wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity
Files
e00282908f7e140bdfbed13502792f85ea4488fd
awoooi/docs/security/source-control-primary-readiness-gate.snapshot.json

422 lines
16 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "source_control_primary_readiness_gate_v1",
"status": "draft_blocked",
"date": "2026-05-17",
"mode": "primary_readiness_gate_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json",
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"summary": {
"candidate_repo_count": 8,
"in_scope_repo_count": 7,
"external_scope_count": 1,
"primary_ready_count": 0,
"blocked_in_scope_count": 7,
"approval_required_count": 7,
"runtime_actions_authorized": false,
"github_primary_switch_authorized": false,
"action_buttons_allowed": false,
"raw_secret_storage_authorized": false
},
"global_readiness_gates": [
{
"gate_id": "GITEA_AUTHENTICATED_INVENTORY_REQUIRED",
"title": "Gitea private/internal 全量 inventory",
"status": "blocked",
"required_before_primary": [
"Gitea authenticated inventory 或 redacted admin export status=ok",
"確認所有 private/internal repo 都被納入 mapping",
"只保存 token_present=true/false不保存 token value"
],
"current_gap": [
"目前只有 public-only / blocked endpoint evidence",
"S4.5 已建立 authenticated/admin export request但尚未取得 `gitea_repo_inventory_v1.status=ok` evidence",
"S4.6 已建立 redacted import acceptance但目前 received_payload_count=0、accepted_payload_count=0",
"S4.7 已建立 owner coverage attestation request但目前 received_attestation_count=0、accepted_attestation_count=0",
"S4.9 已建立 owner response 收件包,但目前 received_response_count=0、accepted_response_count=0",
"public-only API 只看到 2 個 repos本機 remote inventory 看到 4 個 unique Gitea reposgap 仍待 owner 解釋",
"GITEA_READONLY_TOKEN 未提供",
"不得使用 write-capable credential 當 read-only token"
],
"allowed_now": [
"顯示 blocked reason",
"mirror S4.5 authenticated inventory export request",
"mirror S4.6 redacted inventory import acceptance",
"mirror S4.7 owner coverage attestation request",
"mirror S4.9 owner attestation response templates",
"等待 read-only token 或 redacted admin export",
"更新 approval board 與 decision table"
],
"execution_authorized": false
},
{
"gate_id": "REFS_TRUTH_REQUIRED",
"title": "refs 真相來源與 branch/tag parity",
"status": "blocked",
"required_before_primary": [
"main/dev 與 active branch 真相來源已人工判定",
"release tags 保留或棄用決策完成",
"deprecated candidate refs 已由 repo owner review"
],
"current_gap": [
"3 個 mapped repos 仍有 refs drift",
"141 個 refs review items 尚待人工判定",
"S4.11 已建立 refs truth owner response 收件包,但目前 received_response_count=0、accepted_response_count=0",
"不得 push/delete/force push refs"
],
"allowed_now": [
"mirror ref truth classification",
"mirror S4.11 owner response templates、acceptance checks 與 rejection rules",
"顯示 single-ref review lane",
"更新 draft reconcile plan"
],
"execution_authorized": false
},
{
"gate_id": "WORKFLOW_SECRET_NAME_PARITY_REQUIRED",
"title": "workflow / webhook / runner / secret 名稱 parity",
"status": "missing_evidence",
"required_before_primary": [
"workflow 名稱與觸發條件 inventory 完成",
"webhook / deploy key / runner / branch protection / CODEOWNERS inventory 完成",
"secret 只列名稱與 owner不保存 value"
],
"current_gap": [
"S4.1 已定義 workflow / webhook / runner / secret 名稱 inventory 契約,但尚未收集實際 redacted snapshot",
"不得搬移或輸出 secret value",
"不得因缺資料而假設 GitHub ready"
],
"allowed_now": [
"建立 read-only inventory plan",
"列出需要 owner 補證的欄位",
"維持 GitHub primary blocked"
],
"execution_authorized": false
},
{
"gate_id": "OWNER_VISIBILITY_CANONICAL_REQUIRED",
"title": "owner / visibility / canonical 決策",
"status": "pending_review",
"required_before_primary": [
"7 個 in-scope targets 完成 owner 決策",
"visibility 與 canonical repo 已人工確認",
"not_found_or_private 不得自動解讀為 repo 不存在"
],
"current_gap": [
"7 個 targets 仍需人工批准",
"S4.10 已建立 GitHub target owner decision response 收件包,但目前 received_response_count=0、accepted_response_count=0",
"ewoooc / momo-pro-system canonical 關係尚未確認",
"bitan-pharmacy 與 tsenyang-website GitHub target 未確認"
],
"allowed_now": [
"顯示 approval board",
"mirror S4.10 owner decision response templates、acceptance checks 與 rejection rules",
"要求 repo owner 補決策",
"更新 visibility decision table"
],
"execution_authorized": false
},
{
"gate_id": "ROLLBACK_ADR_REQUIRED",
"title": "GitHub primary ADR 與 rollback plan",
"status": "pending_review",
"required_before_primary": [
"逐 repo GitHub primary ADR 完成",
"rollback plan 與 Gitea mirror/fallback 角色明確",
"切換前後監控與驗證 gate 已定義"
],
"current_gap": [
"S4.4 已建立 rollback ADR 草案,但尚無 owner-approved decision record",
"7 個 in-scope repos 的 rollback owner、validation window 與 trigger 仍需人工審查",
"dry_run_completed_count=0active_cutover_count=0不得切換 GitHub primary"
],
"allowed_now": [
"mirror rollback ADR 草案",
"列出 rollback evidence requirements",
"讓 AwoooP mirror blocked state"
],
"execution_authorized": false
}
