{
"schema_version": "security_approval_decision_record_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "decision_record_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-approval-gate.snapshot.json",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-approval-state-transition.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json"
],
"summary": {
"total_decision_records": 0,
"approve_scope_count": 0,
"reject_count": 0,
"defer_count": 0,
"request_more_evidence_count": 0,
"keep_blocked_count": 0,
"pending_runtime_gate_count": 0,
"runtime_actions_authorized": false,
"raw_secret_storage_authorized": false
},
"decision_records": [],
"recording_rules": [
"每筆人工決策都必須引用 security_approval_gate_v1 的 gate_id 與 source_queue_item_id。",
"若決策來自 security_approval_review_packet_v1,需在 notes 或 evidence refs 保留 packet_id 的稽核關聯。",
"決策後的 next state 必須依 security_approval_state_transition_v1 顯示,且不得授權執行。",
"approve_scope 只代表批准該 scope 進下一步設計、草案、只讀 inventory、低噪音 scope 或人工 exception;不代表可立即執行。",
"所有 decision record 都必須維持 execution_authorized=false。",
"若 decision=approve_scope,AwoooP 只能依 security_followup_runtime_gate_v1 顯示 runtime gate 準備模板,不得啟用 runtime gate。",
"任何批准後的 scan、/execute、repo、refs、deploy、secret、RBAC、NetworkPolicy、firewall 變更都必須另有 follow-up runtime gate。",
"決策紀錄不得保存 raw secret、token、cookie、private key、credential value 或 exploit payload。"
],
"forbidden_actions": [
"execute_decision_record",
"auto_approve",
"execute_after_decision_without_runtime_gate",
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload"
]
}