From 1d31c4f2b9cf2dc8d7bc1699b48305d997a9f02c Mon Sep 17 00:00:00 2001 From: Your Name Date: Mon, 18 May 2026 16:15:55 +0800 Subject: [PATCH] docs(security): add github target collection checks --- docs/LOGBOOK.md | 17 ++++- ...get_owner_decision_response_v1.schema.json | 33 +++++++++ ...WOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md | 8 +-- ...ECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md | 14 ++-- ...EA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md | 2 +- .../GITHUB-TARGET-OWNER-DECISION-RESPONSE.md | 27 ++++++-- .../GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md | 2 +- ...GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md | 2 +- docs/security/SECURITY-APPROVAL-GATE.md | 2 +- docs/security/SECURITY-APPROVAL-QUEUE.md | 2 +- .../SECURITY-APPROVAL-REVIEW-PACKET.md | 2 +- .../SECURITY-FOLLOWUP-RUNTIME-GATE.md | 2 +- docs/security/SECURITY-MIRROR-DRY-RUN.md | 2 +- docs/security/SECURITY-MIRROR-READINESS.md | 2 +- .../security/SECURITY-MIRROR-STATUS-ROLLUP.md | 5 +- ...SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md | 4 +- .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 13 ++-- .../security/SOURCE-CONTROL-APPROVAL-BOARD.md | 2 +- ...ONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md | 2 +- .../SOURCE-CONTROL-PRIMARY-READINESS-GATE.md | 8 +-- ...rget-owner-decision-response.snapshot.json | 69 +++++++++++++++++++ .../security-approval-gate.snapshot.json | 4 +- .../security-approval-queue.snapshot.json | 6 +- ...urity-approval-review-packet.snapshot.json | 4 +- ...curity-followup-runtime-gate.snapshot.json | 4 +- .../security-mirror-dry-run.snapshot.json | 2 +- .../security-mirror-readiness.snapshot.json | 4 +- ...ecurity-mirror-status-rollup.snapshot.json | 24 +++++-- ...pply-chain-contract-manifest.snapshot.json | 4 +- ...ource-control-approval-board.snapshot.json | 2 +- ...r-response-validation-rollup.snapshot.json | 2 +- ...ntrol-primary-readiness-gate.snapshot.json | 4 +- .../security-mirror-progress-guard.py | 1 + .../source-control-owner-response-guard.py | 8 +++ 34 files changed, 223 insertions(+), 66 deletions(-) diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index acbb648ae..a3a1a9fc7 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,10 +1,25 @@ +## 2026-05-18 | 資安供應鏈 S4.10:GitHub Target Owner Response Collection Checks + +**背景**:S4.10 已有 request packet、template status ledger、audit event templates 與 redaction examples;本輪補上 6 個 collection checks,讓 AwoooP 在顯示 request packet 到收回 owner response 之間,能固定維持 request / received / accepted 狀態分離,避免把 request ready、audit template 或 redaction example 誤判成 owner response 已收到或已接受。 + +**完成**: +- `github_target_owner_decision_response_v1` schema 新增 optional `owner_response_collection_checks`,summary 新增 `owner_response_collection_check_count=6`。 +- `github-target-owner-decision-response.snapshot.json` 新增 6 個 collection checks:request packet displayed、read-only submission mode、seven target tracking、redacted evidence only、no approval language、audit metadata only。 +- `source-control-owner-response-guard.py` 反查 S4.10 collection check count、check id 順序、display order、`required=true`、`execution_authorized=false` 與 `not_approval=true`。 +- 更新 S4.10 人讀文件與 AwoooP / readiness / approval / status rollup / manifest / progress 顯示說明。 + +**仍禁止**: +- 不把 S4.10 collection checks 當成 owner response received、accepted 或 AwoooP production ingestion。 +- 不把 owner wording 裡的「同意 / OK / 可進行」當成 repo creation、visibility change、refs sync、delete refs、force push 或 GitHub primary approval。 +- 不保存 owner response raw body、token value、secret value、private clone URL credential、repo archive、git object pack、DB dump 或 execution request payload。 + ## 2026-05-18 | 資安供應鏈:58% Headline Progress 判讀與 Delta Ledger **背景**:統帥提醒整體進度看起來像卡住;實際原因是 58% 為 headline progress,只在 owner response、runtime gate、payload ingestion、GitHub primary readiness 或 AwoooP production landing 等高層 gate 有實質 evidence 時調整。近期 S4.10 多輪工作屬於 framework detail,應顯示微進度,但不能灌水成落地進度。 **完成**: - `security_mirror_status_rollup_v1` schema 新增 `progress_display_policy` 與 `progress_delta_ledger`。 -- `security-mirror-status-rollup.snapshot.json` 固定 58% 為 `holding_until_owner_response_or_runtime_gate`,並列出 4 個 S4.10 micro progress:request packet、template status ledger、audit event templates、redaction examples。 +- `security-mirror-status-rollup.snapshot.json` 固定 58% 為 `holding_until_owner_response_or_runtime_gate`,並列出 5 個 S4.10 micro progress:request packet、template status ledger、audit event templates、redaction examples、collection checks。 - `SECURITY-MIRROR-STATUS-ROLLUP.md` 與 `SECURITY-SUPPLY-CHAIN-PROGRESS.md` 新增「為什麼 58% 看起來沒動」說明,明確列出 headline 要再往上所需的 owner response / runtime gate / primary readiness evidence。 - `security-mirror-progress-guard.py` 補驗證 progress display policy 與 delta ledger,避免後續把 micro progress 誤當成 authorization。 diff --git a/docs/schemas/github_target_owner_decision_response_v1.schema.json b/docs/schemas/github_target_owner_decision_response_v1.schema.json index 379e72ce6..488157e50 100644 --- a/docs/schemas/github_target_owner_decision_response_v1.schema.json +++ b/docs/schemas/github_target_owner_decision_response_v1.schema.json @@ -62,6 +62,7 @@ "owner_response_template_status_count", "owner_response_audit_event_template_count", "owner_response_redaction_example_count", + "owner_response_collection_check_count", "response_template_count", "received_response_count", "accepted_response_count", @@ -86,6 +87,7 @@ "owner_response_template_status_count": {"type": "integer", "minimum": 0}, "owner_response_audit_event_template_count": {"type": "integer", "minimum": 0}, "owner_response_redaction_example_count": {"type": "integer", "minimum": 0}, + "owner_response_collection_check_count": {"type": "integer", "minimum": 0}, "response_template_count": {"type": "integer", "minimum": 0}, "received_response_count": {"type": "integer", "minimum": 0}, "accepted_response_count": {"type": "integer", "minimum": 0}, @@ -281,6 +283,37 @@ }, "minItems": 1 }, + "owner_response_collection_checks": { + "type": "array", + "description": "AwoooP 顯示 S4.10 request packet 到收回 GitHub target owner response 之間的只讀收件檢查;不得把 request ready、audit template、redaction example 誤判為 response received / accepted。", + "items": { + "type": "object", + "required": [ + "check_id", + "display_order", + "title", + "required", + "pass_condition", + "failure_lane", + "awooop_display", + "execution_authorized", + "not_approval" + ], + "properties": { + "check_id": {"type": "string"}, + "display_order": {"type": "integer", "minimum": 1}, + "title": {"type": "string"}, + "required": {"type": "boolean"}, + "pass_condition": {"type": "string"}, + "failure_lane": {"type": "string"}, + "awooop_display": {"type": "string"}, + "execution_authorized": {"type": "boolean", "const": false}, + "not_approval": {"type": "boolean", "const": true} + }, + "additionalProperties": false + }, + "minItems": 1 + }, "response_templates": { "type": "array", "items": { diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md index 38482e06a..3ed544b3b 100644 --- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md +++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md @@ -48,8 +48,8 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 顯示 public-only evidence、S4.5 authenticated/admin export request、S4.6 redacted import acceptance、S4.7 owner coverage attestation、S4.9 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;不保存 token value、不刪除或停用 Gitea repo | | `local_git_remote_inventory_v1` | 本機可見 Git working tree remote | Source-control coverage evidence、migration matrix | mirror-only | 不視為 Gitea server 全量、不修改 remote | | `github_target_probe_v1` | 候選 GitHub repo read-only probe | Migration target evidence | mirror-only | `not_found_or_private` 不等同確認不存在 | -| `github_target_decision_v1` | GitHub target 建立與可見性決策草案;S4.10 owner decision response request packet / 收件包 | Approval candidate、Migration target evidence | mirror-only | approval 前不得建立 repo、修改 visibility、同步 refs;S4.10 request packet 只顯示 7 個 target 要求,template status ledger 逐項顯示 waiting / request ready,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只顯示可接受的脫敏 metadata shape,response 目前 0 筆,不代表執行批准 | -| `github_target_repo_approval_package_v1` | GitHub target 逐 repo approval package;S4.10 request packet / template status ledger / audit event templates / redaction examples / response templates | Approval queue、Migration target evidence | mirror-only | 低摩擦,只 gate 高風險執行;request packet 只顯示 owner 要回覆什麼,response 通過也只更新 read-only evidence | +| `github_target_decision_v1` | GitHub target 建立與可見性決策草案;S4.10 owner decision response request packet / 收件包 | Approval candidate、Migration target evidence | mirror-only | approval 前不得建立 repo、修改 visibility、同步 refs;S4.10 request packet 只顯示 7 個 target 要求,template status ledger 逐項顯示 waiting / request ready,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只顯示可接受的脫敏 metadata shape,collection checks 只維持 request / received / accepted 分離,response 目前 0 筆,不代表執行批准 | +| `github_target_repo_approval_package_v1` | GitHub target 逐 repo approval package;S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / response templates | Approval queue、Migration target evidence | mirror-only | 低摩擦,只 gate 高風險執行;request packet 只顯示 owner 要回覆什麼,response 通過也只更新 read-only evidence | | `source_control_approval_board_v1` | 逐 repo owner / visibility / canonical / refs 決策 board | Approval queue、PR reviewer handoff | approval-only | 只顯示決策隊列,不執行 board item | | `source_control_reconcile_plan_v1` | refs-blocked repo draft reconcile plan | Approval candidate、migration reviewer handoff | approval-only | 只顯示草案;S4.11 response 通過前只更新 wording,不 push refs、不切 primary | | `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff,不 fetch、不 push、不刪 refs | @@ -123,7 +123,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `approval_required_event_v1.requested_action=run_gitea_readonly_inventory` | `approve_required` | 只允許 read-only token 或 redacted admin export,不保存 token value | | `local_git_remote_inventory_v1.status=partial` | `observe` | 補 server-side inventory,不做主控切換 | | `github_target_probe_v1.status=ok` 且有 `not_found_or_private` | `observe` | 補 GitHub target 決策,不自動建立 repo | -| `github_target_decision_v1.approval_required_count>0` | `approve_required` | 產生 approval candidate,並顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples 與 owner decision response templates;不執行 repo 建立、visibility 修改、refs sync 或 primary switch | +| `github_target_decision_v1.approval_required_count>0` | `approve_required` | 產生 approval candidate,並顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與 owner decision response templates;不執行 repo 建立、visibility 修改、refs sync 或 primary switch | | `github_target_repo_approval_package_v1.status=draft` | `observe` | 建立 approval queue draft,不阻擋 read-only evidence;S4.10 response 通過前不得視為 repo / visibility / refs 批准 | | `source_control_approval_board_v1.pending_approval_count>0` | `approve_required` | 顯示逐 repo 決策隊列,不執行 repo 建立、visibility 修改、refs sync | | `source_control_reconcile_plan_v1.status=draft_blocked` | `approve_required` | 只顯示 refs reconcile 草案與 gate,不執行 sync | @@ -217,7 +217,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 1. AwoooP 主線先把本清單視為契約消費檢查清單。 