{ "schema_version": "source_control_workflow_secret_name_owner_response_v1", "status": "draft_waiting_owner_response", "date": "2026-06-11", "mode": "owner_workflow_secret_name_response_intake_only", "runtime_execution_authorized": false, "source_contract": "source_control_workflow_secret_name_inventory_v1", "target_contract": "source_control_workflow_secret_name_export_request_v1", "source_indexes": [ "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json", "docs/security/source-control-workflow-secret-name-export-request.snapshot.json", "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md", "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md", "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md", "docs/security/source-control-primary-readiness-gate.snapshot.json", "docs/security/security-approval-review-packet.snapshot.json", "docs/security/security-followup-runtime-gate.snapshot.json" ], "summary": { "owner_response_status": "waiting_owner_response", "candidate_repo_count": 10, "in_scope_repo_count": 9, "export_request_count": 9, "export_lane_count": 5, "local_evidence_repo_count": 5, "local_workflow_file_count": 33, "local_referenced_secret_name_count": 42, "owner_response_request_packet_count": 1, "owner_response_template_status_count": 5, "owner_response_audit_event_template_count": 3, "owner_response_redaction_example_count": 5, "response_template_count": 5, "received_response_count": 0, "accepted_response_count": 0, "rejected_response_count": 0, "acceptance_check_count": 8, "rejection_rule_count": 10, "secret_value_collection_allowed": false, "write_token_allowed": false, "workflow_modification_authorized": false, "webhook_modification_authorized": false, "runner_change_authorized": false, "deploy_key_change_authorized": false, "branch_protection_change_authorized": false, "repo_secret_change_authorized": false, "github_hosted_runner_enable_authorized": false, "refs_sync_authorized": false, "github_primary_switch_authorized": false, "action_buttons_allowed": false, "owner_response_collection_check_count": 6, "intake_preflight_check_count": 6, "workflow_secret_owner_handoff_package_ready": true, "workflow_secret_owner_handoff_completion_percent": 100, "workflow_secret_owner_handoff_check_count": 6, "workflow_secret_owner_handoff_packet_field_count": 9, "workflow_secret_owner_request_dispatch_authorized": false, "secret_name_parity_complete": false, "secret_value_or_hash_collection_allowed": false, "workflow_secret_owner_response_handoff_not_approval": true }, "workflow_secret_owner_handoff_preflight_checks": [ { "check_id": "p1-4-baseline-sync", "display_order": 1, "check": "送件前確認 gitea/main、local evidence、S4.9-S4.12 source packets 最新狀態。", "current_status": "defined_not_dispatched", "execution_authorized": false }, { "check_id": "p1-4-local-evidence-freshness", "display_order": 2, "check": "以 2026-06-04 local evidence 的 31 個 workflow files、42 個 unique secret names、5 個 runner labels 為基準。", "current_status": "defined_not_dispatched", "execution_authorized": false }, { "check_id": "p1-4-five-response-lanes", "display_order": 3, "check": "webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 逐項追蹤。", "current_status": "defined_not_dispatched", "execution_authorized": false }, { "check_id": "p1-4-metadata-only", "display_order": 4, "check": "只收 redacted host、runner label、key name、ruleset / CODEOWNERS metadata、secret name / scope / present-absent。", "current_status": "defined_not_dispatched", "execution_authorized": false }, { "check_id": "p1-4-secret-material-rejected", "display_order": 5, "check": "secret value、hash、masked token、partial token、private key、runner token、webhook secret 全部拒收或隔離。", "current_status": "defined_not_dispatched", "execution_authorized": false }, { "check_id": "p1-4-execution-request-rejected", "display_order": 6, "check": "workflow / webhook / runner / deploy key / branch protection / repository secret 修改、hosted runner enable、refs sync、primary switch 全部 hard reject。", "current_status": "defined_not_dispatched", "execution_authorized": false } ], "workflow_secret_owner_handoff_packet": { "request_id": "p1_4_workflow_secret_owner_response_handoff", "stage_id": "S4.12", "source_evidence_summary": { "local_evidence_repo_count": 5, "local_workflow_file_count": 33, "local_referenced_secret_name_count": 42, "runner_label_count": 5 }, "requested_templates": [ "response-webhook-redacted-export", "response-runner-label-owner", "response-deploy-key-redacted-export", "response-branch-protection-codeowners", "response-repository-secret-name-parity" ], "recipient_role_or_team_required": true, "required_response_fields": [ "owner_role_or_team", "decision", "repo", "provider", "lane", "lane_specific_owner", "lane_specific_metadata", "redacted_evidence_refs", "followup_owner" ], "allowed_metadata": [ "redacted_host", "event_types", "runner_label", "key_name", "required_checks", "codeowners_path", "secret_name", "scope", "present_absent" ], "forbidden_inputs": [ "secret_value", "secret_hash", "masked_token", "partial_token", "token_value", "runner_registration_token", "webhook_secret", "private_key", "deploy_key_private_key", "authorization_header", "workflow_modification_request", "runner_enablement_request", "github_hosted_runner_enable_request", "repository_secret_change_request", "github_primary_switch_request" ], "not_approval": true, "execution_authorized": false }, "post_dispatch_invariants": [ "Owner response 到來後仍需先進 S4.12 intake preflight 與 reviewer validation。", "通過後只可更新 read-only workflow / secret name inventory、export request、primary readiness blocker wording 與 status rollup。", "不得建立、複製、rotate、修改或刪除 secret。", "不得改 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS,不得啟用 GitHub hosted runner。", "不得 sync refs、切 GitHub primary 或停用 Gitea。" ], "owner_response_request_packet": { "request_id": "s4_12_workflow_secret_name_owner_response_request", "display_status": "ready_to_request_owner_response", "requested_packet": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md", "required_response_item_count": 5, "requested_template_ids": [ "response-webhook-redacted-export", "response-runner-label-owner", "response-deploy-key-redacted-export", "response-branch-protection-codeowners", "response-repository-secret-name-parity" ], "owner_instruction_summary": "請 owner 只依 S4.12 五個 templates 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity 的脫敏 metadata;不要貼 secret value、token、runner token、webhook secret、private key、deploy key value、完整 URL credential、request body、header、未脫敏截圖或任何 workflow / secret / runner 執行要求。", "allowed_response_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "provider", "lane", "webhook_name_or_none", "destination_host_redacted", "event_types", "active_enabled_flag", "webhook_owner", "runner_label_or_none", "runner_scope", "executor_type", "hosted_or_self_hosted", "runner_owner", "github_hosted_minutes_risk", "maintenance_window", "key_name_or_none", "read_only_flag", "repo_scope", "key_owner", "rotation_owner", "protected_branch_name_or_none", "required_review_count", "required_status_check_names", "codeowners_path_or_none", "owner_team_names", "ruleset_owner", "secret_name_list_or_none", "secret_scope", "owning_team", "used_by_workflow_name", "present_in_gitea", "present_in_github", "evidence_refs", "followup_owner" ], "evidence_ref_rules": [ "只允許 repo 內既有文件、snapshot、workflow 檔名、job 名稱、secret 名稱、runner label、redacted host 或已脫敏 owner metadata pointer。", "secret parity 只能保存 secret name / scope / present-absent metadata / owner,不得保存 value、hash、masked token 或 partial token。", "runner 回覆只能標示 self-hosted / hosted 風險 review candidate,不得視為 GitHub hosted runner 啟用批准。", "webhook 回覆只能保存 redacted host、event types、enabled flag 與 owner,不得保存 webhook secret、tokenized URL、header 或 payload body。", "deploy key 回覆只能保存 key 名稱、read-only flag、repo scope 與 owner,不得保存 private key、完整 public key 或 credential material。", "不確定是否含敏感值時先走 mirror quarantine,不得直接貼入 response。" ], "forbidden_payloads": [ "secret_value", "token_value", "private_key", "deploy_key_value", "runner_registration_token", "runner_admin_token", "webhook_secret", "cookie_or_session", "authorization_header", "private_clone_url_credential", "complete_webhook_payload_url", "query_token", "request_body", "response_body", "secret_hash", "masked_token", "partial_credential", "workflow_modification_request", "webhook_modification_request", "runner_enablement_request", "deploy_key_rotation_request", "branch_protection_change_request", "repository_secret_change_request", "github_hosted_runner_enable_request", "refs_sync_request", "github_primary_switch_request", "execution_request_payload" ], "allowed_submission_modes": [ "markdown_table_redacted_metadata", "json_redacted_metadata_pointer", "existing_repo_doc_reference", "awooop_manual_review_note" ], "awooop_display_mode": "display_owner_response_request_only", "execution_authorized": false, "not_approval": true, "still_forbidden": [ "不收集或保存 secret value、token value、runner token、webhook secret、private key、deploy key value、cookie 或 session", "不使用 write token 或 write API", "不修改 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret", "不 rotate、建立、複製或刪除 secret", "不啟用 GitHub hosted runner 或消耗 GitHub Actions 額度", "不 sync refs、不建立 repo、不修改 visibility、不切 GitHub primary", "不停用、刪除、封存或降級 Gitea repo", "不新增 AwoooP execution action button" ] }, "owner_response_template_statuses": [ { "template_id": "response-webhook-redacted-export", "lane": "webhook_redacted_export_request", "display_order": 1, "collection_status": "waiting_owner_response", "request_status": "request_ready_not_sent", "received_response_count": 0, "accepted_response_count": 0, "rejected_response_count": 0, "latest_outcome_lane": "keep_waiting_owner_response", "next_owner_action": "Owner 需回覆 webhook 名稱、redacted host、event types、enabled flag 與 webhook owner;不得貼 webhook secret、tokenized URL、header、cookie 或 payload body。", "awooop_display_mode": "display_template_status_only", "execution_authorized": false, "not_approval": true, "still_forbidden": [ "不建立、修改、停用或刪除 webhook", "不保存 webhook secret、完整 payload URL、query token、header、cookie 或 request body", "不把 request_ready_not_sent 當成 webhook inventory complete" ] }, { "template_id": "response-runner-label-owner", "lane": "runner_label_owner_export_request", "display_order": 2, "collection_status": "waiting_owner_response", "request_status": "request_ready_not_sent", "received_response_count": 0, "accepted_response_count": 0, "rejected_response_count": 0, "latest_outcome_lane": "keep_waiting_owner_response", "next_owner_action": "Owner 需回覆 runner label、executor type、self-hosted / hosted、runner owner、GitHub hosted minutes 風險與 maintenance window;不得貼 runner token、host password、SSH key 或 admin