From 968466bb3ba775126e150e26d66a1b30a8b9d841 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 13 May 2026 19:30:48 +0800 Subject: [PATCH] docs(security): add workflow secret name inventory contract [skip ci] --- docs/LOGBOOK.md | 24 + ...curity_mirror_status_rollup_v1.schema.json | 15 + ...kflow_secret_name_inventory_v1.schema.json | 231 ++++++++++ ...WOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md | 5 +- ...ECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md | 34 +- docs/security/SECURITY-MIRROR-ACCEPTANCE.md | 2 +- docs/security/SECURITY-MIRROR-DRY-RUN.md | 2 +- docs/security/SECURITY-MIRROR-INTAKE-PLAN.md | 7 +- docs/security/SECURITY-MIRROR-READINESS.md | 7 +- docs/security/SECURITY-MIRROR-ROUTE.md | 8 +- .../security/SECURITY-MIRROR-STATUS-ROLLUP.md | 8 +- ...SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md | 5 +- .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 13 +- .../SOURCE-CONTROL-PRIMARY-READINESS-GATE.md | 5 +- ...-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md | 65 +++ .../security-mirror-acceptance.snapshot.json | 8 +- .../security-mirror-dry-run.snapshot.json | 8 +- ...security-mirror-event-sample.snapshot.json | 9 +- .../security-mirror-intake-plan.snapshot.json | 9 +- .../security-mirror-quarantine.snapshot.json | 2 +- .../security-mirror-readiness.snapshot.json | 14 +- .../security-mirror-route.snapshot.json | 15 +- ...ecurity-mirror-status-rollup.snapshot.json | 32 +- ...pply-chain-contract-manifest.snapshot.json | 26 +- ...ntrol-primary-readiness-gate.snapshot.json | 3 +- ...rkflow-secret-name-inventory.snapshot.json | 428 ++++++++++++++++++ 26 files changed, 923 insertions(+), 62 deletions(-) create mode 100644 docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json create mode 100644 docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md create mode 100644 docs/security/source-control-workflow-secret-name-inventory.snapshot.json diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 6c306991f..fd0dd9c3e 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,27 @@ +## 2026-05-13 | 資安供應鏈 S4.1:Workflow / Secret 名稱 Inventory Gate + +**背景**:S4.0 已把 GitHub primary readiness gate 定義清楚,但切回 GitHub primary 前仍缺 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 與 secret 名稱 inventory。統帥要求初期不要把資安等級一次拉太高,因此本輪只補契約與鏡像 gate,不收 secret value、不改 workflow、不做 repo / refs / primary 動作。 + +**完成**: +- 新增 `docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json`。 +- 新增 `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md`。 +- 盤點 8 個 candidate repos,其中 7 個 in-scope repo 尚缺實際 redacted inventory,`inventory_complete_count=0`、`missing_inventory_count=7`。 +- 明確設定 `secret_value_collection_allowed=false`、`runtime_actions_authorized=false`、`action_buttons_allowed=false`。 +- 資安供應鏈 manifest 從 33 個 contract 增至 34 個 contract。 +- 鏡像 readiness 更新為 34 個 contracts:31 ready for mirror、2 partial ready、1 contract-only、0 blocked。 +- 同步更新 mirror route、intake、acceptance、quarantine、dry-run、event sample、status rollup、AwoooP handoff、mirror-only checklist 與整體 progress。 + +**仍禁止**: +- 不收集、不保存、不搬移 secret value。 +- 不修改 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 secret。 +- 不建立 GitHub repo、不 sync refs、不切 GitHub primary、不停用 Gitea。 +- 不把 workflow / secret 名稱 inventory gate 轉成 runtime execution。 + +**驗證**: +- JSON 全量 parse 與契約一致性 assertion 通過。 +- `git diff --check` 通過。 +- 敏感字串掃描確認本輪文件未保存 Kali SSH 密碼或 secret value。 + ## 2026-05-13 | 資安供應鏈 S4.0:GitHub Primary Readiness Gate **背景**:長期方向已確認要讓 GitHub 成為 primary、Gitea 降成本地 mirror / fallback,但目前 Gitea 全量 inventory、refs truth、workflow/runner/secret name parity、owner/visibility/canonical 與 rollback ADR 都還沒完成。本輪補上 `source_control_primary_readiness_gate_v1`,先把 cutover 前必看的 gate 定義清楚。 diff --git a/docs/schemas/security_mirror_status_rollup_v1.schema.json b/docs/schemas/security_mirror_status_rollup_v1.schema.json index 5b4b36496..c805deee9 100644 --- a/docs/schemas/security_mirror_status_rollup_v1.schema.json +++ b/docs/schemas/security_mirror_status_rollup_v1.schema.json @@ -68,6 +68,9 @@ "active_runtime_gate_count", "primary_readiness_candidate_repo_count", "github_primary_ready_count", + "workflow_secret_inventory_candidate_repo_count", + "workflow_secret_inventory_complete_count", + "secret_value_collection_allowed", "pending_approval_count", "block_candidate_count", "dry_run_status", @@ -123,6 +126,18 @@ "type": "integer", "minimum": 0 }, + "workflow_secret_inventory_candidate_repo_count": { + "type": "integer", + "minimum": 0 + }, + "workflow_secret_inventory_complete_count": { + "type": "integer", + "minimum": 0 + }, + "secret_value_collection_allowed": { + "type": "boolean", + "const": false + }, "pending_approval_count": { "type": "integer", "minimum": 0 diff --git a/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json b/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json new file mode 100644 index 000000000..ebacf51c8 --- /dev/null +++ b/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json @@ -0,0 +1,231 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "urn:awoooi:source-control-workflow-secret-name-inventory-v1", + "title": "Source Control Workflow / Runner / Secret Name Inventory v1", + "description": "定義 GitHub primary cutover 前,AwoooP 需要只讀顯示的 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 與 secret 名稱 inventory。此契約禁止保存 secret value,也不授權任何 repo 或 refs 動作。", + "type": "object", + "required": [ + "schema_version", + "status", + "date", + "mode", + "runtime_execution_authorized", + "source_indexes", + "summary", + "inventory_lanes", + "repo_inventory_readiness", + "inventory_rules", + "forbidden_actions" + ], + "properties": { + "schema_version": { + "const": "source_control_workflow_secret_name_inventory_v1" + }, + "status": { + "type": "string", + "enum": ["draft_missing_evidence"] + }, + "date": { + "type": "string" + }, + "mode": { + "type": "string", + "enum": ["inventory_contract_only"] + }, + "runtime_execution_authorized": { + "type": "boolean", + "const": false + }, + "source_indexes": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "summary": { + "type": "object", + "required": [ + "candidate_repo_count", + "in_scope_repo_count", + "external_scope_count", + "inventory_complete_count", + "missing_inventory_count", + "secret_value_collection_allowed", + "runtime_actions_authorized", + "action_buttons_allowed" + ], + "properties": { + "candidate_repo_count": { + "type": "integer", + "minimum": 0 + }, + "in_scope_repo_count": { + "type": "integer", + "minimum": 0 + }, + "external_scope_count": { + "type": "integer", + "minimum": 0 + }, + "inventory_complete_count": { + "type": "integer", + "minimum": 0 + }, + "missing_inventory_count": { + "type": "integer", + "minimum": 0 + }, + "secret_value_collection_allowed": { + "type": "boolean", + "const": false + }, + "runtime_actions_authorized": { + "type": "boolean", + "const": false + }, + "action_buttons_allowed": { + "type": "boolean", + "const": false + } + }, + "additionalProperties": false + }, + "inventory_lanes": { + "type": "array", + "minItems": 1, + "items": { + "type": "object", + "required": [ + "lane_id", + "title", + "status", + "allowed_fields", + "forbidden_fields", + "required_before_primary", + "execution_authorized" + ], + "properties": { + "lane_id": { + "type": "string" + }, + "title": { + "type": "string" + }, + "status": { + "type": "string", + "enum": ["missing_evidence", "contract_defined_not_collected"] + }, + "allowed_fields": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "forbidden_fields": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "required_before_primary": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "execution_authorized": { + "type": "boolean", + "const": false + } + }, + "additionalProperties": false + } + }, + "repo_inventory_readiness": { + "type": "array", + "minItems": 1, + "items": { + "type": "object", + "required": [ + "github_repo", + "source_key", + "scope_status", + "inventory_state", + "risk", + "required_inventory", + "current_gap", + "allowed_now", + "still_forbidden" + ], + "properties": { + "github_repo": { + "type": "string" + }, + "source_key": { + "type": "string" + }, + "scope_status": { + "type": "string", + "enum": ["in_scope", "external_scope_review"] + }, + "inventory_state": { + "type": "string", + "enum": ["missing_evidence", "scope_review_only"] + }, + "risk": { + "type": "string", + "enum": ["LOW", "MEDIUM", "HIGH"] + }, + "required_inventory": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "current_gap": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "allowed_now": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "still_forbidden": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + } + }, + "additionalProperties": false + } + }, + "inventory_rules": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + }, + "forbidden_actions": { + "type": "array", + "items": { + "type": "string" + }, + "minItems": 1 + } + }, + "additionalProperties": false +} diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md index e0209724d..ddfc94550 100644 --- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md +++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md @@ -54,6 +54,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff,不 fetch、不 push、不刪 refs | | `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類與人工判定隊列,不執行 sync/delete | | `source_control_primary_readiness_gate_v1` | GitHub primary readiness / parity gate | Source-control review、Operator Console、Audit | approval-only | 只顯示 primary blockers、parity gates、rollback ADR 缺口;目前 `primary_ready_count=0` | +| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口與 redacted snapshot 需求;目前 `inventory_complete_count=0`,不得保存 secret value | | `local_repo_canonical_probe_v1` | 本機 working tree lineage 比對 | Canonical decision evidence | mirror-only | 不自動合併、不自動建 repo、不刪除 | | `git_remote_refs_probe_v1` | 指定 repo remote refs read-only probe | Source readiness evidence | mirror-only | 不 fetch、不 push、不自動 mirror | | `approval_required_event_v1` | 上述事件的高風險 gate | Approval queue、Audit | approval-only | `blocked_until_approved=true` | @@ -99,7 +100,8 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `security_approval_state_transition_v1.mode=approval_state_transition_only` | `observe` | 顯示 5 個 decision options 的 next state;不得把 transition 當 execution authorization | | `security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only` | `observe` | 顯示 8 個後續 runtime gate 準備模板、0 個 active runtime gates;不得新增 action button | | `source_control_primary_readiness_gate_v1.status=draft_blocked` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;不得切 primary | -| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 33 個 contracts 的 readiness;不得把 readiness 當 execution authorization | +| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope missing inventory、0 個 complete;不得收集 secret value、不得修改 workflow | +| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 34 個 contracts 的 readiness;不得把 readiness 當 execution authorization | | `security_mirror_intake_plan_v1.status=draft` | `observe` | 顯示 5 個 intake waves 與 4 個 acceptance gates;不得執行 wave | | `security_mirror_event_v1.execution_authorized=false` | `observe` | 只包裝鏡像 payload,明確不授權執行、不顯示執行按鈕 | | `security_mirror_route_v1.status=draft` | `observe` | 顯示 5 個 route groups、channel policy 與 review lane;不得轉成 execution router | @@ -168,6 +170,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | Source Control branch/tag detail diff | `docs/security/source-control-ref-detail-diff.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md` | | Source Control ref truth classification | `docs/security/source-control-ref-truth-classification.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` | | Source Control GitHub primary readiness gate | `docs/security/source-control-primary-readiness-gate.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` | +| Source Control workflow / secret name inventory | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` | | Kali 112 integration status | `docs/security/kali-integration-status.snapshot.json` / `docs/security/KALI-INTEGRATION-STATUS.md` | | Security finding contract | `docs/security/security-finding-kali-sample.snapshot.json` / `docs/security/SECURITY-FINDING-CONTRACT.md` | | Kali scan scope approval package | `docs/security/kali-scan-scope-approval.snapshot.json` / `docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` | diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index 79380cd50..6844f0744 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md @@ -73,7 +73,7 @@ ```text Kali / Code Review / GitHub / Gitea / Codex -> security_supply_chain_contract_manifest_v1 - -> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / security_approval_state_transition_v1 / security_followup_runtime_gate_v1 / source_control_primary_readiness_gate_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1 + -> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / security_approval_state_transition_v1 / security_followup_runtime_gate_v1 / source_control_primary_readiness_gate_v1 / source_control_workflow_secret_name_inventory_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1 -> AWOOOI ingestion / asset_inventory / AIOps KPI / AOL -> mirror 到 AwoooP Runtime State / Channel Event / Audit -> AwoooP Policy / Approval / Exception / Operator Console @@ -207,6 +207,18 @@ Snapshot:`docs/security/source-control-primary-readiness-gate.snapshot.json` AwoooP 初期處理方式:只顯示 blockers、evidence refs 與 required review,不建立 GitHub repo、不修改 visibility、不 sync refs、不切 primary、不停用 Gitea。 +### `source_control_workflow_secret_name_inventory_v1` + +用途:定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate,補上 GitHub primary 前不能缺的 CI/CD 與 secret hygiene evidence。 + +Schema:`docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json` + +Snapshot:`docs/security/source-control-workflow-secret-name-inventory.snapshot.json` + +目前 inventory:8 個 candidate repos、7 個 in-scope repos、1 個 external review;`inventory_complete_count=0`、`missing_inventory_count=7`、`secret_value_collection_allowed=false`。 + +AwoooP 初期處理方式:只顯示 inventory lane 缺口、要求 redacted snapshot 與人工 review;不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary。 + ### `security_mirror_readiness_v1` 用途:集中整理 Security Supply Chain contracts 的 mirror readiness,讓 AwoooP 先知道哪些可 mirror、哪些 partial、哪些 contract-only。 @@ -215,7 +227,7 @@ Schema:`docs/schemas/security_mirror_readiness_v1.schema.json` Snapshot:`docs/security/security-mirror-readiness.snapshot.json` -目前 readiness:33 個 contracts,30 個 ready for mirror,2 個 partial ready,1 個 contract-only,0 個 blocked。所有 contract 都是 `execution_allowed=false`。 +目前 readiness:34 個 contracts,31 個 ready for mirror,2 個 partial ready,1 個 contract-only,0 個 blocked。所有 contract 都是 `execution_allowed=false`。 AwoooP 初期處理方式:先 mirror readiness index,再依 readiness 分批 mirror 其他 snapshots;不得把 readiness 當 execution authorization。 @@ -251,7 +263,7 @@ Schema:`docs/schemas/security_mirror_route_v1.schema.json` Snapshot:`docs/security/security-mirror-route.snapshot.json` -目前 route:5 個 route groups,涵蓋 33 個 contracts;所有 route 都是 `runtime_execution_authorized=false`。 +目前 route:5 個 route groups,涵蓋 34 個 contracts;所有 route 都是 `runtime_execution_authorized=false`。 AwoooP 初期處理方式:只依 route group 顯示 Operator Console / Runtime State / Channel Event / Audit / Approval Queue,不把 route 轉成 execution router。 @@ -299,7 +311,7 @@ Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json` Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json` -目前 rollup:`framework_ready_waiting_approval`;33 個 contracts、30 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆;primary ready 0 筆;decision records 目前 0 筆。 +目前 rollup:`framework_ready_waiting_approval`;34 個 contracts、31 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆;primary ready 0 筆;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆;decision records 目前 0 筆。 AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。 @@ -335,7 +347,7 @@ Schema:`docs/schemas/security_supply_chain_contract_manifest_v1.schema.json` "schema_version": "security_supply_chain_contract_manifest_v1", "status": "draft", "default_enforcement_level": "mirror_only", - "contract_count": 33 + "contract_count": 34 } ``` @@ -610,6 +622,7 @@ Schema:`docs/schemas/approval_required_event_v1.schema.json` - 將低摩擦 rollout policy mirror 成 read-only policy。 - 將 contract manifest mirror 成 contract registry。 - 將 status rollup mirror 成跨 Session 共同狀態入口。 +- 將 workflow / secret 名稱 inventory gate mirror 成 source-control review evidence。 禁止: @@ -634,6 +647,7 @@ Schema:`docs/schemas/approval_required_event_v1.schema.json` - `github_target_repo_approval_package_v1` 進來後,AwoooP 回傳逐 repo approval queue draft,不阻擋 read-only evidence。 - `security_rollout_policy_v1` 進來後,AwoooP 回傳 observe / warn / approve_required 建議,不做 enforcement。 - `security_supply_chain_contract_manifest_v1` 進來後,AwoooP 回傳可消費 contract 清單,不新增 execution router。 +- `source_control_workflow_secret_name_inventory_v1` 進來後,AwoooP 回傳缺哪些 redacted workflow / secret name evidence,不收集 secret value、不修改 workflow。 ### Phase S3:Approval Gate @@ -688,6 +702,7 @@ Console 初期不提供高風險執行按鈕。 10. Approval queue 可容納 `github_target_decision_v1` 與 `github_target_repo_approval_package_v1`,但不得直接建立 repo 或改 visibility。 11. Read-only policy 可容納 `security_rollout_policy_v1`,但初期不得把它變成 runtime blocking rule。 12. Contract registry 可容納 `security_supply_chain_contract_manifest_v1`,但初期不得把它變成 direct tool router。 +13. Source-control review 可容納 `source_control_workflow_secret_name_inventory_v1`,但只能顯示 workflow / secret 名稱缺口,不得收集 value 或修改 workflow。 ## 7. Security Supply Chain Session 下一步 @@ -750,7 +765,7 @@ Console 初期不提供高風險執行按鈕。 2026-05-12 contract manifest 追加:已新增 `docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`、`docs/security/security-supply-chain-contract-manifest.snapshot.json` 與 `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md`。AwoooP 應先讀 manifest 作為 mirror-only contract registry,不把 manifest 當 execution router。 -2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json`、`docs/security/security-mirror-route.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 33 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queue;route 只決定目的地、channel policy 與 review lane,不是 execution router。 +2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json`、`docs/security/security-mirror-route.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 34 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queue;route 只決定目的地、channel policy 與 review lane,不是 execution router。 2026-05-13 mirror acceptance 追加:已新增 `docs/schemas/security_mirror_acceptance_v1.schema.json`、`docs/security/security-mirror-acceptance.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ACCEPTANCE.md`。AwoooP 可用 7 個 acceptance checks 驗收 mirror ingestion;blocking checks 只針對 contract count mismatch、缺 event envelope、route coverage 不完整或未脫敏 evidence,不得阻擋 runtime 流程。 @@ -758,7 +773,7 @@ Console 初期不提供高風險執行按鈕。 2026-05-13 mirror dry-run 追加:已新增 `docs/schemas/security_mirror_dry_run_v1.schema.json`、`docs/security/security-mirror-dry-run.snapshot.json` 與 `docs/security/SECURITY-MIRROR-DRY-RUN.md`。AwoooP 未來可用 6 個 dry-run steps 回報接入演練結果;本 snapshot 狀態為 `contract_defined_not_executed`,不得視為 production ingestion 已啟用。 -2026-05-13 mirror status rollup 追加:已新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json`、`docs/security/security-mirror-status-rollup.snapshot.json` 與 `docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`。AwoooP 與 Security Supply Chain Session 可用同一份 rollup 同步 S0-S4、33 個 contracts、approval queue summary、review packet summary、state transition summary、follow-up runtime gate template summary、GitHub primary readiness summary 與下一個安全 gate;本契約不授權任何 runtime action。 +2026-05-13 mirror status rollup 追加:已新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json`、`docs/security/security-mirror-status-rollup.snapshot.json` 與 `docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`。AwoooP 與 Security Supply Chain Session 可用同一份 rollup 同步 S0-S4、34 個 contracts、approval queue summary、review packet summary、state transition summary、follow-up runtime gate template summary、GitHub primary readiness summary、workflow / secret name inventory summary 與下一個安全 gate;本契約不授權任何 runtime action。 2026-05-13 S3 approval gate 追加:已新增 `docs/schemas/security_approval_gate_v1.schema.json`、`docs/security/security-approval-gate.snapshot.json` 與 `docs/security/SECURITY-APPROVAL-GATE.md`。AwoooP 可用 8 個 gate items 記錄人工批准、拒絕、延後或補 evidence;批准後仍需 follow-up runtime gate,不得直接執行。 @@ -772,6 +787,8 @@ Console 初期不提供高風險執行按鈕。 2026-05-13 S4.0 GitHub primary readiness gate 追加:已新增 `docs/schemas/source_control_primary_readiness_gate_v1.schema.json`、`docs/security/source-control-primary-readiness-gate.snapshot.json` 與 `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md`。AwoooP 可顯示 8 個 candidate repos、7 個 in-scope blocked repos、Gitea inventory、refs truth、workflow/runner/secret name parity 與 rollback ADR 缺口;目前 `primary_ready_count=0`,不得建立 repo、sync refs、切 GitHub primary 或停用 Gitea。 +2026-05-13 S4.1 workflow / secret name inventory 追加:已新增 `docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json`、`docs/security/source-control-workflow-secret-name-inventory.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md`。AwoooP 可顯示 8 個 candidate repos 的 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 `inventory_complete_count=0`、`secret_value_collection_allowed=false`,不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary。 + 2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json`、`docs/security/kali-integration-status.snapshot.json` 與 `docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up;已 targeted update `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence,但不得直接啟動 scan、credentialed scan 或 `/execute`。 本波仍不做: @@ -830,6 +847,8 @@ Console 初期不提供高風險執行按鈕。 - [security_approval_decision_record_v1 snapshot](/Users/ogt/awoooi/docs/security/security-approval-decision-record.snapshot.json) - [Source Control ref truth classification](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md) - [source_control_ref_truth_classification_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-ref-truth-classification.snapshot.json) +- [Source Control workflow / secret name inventory](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md) +- [source_control_workflow_secret_name_inventory_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-inventory.snapshot.json) - [本機 repo canonical lineage snapshot](/Users/ogt/awoooi/docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md) - [local_repo_canonical_probe_v1 snapshot](/Users/ogt/awoooi/docs/security/local-repo-canonical-ewoooc-momo.snapshot.json) - [本機 repo canonical lineage script](/Users/ogt/awoooi/scripts/security/local-repo-canonical-probe.py) @@ -860,6 +879,7 @@ Console 初期不提供高風險執行按鈕。 - [security_approval_gate_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_gate_v1.schema.json) - [security_approval_decision_record_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_decision_record_v1.schema.json) - [source_control_ref_truth_classification_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_classification_v1.schema.json) +- [source_control_workflow_secret_name_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json) - [local_repo_canonical_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/local_repo_canonical_probe_v1.schema.json) - [git_remote_refs_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/git_remote_refs_probe_v1.schema.json) - [approval_required_event_v1 schema](/Users/ogt/awoooi/docs/schemas/approval_required_event_v1.schema.json) diff --git a/docs/security/SECURITY-MIRROR-ACCEPTANCE.md b/docs/security/SECURITY-MIRROR-ACCEPTANCE.md index 6731d00fd..d3a366159 100644 --- a/docs/security/SECURITY-MIRROR-ACCEPTANCE.md +++ b/docs/security/SECURITY-MIRROR-ACCEPTANCE.md @@ -27,7 +27,7 @@ | Check | 目的 | 失敗時是否阻擋鏡像 | |-------|------|--------------------| -| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 33 個 contracts | 是 | +| `CONTRACT_COUNT_MATCH` | 確認 manifest、readiness、route coverage 對齊 34 個 contracts | 是 | | `EVENT_ENVELOPE_REQUIRED` | 確認每筆 payload 都不可執行、不可顯示執行按鈕 | 是 | | `ROUTE_GROUP_COVERAGE` | 確認 5 個 route groups 覆蓋所有 contracts | 是 | | `REDACTION_ONLY` | 確認不保存 raw sensitive value | 是 | diff --git a/docs/security/SECURITY-MIRROR-DRY-RUN.md b/docs/security/SECURITY-MIRROR-DRY-RUN.md index 64af7f323..6d321b19d 100644 --- a/docs/security/SECURITY-MIRROR-DRY-RUN.md +++ b/docs/security/SECURITY-MIRROR-DRY-RUN.md @@ -19,7 +19,7 @@ | Step | 目的 | 必須維持 | |------|------|----------| -| `LOAD_CONTRACT_INDEXES` | 載入 manifest / readiness / route / acceptance / quarantine indexes | 不執行 contract | +| `LOAD_CONTRACT_INDEXES` | 載入 manifest / readiness / route / acceptance / quarantine / workflow-secret inventory indexes | 不執行 contract | | `CHECK_EVENT_ENVELOPE` | 確認每筆 payload 不可執行、不可顯示執行按鈕 | `execution_authorized=false` | | `CHECK_ROUTE_COVERAGE` | 確認 route groups 覆蓋所有 contracts | 不建立 fallback execution route | | `CHECK_ACCEPTANCE_AND_QUARANTINE` | 確認驗收與隔離只處理 mirror payload | 不阻擋 runtime | diff --git a/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md b/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md index 9ebe4d6f0..5083728dd 100644 --- a/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md +++ b/docs/security/SECURITY-MIRROR-INTAKE-PLAN.md @@ -19,10 +19,10 @@ | Wave | 目的 | 主要 contracts | Exit gate | |------|------|----------------|-----------| -| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣、驗收契約、隔離契約、dry-run 報告格式、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation 與 GitHub primary readiness gate | readiness / manifest / rollout policy / mirror event / mirror route / acceptance / quarantine / dry-run / status rollup / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate | 顯示 33 個 contract 且 `execution_allowed=false` | +| `M0_index_bootstrap` | 先載入 readiness、manifest、低摩擦 policy、鏡像事件信封、鏡像路由矩陣、驗收契約、隔離契約、dry-run 報告格式、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory gate | readiness / manifest / rollout policy / mirror event / mirror route / acceptance / quarantine / dry-run / status rollup / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / workflow-secret inventory | 顯示 34 個 contract 且 `execution_allowed=false` | | `M1_kali_visibility` | 顯示 Kali 112、scan scope、approval queue | Kali status / scan scope / approval queue / finding sample | 顯示 5 個 scope groups 與 8 個 queue items,沒有執行按鈕 | -| `M2_source_control_visibility` | 顯示 Gitea/GitHub source-control evidence 與 GitHub primary readiness blockers | migration / inventory / refs / approval board / primary readiness gate | 顯示 blocking reasons,repo/refs/primary actions 全 disabled | -| `M3_approval_candidates` | 顯示 approval candidates、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與人工決策留痕 | approval events / approval queue / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / source-control board | 可留痕,不可自動批准或執行 | +| `M2_source_control_visibility` | 顯示 Gitea/GitHub source-control evidence、GitHub primary readiness blockers 與 workflow / secret 名稱 inventory 缺口 | migration / inventory / refs / approval board / primary readiness gate / workflow-secret inventory | 顯示 blocking reasons,repo/refs/primary/workflow/secret actions 全 disabled | +| `M3_approval_candidates` | 顯示 approval candidates、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、workflow / secret 名稱 inventory gate 與人工決策留痕 | approval events / approval queue / approval gate / decision record / review packet / state transition / follow-up runtime gate / primary readiness gate / workflow-secret inventory / source-control board | 可留痕,不可自動批准或執行 | | `M4_patch_only_backlog` | 顯示 Codex patch-only backlog lane | coding task | 只顯示 lane,不接 Codex runner action | ## 2. AwoooP 可做 @@ -42,6 +42,7 @@ 13. 使用 `security_approval_state_transition_v1` 顯示人工決策後的 next state,但不自動執行後續動作。 14. 使用 `security_followup_runtime_gate_v1` 顯示未來 runtime gate 的準備模板,但不啟用 runtime gate。 15. 使用 `source_control_primary_readiness_gate_v1` 顯示 GitHub primary parity、owner、rollback 與人工批准缺口,但不切 primary。 +16. 使用 `source_control_workflow_secret_name_inventory_v1` 顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,但不保存 secret value、不修改 workflow。 ## 3. AwoooP 不可做 diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md index 0d7858f5a..47ee903d3 100644 --- a/docs/security/SECURITY-MIRROR-READINESS.md +++ b/docs/security/SECURITY-MIRROR-READINESS.md @@ -23,7 +23,7 @@ | 狀態 | 數量 | 說明 | |------|------|------| -| `ready_for_mirror` | 30 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence | +| `ready_for_mirror` | 31 | 可直接 mirror 成 Operator Console / Runtime State / Channel Event / Audit evidence | | `partial_ready` | 2 | 可 mirror,但 evidence 仍不完整 | | `contract_only` | 1 | 有 schema / handoff,尚無正式 snapshot | | `blocked` | 0 | 目前沒有禁止 mirror 的 contract | @@ -81,7 +81,8 @@ AwoooP 可以將 ready / partial contracts mirror 到: 13. 再 mirror `security_approval_state_transition_v1`,只顯示決策後 next state 與 follow-up runtime gate。 14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement。 15. 再 mirror `source_control_primary_readiness_gate_v1`,只顯示 GitHub primary parity、owner、rollback 與人工批准缺口。 -16. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 -17. 最後再 mirror source-control 其他 contracts。 +16. 再 mirror `source_control_workflow_secret_name_inventory_v1`,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,不保存 secret value。 +17. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 +18. 最後再 mirror source-control 其他 contracts。 整個 S2 不新增 execution router、不新增執行按鈕、不新增 runtime blocker。 diff --git a/docs/security/SECURITY-MIRROR-ROUTE.md b/docs/security/SECURITY-MIRROR-ROUTE.md index 20e011497..19c9ba6a6 100644 --- a/docs/security/SECURITY-MIRROR-ROUTE.md +++ b/docs/security/SECURITY-MIRROR-ROUTE.md @@ -25,10 +25,10 @@ | Route group | 目的 | 初期 channel policy | review lane | |-------------|------|---------------------|-------------| -| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance、quarantine、dry-run、status rollup、S3 review packet、state transition 與 follow-up runtime gate 位置 | `no_channel_event` | `observe` | +| `M0_index_bootstrap` | 載入 readiness、manifest、policy、event、intake、route、acceptance、quarantine、dry-run、status rollup、S3 review packet、state transition、follow-up runtime gate、GitHub primary readiness gate 與 workflow / secret name inventory 位置 | `no_channel_event` | `observe` | | `M1_kali_visibility` | 顯示 Kali 112、111 / 168 scope、approval queue 與 finding sample | `approval_required_only` | `approval_required` | -| `M2_source_control_visibility` | 顯示 Gitea / GitHub repo、branch、tag、canonical 差異與 GitHub primary readiness blockers | `low_noise_status` | `source_control_review` | -| `M3_approval_candidates` | 顯示人工批准候選、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與留痕 | `approval_required_only` | `approval_required` | +| `M2_source_control_visibility` | 顯示 Gitea / GitHub repo、branch、tag、canonical 差異、GitHub primary readiness blockers 與 workflow / secret 名稱 inventory 缺口 | `low_noise_status` | `source_control_review` | +| `M3_approval_candidates` | 顯示人工批准候選、S3 gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate、workflow / secret 名稱 inventory gate 與留痕 | `approval_required_only` | `approval_required` | | `M4_patch_only_backlog` | 顯示 Code Review 後的 Codex patch-only backlog lane | `no_channel_event` | `patch_only` | ## 2. AwoooP 可做 @@ -52,7 +52,7 @@ S2.7 後,AwoooP 主線只需要能讀到: -1. 33 個 contracts。 +1. 34 個 contracts。 2. 5 個 route groups。 3. 所有 route group 都是 `runtime_execution_authorized=false`。 