{
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"canonical_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"control_category_inventory": [
{
"category_id": "nginx_public_gateway",
"control_tier": "C0",
"label": "Nginx / reverse proxy / public route",
"path_patterns": [
"infra/ansible/roles/nginx/templates/*.j2",
"infra/ansible/playbooks/nginx-sync.yml",
"k8s/nginx/**",
"ops/nginx/**",
"docs/runbooks/disaster-recovery/DR-Nginx.md"
],
"priority": "P0",
"required_gate": "public_gateway_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"rendered_diff",
"nginx_t",
"affected_route_smoke",
"admin_route_smoke_if_affected",
"acme_path_smoke_if_affected",
"rollback_ref"
]
},
{
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"label": "DNS / TLS / certbot / certificate path",
"path_patterns": [
"docs/runbooks/REGISTRY-CERTBOT-188.md",
"docs/runbooks/**/*CERTBOT*.md",
"docs/runbooks/**/*TLS*.md",
"scripts/ops/**/*cert*",
"scripts/ops/**/*tls*",
"ops/**/*cert*",
"ops/**/*tls*",
"infra/**/*cert*",
"infra/**/*tls*",
"k8s/**/*tls*"
],
"priority": "P0",
"required_gate": "domain_tls_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
]
},
{
"category_id": "k8s_production_gitops",
"control_tier": "C0",
"label": "K8s / ArgoCD / production manifests",
"path_patterns": [
"k8s/awoooi-prod/**",
"k8s/argocd/**",
"k8s/velero/**",
"k8s/monitoring/**"
],
"priority": "P0",
"required_gate": "gitops_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"gitops_diff",
"argocd_health_readback",
"sync_authorization_check",
"rollback_revision",
"post_deploy_health_if_executed"
]
},
{
"category_id": "secret_metadata",
"control_tier": "C0",
"label": "Secret metadata / injection / redaction",
"path_patterns": [
"k8s/**/*secret*",
"k8s/**/*Secret*",
".gitea/workflows/*.yml",
".gitea/workflows/*.yaml",
".github/workflows/*.yml",
".github/workflows/*.yaml",
"docs/runbooks/SECRETS-MANAGEMENT.md",
"docs/security/SECRETS_REFERENCE.md"
],
"priority": "P0",
"required_gate": "secret_metadata_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"secret_name_parity",
"metadata_only_check",
"no_secret_value_check",
"rotation_owner",
"injection_readback_if_deployed"
]
},
{
"category_id": "gitea_workflow_runner_source_control",
"control_tier": "C0",
"label": "Gitea workflow / runner / deploy key / webhook / branch protection",
"path_patterns": [
".gitea/workflows/**",
".github/workflows/**",
"ops/runner/**",
"scripts/setup-runner*.sh",
"scripts/**/*runner*",
"docs/security/SOURCE-CONTROL-*",
"docs/security/GITEA-*",
"docs/security/GITHUB-*"
],
"priority": "P0",
"required_gate": "workflow_source_control_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"workflow_diff",
"runner_label_owner",
"deploy_key_metadata_only",
"webhook_metadata_only",
"branch_protection_metadata",
"no_token_value_check"
]
},
{
"category_id": "public_admin_api_runtime_config",
"control_tier": "C0",
"label": "Public / admin / API / frontend runtime config",
"path_patterns": [
"apps/web/next.config.*",
"apps/web/src/lib/config.*",
"apps/api/src/core/config.py",
"apps/api/src/api/v1/monitoring.py",
"apps/api/src/middleware/**",
"apps/web/src/middleware.*"
],
"priority": "P0",
"required_gate": "public_runtime_config_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"public_url_check",
"frontend_internal_ip_ban",
"cors_boundary_check",
"admin_auth_boundary_check",
"desktop_mobile_smoke_if_frontend"
]
},
{
"category_id": "backup_restore_credential",
"control_tier": "C0",
"label": "Backup / restore / escrow / retention",
"path_patterns": [
"scripts/backup/**",
"k8s/velero/**",
"docs/runbooks/disaster-recovery/**",
"docs/runbooks/**/*RESTORE*.md",
"docs/runbooks/**/*BACKUP*.md"
],
"priority": "P0",
"required_gate": "backup_restore_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"credential_absence_check",
"restore_drill_gate",
"retention_policy",
