{
|
||
"schema_version": "source_control_workflow_secret_name_owner_response_v1",
|
||
"status": "draft_waiting_owner_response",
|
||
"date": "2026-06-11",
|
||
"mode": "owner_workflow_secret_name_response_intake_only",
|
||
"runtime_execution_authorized": false,
|
||
"source_contract": "source_control_workflow_secret_name_inventory_v1",
|
||
"target_contract": "source_control_workflow_secret_name_export_request_v1",
|
||
"source_indexes": [
|
||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
|
||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
|
||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md",
|
||
"docs/security/source-control-primary-readiness-gate.snapshot.json",
|
||
"docs/security/security-approval-review-packet.snapshot.json",
|
||
"docs/security/security-followup-runtime-gate.snapshot.json"
|
||
],
|
||
"summary": {
|
||
"owner_response_status": "waiting_owner_response",
|
||
"candidate_repo_count": 10,
|
||
"in_scope_repo_count": 9,
|
||
"export_request_count": 9,
|
||
"export_lane_count": 5,
|
||
"local_evidence_repo_count": 5,
|
||
"local_workflow_file_count": 33,
|
||
"local_referenced_secret_name_count": 42,
|
||
"owner_response_request_packet_count": 1,
|
||
"owner_response_template_status_count": 5,
|
||
"owner_response_audit_event_template_count": 3,
|
||
"owner_response_redaction_example_count": 5,
|
||
"response_template_count": 5,
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"acceptance_check_count": 8,
|
||
"rejection_rule_count": 10,
|
||
"secret_value_collection_allowed": false,
|
||
"write_token_allowed": false,
|
||
"workflow_modification_authorized": false,
|
||
"webhook_modification_authorized": false,
|
||
"runner_change_authorized": false,
|
||
"deploy_key_change_authorized": false,
|
||
"branch_protection_change_authorized": false,
|
||
"repo_secret_change_authorized": false,
|
||
"github_hosted_runner_enable_authorized": false,
|
||
"refs_sync_authorized": false,
|
||
"github_primary_switch_authorized": false,
|
||
"action_buttons_allowed": false,
|
||
"owner_response_collection_check_count": 6,
|
||
"intake_preflight_check_count": 6,
|
||
"workflow_secret_owner_handoff_package_ready": true,
|
||
"workflow_secret_owner_handoff_completion_percent": 100,
|
||
"workflow_secret_owner_handoff_check_count": 6,
|
||
"workflow_secret_owner_handoff_packet_field_count": 9,
|
||
"workflow_secret_owner_request_dispatch_authorized": false,
|
||
"secret_name_parity_complete": false,
|
||
"secret_value_or_hash_collection_allowed": false,
|
||
"workflow_secret_owner_response_handoff_not_approval": true
|
||
},
|
||
"workflow_secret_owner_handoff_preflight_checks": [
|
||
{
|
||
"check_id": "p1-4-baseline-sync",
|
||
"display_order": 1,
|
||
"check": "送件前確認 gitea/main、local evidence、S4.9-S4.12 source packets 最新狀態。",
|
||
"current_status": "defined_not_dispatched",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "p1-4-local-evidence-freshness",
|
||
"display_order": 2,
|
||
"check": "以 2026-06-04 local evidence 的 31 個 workflow files、42 個 unique secret names、5 個 runner labels 為基準;注意本 snapshot 的 summary 與 handoff packet 記 local_workflow_file_count=33,與此處 31 不一致,送件前必須先對齊 local evidence snapshot 的 workflow file count,不得以不一致的基準送件。",
|
||
"current_status": "defined_not_dispatched",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "p1-4-five-response-lanes",
|
||
"display_order": 3,
|
||
"check": "webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 逐項追蹤。",
|
||
"current_status": "defined_not_dispatched",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "p1-4-metadata-only",
|
||
"display_order": 4,
|
||
"check": "只收 redacted host、runner label、key name、ruleset / CODEOWNERS metadata、secret name / scope / present-absent。",
|
||
"current_status": "defined_not_dispatched",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "p1-4-secret-material-rejected",
|
||
"display_order": 5,
|
||
"check": "secret value、hash、masked token、partial token、private key、runner token、webhook secret 全部拒收或隔離。",
|
||
"current_status": "defined_not_dispatched",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "p1-4-execution-request-rejected",
|
||
"display_order": 6,
|
||
"check": "workflow / webhook / runner / deploy key / branch protection / repository secret 修改、hosted runner enable、refs sync、primary switch 全部 hard reject。",
|
||
"current_status": "defined_not_dispatched",
|
||
"execution_authorized": false
|
||
}
|
||
],
|
||
"workflow_secret_owner_handoff_packet": {
|
||
"request_id": "p1_4_workflow_secret_owner_response_handoff",
|
||
"stage_id": "S4.12",
|
||
"source_evidence_summary": {
|
||
"local_evidence_repo_count": 5,
|
||
"local_workflow_file_count": 33,
|
||
"local_referenced_secret_name_count": 42,
|
||
"runner_label_count": 5
|
||
},
|
||
"requested_templates": [
|
||
"response-webhook-redacted-export",
|
||
"response-runner-label-owner",
|
||
"response-deploy-key-redacted-export",
|
||
"response-branch-protection-codeowners",
|
||
"response-repository-secret-name-parity"
|
||
],
|
||
"recipient_role_or_team_required": true,
|
||
"required_response_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"repo",
|
||
"provider",
|
||
"lane",
|
||
"lane_specific_owner",
|
||
"lane_specific_metadata",
|
||
"redacted_evidence_refs",
|
||
"followup_owner"
|
||
],
|
||
"allowed_metadata": [
|
||
"redacted_host",
|
||
"event_types",
|
||
"runner_label",
|
||
"key_name",
|
||
"required_checks",
|
||