4. Channel Event 初期低噪音。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 6fc4cf95e..865b71e42 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -19,8 +19,8 @@ | 類型 | 狀態 | |------|------| -| Contract manifest | 33 個 contracts | -| Mirror readiness | 30 ready、2 partial、1 contract-only、0 blocked | +| Contract manifest | 34 個 contracts | +| Mirror readiness | 31 ready、2 partial、1 contract-only、0 blocked | | Approval queue | 8 items:7 pending approval、1 block candidate | | Approval gate | S3.0 已建立;0 approved、7 pending、1 block candidate | | Decision records | S3.1 已建立;目前 0 筆決策紀錄 | @@ -28,6 +28,7 @@ | State transitions | S3.3 已建立;5 個 decision options 都有 next state,且都不授權執行 | | Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates | | GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | +| Workflow / secret name inventory | S4.1 已建立;8 個 candidate repos、0 個 inventory complete、禁止收集 secret value | | Dry-run | `contract_defined_not_executed` | | Runtime actions | `false` | | Payload ingestion | `false` | @@ -52,7 +53,7 @@ 下一步仍不是 runtime enforcement。 -建議先讓 AwoooP 主線只讀消費本 rollup、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1` 與 `source_control_primary_readiness_gate_v1`,並由人工依序 review: +建議先讓 AwoooP 主線只讀消費本 rollup、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `source_control_workflow_secret_name_inventory_v1`,並由人工依序 review: 1. redacted finding ingestion adapter。 2. safe web crawl scope。 @@ -60,5 +61,6 @@ 4. GitHub target / owner / visibility / canonical。 5. Kali `/execute` 維持 block candidate。 6. GitHub primary readiness blockers 與 rollback ADR 缺口。 +7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,且只保存名稱與 owner,不保存 value。 任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence,不得由本 rollup 自動觸發。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md index 3196c97a8..f4670dbcc 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md @@ -11,7 +11,7 @@ ## 0. 核心結論 -目前 Security Supply Chain 已有 33 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口,避免不同 Session 各自解讀。 +目前 Security Supply Chain 已有 34 個主要契約可交給 AwoooP 消費。Manifest 的用途是把分散的 schema、snapshot、人讀文件、允許動作與禁止動作收成一份入口,避免不同 Session 各自解讀。 初期預設仍是 `mirror_only`。Manifest 不授權 runtime enforcement、不授權 GitHub/Gitea 主控切換、不授權 repo 建立或 refs sync。 @@ -49,6 +49,7 @@ | `source_control_ref_detail_diff_v1` | mirror-only | refs-blocked repo 的 branch/tag 明細 diff | `source-control-ref-detail-diff.snapshot.json` | | `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類 | `source-control-ref-truth-classification.snapshot.json` | | `source_control_primary_readiness_gate_v1` | approval-only | GitHub primary readiness / parity gate | `source-control-primary-readiness-gate.snapshot.json` | +| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | `source-control-workflow-secret-name-inventory.snapshot.json` | | `local_repo_canonical_probe_v1` | mirror-only | momo/ewoooc lineage evidence | `local-repo-canonical-ewoooc-momo.snapshot.json` | | `git_remote_refs_probe_v1` | mirror-only | 110 / GitHub remote refs readiness | `bitan-tsenyang`、`wooo-infra-config` | | `approval_required_event_v1` | approval-only | 高風險 / 敏感邊界 approval | `gitea-readonly-inventory-approval.snapshot.json` | @@ -58,7 +59,7 @@ 1. 先讀 `security_rollout_policy_v1`,確認目前仍是 `mirror_only`。 2. 再讀本 manifest,取得可消費 contract 與禁止動作。 3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。 -4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1` 與 `source_control_primary_readiness_gate_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display。 +4. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / workflow-secret name inventory gate。 5. 不新增執行按鈕,不做 runtime enforcement。 ## 3. 永久禁止 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index e507674fc..26ba1f400 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -4,7 +4,7 @@ |------|------| | 日期 | 2026-05-13 | | 狀態 | S0/S1 read-only evidence 建置中 | -| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 | +| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | ## 0. 本階段完成後整體進度 @@ -20,11 +20,11 @@ | S1.2b branch/tag detail diff | 完成草案 | 3 個 refs-blocked mapped repos 已完成 branch/tag 明細 diff;已忽略本 PR 分支避免 evidence 自我污染 | 人工判定真相來源與 deprecated refs | | S1.2c refs 真相來源分類 | 完成草案 | 141 個 ref review items 已分類:4 個真相來源、114 個 drift deprecated 候選、3 個 release tags、20 個 GitHub-only refs | repo owner 單 ref / 單 repo 判定 | | S1.3 低摩擦 rollout policy | 完成草案 | observe-first / mirror-only matrix 已建立 | AwoooP read-only policy 消費 | -| S1.4 契約索引 | 完成草案 | 33 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry | +| S1.4 契約索引 | 完成草案 | 34 個主要 contract 已集中成 manifest | AwoooP mirror-only contract registry | | S1.5 Kali 112 live 整合狀態 | 完成第一波 | 112 已登入盤點、scanner API healthy、targeted scanner packages updated、Asia/Taipei timezone、no reboot required | scan result ingestion + `/execute` high-risk gate | | S1.6 Kali finding / scan scope approval | 完成草案 | `security_finding_v1` sample snapshot 與 `kali_scan_scope_approval_v1` approval package 已建立;111/168 已納入 observe-only scope | 人工批准 safe crawl / credentialed scan / runtime ingestion / full-upgrade gate | | S1.7 Security approval queue | 完成草案 | 8 個 approval queue items 已集中:7 pending approval、1 block candidate;AwoooP 可 mirror 但不得執行 | 先 review redacted finding ingestion,再 review safe crawl / Gitea inventory | -| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 33 個 contracts:30 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 | +| S2 AwoooP mirror-only readiness | 完成草案 | `security_mirror_readiness_v1` 已整理 34 個 contracts:31 ready、2 partial、1 contract-only、0 blocked | AwoooP 主線建立只讀入口 | | S2.1 AwoooP mirror-only intake plan | 完成草案 | `security_mirror_intake_plan_v1` 已建立 5 個 intake waves 與 4 個 acceptance gates | AwoooP 主線照 wave mirror,不新增 execution router | | S2.2 AwoooP 鏡像事件信封 | 完成草案 | `security_mirror_event_v1` 已建立,要求每筆鏡像 payload 標示 `execution_authorized=false` 與 `action_buttons_allowed=false` | AwoooP 鏡像 payload 統一信封 | | S2.3 AwoooP 鏡像路由矩陣 | 完成草案 | `security_mirror_route_v1` 已建立 5 個 route groups,定義目的地、channel policy 與 review lane | AwoooP 消費時不猜路由、不新增執行入口 | @@ -39,6 +39,7 @@ | S3.3 人工決策狀態轉移契約 | 完成草案 | `security_approval_state_transition_v1` 已建立;5 個 decision options 都有 next state、0 個 runtime action 授權 | AwoooP 可顯示決策後狀態,不可把 transition 當執行 | | S3.4 後續 runtime gate 準備契約 | 完成草案 | `security_followup_runtime_gate_v1` 已建立;8 個 gate templates、0 個 active runtime gates、0 個 approved scope | AwoooP 可顯示前置 evidence、preflight checks 與 rollback / disable requirement,不可啟用 runtime gate | | S4.0 GitHub primary readiness gate | 完成草案 | `source_control_primary_readiness_gate_v1` 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | AwoooP 可顯示 parity、owner、rollback ADR 缺口,不可切 primary | +| S4.1 Workflow / Secret 名稱 inventory 契約 | 完成草案 | `source_control_workflow_secret_name_inventory_v1` 已建立;8 個 candidate repos、7 個 in-scope repos 尚缺實際 inventory、0 個 complete、禁止收集 secret value | AwoooP 可顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱缺口,不可修改 workflow 或 secret | | S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR | ## 1. 已建立的主要 evidence @@ -69,6 +70,8 @@ | Source Control ref truth classification JSON | `docs/security/source-control-ref-truth-classification.snapshot.json` | | Source Control GitHub primary readiness gate | `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` | | Source Control GitHub primary readiness gate JSON | `docs/security/source-control-primary-readiness-gate.snapshot.json` | +| Source Control workflow / secret name inventory | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` | +| Source Control workflow / secret name inventory JSON | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` | | Kali 112 integration status | `docs/security/KALI-INTEGRATION-STATUS.md` | | Kali 112 integration status JSON | `docs/security/kali-integration-status.snapshot.json` | | Security finding contract | `docs/security/SECURITY-FINDING-CONTRACT.md` | @@ -132,6 +135,6 @@ 3. 