token。", "awooop_display_mode": "display_template_status_only", "execution_authorized": false, "not_approval": true, "still_forbidden": [ "不新增、啟用、停用或改 runner label", "不啟用 GitHub hosted runner 或消耗 GitHub Actions 額度", "不保存 runner registration token、admin token、SSH private key 或 host password" ] }, { "template_id": "response-deploy-key-redacted-export", "lane": "deploy_key_redacted_export_request", "display_order": 3, "collection_status": "waiting_owner_response", "request_status": "request_ready_not_sent", "received_response_count": 0, "accepted_response_count": 0, "rejected_response_count": 0, "latest_outcome_lane": "keep_waiting_owner_response", "next_owner_action": "Owner 需回覆 deploy key / machine key 名稱、read-only flag、repo scope、key owner 與 rotation owner;不得貼 private key、完整 public key、token value 或 password。", "awooop_display_mode": "display_template_status_only", "execution_authorized": false, "not_approval": true, "still_forbidden": [ "不新增、刪除、rotate 或修改 deploy key", "不保存 private key、完整 public key、token value、password 或 credential value", "不把 write-capable key 風險 candidate 當成 rotation approval" ] }, { "template_id": "response-branch-protection-codeowners", "lane": "branch_protection_codeowners_export_request", "display_order": 4, "collection_status": "waiting_owner_response", "request_status": "request_ready_not_sent", "received_response_count": 0, "accepted_response_count": 0, "rejected_response_count": 0, "latest_outcome_lane": "keep_waiting_owner_response", "next_owner_action": "Owner 需回覆 protected branch、required checks、required review count、CODEOWNERS path、owner teams 與 ruleset owner;不得要求立即修改 branch protection、ruleset 或 CODEOWNERS。", "awooop_display_mode": "display_template_status_only", "execution_authorized": false, "not_approval": true, "still_forbidden": [ "不修改 branch protection、ruleset、required checks 或 CODEOWNERS", "不保存 PAT、admin override token、team secret、session cookie 或未脫敏截圖", "不把 branch protection response 當成 primary readiness complete" ] }, { "template_id": "response-repository-secret-name-parity", "lane": "repository_secret_name_parity_export_request", "display_order": 5, "collection_status": "waiting_owner_response", "request_status": "request_ready_not_sent", "received_response_count": 0, "accepted_response_count": 0, "rejected_response_count": 0, "latest_outcome_lane": "keep_waiting_owner_response", "next_owner_action": "Owner 需回覆 repository secret 名稱、scope、owning team、used-by workflow、present_in_gitea / present_in_github 與 rotation owner;不得貼 value、hash、masked token、partial token 或任何可還原片段。", "awooop_display_mode": "display_template_status_only", "execution_authorized": false, "not_approval": true, "still_forbidden": [ "不建立、複製、rotate、修改或刪除 repository secret", "不保存 secret value、hash、masked token、partial token、private key 或 credential value", "不把 secret name parity response 當成 workflow ready 或 primary ready" ] } ], "owner_response_audit_event_templates": [ { "event_template_id": "audit-workflow-secret-response-request-shown", "display_order": 1, "event_status": "template_only_not_emitted", "trigger": "AwoooP 顯示 S4.12 workflow / secret name owner response request packet 時。", "purpose": "只記錄 request packet 顯示 metadata;不代表 request 已送出、owner response 已收到、secret value collection、workflow / webhook / runner / deploy key / branch protection / repository secret 修改或 GitHub primary 授權。", "allowed_metadata_fields": [ "event_id", "event_time_taipei", "event_template_id", "source_contract", "target_contract", "request_id", "requested_template_ids", "displayed_by_role", "displayed_to_owner_role_or_team", "repo_count", "lane_count", "source_document_ref", "redaction_status" ], "forbidden_payloads": [ "secret_value", "token_value", "private_key", "deploy_key_value", "runner_registration_token", "runner_admin_token", "webhook_secret", "cookie_or_session", "authorization_header", "complete_webhook_payload_url", "query_token", "request_body", "response_body", "secret_hash", "masked_token", "partial_credential", "workflow_modification_request", "webhook_modification_request", "runner_enablement_request", "deploy_key_rotation_request", "branch_protection_change_request", "repository_secret_change_request", "github_hosted_runner_enable_request", "refs_sync_request", "github_primary_switch_request", "execution_request_payload", "unredacted_screenshot" ], "emitted_event_count": 0, "stored_raw_payload_allowed": false, "awooop_display_mode": "display_audit_template_only", "execution_authorized": false, "not_approval": true }, { "event_template_id": "audit-workflow-secret-response-received-metadata", "display_order": 2, "event_status": "template_only_not_emitted", "trigger": "Owner 提供 S4.12 workflow / secret name response metadata pointer 時。", "purpose": "只記錄已收到脫敏 metadata pointer;不得保存 owner response raw body、secret value、token、runner token、webhook secret、private key、deploy key value、完整 URL credential、request body、response body 或未脫敏截圖。", "allowed_metadata_fields": [ "event_id", "event_time_taipei", "event_template_id", "source_contract", "request_id", "template_id", "lane", "repo", "provider", "owner_role_or_team", "decision", "decision_reason_summary", "evidence_refs", "redaction_status", "quarantine_lane", "next_owner_action" ], "forbidden_payloads": [ "secret_value", "token_value", "private_key", "deploy_key_value", "runner_registration_token", "runner_admin_token", "webhook_secret", "cookie_or_session", "authorization_header", "complete_webhook_payload_url", "query_token", "request_body", "response_body", "secret_hash", "masked_token", "partial_credential", "workflow_modification_request", "webhook_modification_request", "runner_enablement_request", "deploy_key_rotation_request", "branch_protection_change_request", "repository_secret_change_request", "github_hosted_runner_enable_request", "refs_sync_request", "github_primary_switch_request", "execution_request_payload", "unredacted_screenshot" ], "emitted_event_count": 0, "stored_raw_payload_allowed": false, "awooop_display_mode": "display_audit_template_only", "execution_authorized": false, "not_approval": true }, { "event_template_id": "audit-workflow-secret-response-outcome-classified", "display_order": 3, "event_status": "template_only_not_emitted", "trigger": "AwoooP 依 S4.12 acceptance checks 與 rejection rules 分類 workflow / secret name owner response 時。", "purpose": "只記錄分類結果、reviewer role 與下一步 owner action;不得把 outcome、owner wording 或單項 response 當成 secret value collection、workflow 修改、webhook 修改、runner 啟用、deploy key rotation、branch protection change、repository secret change、refs sync 或 GitHub primary 授權。", "allowed_metadata_fields": [ "event_id", "event_time_taipei", "event_template_id", "source_contract", "request_id", "template_id", "lane", "repo", "provider", "owner_role_or_team", "decision", "decision_reason_summary", "latest_outcome_lane", "evidence_refs", "redaction_status", "quarantine_lane", "next_owner_action", "reviewer_role" ], "forbidden_payloads": [ "secret_value", "token_value", "private_key", "deploy_key_value", "runner_registration_token", "runner_admin_token", "webhook_secret", "cookie_or_session", "authorization_header", "complete_webhook_payload_url", "query_token", "request_body", "response_body", "secret_hash", "masked_token", "partial_credential", "workflow_modification_request", "webhook_modification_request", "runner_enablement_request", "deploy_key_rotation_request", "branch_protection_change_request", "repository_secret_change_request", "github_hosted_runner_enable_request", "refs_sync_request", "github_primary_switch_request", "execution_request_payload", "unredacted_screenshot" ], "emitted_event_count": 0, "stored_raw_payload_allowed": false, "awooop_display_mode": "display_audit_template_only", "execution_authorized": false, "not_approval": true } ], "owner_response_redaction_examples": [ { "example_id": "redaction-webhook-redacted-host-metadata", "display_order": 1, "example_status": "template_example_only", "category": "webhook_redacted_host_metadata", "safe_response_shape": [ "template_id=response-webhook-redacted-export", "repo=owenhytsai/awoooi", "webhook_name_or_none=deployment-status-webhook", "destination_host_redacted=hooks.example.internal", "event_types=[push, pull_request]", "active_enabled_flag=true", "webhook_owner=platform-ops" ], "required_redactions": [ "只保留 host 或 domain 類 metadata,不保留完整 payload URL、query string、header、cookie 或 body", "webhook secret 必須以 absent / managed_by_owner / rotate_required_candidate 類 metadata 表示,不得保存值", "enabled flag 只代表 inventory metadata,不代表可建立、停用或修改 webhook" ], "forbidden_raw_values": [ "webhook_secret", "complete_webhook_payload_url", "query_token", "authorization_header", "request_body", "response_body", "cookie_or_session" ], "stored_raw_payload_allowed": false, "awooop_display_mode": "display_redaction_example_only", "execution_authorized": false, "not_approval": true }, { "example_id": "redaction-runner-label-owner-metadata", "display_order": 2, "example_status": "template_example_only", "category": "runner_label_owner_metadata", "safe_response_shape": [ "template_id=response-runner-label-owner", "repo=owenhytsai/wooo-aiops", "runner_label_or_none=self-hosted-linux-110", "executor_type=self_hosted", "hosted_or_self_hosted=self_hosted", "runner_owner=platform-ops", "github_hosted_minutes_risk=not_enabled" ], "required_redactions": [ "runner label 只能保存名稱、scope、executor type、owner 與額度風險 metadata", "hosted runner 只能標成 risk review candidate,不得視為啟用或消耗 GitHub Actions 額度批准", "不得貼 runner registration token、admin token、host password、SSH private key 或 machine credential" ], "forbidden_raw_values": [ "runner_registration_token", "runner_admin_token", "host_password", "ssh_private_key", "machine_credential", "github_hosted_runner_enable_request" ], "stored_raw_payload_allowed": false, "awooop_display_mode": "display_redaction_example_only", "execution_authorized": false, "not_approval": true }, { "example_id": "redaction-deploy-key-name-scope-metadata", "display_order": 3, "example_status": "template_example_only", "category": "deploy_key_name_scope_metadata", "safe_response_shape": [ "template_id=response-deploy-key-redacted-export", "repo=owenhytsai/wooo-infra-config", "key_name_or_none=infra-readonly-deploy-key", "read_only_flag=true", "repo_scope=single_repo", "key_owner=platform-ops", "rotation_owner=security-commander" ], "required_redactions": [ "deploy key 只能保存 key name、read-only flag、repo scope、owner 與 rotation owner metadata", "public key 若需要補證,必須改成既有文件引用或 owner metadata pointer,不保存完整 key material", "rotation owner 只代表後續責任人,不代表本階段可 rotate、建立、刪除或修改 key" ], "forbidden_raw_values": [ "private_key", "deploy_key_value", "complete_public_key", "token_value", "credential_value", "deploy_key_rotation_request" ], "stored_raw_payload_allowed": false, "awooop_display_mode": "display_redaction_example_only", "execution_authorized": false, "not_approval": true }, { "example_id": "redaction-branch-protection-codeowners-metadata", "display_order": 4, "example_status": "template_example_only", "category": "branch_protection_codeowners_metadata", "safe_response_shape": [ "template_id=response-branch-protection-codeowners", "repo=owenhytsai/awoooi", "protected_branch_name_or_none=main", "required_review_count=1", "required_status_check_names=[lint, test]", "codeowners_path_or_none=.github/CODEOWNERS", "ruleset_owner=source-control-owner" ], "required_redactions": [ "只保存 branch/ruleset/CODEOWNERS metadata 與 required check names,不保存 admin override token 或 session", "若引用 UI screenshot,必須先脫敏 owner、token、cookie、email、完整 URL credential 與個資", "不得把 required check 或 reviewer wording 當成可立即修改 branch protection / ruleset / CODEOWNERS 的授權" ], "forbidden_raw_values": [ "admin_override_token", "session_cookie", "authorization_header", "unredacted_screenshot", "branch_protection_change_request", "codeowners_write_request" ], "stored_raw_payload_allowed": false, "awooop_display_mode": "display_redaction_example_only", "execution_authorized": false, "not_approval": true }, { "example_id": "redaction-secret-name-parity-quarantine-pointer", "display_order": 5, "example_status": "template_example_only", "category": "repository_secret_name_parity_or_quarantine", "safe_response_shape": [ "template_id=response-repository-secret-name-parity", "repo=owenhytsai/awoooi", "secret_name_list_or_none=[DATABASE_URL, OPENAI_API_KEY]", "present_in_gitea=unknown_requires_more_evidence", "present_in_github=unknown_requires_more_evidence", "owning_team=platform-ops", "collection_status=quarantine_sensitive_payload_if_value_seen" ], "required_redactions": [ "secret parity 只能保存 secret name、scope、present / absent / unknown metadata、owner 與 evidence refs", "任何 value、hash、masked token、partial token、可還原片段或未脫敏截圖都必須改走 quarantine pointer", "secret name parity 通過也只更新 read-only wording,不代表可建立、複製、rotate、修改或刪除 secret" ], "forbidden_raw_values": [ "secret_value", "secret_hash", "masked_token", "partial_credential", "repository_secret_change_request", "execution_request_payload", "owner_response_raw_body" ], "stored_raw_payload_allowed": false, "awooop_display_mode": "display_redaction_example_only", "execution_authorized": false, "not_approval": true } ], "owner_response_collection_checks": [ { "check_id": "collection-workflow-secret-request-packet-displayed", "display_order": 1, "title": "已顯示 workflow / secret 名稱 owner response request packet", "required": true, "pass_condition": "AwoooP 必須只顯示 owner_response_request_packet 的 5 個 workflow / secret 名稱 templates、允許欄位、脫敏 evidence 規則與禁止 payload,不得附加 secret value collection、workflow/webhook/runner/deploy key/branch protection/secret 修改、refs sync 或 primary switch 要求。", "failure_lane": "keep_waiting_owner_response", "awooop_display": "display_request_packet_only", "execution_authorized": false, "not_approval": true }, { "check_id": "collection-workflow-secret-read-only-submission-mode", "display_order": 2, "title": "workflow / secret 名稱收件模式維持 read-only", "required": true, "pass_condition": "owner 只能用 read-only markdown response、redacted metadata pointer、existing repo doc reference 或 AwoooP manual review note;不得提交 secret value、webhook secret、runner token、deploy key material、private key、authorization header、未脫敏截圖或 execution request。", "failure_lane": "quarantine_sensitive_payload", "awooop_display": "display_read_only_submission_only", "execution_authorized": false, "not_approval": true }, { "check_id": "collection-five-workflow-secret-template-tracking", "display_order": 3, "title": "五個 workflow / secret templates 分開追蹤", "required": true, "pass_condition": "S4.12 五個 requested_template_ids 必須逐 lane 追蹤 received / accepted / rejected 狀態;不可用單一整體同意取代 webhook、runner、deploy key、branch protection / CODEOWNERS 或 repository secret name parity 的個別判定。", "failure_lane": "request_more_evidence", "awooop_display": "display_per_workflow_secret_lane_tracking", "execution_authorized": false, "not_approval": true }, { "check_id": "collection-workflow-secret-redacted-evidence-only", "display_order": 4, "title": "只收 workflow / secret 名稱脫敏 evidence refs", "required": true, "pass_condition": "收件內容只能包含 repo 內路徑、snapshot path、secret name metadata、redacted host、runner label、key name、ruleset/CODEOWNERS metadata 或已脫敏 evidence refs;任何不確定是否含 secret value、token、private key、deploy key material、完整 URL credential、request body、header 或未脫敏截圖的資料都先進 quarantine。", "failure_lane": "quarantine_sensitive_payload", "awooop_display": "display_redacted_evidence_only", "execution_authorized": false, "not_approval": true }, { "check_id": "collection-workflow-secret-no-approval-language", "display_order": 5, "title": "不得把 workflow / secret 回覆語意升級成批准", "required": true, "pass_condition": "即使 owner response 文字包含同意、OK、可進行或批准,也只能視為 workflow / secret 名稱 inventory disposition;不得視為 secret 建立、複製、rotate、workflow 修改、runner 啟用、deploy key rotation、branch protection change、refs sync 或 GitHub primary approval。", "failure_lane": "reject_execution_request", "awooop_display": "display_scope_response_only", "execution_authorized": false, "not_approval": true }, { "check_id": "collection-workflow-secret-audit-metadata-only", "display_order": 6, "title": "只記錄 workflow / secret audit metadata", "required": true, "pass_condition": "AwoooP 只能記錄 request shown、response received