{
"schema_version": "github_target_private_backup_evidence_gate_v1",
"generated_at": "2026-06-26T09:43:15.948000+00:00",
"status": "blocked_public_visibility_and_safe_credential_evidence_required",
"mode": "read_only_private_backup_evidence_gate",
"source_reviews": {
"github_target_decision": "docs/security/github-target-decision.snapshot.json",
"github_target_owner_decision_response": "docs/security/github-target-owner-decision-response.snapshot.json",
"github_target_repo_approval_package": "docs/security/github-target-repo-approval-package.snapshot.json"
},
"summary": {
"target_decision_count": 10,
"approval_required_target_count": 9,
"approval_package_item_count": 9,
"public_probe_visible_target_count": 4,
"not_found_or_private_target_count": 5,
"private_backup_verified_count": 0,
"private_visibility_evidence_missing_count": 9,
"safe_credential_required_count": 9,
"safe_credential_accepted_evidence_count": 0,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"execution_ready_count": 0,
"blocked_target_count": 9,
"external_scope_target_count": 1,
"forbidden_action_count": 12,
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"workflow_modification_authorized": false,
"workflow_trigger_authorized": false,
"secret_value_collection_allowed": false,
"private_clone_url_collection_allowed": false,
"not_found_or_private_as_absent_allowed": false,
"public_repo_allowed": false
},
"targets": [
{
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"approval_required": true,
"probe_status": "exists",
"target_state": "exists_refs_blocked",
"risk": "HIGH",
"visibility_evidence_status": "blocked_public_probe_visible_private_evidence_required",
"private_backup_verified": false,
"private_visibility_owner_evidence_ref": null,
"safe_credential_evidence_status": "missing_safe_credential_metadata",
"safe_credential_evidence_ref": null,
"owner_response_accepted": false,
"refs_sync_ready": false,
"execution_ready": false,
"blockers": [
"github_target_publicly_readable_by_unauthenticated_probe",
"private_visibility_owner_evidence_missing",
"safe_credential_metadata_missing",
"refs_sync_not_authorized"
],
"evidence_refs": [
"docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"mirror_sync",
"switch_github_primary",
"disable_gitea",
"workflow_modification",
"workflow_trigger",
"secret_value_collection",
"private_clone_url_collection"
],
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
},
{
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"approval_required": true,
"probe_status": "exists",
"target_state": "exists_refs_blocked",
"risk": "MEDIUM",
"visibility_evidence_status": "blocked_public_probe_visible_private_evidence_required",
"private_backup_verified": false,
"private_visibility_owner_evidence_ref": null,
"safe_credential_evidence_status": "missing_safe_credential_metadata",
"safe_credential_evidence_ref": null,
"owner_response_accepted": false,
"refs_sync_ready": false,
"execution_ready": false,
"blockers": [
"github_target_publicly_readable_by_unauthenticated_probe",
"private_visibility_owner_evidence_missing",
"safe_credential_metadata_missing",
"refs_sync_not_authorized"
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"mirror_sync",
"switch_github_primary",
"disable_gitea",
"workflow_modification",
"workflow_trigger",
"secret_value_collection",
"private_clone_url_collection"
],
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
},
{
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"approval_required": true,
"probe_status": "exists",
"target_state": "exists_refs_blocked",
"risk": "MEDIUM",
"visibility_evidence_status": "blocked_public_probe_visible_private_evidence_required",
"private_backup_verified": false,
"private_visibility_owner_evidence_ref": null,
"safe_credential_evidence_status": "missing_safe_credential_metadata",
"safe_credential_evidence_ref": null,
"owner_response_accepted": false,
"refs_sync_ready": false,
"execution_ready": false,
"blockers": [
"github_target_publicly_readable_by_unauthenticated_probe",
"private_visibility_owner_evidence_missing",
"safe_credential_metadata_missing",
"refs_sync_not_authorized"
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"mirror_sync",
"switch_github_primary",
"disable_gitea",
"workflow_modification",
"workflow_trigger",
"secret_value_collection",
