From 180db19f5163c98cb2765afdf351bf27e70eb7d1 Mon Sep 17 00:00:00 2001 From: Your Name Date: Sun, 17 May 2026 21:46:51 +0800 Subject: [PATCH] docs(security): add github target owner response intake [skip ci] --- docs/LOGBOOK.md | 36 ++ ...get_owner_decision_response_v1.schema.json | 202 ++++++++ ...WOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md | 14 +- ...ECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md | 33 +- .../GITHUB-TARGET-OWNER-DECISION-RESPONSE.md | 125 +++++ .../GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md | 5 +- ...GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md | 8 +- docs/security/SECURITY-APPROVAL-GATE.md | 2 +- docs/security/SECURITY-APPROVAL-QUEUE.md | 2 +- .../SECURITY-APPROVAL-REVIEW-PACKET.md | 2 +- .../SECURITY-FOLLOWUP-RUNTIME-GATE.md | 2 +- docs/security/SECURITY-MIRROR-READINESS.md | 2 + .../security/SECURITY-MIRROR-STATUS-ROLLUP.md | 4 +- ...SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md | 6 +- .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 17 +- .../security/SOURCE-CONTROL-APPROVAL-BOARD.md | 10 + .../SOURCE-CONTROL-PRIMARY-READINESS-GATE.md | 12 +- .../github-target-decision.snapshot.json | 21 +- ...rget-owner-decision-response.snapshot.json | 449 ++++++++++++++++++ ...target-repo-approval-package.snapshot.json | 21 +- .../security-approval-gate.snapshot.json | 6 +- .../security-approval-queue.snapshot.json | 8 +- ...urity-approval-review-packet.snapshot.json | 10 +- ...curity-followup-runtime-gate.snapshot.json | 3 + .../security-mirror-readiness.snapshot.json | 24 +- ...ecurity-mirror-status-rollup.snapshot.json | 10 +- ...pply-chain-contract-manifest.snapshot.json | 24 +- ...ource-control-approval-board.snapshot.json | 8 + ...ntrol-primary-readiness-gate.snapshot.json | 24 +- 29 files changed, 1014 insertions(+), 76 deletions(-) create mode 100644 docs/schemas/github_target_owner_decision_response_v1.schema.json create mode 100644 docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md create mode 100644 docs/security/github-target-owner-decision-response.snapshot.json diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index fa08c08a2..66575603c 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,39 @@ +## 2026-05-17 | 資安供應鏈 S4.10:GitHub Target Owner Decision Response 收件包 + +**背景**:S1.1 / S1.2 已把 8 個 GitHub target 候選與 7 個 approval-required targets 文件化,S4.0 也已把 GitHub primary readiness gate 維持在 blocked;但 repo owner 真正回覆 owner / visibility / canonical 時,仍缺一份可填、可驗收、可拒收的 response intake 格式。為了維持低摩擦,本輪不新增第 36 個主 contract、不新增 approval item、不建立 GitHub repo、不改 visibility、不同步 refs、不切 primary;只新增 S4.10 owner response 收件包。 + +**完成**: +- 新增 `docs/schemas/github_target_owner_decision_response_v1.schema.json`。 +- 新增 `docs/security/github-target-owner-decision-response.snapshot.json` 與 `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md`。 +- 定義 7 個 response templates,對應 `awoooi`、`clawbot-v5`、`wooo-aiops`、`wooo-infra-config`、`ewoooc`、`bitan-pharmacy`、`tsenyang-website`。 +- 定義 8 個 acceptance checks 與 10 個 rejection rules,避免 owner response 夾帶 secret、repo creation、visibility change、refs sync、primary switch、Gitea disable/delete/archive 或 unrelated history auto-merge。 +- 更新 manifest、mirror readiness、status rollup、GitHub target decision table、repo approval package、source-control approval board、primary readiness gate、approval queue / gate / review packet / follow-up gate、AwoooP checklist、handoff 與 progress,使 AwoooP 能只讀顯示 S4.10 response templates。 + +**仍未完成**: +- 尚未收到任何 GitHub target owner response。 +- 尚未接受任何 owner / visibility / canonical decision。 +- 尚未完成 `ewoooc` / `momo-pro-system` canonical 判定。 +- 尚未補齊 refs truth、workflow / secret name parity、rollback ADR owner approval。 +- 尚未解開 GitHub primary readiness blocker。 + +**仍禁止**: +- 不建立 GitHub repo。 +- 不修改 GitHub repo visibility。 +- 不 push、delete、force push、mirror sync 或 rewrite refs。 +- 不切 GitHub primary。 +- 不停用、刪除、封存或降級 Gitea repo。 +- 不保存 token value、raw secret、cookie、session、private key、deploy key value 或未脫敏截圖。 +- 不把 S4.10 response packet 當成 repo creation、visibility change、refs sync 或 primary approval。 + +**驗證**: +- JSON 全量 parse 通過:137 個 JSON files。 +- S4.10 assertion 通過:target decisions 8 個、approval-required targets 7 個、response templates 7 個、received / accepted / rejected response 皆為 0。 +- Acceptance / rejection assertion 通過:8 個 acceptance checks、10 個 rejection rules,repo creation / visibility change / refs sync / GitHub primary / secret value / action button flags 全為 false。 +- Readiness assertion 通過:contract manifest 仍為 35 個主 contracts、mirror readiness 維持 32 ready / 2 partial / 1 contract-only / 0 blocked。 +- Approval lane assertion 通過:approval queue / review packets / follow-up runtime gate templates 維持 8 / 8 / 8,`active_runtime_gates=0`,`github_primary_ready_count=0`。 +- `git diff --check` 通過。 +- 敏感字串掃描確認本輪未保存 Kali SSH 密碼樣式、常見 token pattern、private key material 或 `GITEA_READONLY_TOKEN` value。 + ## 2026-05-17 | 資安供應鏈 S4.9:Gitea Owner Attestation Response 收件包 **背景**:S4.7 已定義 Gitea coverage gap 的 5 個 owner attestation items,S4.8 已把既有 Gitea approval queue / gate / review packet / follow-up runtime gate 對齊成 S4.7 先行;但 owner 真正回覆時仍缺一份可填、可驗收、可拒收的 response intake 格式。為了維持低摩擦,本輪不新增第 36 個主 contract、不新增第 9 個 approval item、不啟用 runtime gate;只新增 S4.9 owner response 收件包。 diff --git a/docs/schemas/github_target_owner_decision_response_v1.schema.json b/docs/schemas/github_target_owner_decision_response_v1.schema.json new file mode 100644 index 000000000..1655a93cb --- /dev/null +++ b/docs/schemas/github_target_owner_decision_response_v1.schema.json @@ -0,0 +1,202 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "urn:awoooi:github-target-owner-decision-response-v1", + "title": "GitHub Target Owner Decision Response 收件契約 v1", + "description": "定義 owner 回覆 GitHub target / owner / visibility / canonical 決策時的收件欄位、驗收規則與拒收規則。此 schema 不授權建立 repo、修改 visibility、同步 refs、保存 secret value 或切換 GitHub primary。", + "type": "object", + "required": [ + "schema_version", + "status", + "date", + "mode", + "runtime_execution_authorized", + "source_contract", + "target_contract", + "source_indexes", + "summary", + "response_templates", + "acceptance_checks", + "rejection_rules", + "allowed_outputs", + "forbidden_actions" + ], + "properties": { + "schema_version": { + "const": "github_target_owner_decision_response_v1" + }, + "status": { + "type": "string", + "enum": ["draft_waiting_owner_response"] + }, + "date": { + "type": "string" + }, + "mode": { + "type": "string", + "enum": ["owner_decision_response_intake_only"] + }, + "runtime_execution_authorized": { + "type": "boolean", + "const": false + }, + "source_contract": { + "type": "string", + "const": "github_target_decision_v1" + }, + "target_contract": { + "type": "string", + "const": "github_target_repo_approval_package_v1" + }, + "source_indexes": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "summary": { + "type": "object", + "required": [ + "owner_response_status", + "target_decision_count", + "approval_required_target_count", + "response_template_count", + "received_response_count", + "accepted_response_count", + "rejected_response_count", + "acceptance_check_count", + "rejection_rule_count", + "repo_creation_authorized", + "visibility_change_authorized", + "refs_sync_authorized", + "github_primary_switch_authorized", + "secret_value_collection_allowed", + "action_buttons_allowed" + ], + "properties": { + "owner_response_status": { + "type": "string", + "enum": ["waiting_owner_response"] + }, + "target_decision_count": {"type": "integer", "minimum": 0}, + "approval_required_target_count": {"type": "integer", "minimum": 0}, + "response_template_count": {"type": "integer", "minimum": 0}, + "received_response_count": {"type": "integer", "minimum": 0}, + "accepted_response_count": {"type": "integer", "minimum": 0}, + "rejected_response_count": {"type": "integer", "minimum": 0}, + "acceptance_check_count": {"type": "integer", "minimum": 0}, + "rejection_rule_count": {"type": "integer", "minimum": 0}, + "repo_creation_authorized": {"type": "boolean", "const": false}, + "visibility_change_authorized": {"type": "boolean", "const": false}, + "refs_sync_authorized": {"type": "boolean", "const": false}, + "github_primary_switch_authorized": {"type": "boolean", "const": false}, + "secret_value_collection_allowed": {"type": "boolean", "const": false}, + "action_buttons_allowed": {"type": "boolean", "const": false} + }, + "additionalProperties": false + }, + "response_templates": { + "type": "array", + "items": { + "type": "object", + "required": [ + "template_id", + "github_repo", + "source_key", + "target_state", + "risk", + "requested_owner_decision", + "required_owner_fields", + "acceptable_decisions", + "minimum_evidence_refs", + "acceptance_criteria", + "rejection_conditions", + "allowed_outputs", + "execution_authorized" + ], + "properties": { + "template_id": {"type": "string"}, + "github_repo": {"type": "string"}, + "source_key": {"type": "string"}, + "target_state": {"type": "string"}, + "risk": {"type": "string"}, + "requested_owner_decision": {"type": "string"}, + "required_owner_fields": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "acceptable_decisions": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "minimum_evidence_refs": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "acceptance_criteria": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "rejection_conditions": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "allowed_outputs": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "execution_authorized": { + "type": "boolean", + "const": false + } + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "acceptance_checks": { + "type": "array", + "items": { + "type": "object", + "required": [ + "check_id", + "title", + "required", + "pass_condition", + "failure_lane", + "execution_authorized" + ], + "properties": { + "check_id": {"type": "string"}, + "title": {"type": "string"}, + "required": {"type": "boolean"}, + "pass_condition": {"type": "string"}, + "failure_lane": {"type": "string"}, + "execution_authorized": {"type": "boolean", "const": false} + }, + "additionalProperties": false + }, + "minItems": 1 + }, + "rejection_rules": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "allowed_outputs": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "forbidden_actions": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + } + }, + "additionalProperties": false +} diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md index bec6a5191..250af9035 100644 --- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md +++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md @@ -47,8 +47,8 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 顯示 public-only evidence、S4.5 authenticated/admin export request、S4.6 redacted import acceptance、S4.7 owner coverage attestation 與 S4.9 owner response 收件包;不保存 token value、不刪除或停用 Gitea repo | | `local_git_remote_inventory_v1` | 本機可見 Git working tree remote | Source-control coverage evidence、migration matrix | mirror-only | 不視為 Gitea server 全量、不修改 remote | | `github_target_probe_v1` | 候選 GitHub repo read-only probe | Migration target evidence | mirror-only | `not_found_or_private` 不等同確認不存在 | -| `github_target_decision_v1` | GitHub target 建立與可見性決策草案 | Approval candidate、Migration target evidence | mirror-only | approval 前不得建立 repo、修改 visibility、同步 refs | -| `github_target_repo_approval_package_v1` | GitHub target 逐 repo approval package | Approval queue、Migration target evidence | mirror-only | 低摩擦,只 gate 高風險執行 | +| `github_target_decision_v1` | GitHub target 建立與可見性決策草案;S4.10 owner decision response 收件包 | Approval candidate、Migration