{
"schema_version": "source_control_owner_response_validation_rollup_v1",
"status": "draft_waiting_owner_responses",
"date": "2026-05-17",
"mode": "owner_response_validation_rollup_only",
"runtime_execution_authorized": false,
"source_contracts": [
"gitea_inventory_owner_attestation_response_v1",
"github_target_owner_decision_response_v1",
"source_control_ref_truth_owner_response_v1",
"source_control_workflow_secret_name_owner_response_v1"
],
"source_indexes": [
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"summary": {
"rollup_status": "waiting_owner_responses",
"response_packet_count": 4,
"validation_lane_count": 4,
"total_response_template_count": 22,
"total_received_response_count": 0,
"total_accepted_response_count": 0,
"total_rejected_response_count": 0,
"total_acceptance_check_count": 32,
"total_rejection_rule_count": 40,
"quarantine_required": true,
"primary_ready_count": 0,
"runtime_execution_authorized": false,
"token_value_collection_allowed": false,
"secret_value_collection_allowed": false,
"write_token_allowed": false,
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"gitea_repo_write_authorized": false,
"refs_sync_authorized": false,
"refs_delete_authorized": false,
"force_push_authorized": false,
"workflow_modification_authorized": false,
"runner_enablement_authorized": false,
"github_hosted_runner_enable_authorized": false,
"github_primary_switch_authorized": false,
"action_buttons_allowed": false
},
"validation_lanes": [
{
"lane_id": "s4_9_gitea_inventory_owner_attestation_response",
"source_contract": "gitea_inventory_owner_attestation_response_v1",
"response_packet": "docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
"human_doc": "docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md",
"scope_summary": "5 個 Gitea coverage attestation items: public-only/local gap、org/user endpoint、110 adjacent scope、canonical owner、legacy/inaccessible disposition。",
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"required_before_ready": [
"5 個 S4.7 attestation items 皆有可驗收 owner response",
"response 只能引用脫敏 evidence refs",
"不得保存 token value、raw secret、DB dump、git object 或 repo write payload"
],
"allowed_outputs": [
"更新 read-only Gitea coverage matrix wording",
"更新 owner / canonical / legacy disposition 欄位",
"維持 gitea_repo_inventory_v1.status=partial 直到 S4.6 payload 驗收通過"
],
"forbidden_actions": [
"store_token_value",
"write_gitea_repo",
"sync_refs",
"switch_github_primary"
],
"execution_authorized": false
},
{
"lane_id": "s4_10_github_target_owner_decision_response",
"source_contract": "github_target_owner_decision_response_v1",
"response_packet": "docs/security/github-target-owner-decision-response.snapshot.json",
"human_doc": "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md",
"scope_summary": "7 個 approval-required GitHub targets 的 owner、visibility、canonical response。",
"response_template_count": 7,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"required_before_ready": [
"7 個 target response 都有 owner / visibility / canonical disposition",
"not_found_or_private 不得自動解讀為可建立 repo",
"response 不得夾帶 repo creation、visibility change 或 refs sync payload"
],
"allowed_outputs": [
"更新 read-only GitHub target decision table wording",
"更新 repo-by-repo approval package 的 owner / visibility / canonical 欄位",
"維持 primary_ready_count=0"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"sync_refs",
"switch_github_primary"
],
"execution_authorized": false
},
{
"lane_id": "s4_11_ref_truth_owner_response",
"source_contract": "source_control_ref_truth_owner_response_v1",
"response_packet": "docs/security/source-control-ref-truth-owner-response.snapshot.json",
"human_doc": "docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md",
"scope_summary": "141 個 refs review items 的 main/dev truth、deprecated drift、release tag retention、GitHub-only refs disposition。",
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"required_before_ready": [
"main/dev truth 與 release tags 必須有 deploy / artifact / rollback owner",
"deprecated candidate 只能更新 disposition,不代表 delete approval",
"backfill candidate 只能更新 review wording,不代表 push approval"
],
"allowed_outputs": [
"更新 read-only ref truth classification disposition",
"更新 draft reconcile plan wording",
"維持 refs sync / delete / force push disabled"
],
"forbidden_actions": [