"private_clone_url_collection"
],
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
},
{
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"approval_required": true,
"probe_status": "exists",
"target_state": "exists_aligned",
"risk": "MEDIUM",
"visibility_evidence_status": "blocked_public_probe_visible_private_evidence_required",
"private_backup_verified": false,
"private_visibility_owner_evidence_ref": null,
"safe_credential_evidence_status": "missing_safe_credential_metadata",
"safe_credential_evidence_ref": null,
"owner_response_accepted": false,
"refs_sync_ready": false,
"execution_ready": false,
"blockers": [
"github_target_publicly_readable_by_unauthenticated_probe",
"private_visibility_owner_evidence_missing",
"safe_credential_metadata_missing",
"refs_sync_not_authorized"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"mirror_sync",
"switch_github_primary",
"disable_gitea",
"workflow_modification",
"workflow_trigger",
"secret_value_collection",
"private_clone_url_collection"
],
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
},
{
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"approval_required": true,
"probe_status": "not_found_or_private",
"target_state": "not_found_or_private",
"risk": "HIGH",
"visibility_evidence_status": "blocked_private_or_absent_not_verified",
"private_backup_verified": false,
"private_visibility_owner_evidence_ref": null,
"safe_credential_evidence_status": "missing_safe_credential_metadata",
"safe_credential_evidence_ref": null,
"owner_response_accepted": false,
"refs_sync_ready": false,
"execution_ready": false,
"blockers": [
"not_found_or_private_is_not_private_verification",
"private_visibility_owner_evidence_missing",
"safe_credential_metadata_missing",
"refs_sync_not_authorized"
],
"evidence_refs": [
"docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md",
"docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"mirror_sync",
"switch_github_primary",
"disable_gitea",
"workflow_modification",
"workflow_trigger",
"secret_value_collection",
"private_clone_url_collection"
],
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
},
{
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"approval_required": true,
"probe_status": "not_found_or_private",
"target_state": "not_found_or_private",
"risk": "MEDIUM",
"visibility_evidence_status": "blocked_private_or_absent_not_verified",
"private_backup_verified": false,
"private_visibility_owner_evidence_ref": null,
"safe_credential_evidence_status": "missing_safe_credential_metadata",
"safe_credential_evidence_ref": null,
"owner_response_accepted": false,
"refs_sync_ready": false,
"execution_ready": false,
"blockers": [
"not_found_or_private_is_not_private_verification",
"private_visibility_owner_evidence_missing",
"safe_credential_metadata_missing",
"refs_sync_not_authorized"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"mirror_sync",
"switch_github_primary",
"disable_gitea",
"workflow_modification",
"workflow_trigger",
"secret_value_collection",
"private_clone_url_collection"
],
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
},
{
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"approval_required": true,
"probe_status": "not_found_or_private",
"target_state": "not_found_or_private",
"risk": "MEDIUM",
"visibility_evidence_status": "blocked_private_or_absent_not_verified",
"private_backup_verified": false,
"private_visibility_owner_evidence_ref": null,
"safe_credential_evidence_status": "missing_safe_credential_metadata",
"safe_credential_evidence_ref": null,
"owner_response_accepted": false,
"refs_sync_ready": false,
"execution_ready": false,
"blockers": [
"not_found_or_private_is_not_private_verification",
"private_visibility_owner_evidence_missing",
"safe_credential_metadata_missing",
"refs_sync_not_authorized"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"mirror_sync",
"switch_github_primary",
"disable_gitea",
"workflow_modification",
"workflow_trigger",
"secret_value_collection",
"private_clone_url_collection"
],
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
},
{
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"approval_required": false,
"probe_status": "exists",
"target_state": "external_scope",
"risk": "LOW",
"visibility_evidence_status": "external_scope_not_backup_target",
