awoooi/docs/security/source-control-primary-readiness-gate.snapshot.json
{
"schema_version": "source_control_primary_readiness_gate_v1",
"status": "draft_blocked",
"date": "2026-06-04",
"mode": "primary_readiness_gate_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json",
"docs/security/gitea-github-awoooi-inventory.snapshot.json",
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-public-repo-search.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/github-target-probe.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"summary": {
"candidate_repo_count": 8,
"in_scope_repo_count": 7,
"external_scope_count": 1,
"primary_ready_count": 0,
"blocked_in_scope_count": 7,
"approval_required_count": 7,
"runtime_actions_authorized": false,
"github_primary_switch_authorized": false,
"action_buttons_allowed": false,
"raw_secret_storage_authorized": false
},
"global_readiness_gates": [
{
"gate_id": "GITEA_AUTHENTICATED_INVENTORY_REQUIRED",
"title": "Gitea private/internal 全量 inventory",
"status": "blocked",
"required_before_primary": [
"Gitea authenticated inventory 或 redacted admin export status=ok",
"確認所有 private/internal repo 都被納入 mapping",
"只保存 token_present=true/false，不保存 token value"
],
"current_gap": [
"目前只有 public-only / blocked endpoint evidence",
"S4.5 已建立 authenticated/admin export request，但尚未取得 `gitea_repo_inventory_v1.status=ok` evidence",
"S4.6 已建立 redacted import acceptance，但目前 received_payload_count=0、accepted_payload_count=0",
"S4.7 已建立 owner coverage attestation request，但目前 received_attestation_count=0、accepted_attestation_count=0",
"S4.9 已建立 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes，但目前 received_response_count=0、accepted_response_count=0、audit_events_emitted=0",
"S4.13 validation rollup 已將 S4.9 納入四包 owner response 驗收總覽、evidence routing rules、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checks、reviewer audit redaction examples、reviewer audit retention rules、reviewer audit retention checks、reviewer audit handoff packets、handoff checks、parallel session sync checks、parallel session conflict lanes、parallel session recovery checks 與 parallel session recovery outcome lanes，但目前 total_received_response_count=0、total_accepted_response_count=0、reviewer audit emitted=0",
"public-only API 只看到 2 個 repos，本機 remote inventory 看到 4 個 unique Gitea repos，gap 仍待 owner 解釋",
"GITEA_READONLY_TOKEN 未提供",
"不得使用 write-capable credential 當 read-only token"
],
"allowed_now": [
"顯示 blocked reason",
"mirror S4.5 authenticated inventory export request",
"mirror S4.6 redacted inventory import acceptance",
"mirror S4.7 owner coverage attestation request",
"mirror S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner attestation response templates、intake preflight checks 與 outcome lanes",
"mirror S4.13 owner response validation rollup, evidence routing rules, display sections, state transition rules, reviewer checklist, reviewer outcome lanes, reviewer audit event templates, reviewer audit display sections, reviewer audit collection checks, reviewer audit redaction examples, reviewer audit retention rules, reviewer audit retention checks, reviewer audit handoff packets, reviewer audit handoff checks, parallel session sync checks, parallel session conflict lanes, parallel session recovery checks, parallel session recovery outcome lanes",
"等待 read-only token 或 redacted admin export",
"更新 approval board 與 decision table"
],
"execution_authorized": false
},
{
"gate_id": "REFS_TRUTH_REQUIRED",
"title": "refs 真相來源與 branch/tag parity",
"status": "blocked",
"required_before_primary": [
"main/dev 與 active branch 真相來源已人工判定",
"release tags 保留或棄用決策完成",
"deprecated candidate refs 已由 repo owner review"
],
"current_gap": [
"3 個 mapped repos 仍有 refs drift",
"2026-06-04 awoooi read-only refresh 顯示 Gitea heads=170、GitHub heads=2、Gitea tags=2、GitHub tags=0、main SHA=64490d32c67d24ed123cbd4e2261c69e17913e38 vs 202071f7a8724d5e8c29de441c3f380575a0ea94",
"S4.11 current refs truth classification 已重產為 194 個 refs review items，owner response received/accepted 仍為 0",
"S4.11 已建立 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,但目前 received_response_count=0、accepted_response_count=0、audit_events_emitted=0",
