712 lines
30 KiB
JSON
712 lines
30 KiB
JSON
{
|
||
"schema_version": "github_target_owner_decision_response_v1",
|
||
"status": "draft_waiting_owner_response",
|
||
"date": "2026-05-17",
|
||
"mode": "owner_decision_response_intake_only",
|
||
"runtime_execution_authorized": false,
|
||
"source_contract": "github_target_decision_v1",
|
||
"target_contract": "github_target_repo_approval_package_v1",
|
||
"source_indexes": [
|
||
"docs/security/github-target-decision.snapshot.json",
|
||
"docs/security/github-target-repo-approval-package.snapshot.json",
|
||
"docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md",
|
||
"docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md",
|
||
"docs/security/source-control-approval-board.snapshot.json",
|
||
"docs/security/source-control-primary-readiness-gate.snapshot.json",
|
||
"docs/security/security-approval-review-packet.snapshot.json",
|
||
"docs/security/security-followup-runtime-gate.snapshot.json"
|
||
],
|
||
"summary": {
|
||
"owner_response_status": "waiting_owner_response",
|
||
"target_decision_count": 8,
|
||
"approval_required_target_count": 7,
|
||
"owner_response_request_packet_count": 1,
|
||
"owner_response_template_status_count": 7,
|
||
"response_template_count": 7,
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"acceptance_check_count": 8,
|
||
"rejection_rule_count": 10,
|
||
"repo_creation_authorized": false,
|
||
"visibility_change_authorized": false,
|
||
"refs_sync_authorized": false,
|
||
"github_primary_switch_authorized": false,
|
||
"secret_value_collection_allowed": false,
|
||
"action_buttons_allowed": false
|
||
},
|
||
"owner_response_request_packet": {
|
||
"request_id": "s4_10_github_target_owner_decision_response_request",
|
||
"display_status": "ready_to_request_owner_response",
|
||
"requested_packet": "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md",
|
||
"required_response_item_count": 7,
|
||
"requested_template_ids": [
|
||
"target-awoooi-refs-blocked",
|
||
"target-clawbot-v5-refs-blocked",
|
||
"target-wooo-aiops-refs-blocked",
|
||
"target-wooo-infra-config-internal-remote",
|
||
"target-ewoooc-private-or-new",
|
||
"target-bitan-pharmacy-private-or-new",
|
||
"target-tsenyang-website-private-or-new"
|
||
],
|
||
"owner_instruction_summary": "請 owner 只依 S4.10 七個 templates 回覆 GitHub target 的 owner / visibility / canonical / target disposition,並只引用脫敏 evidence refs;不要貼 token、secret、private clone URL credential、repo archive、git object、API request body 或任何可執行 payload。",
|
||
"allowed_response_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"canonical_source",
|
||
"github_target_disposition",
|
||
"visibility_review_owner",
|
||
"refs_truth_review_owner",
|
||
"tag_disposition_owner",
|
||
"github_only_refs_owner",
|
||
"internal_remote_disposition",
|
||
"secret_name_inventory_owner",
|
||
"server_side_refs_diff_owner",
|
||
"active_status",
|
||
"evidence_refs",
|
||
"followup_owner"
|
||
],
|
||
"evidence_ref_rules": [
|
||
"只允許 repo 內既有文件、snapshot 或已脫敏 owner metadata pointer",
|
||
"not_found_or_private 只能作為需補證或 private access request 的 evidence,不得自動視為 repo 不存在",
|
||
"canonical_source 未知時必須明確選 unknown_requires_more_evidence 或指定補證 owner",
|
||
"不得提供 token value、secret value、private clone URL credential、cookie、session、deploy key value 或截圖中的敏感值",
|
||
"不確定是否含敏感值時先走 mirror quarantine,不得直接貼入 response"
|
||
],
|
||
"forbidden_payloads": [
|
||
"token_value",
|
||
"secret_value",
|
||
"private_key",
|
||
"cookie_or_session",
|
||
"private_clone_url_credential",
|
||
"repo_creation_command",
|
||
"visibility_change_command",
|
||
"write_or_admin_api_request",
|
||
"refs_sync_or_delete_request",
|
||
"force_push_or_tag_rewrite_request",
|
||
"github_primary_switch_request",
|
||
"repo_archive",
