{ "schema_version": "source_control_ref_truth_owner_response_v1", "status": "draft_waiting_owner_response", "date": "2026-05-17", "mode": "owner_ref_truth_response_intake_only", "runtime_execution_authorized": false, "source_contract": "source_control_ref_truth_classification_v1", "target_contract": "source_control_reconcile_plan_v1", "source_indexes": [ "docs/security/source-control-ref-truth-classification.snapshot.json", "docs/security/source-control-ref-detail-diff.snapshot.json", "docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md", "docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md", "docs/security/source-control-reconcile-plan.snapshot.json", "docs/security/source-control-primary-readiness-gate.snapshot.json", "docs/security/security-approval-review-packet.snapshot.json", "docs/security/security-followup-runtime-gate.snapshot.json" ], "summary": { "owner_response_status": "waiting_owner_response", "repo_count": 3, "total_ref_review_item_count": 141, "manual_truth_required_count": 4, "deprecated_candidate_count": 114, "release_tag_review_count": 3, "github_only_review_count": 20, "response_template_count": 5, "received_response_count": 0, "accepted_response_count": 0, "rejected_response_count": 0, "acceptance_check_count": 8, "rejection_rule_count": 10, "refs_sync_authorized": false, "refs_delete_authorized": false, "force_push_authorized": false, "github_primary_switch_authorized": false, "secret_value_collection_allowed": false, "action_buttons_allowed": false }, "response_templates": [ { "template_id": "response-main-branch-truth-source", "lane": "main_truth_required", "affected_repos": [ "wooo/awoooi -> owenhytsai/awoooi", "wooo/clawbot-v5 -> owenhytsai/clawbot-v5", "wooo/wooo-aiops -> owenhytsai/wooo-aiops" ], "risk": "HIGH", "covered_item_count": 3, "requested_owner_decision": "判定三個 main branch 的真相來源、deploy marker owner、production source owner 與 rollback point owner;維持 refs action disabled。", "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "ref_name", "truth_source_or_sha", "deploy_marker_owner", "production_source_owner", "rollback_point_owner", "evidence_refs" ], "acceptable_decisions": [ "choose_gitea_as_truth_candidate", "choose_github_as_truth_candidate", "choose_specific_sha_as_truth_candidate", "hold_pending_deploy_marker", "unknown_requires_more_evidence" ], "minimum_evidence_refs": [ "docs/security/source-control-ref-truth-classification.snapshot.json", "docs/security/source-control-ref-detail-diff.snapshot.json", "docs/security/source-control-primary-readiness-gate.snapshot.json" ], "acceptance_criteria": [ "必須逐 repo 標示 main branch 的候選真相來源,不可只寫全域結論。", "必須說明 deploy marker、production source 與 rollback point 的 owner 或補證 owner。", "必須承認通過收件後只更新 read-only classification / reconcile / readiness wording,不授權 refs sync。" ], "rejection_conditions": [ "把 main branch truth response 當成可直接 push refs 或切 primary。", "沒有 repo、ref_name、truth_source_or_sha 或 deploy evidence owner。", "含有 token、credential、private URL 憑證或未脫敏截圖。" ], "allowed_outputs": [ "更新 `source-control-ref-truth-classification.snapshot.json` 的 read-only owner response 欄位。", "更新 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 的 owner response 摘要。", "更新 `source-control-primary-readiness-gate.snapshot.json` 的 blocker wording,且 primary_ready_count 維持 0。" ], "execution_authorized": false }, { "template_id": "response-active-dev-branch-truth-source", "lane": "active_branch_truth_required", "affected_repos": [ "wooo/awoooi -> owenhytsai/awoooi" ], "risk": "HIGH", "covered_item_count": 1, "requested_owner_decision": "判定 `wooo/awoooi` 的 `dev` branch 是否仍是 active workflow、legacy branch 或需補證;維持 refs action disabled。", "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "ref_name", "workflow_owner", "branch_disposition", "evidence_refs" ], "acceptable_decisions": [ "keep_active_branch_candidate", "mark_branch_legacy_candidate", "hold_pending_workflow_owner", "unknown_requires_more_evidence" ], "minimum_evidence_refs": [ "docs/security/source-control-ref-truth-classification.snapshot.json", "docs/security/source-control-reconcile-plan.snapshot.json", "docs/security/security-approval-review-packet.snapshot.json" ], "acceptance_criteria": [ "必須指出 `dev` 是否仍有開發、部署、CI 或 release workflow 用途。", "若標為 legacy,只能標記 