target evidence | mirror-only | approval 前不得建立 repo、修改 visibility、同步 refs;S4.10 response 目前 0 筆,不代表執行批准 | +| `github_target_repo_approval_package_v1` | GitHub target 逐 repo approval package;S4.10 response templates | Approval queue、Migration target evidence | mirror-only | 低摩擦,只 gate 高風險執行;response 通過也只更新 read-only evidence | | `source_control_approval_board_v1` | 逐 repo owner / visibility / canonical / refs 決策 board | Approval queue、PR reviewer handoff | approval-only | 只顯示決策隊列,不執行 board item | | `source_control_reconcile_plan_v1` | refs-blocked repo draft reconcile plan | Approval candidate、migration reviewer handoff | approval-only | 只顯示草案,不 push refs、不切 primary | | `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff,不 fetch、不 push、不刪 refs | @@ -121,8 +121,8 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `approval_required_event_v1.requested_action=run_gitea_readonly_inventory` | `approve_required` | 只允許 read-only token 或 redacted admin export,不保存 token value | | `local_git_remote_inventory_v1.status=partial` | `observe` | 補 server-side inventory,不做主控切換 | | `github_target_probe_v1.status=ok` 且有 `not_found_or_private` | `observe` | 補 GitHub target 決策,不自動建立 repo | -| `github_target_decision_v1.approval_required_count>0` | `approve_required` | 產生 approval candidate,但不執行 repo 建立或 visibility 修改 | -| `github_target_repo_approval_package_v1.status=draft` | `observe` | 建立 approval queue draft,不阻擋 read-only evidence | +| `github_target_decision_v1.approval_required_count>0` | `approve_required` | 產生 approval candidate,並顯示 S4.10 owner decision response templates;不執行 repo 建立、visibility 修改、refs sync 或 primary switch | +| `github_target_repo_approval_package_v1.status=draft` | `observe` | 建立 approval queue draft,不阻擋 read-only evidence;S4.10 response 通過前不得視為 repo / visibility / refs 批准 | | `source_control_approval_board_v1.pending_approval_count>0` | `approve_required` | 顯示逐 repo 決策隊列,不執行 repo 建立、visibility 修改、refs sync | | `source_control_reconcile_plan_v1.status=draft_blocked` | `approve_required` | 只顯示 refs reconcile 草案與 gate,不執行 sync | | `source_control_ref_detail_diff_v1.status=draft_blocked` | `observe` | 顯示 branch/tag 明細 diff,支援人工 review | @@ -170,6 +170,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | Source Control Canonical Repo 判定表 | `docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md` | | GitHub target probe snapshot | `docs/security/github-target-probe.snapshot.json` / `docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md` | | GitHub target 決策 snapshot | `docs/security/github-target-decision.snapshot.json` / `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` | +| GitHub target owner decision response 收件包 | `docs/security/github-target-owner-decision-response.snapshot.json` / `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` | | GitHub target repo approval package | `docs/security/github-target-repo-approval-package.snapshot.json` / `docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md` | | Source Control approval board | `docs/security/source-control-approval-board.snapshot.json` / `docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md` | | Source Control draft reconcile plan | `docs/security/source-control-reconcile-plan.snapshot.json` / `docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md` | @@ -209,5 +210,6 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 1. AwoooP 主線先把本清單視為契約消費檢查清單。 2. Security Supply Chain Session 補齊 Gitea 全量 repo inventory 的只讀 token 或管理匯出來源。 -3. AwoooP 只建立 mirror/read-only policy 入口,不新增 execution action。 -4. 任一方要把事件升級成實際執行,都必須先產出 `approval_required_event_v1`,並在 `security_approval_queue_v1` 中維持 `blocked_until_approved=true` 直到人工決策完成。 +3. Security Supply Chain Session 依 S4.10 收到並驗收 7 個 GitHub target owner / visibility / canonical response。 +4. AwoooP 只建立 mirror/read-only policy 入口,不新增 execution action。 +5. 任一方要把事件升級成實際執行,都必須先產出 `approval_required_event_v1`,並在 `security_approval_queue_v1` 中維持 `blocked_until_approved=true` 直到人工決策完成。 diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index 75c810435..0e2b685f4 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md @@ -73,7 +73,7 @@ ```text Kali / Code Review / GitHub / Gitea / Codex -> security_supply_chain_contract_manifest_v1 - -> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / security_approval_state_transition_v1 / security_followup_runtime_gate_v1 / source_control_primary_readiness_gate_v1 / source_control_primary_rollback_adr_v1 / source_control_workflow_secret_name_inventory_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1 + -> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / security_approval_state_transition_v1 / security_followup_runtime_gate_v1 / source_control_primary_readiness_gate_v1 / source_control_primary_rollback_adr_v1 / source_control_workflow_secret_name_inventory_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_owner_decision_response_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1 -> AWOOOI ingestion / asset_inventory / AIOps KPI / AOL -> mirror 到 AwoooP Runtime State / Channel Event / Audit -> AwoooP Policy / Approval / Exception / Operator Console @@ -327,7 +327,7 @@ Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json` Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json` -目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆;primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response templates 5 筆、received response 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 +目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆;primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response templates 5 筆、received response 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。 @@ -581,7 +581,27 @@ Schema:`docs/schemas/github_target_decision_v1.schema.json` } ``` -AwoooP 初期處理方式:作為 approval candidate 與 migration target evidence;不得直接建立 GitHub repo、修改 visibility、同步 refs 或切 GitHub primary。 +AwoooP 初期處理方式:作為 approval candidate 與 migration target evidence;需同時顯示 S4.10 owner decision response templates、received_response_count=0 與 rejection rules;不得直接建立 GitHub repo、修改 visibility、同步 refs 或切 GitHub primary。 + +### `github_target_owner_decision_response_v1` + +用途:定義 7 個 approval-required GitHub targets 的 owner / visibility / canonical response 收件欄位、驗收規則與拒收規則。 + +Schema:`docs/schemas/github_target_owner_decision_response_v1.schema.json` + +最小欄位: + +```json +{ + "schema_version": "github_target_owner_decision_response_v1", + "status": "draft_waiting_owner_response", + "response_template_count": 7, + "received_response_count": 0, + "accepted_response_count": 0 +} +``` + +AwoooP 初期處理方式:mirror 成 owner response review lane。response 通過後只更新 read-only decision table、approval package、approval board 與 primary readiness gate;不得把 response packet 當成 repo creation、visibility change、refs sync 或 GitHub primary approval。 ### `github_target_repo_approval_package_v1` @@ -600,7 +620,7 @@ Schema:`docs/schemas/github_target_repo_approval_package_v1.schema.json` } ``` -AwoooP 初期處理方式:mirror 成 approval queue draft。低摩擦原則下,read-only evidence 不被阻擋;只有 repo creation、visibility change、refs sync、primary switch 等高風險執行才需要 approval。 +AwoooP 初期處理方式:mirror 成 approval queue draft,並連到 S4.10 response 收件包。低摩擦原則下,read-only evidence 不被阻擋;只有 repo creation、visibility change、refs sync、primary switch 等高風險執行才需要 approval。 ### `approval_required_event_v1` @@ -785,6 +805,8 @@ Console 初期不提供高風險執行按鈕。 2026-05-12 GitHub target repo-by-repo approval package 追加:已新增 `docs/schemas/github_target_repo_approval_package_v1.schema.json`、`docs/security/github-target-repo-approval-package.snapshot.json` 與 `docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md`。7 個 approval-required targets 已拆成逐 repo pending package;依統帥提醒採低摩擦分階段,不把 read-only evidence 變成阻擋條件。 +2026-05-17 S4.10 GitHub target owner decision response 收件包追加:已新增 `docs/schemas/github_target_owner_decision_response_v1.schema.json`、`docs/security/github-target-owner-decision-response.snapshot.json` 與 `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md`。AwoooP 可顯示 7 個 response templates、8 個 acceptance checks 與 10 個 rejection rules;目前收到 response 0 筆、接受 0 筆,仍不得建立 repo、修改 visibility、sync refs、切 GitHub primary 或停用 Gitea。 + 2026-05-12 低摩擦 rollout policy 追加:已新增 `docs/schemas/security_rollout_policy_v1.schema.json`、`docs/security/security-rollout-policy.snapshot.json` 與 `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md`。AwoooP 初期應採 observe-first / mirror-only,不把 LOW / MEDIUM observation 變成 blocking controls。 2026-05-12 contract manifest 追加:已新增 `docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`、`docs/security/security-supply-chain-contract-manifest.snapshot.json` 與 `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md`。AwoooP 應先讀 manifest 作為 mirror-only contract registry,不把 manifest 當 execution router。 @@ -881,6 +903,8 @@ Console 初期不提供高風險執行按鈕。 - [GitHub target probe script](/Users/ogt/awoooi/scripts/security/github-target-probe.py) - [GitHub target 決策表](/Users/ogt/awoooi/docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md) - [github_target_decision_v1 snapshot](/Users/ogt/awoooi/docs/security/github-target-decision.snapshot.json) +- [GitHub target owner decision response 收件包](/Users/ogt/awoooi/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md) +- [github_target_owner_decision_response_v1 snapshot](/Users/ogt/awoooi/docs/security/github-target-owner-decision-response.snapshot.json) - [GitHub target repo-by-repo approval package](/Users/ogt/awoooi/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md) - [github_target_repo_approval_package_v1 snapshot](/Users/ogt/awoooi/docs/security/github-target-repo-approval-package.snapshot.json) - [低摩擦資安 rollout policy](/Users/ogt/awoooi/docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md) @@ -930,6 +954,7 @@ Console 初期不提供高風險執行按鈕。 - [local_git_remote_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/local_git_remote_inventory_v1.schema.json) - [github_target_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_probe_v1.schema.json) - [github_target_decision_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_decision_v1.schema.json) +- [github_target_owner_decision_response_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_owner_decision_response_v1.schema.json) - [github_target_repo_approval_package_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_repo_approval_package_v1.schema.json) - [security_rollout_policy_v1 schema](/Users/ogt/awoooi/docs/schemas/security_rollout_policy_v1.schema.json) - [security_supply_chain_contract_manifest_v1 schema](/Users/ogt/awoooi/docs/schemas/security_supply_chain_contract_manifest_v1.schema.json) diff --git a/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md b/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md new file mode 100644 index 000000000..8e40aa3cf --- /dev/null +++ b/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md @@ -0,0 +1,125 @@ +# GitHub Target Owner Decision Response 收件包 + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-05-17 | +| 狀態 | 草案,等待 owner response | +| 資料契約 | `docs/schemas/github_target_owner_decision_response_v1.schema.json` | +| 快照 | `docs/security/github-target-owner-decision-response.snapshot.json` | +| 來源契約 | `github_target_decision_v1` | +| 目標契約 | `github_target_repo_approval_package_v1` | +| 模式 | `owner_decision_response_intake_only` | +| 執行面授權 | `false` | + +## 0. 核心結論 + +S4.10 補的是「owner 要怎麼回覆 7 個 GitHub target 的 owner / visibility / canonical 決策」。 + +S4.10 不是 repo creation approval、不是 visibility change approval、不是 refs sync approval,也不是 GitHub primary approval。它只把 owner response 的欄位、可接受決策、驗收規則、拒收規則與允許輸出固定下來,讓 AwoooP 能只讀顯示並等待人工補證。 + +此文件不要求貼 token,不接受 raw secret,不建立 GitHub repo,不修改 visibility,不 sync refs,不切 primary,也不停用 Gitea。 + +## 1. Response 摘要 + +| 指標 | 值 | +|------|----| +| owner response 狀態 | `waiting_owner_response` | +| GitHub target decisions | 8 | +| 需要人工決策 targets | 7 | +| response templates | 7 | +| 已收到 response | 0 | +| 已接受 response | 0 | +| 已拒收 response | 0 | +| acceptance checks | 8 | +| rejection rules | 10 | +| 授權建立 repo | `false` | +| 授權修改 visibility | `false` | +| 授權 sync refs | `false` | +| 授權切換 GitHub primary | `false` | +| 允許收集 secret value | `false` | +| 允許 action button | `false` | + +## 2. Owner Response 必填欄位 + +每筆 response 至少要能回答: + +1. `owner_role_or_team`:回覆者角色或團隊,不要求個人敏感資訊。 +2. `decision`:必須是該 target template 允許的決策值。 +3. `decision_reason`:為什麼做此 owner / visibility / canonical 判定。 +4. `canonical_source`:in-scope 或 candidate target 必須標示;未知時要明確寫 `unknown_requires_more_evidence`。 +5. `github_target_disposition` 或 `internal_remote_disposition`:說明 target 是 existing candidate、private access request、new target candidate、out-of-scope 或需補證。 +6. `visibility_review_owner`:repo visibility 的 review 責任人;若 out-of-scope,需提供 disposition。 +7. `evidence_refs`:只能指向 repo 內文件、snapshot 或 owner 提供的脫敏 metadata。 + +## 3. 七個 Response Template + +| Template | GitHub target | 驗收重點 | +|----------|---------------|----------| +| `target-awoooi-refs-blocked` | `owenhytsai/awoooi` | 指定 canonical source、visibility owner、refs truth owner;維持 primary blocked | +| `target-clawbot-v5-refs-blocked` | `owenhytsai/clawbot-v5` | 判定 main SHA / tag 真相來源與 owner | +| `target-wooo-aiops-refs-blocked` | `owenhytsai/wooo-aiops` | 判定 GitHub-only branch / tags 的來源 owner 與 disposition | +| `target-wooo-infra-config-internal-remote` | `owenhytsai/wooo-infra-config` | 判定 110 internal remote 用途與 infra secret 名稱 inventory owner | +| `target-ewoooc-private-or-new` | `owenhytsai/ewoooc` | 判定 ewoooc / momo-pro-system canonical 關係與 private/new target disposition | +| `target-bitan-pharmacy-private-or-new` | `owenhytsai/bitan-pharmacy` | 判定 repo 是否仍 active、GitHub target disposition、owner 與 visibility owner | +| `target-tsenyang-website-private-or-new` | `owenhytsai/tsenyang-website` | 判定 repo 是否仍 active、GitHub target disposition、owner 與 visibility owner | + +## 4. 可接受決策值 + +| Decision | 意義 | +|----------|------| +| `approve_existing_target_as_candidate` | 只同意既有 GitHub target 作為候選,不授權 refs / primary 執行 | +| `approve_private_target_access_request` | 只同意要求 owner 補 private target access evidence,不授權修改設定 | +| `approve_new_target_creation_candidate` | 只同意把新 target 建立列為候選計畫,不授權建立 repo | +| `hold_pending_refs_truth` | 維持等待 refs truth / tag disposition | +| `hold_pending_canonical_review` | 維持等待 canonical / owner review | +| `mark_external_or_out_of_scope` | 標示為外部或不納入本輪 scope,需附 owner 理由 | +| `unknown_requires_more_evidence` | 證據不足,需補脫敏 evidence | + +## 5. 驗收規則 + +1. response 必須對應 7 個 approval-required GitHub targets 之一。 +2. `decision` 必須在該 target 的允許值內。 +3. 必須有 owner 與 visibility review 責任,或明確 out-of-scope disposition。 +4. in-scope 或 candidate target 必須說明 canonical source。 +5. 不得繞過 refs truth、workflow-secret parity、Gitea inventory、rollback ADR 或 server-side diff 缺口。 +6. 不得夾帶 repo creation 或 visibility change 指令。 +7. 不得夾帶 refs sync、primary switch 或 disable Gitea 指令。 +8. `evidence_refs` 必須已脫敏,不得包含 token、credential、secret value、private key 或 deploy key value。 + +## 6. 必須拒收 + +1. token value、PAT、cookie、session、CSRF token、private key 或 partial credential。 +2. repo creation command、API request body、CLI command 或 automation payload。 +3. visibility change command 或要求立即修改 public/private/internal visibility。 +4. push refs、delete refs、force push、mirror sync、tag rewrite 或 branch rewrite。 +5. 切 GitHub primary、停用 Gitea、刪除 Gitea、封存 Gitea 或移除 fallback。 +6. 缺 owner、visibility review owner、canonical source 或 out-of-scope disposition。 +7. 把 `not_found_or_private` 自動解釋為 repo 不存在或可建立。 +8. 要求自動合併 unrelated histories 或刪除 momo / ewoooc working tree。 +9. 把 owner decision response 當成 repo migration approval、refs sync approval 或 primary approval。 +10. 任何不確定是否含敏感值、私有 URL 憑證或未脫敏截圖的回覆。 + +## 7. AwoooP 可做 + +1. 顯示 7 個 owner decision response templates。 +2. 顯示 acceptance checks 與 rejection rules。 +3. 在 owner response 到來後,只更新 read-only decision table、approval package、approval board、primary readiness gate 與 status rollup。 +4. 將不完整或可疑 response 放進 mirror quarantine。 +5. 持續顯示 `received_response_count=0`、`accepted_response_count=0`,直到真的收到脫敏 response。 + +## 8. AwoooP 不可做 + +1. 不要求使用者貼 token、secret、private key、cookie、session 或 deploy key。 +2. 不把 response 當成 repo creation approval。 +3. 不把 response 當成 visibility change approval。 +4. 不把 response 當成 refs sync approval。 +5. 不把 response 當成 GitHub primary approval。 +6. 不建立 GitHub repo。 +7. 不修改 GitHub/Gitea repo。 +8. 不新增執行按鈕。 + +## 9. 階段定位 + +S4.10 是 S1.1 / S1.2 / S4.0 後面的安全收件包。 + +它讓 7 個 GitHub target 的 owner / visibility / canonical response 變得可審、可驗收、可拒收,但仍停在框架期。真正進入 GitHub primary 或 refs migration 前,仍必須等 Gitea inventory、refs truth、workflow-secret parity、rollback ADR、owner approval 與後續 runtime gate 全部補齊。 diff --git a/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md b/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md index 13846d338..2c3565807 100644 --- a/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md +++ b/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md @@ -7,6 +7,7 @@ | 上游決策 | `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` | | JSON snapshot | `docs/security/github-target-repo-approval-package.snapshot.json` | | Schema | `docs/schemas/github_target_repo_approval_package_v1.schema.json` | +| Owner response 收件包 | `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` | | 低摩擦 policy | `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md` | | 原則 | 低摩擦、逐 repo 決策,不自動建 repo、不改 visibility、不同步 refs、不切 primary | @@ -20,6 +21,8 @@ 這份 package 只讓 AwoooP / 統帥看到每個 repo 的批准條件與禁止動作,不代表已批准 push、mirror、repo creation、visibility 修改或 GitHub primary。 +S4.10 已補 7 個 owner decision response templates。owner response 通過後只允許更新 read-only decision table、approval package、approval board 與 primary readiness gate;它不等於 repo creation、visibility change、refs sync 或 primary approval。 + ## 0.1 低摩擦分階段原則 初期資安網的目標是先建立框架與 evidence,不是把整個產品、架構、流程一次拉到最高限制。為避免造成開發、部署與營運流程過度複雜,本 package 採用以下原則: @@ -73,6 +76,6 @@ AwoooP 不得直接執行 GitHub repo creation、visibility change、refs sync ## 5. 下一步 1. 等待 Gitea full inventory approval 完成,補 private/internal repo list。 -2. 逐 repo 取得 owner / visibility / canonical 決策。 +2. 依 S4.10 逐 repo 取得 owner / visibility / canonical response,並先通過 acceptance / rejection rules。 3. 對 refs blocked repos 產生 reconcile plan。 4. 對 `ewoooc` 先完成 canonical 判定,再決定 target 建立或授權。 diff --git a/docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md b/docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md index 03d55612b..c858d767b 100644 --- a/docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md +++ b/docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md @@ -7,6 +7,7 @@ | 上游 evidence | `docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md`、`docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md` | | JSON snapshot | `docs/security/github-target-decision.snapshot.json` | | Repo-by-repo approval package | `docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md` | +| Owner response 收件包 | `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` | | 原則 | 不自動建立 repo、不改 visibility、不同步 refs、不切 primary | ## 0. 核心結論 @@ -20,6 +21,8 @@ 因此現階段不得建立自動 mirror,也不得把 GitHub primary 視為 ready。 +S4.10 已補 owner decision response 收件包;它只定義 7 個 approval-required targets 的回覆欄位、驗收規則與拒收規則,目前 received / accepted response 皆為 0,不代表 repo creation、visibility change、refs sync 或 primary approval。 + ## 1. 決策表 | GitHub target | Source key | Probe | Target state | 建議動作 | 風險 | 人工批准 | @@ -64,5 +67,6 @@ AwoooP 不得直接做: 2. 針對 `ewoooc/momo-pro-system` 完成 server-side refs diff 與 canonical 判定。 3. 確認 `bitan-pharmacy`、`tsenyang-website` 是否仍 active。 4. 確認 `wooo-infra-config` 的 110 internal remote 是否應移除或保留為 mirror。 -5. 任何 repo 建立、visibility 修改或 mirror 行為,都必須先走 approval。 -6. Approval 只套用高風險執行動作;read-only inventory 與 evidence mirror 不應被過度阻擋。 +5. 依 S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` 收到並驗收 owner / visibility / canonical response。 +6. 任何 repo 建立、visibility 修改或 mirror 行為,都必須先走 approval。 +7. Approval 只套用高風險執行動作;read-only inventory 與 evidence mirror 不應被過度阻擋。 diff --git a/docs/security/SECURITY-APPROVAL-GATE.md b/docs/security/SECURITY-APPROVAL-GATE.md index d4022dda1..79dc08716 100644 --- a/docs/security/SECURITY-APPROVAL-GATE.md +++ b/docs/security/SECURITY-APPROVAL-GATE.md @@ -38,7 +38,7 @@ S3.1 開始,實際人工決策紀錄由 `security_approval_decision_record_v1` | 1 | Redacted finding ingestion | 只批准設計或 draft PR | | 2 | Safe web crawl | 只批准低噪音 scope 定義 | | 3 | Gitea owner attestation + read-only inventory | 先依 S4.9 驗收 S4.7 owner response,再只批准只讀 inventory 或 redacted admin export | -| 4 | GitHub target decisions | 只批准逐 repo 決策草案 | +| 4 | GitHub target decisions | 只批准逐 repo S4.10 response 驗收與決策草案 | | 5 | Ref truth review | 只批准人工分類與 reconcile 草案 | | 6 | Credentialed scan | 只允許人工 exception 設計,仍需 runtime gate | | 7 | Kali full-upgrade / reboot | 只允許維護窗口與 rollback 規劃 | diff --git a/docs/security/SECURITY-APPROVAL-QUEUE.md b/docs/security/SECURITY-APPROVAL-QUEUE.md index 72ef9f03a..ced6f5101 100644 --- a/docs/security/SECURITY-APPROVAL-QUEUE.md +++ b/docs/security/SECURITY-APPROVAL-QUEUE.md @@ -35,7 +35,7 @@ S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1 | 1 | `kali-finding-runtime-ingestion-approval-20260513` | 先接 redacted finding evidence,風險低、價值高 | | 2 | `kali-safe-web-crawl-approval-20260513` | TLS/header/basic crawl 屬低噪音,但仍需批准 scope | | 3 | `gitea-private-internal-server-side-inventory-2026-05-12` | 先依 S4.9 收到並驗收 S4.7 owner coverage attestation response,再審 Gitea 全量版本轉 GitHub 的只讀 inventory gate | -| 4 | `source-control-target-repo-approval-bundle-20260513` | 逐 repo owner / visibility / canonical 決策 | +| 4 | `source-control-target-repo-approval-bundle-20260513` | 先依 S4.10 驗收逐 repo owner / visibility / canonical response | | 5 | `source-control-ref-truth-review-bundle-20260513` | refs truth / deprecated / release tag review | | 6 | `kali-credentialed-scan-approval-20260513` | 需要憑證,風險較高 | | 7 | `kali-full-upgrade-reboot-approval-20260513` | 需要維護窗口、snapshot、rollback 與 post-check | diff --git a/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md b/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md index 717825981..ca92b28b7 100644 --- a/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md +++ b/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md @@ -39,7 +39,7 @@ S3.4 開始,等待 runtime gate 時要看哪些前置條件,由 `security_fo | 1 | Redacted finding ingestion | `design_or_draft_review` | 只審是否可設計或建立 draft PR | | 2 | Safe web crawl | `low_noise_scan_scope_review` | 只審低噪音 scope 定義 | | 3 | Gitea owner attestation + read-only inventory | `read_only_inventory_review` | 先依 S4.9 審 S4.7 owner response,再審只讀 token 或 redacted export | -| 4 | GitHub target decisions | `design_or_draft_review` | 只審 owner / visibility / canonical 草案 | +| 4 | GitHub target decisions | `design_or_draft_review` | 先審 S4.10 owner response,再審 owner / visibility / canonical 草案 | | 5 | Ref truth review | `design_or_draft_review` | 只審人工分類與 reconcile 草案 | | 6 | Credentialed scan | `manual_exception_review` | 只審 exception 設計 | | 7 | Kali full-upgrade / reboot | `manual_exception_review` | 只審維護窗口與 rollback 計畫 | diff --git a/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md b/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md index 93d15b1ba..f4d485c11 100644 --- a/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md +++ b/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md @@ -34,7 +34,7 @@ | Redacted finding ingestion | MEDIUM | 只準備 ingestion adapter 的 redaction / audit 前置條件 | | Safe web crawl scope | MEDIUM | 只準備 TLS/header/basic crawl 的低噪音 scope | | Gitea owner attestation + read-only inventory | MEDIUM | 先依 S4.9 驗收 S4.7 owner response,再準備 read-only token 或 redacted export inventory | -| GitHub target decision | HIGH | 只準備 owner / visibility / canonical / workflow parity 決策 | +| GitHub target decision | HIGH | 只準備 S4.10 owner response 驗收、owner / visibility / canonical / workflow parity 決策 | | Ref truth review | HIGH | 只準備 refs truth / deprecated / release tag 人工判定 | | Credentialed scan exception | HIGH | 只準備人工 exception、credential lifecycle 與停用方式 | | Kali full-upgrade / reboot | HIGH | 只準備維護窗口、snapshot、rollback 與 post-health | diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md index 5ae926ad0..03f75463d 100644 --- a/docs/security/SECURITY-MIRROR-READINESS.md +++ b/docs/security/SECURITY-MIRROR-READINESS.md @@ -87,4 +87,6 @@ AwoooP 可以將 ready / partial contracts mirror 到: 19. