_API_KEY", "CODECOV_TOKEN", "DATABASE_URL", "DEPLOY_SSH_KEY", "GEMINI_API_KEY", "GITEA_MIRROR_TOKEN", "HARBOR_PASSWORD", "HARBOR_USER", "HARBOR_USERNAME", "JWT_ALGORITHM", "JWT_SECRET", "KUBE_CONFIG_PROD", "LANGFUSE_PUBLIC_KEY", "LANGFUSE_SECRET_KEY", "MIGRATION_DATABASE_URL", "NEMOTRON_BOT_TOKEN", "NVIDIA_API_KEY", "OPENCLAW_BOT_TOKEN", "OPENCLAW_TG_BOT_TOKEN", "OPENCLAW_TG_CHAT_ID", "OPENCLAW_TG_USER_WHITELIST", "REDIS_URL", "SENTRY_AUTH_TOKEN", "SENTRY_DSN", "SMTP_HOST", "SRE_GROUP_CHAT_ID", "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID", "WEBHOOK_HMAC_SECRET" ], "runner_label_names": [ "awoooi-host", "harbor", "k8s", "self-hosted", "ubuntu-latest" ], "environment_names": [ "production" ], "api_required_lanes": [ "webhook_inventory", "deploy_key_inventory", "branch_protection_inventory", "repository_secret_name_parity" ], "still_forbidden": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] }, { "repo_key": "clawbot-v5", "repo_path": "/Users/ogt/clawbot-v5", "github_repo": "owenhytsai/clawbot-v5", "source_key": "wooo/clawbot-v5", "scope_status": "in_scope", "risk": "MEDIUM", "local_status": "local_repo_visible_no_workflow_files", "workflow_files": [], "codeowners_files": [], "referenced_secret_names": [], "runner_label_names": [], "environment_names": [], "api_required_lanes": [ "webhook_inventory", "deploy_key_inventory", "branch_protection_inventory", "repository_secret_name_parity" ], "still_forbidden": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] }, { "repo_key": "wooo-aiops", "repo_path": "/Users/ogt/wooo-aiops", "github_repo": "owenhytsai/wooo-aiops", "source_key": "wooo/wooo-aiops", "scope_status": "in_scope", "risk": "MEDIUM", "local_status": "partial_local_evidence", "workflow_files": [ { "provider": "gitea", "workflow_file_path": ".gitea/workflows/deploy-uat.yaml", "workflow_display_name": "Deploy to UAT", "trigger_names": [ "branches", "push", "workflow_dispatch" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [] }, { "provider": "github", "workflow_file_path": ".github/workflows/cd.yaml", "workflow_display_name": "CD Pipeline", "trigger_names": [ "description", "environment", "inputs", "options", "release", "required", "type", "types", "version", "workflow_dispatch" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [ "description: \"Target environment\"", "name: production", "staging" ], "referenced_secret_names": [ "GITHUB_TOKEN", "KUBE_CONFIG_PRODUCTION", "KUBE_CONFIG_STAGING", "STAGING_API_URL", "STAGING_FRONTEND_URL" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/ci.yml", "workflow_display_name": "WOOO AIOps CI/CD (v4.1 Native BuildKit + ClawBot 告警)", "trigger_names": [ "branches", "default", "description", "force_deploy", "inputs", "push", "required", "type", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "HARBOR_PASSWORD", "HARBOR_USER", "SENTRY_DSN", "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/clawbot-build.yml", "workflow_display_name": "ClawBot Build & Push", "trigger_names": [ "default", "deploy_to_188", "description", "inputs", "required", "tag_suffix", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "HARBOR_PASSWORD", "HARBOR_USER", "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/clear-cache.yml", "workflow_display_name": "🧹 Clear Next.js Cache (Panic Button)", "trigger_names": [ "confirm", "default", "description", "inputs", "required", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [] }, { "provider": "github", "workflow_file_path": ".github/workflows/deploy.yml", "workflow_display_name": "Deploy to K3s", "trigger_names": [ "default", "description", "environment", "inputs", "options", "required", "skip_tests", "type", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [ "description: 'Deployment environment'" ], "referenced_secret_names": [] }, { "provider": "github", "workflow_file_path": ".github/workflows/fast-deploy-uat.yml", "workflow_display_name": "🚀 Fast Deploy to UAT", "trigger_names": [ "default", "description", "inputs", "reason", "required", "skip_api", "skip_frontend", "type", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "SENTRY_DSN" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/pr-check.yml", "workflow_display_name": "PR Check", "trigger_names": [ "pull_request", "types" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "GITHUB_TOKEN" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/preview.yml", "workflow_display_name": "PR