docs(security): add owner response audit retention rules
This commit is contained in:
@@ -39,6 +39,7 @@
|
||||
"owner_response_validation_reviewer_audit_display_section_count": 5,
|
||||
"owner_response_validation_reviewer_audit_collection_check_count": 6,
|
||||
"owner_response_validation_reviewer_audit_redaction_example_count": 5,
|
||||
"owner_response_validation_reviewer_audit_retention_rule_count": 5,
|
||||
"quarantine_required": true,
|
||||
"primary_ready_count": 0,
|
||||
"runtime_execution_authorized": false,
|
||||
@@ -1196,6 +1197,98 @@
|
||||
"not_approval": true
|
||||
}
|
||||
],
|
||||
"owner_response_validation_reviewer_audit_retention_rules": [
|
||||
{
|
||||
"rule_id": "retention-reviewer-start-metadata-only",
|
||||
"display_order": 1,
|
||||
"title": "Reviewer start metadata retention",
|
||||
"retained_metadata_shape": "只可保留 reviewer_role、lane_id、template_id、source_packet_path、review_started_at_taipei 與 redacted_evidence_ref_count。",
|
||||
"retention_boundary": "保留範圍僅限 reviewer audit metadata;不得保留 owner response 內文、截圖內容、私有 URL credential 或 session 類資料。",
|
||||
"blocked_payloads": [
|
||||
"raw_owner_response_body",
|
||||
"unredacted_screenshot",
|
||||
"private_url_credential",
|
||||
"authorization_header",
|
||||
"cookie_or_session"
|
||||
],
|
||||
"retention_status": "metadata_retention_rule_only",
|
||||
"awooop_display_mode": "display_reviewer_audit_retention_rule_only",
|
||||
"execution_authorized": false,
|
||||
"not_approval": true
|
||||
},
|
||||
{
|
||||
"rule_id": "retention-classification-summary-only",
|
||||
"display_order": 2,
|
||||
"title": "Classification summary retention",
|
||||
"retained_metadata_shape": "只可保留 outcome_lane_id、classification_reason_summary、checklist_pass_count、checklist_fail_count、redacted_evidence_ref_ids 與 reviewed_at_taipei。",
|
||||
"retention_boundary": "分類理由必須是摘要;不得保留 token 片段、secret hash、partial credential、runner token 或 webhook secret。",
|
||||
"blocked_payloads": [
|
||||
"token_or_secret_value",
|
||||
"secret_hash_or_masked_token",
|
||||
"partial_credential",
|
||||
"runner_token",
|
||||
"webhook_secret"
|
||||
],
|
||||
"retention_status": "metadata_retention_rule_only",
|
||||
"awooop_display_mode": "display_reviewer_audit_retention_rule_only",
|
||||
"execution_authorized": false,
|
||||
"not_approval": true
|
||||
},
|
||||
{
|
||||
"rule_id": "retention-quarantine-pointer-only",
|
||||
"display_order": 3,
|
||||
"title": "Quarantine pointer retention",
|
||||
"retained_metadata_shape": "只可保留 outcome_lane_id、blocked_reason_code、redaction_required、quarantine_pointer_id、blocked_action_summary 與 reviewed_at_taipei。",
|
||||
"retention_boundary": "隔離資料只保留 pointer 與 reason code;不得保留 raw request / response body、credential value、private key 或 execution payload。",
|
||||
"blocked_payloads": [
|
||||
"raw_request_body",
|
||||
"raw_response_body",
|
||||
"credential_value",
|
||||
"private_key",
|
||||
"execution_payload"
|
||||
],
|
||||
"retention_status": "metadata_retention_rule_only",
|
||||
"awooop_display_mode": "display_reviewer_audit_retention_rule_only",
|
||||
"execution_authorized": false,
|
||||
"not_approval": true
|
||||
},
|
||||
{
|
||||
"rule_id": "retention-readonly-update-targets-only",
|
||||
"display_order": 4,
|
||||
"title": "Read-only update target retention",
|
||||
"retained_metadata_shape": "只可保留 outcome_lane_id、read_only_update_target_ids、followup_runtime_gate_required、active_runtime_gate_count、github_primary_ready_count 與 action_buttons_allowed=false。",
|
||||
"retention_boundary": "只讀更新候選只保留目標 ID 與 gate counter;不得保留 execution command、repo write token、refs update payload、workflow secret value 或 primary switch payload。",
|
||||
"blocked_payloads": [
|
||||
"execution_command",
|
||||
"repo_write_token",
|
||||
"refs_update_payload",
|
||||
"workflow_secret_value",
|
||||
"github_primary_switch_payload"
|
||||
],
|
||||
"retention_status": "metadata_retention_rule_only",
|
||||
"awooop_display_mode": "display_reviewer_audit_retention_rule_only",
|
||||
"execution_authorized": false,
|
||||
"not_approval": true
|
||||
},
|
||||
{
|
||||
"rule_id": "retention-counter-snapshot-only",
|
||||
"display_order": 5,
|
||||
"title": "Counter snapshot retention",
|
||||
"retained_metadata_shape": "只可保留 received_response_count=0、accepted_response_count=0、reviewer_audit_events_emitted=0、primary_ready_count=0、active_runtime_gate_count=0 與 not_authorization=true。",
|
||||
"retention_boundary": "counter snapshot 只作狀態顯示;不得把 counter 或 check pass 轉成 runtime approval、execution queue、action button、scan request 或 primary switch。",
|
||||
"blocked_payloads": [
|
||||
"runtime_approval",
|
||||
"execution_queue_id",
|
||||
"action_button_payload",
|
||||
"scan_request_payload",
|
||||
"primary_switch_payload"
|
||||
],
|
||||
"retention_status": "metadata_retention_rule_only",
|
||||
"awooop_display_mode": "display_reviewer_audit_retention_rule_only",
|
||||
"execution_authorized": false,
|
||||
"not_approval": true
|
||||
}
|
||||
],
|
||||
"readiness_effects": [
|
||||
{
|
||||
"effect_id": "gitea_owner_response_accepted",
|
||||
@@ -1258,6 +1351,7 @@
|
||||
"display_owner_response_validation_reviewer_audit_display_sections",
|
||||
"display_owner_response_validation_reviewer_audit_collection_checks",
|
||||
"display_owner_response_validation_reviewer_audit_redaction_examples",
|
||||
"display_owner_response_validation_reviewer_audit_retention_rules",
|
||||
"route_invalid_response_to_quarantine",
|
||||
"update_read_only_readiness_wording_after_accepted_response"
|
||||
],
|
||||
|
||||
Reference in New Issue
Block a user