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 20. 最後再 mirror source-control 其他 contracts。 +GitHub target 決策面需同時 mirror S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` 與 `github-target-owner-decision-response.snapshot.json`,只顯示 7 個 owner decision response templates、received / accepted response 皆為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 response packet 當成 repo creation、visibility change、refs sync 或 GitHub primary approval。 + 整個 S2 不新增 execution router、不新增執行按鈕、不新增 runtime blocker。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 11fbd05bf..109768a83 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -27,7 +27,7 @@ | Review packets | S3.2 已建立;8 packets、7 ready for human review、1 block candidate | | State transitions | S3.3 已建立;5 個 decision options 都有 next state,且都不授權執行 | | Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates | -| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | +| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response 收件包,7 個 response templates、owner response 0 筆 | | GitHub primary rollback ADR | S4.4 已建立;7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover | | Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;S4.7 已補 owner coverage attestation;S4.8 已把既有 Gitea queue/gate/review packet/follow-up gate 對齊 attestation 先行;S4.9 已補 owner response 收件包;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、owner response 0 筆、敏感 payload 必須隔離、允許收集 token value=false | | Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;0 個 inventory complete、禁止收集 secret value、禁止 write token | @@ -60,7 +60,7 @@ 1. redacted finding ingestion adapter。 2. safe web crawl scope。 3. Gitea private/internal read-only inventory:先依 S4.9 收到並驗收 S4.7 owner coverage attestation response,且 S4.8 已把這個先行條件接到既有 approval queue / gate / review packet / follow-up runtime gate;再依 S4.5 認證匯出請求補全量清冊;收到脫敏 payload 後先依 S4.6 驗收 / 拒收 / 隔離;目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆,不保存 token value。 -4. GitHub target / owner / visibility / canonical。 +4. GitHub target / owner / visibility / canonical:先依 S4.10 收到並驗收 7 個 owner decision response templates;received / accepted response 目前皆為 0,不得把 response packet 當成 repo creation、visibility change、refs sync 或 primary approval。 5. Kali `/execute` 維持 block candidate。 6. GitHub primary readiness blockers 與 rollback ADR 缺口。 7. S4.4 GitHub primary rollback ADR 草案:先顯示 7 個 repo 的 rollback owner、validation window 與 triggers,owner approval 前不可執行。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md index a61de30b8..112687981 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md @@ -42,8 +42,8 @@ | `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory;S4.5 已補認證清冊匯出請求,S4.6 已補匯入驗收契約,S4.7 已補 owner coverage attestation,S4.9 已補 owner response 收件包 | public-only / blocked endpoint / S4.5 export request / S4.6 import acceptance / S4.7 coverage attestation / S4.9 response snapshots | | `local_git_remote_inventory_v1` | mirror-only | 本機 remote coverage | `local-git-remote-inventory.snapshot.json` | | `github_target_probe_v1` | mirror-only | GitHub target visibility | `github-target-probe.snapshot.json` | -| `github_target_decision_v1` | mirror-only | GitHub target 決策 | `github-target-decision.snapshot.json` | -| `github_target_repo_approval_package_v1` | approval-only | 逐 repo approval queue draft | `github-target-repo-approval-package.snapshot.json` | +| `github_target_decision_v1` | mirror-only | GitHub target 決策;S4.10 已補 owner decision response 收件包 | `github-target-decision.snapshot.json` / `github-target-owner-decision-response.snapshot.json` | +| `github_target_repo_approval_package_v1` | approval-only | 逐 repo approval queue draft;S4.10 response 通過前不得視為 repo / visibility / refs 批准 | `github-target-repo-approval-package.snapshot.json` / `github-target-owner-decision-response.snapshot.json` | | `source_control_approval_board_v1` | approval-only | 逐 repo owner / visibility / canonical / refs 決策 board | `source-control-approval-board.snapshot.json` | | `source_control_reconcile_plan_v1` | approval-only | refs-blocked repo 的 draft reconcile plan | `source-control-reconcile-plan.snapshot.json` | | `source_control_ref_detail_diff_v1` | mirror-only | refs-blocked repo 的 branch/tag 明細 diff | `source-control-ref-detail-diff.snapshot.json` | @@ -60,7 +60,7 @@ 1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`。 2. 再讀本 manifest,取得可消費 contract 與禁止動作。 3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。 -4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response 收件包與覆蓋缺口,不得觸發 token collection 或 Gitea write。 +4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`github_target_decision_v1` 只能顯示 S4.10 owner decision response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 repo creation、visibility change、refs sync 或 primary switch;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response 收件包與覆蓋缺口,不得觸發 token collection 或 Gitea write。 5. 不新增執行按鈕,不做 runtime enforcement。 ## 3. 永久禁止 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index f7f2d5ef7..10d9e8864 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -4,7 +4,7 @@ |------|------| | 日期 | 2026-05-17 | | 狀態 | S0/S1 read-only evidence 建置中 | -| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 | +| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 @@ -14,8 +14,8 @@ | S0 文件與契約同步 | 完成 | Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立 | AwoooP 只讀 mirror 消費 | | S1 source-control read-only inventory | 進行中 | 已有 Gitea/GitHub refs、Gitea public-only user repo list、本機 remote、GitHub target probe、canonical lineage、110 refs evidence | Gitea private/internal 全量 repo list | | S1.0 Gitea 全量 inventory approval | 完成草案 | 已建立 read-only token / admin export approval package | 統帥或 repo owner 批准 | -| S1.1 GitHub target 決策 | 完成草案 | 8 個 target 候選,7 個需人工批准;3 個 `not_found_or_private` 不得自動建立 | owner / visibility / canonical approval | -| S1.2 GitHub target 逐 repo approval | 完成草案 | 7 個 approval-required targets 已拆成逐 repo pending package,並彙整成 8-item approval board | 低摩擦逐項批准 | +| S1.1 GitHub target 決策 | 完成草案 | 8 個 target 候選,7 個需人工批准;3 個 `not_found_or_private` 不得自動建立;S4.10 已補 owner response 收件包 | owner / visibility / canonical response | +| S1.2 GitHub target 逐 repo approval | 完成草案 | 7 個 approval-required targets 已拆成逐 repo pending package,並彙整成 8-item approval board;S4.10 目前 response 0 筆 | 低摩擦逐項批准 | | S1.2a refs reconcile plan | 完成草案 | `awoooi`、`clawbot-v5`、`wooo-aiops` 已產生 draft plan;狀態仍為 `draft_blocked` | authenticated inventory + branch/tag diff + single-repo approval | | S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff;已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs | | S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 | @@ -38,7 +38,7 @@ | S3.2 人工審查封包契約 | 完成草案 | `security_approval_review_packet_v1` 已建立;8 個 review packets、7 ready for human review、1 block candidate、0 個 runtime action 授權 | AwoooP 可顯示 review lane,不可把 packet 當批准或執行 | | S3.3 人工決策狀態轉移契約 | 完成草案 | `security_approval_state_transition_v1` 已建立;5 個 decision options 都有 next state、0 個 runtime action 授權 | AwoooP 可顯示決策後狀態,不可把 transition 當執行 | | S3.4 後續 runtime gate 準備契約 | 完成草案 | `security_followup_runtime_gate_v1` 已建立;8 個 gate templates、0 個 active runtime gates、0 個 approved scope | AwoooP 可顯示前置 evidence、preflight checks 與 rollback / disable requirement,不可啟用 runtime gate | -| S4.0 GitHub primary readiness gate | 完成草案 | `source_control_primary_readiness_gate_v1` 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | AwoooP 可顯示 parity、owner、rollback ADR 缺口,不可切 primary | +| S4.0 GitHub primary readiness gate | 完成草案 | `source_control_primary_readiness_gate_v1` 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 target owner response gate | AwoooP 可顯示 parity、owner、rollback ADR 缺口,不可切 primary | | S4.1 Workflow / Secret 名稱 inventory 契約 | 完成草案 | `source_control_workflow_secret_name_inventory_v1` 已建立;8 個 candidate repos、7 個 in-scope repos 尚缺實際 inventory、0 個 complete、禁止收集 secret value | AwoooP 可顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱缺口,不可修改 workflow 或 secret | | S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot;7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence;仍不可切 primary | | S4.3 Workflow / Secret 名稱 redacted export request | 完成草案 | 已建立 export request schema / snapshot / 人讀版;7 個 in-scope repos、5 類 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;write token allowed=false | repo owner 或未來只讀 API 依 request 補 redacted export;仍不可收 secret value、不可修改 GitHub/Gitea | @@ -48,6 +48,7 @@ | S4.7 Gitea 清冊覆蓋 Owner Attestation | 完成草案 | 已建立 coverage attestation schema / snapshot / 人讀版;5 個 owner decision items、received attestation 0、accepted 0、execution authorized=false | owner 判定 public-only / local remote gap、org/user endpoint、110 adjacent source、canonical owner 與 legacy/inaccessible disposition;仍不可把 attestation 當 migration approval | | S4.8 Gitea Owner Attestation Approval Lane 對齊 | 完成草案 | 已將既有 Gitea approval queue / gate / review packet / follow-up runtime gate 對齊 S4.7 先行條件;queue items 維持 8、review packets 維持 8、active runtime gates 維持 0 | AwoooP 先顯示 5 個 attestation items,owner decision 接受前不得執行 read-only inventory 或標記 complete | | S4.9 Gitea Owner Attestation Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;5 個 response templates、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依模板回覆 S4.7 五個 items;response 通過只更新 read-only matrix / decision table / readiness gate,不代表 inventory 執行或 primary approval | +| S4.10 GitHub Target Owner Decision Response 收件包 | 完成草案 | 已建立 owner decision response schema / snapshot / 人讀版;7 個 response templates、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依模板回覆 7 個 GitHub target 的 owner / visibility / canonical;response 通過只更新 read-only decision table / approval package / approval board / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval | | S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證,rollback ADR 仍待 owner approval | SHA/tag/workflow parity、rollback ADR owner approval 與 runtime gate | ## 1. 已建立的主要 evidence @@ -74,6 +75,8 @@ | Canonical repo 判定表 | `docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md` | | GitHub target 決策表 | `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` | | GitHub target 決策 JSON | `docs/security/github-target-decision.snapshot.json` | +| GitHub target owner decision response 收件包 | `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` | +| GitHub target owner decision response JSON | `docs/security/github-target-owner-decision-response.snapshot.json` | | GitHub target repo approval package | `docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md` | | GitHub target repo approval JSON | `docs/security/github-target-repo-approval-package.snapshot.json` | | Source Control approval board | `docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md` | @@ -154,10 +157,10 @@ ## 3. 