docs(security): 補 S4.9 canonical owner response envelope [skip ci]
This commit is contained in:
126
docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md
Normal file
126
docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md
Normal file
@@ -0,0 +1,126 @@
|
||||
# S4.9 Canonical Owner Response Envelope 規範
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-05 |
|
||||
| 基準 | `gitea/main=b615bde5 docs(security): 補 S4.9 owner response 缺口稽核 [skip ci]` |
|
||||
| 範圍 | S4.9 owner response 收件信封、欄位別名、隔離規則與驗收前狀態邊界 |
|
||||
| 模式 | 只讀文件規範,不送 request、不收 owner response、不改 API、不改 UI、不改 runtime |
|
||||
| 不可誤讀 | 本文件不是 request sent、不是 owner response received、不是 accepted、不是 Gitea / GitHub / refs / workflow / secret / runner / runtime 授權 |
|
||||
|
||||
## 1. 核心結論
|
||||
|
||||
S4.9 收件流程對外只接受一個 canonical owner response envelope。任何 source template、AwoooP handoff、reviewer note 或文件摘要,都可以保留細分欄位,但進入 S4.9 驗收前必須映射回六欄:
|
||||
|
||||
1. `owner_role_or_team`
|
||||
2. `decision`
|
||||
3. `decision_reason`
|
||||
4. `affected_scope`
|
||||
5. `redacted_evidence_refs`
|
||||
6. `followup_owner`
|
||||
|
||||
沒有完成六欄映射前,不得把候選回覆視為 received;沒有完成預檢、隔離檢查、跨包一致性與 reviewer checklist 前,不得視為 accepted。
|
||||
|
||||
## 2. Canonical Envelope
|
||||
|
||||
| 欄位 | 必填 | 允許格式 | 缺漏處理 | 安全邊界 |
|
||||
|------|------|----------|----------|----------|
|
||||
| `owner_role_or_team` | 是 | 角色、團隊、責任單位;不需要個人敏感資料 | `request_more_evidence`,不增加 received | 不收個人帳號密碼、token、session、private email |
|
||||
| `decision` | 是 | `confirm`、`defer`、`reject`、`request_more_evidence` | 非允許值 `hard_reject` | 不得包含執行命令或批准 runtime action |
|
||||
| `decision_reason` | 是 | 一段脫敏摘要;可含 ticket id、文件路徑、hash、短原因 | 缺漏補件;疑似敏感 payload 先隔離 | 不渲染 raw secret、token、cookie、authorization header、未脫敏截圖 |
|
||||
| `affected_scope` | 是 | repo 群、endpoint、namespace、host scope、legacy disposition、canonical owner 範圍 | 缺漏補件 | 不得把 scope 回覆解讀成 repo 建立、refs sync 或 primary 切換 |
|
||||
| `redacted_evidence_refs` | 是 | 文件路徑、snapshot id、ticket id、hash、脫敏 metadata pointer | 缺漏補件;疑似 payload 隔離 | 不收 secret value、masked token、partial token、private key、session value |
|
||||
| `followup_owner` | 是 | 後續補證、審查或決策負責角色 / 團隊 | 缺漏補件 | 不等於執行批准人;不等於 runtime operator |
|
||||
|
||||
## 3. Source Template Alias 映射
|
||||
|
||||
Source template 可以保留 domain-specific 欄位,方便 owner 回覆,但 S4.9 validator、AwoooP 顯示與 LOGBOOK 摘要必須使用 canonical 欄位。
|
||||
|
||||
| Canonical 欄位 | 可接受 alias | 映射規則 | 不可誤讀 |
|
||||
|----------------|--------------|----------|----------|
|
||||
| `owner_role_or_team` | `owner_role`、`owner_team`、`review_owner`、`responsible_team`、`rollback_owner` | 合併為負責角色 / 團隊;個人資訊只保留必要角色稱謂 | 不代表該 owner 已批准切 primary 或執行 rollback |
|
||||
| `decision` | `owner_decision`、`scope_decision`、`visibility_decision`、`canonical_decision`、`disposition` | 只能轉成四個允許值;其他值需補件或拒收 | `confirm` 只代表該題判定,不代表全包 accepted |
|
||||
| `decision_reason` | `reason`、`decision_summary`、`owner_note`、`review_note`、`rationale` | 只保留脫敏摘要;含 payload 的段落移入 quarantine metadata,不回寫 raw text | 不得把長原文、聊天內容或抱怨放進產品文案 |
