wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
Files
2a2cb16c135fd7e5b159d94de9b5ff04f6cf31f5
awoooi/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md
Your Name 9e15fd08b3
All checks were successful
CD Pipeline / tests (push) Successful in 1m39s
Details
Code Review / ai-code-review (push) Successful in 15s
Details
CD Pipeline / build-and-deploy (push) Successful in 5m19s
Details
CD Pipeline / post-deploy-checks (push) Successful in 2m11s
Details
feat(web): land iwooos security posture surfaces
2026-05-25 20:35:52 +08:00

75 lines
5.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# 資安人工審查封包契約
| 項目 | 內容 |
|------|------|
| 日期 | 2026-05-17 |
| 狀態 | 草案 |
| Schema | `docs/schemas/security_approval_review_packet_v1.schema.json` |
| Snapshot | `docs/security/security-approval-review-packet.snapshot.json` |
| 模式 | `approval_review_packet_only` |
| runtime 執行授權 | `false` |
## 0. 核心結論
`security_approval_review_packet_v1` 是 S3.2 的人工審查封包格式。
它把 `security_approval_queue_v1``security_approval_gate_v1` 的 8 個審查項目整理成 AwoooP 可以顯示的 review packet讓 Operator 看得懂「現在要審什麼、由誰審、可以做哪些決策、仍然禁止哪些動作」。
它不是批准結果,也不是執行授權。真正的人工決策仍必須另外寫入 `security_approval_decision_record_v1`,而且每筆紀錄都必須維持 `execution_authorized=false`
S3.3 開始,決策後的 next state 由 `security_approval_state_transition_v1` 定義。這讓 AwoooP 能顯示 `approve_scope` 後仍在等待 runtime gate而不是直接執行。
S3.4 開始,等待 runtime gate 時要看哪些前置條件,由 `security_followup_runtime_gate_v1` 顯示。這仍只是準備模板,不會啟用 runtime gate。
## 1. 目前狀態
| 指標 | 數量 |
|------|------|
| Review packets | 8 |
| Ready for human review | 7 |
| Block candidate | 1 |
| Decision records created | 0 |
| Runtime actions authorized | `false` |
| Action buttons allowed | `false` |
## 2. Review Packet 順序
| 順序 | Packet | Review lane | 初期定位 |
|------|--------|-------------|----------|
| 1 | Redacted finding ingestion | `design_or_draft_review` | 只審是否可設計或建立 draft PR |
| 2 | Safe web crawl | `low_noise_scan_scope_review` | 只審低噪音 scope 定義 |
| 3 | Gitea owner attestation + read-only inventory | `read_only_inventory_review` | 先依 S4.9 審 S4.7 owner response再審只讀 token 或 redacted export |
| 4 | GitHub target decisions | `design_or_draft_review` | 先審 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response 與 S4.12 workflow / secret 名稱 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response再審 owner / visibility / canonical 草案 |
| 5 | Ref truth review | `design_or_draft_review` | 先審 S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response 驗收,再審人工分類與 reconcile 草案 |
| 6 | Credentialed scan | `manual_exception_review` | 只審 exception 設計 |
| 7 | Kali full-upgrade / reboot | `manual_exception_review` | 只審維護窗口與 rollback 計畫 |
| 8 | Kali `/execute` | `blocked_by_default_review` | 預設維持 block candidate |
## 3. AwoooP 可做
1. 顯示 review packet、review order、risk、review lane 與 required reviewers。
2. 顯示 requested decision、decision options、evidence refs 與 still forbidden。
3. 讓人工 reviewer 選擇 approve / reject / defer / request more evidence / keep blocked。
4. 將實際決策另寫成 `security_approval_decision_record_v1`
5.`security_approval_state_transition_v1` 顯示決策後 next state。
6.`security_followup_runtime_gate_v1` 顯示後續 runtime gate 準備條件。
7. 將 packet 作為 Operator Console / Audit evidence不新增執行按鈕。
## 4. AwoooP 不可做
1. 不把 review packet 視為批准。
2. 不把 review packet 視為 runtime authorization。
3. 不因為 packet 存在就啟動 scan、credentialed scan 或 Kali `/execute`
4. 不建立 GitHub repo、不改 visibility、不 sync refs、不切 GitHub primary。
5. 不保存 raw secret、token、cookie、private key、credential value 或 exploit payload。
## 5. 階段定位
S3.2 只補上「讓人好審」的封包,不提高資安阻力。
低風險與中風險仍以 observe / warn / draft review 為主;只有不可逆或高風險動作才持續留在 approval gate且批准後仍必須再過 runtime gate。
2026-05-17 S4.8 追加Gitea review packet 會顯示 S4.7 的 5 個 owner attestation items、`received_attestation_count=0``accepted_attestation_count=0`。這讓 reviewer 先判斷 coverage gap 與 scope decision不會把 read-only inventory approval 誤解成 repo migration 或 GitHub primary approval。
2026-05-17 S4.9 追加2026-05-18 補 request packet、template status ledger、audit event templates、redaction examples、display sections 與 collection checksGitea review packet 會顯示 S4.9 的 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、5 個 owner response templates、6 個 intake preflight checks、5 個 outcome lanes、`received_response_count=0`、8 個 acceptance checks 與 10 個 rejection rules。reviewer 應先確認 request packet 只要求脫敏回覆template statuses 仍逐項 waitingaudit event templates 仍為 template-only 且不保存 raw payloadredaction examples 只是填寫範例display sections 只是只讀 UI 順序collection checks 沒有把 request sent 誤判成 received / accepted再看 response 是否可審、需補證、需隔離、需拒收或仍需等待,最後才看 read-only inventory gatereview packet 仍不代表批准,也不授權執行。
Reference in New Issue View Git Blame Copy Permalink