candidate,不代表刪除或封存批准。", "必須提供 workflow owner 或 request_more_evidence owner。" ], "rejection_conditions": [ "要求立即刪除或同步 `dev` branch。", "沒有 workflow owner 或 branch disposition。", "把 legacy candidate 當成 delete approval。" ], "allowed_outputs": [ "更新 `dev` branch 的 read-only disposition 欄位。", "更新 draft reconcile plan 的 blocked reason。", "建立 request_more_evidence lane。" ], "execution_authorized": false }, { "template_id": "response-drift-deprecated-candidate-batch", "lane": "archive_or_deprecate_candidate", "affected_repos": [ "wooo/awoooi drift/adopt-*" ], "risk": "LOW", "covered_item_count": 114, "requested_owner_decision": "批次判定 `drift/adopt-*` refs 是否可列為 deprecated candidate、audit retention candidate 或需拆批補證;標記 deprecated candidate 不等於 delete approval。", "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "ref_pattern_or_ref_list", "retention_owner", "audit_or_rollback_use", "evidence_refs" ], "acceptable_decisions": [ "mark_deprecated_candidate", "keep_audit_retention_candidate", "split_batch_requires_more_evidence", "unknown_requires_more_evidence" ], "minimum_evidence_refs": [ "docs/security/source-control-ref-truth-classification.snapshot.json", "docs/security/source-control-ref-detail-diff.snapshot.json", "docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md" ], "acceptance_criteria": [ "必須明確說明這是批次 owner disposition,不是刪除批准。", "必須提供 retention owner 或補證 owner。", "若需要拆批,必須說明拆分準則與下一個 evidence owner。" ], "rejection_conditions": [ "把 deprecated candidate 當成 delete approval。", "要求刪除、rewrite、force push 或 prune refs。", "未說明 audit / rollback / retention 用途是否仍存在。" ], "allowed_outputs": [ "更新 classification 的 deprecated candidate owner response 欄位。", "更新人工 review checklist。", "維持 refs delete / push / force push 禁用。" ], "execution_authorized": false }, { "template_id": "response-release-tag-retention", "lane": "release_tag_missing_on_github", "affected_repos": [ "wooo/awoooi v7.2.0", "wooo/awoooi v7.3.0", "wooo/clawbot-v5 v5.5-sprint1" ], "risk": "MEDIUM", "covered_item_count": 3, "requested_owner_decision": "判定 release tags 是否需要保留、是否為 legacy candidate,或是否等待 artifact / deploy owner 補證;維持 tag action disabled。", "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "tag_name", "artifact_owner", "deploy_marker_owner", "retention_disposition", "evidence_refs" ], "acceptable_decisions": [ "keep_release_tag_candidate", "mark_tag_legacy_candidate", "hold_pending_artifact_owner", "unknown_requires_more_evidence" ], "minimum_evidence_refs": [ "docs/security/source-control-ref-truth-classification.snapshot.json", "docs/security/source-control-ref-detail-diff.snapshot.json", "docs/security/source-control-primary-rollback-adr.snapshot.json" ], "acceptance_criteria": [ "必須逐 tag 指定 artifact owner、deploy marker owner 或補證 owner。", "必須說明保留或 legacy candidate 的依據。", "必須明確不授權 tag push、tag rewrite 或 tag delete。" ], "rejection_conditions": [ "要求立即同步、重寫或刪除 tag。", "缺 artifact owner 或 deploy marker owner。", "把 tag retention response 當成 release approval。" ], "allowed_outputs": [ "更新 release tag review lane。", "更新 rollback ADR 的 evidence gap wording。", "維持 tag action disabled。" ], "execution_authorized": false }, { "template_id": "response-github-only-ref-review", "lane": "github_only_manual_review", "affected_repos": [ "wooo/wooo-aiops refactor/phase-9.3", "wooo/wooo-aiops 19 UAT tags" ], "risk": "MEDIUM", "covered_item_count": 20, "requested_owner_decision": "判定 GitHub-only branch / UAT tags 是否保留、回補候選、legacy candidate 或需稽核 owner 補證;backfill 只能是 candidate,不代表 push。", "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "repo", "ref_name_or_pattern", "github_only_owner", "audit_owner", "backfill_candidate_reason", "evidence_refs" ], "acceptable_decisions": [ "keep_github_only_candidate", "backfill_to_gitea_candidate", "mark_legacy_github_only_candidate", "hold_pending_audit_owner", "unknown_requires_more_evidence" ], "minimum_evidence_refs": [ "docs/security/source-control-ref-truth-classification.snapshot.json", "docs/security/source-control-ref-detail-diff.snapshot.json", "docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md" ], "acceptance_criteria": [ "必須說明 GitHub-only refs 的用途、owner 或補證 owner。", "若選 backfill_to_gitea_candidate,必須明確標示只是候選,不授權 push。", "必須維持 GitHub primary readiness blocked。" ], "rejection_conditions": [ "把 backfill