docs(security): align gitea attestation approval lane [skip ci]
This commit is contained in:
@@ -1,3 +1,36 @@
|
||||
## 2026-05-17 | 資安供應鏈 S4.8:Gitea Owner Attestation Approval Lane 對齊
|
||||
|
||||
**背景**:S4.7 已把 Gitea coverage gap 的 owner attestation request 建立出來,但 AwoooP 既有 approval queue / gate / review packet / follow-up runtime gate 仍偏向「直接審 read-only token 或 redacted admin export」。為了維持低摩擦且避免流程跳太快,本輪不新增第 9 個 approval item,也不新增 runtime action;只把既有 Gitea 審查項明確改成 S4.7 owner attestation 先行。
|
||||
|
||||
**完成**:
|
||||
- 更新 `docs/security/security-approval-queue.snapshot.json` 與 `docs/security/SECURITY-APPROVAL-QUEUE.md`,讓 Gitea queue item 先要求 S4.7 owner coverage attestation。
|
||||
- 更新 `docs/security/security-approval-gate.snapshot.json` 與 `docs/security/SECURITY-APPROVAL-GATE.md`,把 Gitea gate 的批准範圍調整為 owner attestation + read-only inventory preparation。
|
||||
- 更新 `docs/security/security-approval-review-packet.snapshot.json` 與 `docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md`,讓 AwoooP review packet 顯示 5 個 owner attestation items、`received_attestation_count=0` 與相關 evidence refs。
|
||||
- 更新 `docs/security/security-followup-runtime-gate.snapshot.json` 與 `docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md`,要求任何 read-only inventory runtime gate 前必須先有 S4.7 owner scope decision。
|
||||
- 更新 status rollup、AwoooP checklist、handoff 與 progress,標示 approval queue total 仍為 8、review packets 仍為 8、active runtime gates 仍為 0。
|
||||
|
||||
**仍未完成**:
|
||||
- 尚未收到任何 owner coverage attestation。
|
||||
- 尚未收到任何 owner / admin redacted inventory payload。
|
||||
- 尚未產出 `gitea_repo_inventory_v1.status=ok` snapshot。
|
||||
- 尚未解開 GitHub primary readiness 中的 Gitea inventory blocker。
|
||||
- 任何 repo 建立、visibility 修改、refs sync、primary cutover 或 Gitea 停用。
|
||||
|
||||
**仍禁止**:
|
||||
- 不保存 token value、raw secret、cookie、session、private key、DB dump 或 git object pack。
|
||||
- 不使用 write token。
|
||||
- 不建立、刪除、封存或修改 Gitea repo。
|
||||
- 不建立 GitHub repo、不修改 visibility、不 sync refs、不 delete refs、不 force push。
|
||||
- 不把 S4.7 owner attestation 或 S4.8 approval lane 當成 repo migration approval 或 GitHub primary approval。
|
||||
|
||||
**驗證**:
|
||||
- JSON 全量 parse 通過:87 個 JSON files。
|
||||
- S4.8 assertion 通過:approval queue / review packets / follow-up runtime gate templates 維持 8 / 8 / 8,`active_runtime_gates=0`,未新增第 9 個 approval item 或 runtime gate。
|
||||
- Gitea owner attestation assertion 通過:required items 5 個、收到 / 接受 / 拒收 attestation 皆為 0,且 queue / gate / review packet / follow-up gate 都已引用 S4.7 attestation evidence。
|
||||
- Readiness assertion 通過:contract manifest 仍為 35 個主 contracts、mirror readiness 維持 32 ready / 2 partial / 1 contract-only / 0 blocked、`github_primary_ready_count=0`。
|
||||
- `git diff --check` 通過。
|
||||
- 敏感字串掃描確認本輪未保存 Kali SSH 密碼樣式、常見 token pattern、private key material 或 `GITEA_READONLY_TOKEN` value;dangerous runtime/write flags 維持 false。
|
||||
|
||||
## 2026-05-17 | 資安供應鏈 S4.7:Gitea 清冊覆蓋 Owner Attestation
|
||||
|
||||
**背景**:S4.5 已定義 Gitea 私有 / 內部清冊匯出請求,S4.6 已定義脫敏 payload 驗收 / 拒收 / 隔離規則;但在真正補齊 `gitea_repo_inventory_v1.status=ok` 之前,仍需要 owner 對 public-only 2 repos、本機 Gitea unique 4 repos、org/user endpoint、110 internal adjacent sources、canonical owner 與 legacy/inaccessible repo disposition 作 scope decision。為了維持低摩擦,本輪只建立 owner attestation gate,不呼叫 Gitea API、不匯入 payload、不修改 repo、不同步 refs、不切 GitHub primary。
|
||||
|
||||
@@ -94,12 +94,12 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
|
||||
| `security_finding_v1.severity=HIGH|CRITICAL` | `approve_required` | 產生 `approval_required_event_v1` |
|
||||
| `kali_integration_status_v1.status=partial_runtime_health_integrated` | `observe` | 顯示 Kali 112 health、更新紀錄、缺口與 approval gates;不得直接掃描 |
|
||||
| `kali_scan_scope_approval_v1.status=draft_waiting_approval` | `approve_required` | 顯示 Kali 112、111/168、核心主機、公開網站 scope 與 gate;不得執行 scan |
|
||||
| `security_approval_queue_v1.status=draft` | `approve_required` | 顯示 8 個 queue items、review order 與 blocked reason;不得執行 item |
|
||||
| `security_approval_queue_v1.status=draft` | `approve_required` | 顯示 8 個 queue items、review order 與 blocked reason;Gitea item 已要求 S4.7 owner attestation 先行;不得執行 item |
|
||||