|
||||
| `affected_scope` | `affected_repos`、`affected_sources`、`affected_repos_or_sources_or_namespace`、`canonical_namespace`、`target_repos`、`host_scope`、`legacy_scope` | 以人類可讀 scope 摘要呈現;必要時列出 repo / source ids,但不觸發任何 git action | 不代表可建立 repo、同步 refs、改 visibility、改 workflow |
|
||||
| `redacted_evidence_refs` | `evidence_refs`、`redacted_refs`、`source_refs`、`snapshot_refs`、`ticket_refs`、`metadata_refs` | 只接受指標與脫敏 metadata;任何 raw payload 先隔離 | 不收 token value、secret value、hash fragment、authorization header、runner token |
|
||||
| `followup_owner` | `next_owner`、`followup_team`、`reviewer_owner`、`fallback_owner`、`resolution_owner` | 映射為後續處理負責角色 / 團隊 | 不代表 AwoooP approval 或 security approval 已完成 |
|
||||
|
||||
## 4. 五題 Template 的 Canonical 投影
|
||||
|
||||
| 順序 | Template | `affected_scope` 投影 | `decision` 判讀 | `redacted_evidence_refs` 最低要求 |
|
||||
|------|----------|------------------------|-----------------|-----------------------------------|
|
||||
| 1 | `response-public-only-vs-local-gitea-gap` | public-only / local Gitea scope、候選 repo、是否納入 inventory | `confirm`、`defer`、`reject`、`request_more_evidence` | public probe snapshot、local inventory ref、owner note id |
|
||||
| 2 | `response-org-user-endpoint-identity` | `wooo` user / org endpoint、canonical endpoint、blocked endpoint 判讀 | 同上 | endpoint probe summary、HTTP status metadata、owner note id |
|
||||
| 3 | `response-internal-110-adjacent-scope` | 110 adjacent repo / host / namespace 是否 in scope | 同上 | local repo / host scope snapshot、redacted owner note |
|
||||
| 4 | `response-repo-owner-canonical-scope` | repo owner、canonical source、GitHub target candidate、visibility review owner | 同上 | refs truth summary、target probe summary、owner note id |
|
||||
| 5 | `response-legacy-or-inaccessible-disposition` | legacy / inaccessible / external repo disposition 與後續 owner | 同上 | disposition note、archive candidate summary、ticket id |
|
||||
|
||||
## 5. 收件狀態分離
|
||||
|
||||
S4.9 必須把以下狀態分開,不得連動調高:
|
||||
|
||||
| 狀態 | 可為 true / 大於 0 的前提 | 不得連動 |
|
||||
|------|---------------------------|----------|
|
||||
| `request_sent` / `request_sent_count` | 有人工送件 audit metadata,且送件內容未夾帶執行要求 | 不得同步調高 received / accepted |
|
||||
| `received_response_count` | 收到完整六欄 canonical envelope,且敏感 payload 已先隔離 | 不得同步視為 accepted |
|
||||
| `accepted_response_count` | 五題都通過 preflight、quarantine check、cross-packet consistency、reviewer checklist | 不得開 runtime gate |
|
||||
| `rejected_response_count` | 實際回覆被 hard reject,且 rejection reason 已記錄 | 不得自動要求 repo / host / runtime action |
|
||||
| `quarantine_response_count` | 疑似包含敏感 payload、執行要求或未脫敏 evidence | 不得渲染 raw payload,不得複製到 LOGBOOK |
|
||||
|
||||
## 6. Quarantine-first 規則
|
||||
|
||||
以下內容一律先隔離,不得進入一般文件、LOGBOOK、前端文案或 API response:
|
||||
|
||||
| 類別 | 範例 | 處理 |
|
||||
|------|------|------|
|
||||
| Secret / credential | token、secret、private key、cookie、session、authorization header、runner token、webhook secret、database URL | 隔離並記錄類型與長度,不記值 |
|
||||