"不得 push/delete/force push refs"
],
"allowed_now": [
"mirror ref truth classification",
"mirror S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、templates、acceptance checks 與 rejection rules",
"顯示 single-ref review lane",
"更新 draft reconcile plan"
],
"execution_authorized": false
},
{
"gate_id": "WORKFLOW_SECRET_NAME_PARITY_REQUIRED",
"title": "workflow / webhook / runner / secret 名稱 parity",
"status": "missing_evidence",
"required_before_primary": [
"workflow 名稱與觸發條件 inventory 完成",
"webhook / deploy key / runner / branch protection / CODEOWNERS inventory 完成",
"secret 只列名稱與 owner，不保存 value"
],
"current_gap": [
"S4.2 local evidence 已於 2026-06-04 重跑，8 個 candidate repos、7 個 local visible repos、4 個 local evidence repos、31 個 workflow files、42 個 unique referenced secret names、secret_value_detected=false",
"仍缺 webhook、runner owner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted evidence",
"S4.12 已建立 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,但目前 received_response_count=0、accepted_response_count=0、audit_events_emitted=0",
"不得搬移或輸出 secret value",
"不得因缺資料而假設 GitHub ready"
],
"allowed_now": [
"建立 read-only inventory plan",
"mirror S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、templates、acceptance checks 與 rejection rules",
"列出需要 owner 補證的欄位",
"維持 GitHub primary blocked"
],
"execution_authorized": false
},
{
"gate_id": "OWNER_VISIBILITY_CANONICAL_REQUIRED",
"title": "owner / visibility / canonical 決策",
"status": "pending_review",
"required_before_primary": [
"7 個 in-scope targets 完成 owner 決策",
"visibility 與 canonical repo 已人工確認",
"not_found_or_private 不得自動解讀為 repo 不存在"
],
"current_gap": [
"7 個 targets 仍需人工批准",
"2026-06-04 GitHub target probe 顯示 8 個候選中 5 個可讀、3 個 not_found_or_private，not_found_or_private 仍不得解讀為 repo 不存在",
"S4.10 已建立 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,但目前 received_response_count=0、accepted_response_count=0",
"ewoooc / momo-pro-system canonical 關係尚未確認",
"bitan-pharmacy 與 tsenyang-website GitHub target 未確認"
],
"allowed_now": [
"顯示 approval board",
"mirror S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner decision response templates、acceptance checks 與 rejection rules",
"要求 repo owner 補決策",
"更新 visibility decision table"
],
"execution_authorized": false
},
{
"gate_id": "ROLLBACK_ADR_REQUIRED",
"title": "GitHub primary ADR 與 rollback plan",
"status": "pending_review",
"required_before_primary": [
"逐 repo GitHub primary ADR 完成",
"rollback plan 與 Gitea mirror/fallback 角色明確",
"切換前後監控與驗證 gate 已定義"
],
"current_gap": [
"S4.4 / P1-5 已建立 rollback ADR 草案與 rollback owner handoff package，但尚無 owner-approved decision record",
"7 個 in-scope repos 的 rollback owner handoff templates、fallback role、validation window 與 trigger 已定義，rollback owner response received/accepted 仍為 0",
"dry_run_completed_count=0，active_cutover_count=0，不得切換 GitHub primary"
],
"allowed_now": [
"mirror rollback ADR 草案",
"mirror P1-5 rollback owner handoff package、preflight checks、handoff packet 與 repo templates",
"列出 rollback evidence requirements",
"讓 AwoooP mirror blocked state"
],
"execution_authorized": false
}
],
"repo_readiness": [
{
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_refs_parity",
"risk": "HIGH",
"target_state": "exists_refs_blocked",
"primary_ready": false,
"blockers": [
"main SHA 不一致",
"2026-06-04 read-only refresh 顯示 Gitea heads=170、GitHub heads=2、Gitea-only heads=168、Gitea tags=2、GitHub tags=0",
"S4.11 ref truth classification 已重產為 194 items，但 owner response received/accepted 仍為 0",
"branches/tags/workflows/webhooks/secrets 名稱 inventory 尚未完成",
"GitHub primary ADR 與 rollback plan 尚未完成"
],
"evidence_refs": [
"docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md",
"docs/security/gitea-github-awoooi-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 refs truth review lane",
"更新 draft reconcile plan",
"要求 repo owner 判定真相來源"
],
"still_forbidden": [
"push refs",
"force push",
"delete refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_refs_parity",
"risk": "MEDIUM",
"target_state": "exists_refs_blocked",
"primary_ready": false,
"blockers": [
"main SHA 不一致",
"GitHub 缺 Gitea tag 的處理方式尚未決定",
"逐 repo rollback plan 尚未完成"
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 refs blocked reason",