依 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner 判定;仍不得 push refs。 4. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。 5. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。 -6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1` 與 `source_control_primary_readiness_gate_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。 +6. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕。 7. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 -8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers 與 blocked reason,不新增 execution router。 +8. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、GitHub primary readiness blockers、workflow / secret 名稱 inventory 缺口與 blocked reason,不新增 execution router。 diff --git a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md index 7a03e4cac..1cdb2a8d1 100644 --- a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md +++ b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md @@ -34,7 +34,7 @@ |------|----------|------| | Gitea authenticated inventory | blocked | private/internal 全量 repo list 尚未完成 | | refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift | -| workflow / runner / secret name parity | missing evidence | 尚未有全量 workflow、webhook、runner、secret 名稱 inventory | +| workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot | | owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策 | | rollback ADR | not started | 尚未有逐 repo GitHub primary ADR 與 rollback plan | @@ -44,7 +44,8 @@ 2. 顯示 `primary_ready_count=0`。 3. 將 7 個 in-scope repos 維持在 approval / review lane。 4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、refs truth、workflow/runner/secret name inventory、rollback ADR。 -5. 把狀態寫入 Audit evidence 與 Operator Console。 +5. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口;只保存 secret 名稱與 owner,不保存 value。 +6. 把狀態寫入 Audit evidence 與 Operator Console。 ## 4. AwoooP 不可做 diff --git a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md new file mode 100644 index 000000000..bb018b783 --- /dev/null +++ b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md @@ -0,0 +1,65 @@ +# Workflow / Runner / Secret 名稱 Inventory 契約 + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-05-13 | +| 狀態 | 草案,missing evidence | +| Schema | `docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json` | +| Snapshot | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` | +| 模式 | `inventory_contract_only` | +| runtime 執行授權 | `false` | + +## 0. 核心結論 + +`source_control_workflow_secret_name_inventory_v1` 是 S4.1 的 workflow / runner / secret 名稱 inventory 契約。 + +它只定義 GitHub primary cutover 前要收集哪些只讀欄位:workflow 名稱、trigger、runner label、webhook 目的地、deploy key 名稱、branch protection、CODEOWNERS、secret 名稱與 owner。 + +它不收集 secret value,不修改 workflow,不搬移 secrets,也不授權 GitHub primary cutover。目前 `inventory_complete_count=0`。 + +## 1. 目前狀態 + +| 指標 | 數量 | +|------|------| +| Candidate repos | 8 | +| In-scope repos | 7 | +| External scope review | 1 | +| Inventory complete | 0 | +| Missing inventory | 7 | +| Secret value collection allowed | `false` | + +## 2. Inventory Lanes + +| Lane | 可保存 | 禁止保存 | +|------|--------|----------| +| Workflow | workflow path、名稱、trigger、runner label、environment、referenced secret names | secret value、token value | +| Webhook | webhook 名稱、目的地 host、事件類型、enabled flag、owner | webhook secret、含 token URL | +| Runner | runner label、scope、executor type、host alias、owner | registration token、SSH private key | +| Deploy key | key 名稱、read-only flag、repo scope、owner | private key | +| Branch protection / CODEOWNERS | protected branch、required checks、CODEOWNERS path、owner team | admin override token | +| Secret names | secret name、scope、owning team、used by workflow、rotation owner | secret value、credential value | +| Redaction audit | redaction status、evidence ref、producer、reviewer | raw secret、raw token、raw private key | + +## 3. AwoooP 可做 + +1. 顯示每個 repo 缺哪些 inventory lane。 +2. 顯示 secret 只允許名稱與 owner,不允許 value。 +3. 將 redacted inventory snapshot 寫入 Audit evidence。 +4. 對缺資料 repo 顯示 owner review lane。 +5. 將失敗或含敏感值 payload 交給 mirror quarantine。 + +## 4. AwoooP 不可做 + +1. 不收集、保存、顯示 secret value。 +2. 不修改 workflow、webhook、runner、deploy key 或 branch protection。 +3. 不建立 GitHub repo。 +4. 不 sync refs。 +5. 不切 GitHub primary。 +6. 不停用或降級 Gitea。 +7. 不顯示 repo、refs、secret、primary switch 類 action button。 + +## 5. 階段定位 + +S4.1 讓 GitHub primary readiness 的「workflow / secret 名稱 parity」缺口變成可追蹤清單。 + +這仍是低摩擦框架期:只定義欄位、只顯示缺口、只留痕,不碰任何實際 secret 或發版流程。 diff --git a/docs/security/security-mirror-acceptance.snapshot.json b/docs/security/security-mirror-acceptance.snapshot.json index 9f9d39c08..ffb38dab3 100644 --- a/docs/security/security-mirror-acceptance.snapshot.json +++ b/docs/security/security-mirror-acceptance.snapshot.json @@ -11,8 +11,8 @@ "docs/security/security-mirror-route.snapshot.json" ], "summary": { - "total_contracts": 33, - "ready_for_mirror_count": 30, + "total_contracts": 34, + "ready_for_mirror_count": 31, "route_group_count": 5, "acceptance_check_count": 7, "blocking_check_count": 4 @@ -21,7 +21,7 @@ { "check_id": "CONTRACT_COUNT_MATCH", "title": "契約數量一致", - "expected_result": "AwoooP 讀到 33 個 contracts,且 manifest、readiness、route coverage 的 contract 集合一致。", + "expected_result": "AwoooP 讀到 34 個 contracts,且 manifest、readiness、route coverage 的 contract 集合一致。", "evidence_refs": [ "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-mirror-readiness.snapshot.json", @@ -60,7 +60,7 @@ { "check_id": "ROUTE_GROUP_COVERAGE", "title": "路由群組覆蓋", - "expected_result": "5 個 route groups 合併後涵蓋 manifest 33 個 contracts,且每個 group 都有 destinations、channel_policy 與 review_lane。", + "expected_result": "5 個 route groups 合併後涵蓋 manifest 34 個 contracts,且每個 group 都有 destinations、channel_policy 與 review_lane。", "evidence_refs": [ "docs/security/security-mirror-route.snapshot.json", "docs/security/SECURITY-MIRROR-ROUTE.md" diff --git a/docs/security/security-mirror-dry-run.snapshot.json b/docs/security/security-mirror-dry-run.snapshot.json index 550c7c93a..1cd9dca43 100644 --- a/docs/security/security-mirror-dry-run.snapshot.json +++ b/docs/security/security-mirror-dry-run.snapshot.json @@ -14,8 +14,8 @@ "docs/security/security-mirror-quarantine.snapshot.json" ], "summary": { - "total_contracts": 33, - "ready_for_mirror_count": 30, + "total_contracts": 34, + "ready_for_mirror_count": 31, "route_group_count": 5, "acceptance_check_count": 7, "quarantine_lane_count": 5, @@ -30,7 +30,7 @@ "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-mirror-readiness.snapshot.json" ], - "pass_condition": "看到 33 個 contracts、30 個 ready for mirror,且所有 contract execution_allowed=false。", + "pass_condition": "看到 34 個 contracts、31 個 ready for mirror,且所有 contract execution_allowed=false。", "execution_allowed": false, "blocked_actions": [ "execute_contract", @@ -60,7 +60,7 @@ "docs/security/security-mirror-route.snapshot.json", "docs/security/SECURITY-MIRROR-ROUTE.md" ], - "pass_condition": "route groups 合併後涵蓋 33 個 contracts,沒有未知 execution route。", + "pass_condition": "route groups 合併後涵蓋 34 個 contracts,沒有未知 execution route。", "execution_allowed": false, "blocked_actions": [ "fallback_to_execution_route", diff --git a/docs/security/security-mirror-event-sample.snapshot.json b/docs/security/security-mirror-event-sample.snapshot.json index 8712e89a3..ceba954c8 100644 --- a/docs/security/security-mirror-event-sample.snapshot.json +++ b/docs/security/security-mirror-event-sample.snapshot.json @@ -16,8 +16,8 @@ "risk": "LOW", "summary": "AwoooP 可 mirror Security Supply Chain readiness index,但不得把 readiness 視為執行授權。", "payload_summary": { - "total_contracts": 33, - "ready_for_mirror_count": 30, + "total_contracts": 34, + "ready_for_mirror_count": 31, "partial_ready_count": 2, "contract_only_count": 1, "blocked_count": 0, @@ -37,7 +37,8 @@ "docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md", "docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md", "docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md", - "docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md" + "docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md", + "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md" ], "blocked_actions": [ "execute_mirror_item", @@ -49,7 +50,7 @@ "store_secret_value" ], "labels": { - "phase": "S4.0", + "phase": "S4.1", "redacted": "true", "action_surface": "none", "mirror_only": "true" diff --git a/docs/security/security-mirror-intake-plan.snapshot.json b/docs/security/security-mirror-intake-plan.snapshot.json index 61a89701f..9c9bc839a 100644 --- a/docs/security/security-mirror-intake-plan.snapshot.json +++ b/docs/security/security-mirror-intake-plan.snapshot.json @@ -19,7 +19,8 @@ "docs/security/security-approval-review-packet.snapshot.json", "docs/security/security-approval-state-transition.snapshot.json", "docs/security/security-followup-runtime-gate.snapshot.json", - "docs/security/source-control-primary-readiness-gate.snapshot.json" + "docs/security/source-control-primary-readiness-gate.snapshot.json", + "docs/security/source-control-workflow-secret-name-inventory.snapshot.json" ], "intake_waves": [ { @@ -57,7 +58,7 @@ "execution_router", "blocking_gate" ], - "exit_gate": "Operator Console 能顯示 33 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation 與 GitHub primary readiness gate,且 mirror event envelope action_buttons_allowed=false。" + "exit_gate": "Operator Console 能顯示 34 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory gate,且 mirror event envelope action_buttons_allowed=false。" }, { "wave_id": "M1_kali_visibility", @@ -104,6 +105,7 @@ "source_control_ref_detail_diff_v1", "source_control_ref_truth_classification_v1", "source_control_primary_readiness_gate_v1", + "source_control_workflow_secret_name_inventory_v1", "local_repo_canonical_probe_v1", "git_remote_refs_probe_v1" ], @@ -118,6 +120,7 @@ "顯示 pending owner / visibility / canonical decision", "顯示 refs truth review lane", "顯示 GitHub primary readiness blockers、parity gates 與 rollback ADR 缺口", + "顯示 workflow / webhook / runner / secret 名稱 inventory 缺口,不保存 secret value", "顯示 Gitea inventory partial reason" ], "blocked_processing": [ @@ -141,6 +144,7 @@ "security_approval_state_transition_v1", "security_followup_runtime_gate_v1", "source_control_primary_readiness_gate_v1", + "source_control_workflow_secret_name_inventory_v1", "github_target_repo_approval_package_v1", "source_control_approval_board_v1", "kali_scan_scope_approval_v1" @@ -159,6 +163,7 @@ "display_decision_next_state", "display_followup_runtime_gate_template", "display_primary_readiness_gate", + "display_workflow_secret_name_inventory_gate", "display_required_reviewers", "display_blocked_until_approved" ], diff --git a/docs/security/security-mirror-quarantine.snapshot.json b/docs/security/security-mirror-quarantine.snapshot.json index 06b58db61..684928a5a 100644 --- a/docs/security/security-mirror-quarantine.snapshot.json +++ b/docs/security/security-mirror-quarantine.snapshot.json @@ -11,7 +11,7 @@ "docs/security/security-supply-chain-contract-manifest.snapshot.json" ], "summary": { - "total_contracts": 33, + "total_contracts": 34, "quarantine_lane_count": 5, "auto_retry_allowed": false, "runtime_blocking_allowed": false diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json index 50be1ca3f..ac6fa9af6 100644 --- a/docs/security/security-mirror-readiness.snapshot.json +++ b/docs/security/security-mirror-readiness.snapshot.json @@ -5,8 +5,8 @@ "default_enforcement_level": "mirror_only", "runtime_execution_authorized": false, "summary": { - "total_contracts": 33, - "ready_for_mirror_count": 30, + "total_contracts": 34, + "ready_for_mirror_count": 31, "partial_ready_count": 2, "contract_only_count": 1, "blocked_count": 0 @@ -327,6 +327,16 @@ "human_docs": ["docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"], "notes": "可 mirror GitHub primary readiness blockers、parity gates 與 rollback ADR 缺口;目前 primary_ready_count=0。" }, + { + "contract": "source_control_workflow_secret_name_inventory_v1", + "readiness": "ready_for_mirror", + "consumption_mode": "approval_only", + "mirror_allowed": true, + "execution_allowed": false, + "snapshot_paths": ["docs/security/source-control-workflow-secret-name-inventory.snapshot.json"], + "human_docs": ["docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md"], + "notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;inventory_complete_count=0,secret_value_collection_allowed=false。" + }, { "contract": "local_repo_canonical_probe_v1", "readiness": "ready_for_mirror", diff --git a/docs/security/security-mirror-route.snapshot.json b/docs/security/security-mirror-route.snapshot.json index 5bc0c0664..1c9c1e60c 100644 --- a/docs/security/security-mirror-route.snapshot.json +++ b/docs/security/security-mirror-route.snapshot.json @@ -8,10 +8,11 @@ "docs/security/security-mirror-readiness.snapshot.json", "docs/security/security-supply-chain-contract-manifest.snapshot.json", "docs/security/security-mirror-intake-plan.snapshot.json", - "docs/security/security-mirror-event-sample.snapshot.json" + "docs/security/security-mirror-event-sample.snapshot.json", + "docs/security/source-control-workflow-secret-name-inventory.snapshot.json" ], "summary": { - "total_contracts": 33, + "total_contracts": 34, "route_group_count": 5, "channel_event_policy": "初期只對階段完成、blocked 狀態或需要人工批准的高風險候選發低噪音事件;LOW / MEDIUM observation 不發阻擋事件。", "approval_queue_policy": "只有 approval-only、suggest-only 或 blocked-until-approved 項目可進 approval queue;approval queue 不代表可執行。" @@ -47,7 +48,7 @@ "顯示 security_mirror_quarantine_v1 隔離 lane 與 retry gate", "顯示 security_mirror_dry_run_v1 dry-run steps", "顯示 security_mirror_status_rollup_v1 跨 Session 狀態與下一個 gate", - "顯示 S3 review packet、state transition、follow-up runtime gate preparation 與 GitHub primary readiness gate contract 位置" + "顯示 S3 review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory contract 位置" ], "blocked_processing": [ "新增執行按鈕", @@ -55,7 +56,7 @@ "runtime blocking", "自動批准任何 queue item" ], - "exit_gate": "AwoooP 可顯示 33 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation 與 GitHub primary readiness gate,且所有 route 都維持 runtime_execution_authorized=false。" + "exit_gate": "AwoooP 可顯示 34 個 contract、5 個 route groups、7 個 acceptance checks、5 個 quarantine lanes、6 個 dry-run steps、status rollup、approval gate、decision record、review packet、state transition、follow-up runtime gate preparation、GitHub primary readiness gate 與 workflow / secret name inventory gate,且所有 route 都維持 runtime_execution_authorized=false。" }, { "wave_id": "M1_kali_visibility", @@ -105,6 +106,7 @@ "source_control_ref_detail_diff_v1", "source_control_ref_truth_classification_v1", "source_control_primary_readiness_gate_v1", + "source_control_workflow_secret_name_inventory_v1", "local_repo_canonical_probe_v1", "git_remote_refs_probe_v1", "approval_required_event_v1" @@ -121,6 +123,7 @@ "顯示 repo / branch / tag 差異", "顯示 owner、visibility、canonical 與 refs review lane", "顯示 GitHub primary readiness blockers 與 rollback ADR 缺口", + "顯示 workflow / webhook / runner / secret 名稱 inventory 缺口,不保存 secret value", "顯示 Gitea inventory partial reason", "顯示 GitHub primary cutover blocked reason" ], @@ -145,6 +148,7 @@ "security_approval_state_transition_v1", "security_followup_runtime_gate_v1", "source_control_primary_readiness_gate_v1", + "source_control_workflow_secret_name_inventory_v1", "github_target_repo_approval_package_v1", "source_control_approval_board_v1", "kali_scan_scope_approval_v1" @@ -164,6 +168,7 @@ "顯示人工 decision next state,且 approve_scope 仍需 follow-up runtime gate", "顯示 follow-up runtime gate template,且 active_runtime_gates=0", "顯示 GitHub primary readiness gate,且 primary_ready_count=0", + "顯示 workflow / secret 名稱 inventory gate,且 inventory_complete_count=0", "顯示 required reviewers", "顯示 