"codeowners_path",
|
||
"secret_name",
|
||
"scope",
|
||
"present_absent"
|
||
],
|
||
"forbidden_inputs": [
|
||
"secret_value",
|
||
"secret_hash",
|
||
"masked_token",
|
||
"partial_token",
|
||
"token_value",
|
||
"runner_registration_token",
|
||
"webhook_secret",
|
||
"private_key",
|
||
"deploy_key_private_key",
|
||
"authorization_header",
|
||
"workflow_modification_request",
|
||
"runner_enablement_request",
|
||
"github_hosted_runner_enable_request",
|
||
"repository_secret_change_request",
|
||
"github_primary_switch_request"
|
||
],
|
||
"not_approval": true,
|
||
"execution_authorized": false
|
||
},
|
||
"post_dispatch_invariants": [
|
||
"Owner response 到來後仍需先進 S4.12 intake preflight 與 reviewer validation。",
|
||
"通過後只可更新 read-only workflow / secret name inventory、export request、primary readiness blocker wording 與 status rollup。",
|
||
"不得建立、複製、rotate、修改或刪除 secret。",
|
||
"不得改 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS,不得啟用 GitHub hosted runner。",
|
||
"不得 sync refs、切 GitHub primary 或停用 Gitea。"
|
||
],
|
||
"owner_response_request_packet": {
|
||
"request_id": "s4_12_workflow_secret_name_owner_response_request",
|
||
"display_status": "ready_to_request_owner_response",
|
||
"requested_packet": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
|
||
"required_response_item_count": 5,
|
||
"requested_template_ids": [
|
||
"response-webhook-redacted-export",
|
||
"response-runner-label-owner",
|
||
"response-deploy-key-redacted-export",
|
||
"response-branch-protection-codeowners",
|
||
"response-repository-secret-name-parity"
|
||
],
|
||
"owner_instruction_summary": "請 owner 只依 S4.12 五個 templates 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity 的脫敏 metadata;不要貼 secret value、token、runner token、webhook secret、private key、deploy key value、完整 URL credential、request body、header、未脫敏截圖或任何 workflow / secret / runner 執行要求。",
|
||
"allowed_response_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"repo",
|
||
"provider",
|
||
"lane",
|
||
"webhook_name_or_none",
|
||
"destination_host_redacted",
|
||
"event_types",
|
||
"active_enabled_flag",
|
||
"webhook_owner",
|
||
"runner_label_or_none",
|
||
"runner_scope",
|
||
"executor_type",
|
||
"hosted_or_self_hosted",
|
||
"runner_owner",
|
||
"github_hosted_minutes_risk",
|
||
"maintenance_window",
|
||
"key_name_or_none",
|
||
"read_only_flag",
|
||
"repo_scope",
|
||
"key_owner",
|
||
"rotation_owner",
|
||
"protected_branch_name_or_none",
|
||
"required_review_count",
|
||
"required_status_check_names",
|
||
"codeowners_path_or_none",
|
||
"owner_team_names",
|
||
"ruleset_owner",
|
||
"secret_name_list_or_none",
|
||
"secret_scope",
|
||
"owning_team",
|
||
"used_by_workflow_name",
|
||
"present_in_gitea",
|
||
"present_in_github",
|
||
"evidence_refs",
|
||
"followup_owner"
|
||
],
|
||
"evidence_ref_rules": [
|
||
"只允許 repo 內既有文件、snapshot、workflow 檔名、job 名稱、secret 名稱、runner label、redacted host 或已脫敏 owner metadata pointer。",
|
||
"secret parity 只能保存 secret name / scope / present-absent metadata / owner,不得保存 value、hash、masked token 或 partial token;hash 與 masked / partial token 仍可被離線比對、暴力還原或當作驗證 oracle,一律視同 secret material。",
|
||
"runner 回覆只能標示 self-hosted / hosted 風險 review candidate,不得視為 GitHub hosted runner 啟用批准。",
|
||
"webhook 回覆只能保存 redacted host、event types、enabled flag 與 owner,不得保存 webhook secret、tokenized URL、header 或 payload body。",
|
||
"deploy key 回覆只能保存 key 名稱、read-only flag、repo scope 與 owner,不得保存 private key、完整 public key 或 credential material。",
|
||
"不確定是否含敏感值時先走 mirror quarantine(即 quarantine_sensitive_payload lane,只保存 quarantine pointer,不保存原始內容),不得直接貼入 response。"
|
||
],
|
||
"forbidden_payloads": [
|
||
"secret_value",
|
||
"token_value",
|
||
"private_key",
|
||
"deploy_key_value",
|
||
"runner_registration_token",
|
||
"runner_admin_token",
|
||
"webhook_secret",
|
||
"cookie_or_session",
|
||
"authorization_header",
|
||
"private_clone_url_credential",
|
||
"complete_webhook_payload_url",
|
||
"query_token",
|
||
"request_body",
|
||
"response_body",
|
||
"secret_hash",
|
||
"masked_token",
|
||
"partial_credential",
|
||
"workflow_modification_request",
|
||
"webhook_modification_request",
|
||
"runner_enablement_request",
|
||
"deploy_key_rotation_request",
|
||
"branch_protection_change_request",
|
||
"repository_secret_change_request",
|
||
"github_hosted_runner_enable_request",
|
||
"refs_sync_request",
|
||
"github_primary_switch_request",
|
||
"execution_request_payload"
|
||
],
|
||
"allowed_submission_modes": [
|
||
"markdown_table_redacted_metadata",
|
||
"json_redacted_metadata_pointer",
|
||
"existing_repo_doc_reference",
|
||
"awooop_manual_review_note"
|
||
],
|
||
"awooop_display_mode": "display_owner_response_request_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"不收集或保存 secret value、token value、runner token、webhook secret、private key、deploy key value、cookie 或 session",
|
||
"不使用 write token 或 write API",
|
||
"不修改 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret",
|
||
"不 rotate、建立、複製或刪除 secret",
|
||
"不啟用 GitHub hosted runner 或消耗 GitHub Actions 額度",
|
||
"不 sync refs、不建立 repo、不修改 visibility、不切 GitHub primary",
|
||
"不停用、刪除、封存或降級 Gitea repo",
|
||
"不新增 AwoooP execution action button"
|
||
]
|
||
},
|
||
"owner_response_template_statuses": [
|
||
{
|
||
"template_id": "response-webhook-redacted-export",
|
||
"lane": "webhook_redacted_export_request",
|
||