"fetch_refs",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary"
],
"execution_authorized": false
},
{
"lane_id": "s4_12_workflow_secret_name_owner_response",
"source_contract": "source_control_workflow_secret_name_owner_response_v1",
"response_packet": "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"human_doc": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
"scope_summary": "webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted owner response。",
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"required_before_ready": [
"每個 lane 只能保存允許欄位與脫敏 metadata",
"GitHub hosted runner 只能進 risk review,不得啟用或消耗 hosted minutes",
"secret name parity 只保存名稱、scope、owner 與 present/absent,不保存 value/hash/partial token"
],
"allowed_outputs": [
"更新 read-only workflow / secret name inventory wording",
"更新 redacted export request disposition",
"維持 workflow / secret parity blocker 直到實際 redacted evidence 完成"
],
"forbidden_actions": [
"store_secret_value",
"modify_workflow",
"enable_runner",
"enable_github_hosted_runner",
"switch_github_primary"
],
"execution_authorized": false
}
],
"cross_packet_acceptance_checks": [
{
"check_id": "all_source_packets_schema_valid",
"title": "四個 source response packets 都必須 JSON / schema 結構有效",
"required": true,
"pass_condition": "source packet 可被解析,且 summary 欄位存在",
"failure_lane": "mirror_quarantine",
"execution_authorized": false
},
{
"check_id": "template_counts_match",
"title": "response template count 必須與各 source packet summary 一致",
"required": true,
"pass_condition": "5 + 7 + 5 + 5 = 22",
"failure_lane": "mirror_quarantine",
"execution_authorized": false
},
{
"check_id": "response_counts_explicit",
"title": "received / accepted / rejected count 必須明確列出",
"required": true,
"pass_condition": "所有 source packets 目前皆為 0 / 0 / 0",
"failure_lane": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "accepted_response_does_not_unlock_runtime",
"title": "即使未來 response 被接受,也不得直接解鎖 runtime",
"required": true,
"pass_condition": "readiness effect 只允許更新 read-only wording 或 matrix 欄位",
"failure_lane": "block_candidate",
"execution_authorized": false
},
{
"check_id": "rejection_rules_present",
"title": "四個 packets 都必須保留 rejection rules",
"required": true,
"pass_condition": "每包 10 個 rejection rules,總數 40",
"failure_lane": "mirror_quarantine",
"execution_authorized": false
},
{
"check_id": "no_secret_or_token_value",
"title": "不得收集 token、secret、private key、cookie、session 或 partial credential",
"required": true,
"pass_condition": "所有收件與輸出欄位只允許脫敏 evidence refs 或名稱 metadata",
"failure_lane": "hard_reject",
"execution_authorized": false
},
{
"check_id": "no_write_or_admin_action",
"title": "不得夾帶 write token、admin API、repo write、workflow 修改或 runner 啟用",
"required": true,
"pass_condition": "所有 write / admin / execution flags 皆為 false",
"failure_lane": "hard_reject",
"execution_authorized": false
},
{
"check_id": "no_refs_or_primary_action",
"title": "不得把 owner response 當成 refs sync、delete、force push 或 primary approval",
"required": true,
"pass_condition": "refs_sync / refs_delete / force_push / github_primary_switch 皆為 false",
"failure_lane": "hard_reject",
"execution_authorized": false
},
{
"check_id": "quarantine_uncertain_payload",
"title": "任何不確定是否含敏感值的 response 必須隔離",
"required": true,
"pass_condition": "quarantine_required=true 且 quarantine rules 已列出",
"failure_lane": "mirror_quarantine",
"execution_authorized": false
},
{
"check_id": "rollup_and_readiness_must_be_updated_together",
"title": "接受 response 後必須同步更新 rollup 與 readiness wording",
"required": true,
"pass_condition": "更新 source packet、validation rollup、security mirror rollup、primary readiness gate 與 LOGBOOK",
"failure_lane": "request_more_evidence",
"execution_authorized": false
}
],
"quarantine_rules": [
"response 夾帶 token、secret、cookie、session、private key、deploy key material、runner token 或 partial credential 時 hard reject。",
"response 夾帶完整 webhook URL、query token、header、body、未脫敏 screenshot 或 private URL credential 時 hard reject。",
"response 要求 write API、repo 建立、visibility change、workflow 修改、runner 啟用、secret rotate、refs sync、delete refs、force push 或 GitHub primary switch 時 hard reject。",
"response 缺 lane、repo、provider、owner、decision、decision_reason 或 evidence_refs 時 request_more_evidence。",
"response 的敏感性不確定時先 quarantine,不猜測、不修補、不自動接受。"
],