下一階段建議 1. 先依 S4.9 `GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md` 收到並驗收 S4.7 `GITEA-INVENTORY-COVERAGE-ATTESTATION.md` 的 owner response;S4.8 已把這件事接到既有 approval queue / gate / review packet / follow-up runtime gate。之後再依 S4.5 `GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` 取得 Gitea 認證清冊;收到 payload 後依 S4.6 `GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` 驗收 / 拒收 / 隔離。目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆;只能用只讀 token API 或已脫敏管理匯出補私有 / 內部 server-side 全量 repo list,不保存 token value。 -2. 依 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical 決策。 +2. 依 S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` 與 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical response;目前 response 0 筆、accepted 0 筆,通過後也只更新 read-only decision table / approval package / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval。 3. 依 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。 4. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。 5. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。 -6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response 收件包,workflow / secret inventory 需同時顯示 S4.3 redacted export request,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 +6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response 收件包,GitHub target 決策需同時顯示 S4.10 owner decision response templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 -8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response templates、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 +8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response templates、S4.10 GitHub target owner response templates、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 diff --git a/docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md b/docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md index 2cd875e4a..f3c10b43e 100644 --- a/docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md +++ b/docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md @@ -7,6 +7,7 @@ | 預設模式 | `mirror_only` | | authenticated inventory gate | `blocked` | | gate 原因 | GITEA_READONLY_TOKEN 未提供,且不使用可 push 的既有 remote credential 當 read-only token;server-side private/internal repo list 仍未完成。 | +| GitHub target owner response | `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` | | repo items | 8 | | pending approval | 7 | @@ -14,6 +15,8 @@ 本 board 只整理決策,不授權執行。AwoooP 可以 mirror 成 approval candidate,但不得建立 repo、修改 visibility、同步 refs、切 GitHub primary 或保存 credential value。 +S4.10 已補 7 個 GitHub target owner decision response templates;目前 received / accepted response 皆為 0。response 通過後也只更新本 board、decision table、approval package 與 readiness gate 的 read-only 欄位,不代表 repo creation、visibility change、refs sync 或 primary approval。 + ## 1. 逐 repo 決策隊列 | GitHub repo | Lane | Risk | Probe | Approval | 下一步 | @@ -47,6 +50,7 @@ - Evidence refs: - `docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md` - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` + - `docs/security/github-target-owner-decision-response.snapshot.json` - `docs/security/github-target-probe.snapshot.json` ### owenhytsai/clawbot-v5 @@ -64,6 +68,7 @@ - Evidence refs: - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` - `docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md` + - `docs/security/github-target-owner-decision-response.snapshot.json` - `docs/security/github-target-probe.snapshot.json` ### owenhytsai/wooo-aiops @@ -81,6 +86,7 @@ - Evidence refs: - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` - `docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md` + - `docs/security/github-target-owner-decision-response.snapshot.json` - `docs/security/github-target-probe.snapshot.json` ### owenhytsai/wooo-infra-config @@ -99,6 +105,7 @@ - Evidence refs: - `docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md` - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` + - `docs/security/github-target-owner-decision-response.snapshot.json` - `docs/security/github-target-probe.snapshot.json` ### owenhytsai/ewoooc @@ -119,6 +126,7 @@ - `docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md` - `docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md` - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` + - `docs/security/github-target-owner-decision-response.snapshot.json` - `docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md` - `docs/security/github-target-probe.snapshot.json` @@ -137,6 +145,7 @@ - Evidence refs: - `docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md` - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` + - `docs/security/github-target-owner-decision-response.snapshot.json` - `docs/security/github-target-probe.snapshot.json` ### owenhytsai/tsenyang-website @@ -154,6 +163,7 @@ - Evidence refs: - `docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md` - `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md` + - `docs/security/github-target-owner-decision-response.snapshot.json` - `docs/security/github-target-probe.snapshot.json` ### nexu-io/open-design diff --git a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md index 9abe99496..baf68f1fb 100644 --- a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md +++ b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md @@ -7,6 +7,7 @@ | Schema | `docs/schemas/source_control_primary_readiness_gate_v1.schema.json` | | Snapshot | `docs/security/source-control-primary-readiness-gate.snapshot.json` | | Rollback ADR | `docs/security/source-control-primary-rollback-adr.snapshot.json` | +| GitHub target owner response | `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` | | 模式 | `primary_readiness_gate_only` | | runtime 執行授權 | `false` | @@ -36,7 +37,7 @@ | Gitea authenticated inventory | blocked | private/internal 全量 repo list 尚未完成;S4.7 owner coverage attestation 與 S4.9 owner response 仍未收到 | | refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift | | workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot | -| owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策 | +| owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策;S4.10 已補 owner response 收件包,received / accepted response 皆為 0 | | rollback ADR | pending review | S4.4 已建立 rollback ADR 草案;7 個 in-scope repos 仍需 owner approval、dry-run 與 validation window | ## 3. AwoooP 可做 @@ -45,9 +46,10 @@ 2. 顯示 `primary_ready_count=0`。 3. 將 7 個 in-scope repos 維持在 approval / review lane。 4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response、refs truth、workflow/runner/secret name inventory、rollback ADR。 -5. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。 -6. 連到 `source_control_primary_rollback_adr_v1` 顯示 7 個 in-scope repos 的 rollback owner、trigger 與 validation window 草案。 -7. 把狀態寫入 Audit evidence 與 Operator Console。 +5. 連到 S4.10 `github_target_owner_decision_response_v1` 顯示 7 個 owner decision response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。 +6. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。 +7. 連到 `source_control_primary_rollback_adr_v1` 顯示 7 個 in-scope repos 的 rollback owner、trigger 與 validation window 草案。 +8. 把狀態寫入 Audit evidence 與 Operator Console。 ## 4. AwoooP 不可做 @@ -63,6 +65,6 @@ S4.0 只是把「切換前一定要看見什麼」先定義清楚。 -S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 owner response 收件包;它們只是 scope decision 與 response 驗收框架,不是 migration approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 +S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response 收件包,S4.10 已補上 GitHub target owner decision response 收件包;它們只是 scope decision 與 response 驗收框架,不是 migration approval、repo creation approval、visibility change approval、refs sync approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 這讓長期回到 GitHub 的方向可以繼續往前,但仍維持低摩擦:目前只 mirror、只顯示、只留痕,不執行。 diff --git a/docs/security/github-target-decision.snapshot.json b/docs/security/github-target-decision.snapshot.json index 2f518fefa..00c495377 100644 --- a/docs/security/github-target-decision.snapshot.json +++ b/docs/security/github-target-decision.snapshot.json @@ -19,7 +19,8 @@ ], "evidence_refs": [ "docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md", - "docs/security/github-target-probe.snapshot.json" + "docs/security/github-target-probe.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "GitHub repo 可讀,但 refs blocked,不可切 primary。" }, @@ -37,7 +38,8 @@ ], "evidence_refs": [ "docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md", - "docs/security/github-target-probe.snapshot.json" + "docs/security/github-target-probe.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "GitHub repo 可讀,但 main SHA 與 tag 不一致。" }, @@ -55,7 +57,8 @@ ], "evidence_refs": [ "docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md", - "docs/security/github-target-probe.snapshot.json" + "docs/security/github-target-probe.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "GitHub repo 可讀,但 GitHub tags 比 Gitea 多,需釐清真相來源。" }, @@ -74,7 +77,8 @@ ], "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md", - "docs/security/github-target-probe.snapshot.json" + "docs/security/github-target-probe.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "GitHub 與本機 main 對齊;110 internal remote 不可讀,需判斷用途。" }, @@ -94,7 +98,8 @@ "evidence_refs": [ "docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md", "docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md", - "docs/security/github-target-probe.snapshot.json" + "docs/security/github-target-probe.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "GitHub target 未授權 probe 看不到,且 momo/ewoooc lineage unrelated,不可自動建立 mirror。" }, @@ -112,7 +117,8 @@ ], "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", - "docs/security/github-target-probe.snapshot.json" + "docs/security/github-target-probe.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "110 remote 與本機 main 對齊,可作 source candidate;GitHub target 未確認。" }, @@ -130,7 +136,8 @@ ], "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", - "docs/security/github-target-probe.snapshot.json" + "docs/security/github-target-probe.