| 未脫敏 evidence | 未遮蔽截圖、raw API response、含 private URL credential 的 log | 隔離,只保留 redacted evidence ref |
|
||||
| 執行要求 | 建 repo、改 visibility、sync refs、delete refs、force push、改 workflow、啟 runner、Kali scan、`/execute`、host update | `hard_reject` 或切出獨立人工批准流程 |
|
||||
| 產品文案污染 | 內部對話、抱怨、Session 指令、聊天式同意 | 不進產品文案;只保留治理摘要 |
|
||||
|
||||
## 7. Reviewer Checklist
|
||||
|
||||
收件 reviewer 在標記 accepted 前必須逐項確認:
|
||||
|
||||
| 檢查 | 必須結果 |
|
||||
|------|----------|
|
||||
| 六欄 canonical envelope | 全部存在且可讀 |
|
||||
| 五題 response templates | 全部有對應回覆或明確補件狀態 |
|
||||
| Alias mapping | 所有 source 欄位已映射回 canonical 欄位 |
|
||||
| Sensitive payload check | raw payload 已隔離,LOGBOOK / UI 只保留 redacted refs |
|
||||
| Execution request check | 沒有 repo / refs / workflow / secret / runner / scan / host / runtime 執行要求 |
|
||||
| Cross-packet consistency | S4.9 / S4.10 / S4.11 / S4.12 口徑一致,沒有互相矛盾的 owner / scope / disposition |
|
||||
| Count transition | request sent、received、accepted、rejected 只依實際 audit metadata 分段更新 |
|
||||
| Gate boundary | active runtime gate、GitHub primary、Kali / host maintenance、Code Review candidate automation 仍需獨立人工批准 |
|
||||
|
||||
## 8. 驗收前仍必須維持
|
||||
|
||||
```text
|
||||
request_sent=false
|
||||
request_sent_count=0
|
||||
received_response_count=0
|
||||
accepted_response_count=0
|
||||
rejected_response_count=0
|
||||
owner_response_received_count=0
|
||||
owner_response_accepted_count=0
|
||||
redacted_payload_ingested=false
|
||||
active_runtime_gate_count=0
|
||||
runtime_execution_authorized=false
|
||||
action_buttons_allowed=false
|
||||
repo_creation_authorized=false
|
||||
refs_sync_authorized=false
|
||||
workflow_modification_authorized=false
|
||||
github_primary_switch_authorized=false
|
||||
host_update_authorized=false
|
||||
active_scan_authorized=false
|
||||
secret_value_collection_authorized=false
|
||||
```
|
||||
|
||||
## 9. 本輪完成度
|
||||
|
||||
| 工作 | 完成度 | 說明 |
|
||||
|------|--------|------|
|
||||
| Canonical owner response envelope | 100% | 六欄信封、alias 映射、五題投影、quarantine-first、reviewer checklist 已文件化 |
|
||||
| S4.9 owner response gate | 0% | 尚未送 request、尚未收到 owner response、尚未 accepted |
|
||||
| IwoooS 整體 | 維持 64% | 規範完成不代表 runtime readiness 提升 |
|
||||
| active runtime gate | 0 | 不變 |
|
||||
@@ -3,7 +3,7 @@
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-05 |
|
||||
| 基準 | `gitea/main=f1bad81d docs(logbook): 記錄 P1-305 P1-306 正式驗證 [skip ci]` |
|
||||
| 基準 | `gitea/main=b615bde5 docs(security): 補 S4.9 owner response 缺口稽核 [skip ci]` |
|
||||
| 範圍 | S4.9 Gitea owner attestation response gate 與 S4.13 owner response validation rollup |
|
||||
| 模式 | 只讀 committed snapshot / 文件稽核 |
|
||||
| 不可誤讀 | 不是 request sent、不是 owner response received、不是 accepted、不是 repo / refs / workflow / secret / runtime 授權 |
|
||||
@@ -32,7 +32,7 @@ S4.9 的基礎規範已存在,且已能被 `source-control-owner-response-guar
|
||||
|------|------|--------|
|
||||
| P0 主控總帳的同步基線仍停在較舊 commit | 新 Session 可能誤用舊 `gitea/main` 或舊 P1 狀態 | 將總帳更新到 `f1bad81d`,並標註 P1-001 由另一 Session 進行中 |
