{
"schema_version": "source_control_ref_truth_owner_response_v1",
"status": "draft_waiting_owner_response",
"date": "2026-05-17",
"mode": "owner_ref_truth_response_intake_only",
"runtime_execution_authorized": false,
"source_contract": "source_control_ref_truth_classification_v1",
"target_contract": "source_control_reconcile_plan_v1",
"source_indexes": [
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
"docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"summary": {
"owner_response_status": "waiting_owner_response",
"repo_count": 3,
"total_ref_review_item_count": 141,
"manual_truth_required_count": 4,
"deprecated_candidate_count": 114,
"release_tag_review_count": 3,
"github_only_review_count": 20,
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"acceptance_check_count": 8,
"rejection_rule_count": 10,
"refs_sync_authorized": false,
"refs_delete_authorized": false,
"force_push_authorized": false,
"github_primary_switch_authorized": false,
"secret_value_collection_allowed": false,
"action_buttons_allowed": false
},
"response_templates": [
{
"template_id": "response-main-branch-truth-source",
"lane": "main_truth_required",
"affected_repos": [
"wooo/awoooi -> owenhytsai/awoooi",
"wooo/clawbot-v5 -> owenhytsai/clawbot-v5",
"wooo/wooo-aiops -> owenhytsai/wooo-aiops"
],
"risk": "HIGH",
"covered_item_count": 3,
"requested_owner_decision": "判定三個 main branch 的真相來源、deploy marker owner、production source owner 與 rollback point owner;維持 refs action disabled。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"ref_name",
"truth_source_or_sha",
"deploy_marker_owner",
"production_source_owner",
"rollback_point_owner",
"evidence_refs"
],
"acceptable_decisions": [
"choose_gitea_as_truth_candidate",
"choose_github_as_truth_candidate",
"choose_specific_sha_as_truth_candidate",
"hold_pending_deploy_marker",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"acceptance_criteria": [
"必須逐 repo 標示 main branch 的候選真相來源,不可只寫全域結論。",
"必須說明 deploy marker、production source 與 rollback point 的 owner 或補證 owner。",
"必須明確承認通過收件後只更新 read-only classification / reconcile / readiness wording,不授權 refs sync。"
],
"rejection_conditions": [
"把 main branch truth response 當成可直接 push refs 或切 primary。",
"沒有 repo、ref_name、truth_source_or_sha 或 deploy evidence owner。",
"含有 token、credential、private URL 憑證或未脫敏截圖。"
],
"allowed_outputs": [
"更新 `source-control-ref-truth-classification.snapshot.json` 的 read-only owner response 欄位。",
"更新 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 的 owner response 摘要。",
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 blocker wording,且 primary_ready_count 維持 0。"
],
"execution_authorized": false
},
{
"template_id": "response-active-dev-branch-truth-source",
"lane": "active_branch_truth_required",
"affected_repos": [
"wooo/awoooi -> owenhytsai/awoooi"
],
"risk": "HIGH",
"covered_item_count": 1,
"requested_owner_decision": "判定 `wooo/awoooi` 的 `dev` branch 是否仍是 active workflow、legacy branch 或需補證;維持 refs action disabled。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"ref_name",
"workflow_owner",
"branch_disposition",
"evidence_refs"
],
"acceptable_decisions": [
"keep_active_branch_candidate",
"mark_branch_legacy_candidate",
"hold_pending_workflow_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json"
],
"acceptance_criteria": [
"必須指出 `dev` 是否仍有開發、部署、CI 或 release workflow 用途。",
"若標為 legacy,只能標記 candidate,不代表刪除或封存批准。",
"必須提供 workflow owner 或 request_more_evidence owner。"
],
"rejection_conditions": [
"要求立即刪除或同步 `dev` branch。",
"沒有 workflow owner 或 branch disposition。",
"把 legacy candidate 當成 delete approval。"
],
"allowed_outputs": [
"更新 `dev` branch 的 read-only disposition 欄位。",
"更新 draft reconcile plan 的 blocked reason。",
"建立 request_more_evidence lane。"
],
"execution_authorized": false
},
{