"readiness_effects": [
{
"effect_id": "gitea_owner_response_accepted",
"when_all_checks_pass": "S4.9 request packet 已顯示、template status ledger / audit event templates / redaction examples / display sections / collection checks 已確認 request / received / accepted 分離,audit events emitted=0,且 5 個 response templates 全部接受;S4.6 redacted payload 仍需另外驗收。",
"allowed_update": "只更新 Gitea coverage matrix、owner / canonical disposition 與 readiness wording;gitea_repo_inventory_v1 仍不得直接標記 ok。",
"still_forbidden": [
"store_token_value",
"write_gitea_repo",
"sync_refs",
"switch_github_primary"
]
},
{
"effect_id": "github_target_owner_response_accepted",
"when_all_checks_pass": "S4.10 7 個 target response 全部接受。",
"allowed_update": "只更新 GitHub target decision table、repo approval package 與 primary readiness blocker wording。",
"still_forbidden": [
"create_github_repo",
"change_visibility",
"sync_refs",
"switch_github_primary"
]
},
{
"effect_id": "ref_truth_owner_response_accepted",
"when_all_checks_pass": "S4.11 5 個 lane response 全部接受,且 batch scope 可重現。",
"allowed_update": "只更新 ref truth classification disposition 與 draft reconcile plan wording。",
"still_forbidden": [
"fetch_refs",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary"
]
},
{
"effect_id": "workflow_secret_owner_response_accepted",
"when_all_checks_pass": "S4.12 5 個 workflow / secret lanes 全部接受,且所有 evidence 已脫敏。",
"allowed_update": "只更新 workflow / secret name inventory、redacted export request 與 readiness wording。",
"still_forbidden": [
"store_secret_value",
"modify_workflow",
"enable_runner",
"enable_github_hosted_runner",
"switch_github_primary"
]
}
],
"allowed_outputs": [
"mirror_owner_response_validation_rollup",
"display_cross_packet_counts",
"display_missing_owner_response_lanes",
"display_next_collection_candidate",
"route_invalid_response_to_quarantine",
"update_read_only_readiness_wording_after_accepted_response"
],
"missing_response_lanes": [
{
"lane_id": "s4_9_gitea_inventory_owner_attestation_response",
"source_contract": "gitea_inventory_owner_attestation_response_v1",
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"current_status": "waiting_owner_response",
"next_owner_action": "Owner 需依 S4.9 owner response request packet 回覆 5 個 Gitea coverage attestation items;AwoooP 需用 template status ledger / audit event templates / redaction examples / display sections / collection checks 逐項追蹤,且只能引用脫敏 evidence refs。",
"awooop_display_mode": "observe_missing_response",
"still_forbidden": [
"store_token_value",
"write_gitea_repo",
"sync_refs",
"switch_github_primary"
]
},
{
"lane_id": "s4_10_github_target_owner_decision_response",
"source_contract": "github_target_owner_decision_response_v1",
"response_template_count": 7,
"received_response_count": 0,
"accepted_response_count": 0,
"current_status": "waiting_owner_response",
"next_owner_action": "Owner 需依 S4.10 request packet 與 template status ledger 回覆 7 個 GitHub target 的 owner / visibility / canonical disposition。",
"awooop_display_mode": "observe_missing_response",
"still_forbidden": [
"create_github_repo",
"change_repo_visibility",
"sync_refs",
"switch_github_primary"
]
},
{
"lane_id": "s4_11_ref_truth_owner_response",
"source_contract": "source_control_ref_truth_owner_response_v1",
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"current_status": "waiting_owner_response",
"next_owner_action": "Owner 需依 S4.11 回覆 refs truth、deprecated drift、release tags 與 GitHub-only refs disposition。",
"awooop_display_mode": "observe_missing_response",
"still_forbidden": [
"fetch_refs",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary"
]
},
{
"lane_id": "s4_12_workflow_secret_name_owner_response",
"source_contract": "source_control_workflow_secret_name_owner_response_v1",
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"current_status": "waiting_owner_response",
"next_owner_action": "Owner 需依 S4.12 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的脫敏狀態。",
"awooop_display_mode": "observe_missing_response",
"still_forbidden": [
"store_secret_value",
"modify_workflow",
"enable_runner",
"enable_github_hosted_runner",
"switch_github_primary"
]
}
],
"owner_response_collection_order": [
{
"order": 1,
"lane_id": "s4_9_gitea_inventory_owner_attestation_response",
"reason": "先確認 Gitea 覆蓋範圍與 canonical owner,避免後續 GitHub target / refs 判定建立在不完整 inventory 上。",