"display_order": 1,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 webhook 名稱、redacted host、event types、enabled flag 與 webhook owner;不得貼 webhook secret、tokenized URL、header、cookie 或 payload body。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"不建立、修改、停用或刪除 webhook",
|
||
"不保存 webhook secret、完整 payload URL、query token、header、cookie 或 request body",
|
||
"不把 request_ready_not_sent 當成 webhook inventory complete"
|
||
]
|
||
},
|
||
{
|
||
"template_id": "response-runner-label-owner",
|
||
"lane": "runner_label_owner_export_request",
|
||
"display_order": 2,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 runner label、executor type、self-hosted / hosted、runner owner、GitHub hosted minutes 風險與 maintenance window;不得貼 runner registration token、host password、SSH private key 或 admin token。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"不新增、啟用、停用或改 runner label",
|
||
"不啟用 GitHub hosted runner 或消耗 GitHub Actions 額度",
|
||
"不保存 runner registration token、admin token、SSH private key 或 host password"
|
||
]
|
||
},
|
||
{
|
||
"template_id": "response-deploy-key-redacted-export",
|
||
"lane": "deploy_key_redacted_export_request",
|
||
"display_order": 3,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 deploy key / machine key 名稱、read-only flag、repo scope、key owner 與 rotation owner;不得貼 private key、完整 public key、token value 或 password。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"不新增、刪除、rotate 或修改 deploy key",
|
||
"不保存 private key、完整 public key、token value、password 或 credential value",
|
||
"不把 write-capable key 風險 candidate 當成 rotation approval"
|
||
]
|
||
},
|
||
{
|
||
"template_id": "response-branch-protection-codeowners",
|
||
"lane": "branch_protection_codeowners_export_request",
|
||
"display_order": 4,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 protected branch、required checks、required review count、CODEOWNERS path、owner teams 與 ruleset owner;不得要求立即修改 branch protection、ruleset 或 CODEOWNERS。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"不修改 branch protection、ruleset、required checks 或 CODEOWNERS",
|
||
"不保存 PAT、admin override token、team secret、session cookie 或未脫敏截圖",
|
||
"不把 branch protection response 當成 primary readiness complete"
|
||
]
|
||
},
|
||
{
|
||
"template_id": "response-repository-secret-name-parity",
|
||
"lane": "repository_secret_name_parity_export_request",
|
||
"display_order": 5,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 repository secret 名稱、scope、owning team、used-by workflow、present_in_gitea / present_in_github 與 rotation owner;不得貼 value、hash、masked token、partial token 或任何可還原片段。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"不建立、複製、rotate、修改或刪除 repository secret",
|
||
"不保存 secret value、hash、masked token、partial token、private key 或 credential value",
|
||
"不把 secret name parity response 當成 workflow ready 或 primary ready"
|
||
]
|
||
}
|
||
],
|
||
"owner_response_audit_event_templates": [
|
||
{
|
||
"event_template_id": "audit-workflow-secret-response-request-shown",
|
||
"display_order": 1,
|
||
"event_status": "template_only_not_emitted",
|
||
"trigger": "AwoooP 顯示 S4.12 workflow / secret name owner response request packet 時。",
|
||
"purpose": "只記錄 request packet 顯示 metadata;不代表 request 已送出、owner response 已收到、secret value collection、workflow / webhook / runner / deploy key / branch protection / repository secret 修改或 GitHub primary 授權。",
|
||
"allowed_metadata_fields": [
|
||
"event_id",
|
||
"event_time_taipei",
|
||
"event_template_id",
|
||
"source_contract",
|
||
"target_contract",
|
||
"request_id",
|
||
"requested_template_ids",
|
||
"displayed_by_role",
|
||
"displayed_to_owner_role_or_team",
|
||
"repo_count",
|
||
"lane_count",
|
||
"source_document_ref",
|
||
"redaction_status"
|
||
],
|
||
"forbidden_payloads": [
|
||
"secret_value",
|
||
"token_value",
|
||
"private_key",
|
||
"deploy_key_value",
|
||
"runner_registration_token",
|
||
"runner_admin_token",
|
||
"webhook_secret",
|
||
"cookie_or_session",
|
||
"authorization_header",
|
||
"complete_webhook_payload_url",
|
||
"query_token",
|
||
"request_body",
|
||
"response_body",
|
||
"secret_hash",
|
||
"masked_token",
|
||
"partial_credential",
|
||
"workflow_modification_request",
|
||
"webhook_modification_request",
|
||
"runner_enablement_request",
|
||
"deploy_key_rotation_request",
|
||
"branch_protection_change_request",
|
||
"repository_secret_change_request",
|
||
"github_hosted_runner_enable_request",
|
||
"refs_sync_request",
|
||
"github_primary_switch_request",
|
||
"execution_request_payload",
|
||
"unredacted_screenshot"
|
||
],
|
||
"emitted_event_count": 0,
|
||
"stored_raw_payload_allowed": false,
|
||
"awooop_display_mode": "display_audit_template_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"event_template_id": "audit-workflow-secret-response-received-metadata",
|
||
"display_order": 2,
|
||
"event_status": "template_only_not_emitted",
|
||
"trigger": "Owner 提供 S4.12 workflow / secret name response metadata pointer 時。",
|
||
"purpose": "只記錄已收到脫敏 metadata pointer;不得保存 owner response raw body、secret value、token、runner token、webhook secret、private key、deploy key value、完整 URL credential、request body、response body 或未脫敏截圖。",
|
||
"allowed_metadata_fields": [
|
||
"event_id",
|
||
"event_time_taipei",
|
||
"event_template_id",
|
||
"source_contract",
|
||
"request_id",
|
||
"template_id",
|
||
"lane",
|
||
"repo",
|
||
"provider",
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason_summary",
|
||
"evidence_refs",
|
||
