awoooi/docs/security/S4-9-SECURITY-ACCEPTANCE-RECORD-TEMPLATE.md
# S4.9 Security Acceptance Record Template
| Item | Content |
|------|---------|
| Date | 2026-06-05 |
| Baseline | `gitea/main=70c01003 docs(governance): record P1-002 formal verification [skip ci]` |
| Upstream documents | `docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md`, `docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md`, `docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md` |
| Mode | security acceptance record template only |
| Not to be misread as | This document is not an owner response, not a passed reviewer validation, not an accepted record, and not an execution authorization for GitHub primary / repo / refs / workflow / secret / runner / host / runtime |
## 1. When to use
This template may only be used after the reviewer validation outcome is `ready_for_security_acceptance_record`. Its purpose is to let the security reviewer record, as one auditable entry, the redacted evidence that is acceptable, the scope that is still excluded, the follow-up owner, and the not-an-authorization statement.
Creating this template does not mean:
- the request has been sent
- an owner response has been received
- reviewer validation has passed
- security acceptance is complete
- GitHub primary may be switched
- any change may be executed against repo / refs / workflow / secret / runner / host / runtime
## 2. Preconditions for creating an actual record
| Precondition | Required result | Outcome when not met |
|--------------|-----------------|----------------------|
| Latest baseline | `git fetch gitea --prune` has been run and `baseline_commit` recorded | `request_more_evidence` |
| Intake form | All five questions have non-empty answers that map onto the six-column canonical envelope | `request_more_evidence` |
| Reviewer validation | V0-V8 all pass and the output carries a reviewer validation id | `request_more_evidence` |
| Quarantine | No unresolved sensitive payload, raw secret, unredacted screenshot or private credential URL | `quarantine_sensitive_payload` |
| Execution request | No repo create, visibility change, refs sync, workflow modification, runner enablement, Kali scan, `/execute`, SSH, host update, or runtime restart / rollout / scale / delete | `reject_execution_request` |
| Cross-packet consistency | No owner, scope or disposition contradiction across S4.5 / S4.10 / S4.11 / S4.12 / rollback ADR / runtime gate | `request_more_evidence` |
| Not-approval statement | "This record is not an execution approval" is written in explicitly | an accepted record must not be created |
## 3. Acceptance record fields
| Field | Required | Rule |
|-------|----------|------|
| `acceptance_record_id` | yes | recommended format `s4-9-security-acceptance-YYYYMMDD-NN` |
| `baseline_commit` | yes | the `gitea/main` commit at the time the record is created |
| `intake_form_ref` | yes | version or file path of the intake form used for the owner response |
| `owner_response_refs` | yes | redacted metadata refs for the five owner-response answers; never paste the raw responses |
| `reviewer_validation_ref` | yes | reviewer validation output id / file path / ticket id |
| `security_reviewer_role_or_team` | yes | role or team of the final security acceptance reviewer |
| `security_acceptance_decision` | yes | one of `accept_redacted_evidence`, `defer`, `reject`, `request_more_evidence`, `quarantine_before_acceptance` |
| `decision_reason` | yes | a redacted summary; must not contain a token, secret, cookie, session, authorization header or runner token |
| `accepted_scope` | yes | lists only the accepted source-control / evidence scope; no runtime actions |
| `excluded_scope` | yes | lists explicitly the repo, refs, workflow, secret, host and runtime scope that is still unaccepted or outside this round |
| `redacted_evidence_refs` | yes | file paths, snapshot ids, ticket ids, hashes, redacted metadata pointers |
| `unresolved_risks` | yes | risks that still need further evidence, owner attestation, rollback, primary readiness or runtime approval |
| `followup_owner` | yes | owner of the follow-up evidence, the formal approval or the next stage |
| `counts_after_record` | yes | filled in only per the section 4 rules; the template itself keeps everything at 0 / false |
| `not_approval_statement` | yes | must use the not-an-authorization statement from section 7 |
## 4. Count transition rules
| Count / flag | When it may be updated | On creating this template |
|--------------|------------------------|---------------------------|
| `request_sent_count` | a manual submission has audit metadata, and the submitted content contains only the redacted form and the prohibition clauses | not updated |
| `received_response_count` | a non-empty owner response has been received, its five answers and six columns are readable, and any sensitive payload has been diverted | not updated |
| `accepted_response_count` | an actual security acceptance record has been filled in, the decision is `accept_redacted_evidence`, and the reviewer validation ref passed | not updated |
| `rejected_response_count` | an actual owner response has been refused and the rejection reason recorded | not updated |
| `redacted_payload_ingested` | redacted metadata has passed reviewer validation and been accepted by the acceptance record | not updated |
| `runtime_execution_authorized` | requires a separate independent human approval, rollback, post-check, disable plan and audit record | must never be updated by an S4.9 document |
| `github_primary_switch_authorized` | requires separate primary readiness, owner acceptance, rollback ADR and cutover approval | must never be updated by this template |
## 5. Decision outcome handling
| Decision | Condition | Follow-up |
|----------|-----------|-----------|
| `accept_redacted_evidence` | five answers, six columns, reviewer validation and cross-packet consistency all pass, and only redacted evidence is accepted | an accepted record may be created; the runtime gate stays closed |
| `defer` | the scope or the owner timing is not yet ready, but there is no sensitive payload and no execution request | keep the follow-up owner and the evidence deadline |
| `reject` | the owner response does not meet this round's scope / evidence requirements | record the rejection reason; create no action button |
| `request_more_evidence` | fields are insufficient, the scope is unclear, or refs / workflow / rollback owners contradict each other | return for more evidence |
| `quarantine_before_acceptance` | suspected sensitive payload, unredacted evidence or private credential URL | quarantine first; an accepted record must not be created |
## 6. Evidence redaction rules
Allowed:
- repo path, branch / tag / commit hash, workflow file path
- snapshot id, ticket id, run id, redacted owner note id
- HTTP status metadata, resource kind, namespace, non-secret key name
- quarantine pointer, but never containing the raw payload
Forbidden:
- token, secret, private key, cookie, session, authorization header
- runner token, webhook secret, database URL, private URL credential
- DB dump, repo archive, git object pack, bare repo tarball
- masked token, partial token, hash fragment, base64 secret payload
- unredacted screenshot, raw API body, sensitive fields in raw logs
## 7. Mandatory not-an-authorization statement
The `not_approval_statement` of an actual acceptance record must carry the following meaning:
```text
This S4.9 security acceptance record accepts only redacted owner response evidence and a scope determination.
It is not a GitHub primary switch approval, not a repo creation / visibility change / refs sync approval,
not a workflow modification / runner enablement / secret read approval,
and not a Kali active scan, /execute, SSH, host update or runtime restart / rollout / scale / delete approval.
Any execution-face change requires a separate independent human approval, rollback, post-check, disable plan and audit record.
```
## 8. Blank template
```text
acceptance_record_id:
baseline_commit:
intake_form_ref:
owner_response_refs:
reviewer_validation_ref:
security_reviewer_role_or_team:
security_acceptance_decision:
decision_reason:
accepted_scope:
excluded_scope:
redacted_evidence_refs:
unresolved_risks:
followup_owner:
counts_after_record:
  request_sent_count:
  received_response_count:
  accepted_response_count:
  rejected_response_count:
  redacted_payload_ingested:
  runtime_execution_authorized:
  github_primary_switch_authorized:
not_approval_statement:
```
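As an added example (not code from the awoooi project or from this template), the Python validator below reads a filled-in record in the section 8 key: value layout and applies the checks of sections 2 through 7 as a reviewer would before an accepted record is created: required fields and the decision enum (section 3), the section 6 redaction rules, which the page gives only as categories and which are approximated here by regexes of the editor's choosing, the section 2 rule that an execution request hidden in `accepted_scope` is rejected, the section 7 statement wording, and the section 4 rule that the two authorization flags can never be set by an S4.9 record. The outcome follows the section 2 precedence (quarantine, then reject execution request, then request more evidence). The sample records are constructed; every id and the token-shaped string in them are placeholders, not real artefacts.

```python
# Validate an S4.9 security acceptance record (added example, not project code).
import re
from typing import Dict, List, Tuple

REQUIRED_FIELDS = [
    "acceptance_record_id", "baseline_commit", "intake_form_ref", "owner_response_refs",
    "reviewer_validation_ref", "security_reviewer_role_or_team", "security_acceptance_decision",
    "decision_reason", "accepted_scope", "excluded_scope", "redacted_evidence_refs",
    "unresolved_risks", "followup_owner", "not_approval_statement",
]
COUNT_KEYS = {"request_sent_count", "received_response_count", "accepted_response_count",
              "rejected_response_count", "redacted_payload_ingested",
              "runtime_execution_authorized", "github_primary_switch_authorized"}
DECISIONS = {"accept_redacted_evidence", "defer", "reject", "request_more_evidence",
             "quarantine_before_acceptance"}
RECORD_ID_RE = re.compile(r"^s4-9-security-acceptance-\d{8}-\d{2}$")
# Section 6 forbidden categories approximated as patterns (editor's assumption). Git
# hashes are allowed evidence, so the long-run check requires a non-hex character.
SECRET_PATTERNS = [
    re.compile(r"(?i)\bauthorization\s*:|\bbearer\s+\S+"),
    re.compile(r"(?i)\b(token|secret|cookie|session|password)\s*[=:]\s*\S+"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----|://[^/\s:@]+:[^/\s@]+@"),
    re.compile(r"(?<![A-Za-z0-9+])(?=[A-Za-z0-9+]*[G-Zg-z+])[A-Za-z0-9+]{32,}(?![A-Za-z0-9+])"),
]
# Section 2 execution requests that may never appear in accepted_scope.
EXEC_ACTIONS = ["repo create", "visibility change", "refs sync", "workflow modif", "runner enable",
                "kali", "/execute", "ssh", "host update", "restart", "rollout", "scale", "delete"]
# Section 7 wording the statement must carry.
STATEMENT_PHRASES = ["GitHub primary switch", "refs sync", "runner", "runtime",
                     "independent human approval"]

def parse_record(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split the section 8 layout into top-level fields and the nested counts."""
    fields: Dict[str, str] = {}
    counts: Dict[str, str] = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if sep and key != "counts_after_record":  # skip blank lines and the nested-block header
            (counts if key in COUNT_KEYS else fields)[key] = value
    return fields, counts

def validate_record(text: str) -> Tuple[str, List[str]]:
    """Return (outcome, findings); the outcome follows the section 2 precedence."""
    rec, counts = parse_record(text)
    decision = rec.get("security_acceptance_decision", "")
    findings = [f"missing:{f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if decision not in DECISIONS:
        findings.append(f"bad_decision:{decision or '<empty>'}")
    if not RECORD_ID_RE.match(rec.get("acceptance_record_id", "")):
        findings.append("bad_record_id")
    # Section 6: every free-text or ref field is scanned for unredacted material.
    sensitive = [f for f in ("owner_response_refs", "decision_reason", "redacted_evidence_refs",
                             "unresolved_risks")
                 if any(p.search(rec.get(f, "")) for p in SECRET_PATTERNS)]
    findings += [f"sensitive_payload:{f}" for f in sensitive]
    # Sections 2 and 3: accepted_scope carries source-control evidence only.
    exec_req = [a for a in EXEC_ACTIONS if a in rec.get("accepted_scope", "").lower()]
    if exec_req:
        findings.append("execution_request:" + ",".join(exec_req))
    # Section 7: the statement must actually say what the record is not.
    stmt = rec.get("not_approval_statement", "")
    findings += [f"statement_missing:{p}" for p in STATEMENT_PHRASES if p not in stmt]
    # Section 4: S4.9 never sets the two authorization flags, and the accepted
    # counter may only move in step with an accept decision and a validation ref.
    for flag in ("runtime_execution_authorized", "github_primary_switch_authorized"):
        if counts.get(flag, "false") != "false":
            findings.append(f"flag_set_by_s4_9:{flag}")
    accepted = counts.get("accepted_response_count", "0")
    if accepted != "0" and not (accepted == "1" and decision == "accept_redacted_evidence"
                                and rec.get("reviewer_validation_ref")):
        findings.append("accepted_count_without_acceptance")
    if sensitive:
        return "quarantine_sensitive_payload", findings
    if exec_req:
        return "reject_execution_request", findings
    if findings:
        return "request_more_evidence", findings
    return ("accepted_record" if decision == "accept_redacted_evidence" else decision), findings

# Constructed sample records; every id below is a placeholder, not a real artefact.
GOOD_RECORD = """\
acceptance_record_id: s4-9-security-acceptance-20260605-01
baseline_commit: gitea/main=70c01003
intake_form_ref: docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md
owner_response_refs: redacted-owner-note-01, redacted-owner-note-02
reviewer_validation_ref: reviewer-validation-01
security_reviewer_role_or_team: security-review
security_acceptance_decision: accept_redacted_evidence
decision_reason: five answers map onto the six envelope columns; only redacted metadata was received
accepted_scope: source-control evidence for gitea/main branches and workflow file paths
excluded_scope: repo creation, visibility change, secrets, runner, host, runtime
redacted_evidence_refs: snapshot-01, commit 70c01003
unresolved_risks: rollback ADR owner attestation still pending
followup_owner: platform-owner
counts_after_record:
  request_sent_count: 1
  received_response_count: 1
  accepted_response_count: 1
  rejected_response_count: 0
  redacted_payload_ingested: true
  runtime_execution_authorized: false
  github_primary_switch_authorized: false
not_approval_statement: not a GitHub primary switch, refs sync, workflow, runner or runtime approval; any execution change needs independent human approval, rollback, post-check, disable plan and audit record
"""
# Same record, but a runner token (fake, constructed) was pasted into the reason.
LEAKED_RECORD = GOOD_RECORD.replace("only redacted metadata was received",
                                    "owner sent runner token=QmFzZTY0T25seUZvclRoaXNFeGFtcGxl")
# Same record, but the accepted scope quietly includes a runtime action.
EXEC_RECORD = GOOD_RECORD.replace("and workflow file paths", "plus runtime restart of the web deployment")
```

`validate_record(GOOD_RECORD)` yields `accepted_record` with no findings, the leaked variant is quarantined before anything else is evaluated, and the variant with a runtime restart in its scope comes back as `reject_execution_request`; flipping `runtime_execution_authorized` to `true` in the good record produces a single `flag_set_by_s4_9` finding, which is the section 4 rule in code form.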
## 9. Pre-acceptance state
```text
request_sent=false
request_sent_count=0
received_response_count=0
accepted_response_count=0
rejected_response_count=0
owner_response_received_count=0
owner_response_accepted_count=0
redacted_payload_ingested=false
active_runtime_gate_count=0
runtime_execution_authorized=false
action_buttons_allowed=false
repo_creation_authorized=false
refs_sync_authorized=false
workflow_modification_authorized=false
github_primary_switch_authorized=false
host_update_authorized=false
active_scan_authorized=false
secret_value_collection_authorized=false
```
## 10. Completion status this round
| Work item | Completion | Notes |
|-----------|------------|-------|
| S4.9 security acceptance record template | 100% | preconditions, fields, count transitions, decision outcomes, evidence redaction and the not-an-authorization statement are fixed |
| S4.9 owner response gate | 0% | not yet sent, no owner response received, reviewer validation not yet passed, nothing accepted |
| IwoooS overall | stays at 64% | completing the acceptance record template does not raise runtime readiness |
| active runtime gate | 0 | unchanged |