File: awoooi/docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md
Commit 58e760fae2 (2026-06-11 20:30:41 +08:00): feat(security): extend S4.10 target owner response
# Source Control Approval Board

| Item | Content |
|------|------|
| Date | 2026-06-11 |
| Status | `draft` |
| Default mode | `mirror_only` |
| authenticated inventory gate | `blocked` |
| gate reason | GITEA_READONLY_TOKEN has not been provided, and the existing push-capable remote credential is not used as a read-only token; the server-side private/internal repo list is therefore still incomplete. |
| GitHub target owner response | `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` |
| repo items | 10 |
| pending approval | 9 |
## 0. Core principles

This board only organizes decisions; it does not authorize execution. AwoooP may mirror items as approval candidates, but it must not create repos, change visibility, sync refs, switch the GitHub primary, or store credential values.

S4.10 added 1 GitHub target owner response request packet, 9 template statuses, 3 audit event templates, 5 redaction examples, 6 collection checks, 6 intake preflight checks and 9 owner decision response templates; received / accepted responses are currently both 0.
## 1. Per-repo decision queue

| GitHub repo | Lane | Risk | Probe | Approval | Next step |
|-------------|------|------|-------|----------|--------|
| `owenhytsai/awoooi` | `refs_reconcile` | `HIGH` | `exists` | `pending` | Produce a draft reconcile plan first; do not push refs or switch primary. |
| `owenhytsai/clawbot-v5` | `refs_reconcile` | `MEDIUM` | `exists` | `pending` | Produce a draft reconcile plan first; do not push refs or switch primary. |
| `owenhytsai/wooo-aiops` | `refs_reconcile` | `MEDIUM` | `exists` | `pending` | Produce a draft reconcile plan first; do not push refs or switch primary. |
| `owenhytsai/wooo-infra-config` | `internal_remote_purpose` | `MEDIUM` | `exists` | `pending` | Document purpose and risk first; do not delete the remote or sync refs. |
| `owenhytsai/ewoooc` | `target_creation_or_access` | `HIGH` | `not_found_or_private` | `pending` | Obtain the owner / visibility decision first; do not auto-create the repo. |
| `owenhytsai/bitan-pharmacy` | `target_creation_or_access` | `MEDIUM` | `not_found_or_private` | `pending` | Obtain the owner / visibility decision first; do not auto-create the repo. |
| `owenhytsai/tsenyang-website` | `target_creation_or_access` | `MEDIUM` | `not_found_or_private` | `pending` | Obtain the owner / visibility decision first; do not auto-create the repo. |
| `nexu-io/open-design` | `scope_review` | `LOW` | `exists` | `not_required` | Mark for scope review only; not included in the primary switch. |
| `owenhytsai/VibeWork` | `target_creation_or_access` | `HIGH` | `not_found_or_private` | `pending` | Obtain the owner / visibility decision first; do not auto-create the repo. |
| `owenhytsai/agent-bounty-protocol` | `target_creation_or_access` | `HIGH` | `not_found_or_private` | `pending` | Obtain the owner / visibility decision first; do not auto-create the repo. |
## 2. Detailed blockers

### owenhytsai/awoooi

- Source key: `wooo/awoooi`
- Required decision: decide the source of truth for Gitea / GitHub refs, and approve producing a reconcile plan only.
- AwoooP consumption: `approval_candidate`
- Blocked until:
  - Gitea server-side full repo inventory has status=ok
  - branches/tags/workflows/webhooks/secrets name inventory is complete
  - deployment source of truth has been decided
  - GitHub primary ADR and rollback plan are complete
- Still forbidden:
  - directly pushing refs
  - directly switching the GitHub primary
  - directly disabling Gitea
  - moving secret values
- Evidence refs:
  - `docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md`
  - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md`
  - `docs/security/github-target-owner-decision-response.snapshot.json`
  - `docs/security/github-target-probe.snapshot.json`
### owenhytsai/clawbot-v5

- Source key: `wooo/clawbot-v5`
- Required decision: decide the source of truth for Gitea / GitHub refs, and approve producing a reconcile plan only.
- AwoooP consumption: `approval_candidate`
- Blocked until:
  - Gitea/GitHub main SHAs are aligned, or a source of truth is designated manually
  - handling of Gitea tags missing on GitHub has been decided
- Still forbidden:
  - directly pushing refs
  - directly switching primary
  - deleting the repo on either side
- Evidence refs:
  - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md`
  - `docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md`
  - `docs/security/github-target-owner-decision-response.snapshot.json`
  - `docs/security/github-target-probe.snapshot.json`
### owenhytsai/wooo-aiops

- Source key: `wooo/wooo-aiops`
- Required decision: decide the source of truth for Gitea / GitHub refs, and approve producing a reconcile plan only.
- AwoooP consumption: `approval_candidate`
- Blocked until:
  - Gitea/GitHub main SHAs are aligned, or a source of truth is designated manually
  - origin of the GitHub-only branches and tags has been clarified
- Still forbidden:
  - directly pushing refs
  - directly switching primary
  - deleting GitHub-only refs
- Evidence refs:
  - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md`
  - `docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md`
  - `docs/security/github-target-owner-decision-response.snapshot.json`
  - `docs/security/github-target-probe.snapshot.json`
### owenhytsai/wooo-infra-config