"redaction_status",
|
||
"quarantine_lane",
|
||
"next_owner_action"
|
||
],
|
||
"forbidden_payloads": [
|
||
"secret_value",
|
||
"token_value",
|
||
"private_key",
|
||
"deploy_key_value",
|
||
"runner_registration_token",
|
||
"runner_admin_token",
|
||
"webhook_secret",
|
||
"cookie_or_session",
|
||
"authorization_header",
|
||
"complete_webhook_payload_url",
|
||
"query_token",
|
||
"request_body",
|
||
"response_body",
|
||
"secret_hash",
|
||
"masked_token",
|
||
"partial_credential",
|
||
"workflow_modification_request",
|
||
"webhook_modification_request",
|
||
"runner_enablement_request",
|
||
"deploy_key_rotation_request",
|
||
"branch_protection_change_request",
|
||
"repository_secret_change_request",
|
||
"github_hosted_runner_enable_request",
|
||
"refs_sync_request",
|
||
"github_primary_switch_request",
|
||
"execution_request_payload",
|
||
"unredacted_screenshot"
|
||
],
|
||
"emitted_event_count": 0,
|
||
"stored_raw_payload_allowed": false,
|
||
"awooop_display_mode": "display_audit_template_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"event_template_id": "audit-workflow-secret-response-outcome-classified",
|
||
"display_order": 3,
|
||
"event_status": "template_only_not_emitted",
|
||
"trigger": "AwoooP 依 S4.12 acceptance checks 與 rejection rules 分類 workflow / secret name owner response 時。",
|
||
"purpose": "只記錄分類結果、reviewer role 與下一步 owner action;不得把 outcome、owner wording 或單項 response 當成 secret value collection、workflow 修改、webhook 修改、runner 啟用、deploy key rotation、branch protection change、repository secret change、refs sync 或 GitHub primary 授權。",
|
||
"allowed_metadata_fields": [
|
||
"event_id",
|
||
"event_time_taipei",
|
||
"event_template_id",
|
||
"source_contract",
|
||
"request_id",
|
||
"template_id",
|
||
"lane",
|
||
"repo",
|
||
"provider",
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason_summary",
|
||
"latest_outcome_lane",
|
||
"evidence_refs",
|
||
"redaction_status",
|
||
"quarantine_lane",
|
||
"next_owner_action",
|
||
"reviewer_role"
|
||
],
|
||
"forbidden_payloads": [
|
||
"secret_value",
|
||
"token_value",
|
||
"private_key",
|
||
"deploy_key_value",
|
||
"runner_registration_token",
|
||
"runner_admin_token",
|
||
"webhook_secret",
|
||
"cookie_or_session",
|
||
"authorization_header",
|
||
"complete_webhook_payload_url",
|
||
"query_token",
|
||
"request_body",
|
||
"response_body",
|
||
"secret_hash",
|
||
"masked_token",
|
||
"partial_credential",
|
||
"workflow_modification_request",
|
||
"webhook_modification_request",
|
||
"runner_enablement_request",
|
||
"deploy_key_rotation_request",
|
||
"branch_protection_change_request",
|
||
"repository_secret_change_request",
|
||
"github_hosted_runner_enable_request",
|
||
"refs_sync_request",
|
||
"github_primary_switch_request",
|
||
"execution_request_payload",
|
||
"unredacted_screenshot"
|
||
],
|
||
"emitted_event_count": 0,
|
||
"stored_raw_payload_allowed": false,
|
||
"awooop_display_mode": "display_audit_template_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
}
|
||
],
|
||
"owner_response_redaction_examples": [
|
||
{
|
||
"example_id": "redaction-webhook-redacted-host-metadata",
|
||
"display_order": 1,
|
||
"example_status": "template_example_only",
|
||
"category": "webhook_redacted_host_metadata",
|
||
"safe_response_shape": [
|
||
"template_id=response-webhook-redacted-export",
|
||
"repo=owenhytsai/awoooi",
|
||
"webhook_name_or_none=deployment-status-webhook",
|
||
"destination_host_redacted=hooks.example.internal",
|
||
"event_types=[push, pull_request]",
|
||
"active_enabled_flag=true",
|
||
"webhook_owner=platform-ops"
|
||
],
|
||
"required_redactions": [
|
||
"只保留 host 或 domain 類 metadata,不保留 URL path(path segment 常內嵌 token)、完整 payload URL、query string、header、cookie 或 body",
|
||
"webhook secret 必須以 absent / managed_by_owner / rotate_required_candidate 類 metadata 表示,不得保存值",
|
||
"enabled flag 只代表 inventory metadata,不代表可建立、停用或修改 webhook"
|
||
],
|
||
"forbidden_raw_values": [
|
||
"webhook_secret",
|
||
"complete_webhook_payload_url",
|
||
"query_token",
|
||
"authorization_header",
|
||
"request_body",
|
||
"response_body",
|
||
"cookie_or_session"
|
||
],
|
||
"stored_raw_payload_allowed": false,
|
||
"awooop_display_mode": "display_redaction_example_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"example_id": "redaction-runner-label-owner-metadata",
|
||
"display_order": 2,
|
||
"example_status": "template_example_only",
|
||
"category": "runner_label_owner_metadata",
|
||
"safe_response_shape": [
|
||
"template_id=response-runner-label-owner",
|
||
"repo=owenhytsai/wooo-aiops",
|
||
"runner_label_or_none=self-hosted-linux-110",
|
||
"executor_type=self_hosted",
|
||
"hosted_or_self_hosted=self_hosted",
|
||
"runner_owner=platform-ops",
|
||
"github_hosted_minutes_risk=not_enabled"
|
||
],
|
||
"required_redactions": [
|
||
"runner label 只能保存名稱、scope、executor type、owner 與額度風險 metadata",
|
||
"hosted runner 只能標成 risk review candidate,不得視為啟用或消耗 GitHub Actions 額度批准",
|
||
"不得貼 runner registration token、admin token、host password、SSH private key 或 machine credential"
|
||
],
|
||
"forbidden_raw_values": [
|
||
"runner_registration_token",
|
||
"runner_admin_token",
|
||
"host_password",
|
||
"ssh_private_key",
|
||
"machine_credential",
|
||
"github_hosted_runner_enable_request"
|
||
],
|
||
"stored_raw_payload_allowed": false,
|
||