| `security_approval_gate_v1.mode=approval_gate_only` | `approve_required` | 顯示 8 個 gate items、批准範圍與 follow-up runtime gate;批准後不得自動執行 |
|
||||
| `security_approval_decision_record_v1.mode=decision_record_only` | `observe` | 顯示人工決策紀錄;每筆紀錄都必須 `execution_authorized=false` |
|
||||
| `security_approval_review_packet_v1.mode=approval_review_packet_only` | `approve_required` | 顯示 8 個 review packets、review lane 與 still forbidden;不得當成批准或執行授權 |
|
||||
| `security_approval_review_packet_v1.mode=approval_review_packet_only` | `approve_required` | 顯示 8 個 review packets、review lane 與 still forbidden;Gitea packet 需顯示 5 個 attestation items;不得當成批准或執行授權 |
|
||||
| `security_approval_state_transition_v1.mode=approval_state_transition_only` | `observe` | 顯示 5 個 decision options 的 next state;不得把 transition 當 execution authorization |
|
||||
| `security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only` | `observe` | 顯示 8 個後續 runtime gate 準備模板、0 個 active runtime gates;不得新增 action button |
|
||||
| `security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only` | `observe` | 顯示 8 個後續 runtime gate 準備模板、0 個 active runtime gates;Gitea template 需先看 S4.7 owner decision;不得新增 action button |
|
||||
| `source_control_primary_readiness_gate_v1.status=draft_blocked` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;不得切 primary |
|
||||
| `source_control_primary_rollback_adr_v1.status=draft_waiting_owner_review` | `approve_required` | 顯示 7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed;不得執行 rollback 或切 primary |
|
||||
| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、S4.2 local evidence 4 repos / 31 workflows / 43 referenced secret names、S4.3 export request 7 repos / 5 lanes、0 個 complete;不得收集 secret value、不得修改 workflow |
|
||||
|
||||
@@ -131,7 +131,7 @@ Schema:`docs/schemas/security_approval_queue_v1.schema.json`
|
||||
|
||||
Snapshot:`docs/security/security-approval-queue.snapshot.json`
|
||||
|
||||
目前 queue:8 items,7 個 pending approval,1 個 block candidate。建議先 review redacted Kali finding ingestion,再 review safe web crawl 與 Gitea read-only inventory。
|
||||
目前 queue:8 items,7 個 pending approval,1 個 block candidate。建議先 review redacted Kali finding ingestion,再 review safe web crawl;Gitea lane 必須先顯示 S4.7 的 5 個 owner attestation items,owner scope decision 接受前不得進入 read-only inventory。
|
||||
|
||||
AwoooP 初期處理方式:只顯示 review order、blocked reason、required reviewers 與 evidence refs,可建立 approval candidate,但不得執行 queue item。
|
||||
|
||||
@@ -143,7 +143,7 @@ Schema:`docs/schemas/security_approval_gate_v1.schema.json`
|
||||
|
||||
Snapshot:`docs/security/security-approval-gate.snapshot.json`
|
||||
|
||||
目前 gate:8 items,7 個 pending human decision,1 個 block candidate,0 個 approved。批准後仍不得自動執行。
|
||||
目前 gate:8 items,7 個 pending human decision,1 個 block candidate,0 個 approved。Gitea gate 已對齊 S4.7 owner coverage attestation 先行條件;批准後仍不得自動執行。
|
||||
|
||||
AwoooP 初期處理方式:只記錄人工決策、audit evidence 與批准範圍;不得把 gate item 接成 runner,不得在批准後自動啟動 scan、repo、refs、deploy 或 secret 類動作。
|
||||
|
||||
@@ -167,7 +167,7 @@ Schema:`docs/schemas/security_approval_review_packet_v1.schema.json`
|
||||
|
||||
Snapshot:`docs/security/security-approval-review-packet.snapshot.json`
|
||||
|
||||
目前 review packets:8 筆;7 個 ready for human review、1 個 block candidate。所有 packet 都必須維持 `execution_authorized=false`,且 `action_buttons_allowed=false`。
|
||||
目前 review packets:8 筆;7 個 ready for human review、1 個 block candidate。Gitea review packet 必須顯示 S4.7 的 5 個 attestation items、`received_attestation_count=0` 與仍禁止事項;所有 packet 都必須維持 `execution_authorized=false`,且 `action_buttons_allowed=false`。
|
||||
|
||||
AwoooP 初期處理方式:只顯示 review order、review lane、required reviewers、requested decision、evidence refs 與 still forbidden;不得把 review packet 視為批准或執行授權。
|
||||
|
||||
@@ -191,7 +191,7 @@ Schema:`docs/schemas/security_followup_runtime_gate_v1.schema.json`
|
||||
|
||||
Snapshot:`docs/security/security-followup-runtime-gate.snapshot.json`
|
||||
|
||||
目前 templates:8 筆,對應 redacted finding ingestion、safe web crawl、Gitea read-only inventory、GitHub target decisions、ref truth review、credentialed scan、Kali full-upgrade/reboot 與 Kali `/execute` block candidate。`active_runtime_gates=0`、`approved_scope_count=0`、`runtime_actions_authorized=false`。
