{
"schema_version": "source_control_workflow_secret_name_inventory_v1",
"status": "draft_missing_evidence",
"date": "2026-06-11",
"mode": "inventory_contract_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"docs/security/github-target-decision.snapshot.json",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"candidate_repo_count": 10,
"in_scope_repo_count": 9,
"external_scope_count": 1,
"inventory_complete_count": 0,
"missing_inventory_count": 9,
"owner_response_template_count": 5,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"secret_value_collection_allowed": false,
"runtime_actions_authorized": false,
"action_buttons_allowed": false
},
"owner_response_packet": {
"schema_version": "source_control_workflow_secret_name_owner_response_v1",
"snapshot_path": "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"human_doc": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"execution_authorized": false
},
"inventory_lanes": [
{
"lane_id": "workflow_file_inventory",
"title": "workflow 名稱與觸發條件 inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"workflow_file_path",
"workflow_display_name",
"trigger_names",
"runner_label_names",
"environment_names",
"referenced_secret_names"
],
"forbidden_fields": [
"secret_value",
"token_value",
"private_key",
"webhook_secret",
"deploy_key_private_material"
],
"required_before_primary": [
"列出 Gitea/GitHub workflow 名稱與觸發條件差異",
"確認 self-hosted runner label 是否一致",
"確認 deployment marker / production deploy workflow 真相來源"
],
"execution_authorized": false
},
{
"lane_id": "webhook_inventory",
"title": "webhook 名稱、目的地與事件類型 inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"webhook_name",
"destination_host_redacted",
"event_types",
"active_enabled_flag",
"owner"
],
"forbidden_fields": [
"webhook_secret",
"full_payload_url_with_token",
"authorization_header",
"cookie"
],
"required_before_primary": [
"列出 Gitea/GitHub webhook 目的地與事件類型差異",
"確認 primary cutover 後哪一端發 webhook",
"確認不重複觸發 deploy 或 notification"
],
"execution_authorized": false
},
{
"lane_id": "runner_inventory",
"title": "runner label 與 executor inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"runner_label",
"runner_scope",
"executor_type",
"host_alias",
"owner"
],
"forbidden_fields": [
"runner_registration_token",
"ssh_private_key",
"host_password",
"api_token"
],
"required_before_primary": [
"確認 GitHub primary 後使用 self-hosted runner,不消耗 GitHub hosted 額度",
"確認 runner label 與 workflow expectations 一致",
"確認 runner owner 與維護窗口"
],
"execution_authorized": false
},
{
"lane_id": "deploy_key_inventory",
"title": "deploy key / machine key 名稱 inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"key_name",
"read_only_flag",
"repo_scope",
"owner",
"last_seen_metadata"
],
"forbidden_fields": [
"private_key",
"public_key_full_value_if_sensitive",
"token_value",
"password"
],
"required_before_primary": [
"確認 deploy key 是否 read-only",
"確認 key owner 與 repo scope",
"確認 primary cutover 不需要搬移 private key value"
],
"execution_authorized": false
},
{
"lane_id": "branch_protection_codeowners_inventory",
"title": "branch protection / CODEOWNERS inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"protected_branch_name",
"required_review_count",
"required_status_check_names",
"codeowners_path",
"owner_team_names"
],
"forbidden_fields": [
"team_secret",
"personal_access_token",
"admin_override_token"
],
"required_before_primary": [
"確認 main/dev branch protection 差異",
"確認 required status checks 名稱與 CI provider 對齊",
"確認 CODEOWNERS 是否存在與 owner team 是否有效"
],
"execution_authorized": false
},
{
"lane_id": "secret_name_inventory",
"title": "secret 名稱與 owner inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"secret_name",