],
"repo_readiness": [
{
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_refs_parity",
"risk": "HIGH",
"target_state": "exists_refs_blocked",
"primary_ready": false,
"blockers": [
"main SHA 不一致",
"branches/tags/workflows/webhooks/secrets 名稱 inventory 尚未完成",
"GitHub primary ADR 與 rollback plan 尚未完成"
],
"evidence_refs": [
"docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 refs truth review lane",
"更新 draft reconcile plan",
"要求 repo owner 判定真相來源"
],
"still_forbidden": [
"push refs",
"force push",
"delete refs",
"switch GitHub primary",
"disable Gitea"
]
},
{
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_refs_parity",
"risk": "MEDIUM",
"target_state": "exists_refs_blocked",
"primary_ready": false,
"blockers": [
"main SHA 不一致",
"GitHub 缺 Gitea tag 的處理方式尚未決定",
"逐 repo rollback plan 尚未完成"
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 refs blocked reason",
"更新 draft reconcile plan",
"要求 repo owner 決定 tag 保留方式"
],
"still_forbidden": [
"push refs",
"delete refs",
"switch GitHub primary",
"delete Gitea repo"
]
},
{
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_refs_parity",
"risk": "MEDIUM",
"target_state": "exists_refs_blocked",
"primary_ready": false,
"blockers": [
"main SHA 不一致",
"GitHub-only branch 與 tags 來源尚未釐清",
"逐 repo rollback plan 尚未完成"
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 GitHub-only refs review lane",
"更新 refs truth classification",
"要求 repo owner 判定來源"
],
"still_forbidden": [
"push refs",
"delete GitHub-only refs",
"force push",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_internal_remote_decision",
"risk": "MEDIUM",
"target_state": "exists_aligned",
"primary_ready": false,
"blockers": [
"110 internal remote 用途尚未確認",
"infra secrets 名稱 inventory 尚未完成",
"逐 repo primary ADR 尚未完成"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 internal remote purpose review",
"要求 owner 判定 110 remote 是 active source、legacy mirror 或 fallback",
"只保存 secret 名稱 inventory不保存 value"
],
"still_forbidden": [
"delete remote",
"sync refs",
"move secret values",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "HIGH",
"target_state": "not_found_or_private",
"primary_ready": false,
"blockers": [
"GitHub target 未授權 probe 看不到",
"ewoooc/momo-pro-system canonical 關係尚未確認",
"server-side refs diff 尚未完成"
],
"evidence_refs": [
"docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md",
"docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner / visibility / canonical 決策",
"補 server-side read-only refs diff"
],
"still_forbidden": [
"auto_create_repo",
"auto_merge_unrelated_histories",
"delete_working_tree",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "MEDIUM",
"target_state": "not_found_or_private",
"primary_ready": false,
"blockers": [
"GitHub target 未確認",
"repo 是否仍 active 尚未確認",
"owner / visibility 決策尚未完成"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 確認 active 狀態",
"保持 read-only evidence"
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"delete 110 remote",
"switch GitHub primary"
]
},
{
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"scope_status": "in_scope",
"readiness_state": "blocked_waiting_target_decision",
"risk": "MEDIUM",
"target_state": "not_found_or_private",
"primary_ready": false,
"blockers": [
"GitHub target 未確認",
"repo 是否仍 active 尚未確認",
"owner / visibility 決策尚未完成"
],
"evidence_refs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 確認 active 狀態",
"保持 read-only evidence"
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"delete 110 remote",
"switch GitHub primary"
]
},
{
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"scope_status": "external_scope_review",
"readiness_state": "observe_scope_review",
"risk": "LOW",
"target_state": "external_scope",
"primary_ready": false,
"blockers": [
"尚未確認是否屬於 AWOOOI 資安供應鏈範圍",
"不納入 GitHub primary cutover 候選"
],
"evidence_refs": [
"docs/security/github-target-probe.snapshot.json"
],
"allowed_now": [
"顯示 scope review",
"維持 observe-only"
],
"still_forbidden": [
"加入 primary cutover queue",
"修改 repo visibility",
"sync refs"
]
}
],
"gate_rules": [
"本契約只定義 GitHub primary readiness gate不代表任何 repo 已可切換 primary。",
"primary_ready_count 必須維持 0直到逐 repo parity、owner、visibility、rollback ADR 與人工批准全部完成。",
"not_found_or_private 不能當成 repo 不存在,也不能自動建立 GitHub repo。",
"Gitea 在 cutover 前仍是實際本地控制面;不得停用、刪除、封存或降級任何 repo。",
"secret 只能 inventory 名稱與 owner不得搬移或保存 secret value。",
"任何 refs sync / repo creation / visibility change / primary switch 都需要新的 runtime gate 與人工批准。"
],
"forbidden_actions": [
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"delete_git_refs",
"force_push",
"switch_github_primary",
"disable_gitea",
"delete_or_archive_gitea_repo",
"move_secret_values",
"store_secret_token_cookie_private_key_or_exploit_payload",
"add_action_button"
]
}
Reference in New Issue View Git Blame Copy Permalink