|
||||
目前 templates:8 筆,對應 redacted finding ingestion、safe web crawl、Gitea owner attestation + read-only inventory、GitHub target decisions、ref truth review、credentialed scan、Kali full-upgrade/reboot 與 Kali `/execute` block candidate。Gitea follow-up template 必須先檢查 S4.7 owner scope decision;`active_runtime_gates=0`、`approved_scope_count=0`、`runtime_actions_authorized=false`。
|
||||
|
||||
AwoooP 初期處理方式:只顯示準備條件與禁止事項,不新增 action button,不啟用 runtime gate,不執行 scan、repo、refs、deploy、secret、RBAC、NetworkPolicy 或 firewall 類動作。
|
||||
|
||||
@@ -823,6 +823,8 @@ Console 初期不提供高風險執行按鈕。
|
||||
|
||||
2026-05-17 S4.7 Gitea 清冊覆蓋 owner attestation 追加:已新增 `docs/schemas/gitea_inventory_coverage_attestation_v1.schema.json`、`docs/security/gitea-inventory-coverage-attestation.snapshot.json` 與 `docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md`。本輪只定義 5 個 owner scope decision items:public-only / local remote gap、org/user endpoint、110 internal adjacent source、canonical owner 與 legacy/inaccessible repo disposition;目前收到 attestation 0 筆、接受 0 筆;不得保存 token value、不得寫 Gitea、不得建立 GitHub repo、不得 sync refs、不得切 GitHub primary。
|
||||
|
||||
2026-05-17 S4.8 Gitea owner attestation approval lane 對齊追加:已更新既有 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_review_packet_v1` 與 `security_followup_runtime_gate_v1` 的 Gitea lane,要求 AwoooP 先顯示 S4.7 的 5 個 owner attestation items 與 scope decision evidence。queue / review packet / follow-up template 數量維持 8 / 8 / 8,`active_runtime_gates=0`,不得新增 action button、不得執行 read-only inventory、不得把 owner attestation 視為 repo migration approval 或 GitHub primary approval。
|
||||
|
||||
2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json`、`docs/security/kali-integration-status.snapshot.json` 與 `docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up;已 targeted update `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence,但不得直接啟動 scan、credentialed scan 或 `/execute`。
|
||||
|
||||
本波仍不做:
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-05-13 |
|
||||
| 日期 | 2026-05-17 |
|
||||
| 狀態 | 草案 |
|
||||
| Schema | `docs/schemas/security_approval_gate_v1.schema.json` |
|
||||
| Snapshot | `docs/security/security-approval-gate.snapshot.json` |
|
||||
@@ -37,7 +37,7 @@ S3.1 開始,實際人工決策紀錄由 `security_approval_decision_record_v1`
|
||||
|------|------|--------------|
|
||||
| 1 | Redacted finding ingestion | 只批准設計或 draft PR |
|
||||
| 2 | Safe web crawl | 只批准低噪音 scope 定義 |
|
||||
| 3 | Gitea read-only inventory | 只批准只讀 inventory 或 redacted admin export |
|
||||
| 3 | Gitea owner attestation + read-only inventory | 先批准 S4.7 owner scope decision,再只批准只讀 inventory 或 redacted admin export |
|
||||
| 4 | GitHub target decisions | 只批准逐 repo 決策草案 |
|
||||
| 5 | Ref truth review | 只批准人工分類與 reconcile 草案 |
|
||||
| 6 | Credentialed scan | 只允許人工 exception 設計,仍需 runtime gate |
|
||||
@@ -70,3 +70,5 @@ S3.1 開始,實際人工決策紀錄由 `security_approval_decision_record_v1`
|
||||
S3.0 只讓人工批准有一致語言與可稽核格式。
|
||||
|
||||
它仍然不是 runtime enforcement,也不是一次把資安等級拉滿。低風險與中風險觀察仍以 observe / warn 為主;只有不可逆或高風險動作才進 gate。
|
||||
|
||||
2026-05-17 S4.8 追加:Gitea gate 的批准範圍已改為 owner attestation 先行。`approve_scope` 最多允許補 S4.7 owner coverage attestation、更新 matrix / decision table,並在後續 runtime gate 準備妥當後才可做一次 read-only inventory;仍不得保存 token value、寫 Gitea、建立 GitHub repo、sync refs 或切 primary。
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-05-13 |
|
||||
| 日期 | 2026-05-17 |
|
||||
| 狀態 | 草案 |
|
||||
| Schema | `docs/schemas/security_approval_queue_v1.schema.json` |
|
||||
| Snapshot | `docs/security/security-approval-queue.snapshot.json` |
|
||||
@@ -34,7 +34,7 @@ S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1
|
||||
|------|------------|------------|
|
||||
| 1 | `kali-finding-runtime-ingestion-approval-20260513` | 先接 redacted finding evidence,風險低、價值高 |
|
||||
| 2 | `kali-safe-web-crawl-approval-20260513` | TLS/header/basic crawl 屬低噪音,但仍需批准 scope |
|
||||
| 3 | `gitea-private-internal-server-side-inventory-2026-05-12` | Gitea 全量版本轉 GitHub 的前置 gate |
|
||||
| 3 | `gitea-private-internal-server-side-inventory-2026-05-12` | 先審 S4.7 owner coverage attestation,再審 Gitea 全量版本轉 GitHub 的只讀 inventory gate |
|
||||
| 4 | `source-control-target-repo-approval-bundle-20260513` | 逐 repo owner / visibility / canonical 決策 |
