{
"schema_version": "gitea_inventory_owner_attestation_request_draft_v1",
"status": "request_draft_ready_not_sent",
"date": "2026-06-04",
"stage_id": "S4.9",
"mode": "owner_request_draft_only",
"runtime_execution_authorized": false,
"source_packet": "docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md",
"source_snapshot": "docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
"summary": {
"request_draft_package_ready": true,
"request_draft_template_count": 5,
"request_draft_template_ready_count": 5,
"frontstage_package_visible": true,
"frontstage_card_count": 5,
"frontstage_detail_visible": true,
"frontstage_detail_row_count": 5,
"frontstage_required_field_total": 30,
"frontstage_forbidden_action_count": 10,
"dispatch_preflight_package_ready": true,
"dispatch_preflight_completion_percent": 100,
"dispatch_preflight_check_count": 7,
"dispatch_packet_field_count": 11,
"dispatch_authorized": false,
"request_dispatch_allowed_without_human_operator": false,
"post_dispatch_count_increment_allowed_without_evidence": false,
"request_sent": false,
"request_sent_count": 0,
"recipients_confirmed_count": 0,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"owner_response_rejected_count": 0,
"audit_events_emitted_count": 0,
"runtime_gate_opened": false,
"action_buttons_allowed": false,
"not_authorization": true
},
"request_draft_templates": [
{
"template_id": "response-public-only-vs-local-gitea-gap",
"display_order": 1,
"attestation_item_id": "public_only_vs_local_gitea_gap",
"draft_status": "ready_not_sent",
"owner_question": "判定 wooo/clawbot-v5 與 wooo/wooo-aiops 是否屬本輪 inventory / migration scope。",
"required_fields": ["owner_role_or_team", "decision", "decision_reason", "affected_repos", "evidence_refs", "followup_owner"]
},
{
"template_id": "response-org-user-endpoint-identity",
"display_order": 2,
"attestation_item_id": "org_user_endpoint_identity",
"draft_status": "ready_not_sent",
"owner_question": "說明 wooo 在 Gitea 中應以 user、org 或兩者盤點。",
"required_fields": ["owner_role_or_team", "decision", "decision_reason", "canonical_namespace", "evidence_refs", "followup_owner"]
},
{
"template_id": "response-internal-110-adjacent-scope",
"display_order": 3,
"attestation_item_id": "internal_110_adjacent_scope",
"draft_status": "ready_not_sent",
"owner_question": "逐項判定 bitan-pharmacy、root/momo-pro-system、tsenyang-website、wooo/wooo-infra-config 是否納入本輪 scope。",
"required_fields": ["owner_role_or_team", "decision", "decision_reason", "affected_sources", "evidence_refs", "followup_owner"]
},
{
"template_id": "response-repo-owner-canonical-scope",
"display_order": 4,
"attestation_item_id": "repo_owner_canonical_scope",
"draft_status": "ready_not_sent",
"owner_question": "為 in-scope repo 指定 owner、canonical source、GitHub target candidate 與 visibility review owner。",
"required_fields": ["owner_role_or_team", "decision", "decision_reason", "affected_repos", "evidence_refs", "followup_owner"]
},
{
"template_id": "response-legacy-or-inaccessible-disposition",
"display_order": 5,
"attestation_item_id": "legacy_or_inaccessible_repo_disposition",
"draft_status": "ready_not_sent",
"owner_question": "對 legacy、inaccessible 或 external repo 留下 disposition、理由與後續 owner。",
"required_fields": ["owner_role_or_team", "decision", "decision_reason", "affected_repos", "evidence_refs", "followup_owner"]
}
],
"dispatch_preflight_checks": [
{
"check_id": "dispatch-baseline-sync",
"display_order": 1,
"check": "送件前確認 gitea/main 與另一個 AwoooP Session 最新 commit,不使用舊 refs 或舊 deploy marker。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "dispatch-template-version",
"display_order": 2,
"check": "五題 template id、必填欄位與收件包版本需一致。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "dispatch-recipient-role-only",
"display_order": 3,
"check": "收件對象只記錄 role / team,不收個人敏感資料或憑證。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "dispatch-redacted-evidence-refs",
"display_order": 4,
"check": "僅附 repo 內文件、snapshot、ticket id、hash 或脫敏 metadata ref。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "dispatch-forbidden-action-banner",
"display_order": 5,
"check": "明確標示此包不是 approval、不是 execution、不是 source-control mutation。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "dispatch-audit-metadata-only-after-send",
"display_order": 6,
"check": "只有實際送件後才可記錄 request shown metadata;不得預填已送出。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "dispatch-counts-remain-zero",
"display_order": 7,
"check": "無實際送件證據前,request_sent_count、received、accepted、rejected 全部維持 0。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
}
],
"dispatch_packet_template": {
"request_id": "s4_9_gitea_owner_attestation_response_request",
"stage_id": "S4.9",
"requested_templates": [
"response-public-only-vs-local-gitea-gap",
"response-org-user-endpoint-identity",
"response-internal-110-adjacent-scope",
"response-repo-owner-canonical-scope",
"response-legacy-or-inaccessible-disposition"
],
"recipient_role_or_team_required": true,
"sender_role_or_team_required": true,
"requested_response_deadline_or_window_optional": true,
"allowed_response_format": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner"
],
"redacted_evidence_refs_only": true,
"forbidden_payloads": [
"secret_plaintext",
"repo_archive",
"database_dump",
"runner_registration_token",
"deploy_key_private_key",
"git_object_pack"
],
"followup_owner_required": true,
"not_approval": true,
"runtime_execution_authorized": false
},
"post_dispatch_invariants": [
"request_sent_count 只能在有可稽核人工送件 metadata 後調整。",
"送件後不得同步提高 owner_response_received_count、owner_response_accepted_count 或 owner_response_rejected_count。",
"收到回覆後仍需經過 S4.9 response preflight、敏感材料隔離、跨包一致性檢查與 reviewer 驗收。",
"任何 GitHub primary、repo / refs / workflow / secret、Kali、SSH、主機維護或 runtime gate 都必須另走人工批准與 rollback / post-check。"
],
"allowed_outputs": [
"owner role/team metadata",
"decision and decision reason",
"affected repo/source/namespace metadata",
"redacted evidence refs",
"followup owner"
],
"forbidden_actions": [
"collect_secret_plaintext",
"collect_repo_archive",
"write_gitea",
"create_github_repo",
"change_repo_visibility",
"sync_or_delete_refs",
"force_push_refs",
"switch_github_primary",
"disable_gitea",
"open_runtime_gate"
],
"not_authorization": true
}