2. Security Supply Chain Session 補齊 Gitea 全量 repo inventory 的只讀 token 或管理匯出來源。 3. AwoooP 先 mirror S4.13 owner response validation rollup,集中顯示 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets;不得把 rollup 視為 approval 或 execution authorization。 -4. Security Supply Chain Session 依 S4.10 request packet 與 template status ledger 收到並驗收 7 個 GitHub target owner / visibility / canonical response。 +4. Security Supply Chain Session 依 S4.10 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response。 5. Security Supply Chain Session 依 S4.11 收到並驗收 5 個 refs truth owner response templates;response 通過也只更新 read-only classification / reconcile / readiness wording。 6. Security Supply Chain Session 依 S4.12 收到並驗收 5 個 workflow / secret 名稱 owner response templates;response 通過也只更新 read-only inventory / export request / readiness wording。 7. AwoooP 只建立 mirror/read-only policy 入口,不新增 execution action。 diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index bd32176c9..f4539d774 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md @@ -36,7 +36,7 @@ AwoooP 目前應同步顯示 S4.9-S4.13 owner response 缺口、Gitea authenticated inventory partial 狀態、GitHub primary ready 0/7、workflow / secret inventory complete 0,以及 Kali `/execute` block candidate。這些狀態只供治理與人工審查,不代表 scan、repo 建立、refs sync、workflow 修改、secret 搬移、runner 啟用或 GitHub primary cutover 已獲授權。 -2026-05-18 補充:58% 是 headline progress,近期 S4.10 request packet、template status ledger、audit event templates 與 redaction examples 屬於 framework detail,所以會列入 `progress_delta_ledger`,但 `headline_percent_delta=0`。headline 要再往上,需要 owner response received / accepted、redacted payload ingestion、active runtime gate、GitHub primary readiness 或 AwoooP production ingestion 等實質 evidence。 +2026-05-18 補充:58% 是 headline progress,近期 S4.10 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 屬於 framework detail,所以會列入 `progress_delta_ledger`,但 `headline_percent_delta=0`。headline 要再往上,需要 owner response received / accepted、redacted payload ingestion、active runtime gate、GitHub primary readiness 或 AwoooP production ingestion 等實質 evidence。 同步驗收時可先跑: @@ -393,7 +393,7 @@ Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json` Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json` -目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆、primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner response request packet 1 筆、template statuses 7 筆、audit event templates 3 筆、owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;S4.11 refs truth owner response templates 5 筆、received response 0 筆、accepted response 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、display sections 8 筆、collection checks 6 筆、S4.9 owner response templates 5 筆、intake preflight checks 6 筆、outcome lanes 5 筆、received response 0 筆、audit events emitted 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆、S4.12 owner response templates 5 筆、received response 0 筆、accepted response 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 +目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆、primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner response request packet 1 筆、template statuses 7 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;S4.11 refs truth owner response templates 5 筆、received response 0 筆、accepted response 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、display sections 8 筆、collection checks 6 筆、S4.9 owner response templates 5 筆、intake preflight checks 6 筆、outcome lanes 5 筆、received response 0 筆、audit events emitted 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆、S4.12 owner response templates 5 筆、received response 0 筆、accepted response 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。 @@ -547,7 +547,7 @@ S4.6 支援性驗收:已新增 `docs/schemas/gitea_authenticated_inventory_imp S4.7 支援性 owner attestation:已新增 `docs/schemas/gitea_inventory_coverage_attestation_v1.schema.json`、`docs/security/gitea-inventory-coverage-attestation.snapshot.json` 與 `docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md`。此 attestation 仍不新增第 36 個主 contract,只定義 public-only / local remote gap、org/user endpoint、110 internal adjacent source、canonical owner 與 legacy/inaccessible disposition 的 owner decision;目前 `required_attestation_item_count=5`、`received_attestation_count=0`、`accepted_attestation_count=0`、`runtime_execution_authorized=false`,不得把 attestation request 視為 repo migration approval。 -S4.9 支援性 owner response request packet 與收件包:已新增 `docs/schemas/gitea_inventory_owner_attestation_response_v1.schema.json`、`docs/security/gitea-inventory-owner-attestation-response.snapshot.json` 與 `docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md`。此 response packet 仍不新增第 36 個主 contract,只定義 AwoooP 可顯示給 owner 的回覆請求、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner 回覆 S4.7 五個 items 時的必填欄位、intake preflight checks、outcome lanes、驗收規則、拒收規則與 allowed output;目前 `owner_response_request_packet_count=1`、`owner_response_template_status_count=5`、`owner_response_audit_event_template_count=3`、`owner_response_redaction_example_count=5`、`owner_response_display_section_count=8`、`owner_response_collection_check_count=6`、`required_response_item_count=5`、`intake_preflight_check_count=6`、`intake_outcome_lane_count=5`、`received_response_count=0`、`accepted_response_count=0`、`runtime_execution_authorized=false`,不得把 request packet、template status ledger、audit event templates、redaction examples、display sections 或 response packet 視為 read-only inventory 已執行、audit production ingestion、repo migration approval 或 GitHub primary approval。 +S4.9 支援性 owner response request packet 與收件包:已新增 `docs/schemas/gitea_inventory_owner_attestation_response_v1.schema.json`、`docs/security/gitea-inventory-owner-attestation-response.snapshot.json` 與 `docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md`。此 response packet 仍不新增第 36 個主 contract,只定義 AwoooP 可顯示給 owner 的回覆請求、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner 回覆 S4.7 五個 items 時的必填欄位、intake preflight checks、outcome lanes、驗收規則、拒收規則與 allowed output;目前 `owner_response_request_packet_count=1`、`owner_response_template_status_count=5`、`owner_response_audit_event_template_count=3`、`owner_response_redaction_example_count=5`、`owner_response_display_section_count=8`、`owner_response_collection_check_count=6`、`required_response_item_count=5`、`intake_preflight_check_count=6`、`intake_outcome_lane_count=5`、`received_response_count=0`、`accepted_response_count=0`、`runtime_execution_authorized=false`,不得把 request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks 或 response packet 視為 read-only inventory 已執行、audit production ingestion、repo migration approval 或 GitHub primary approval。 ### `local_git_remote_inventory_v1` @@ -647,7 +647,7 @@ Schema:`docs/schemas/github_target_decision_v1.schema.json` } ``` -AwoooP 初期處理方式:作為 approval candidate 與 migration target evidence;需同時顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、owner decision response templates、received_response_count=0 與 rejection rules;不得直接建立 GitHub repo、修改 visibility、同步 refs 或切 GitHub primary。 +AwoooP 初期處理方式:作為 approval candidate 與 migration target evidence;需同時顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、owner decision response templates、received_response_count=0 與 rejection rules;不得直接建立 GitHub repo、修改 visibility、同步 refs 或切 GitHub primary。 ### `github_target_owner_decision_response_v1` @@ -670,7 +670,7 @@ Schema:`docs/schemas/github_target_owner_decision_response_v1.schema.json` } ``` -AwoooP 初期處理方式:mirror 成 owner response request / status / review lane。request packet 只顯示要請 owner 回覆哪 7 個 target 與不得貼什麼,template status ledger 只逐項顯示 waiting / request ready,audit event templates 只定義 0 emitted 的脫敏 metadata;response 通過後只更新 read-only decision table、approval package、approval board 與 primary readiness gate;不得把 request packet、template status ledger、audit event templates、redaction examples 或 response packet 當成 repo creation、visibility change、refs sync 或 GitHub primary approval。 +AwoooP 初期處理方式:mirror 成 owner response request / status / review lane。request packet 只顯示要請 owner 回覆哪 7 個 target 與不得貼什麼,template status ledger 只逐項顯示 waiting / request ready,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範脫敏 metadata shape,collection checks 只維持 request / received / accepted 分離;response 通過後只更新 read-only decision table、approval package、approval board 與 primary readiness gate;不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 repo creation、visibility change、refs sync 或 GitHub primary approval。 ### `github_target_repo_approval_package_v1` @@ -689,7 +689,7 @@ Schema:`docs/schemas/github_target_repo_approval_package_v1.schema.json` } ``` -AwoooP 初期處理方式:mirror 成 approval queue draft,並連到 S4.10 request packet / template status ledger / audit event templates / redaction examples / response 收件包。低摩擦原則下,read-only evidence 不被阻擋;只有 repo creation、visibility change、refs sync、primary switch 等高風險執行才需要 approval。 +AwoooP 初期處理方式:mirror 成 approval queue draft,並連到 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / response 收件包。低摩擦原則下,read-only evidence 不被阻擋;只有 repo creation、visibility change、refs sync、primary switch 等高風險執行才需要 approval。 ### `approval_required_event_v1` @@ -877,7 +877,7 @@ Console 初期不提供高風險執行按鈕。 2026-05-12 GitHub target repo-by-repo approval package 追加:已新增 `docs/schemas/github_target_repo_approval_package_v1.schema.json`、`docs/security/github-target-repo-approval-package.snapshot.json` 與 `docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md`。7 個 approval-required targets 已拆成逐 repo pending package;依統帥提醒採低摩擦分階段,不把 read-only evidence 變成阻擋條件。 -2026-05-17 S4.10 GitHub target owner decision response 收件包追加,2026-05-18 補 request packet、template status ledger、audit event templates 與 redaction examples:已新增 `docs/schemas/github_target_owner_decision_response_v1.schema.json`、`docs/security/github-target-owner-decision-response.snapshot.json` 與 `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md`。AwoooP 可顯示 1 個 owner response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、7 個 response templates、8 個 acceptance checks 與 10 個 rejection rules;目前收到 response 0 筆、接受 0 筆,仍不得建立 repo、修改 visibility、sync refs、切 GitHub primary 或停用 Gitea。 +2026-05-17 S4.10 GitHub target owner decision response 收件包追加,2026-05-18 補 request packet、template status ledger、audit event templates、redaction examples 與 collection checks:已新增 `docs/schemas/github_target_owner_decision_response_v1.schema.json`、`docs/security/github-target-owner-decision-response.snapshot.json` 與 `docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md`。AwoooP 可顯示 1 個 owner response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、7 個 response templates、8 個 acceptance checks 與 10 個 rejection rules;目前收到 response 0 筆、接受 0 筆,仍不得建立 repo、修改 visibility、sync refs、切 GitHub primary 或停用 Gitea。 2026-05-12 低摩擦 rollout policy 追加:已新增 `docs/schemas/security_rollout_policy_v1.schema.json`、`docs/security/security-rollout-policy.snapshot.json` 與 `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md`。AwoooP 初期應採 observe-first / mirror-only,不把 LOW / MEDIUM observation 變成 blocking controls。 diff --git a/docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md b/docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md index 577ebe921..c9dc4c59a 100644 --- a/docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md +++ b/docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md @@ -72,7 +72,7 @@ AwoooP 可顯示 `owner_response_request_packet` 給 owner,要求只回覆 S4. ## 2.0.1 Owner Response Collection Checklist -AwoooP 顯示 request packet 後,必須用 `owner_response_collection_checks` 維持 request / response / accepted 三種狀態分離: +AwoooP 顯示 request packet 後,必須用 `owner_response_collection_checks` 維持 request / received / accepted 三種狀態分離: | 順序 | 檢查 | 目的 | |------|------|------| diff --git a/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md b/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md index a432a9a60..f06a5d8ad 100644 --- a/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md +++ b/docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md @@ -30,6 +30,7 @@ S4.10 不是 repo creation approval、不是 visibility change approval、不是 | owner response template statuses | 7 | | owner response audit event templates | 3 | | owner response redaction examples | 5 | +| owner response collection checks | 6 | | response templates | 7 | | 已收到 response | 0 | | 已接受 response | 0 | @@ -102,6 +103,21 @@ S4.10 redaction examples 只讓 AwoooP / owner 知道「可以怎麼安全描述 這 5 個 examples 都是 `template_example_only`,`stored_raw_payload_allowed=false`。它們不代表 owner response 已收到、已驗收或已批准;也不授權 repo creation、visibility change、refs sync、delete refs、force push、GitHub primary switch 或 GitHub/Gitea write。 +## 1.5 Owner Response Collection Checks + +AwoooP 顯示 S4.10 request packet 後,必須用 `owner_response_collection_checks` 維持 request / received / accepted 三種狀態分離: + +| Check | 目的 | 失敗 lane | +|-------|------|-----------| +| `collection-github-target-request-packet-displayed` | 只顯示 7 個 target templates、允許欄位、脫敏 evidence 規則與禁止 payload | `keep_waiting_owner_response` | +| `collection-github-target-read-only-submission-mode` | 收件模式只允許 read-only response 或 redacted metadata pointer | `quarantine_sensitive_payload` | +| `collection-seven-target-template-tracking` | 7 個 GitHub targets 必須逐項追蹤,不接受單一整體同意 | `request_more_evidence` | +| `collection-github-target-redacted-evidence-only` | 只收 repo 內路徑、snapshot path 或脫敏 metadata pointer | `quarantine_sensitive_payload` | +| `collection-github-target-no-approval-language` | 不把「同意 / OK / 可進行」升級成 repo / refs / primary approval | `reject_execution_request` | +| `collection-github-target-audit-metadata-only` | 只記錄 request / response / outcome 的脫敏 audit metadata | `quarantine_sensitive_payload` | + +這 6 個 checks 都是 required,但只約束 AwoooP 如何顯示與收件。它們不是 owner response accepted,也不授權 repo creation、visibility change、refs sync、delete refs、force push、GitHub primary switch、workflow / secret / runner 變更或任何 runtime action。 + ## 2. Owner Response 必填欄位 每筆 response 至少要能回答: @@ -168,11 +184,12 @@ S4.10 redaction examples 只讓 AwoooP / owner 知道「可以怎麼安全描述 2. 顯示 7 個 owner response template statuses。 3. 顯示 3 個 owner response audit event templates。 4. 顯示 5 個 owner response redaction examples。 -5. 顯示 7 個 owner decision response templates。 -6. 顯示 acceptance checks 與 rejection rules。 -7. 在 owner response 到來後,只更新 read-only decision table、approval package、approval board、primary readiness gate 與 status rollup。 -8. 將不完整或可疑 response 放進 mirror quarantine。 -9. 持續顯示 `received_response_count=0`、`accepted_response_count=0`,直到真的收到脫敏 response。 +5. 顯示 6 個 owner response collection checks。 +6. 顯示 7 個 owner decision response templates。 +7. 顯示 acceptance checks 與 rejection rules。 +8. 在 owner response 到來後,只更新 read-only decision table、approval package、approval board、primary readiness gate 與 status rollup。 +9. 將不完整或可疑 response 放進 mirror quarantine。 +10. 持續顯示 `received_response_count=0`、`accepted_response_count=0`,直到真的收到脫敏 response。 ## 8. AwoooP 不可做 diff --git a/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md b/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md index 8af252352..0eaefdb29 100644 --- a/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md +++ b/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md @@ -21,7 +21,7 @@ 這份 package 只讓 AwoooP / 統帥看到每個 repo 的批准條件與禁止動作,不代表已批准 push、mirror、repo creation、visibility 修改或 GitHub primary。 -S4.10 已補 1 個 owner response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples 與 7 個 owner decision response templates。owner response 通過後只允許更新 read-only decision table、approval package、approval board 與 primary readiness gate;它不等於 repo creation、visibility change、refs sync 或 primary approval。 +S4.10 已補 1 個 owner response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 7 個 owner decision response templates。owner response 通過後只允許更新 read-only decision table、approval package、approval board 與 primary readiness gate;它不等於 repo creation、visibility change、refs sync 或 primary approval。 ## 0.1 低摩擦分階段原則 diff --git a/docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md b/docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md index ae0337c90..e0e965d97 100644 --- a/docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md +++ b/docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md @@ -21,7 +21,7 @@ 因此現階段不得建立自動 mirror,也不得把 GitHub primary 視為 ready。 -S4.10 已補 owner decision response request packet、template status ledger、audit event templates、redaction examples 與收件包;它只定義 7 個 approval-required targets 的回覆請求、回覆欄位、驗收規則與拒收規則,目前 received / accepted response 皆為 0,不代表 repo creation、visibility change、refs sync 或 primary approval。 +S4.10 已補 owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包;它只定義 7 個 approval-required targets 的回覆請求、回覆欄位、驗收規則與拒收規則,目前 received / accepted response 皆為 0,不代表 repo creation、visibility change、refs sync 或 primary approval。 ## 1. 決策表 diff --git a/docs/security/SECURITY-APPROVAL-GATE.md b/docs/security/SECURITY-APPROVAL-GATE.md index 6d316e06b..9dd001836 100644 --- a/docs/security/SECURITY-APPROVAL-GATE.md +++ b/docs/security/SECURITY-APPROVAL-GATE.md @@ -38,7 +38,7 @@ S3.1 開始,實際人工決策紀錄由 `security_approval_decision_record_v1` | 1 | Redacted finding ingestion | 只批准設計或 draft PR | | 2 | Safe web crawl | 只批准低噪音 scope 定義 | | 3 | Gitea owner attestation + read-only inventory | 先依 S4.9 驗收 S4.7 owner response,再只批准只讀 inventory 或 redacted admin export | -| 4 | GitHub target decisions | 只批准逐 repo S4.10 request packet / template status ledger / audit event templates / redaction examples / response 與 S4.12 workflow / secret 名稱 response 驗收與決策草案 | +| 4 | GitHub target decisions | 只批准逐 repo S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / response 與 S4.12 workflow / secret 名稱 response 驗收與決策草案 | | 5 | Ref truth review | 只批准 S4.11 owner response 驗收、人工分類與 reconcile 草案 | | 6 | Credentialed scan | 只允許人工 exception 設計,仍需 runtime gate | | 7 | Kali full-upgrade / reboot | 只允許維護窗口與 rollback 規劃 | diff --git a/docs/security/SECURITY-APPROVAL-QUEUE.md b/docs/security/SECURITY-APPROVAL-QUEUE.md index c396ef7f6..cdc78d0df 100644 --- a/docs/security/SECURITY-APPROVAL-QUEUE.md +++ b/docs/security/SECURITY-APPROVAL-QUEUE.md @@ -35,7 +35,7 @@ S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1 | 1 | `kali-finding-runtime-ingestion-approval-20260513` | 先接 redacted finding evidence,風險低、價值高 | | 2 | `kali-safe-web-crawl-approval-20260513` | TLS/header/basic crawl 屬低噪音,但仍需批准 scope | | 3 | `gitea-private-internal-server-side-inventory-2026-05-12` | 先依 S4.9 收到並驗收 S4.7 owner coverage attestation response,再審 Gitea 全量版本轉 GitHub 的只讀 inventory gate | -| 4 | `source-control-target-repo-approval-bundle-20260513` | 先依 S4.10 request packet / template status ledger / audit event templates / redaction examples 驗收逐 repo owner / visibility / canonical response,並依 S4.12 驗收 workflow / secret 名稱 owner response | +| 4 | `source-control-target-repo-approval-bundle-20260513` | 先依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks 驗收逐 repo owner / visibility / canonical response,並依 S4.12 驗收 workflow / secret 名稱 owner response | | 5 | `source-control-ref-truth-review-bundle-20260513` | 先依 S4.11 驗收 refs truth owner response,再看 deprecated / release tag review | | 6 | `kali-credentialed-scan-approval-20260513` | 需要憑證,風險較高 | | 7 | `kali-full-upgrade-reboot-approval-20260513` | 需要維護窗口、snapshot、rollback 與 post-check | diff --git a/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md b/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md index 8d010ea13..5a01dada7 100644 --- a/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md +++ b/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md @@ -39,7 +39,7 @@ S3.4 開始,等待 runtime gate 時要看哪些前置條件,由 `security_fo | 1 | Redacted finding ingestion | `design_or_draft_review` | 只審是否可設計或建立 draft PR | | 2 | Safe web crawl | `low_noise_scan_scope_review` | 只審低噪音 scope 定義 | | 3 | Gitea owner attestation + read-only inventory | `read_only_inventory_review` | 先依 S4.9 審 S4.7 owner response,再審只讀 token 或 redacted export | -| 4 | GitHub target decisions | `design_or_draft_review` | 先審 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / response 與 S4.12 workflow / secret 名稱 response,再審 owner / visibility / canonical 草案 | +| 4 | GitHub target decisions | `design_or_draft_review` | 先審 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / response 與 S4.12 workflow / secret 名稱 response,再審 owner / visibility / canonical 草案 | | 5 | Ref truth review | `design_or_draft_review` | 先審 S4.11 owner response 驗收,再審人工分類與 reconcile 草案 | | 6 | Credentialed scan | `manual_exception_review` | 只審 exception 設計 | | 7 | Kali full-upgrade / reboot | `manual_exception_review` | 只審維護窗口與 rollback 計畫 | diff --git a/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md b/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md index b79bb9553..3ccd443d1 100644 --- a/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md +++ b/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md @@ -34,7 +34,7 @@ | Redacted finding ingestion | MEDIUM | 只準備 ingestion adapter 的 redaction / audit 前置條件 | | Safe web crawl scope | MEDIUM | 只準備 TLS/header/basic crawl 的低噪音 scope | | Gitea owner attestation + read-only inventory | MEDIUM | 先依 S4.9 驗收 S4.7 owner response,再準備 read-only token 或 redacted export inventory | -| GitHub target decision | HIGH | 只準備 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / response、S4.12 workflow / secret 名稱 response 驗收、owner / visibility / canonical / workflow parity 決策 | +| GitHub target decision | HIGH | 只準備 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / response、S4.12 workflow / secret 名稱 response 驗收、owner / visibility / canonical / workflow parity 決策 | | Ref truth review | HIGH | 只準備 S4.11 owner response 驗收、refs truth / deprecated / release tag 人工判定 | | Credentialed scan exception | HIGH | 只準備人工 exception、credential lifecycle 與停用方式 | | Kali full-upgrade / reboot | HIGH | 只準備維護窗口、snapshot、rollback 與 post-health | diff --git a/docs/security/SECURITY-MIRROR-DRY-RUN.md b/docs/security/SECURITY-MIRROR-DRY-RUN.md index 3f84dad79..ef4bf120d 100644 --- a/docs/security/SECURITY-MIRROR-DRY-RUN.md +++ b/docs/security/SECURITY-MIRROR-DRY-RUN.md @@ -24,7 +24,7 @@ | `CHECK_ROUTE_COVERAGE` | 確認 route groups 覆蓋所有 contracts | 不建立 fallback execution route | | `CHECK_ACCEPTANCE_AND_QUARANTINE` | 確認驗收與隔離只處理 mirror payload | 不阻擋 runtime | | `CHECK_PROGRESS_GUARD` | 確認 58% headline 進度與 micro progress delta ledger 只作狀態顯示 | 不把進度或 delta ledger 當 approval 或 runtime authorization | -| `CHECK_OWNER_RESPONSE_GUARD` | 確認四包 owner response 仍未收到 / 接受,且 S4.9 request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / preflight / outcome lanes 只提示 owner、逐項顯示 waiting、只定義 0 emitted 的 metadata audit 模板、脫敏範例與只讀 UI 區塊、維持收件狀態分離、分類可審、補證、隔離、拒收或等待;S4.10 request packet / template status ledger / audit event templates / redaction examples 也只提示 7 個 GitHub target 要回覆的欄位、逐項顯示 waiting / request ready、定義 0 emitted 的脫敏 metadata | 不把 guard pass、request packet、template status ledger、audit event templates、redaction examples 或 response packet 當成 repo、refs、workflow、secret、runner、primary、audit production ingestion 或 runtime 授權 | +| `CHECK_OWNER_RESPONSE_GUARD` | 確認四包 owner response 仍未收到 / 接受,且 S4.9 request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / preflight / outcome lanes 只提示 owner、逐項顯示 waiting、只定義 0 emitted 的 metadata audit 模板、脫敏範例與只讀 UI 區塊、維持收件狀態分離、分類可審、補證、隔離、拒收或等待;S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks 也只提示 7 個 GitHub target 要回覆的欄位、逐項顯示 waiting / request ready、定義 0 emitted 的脫敏 metadata 並維持 request / received / accepted 分離 | 不把 guard pass、request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 repo、refs、workflow、secret、runner、primary、audit production ingestion 或 runtime 授權 | | `CHECK_LOW_NOISE_CHANNEL` | 確認 Channel Event 低噪音 | 不對 LOW / MEDIUM 洗版 | | `CONFIRM_NO_RUNTIME_ACTION` | 確認 dry-run 沒有任何 runtime action | 不掃描、不 deploy、不 sync refs | diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md index 0e4077020..f7380b2d5 100644 --- a/docs/security/SECURITY-MIRROR-READINESS.md +++ b/docs/security/SECURITY-MIRROR-READINESS.md @@ -87,7 +87,7 @@ AwoooP 可以將 ready / partial contracts mirror 到: 19. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 20. 最後再 mirror source-control 其他 contracts。 -GitHub target 決策面需同時 mirror S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` 與 `github-target-owner-decision-response.snapshot.json`,只顯示 1 個 owner response request packet、7 個 owner response template statuses、3 個 owner response audit event templates、5 個 owner response redaction examples、7 個 owner decision response templates、received / accepted response 皆為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 request packet、template status ledger、audit event templates、redaction examples 或 response packet 當成 repo creation、visibility change、refs sync 或 GitHub primary approval。 +GitHub target 決策面需同時 mirror S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` 與 `github-target-owner-decision-response.snapshot.json`,只顯示 1 個 owner response request packet、7 個 owner response template statuses、3 個 owner response audit event templates、5 個 owner response redaction examples、6 個 owner response collection checks、7 個 owner decision response templates、received / accepted response 皆為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 repo creation、visibility change、refs sync 或 GitHub primary approval。 Ref truth 決策面需同時 mirror S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` 與 `source-control-ref-truth-owner-response.snapshot.json`,只顯示 5 個 owner response templates、received / accepted response 皆為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 response packet 當成 refs sync、delete、force push 或 GitHub primary approval。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index a8b485814..d658b3b14 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -28,7 +28,7 @@ | Review packets | S3.2 已建立;8 packets、7 ready for human review、1 block candidate | | State transitions | S3.3 已建立;5 個 decision options 都有 next state,且都不授權執行 | | Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates | -| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples 與收件包,7 個 response templates、owner response 0 筆;S4.11 已補 refs truth owner response 收件包,5 個 response templates、owner response 0 筆;S4.12 已補 workflow / secret 名稱 owner response 收件包,5 個 response templates、owner response 0 筆;S4.13 已補四包 owner response validation rollup,22 個 templates、received / accepted / rejected 皆為 0 | +| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與收件包,7 個 response templates、owner response 0 筆;S4.11 已補 refs truth owner response 收件包,5 個 response templates、owner response 0 筆;S4.12 已補 workflow / secret 名稱 owner response 收件包,5 個 response templates、owner response 0 筆;S4.13 已補四包 owner response validation rollup,22 個 templates、received / accepted / rejected 皆為 0 | | GitHub primary rollback ADR | S4.4 已建立;7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover | | Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;S4.7 已補 owner coverage attestation;S4.8 已把既有 Gitea queue/gate/review packet/follow-up gate 對齊 attestation 先行;S4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、owner response 0 筆、audit events emitted 0 筆、敏感 payload 必須隔離、允許收集 token value=false | | Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;S4.12 補 5 個 owner response templates;0 個 inventory complete、禁止收集 secret value、禁止 write token | @@ -56,6 +56,7 @@ | S4.10 template status ledger | framework detail | 0 | 只逐項顯示 7 個 target 仍為 waiting,received / accepted 仍為 0 | | S4.10 audit event templates | framework detail | 0 | event templates 仍為 `template_only_not_emitted`,production ingestion 尚未啟用 | | S4.10 redaction examples | framework detail | 0 | 只示範安全 metadata shape,不代表 owner response 已收到或可執行 repo / refs / primary 動作 | +| S4.10 collection checks | framework detail | 0 | 只維持 request / received / accepted 狀態分離,不代表 owner response 已收到或已接受 | headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence: @@ -99,7 +100,7 @@ python3 scripts/security/security-mirror-progress-guard.py 1. redacted finding ingestion adapter。 2. safe web crawl scope。 3. Gitea private/internal read-only inventory:先依 S4.9 收到並驗收 S4.7 owner coverage attestation response,且 S4.8 已把這個先行條件接到既有 approval queue / gate / review packet / follow-up runtime gate;再依 S4.5 認證匯出請求補全量清冊;收到脫敏 payload 後先依 S4.6 驗收 / 拒收 / 隔離;目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆,不保存 token value。 -4. GitHub target / owner / visibility / canonical:先依 S4.10 request packet、template status ledger、audit event templates 與 redaction examples 收到並驗收 7 個 owner decision response templates;received / accepted response 目前皆為 0,不得把 request packet、template status ledger、audit event templates、redaction examples 或 response packet 當成 repo creation、visibility change、refs sync 或 primary approval。 +4. GitHub target / owner / visibility / canonical:先依 S4.10 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 收到並驗收 7 個 owner decision response templates;received / accepted response 目前皆為 0,不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 repo creation、visibility change、refs sync 或 primary approval。 5. Kali `/execute` 維持 block candidate。 6. Refs truth owner response:先依 S4.11 顯示 main/dev truth、deprecated drift、release tag、GitHub-only refs 的 5 個 response templates;received / accepted response 目前皆為 0,不得把 response packet 當成 refs sync、delete、force push 或 primary approval。 7. Workflow / secret 名稱 owner response:先依 S4.12 顯示 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 5 個 response templates;received / accepted response 目前皆為 0,不得把 response packet 當成 secret value 收集、workflow 修改、GitHub hosted runner 啟用或 primary approval。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md index cc5645bd9..efa65d3d5 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md @@ -42,7 +42,7 @@ | `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory;S4.5 已補認證清冊匯出請求,S4.6 已補匯入驗收契約,S4.7 已補 owner coverage attestation,S4.9 已補 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner response 收件包、intake preflight checks 與 outcome lanes | public-only / blocked endpoint / S4.5 export request / S4.6 import acceptance / S4.7 coverage attestation / S4.9 response snapshots | | `local_git_remote_inventory_v1` | mirror-only | 本機 remote coverage | `local-git-remote-inventory.snapshot.json` | | `github_target_probe_v1` | mirror-only | GitHub target visibility | `github-target-probe.snapshot.json` | -| `github_target_decision_v1` | mirror-only | GitHub target 決策;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples 與 owner decision response 收件包 | `github-target-decision.snapshot.json` / `github-target-owner-decision-response.snapshot.json` | +| `github_target_decision_v1` | mirror-only | GitHub target 決策;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與 owner decision response 收件包 | `github-target-decision.snapshot.json` / `github-target-owner-decision-response.snapshot.json` | | `github_target_repo_approval_package_v1` | approval-only | 逐 repo approval queue draft;S4.10 response 通過前不得視為 repo / visibility / refs 批准 | `github-target-repo-approval-package.snapshot.json` / `github-target-owner-decision-response.snapshot.json` | | `source_control_approval_board_v1` | approval-only | 逐 repo owner / visibility / canonical / refs 決策 board | `source-control-approval-board.snapshot.json` | | `source_control_reconcile_plan_v1` | approval-only | refs-blocked repo 的 draft reconcile plan;S4.11 response 通過前只更新草案 wording | `source-control-reconcile-plan.snapshot.json` / `source-control-ref-truth-owner-response.snapshot.json` | @@ -62,7 +62,7 @@ 3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。 4. 