"escrow_owner",
"rollback_ref"
]
},
{
"category_id": "agent_bounty_protocol_runtime",
"control_tier": "C0",
"label": "agent-bounty-protocol runtime / MCP / A2A / treasury boundary",
"path_patterns": [
"docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json",
"docs/schemas/agent_bounty_iwooos_onboarding_handoff_v1.schema.json",
"agent-bounty-protocol/**"
],
"priority": "P0",
"required_gate": "agent_bounty_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"repo_owner_scope",
"runtime_gate_false",
"no_payout_or_treasury_execution",
"no_mcp_a2a_runtime_execution",
"redacted_evidence_refs_only"
]
},
{
"category_id": "monitoring_alerting_observability",
"control_tier": "C1",
"label": "Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse",
"path_patterns": [
"ops/monitoring/**",
"ops/alertmanager/**",
"ops/grafana/**",
"ops/signoz/**",
"ops/sentry-self-hosted/**",
"infra/langfuse/**",
"k8s/monitoring/**"
],
"priority": "P1",
"required_gate": "monitoring_observability_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"rule_diff",
"receiver_diff",
"reload_gate",
"failure_notification_policy",
"public_route_smoke_if_affected"
]
},
{
"category_id": "docker_compose_systemd_host_config",
"control_tier": "C1",
"label": "Docker Compose / systemd / host service config",
"path_patterns": [
"docker-compose*.yml",
"docker-compose*.yaml",
"ops/**/docker-compose*.yml",
"ops/**/docker-compose*.yaml",
"scripts/reboot-recovery/**",
"scripts/**/*.service",
"ops/**/*.service"
],
"priority": "P1",
"required_gate": "host_service_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"port_conflict_check",
"volume_diff",
"env_name_diff",
"restart_window",
"rollback_owner"
]
},
{
"category_id": "ssh_firewall_network_access",
"control_tier": "C1",
"label": "SSH / sudoers / known_hosts / firewall / WireGuard / NodePort",
"path_patterns": [
"infra/ansible/inventory/**",
"infra/ansible/**/*known_hosts*",
"infra/ansible/**/*ssh*",
"scripts/**/*ssh*",
"scripts/**/*known_hosts*",
"ops/**/*wireguard*",
"ops/**/*firewall*",
"k8s/**/*network*",
"k8s/**/*Network*"
],
"priority": "P1",
"required_gate": "network_access_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"target_whitelist",
"host_key_policy",
"ingress_egress_matrix",
"rollback_owner",
"maintenance_window"
]
},
{
"category_id": "ai_provider_model_routing",
"control_tier": "C1",
"label": "AI provider / model routing / Ollama proxy / cost and privacy",
"path_patterns": [
"apps/api/src/services/ai_providers/**",
"apps/api/src/services/**/*model*",
"apps/api/src/services/**/*provider*",
"infra/ansible/roles/nginx/templates/110-ollama-proxy.conf.j2",
"docs/ai/**",
"docs/**/*Ollama*"
],
"priority": "P1",
"required_gate": "ai_provider_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"dry_run",
"benchmark",
"cost_review",
"privacy_review",
"fallback_order_check"
]
},
{
"category_id": "product_surface_runtime_routes",
"control_tier": "C2",
"label": "AWOOOI / AwoooP / IwoooS / VibeWork / other product runtime routes",
"path_patterns": [
"apps/web/src/app/**",
"apps/web/messages/*.json",
"docs/security/VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/vibework-iwooos-onboarding-handoff.snapshot.json"
],
"priority": "P2",
"required_gate": "product_surface_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"product_boundary_check",
"i18n_traditional_chinese_check",
"no_internal_transcript_check",
"desktop_mobile_smoke_if_frontend"
]
},
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"path_patterns": [
"docs/security/**",
"docs/schemas/**",
"scripts/security/**",
"docs/LOGBOOK.md"
],
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
]
}
],
"execution_boundaries": {
"action_buttons_allowed": false,
"host_write_authorized": false,
"request_sent": false,
"response_accepted": false,
"response_received": false,
"runtime_execution_authorized": false,
