# Source Control Owner Response Validation Rollup

| Item | Content |
|------|------|
| Date | 2026-06-12 |
| Status | Draft, waiting for owner responses; S4.9 is the current first-priority intake gate |
| Data contract | `docs/schemas/source_control_owner_response_validation_rollup_v1.schema.json` |
| Snapshot | `docs/security/source-control-owner-response-validation-rollup.snapshot.json` |
| Mode | `owner_response_validation_rollup_only` |
| Execution authorization | `false` |

## 0. Core Conclusion

S4.13 adds a read-only acceptance rollup of the four owner response intake packets.

It rolls up the S4.9 Gitea owner attestation response, the S4.10 GitHub target owner decision response, the S4.11 refs truth owner response and the S4.12 workflow / secret name owner response. Its only purpose is to give AwoooP a single place to see which owner responses have not been received, which can be accepted, and which must be rejected or quarantined.

S4.13 does not add a 36th main contract, does not add an approval item, does not enable a runtime gate, does not add an action button, and does not treat any response, reviewer audit retention check, handoff packet, parallel session sync check, parallel session conflict lane or parallel session recovery check as repo creation, visibility change, refs sync, workflow modification, secret migration, runner enablement or GitHub primary approval.

## 1. Rollup Summary

| Metric | Value |
|------|----|
| response packets | 4 |
| validation lanes | 4 |
| response templates | 24 |
| responses received | 0 |
| responses accepted | 0 |
| responses rejected | 0 |
| acceptance checks | 32 |
| rejection rules | 40 |
| cross-packet checks | 10 |
| evidence routing rules | 6 |
| display sections | 8 |
| state transition rules | 7 |
| reviewer checklist | 9 |
| reviewer outcome lanes | 7 |
| reviewer audit event templates | 4 |
| reviewer audit display sections | 5 |
| reviewer audit collection checks | 6 |
| reviewer audit redaction examples | 5 |
| reviewer audit retention rules | 5 |
| reviewer audit retention checks | 6 |
| reviewer audit handoff packets | 6 |
| reviewer audit handoff checks | 6 |
| parallel session sync checks | 6 |
| parallel session conflict lanes | 6 |
| parallel session recovery checks | 6 |
| parallel session recovery outcome lanes | 7 |
| quarantine required | `true` |
| primary ready count | 0 |
| runtime execution authorized | `false` |
| action buttons allowed | `false` |

## 1.1 Latest Local Read-only Validation

| Item | Result |
|------|------|
| Date | 2026-06-12 |
| Scope | `repo_snapshot_only` |
| Command | `python3 scripts/security/source-control-owner-response-guard.py --root .` |
| Result | `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK` |
| responses received | 0 |
| responses accepted | 0 |
| runtime actions authorized | `false` |
| repo / refs actions authorized | `false` |
| workflow / secret actions authorized | `false` |

This means the read-only guard for the four owner response snapshots and the S4.13 rollup has passed. It does not mean an owner response has been received, and it does not authorize any repo, refs, workflow, secret, runner, GitHub primary or other runtime action.

## 2. The Four Acceptance Lanes

| Lane | Source | Templates | Current status |
|------|------|-----------|----------|
| S4.9 Gitea owner attestation response | `GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md` | 5 | waiting for response |
| S4.10 GitHub target owner decision response | `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` | 9 | waiting for response |
| S4.11 refs truth owner response | `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` | 5 | waiting for response |
| S4.12 workflow / secret name owner response | `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` | 5 | request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks defined, waiting for response |

## 2.1 Gap Summary Displayable by AwoooP

| Lane | Gap | Next step | Still forbidden |
|------|------|--------|--------|
| S4.9 Gitea owner attestation | 5 response templates not yet received | Owner answers the 5 Gitea coverage attestation items, citing only redacted evidence refs | No token values accepted, no writes to Gitea, no refs sync, no primary switch |
| S4.10 GitHub target decision | 9 response templates not yet received | Owner answers the owner / visibility / canonical disposition of the 9 GitHub targets per the S4.10 request packet, template status ledger, audit event templates, redaction examples, collection checks and intake preflight checks | No repo creation, no visibility change, no refs sync, no primary switch |
| S4.11 refs truth | 5 response templates not yet received | Owner answers refs truth, deprecated drift, release tags and GitHub-only refs disposition per the S4.11 request packet, template status ledger, audit event templates, redaction examples, collection checks and intake preflight checks | No fetch / push / delete of refs, no force push, no primary switch |
| S4.12 workflow / secret name | 1 request packet defined, 5 template statuses still waiting, 3 audit event templates still at 0 emitted, 5 redaction examples, 6 collection checks and 6 intake preflight checks defined, 5 response templates not yet received | Owner answers the redacted status of webhook, runner, deploy key, branch protection / CODEOWNERS and secret name parity per the request packet, audit event templates, redaction examples, collection checks and intake preflight checks | No secret values accepted, no workflow changes, no runner enablement, no primary switch |

## 2.2 Suggested Intake Order

| Order | Lane | Why this order |
|------|------|------------------|
| 1 | S4.9 Gitea owner attestation | Confirm Gitea coverage and the canonical owner first, so later GitHub target / refs decisions are not built on an incomplete inventory |
| 2 | S4.10 GitHub target decision | Then confirm GitHub target owner / visibility / canonical, so that `not_found_or_private` is not misread as permission to create a repo directly |
| 3 | S4.11 refs truth | Once GitHub target owner / visibility are clear, decide the source of truth for branches / tags, so refs sync or delete cannot be misused prematurely |
| 4 | S4.12 workflow / secret name | Finally fill in workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret name parity, so no secret or runner change precedes source truth |

This order only lets AwoooP display the next suggested intake item. It is not an approval queue, not an execution queue, and does not authorize any repo, refs, workflow, secret, runner or primary action.

## 2.3 Next Suggested Intake Item

| Field | Content |
|------|------|
| Next step | S4.9 Gitea owner attestation response |
| Reply needed | 5 Gitea coverage attestation items |
| Display mode | `display_next_collection_item_only` |
| Current received / accepted | `0 / 0` |
| Still forbidden | No token values accepted, no writes to Gitea, no refs sync, no GitHub primary switch |

`next_collection_candidate` only lets the AwoooP operations console show "collect S4.9 first". It is not an approval, not an execution schedule, and not a signal that the subsequent S4.10 / S4.11 / S4.12 can already be accepted.

When AwoooP displays S4.9 it should also read, from `gitea-inventory-owner-attestation-response.snapshot.json`, the 1 owner response request packet, 5 template statuses, 3 audit event templates, 5 redaction examples, 8 display sections, 6 collection checks, 6 intake preflight checks and 5 outcome lanes. The request packet only tells the owner what to fill in and what must not be pasted; the template statuses only show waiting / request ready per item; the audit event templates only define the redacted metadata fields for request shown / response received metadata / outcome classified and are currently at 0 emitted; the redaction examples only provide safe reply shapes; the display sections only fix the read-only UI order; the collection checks only keep the request / received / accepted states separate; preflight / outcome only classify as reviewable, needs more evidence, quarantined, rejected or waiting. None of this means an owner response has been accepted or that AwoooP production ingestion is enabled.

### 2.3.1 2026-06-12 S4.9 Current Intake Readiness

S4.9 is now ready for intake and preflight directly against the table, but no owner response has been received yet. This state should be shown on the AwoooP operations console as the next intake focus; it must not become an approval queue or an execution queue.

| Item | Current value | Must not be misread as |
|------|--------|------------|
| Intake readiness | `100%` | owner response received |
| owner response gate | `0%` | S4.9 accepted |
| request sent | `false` | formally submitted |
| received / accepted / rejected | `0 / 0 / 0` | any of these complete |
| Five open gaps | public-only/local gap, org/user endpoint, 110 adjacent scope, repo owner/canonical, legacy/inaccessible disposition | inventory complete, GitHub primary ready |
| Qualifying reply envelope | owner role / team, decision, decision reason, affected scope, redacted evidence refs, followup owner | execution authorization or security approval |
| Allowed after pass | only updating read-only coverage / matrix / readiness wording | writing to Gitea, creating repos, syncing refs, switching primary, opening a runtime gate |

## 2.4 S4.9 Minimal Reply Envelope

Before an S4.9 owner response is taken in, all six fields below must be present. If any field is missing, the only route is to request completion; the received / accepted count must not be increased.

| Field | Purpose | Security boundary |
|------|------|----------|
| owner role / team | Identifies the accountable source of the reply | No personal sensitive data required |
| decision | `confirm`, `defer`, `reject`, `request_more_evidence` | Any other decision is rejected outright |
| decision reason | Brief rationale for the decision | Must not contain raw secrets, tokens, cookies, unredacted screenshots or private URL credentials |
| affected scope | Affected repos, Gitea coverage, canonical owner or legacy disposition | Must not carry a repo write, refs sync or visibility change |
| redacted evidence refs | Document path, ticket id, hash, summary or redacted evidence ref | Suspected sensitive payloads go to quarantine |
| followup owner | Role responsible for completion or subsequent manual decisions | Not the approver and not the runtime gate owner |

Even when an S4.9 reply passes, it only allows updating the read-only Gitea coverage matrix, owner / canonical disposition and readiness wording; it must not write to Gitea, sync refs, create a GitHub repo or switch GitHub primary, and it must not enable any AwoooP action button.

## 3. Cross-Packet Acceptance Rules

1. All four source response packets must be parseable and have a summary field.
2. The response template count must match the sources: `5 + 9 + 5 + 5 = 24`.
3. The received / accepted / rejected counts must be listed explicitly; currently all are `0 / 0 / 0`.
4. Even if a response passes in the future, only read-only wording, matrix or readiness fields may be updated.
5. All four packets must keep their rejection rules; 40 in total.
6. No tokens, secrets, private keys, cookies, sessions, partial credentials or unredacted payloads are accepted.
7. No write tokens, admin APIs, repo writes, workflow modifications, runner enablement or secret rotation may be carried.
8. A response must not be treated as refs sync, delete refs, force push or GitHub primary approval.
9. Any response whose sensitivity is uncertain is quarantined first.
10. After a response is accepted, the source packet, validation rollup, security mirror rollup, primary readiness gate and LOGBOOK must be updated together.

## 3.1 Evidence Routing Rules

| Order | Rule | Read-only route | Misuse forbidden |
|------|------|----------|----------|
| 1 | Known owner response lane | Only a known S4.9 / S4.10 / S4.11 / S4.12 lane and template may enter the corresponding source packet preflight | An unrecognized lane must not auto-add a template or be marked received |
| 2 | Required fields complete | When owner, decision, reason, repo/provider metadata or evidence refs are missing, only request more evidence | Do not increase the received / accepted count |
| 3 | Sensitive payload isolation | A suspected token, secret, private key, cookie, session, runner token, webhook secret, deploy key material, authorization header, private URL credential or unredacted screenshot goes to mirror quarantine | Do not store the raw payload, do not render sensitive material |
| 4 | Execution request rejected | Hard reject when the response carries a repo, visibility, refs, workflow, webhook, runner, secret, Kali scan or GitHub primary execution request | Do not create a runtime gate, do not add an action button |
| 5 | Cross-packet conflict to owner review | When owner, repo, visibility, truth source or secret names conflict across the four packets, only manual review | Do not auto-overwrite source packets |
| 6 | Read-only wording only after pass | After all source preflight, acceptance, cross-packet checks and quarantine rules pass, only read-only readiness / matrix wording may be updated | Do not unlock repo, refs, workflow, secret, runner or primary actions |

These 6 rules only let AwoooP decide whether an evidence pointer should be displayed, completed, quarantined, rejected or sent to manual review; they do not mean an owner response has been received or accepted, is executable, or can switch GitHub primary.

## 3.2 Display Sections

| Order | Section | Display source | Boundary |
|------|---------|----------|------|
| 1 | Owner response validation overview | `summary` | Shows only the four packets, 24 templates, received / accepted / rejected all 0 and the false flags |
| 2 | Missing owner response lanes | `missing_response_lanes` | Shows only the four gaps and the next owner action; adds no response |
| 3 | Owner response collection order | `owner_response_collection_order` | Shows only the suggested intake order; not an execution queue |
| 4 | Next collection candidate | `next_collection_candidate` | Shows only that S4.9 is collected first; does not mean S4.10-S4.12 can be accepted early |
| 5 | Cross-packet acceptance checks | `cross_packet_acceptance_checks` | Read-only acceptance checks; do not unlock runtime |
| 6 | Evidence routing rules | `owner_response_evidence_routing_rules` | Only routes to more evidence, quarantine, rejection, cross-packet review or read-only update |
| 7 | Quarantine and prohibitions | `quarantine_rules` / `forbidden_actions` | Shows only the sensitive payload, write/admin/action button and primary prohibitions |
| 8 | Latest local read-only validation | `latest_local_validation` | Shows only the snapshot guard result; not production ingestion |

These 8 sections only fix the presentation order of the AwoooP operations console; they add no approval item, create no runtime gate, add no action button, and do not increase the received / accepted count.

## 3.3 State Transition Rules

| Order | Rule | State transition | Boundary |
|------|------|----------|------|
| 1 | Waiting → received pending validation | Only when the lane / template is known, required fields are complete and evidence refs are redacted may an intake candidate be displayed | Does not increase the accepted count, does not create a runtime gate |
| 2 | Missing fields → request more evidence | When owner, decision, reason, metadata or evidence refs are missing, only request completion | Does not increase the received / accepted count, does not unlock primary readiness |
| 3 | Sensitive payload → mirror quarantine | Isolate on a suspected token, secret, private key, cookie, session, runner token, webhook secret, deploy key material, authorization header, private URL credential or unredacted screenshot | Do not store the raw payload, do not render sensitive material |
| 4 | Execution request → hard rejected | Reject when the response carries a repo, visibility, refs, workflow, webhook, runner, secret, Kali scan, GitHub hosted runner or GitHub primary execution request | No action button created, not queued for execution |
| 5 | Cross-packet conflict → owner review | When S4.9-S4.12 owner, repo, visibility, truth source or secret names contradict each other, go to manual review | No auto-overwrite of source packets, no auto merge |
| 6 | Validation pass → read-only update | Only update wording when source packet preflight, acceptance, cross-packet checks and quarantine rules all pass | No repo creation, no refs sync, no workflow/secret change, no runner/primary enablement |
| 7 | Read-only update → waiting runtime gate | After read-only wording is done, still wait for independent manual approval and a runtime gate | Document updates are not runtime approval; no GitHub hosted runner minutes consumed |

These 7 state transition rules only give AwoooP the state semantics to display for owner response validation; they do not mean a response has been accepted, an approval has formed, a runtime gate is enabled, or any repo / refs / workflow / secret / runner / primary action can be executed.

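The following read-only classifier applies the S4.9 minimal envelope rule (section 2.4), the quarantine-first cross-packet rule 9, the evidence routing rules (3.1) and the state transitions above to one constructed owner response and maps it to an outcome lane. It is an added example, not the repository's `source-control-owner-response-guard.py`; the envelope key names, outcome ids, sample values and credential-shaped regexes are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

KNOWN_LANES = {"S4.9", "S4.10", "S4.11", "S4.12"}
# The six S4.9 envelope fields (section 2.4); key names are this example's assumption.
REQUIRED_FIELDS = (
    "owner_role", "decision", "decision_reason",
    "affected_scope", "redacted_evidence_refs", "followup_owner",
)
ALLOWED_DECISIONS = {"confirm", "defer", "reject", "request_more_evidence"}

# Outcome lane ids following section 3.5 (constructed identifiers).
REQUEST_MORE_EVIDENCE = "request_more_evidence"
MIRROR_QUARANTINE = "mirror_quarantine"
HARD_REJECT = "hard_reject"
READ_ONLY_UPDATE_CANDIDATE = "read_only_update_candidate"

# Heuristic shapes of material the rollup forbids in a response. These regexes
# are assumptions of this example, not the project's rules; any hit sends the
# whole envelope to mirror quarantine and the matched text is never retained.
SENSITIVE_PATTERNS = (
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?i)\bauthorization\s*:\s*(bearer|basic)\s+\S+"),
    re.compile(r"(?i)\b(token|secret|password|cookie|session)\s*[=:]\s*\S{8,}"),
    re.compile(r"https?://[^\s/@:]+:[^\s/@]+@"),   # credential embedded in a URL
    re.compile(r"(?i)\.(png|jpe?g|gif)\b"),          # screenshot instead of a redacted ref
)
# A request to mutate source control is hard-rejected, never queued (routing rule 4).
EXECUTION_REQUEST = re.compile(
    r"(?i)\b(create (the )?repo|change visibility|sync refs|delete refs|"
    r"force.?push|modify workflow|enable (the )?runner|rotate secret|switch primary)\b"
)
# Only these evidence-ref shapes are accepted: docs path, ticket id, hex hash, summary.
ACCEPTED_REF = re.compile(
    r"^(docs/[\w./-]+\.(md|json)|[A-Z]{2,10}-\d+|[0-9a-f]{7,64}|summary: .+)$"
)


@dataclass
class Classification:
    outcome: str
    reasons: list = field(default_factory=list)
    # Classification reports counters but never increments them (routing rule 2).
    received: int = 0
    accepted: int = 0


def _all_text(envelope: dict) -> str:
    """Flatten every value (list items included) so the scan covers each field."""
    parts = []
    for value in envelope.values():
        if isinstance(value, list):
            parts.extend(str(v) for v in value)
        else:
            parts.append(str(value))
    return "\n".join(parts)


def classify(lane: str, envelope: dict) -> Classification:
    """Route one envelope to an outcome lane.

    Order: quarantine anything of uncertain sensitivity first (cross-packet
    rule 9), hard-reject execution requests, then the completeness checks of
    routing rules 1 and 2 and the field rules of section 2.4."""
    text = _all_text(envelope)
    if any(p.search(text) for p in SENSITIVE_PATTERNS):
        return Classification(MIRROR_QUARANTINE, ["possible credential or raw payload"])
    if EXECUTION_REQUEST.search(text):
        return Classification(HARD_REJECT, ["execution request embedded in response"])
    if lane not in KNOWN_LANES:
        return Classification(REQUEST_MORE_EVIDENCE, [f"unknown lane {lane!r}"])
    missing = [f for f in REQUIRED_FIELDS if not envelope.get(f)]
    if missing:
        return Classification(REQUEST_MORE_EVIDENCE, [f"missing {f}" for f in missing])
    if envelope["decision"] not in ALLOWED_DECISIONS:
        return Classification(HARD_REJECT, [f"decision {envelope['decision']!r} not allowed"])
    if any(not ACCEPTED_REF.match(r) for r in envelope["redacted_evidence_refs"]):
        return Classification(MIRROR_QUARANTINE, ["evidence ref is not a path, ticket, hash or summary"])
    # Everything passed: still only a candidate for a read-only wording update,
    # not an accepted response and not a runtime authorization.
    return Classification(READ_ONLY_UPDATE_CANDIDATE, ["all envelope checks passed"])


# Constructed sample S4.9 envelope (not a real owner reply; path and ticket id invented).
SAMPLE_ENVELOPE = {
    "owner_role": "platform team, Gitea admin role",
    "decision": "confirm",
    "decision_reason": "public-only export matches the local inventory after recount",
    "affected_scope": "Gitea org repos; canonical owner unchanged",
    "redacted_evidence_refs": ["docs/security/gitea-inventory-notes.md", "SEC-142", "3f9a1c2d7b"],
    "followup_owner": "security supply chain reviewer",
}

if __name__ == "__main__":
    result = classify("S4.9", SAMPLE_ENVELOPE)
    print(result.outcome, result.reasons, f"received={result.received} accepted={result.accepted}")
```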

## 3.4 Reviewer Checklist

| Order | Checklist | Reviewer read-only confirmation | Failure route |
|------|-----------|-------------------|----------|
| 1 | Lane and template known | The evidence pointer belongs to an existing S4.9-S4.12 lane / template | request more evidence |
| 2 | Required owner fields complete | owner, decision, reason, repo/provider metadata and evidence refs are all present | request more evidence |
| 3 | Evidence refs redacted | Only document paths, ticket ids, hashes or summaries are accepted; no raw payload | mirror quarantine |
| 4 | Source packet preflight passed | The corresponding S4.9-S4.12 intake preflight checks have a result | source packet preflight failure route |
| 5 | Cross-packet consistent | No conflict in owner, repo, visibility, truth source or workflow / secret name parity | cross-packet owner review |
| 6 | No sensitive payload | No token, secret, private key, cookie, session, runner token, webhook secret, deploy key material, authorization header or partial credential | mirror quarantine |
| 7 | No execution intent | No repo, refs, workflow, webhook, runner, secret, Kali scan, GitHub hosted runner or primary switch request | hard reject |
| 8 | Read-only wording only | After passing, only evidence, matrix, decision table, reconcile wording or readiness wording is updated | block candidate |
| 9 | Follow-up runtime gate still needs independent approval | active runtime gate, primary ready and action buttons all remain 0 / false | block candidate |

These 9 checklist items only give reviewers a check order; they do not increase the received / accepted count, do not form an approval, and do not create a runtime gate, execution queue or action button.

## 3.5 Reviewer Outcome Lanes

| Order | Outcome lane | Reviewer determination | Safe result |
|------|--------------|---------------|----------|
| 1 | Keep waiting for owner response | Only a request packet, template status, audit template, redaction example or display section is seen | keep waiting |
| 2 | Request more evidence | owner, decision, reason, metadata, evidence refs or the source packet preflight result is missing | request more evidence |
| 3 | Sensitive payload quarantine | Suspected token, secret, private key, cookie, session, runner token, webhook secret, deploy key material, authorization header, private URL credential, partial credential or unredacted screenshot | mirror quarantine |
| 4 | Reject execution request | Carries a repo, refs, workflow, webhook, runner, secret, Kali scan, GitHub hosted runner or primary switch request | hard reject |
| 5 | Cross-packet owner review | S4.9-S4.12 owner, repo, visibility, truth source or workflow / secret name parity contradict each other | cross-packet owner review |
| 6 | Read-only update candidate | preflight, acceptance, cross-packet checks, reviewer checklist and quarantine rules all pass | read-only update candidate |
| 7 | Still waiting for follow-up runtime gate | Read-only wording can be updated, but active runtime gate, primary ready and action buttons remain 0 / false | waiting follow-up runtime gate |

These 7 outcome lanes only let the reviewer place check results into displayable read-only categories; they do not automatically increase the received / accepted count, do not trigger an approval, and do not create an execution entry point for repo, refs, workflow, secret, runner, Kali or primary.

## 3.6 Reviewer Audit Event Templates

| Order | Audit template | Trigger semantics | Boundary |
|------|----------------|----------|------|
| 1 | reviewer outcome review opened | The reviewer starts checking an evidence pointer against the checklist / outcome lanes | Only reviewer, lane, template, source packet and redacted evidence ref metadata allowed |
| 2 | reviewer outcome classified | The reviewer classifies the result into one of the 7 outcome lanes | Only outcome, reason summary, checklist pass/fail count and redacted refs allowed |
| 3 | quarantine or reject recorded | The reviewer decides mirror quarantine or hard reject | Only blocked reason, quarantine pointer and blocked action summary allowed |
| 4 | read-only update noted | The reviewer decides read-only update candidate or waiting for runtime gate | Only read-only targets, runtime gate required and 0 / false states allowed |

These 4 audit event templates are all currently `template_only_not_emitted` with `emitted_event_count=0`; they only define how AwoooP could retain redacted audit metadata in the future. They do not mean production ingestion is enabled, and they must not store raw owner responses, tokens, secrets, private keys, cookies, sessions, authorization headers, private URL credentials, partial credentials or unredacted screenshots.

## 3.7 Reviewer Audit Display Sections

| Order | Display section | Content shown | Boundary |
|------|-----------------|----------|------|
| 1 | reviewer audit template summary | 4 reviewer audit templates, `template_only_not_emitted`, `emitted_event_count=0` | Shows template status only; not production ingestion |
| 2 | reviewer audit metadata fields | Field names such as reviewer role, lane, template, source packet, classification reason, checklist count and redacted evidence refs | Shows field names only, not raw owner responses |
| 3 | reviewer audit forbidden payloads | The forbidden list: token, secret, private key, deploy key, cookie, session, authorization header, private URL credential, partial credential, runner token, webhook secret, raw body, unredacted screenshots and execution payloads | May only list forbidden items; stores no payload |
| 4 | reviewer audit emission status | All reviewer audit templates still at 0 emitted, `stored_raw_payload_allowed=false` | Must not be read as production audit being in place |
| 5 | reviewer audit non-authorization boundary | States that these sections only fix UI presentation | Does not mean owner response received / accepted, approval, runtime gate, execution queue, action button or primary switch |

These 5 display sections only let the AwoooP operations console safely show the status, allowed metadata, forbidden payloads and non-authorization boundary of the reviewer audit templates; they add no audit ingestion pipeline, and no section triggers a repo, refs, workflow, secret, runner, Kali or GitHub primary action.

## 3.8 Reviewer Audit Collection Checks

| Order | Collection check | Requirement | Safe result |
|------|------------------|------|----------|
| 1 | audit templates visible first | Show the 4 audit templates and 5 audit display sections first | waiting; does not mean emitted |
| 2 | metadata-only | Only field names, redacted evidence refs and count-type values allowed | metadata-only pass / waiting |
| 3 | forbidden payload blocked | token, secret, private key, cookie, session, raw body, unredacted screenshots and execution payloads must be quarantined or rejected | blocked / quarantined |
| 4 | emitted stays 0 | Until production ingestion is separately approved, `emitted_event_count=0` and `stored_raw_payload_allowed=false` | template only |
| 5 | no runtime side effect | No runtime gate, execution queue, action button, scan request, repo action or workflow / secret change is created | read-only check |
| 6 | counters unchanged | No increase in received / accepted response, reviewer audit emitted, primary ready or active runtime gate count | waiting owner response |

These 6 collection checks only let AwoooP verify on screen that the reviewer audit still satisfies metadata-only, 0 emitted, no side effect and unchanged counters; passing them does not mean an owner response has been received or accepted, does not mean production ingestion, and does not authorize a runtime gate, Kali scan, repo / refs / workflow / secret / runner change or GitHub primary switch.

## 3.9 Reviewer Audit Redaction Examples

| Order | Redaction example | Safe display shape | Forbidden content |
|------|-------------------|--------------|----------|
| 1 | reviewer role / lane / template metadata | reviewer role, lane, template, source packet, start time and redacted evidence ref count | raw owner response, unredacted screenshot, private URL credential |
| 2 | classification reason summary | outcome lane, reason summary, checklist pass/fail count, redacted evidence refs | token, secret, partial credential, runner token, webhook secret |
| 3 | quarantine pointer | blocked reason, quarantine pointer, blocked action summary | raw request / response body, credential value, private key, execution payload |
| 4 | read-only update targets | read-only target ids, follow-up runtime gate required, 0 / false counters | execution command, repo write token, refs update payload, workflow secret value |
| 5 | runtime gate counter summary | received=0, accepted=0, reviewer audit emitted=0, primary ready=0, active runtime gate=0, not authorization | runtime approval, execution queue, action button, scan request, primary switch payload |

These 5 redaction examples only demonstrate the safe display shape of reviewer audit metadata; they are not owner responses, not production ingestion, do not increase counters, and do not allow AwoooP to store any token, secret, private key, cookie, session, raw body, unredacted screenshot or execution payload.

## 3.10 Reviewer Audit Retention Rules

| Order | Retention rule | Metadata that may be retained | Must be blocked |
|------|----------------|-----------------|----------|
| 1 | reviewer start metadata | reviewer role, lane, template, source packet, start time and redacted evidence ref count | raw owner response, unredacted screenshot, private URL credential, authorization header, cookie / session |
| 2 | classification summary | outcome lane, reason summary, checklist pass/fail count, redacted evidence refs and review time | token, secret, secret hash, partial credential, runner token, webhook secret |
| 3 | quarantine pointer | outcome lane, blocked reason code, redaction required, quarantine pointer, blocked action summary | raw request / response body, credential value, private key, execution payload |
| 4 | read-only update target | outcome lane, read-only target ids, follow-up runtime gate required, 0 / false counters | execution command, repo write token, refs update payload, workflow secret value, primary switch payload |
| 5 | counter snapshot | received=0, accepted=0, reviewer audit emitted=0, primary ready=0, active runtime gate=0, not authorization | runtime approval, execution queue, action button, scan request, primary switch payload |

These 5 retention rules only define the safe shape of reviewer audit metadata that may be retained. Even when an owner response enters manual review in the future, only redacted metadata, reason codes, pointers and counters may be kept; raw payloads, credentials, secrets, private keys, screenshot contents, execution commands or any executable payload must not be stored.

## 3.11 Reviewer Audit Retention Checks

| Order | Retention check | Requirement | Safe result |
|------|-----------------|------|----------|
| 1 | retention rules visible first | Show the 5 retention rules first | waiting; does not mean ingestion ready |
| 2 | retained metadata-only | Only confirm retained metadata shape, reason code, pointer, counter and redacted evidence refs | metadata-only retention check |
| 3 | raw payload blocked | raw request / response body, unredacted screenshots, execution payload, private key and credential value must be rejected or quarantined | raw payload retention blocked |
| 4 | secret retention blocked | token, secret, secret hash, partial credential, runner token, webhook secret, authorization header and cookie / session must not be retained | secret retention blocked |
| 5 | counter snapshot only | Passing retention checks must not increase received, accepted, reviewer audit emitted, primary ready or active runtime gate count | counter snapshot only |
| 6 | no runtime side effect | No runtime gate, execution queue, action button, scan request, repo action or workflow / secret change is created | read-only retention check |

These 6 retention checks only let AwoooP confirm the retention rules are applied safely; passing them does not mean an owner response has been received or accepted, does not mean audit production ingestion, and does not allow any runtime gate, Kali scan, repo / refs / workflow / secret / runner change or GitHub primary switch.

## 3.12 Reviewer Audit Handoff Packets

| Order | Handoff packet | Handoff content | Safe result |
|------|----------------|----------|----------|
| 1 | current counters and boundary | Shows received=0, accepted=0, reviewer audit emitted=0, primary ready=0, active runtime gate=0 and headline 58% | read-only resume pointer |
| 2 | required source packets | The successor must read the S4.9 / S4.10 / S4.11 / S4.12 owner response snapshots, the S4.13 validation rollup and the security mirror status rollup | source packet preflight not skipped |
| 3 | safe display fields | Only lane id, template id, count, status, redacted evidence refs, reason code, pointer and metadata shape are shown | no raw response or unredacted screenshot shown |
| 4 | forbidden runtime interpretations | Explicitly forbids turning the handoff into a repo, refs, workflow, secret, runner, Kali scan, GitHub hosted runner or primary switch action | no action button or execution queue added |
| 5 | next owner response focus | The next suggested intake is still the S4.9 Gitea owner attestation response | no automatic chasing, filling in, or marking as received or accepted |
| 6 | post-review follow-up gates | Even after a future response passes, redacted payload acceptance, rollback ADR owner approval, per-repo manual approval and an independent runtime gate are still required | handoff complete is not primary ready, payload ingested or runtime approved |

These 6 handoff packets only let AwoooP / another Security Supply Chain Session take over the reviewer audit state with the same context; they are not an owner response, not production ingestion, not an approval, and must not trigger any repo, refs, workflow, secret, runner, Kali or GitHub primary action.

## 3.13 Reviewer Audit Handoff Checks

| Order | Handoff check | Requirement | Safe result |
|------|---------------|------|----------|
| 1 | handoff packets visible | Handoff check status is shown only after all 6 handoff packets are visible | waiting; does not mean consumed |
| 2 | counters remain zero | Passing handoff checks must not increase received, accepted, reviewer audit emitted, primary ready or active runtime gate count | counter snapshot only |
| 3 | source packets required | The successor must first read the four S4.9 / S4.10 / S4.11 / S4.12 source packets and the S4.13 rollup | source packet preflight not skipped |
| 4 | safe display only | Only lane id, template id, count, status, redacted evidence refs, reason code, pointer and metadata shape are shown | no raw response or sensitive fields rendered |
| 5 | runtime interpretations blocked | No runtime gate, execution queue, action button, scan request, repo / refs action, workflow / secret change, runner enablement or primary switch is added | runtime misreading blocked |
| 6 | next focus not received | Only next_collection_candidate=S4.9 is shown; no automatic chasing, filling in, marking received / accepted or creating a follow-up runtime gate | next focus display only |

These 6 handoff checks only confirm the handoff packets are consumed safely; passing them does not mean an owner response has been received or accepted, does not mean audit production ingestion, and does not allow any runtime gate, Kali scan, repo / refs / workflow / secret / runner change or GitHub primary switch.

## 3.14 Parallel Session Sync Checks

| Order | Sync check | Requirement | Safe result |
|------|------------|------|----------|
| 1 | same PR branch | The AwoooP mainline and the other Security Supply Chain Session first confirm the same PR #117 branch, with no local/remote divergence | same branch read-only sync |
| 2 | latest delta visible | The latest progress delta must be shown before takeover, to avoid reading a stale handoff or ledger | latest delta display only |
| 3 | owner response counters zero | Passing sync checks must not increase received, accepted, reviewer audit emitted, primary ready or active runtime gate count | counter snapshot only |
| 4 | runtime flags false | runtime execution, repo creation, refs sync, workflow modification, GitHub primary switch and action buttons must all stay false | runtime flags false |
| 5 | source-control mutations blocked | Only docs/schema/snapshot/guard read-only updates are allowed; no repo creation, visibility change, refs sync/delete, force push, workflow/secret/runner change, primary switch or Gitea disable | source-control mutation blocked |
| 6 | next focus stays S4.9 | next_collection_candidate still shows only the S4.9 Gitea owner attestation response | S4.9 display only |

These 6 parallel session sync checks exist so that the AwoooP mainline and the other Security Supply Chain Session do not read different stages on the same PR branch or misjudge each other's authorization. They only confirm branch, ledger, counters, false flags, the source-control mutation prohibition and the next focus; they do not mean owner response received / accepted, production ingestion, approval, runtime gate, repo / refs / workflow / secret / runner change, Kali scan or GitHub primary switch.

## 3.15 Parallel Session Conflict Lanes

| Order | Conflict lane | Conflict condition | Safe result |
|------|---------------|----------|----------|
| 1 | stale or diverged branch | Local HEAD and the PR #117 remote branch are not 0/0 in sync, or are not the same branch | Stop and re-read the branch; no auto merge, no force push |
| 2 | stale progress delta | latest delta, ledger length or LOGBOOK latest entry are inconsistent | Re-read rollup / LOGBOOK / handoff / guard output |
| 3 | owner response counter drift | Counters are non-zero without a source packet and manual acceptance record | Pause as counter drift; compare evidence manually |
| 4 | runtime flag drift | Any runtime/source-control false flag has become true | Mark as flag drift, manual review, no action button created |
| 5 | source-control mutation request | Someone asks to turn the sync result into a repo, refs, workflow, runner, Gitea or primary action | The mirror phase rejects the mutation request |
| 6 | next focus drift | next_collection_candidate is not S4.9, or a later lane is treated as accepted early | Return to the S4.9 display-only intake order |

These 6 conflict lanes only fix the display semantics of "stop, re-read, manual review" when the two sessions disagree on branch, ledger, counters, false flags, source-control mutation or next focus; they do not authorize merge, rebase, force push, repo / refs / workflow / secret / runner change, Kali scan, GitHub primary switch or any runtime action.

## 3.16 Parallel Session Recovery Checks

| Order | Recovery check | Check requirement | Safe result |
|------|----------------|----------|----------|
| 1 | fetch and compare branch | After hitting a conflict lane, first confirm local HEAD and the remote PR branch are 0/0 | branch compare read-only |
| 2 | read latest ledger and LOGBOOK | Re-read latest delta, ledger length, LOGBOOK latest entry and handoff summary | latest ledger read-only |
| 3 | rerun read-only guards | Re-run the owner response guard and the mirror progress guard | guard pass display-only |
| 4 | review staged diff only | The staged / unstaged diff may only contain docs/schema/snapshot/guard updates | diff review read-only |
| 5 | keep runtime flags false | runtime, repo, refs, workflow, primary and action button flags remain false | runtime flags false |
| 6 | record next focus remains S4.9 | After recovery, next_collection_candidate still shows only S4.9 | S4.9 display only |

These 6 recovery checks only fix the read-only recovery order after a conflict lane is hit: re-fetch remote, re-read ledger, re-run guards, review diff, confirm false flags, return to S4.9. They do not authorize rebase, merge, force push, overwriting the other session's changes, repo / refs / workflow / secret / runner change, Kali scan, GitHub primary switch or any runtime action.

## 3.17 Parallel Session Recovery Outcome Lanes

| Order | Outcome lane | Condition | Safe result |
|------|--------------|------|----------|
| 1 | recovery ready for read-only continuation | branch 0/0, ledger re-read, guards passed, diff within scope, false flags still false, next focus is S4.9 | May only continue the mirror-only documentation phase from the latest HEAD |
| 2 | branch still diverged | After fetch, local and remote still diverge or are not the same PR branch | Stop for manual branch review |
| 3 | ledger or handoff still stale | latest delta, ledger length, LOGBOOK or handoff inconsistent | Only re-read the sources; do not continue from stale context |
| 4 | read-only guard failed | owner response guard, progress guard, JSON or targeted jq failed | Only fix snapshot / schema / guard consistency |
| 5 | diff out of mirror-only scope | The diff contains runtime, workflow, secret, runner, refs, deploy, Kali, primary or Gitea disable changes | Flag for manual review; do not stage/commit/drop |
| 6 | runtime flag drift | Any runtime / source-control false flag has become true | Block the runtime interpretation and re-check the flag |
| 7 | next focus drift | next_collection_candidate is not S4.9, or a later packet is treated as received / accepted early | Return to the S4.9 display-only focus |

These 7 recovery outcome lanes only fix the result classification after the recovery checks, so AwoooP can read "can continue read-only, still needs manual branch review, ledger still stale, guard failed, diff out of scope, flag drift, focus drift"; they do not authorize rebase, merge, force push, runtime queue, action button, repo / refs / workflow / secret / runner change, Kali scan, GitHub primary switch or Gitea disable.

## 4. What AwoooP May Do

1. Show the overview and gaps of the four response packets.
2. Show the 24 response templates, 32 acceptance checks and 40 rejection rules.
3. Show that received / accepted / rejected responses are currently all 0.
4. Route incomplete or suspicious responses into mirror quarantine.
5. Show the 6 evidence routing rules, so reviewers know whether an evidence pointer needs completion, quarantine, rejection, cross-packet review or a read-only update.
6. Show the 8 validation display sections, fixing the read-only blocks for overview, gaps, intake order, next intake, cross-packet checks, routing, quarantine and local validation.
7. Show the 7 state transition rules, fixing the read-only semantics of waiting, pending validation, more evidence, quarantine, rejection, owner review, read-only update and waiting runtime gate.
8. Show the 9 reviewer checklist items, so manual review first confirms lane, required fields, redaction, preflight, cross-packet consistency, no sensitive payload, no execution intent and the follow-up runtime gate boundary.
9. Show the 7 reviewer outcome lanes, so reviewers can classify results as waiting, more evidence, quarantine, rejection, cross-packet review, read-only update candidate or waiting for a follow-up runtime gate.
10. Show the 4 reviewer audit event templates, so that only redacted metadata is recorded in the future, with `emitted_event_count=0` currently.
11. Show the 5 reviewer audit display sections, fixing the UI presentation of audit templates, allowed metadata, forbidden payloads, 0 emitted status and the non-authorization boundary.
12. Show the 6 reviewer audit collection checks, confirming audit templates visible, metadata-only, forbidden payload blocked, emitted=0, no runtime side effect and counters unchanged.
13. Show the 5 reviewer audit redaction examples, demonstrating the safe shape of reviewer / classification / quarantine / read-only update / runtime gate counter metadata.
14. Show the 5 reviewer audit retention rules, fixing the retainable metadata and the raw payload rejection boundary.
15. Show the 6 reviewer audit retention checks, confirming retention rules visible, metadata-only, raw payload / secret retention blocked, counter snapshot-only and no runtime side effect.
16. Show the 6 reviewer audit handoff packets, letting another AwoooP / Security Supply Chain Session take over, read-only, the current counters, required source packets, safe display fields, forbidden runtime interpretations, next owner response focus and follow-up gates.
17. Show the 6 reviewer audit handoff checks, confirming handoff packets visible, counters unchanged, source packets required, safe display fields, runtime misreading blocked and next focus not marked received.
18. Show the 6 parallel session sync checks, confirming that the other session has synced the same PR branch, latest delta, 0 counters, false flags, the source-control mutation prohibition and the S4.9 next focus before taking over.
19. Show the 6 parallel session conflict lanes, so that conflicts in branch, delta, counters, runtime flags, source-control mutation requests or next focus only lead to stop, re-read and manual review.
20. Show the 6 parallel session recovery checks, so that after a conflict lane is hit only fetch/compare, ledger re-read, read-only guard re-run, diff review, false flag confirmation and the S4.9 next focus are done.
21. Show the 7 parallel session recovery outcome lanes, so that after recovery only ready, branch diverged, ledger stale, guard failed, diff out-of-scope, runtime flag drift or next focus drift is classified.
22. After a future response passes, update only read-only evidence, matrix, decision table, reconcile wording or readiness wording.

## 5. What AwoooP Must Not Do

1. Do not ask users to paste tokens, secrets, private keys, cookies, sessions, deploy keys, runner tokens or webhook secrets.
2. Do not use write tokens.
3. Do not create GitHub repos, change visibility, or write to Gitea repos.
4. Do not sync refs, delete refs or force push.
5. Do not modify workflows, webhooks, runners, deploy keys, branch protection, CODEOWNERS or repository secrets.
6. Do not enable GitHub hosted runners; this phase must not consume GitHub Actions hosted minutes.
7. Do not switch GitHub primary.
8. Do not add execution action buttons.

## 6. Phase Positioning

S4.13 is the consolidated acceptance entry point for S4.9 through S4.12.

It lets another AwoooP session understand from one rollup which owner responses are still missing, without changing any runtime state. Before actually moving into GitHub primary, refs migration, workflow/secret parity completion or Kali runtime ingestion, the owner responses, redacted payload, rollback ADR, manual approval and follow-up runtime gate must all be in place.