"secret_scope",
"owning_team",
"used_by_workflow_name",
"rotation_owner"
],
"forbidden_fields": [
"secret_value",
"secret_plaintext",
"token_value",
"private_key",
"credential_value"
],
"required_before_primary": [
"只列 secret 名稱與 owner,不列 value",
"確認 Gitea/GitHub secret name parity",
"確認缺漏 secret 的 owner 與補證流程"
],
"execution_authorized": false
},
{
"lane_id": "redaction_audit_inventory",
"title": "redaction 與 audit inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"redaction_status",
"evidence_ref",
"producer",
"reviewer",
"collection_timestamp"
],
"forbidden_fields": [
"raw_secret",
"raw_token",
"raw_cookie",
"raw_private_key",
"raw_webhook_secret"
],
"required_before_primary": [
"每份 inventory snapshot 都必須標示已脫敏",
"敏感值掃描通過後才可 mirror",
"失敗 payload 必須進 quarantine,不得寫入 Runtime State"
],
"execution_authorized": false
}
],
"repo_inventory_readiness": [
{
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "HIGH",
"required_inventory": [
"workflow_file_inventory",
"webhook_inventory",
"runner_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
"production deploy workflow / deployment marker 名稱 parity 尚未完成",
"runner label 與 required status checks 尚未整理",
"secret 只能列名稱與 owner,尚無 redacted snapshot"
],
"allowed_now": [
"建立 read-only inventory request",
"顯示缺口與 owner",
"等待 redacted snapshot"
],
"still_forbidden": [
"搬移 secret value",
"修改 workflow",
"切 GitHub primary",
"停用 Gitea deploy path"
]
},
{
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "MEDIUM",
"required_inventory": [
"workflow_file_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
"workflow / secret 名稱 parity 尚未整理",
"required status checks 尚未確認"
],
"allowed_now": [
"顯示 missing evidence",
"要求 repo owner 補 redacted inventory"
],
"still_forbidden": [
"建立或修改 secrets",
"sync refs",
"切 primary"
]
},
{
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "MEDIUM",
"required_inventory": [
"workflow_file_inventory",
"webhook_inventory",
"secret_name_inventory"
],
"current_gap": [
"GitHub-only refs 與 workflow 來源尚未釐清",
"webhook / secret 名稱 parity 尚未整理"
],
"allowed_now": [
"顯示 source-control review lane",
"要求 owner 補 workflow / webhook 名稱"
],
"still_forbidden": [
"delete GitHub-only refs",
"搬 secret value",
"切 primary"
]
},
{
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "MEDIUM",
"required_inventory": [
"deploy_key_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
"infra secret 名稱 inventory 尚未完成",
"deploy key / machine key owner 尚未確認",
"110 internal remote 用途仍需 owner 決策"
],
"allowed_now": [
"只列 key / secret 名稱與 owner",
"顯示 internal remote purpose review"
],
"still_forbidden": [
"搬 infra secret value",
"輸出 private key",
"刪除 remote",
"切 primary"
]
},
{
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "HIGH",
"required_inventory": [
"workflow_file_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
"canonical repo 尚未人工確認",
"GitHub target 未授權 probe 看不到",
"workflow / secret 名稱 inventory 尚未建立"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 補 canonical 與 redacted inventory"
],
"still_forbidden": [
"auto_create_repo",
"auto_merge_unrelated_histories",
"搬 secret value",
"切 primary"
]
},
{
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "MEDIUM",
"required_inventory": [
"workflow_file_inventory",
"secret_name_inventory"
],
"current_gap": [
"GitHub target 未確認",
"repo 是否仍 active 尚未確認",
"workflow / secret 名稱 inventory 尚未建立"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 確認 active 狀態"
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"搬 secret value",
"切 primary"
]
},
{
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "MEDIUM",
"required_inventory": [
