{
"schema_version": "source_control_primary_readiness_gate_v1",
"status": "draft_blocked",
"date": "2026-06-11",
"mode": "primary_readiness_gate_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json",
"docs/security/gitea-github-awoooi-inventory.snapshot.json",
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-public-repo-search.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/github-target-probe.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"summary": {
"candidate_repo_count": 10,
"in_scope_repo_count": 9,
"external_scope_count": 1,
"primary_ready_count": 0,
"blocked_in_scope_count": 9,
"approval_required_count": 9,
"runtime_actions_authorized": false,
"github_primary_switch_authorized": false,
"action_buttons_allowed": false,
"raw_secret_storage_authorized": false
},
"global_readiness_gates": [
{
"gate_id": "GITEA_AUTHENTICATED_INVENTORY_REQUIRED",
"title": "Gitea private/internal 全量 inventory",
"status": "blocked",
"required_before_primary": [
"Gitea authenticated inventory 或 redacted admin export status=ok",
"確認所有 private/internal repo 都被納入 mapping",
"只保存 token_present=true/false,不保存 token value"
],
"current_gap": [
"目前只有 public-only / blocked endpoint evidence",
"S4.5 已建立 authenticated/admin export request,但尚未取得 `gitea_repo_inventory_v1.status=ok` evidence",
"S4.6 已建立 redacted import acceptance,但目前 received_payload_count=0、accepted_payload_count=0",
"S4.7 已建立 owner coverage attestation request,但目前 received_attestation_count=0、accepted_attestation_count=0",
"S4.9 已建立 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes,但目前 received_response_count=0、accepted_response_count=0、audit_events_emitted=0",
"S4.13 validation rollup 已將 S4.9 納入四包 owner response 驗收總覽、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes、parallel session recovery checks 與 parallel session recovery outcome lanes,但目前 total_received_response_count=0、total_accepted_response_count=0、reviewer audit emitted=0",
"public-only API 只看到 2 個 repos,本機 remote inventory 看到 4 個 unique Gitea repos,gap 仍待 owner 解釋",
"GITEA_READONLY_TOKEN 未提供",
"不得使用 write-capable credential 當 read-only token"
],
"allowed_now": [
"顯示 blocked reason",
"mirror S4.5 authenticated inventory export request",
"mirror S4.6 redacted inventory import acceptance",
"mirror S4.7 owner coverage attestation request",
"mirror S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner attestation response templates、intake preflight checks 與 outcome lanes",
"mirror S4.13 owner response validation rollup, evidence routing rules, display sections, state transition rules, reviewer checklist, reviewer outcome lanes, reviewer audit event templates, reviewer audit display sections, reviewer audit collection checks, reviewer audit redaction examples, reviewer audit retention rules, reviewer audit retention checks, reviewer audit handoff packets, reviewer audit handoff checks, parallel session sync checks, parallel session conflict lanes, parallel session recovery checks, parallel session recovery outcome lanes",
"等待 read-only token 或 redacted admin export",
"更新 approval board 與 decision table"
],
"execution_authorized": false
},
{
"gate_id": "REFS_TRUTH_REQUIRED",
"title": "refs 真相來源與 branch/tag parity",
"status": "blocked",
"required_before_primary": [
"main/dev 與 active branch 真相來源已人工判定",
"release tags 保留或棄用決策完成",
"deprecated candidate refs 已由 repo owner review"
],
"current_gap": [
"3 個 mapped repos 仍有 refs drift",
"2026-06-04 awoooi read-only refresh 顯示 Gitea heads=170、GitHub heads=2、Gitea tags=2、GitHub tags=0、main SHA=64490d32c67d24ed123cbd4e2261c69e17913e38 vs 202071f7a8724d5e8c29de441c3f380575a0ea94",
