docs(security): add owner response audit retention rules

This commit is contained in:
Your Name
2026-05-19 12:36:13 +08:00
parent ba034582bf
commit 7f00490c58
19 changed files with 266 additions and 40 deletions

View File

@@ -126,7 +126,7 @@ Ref truth classification 已建立,將 `awoooi`、`clawbot-v5`、`wooo-aiops`
Workflow / secret name owner response 已建立S4.12 補 1 個 request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 templates對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parityreceived / accepted response 皆為 0、audit events emitted 仍為 0。不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value collection、workflow modification、GitHub hosted runner enablement 或 primary approval。
Owner response validation rollup 已建立S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examplesreceived / accepted response 皆為 0reviewer audit emitted 仍為 0。不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checksreviewer audit redaction examples 當成 approval、runtime gate、production ingestion 或 execution authorization。
Owner response validation rollup 已建立S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templates、5 個 reviewer audit display sections、6 個 reviewer audit collection checks、5 個 reviewer audit redaction examples、5 條 reviewer audit retention rulesreceived / accepted response 皆為 0reviewer audit emitted 仍為 0。不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checksreviewer audit redaction examples 或 reviewer audit retention rules 當成 approval、runtime gate、production ingestion 或 execution authorization。
## 3. 必要驗收 gate
@@ -159,7 +159,7 @@ Ref truth classification 補充:完整 review lane 見 `docs/security/SOURCE-C
2. 依 GitHub target repo-by-repo approval package 處理 7 個 approval-required target。
3. 依 S4.11 ref truth owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包與 classification 釐清 `wooo/awoooi``wooo/clawbot-v5``wooo/wooo-aiops` 的雙端分歧來源;仍不得 push/delete refs。
4. 依 S4.12 workflow / secret name owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition仍不得收 secret value、改 workflow 或啟用 hosted runner。
5. 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checksreviewer audit redaction examples仍不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checksreviewer audit redaction examples 當 approval、production ingestion 或 execution authorization。
5. 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit event templates、reviewer audit display sections、reviewer audit collection checksreviewer audit redaction examples 與 reviewer audit retention rules;仍不得把 rollup、routing、sections、transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates、reviewer audit display sections、reviewer audit collection checksreviewer audit redaction examples 或 reviewer audit retention rules 當 approval、production ingestion 或 execution authorization。
6. 釐清 `wooo/ewoooc``root/momo-pro-system``momo-pro-system``momo_pro_system` 的 canonical 關係。
7. 釐清 `bitan-pharmacy``tsenyang-website` 是否仍 active並決定 GitHub owner / visibility。
8. 產出 GitHub primary ADR 前,不做主控切換。