"private_backup_verified": false,
"private_visibility_owner_evidence_ref": null,
"safe_credential_evidence_status": "not_required_external_scope",
"safe_credential_evidence_ref": null,
"owner_response_accepted": false,
"refs_sync_ready": false,
"execution_ready": false,
"blockers": [
"external_scope_review_only"
],
"evidence_refs": [
"docs/security/github-target-probe.snapshot.json"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"mirror_sync",
"switch_github_primary",
"disable_gitea",
"workflow_modification",
"workflow_trigger",
"secret_value_collection",
"private_clone_url_collection"
],
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
},
{
"github_repo": "owenhytsai/VibeWork",
"source_key": "vibework",
"approval_required": true,
"probe_status": "not_found_or_private",
"target_state": "not_found_or_private",
"risk": "HIGH",
"visibility_evidence_status": "blocked_private_or_absent_not_verified",
"private_backup_verified": false,
"private_visibility_owner_evidence_ref": null,
"safe_credential_evidence_status": "missing_safe_credential_metadata",
"safe_credential_evidence_ref": null,
"owner_response_accepted": false,
"refs_sync_ready": false,
"execution_ready": false,
"blockers": [
"not_found_or_private_is_not_private_verification",
"private_visibility_owner_evidence_missing",
"safe_credential_metadata_missing",
"refs_sync_not_authorized"
],
"evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"mirror_sync",
"switch_github_primary",
"disable_gitea",
"workflow_modification",
"workflow_trigger",
"secret_value_collection",
"private_clone_url_collection"
],
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
},
{
"github_repo": "owenhytsai/agent-bounty-protocol",
"source_key": "agent-bounty-protocol",
"approval_required": true,
"probe_status": "not_found_or_private",
"target_state": "not_found_or_private",
"risk": "HIGH",
"visibility_evidence_status": "blocked_private_or_absent_not_verified",
"private_backup_verified": false,
"private_visibility_owner_evidence_ref": null,
"safe_credential_evidence_status": "missing_safe_credential_metadata",
"safe_credential_evidence_ref": null,
"owner_response_accepted": false,
"refs_sync_ready": false,
"execution_ready": false,
"blockers": [
"not_found_or_private_is_not_private_verification",
"private_visibility_owner_evidence_missing",
"safe_credential_metadata_missing",
"refs_sync_not_authorized"
],
"evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"mirror_sync",
"switch_github_primary",
"disable_gitea",
"workflow_modification",
"workflow_trigger",
"secret_value_collection",
"private_clone_url_collection"
],
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
}
],
"acceptance_requirements": [
"每個 approval-required GitHub target 必須有 private visibility owner evidence ref。",
"公開 probe 可讀的 target 不得被視為符合私有備援要求。",
"`not_found_or_private` 只代表未經驗證(unauthenticated)的只讀 probe 看不到,不得當成 private verified 或 repo absent。",
"safe credential evidence 只允許 credential storage / owner / scope / rotation metadata,不得收 token value。",
"owner response accepted count 在 reviewer acceptance 前必須維持 0。",
"private evidence 與 safe credential evidence 完整前不得建立 repo、改 visibility、push refs 或切 GitHub primary。"
],
"rejection_rules": [
"任何 public repo 或 unauthenticated readable target 均不得標示 private_backup_verified=true。",
"任何 token、PAT、private key、cookie、session、private clone credential 或 partial secret 必須拒收。",
"任何 repo creation、visibility change、refs sync、force push、tag rewrite、workflow trigger 或 primary switch request 必須拒收。",
"任何把 `not_found_or_private` 解讀為 repo 不存在或可建立新 repo 的 response 必須拒收。"
],
"operation_boundaries": {
"read_only_api_allowed": true,
"github_api_write_allowed": false,
"gitea_api_write_allowed": false,
"repo_creation_allowed": false,
"visibility_change_allowed": false,
"refs_sync_allowed": false,
"workflow_modification_allowed": false,
"workflow_trigger_allowed": false,
"github_primary_switch_allowed": false,
"secret_value_collection_allowed": false,
"private_clone_url_collection_allowed": false
},
"authorization_flags": {
"runtime_execution_authorized": false,
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"workflow_modification_authorized": false,
"workflow_trigger_authorized": false,
"github_primary_switch_authorized": false,
"secret_values_collected": false
}
}