|
||
"git_object_pack",
|
||
"db_dump",
|
||
"unrelated_history_merge_request"
|
||
],
|
||
"allowed_submission_modes": [
|
||
"read_only_markdown_response",
|
||
"redacted_metadata_pointer",
|
||
"request_more_evidence",
|
||
"out_of_scope_disposition"
|
||
],
|
||
"awooop_display_mode": "display_owner_response_request_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"force_push",
|
||
"switch_github_primary",
|
||
"store_secret_value",
|
||
"store_token_value"
|
||
]
|
||
},
|
||
"owner_response_template_statuses": [
|
||
{
|
||
"template_id": "target-awoooi-refs-blocked",
|
||
"github_repo": "owenhytsai/awoooi",
|
||
"source_key": "wooo/awoooi",
|
||
"display_order": 1,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 `owenhytsai/awoooi` 的 canonical source、visibility review owner 與 refs truth owner;不得把既有 GitHub target 視為可直接 primary。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"force_push",
|
||
"switch_github_primary",
|
||
"store_secret_value",
|
||
"store_token_value"
|
||
]
|
||
},
|
||
{
|
||
"template_id": "target-clawbot-v5-refs-blocked",
|
||
"github_repo": "owenhytsai/clawbot-v5",
|
||
"source_key": "wooo/clawbot-v5",
|
||
"display_order": 2,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 `owenhytsai/clawbot-v5` 的 main SHA / tag 真相來源與 tag disposition owner;不得用單一句話批准 refs sync。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"force_push",
|
||
"switch_github_primary",
|
||
"store_secret_value",
|
||
"store_token_value"
|
||
]
|
||
},
|
||
{
|
||
"template_id": "target-wooo-aiops-refs-blocked",
|
||
"github_repo": "owenhytsai/wooo-aiops",
|
||
"source_key": "wooo/wooo-aiops",
|
||
"display_order": 3,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 `owenhytsai/wooo-aiops` 的 GitHub-only refs owner 與 disposition;不得刪除 GitHub-only refs。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"force_push",
|
||
"switch_github_primary",
|
||
"store_secret_value",
|
||
"store_token_value"
|
||
]
|
||
},
|
||
{
|
||
"template_id": "target-wooo-infra-config-internal-remote",
|
||
"github_repo": "owenhytsai/wooo-infra-config",
|
||
"source_key": "wooo/wooo-infra-config",
|
||
"display_order": 4,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 `owenhytsai/wooo-infra-config` 的 110 internal remote 用途與 secret name inventory owner;不得刪除 remote 或搬移 secret value。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"force_push",
|
||
"switch_github_primary",
|
||
"store_secret_value",
|
||
"store_token_value"
|
||
]
|
||
},
|
||
{
|
||
"template_id": "target-ewoooc-private-or-new",
|
||
"github_repo": "owenhytsai/ewoooc",
|
||
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
|
||
"display_order": 5,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 `owenhytsai/ewoooc` 與 momo-pro-system 的 canonical 關係、private access request 或 new target candidate disposition;不得自動建立 repo 或合併 unrelated histories。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"force_push",
|
||
"switch_github_primary",
|
||
"store_secret_value",
|
||
"store_token_value"
|
||
]
|
||
},
|
||
{
|
||
"template_id": "target-bitan-pharmacy-private-or-new",
|
||
"github_repo": "owenhytsai/bitan-pharmacy",
|
||
"source_key": "bitan-pharmacy",
|
||
"display_order": 6,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 `owenhytsai/bitan-pharmacy` 是否仍 active、GitHub target disposition 與 visibility review owner;不得把 not_found_or_private 當成可直接建立 repo。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"force_push",
|
||
"switch_github_primary",
|
||
"store_secret_value",
|
||
"store_token_value"
|
||
]
|
||
},
|
||
{
|
||
"template_id": "target-tsenyang-website-private-or-new",
|
||
"github_repo": "owenhytsai/tsenyang-website",
|
||
"source_key": "tsenyang-website",
|
||
"display_order": 7,
|
||