"awooop_display_mode": "display_redaction_example_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"example_id": "redaction-deploy-key-name-scope-metadata",
|
||
"display_order": 3,
|
||
"example_status": "template_example_only",
|
||
"category": "deploy_key_name_scope_metadata",
|
||
"safe_response_shape": [
|
||
"template_id=response-deploy-key-redacted-export",
|
||
"repo=owenhytsai/wooo-infra-config",
|
||
"key_name_or_none=infra-readonly-deploy-key",
|
||
"read_only_flag=true",
|
||
"repo_scope=single_repo",
|
||
"key_owner=platform-ops",
|
||
"rotation_owner=security-commander"
|
||
],
|
||
"required_redactions": [
|
||
"deploy key 只能保存 key name、read-only flag、repo scope、owner 與 rotation owner metadata",
|
||
"public key 若需要補證,必須改成既有文件引用或 owner metadata pointer,不保存完整 key material",
|
||
"rotation owner 只代表後續責任人,不代表本階段可 rotate、建立、刪除或修改 key"
|
||
],
|
||
"forbidden_raw_values": [
|
||
"private_key",
|
||
"deploy_key_value",
|
||
"complete_public_key",
|
||
"token_value",
|
||
"credential_value",
|
||
"deploy_key_rotation_request"
|
||
],
|
||
"stored_raw_payload_allowed": false,
|
||
"awooop_display_mode": "display_redaction_example_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"example_id": "redaction-branch-protection-codeowners-metadata",
|
||
"display_order": 4,
|
||
"example_status": "template_example_only",
|
||
"category": "branch_protection_codeowners_metadata",
|
||
"safe_response_shape": [
|
||
"template_id=response-branch-protection-codeowners",
|
||
"repo=owenhytsai/awoooi",
|
||
"protected_branch_name_or_none=main",
|
||
"required_review_count=1",
|
||
"required_status_check_names=[lint, test]",
|
||
"codeowners_path_or_none=.github/CODEOWNERS",
|
||
"ruleset_owner=source-control-owner"
|
||
],
|
||
"required_redactions": [
|
||
"只保存 branch/ruleset/CODEOWNERS metadata 與 required check names,不保存 admin override token 或 session",
|
||
"若引用 UI screenshot,必須先脫敏 owner、token、cookie、email、完整 URL credential 與個資",
|
||
"不得把 required check 或 reviewer wording 當成可立即修改 branch protection / ruleset / CODEOWNERS 的授權"
|
||
],
|
||
"forbidden_raw_values": [
|
||
"admin_override_token",
|
||
"session_cookie",
|
||
"authorization_header",
|
||
"unredacted_screenshot",
|
||
"branch_protection_change_request",
|
||
"codeowners_write_request"
|
||
],
|
||
"stored_raw_payload_allowed": false,
|
||
"awooop_display_mode": "display_redaction_example_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"example_id": "redaction-secret-name-parity-quarantine-pointer",
|
||
"display_order": 5,
|
||
"example_status": "template_example_only",
|
||
"category": "repository_secret_name_parity_or_quarantine",
|
||
"safe_response_shape": [
|
||
"template_id=response-repository-secret-name-parity",
|
||
"repo=owenhytsai/awoooi",
|
||
"secret_name_list_or_none=[DATABASE_URL, OPENAI_API_KEY]",
|
||
"present_in_gitea=unknown_requires_more_evidence",
|
||
"present_in_github=unknown_requires_more_evidence",
|
||
"owning_team=platform-ops",
|
||
"collection_status=quarantine_sensitive_payload_if_value_seen"
|
||
],
|
||
"required_redactions": [
|
||
"secret parity 只能保存 secret name、scope、present / absent / unknown metadata、owner 與 evidence refs",
|
||
"任何 value、hash、masked token、partial token、可還原片段或未脫敏截圖都必須改走 quarantine pointer",
|
||
"secret name parity 通過也只更新 read-only wording,不代表可建立、複製、rotate、修改或刪除 secret"
|
||
],
|
||
"forbidden_raw_values": [
|
||
"secret_value",
|
||
"secret_hash",
|
||
"masked_token",
|
||
"partial_credential",
|
||
"repository_secret_change_request",
|
||
"execution_request_payload",
|
||
"owner_response_raw_body"
|
||
],
|
||
"stored_raw_payload_allowed": false,
|
||
"awooop_display_mode": "display_redaction_example_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
}
|
||
],
|
||
"owner_response_collection_checks": [
|
||
{
|
||
"check_id": "collection-workflow-secret-request-packet-displayed",
|
||
"display_order": 1,
|
||
"title": "已顯示 workflow / secret 名稱 owner response request packet",
|
||
"required": true,
|
||
"pass_condition": "AwoooP 必須只顯示 owner_response_request_packet 的 5 個 workflow / secret 名稱 templates、允許欄位、脫敏 evidence 規則與禁止 payload,不得附加 secret value collection、workflow/webhook/runner/deploy key/branch protection/secret 修改、refs sync 或 primary switch 要求。",
|
||
"failure_lane": "keep_waiting_owner_response",
|
||
"awooop_display": "display_request_packet_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"check_id": "collection-workflow-secret-read-only-submission-mode",
|
||
"display_order": 2,
|
||
"title": "workflow / secret 名稱收件模式維持 read-only",
|
||
"required": true,
|
||
"pass_condition": "owner 只能用 read-only markdown response、redacted metadata pointer、existing repo doc reference 或 AwoooP manual review note;不得提交 secret value、webhook secret、runner token、deploy key material、private key、authorization header、未脫敏截圖或 execution request。",
|
||
"failure_lane": "quarantine_sensitive_payload",
|
||
"awooop_display": "display_read_only_submission_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"check_id": "collection-five-workflow-secret-template-tracking",
|
||
"display_order": 3,
|
||
"title": "五個 workflow / secret templates 分開追蹤",
|
||
"required": true,
|
||
"pass_condition": "S4.12 五個 requested_template_ids 必須逐 lane 追蹤 received / accepted / rejected 狀態;不可用單一整體同意取代 webhook、runner、deploy key、branch protection / CODEOWNERS 或 repository secret name parity 的個別判定。",
|
||
"failure_lane": "request_more_evidence",
|
||
