# S4.9 Security Acceptance Record Template

| Item | Content |
|------|---------|
| Date | 2026-06-05 |
| Baseline | `gitea/main=70c01003 docs(governance): 記錄 P1-002 正式驗證 [skip ci]` |
| Upstream documents | `docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md`, `docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md`, `docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md` |
| Mode | security acceptance record template only |
| Must not be misread as | This document is not an owner response, not a passed reviewer validation, not an accepted record, and not an execution authorization for GitHub primary / repo / refs / workflow / secret / runner / host / runtime |

## 1. When to use

This template may only be used after the reviewer validation outcome is `ready_for_security_acceptance_record`. Its purpose is to let the security reviewer write down the acceptable redacted evidence, the scope that remains excluded, the follow-up owner and the non-authorization statement as one auditable record.

Creating this template does not mean that:

- the request has been sent
- an owner response has been received
- reviewer validation has passed
- security acceptance is complete
- GitHub primary may be switched
- any change may be executed on repo / refs / workflow / secret / runner / host / runtime

## 2. Preconditions for creating an actual record

| Precondition | Required result | Outcome on failure |
|--------------|-----------------|--------------------|
| Latest baseline | `git fetch gitea --prune` has been run and `baseline_commit` recorded | `request_more_evidence` |
| Intake form | All five questions have non-empty answers that map onto the six-column canonical envelope | `request_more_evidence` |
| Reviewer validation | V0-V8 all pass and the output carries a reviewer validation id | `request_more_evidence` |
| Quarantine | No unresolved sensitive payload, raw secret, unredacted screenshot or private credential URL | `quarantine_sensitive_payload` |
| Execution request | No repo create, visibility change, refs sync, workflow modification, runner enablement, Kali scan, `/execute`, SSH, host update, or runtime restart / rollout / scale / delete | `reject_execution_request` |
| Cross-packet consistency | S4.5 / S4.10 / S4.11 / S4.12 / rollback ADR / runtime gate show no contradiction in owner, scope or disposition | `request_more_evidence` |
| Not-approval statement | "This record is not an execution approval" is written in explicitly | An accepted record must not be created |

## 3. Acceptance record fields

| Field | Required | Rule |
|-------|----------|------|
| `acceptance_record_id` | yes | Suggested format `s4-9-security-acceptance-YYYYMMDD-NN` |
| `baseline_commit` | yes | The `gitea/main` commit at the time the record is created |
| `intake_form_ref` | yes | Intake form version or document path used for the owner response |
| `owner_response_refs` | yes | Redacted metadata refs for the five owner-response answers; never paste the raw response |
| `reviewer_validation_ref` | yes | Reviewer validation output id / document path / ticket id |
| `security_reviewer_role_or_team` | yes | Role or team of the final security acceptance reviewer |
| `security_acceptance_decision` | yes | Only `accept_redacted_evidence`, `defer`, `reject`, `request_more_evidence` or `quarantine_before_acceptance` |
| `decision_reason` | yes | A redacted summary; must not contain any token, secret, cookie, session, authorization header or runner token |
| `accepted_scope` | yes | Lists only the accepted source-control / evidence scope; no runtime action |
| `excluded_scope` | yes | Explicitly lists the repo, refs, workflow, secret, host and runtime scope that is still not accepted or outside this round |
| `redacted_evidence_refs` | yes | Document paths, snapshot ids, ticket ids, hashes, redacted metadata pointers |
| `unresolved_risks` | yes | Risks that still need further evidence, owner attestation, rollback, primary readiness or runtime approval |
| `followup_owner` | yes | Owner for follow-up evidence, formal approval or the next phase |
| `counts_after_record` | yes | Filled only under the section 4 rules; the template itself keeps everything at 0 / false |
| `not_approval_statement` | yes | Must use the non-authorization statement from section 7 |

## 4. Count transition rules

| Count / Flag | When it may be updated | On creation of this template |
|--------------|------------------------|------------------------------|
| `request_sent_count` | Manual submission audit metadata exists and the submission contains only the redacted form and the prohibition clauses | Not updated |
| `received_response_count` | A non-empty owner response was received, the five answers and six columns are readable, and any sensitive payload has been diverted | Not updated |
| `accepted_response_count` | An actual security acceptance record is filled in, the decision is `accept_redacted_evidence`, and the reviewer validation ref passed | Not updated |
| `rejected_response_count` | An actual owner response was rejected and the rejection reason recorded | Not updated |
| `redacted_payload_ingested` | Redacted metadata passed reviewer validation and was accepted by the acceptance record | Not updated |
| `runtime_execution_authorized` | Only with a separate independent manual approval, rollback, post-check, disable plan and audit record | Never updated by an S4.9 document |
| `github_primary_switch_authorized` | Only with separate primary readiness, owner acceptance, rollback ADR and cutover approval | Never updated by this template |

## 5. Decision outcome handling

| Decision | Conditions | Follow-up |
|----------|------------|-----------|
| `accept_redacted_evidence` | Five answers, six columns, reviewer validation and cross-packet consistency all pass, and only redacted evidence is accepted | An accepted record may be created; the runtime gate still stays closed |
| `defer` | Scope or owner timing is not ready, but there is no sensitive payload or execution request | Keep the follow-up owner and the deadline for further evidence |
| `reject` | The owner response does not meet this round's scope / evidence requirements | Record the rejection reason; create no action button |
| `request_more_evidence` | Fields incomplete, scope unclear, or contradictions among refs / workflow / rollback owner | Return to evidence collection |
| `quarantine_before_acceptance` | Suspected sensitive payload, unredacted evidence or private credential URL | Quarantine first; an accepted record must not be created |

## 6. Evidence redaction rules

Allowed:

- repo path, branch / tag / commit hash, workflow file path
- snapshot id, ticket id, run id, redacted owner note id
- HTTP status metadata, resource kind, namespace, non-secret key name
- quarantine pointer, but never containing the raw payload

Forbidden:

- token, secret, private key, cookie, session, authorization header
- runner token, webhook secret, database URL, private URL credential
- DB dump, repo archive, git object pack, bare repo tarball
- masked token, partial token, hash fragment, base64 secret payload
- unredacted screenshots, raw API bodies, sensitive fields in raw logs

## 7. Mandatory non-authorization statement

The `not_approval_statement` of an actual acceptance record must carry the following meaning:

```text
This S4.9 security acceptance record accepts only redacted owner response evidence and the scope determination.
It is not a GitHub primary switch approval, not a repo creation / visibility change / refs sync approval,
not a workflow modification / runner enablement / Secret read approval,
and not a Kali active scan, /execute, SSH, host update or runtime restart / rollout / scale / delete approval.
Any execution-side change requires a separate independent manual approval, rollback, post-check, disable plan and audit record.
```

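The preconditions in section 2, the field rules in section 3, the counter rules in section 4, the redaction list in section 6 and the statement in section 7 can be checked mechanically over a filled-in record before a reviewer signs it. The following is an added example written for this page, not code from the S4.9 documents or the project: it takes a record as a dict keyed by the section 3 field names, applies the section 2 preconditions in precedence order (quarantine first, then execution request, then completeness, then the section 4 counter rules and the section 7 statement) and returns the resulting outcome. The regex shapes used for forbidden material, the topic-phrase check on `not_approval_statement`, the mapping of counter or statement problems to `request_more_evidence`, and the sample record are all assumptions of this example.

```python
import re

# Allowed values of security_acceptance_decision (section 3).
ALLOWED_DECISIONS = {"accept_redacted_evidence", "defer", "reject",
                     "request_more_evidence", "quarantine_before_acceptance"}

# Every field in the section 3 table is mandatory.
REQUIRED_FIELDS = (
    "acceptance_record_id", "baseline_commit", "intake_form_ref", "owner_response_refs",
    "reviewer_validation_ref", "security_reviewer_role_or_team", "security_acceptance_decision",
    "decision_reason", "accepted_scope", "excluded_scope", "redacted_evidence_refs",
    "unresolved_risks", "followup_owner", "counts_after_record", "not_approval_statement")

# Free-text fields screened against the section 6 "forbidden" list.
FREE_TEXT_FIELDS = ("owner_response_refs", "decision_reason", "accepted_scope",
                    "excluded_scope", "redacted_evidence_refs", "unresolved_risks")

# Heuristic shapes for forbidden material (assumption: this example's own
# patterns, not a complete secret scanner; a hit means quarantine, not proof).
SENSITIVE_PATTERNS = {
    "keyed secret": re.compile(
        r"(?i)\b(?:token|secret|password|private[_ -]?key|cookie|session|authorization)\b\s*[:=]\s*\S+"),
    "bearer header": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{8,}=*"),
    "credential in url": re.compile(r"://[^\s/@:]+:[^\s/@]+@"),
    "base64 blob": re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])"),
}

# Execution requests that section 2 maps to reject_execution_request.
EXECUTION_REQUEST = re.compile(
    r"(?i)\b(?:repo create|visibility change|refs sync|workflow modif\w*|runner enabl\w*"
    r"|kali scan|host update|runtime (?:restart|rollout|scale|delete))\b|(?<!\S)/execute\b|\bssh\b")

# Section 4: never set by an S4.9 document.
LOCKED_FALSE = ("runtime_execution_authorized", "github_primary_switch_authorized")
# Section 7: areas the statement must disclaim (phrase check is an assumption).
NOT_APPROVAL_TOPICS = ("GitHub primary", "refs sync", "workflow", "runner", "runtime")


def screen_text(text: str) -> list:
    """Return the names of the forbidden patterns found in text."""
    hits = []
    for name, pattern in SENSITIVE_PATTERNS.items():
        for match in pattern.finditer(text):
            # A bare lowercase hex string is a commit hash or digest, which
            # section 6 allows; any other long alphanumeric blob is flagged.
            if name == "base64 blob" and re.fullmatch(r"[0-9a-f]+", match.group(0)):
                continue
            hits.append(name)
            break
    return hits


def validate_acceptance_record(record: dict):
    """Apply the section 2 preconditions in precedence order.

    Returns (outcome, findings): a section 2 failure outcome, or the record's
    own security_acceptance_decision when every check passes.
    """
    findings = []
    # Quarantine first: sensitive payload must never be stored in the record.
    for field in FREE_TEXT_FIELDS:
        findings += [f"{field}: {hit}" for hit in screen_text(str(record.get(field, "")))]
    if findings:
        return "quarantine_sensitive_payload", findings
    # accepted_scope may list source-control / evidence scope only (section 3).
    match = EXECUTION_REQUEST.search(str(record.get("accepted_scope", "")))
    if match:
        return "reject_execution_request", [f"accepted_scope requests execution: {match.group(0)!r}"]
    missing = [field for field in REQUIRED_FIELDS if not record.get(field)]
    if missing:
        return "request_more_evidence", [f"missing field: {field}" for field in missing]
    decision = record["security_acceptance_decision"]
    if decision not in ALLOWED_DECISIONS:
        return "request_more_evidence", [f"unknown decision: {decision!r}"]
    counts = record["counts_after_record"]
    findings += [f"{flag} must stay false" for flag in LOCKED_FALSE if counts.get(flag, False) is not False]
    # Section 4: the acceptance counters move only on accept_redacted_evidence.
    if decision != "accept_redacted_evidence":
        if counts.get("accepted_response_count", 0) != 0:
            findings.append("accepted_response_count changed without accept_redacted_evidence")
        if counts.get("redacted_payload_ingested", False) is not False:
            findings.append("redacted_payload_ingested changed without accept_redacted_evidence")
    statement = record["not_approval_statement"].lower()
    findings += [f"not_approval_statement does not mention {t}" for t in NOT_APPROVAL_TOPICS
                 if t.lower() not in statement]
    if findings:
        # The page only says no accepted record may be created here; mapping
        # that to request_more_evidence is an assumption of this example.
        return "request_more_evidence", findings
    return decision, []


# Constructed sample record (example values, not from any real S4.9 packet).
SAMPLE_RECORD = {
    "acceptance_record_id": "s4-9-security-acceptance-20260605-01",
    "baseline_commit": "70c01003",
    "intake_form_ref": "docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md",
    "owner_response_refs": "ticket EXAMPLE-1 / redacted note id N-1",
    "reviewer_validation_ref": "rv-EXAMPLE-1",
    "security_reviewer_role_or_team": "security-review (example)",
    "security_acceptance_decision": "accept_redacted_evidence",
    "decision_reason": "Five answers map to the six-column envelope; only redacted metadata accepted.",
    "accepted_scope": "gitea/main source-control evidence: branch refs and workflow file paths",
    "excluded_scope": "repo creation, refs sync, workflow modification, secrets, host, runtime",
    "redacted_evidence_refs": "snapshot S-1; commit 70c01003",
    "unresolved_risks": "rollback ADR owner attestation still pending",
    "followup_owner": "platform owner (example)",
    "counts_after_record": {"request_sent_count": 1, "received_response_count": 1,
                            "accepted_response_count": 1, "rejected_response_count": 0,
                            "redacted_payload_ingested": True, "runtime_execution_authorized": False,
                            "github_primary_switch_authorized": False},
    "not_approval_statement": "This record is not a GitHub primary switch, refs sync, workflow, "
                              "runner or runtime approval.",
}

if __name__ == "__main__":
    print(validate_acceptance_record(SAMPLE_RECORD))
```

Run stand-alone, the sample yields `('accept_redacted_evidence', [])`; replacing `decision_reason` with text that carries an authorization header moves the outcome to `quarantine_sensitive_payload` before any other check runs, and a `defer` decision with `accepted_response_count` already at 1 is sent back as `request_more_evidence` because section 4 ties that counter to `accept_redacted_evidence` only.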
## 8. Blank template

```text
acceptance_record_id:
baseline_commit:
intake_form_ref:
owner_response_refs:
reviewer_validation_ref:
security_reviewer_role_or_team:
security_acceptance_decision:
decision_reason:
accepted_scope:
excluded_scope:
redacted_evidence_refs:
unresolved_risks:
followup_owner:
counts_after_record:
request_sent_count:
received_response_count:
accepted_response_count:
rejected_response_count:
redacted_payload_ingested:
runtime_execution_authorized:
github_primary_switch_authorized:
not_approval_statement:
```

## 9. State before acceptance

```text
request_sent=false
request_sent_count=0
received_response_count=0
accepted_response_count=0
rejected_response_count=0
owner_response_received_count=0
owner_response_accepted_count=0
redacted_payload_ingested=false
active_runtime_gate_count=0
runtime_execution_authorized=false
action_buttons_allowed=false
repo_creation_authorized=false
refs_sync_authorized=false
workflow_modification_authorized=false
github_primary_switch_authorized=false
host_update_authorized=false
active_scan_authorized=false
secret_value_collection_authorized=false
```

## 10. Completion status for this round

| Work item | Completion | Notes |
|-----------|------------|-------|
| S4.9 security acceptance record template | 100% | Preconditions, fields, count transition, decision outcome, evidence redaction and non-authorization statement are fixed |
| S4.9 owner response gate | 0% | Not yet sent, no owner response received, reviewer validation not yet passed, not yet accepted |
| IwoooS overall | Stays at 64% | Completing the acceptance record template does not raise runtime readiness |
| active runtime gate | 0 | Unchanged |