metadata、template id、lane、repo、owner role/team、redacted host、runner label、key name、secret name metadata、evidence refs 與 outcome lane;不得保存 secret value、hash、masked token、partial credential、webhook secret、runner token、private key、authorization header 或可執行 payload。", "failure_lane": "quarantine_sensitive_payload", "awooop_display": "display_audit_metadata_only", "execution_authorized": false, "not_approval": true } ], "intake_preflight_checks": [ { "check_id": "preflight-known-workflow-secret-lane", "display_order": 1, "title": "回覆必須對應已知 workflow / secret 名稱 lane", "required": true, "pass_condition": "`template_id` 或 `lane` 必須對應 S4.12 五個 workflow / secret name templates 之一,不得新增未盤點 repo、未請求 workflow / secret 類別,或把 out-of-scope repo 自動視為可補 secret / workflow。", "failure_lane": "request_owner_correction", "awooop_display": "request_more_evidence", "execution_authorized": false }, { "check_id": "preflight-required-workflow-secret-owner-fields", "display_order": 2, "title": "workflow / secret 名稱必填欄位完整", "required": true, "pass_condition": "每筆 response 必須有 owner role/team、decision、decision_reason、repo、provider、lane、lane-specific owner、必要的 redacted metadata 與 evidence_refs;secret name parity 批次回覆必須有可重現 repo list 與 scope。", "failure_lane": "request_more_evidence", "awooop_display": "request_more_evidence", "execution_authorized": false }, { "check_id": "preflight-allowed-workflow-secret-decision", "display_order": 3, "title": "workflow / secret decision 在模板允許值內", "required": true, "pass_condition": "`decision` 必須落在對應 response template 的 acceptable_decisions;口頭同意、整體 OK、可進行、請幫我建立 secret 或未列出的執行語句都不得進入 accepted。", "failure_lane": "request_owner_correction", "awooop_display": "request_more_evidence", "execution_authorized": false }, { "check_id": "preflight-workflow-secret-redacted-evidence-only", "display_order": 4, "title": "只接受 workflow / secret 名稱脫敏 evidence refs", "required": true, "pass_condition": "`evidence_refs` 只能指向 repo 內文件、snapshot、redacted metadata pointer、secret name list、redacted host、runner label、key name、ruleset / CODEOWNERS metadata;不得含 secret value、hash、masked token、partial credential、webhook secret、runner token、private key、deploy key value、authorization header、cookie、session、request body 或未脫敏截圖。", "failure_lane": "quarantine_sensitive_payload", "awooop_display": "quarantine_sensitive_payload", "execution_authorized": false }, { "check_id": "preflight-no-workflow-secret-execution-request", "display_order": 5, "title": "不得夾帶 workflow / secret 執行要求", "required": true, "pass_condition": "response 不得要求建立 / 複製 / rotate secret、修改 workflow/webhook/runner/deploy key/branch protection/CODEOWNERS、啟用 GitHub hosted runner、使用 write token、建立 repo、sync refs、GitHub primary switch、Kali scan 或任何 runtime action。", "failure_lane": "reject_execution_request", "awooop_display": "reject_execution_request", "execution_authorized": false }, { "check_id": "preflight-all-five-workflow-secret-lanes-before-accepted", "display_order": 6, "title": "接受前需覆蓋五個 workflow / secret templates", "required": true, "pass_condition": "S4.12 要被標示 accepted 前,五個 response templates 都必須收到可驗收的 owner response;部分回覆只能維持 waiting、ready_for_owner_review、request_more_evidence 或 quarantine。", "failure_lane": "keep_waiting_owner_response", "awooop_display": "ready_for_owner_review", "execution_authorized": false } ], "response_templates": [ { "template_id": "response-webhook-redacted-export", "lane": "webhook_redacted_export_request", "affected_repos": [ "owenhytsai/awoooi", "owenhytsai/wooo-aiops" ], "risk": "MEDIUM", "covered_repo_count": 2, "requested_owner_decision": "回覆 webhook 名稱、redacted host、事件類型、enabled flag 與 owner;不得包含 webhook secret、token URL、header、cookie 或 payload body。", "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "provider", "webhook_name_or_none", "destination_host_redacted", "event_types", "active_enabled_flag", "webhook_owner", "evidence_refs" ], "acceptable_decisions": [ "provide_redacted_webhook_inventory_candidate", "mark_no_webhook_candidate", "hold_pending_webhook_owner", "unknown_requires_more_evidence" ], "minimum_evidence_refs": [ "docs/security/source-control-workflow-secret-name-export-request.snapshot.json", "docs/security/source-control-primary-readiness-gate.snapshot.json", "docs/security/security-mirror-quarantine.snapshot.json" ], "acceptance_criteria": [ "只允許保存 redacted host、event types、enabled flag 與 owner。", "必須標示 primary cutover 後哪一端負責發 webhook,或明確要求補證。", "必須承認 response 通過後只更新 read-only inventory / readiness wording,不修改 webhook。" ], "rejection_conditions": [ "含 webhook secret、完整 payload URL、query token、header、cookie 或 request body。", "要求立即建立、停用或修改 webhook。", "缺 repo、provider、webhook owner 或 no-webhook disposition。" ], "allowed_outputs": [ "更新 `source-control-workflow-secret-name-export-request.snapshot.json` 的 webhook read-only owner response 欄位。", "更新 `source-control-primary-readiness-gate.snapshot.json` 的 workflow/webhook blocker wording。", "建立 request_more_evidence / quarantine lane。" ], "execution_authorized": false }, { "template_id": "response-runner-label-owner", "lane": "runner_label_owner_export_request", "affected_repos": [ "owenhytsai/awoooi", "owenhytsai/wooo-aiops", "owenhytsai/wooo-infra-config", "owenhytsai/ewoooc" ], "risk": "HIGH", "covered_repo_count": 4, "requested_owner_decision": "回覆 runner label、executor type、hosted/self-hosted、owner 與 GitHub hosted minutes 風險;不得包含 runner