"awooop_display": "display_per_workflow_secret_lane_tracking",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"check_id": "collection-workflow-secret-redacted-evidence-only",
|
||
"display_order": 4,
|
||
"title": "只收 workflow / secret 名稱脫敏 evidence refs",
|
||
"required": true,
|
||
"pass_condition": "收件內容只能包含 repo 內路徑、snapshot path、secret name metadata、redacted host、runner label、key name、ruleset/CODEOWNERS metadata 或已脫敏 evidence refs;任何不確定是否含 secret value、token、private key、deploy key material、完整 URL credential、request body、header 或未脫敏截圖的資料都先進 quarantine。",
|
||
"failure_lane": "quarantine_sensitive_payload",
|
||
"awooop_display": "display_redacted_evidence_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"check_id": "collection-workflow-secret-no-approval-language",
|
||
"display_order": 5,
|
||
"title": "不得把 workflow / secret 回覆語意升級成批准",
|
||
"required": true,
|
||
"pass_condition": "即使 owner response 文字包含同意、OK、可進行或批准,也只能視為 workflow / secret 名稱 inventory disposition;不得視為 secret 建立、複製、rotate、workflow 修改、runner 啟用、deploy key rotation、branch protection change、refs sync 或 GitHub primary approval。",
|
||
"failure_lane": "reject_execution_request",
|
||
"awooop_display": "display_scope_response_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
},
|
||
{
|
||
"check_id": "collection-workflow-secret-audit-metadata-only",
|
||
"display_order": 6,
|
||
"title": "只記錄 workflow / secret audit metadata",
|
||
"required": true,
|
||
"pass_condition": "AwoooP 只能記錄 request shown、response received metadata、template id、lane、repo、owner role/team、redacted host、runner label、key name、secret name metadata、evidence refs 與 outcome lane;不得保存 secret value、hash、masked token、partial credential、webhook secret、runner token、private key、authorization header 或可執行 payload。",
|
||
"failure_lane": "quarantine_sensitive_payload",
|
||
"awooop_display": "display_audit_metadata_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true
|
||
}
|
||
],
|
||
"intake_preflight_checks": [
|
||
{
|
||
"check_id": "preflight-known-workflow-secret-lane",
|
||
"display_order": 1,
|
||
"title": "回覆必須對應已知 workflow / secret 名稱 lane",
|
||
"required": true,
|
||
"pass_condition": "`template_id` 或 `lane` 必須對應 S4.12 五個 workflow / secret name templates 之一,不得新增未盤點 repo、未請求 workflow / secret 類別,或把 out-of-scope repo 自動視為可補 secret / workflow。",
"failure_lane": "request_owner_correction",
"awooop_display": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "preflight-required-workflow-secret-owner-fields",
"display_order": 2,
"title": "workflow / secret 名稱必填欄位完整",
"required": true,
"pass_condition": "每筆 response 必須有 owner role/team、decision、decision_reason、repo、provider、lane、lane-specific owner、必要的 redacted metadata 與 evidence_refs;secret name parity 批次回覆必須有可重現 repo list 與 scope。",
"failure_lane": "request_more_evidence",
"awooop_display": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "preflight-allowed-workflow-secret-decision",
"display_order": 3,
"title": "workflow / secret decision 在模板允許值內",
"required": true,
"pass_condition": "`decision` 必須落在對應 response template 的 acceptable_decisions;口頭同意、整體 OK、可進行、請幫我建立 secret 或未列出的執行語句都不得進入 accepted。",
"failure_lane": "request_owner_correction",
"awooop_display": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "preflight-workflow-secret-redacted-evidence-only",
"display_order": 4,
"title": "只接受 workflow / secret 名稱脫敏 evidence refs",
"required": true,
"pass_condition": "`evidence_refs` 只能指向 repo 內文件、snapshot、redacted metadata pointer、secret name list、redacted host、runner label、key name、ruleset / CODEOWNERS metadata;不得含 secret value、hash、masked token、partial credential、webhook secret、runner token、private key、deploy key value、authorization header、cookie、session、request body 或未脫敏截圖。",
"failure_lane": "quarantine_sensitive_payload",
"awooop_display": "quarantine_sensitive_payload",
"execution_authorized": false
},
{
"check_id": "preflight-no-workflow-secret-execution-request",
"display_order": 5,
"title": "不得夾帶 workflow / secret 執行要求",
"required": true,
"pass_condition": "response 不得要求建立 / 複製 / rotate secret、修改 workflow/webhook/runner/deploy key/branch protection/CODEOWNERS、啟用 GitHub hosted runner、使用 write token、建立 repo、sync refs、GitHub primary switch、Kali scan 或任何 runtime action。",
"failure_lane": "reject_execution_request",
"awooop_display": "reject_execution_request",
"execution_authorized": false
},
{
"check_id": "preflight-all-five-workflow-secret-lanes-before-accepted",
"display_order": 6,
"title": "接受前需覆蓋五個 workflow / secret templates",
"required": true,
"pass_condition": "S4.12 要被標示 accepted 前,五個 response templates 都必須收到可驗收的 owner response;部分回覆只能維持 waiting、ready_for_owner_review、request_more_evidence 或 quarantine。",
"failure_lane": "keep_waiting_owner_response",
"awooop_display": "ready_for_owner_review",
"execution_authorized": false
}
],
"response_templates": [
{
"template_id": "response-webhook-redacted-export",
"lane": "webhook_redacted_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/wooo-aiops"
],
"risk": "MEDIUM",
"covered_repo_count": 2,
"requested_owner_decision": "回覆 webhook 名稱、redacted host、事件類型、enabled flag 與 owner;不得包含 webhook secret、含 token 的 payload URL、header、cookie 或 payload body。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"webhook_name_or_none",
"destination_host_redacted",
"event_types",
"active_enabled_flag",
"webhook_owner",
"evidence_refs"
],
"acceptable_decisions": [
"provide_redacted_webhook_inventory_candidate",
"mark_no_webhook_candidate",