|
||||
| 5 | `source-control-ref-truth-review-bundle-20260513` | refs truth / deprecated / release tag review |
|
||||
| 6 | `kali-credentialed-scan-approval-20260513` | 需要憑證,風險較高 |
|
||||
@@ -68,3 +68,5 @@ S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1
|
||||
原因是它只允許接收已脫敏 `security_finding_v1` 摘要,能讓 Kali findings 進入 AwoooP 可見性與 audit,卻不會改變 firewall、RBAC、NetworkPolicy、deploy 或 Git 主控面。
|
||||
|
||||
`kali-execute-endpoint-approval-20260513` 則應維持 block candidate。除非未來建立 allowlist、disable gate、完整 audit 與人工 exception,否則不應讓 AwoooP runtime 直接碰這條路徑。
|
||||
|
||||
2026-05-17 S4.8 追加:Gitea queue item 不新增第 9 筆,而是把既有 `gitea-private-internal-server-side-inventory-2026-05-12` 升級為「S4.7 owner coverage attestation 先行」。AwoooP 應先要求 owner 對 5 個 coverage items 作 scope decision;未完成前不得把 inventory 標記 complete,也不得啟動 read-only token / redacted admin export runtime gate。
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-05-13 |
|
||||
| 日期 | 2026-05-17 |
|
||||
| 狀態 | 草案 |
|
||||
| Schema | `docs/schemas/security_approval_review_packet_v1.schema.json` |
|
||||
| Snapshot | `docs/security/security-approval-review-packet.snapshot.json` |
|
||||
@@ -38,7 +38,7 @@ S3.4 開始,等待 runtime gate 時要看哪些前置條件,由 `security_fo
|
||||
|------|--------|-------------|----------|
|
||||
| 1 | Redacted finding ingestion | `design_or_draft_review` | 只審是否可設計或建立 draft PR |
|
||||
| 2 | Safe web crawl | `low_noise_scan_scope_review` | 只審低噪音 scope 定義 |
|
||||
| 3 | Gitea read-only inventory | `read_only_inventory_review` | 只審只讀 token 或 redacted export |
|
||||
| 3 | Gitea owner attestation + read-only inventory | `read_only_inventory_review` | 先審 S4.7 owner scope decision,再審只讀 token 或 redacted export |
|
||||
| 4 | GitHub target decisions | `design_or_draft_review` | 只審 owner / visibility / canonical 草案 |
|
||||
| 5 | Ref truth review | `design_or_draft_review` | 只審人工分類與 reconcile 草案 |
|
||||
| 6 | Credentialed scan | `manual_exception_review` | 只審 exception 設計 |
|
||||
@@ -68,3 +68,5 @@ S3.4 開始,等待 runtime gate 時要看哪些前置條件,由 `security_fo
|
||||
S3.2 只補上「讓人好審」的封包,不提高資安阻力。
|
||||
|
||||
低風險與中風險仍以 observe / warn / draft review 為主;只有不可逆或高風險動作才持續留在 approval gate,且批准後仍必須再過 runtime gate。
|
||||
|
||||
2026-05-17 S4.8 追加:Gitea review packet 會顯示 S4.7 的 5 個 owner attestation items、`received_attestation_count=0` 與 `accepted_attestation_count=0`。這讓 reviewer 先判斷 coverage gap 與 scope decision,不會把 read-only inventory approval 誤解成 repo migration 或 GitHub primary approval。
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-05-13 |
|
||||
| 日期 | 2026-05-17 |
|
||||
| 狀態 | 草案 |
|
||||
| Schema | `docs/schemas/security_followup_runtime_gate_v1.schema.json` |
|
||||
| Snapshot | `docs/security/security-followup-runtime-gate.snapshot.json` |
|
||||
@@ -33,7 +33,7 @@
|
||||
|----------|------|----------|
|
||||
| Redacted finding ingestion | MEDIUM | 只準備 ingestion adapter 的 redaction / audit 前置條件 |
|
||||
| Safe web crawl scope | MEDIUM | 只準備 TLS/header/basic crawl 的低噪音 scope |
|
||||
| Gitea read-only inventory | MEDIUM | 只準備 read-only token 或 redacted export inventory |
|
||||
| Gitea owner attestation + read-only inventory | MEDIUM | 先準備 S4.7 owner scope decision,再準備 read-only token 或 redacted export inventory |
|
||||
| GitHub target decision | HIGH | 只準備 owner / visibility / canonical / workflow parity 決策 |
|
||||
| Ref truth review | HIGH | 只準備 refs truth / deprecated / release tag 人工判定 |
|
||||
| Credentialed scan exception | HIGH | 只準備人工 exception、credential lifecycle 與停用方式 |
|
||||
@@ -61,3 +61,5 @@
|
||||
S3.4 是「批准後仍不能直接做事」的保險絲。
|
||||
|
||||
它讓未來真正進 runtime 前的資料門檻先被定義清楚,但仍維持初期低摩擦:目前只顯示、只準備、只留痕,不執行。
|
||||
|
||||
2026-05-17 S4.8 追加:Gitea follow-up runtime gate 已要求 S4.7 owner coverage attestation 先完成。即使未來 read-only inventory 被批准,仍要先看 public-only / local remote gap、org/user endpoint、110 adjacent source、canonical owner 與 legacy/inaccessible disposition 的 owner decision;未完成前不得執行 inventory。
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
| Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates |
|
||||
| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready |
|
||||
| GitHub primary rollback ADR | S4.4 已建立;7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover |
|
||||
| Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;S4.7 已補 owner coverage attestation;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、敏感 payload 必須隔離、允許收集 token value=false |
|
||||
| Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;S4.7 已補 owner coverage attestation;S4.8 已把既有 Gitea queue/gate/review packet/follow-up gate 對齊 attestation 先行;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、敏感 payload 必須隔離、允許收集 token value=false |
|
||||
| Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;0 個 inventory complete、禁止收集 secret value、禁止 write token |
|
||||
| Dry-run | `contract_defined_not_executed` |
|
||||
| Runtime actions | `false` |
|
||||
@@ -59,7 +59,7 @@
|
||||
|
||||
1. redacted finding ingestion adapter。
|
||||
2. safe web crawl scope。
|
||||
3. Gitea private/internal read-only inventory:先依 S4.7 取得 owner coverage attestation,再依 S4.5 認證匯出請求補全量清冊;收到脫敏 payload 後先依 S4.6 驗收 / 拒收 / 隔離;目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個,不保存 token value。
|
||||
3. Gitea private/internal read-only inventory:先依 S4.7 取得 owner coverage attestation,且 S4.8 已把這個先行條件接到既有 approval queue / gate / review packet / follow-up runtime gate;再依 S4.5 認證匯出請求補全量清冊;收到脫敏 payload 後先依 S4.6 驗收 / 拒收 / 隔離;目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個,不保存 token value。
|
||||
4. GitHub target / owner / visibility / canonical。
|
||||
5. Kali `/execute` 維持 block candidate。
|
||||
6. GitHub primary readiness blockers 與 rollback ADR 缺口。
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
|------|------|
|
||||
| 日期 | 2026-05-17 |
|
||||
| 狀態 | S0/S1 read-only evidence 建置中 |
|
||||
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
|
||||
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
|
||||
| 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
|
||||
|
||||
## 0. 本階段完成後整體進度
|
||||
@@ -46,6 +46,7 @@
|
||||
| S4.5 Gitea 認證清冊匯出請求 | 完成草案 | 已建立匯出請求 schema / snapshot / 人讀版;目前未認證公開範圍 repo 2 個、本機可見 Gitea unique repo 4 個、覆蓋缺口 2 個、匯出來源選項 2 類;允許收集 token value=false | repo owner 依只讀 token API 或已脫敏管理匯出補私有 / 內部全量 repo list;仍不可保存 token、不可 write Gitea、不可 refs sync |
|
||||
| S4.6 Gitea 認證清冊匯入驗收契約 | 完成草案 | 已建立匯入驗收 schema / snapshot / 人讀版;目前 received payload 0、accepted 0、rejected 0;定義 10 個驗收檢查、10 個拒收規則與 4 個 quarantine lanes | owner 提供脫敏 payload 後先驗收 / 拒收 / 隔離;仍不可把驗收當 primary approval |
|
||||
| S4.7 Gitea 清冊覆蓋 Owner Attestation | 完成草案 | 已建立 coverage attestation schema / snapshot / 人讀版;5 個 owner decision items、received attestation 0、accepted 0、execution authorized=false | owner 判定 public-only / local remote gap、org/user endpoint、110 adjacent source、canonical owner 與 legacy/inaccessible disposition;仍不可把 attestation 當 migration approval |
|
||||
| S4.8 Gitea Owner Attestation Approval Lane 對齊 | 完成草案 | 已將既有 Gitea approval queue / gate / review packet / follow-up runtime gate 對齊 S4.7 先行條件;queue items 維持 8、review packets 維持 8、active runtime gates 維持 0 | AwoooP 先顯示 5 個 attestation items,owner decision 接受前不得執行 read-only inventory 或標記 complete |
|
||||
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證,rollback ADR 仍待 owner approval | SHA/tag/workflow parity、rollback ADR owner approval 與 runtime gate |
|
||||
|
||||
## 1. 已建立的主要 evidence
|
||||
@@ -149,7 +150,7 @@
|
||||
|
||||
## 3. 下一階段建議
|
||||
|
||||
1. 先依 S4.7 `GITEA-INVENTORY-COVERAGE-ATTESTATION.md` 取得 owner coverage attestation,再依 S4.5 `GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` 取得 Gitea 認證清冊;收到 payload 後依 S4.6 `GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` 驗收 / 拒收 / 隔離。目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個;只能用只讀 token API 或已脫敏管理匯出補私有 / 內部 server-side 全量 repo list,不保存 token value。
|
||||
1. 先依 S4.7 `GITEA-INVENTORY-COVERAGE-ATTESTATION.md` 取得 owner coverage attestation;S4.8 已把這件事接到既有 approval queue / gate / review packet / follow-up runtime gate。之後再依 S4.5 `GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` 取得 Gitea 認證清冊;收到 payload 後依 S4.6 `GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` 驗收 / 拒收 / 隔離。目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個;只能用只讀 token API 或已脫敏管理匯出補私有 / 內部 server-side 全量 repo list,不保存 token value。
|
||||
2. 依 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical 決策。
|
||||
