wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity
Files
d7b5dfd85e3e16ffbd0a66a8d963ca2145eb0f21
awoooi/docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md
Your Name 9e15fd08b3
All checks were successful
CD Pipeline / tests (push) Successful in 1m39s
Details
Code Review / ai-code-review (push) Successful in 15s
Details
CD Pipeline / build-and-deploy (push) Successful in 5m19s
Details
CD Pipeline / post-deploy-checks (push) Successful in 2m11s
Details
feat(web): land iwooos security posture surfaces
2026-05-25 20:35:52 +08:00

8.4 KiB
Raw Blame History

Source Control Approval Board

項目 內容
日期 2026-05-12
狀態 draft
預設模式 mirror_only
authenticated inventory gate blocked
gate 原因 GITEA_READONLY_TOKEN 未提供,且不使用可 push 的既有 remote credential 當 read-only tokenserver-side private/internal repo list 仍未完成。
GitHub target owner response docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md
repo items 8
pending approval 7

0. 核心原則

本 board 只整理決策不授權執行。AwoooP 可以 mirror 成 approval candidate但不得建立 repo、修改 visibility、同步 refs、切 GitHub primary 或保存 credential value。

S4.10 已補 1 個 GitHub target owner response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 7 個 owner decision response templates目前 received / accepted response 皆為 0。response 通過後也只更新本 board、decision table、approval package 與 readiness gate 的 read-only 欄位,不代表 repo creation、visibility change、refs sync 或 primary approval。

1. 逐 repo 決策隊列

GitHub repo Lane Risk Probe Approval 下一步
owenhytsai/awoooi refs_reconcile HIGH exists pending 先產生 draft reconcile plan不 push refs、不切 primary。
owenhytsai/clawbot-v5 refs_reconcile MEDIUM exists pending 先產生 draft reconcile plan不 push refs、不切 primary。
owenhytsai/wooo-aiops refs_reconcile MEDIUM exists pending 先產生 draft reconcile plan不 push refs、不切 primary。
owenhytsai/wooo-infra-config internal_remote_purpose MEDIUM exists pending 先文件化用途與風險,不刪除 remote、不同步 refs。
owenhytsai/ewoooc target_creation_or_access HIGH not_found_or_private pending 先取得 owner / visibility 決策,不自動建立 repo。
owenhytsai/bitan-pharmacy target_creation_or_access MEDIUM not_found_or_private pending 先取得 owner / visibility 決策,不自動建立 repo。
owenhytsai/tsenyang-website target_creation_or_access MEDIUM not_found_or_private pending 先取得 owner / visibility 決策,不自動建立 repo。
nexu-io/open-design scope_review LOW exists not_required 只標記 scope review不納入主控切換。

2. 詳細阻塞點

owenhytsai/awoooi

  • Source keywooo/awoooi
  • Required decision決定 Gitea / GitHub refs 真相來源,並批准只產生 reconcile plan。
  • AwoooP consumptionapproval_candidate
  • Blocked until
    • Gitea server-side 全量 repo inventory status=ok
    • branches/tags/workflows/webhooks/secrets 名稱 inventory 完成
    • 部署真相來源已決定
    • GitHub primary ADR 與 rollback plan 完成
  • Still forbidden
    • 直接 push refs
    • 直接切 GitHub primary
    • 直接停用 Gitea
    • 搬 secret value
  • Evidence refs
    • docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md
    • docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md
    • docs/security/github-target-owner-decision-response.snapshot.json
    • docs/security/github-target-probe.snapshot.json

owenhytsai/clawbot-v5

  • Source keywooo/clawbot-v5
  • Required decision決定 Gitea / GitHub refs 真相來源,並批准只產生 reconcile plan。
  • AwoooP consumptionapproval_candidate
  • Blocked until
    • Gitea/GitHub main SHA 對齊或人工指定真相來源
    • GitHub 缺 Gitea tag 的處理方式已決定
  • Still forbidden
    • 直接 push refs
    • 直接切 primary
    • 刪除任一端 repo
  • Evidence refs
    • docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md
    • docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md
    • docs/security/github-target-owner-decision-response.snapshot.json
    • docs/security/github-target-probe.snapshot.json