candidate 當成 push approval。", "要求刪除 GitHub-only refs 或直接同步到 Gitea。", "缺 GitHub-only owner 或 audit owner。" ], "allowed_outputs": [ "更新 GitHub-only review lane。", "更新 draft reconcile plan 的 candidate wording。", "維持 refs action disabled。" ], "execution_authorized": false } ], "acceptance_checks": [ { "check_id": "maps_to_known_ref_truth_lane", "title": "回覆對應既有 refs truth lane", "required": true, "pass_condition": "`lane` 必須對應 source_control_ref_truth_classification_v1 既有 lane:main_truth_required、active_branch_truth_required、archive_or_deprecate_candidate、release_tag_missing_on_github 或 github_only_manual_review。", "failure_lane": "reject_unknown_ref_truth_lane", "execution_authorized": false }, { "check_id": "decision_value_allowed", "title": "決策值在允許範圍內", "required": true, "pass_condition": "`decision` 必須是該 response template 的 acceptable_decisions 之一。", "failure_lane": "request_owner_correction", "execution_authorized": false }, { "check_id": "repo_and_ref_scope_present", "title": "repo 與 ref scope 已標示", "required": true, "pass_condition": "每筆回覆必須有 repo 與 ref_name、tag_name、ref_pattern 或 ref_list;批次回覆必須有可重現範圍。", "failure_lane": "request_more_evidence", "execution_authorized": false }, { "check_id": "truth_source_or_disposition_present", "title": "真相來源或 disposition 已說明", "required": true, "pass_condition": "main/dev lane 必須有 truth source 或 workflow disposition;deprecated/release/GitHub-only lane 必須有 retention、legacy、backfill candidate 或補證 disposition。", "failure_lane": "keep_ref_truth_blocked", "execution_authorized": false }, { "check_id": "deploy_or_artifact_evidence_present_for_high_risk", "title": "高風險 ref 有 deploy 或 artifact owner", "required": true, "pass_condition": "main branch 與 release tag response 必須提供 deploy marker、production source、rollback point 或 artifact owner;未知時必須選 hold/unknown。", "failure_lane": "request_deploy_or_artifact_owner", "execution_authorized": false }, { "check_id": "no_refs_action_requested", "title": "不含 refs 執行要求", "required": true, "pass_condition": "回覆不得要求 fetch、push refs、delete refs、force push、mirror sync、tag rewrite、branch rewrite 或 prune refs。", "failure_lane": "reject_refs_action", "execution_authorized": false }, { "check_id": "no_primary_or_repo_change_requested", "title": "不含 primary 或 repo 變更要求", "required": true, "pass_condition": "回覆不得要求切 GitHub primary、建立 repo、修改 visibility、停用 Gitea、刪除 Gitea 或封存 Gitea。", "failure_lane": "reject_primary_or_repo_action", "execution_authorized": false }, { "check_id": "secret_values_absent", "title": "未包含 secret value", "required": true, "pass_condition": "`evidence_refs` 只能指向 repo 內文件、snapshot 或已脫敏 owner metadata,不得含 token、credential、secret value、private key、deploy key value、cookie 或 session。", "failure_lane": "quarantine_sensitive_payload", "execution_authorized": false } ], "rejection_rules": [ "回覆含 token value、PAT、cookie、session、CSRF token、private key、deploy key value 或 partial credential 時必須拒收。", "回覆要求 fetch、push refs、delete refs、force push、mirror sync、tag rewrite、branch rewrite 或 prune refs 時必須拒收。", "回覆要求切 GitHub primary 或把 GitHub primary readiness 視為已完成時必須拒收。", "回覆要求建立 repo、修改 repo visibility 或改 remote URL 時必須拒收。", "回覆把 deprecated_candidate 當成 delete approval 時必須拒收。", "回覆把 backfill_to_gitea_candidate 當成 push approval 時必須拒收。", "回覆缺 repo/ref/lane 或批次範圍無法重現時不得標記 accepted。", "main / release high-risk 回覆缺 deploy marker、artifact、rollback 或補證 owner 時不得標記 accepted。", "回覆要求停用、刪除、封存或降級 Gitea 時必須拒收。", "任何不確定是否含敏感值、私有 URL 憑證或未脫敏截圖的回覆必須先進 mirror quarantine。" ], "allowed_outputs": [ "更新 `source-control-ref-truth-classification.snapshot.json` 的 read-only owner response 欄位。", "更新 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 的 owner response 摘要。", "更新 `source-control-reconcile-plan.snapshot.json` 的 draft wording。", "更新 `source-control-primary-readiness-gate.snapshot.json` 的 blocker wording。", "建立 request_more_evidence / quarantine lane。", "維持 `github_primary_ready_count=0` 與所有 refs / repo / primary execution flags false。" ], "forbidden_actions": [ "fetch refs。", "push refs。", "delete refs。", "force push。", "rewrite branch 或 tag。", "切 GitHub primary。", "建立 GitHub repo 或修改 visibility。", "停用、刪除、封存或降級 Gitea repo。", "保存 secret value、token value、private key、cookie、session 或 deploy key value。", "新增 AwoooP execution action button。" ] }