3. 依 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。
|
||||
4. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"schema_version": "security_approval_gate_v1",
|
||||
"status": "draft",
|
||||
"date": "2026-05-13",
|
||||
"date": "2026-05-17",
|
||||
"mode": "approval_gate_only",
|
||||
"runtime_execution_authorized": false,
|
||||
"source_indexes": [
|
||||
@@ -11,7 +11,8 @@
|
||||
"docs/security/security-rollout-policy.snapshot.json",
|
||||
"docs/security/kali-scan-scope-approval.snapshot.json",
|
||||
"docs/security/source-control-approval-board.snapshot.json",
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json"
|
||||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json"
|
||||
],
|
||||
"summary": {
|
||||
"total_gate_items": 8,
|
||||
@@ -95,6 +96,7 @@
|
||||
],
|
||||
"decision_options": ["approve_scope", "reject", "defer", "request_more_evidence"],
|
||||
"allowed_after_approval": [
|
||||
"先完成 S4.7 owner coverage attestation 並保留 scope decision evidence",
|
||||
"使用 read-only token 或 redacted admin export 補齊 repo list",
|
||||
"只保存 token_present=true/false",
|
||||
"更新 migration matrix 與 repo decision table"
|
||||
@@ -102,6 +104,8 @@
|
||||
"still_forbidden": [
|
||||
"保存 token value",
|
||||
"使用 write-capable token",
|
||||
"未完成 S4.7 owner attestation 就標記 inventory complete",
|
||||
"把 owner attestation 當成 repo migration 或 primary cutover approval",
|
||||
"建立 GitHub repo",
|
||||
"sync refs",
|
||||
"切 GitHub primary"
|
||||
@@ -110,7 +114,10 @@
|
||||
"evidence_refs": [
|
||||
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md",
|
||||
"docs/security/gitea-readonly-inventory-approval.snapshot.json",
|
||||
"docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md"
|
||||
"docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md",
|
||||
"docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md",
|
||||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
|
||||
"docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md"
|
||||
]
|
||||
},
|
||||
{
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"schema_version": "security_approval_queue_v1",
|
||||
"status": "draft",
|
||||
"date": "2026-05-13",
|
||||
"date": "2026-05-17",
|
||||
"default_mode": "approval_only",
|
||||
"execution_authorized": false,
|
||||
"runtime_changes_authorized": false,
|
||||
@@ -82,7 +82,7 @@
|
||||
"risk": "MEDIUM",
|
||||
"state": "pending_approval",
|
||||
"recommended_awooop_mode": "approve_required",
|
||||
"requested_decision": "是否批准使用 read-only token 或 redacted admin export 補齊 Gitea private/internal 全量 repo list。",
|
||||
"requested_decision": "是否先要求 owner 完成 S4.7 coverage attestation,並在 scope decision 被接受後,批准使用 read-only token 或 redacted admin export 補齊 Gitea private/internal 全量 repo list。",
|
||||
"blocked_until_approved": true,
|
||||
"required_reviewers": [
|
||||
"migration-engineer",
|
||||
@@ -92,9 +92,14 @@
|
||||
"evidence_refs": [
|
||||
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md",
|
||||
"docs/security/gitea-readonly-inventory-approval.snapshot.json",
|
||||
"docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md"
|
||||
"docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md",
|
||||
"docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md",
|
||||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
|
||||
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md",
|
||||
"docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md"
|
||||
],
|
||||
"allowed_after_approval": [
|
||||
"先完成 S4.7 owner coverage attestation,更新 migration matrix 與 decision table",
|
||||
"使用 read-only token 或 redacted admin export 執行一次 inventory",
|
||||
"只保存 token_present=true/false",
|
||||
"更新 migration matrix 與 repo decision table"
|
||||
@@ -102,6 +107,8 @@
|
||||
"still_forbidden": [
|
||||
"保存 token value",
|
||||
"使用 write-capable token",
|
||||
"未完成 S4.7 owner attestation 就標記 inventory complete",
|
||||
"把 S4.7 owner attestation 當成 repo migration approval",
|
||||
"建立 GitHub repo",
|
||||
"sync refs",
|
||||
"切 GitHub primary"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"schema_version": "security_approval_review_packet_v1",
|
||||
"status": "draft",
|
||||
"date": "2026-05-13",
|
||||
