{
"schema_version": "gitea_inventory_coverage_attestation_v1",
"status": "draft_waiting_owner_attestation",
"date": "2026-05-17",
"mode": "coverage_attestation_only",
"runtime_execution_authorized": false,
"source_contract": "gitea_repo_inventory_v1",
"source_request_contracts": [
"gitea_authenticated_inventory_export_request_v1",
"gitea_authenticated_inventory_import_acceptance_v1"
],
"source_indexes": [
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-public-repo-search.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/local-git-remote-inventory.snapshot.json",
"docs/security/git-remote-refs-bitan-tsenyang.snapshot.json",
"docs/security/git-remote-refs-wooo-infra-config.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json"
],
"summary": {
"owner_attestation_status": "waiting_owner_attestation",
"required_attestation_item_count": 5,
"received_attestation_count": 0,
"accepted_attestation_count": 0,
"rejected_attestation_count": 0,
"public_only_repo_count": 2,
"local_gitea_unique_repo_count": 4,
"local_gitea_gap_count": 2,
"internal_110_adjacent_source_count": 4,
"owner_scope_decision_required": true,
"token_value_collection_allowed": false,
"repo_write_allowed": false,
"refs_sync_allowed": false,
"github_primary_switch_authorized": false,
"action_buttons_allowed": false
},
"attestation_items": [
{
"item_id": "public_only_vs_local_gitea_gap",
"title": "public-only 與本機 Gitea remote 覆蓋缺口",
"why_required": "public-only API 目前只看到 2 個 repos,但本機 remote evidence 顯示至少 4 個 Gitea unique repos,GitHub primary 前必須由 owner 說明差異。",
"current_evidence_gap": "未認證公開範圍看到 `wooo/awoooi`、`wooo/ewoooc`;本機 remote 另看到 `wooo/clawbot-v5`、`wooo/wooo-aiops`。",
"requested_owner_decision": "判定 `wooo/clawbot-v5` 與 `wooo/wooo-aiops` 是否仍屬本輪 Gitea inventory / GitHub migration scope,或屬 legacy / archived / external / inaccessible。",
"acceptable_decisions": [
"in_scope",
"out_of_scope",
"legacy_archived",
"external_system",
"inaccessible_requires_followup",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/local-git-remote-inventory.snapshot.json"
],
"received_decision": null,
"accepted": false,
"execution_authorized": false
},
{
"item_id": "org_user_endpoint_identity",
"title": "Gitea `wooo` org/user endpoint 身分確認",
"why_required": "`orgs/wooo/repos` 未認證查詢 blocked / 404,不能自動解讀為不存在 private/internal repos。",
"current_evidence_gap": "目前 public-only evidence 走 user endpoint;org endpoint 仍需 owner 或管理者說明 `wooo` 是 user、org,或兩者皆需盤點。",
"requested_owner_decision": "確認 Gitea inventory 的 canonical endpoint 與需要盤點的 owner namespace。",
"acceptable_decisions": [
"in_scope",
"out_of_scope",
"inaccessible_requires_followup",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json"
],
"received_decision": null,
"accepted": false,
"execution_authorized": false
},
{
"item_id": "internal_110_adjacent_scope",
"title": "110 內部相鄰來源是否納入本輪 scope",
"why_required": "本機與 110 adjacent evidence 看到多個非 public-only Gitea list 的來源;若它們屬於產品或部署路徑,必須納入 GitHub primary 前的 owner 判定。",
"current_evidence_gap": "目前需 owner 判定 `bitan-pharmacy`、`root/momo-pro-system`、`tsenyang-website`、`wooo/wooo-infra-config` 是否屬本輪 Gitea/GitHub migration scope。",
"requested_owner_decision": "逐項標示 in_scope、out_of_scope、external_system、legacy_archived 或 inaccessible_requires_followup。",
"acceptable_decisions": [
"in_scope",
"out_of_scope",
"legacy_archived",
"external_system",
"inaccessible_requires_followup",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/git-remote-refs-bitan-tsenyang.snapshot.json",
"docs/security/git-remote-refs-wooo-infra-config.snapshot.json",