讀到 `source-control-ref-truth-owner-response.snapshot.json` 時,只顯示 S4.11 response templates、acceptance checks 與 rejection rules;不得新增 refs action。 5. 讀到 `source-control-owner-response-validation-rollup.snapshot.json` 時,只顯示 S4.9/S4.10/S4.11/S4.12 四個 response packets 的總覽:22 個 templates、received / accepted / rejected 皆為 0、cross-packet checks 10 個;不得把 rollup 當成 approval 或 execution authorization。 -6. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`github_target_decision_v1` 只能顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、owner decision response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 repo creation、visibility change、refs sync 或 primary switch;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner response 收件包、intake preflight checks、outcome lanes 與覆蓋缺口,不得觸發 token collection 或 Gitea write。 +6. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`github_target_decision_v1` 只能顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、owner decision response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 repo creation、visibility change、refs sync 或 primary switch;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner response 收件包、intake preflight checks、outcome lanes 與覆蓋缺口,不得觸發 token collection 或 Gitea write。 7. 不新增執行按鈕,不做 runtime enforcement。 ## 3. 永久禁止 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 3ec01dd2b..94fff77a9 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -27,7 +27,7 @@ python3 scripts/security/security-mirror-progress-guard.py ### 0.2 Headline 58% 不代表停滯 -近期 S4.10 request packet、template status ledger、audit event templates 與 redaction examples 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 +近期 S4.10 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 | 最近完成 | 目前狀態 | headline delta | |----------|----------|----------------| @@ -35,6 +35,7 @@ python3 scripts/security/security-mirror-progress-guard.py | S4.10 template status ledger | 已完成草案,7 個 targets 仍 waiting owner response | 0 | | S4.10 audit event templates | 已完成草案,`emitted_event_count=0` | 0 | | S4.10 redaction examples | 已完成草案,只示範脫敏 metadata shape | 0 | +| S4.10 collection checks | 已完成草案,只維持 request / received / accepted 狀態分離 | 0 | headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。 @@ -43,7 +44,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S0 文件與契約同步 | 完成 | Kali / Codex / GitHub / Gitea / AwoooP 邊界已文件化,核心 schema 草案已建立 | AwoooP 只讀 mirror 消費 | | S1 source-control read-only inventory | 進行中 | 已有 Gitea/GitHub refs、Gitea public-only user repo list、本機 remote、GitHub target probe、canonical lineage、110 refs evidence | Gitea private/internal 全量 repo list | | S1.0 Gitea 全量 inventory approval | 完成草案 | 已建立 read-only token / admin export approval package | 統帥或 repo owner 批准 | -| S1.1 GitHub target 決策 | 完成草案 | 8 個 target 候選,7 個需人工批准;3 個 `not_found_or_private` 不得自動建立;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples 與收件包 | owner / visibility / canonical response | +| S1.1 GitHub target 決策 | 完成草案 | 8 個 target 候選,7 個需人工批准;3 個 `not_found_or_private` 不得自動建立;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包 | owner / visibility / canonical response | | S1.2 GitHub target 逐 repo approval | 完成草案 | 7 個 approval-required targets 已拆成逐 repo pending package,並彙整成 8-item approval board;S4.10 目前 response 0 筆 | 低摩擦逐項批准 | | S1.2a refs reconcile plan | 完成草案 | `awoooi`、`clawbot-v5`、`wooo-aiops` 已產生 draft plan;狀態仍為 `draft_blocked` | authenticated inventory + branch/tag diff + single-repo approval | | S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff;已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs | @@ -79,7 +80,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S4.7 Gitea 清冊覆蓋 Owner Attestation | 完成草案 | 已建立 coverage attestation schema / snapshot / 人讀版;5 個 owner decision items、received attestation 0、accepted 0、execution authorized=false | owner 判定 public-only / local remote gap、org/user endpoint、110 adjacent source、canonical owner 與 legacy/inaccessible disposition;仍不可把 attestation 當 migration approval | | S4.8 Gitea Owner Attestation Approval Lane 對齊 | 完成草案 | 已將既有 Gitea approval queue / gate / review packet / follow-up runtime gate 對齊 S4.7 先行條件;queue items 維持 8、review packets 維持 8、active runtime gates 維持 0 | AwoooP 先顯示 5 個 attestation items,owner decision 接受前不得執行 read-only inventory 或標記 complete | | S4.9 Gitea Owner Attestation Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、5 個 response templates、6 個 intake preflight checks、5 個 outcome lanes、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依 request packet 與模板回覆 S4.7 五個 items;AwoooP 先用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離,再用 preflight / outcome lanes 判斷可審、補證、隔離、拒收或等待;response 通過只更新 read-only matrix / decision table / readiness gate,不代表 inventory 執行、audit production ingestion 或 primary approval | -| S4.10 GitHub Target Owner Decision Response 收件包 | 完成草案 | 已建立 owner decision response schema / snapshot / 人讀版;1 個 owner response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、7 個 response templates、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依 request packet、template status ledger、audit event templates、redaction examples 與模板回覆 7 個 GitHub target 的 owner / visibility / canonical;response 通過只更新 read-only decision table / approval package / approval board / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval | +| S4.10 GitHub Target Owner Decision Response 收件包 | 完成草案 | 已建立 owner decision response schema / snapshot / 人讀版;1 個 owner response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、7 個 response templates、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依 request packet、template status ledger、audit event templates、redaction examples、collection checks 與模板回覆 7 個 GitHub target 的 owner / visibility / canonical;response 通過只更新 read-only decision table / approval package / approval board / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval | | S4.11 Source Control Ref Truth Owner Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;5 個 response templates、8 個 acceptance checks、10 個 rejection rules、total ref review items 141、received response 0、accepted 0、execution authorized=false | owner 依模板回覆 main/dev truth、deprecated drift、release tag、GitHub-only refs;response 通過只更新 read-only classification / reconcile / readiness wording,不代表 refs sync、delete、force push 或 primary approval | | S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證,rollback ADR 仍待 owner approval | SHA/tag/workflow parity、rollback ADR owner approval 與 runtime gate | @@ -195,12 +196,12 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons ## 3. 下一階段建議 1. 先依 S4.9 `GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md` 收到並驗收 S4.7 `GITEA-INVENTORY-COVERAGE-ATTESTATION.md` 的 owner response;S4.8 已把這件事接到既有 approval queue / gate / review packet / follow-up runtime gate。之後再依 S4.5 `GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` 取得 Gitea 認證清冊;收到 payload 後依 S4.6 `GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` 驗收 / 拒收 / 隔離。目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆;只能用只讀 token API 或已脫敏管理匯出補私有 / 內部 server-side 全量 repo list,不保存 token value。 -2. 依 S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` request packet / template status ledger / audit event templates、redaction examples 與 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical response;目前 response 0 筆、accepted 0 筆,通過後也只更新 read-only decision table / approval package / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval。 +2. 依 S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` request packet / template status ledger / audit event templates / redaction examples / collection checks 與 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical response;目前 response 0 筆、accepted 0 筆,通過後也只更新 read-only decision table / approval package / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval。 3. 依 S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` 與 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner response 驗收;response 通過也只更新 read-only classification / reconcile / readiness wording,仍不得 push/delete refs 或 force push。 4. 依 S4.12 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` 與 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` 對 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 做 owner response 驗收;response 通過也只更新 read-only inventory / export request / readiness wording,仍不得收 secret value、改 workflow 或啟用 runner。 5. 依 S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md` 集中檢查 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets;rollup 通過也只更新 read-only wording,不代表 approval 或 execution authorization。 6. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。 7. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。 -8. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、S4.13 `source_control_owner_response_validation_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / 收件包,GitHub target 決策需同時顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples 與 owner decision response templates,refs truth 需同時顯示 S4.11 owner response templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request 與 S4.12 owner response templates,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 +8. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、S4.13 `source_control_owner_response_validation_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / 收件包,GitHub target 決策需同時顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與 owner decision response templates,refs truth 需同時顯示 S4.11 owner response templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request 與 S4.12 owner response templates,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 9. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 -10. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response request packet、S4.9 owner response template status ledger、S4.9 owner response audit event templates、S4.9 owner response redaction examples、S4.9 owner response display sections、S4.9 owner response collection checks、S4.9 owner response templates、S4.10 GitHub target owner response request packet、S4.10 GitHub target owner response template status ledger、S4.10 GitHub target owner response audit event templates、S4.10 GitHub target owner response redaction examples、S4.10 GitHub target owner response templates、S4.11 refs truth owner response templates、S4.12 workflow / secret 名稱 owner response templates、S4.13 owner response validation rollup、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 +10. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response request packet、S4.9 owner response template status ledger、S4.9 owner response audit event templates、S4.9 owner response redaction examples、S4.9 owner response display sections、S4.9 owner response collection checks、S4.9 owner response templates、S4.10 GitHub target owner response request packet、S4.10 GitHub target owner response template status ledger、S4.10 GitHub target owner response audit event templates、S4.10 GitHub target owner response redaction examples、S4.10 GitHub target owner response collection checks、S4.10 GitHub target owner response templates、S4.11 refs truth owner response templates、S4.12 workflow / secret 名稱 owner response templates、S4.13 owner response validation rollup、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 diff --git a/docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md b/docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md index af1af5733..e53c9823a 100644 --- a/docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md +++ b/docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md @@ -15,7 +15,7 @@ 本 board 只整理決策,不授權執行。AwoooP 可以 mirror 成 approval candidate,但不得建立 repo、修改 visibility、同步 refs、切 GitHub primary 或保存 credential value。 -S4.10 已補 1 個 GitHub target owner response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples 與 7 個 owner decision response templates;目前 received / accepted response 皆為 0。response 通過後也只更新本 board、decision table、approval package 與 readiness gate 的 read-only 欄位,不代表 repo creation、visibility change、refs sync 或 primary approval。 +S4.10 已補 1 個 GitHub target owner response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 7 個 owner decision response templates;目前 received / accepted response 皆為 0。response 通過後也只更新本 board、decision table、approval package 與 readiness gate 的 read-only 欄位,不代表 repo creation、visibility change、refs sync 或 primary approval。 ## 1. 逐 repo 決策隊列 diff --git a/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md b/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md index 2d53ec346..a5b249c64 100644 --- a/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md +++ b/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md @@ -65,7 +65,7 @@ S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runt | Lane | 缺口 | 下一步 | 仍禁止 | |------|------|--------|--------| | S4.9 Gitea owner attestation | 5 個 response templates 尚未收到 | Owner 回覆 5 個 Gitea coverage attestation items,只引用脫敏 evidence refs | 不收 token value、不寫 Gitea、不 sync refs、不切 primary | -| S4.10 GitHub target decision | 7 個 response templates 尚未收到 | Owner 依 S4.10 request packet、template status ledger、audit event templates 與 redaction examples 回覆 7 個 GitHub target 的 owner / visibility / canonical disposition | 不建 repo、不改 visibility、不 sync refs、不切 primary | +| S4.10 GitHub target decision | 7 個 response templates 尚未收到 | Owner 依 S4.10 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 回覆 7 個 GitHub target 的 owner / visibility / canonical disposition | 不建 repo、不改 visibility、不 sync refs、不切 primary | | S4.11 refs truth | 5 個 response templates 尚未收到 | Owner 回覆 refs truth、deprecated drift、release tags 與 GitHub-only refs disposition | 不 fetch / push / delete refs、不 force push、不切 primary | | S4.12 workflow / secret name | 5 個 response templates 尚未收到 | Owner 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、secret name parity 的脫敏狀態 | 不收 secret value、不改 workflow、不啟用 runner、不切 primary | diff --git a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md index 73887e3a9..073d2301b 100644 --- a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md +++ b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md @@ -40,7 +40,7 @@ | Gitea authenticated inventory | blocked | private/internal 全量 repo list 尚未完成;S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections 與 collection checks 已可顯示,但 S4.7 owner coverage attestation response 仍未收到,audit events emitted 仍為 0;S4.13 已集中顯示四包 owner response validation,但 total accepted response 仍為 0 | | refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift;S4.11 已補 refs truth owner response 收件包,received / accepted response 皆為 0 | | workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;S4.12 已補 owner response 收件包,received / accepted response 皆為 0;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot | -| owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples 與收件包,received / accepted response 皆為 0 | +| owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包,received / accepted response 皆為 0 | | rollback ADR | pending review | S4.4 已建立 rollback ADR 草案;7 個 in-scope repos 仍需 owner approval、dry-run 與 validation window | ## 3. AwoooP 可做 @@ -48,8 +48,8 @@ 1. 顯示每個 repo 的 readiness state、blockers 與 evidence refs。 2. 顯示 `primary_ready_count=0`。 3. 將 7 個 in-scope repos 維持在 approval / review lane。 -4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / owner response、S4.10 GitHub target owner response request packet / template status ledger / audit event templates / redaction examples / owner response、S4.11 refs truth owner response、S4.12 workflow / secret name owner response、S4.13 validation rollup、workflow/runner/secret name inventory、rollback ADR。 -5. 連到 S4.10 `github_target_owner_decision_response_v1` 顯示 1 個 owner response request packet、7 個 owner response template statuses、3 個 owner response audit event templates、5 個 owner response redaction examples、7 個 owner decision response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。 +4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / owner response、S4.10 GitHub target owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / owner response、S4.11 refs truth owner response、S4.12 workflow / secret name owner response、S4.13 validation rollup、workflow/runner/secret name inventory、rollback ADR。 +5. 連到 S4.10 `github_target_owner_decision_response_v1` 顯示 1 個 owner response request packet、7 個 owner response template statuses、3 個 owner response audit event templates、5 個 owner response redaction examples、6 個 owner response collection checks、7 個 owner decision response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。 6. 連到 S4.11 `source_control_ref_truth_owner_response_v1` 顯示 5 個 refs owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。 7. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。 8. 連到 S4.12 `source_control_workflow_secret_name_owner_response_v1` 顯示 5 個 owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。 @@ -71,6 +71,6 @@ S4.0 只是把「切換前一定要看見什麼」先定義清楚。 -S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、收件包、preflight 與 outcome lanes,S4.10 已補上 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples 與收件包,S4.11 已補上 refs truth owner response 收件包,S4.12 已補上 workflow / secret 名稱 owner response 收件包,S4.13 已補上四包 owner response validation rollup;它們只是 scope decision、response 收件提示、metadata audit template、脫敏範例、只讀顯示順序與驗收框架,不是 audit production ingestion、migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval、secret value collection approval、workflow modification approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 +S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、收件包、preflight 與 outcome lanes,S4.10 已補上 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包,S4.11 已補上 refs truth owner response 收件包,S4.12 已補上 workflow / secret 名稱 owner response 收件包,S4.13 已補上四包 owner response validation rollup;它們只是 scope decision、response 收件提示、metadata audit template、脫敏範例、只讀顯示順序與驗收框架,不是 audit production ingestion、migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval、secret value collection approval、workflow modification approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 這讓長期回到 GitHub 的方向可以繼續往前,但仍維持低摩擦:目前只 mirror、只顯示、只留痕,不執行。 diff --git a/docs/security/github-target-owner-decision-response.snapshot.json b/docs/security/github-target-owner-decision-response.snapshot.json index 041f22890..ac3a30103 100644 --- a/docs/security/github-target-owner-decision-response.snapshot.json +++ b/docs/security/github-target-owner-decision-response.snapshot.json @@ -24,6 +24,7 @@ "owner_response_template_status_count": 7, "owner_response_audit_event_template_count": 3, "owner_response_redaction_example_count": 5, + "owner_response_collection_check_count": 6, "response_template_count": 7, "received_response_count": 0, "accepted_response_count": 0, @@ -569,6 +570,74 @@ "not_approval": true } ], + "owner_response_collection_checks": [ + { + "check_id": "collection-github-target-request-packet-displayed", + "display_order": 1, + "title": "已顯示 GitHub target owner response request packet", + "required": true, + "pass_condition": "AwoooP 必須只顯示 `owner_response_request_packet` 的 7 個 target templates、允許欄位、脫敏 evidence 規則與禁止 payload,不得附加 repo creation、visibility change、refs sync 或 primary switch 要求。", + "failure_lane": "keep_waiting_owner_response", + "awooop_display": "display_request_packet_only", + "execution_authorized": false, + "not_approval": true + }, + { + "check_id": "collection-github-target-read-only-submission-mode", + "display_order": 2, + "title": "GitHub target 收件模式維持 read-only", + "required": true, + "pass_condition": "owner 只能用 read-only markdown response、redacted metadata pointer、request_more_evidence 或 out_of_scope_disposition;不得提交 token、repo archive、git object pack、API write request 或 execution request。", + "failure_lane": "quarantine_sensitive_payload", + "awooop_display": "display_read_only_submission_only", + "execution_authorized": false, + "not_approval": true + }, + { + "check_id": "collection-seven-target-template-tracking", + "display_order": 3, + "title": "七個 GitHub targets 分開追蹤", + "required": true, + "pass_condition": "S4.10 七個 requested_template_ids 必須逐 target 追蹤 received / accepted / rejected 狀態;不可用單一整體同意取代逐 repo owner / visibility / canonical response。", + "failure_lane": "request_more_evidence", + "awooop_display": "display_per_target_tracking", + "execution_authorized": false, + "not_approval": true + }, + { + "check_id": "collection-github-target-redacted-evidence-only", + "display_order": 4, + "title": "只收 GitHub target 脫敏 evidence refs", + "required": true, + "pass_condition": "收件內容只能包含 repo 內路徑、snapshot path 或已脫敏 metadata pointer;任何不確定是否含 token、private URL credential、secret、repo archive 或 git object 的資料都先進 quarantine。", + "failure_lane": "quarantine_sensitive_payload", + "awooop_display": "display_redacted_evidence_only", + "execution_authorized": false, + "not_approval": true + }, + { + "check_id": "collection-github-target-no-approval-language", + "display_order": 5, + "title": "不得把 GitHub target 回覆語意升級成批准", + "required": true, + "pass_condition": "即使 owner response 文字包含同意、OK、可進行或批准,也只能視為 owner / visibility / canonical disposition response;不得視為 repo creation、visibility change、refs sync、delete refs、force push 或 GitHub primary approval。", + "failure_lane": "reject_execution_request", + "awooop_display": "display_scope_response_only", + "execution_authorized": false, + "not_approval": true + }, + { + "check_id": "collection-github-target-audit-metadata-only", + "display_order": 