awoooi/docs/security/security-rollout-policy.snapshot.json
{
"schema_version": "security_rollout_policy_v1",
"status": "draft",
"default_mode": "observe",
"enforcement_level": "mirror_only",
"policy_items": [
{
"condition": "read_only_inventory_or_evidence_mirror",
"mode": "observe",
"allowed": [
"collect_metadata",
"write_redacted_snapshot",
"update_docs",
"mirror_to_awooop_runtime_state"
],
"forbidden": [
"change_runtime",
"write_to_remote_system",
"delete_or_archive_repo",
"sync_refs"
],
"reason": "初期先建立可見性與追溯性,不阻擋產品與架構推進。"
},
{
"condition": "low_or_medium_observation_without_irreversible_change",
"mode": "warn",
"allowed": [
"label_risk",
"create_followup_item",
"add_evidence_ref",
"prepare_draft_plan"
],
"forbidden": [
"block_deploy",
"force_owner_decision",
"auto_patch",
"auto_merge"
],
"reason": "LOW / MEDIUM observation 先累積 evidence,不把日常流程變成審批地獄。"
},
{
"condition": "uses_readonly_token_or_admin_export",
"mode": "approve_required",
"allowed": [
"request_human_approval",
"run_once_after_approval",
"store_token_present_boolean_only",
"write_redacted_inventory"
],
"forbidden": [
"store_token_value",
"reuse_write_token",
"write_to_gitea",
"create_repo"
],
"reason": "只讀 token 與管理匯出會碰敏感邊界,需 approval,但仍不授權任何同步或寫入。"
},
{
"condition": "repo_creation_visibility_change_or_refs_sync",
"mode": "approve_required",
"allowed": [
"create_approval_candidate",
"prepare_migration_plan",
"prepare_rollback_plan"
],
"forbidden": [
"execute_without_owner_approval",
"push_refs",
"change_visibility",
"switch_primary"
],
"reason": "這些動作會改供應鏈控制面,必須逐 repo 核准。"
},
{
"condition": "secret_rbac_network_firewall_deploy_or_primary_switch",
"mode": "approve_required",
"allowed": [
"create_approval_required_event",
"prepare_dry_run_plan",
"define_rollback"
],
"forbidden": [
"auto_execute",
"store_secret_value",
"skip_human_review"
],
"reason": "這些動作有生產、權限或安全 blast radius,不進入初期自動化。"
},
{
"condition": "destructive_action_without_rollback_or_secret_value_storage",
"mode": "block_candidate",
"allowed": [
"record_block_reason",
"request_manual_exception"
],
"forbidden": [
"force_push",
"delete_repo",
"store_raw_secret",
"disable_audit"
],
"reason": "不可逆且無 rollback 的動作不屬於初期框架建置範圍。"
}
]
}