"workflow_file_inventory",
"secret_name_inventory"
],
"current_gap": [
"GitHub target 未確認",
"repo 是否仍 active 尚未確認",
"workflow / secret 名稱 inventory 尚未建立"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 確認 active 狀態"
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"搬 secret value",
"切 primary"
]
},
{
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"scope_status": "external_scope_review",
"inventory_state": "scope_review_only",
"risk": "LOW",
"required_inventory": [
"scope ownership only"
],
"current_gap": [
"尚未確認是否屬於 AWOOOI 資安供應鏈範圍"
],
"allowed_now": [
"顯示 scope review",
"維持 observe-only"
],
"still_forbidden": [
"加入 primary cutover queue",
"修改 repo visibility",
"sync refs"
]
},
{
"github_repo": "owenhytsai/VibeWork",
"source_key": "vibework",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "HIGH",
"required_inventory": [
"workflow_file_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
"本機 repo 可見但未找到 workflow / CODEOWNERS,仍需 owner 確認是否另有部署 workflow、repo secret 或外部 deploy key",
"VibeWork 必須保留獨立產品邊界,不得被 AWOOOI source-control primary 決策直接併入",
"GitHub / Gitea target、canonical source 與 secret name parity 尚未完成人工決策"
],
"allowed_now": [
"顯示 VibeWork 納管範圍與缺口",
"要求 owner 補 repo / product / surface / owner / evidence refs",
"保持只讀 evidence 與獨立產品邊界"
],
"still_forbidden": [
"auto_create_repo",
"push_refs",
"搬 secret value",
"切 primary",
"把 VibeWork 產品邊界併入 AWOOOI"
]
},
{
"github_repo": "owenhytsai/agent-bounty-protocol",
"source_key": "agent-bounty-protocol",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "HIGH",
"required_inventory": [
"workflow_file_inventory",
"runner_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
"新納入專案,本機已見 1 個 Gitea workflow、0 個 referenced secret names 與 ubuntu-latest runner label,但 owner / target / canonical 決策未完成",
"A2A / MCP / bounty / treasury / agent execution 邊界尚未建立資安 owner response",
"branch protection、CODEOWNERS 與 repository secret name parity 尚未完成只讀 export"
],
"allowed_now": [
"顯示 agent-bounty-protocol 新納管缺口",
"只讀列出 workflow 名稱、runner label 與 secret name parity 缺口",
"要求 owner 補 agent / bounty / treasury / execution surface 邊界"
],
"still_forbidden": [
"auto_create_repo",
"push_refs",
"修改 workflow",
"啟用 runner",
"搬 secret value",
"切 primary",
"把 bounty / agent 執行候選當 runtime 授權"
]
}
],
"inventory_rules": [
"本契約只定義 workflow / runner / webhook / deploy key / secret 名稱 inventory 欄位,不代表 inventory 已完成。",
"secret_name_inventory 只允許保存 secret_name、secret_scope、owning_team、used_by_workflow_name 與 rotation_owner,禁止保存 value。",
"任何 raw secret、token、cookie、private key、webhook secret 或 credential value 都必須被拒收並進 quarantine。",
"此 inventory 完成前,GitHub primary readiness gate 必須維持 blocked。",
"S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence,但 webhook、deploy key、branch protection 與 repository secret parity 仍未完成。",
"S4.3 已補 redacted export request package,將 webhook、runner、deploy key、branch protection/CODEOWNERS 與 repository secret name parity 的 owner / read-only export 欄位、拒收欄位與 acceptance gate 文件化;它仍不是 API 執行或 primary cutover 批准。",
"S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,將 5 類 export lanes 的 request 欄位、等待狀態、0 emitted 脫敏 audit metadata 模板、安全回覆範例、只讀收件檢查、response 欄位、驗收規則與拒收規則文件化;received_response_count=0、audit_events_emitted=0,仍不得收集 secret value 或修改 workflow。",
"inventory snapshot 只能 mirror 成 Operator Console / Audit evidence,不得新增 execution action。"
],
"forbidden_actions": [
"collect_secret_value",
"store_secret_token_cookie_private_key_or_exploit_payload",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"delete_git_refs",
"force_push",
"switch_github_primary",
"disable_gitea",
"modify_workflow",
"rotate_secret",
"add_action_button"
]
}