6, + "title": "只記錄 GitHub target audit metadata", + "required": true, + "pass_condition": "AwoooP 只能記錄 request shown、response received metadata、template id、github repo、owner role/team、redacted evidence refs 與 outcome lane;不得保存 token value、secret value、private clone URL credential、repo archive、git object pack 或可執行 payload。", + "failure_lane": "quarantine_sensitive_payload", + "awooop_display": "display_audit_metadata_only", + "execution_authorized": false, + "not_approval": true + } + ], "response_templates": [ { "template_id": "target-awoooi-refs-blocked", diff --git a/docs/security/security-approval-gate.snapshot.json b/docs/security/security-approval-gate.snapshot.json index 2961f1c5d..9c50104b4 100644 --- a/docs/security/security-approval-gate.snapshot.json +++ b/docs/security/security-approval-gate.snapshot.json @@ -139,7 +139,7 @@ ], "decision_options": ["approve_scope", "reject", "defer", "request_more_evidence"], "allowed_after_approval": [ - "依 S4.10 request packet / template status ledger / audit event templates / redaction examples 驗收 owner decision response", + "依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks 驗收 owner decision response", "依 S4.12 驗收 workflow / secret 名稱 owner response", "逐 repo 更新 owner/visibility/canonical decision", "更新 workflow / secret name parity read-only wording", @@ -149,7 +149,7 @@ "still_forbidden": [ "建立 repo", "修改 visibility", - "把 S4.10 request packet、template status ledger、audit event templates、redaction examples 或 response packet 當成 repo creation 或 visibility approval", + "把 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 repo creation 或 visibility approval", "把 S4.12 response packet 當成 secret value collection、workflow modification 或 runner enablement approval", "push refs", "delete refs", diff --git a/docs/security/security-approval-queue.snapshot.json b/docs/security/security-approval-queue.snapshot.json index 4e91119a5..6c9e4d740 100644 --- a/docs/security/security-approval-queue.snapshot.json +++ b/docs/security/security-approval-queue.snapshot.json @@ -126,7 +126,7 @@ "risk": "HIGH", "state": "pending_approval", "recommended_awooop_mode": "approve_required", - "requested_decision": "是否依 S4.10 request packet / template status ledger / audit event templates / redaction examples 逐 repo 收到並驗收 GitHub target、owner、visibility、canonical response,並依 S4.12 驗收 workflow / secret 名稱 owner response;此 bundle 不授權執行。", + "requested_decision": "是否依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks 逐 repo 收到並驗收 GitHub target、owner、visibility、canonical response,並依 S4.12 驗收 workflow / secret 名稱 owner response;此 bundle 不授權執行。", "blocked_until_approved": true, "required_reviewers": [ "migration-engineer", @@ -143,7 +143,7 @@ "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json" ], "allowed_after_approval": [ - "依 S4.10 request packet / template status ledger / audit event templates / redaction examples 驗收 owner decision response", + "依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks 驗收 owner decision response", "依 S4.12 驗收 workflow / secret 名稱 owner response", "逐 repo 更新 owner/visibility/canonical decision", "更新 workflow / secret name parity read-only wording", @@ -153,7 +153,7 @@ "still_forbidden": [ "建立 repo", "修改 visibility", - "把 S4.10 request packet、template status ledger、audit event templates、redaction examples 或 response packet 當成 repo creation 或 visibility approval", + "把 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 repo creation 或 visibility approval", "把 S4.12 response packet 當成 secret value collection、workflow modification 或 runner enablement approval", "push refs", "delete refs", diff --git a/docs/security/security-approval-review-packet.snapshot.json b/docs/security/security-approval-review-packet.snapshot.json index ed1749082..01c99cb6c 100644 --- a/docs/security/security-approval-review-packet.snapshot.json +++ b/docs/security/security-approval-review-packet.snapshot.json @@ -175,7 +175,7 @@ ], "allowed_pre_decision_actions": [ "顯示 7 個 approval-required target", - "顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、owner response templates、received_response_count=0 與 rejection rules", + "顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、owner response templates、received_response_count=0 與 rejection rules", "顯示 S4.12 workflow / secret 名稱 owner response templates、received_response_count=0 與 rejection rules", "要求 repo owner 補 owner/visibility/canonical 判定", "維持 refs action disabled" @@ -187,7 +187,7 @@ "still_forbidden": [ "建立 repo", "修改 visibility", - "把 S4.10 request packet、template status ledger、audit event templates、redaction examples 或 response packet 當成 repo creation 或 visibility approval", + "把 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 repo creation 或 visibility approval", "把 S4.12 response packet 當成 secret value collection、workflow modification 或 runner enablement approval", "push refs", "delete refs", diff --git a/docs/security/security-followup-runtime-gate.snapshot.json b/docs/security/security-followup-runtime-gate.snapshot.json index 9d263edf8..443ce7d51 100644 --- a/docs/security/security-followup-runtime-gate.snapshot.json +++ b/docs/security/security-followup-runtime-gate.snapshot.json @@ -157,7 +157,7 @@ "gate_state": "waiting_approved_scope", "applies_after_decision": "approve_scope", "minimum_required_evidence": [ - "S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / decision response 驗收結果:docs/security/github-target-owner-decision-response.snapshot.json", + "S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / decision response 驗收結果:docs/security/github-target-owner-decision-response.snapshot.json", "S4.12 workflow / secret 名稱 owner response 驗收結果:docs/security/source-control-workflow-secret-name-owner-response.snapshot.json", "repo owner / visibility / canonical decision", "GitHub target 是否已存在的最新 probe", @@ -170,7 +170,7 @@ "human-owner" ], "preflight_checks": [ - "確認 S4.10 request packet、template status ledger、audit event templates、redaction examples 或 response packet 未被當成 repo creation、visibility change、refs sync 或 primary approval", + "確認 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 未被當成 repo creation、visibility change、refs sync 或 primary approval", "確認 S4.12 response packet 未被當成 secret value collection、workflow modification、runner enablement 或 primary approval", "確認 not_found_or_private 不被當成可自動建立 repo", "確認 visibility change 仍未授權", diff --git a/docs/security/security-mirror-dry-run.snapshot.json b/docs/security/security-mirror-dry-run.snapshot.json index 8430ae157..b21e012ed 100644 --- a/docs/security/security-mirror-dry-run.snapshot.json +++ b/docs/security/security-mirror-dry-run.snapshot.json @@ -107,7 +107,7 @@ }, { "step_id": "CHECK_OWNER_RESPONSE_GUARD", - "expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_response,received / accepted 皆為 0,且 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / intake preflight / outcome lanes 只提示 owner,S4.10 owner response request packet 只提示 7 個 GitHub target 要回覆的 owner / visibility / canonical 欄位,S4.10 template status ledger 逐項顯示 waiting / request ready,S4.10 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.10 redaction examples 只顯示可接受的脫敏 metadata shape,並維持 request / received / accepted 分離;不能把 request shown、response received metadata 或 outcome classified 當成 approval,不能解鎖 repo、refs、workflow、secret、runner、GitHub primary、audit production ingestion 或 runtime action。", + "expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_response,received / accepted 皆為 0,且 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / intake preflight / outcome lanes 只提示 owner,S4.10 owner response request packet 只提示 7 個 GitHub target 要回覆的 owner / visibility / canonical 欄位,S4.10 template status ledger 逐項顯示 waiting / request ready,S4.10 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.10 redaction examples 只顯示可接受的脫敏 metadata shape,S4.10 collection checks 只維持 request / received / accepted 分離;不能把 request shown、response received metadata 或 outcome classified 當成 approval,不能解鎖 repo、refs、workflow、secret、runner、GitHub primary、audit production ingestion 或 runtime action。", "evidence_refs": [ "docs/security/source-control-owner-response-validation-rollup.snapshot.json", "docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md", diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json index 9ed0cbf23..bf2a2b8b0 100644 --- a/docs/security/security-mirror-readiness.snapshot.json +++ b/docs/security/security-mirror-readiness.snapshot.json @@ -287,7 +287,7 @@ "docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md", "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md" ], - "notes": "可 mirror target decision、S4.10 owner response request packet、template status ledger、audit event templates、redaction examples 與 owner response templates;repo 建立、visibility 修改、refs sync 與 primary switch 仍需後續人工批准與 runtime gate。" + "notes": "可 mirror target decision、S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與 owner response templates;repo 建立、visibility 修改、refs sync 與 primary switch 仍需後續人工批准與 runtime gate。" }, { "contract": "github_target_repo_approval_package_v1", @@ -303,7 +303,7 @@ "docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md", "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md" ], - "notes": "可 mirror 逐 repo approval package、S4.10 owner response request packet、template status ledger、audit event templates、redaction examples 與 owner decision response 收件包;不得執行 item。" + "notes": "可 mirror 逐 repo approval package、S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與 owner decision response 收件包;不得執行 item。" }, { "contract": "source_control_approval_board_v1", diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index 93c132aa1..244eebe93 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -143,15 +143,15 @@ { "phase_id": "S4_migration_execution", "state": "not_started", - "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples 與 intake packet;S4.11 已補 refs truth owner response intake packet;S4.12 已補 workflow / secret 名稱 owner response intake packet;S4.13 已補四包 owner response validation rollup,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,S4.9 audit events emitted 仍 0 筆,GitHub target / refs truth / workflow-secret response 仍 0 筆。", - "next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 request packet、template status ledger、audit event templates 與 redaction examples 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 收到並驗收 5 個 refs truth owner response templates、依 S4.12 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。" + "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 intake packet;S4.11 已補 refs truth owner response intake packet;S4.12 已補 