"date": "2026-05-17",
|
||||
"mode": "approval_review_packet_only",
|
||||
"runtime_execution_authorized": false,
|
||||
"source_indexes": [
|
||||
@@ -11,7 +11,8 @@
|
||||
"docs/security/security-approval-state-transition.snapshot.json",
|
||||
"docs/security/security-followup-runtime-gate.snapshot.json",
|
||||
"docs/security/security-mirror-status-rollup.snapshot.json",
|
||||
"docs/security/security-rollout-policy.snapshot.json"
|
||||
"docs/security/security-rollout-policy.snapshot.json",
|
||||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json"
|
||||
],
|
||||
"summary": {
|
||||
"total_review_packets": 8,
|
||||
@@ -103,7 +104,7 @@
|
||||
"risk": "MEDIUM",
|
||||
"review_state": "ready_for_human_review",
|
||||
"review_lane": "read_only_inventory_review",
|
||||
"requested_decision": "是否允許使用 read-only token 或 redacted admin export 補齊 Gitea private/internal 全量 repo list。",
|
||||
"requested_decision": "是否先要求 owner 完成 S4.7 coverage attestation,並在 scope decision 被接受後,才允許 read-only token 或 redacted admin export 補齊 Gitea private/internal 全量 repo list。",
|
||||
"required_reviewers": [
|
||||
"migration-engineer",
|
||||
"security-commander",
|
||||
@@ -113,20 +114,28 @@
|
||||
"evidence_refs": [
|
||||
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md",
|
||||
"docs/security/gitea-readonly-inventory-approval.snapshot.json",
|
||||
"docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md"
|
||||
"docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md",
|
||||
"docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md",
|
||||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
|
||||
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md",
|
||||
"docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md"
|
||||
],
|
||||
"allowed_pre_decision_actions": [
|
||||
"顯示 public-only 與 blocked endpoint evidence",
|
||||
"顯示 S4.7 的 5 個 owner attestation items 與 received_attestation_count=0",
|
||||
"要求 owner 確認 read-only token 或 redacted export 來源",
|
||||
"不保存 token value"
|
||||
],
|
||||
"allowed_after_decision_actions": [
|
||||
"若 approve_scope,先更新 S4.7 owner attestation evidence 與 scope decision",
|
||||
"若 approve_scope,只能做一次 read-only inventory 或匯入 redacted export",
|
||||
"更新 migration matrix 與 repo decision table"
|
||||
],
|
||||
"still_forbidden": [
|
||||
"保存 token value",
|
||||
"使用 write-capable token",
|
||||
"未完成 owner attestation 就標記 inventory complete",
|
||||
"把 owner attestation 當成 repo migration 或 primary approval",
|
||||
"建立 GitHub repo",
|
||||
"sync refs",
|
||||
"切 GitHub primary"
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"schema_version": "security_followup_runtime_gate_v1",
|
||||
"status": "draft",
|
||||
"date": "2026-05-13",
|
||||
"date": "2026-05-17",
|
||||
"mode": "runtime_gate_preparation_only",
|
||||
"runtime_execution_authorized": false,
|
||||
"source_indexes": [
|
||||
@@ -10,7 +10,8 @@
|
||||
"docs/security/security-approval-gate.snapshot.json",
|
||||
"docs/security/security-approval-decision-record.snapshot.json",
|
||||
"docs/security/security-mirror-status-rollup.snapshot.json",
|
||||
"docs/security/security-rollout-policy.snapshot.json"
|
||||
"docs/security/security-rollout-policy.snapshot.json",
|
||||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json"
|
||||
],
|
||||
"summary": {
|
||||
"total_gate_templates": 8,
|
||||
@@ -108,6 +109,7 @@
|
||||
"gate_state": "waiting_approved_scope",
|
||||
"applies_after_decision": "approve_scope",
|
||||
"minimum_required_evidence": [
|
||||
"S4.7 owner coverage attestation 已完成且 5 個 items 都有 scope decision",
|
||||
"read-only token scope 或 redacted admin export 來源",
|
||||
"token_present=true/false,不保存 token value",
|
||||
"allowed export fields checklist",
|
||||
@@ -119,12 +121,14 @@
|
||||
"human-owner"
|
||||
],
|
||||
"preflight_checks": [
|
||||
"確認 public-only / local remote gap、org/user endpoint、110 adjacent source、canonical owner 與 legacy/inaccessible disposition 已由 owner 判定",
|
||||
"確認 token 不具 write 權限",
|
||||
"確認不保存 token value",
|
||||
"確認 export 不含 webhook secret / deploy key private key / repository secret value",
|
||||
"確認只更新 inventory snapshot"
|
||||
],
|
||||
"allowed_pre_runtime_artifacts": [