"template_id": "response-drift-deprecated-candidate-batch",
"lane": "archive_or_deprecate_candidate",
"affected_repos": [
"wooo/awoooi drift/adopt-*"
],
"risk": "LOW",
"covered_item_count": 114,
"requested_owner_decision": "批次判定 `drift/adopt-*` refs 是否可列為 deprecated candidate、audit retention candidate 或需拆批補證;標記 deprecated candidate 不等於 delete approval。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"ref_pattern_or_ref_list",
"retention_owner",
"audit_or_rollback_use",
"evidence_refs"
],
"acceptable_decisions": [
"mark_deprecated_candidate",
"keep_audit_retention_candidate",
"split_batch_requires_more_evidence",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md"
],
"acceptance_criteria": [
"必須明確說明這是批次 owner disposition,不是刪除批准。",
"必須提供 retention owner 或補證 owner。",
"若需要拆批,必須說明拆分準則與下一個 evidence owner。"
],
"rejection_conditions": [
"把 deprecated candidate 當成 delete approval。",
"要求刪除、rewrite、force push 或 prune refs。",
"未說明 audit / rollback / retention 用途是否仍存在。"
],
"allowed_outputs": [
"更新 classification 的 deprecated candidate owner response 欄位。",
"更新人工 review checklist。",
"維持 refs delete / push / force push 禁用。"
],
"execution_authorized": false
},
{
"template_id": "response-release-tag-retention",
"lane": "release_tag_missing_on_github",
"affected_repos": [
"wooo/awoooi v7.2.0",
"wooo/awoooi v7.3.0",
"wooo/clawbot-v5 v5.5-sprint1"
],
"risk": "MEDIUM",
"covered_item_count": 3,
"requested_owner_decision": "判定 release tags 是否需要保留、是否為 legacy candidate,或是否等待 artifact / deploy owner 補證;維持 tag action disabled。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"tag_name",
"artifact_owner",
"deploy_marker_owner",
"retention_disposition",
"evidence_refs"
],
"acceptable_decisions": [
"keep_release_tag_candidate",
"mark_tag_legacy_candidate",
"hold_pending_artifact_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-primary-rollback-adr.snapshot.json"
],
"acceptance_criteria": [
"必須逐 tag 指定 artifact owner、deploy marker owner 或補證 owner。",
"必須說明保留或 legacy candidate 的依據。",
"必須明確不授權 tag push、tag rewrite 或 tag delete。"
],
"rejection_conditions": [
"要求立即同步、重寫或刪除 tag。",
"缺 artifact owner 或 deploy marker owner。",
"把 tag retention response 當成 release approval。"
],
"allowed_outputs": [
"更新 release tag review lane。",
"更新 rollback ADR 的 evidence gap wording。",
"維持 tag action disabled。"
],
"execution_authorized": false
},
{
"template_id": "response-github-only-ref-review",
"lane": "github_only_manual_review",
"affected_repos": [
"wooo/wooo-aiops refactor/phase-9.3",
"wooo/wooo-aiops 19 UAT tags"
],
"risk": "MEDIUM",
"covered_item_count": 20,
"requested_owner_decision": "判定 GitHub-only branch / UAT tags 是否保留、回補候選、legacy candidate 或需稽核 owner 補證;backfill 只能是 candidate,不代表 push。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"ref_name_or_pattern",
"github_only_owner",
"audit_owner",
"backfill_candidate_reason",
"evidence_refs"
],
"acceptable_decisions": [
"keep_github_only_candidate",
"backfill_to_gitea_candidate",
"mark_legacy_github_only_candidate",
"hold_pending_audit_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md"
],
"acceptance_criteria": [
"必須說明 GitHub-only refs 的用途、owner 或補證 owner。",
"若選 backfill_to_gitea_candidate,必須明確標示只是候選,不授權 push。",
"必須維持 GitHub primary readiness blocked。"
],
"rejection_conditions": [
"把 backfill candidate 當成 push approval。",
"要求刪除 GitHub-only refs 或直接同步到 Gitea。",
"缺 GitHub-only owner 或 audit owner。"
],
"allowed_outputs": [
"更新 GitHub-only review lane。",
"更新 draft reconcile plan 的 candidate wording。",
"維持 refs action disabled。"
],
"execution_authorized": false
}
],
"acceptance_checks": [
{
"check_id": "maps_to_known_ref_truth_lane",
"title": "回覆對應既有 refs truth lane",
"required": true,
"pass_condition": "`lane` 必須對應 source_control_ref_truth_classification_v1 既有 lane:main_truth_required、active_branch_truth_required、archive_or_deprecate_candidate、release_tag_missing_on_github 或 github_only_manual_review。",