"collection_status": "waiting_owner_response",
|
||
"request_status": "request_ready_not_sent",
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"latest_outcome_lane": "keep_waiting_owner_response",
|
||
"next_owner_action": "Owner 需回覆 `owenhytsai/tsenyang-website` 是否仍 active、GitHub target disposition 與 visibility review owner;不得把 not_found_or_private 當成可直接建立 repo。",
|
||
"awooop_display_mode": "display_template_status_only",
|
||
"execution_authorized": false,
|
||
"not_approval": true,
|
||
"still_forbidden": [
|
||
"create_github_repo",
|
||
"change_repo_visibility",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"force_push",
|
||
"switch_github_primary",
|
||
"store_secret_value",
|
||
"store_token_value"
|
||
]
|
||
}
|
||
],
|
||
"response_templates": [
|
||
{
|
||
"template_id": "target-awoooi-refs-blocked",
|
||
"github_repo": "owenhytsai/awoooi",
|
||
"source_key": "wooo/awoooi",
|
||
"target_state": "exists_refs_blocked",
|
||
"risk": "HIGH",
|
||
"requested_owner_decision": "指定 owner、canonical source、visibility review owner 與 refs truth review owner;維持 refs action disabled。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"canonical_source",
|
||
"github_target_disposition",
|
||
"visibility_review_owner",
|
||
"refs_truth_review_owner",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"approve_existing_target_as_candidate",
|
||
"hold_pending_refs_truth",
|
||
"hold_pending_canonical_review",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md",
|
||
"docs/security/source-control-ref-detail-diff.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"必須明確指定 `wooo/awoooi` 的 canonical source 與 owner review 責任人。",
|
||
"必須承認 refs truth / workflow-secret parity / rollback ADR 未完成前不得推 refs 或切 primary。",
|
||
"若 decision 是 hold,必須說明下一個 evidence owner。"
|
||
],
|
||
"rejection_conditions": [
|
||
"把既有 GitHub repo 視為可直接 primary。",
|
||
"要求 push、delete、force push refs 或修改 visibility。",
|
||
"缺 canonical source、visibility review owner 或 refs truth review owner。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 GitHub target decision table 的 owner / canonical / visibility read-only 欄位。",
|
||
"更新 repo approval package 的 blocked_until 說明。",
|
||
"維持 primary readiness blocked。"
|
||
],
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"template_id": "target-clawbot-v5-refs-blocked",
|
||
"github_repo": "owenhytsai/clawbot-v5",
|
||
"source_key": "wooo/clawbot-v5",
|
||
"target_state": "exists_refs_blocked",
|
||
"risk": "MEDIUM",
|
||
"requested_owner_decision": "指定 main SHA / tag 真相來源與 owner;維持 refs action disabled。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"canonical_source",
|
||
"tag_disposition_owner",
|
||
"visibility_review_owner",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"approve_existing_target_as_candidate",
|
||
"hold_pending_refs_truth",
|
||
"mark_external_or_out_of_scope",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md",
|
||
"docs/security/source-control-reconcile-plan.snapshot.json",
|
||
"docs/security/source-control-ref-truth-classification.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"必須說明 main SHA 與 tag 差異要由哪個 owner 判定。",
|
||
"若仍 active,必須保留 refs review lane。",
|
||
"若排除 scope,必須附 owner 理由與後續 disposition。"
|
||
],
|
||
"rejection_conditions": [
|
||
"用單一句話批准 refs sync。",
|
||
"未處理 GitHub 缺 Gitea tag 的 disposition。",
|
||
"要求刪除任一端 repo 或 refs。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 refs truth review lane。",
|
||
"更新 approval package 的 owner decision 欄位。",
|
||
"維持 refs action disabled。"
|
||
],
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"template_id": "target-wooo-aiops-refs-blocked",
|
||
"github_repo": "owenhytsai/wooo-aiops",
|
||
"source_key": "wooo/wooo-aiops",
|
||
"target_state": "exists_refs_blocked",
|
||