- Source key: `wooo/wooo-infra-config`
- Required decision: decide whether the 110 internal remote is an active source, a legacy mirror, or should be demoted.
- AwoooP consumption: `approval_candidate`
- Blocked until:
  - purpose of the 110 internal remote has been confirmed
  - if the 110 remote is the old primary, it has been demoted or removed
  - infra secrets name inventory is complete
- Still forbidden:
  - directly deleting the remote
  - directly syncing refs
  - moving infra secret values
- Evidence refs:
  - `docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md`
  - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md`
  - `docs/security/github-target-owner-decision-response.snapshot.json`
  - `docs/security/github-target-probe.snapshot.json`
### owenhytsai/ewoooc

- Source key: `wooo/ewoooc / root/momo-pro-system / momo working trees`
- Required decision: decide the GitHub repo owner / visibility / whether to create the repo or grant access to the existing one.
- AwoooP consumption: `approval_candidate`
- Blocked until:
  - the ewoooc/momo-pro-system canonical relationship has been confirmed manually
  - server-side refs diff is complete
  - GitHub repo owner and visibility decision is complete
- Still forbidden:
  - automatically creating a mirror
  - automatically merging unrelated histories
  - deleting any momo/ewoooc working tree
  - switching the GitHub primary
- Evidence refs:
  - `docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md`
  - `docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md`
  - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md`
  - `docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md`
  - `docs/security/github-target-owner-decision-response.snapshot.json`
  - `docs/security/github-target-probe.snapshot.json`
### owenhytsai/bitan-pharmacy

- Source key: `bitan-pharmacy`
- Required decision: decide the GitHub repo owner / visibility / whether to create the repo or grant access to the existing one.
- AwoooP consumption: `approval_candidate`
- Blocked until:
  - it has been confirmed whether the repo is still active
  - GitHub repo owner and visibility decision is complete
- Still forbidden:
  - automatically creating the repo
  - automatically pushing refs
  - deleting the 110 remote
- Evidence refs:
  - `docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md`
  - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md`
  - `docs/security/github-target-owner-decision-response.snapshot.json`
  - `docs/security/github-target-probe.snapshot.json`
### owenhytsai/tsenyang-website

- Source key: `tsenyang-website`
- Required decision: decide the GitHub repo owner / visibility / whether to create the repo or grant access to the existing one.
- AwoooP consumption: `approval_candidate`
- Blocked until:
  - it has been confirmed whether the repo is still active
  - GitHub repo owner and visibility decision is complete
- Still forbidden:
  - automatically creating the repo
  - automatically pushing refs
  - deleting the 110 remote
- Evidence refs:
  - `docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md`
  - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md`
  - `docs/security/github-target-owner-decision-response.snapshot.json`
  - `docs/security/github-target-probe.snapshot.json`
### nexu-io/open-design

- Source key: `open-design`
- Required decision: decide whether this repo falls within the AWOOOI security supply chain scope.
- AwoooP consumption: `scope_review_only`
- Blocked until:
  - it has been confirmed whether the repo falls within the AWOOOI security network scope
- Still forbidden:
  - auto_execute
  - sync_refs
  - switch_primary
- Evidence refs:
  - `docs/security/github-target-probe.snapshot.json`
### owenhytsai/VibeWork

- Source key: `vibework`
- Required decision: decide the GitHub repo owner / visibility / whether to create the repo or grant access to the existing one.
- AwoooP consumption: `approval_candidate`
- Blocked until:
  - VibeWork product / repo / surface owner and canonical source decision is complete
  - it has been confirmed whether a private GitHub target exists or a candidate repo needs to be created
  - the VibeWork product boundary is kept independent; it must not be merged in directly through AWOOOI primary readiness
  - workflow / CODEOWNERS / deploy key / repository secret name parity owner response is complete
- Still forbidden:
  - automatically creating the repo
  - automatically pushing refs
  - modifying workflows or CODEOWNERS
  - moving secret values
  - merging the VibeWork product boundary into AWOOOI
  - switching the GitHub primary
- Evidence refs:
  - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md`
  - `docs/security/github-target-owner-decision-response.snapshot.json`
  - `docs/security/source-control-primary-readiness-gate.snapshot.json`
  - `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json`
### owenhytsai/agent-bounty-protocol

- Source key: `agent-bounty-protocol`
- Required decision: decide the GitHub repo owner / visibility / whether to create the repo or grant access to the existing one.
- AwoooP consumption: `approval_candidate`
- Blocked until:
  - agent-bounty-protocol repo / deployment / external agent / treasury owner decision is complete
  - it has been confirmed whether a private GitHub target exists or a candidate repo needs to be created
  - A2A / MCP / bounty / treasury / payout / withdrawal runtime gate stays at 0
  - branch protection / CODEOWNERS / repository secret name parity owner response is complete
- Still forbidden:
  - automatically creating the repo
  - automatically pushing refs
  - modifying workflows
  - enabling agent claim / submit / daemon
  - executing payout or withdrawal
  - moving secret values
  - switching the GitHub primary
- Evidence refs:
  - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md`
  - `docs/security/github-target-owner-decision-response.snapshot.json`
  - `docs/security/source-control-primary-readiness-gate.snapshot.json`
  - `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json`
## 3. Allowed before the gate

1. Update read-only evidence.
2. Update the approval board / decision table.
3. Write the draft reconcile plan.
4. Mirror pending approvals to AwoooP.

## 4. Still forbidden before the gate

- using a write-capable credential as a read-only token
- creating GitHub repos
- changing repo visibility
- sync refs
- switch GitHub primary