"docs/security/local-git-remote-inventory.snapshot.json"
],
"received_decision": null,
"accepted": false,
"execution_authorized": false
},
{
"item_id": "repo_owner_canonical_scope",
"title": "repo owner / canonical / GitHub target scope",
"why_required": "GitHub target、canonical repo 與 repo owner 若未確認,會讓後續 refs truth、workflow-secret parity 與 rollback ADR 無法判斷。",
"current_evidence_gap": "部分 repo 仍需確認 owner、visibility、canonical target 與 GitHub target,不得用 public API `not_found_or_private` 自動建立 repo。",
"requested_owner_decision": "針對每個 in-scope repo 指定 owner、canonical source、GitHub target candidate 與 visibility 判斷責任人。",
"acceptable_decisions": [
"in_scope",
"out_of_scope",
"external_system",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/github-target-decision.snapshot.json",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/local-repo-canonical-ewoooc-momo.snapshot.json"
],
"received_decision": null,
"accepted": false,
"execution_authorized": false
},
{
"item_id": "legacy_or_inaccessible_repo_disposition",
"title": "legacy / inaccessible repo 處置",
"why_required": "若 repo 已封存、不可讀或屬歷史來源,也必須留下明確處置,避免之後把缺口誤當成已完成 inventory。",
"current_evidence_gap": "目前沒有 owner attestation 可說明未出現在 authenticated/admin export payload 的 repo 是否應留待後續、排除、封存或另案處理。",
"requested_owner_decision": "提供每個 legacy / inaccessible / external repo 的處置:保留 evidence、另案追蹤、納入後續清冊,或明確排除並附理由。",
"acceptable_decisions": [
"out_of_scope",
"legacy_archived",
"external_system",
"inaccessible_requires_followup",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"received_decision": null,
"accepted": false,
"execution_authorized": false
}
],
"decision_values": [
{
"value": "in_scope",
"meaning": "屬本輪 Gitea inventory / GitHub migration scope,後續需補 refs truth、workflow-secret parity、rollback ADR 與人工批准。",
"allowed_effect": "可更新 read-only matrix / decision table;不可執行 repo 建立、refs sync 或 primary switch。",
"execution_authorized": false
},
{
"value": "out_of_scope",
"meaning": "不屬本輪 scope,必須留下 owner 理由與 evidence ref。",
"allowed_effect": "可在 matrix 標示 out-of-scope;不可刪除、封存或停用來源 repo。",
"execution_authorized": false
},
{
"value": "legacy_archived",
"meaning": "屬歷史或封存來源,只保留 evidence 與人工處置紀錄。",
"allowed_effect": "可建立 archive review lane;不可執行 archive/delete。",
"execution_authorized": false
},
{
"value": "external_system",
"meaning": "由外部系統或非本輪 source-control 管線管理。",
"allowed_effect": "可標示 external owner;不可在本流程自動遷移。",
"execution_authorized": false
},
{
"value": "inaccessible_requires_followup",
"meaning": "目前不可讀或缺權限,需要 owner / 管理者補脫敏 evidence。",
"allowed_effect": "可建立 request_more_evidence lane;不可假設已完成 inventory。",
"execution_authorized": false
},
{
"value": "unknown_requires_more_evidence",
"meaning": "目前 evidence 不足以判定 scope。",
"allowed_effect": "維持 blocker 與 partial status;不可進 primary readiness。",
"execution_authorized": false
}
],
"allowed_outputs": [
"更新 owner attestation snapshot 與人讀文件",
"更新 source-control migration matrix、decision table、readiness gate 與 status rollup 的 read-only 欄位",
"把缺口顯示到 AwoooP approval / review lane",
"維持 `gitea_repo_inventory_v1.status=partial`,直到 authenticated/admin export payload 通過 S4.6 且 owner attestation 被接受"
],
"forbidden_actions": [
"store_token_value",
"request_raw_token_in_chat_or_docs",
"use_write_capable_token",
"write_to_gitea",
"create_gitea_repo",
"delete_or_archive_gitea_repo",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"delete_git_refs",
"force_push",
"switch_github_primary",
"disable_gitea",
"add_action_button",
"execute_scan_or_runtime_change"
]
}