"更新 draft reconcile plan",
"要求 repo owner 決定 tag 保留方式"
],
"still_forbidden": [
"push refs",
"delete refs",
"switch GitHub primary",
"delete Gitea repo"
]
},
{
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_refs_parity",
"risk": "MEDIUM",
"target_state": "exists_refs_blocked",
"primary_ready": false,
"blockers": [
"main SHA 不一致",
"GitHub-only branch 與 tags 來源尚未釐清",
"逐 repo rollback plan 尚未完成"
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 GitHub-only refs review lane",
"更新 refs truth classification",
"要求 repo owner 判定來源"
],
"still_forbidden": [
"push refs",
"delete GitHub-only refs",
"force push",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_internal_remote_decision",
"risk": "MEDIUM",
"target_state": "exists_aligned",
"primary_ready": false,
"blockers": [
"110 internal remote 用途尚未確認",
"infra secrets 名稱 inventory 尚未完成",
"逐 repo primary ADR 尚未完成"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 internal remote purpose review",
"要求 owner 判定 110 remote 是 active source、legacy mirror 或 fallback",
"只保存 secret 名稱 inventory，不保存 value"
],
"still_forbidden": [
"delete remote",
"sync refs",
"move secret values",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "HIGH",
"target_state": "not_found_or_private",
"primary_ready": false,
"blockers": [
"GitHub target 未授權 probe 看不到",
"ewoooc/momo-pro-system canonical 關係尚未確認",
"server-side refs diff 尚未完成"
],
"evidence_refs": [
"docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner / visibility / canonical 決策",
"補 server-side read-only refs diff"
],
"still_forbidden": [
"auto_create_repo",
"auto_merge_unrelated_histories",
"delete_working_tree",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "MEDIUM",
"target_state": "not_found_or_private",
"primary_ready": false,
"blockers": [
"2026-06-04 GitHub target probe 仍為 not_found_or_private",
"GitHub target 未確認",
"repo 是否仍 active 尚未確認",
"owner / visibility 決策尚未完成"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 確認 active 狀態",
"保持 read-only evidence"
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"delete 110 remote",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "MEDIUM",
"target_state": "not_found_or_private",
"primary_ready": false,
"blockers": [
"2026-06-04 GitHub target probe 仍為 not_found_or_private",
"GitHub target 未確認",
"repo 是否仍 active 尚未確認",
"owner / visibility 決策尚未完成"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/github-target-probe.snapshot.json",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 確認 active 狀態",
"保持 read-only evidence"
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"delete 110 remote",
"switch GitHub primary"
]
},
{
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"scope_status": "external_scope_review",
"readiness_state": "observe_scope_review",
"risk": "LOW",
"target_state": "external_scope",
"primary_ready": false,
"blockers": [
"尚未確認是否屬於 AWOOOI 資安供應鏈範圍",
"2026-06-04 GitHub target probe 顯示 heads=644，屬 external high-churn evidence，只能當 scope review summary",
"不納入 GitHub primary cutover 候選"
],
"evidence_refs": [
"docs/security/github-target-probe.snapshot.json"
],
"allowed_now": [
"顯示 scope review",
"維持 observe-only"
],
"still_forbidden": [
"加入 primary cutover queue",
"修改 repo visibility",
"sync refs"
]
}
],
"gate_rules": [
"本契約只定義 GitHub primary readiness gate，不代表任何 repo 已可切換 primary。",
"primary_ready_count 必須維持 0，直到逐 repo parity、owner、visibility、rollback ADR 與人工批准全部完成。",
"not_found_or_private 不能當成 repo 不存在,也不能自動建立 GitHub repo。",
"Gitea 在 cutover 前仍是實際本地控制面;不得停用、刪除、封存或降級任何 repo。",
"secret 只能 inventory 名稱與 owner，不得搬移或保存 secret value。",
"任何 refs sync / repo creation / visibility change / primary switch 都需要新的 runtime gate 與人工批准。",
"Snapshot 必須標示 refresh date 與可重現路徑;過期暫存 worktree evidence 不得當成 current readiness。",
"由工具重產的 snapshot 若會覆蓋人工治理註記,必須分層保存或重產後補回治理狀態。",
"External scope / high-churn GitHub repo 只保留 summary evidence，不得直接加入 primary cutover queue。"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"delete_git_refs",
"force_push",
"switch_github_primary",
"disable_gitea",
"delete_or_archive_gitea_repo",
"move_secret_values",
"store_secret_token_cookie_private_key_or_exploit_payload",
"add_action_button"
]
}