"secret_value_collected": false
},
"generated_at": "2026-06-14T17:21:00+08:00",
"git_commit": "3db8d53d",
"next_steps": [
"若 packet_count > 0，將 packet 交給 owner 補 canonical 欄位;不得把草案視為已送件。",
"若 owner 回覆含 secret 或執行要求,先 quarantine 或 reject_execution_request。",
"只有 reviewer checklist 完成後才可進 accepted，accepted 仍不開 runtime gate。"
],
"packets": [
{
"affected_files": [
"scripts/ops/188-registry-certbot-fix.sh",
"scripts/ops/fix-188-registry-certbot-renewal.sh"
],
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"blocked_requests": [
"repo_create",
"visibility_change",
"refs_sync",
"refs_delete",
"force_push",
"workflow_modify",
"runner_enable",
"secret_value_submit",
"ssh_host_modify",
"nginx_reload",
"dns_tls_modify",
"argocd_sync",
"kubectl_apply",
"active_scan",
"agent_bounty_runtime_execute",
"payout_or_withdrawal"
],
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"false_flags": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"dns_tls_change_authorized": false,
"force_push_authorized": false,
"host_write_authorized": false,
"nginx_reload_authorized": false,
"refs_sync_authorized": false,
"request_sent": false,
"response_accepted": false,
"response_received": false,
"runner_change_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"workflow_modification_authorized": false
},
"field_templates": [
{
"field": "owner_role_or_team",
"instruction": "填角色或團隊，不填私人帳號、密碼、token 或私人聯絡資訊。",
"required": true
},
{
"field": "decision",
"instruction": "只能填 confirm、defer、reject、request_more_evidence，不得附帶 runtime 執行批准。",
"required": true
},
{
"field": "decision_reason",
"instruction": "填脫敏短理由;不可貼 raw log、raw API body、未脫敏截圖或內部對話。",
"required": true
},
{
"field": "affected_scope",
"instruction": "填受影響 repo、host、domain、namespace、route、service、secret name 或產品邊界。",
"required": true
},
{
"field": "redacted_evidence_refs",
"instruction": "只填文件路徑、snapshot id、ticket id、commit、hash 或脫敏 metadata pointer。",
"required": true
},
{
"field": "followup_owner",
"instruction": "填後續補證、審查或決策負責角色 / 團隊。",
"required": true
},
{
"field": "rollback_owner",
"instruction": "填回滾負責角色 / 團隊;不是直接執行授權。",
"required": true
},
{
"field": "maintenance_window",
"instruction": "填維護窗口或明確寫 deferred / not scheduled，不得用口頭同意代替。",
"required": true
},
{
"field": "validation_plan",
"instruction": "填 preflight、post-check、rollback check，若只讀文件變更寫 guard / json / doc secret sanity。",
"required": true
}
],
"label": "DNS / TLS / certbot / certificate path",
"outcome_lanes": [
"keep_waiting_owner_response",
"request_more_evidence",
"quarantine_sensitive_payload",
"reject_execution_request",
"ready_for_reviewer_validation"
],
"packet_id": "high_value_config_owner_packet:dns_tls_certbot",
"priority": "P0",
"redaction_rules": [
"只收 redacted evidence refs，不收 secret value。",
"疑似 token、cookie、authorization header、private key、runner token 或 webhook secret 一律 quarantine。",
"內部工作視窗對話、抱怨、口頭同意不得進產品文案或 LOGBOOK raw text。"
],
"required_gate": "domain_tls_owner_response_required",
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
],
"reviewer_checklist": [
"canonical owner fields 全部存在。",
"decision 只使用允許值。",
"affected scope 可映射到 repo / host / domain / route / service / secret name。",
"redacted evidence refs 不含 raw payload。",
"沒有夾帶執行要求。",
"C0 / C1 若要進 runtime，需獨立人工批准與維護窗口。"
],
"status": "draft_waiting_owner_response"
},
{
"affected_files": [
"k8s/nginx/awoooi-prod.conf"
],
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"blocked_requests": [
"repo_create",
"visibility_change",
"refs_sync",
"refs_delete",
"force_push",
"workflow_modify",
"runner_enable",
"secret_value_submit",
"ssh_host_modify",
"nginx_reload",
"dns_tls_modify",
"argocd_sync",
"kubectl_apply",
"active_scan",
"agent_bounty_runtime_execute",
"payout_or_withdrawal"
],
"category_id": "nginx_public_gateway",
"control_tier": "C0",
"false_flags": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"dns_tls_change_authorized": false,