Preview Environment", "trigger_names": [ "pull_request", "types" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "KUBE_CONFIG_PREVIEW" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/rollback.yml", "workflow_display_name": "🔄 Emergency Rollback (OPS.71)", "trigger_names": [ "confirm", "default", "description", "inputs", "options", "required", "service", "target_version", "type", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "HARBOR_PASSWORD", "HARBOR_USER" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/runner-healthcheck.yml", "workflow_display_name": "Runner Health Check", "trigger_names": [ "default", "description", "inputs", "notify_telegram", "required", "schedule", "type", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted", "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [ "GITHUB_TOKEN", "RUNNER_ADMIN_TOKEN", "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/scheduled-build.yml", "workflow_display_name": "Scheduled Snapshot Build", "trigger_names": [ "default", "description", "force_build", "inputs", "required", "schedule", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [] }, { "provider": "github", "workflow_file_path": ".github/workflows/usage-monitor.yml", "workflow_display_name": "📊 GitHub Actions Usage Monitor", "trigger_names": [ "default", "description", "force_alert", "inputs", "required", "schedule", "workflow_dispatch" ], "runner_label_names": [ "harbor", "k8s", "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "GITHUB_TOKEN" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/version-audit.yml", "workflow_display_name": "🔍 Version Drift Audit", "trigger_names": [ "default", "description", "force_alert", "inputs", "required", "schedule", "type", "workflow_dispatch" ], "runner_label_names": [ "self-hosted" ], "environment_names": [], "referenced_secret_names": [ "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID" ] } ], "codeowners_files": [ { "codeowners_path": "CODEOWNERS", "owner_tokens": [ "@CIO", "@CISO", "@CPO", "@CTO" ], "owner_token_count": 4 }, { "codeowners_path": ".github/CODEOWNERS", "owner_tokens": [ "@owenhytsai" ], "owner_token_count": 1 } ], "referenced_secret_names": [ "GITHUB_TOKEN", "HARBOR_PASSWORD", "HARBOR_USER", "KUBE_CONFIG_PREVIEW", "KUBE_CONFIG_PRODUCTION", "KUBE_CONFIG_STAGING", "RUNNER_ADMIN_TOKEN", "SENTRY_DSN", "STAGING_API_URL", "STAGING_FRONTEND_URL", "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID" ], "runner_label_names": [ "harbor", "k8s", "self-hosted", "ubuntu-latest" ], "environment_names": [ "description: \"Target environment\"", "description: 'Deployment environment'", "name: production", "staging" ], "api_required_lanes": [ "webhook_inventory", "deploy_key_inventory", "branch_protection_inventory", "repository_secret_name_parity" ], "still_forbidden": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] }, { "repo_key": "wooo-infra-config", "repo_path": "/Users/ogt/wooo-infra-config", "github_repo": "owenhytsai/wooo-infra-config", "source_key": "wooo/wooo-infra-config", "scope_status": "in_scope", "risk": "MEDIUM", "local_status": "partial_local_evidence", "workflow_files": [ { "provider": "github", "workflow_file_path": ".github/workflows/validate.yml", "workflow_display_name": "Validate Configs", "trigger_names": [ "branches", "pull_request", "push" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [ "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID" ] } ], "codeowners_files": [], "referenced_secret_names": [ "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "api_required_lanes": [ "webhook_inventory", "deploy_key_inventory", "branch_protection_inventory", "repository_secret_name_parity" ], "still_forbidden": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] }, { "repo_key": "ewoooc-momo", "repo_path": "/Users/ogt/momo-pro-system", "github_repo": "owenhytsai/ewoooc", "source_key": "wooo/ewoooc / root/momo-pro-system", "scope_status": "in_scope", "risk": "HIGH", "local_status": "partial_local_evidence", "workflow_files": [ { "provider": "gitea", "workflow_file_path": ".gitea/workflows/cd.yaml", "workflow_display_name": "CD Pipeline", "trigger_names": [ "branches", "paths", "push", "workflow_dispatch" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [ "DEPLOY_SSH_KEY", "INTERNAL_WEBHOOK_TOKEN", "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID" ] }, { "provider": "github", "workflow_file_path": ".github/workflows/code-review.yml", "workflow_display_name": "Aider