|
||||
| S4.9 gate 仍只有 request-ready,沒有 owner response | IwoooS 64% 不能因規範存在而往前解鎖 | 維持 `0%`,只準備收件缺口,不調高 progress |
|
||||
| request packet 的欄位名稱存在同義詞 | `affected_repos`、`affected_sources`、`affected_repos_or_sources_or_namespace`、`evidence_refs` 與使用者要求的 `affected_scope`、`redacted_evidence_refs` 容易在 UI / handoff 中混用 | 後續顯示層以六欄 canonical envelope 呈現;source templates 可保留細分欄位 |
|
||||
| request packet 的欄位名稱存在同義詞 | `affected_repos`、`affected_sources`、`affected_repos_or_sources_or_namespace`、`evidence_refs` 與使用者要求的 `affected_scope`、`redacted_evidence_refs` 容易在 UI / handoff 中混用 | 已補 `S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md`,後續顯示層以六欄 canonical envelope 呈現;source templates 可保留細分欄位 |
|
||||
| 沒有實際 dispatch / received audit event | 目前 audit event templates 仍是 template-only,不能證明已送件或已收件 | 等人工送件後才增加 request_sent metadata;未送前所有 count 維持 0 |
|
||||
| 尚未有 owner response reviewer outcome | reviewer checklist 存在,但沒有任何可分類 response | 等脫敏 metadata 進來後,才能進補件、隔離、拒收、只讀更新候選 |
|
||||
| 部分文件仍可能把 P1-305 / P1-306 或 P1-001 當下一步文字混用 | 平行 Session 正在推 P1-001,S4.9 仍是獨立 P0 gate | 後續 LOGBOOK / workplan 每次都標註平行 Session 與最新基線 |
|
||||
@@ -41,8 +41,8 @@ S4.9 的基礎規範已存在,且已能被 `source-control-owner-response-guar
|
||||
|
||||
| 規範 | 內容 | 狀態 |
|
||||
|------|------|------|
|
||||
| Canonical owner response envelope | 對外與 AwoooP 顯示固定六欄:`owner_role_or_team`、`decision`、`decision_reason`、`affected_scope`、`redacted_evidence_refs`、`followup_owner` | 需在下一個 UI / handoff 切片統一 |
|
||||
| Source template alias 規則 | 允許 source template 保留 `affected_repos`、`affected_sources`、`canonical_namespace` 等細分欄位,但必須映射回 `affected_scope` | 需新增顯示層 mapping |
|
||||
| Canonical owner response envelope | 對外與 AwoooP 顯示固定六欄:`owner_role_or_team`、`decision`、`decision_reason`、`affected_scope`、`redacted_evidence_refs`、`followup_owner` | 已補文件規範;後續 UI / handoff 切片需沿用 |
|
||||
| Source template alias 規則 | 允許 source template 保留 `affected_repos`、`affected_sources`、`canonical_namespace` 等細分欄位,但必須映射回 `affected_scope` | 已補文件規範;後續顯示層 mapping 需照表實作 |
|
||||
| Request sent 與 received 分離 | request packet 顯示、人工送件、owner response received、accepted 必須是四個獨立狀態 | 已有規範,需在後續 audit metadata 實作時保持 |
|
||||
| Quarantine-first 收件 | 疑似 token、secret、private key、cookie、session、authorization header、private URL credential、未脫敏截圖先隔離,不渲染 raw payload | 已有規範,需維持 |
|
||||
| 平行 Session 衝突規則 | 任一 Session 推送前必須 fetch / fast-forward 到最新 `gitea/main`,並同步 commit / run / production evidence / gate 0 false | 已執行,需持續 |
|
||||
@@ -85,7 +85,7 @@ S4.9 的基礎規範已存在,且已能被 `source-control-owner-response-guar
|
||||
| 工作 | 完成度 | 說明 |
|
||||
|------|--------|------|
|
||||
| S4.9 現況缺口稽核 | 100% | 已列出已符合、仍不符合、需新增、需調整、五題回覆與 0 / false 邊界 |
|
||||
| S4.9 canonical owner response envelope | 100% | 已補六欄信封、alias 映射、五題投影、quarantine-first 與 reviewer checklist |
|
||||
| S4.9 owner response gate | 0% | 沒有收到 owner response,不得調高 |
|
||||
| IwoooS 整體 | 維持 64% | 只讀稽核不改 runtime readiness |
|
||||
| active runtime gate | 0 | 不變 |
|
||||
|
||||
|
||||
Reference in New Issue
Block a user