"force_push_authorized": false,
"host_write_authorized": false,
"nginx_reload_authorized": false,
"refs_sync_authorized": false,
"request_sent": false,
"response_accepted": false,
"response_received": false,
"runner_change_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"workflow_modification_authorized": false
},
"field_templates": [
{
"field": "owner_role_or_team",
"instruction": "填角色或團隊，不填私人帳號、密碼、token 或私人聯絡資訊。",
"required": true
},
{
"field": "decision",
"instruction": "只能填 confirm、defer、reject、request_more_evidence，不得附帶 runtime 執行批准。",
"required": true
},
{
"field": "decision_reason",
"instruction": "填脫敏短理由;不可貼 raw log、raw API body、未脫敏截圖或內部對話。",
"required": true
},
{
"field": "affected_scope",
"instruction": "填受影響 repo、host、domain、namespace、route、service、secret name 或產品邊界。",
"required": true
},
{
"field": "redacted_evidence_refs",
"instruction": "只填文件路徑、snapshot id、ticket id、commit、hash 或脫敏 metadata pointer。",
"required": true
},
{
"field": "followup_owner",
"instruction": "填後續補證、審查或決策負責角色 / 團隊。",
"required": true
},
{
"field": "rollback_owner",
"instruction": "填回滾負責角色 / 團隊;不是直接執行授權。",
"required": true
},
{
"field": "maintenance_window",
"instruction": "填維護窗口或明確寫 deferred / not scheduled，不得用口頭同意代替。",
"required": true
},
{
"field": "validation_plan",
"instruction": "填 preflight、post-check、rollback check，若只讀文件變更寫 guard / json / doc secret sanity。",
"required": true
}
],
"label": "Nginx / reverse proxy / public route",
"outcome_lanes": [
"keep_waiting_owner_response",
"request_more_evidence",
"quarantine_sensitive_payload",
"reject_execution_request",
"ready_for_reviewer_validation"
],
"packet_id": "high_value_config_owner_packet:nginx_public_gateway",
"priority": "P0",
"redaction_rules": [
"只收 redacted evidence refs，不收 secret value。",
"疑似 token、cookie、authorization header、private key、runner token 或 webhook secret 一律 quarantine。",
"內部工作視窗對話、抱怨、口頭同意不得進產品文案或 LOGBOOK raw text。"
],
"required_gate": "public_gateway_owner_response_required",
"required_validation": [
"rendered_diff",
"nginx_t",
"affected_route_smoke",
"admin_route_smoke_if_affected",
"acme_path_smoke_if_affected",
"rollback_ref"
],
"reviewer_checklist": [
"canonical owner fields 全部存在。",
"decision 只使用允許值。",
"affected scope 可映射到 repo / host / domain / route / service / secret name。",
"redacted evidence refs 不含 raw payload。",
"沒有夾帶執行要求。",
"C0 / C1 若要進 runtime，需獨立人工批准與維護窗口。"
],
"status": "draft_waiting_owner_response"
},
{
"affected_files": [
"docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md",
"docs/security/high-value-config-change-gate.snapshot.json",
"scripts/security/high-value-config-change-gate.py"
],
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"blocked_requests": [
"repo_create",
"visibility_change",
"refs_sync",
"refs_delete",
"force_push",
"workflow_modify",
"runner_enable",
"secret_value_submit",
"ssh_host_modify",
"nginx_reload",
"dns_tls_modify",
"argocd_sync",
"kubectl_apply",
"active_scan",
"agent_bounty_runtime_execute",
"payout_or_withdrawal"
],
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"false_flags": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"dns_tls_change_authorized": false,
"force_push_authorized": false,
"host_write_authorized": false,
"nginx_reload_authorized": false,
"refs_sync_authorized": false,
"request_sent": false,
"response_accepted": false,
"response_received": false,
"runner_change_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"workflow_modification_authorized": false
},
"field_templates": [
{
"field": "owner_role_or_team",
"instruction": "填角色或團隊，不填私人帳號、密碼、token 或私人聯絡資訊。",
"required": true
},
{
"field": "decision",
"instruction": "只能填 confirm、defer、reject、request_more_evidence，不得附帶 runtime 執行批准。",
"required": true
},
{
"field": "decision_reason",
"instruction": "填脫敏短理由;不可貼 raw log、raw API body、未脫敏截圖或內部對話。",
"required": true
},
{
"field": "affected_scope",