"risk": "MEDIUM",
|
||
"requested_owner_decision": "指定 GitHub-only branch / tags 的來源 owner 與 disposition;維持 refs action disabled。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"canonical_source",
|
||
"github_only_refs_owner",
|
||
"visibility_review_owner",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"approve_existing_target_as_candidate",
|
||
"hold_pending_refs_truth",
|
||
"mark_external_or_out_of_scope",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md",
|
||
"docs/security/source-control-ref-detail-diff.snapshot.json",
|
||
"docs/security/source-control-ref-truth-classification.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"必須指定 GitHub-only branch / tags 的 owner 或補證 owner。",
|
||
"必須說明 main SHA truth source 尚未判定時要維持 blocked。",
|
||
"若標為 out_of_scope,必須說明與 AwoooP / AWOOOI scope 的關係。"
|
||
],
|
||
"rejection_conditions": [
|
||
"要求刪除 GitHub-only refs。",
|
||
"未指定 GitHub-only refs owner。",
|
||
"把 refs classification 當成已批准 sync。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 refs truth classification 的 owner review 欄位。",
|
||
"更新 GitHub target decision table。",
|
||
"維持 GitHub primary readiness blocked。"
|
||
],
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"template_id": "target-wooo-infra-config-internal-remote",
|
||
"github_repo": "owenhytsai/wooo-infra-config",
|
||
"source_key": "wooo/wooo-infra-config",
|
||
"target_state": "exists_aligned",
|
||
"risk": "MEDIUM",
|
||
"requested_owner_decision": "判定 110 internal remote 用途、infra owner 與 secret name inventory owner。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"canonical_source",
|
||
"internal_remote_disposition",
|
||
"secret_name_inventory_owner",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"approve_existing_target_as_candidate",
|
||
"hold_pending_canonical_review",
|
||
"mark_external_or_out_of_scope",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md",
|
||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"必須判定 110 internal remote 是 active source、mirror、legacy 或需要補證。",
|
||
"必須指定 infra secret 名稱 inventory owner。",
|
||
"不得把 internal remote disposition 當成刪除 remote 的批准。"
|
||
],
|
||
"rejection_conditions": [
|
||
"要求直接刪除 remote 或改 remote URL。",
|
||
"要求搬移或貼出 secret value。",
|
||
"未說明 110 internal remote 用途。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 canonical decision table 的 remote disposition。",
|
||
"更新 workflow / secret name inventory 的 owner gap。",
|
||
"維持 repo / secret / refs 執行 disabled。"
|
||
],
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"template_id": "target-ewoooc-private-or-new",
|
||
"github_repo": "owenhytsai/ewoooc",
|
||
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
|
||
"target_state": "not_found_or_private",
|
||
"risk": "HIGH",
|
||
"requested_owner_decision": "判定 ewoooc / momo-pro-system canonical 關係與 GitHub target 是既有 private repo、候選新 repo 或需補證。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"canonical_source",
|
||
"github_target_disposition",
|
||
"visibility_review_owner",
|
||
"server_side_refs_diff_owner",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"approve_private_target_access_request",
|
||
"approve_new_target_creation_candidate",
|
||
"hold_pending_canonical_review",
|
||
"mark_external_or_out_of_scope",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md",
|
||
"docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md",
|
||
"docs/security/github-target-decision.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"必須明確說明 `not_found_or_private` 不能自動視為不存在。",
|
||
"必須指定 ewoooc / momo-pro-system canonical 判定 owner。",
|
||
"若只是批准候選新 repo,仍不得建立 repo,必須先產生 migration plan。"
|
||
],
|
||
"rejection_conditions": [
|
||
"把 `not_found_or_private` 當成建立 repo 的直接批准。",
|
||
"自動合併 unrelated histories。",
|
||