"S4.11 current refs truth classification 已重產為 194 個 refs review items;owner response received/accepted 仍為 0",
"S4.11 已建立 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,但目前 received_response_count=0、accepted_response_count=0、audit_events_emitted=0",
"不得 push/delete/force push refs"
],
"allowed_now": [
"mirror ref truth classification",
"mirror S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、templates、acceptance checks 與 rejection rules",
"顯示 single-ref review lane",
"更新 draft reconcile plan"
],
"execution_authorized": false
},
{
"gate_id": "WORKFLOW_SECRET_NAME_PARITY_REQUIRED",
"title": "workflow / webhook / runner / secret 名稱 parity",
"status": "missing_evidence",
"required_before_primary": [
"workflow 名稱與觸發條件 inventory 完成",
"webhook / deploy key / runner / branch protection / CODEOWNERS inventory 完成",
"secret 只列名稱與 owner,不保存 value"
],
"current_gap": [
"S4.2 local evidence 已重跑:10 個 candidate repos、9 個 local visible repos、5 個 local evidence repos、33 個 workflow files、42 個 unique referenced secret names、secret_value_detected=false",
"仍缺 webhook、runner owner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted evidence",
"S4.12 已建立 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,但目前 received_response_count=0、accepted_response_count=0、audit_events_emitted=0",
"不得搬移或輸出 secret value",
"不得因缺資料而假設 GitHub ready"
],
"allowed_now": [
"建立 read-only inventory plan",
"mirror S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、templates、acceptance checks 與 rejection rules",
"列出需要 owner 補證的欄位",
"維持 GitHub primary blocked"
],
"execution_authorized": false
},
{
"gate_id": "OWNER_VISIBILITY_CANONICAL_REQUIRED",
"title": "owner / visibility / canonical 決策",
"status": "pending_review",
"required_before_primary": [
"7 個 in-scope targets 完成 owner 決策",
"visibility 與 canonical repo 已人工確認",
"not_found_or_private 不得自動解讀為 repo 不存在"
],
"current_gap": [
"9 個 targets 仍需人工批准",
"2026-06-11 GitHub target probe 顯示 10 個候選中 5 個可讀、5 個 not_found_or_private;VibeWork 與 agent-bounty-protocol 只能視為需 owner response 的 private/new target candidate,not_found_or_private 仍不得解讀為 repo 不存在",
"S4.10 已建立 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,但目前 received_response_count=0、accepted_response_count=0",
"ewoooc / momo-pro-system canonical 關係尚未確認",
"bitan-pharmacy 與 tsenyang-website GitHub target 未確認"
],
"allowed_now": [
"顯示 approval board",
"mirror S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner decision response templates、acceptance checks 與 rejection rules",
"要求 repo owner 補決策",
"更新 visibility decision table"
],
"execution_authorized": false
},
{
"gate_id": "ROLLBACK_ADR_REQUIRED",
"title": "GitHub primary ADR 與 rollback plan",
"status": "pending_review",
"required_before_primary": [
"逐 repo GitHub primary ADR 完成",
"rollback plan 與 Gitea mirror/fallback 角色明確",
"切換前後監控與驗證 gate 已定義"
],
"current_gap": [
"S4.4 / P1-5 已建立 rollback ADR 草案與 rollback owner handoff package,但尚無 owner-approved decision record",
"9 個 in-scope repos 的 rollback owner handoff templates、fallback role、validation window 與 trigger 已定義;rollback owner response received/accepted 仍為 0",
"dry_run_completed_count=0,active_cutover_count=0,不得切換 GitHub primary"
],
"allowed_now": [
"mirror rollback ADR 草案",
"mirror P1-5 rollback owner handoff package、preflight checks、handoff packet 與 repo templates",
"列出 rollback evidence requirements",
"讓 AwoooP mirror blocked state"
],
"execution_authorized": false
}
],
"repo_readiness": [
{
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_refs_parity",