"hold_pending_webhook_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"acceptance_criteria": [
"只允許保存 redacted host、event types、enabled flag 與 owner。",
"必須標示 primary cutover 後哪一端負責發 webhook,或明確要求補證。",
"必須承認 response 通過後只更新 read-only inventory / readiness wording,不修改 webhook。"
],
"rejection_conditions": [
"含 webhook secret、完整 payload URL、query token、header、cookie 或 request body。",
"要求立即建立、停用或修改 webhook。",
"缺 repo、provider、webhook owner 或 no-webhook disposition。"
],
"allowed_outputs": [
"更新 `source-control-workflow-secret-name-export-request.snapshot.json` 的 webhook read-only owner response 欄位。",
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 workflow/webhook blocker wording。",
"建立 request_more_evidence / quarantine lane。"
],
"execution_authorized": false
},
{
"template_id": "response-runner-label-owner",
"lane": "runner_label_owner_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/wooo-aiops",
"owenhytsai/wooo-infra-config",
"owenhytsai/ewoooc"
],
"risk": "HIGH",
"covered_repo_count": 4,
"requested_owner_decision": "回覆 runner label、executor type、hosted/self-hosted、owner 與 GitHub hosted minutes 風險;不得包含 runner registration token、admin token、SSH key 或 host password。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"runner_label_or_none",
"runner_scope",
"executor_type",
"hosted_or_self_hosted",
"runner_owner",
"github_hosted_minutes_risk",
"maintenance_window",
"evidence_refs"
],
"acceptable_decisions": [
"keep_self_hosted_runner_candidate",
"approve_hosted_runner_risk_review_candidate",
"mark_no_runner_candidate",
"hold_pending_runner_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"acceptance_criteria": [
"必須標示 runner 是 self-hosted 或 hosted;若為 hosted,只能列入額度風險 review,不得視為啟用批准。",
"必須指定 runner owner 與維護窗口,或明確要求補證。",
"必須承認 response 不授權新增 runner、不授權改 workflow、不授權消耗 GitHub hosted minutes。"
],
"rejection_conditions": [
"含 runner registration token、admin token、SSH private key、host password 或 API token。",
"要求立即啟用 GitHub hosted runner 或改 runner label。",
"把 hosted runner risk review candidate 當成使用 GitHub Actions 額度的批准。"
],
"allowed_outputs": [
"更新 runner label owner review lane。",
"更新 GitHub hosted runner 額度風險 wording。",
"維持 workflow / runner execution disabled。"
],
"execution_authorized": false
},
{
"template_id": "response-deploy-key-redacted-export",
"lane": "deploy_key_redacted_export_request",
"affected_repos": [
"owenhytsai/wooo-infra-config"
],
"risk": "HIGH",
"covered_repo_count": 1,
"requested_owner_decision": "回覆 deploy key / machine key 名稱、read-only flag、repo scope 與 owner;不得包含 private key、完整 public key、token value 或 password。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"key_name_or_none",
"read_only_flag",
"repo_scope",
"key_owner",
"rotation_owner",
"evidence_refs"
],
"acceptable_decisions": [
"provide_deploy_key_name_scope_candidate",
"mark_no_deploy_key_candidate",
"mark_write_capable_key_risk_candidate",
"hold_pending_key_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"acceptance_criteria": [
"只允許 key 名稱、read-only flag、repo scope、owner 與 rotation owner。",
"write-capable key 只能列為風險 candidate,不得自動 rotate 或刪除。",
"必須承認 response 不授權搬移 key、不授權貼 private key、不授權修改 deploy key。"
],
"rejection_conditions": [
"含 private key、完整 public key、token value、password 或 credential value。",
"要求立即 rotate、刪除或新增 deploy key。",
"缺 key owner / rotation owner 或 no-key disposition。"
],
"allowed_outputs": [
"更新 deploy key read-only risk lane。",
"更新 primary readiness key blocker wording。",
"建立 key_owner request_more_evidence lane。"
],
"execution_authorized": false
},
{
"template_id": "response-branch-protection-codeowners",
"lane": "branch_protection_codeowners_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/clawbot-v5",
"owenhytsai/wooo-infra-config",
"owenhytsai/ewoooc"
],
"risk": "MEDIUM",
"covered_repo_count": 4,
"requested_owner_decision": "回覆 protected branch、required checks、required review count、CODEOWNERS path 與 owner teams;不得包含 team secret、PAT、admin override token 或 session cookie。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"protected_branch_name_or_none",
"required_review_count",
"required_status_check_names",
"codeowners_path_or_none",
"owner_team_names",
"ruleset_owner",
"evidence_refs"
],
"acceptable_decisions": [
"provide_branch_protection_codeowners_candidate",
"mark_no_branch_protection_candidate",
"hold_pending_ruleset_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"acceptance_criteria": [
"必須列出 required status check names,並標示與 workflow / runner label 對應狀態。",
"缺 CODEOWNERS 或 branch protection 只能形成 readiness gap,不代表可修改規則。",
"必須指定 ruleset owner 或 request_more_evidence owner。"
],
"rejection_conditions": [
"含 PAT、admin override token、session cookie、team secret 或未脫敏截圖。",
"要求立即修改 branch protection、ruleset、required checks 或 CODEOWNERS。",
"把 branch protection response 當成 primary readiness complete。"
],
"allowed_outputs": [
"更新 branch protection / CODEOWNERS owner review lane。",
"更新 required status check parity wording。",
"維持 primary_ready_count=0。"
],
"execution_authorized": false
},
{
"template_id": "response-repository-secret-name-parity",
"lane": "repository_secret_name_parity_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/clawbot-v5",
"owenhytsai/wooo-aiops",
"owenhytsai/wooo-infra-config",
"owenhytsai/ewoooc",
"owenhytsai/bitan-pharmacy",
"owenhytsai/tsenyang-website"
],
"risk": "HIGH",
"covered_repo_count": 7,