"要求刪除任一 momo / ewoooc working tree。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 target decision table 的 disposition。",
|
||
"更新 approval package 的 canonical blocker。",
|
||
"建立 request_more_evidence lane。"
|
||
],
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"template_id": "target-bitan-pharmacy-private-or-new",
|
||
"github_repo": "owenhytsai/bitan-pharmacy",
|
||
"source_key": "bitan-pharmacy",
|
||
"target_state": "not_found_or_private",
|
||
"risk": "MEDIUM",
|
||
"requested_owner_decision": "判定 repo 是否仍 active、GitHub target disposition、owner 與 visibility review owner。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"active_status",
|
||
"canonical_source",
|
||
"github_target_disposition",
|
||
"visibility_review_owner",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"approve_private_target_access_request",
|
||
"approve_new_target_creation_candidate",
|
||
"hold_pending_canonical_review",
|
||
"mark_external_or_out_of_scope",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
|
||
"docs/security/github-target-decision.snapshot.json",
|
||
"docs/security/source-control-primary-readiness-gate.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"必須說明 repo 是否仍 active。",
|
||
"必須指定 GitHub target 是既有 private、候選新 repo、out-of-scope 或需補證。",
|
||
"若 active,必須保留 workflow / secret name parity gate。"
|
||
],
|
||
"rejection_conditions": [
|
||
"把 target 看不到當成可直接建立 repo。",
|
||
"沒有 active_status 或 visibility review owner。",
|
||
"要求自動 push refs 或刪除 110 remote。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 target decision table 的 active / disposition 欄位。",
|
||
"更新 approval package 的 blocked_until。",
|
||
"維持 repo creation 與 refs action disabled。"
|
||
],
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"template_id": "target-tsenyang-website-private-or-new",
|
||
"github_repo": "owenhytsai/tsenyang-website",
|
||
"source_key": "tsenyang-website",
|
||
"target_state": "not_found_or_private",
|
||
"risk": "MEDIUM",
|
||
"requested_owner_decision": "判定 repo 是否仍 active、GitHub target disposition、owner 與 visibility review owner。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"active_status",
|
||
"canonical_source",
|
||
"github_target_disposition",
|
||
"visibility_review_owner",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"approve_private_target_access_request",
|
||
"approve_new_target_creation_candidate",
|
||
"hold_pending_canonical_review",
|
||
"mark_external_or_out_of_scope",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
|
||
"docs/security/github-target-decision.snapshot.json",
|
||
"docs/security/source-control-primary-readiness-gate.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"必須說明 repo 是否仍 active。",
|
||
"必須指定 GitHub target 是既有 private、候選新 repo、out-of-scope 或需補證。",
|
||
"若 active,必須保留 workflow / secret name parity gate。"
|
||
],
|
||
"rejection_conditions": [
|
||
"把 target 看不到當成可直接建立 repo。",
|
||
"沒有 active_status 或 visibility review owner。",
|
||
"要求自動 push refs 或刪除 110 remote。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 target decision table 的 active / disposition 欄位。",
|
||
"更新 approval package 的 blocked_until。",
|
||
"維持 repo creation 與 refs action disabled。"
|
||
],
|
||
"execution_authorized": false
|
||
}
|
||
],
|
||
"acceptance_checks": [
|
||
{
|
||
"check_id": "maps_to_known_github_target",
|
||
"title": "回覆對應既有 GitHub target",
|
||
"required": true,
|
||
"pass_condition": "`github_repo` 必須對應 github_target_decision_v1 的 7 個 approval-required targets 之一。",
|
||
"failure_lane": "reject_unknown_target",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "decision_value_allowed",
|
||
"title": "決策值在允許範圍內",
|
||
"required": true,
|
||
"pass_condition": "`decision` 必須是該 target template 的 acceptable_decisions 之一。",
|
||