owenhytsai/wooo-aiops

  • Source keywooo/wooo-aiops
  • Required decision決定 Gitea / GitHub refs 真相來源,並批准只產生 reconcile plan。
  • AwoooP consumptionapproval_candidate
  • Blocked until
    • Gitea/GitHub main SHA 對齊或人工指定真相來源
    • GitHub-only branch 與 tags 的來源已釐清
  • Still forbidden
    • 直接 push refs
    • 直接切 primary
    • 刪除 GitHub-only refs
  • Evidence refs
    • docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md
    • docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md
    • docs/security/github-target-owner-decision-response.snapshot.json
    • docs/security/github-target-probe.snapshot.json

owenhytsai/wooo-infra-config

  • Source keywooo/wooo-infra-config
  • Required decision決定 110 internal remote 是 active source、legacy mirror 或應降級。
  • AwoooP consumptionapproval_candidate
  • Blocked until
    • 110 internal remote 用途已確認
    • 若 110 remote 為舊主控,已降級或移除
    • infra secrets 名稱 inventory 完成
  • Still forbidden
    • 直接刪除 remote
    • 直接同步 refs
    • 搬 infra secret value
  • Evidence refs
    • docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md
    • docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md
    • docs/security/github-target-owner-decision-response.snapshot.json
    • docs/security/github-target-probe.snapshot.json

owenhytsai/ewoooc

  • Source keywooo/ewoooc / root/momo-pro-system / momo working trees
  • Required decision決定 GitHub repo owner / visibility / 是否建立或授權既有 repo。
  • AwoooP consumptionapproval_candidate
  • Blocked until
    • ewoooc/momo-pro-system canonical 關係人工確認
    • server-side refs diff 完成
    • GitHub repo owner 與 visibility 決策完成
  • Still forbidden
    • 自動建立 mirror
    • 自動合併 unrelated histories
    • 刪除任一 momo/ewoooc working tree
    • 切 GitHub primary
  • Evidence refs
    • docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md
    • docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md
    • docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md
    • docs/security/github-target-owner-decision-response.snapshot.json
    • docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md
    • docs/security/github-target-probe.snapshot.json

owenhytsai/bitan-pharmacy

  • Source keybitan-pharmacy
  • Required decision決定 GitHub repo owner / visibility / 是否建立或授權既有 repo。
  • AwoooP consumptionapproval_candidate
  • Blocked until
    • 確認 repo 是否仍 active
    • GitHub repo owner 與 visibility 決策完成
  • Still forbidden
    • 自動建立 repo
    • 自動 push refs
    • 刪除 110 remote
  • Evidence refs
    • docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md
    • docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md
    • docs/security/github-target-owner-decision-response.snapshot.json
    • docs/security/github-target-probe.snapshot.json

owenhytsai/tsenyang-website

  • Source keytsenyang-website
  • Required decision決定 GitHub repo owner / visibility / 是否建立或授權既有 repo。
  • AwoooP consumptionapproval_candidate
  • Blocked until
    • 確認 repo 是否仍 active
    • GitHub repo owner 與 visibility 決策完成
  • Still forbidden
    • 自動建立 repo
    • 自動 push refs
    • 刪除 110 remote
  • Evidence refs
    • docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md
    • docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md
    • docs/security/github-target-owner-decision-response.snapshot.json
    • docs/security/github-target-probe.snapshot.json

nexu-io/open-design

  • Source keyopen-design
  • Required decision決定此 repo 是否屬於 AWOOOI 資安供應鏈範圍。
  • AwoooP consumptionscope_review_only
  • Blocked until
    • 確認是否屬於 AWOOOI 資安網範圍
  • Still forbidden
    • auto_execute
    • sync_refs
    • switch_primary
  • Evidence refs
    • docs/security/github-target-probe.snapshot.json

3. Gate 前允許做的事

  1. 更新 read-only evidence。
  2. 更新 approval board / decision table。
  3. 寫 draft reconcile plan。
  4. 把 pending approval mirror 到 AwoooP。

4. Gate 前仍禁止

  • 使用 write-capable credential 當作 read-only token
  • 建立 GitHub repo
  • 修改 repo visibility
  • sync refs
  • switch GitHub primary
Reference in New Issue View Git Blame Copy Permalink