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "110 remote 與本機 main 對齊,可作 source candidate;GitHub target 未確認。" }, diff --git a/docs/security/github-target-owner-decision-response.snapshot.json b/docs/security/github-target-owner-decision-response.snapshot.json new file mode 100644 index 000000000..e697cca92 --- /dev/null +++ b/docs/security/github-target-owner-decision-response.snapshot.json @@ -0,0 +1,449 @@ +{ + "schema_version": "github_target_owner_decision_response_v1", + "status": "draft_waiting_owner_response", + "date": "2026-05-17", + "mode": "owner_decision_response_intake_only", + "runtime_execution_authorized": false, + "source_contract": "github_target_decision_v1", + "target_contract": "github_target_repo_approval_package_v1", + "source_indexes": [ + "docs/security/github-target-decision.snapshot.json", + "docs/security/github-target-repo-approval-package.snapshot.json", + "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md", + "docs/security/source-control-approval-board.snapshot.json", + "docs/security/source-control-primary-readiness-gate.snapshot.json", + "docs/security/security-approval-review-packet.snapshot.json", + "docs/security/security-followup-runtime-gate.snapshot.json" + ], + "summary": { + "owner_response_status": "waiting_owner_response", + "target_decision_count": 8, + "approval_required_target_count": 7, + "response_template_count": 7, + "received_response_count": 0, + "accepted_response_count": 0, + "rejected_response_count": 0, + "acceptance_check_count": 8, + "rejection_rule_count": 10, + "repo_creation_authorized": false, + "visibility_change_authorized": false, + "refs_sync_authorized": false, + "github_primary_switch_authorized": false, + "secret_value_collection_allowed": false, + "action_buttons_allowed": false + }, + "response_templates": [ + { + "template_id": "target-awoooi-refs-blocked", + "github_repo": "owenhytsai/awoooi", + "source_key": "wooo/awoooi", + "target_state": "exists_refs_blocked", + "risk": "HIGH", + "requested_owner_decision": "指定 owner、canonical source、visibility review owner 與 refs truth review owner;維持 refs action disabled。", + "required_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "canonical_source", + "github_target_disposition", + "visibility_review_owner", + "refs_truth_review_owner", + "evidence_refs" + ], + "acceptable_decisions": [ + "approve_existing_target_as_candidate", + "hold_pending_refs_truth", + "hold_pending_canonical_review", + "unknown_requires_more_evidence" + ], + "minimum_evidence_refs": [ + "docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md", + "docs/security/source-control-ref-detail-diff.snapshot.json", + "docs/security/source-control-workflow-secret-name-inventory.snapshot.json" + ], + "acceptance_criteria": [ + "必須明確指定 `wooo/awoooi` 的 canonical source 與 owner review 責任人。", + "必須承認 refs truth / workflow-secret parity / rollback ADR 未完成前不得推 refs 或切 primary。", + "若 decision 是 hold,必須說明下一個 evidence owner。" + ], + "rejection_conditions": [ + "把既有 GitHub repo 視為可直接 primary。", + "要求 push、delete、force push refs 或修改 visibility。", + "缺 canonical source、visibility review owner 或 refs truth review owner。" + ], + "allowed_outputs": [ + "更新 GitHub target decision table 的 owner / canonical / visibility read-only 欄位。", + "更新 repo approval package 的 blocked_until 說明。", + "維持 primary readiness blocked。" + ], + "execution_authorized": false + }, + { + "template_id": "target-clawbot-v5-refs-blocked", + "github_repo": "owenhytsai/clawbot-v5", + "source_key": "wooo/clawbot-v5", + "target_state": "exists_refs_blocked", + "risk": "MEDIUM", + "requested_owner_decision": "指定 main SHA / tag 真相來源與 owner;維持 refs action disabled。", + "required_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "canonical_source", + "tag_disposition_owner", + "visibility_review_owner", + "evidence_refs" + ], + "acceptable_decisions": [ + "approve_existing_target_as_candidate", + "hold_pending_refs_truth", + "mark_external_or_out_of_scope", + "unknown_requires_more_evidence" + ], + "minimum_evidence_refs": [ + "docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md", + "docs/security/source-control-reconcile-plan.snapshot.json", + "docs/security/source-control-ref-truth-classification.snapshot.json" + ], + "acceptance_criteria": [ + "必須說明 main SHA 與 tag 差異要由哪個 owner 判定。", + "若仍 active,必須保留 refs review lane。", + "若排除 scope,必須附 owner 理由與後續 disposition。" + ], + "rejection_conditions": [ + "用單一句話批准 refs sync。", + "未處理 GitHub 缺 Gitea tag 的 disposition。", + "要求刪除任一端 repo 或 refs。" + ], + "allowed_outputs": [ + "更新 refs truth review lane。", + "更新 approval package 的 owner decision 欄位。", + "維持 refs action disabled。" + ], + "execution_authorized": false + }, + { + "template_id": "target-wooo-aiops-refs-blocked", + "github_repo": "owenhytsai/wooo-aiops", + "source_key": "wooo/wooo-aiops", + "target_state": "exists_refs_blocked", + "risk": "MEDIUM", + "requested_owner_decision": "指定 GitHub-only branch / tags 的來源 owner 與 disposition;維持 refs action disabled。", + "required_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "canonical_source", + "github_only_refs_owner", + "visibility_review_owner", + "evidence_refs" + ], + "acceptable_decisions": [ + "approve_existing_target_as_candidate", + "hold_pending_refs_truth", + "mark_external_or_out_of_scope", + "unknown_requires_more_evidence" + ], + "minimum_evidence_refs": [ + "docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md", + "docs/security/source-control-ref-detail-diff.snapshot.json", + "docs/security/source-control-ref-truth-classification.snapshot.json" + ], + "acceptance_criteria": [ + "必須指定 GitHub-only branch / tags 的 owner 或補證 owner。", + "必須說明 main SHA truth source 尚未判定時要維持 blocked。", + "若標為 out_of_scope,必須說明與 AwoooP / AWOOOI scope 的關係。" + ], + "rejection_conditions": [ + "要求刪除 GitHub-only refs。", + "未指定 GitHub-only refs owner。", + "把 refs classification 當成已批准 sync。" + ], + "allowed_outputs": [ + "更新 refs truth classification 的 owner review 欄位。", + "更新 GitHub target decision table。", + "維持 GitHub primary readiness blocked。" + ], + "execution_authorized": false + }, + { + "template_id": "target-wooo-infra-config-internal-remote", + "github_repo": "owenhytsai/wooo-infra-config", + "source_key": "wooo/wooo-infra-config", + "target_state": "exists_aligned", + "risk": "MEDIUM", + "requested_owner_decision": "判定 110 internal remote 用途、infra owner 與 secret name inventory owner。", + "required_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "canonical_source", + "internal_remote_disposition", + "secret_name_inventory_owner", + "evidence_refs" + ], + "acceptable_decisions": [ + "approve_existing_target_as_candidate", + "hold_pending_canonical_review", + "mark_external_or_out_of_scope", + "unknown_requires_more_evidence" + ], + "minimum_evidence_refs": [ + "docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md", + "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", + "docs/security/source-control-workflow-secret-name-export-request.snapshot.json" + ], + "acceptance_criteria": [ + "必須判定 110 internal remote 是 active source、mirror、legacy 或需要補證。", + "必須指定 infra secret 名稱 inventory owner。", + "不得把 internal remote disposition 當成刪除 remote 的批准。" + ], + "rejection_conditions": [ + "要求直接刪除 remote 或改 remote URL。", + "要求搬移或貼出 secret value。", + "未說明 110 internal remote 用途。" + ], + "allowed_outputs": [ + "更新 canonical decision table 的 remote disposition。", + "更新 workflow / secret name inventory 的 owner gap。", + "維持 repo / secret / refs 執行 disabled。" + ], + "execution_authorized": false + }, + { + "template_id": "target-ewoooc-private-or-new", + "github_repo": "owenhytsai/ewoooc", + "source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees", + "target_state": "not_found_or_private", + "risk": "HIGH", + "requested_owner_decision": "判定 ewoooc / momo-pro-system canonical 關係與 GitHub target 是既有 private repo、候選新 repo 或需補證。", + "required_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "canonical_source", + "github_target_disposition", + "visibility_review_owner", + "server_side_refs_diff_owner", + "evidence_refs" + ], + "acceptable_decisions": [ + "approve_private_target_access_request", + "approve_new_target_creation_candidate", + "hold_pending_canonical_review", + "mark_external_or_out_of_scope", + "unknown_requires_more_evidence" + ], + "minimum_evidence_refs": [ + "docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md", + "docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md", + "docs/security/github-target-decision.snapshot.json" + ], + "acceptance_criteria": [ + "必須明確說明 `not_found_or_private` 不能自動視為不存在。", + "必須指定 ewoooc / momo-pro-system canonical 判定 owner。", + "若只是批准候選新 repo,仍不得建立 repo,必須先產生 migration plan。" + ], + "rejection_conditions": [ + "把 `not_found_or_private` 當成建立 repo 的直接批准。", + "自動合併 unrelated histories。", + "要求刪除任一 momo / ewoooc working tree。" + ], + "allowed_outputs": [ + "更新 target decision table 的 disposition。", + "更新 approval package 的 canonical blocker。", + "建立 request_more_evidence lane。" + ], + "execution_authorized": false + }, + { + "template_id": "target-bitan-pharmacy-private-or-new", + "github_repo": "owenhytsai/bitan-pharmacy", + "source_key": "bitan-pharmacy", + "target_state": "not_found_or_private", + "risk": "MEDIUM", + "requested_owner_decision": "判定 repo 是否仍 active、GitHub target disposition、owner 與 visibility review owner。", + "required_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "active_status", + "canonical_source", + "github_target_disposition", + "visibility_review_owner", + "evidence_refs" + ], + "acceptable_decisions": [ + "approve_private_target_access_request", + "approve_new_target_creation_candidate", + "hold_pending_canonical_review", + "mark_external_or_out_of_scope", + "unknown_requires_more_evidence" + ], + "minimum_evidence_refs": [ + "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", + "docs/security/github-target-decision.snapshot.json", + "docs/security/source-control-primary-readiness-gate.snapshot.json" + ], + "acceptance_criteria": [ + "必須說明 repo 是否仍 active。", + "必須指定 GitHub target 是既有 private、候選新 repo、out-of-scope 或需補證。", + "若 active,必須保留 workflow / secret name parity gate。" + ], + "rejection_conditions": [ + "把 target 看不到當成可直接建立 repo。", + "沒有 active_status 或 visibility review owner。", + "要求自動 push refs 或刪除 110 remote。" + ], + "allowed_outputs": [ + "更新 target decision table 的 active / disposition 欄位。", + "更新 approval package 的 blocked_until。", + "維持 repo creation 與 refs action disabled。" + ], + "execution_authorized": false + }, + { + "template_id": "target-tsenyang-website-private-or-new", + "github_repo": "owenhytsai/tsenyang-website", + "source_key": "tsenyang-website", + "target_state": "not_found_or_private", + "risk": "MEDIUM", + "requested_owner_decision": "判定 repo 是否仍 active、GitHub target disposition、owner 與 visibility review owner。", + "required_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "active_status", + "canonical_source", + "github_target_disposition", + "visibility_review_owner", + "evidence_refs" + ], + "acceptable_decisions": [ + "approve_private_target_access_request", + "approve_new_target_creation_candidate", + "hold_pending_canonical_review", + "mark_external_or_out_of_scope", + "unknown_requires_more_evidence" + ], + "minimum_evidence_refs": [ + "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", + "docs/security/github-target-decision.snapshot.json", + "docs/security/source-control-primary-readiness-gate.snapshot.json" + ], + "acceptance_criteria": [ + "必須說明 repo 是否仍 active。", + "必須指定 GitHub target 是既有 private、候選新 repo、out-of-scope 或需補證。", + "若 active,必須保留 workflow / secret name parity gate。" + ], + "rejection_conditions": [ + "把 target 看不到當成可直接建立 repo。", + "沒有 active_status 或 visibility review owner。", + "要求自動 push refs 或刪除 110 remote。" + ], + "allowed_outputs": [ + "更新 target decision table 的 active / disposition 欄位。", + "更新 approval package 的 blocked_until。", + "維持 repo creation 與 refs action disabled。" + ], + "execution_authorized": false + } + ], + "acceptance_checks": [ + { + "check_id": "maps_to_known_github_target", + "title": "回覆對應既有 GitHub target", + "required": true, + "pass_condition": "`github_repo` 必須對應 github_target_decision_v1 的 7 個 approval-required targets 之一。", + "failure_lane": "reject_unknown_target", + "execution_authorized": false + }, + { + "check_id": "decision_value_allowed", + "title": "決策值在允許範圍內", + "required": true, + "pass_condition": "`decision` 必須是該 target template 的 acceptable_decisions 之一。", + "failure_lane": "request_owner_correction", + "execution_authorized": false + }, + { + "check_id": "owner_and_visibility_present", + "title": "owner 與 visibility review 責任存在", + "required": true, + "pass_condition": "每筆回覆必須有 owner role/team、visibility review owner 或明確 out-of-scope disposition。", + "failure_lane": "request_more_evidence", + "execution_authorized": false + }, + { + "check_id": "canonical_source_present", + "title": "canonical source 已說明", + "required": true, + "pass_condition": "in-scope 或 candidate target 必須標示 canonical source;未知時必須選 unknown_requires_more_evidence。", + "failure_lane": "keep_primary_blocked", + "execution_authorized": false + }, + { + "check_id": "blocked_until_respected", + "title": "blocked_until 