Code Review", "trigger_names": [ "branches", "default", "description", "inputs", "options", "pull_request", "push", "required", "review_type", "target_files", "type", "workflow_dispatch" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [] } ], "codeowners_files": [], "referenced_secret_names": [ "DEPLOY_SSH_KEY", "INTERNAL_WEBHOOK_TOKEN", "TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "api_required_lanes": [ "webhook_inventory", "deploy_key_inventory", "branch_protection_inventory", "repository_secret_name_parity" ], "still_forbidden": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] }, { "repo_key": "bitan-pharmacy", "repo_path": "/Users/ogt/bitan-pharmacy", "github_repo": "owenhytsai/bitan-pharmacy", "source_key": "bitan-pharmacy", "scope_status": "in_scope", "risk": "MEDIUM", "local_status": "local_repo_visible_no_workflow_files", "workflow_files": [], "codeowners_files": [], "referenced_secret_names": [], "runner_label_names": [], "environment_names": [], "api_required_lanes": [ "webhook_inventory", "deploy_key_inventory", "branch_protection_inventory", "repository_secret_name_parity" ], "still_forbidden": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] }, { "repo_key": "tsenyang-website", "repo_path": "/Users/ogt/tsenyang-website", "github_repo": "owenhytsai/tsenyang-website", "source_key": "tsenyang-website", "scope_status": "in_scope", "risk": "MEDIUM", "local_status": "local_repo_visible_no_workflow_files", "workflow_files": [], "codeowners_files": [], "referenced_secret_names": [], "runner_label_names": [], "environment_names": [], "api_required_lanes": [ "webhook_inventory", "deploy_key_inventory", "branch_protection_inventory", "repository_secret_name_parity" ], "still_forbidden": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] }, { "repo_key": "open-design", "repo_path": "/Users/ogt/open-design", "github_repo": "nexu-io/open-design", "source_key": "open-design", "scope_status": "external_scope_review", "risk": "LOW", "local_status": "missing_local_repo", "workflow_files": [], "codeowners_files": [], "referenced_secret_names": [], "runner_label_names": [], "environment_names": [], "api_required_lanes": [ "webhook_inventory", "deploy_key_inventory", "branch_protection_inventory", "repository_secret_name_parity" ], "still_forbidden": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] }, { "repo_key": "vibework", "repo_path": "/Users/ogt/Documents/VibeWork", "github_repo": "owenhytsai/VibeWork", "source_key": "vibework", "scope_status": "in_scope", "risk": "HIGH", "local_status": "local_repo_visible_no_workflow_files", "workflow_files": [], "codeowners_files": [], "referenced_secret_names": [], "runner_label_names": [], "environment_names": [], "api_required_lanes": [ "webhook_inventory", "deploy_key_inventory", "branch_protection_inventory", "repository_secret_name_parity" ], "still_forbidden": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] }, { "repo_key": "agent-bounty-protocol", "repo_path": "/Users/ogt/Documents/agent-bounty-protocol", "github_repo": "owenhytsai/agent-bounty-protocol", "source_key": "agent-bounty-protocol", "scope_status": "in_scope", "risk": "HIGH", "local_status": "partial_local_evidence", "workflow_files": [ { "provider": "gitea", "workflow_file_path": ".gitea/workflows/deploy.yml", "workflow_display_name": "CI and Production Smoke", "trigger_names": [ "branches", "push" ], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "referenced_secret_names": [] } ], "codeowners_files": [], "referenced_secret_names": [], "runner_label_names": [ "ubuntu-latest" ], "environment_names": [], "api_required_lanes": [ "webhook_inventory", "deploy_key_inventory", "branch_protection_inventory", "repository_secret_name_parity" ], "still_forbidden": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] } ], "redaction_rules": [ "只保存 workflow 內引用的 secret 名稱,不保存 secret value。", "不讀取 .env、secrets、private key、runner registration token 或 webhook secret。", "不呼叫 GitHub / Gitea API,因此 webhook、deploy key、branch protection 與 repository secret parity 仍需後續 redacted export 或 read-only API evidence。", "任何含 raw secret/token/private key 的 payload 都必須拒收並進 quarantine。" ], "forbidden_actions": [ "collect secret value", "read .env or secret store", "modify workflow", "modify webhook", "rotate secret", "create GitHub repo", "sync refs", "switch GitHub primary", "disable Gitea" ] }