|
||||
"owner coverage attestation update",
|
||||
"redacted admin export sample",
|
||||
"read-only inventory command plan",
|
||||
"updated migration matrix draft",
|
||||
@@ -132,6 +136,7 @@
|
||||
],
|
||||
"rollback_or_disable_requirement": "read-only token 必須可撤銷;admin export 必須可刪除本地暫存原檔,只保留 redacted snapshot。",
|
||||
"still_forbidden": [
|
||||
"未完成 S4.7 owner attestation 就執行 inventory",
|
||||
"使用 write-capable token",
|
||||
"建立 GitHub repo",
|
||||
"sync refs",
|
||||
|
||||
@@ -97,8 +97,8 @@
|
||||
{
|
||||
"phase_id": "S3_approval_gate",
|
||||
"state": "draft_ready",
|
||||
"current_result": "Approval queue 已列出 8 個候選,security_approval_gate_v1 已定義人工 gate,security_approval_decision_record_v1 已定義決策紀錄格式,security_approval_review_packet_v1 已定義人工審查封包,security_approval_state_transition_v1 已定義決策狀態轉移語義,security_followup_runtime_gate_v1 已定義後續 runtime gate 準備模板。",
|
||||
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea read-only inventory;review packet、decision record、state transition 與 follow-up runtime gate template 都不等於執行授權。"
|
||||
"current_result": "Approval queue 已列出 8 個候選,security_approval_gate_v1 已定義人工 gate,security_approval_decision_record_v1 已定義決策紀錄格式,security_approval_review_packet_v1 已定義人工審查封包,security_approval_state_transition_v1 已定義決策狀態轉移語義,security_followup_runtime_gate_v1 已定義後續 runtime gate 準備模板;S4.8 已把 Gitea queue/gate/review packet/follow-up gate 對齊 S4.7 owner attestation 先行。",
|
||||
"next_gate": "先 review redacted finding ingestion、safe crawl 與 Gitea owner attestation + read-only inventory;review packet、decision record、state transition 與 follow-up runtime gate template 都不等於執行授權。"
|
||||
},
|
||||
{
|
||||
"phase_id": "S4_migration_execution",
|
||||
@@ -197,6 +197,7 @@
|
||||
"allowed_processing": [
|
||||
"顯示 S4.5 authenticated/admin export request、S4.6 redacted import acceptance、S4.7 owner coverage attestation request 與 coverage gap",
|
||||
"顯示 5 個 owner attestation items、received_attestation_count=0 與 accepted_attestation_count=0",
|
||||
"在 security_approval_queue_v1、security_approval_gate_v1、security_approval_review_packet_v1 與 security_followup_runtime_gate_v1 中顯示 S4.7 owner attestation 先行條件",
|
||||
"使用 read-only token 或 redacted admin export 補齊 repo list",
|
||||
"收到 payload 後只做 schema / redaction / coverage gap 驗收與隔離",
|
||||
"只保存 token_present=true/false",
|
||||
@@ -205,6 +206,7 @@
|
||||
"blocked_processing": [
|
||||
"保存 token value",
|
||||
"使用 write-capable token",
|
||||
"未完成 S4.7 owner attestation 就標記 inventory complete",
|
||||
"把 S4.7 owner attestation request 當成 repo migration approval",
|
||||
"把 S4.6 payload 驗收當成 primary approval",
|
||||
"建立 GitHub repo 或 sync refs"
|
||||
@@ -308,7 +310,10 @@
|
||||
"S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidence;local_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43,secret_value_detected=false。",
|
||||
"S4.3 只新增 redacted export request package;export_request_count=7、export_lane_count=5、write_token_allowed=false,不呼叫 API、不收 secret value、不修改 GitHub/Gitea 設定。",
|
||||
"S4.4 只新增 GitHub primary rollback ADR 草案;repo_rollback_plan_count=7、owner_approved_count=0、dry_run_completed_count=0、rollback_execution_authorized=false,不切 primary、不執行 rollback。",
|
||||
"S4.5 只新增 Gitea authenticated inventory export request;public_only_repo_count=2、local_gitea_unique_repo_count=4、export_source_option_count=2、token_value_collection_allowed=false,不使用 token、不寫入 Gitea、不 sync refs。"
|
||||
"S4.5 只新增 Gitea authenticated inventory export request;public_only_repo_count=2、local_gitea_unique_repo_count=4、export_source_option_count=2、token_value_collection_allowed=false,不使用 token、不寫入 Gitea、不 sync refs。",
|
||||
"S4.6 只新增 Gitea redacted import acceptance;received_payload_count=0、accepted_payload_count=0,不匯入 DB dump/git object、不寫 Gitea、不切 primary。",
|
||||
"S4.7 只新增 Gitea owner coverage attestation request;required_attestation_item_count=5、received_attestation_count=0,不把 attestation 當 migration approval。",
|
||||
"S4.8 只把既有 Gitea approval queue/gate/review packet/follow-up gate 對齊 S4.7 先行條件;approval_queue_total 仍為 8、active_runtime_gates 仍為 0,不新增執行入口。"
|
||||
],
|
||||
"forbidden_actions": [
|
||||
"start_kali_scan",
|
||||
|
||||
Reference in New Issue
Block a user