"failure_lane": "reject_unknown_ref_truth_lane",
"execution_authorized": false
},
{
"check_id": "decision_value_allowed",
"title": "決策值在允許範圍內",
"required": true,
"pass_condition": "`decision` 必須是該 response template 的 acceptable_decisions 之一。",
"failure_lane": "request_owner_correction",
"execution_authorized": false
},
{
"check_id": "repo_and_ref_scope_present",
"title": "repo 與 ref scope 已標示",
"required": true,
"pass_condition": "每筆回覆必須有 repo 與 ref_name、tag_name、ref_pattern 或 ref_list;批次回覆必須有可重現範圍。",
"failure_lane": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "truth_source_or_disposition_present",
"title": "真相來源或 disposition 已說明",
"required": true,
"pass_condition": "main/dev lane 必須有 truth source 或 workflow disposition;deprecated/release/GitHub-only lane 必須有 retention、legacy、backfill candidate 或補證 disposition。",
"failure_lane": "keep_ref_truth_blocked",
"execution_authorized": false
},
{
"check_id": "deploy_or_artifact_evidence_present_for_high_risk",
"title": "高風險 ref 有 deploy 或 artifact owner",
"required": true,
"pass_condition": "main branch 與 release tag response 必須提供 deploy marker、production source、rollback point 或 artifact owner;未知時必須選 hold/unknown。",
"failure_lane": "request_deploy_or_artifact_owner",
"execution_authorized": false
},
{
"check_id": "no_refs_action_requested",
"title": "不含 refs 執行要求",
"required": true,
"pass_condition": "回覆不得要求 fetch、push refs、delete refs、force push、mirror sync、tag rewrite、branch rewrite 或 prune refs。",
"failure_lane": "reject_refs_action",
"execution_authorized": false
},
{
"check_id": "no_primary_or_repo_change_requested",
"title": "不含 primary 或 repo 變更要求",
"required": true,
"pass_condition": "回覆不得要求切 GitHub primary、建立 repo、修改 visibility、停用 Gitea、刪除 Gitea 或封存 Gitea。",
"failure_lane": "reject_primary_or_repo_action",
"execution_authorized": false
},
{
"check_id": "secret_values_absent",
"title": "未包含 secret value",
"required": true,
"pass_condition": "`evidence_refs` 只能指向 repo 內文件、snapshot 或已脫敏 owner metadata;回覆的任一欄位(不限於 evidence_refs,含 decision_reason)均不得含 token、credential、secret value、private key、deploy key value、cookie 或 session。",
"failure_lane": "quarantine_sensitive_payload",
"execution_authorized": false
}
],
"rejection_rules": [
"回覆含 token value、PAT、cookie、session、CSRF token、private key、deploy key value 或 partial credential 時必須拒收。",
"回覆要求 fetch、push refs、delete refs、force push、mirror sync、tag rewrite、branch rewrite 或 prune refs 時必須拒收。",
"回覆要求切 GitHub primary 或把 GitHub primary readiness 視為已完成時必須拒收。",
"回覆要求建立 repo、修改 repo visibility 或改 remote URL 時必須拒收。",
"回覆把 deprecated_candidate 當成 delete approval 時必須拒收。",
"回覆把 backfill_to_gitea_candidate 當成 push approval 時必須拒收。",
"回覆缺 repo/ref/lane 或批次範圍無法重現時不得標記 accepted。",
"main / release high-risk 回覆缺 deploy marker、artifact、rollback 或補證 owner 時不得標記 accepted。",
"回覆要求停用、刪除、封存或降級 Gitea 時必須拒收。",
"任何不確定是否含敏感值、私有 URL 憑證或未脫敏截圖的回覆必須先進 mirror quarantine。"
],
"allowed_outputs": [
"更新 `source-control-ref-truth-classification.snapshot.json` 的 read-only owner response 欄位。",
"更新 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 的 owner response 摘要。",
"更新 `source-control-reconcile-plan.snapshot.json` 的 draft wording。",
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 blocker wording。",
"建立 request_more_evidence / quarantine lane。",
"維持 `github_primary_ready_count=0` 與所有 refs / repo / primary execution flags false。"
],
"forbidden_actions": [
"fetch refs。",
"push refs。",
"delete refs。",
"force push。",
"rewrite branch 或 tag。",
"切 GitHub primary。",
"建立 GitHub repo 或修改 visibility。",
"停用、刪除、封存或降級 Gitea repo。",
"保存 secret value、token value、private key、cookie、session 或 deploy key value。",
"新增 AwoooP execution action button。"
]
}