"risk": "HIGH",
"target_state": "exists_refs_blocked",
"primary_ready": false,
"blockers": [
"main SHA 不一致",
"2026-06-04 read-only refresh 顯示 Gitea heads=170、GitHub heads=2、Gitea-only heads=168、Gitea tags=2、GitHub tags=0",
"S4.11 ref truth classification 已重產為 194 items,但 owner response received/accepted 仍為 0",
"branches/tags/workflows/webhooks/secrets 名稱 inventory 尚未完成",
"GitHub primary ADR 與 rollback plan 尚未完成"
],
"evidence_refs": [
"docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md",
"docs/security/gitea-github-awoooi-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 refs truth review lane",
"更新 draft reconcile plan",
"要求 repo owner 判定真相來源"
],
"still_forbidden": [
"push refs",
"force push",
"delete refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_refs_parity",
"risk": "MEDIUM",
"target_state": "exists_refs_blocked",
"primary_ready": false,
"blockers": [
"main SHA 不一致",
"GitHub 缺 Gitea tag 的處理方式尚未決定",
"逐 repo rollback plan 尚未完成"
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 refs blocked reason",
"更新 draft reconcile plan",
"要求 repo owner 決定 tag 保留方式"
],
"still_forbidden": [
"push refs",
"delete refs",
"switch GitHub primary",
"delete Gitea repo"
]
},
{
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_refs_parity",
"risk": "MEDIUM",
"target_state": "exists_refs_blocked",
"primary_ready": false,
"blockers": [
"main SHA 不一致",
"GitHub-only branch 與 tags 來源尚未釐清",
"逐 repo rollback plan 尚未完成"
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 GitHub-only refs review lane",
"更新 refs truth classification",
"要求 repo owner 判定來源"
],
"still_forbidden": [
"push refs",
"delete GitHub-only refs",
"force push",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_internal_remote_decision",
"risk": "MEDIUM",
"target_state": "exists_aligned",
"primary_ready": false,
"blockers": [
"110 internal remote 用途尚未確認",
"infra secrets 名稱 inventory 尚未完成",
"逐 repo primary ADR 尚未完成"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 internal remote purpose review",
"要求 owner 判定 110 remote 是 active source、legacy mirror 或 fallback",
"只保存 secret 名稱 inventory,不保存 value"
],
"still_forbidden": [
"delete remote",
"sync refs",
"move secret values",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "HIGH",
"target_state": "not_found_or_private",
"primary_ready": false,
"blockers": [
"GitHub target 在未授權 probe 下看不到",
"ewoooc/momo-pro-system canonical 關係尚未確認",
"server-side refs diff 尚未完成"
],
"evidence_refs": [
"docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner / visibility / canonical 決策",
"補 server-side read-only refs diff"
],
"still_forbidden": [
"auto_create_repo",
"auto_merge_unrelated_histories",
"delete_working_tree",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "MEDIUM",
"target_state": "not_found_or_private",
"primary_ready": false,
"blockers": [
"2026-06-04 GitHub target probe 仍為 not_found_or_private",
"GitHub target 未確認",
"repo 是否仍 active 尚未確認",
"owner / visibility 決策尚未完成"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 確認 active 狀態",
"保持 read-only evidence"
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"delete 110 remote",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "MEDIUM",
"target_state": "not_found_or_private",
"primary_ready": false,
"blockers": [
"2026-06-04 GitHub target probe 仍為 not_found_or_private",
"GitHub target 未確認",
"repo 是否仍 active 尚未確認",
"owner / visibility 決策尚未完成"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 確認 active 狀態",
"保持 read-only evidence"
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"delete 110 remote",
