# S4.9 Reviewer Validation Checklist

| Item | Content |
|------|---------|
| Date | 2026-06-05 |
| Baseline | `gitea/main=a516d3f8 docs(security): 補 S4.9 owner response intake form [skip ci]` |
| Upstream documents | `docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md`, `docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md` |
| Mode | reviewer validation checklist only |
| Must not be misread as | This document is not a request dispatch, not an owner response, not an accepted record, and not an execution authorization for repo / refs / workflow / secret / runner / host / runtime |

## 1. When to use

This checklist is used only after an owner response intake form has entered `ready_for_reviewer_validation`. Its purpose is to let the reviewer decide, gate by gate, whether the form may proceed to the next step, needs more evidence, must be quarantined, or must be rejected.

Passing this checklist still does not mean that any runtime action, GitHub primary switch, Kali scan, host maintenance, repo creation, refs sync, workflow modification or Secret read has been approved. If any action needs to be executed, it must be split out into a separate manual approval with its own rollback, post-check and audit record.

## 2. Reviewer roles

| Role | Responsible for | Must not do |
|------|-----------------|-------------|
| Intake reviewer | Check that the five questions and six fields are complete | Fill in a decision on the owner's behalf |
| Redaction reviewer | Check that evidence refs contain only redacted references | Copy raw payload into documents, the LOGBOOK or the frontend |
| Scope reviewer | Check that the affected scope maps to a source-control / host / product scope | Turn a scope determination into a git or runtime action |
| Consistency reviewer | Cross-check owner, scope and disposition against S4.5 / S4.10 / S4.11 / S4.12 / rollback handoff | Use a single form to cover gaps in other packets |
| Final recorder | Record the reviewer outcome, the reason more evidence is requested, and the next owner | Write a reviewer note as accepted or approved |

## 3. Validation Gates

| Gate | Check | Pass condition | Failure outcome |
|------|-------|----------------|-----------------|
| V0 | Baseline sync | Reviewer uses the latest `gitea/main`, the latest intake form and the latest P0 ledger | `keep_waiting_owner_response` or re-sync |
| V1 | Five-question completeness | All five questions are answered or carry an explicit follow-up status | `request_more_evidence` |
| V2 | Six-field completeness | Every question maps to `owner_role_or_team`, `decision`, `decision_reason`, `affected_scope`, `redacted_evidence_refs`, `followup_owner` | `request_more_evidence` |
| V3 | Decision allowlist | `decision` uses only `confirm`, `defer`, `reject`, `request_more_evidence` | `request_more_evidence` or `reject_execution_request` |
| V4 | Sensitive payload | No token, secret, private key, cookie, session, authorization header, runner token, webhook secret, DB dump, repo archive or unredacted screenshot | `quarantine_sensitive_payload` |
| V5 | Execution request | No repo create, visibility change, refs sync, delete refs, workflow modification, runner enablement, Kali scan, `/execute`, SSH, host update, or runtime restart / rollout / scale / delete | `reject_execution_request` |
| V6 | Evidence refs | Evidence contains only document paths, snapshot ids, ticket ids, hashes, redacted metadata pointers or quarantine pointers | `request_more_evidence` or `quarantine_sensitive_payload` |
| V7 | Cross-packet consistency | Owner, scope, canonical source, legacy disposition, workflow / secret names and rollback owner do not contradict each other | `request_more_evidence` |
| V8 | Gate boundary | All execution-side actions and the primary switch remain outside this gate, subject to separate manual approval | `reject_execution_request` |

## 4. Outcome decision table

| Outcome | When to use | May update | Must not update |
|---------|-------------|------------|-----------------|
| `keep_waiting_owner_response` | No form received yet, only a blank form, only verbal agreement, or the baseline is out of date | waiting note, followup owner | received / accepted / rejected count |
| `request_more_evidence` | Missing fields, unclear scope, insufficient evidence refs, cross-packet contradictions | reason for the request, gap list, follow-up owner | accepted count, runtime gate |
| `quarantine_sensitive_payload` | Contains a suspected sensitive payload, unredacted evidence, or a private credential URL | quarantine metadata, payload type, length, receipt time | raw payload, LOGBOOK raw text, frontend display |
| `reject_execution_request` | Carries a git / workflow / runner / host / scan / runtime execution request | rejection reason, type of manual approval that must be split out | action button, runtime gate, GitHub primary |
| `ready_for_security_acceptance_record` | Five questions complete, six fields complete, no sensitive payload, no execution request, cross-packet consistent | reviewer validation note, next-stage owner | automatic accepted, automatic dispatch, automatic execution |
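
One way to encode gates V1 to V6 and the outcome precedence of the table above as a pre-triage script; this is an added example, not code from the S4.9 documents. The question labels `q1`..`q5`, the keyword markers, the accepted evidence-ref shapes and the order "quarantine before reject before request more evidence" are assumptions; a hit only routes the form, the reviewer still decides.

```python
import re

# Five questions and six fields per the intake form; question labels q1..q5 are assumed
QUESTIONS = ("q1", "q2", "q3", "q4", "q5")
FIELDS = ("owner_role_or_team", "decision", "decision_reason",
          "affected_scope", "redacted_evidence_refs", "followup_owner")
DECISIONS = {"confirm", "defer", "reject", "request_more_evidence"}  # V3 allowlist
# V4 markers (constructed, not exhaustive): a hit means quarantine, never copy the text out
SENSITIVE = re.compile(r"(?i)\b(token|secret|private key|cookie|session|authorization:|"
                       r"webhook secret|db dump|repo archive)\b|ghp_|-----BEGIN")
# V5 markers: phrases that turn a response into an execution request
EXECUTION = re.compile(r"(?i)\b(create repo|visibility change|refs sync|delete|enable runner|"
                       r"kali scan|ssh|host update|restart|rollout|scale)\b|/execute")
# V6: the only evidence ref shapes accepted (doc path, snapshot id, ticket id, hash, pointers)
EVIDENCE_REF = re.compile(r"^(docs/[\w./-]+\.md|snapshot-\d+|[A-Z]+-\d+|sha256:[0-9a-f]{64}|"
                          r"redacted-meta://\S+|quarantine://\S+)$")

def validate_intake(form):
    """Run gates V1-V6 over an intake form; return (outcome, sorted list of failed gates)."""
    answers = {q: form.get(q) for q in QUESTIONS}
    failed = {"V1"} if any(a is None for a in answers.values()) else set()
    for ans in filter(None, answers.values()):
        text = " ".join(str(v) for v in ans.values())
        refs = ans.get("redacted_evidence_refs") or []
        checks = {
            "V2": all(ans.get(f) for f in FIELDS),
            "V3": ans.get("decision") in DECISIONS,
            "V4": not SENSITIVE.search(text),
            "V5": not EXECUTION.search(text),
            "V6": all(EVIDENCE_REF.match(r) for r in refs),
        }
        failed.update(g for g, ok in checks.items() if not ok)
    # Precedence (assumed): divert sensitive material first, then refuse execution requests
    for gate, outcome in (("V4", "quarantine_sensitive_payload"), ("V5", "reject_execution_request")):
        if gate in failed:
            return outcome, sorted(failed)
    return ("request_more_evidence" if failed else "ready_for_security_acceptance_record"), sorted(failed)

# Constructed sample answers: one clean, one carrying an execution request and a raw token
CLEAN_ANSWER = {
    "owner_role_or_team": "platform-team", "decision": "confirm", "followup_owner": "security-team",
    "decision_reason": "scope confirmed against the S4.11 refs truth queue",
    "affected_scope": "source-control: gitea org example-org",
    "redacted_evidence_refs": ["docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md", "snapshot-42"],
}
CLEAN_FORM = {q: CLEAN_ANSWER for q in QUESTIONS}
BAD_FORM = dict(CLEAN_FORM, q3=dict(CLEAN_ANSWER, decision="approve",
    decision_reason="please run refs sync now, runner token ghp_EXAMPLE attached",
    redacted_evidence_refs=["https://gitea.example/raw/dump.zip"]))
```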

## 5. Count transition boundaries

| Count / Flag | Precondition for a change | Situations in which it must stay unchanged |
|--------------|---------------------------|--------------------------------------------|
| `request_sent_count` | Manual dispatch audit metadata exists, and the dispatched content contains only the redacted form and the prohibition clauses | Only a request draft, template, handoff or this checklist exists |
| `received_response_count` | A non-empty form was received, the five questions and six fields are readable, and any sensitive payload has already been diverted | Only verbal agreement, a blank form, incomplete mapping, or raw payload included |
| `accepted_response_count` | Reviewer validation passed and a separate security acceptance record exists | Only the form, only a reviewer note, only AwoooP approval, only visible in the UI |
| `rejected_response_count` | An actual response was rejected and the rejection reason has been recorded | No response received yet, only more evidence needed, only quarantine needed |
| `redacted_payload_ingested` | Redacted metadata has passed reviewer acceptance and no raw payload is present | Evidence refs unclear, payload not quarantined, more evidence still needed |
| `runtime_execution_authorized` | A separate manual approval, rollback, post-check, disable plan and audit record exist | Any S4.9 document, form, reviewer validation or AwoooP approval |
| `github_primary_switch_authorized` | Separate primary readiness, owner acceptance, rollback ADR and cutover approval exist | S4.9 owner response gate not yet accepted |

## 6. Cross-packet Consistency Checklist

| Packet | Reviewer must check | On failure |
|--------|---------------------|------------|
| S4.5 Gitea authenticated inventory | Still accepts only read-only metadata or a redacted admin export; no token values | Request more evidence or quarantine |
| S4.10 GitHub target owner response | Whether `not_found_or_private` has been misread as "does not exist" or as permission to create the repo | Request more evidence |
| S4.11 refs truth queue | Whether refs truth, deprecated / archive candidates and GitHub-only refs have an owner determination | Request more evidence |
| S4.12 workflow / secret parity | Secret name parity contains only names and templates; no values, hash fragments or partial tokens | Quarantine or request more evidence |
| Rollback ADR owner handoff | Rollback owner, trigger, validation window and fallback role are consistent | Request more evidence |
| IwoooS runtime gate | Whether UI / matrix / AwoooP approval has been misread as runtime authorization | Reject the execution request |

## 7. Reviewer Output Template

```text
reviewer_validation_id:
baseline_commit:
intake_form_ref:
reviewer_role_or_team:
outcome:
outcome_reason:
passed_gates:
failed_gates:
missing_fields:
quarantine_refs:
cross_packet_conflicts:
followup_owner:
not_approval_statement:
```

`not_approval_statement` must state explicitly: this reviewer output is not an execution approval for repo / refs / workflow / secret / runner / host / runtime, and not an approval for the GitHub primary switch.

## 8. Status before acceptance

```text
request_sent=false
request_sent_count=0
received_response_count=0
accepted_response_count=0
rejected_response_count=0
owner_response_received_count=0
owner_response_accepted_count=0
redacted_payload_ingested=false
active_runtime_gate_count=0
runtime_execution_authorized=false
action_buttons_allowed=false
repo_creation_authorized=false
refs_sync_authorized=false
workflow_modification_authorized=false
github_primary_switch_authorized=false
host_update_authorized=false
active_scan_authorized=false
secret_value_collection_authorized=false
```

## 9. Completion status for this round

| Work item | Completion | Notes |
|-----------|------------|-------|
| S4.9 reviewer validation checklist | 100% | Reviewer roles, V0-V8 gates, outcome decision table, count transitions and cross-packet consistency are fixed |
| S4.9 owner response gate | 0% | Not yet dispatched, no owner response received, not yet accepted |
| IwoooS overall | Held at 64% | Completing the reviewer checklist does not raise runtime readiness |
| active runtime gate | 0 | Unchanged |