registration token、admin token、SSH key 或 host password。", "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "provider", "runner_label_or_none", "runner_scope", "executor_type", "hosted_or_self_hosted", "runner_owner", "github_hosted_minutes_risk", "maintenance_window", "evidence_refs" ], "acceptable_decisions": [ "keep_self_hosted_runner_candidate", "approve_hosted_runner_risk_review_candidate", "mark_no_runner_candidate", "hold_pending_runner_owner", "unknown_requires_more_evidence" ], "minimum_evidence_refs": [ "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json", "docs/security/source-control-workflow-secret-name-export-request.snapshot.json", "docs/security/source-control-primary-readiness-gate.snapshot.json" ], "acceptance_criteria": [ "必須標示 runner 是 self-hosted 或 hosted;若 hosted,必須列入額度風險 review,而不是啟用批准。", "必須指定 runner owner 與維護窗口,或明確要求補證。", "必須承認 response 不授權新增 runner、不授權改 workflow、不授權消耗 GitHub hosted minutes。" ], "rejection_conditions": [ "含 runner registration token、admin token、SSH private key、host password 或 API token。", "要求立即啟用 GitHub hosted runner 或改 runner label。", "把 hosted runner risk review candidate 當成使用 GitHub Actions 額度的批准。" ], "allowed_outputs": [ "更新 runner label owner review lane。", "更新 GitHub hosted runner 額度風險 wording。", "維持 workflow / runner execution disabled。" ], "execution_authorized": false }, { "template_id": "response-deploy-key-redacted-export", "lane": "deploy_key_redacted_export_request", "affected_repos": [ "owenhytsai/wooo-infra-config" ], "risk": "HIGH", "covered_repo_count": 1, "requested_owner_decision": "回覆 deploy key / machine key 名稱、read-only flag、repo scope 與 owner;不得包含 private key、完整 public key、token value 或 password。", "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "provider", "key_name_or_none", "read_only_flag", "repo_scope", "key_owner", "rotation_owner", "evidence_refs" ], "acceptable_decisions": [ "provide_deploy_key_name_scope_candidate", "mark_no_deploy_key_candidate", "mark_write_capable_key_risk_candidate", "hold_pending_key_owner", "unknown_requires_more_evidence" ], "minimum_evidence_refs": [ "docs/security/source-control-workflow-secret-name-export-request.snapshot.json", "docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md", "docs/security/security-mirror-quarantine.snapshot.json" ], "acceptance_criteria": [ "只允許 key 名稱、read-only flag、repo scope、owner 與 rotation owner。", "write-capable key 只能列為風險 candidate,不得自動 rotate 或刪除。", "必須承認 response 不授權搬移 key、不授權貼 private key、不授權修改 deploy key。" ], "rejection_conditions": [ "含 private key、完整 public key、token value、password 或 credential value。", "要求立即 rotate、刪除或新增 deploy key。", "缺 key owner / rotation owner 或 no-key disposition。" ], "allowed_outputs": [ "更新 deploy key read-only risk lane。", "更新 primary readiness key blocker wording。", "建立 key_owner request_more_evidence lane。" ], "execution_authorized": false }, { "template_id": "response-branch-protection-codeowners", "lane": "branch_protection_codeowners_export_request", "affected_repos": [ "owenhytsai/awoooi", "owenhytsai/clawbot-v5", "owenhytsai/wooo-infra-config", "owenhytsai/ewoooc" ], "risk": "MEDIUM", "covered_repo_count": 4, "requested_owner_decision": "回覆 protected branch、required checks、required review count、CODEOWNERS path 與 owner teams;不得包含 team secret、PAT、admin override token 或 session cookie。", "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "provider", "protected_branch_name_or_none", "required_review_count", "required_status_check_names", "codeowners_path_or_none", "owner_team_names", "ruleset_owner", "evidence_refs" ], "acceptable_decisions": [ "provide_branch_protection_codeowners_candidate", "mark_no_branch_protection_candidate", "hold_pending_ruleset_owner", "unknown_requires_more_evidence" ], "minimum_evidence_refs": [ "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json", "docs/security/source-control-workflow-secret-name-export-request.snapshot.json", "docs/security/source-control-primary-readiness-gate.snapshot.json" ], "acceptance_criteria": [ "必須列出 required status check names,並標示與 workflow / runner label 對應狀態。", "缺 CODEOWNERS 或 branch protection 只能形成 readiness gap,不代表可修改規則。", "必須指定 ruleset owner 或 request_more_evidence owner。" ], "rejection_conditions": [ "含 PAT、admin override token、session cookie、team secret 或未脫敏截圖。", "要求立即修改 branch protection、ruleset、required checks 或 CODEOWNERS。", "把 branch protection response 當成 primary readiness complete。" ], "allowed_outputs": [ "更新 branch protection / CODEOWNERS owner review lane。", "更新 required status check parity wording。", "維持 primary_ready_count=0。" ], "execution_authorized": false }, { "template_id": "response-repository-secret-name-parity", "lane": "repository_secret_name_parity_export_request", "affected_repos": [ "owenhytsai/awoooi", "owenhytsai/clawbot-v5", "owenhytsai/wooo-aiops", "owenhytsai/wooo-infra-config", "owenhytsai/ewoooc", "owenhytsai/bitan-pharmacy", "owenhytsai/tsenyang-website" ], "risk": "HIGH", "covered_repo_count": 7, "requested_owner_decision": "回覆 repository secret 名稱 parity、scope、owning team、used-by workflow 與 present_in_gitea / present_in_github metadata;不得包含 value、hash、partial token 或可還原片段。", "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "provider", "secret_name_list_or_none", "secret_scope", "owning_team", "used_by_workflow_name", "rotation_owner", "present_in_gitea", "present_in_github", "evidence_refs" ], "acceptable_decisions": [ "provide_secret_name_presence_map_candidate", "mark_no_repository_secret_candidate", "hold_pending_secret_owner", "unknown_requires_more_evidence" ], "minimum_evidence_refs": [ "docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json", "docs/security/source-control-workflow-secret-name-export-request.snapshot.json", "docs/security/security-mirror-quarantine.snapshot.json" ], "acceptance_criteria": [ "只允許保存 secret name、scope、owner、used-by workflow、present/absent metadata。", "不得保存 value、hash、partial token、masked token 或任何可還原片段。", "缺漏 secret 只建立 owner review lane,不自動建立、複製、rotate 或刪除 secret。" ], "rejection_conditions": [ "含 secret value、plaintext、hash、partial token、private key、credential value 或未脫敏截圖。", "要求立即建立、複製、修改、rotate 或刪除 repository secret。", "把 secret name parity response 當成 workflow 已可執行或 primary ready。" ], "allowed_outputs": [ "更新 repository secret name parity owner review lane。", "更新 workflow / secret name inventory gap wording。", "維持 inventory_complete_count=0 與 primary_ready_count=0。" ], "execution_authorized": false } ], "acceptance_checks": [ { "check_id": "maps_to_known_export_lane", "title": "回覆對應既有 export lane", "required": true, "pass_condition": "`lane` 必須對應 S4.3 既有 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS 或 repository secret name parity。", "failure_lane": "reject_unknown_export_lane", "execution_authorized": false }, { "check_id": "decision_value_allowed", "title": "決策值在允許範圍內", "required": true, "pass_condition": "`decision` 必須是該 response template 的 acceptable_decisions 之一。", "failure_lane": "request_owner_correction", "execution_authorized": false }, { "check_id": "repo_scope_present", "title": "repo scope 已標示", "required": true, "pass_condition": "每筆回覆必須有 repo、provider 與 lane;批次 secret name parity 必須有可重現 repo list。", "failure_lane": "request_more_evidence", "execution_authorized": false }, { "check_id": "owner_present", "title": "owner 或補證 owner 已標示", "required": true, "pass_condition": "每筆回覆必須有 owner role/team,且 lane-specific owner 不得空白;未知時必須選 hold/unknown。", "failure_lane": "request_owner_assignment", "execution_authorized": false }, { "check_id": "allowed_fields_only", "title": "只含允許欄位", "required": true, "pass_condition": "回覆只能包含 lane allowed_fields 與 owner/evidence metadata,不得加入 request body、header、credential 或 raw config。", "failure_lane": "quarantine_unexpected_payload", "execution_authorized": false }, { "check_id": "secret_values_absent", "title": "未包含 secret value", "required": true, "pass_condition": "不得包含 secret/token/cookie/private key/deploy key/runner token/webhook secret/password、hash、masked token 或 partial credential。", "failure_lane": "quarantine_sensitive_payload", "execution_authorized": false }, { "check_id": "no_write_or_rotation_requested", "title": "不含 write 或 rotation 要求", "required": true, "pass_condition": "回覆不得要求 write API、rotate secret、修改 workflow、修改 webhook、修改 runner、修改 deploy key 或修改 branch protection。", "failure_lane": "reject_runtime_change_request", "execution_authorized": false }, { "check_id": "no_primary_or_refs_action_requested", "title": "不含 primary 或 refs action", "required": true, "pass_condition": "回覆不得要求建立 repo、sync refs、切 GitHub primary、停用 Gitea 或把 inventory 視為 primary ready。", "failure_lane": "reject_primary_or_refs_action", "execution_authorized": false } ], "rejection_rules": [ "回覆含 secret value、PAT、cookie、session、CSRF token、private key、deploy key value、runner token、webhook secret 或 partial credential 時必須拒收。", "回覆含完整 webhook payload URL、query token、authorization header、request body 或未脫敏截圖時必須拒收。", "回覆含 runner registration token、runner admin token、SSH private key、host password 或 API token 時必須拒收。", "回覆含 deploy key private material、完整 public key、token value、password 或 credential value 時必須拒收。", "回覆含 secret value、secret hash、partial token、masked token 或任何可還原片段時必須拒收。", "回覆要求 write API、修改 workflow/webhook/runner/deploy key/branch protection/CODEOWNERS 或 rotate secret 時必須拒收。", "回覆要求建立 repo、sync refs、切 GitHub primary、停用或封存 Gitea 時必須拒收。", "回覆缺 repo、provider、lane owner 或 no-data disposition 時不得標記 accepted。", "回覆把 owner response 當成 inventory complete、workflow ready、secret parity complete 或 GitHub primary ready 時必須拒收。", "任何不確定是否含敏感值、私有 URL 憑證、完整 key material 或未脫敏截圖的回覆必須先進 mirror quarantine。" ], "allowed_outputs": [ "更新 `source-control-workflow-secret-name-inventory.snapshot.json` 的 read-only owner response 欄位。", "更新 `source-control-workflow-secret-name-export-request.snapshot.json` 的 response status wording。", "更新 `source-control-primary-readiness-gate.snapshot.json` 的 workflow / webhook / runner / secret name blocker wording。", "更新 `security-mirror-status-rollup.snapshot.json` 的 workflow_secret owner response summary。", "建立 request_more_evidence / quarantine lane。", "維持 `inventory_complete_count=0`、`github_primary_ready_count=0` 與所有 workflow / secret / repo / refs / primary execution flags false。" ], "forbidden_actions": [ "收集或保存 secret value、token value、cookie、session、private key、deploy key value、runner token 或 webhook secret。", "使用 write token 或 write API。", "修改 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret。", "rotate secret、建立 secret、複製 secret 或刪除 secret。", "啟用 GitHub hosted runner 或消耗 GitHub Actions 額度。", "建立 GitHub repo 或修改 visibility。", "sync refs、push refs、delete refs 或 force push。", "切 GitHub primary。", "停用、刪除、封存或降級 Gitea repo。", "新增 AwoooP execution action button。" ] }