"failure_lane": "request_owner_correction",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "owner_and_visibility_present",
|
||
"title": "owner 與 visibility review 責任存在",
|
||
"required": true,
|
||
"pass_condition": "每筆回覆必須有 owner role/team、visibility review owner 或明確 out-of-scope disposition。",
|
||
"failure_lane": "request_more_evidence",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "canonical_source_present",
|
||
"title": "canonical source 已說明",
|
||
"required": true,
|
||
"pass_condition": "in-scope 或 candidate target 必須標示 canonical source;未知時必須選 unknown_requires_more_evidence。",
|
||
"failure_lane": "keep_primary_blocked",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "blocked_until_respected",
|
||
"title": "blocked_until 不被繞過",
|
||
"required": true,
|
||
"pass_condition": "回覆不得把 refs truth、workflow-secret parity、Gitea inventory、rollback ADR 或 server-side diff 缺口視為已完成。",
|
||
"failure_lane": "reject_scope_jump",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "no_repo_creation_or_visibility_change",
|
||
"title": "不含 repo creation 或 visibility change 指令",
|
||
"required": true,
|
||
"pass_condition": "回覆只能批准候選方向或補證方向,不得包含立即建立 repo 或修改 visibility 的執行要求。",
|
||
"failure_lane": "reject_runtime_source_control_action",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "no_refs_or_primary_action",
|
||
"title": "不含 refs 或 primary action",
|
||
"required": true,
|
||
"pass_condition": "回覆不得要求 push、delete、force push、mirror sync、primary switch 或 disable Gitea。",
|
||
"failure_lane": "reject_refs_or_primary_action",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "secret_values_absent",
|
||
"title": "未包含 secret value",
|
||
"required": true,
|
||
"pass_condition": "`evidence_refs` 只能指向 repo 內文件、snapshot 或已脫敏 owner metadata,不得含 token、credential、secret value、private key 或 deploy key value。",
|
||
"failure_lane": "quarantine_sensitive_payload",
|
||
"execution_authorized": false
|
||
}
|
||
],
|
||
"rejection_rules": [
|
||
"回覆含 token value、PAT、cookie、session、CSRF token、private key 或 partial credential 時必須拒收。",
|
||
"回覆含 repo creation command、API request body、CLI command 或 automation payload 時必須拒收。",
|
||
"回覆含 visibility change command 或要求立即修改 public/private/internal visibility 時必須拒收。",
|
||
"回覆要求 push refs、delete refs、force push、mirror sync、tag rewrite 或 branch rewrite 時必須拒收。",
|
||
"回覆要求切 GitHub primary、停用 Gitea、刪除 Gitea、封存 Gitea 或移除 fallback 時必須拒收。",
|
||
"回覆缺 owner、visibility review owner、canonical source 或 out-of-scope disposition 時不得標記 accepted。",
|
||
"回覆把 `not_found_or_private` 自動解釋為 repo 不存在或可建立時必須拒收。",
|
||
"回覆要求自動合併 unrelated histories 或刪除 momo / ewoooc working tree 時必須拒收。",
|
||
"回覆把 owner decision response 當成 repo migration approval、refs sync approval 或 primary approval 時必須拒收。",
|
||
"任何不確定是否含敏感值、私有 URL 憑證或未脫敏截圖的回覆必須先進 mirror quarantine。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 `github-target-decision.snapshot.json` 的 read-only owner / visibility / canonical decision 欄位。",
|
||
"更新 `github-target-repo-approval-package.snapshot.json` 的 blocked_until、review owner 與 evidence refs。",
|
||
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 blocker wording。",
|
||
"更新 `source-control-approval-board.snapshot.json` 的 review lane。",
|
||
"建立 request_more_evidence / quarantine lane。",
|
||
"維持 `github_primary_ready_count=0` 與所有 execution flags false。"
|
||
],
|
||
"forbidden_actions": [
|
||
"建立 GitHub repo。",
|
||
"修改 GitHub repo visibility。",
|
||
"push、delete、force push、mirror sync 或 rewrite refs。",
|
||
"切 GitHub primary。",
|
||
"停用、刪除、封存或降級 Gitea repo。",
|
||
"保存 secret value、token value、private key、cookie、session 或 deploy key value。",
|
||
"把 response packet 當成 migration execution approval。",
|
||
"新增 AwoooP execution action button。"
|
||
]
|
||
}
|