awoooi/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md
Commit 58e760fae2: feat(security): extend S4.10 target owner response (2026-06-11 20:30:41 +08:00)

# AwoooP Mirror-Only Consumption Checklist

| Item | Content |
|---|---|
| Date | 2026-06-04 |
| Status | IwoooS / AwoooP read-only sync, active checklist |
| Scope | Kali / Code Review / Codex / Gitea / GitHub security supply-chain events |
| Low-friction policy | docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md |
| Contract manifest | docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md |
| Principle | Low-friction, staged rollout: in the initial phase AwoooP only mirrors, applies read-only policy and creates the approval candidates that are strictly necessary; it never executes directly |

## 0. Core conclusion

AwoooP may consume the events produced by the Security Supply Chain Session, but in the initial phase it may do only three things:

  1. Mirror them into Runtime State / Channel Event / Audit evidence.
  2. Compute read-only policy recommendations, i.e. observe, warn or approve_required.
  3. Create approval candidates and wait for human approval.

In the initial phase AwoooP must not start scans directly, must not call the Codex patch runner, must not switch the GitHub primary and must not modify the production runtime.

Nor may every observation become a blocking condition in the initial phase. Items that are LOW / MEDIUM and involve no irreversible change start as observe / warn so that evidence accumulates: a missing owner response, a partial mirror, source-control drift, a Kali observe-only finding, a workflow / secret name gap or a held headline progress figure may only create a follow-up or an owner review, never be promoted straight to a runtime blocker. Only high-risk actions such as repo creation, visibility change, refs sync, secret, RBAC, NetworkPolicy, firewall, deploy and primary switch enter approval.

### 0.1 IwoooS sync rules, 2026-06-04

When an AwoooP Session consumes IwoooS state it must respect the following boundaries:

| Item | Rule |
|---|---|
| commits / runs sync | Code commits, deploy markers, LOGBOOK commits and Gitea CD / code-review runs; if gitea/main has advanced again, re-read the latest delta first |
| production sanity sync | /zh-TW/iwooos desktop / mobile, horizontal overflow, expandable blocks, candidate cards and the S4.9 gate result |
| S4.9 owner response | Show only the next collection focus; owner responses received / accepted stay at 0 until a qualifying reply passes preflight and the human reviewer checklist |
| Code Review candidates | May be classified as front-end experience, test gap, documentation sync or low-risk refactor; must not be turned into Codex coding before human approval, and must not be pushed to production automatically |
| AwoooP approval | Expresses only an AwoooP process candidate or a human boundary; it is neither a security approval nor a runtime gate |
| production UI | UI visibility counts only as evidence, never as execution authorization |
| Git operations | No force push, no destructive git; if another Session has already updated main, sync and compare first rather than overwrite |

## 1. Events that may be consumed

| Event | Source | AwoooP target | Initial status | Required safeguard |
|---|---|---|---|---|
| security_finding_v1 | Kali / Trivy / ZAP / Semgrep / detect-secrets / kube posture | Runtime State, Channel Event, Audit | mirror-only | Never store raw secrets, cookies, tokens or exploit payloads |
| kali_integration_status_v1 | 192.168.0.112 live health / update / gap evidence | Security posture, Operator Console, Approval candidate | mirror-only | Never store SSH passwords or API keys; never start a scan or call /execute directly |
| kali_scan_scope_approval_v1 | Kali 112 scan scope, 111/168 observe-only, safe/active/credentialed/execute/full-upgrade gates | Approval queue, Operator Console, Audit | approval-only | Show scope and gates only; never start a scan or call /execute |
| security_approval_queue_v1 | Security Supply Chain central queue of pending approval / block candidates | Approval queue, Operator Console, Audit | approval-only | Show review order and blocked reason only; never execute a queue item |
| security_approval_gate_v1 | S3 human approval gate | Approval queue, Operator Console, Audit | approval-only | Record only the human decision, the approved scope and the follow-up runtime gate; never execute the gate item |
| security_approval_decision_record_v1 | S3 human decision record | Operator Console, Audit | approval-only | Store only the audit record of approve / reject / defer / request more evidence / keep blocked; never execute the decision |
| security_approval_review_packet_v1 | S3 human review packet | Approval queue, Operator Console, Audit | approval-only | Show only review lane, required reviewers, requested decision and what is still forbidden; not an approval |
| security_approval_state_transition_v1 | S3 human decision state transition | Approval queue, Operator Console, Audit | approval-only | Show only the next state after the decision; approve_scope still needs a follow-up runtime gate |
| security_followup_runtime_gate_v1 | S3 follow-up runtime gate preparation templates | Approval queue, Operator Console, Audit | approval-only | Show only minimum evidence, preflight checks and the rollback / disable requirement; no runtime gate is enabled at present |
| security_mirror_readiness_v1 | Security Supply Chain contract mirror readiness index | Operator Console, Runtime State, Channel Event, Audit | mirror-only | Show only ready / partial / contract-only; never execute a mirror item |
| security_mirror_intake_plan_v1 | AwoooP mirror-only intake waves / destinations / acceptance gates | Operator Console, Runtime State, Channel Event, Audit, Approval Queue | mirror-only | Read and display wave by wave only; never execute an intake item |
| security_mirror_event_v1 | AwoooP mirror-only event envelope | Operator Console, Runtime State, Channel Event, Audit, Approval Queue | mirror-only | Every event must carry execution_authorized=false and action_buttons_allowed=false |
| security_mirror_route_v1 | AwoooP mirror routing matrix | Operator Console, Runtime State, Channel Event, Audit, Approval Queue | mirror-only | Decides only destination, channel policy and review lane; not an execution router |
| security_mirror_acceptance_v1 | AwoooP mirror acceptance contract | Operator Console, Runtime State, Audit | mirror-only | Accepts only contract count, event envelope, route coverage, redaction and the progress estimate guard; not a runtime blocker |
| security_mirror_quarantine_v1 | AwoooP mirror quarantine contract | Operator Console, Audit | mirror-only | Only quarantines payloads that fail acceptance and shows the recovery request and retry gate; not a runtime blocker |
| security_mirror_dry_run_v1 | AwoooP mirror dry-run report contract | Operator Console, Audit | mirror-only | Reports only the intake rehearsal result, and must include the progress guard, the owner response guard and the latest local validation; must never become production ingestion |
| security_mirror_status_rollup_v1 | AwoooP mirror status rollup contract | Operator Console, Runtime State, Audit | mirror-only | Shows only stage status, the 58% headline progress, the progress display policy, the delta ledger, the next gate and the forbidden actions; must not be treated as runtime authorization |
| source_control_owner_response_validation_rollup_v1 | S4.9 / S4.10 / S4.11 / S4.12 owner response validation rollup | Operator Console, Source-control review, Audit | mirror-only | Shows only the four response packets, 24 templates, missing response lanes, owner response collection order, next collection candidate, 10 cross-packet checks, 6 evidence routing rules, 8 display sections, 7 state transition rules, 9 reviewer checklist items, 7 reviewer outcome lanes, 4 reviewer audit event templates, 5 reviewer audit display sections, 6 reviewer audit collection checks, 5 reviewer audit redaction examples, 5 reviewer audit retention rules, 6 reviewer audit retention checks, 6 reviewer audit handoff packets, 6 reviewer audit handoff checks, 6 parallel session sync checks, 6 parallel session conflict lanes, 6 parallel session recovery checks, 7 parallel session recovery outcome lanes, the quarantine rules and the latest local validation; must not be treated as an approval or a runtime gate |
| coding_task_v1 | Code Review / Codex Security / manual review | Approval candidate, Channel Event, Audit | suggest-only | Never open the patch runner or merge automatically |
| source_control_migration_event_v1 | Gitea/GitHub branch/tag/SHA diff | Supply-chain evidence, Approval candidate | mirror-only | Never trigger a deploy or switch primary |
| gitea_repo_inventory_v1 | Gitea org/user repo list or admin export | Supply-chain evidence, migration matrix | mirror-only | Shows public-only evidence, the S4.5 authenticated/admin export request, S4.6 redacted import acceptance, S4.7 owner coverage attestation, S4.9 owner response request packet, 5 template statuses, 3 audit event templates, 5 redaction examples, 8 display sections, 6 collection checks, the owner response intake packet, 6 intake preflight checks and 5 outcome lanes; never stores a token value, never deletes or disables a Gitea repo |
| local_git_remote_inventory_v1 | Remotes of locally visible Git working trees | Source-control coverage evidence, migration matrix | mirror-only | Not to be taken as the full Gitea server inventory; never modifies a remote |
| github_target_probe_v1 | Read-only probe of candidate GitHub repos | Migration target evidence | mirror-only | not_found_or_private does not confirm that the repo does not exist |
| github_target_decision_v1 | Draft GitHub target creation and visibility decision, S4.10 owner decision response request packet / intake packet | Approval candidate, Migration target evidence | mirror-only | Before approval: no repo creation, visibility change or refs sync; the S4.10 request packet only shows what is asked of the 9 targets; the template status ledger shows waiting / request ready item by item; the audit event templates only define redacted metadata with 0 emitted; the redaction examples only show acceptable redacted metadata shapes; the collection checks only keep request / received / accepted separate; the intake preflight checks only classify as acceptable, needs more evidence, quarantine or reject; responses currently 0, which is not an execution approval |
| github_target_repo_approval_package_v1 | Per-repo GitHub target approval package: S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response templates | Approval queue, Migration target evidence | mirror-only | Low friction; gates only high-risk execution; the request packet only shows what the owner must answer; a passing response only updates read-only evidence |
| source_control_approval_board_v1 | Per-repo owner / visibility / canonical / refs decision board | Approval queue, PR reviewer handoff | approval-only | Shows only the decision queue; never executes a board item |
| source_control_reconcile_plan_v1 | Draft reconcile plan for refs-blocked repos | Approval candidate, migration reviewer handoff | approval-only | Shows the draft only; until the S4.11 response passes, only wording is updated; no refs push, no primary switch |
| source_control_ref_detail_diff_v1 | Branch/tag detail diff for refs-blocked repos | Migration reviewer evidence | mirror-only | Shows the diff only; no fetch, no push, no ref deletion |
| source_control_ref_truth_classification_v1 | Refs diff source of truth and deprecated-candidate classification, S4.11 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / intake packet | Repo owner review queue, migration reviewer handoff | approval-only | Shows only the classification, 1 request packet, 5 template statuses, 3 audit event templates, 5 redaction examples, 6 collection checks, 6 intake preflight checks, 5 response templates and the human decision queue; never executes sync / delete / force push |
| source_control_primary_readiness_gate_v1 | GitHub primary readiness / parity gate | Source-control review, Operator Console, Audit | approval-only | Shows only primary blockers, parity gates and rollback ADR gaps; currently primary_ready_count=0 |
| source_control_primary_rollback_adr_v1 | Draft GitHub primary rollback ADR and validation window | Source-control review, Operator Console, Audit | approval-only | Shows only the rollback drafts for 7 repos, the owner review and the validation window; never executes a rollback or a primary switch |
| source_control_workflow_secret_name_inventory_v1 | Inventory gate for workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret names, S4.12 owner response intake packet | Source-control review, Secret hygiene audit, Operator Console | approval-only | Shows only the gaps, S4.2 local evidence, S4.3 redacted export request, S4.12 owner response request packet, 5 template statuses, 3 audit event templates, 5 redaction examples, 6 collection checks, 6 intake preflight checks and 5 response templates; currently inventory_complete_count=0; secret values must never be stored |
| local_repo_canonical_probe_v1 | Lineage comparison of local working trees | Canonical decision evidence | mirror-only | No automatic merge, no automatic repo creation, no deletion |
| git_remote_refs_probe_v1 | Read-only remote refs probe of a specified repo | Source readiness evidence | mirror-only | No fetch, no push, no automatic mirroring |
| approval_required_event_v1 | High-risk gate for the events above | Approval queue, Audit | approval-only | blocked_until_approved=true |
| security_rollout_policy_v1 | Low-friction security rollout policy | Read-only policy, Operator Console | mirror-only | observe-first in the initial phase; shows 7 non-blocking escalation lanes; no runtime enforcement |
| security_supply_chain_contract_manifest_v1 | Security Supply Chain contract index | Contract registry, Operator Console | mirror-only | Routing index only, not an execution router |

## 2. Processing AwoooP may perform

| Processing | Allowed | Notes |
|---|---|---|
| Runtime State mirror | yes | Store the redacted summary, status, risk level and evidence ref |
| Channel Event | yes | Send notifications such as security posture, migration blockers and pending approvals |
| Read-only policy | yes | Compute recommendations; never change firewall, RBAC, NetworkPolicy, secrets or deploys |
| Approval candidate | yes | Let a human review whether to approve the next step |
| Audit evidence | yes | Keep traceable events; never keep sensitive raw text |
| Operator Console display | yes | Display only in the initial phase; no high-risk execution buttons |

## 3. Actions forbidden in the initial phase

| Forbidden action | Reason |
|---|---|
| Starting a Kali scan directly | Scan intensity and scope need human approval, to avoid damaging internal services |
| Starting active DAST / credentialed scans directly | Touches authenticated state and service load; needs approval |
| Calling the Codex patch runner directly | Coding still needs the patch-only / human review gate |
| Auto merge / auto deploy | Supply-chain and production risk is too high |
| Modifying secrets / RBAC / NetworkPolicy / firewall | High-risk, irreversible or semi-irreversible changes |
| Switching the GitHub primary / Gitea mirror control | Gitea/GitHub branches, tags and main SHA are not yet aligned |
| Deleting, disabling or archiving Gitea repos | Needs a complete repo inventory and human confirmation |
| Storing raw secrets / tokens / cookies / exploit payloads | Violates the evidence redaction principle |

## 4. Event-to-processing-mode mapping

| Condition | AwoooP recommended mode | Follow-up |
|---|---|---|
| `security_finding_v1.severity` is LOW or MEDIUM and `confidence` is LOW or MEDIUM | observe / warn | Accumulate evidence only; not a runtime blocker (section 0) |
| `security_finding_v1.severity` is HIGH or CRITICAL | approve_required | |
| kali_integration_status_v1.status=partial_runtime_health_integrated | observe | Show Kali 112 health, update log, gaps and approval gates; no direct scanning |
| kali_scan_scope_approval_v1.status=draft_waiting_approval | approve_required | Show Kali 112, 111/168, core hosts and public website scope and gates; never run a scan |
| security_approval_queue_v1.status=draft | approve_required | Show the 8 queue items, review order and blocked reason; the Gitea item already requires the S4.7 owner attestation first; never execute an item |
| security_approval_gate_v1.mode=approval_gate_only | approve_required | Show the 8 gate items, approved scope and follow-up runtime gate; no automatic execution after approval |
| security_approval_decision_record_v1.mode=decision_record_only | observe | Show the human decision records; every record must carry execution_authorized=false |
| security_approval_review_packet_v1.mode=approval_review_packet_only | approve_required | Show the 8 review packets, review lane and what is still forbidden; the Gitea packet must show its 5 attestation items; never treat as approval or execution authorization |
| security_approval_state_transition_v1.mode=approval_state_transition_only | observe | Show the next state for the 5 decision options; never treat a transition as execution authorization |
| security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only | observe | Show the 8 follow-up runtime gate preparation templates and 0 active runtime gates; the Gitea template must wait for the S4.7 owner decision; no new action buttons |
| source_control_primary_readiness_gate_v1.status=draft_blocked | approve_required | Show 10 candidate repos, 9 in-scope blocked, 0 primary ready; never switch primary |
| source_control_primary_rollback_adr_v1.status=draft_waiting_owner_review | approve_required | Show 7 in-scope rollback drafts, 0 owner approved, 0 dry-run completed; never execute a rollback or a primary switch |
| source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence | approve_required | Show 10 candidate repos, S4.2 local evidence (5 repos / 33 workflows / 42 referenced secret names), S4.3 export request (9 repos / 5 lanes), 0 complete; never collect secret values or modify workflows |
| security_mirror_readiness_v1.status=draft | observe | Show readiness of the 36 contracts; never treat readiness as execution authorization |
| security_mirror_intake_plan_v1.status=draft | observe | Show 5 intake waves and 4 acceptance gates; never execute a wave |
| security_mirror_event_v1.execution_authorized=false | observe | Wrap the mirrored payload only; explicitly no execution authorization and no execution buttons |
| security_mirror_route_v1.status=draft | observe | Show 5 route groups, channel policy and review lane; never turn into an execution router |
| security_mirror_acceptance_v1.status=draft | observe | Show the 8 acceptance checks; the progress estimate guard must confirm that 58% is not an execution authorization; only mirrored data is accepted, the runtime is never blocked |
| security_mirror_quarantine_v1.status=draft | observe | Show 5 quarantine lanes, recovery request and retry gate; never retry failed payloads automatically |
| security_mirror_dry_run_v1.dry_run_status=contract_defined_not_executed | observe | Show the 8 dry-run steps and latest_local_validation.status=repo_snapshot_guard_pass; CHECK_PROGRESS_GUARD must keep asserting that 58% is not an execution authorization, and CHECK_OWNER_RESPONSE_GUARD that owner responses received / accepted are both 0; never treat as production ingestion enabled |
| security_mirror_status_rollup_v1.rollup_status=framework_ready_waiting_approval | observe | Show stages S0-S4, the 58% headline progress, the micro progress delta ledger, the approval queue summary and the next gate; no new execution action |
| source_control_owner_response_validation_rollup_v1.status=draft_waiting_owner_responses | observe | Show the four owner response packets, 4 missing response lanes, the 4-step collection order, 24 templates, 6 evidence routing rules, 8 display sections, 7 state transition rules, 9 reviewer checklist items, 7 reviewer outcome lanes, 4 reviewer audit event templates, 5 reviewer audit display sections, 6 reviewer audit collection checks, 5 reviewer audit redaction examples, 5 reviewer audit retention rules, 6 reviewer audit retention checks, 6 reviewer audit handoff packets, 6 reviewer audit handoff checks, 6 parallel session sync checks, 6 parallel session conflict lanes, 6 parallel session recovery checks, 7 parallel session recovery outcome lanes, received / accepted / rejected all 0 and latest_local_validation.result=SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK; never treat as approval or execution authorization |
| `coding_task_v1.risk` is LOW or MEDIUM | warn | |
| `coding_task_v1.risk` is HIGH or CRITICAL | approve_required | |
| source_control_migration_event_v1.status=blocked | observe | Show the blocking reason; no primary switch |
| source_control_migration_event_v1.status=verified | approve_required | The primary switch still needs human approval |
| gitea_repo_inventory_v1.status=blocked | observe | Obtain a read-only token or admin export; no sync |
| gitea_repo_inventory_v1.status=partial | observe | Treat as public-only evidence; show the S4.5 export request, S4.6 import acceptance, S4.7 owner attestation request, S4.9 owner response request packet, template status ledger, audit event templates, redaction examples, display sections, collection checks, owner response templates, intake preflight checks, outcome lanes and coverage gap; no sync |
| gitea_repo_inventory_v1.status=ok | warn | Proceed to repo mapping / branch and tag diff |
| approval_required_event_v1.requested_action=run_gitea_readonly_inventory | approve_required | Only a read-only token or a redacted admin export is allowed; never store the token value |
| local_git_remote_inventory_v1.status=partial | observe | Obtain the server-side inventory; no primary switch |
| github_target_probe_v1.status=ok with not_found_or_private present | observe | Obtain the GitHub target decision; never create repos automatically |
| github_target_decision_v1.approval_required_count>0 | approve_required | Create an approval candidate and show the S4.10 owner response request packet, template status ledger, audit event templates, redaction examples, collection checks, intake preflight checks and owner decision response templates; no repo creation, visibility change, refs sync or primary switch |
| github_target_repo_approval_package_v1.status=draft | observe | Create the approval queue draft; do not block read-only evidence; until the S4.10 response passes it is not an approval of repo / visibility / refs |
| source_control_approval_board_v1.pending_approval_count>0 | approve_required | Show the per-repo decision queue; no repo creation, visibility change or refs sync |
| source_control_reconcile_plan_v1.status=draft_blocked | approve_required | Show only the refs reconcile draft and gate; no sync |
| source_control_ref_detail_diff_v1.status=draft_blocked | observe | Show the branch/tag detail diff to support human review |
| source_control_ref_truth_classification_v1.status=draft_blocked | approve_required | Show the main/dev source of truth, drift deprecated candidates, release / UAT tag review lane, S4.11 owner response request packet, template status ledger, audit event templates, redaction examples, collection checks, intake preflight checks and templates; never execute the classification result |
| source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence | approve_required | Show S4.2 local evidence, S4.3 export request, S4.12 owner response request packet, template status ledger, audit event templates, redaction examples, collection checks, intake preflight checks and templates; no secret values collected, no workflow changes, no runner enabled |
| local_repo_canonical_probe_v1.status=unrelated | approve_required | Automatic merge forbidden; needs a human canonical decision |
| git_remote_refs_probe_v1.status=ok | observe | Usable as source evidence, but still needs a GitHub target and approval |
| security_rollout_policy_v1.enforcement_level=mirror_only | observe | Show the policy and its 7 non-blocking escalation lanes only; do not block existing flows |
| security_supply_chain_contract_manifest_v1.default_enforcement_level=mirror_only | observe | Load the contract index only; no new execution entry points |
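
The mapping above can be applied mechanically. The following Python is an added example, not AwoooP code: it transcribes a subset of the section 4 rows plus the section 0 high-risk list into a read-only evaluator, and builds the approval_required_event_v1 candidate that section 7 item 8 requires. The event dict shape, the `requested_action` field, the `HIGH_RISK_ACTIONS` names and the `RULES` table are assumptions; the real contract schemas are the snapshot files listed in section 6.

```python
"""Added example, not AwoooP code: a read-only policy evaluator that transcribes
part of the section 4 table and the section 0 high-risk list. The event dict
shape, the requested_action field, HIGH_RISK_ACTIONS and the RULES table are
assumptions; the real contract schemas are the snapshot files in section 6."""
from typing import Callable, List, Optional, Tuple

OBSERVE, WARN, APPROVE_REQUIRED = "observe", "warn", "approve_required"

# Actions the checklist names as high-risk (sections 0 and 3): always approval,
# never auto-run. Names are assumed, not taken from a contract.
HIGH_RISK_ACTIONS = frozenset({
    "repo_create", "visibility_change", "refs_sync", "secret_change", "rbac_change",
    "networkpolicy_change", "firewall_change", "deploy", "primary_switch",
    "kali_scan", "active_dast", "credentialed_scan", "codex_patch_runner",
    "auto_merge", "gitea_repo_delete", "run_gitea_readonly_inventory",
})


def _level(event: dict, key: str) -> str:
    """Normalise a severity / risk field; a missing field counts as LOW."""
    return str(event.get(key, "LOW")).upper()


# (event type, predicate, mode). First match wins; events matched by no rule
# stay observe, i.e. mirror only.
RULES: List[Tuple[str, Callable[[dict], bool], str]] = [
    ("security_finding_v1",
     lambda e: _level(e, "severity") in {"HIGH", "CRITICAL"}, APPROVE_REQUIRED),
    ("security_finding_v1", lambda e: True, OBSERVE),
    ("coding_task_v1",
     lambda e: _level(e, "risk") in {"HIGH", "CRITICAL"}, APPROVE_REQUIRED),
    ("coding_task_v1", lambda e: True, WARN),
    ("source_control_migration_event_v1",
     lambda e: e.get("status") == "verified", APPROVE_REQUIRED),
    ("gitea_repo_inventory_v1", lambda e: e.get("status") == "ok", WARN),
    ("github_target_decision_v1",
     lambda e: e.get("approval_required_count", 0) > 0, APPROVE_REQUIRED),
    ("source_control_approval_board_v1",
     lambda e: e.get("pending_approval_count", 0) > 0, APPROVE_REQUIRED),
    ("local_repo_canonical_probe_v1",
     lambda e: e.get("status") == "unrelated", APPROVE_REQUIRED),
    ("source_control_primary_readiness_gate_v1",
     lambda e: e.get("status") == "draft_blocked", APPROVE_REQUIRED),
]


def recommend_mode(event: dict) -> str:
    """Map one mirrored event to observe / warn / approve_required.
    There is deliberately no 'execute' outcome: this function only recommends."""
    if event.get("requested_action") in HIGH_RISK_ACTIONS:
        return APPROVE_REQUIRED
    kind = event.get("type", "")
    for rule_type, predicate, mode in RULES:
        if rule_type == kind and predicate(event):
            return mode
    return OBSERVE


def approval_candidate(event: dict) -> Optional[dict]:
    """Build the approval_required_event_v1 candidate for events a human must decide.
    The candidate records the request and stays blocked; even an approved decision
    still has to pass the follow-up runtime gate described in section 1."""
    if recommend_mode(event) != APPROVE_REQUIRED:
        return None
    return {
        "type": "approval_required_event_v1",
        "source_event_type": event.get("type"),
        "requested_action": event.get("requested_action", "human_review"),
        "blocked_until_approved": True,
        "execution_authorized": False,
        "action_buttons_allowed": False,
    }
```

The `requested_action` check runs before the per-type rules so that a low-severity event cannot smuggle a high-risk action past the table; unknown event types fall through to observe rather than to warn, which keeps new contracts mirror-only by default.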

## 5. Evidence redaction requirements

| Data | Retention rule |
|---|---|
| repo URL | Strip username, password and token |
| API token | Store only `token_present=true` |
| secret name | Name and owner may be stored |
| secret value | Must never be stored |
| exploit payload | Never store the raw payload; store only a redacted evidence ref |
| scan result | Store the finding summary, severity, confidence and asset key |
| host IP | May be stored for internal assets; replace with an asset key before sharing externally |
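
Redaction before mirroring, as an added example that is not the project's code: it applies the section 5 rules to one evidence record and then runs the acceptance check for a security_mirror_event_v1 envelope from section 1 (execution_authorized=false, action_buttons_allowed=false, no raw secret material). An envelope that fails is refused with its reasons, which is what the quarantine lane in section 1 consumes, rather than being patched silently. The record keys (`repo_url`, `token`, `secret_value`, `exploit_payload`, `host_ip`), the hashed `evidence_ref` form, the salted `asset_key` scheme and the decision to keep the login name of scp-style `git@host:path` remotes are all assumptions, not the contract's field names.

```python
"""Added example, not AwoooP code: redact evidence per section 5 and accept or
quarantine a security_mirror_event_v1 envelope per section 1. Record keys, the
evidence_ref form and the asset_key scheme are assumptions."""
import hashlib
import re
from typing import List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Raw values the checklist forbids storing (sections 3 and 5). Assumed key names.
FORBIDDEN_RAW_KEYS = frozenset({
    "token", "api_token", "password", "cookie", "secret_value", "exploit_payload",
})
# scp-style remote carrying a password: user:password@host:path
_SCP_PASSWORD = re.compile(r"^([^@:/]+):[^@]*@")


def has_userinfo(url: str) -> bool:
    """True if a repo URL still carries username / password / token before the host."""
    if "://" in url:
        return "@" in urlsplit(url).netloc
    return _SCP_PASSWORD.match(url) is not None


def redact_repo_url(url: str) -> str:
    """Strip userinfo from URL-form remotes. For scp-style git@host:path remotes only
    a password is stripped: the login name is part of the address (assumption)."""
    if "://" in url:
        p = urlsplit(url)
        netloc = p.hostname or ""
        if p.port:
            netloc = f"{netloc}:{p.port}"
        return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))
    return _SCP_PASSWORD.sub(r"\1@", url)


def asset_key(host_ip: str, salt: str) -> str:
    """Stable pseudonym used instead of the IP when evidence leaves the organisation.
    Salted so the small IPv4 space cannot simply be enumerated against the digest."""
    digest = hashlib.sha256(f"{salt}:{host_ip}".encode()).hexdigest()
    return "asset-" + digest[:12]


def redact_evidence(record: dict, *, external_share: bool = False,
                    asset_salt: str = "example-salt-not-for-production") -> dict:
    """Apply the section 5 rules to one evidence record and return the storable copy."""
    out: dict = {}
    for key, value in record.items():
        if key == "repo_url":
            out[key] = redact_repo_url(value)
        elif key == "exploit_payload":
            # the raw payload is never kept; a content hash is enough to correlate reports
            digest = hashlib.sha256(str(value).encode()).hexdigest()[:16]
            out["evidence_ref"] = "redacted:sha256:" + digest
        elif key in FORBIDDEN_RAW_KEYS:
            out[f"{key}_present"] = bool(value)        # e.g. token_present=true
        elif key == "host_ip" and external_share:
            out["asset_key"] = asset_key(value, asset_salt)
        else:
            out[key] = value                            # severity, secret name, owner, ...
    return out


def accept_mirror_envelope(envelope: dict) -> Tuple[bool, List[str]]:
    """Acceptance check for a security_mirror_event_v1 envelope. Every failure is a
    quarantine reason; the envelope is refused, never repaired in place."""
    problems: List[str] = []
    if envelope.get("execution_authorized") is not False:
        problems.append("execution_authorized must be false")
    if envelope.get("action_buttons_allowed") is not False:
        problems.append("action_buttons_allowed must be false")
    payload = envelope.get("payload") or {}
    leaked = sorted(FORBIDDEN_RAW_KEYS.intersection(payload))
    if leaked:
        problems.append("raw secret material present: " + ", ".join(leaked))
    if has_userinfo(str(payload.get("repo_url", ""))):
        problems.append("repo_url still carries userinfo")
    return (not problems, problems)
```

Note that `execution_authorized` is compared with `is not False`: a missing field or the string `"false"` is treated as a failure, so an envelope has to state the flag explicitly to be accepted.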

## 6. Files that can be mirrored now

| Type | File |
|---|---|
| Source control event snapshot | docs/security/gitea-github-awoooi-inventory.snapshot.json |
| Source control event, human-readable | docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md |
| clawbot-v5 source control snapshot | docs/security/source-control-clawbot-v5.snapshot.json / docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md |
| wooo-aiops source control snapshot | docs/security/source-control-wooo-aiops.snapshot.json / docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md |
| Gitea repo inventory snapshot | docs/security/gitea-repo-inventory.snapshot.json |
| Gitea repo inventory, human-readable | docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md |
| Gitea authenticated inventory export request | docs/security/gitea-authenticated-inventory-export-request.snapshot.json / docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md |
| Gitea authenticated inventory import acceptance | docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json / docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md |
| Gitea inventory coverage owner attestation | docs/security/gitea-inventory-coverage-attestation.snapshot.json / docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md |
| Gitea inventory owner attestation response intake packet | docs/security/gitea-inventory-owner-attestation-response.snapshot.json / docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md |
| Gitea org endpoint blocked snapshot | docs/security/gitea-org-repo-inventory-blocked.snapshot.json / docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md |
| Gitea server-side inventory runbook | docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md |
| Gitea read-only inventory approval package | docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md |
| Gitea read-only inventory approval snapshot | docs/security/gitea-readonly-inventory-approval.snapshot.json |
| Gitea admin export redaction checklist | docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md |
| Gitea public repo search snapshot | docs/security/gitea-public-repo-search.snapshot.json / docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md |
| Local Git remote inventory snapshot | docs/security/local-git-remote-inventory.snapshot.json |
| Local Git remote inventory, human-readable | docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md |
| Source Control migration matrix | docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md |
| Source Control canonical repo decision table | docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md |
| GitHub target probe snapshot | docs/security/github-target-probe.snapshot.json / docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md |
| GitHub target decision snapshot | docs/security/github-target-decision.snapshot.json / docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md |
| GitHub target owner decision response intake packet | docs/security/github-target-owner-decision-response.snapshot.json / docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md |
| GitHub target repo approval package | docs/security/github-target-repo-approval-package.snapshot.json / docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md |
| Source Control approval board | docs/security/source-control-approval-board.snapshot.json / docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md |
| Source Control draft reconcile plan | docs/security/source-control-reconcile-plan.snapshot.json / docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md |
| Source Control branch/tag detail diff | docs/security/source-control-ref-detail-diff.snapshot.json / docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md |
| Source Control ref truth classification | docs/security/source-control-ref-truth-classification.snapshot.json / docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md |
| Source Control ref truth owner response intake packet | docs/security/source-control-ref-truth-owner-response.snapshot.json / docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md |
| Source Control GitHub primary readiness gate | docs/security/source-control-primary-readiness-gate.snapshot.json / docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md |
| Source Control GitHub primary rollback ADR | docs/security/source-control-primary-rollback-adr.snapshot.json / docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md |
| Source Control workflow / secret name inventory | docs/security/source-control-workflow-secret-name-inventory.snapshot.json / docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md |
| Source Control workflow / secret name local evidence | docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json / docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md |
| Source Control workflow / secret name export request | docs/security/source-control-workflow-secret-name-export-request.snapshot.json / docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md |
| Source Control workflow / secret name owner response intake packet | docs/security/source-control-workflow-secret-name-owner-response.snapshot.json / docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md |
| Kali 112 integration status | docs/security/kali-integration-status.snapshot.json / docs/security/KALI-INTEGRATION-STATUS.md |
| Security finding contract | docs/security/security-finding-kali-sample.snapshot.json / docs/security/SECURITY-FINDING-CONTRACT.md |
| Kali scan scope approval package | docs/security/kali-scan-scope-approval.snapshot.json / docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md |
| Security approval queue | docs/security/security-approval-queue.snapshot.json / docs/security/SECURITY-APPROVAL-QUEUE.md |
| Security approval gate | docs/security/security-approval-gate.snapshot.json / docs/security/SECURITY-APPROVAL-GATE.md |
| Security approval decision record | docs/security/security-approval-decision-record.snapshot.json / docs/security/SECURITY-APPROVAL-DECISION-RECORD.md |
| Security approval review packet | docs/security/security-approval-review-packet.snapshot.json / docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md |
| Security approval state transition | docs/security/security-approval-state-transition.snapshot.json / docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md |
| Security follow-up runtime gate preparation | docs/security/security-followup-runtime-gate.snapshot.json / docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md |
| Security mirror readiness | docs/security/security-mirror-readiness.snapshot.json / docs/security/SECURITY-MIRROR-READINESS.md |
| Security mirror intake plan | docs/security/security-mirror-intake-plan.snapshot.json / docs/security/SECURITY-MIRROR-INTAKE-PLAN.md |
| Security mirror event contract | docs/security/security-mirror-event-sample.snapshot.json / docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md |
| Security mirror route matrix | docs/security/security-mirror-route.snapshot.json / docs/security/SECURITY-MIRROR-ROUTE.md |
| Security mirror acceptance contract | docs/security/security-mirror-acceptance.snapshot.json / docs/security/SECURITY-MIRROR-ACCEPTANCE.md |
| Security mirror quarantine contract | docs/security/security-mirror-quarantine.snapshot.json / docs/security/SECURITY-MIRROR-QUARANTINE.md |
| Security mirror dry-run report contract | docs/security/security-mirror-dry-run.snapshot.json / docs/security/SECURITY-MIRROR-DRY-RUN.md |
| Security mirror status rollup contract | docs/security/security-mirror-status-rollup.snapshot.json / docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md |
| Source Control owner response validation rollup | docs/security/source-control-owner-response-validation-rollup.snapshot.json / docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md |
| Local repo canonical lineage snapshot | docs/security/local-repo-canonical-ewoooc-momo.snapshot.json / docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md |
| Internal 110 refs snapshot | docs/security/git-remote-refs-bitan-tsenyang.snapshot.json / docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md |
| wooo-infra-config refs snapshot | docs/security/git-remote-refs-wooo-infra-config.snapshot.json / docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md |
| Gitea/GitHub migration inventory | docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md |
| AwoooP handoff | docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md |
| Low-friction security rollout policy | docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md / docs/security/security-rollout-policy.snapshot.json |
| Security Supply Chain contract manifest | docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md / docs/security/security-supply-chain-contract-manifest.snapshot.json |

## 7. Next steps

  1. The AwoooP main line treats this checklist as its contract consumption checklist.
  2. The Security Supply Chain Session obtains the read-only token or admin export source needed for the full Gitea repo inventory.
  3. AwoooP first mirrors the S4.13 owner response validation rollup, displaying in one place the S4.9 / S4.10 / S4.11 / S4.12 response packets, 6 evidence routing rules, 8 display sections, 7 state transition rules, 9 reviewer checklist items, 7 reviewer outcome lanes, 4 reviewer audit event templates, 5 reviewer audit display sections, 6 reviewer audit collection checks, 5 reviewer audit redaction examples, 5 reviewer audit retention rules, 6 reviewer audit retention checks, 6 reviewer audit handoff packets, 6 reviewer audit handoff checks, 6 parallel session sync checks, 6 parallel session conflict lanes, 6 parallel session recovery checks and 7 parallel session recovery outcome lanes. None of these items (the rollup, routing rules, display sections, transition rules, reviewer checklist and outcome lanes, reviewer audit templates, sections, checks, redaction examples, retention rules and checks, handoff packets and checks, or the parallel session sync, conflict and recovery items) may be treated as approval, production ingestion or execution authorization.
  4. The Security Supply Chain Session receives and accepts the 9 GitHub target owner / visibility / canonical responses according to the S4.10 request packet, template status ledger, audit event templates, redaction examples, collection checks and intake preflight checks.
  5. The Security Supply Chain Session receives and accepts the 5 refs truth owner response templates according to the S4.11 request packet, template status ledger, audit event templates, redaction examples, collection checks and intake preflight checks; the audit event templates currently have 0 emitted; the redaction examples only demonstrate safe metadata shapes; the collection checks only keep request / received / accepted separate; preflight only classifies as reviewable, needs more evidence, quarantine, reject or wait; a passing response only updates read-only classification / reconcile / readiness wording.
  6. The Security Supply Chain Session receives and accepts the 5 workflow / secret name owner response templates according to the S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks; the request packet only tells the owner what to answer; the template status ledger only shows waiting item by item; the audit event templates only define redacted metadata with 0 emitted; the redaction examples only demonstrate safe metadata shapes; a passing response only updates read-only inventory / export request / readiness wording.
  7. AwoooP only creates mirror / read-only policy entry points; no new execution actions.
  8. Whichever side wants to escalate an event to actual execution must first produce an approval_required_event_v1 and keep blocked_until_approved=true in security_approval_queue_v1 until the human decision is complete.