"requested_owner_decision": "回覆 repository secret 名稱 parity、scope、owning team、used-by workflow 與 present_in_gitea / present_in_github metadata;不得包含 value、hash、partial token 或可還原片段。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"secret_name_list_or_none",
"secret_scope",
"owning_team",
"used_by_workflow_name",
"rotation_owner",
"present_in_gitea",
"present_in_github",
"evidence_refs"
],
"acceptable_decisions": [
"provide_secret_name_presence_map_candidate",
"mark_no_repository_secret_candidate",
"hold_pending_secret_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"acceptance_criteria": [
"只允許保存 secret name、scope、owner、used-by workflow、present/absent metadata。",
"不得保存 value、hash、partial token、masked token 或任何可還原片段。",
"缺漏 secret 只建立 owner review lane,不自動建立、複製、rotate 或刪除 secret。"
],
"rejection_conditions": [
"含 secret value、plaintext、hash、partial token、private key、credential value 或未脫敏截圖。",
"要求立即建立、複製、修改、rotate 或刪除 repository secret。",
"把 secret name parity response 當成 workflow 已可執行或 primary ready。"
],
"allowed_outputs": [
"更新 repository secret name parity owner review lane。",
"更新 workflow / secret name inventory gap wording。",
"維持 inventory_complete_count=0 與 primary_ready_count=0。"
],
"execution_authorized": false
}
],
"acceptance_checks": [
{
"check_id": "maps_to_known_export_lane",
"title": "回覆對應既有 export lane",
"required": true,
"pass_condition": "`lane` 必須對應 S4.3 既有 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS 或 repository secret name parity。",
"failure_lane": "reject_unknown_export_lane",
"execution_authorized": false
},
{
"check_id": "decision_value_allowed",
"title": "決策值在允許範圍內",
"required": true,
"pass_condition": "`decision` 必須是該 response template 的 acceptable_decisions 之一。",
"failure_lane": "request_owner_correction",
"execution_authorized": false
},
{
"check_id": "repo_scope_present",
"title": "repo scope 已標示",
"required": true,
"pass_condition": "每筆回覆必須有 repo、provider 與 lane;批次 secret name parity 必須有可重現 repo list。",
"failure_lane": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "owner_present",
"title": "owner 或補證 owner 已標示",
"required": true,
"pass_condition": "每筆回覆必須有 owner role/team,且 lane-specific owner 不得空白;未知時必須選 hold/unknown。",
"failure_lane": "request_owner_assignment",
"execution_authorized": false
},
{
"check_id": "allowed_fields_only",
"title": "只含允許欄位",
"required": true,
"pass_condition": "回覆只能包含 lane allowed_fields 與 owner/evidence metadata,不得加入 request body、header、credential 或 raw config。",
"failure_lane": "quarantine_unexpected_payload",
"execution_authorized": false
},
{
"check_id": "secret_values_absent",
"title": "未包含 secret value",
"required": true,
"pass_condition": "不得包含 secret、token、cookie、private key、deploy key、runner token、webhook secret、password、hash、masked token 或 partial credential。",
"failure_lane": "quarantine_sensitive_payload",
"execution_authorized": false
},
{
"check_id": "no_write_or_rotation_requested",
"title": "不含 write 或 rotation 要求",
"required": true,
"pass_condition": "回覆不得要求 write API、rotate secret、修改 workflow、修改 webhook、修改 runner、修改 deploy key 或修改 branch protection。",
"failure_lane": "reject_runtime_change_request",
"execution_authorized": false
},
{
"check_id": "no_primary_or_refs_action_requested",
"title": "不含 primary 或 refs action",
"required": true,
"pass_condition": "回覆不得要求建立 repo、sync refs、切 GitHub primary、停用 Gitea 或把 inventory 視為 primary ready。",
"failure_lane": "reject_primary_or_refs_action",
"execution_authorized": false
}
],
"rejection_rules": [
"回覆含 secret value、PAT、cookie、session、CSRF token、private key、deploy key value、runner token、webhook secret 或 partial credential 時必須拒收。",
"回覆含完整 webhook payload URL、query token、authorization header、request body 或未脫敏截圖時必須拒收。",
"回覆含 runner registration token、runner admin token、SSH private key、host password 或 API token 時必須拒收。",
"回覆含 deploy key private material、完整 public key、token value、password 或 credential value 時必須拒收。",
"回覆含 secret value、secret hash、partial token、masked token 或任何可還原片段時必須拒收。",
"回覆要求 write API、修改 workflow/webhook/runner/deploy key/branch protection/CODEOWNERS 或 rotate secret 時必須拒收。",
"回覆要求建立 repo、sync refs、切 GitHub primary、停用或封存 Gitea 時必須拒收。",
"回覆缺 repo、provider、lane owner 或 no-data disposition 時不得標記 accepted。",
"回覆把 owner response 當成 inventory complete、workflow ready、secret parity complete 或 GitHub primary ready 時必須拒收。",
"任何不確定是否含敏感值、私有 URL 憑證、完整 key material 或未脫敏截圖的回覆必須先進 mirror quarantine。"
],
"allowed_outputs": [
"更新 `source-control-workflow-secret-name-inventory.snapshot.json` 的 read-only owner response 欄位。",
"更新 `source-control-workflow-secret-name-export-request.snapshot.json` 的 response status wording。",
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 workflow / webhook / runner / secret name blocker wording。",
"更新 `security-mirror-status-rollup.snapshot.json` 的 workflow_secret owner response summary。",
"建立 request_more_evidence / quarantine lane。",
"維持 `inventory_complete_count=0`、`github_primary_ready_count=0` 與所有 workflow / secret / repo / refs / primary execution flags false。"
],
"forbidden_actions": [
"收集或保存 secret value、token value、cookie、session、private key、deploy key value、runner token 或 webhook secret。",
"使用 write token 或 write API。",
"修改 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret。",
"rotate secret、建立 secret、複製 secret 或刪除 secret。",
"啟用 GitHub hosted runner 或消耗 GitHub Actions 額度。",
"建立 GitHub repo 或修改 visibility。",
"sync refs、push refs、delete refs 或 force push。",
"切 GitHub primary。",
"停用、刪除、封存或降級 Gitea repo。",
"新增 AwoooP execution action button。"
]
}