"required_packet": "docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md",
"minimum_response": [
"public-only/local gap disposition",
"org/user endpoint disposition",
"110 adjacent source scope",
"canonical owner",
"legacy/inaccessible disposition"
],
"awooop_action": "display_next_collection_item",
"blocked_until_received": true,
"execution_authorized": false,
"still_forbidden": [
"store_token_value",
"write_gitea_repo",
"sync_refs",
"switch_github_primary"
]
},
{
"order": 2,
"lane_id": "s4_10_github_target_owner_decision_response",
"reason": "再確認 GitHub target owner / visibility / canonical,避免 not_found_or_private 被誤解成可直接建立 repo。",
"required_packet": "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md",
"minimum_response": [
"repo owner",
"target visibility",
"canonical target disposition",
"not_found_or_private handling"
],
"awooop_action": "display_next_collection_item",
"blocked_until_received": true,
"execution_authorized": false,
"still_forbidden": [
"create_github_repo",
"change_repo_visibility",
"sync_refs",
"switch_github_primary"
]
},
{
"order": 3,
"lane_id": "s4_11_ref_truth_owner_response",
"reason": "GitHub target owner / visibility 明確後,再判定 branch / tag 真相來源,避免 refs sync 或 delete 被提前誤用。",
"required_packet": "docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md",
"minimum_response": [
"main/dev truth disposition",
"deprecated drift disposition",
"release tag retention",
"GitHub-only refs disposition"
],
"awooop_action": "display_next_collection_item",
"blocked_until_received": true,
"execution_authorized": false,
"still_forbidden": [
"fetch_refs",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary"
]
},
{
"order": 4,
"lane_id": "s4_12_workflow_secret_name_owner_response",
"reason": "最後補 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 parity,避免 secret 或 runner 變更早於 source truth。",
"required_packet": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
"minimum_response": [
"webhook redacted state",
"runner label owner",
"deploy key redacted state",
"branch protection / CODEOWNERS state",
"repository secret name parity"
],
"awooop_action": "display_next_collection_item",
"blocked_until_received": true,
"execution_authorized": false,
"still_forbidden": [
"store_secret_value",
"modify_workflow",
"enable_runner",
"enable_github_hosted_runner",
"switch_github_primary"
]
}
],
"next_collection_candidate": {
"order": 1,
"lane_id": "s4_9_gitea_inventory_owner_attestation_response",
"display_status": "next_owner_response_required",
"source_contract": "gitea_inventory_owner_attestation_response_v1",
"required_packet": "docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md",
"required_response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"minimum_response": [
"public-only/local gap disposition",
"org/user endpoint disposition",
"110 adjacent source scope",
"canonical owner",
"legacy/inaccessible disposition"
],
"awooop_display_mode": "display_next_collection_item_only",
"why_next": "S4.9 是後續 GitHub target、refs truth 與 workflow / secret parity 判定的前置 scope / canonical owner 來源;未收到前不得推進後續 source-control owner response 接受狀態。",
"blocked_until_received": true,
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"store_token_value",
"write_gitea_repo",
"sync_refs",
"switch_github_primary"
]
},
"latest_local_validation": {
"status": "repo_snapshot_guard_pass",
"date": "2026-05-18",
"scope": "repo_snapshot_only",
"command": "python3 scripts/security/source-control-owner-response-guard.py",
"result": "SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK",
"validated_lanes": [
"s4_9_gitea_inventory_owner_attestation_response",
"s4_10_github_target_owner_decision_response",
"s4_11_ref_truth_owner_response",
"s4_12_workflow_secret_name_owner_response"
],
"received_response_count": 0,
"accepted_response_count": 0,
"runtime_actions_authorized": false,
"repo_or_refs_actions_authorized": false,
"workflow_or_secret_actions_authorized": false,
"not_authorization": true
},
"forbidden_actions": [
"runtime_execution",
"store_token_or_secret_value",
"use_write_token",
"create_repo",
"change_repo_visibility",
"write_gitea_repo",
"sync_refs",
"delete_refs",
"force_push",
"modify_workflow_or_secret",
"enable_runner",
"enable_github_hosted_runner",
"switch_github_primary",
"add_action_button"
]
}