awoooi/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md
Your Name 58e760fae2
feat(security): expand S4.10 target owner response
2026-06-11 20:30:41 +08:00


Gitea-to-GitHub Full Version Migration Inventory

| Item | Details |
| --- | --- |
| Date | 2026-06-04 |
| Status | Third read-only inventory refresh; synchronization and primary cutover have not started |
| Scope | Source control / CI/CD supply chain security |
| Upstream handoff | docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md |
| Branch/tag/SHA inventory tool | scripts/security/source-control-migration-inventory.py |
| Repo list inventory tool | scripts/security/gitea-repo-inventory.py |
| Local remote inventory tool | scripts/security/local-git-remote-inventory.py |
| Latest branch/tag/SHA snapshot | docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md / docs/security/gitea-github-awoooi-inventory.snapshot.json |
| Latest repo list snapshot | docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md / docs/security/gitea-repo-inventory.snapshot.json |
| Gitea org endpoint blocked snapshot | docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md / docs/security/gitea-org-repo-inventory-blocked.snapshot.json |
| Gitea public search snapshot | docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md / docs/security/gitea-public-repo-search.snapshot.json |
| Gitea server-side inventory runbook | docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md |
| Gitea read-only inventory approval package | docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md / docs/security/gitea-readonly-inventory-approval.snapshot.json |
| Gitea admin export redaction checklist | docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md |
| Latest local remote snapshot | docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md / docs/security/local-git-remote-inventory.snapshot.json |
| GitHub target probe | docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md / docs/security/github-target-probe.snapshot.json |
| Local canonical lineage probe | docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md / docs/security/local-repo-canonical-ewoooc-momo.snapshot.json |
| Internal 110 refs probe | docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md / docs/security/git-remote-refs-bitan-tsenyang.snapshot.json |
| wooo-infra-config refs probe | docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md / docs/security/git-remote-refs-wooo-infra-config.snapshot.json |
| GitHub target decision table | docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md / docs/security/github-target-decision.snapshot.json |
| GitHub target repo-by-repo approval package | docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md / docs/security/github-target-repo-approval-package.snapshot.json |
| Source Control draft reconcile plan | docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md / docs/security/source-control-reconcile-plan.snapshot.json |
| Source Control branch/tag detail diff | docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md / docs/security/source-control-ref-detail-diff.snapshot.json |
| Source Control ref truth classification | docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md / docs/security/source-control-ref-truth-classification.snapshot.json |
| Source Control ref truth owner response | docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md / docs/security/source-control-ref-truth-owner-response.snapshot.json |
| Workflow / secret name owner response | docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md / docs/security/source-control-workflow-secret-name-owner-response.snapshot.json |
| Owner response validation rollup | docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md / docs/security/source-control-owner-response-validation-rollup.snapshot.json |
| Source Control migration matrix | docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md |
| Canonical repo decision table | docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md |

0. Key conclusions

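GitHub cannot be switched to primary directly at this point.

The third read-only inventory round shows that, at minimum, the awoooi repo currently being worked on has the following differences: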

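  • The main SHA on GitHub (origin) and on Gitea (gitea) does not match.
  • Gitea has a large number of drift/adopt-* branches that GitHub does not have; as of the 2026-06-04 read-only refresh, awoooi has 170 Gitea heads and 2 GitHub heads, and 168 heads are Gitea-only.
  • Gitea has release tags; no tags can currently be found on GitHub.
  • The local gitea remote URL has a credential embedded in it, which is a credential hygiene risk; it must not be written into documents or copied to GitHub, and it must later be removed and rotated.
  • Without a token, the Gitea wooo user endpoint shows wooo/awoooi and wooo/ewoooc; currently gitea_repo_inventory_v1.status=partial.
  • The unauthenticated query to the Gitea org endpoint still returns 404; results obtained without a token represent only the public-only visible scope and do not mean that private/internal repos have been fully inventoried.
  • The Gitea read-only inventory approval package has been created; before a read-only token or an admin export is obtained, manual approval is required first, and the token value must not be stored.
  • The GitHub target probe shows that 5 of 8 candidates are readable and 3 are not_found_or_private: owenhytsai/ewoooc, owenhytsai/bitan-pharmacy, owenhytsai/tsenyang-website.
  • The local lineage probe for ewoooc-momo-pro-system shows that the three working trees share no common commit within the recent sample, so they must not be automatically treated as copies or as branches of the same repo.
  • The 110 remote refs probe for bitan-pharmacy and tsenyang-website shows that local main is aligned with remote main, with 1 head / 0 tags each, but the GitHub target is still unconfirmed.
  • For wooo-infra-config, the GitHub remote is aligned with local main; the 110 internal remote is currently unreadable to the read-only probe, and it must be determined whether this is an old remote, a mirror, or a permission problem.
  • The GitHub target decision table has been created; 9 of 10 candidates require manual approval. Among them, ewoooc, bitan-pharmacy, tsenyang-website, VibeWork and agent-bounty-protocol must not be automatically created or synchronized before the target visibility / owner decision.
  • The GitHub target repo-by-repo approval package has been created; the 9 approval-required targets are split across four paths: refs reconcile, target creation / authorization, confirmation of internal remote purpose, and product / agent runtime boundary. This package follows a low-friction principle: it gates only high-risk execution and does not block read-only evidence.
  • The Source Control ref truth classification was regenerated on 2026-06-04 as the current queue: 194 refs review items, of which 4 are source-of-truth determinations, 142 are drift deprecated candidates, 3 are release tag reviews, and 20 are GitHub-only refs reviews. The S4.11 owner response request packet, template status ledger, audit event templates, redaction examples, collection checks, intake preflight checks and owner response templates remain an intake framework; received / accepted responses are both 0 and audit events emitted is still 0. This is not sync approval.
  • The workflow / secret name owner response has been created. S4.12 adds 1 owner response request packet, 5 template statuses, 3 audit event templates, 5 redaction examples, 6 collection checks, 6 intake preflight checks and 5 response templates; received / accepted responses are both 0 and audit events emitted is still 0. This only allows owners to supply redacted dispositions for webhook, runner, deploy key, branch protection / CODEOWNERS and repository secret name parity; it does not authorize collecting secret values, modifying workflows, enabling GitHub hosted runners, or switching to GitHub primary.
  • Local evidence for workflow / secret names was rerun on 2026-06-04: 8 candidate repos, 7 locally visible repos, 4 local evidence repos, 31 workflow files, 42 unique referenced secret names, and secret_value_detected=false; however, webhook, runner owner, deploy key, branch protection and repository secret name parity are still missing.
  • The owner response validation rollup has been created. S4.13 consolidates the four response packets S4.9 / S4.10 / S4.11 / S4.12: 24 response templates in total, 6 evidence routing rules, 8 display sections, 7 state transition rules, 9 reviewer checklist items, 7 reviewer outcome lanes, 4 reviewer audit event templates, 5 reviewer audit display sections, 6 reviewer audit collection checks, 5 reviewer audit redaction examples, 5 reviewer audit retention rules, 6 reviewer audit retention checks, 6 reviewer audit handoff packets, 6 reviewer audit handoff checks, 6 parallel session sync checks, 6 parallel session conflict lanes, 6 parallel session recovery checks and 7 parallel session recovery outcome lanes; received / accepted responses are both 0 and reviewer audit emitted is still 0. This is only an acceptance overview, read-only routing, display order, state semantics, manual review prompts, outcome classification, redacted audit format, audit display boundary, read-only audit checks, safe metadata display examples, metadata retention boundary, read-only retention verification, cross-session read-only handoff, handoff consumption checks, parallel session sync checks, conflict lanes, pre-recovery checks and recovery outcome classification; it is not approval, a runtime gate, production ingestion or execution authorization.
  • The auxiliary inventory of locally visible Git working trees found 13 repos; after deduplication these are 4 Gitea repos, 5 GitHub repos and 4 110-internal repos. This result can be used to fill in the migration matrix, but cannot replace the full Gitea server list.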

Therefore, the full inventory of repo / branch / tag / workflow / webhook / permission / secret names must be completed first, followed by incremental mirroring and verification.

1. Read-only probes in this round

| Check | Result |
| --- | --- |
| git remote -v | Confirmed that origin points to GitHub and gitea points to the local Gitea; no credentials are stored in this document |
| GitHub heads | 2 |
| Gitea heads | 170 |
| GitHub tags | 0 |
| Gitea tag refs | 4 raw refs; the actual tags are v7.2.0 and v7.3.0 |
| Gitea org API | Unauthenticated query to http://192.168.0.110:3001/api/v1/orgs/wooo/repos returned 404; kept as endpoint determination evidence |
| Gitea user API | Unauthenticated query to http://192.168.0.110:3001/api/v1/users/wooo/repos returned 200; 2 public repos obtained |
| Gitea public search API | Unauthenticated query to /api/v1/repos/search returned 200; obtained wooo/awoooi and wooo/ewoooc |
| Rerunnable tool | python3 scripts/security/source-control-migration-inventory.py --repo . --gitea-remote gitea --github-remote origin --output-json docs/security/gitea-github-awoooi-inventory.snapshot.json --output-md docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md |
| Gitea repo list tool | python3 scripts/security/gitea-repo-inventory.py --base-url http://192.168.0.110:3001 --org wooo --scope user --github-owner owenhytsai --output-json docs/security/gitea-repo-inventory.snapshot.json --output-md docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md |
| Gitea read-only inventory approval | docs/security/gitea-readonly-inventory-approval.snapshot.json |
| Gitea public search tool | python3 scripts/security/gitea-repo-inventory.py --base-url http://192.168.0.110:3001 --org public-search --github-owner owenhytsai --scope search --limit 100 --output-json docs/security/gitea-public-repo-search.snapshot.json --output-md docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md |
| Local remote inventory tool | python3 scripts/security/local-git-remote-inventory.py --root /Users/ogt --root "/Users/ogt/Library/Mobile Documents/com~apple~CloudDocs" --max-depth 4 --output-json docs/security/local-git-remote-inventory.snapshot.json --output-md docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md |
| GitHub target probe tool | python3 scripts/security/github-target-probe.py --candidate owenhytsai/awoooi --candidate owenhytsai/clawbot-v5 --candidate owenhytsai/wooo-aiops --candidate owenhytsai/wooo-infra-config --candidate owenhytsai/ewoooc --candidate owenhytsai/bitan-pharmacy --candidate owenhytsai/tsenyang-website --candidate nexu-io/open-design --output-json docs/security/github-target-probe.snapshot.json --output-md docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md |
| Workflow / secret name local evidence tool | python3 scripts/security/source-control-workflow-secret-name-local-inventory.py --date 2026-06-04 ... --output docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json |
| Local canonical lineage tool | python3 scripts/security/local-repo-canonical-probe.py --group-name ewoooc-momo-pro-system --repo local-momo-gitea=/Users/ogt/momo-pro-system --repo icloud-momo-gitea="/Users/ogt/Library/Mobile Documents/com~apple~CloudDocs/momo-pro-system" --repo local-momo-gitlab=/Users/ogt/momo_pro_system --sample-limit 100 --git-timeout 8 --output-json docs/security/local-repo-canonical-ewoooc-momo.snapshot.json --output-md docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md |
| Internal 110 refs tool | python3 scripts/security/git-remote-refs-probe.py --group-name internal-110-bitan-tsenyang --repo bitan-pharmacy=/Users/ogt/bitan-pharmacy=origin --repo tsenyang-website=/Users/ogt/tsenyang-website=origin --output-json docs/security/git-remote-refs-bitan-tsenyang.snapshot.json --output-md docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md |
| wooo-infra-config refs tool | python3 scripts/security/git-remote-refs-probe.py --group-name wooo-infra-config-remotes --repo wooo-infra-config-gitea=/Users/ogt/wooo-infra-config=gitea --repo wooo-infra-config-github=/Users/ogt/wooo-infra-config=origin --output-json docs/security/git-remote-refs-wooo-infra-config.snapshot.json --output-md docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md |
| GitHub target decision snapshot | docs/security/github-target-decision.snapshot.json; manually compiled from the read-only evidence above; not an execution tool; does not authorize repo creation or visibility changes |
| GitHub target repo-by-repo approval snapshot | docs/security/github-target-repo-approval-package.snapshot.json; splits the approval path repo by repo; does not authorize execution |
| Source Control draft reconcile plan | docs/security/source-control-reconcile-plan.snapshot.json; produces only a draft_blocked draft; does not authorize refs sync |
| Source Control branch/tag detail diff | docs/security/source-control-ref-detail-diff.snapshot.json; stores branch/tag details for the 3 refs-blocked mapped repos; does not authorize fetch/push |
| Source Control ref truth classification | docs/security/source-control-ref-truth-classification.snapshot.json; converts the ref diff into a per-ref manual determination queue; does not authorize sync/delete |
| Workflow / secret name owner response | docs/security/source-control-workflow-secret-name-owner-response.snapshot.json; fixes 5 categories of response templates; does not authorize secret value collection, workflow modification, hosted runner enablement or primary switch |
| Owner response validation rollup | docs/security/source-control-owner-response-validation-rollup.snapshot.json; shows in one place the S4.9-S4.12 four-packet response validation, evidence routing, display sections, state transition rules, reviewer checklist, reviewer outcome lanes, reviewer audit event templates, reviewer audit display sections, reviewer audit collection checks, reviewer audit redaction examples, reviewer audit retention rules, reviewer audit retention checks, reviewer audit handoff packets, reviewer audit handoff checks, parallel session sync checks, parallel session conflict lanes, parallel session recovery checks and parallel session recovery outcome lanes; does not authorize approval, production ingestion or runtime action |

1.1 Gitea repo list snapshot

| Field | Value |
| --- | --- |
| Schema | gitea_repo_inventory_v1 |
| Status | partial |
| Query mode | user |
| Visibility scope | public_only |
| HTTP status | 200 |
| Repo count | 2 |
| Token present | false |
| Snapshot | docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md / docs/security/gitea-repo-inventory.snapshot.json |
| Org endpoint blocked snapshot | docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md / docs/security/gitea-org-repo-inventory-blocked.snapshot.json |
| Blocking reason | No token was provided, so the result covers only publicly visible repos; private/internal repos still require a read-only token or an admin export |

This result means the public-only server-side repo list is complete, but the inventory of "all Gitea projects" is not. Bulk sync, deletion, archiving, or the GitHub primary cutover must not begin.

1.1.1 Gitea public search snapshot

| Field | Value |
| --- | --- |
| Schema | gitea_repo_inventory_v1 |
| Status | partial |
| HTTP status | 200 |
| Repo count | 2 |
| Token present | false |
| Visible repos | wooo/awoooi, wooo/ewoooc |
| Snapshot | docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md / docs/security/gitea-public-repo-search.snapshot.json |

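This result shows that Gitea has public repos visible to a read-only search, but private/internal repos may still be missing. It can therefore only reinforce the evidence; it cannot replace a read-only token or an admin export. For the full procedure, see docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md.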

1.2 Local Git remote snapshot

| Field | Value |
| --- | --- |
| Schema | local_git_remote_inventory_v1 |
| Status | partial |
| Scan roots | /Users/ogt, /Users/ogt/Library/Mobile Documents/com~apple~CloudDocs |
| Working tree count | 13 |
| Gitea linked working trees | 6 |
| GitHub linked working trees | 6 |
| Mapped working trees | 4 |
| Gitea-only working trees | 2 |
| GitHub-only working trees | 2 |
| 110 internal-only working trees | 3 |
| Deduplicated Gitea repos | wooo/awoooi, wooo/clawbot-v5, wooo/ewoooc, wooo/wooo-aiops |
| Deduplicated GitHub repos | nexu-io/open-design, owenhytsai/awoooi, owenhytsai/clawbot-v5, owenhytsai/wooo-aiops, owenhytsai/wooo-infra-config |
| Deduplicated 110 internal repos | bitan-pharmacy, root/momo-pro-system, tsenyang-website, wooo/wooo-infra-config |
| Snapshot | docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md / docs/security/local-git-remote-inventory.snapshot.json |

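This snapshot represents only locally visible working trees. It reveals source control risk outside the Gitea API: some projects are still connected only to the 110 internal remote or to a GitLab-type remote, and these must also be included in the migration matrix before the GitHub primary cutover.

The first version of the work assignment matrix has been created in docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md. The matrix splits source-control targets such as awoooi, ewoooc, clawbot-v5, wooo-aiops, bitan-pharmacy, tsenyang-website and wooo-infra-config into P0/P1/P2, and does not authorize any automatic sync or deletion.

Refs diff added on 2026-05-12: read-only refs snapshots were produced for wooo/clawbot-v5 and wooo/wooo-aiops, and both are blocked. Therefore, among the mapped repos verified so far, none of awoooi, clawbot-v5 or wooo-aiops is GitHub primary ready.

The canonical repo decision table has been created in docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md. wooo/ewoooc, root/momo-pro-system, momo-pro-system and momo_pro_system are currently listed as pending manual determination and must not be merged automatically.

The GitHub target probe has been created in docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md. owenhytsai/ewoooc, owenhytsai/bitan-pharmacy and owenhytsai/tsenyang-website are currently not visible to the read-only probe without authorization, so they cannot be regarded as completed GitHub targets.

The GitHub target creation and visibility decision table has been created in docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md. Currently github_target_decision_v1.status=draft, and 9 of the 10 target candidates have approval_required=true. This table can only serve as approval evidence for the next stage; it cannot be used to automatically create repos, change visibility, sync refs, or switch to GitHub primary.

The GitHub target repo-by-repo approval package has been created in docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md. Currently github_target_repo_approval_package_v1.status=draft, and all 9 approval items are pending. This package is used for staged approval and for owner / visibility / canonical determination; it must not be read as approval to push or sync.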

2. Current repo comparison

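| Field | Gitea | GitHub | Status |
| --- | --- | --- | --- |
| Repo | wooo/awoooi | owenhytsai/awoooi | Mapping exists |
| main | 64490d32c67d24ed123cbd4e2261c69e17913e38 | 202071f7a8724d5e8c29de441c3f380575a0ea94 | Mismatch; blocks the primary cutover |
| release/v1.0 | d15fb7d9f4bac86873d5c16b9c17c527b8f38bef | d15fb7d9f4bac86873d5c16b9c17c527b8f38bef | Match |
| dev | Gitea-only; still pending owner determination | | GitHub is missing the branch |
| drift/adopt-* | Multiple | | GitHub is missing the branches |
| v7.2.0 | | | GitHub is missing the tag |
| v7.3.0 | | | GitHub is missing the tag |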

3. Gitea-only branch types

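| Type | Description | Recommended handling |
| --- | --- | --- |
| dev | Exists on Gitea, not on GitHub | Determine whether it is still in use; if so, it needs to be synced |
| drift/adopt-* | GitOps / drift adoption branches | Keep first, then sync or archive; must not be deleted directly |
| main | Gitea and GitHub SHAs do not match | Need to confirm which side is the deployment source of truth |
| release/v1.0 | SHAs match on both sides | Can be marked as aligned |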
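
The head and tag comparison behind sections 2 and 3, as an added example (not the project's scripts/security tooling): it parses two `git ls-remote` listings, folds peeled `^{}` tag lines so that 4 raw tag refs count as 2 tags, and labels each ref. The main and release/v1.0 SHAs are the ones in the comparison table; the dev, drift/adopt-example and tag SHAs are constructed placeholders, and treating any non-aligned ref as blocking is an assumption.

```python
"""Added example: read-only ref parity check between two remotes.

Input is the text printed by `git ls-remote --heads --tags <remote>`.
"""
from collections import Counter

# Constructed listings. Only the main and release/v1.0 SHAs come from the
# comparison table on this page; the repeated-letter SHAs are placeholders.
GITEA_SAMPLE = "\n".join([
    "64490d32c67d24ed123cbd4e2261c69e17913e38\trefs/heads/main",
    "d15fb7d9f4bac86873d5c16b9c17c527b8f38bef\trefs/heads/release/v1.0",
    "a" * 40 + "\trefs/heads/dev",
    "b" * 40 + "\trefs/heads/drift/adopt-example",
    "c" * 40 + "\trefs/tags/v7.2.0",       # annotated tag object
    "d" * 40 + "\trefs/tags/v7.2.0^{}",    # peeled line: the tagged commit
    "e" * 40 + "\trefs/tags/v7.3.0",
    "f" * 40 + "\trefs/tags/v7.3.0^{}",
])
GITHUB_SAMPLE = "\n".join([
    "202071f7a8724d5e8c29de441c3f380575a0ea94\trefs/heads/main",
    "d15fb7d9f4bac86873d5c16b9c17c527b8f38bef\trefs/heads/release/v1.0",
])


def parse_ls_remote(text):
    """Return (heads, tags), each mapping a short ref name to a commit SHA."""
    heads, tags = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue                        # skip blank or malformed lines
        sha, ref = fields
        if ref.startswith("refs/heads/"):
            heads[ref[len("refs/heads/"):]] = sha
        elif ref.startswith("refs/tags/"):
            name = ref[len("refs/tags/"):]
            if name.endswith("^{}"):
                tags[name[:-3]] = sha       # peeled commit replaces the tag object
            else:
                tags.setdefault(name, sha)  # keep a peeled SHA if already seen
    return heads, tags


def classify(source, target):
    """Label each ref: aligned, sha_mismatch, source_only or target_only."""
    labels = {}
    for name in sorted(set(source) | set(target)):
        if name not in target:
            labels[name] = "source_only"
        elif name not in source:
            labels[name] = "target_only"
        else:
            labels[name] = "aligned" if source[name] == target[name] else "sha_mismatch"
    return labels


def parity_report(source_text, target_text):
    """Compare two listings; any ref that is not aligned blocks (assumption)."""
    (s_heads, s_tags), (t_heads, t_tags) = map(parse_ls_remote, (source_text, target_text))
    heads, tags = classify(s_heads, t_heads), classify(s_tags, t_tags)
    counts = Counter(heads.values()) + Counter(tags.values())
    blocked = sum(counts.values()) != counts["aligned"]
    return {"heads": heads, "tags": tags, "counts": dict(counts),
            "status": "blocked" if blocked else "aligned"}
```
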

4. Credential Hygiene

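This round found that the local git remote has Gitea credentials embedded in it. Handling principles going forward:

  1. Do not write the credential value into any document, LOGBOOK, issue, PR or chat.
  2. Before the cutover, remove the embedded credential from the local remote URL.
  3. Switch to a credential helper, a read-only token, or a deployment-specific secret store.
  4. Rotate the existing token.
  5. Record evidence of "rotated" in the AwoooP / AWOOOI audit; do not record the token value.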
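
One way to carry out steps 1 and 2 of this list, as an added example (not the project's tooling): it reads `git remote -v` output, reports which remotes carry userinfo in the URL, and returns only the credential-free URL so the secret never reaches a report or log. The user name and token in the sample are constructed; the host and repo paths are the ones named on this page.

```python
"""Added example: find embedded credentials in git remote URLs without
ever returning or printing the credential itself."""
from urllib.parse import urlsplit, urlunsplit

# Constructed `git remote -v` output; the user name and token are fake.
REMOTE_V_SAMPLE = (
    "gitea\thttp://svc-user:EXAMPLE-TOKEN@192.168.0.110:3001/wooo/awoooi.git (fetch)\n"
    "gitea\thttp://svc-user:EXAMPLE-TOKEN@192.168.0.110:3001/wooo/awoooi.git (push)\n"
    "origin\thttps://github.com/owenhytsai/awoooi.git (fetch)\n"
    "origin\thttps://github.com/owenhytsai/awoooi.git (push)\n"
)
RANK = {"none": 0, "username_only": 1, "embedded_credential": 2}


def strip_userinfo(url):
    """Return (safe_url, finding) for one remote URL.

    finding is "embedded_credential", "username_only" or "none".
    """
    if "://" not in url:
        return url, "none"            # scp-like git@host:path has no password slot
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url, "none"
    # Over HTTP(S) a lone "user" is often the token itself, so any userinfo
    # counts as a credential; for ssh:// a bare user name is not a secret.
    if parts.password is None and parts.scheme not in ("http", "https"):
        return url, "username_only"
    host = parts.hostname or ""
    if ":" in host:                   # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, "embedded_credential"


def audit_remotes(remote_v_text):
    """Return one redacted record per remote name, safe to store as evidence."""
    records = {}
    for line in remote_v_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        name, (safe_url, finding) = fields[0], strip_userinfo(fields[1])
        previous = records.get(name)
        if previous is None or RANK[finding] > RANK[previous["finding"]]:
            records[name] = {"remote": name, "url": safe_url, "finding": finding}
            if finding == "embedded_credential":
                # Argument list for the cleanup step; token rotation is separate.
                records[name]["fix"] = ["git", "remote", "set-url", name, safe_url]
    return list(records.values())
```
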

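5. Full project inventory to-do

So far only the preliminary inventory of the awoooi repo in this working directory is complete. To satisfy "all current Gitea project versions are migrated to GitHub", the following still needs to be completed: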

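| Item | Status | Notes |
| --- | --- | --- |
| Gitea org/repo list | Partially complete | The public-only user endpoint has confirmed 2 repos; private/internal still requires a read-only token or an admin export |
| Locally visible Git remotes | Partially complete | Auxiliary evidence only; not equivalent to the full server list |
| GitHub target for each repo | Partially complete | 10 target candidates and a decision draft exist; owner / visibility / server-side refs decisions are still needed |
| Full branches diff | Pending inventory | Run a heads comparison for each repo |
| Full tags diff | Pending inventory | Run a tags comparison for each repo |
| releases / artifacts | Pending inventory | Gitea API or UI export |
| issues / PR | Pending inventory | Need to decide whether to migrate or archive |
| workflows | Pending inventory | Rewrite .gitea/workflows or keep it as a fallback |
| webhooks | Pending inventory | Connect to GitHub webhooks or the AwoooP event adapter |
| Secret names | Pending inventory | Inventory names and owners only; do not move values |
| branch protection / CODEOWNERS | Pending design | Required before GitHub primary |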

5.1 2026-06-04 specification gaps

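| Category | Gap | Handling direction |
| --- | --- | --- |
| No longer matches the current state | The 117 Gitea heads from 2026-05-13 and the 141 S4.11 refs review items are out of date; the 2026-06-04 read-only refresh shows 170 awoooi Gitea heads | The ref detail diff / ref truth classification have been regenerated and the current queue is 194 items; the next step is only to collect owner responses, not to execute refs |
| No longer matches the current state | source-control-workflow-secret-name-local-evidence.snapshot.json previously pointed to an old temporary worktree | Changed to this worktree in this round; subsequent snapshots must state the refresh date and a reproducible path |
| New rule needed | Generated snapshots overwrite manual governance annotations | Separate generator output from governance annotations into layers, or always restore the S4.5 / S4.6 / S4.7 status after regeneration |
| New rule needed | External / high-churn GitHub targets such as nexu-io/open-design produce a large amount of heads evidence | For external scope repos keep only summary / sampled refs, to avoid turning external refs into primary readiness evidence |
| Rule adjustment needed | The GitHub target probe can only prove read-only visibility; it cannot prove owner / visibility / primary readiness | The primary gate must require owner decision, refs parity, workflow / secret parity and a rollback ADR together |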

6. source_control_migration_event_v1 example

{
  "schema_version": "source_control_migration_event_v1",
  "gitea_repo": "wooo/awoooi",
  "github_repo": "owenhytsai/awoooi",
  "branch_count_gitea": 170,
  "branch_count_github": 2,
  "tag_count_gitea": 2,
  "tag_count_github": 0,
  "latest_sha_gitea": "64490d32c67d24ed123cbd4e2261c69e17913e38",
  "latest_sha_github": "202071f7a8724d5e8c29de441c3f380575a0ea94",
  "workflows_mapped": false,
  "webhooks_mapped": false,
  "secrets_inventory_only": true,
  "status": "blocked",
  "blocking_reason": "Gitea 與 GitHub main SHA 不一致,且 GitHub 缺 Gitea-only branches/tags。"
}

This example was generated from docs/security/gitea-github-awoooi-inventory.snapshot.json and passes the required-field and additional-properties checks of source_control_migration_event_v1.

7. Next steps

  1. Obtain approval for the Gitea read-only repo inventory through docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md; do not use a write token.
  2. Use github_target_decision_v1 to make owner / visibility / canonical decisions for targets that require manual approval.
  3. Using docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md, have repo owners decide item by item on main/dev, release tags, GitHub-only refs and drift deprecated candidates; still do not push refs.
  4. Label each as "can mirror", "needs manual judgment", "needs archiving" or "cannot be moved".
  5. Following the S4.12 workflow / secret name owner response request packet, template status ledger, audit event templates, redaction examples and intake package, verify webhook, runner, deploy key, branch protection / CODEOWNERS and repository secret name parity; collecting secret values, changing workflows or enabling hosted runners is still not allowed.
  6. Following the S4.13 owner response validation rollup, check in one place the S4.9-S4.12 four-packet response validation, evidence routing, display sections, state transition rules, reviewer checklist, reviewer outcome lanes, reviewer audit event templates, reviewer audit display sections, reviewer audit collection checks, reviewer audit redaction examples, reviewer audit retention rules, reviewer audit retention checks, reviewer audit handoff packets, handoff checks, parallel session sync checks, parallel session conflict lanes, parallel session recovery checks and parallel session recovery outcome lanes; the rollup, routing, sections, transition rules, reviewer checklist, reviewer outcome lanes, reviewer audit templates, reviewer audit display sections, reviewer audit collection checks, reviewer audit redaction examples, reviewer audit retention rules, reviewer audit retention checks, reviewer audit handoff packets / checks, parallel session sync checks, parallel session conflict lanes, parallel session recovery checks and parallel session recovery outcome lanes must still not be treated as approval, production ingestion or execution authorization.
  7. Produce the GitHub primary ADR, defining the cutover gate and rollback.
  8. Mirror source_control_migration_event_v1, gitea_repo_inventory_v1 and local_git_remote_inventory_v1 to AwoooP; initially as evidence only.