workflow / secret 名稱 owner response intake packet;S4.13 已補四包 owner response validation rollup,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,S4.9 audit events emitted 仍 0 筆,GitHub target / refs truth / workflow-secret response 仍 0 筆。", + "next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 收到並驗收 5 個 refs truth owner response templates、依 S4.12 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。" } ], "progress_display_policy": { "headline_percent": 58, "headline_status": "holding_until_owner_response_or_runtime_gate", "why_headline_is_holding": [ - "最近完成的是 S4.10 owner response request / status / audit / redaction 的框架細節,改善可見性與收件安全,但 owner response received / accepted 仍為 0。", + "最近完成的是 S4.10 owner response request / status / audit / redaction / collection checks 的框架細節,改善可見性與收件安全,但 owner response received / accepted 仍為 0。", "overall_percent 只在 owner response、redacted payload ingestion、active runtime gate、GitHub primary readiness 或 AwoooP production ingestion 這些高層 gate 有實質變化時調整。", "維持 58% 是為了避免把 read-only scaffold 誤算成 runtime enforcement、Kali scan、repo migration 或 GitHub primary cutover。" ], @@ -215,6 +215,18 @@ "runtime_delta": false, "execution_authorized": false, "not_authorization": true + }, + { + "delta_id": "s4_10_owner_response_collection_checks", + "display_order": 5, + "completed_stage": "S4.10 GitHub target owner response collection checks", + "progress_axis": "framework_detail", + "headline_percent_delta": 0, + "framework_delta_visible": true, + "why_headline_unchanged": "collection checks 只維持 request / received / accepted 狀態分離,不代表 owner response 已收到、已接受或授權 repo / refs / primary 操作。", + "runtime_delta": false, + "execution_authorized": false, + "not_authorization": true } ], "next_safe_actions": [ @@ -347,13 +359,13 @@ "mode": "approval_required", "source_contract": "source_control_approval_board_v1", "allowed_processing": [ - "顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、owner decision response templates、received_response_count=0 與 rejection rules", + "顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、owner decision response templates、received_response_count=0 與 rejection rules", "逐 repo 更新 owner / visibility / canonical decision", "產生 draft reconcile plan 或 ADR", "維持 refs action disabled" ], "blocked_processing": [ - "把 S4.10 request packet、template status ledger、audit event templates、redaction examples 或 response packet 當成 repo creation、visibility change、refs sync 或 primary approval", + "把 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 repo creation、visibility change、refs sync 或 primary approval", "建立 repo", "修改 visibility", "push / delete refs", @@ -468,7 +480,7 @@ "S4.7 只新增 Gitea owner coverage attestation request;required_attestation_item_count=5、received_attestation_count=0,不把 attestation 當 migration approval。", "S4.8 只把既有 Gitea approval queue/gate/review packet/follow-up gate 對齊 S4.7 先行條件;approval_queue_total 仍為 8、active_runtime_gates 仍為 0,不新增執行入口。", "S4.9 只新增 Gitea owner attestation response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks 與 response 收件包;owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_display_section_count=8、owner_response_collection_check_count=6、required_response_item_count=5、received_response_count=0、accepted_response_count=0、audit_events_emitted=0,不把 request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks 或 response packet 當 inventory 執行、audit production ingestion 或 primary approval。", - "S4.10 新增 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples 與收件包;owner_response_request_packet_count=1、owner_response_template_status_count=7、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、response_template_count=7、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、audit event templates、redaction examples 或 response packet 當 repo creation、visibility change、refs sync 或 GitHub primary approval。", + "S4.10 新增 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包;owner_response_request_packet_count=1、owner_response_template_status_count=7、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、response_template_count=7、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當 repo creation、visibility change、refs sync 或 GitHub primary approval。", "S4.11 只新增 refs truth owner response 收件包;response_template_count=5、received_response_count=0、accepted_response_count=0,不把 response packet 當 refs sync、delete、force push 或 GitHub primary approval。", "S4.12 只新增 workflow / secret 名稱 owner response 收件包;response_template_count=5、received_response_count=0、accepted_response_count=0,不把 response packet 當 secret value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。", "S4.13 只新增 owner response validation rollup;response_packet_count=4、template_count=22、received_response_count=0、accepted_response_count=0、cross_packet_check_count=10、next_collection_candidate=S4.9,不把 rollup 當 approval、runtime gate 或 execution authorization。" diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json index 484b85fb0..75dbf165d 100644 --- a/docs/security/security-supply-chain-contract-manifest.snapshot.json +++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json @@ -450,7 +450,7 @@ "consumption_mode": "mirror_only", "allowed_actions": ["mirror_target_decision", "create_approval_candidate"], "forbidden_actions": ["change_visibility", "create_repo", "sync_refs"], - "notes": "8 個 targets 中 7 個需要人工批准;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples 與 owner decision response 收件包,owner_response_request_packet_count=1、owner_response_template_status_count=7、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、received_response_count=0,不授權 repo / visibility / refs / primary 動作。" + "notes": "8 個 targets 中 7 個需要人工批准;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與 owner decision response 收件包,owner_response_request_packet_count=1、owner_response_template_status_count=7、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、received_response_count=0,不授權 repo / visibility / refs / primary 動作。" }, { "contract": "github_target_repo_approval_package_v1", @@ -467,7 +467,7 @@ "consumption_mode": "approval_only", "allowed_actions": ["display_repo_approval_queue", "request_owner_decision"], "forbidden_actions": ["execute_approval_item", "push_refs", "change_visibility"], - "notes": "7 個 pending packages,逐 repo 低摩擦批准;S4.10 只定義 owner response request packet、template status ledger、audit event templates、redaction examples 與驗收 / 拒收格式,不代表任何執行批准。" + "notes": "7 個 pending packages,逐 repo 低摩擦批准;S4.10 只定義 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與驗收 / 拒收格式,不代表任何執行批准。" }, { "contract": "source_control_approval_board_v1", diff --git a/docs/security/source-control-approval-board.snapshot.json b/docs/security/source-control-approval-board.snapshot.json index 78c3cbfc5..526b3d55d 100644 --- a/docs/security/source-control-approval-board.snapshot.json +++ b/docs/security/source-control-approval-board.snapshot.json @@ -9,7 +9,7 @@ "allowed_next_step": [ "提供 read-only token 後重跑 gitea-repo-inventory", "或提供 redacted admin export JSON", - "依 S4.10 request packet / template status ledger / audit event templates / redaction examples 收到 GitHub target owner / visibility / canonical response 後更新 read-only board 欄位", + "依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks 收到 GitHub target owner / visibility / canonical response 後更新 read-only board 欄位", "在 gate 前仍可維護 approval board 與 decision table" ], "still_forbidden": [ diff --git a/docs/security/source-control-owner-response-validation-rollup.snapshot.json b/docs/security/source-control-owner-response-validation-rollup.snapshot.json index 9b048dc2f..053e344a7 100644 --- a/docs/security/source-control-owner-response-validation-rollup.snapshot.json +++ b/docs/security/source-control-owner-response-validation-rollup.snapshot.json @@ -333,7 +333,7 @@ "received_response_count": 0, "accepted_response_count": 0, "current_status": "waiting_owner_response", - "next_owner_action": "Owner 需依 S4.10 request packet、template status ledger、audit event templates 與 redaction examples 回覆 7 個 GitHub target 的 owner / visibility / canonical disposition。", + "next_owner_action": "Owner 需依 S4.10 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 回覆 7 個 GitHub target 的 owner / visibility / canonical disposition。", "awooop_display_mode": "observe_missing_response", "still_forbidden": [ "create_github_repo", diff --git a/docs/security/source-control-primary-readiness-gate.snapshot.json b/docs/security/source-control-primary-readiness-gate.snapshot.json index 87d863d9a..29e228417 100644 --- a/docs/security/source-control-primary-readiness-gate.snapshot.json +++ b/docs/security/source-control-primary-readiness-gate.snapshot.json @@ -126,13 +126,13 @@ ], "current_gap": [ "7 個 targets 仍需人工批准", - "S4.10 已建立 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples 與收件包,但目前 received_response_count=0、accepted_response_count=0", + "S4.10 已建立 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包,但目前 received_response_count=0、accepted_response_count=0", "ewoooc / momo-pro-system canonical 關係尚未確認", "bitan-pharmacy 與 tsenyang-website GitHub target 未確認" ], "allowed_now": [ "顯示 approval board", - "mirror S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、owner decision response templates、acceptance checks 與 rejection rules", + "mirror S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、owner decision response templates、acceptance checks 與 rejection rules", "要求 repo owner 補決策", "更新 visibility decision table" ], diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 8085ee5db..877ba0ee0 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -86,6 +86,7 @@ def validate(root: Path) -> None: "s4_10_owner_response_template_status_ledger", "s4_10_owner_response_audit_event_templates", "s4_10_owner_response_redaction_examples", + "s4_10_owner_response_collection_checks", ] assert_equal( "progress_delta_ledger.delta_ids", diff --git a/scripts/security/source-control-owner-response-guard.py b/scripts/security/source-control-owner-response-guard.py index aa5c92ec2..519c58e89 100755 --- a/scripts/security/source-control-owner-response-guard.py +++ b/scripts/security/source-control-owner-response-guard.py @@ -130,6 +130,14 @@ LANES = [ "redaction-refs-truth-dependency-summary", "redaction-github-target-quarantine-pointer", ], + "expected_collection_checks": [ + "collection-github-target-request-packet-displayed", + "collection-github-target-read-only-submission-mode", + "collection-seven-target-template-tracking", + "collection-github-target-redacted-evidence-only", + "collection-github-target-no-approval-language", + "collection-github-target-audit-metadata-only", + ], }, { "lane_id": "s4_11_ref_truth_owner_response",