"instruction": "填受影響 repo、host、domain、namespace、route、service、secret name 或產品邊界。",
"required": true
},
{
"field": "redacted_evidence_refs",
"instruction": "只填文件路徑、snapshot id、ticket id、commit、hash 或脫敏 metadata pointer。",
"required": true
},
{
"field": "followup_owner",
"instruction": "填後續補證、審查或決策負責角色 / 團隊。",
"required": true
},
{
"field": "rollback_owner",
"instruction": "填回滾負責角色 / 團隊;不是直接執行授權。",
"required": true
},
{
"field": "maintenance_window",
"instruction": "填維護窗口或明確寫 deferred / not scheduled，不得用口頭同意代替。",
"required": true
},
{
"field": "validation_plan",
"instruction": "填 preflight、post-check、rollback check，若只讀文件變更寫 guard / json / doc secret sanity。",
"required": true
}
],
"label": "Security evidence / snapshot / guard tooling",
"outcome_lanes": [
"keep_waiting_owner_response",
"request_more_evidence",
"quarantine_sensitive_payload",
"reject_execution_request",
"ready_for_reviewer_validation"
],
"packet_id": "high_value_config_owner_packet:security_evidence_tooling",
"priority": "P3",
"redaction_rules": [
"只收 redacted evidence refs，不收 secret value。",
"疑似 token、cookie、authorization header、private key、runner token 或 webhook secret 一律 quarantine。",
"內部工作視窗對話、抱怨、口頭同意不得進產品文案或 LOGBOOK raw text。"
],
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
],
"reviewer_checklist": [
"canonical owner fields 全部存在。",
"decision 只使用允許值。",
"affected scope 可映射到 repo / host / domain / route / service / secret name。",
"redacted evidence refs 不含 raw payload。",
"沒有夾帶執行要求。",
"C0 / C1 若要進 runtime，需獨立人工批准與維護窗口。"
],
"status": "draft_waiting_owner_response"
}
],
"schema_version": "high_value_config_owner_packet_v1",
"source_gate_schema_version": "high_value_config_change_gate_v1",
"source_gate_summary": {
"changed_file_count": 6,
"impacted_c0_category_count": 2,
"impacted_c1_category_count": 0,
"impacted_category_count": 3,
"matched_high_value_file_count": 6,
"owner_evidence_complete": false,
"owner_evidence_provided": false,
"runtime_execution_authorized": false,
"strongest_priority": "P0",
"strongest_tier": "C0"
},
"status": "draft_waiting_owner_response",
"summary": {
"accepted_response_count": 0,
"c0_packet_count": 2,
"c1_packet_count": 0,
"packet_count": 3,
"received_response_count": 0,
"request_sent_count": 0,
"runtime_gate_count": 0
},
"universal_owner_response_template": {
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"false_flags": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"dns_tls_change_authorized": false,
"force_push_authorized": false,
"host_write_authorized": false,
"nginx_reload_authorized": false,
"refs_sync_authorized": false,
"request_sent": false,
"response_accepted": false,
"response_received": false,
"runner_change_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"workflow_modification_authorized": false
},
"field_templates": [
{
"field": "owner_role_or_team",
"instruction": "填角色或團隊，不填私人帳號、密碼、token 或私人聯絡資訊。",
"required": true
},
{
"field": "decision",
"instruction": "只能填 confirm、defer、reject、request_more_evidence，不得附帶 runtime 執行批准。",
"required": true
},
{
"field": "decision_reason",
"instruction": "填脫敏短理由;不可貼 raw log、raw API body、未脫敏截圖或內部對話。",
"required": true
},
{
"field": "affected_scope",
"instruction": "填受影響 repo、host、domain、namespace、route、service、secret name 或產品邊界。",
"required": true
},
{
"field": "redacted_evidence_refs",
"instruction": "只填文件路徑、snapshot id、ticket id、commit、hash 或脫敏 metadata pointer。",
"required": true
},
{
"field": "followup_owner",
"instruction": "填後續補證、審查或決策負責角色 / 團隊。",
"required": true
},
{
"field": "rollback_owner",
"instruction": "填回滾負責角色 / 團隊;不是直接執行授權。",
"required": true
},
{
"field": "maintenance_window",
"instruction": "填維護窗口或明確寫 deferred / not scheduled，不得用口頭同意代替。",
"required": true
},
{
"field": "validation_plan",
"instruction": "填 preflight、post-check、rollback check，若只讀文件變更寫 guard / json / doc secret sanity。",
"required": true
}
]
}
}