awoooi/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md
Your Name 58e760fae2
All checks were successful
CD Pipeline / tests (push) Successful in 1m25s
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / build-and-deploy (push) Successful in 4m2s
CD Pipeline / post-deploy-checks (push) Successful in 1m48s
feat(security): extend S4.10 target owner response
2026-06-11 20:30:41 +08:00

# GitHub Target Repo-by-repo Approval Package
| Item | Content |
|------|------|
| Date | 2026-06-11 |
| Status | Draft, awaiting human approval |
| Upstream decision | `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` |
| JSON snapshot | `docs/security/github-target-repo-approval-package.snapshot.json` |
| Schema | `docs/schemas/github_target_repo_approval_package_v1.schema.json` |
| Owner response intake package | `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` |
| Principle | Low friction, per-repo decisions; no automatic repo creation, no visibility changes, no refs sync, no primary switch |
## 0. Core conclusion
The 9 approval-required GitHub targets have been split into four approval paths:
1. Refs reconcile: `awoooi`, `clawbot-v5`, `wooo-aiops`
2. GitHub target creation / access grant: `ewoooc`, `bitan-pharmacy`, `tsenyang-website`
3. Internal remote purpose confirmation: `wooo-infra-config`
4. Newly onboarded product / agent targets: `VibeWork`, `agent-bounty-protocol`
This package only lets AwoooP / the commander see each repo's approval conditions and forbidden actions. It does not mean that push, mirror, repo creation, visibility changes or GitHub primary have been approved.
S4.10 added 1 owner response request packet, 9 template statuses, 3 audit event templates, 5 redaction examples, 6 collection checks, 6 intake preflight checks and 9 owner decision response templates. After an owner response passes, only the read-only decision table, approval package, approval board and primary readiness gate may be updated.
## 1. Repo-by-repo decision table
| GitHub target | Action | Risk | Required reviewers | Blocked until |
|---------------|--------|------|--------------------|---------------|
| `owenhytsai/awoooi` | reconcile refs after full inventory | HIGH | migration-engineer, security-commander, human-owner | Gitea server-side full repo inventory status=ok; branches/tags/workflows/webhooks/secrets name inventory complete; deployment source of truth decided; GitHub primary ADR and rollback plan complete |
| `owenhytsai/clawbot-v5` | reconcile refs after full inventory | MEDIUM | migration-engineer, human-owner | Gitea/GitHub main SHA aligned, or a source of truth designated by a human; handling of Gitea tags missing from GitHub decided |
| `owenhytsai/wooo-aiops` | reconcile refs after full inventory | MEDIUM | migration-engineer, human-owner | Gitea/GitHub main SHA aligned, or a source of truth designated by a human; origin of GitHub-only branches and tags clarified |
| `owenhytsai/wooo-infra-config` | confirm internal remote purpose | MEDIUM | migration-engineer, security-commander, human-owner | Purpose of the 110 internal remote confirmed; if the 110 remote is the old controller, it has been demoted or removed; infra secrets name inventory complete |
| `owenhytsai/ewoooc` | create or grant access after canonical approval | HIGH | migration-engineer, security-commander, human-owner | ewoooc/momo-pro-system canonical relationship confirmed by a human; server-side refs diff complete; GitHub repo owner and visibility decisions complete |
| `owenhytsai/bitan-pharmacy` | create or grant access after canonical approval | MEDIUM | migration-engineer, human-owner | Confirmed whether the repo is still active; GitHub repo owner and visibility decisions complete |
| `owenhytsai/tsenyang-website` | create or grant access after canonical approval | MEDIUM | migration-engineer, human-owner | Confirmed whether the repo is still active; GitHub repo owner and visibility decisions complete |
| `owenhytsai/VibeWork` | create or grant access after product boundary approval | HIGH | migration-engineer, security-commander, product-owner, human-owner | VibeWork product / repo / surface owner and canonical source decisions complete; confirmed whether a private GitHub target exists or a candidate repo must be created; VibeWork's independent product boundary retained and not merged directly through AWOOOI primary readiness; workflow / CODEOWNERS / deploy key / repository secret name parity owner response complete |
| `owenhytsai/agent-bounty-protocol` | create or grant access after agent runtime boundary approval | HIGH | migration-engineer, security-commander, product-owner, treasury-owner, human-owner | agent-bounty-protocol repo / deployment / external agent / treasury owner decisions complete; confirmed whether a private GitHub target exists or a candidate repo must be created; A2A / MCP / bounty / treasury / payout / withdrawal runtime gates kept at 0; branch protection / CODEOWNERS / repository secret name parity owner response complete |
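The "main SHA aligned" and "GitHub-only branches and tags" conditions in the table above are read-only checks on both remotes' ref lists. The following is an added example, not code from this repository or project: it parses two constructed `git ls-remote` outputs (the SHAs and ref names are hypothetical) and classifies every branch and tag as aligned, diverged, Gitea-only or GitHub-only, producing the input for a human-reviewed reconcile plan without pushing, syncing or deleting anything.

```python
"""Read-only refs drift report for a Gitea/GitHub repo pair (added example).

Input is the text format printed by `git ls-remote <remote>`: one line per ref,
"<sha>\t<refname>". Nothing here talks to a remote; feed it captured output.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample outputs; the SHAs and branch names are hypothetical.
GITEA_LS_REMOTE = """\
1111111111111111111111111111111111111111\tHEAD
1111111111111111111111111111111111111111\trefs/heads/main
2222222222222222222222222222222222222222\trefs/heads/feature/s4
3333333333333333333333333333333333333333\trefs/tags/v1.0.0
4444444444444444444444444444444444444444\trefs/tags/v1.0.0^{}
"""

GITHUB_LS_REMOTE = """\
1111111111111111111111111111111111111111\tHEAD
9999999999999999999999999999999999999999\trefs/heads/main
5555555555555555555555555555555555555555\trefs/heads/hotfix/gh-only
3333333333333333333333333333333333333333\trefs/tags/v1.0.0
4444444444444444444444444444444444444444\trefs/tags/v1.0.0^{}
"""


def parse_ls_remote(text: str) -> dict[str, str]:
    """Map ref name -> SHA for branches and tags only.

    HEAD and peeled tag lines (suffix "^{}") are skipped: the peeled line is the
    commit behind an annotated tag and would otherwise show up as a phantom ref.
    """
    refs: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, _, name = line.partition("\t")
        if name == "HEAD" or name.endswith("^{}"):
            continue
        if name.startswith(("refs/heads/", "refs/tags/")):
            refs[name] = sha
    return refs


@dataclass
class DriftReport:
    aligned: list[str] = field(default_factory=list)
    diverged: dict[str, tuple[str, str]] = field(default_factory=dict)
    gitea_only: list[str] = field(default_factory=list)
    github_only: list[str] = field(default_factory=list)

    def main_aligned(self) -> bool:
        """The table's first unblock condition: main points at the same commit."""
        return "refs/heads/main" in self.aligned

    def needs_human_decision(self) -> list[str]:
        """Refs that cannot be reconciled mechanically and need an owner decision."""
        return sorted(list(self.diverged) + self.gitea_only + self.github_only)


def drift_report(gitea_text: str, github_text: str) -> DriftReport:
    """Compare the two ref lists; never mutates either side."""
    gitea = parse_ls_remote(gitea_text)
    github = parse_ls_remote(github_text)
    report = DriftReport()
    for name in sorted(set(gitea) | set(github)):
        if name in gitea and name in github:
            if gitea[name] == github[name]:
                report.aligned.append(name)
            else:
                report.diverged[name] = (gitea[name], github[name])
        elif name in gitea:
            report.gitea_only.append(name)
        else:
            report.github_only.append(name)
    return report


if __name__ == "__main__":
    r = drift_report(GITEA_LS_REMOTE, GITHUB_LS_REMOTE)
    print("main aligned:", r.main_aligned())
    for name in r.needs_human_decision():
        print("needs decision:", name)
```

Against real remotes the captured text would come from `git ls-remote` run against each side; the report is evidence for the reconcile plan and the decision table, and none of its outputs is an action on either repo.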
## 2. Only these actions are allowed after approval
| GitHub target | Allowed after approval |
|---------------|------------|
| `owenhytsai/awoooi` | Produce refs reconcile plan; produce draft migration PR or ADR; update migration matrix and evidence |
| `owenhytsai/clawbot-v5` | Produce refs reconcile plan; update migration matrix |
| `owenhytsai/wooo-aiops` | Produce refs reconcile plan; update migration matrix |
| `owenhytsai/wooo-infra-config` | Mark the 110 remote as mirror, legacy or active source; update canonical decision table |
| `owenhytsai/ewoooc` | Decide whether to create a GitHub repo or grant access to the existing private repo; produce migration plan |
| `owenhytsai/bitan-pharmacy` | Decide whether to create a GitHub repo or grant access to the existing private repo; produce migration plan |
| `owenhytsai/tsenyang-website` | Decide whether to create a GitHub repo or grant access to the existing private repo; produce migration plan |
| `owenhytsai/VibeWork` | Decide whether to grant access to the existing private target or plan a candidate GitHub repo; fill in repo / product / surface owner metadata; update the VibeWork read-only fields of source-control primary readiness |
| `owenhytsai/agent-bounty-protocol` | Decide whether to grant access to the existing private target or plan a candidate GitHub repo; fill in agent / bounty / treasury / execution surface owner metadata; update the agent-bounty-protocol read-only fields of source-control primary readiness |
## 3. Still forbidden even after approval
- Modify workflows
- Modify workflows or CODEOWNERS
- Switch GitHub to primary
- Delete the 110 remote
- Delete GitHub-only refs
- Delete any momo/ewoooc working tree
- Delete the repo on either side
- Enable agent claim / submit / daemon
- Execute payouts or withdrawals
- Merge the VibeWork product boundary into AWOOOI
- Move infra secret values
- Move secret values
- Push refs directly
- Disable Gitea directly
- Switch GitHub to primary directly
- Switch primary directly
- Delete a remote directly
- Sync refs directly
- Push refs automatically
- Automatically merge unrelated histories
- Automatically create a mirror
- Automatically create a repo
## 4. How AwoooP consumes this
AwoooP may mirror `github_target_repo_approval_package_v1` as grouping evidence for the approval queue, but must not directly execute GitHub repo creation, visibility changes, refs sync or a primary switch.