不被繞過", + "required": true, + "pass_condition": "回覆不得把 refs truth、workflow-secret parity、Gitea inventory、rollback ADR 或 server-side diff 缺口視為已完成。", + "failure_lane": "reject_scope_jump", + "execution_authorized": false + }, + { + "check_id": "no_repo_creation_or_visibility_change", + "title": "不含 repo creation 或 visibility change 指令", + "required": true, + "pass_condition": "回覆只能批准候選方向或補證方向,不得包含立即建立 repo 或修改 visibility 的執行要求。", + "failure_lane": "reject_runtime_source_control_action", + "execution_authorized": false + }, + { + "check_id": "no_refs_or_primary_action", + "title": "不含 refs 或 primary action", + "required": true, + "pass_condition": "回覆不得要求 push、delete、force push、mirror sync、primary switch 或 disable Gitea。", + "failure_lane": "reject_refs_or_primary_action", + "execution_authorized": false + }, + { + "check_id": "secret_values_absent", + "title": "未包含 secret value", + "required": true, + "pass_condition": "`evidence_refs` 只能指向 repo 內文件、snapshot 或已脫敏 owner metadata,不得含 token、credential、secret value、private key 或 deploy key value。", + "failure_lane": "quarantine_sensitive_payload", + "execution_authorized": false + } + ], + "rejection_rules": [ + "回覆含 token value、PAT、cookie、session、CSRF token、private key 或 partial credential 時必須拒收。", + "回覆含 repo creation command、API request body、CLI command 或 automation payload 時必須拒收。", + "回覆含 visibility change command 或要求立即修改 public/private/internal visibility 時必須拒收。", + "回覆要求 push refs、delete refs、force push、mirror sync、tag rewrite 或 branch rewrite 時必須拒收。", + "回覆要求切 GitHub primary、停用 Gitea、刪除 Gitea、封存 Gitea 或移除 fallback 時必須拒收。", + "回覆缺 owner、visibility review owner、canonical source 或 out-of-scope disposition 時不得標記 accepted。", + "回覆把 `not_found_or_private` 自動解釋為 repo 不存在或可建立時必須拒收。", + "回覆要求自動合併 unrelated histories 或刪除 momo / ewoooc working tree 時必須拒收。", + "回覆把 owner decision response 當成 repo migration approval、refs sync approval 或 primary approval 時必須拒收。", + "任何不確定是否含敏感值、私有 URL 憑證或未脫敏截圖的回覆必須先進 mirror quarantine。" + ], + "allowed_outputs": [ + "更新 `github-target-decision.snapshot.json` 的 read-only owner / visibility / canonical decision 欄位。", + "更新 `github-target-repo-approval-package.snapshot.json` 的 blocked_until、review owner 與 evidence refs。", + "更新 `source-control-primary-readiness-gate.snapshot.json` 的 blocker wording。", + "更新 `source-control-approval-board.snapshot.json` 的 review lane。", + "建立 request_more_evidence / quarantine lane。", + "維持 `github_primary_ready_count=0` 與所有 execution flags false。" + ], + "forbidden_actions": [ + "建立 GitHub repo。", + "修改 GitHub repo visibility。", + "push、delete、force push、mirror sync 或 rewrite refs。", + "切 GitHub primary。", + "停用、刪除、封存或降級 Gitea repo。", + "保存 secret value、token value、private key、cookie、session 或 deploy key value。", + "把 response packet 當成 migration execution approval。", + "新增 AwoooP execution action button。" + ] +} diff --git a/docs/security/github-target-repo-approval-package.snapshot.json b/docs/security/github-target-repo-approval-package.snapshot.json index 54af7283a..12ff831ed 100644 --- a/docs/security/github-target-repo-approval-package.snapshot.json +++ b/docs/security/github-target-repo-approval-package.snapshot.json @@ -30,7 +30,8 @@ ], "evidence_refs": [ "docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md", - "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md" + "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "Gitea/GitHub main SHA、branches、tags 未對齊,必須先做 reconcile plan。" }, @@ -56,7 +57,8 @@ ], "evidence_refs": [ "docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md", - "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md" + "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "GitHub repo 可見,但 main SHA 與 tag 狀態未對齊。" }, @@ -82,7 +84,8 @@ ], "evidence_refs": [ "docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md", - "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md" + "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "GitHub tags 比 Gitea 多,需先釐清真相來源。" }, @@ -109,7 +112,8 @@ ], "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md", - "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md" + "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "GitHub 與本機 main 對齊,但 110 internal remote 不可讀,需判斷用途。" }, @@ -138,7 +142,8 @@ "evidence_refs": [ "docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md", "docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md", - "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md" + "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "momo/ewoooc lineage sample 目前 unrelated,不能自動視為同 repo。" }, @@ -164,7 +169,8 @@ ], "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", - "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md" + "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "110 remote 與本機 main 對齊,可作 source candidate;GitHub target 未確認。" }, @@ -190,7 +196,8 @@ ], "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", - "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md" + "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "notes": "110 remote 與本機 main 對齊,可作 source candidate;GitHub target 未確認。" } diff --git a/docs/security/security-approval-gate.snapshot.json b/docs/security/security-approval-gate.snapshot.json index 8e561d770..a1c50d4b5 100644 --- a/docs/security/security-approval-gate.snapshot.json +++ b/docs/security/security-approval-gate.snapshot.json @@ -138,6 +138,7 @@ ], "decision_options": ["approve_scope", "reject", "defer", "request_more_evidence"], "allowed_after_approval": [ + "依 S4.10 驗收 owner decision response", "逐 repo 更新 owner/visibility/canonical decision", "產生 draft reconcile plan 或 ADR", "更新 GitHub target decision snapshot" @@ -145,6 +146,7 @@ "still_forbidden": [ "建立 repo", "修改 visibility", + "把 S4.10 response packet 當成 repo creation 或 visibility approval", "push refs", "delete refs", "切 GitHub primary" @@ -153,7 +155,9 @@ "evidence_refs": [ "docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md", "docs/security/source-control-approval-board.snapshot.json", - "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md" + "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md", + "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md", + "docs/security/github-target-owner-decision-response.snapshot.json" ] }, { diff --git a/docs/security/security-approval-queue.snapshot.json b/docs/security/security-approval-queue.snapshot.json index 300a06782..db11acfa2 100644 --- a/docs/security/security-approval-queue.snapshot.json +++ b/docs/security/security-approval-queue.snapshot.json @@ -126,7 +126,7 @@ "risk": "HIGH", "state": "pending_approval", "recommended_awooop_mode": "approve_required", - "requested_decision": "是否逐 repo 批准 GitHub target、owner、visibility、canonical 與 refs reconcile review;此 bundle 不授權執行。", + "requested_decision": "是否依 S4.10 逐 repo 收到並驗收 GitHub target、owner、visibility、canonical response;此 bundle 不授權執行。", "blocked_until_approved": true, "required_reviewers": [ "migration-engineer", @@ -136,9 +136,12 @@ "evidence_refs": [ "docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md", "docs/security/source-control-approval-board.snapshot.json", - "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md" + "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md", + "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "allowed_after_approval": [ + "依 S4.10 驗收 owner decision response", "逐 repo 更新 owner/visibility/canonical decision", "產生 draft reconcile plan 或 ADR", "更新 GitHub target decision snapshot" @@ -146,6 +149,7 @@ "still_forbidden": [ "建立 repo", "修改 visibility", + "把 S4.10 response packet 當成 repo creation 或 visibility approval", "push refs", "delete refs", "切 GitHub primary" diff --git a/docs/security/security-approval-review-packet.snapshot.json b/docs/security/security-approval-review-packet.snapshot.json index 7a923edbe..0e577c3b5 100644 --- a/docs/security/security-approval-review-packet.snapshot.json +++ b/docs/security/security-approval-review-packet.snapshot.json @@ -156,7 +156,7 @@ "risk": "HIGH", "review_state": "ready_for_human_review", "review_lane": "design_or_draft_review", - "requested_decision": "是否逐 repo 確認 GitHub target、owner、visibility、canonical 與 refs reconcile review;本封包不授權建立 repo 或改 visibility。", + "requested_decision": "是否依 S4.10 逐 repo 確認 GitHub target、owner、visibility、canonical response 與 refs reconcile review;本封包不授權建立 repo 或改 visibility。", "required_reviewers": [ "migration-engineer", "security-commander", @@ -166,20 +166,24 @@ "evidence_refs": [ "docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md", "docs/security/source-control-approval-board.snapshot.json", - "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md" + "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md", + "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "allowed_pre_decision_actions": [ "顯示 7 個 approval-required target", + "顯示 S4.10 owner response templates、received_response_count=0 與 rejection rules", "要求 repo owner 補 owner/visibility/canonical 判定", "維持 refs action disabled" ], "allowed_after_decision_actions": [ - "若 approve_scope,只能更新決策草案、draft reconcile plan 或 ADR", + "若 approve_scope,只能更新 S4.10 response 驗收結果、決策草案、draft reconcile plan 或 ADR", "任何 repo creation 或 visibility change 仍需後續 runtime gate" ], "still_forbidden": [ "建立 repo", "修改 visibility", + "把 S4.10 response packet 當成 repo creation 或 visibility approval", "push refs", "delete refs", "切 GitHub primary" diff --git a/docs/security/security-followup-runtime-gate.snapshot.json b/docs/security/security-followup-runtime-gate.snapshot.json index afd02c31d..a744ad065 100644 --- a/docs/security/security-followup-runtime-gate.snapshot.json +++ b/docs/security/security-followup-runtime-gate.snapshot.json @@ -155,6 +155,7 @@ "gate_state": "waiting_approved_scope", "applies_after_decision": "approve_scope", "minimum_required_evidence": [ + "S4.10 owner decision response 驗收結果:docs/security/github-target-owner-decision-response.snapshot.json", "repo owner / visibility / canonical decision", "GitHub target 是否已存在的最新 probe", "workflow parity checklist", @@ -166,12 +167,14 @@ "human-owner" ], "preflight_checks": [ + "確認 S4.10 response packet 未被當成 repo creation、visibility change、refs sync 或 primary approval", "確認 not_found_or_private 不被當成可自動建立 repo", "確認 visibility change 仍未授權", "確認 refs action disabled", "確認只更新決策草案" ], "allowed_pre_runtime_artifacts": [ + "owner decision response acceptance note", "target decision table update", "draft reconcile ADR", "repo owner review note", diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json index ec46e4f33..240e3b17d 100644 --- a/docs/security/security-mirror-readiness.snapshot.json +++ b/docs/security/security-mirror-readiness.snapshot.json @@ -273,9 +273,15 @@ "consumption_mode": "mirror_only", "mirror_allowed": true, "execution_allowed": false, - "snapshot_paths": ["docs/security/github-target-decision.snapshot.json"], - "human_docs": ["docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md"], - "notes": "可 mirror target decision;repo 建立與 visibility 修改仍需人工批准。" + "snapshot_paths": [ + "docs/security/github-target-decision.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" + ], + "human_docs": [ + "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md" + ], + "notes": "可 mirror target decision 與 S4.10 owner response templates;repo 建立、visibility 修改、refs sync 與 primary switch 仍需後續人工批准與 runtime gate。" }, { "contract": "github_target_repo_approval_package_v1", @@ -283,9 +289,15 @@ "consumption_mode": "approval_only", "mirror_allowed": true, "execution_allowed": false, - "snapshot_paths": ["docs/security/github-target-repo-approval-package.snapshot.json"], - "human_docs": ["docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md"], - "notes": "可 mirror 逐 repo approval package;不得執行 item。" + "snapshot_paths": [ + "docs/security/github-target-repo-approval-package.