"switch GitHub primary"
]
},
{
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"scope_status": "external_scope_review",
"readiness_state": "observe_scope_review",
"risk": "LOW",
"target_state": "external_scope",
"primary_ready": false,
"blockers": [
"尚未確認是否屬於 AWOOOI 資安供應鏈範圍",
"2026-06-04 GitHub target probe 顯示 heads=644,屬 external high-churn evidence,只能當 scope review summary",
"不納入 GitHub primary cutover 候選"
],
"evidence_refs": [
"docs/security/github-target-probe.snapshot.json"
],
"allowed_now": [
"顯示 scope review",
"維持 observe-only"
],
"still_forbidden": [
"加入 primary cutover queue",
"修改 repo visibility",
"sync refs"
]
},
{
"github_repo": "owenhytsai/VibeWork",
"source_key": "vibework",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "HIGH",
"target_state": "local_repo_visible_no_workflow_files",
"primary_ready": false,
"blockers": [
"VibeWork 新納入 IwoooS source-control primary readiness 範圍,owner / product / surface / canonical decision 尚未完成",
"本機 repo 可見但未找到 workflow / CODEOWNERS,仍需 owner 確認是否另有私有 workflow、repo secret、deploy key 或外部部署面",
"VibeWork 獨立產品邊界必須保留,不得由 AWOOOI primary readiness 直接併入或切換",
"workflow / runner / secret name owner response received / accepted 仍為 0"
],
"evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json"
],
"allowed_now": [
"顯示 VibeWork 納管缺口與 owner response lane",
"要求 repo / product / surface / owner / evidence refs",
"保持只讀 evidence 與獨立產品邊界"
],
"still_forbidden": [
"auto_create_repo",
"push_refs",
"modify_workflow",
"move_secret_values",
"switch GitHub primary",
"把 VibeWork 產品邊界併入 AWOOOI"
]
},
{
"github_repo": "owenhytsai/agent-bounty-protocol",
"source_key": "agent-bounty-protocol",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "HIGH",
"target_state": "local_gitea_workflow_visible",
"primary_ready": false,
"blockers": [
"agent-bounty-protocol 新納入 IwoooS 資安控管範圍,GitHub / Gitea target、owner 與 canonical decision 尚未完成",
"本機已見 1 個 Gitea workflow、0 個 referenced secret names 與 ubuntu-latest runner label,但 branch protection / CODEOWNERS / repository secret parity 尚未補齊",
"A2A / MCP / bounty / treasury / agent execution 邊界尚未建立 owner response 與 runtime gate",
"workflow / runner / secret name owner response received / accepted 仍為 0"
],
"evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json"
],
"allowed_now": [
"顯示 agent-bounty-protocol 新納管缺口與 owner response lane",
"只讀列出 workflow 名稱、runner label 與 secret name parity 缺口",
"要求 agent / bounty / treasury / execution surface owner 決策"
],
"still_forbidden": [
"auto_create_repo",
"push_refs",
"modify_workflow",
"enable_runner",
"move_secret_values",
"switch GitHub primary",
"把 bounty / agent 執行候選當 runtime 授權"
]
}
],
"gate_rules": [
"本契約只定義 GitHub primary readiness gate,不代表任何 repo 已可切換 primary。",
"primary_ready_count 必須維持 0,直到逐 repo parity、owner、visibility、rollback ADR 與人工批准全部完成。",
"not_found_or_private 不能當成 repo 不存在,也不能自動建立 GitHub repo。",
"Gitea 在 cutover 前仍是實際本地控制面;不得停用、刪除、封存或降級任何 repo。",
"secret 只能 inventory 名稱與 owner,不得搬移或保存 secret value。",
"任何 refs sync / repo creation / visibility change / primary switch 都需要新的 runtime gate 與人工批准。",
"Snapshot 必須標示 refresh date 與可重現路徑;過期暫存 worktree evidence 不得當成 current readiness。",
"由工具重產的 snapshot 若會覆蓋人工治理註記,必須分層保存或重產後補回治理狀態。",
"External scope / high-churn GitHub repo 只保留 summary evidence,不得直接加入 primary cutover queue。"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"delete_git_refs",
"force_push",
"switch_github_primary",
"disable_gitea",
"delete_or_archive_gitea_repo",
"move_secret_values",
"store_secret_token_cookie_private_key_or_exploit_payload",
"add_action_button"
]
}