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" + ], + "human_docs": [ + "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md", + "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md" + ], + "notes": "可 mirror 逐 repo approval package 與 S4.10 owner decision response 收件包;不得執行 item。" }, { "contract": "source_control_approval_board_v1", diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index a993f40ea..0629381c6 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -23,6 +23,7 @@ "docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json", "docs/security/gitea-inventory-coverage-attestation.snapshot.json", "docs/security/gitea-inventory-owner-attestation-response.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json", "docs/security/source-control-primary-readiness-gate.snapshot.json", "docs/security/source-control-primary-rollback-adr.snapshot.json", "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", @@ -104,8 +105,8 @@ { "phase_id": "S4_migration_execution", "state": "not_started", - "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 owner response intake packet,但 inventory status 仍 partial。", - "next_gate": "依 S4.9 收到並驗收 S4.7 owner response、authenticated inventory payload 通過 S4.6 驗收、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR owner approval 與逐 repo 人工批准。" + "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response intake packet;S4.10 已補 GitHub target owner decision response intake packet,但 inventory status 仍 partial,GitHub target response 仍 0 筆。", + "next_gate": "依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 收到並驗收 7 個 GitHub target owner / visibility / canonical response、authenticated inventory payload 通過 S4.6 驗收、refs truth、webhook / runner / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR owner approval 與逐 repo 人工批准。" } ], "next_safe_actions": [ @@ -221,11 +222,13 @@ "mode": "approval_required", "source_contract": "source_control_approval_board_v1", "allowed_processing": [ + "顯示 S4.10 owner decision response templates、received_response_count=0 與 rejection rules", "逐 repo 更新 owner / visibility / canonical decision", "產生 draft reconcile plan 或 ADR", "維持 refs action disabled" ], "blocked_processing": [ + "把 S4.10 response packet 當成 repo creation、visibility change、refs sync 或 primary approval", "建立 repo", "修改 visibility", "push / delete refs", @@ -317,7 +320,8 @@ "S4.6 只新增 Gitea redacted import acceptance;received_payload_count=0、accepted_payload_count=0,不匯入 DB dump/git object、不寫 Gitea、不切 primary。", "S4.7 只新增 Gitea owner coverage attestation request;required_attestation_item_count=5、received_attestation_count=0,不把 attestation 當 migration approval。", "S4.8 只把既有 Gitea approval queue/gate/review packet/follow-up gate 對齊 S4.7 先行條件;approval_queue_total 仍為 8、active_runtime_gates 仍為 0,不新增執行入口。", - "S4.9 只新增 Gitea owner attestation response 收件包;required_response_item_count=5、received_response_count=0、accepted_response_count=0,不把 response packet 當 inventory 執行或 primary approval。" + "S4.9 只新增 Gitea owner attestation response 收件包;required_response_item_count=5、received_response_count=0、accepted_response_count=0,不把 response packet 當 inventory 執行或 primary approval。", + "S4.10 只新增 GitHub target owner decision response 收件包;response_template_count=7、received_response_count=0、accepted_response_count=0,不把 response packet 當 repo creation、visibility change、refs sync 或 GitHub primary approval。" ], "forbidden_actions": [ "start_kali_scan", diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json index 54ec268a0..da5c16498 100644 --- a/docs/security/security-supply-chain-contract-manifest.snapshot.json +++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json @@ -429,24 +429,36 @@ { "contract": "github_target_decision_v1", "schema_path": "docs/schemas/github_target_decision_v1.schema.json", - "snapshot_paths": ["docs/security/github-target-decision.snapshot.json"], - "human_docs": ["docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md"], + "snapshot_paths": [ + "docs/security/github-target-decision.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" + ], + "human_docs": [ + "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md" + ], "consumer": "AwoooP approval candidate / migration target evidence", "consumption_mode": "mirror_only", "allowed_actions": ["mirror_target_decision", "create_approval_candidate"], "forbidden_actions": ["change_visibility", "create_repo", "sync_refs"], - "notes": "8 個 targets 中 7 個需要人工批准。" + "notes": "8 個 targets 中 7 個需要人工批准;S4.10 已補 owner decision response 收件包,received_response_count=0,不授權 repo / visibility / refs / primary 動作。" }, { "contract": "github_target_repo_approval_package_v1", "schema_path": "docs/schemas/github_target_repo_approval_package_v1.schema.json", - "snapshot_paths": ["docs/security/github-target-repo-approval-package.snapshot.json"], - "human_docs": ["docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md"], + "snapshot_paths": [ + "docs/security/github-target-repo-approval-package.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" + ], + "human_docs": [ + "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md", + "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md" + ], "consumer": "AwoooP approval queue draft", "consumption_mode": "approval_only", "allowed_actions": ["display_repo_approval_queue", "request_owner_decision"], "forbidden_actions": ["execute_approval_item", "push_refs", "change_visibility"], - "notes": "7 個 pending packages,逐 repo 低摩擦批准。" + "notes": "7 個 pending packages,逐 repo 低摩擦批准;S4.10 只定義 owner response 驗收 / 拒收格式,不代表任何執行批准。" }, { "contract": "source_control_approval_board_v1", diff --git a/docs/security/source-control-approval-board.snapshot.json b/docs/security/source-control-approval-board.snapshot.json index 7d8186f7f..66fc5726a 100644 --- a/docs/security/source-control-approval-board.snapshot.json +++ b/docs/security/source-control-approval-board.snapshot.json @@ -9,6 +9,7 @@ "allowed_next_step": [ "提供 read-only token 後重跑 gitea-repo-inventory", "或提供 redacted admin export JSON", + "依 S4.10 收到 GitHub target owner / visibility / canonical response 後更新 read-only board 欄位", "在 gate 前仍可維護 approval board 與 decision table" ], "still_forbidden": [ @@ -52,6 +53,7 @@ "evidence_refs": [ "docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md", "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json", "docs/security/github-target-probe.snapshot.json" ], "awooop_consumption": "approval_candidate" @@ -82,6 +84,7 @@ "evidence_refs": [ "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", "docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md", + "docs/security/github-target-owner-decision-response.snapshot.json", "docs/security/github-target-probe.snapshot.json" ], "awooop_consumption": "approval_candidate" @@ -112,6 +115,7 @@ "evidence_refs": [ "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", "docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md", + "docs/security/github-target-owner-decision-response.snapshot.json", "docs/security/github-target-probe.snapshot.json" ], "awooop_consumption": "approval_candidate" @@ -143,6 +147,7 @@ "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md", "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json", "docs/security/github-target-probe.snapshot.json" ], "awooop_consumption": "approval_candidate" @@ -176,6 +181,7 @@ "docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md", "docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md", "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json", "docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md", "docs/security/github-target-probe.snapshot.json" ], @@ -207,6 +213,7 @@ "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json", "docs/security/github-target-probe.snapshot.json" ], "awooop_consumption": "approval_candidate" @@ -237,6 +244,7 @@ "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", + "docs/security/github-target-owner-decision-response.snapshot.json", "docs/security/github-target-probe.snapshot.json" ], "awooop_consumption": "approval_candidate" diff --git a/docs/security/source-control-primary-readiness-gate.snapshot.json b/docs/security/source-control-primary-readiness-gate.snapshot.json index 1e3e71c1d..45d8b1653 100644 --- a/docs/security/source-control-primary-readiness-gate.snapshot.json +++ b/docs/security/source-control-primary-readiness-gate.snapshot.json @@ -6,6 +6,7 @@ "runtime_execution_authorized": false, "source_indexes": [ "docs/security/github-target-decision.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json", "docs/security/source-control-approval-board.snapshot.json", "docs/security/source-control-reconcile-plan.snapshot.json", "docs/security/source-control-ref-detail-diff.snapshot.json", @@ -116,11 +117,13 @@ ], "current_gap": [ "7 個 targets 仍需人工批准", + "S4.10 已建立 GitHub target owner decision response 收件包,但目前 received_response_count=0、accepted_response_count=0", "ewoooc / momo-pro-system canonical 關係尚未確認", "bitan-pharmacy 與 tsenyang-website GitHub target 未確認" ], "allowed_now": [ "顯示 approval board", + "mirror S4.10 owner decision response templates、acceptance checks 與 rejection rules", "要求 repo owner 補決策", "更新 visibility decision table" ], @@ -165,7 +168,8 @@ "evidence_refs": [ "docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md", "docs/security/source-control-ref-detail-diff.snapshot.json", - "docs/security/source-control-ref-truth-classification.snapshot.json" + "docs/security/source-control-ref-truth-classification.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "allowed_now": [ "顯示 refs truth review lane", @@ -195,7 +199,8 @@ ], "evidence_refs": [ "docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md", - "docs/security/source-control-reconcile-plan.snapshot.json" + "docs/security/source-control-reconcile-plan.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "allowed_now": [ "顯示 refs blocked reason", @@ -224,7 +229,8 @@ ], "evidence_refs": [ "docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md", - "docs/security/source-control-reconcile-plan.snapshot.json" + "docs/security/source-control-reconcile-plan.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "allowed_now": [ "顯示 GitHub-only refs review lane", @@ -253,7 +259,8 @@ ], "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md", - "docs/security/github-target-decision.snapshot.json" + "docs/security/github-target-decision.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "allowed_now": [ "顯示 internal remote purpose review", @@ -283,7 +290,8 @@ "evidence_refs": [ "docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md", "docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md", - "docs/security/github-target-decision.snapshot.json" + "docs/security/github-target-decision.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "allowed_now": [ "顯示 target creation/access review", @@ -312,7 +320,8 @@ ], "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", - "docs/security/github-target-decision.snapshot.json" + "docs/security/github-target-decision.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "allowed_now": [ "顯示 target creation/access review", @@ -341,7 +350,8 @@ ], "evidence_refs": [ "docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md", - "docs/security/github-target-decision.snapshot.json" + "docs/security/github-target-decision.snapshot.json", + "docs/security/github-target-owner-decision-response.snapshot.json" ], "allowed_now": [ "顯示 target creation/access review",