blocked_until_approved", "記錄人工決策結果" @@ -206,7 +211,7 @@ "acceptance_gates": [ { "gate_id": "ROUTE_COVERS_ALL_CONTRACTS", - "requirement": "route_groups 合併後必須涵蓋 manifest 的 33 個 contracts。" + "requirement": "route_groups 合併後必須涵蓋 manifest 的 34 個 contracts。" }, { "gate_id": "NO_EXECUTION_SURFACE", diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index b66ab152a..e19b03d4e 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -20,11 +20,12 @@ "docs/security/security-approval-state-transition.snapshot.json", "docs/security/security-followup-runtime-gate.snapshot.json", "docs/security/source-control-primary-readiness-gate.snapshot.json", + "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", "docs/security/security-rollout-policy.snapshot.json" ], "summary": { - "total_contracts": 33, - "ready_for_mirror_count": 30, + "total_contracts": 34, + "ready_for_mirror_count": 31, "partial_ready_count": 2, "contract_only_count": 1, "blocked_count": 0, @@ -35,6 +36,9 @@ "active_runtime_gate_count": 0, "primary_readiness_candidate_repo_count": 8, "github_primary_ready_count": 0, + "workflow_secret_inventory_candidate_repo_count": 8, + "workflow_secret_inventory_complete_count": 0, + "secret_value_collection_allowed": false, "pending_approval_count": 7, "block_candidate_count": 1, "dry_run_status": "contract_defined_not_executed", @@ -69,8 +73,8 @@ { "phase_id": "S4_migration_execution", "state": "not_started", - "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready。", - "next_gate": "Gitea authenticated inventory、refs truth、workflow/runner/secret name parity、rollback ADR 與逐 repo 人工批准。" + "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約,inventory_complete_count=0。", + "next_gate": "Gitea authenticated inventory、refs truth、redacted workflow/runner/secret name inventory、rollback ADR 與逐 repo 人工批准。" } ], "next_safe_actions": [ @@ -205,6 +209,23 @@ "停用或封存 Gitea repo" ] }, + { + "action_id": "review_workflow_secret_name_inventory", + "title": "審查 workflow / secret 名稱 inventory 缺口", + "mode": "approval_required", + "source_contract": "source_control_workflow_secret_name_inventory_v1", + "allowed_processing": [ + "顯示 8 個 candidate repos 的 inventory lanes", + "要求 repo owner 補 redacted workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 snapshot", + "只保存 secret name、owner 與 present/absent metadata,不保存 value" + ], + "blocked_processing": [ + "收集或保存 secret value", + "修改 workflow 或 webhook", + "rotate secret", + "sync refs 或切 GitHub primary" + ] + }, { "action_id": "keep_kali_execute_blocked", "title": "Kali /execute 維持 block candidate", @@ -229,7 +250,8 @@ "S3.2 只新增人工審查封包格式;review packet 只讓 AwoooP 顯示與準備人審,不代表批准。", "S3.3 只新增人工決策狀態轉移語義;approve_scope 只進入 waiting runtime gate,不代表可立即執行。", "S3.4 只新增後續 runtime gate 準備模板;active_runtime_gates=0,不新增 action button。", - "S4.0 只新增 GitHub primary readiness gate;github_primary_ready_count=0,不新增 repo / refs / primary switch action。" + "S4.0 只新增 GitHub primary readiness gate;github_primary_ready_count=0,不新增 repo / refs / primary switch action。", + "S4.1 只新增 workflow / secret 名稱 inventory 契約;workflow_secret_inventory_complete_count=0,secret_value_collection_allowed=false,不新增 workflow、secret、repo、refs 或 primary switch action。" ], "forbidden_actions": [ "start_kali_scan", diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json index 50502c6e9..d3ab5e781 100644 --- a/docs/security/security-supply-chain-contract-manifest.snapshot.json +++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json @@ -2,7 +2,7 @@ "schema_version": "security_supply_chain_contract_manifest_v1", "status": "draft", "default_enforcement_level": "mirror_only", - "contract_count": 33, + "contract_count": 34, "contracts": [ { "contract": "security_rollout_policy_v1", @@ -203,7 +203,7 @@ "switch_github_primary", "store_secret_value" ], - "notes": "整理 33 個 Security Supply Chain contracts 的 mirror readiness,供 AwoooP 安全消費。" + "notes": "整理 34 個 Security Supply Chain contracts 的 mirror readiness,供 AwoooP 安全消費。" }, { "contract": "security_mirror_intake_plan_v1", @@ -535,6 +535,28 @@ ], "notes": "定義 S4.0 GitHub primary readiness gate;7 個 in-scope repos 仍 blocked,primary_ready_count=0。" }, + { + "contract": "source_control_workflow_secret_name_inventory_v1", + "schema_path": "docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json", + "snapshot_paths": ["docs/security/source-control-workflow-secret-name-inventory.snapshot.json"], + "human_docs": ["docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md"], + "consumer": "AwoooP source-control review / Secret hygiene audit / Operator Console", + "consumption_mode": "approval_only", + "allowed_actions": [ + "mirror_workflow_secret_name_inventory_gap", + "display_missing_inventory_lanes", + "request_redacted_workflow_secret_snapshot" + ], + "forbidden_actions": [ + "collect_secret_value", + "modify_workflow", + "rotate_secret", + "create_repo", + "sync_refs", + "switch_github_primary" + ], + "notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約;目前 inventory_complete_count=0,不保存 secret value。" + }, { "contract": "local_repo_canonical_probe_v1", "schema_path": "docs/schemas/local_repo_canonical_probe_v1.schema.json", diff --git a/docs/security/source-control-primary-readiness-gate.snapshot.json b/docs/security/source-control-primary-readiness-gate.snapshot.json index d006221bf..272e0edde 100644 --- a/docs/security/source-control-primary-readiness-gate.snapshot.json +++ b/docs/security/source-control-primary-readiness-gate.snapshot.json @@ -10,6 +10,7 @@ "docs/security/source-control-reconcile-plan.snapshot.json", "docs/security/source-control-ref-detail-diff.snapshot.json", "docs/security/source-control-ref-truth-classification.snapshot.json", + "docs/security/source-control-workflow-secret-name-inventory.snapshot.json", "docs/security/gitea-repo-inventory.snapshot.json", "docs/security/gitea-org-repo-inventory-blocked.snapshot.json", "docs/security/security-followup-runtime-gate.snapshot.json" @@ -79,7 +80,7 @@ "secret 只列名稱與 owner,不保存 value" ], "current_gap": [ - "尚未建立全量 workflow / webhook / runner / secret 名稱 inventory", + "S4.1 已定義 workflow / webhook / runner / secret 名稱 inventory 契約,但尚未收集實際 redacted snapshot", "不得搬移或輸出 secret value", "不得因缺資料而假設 GitHub ready" ], diff --git a/docs/security/source-control-workflow-secret-name-inventory.snapshot.json b/docs/security/source-control-workflow-secret-name-inventory.snapshot.json new file mode 100644 index 000000000..0583b3abc --- /dev/null +++ b/docs/security/source-control-workflow-secret-name-inventory.snapshot.json @@ -0,0 +1,428 @@ +{ + "schema_version": "source_control_workflow_secret_name_inventory_v1", + "status": "draft_missing_evidence", + "date": "2026-05-13", + "mode": "inventory_contract_only", + "runtime_execution_authorized": false, + "source_indexes": [ + "docs/security/source-control-primary-readiness-gate.snapshot.json", + "docs/security/github-target-decision.snapshot.json", + "docs/security/source-control-approval-board.snapshot.json", + "docs/security/source-control-reconcile-plan.snapshot.json", + "docs/security/security-rollout-policy.snapshot.json" + ], + "summary": { + "candidate_repo_count": 8, + "in_scope_repo_count": 7, + "external_scope_count": 1, + "inventory_complete_count": 0, + "missing_inventory_count": 7, + "secret_value_collection_allowed": false, + "runtime_actions_authorized": false, + "action_buttons_allowed": false + }, + "inventory_lanes": [ + { + "lane_id": "workflow_file_inventory", + "title": "workflow 名稱與觸發條件 inventory", + "status": "contract_defined_not_collected", + "allowed_fields": [ + "workflow_file_path", + "workflow_display_name", + "trigger_names", + "runner_label_names", + "environment_names", + "referenced_secret_names" + ], + "forbidden_fields": [ + "secret_value", + "token_value", + "private_key", + "webhook_secret", + "deploy_key_private_material" + ], + "required_before_primary": [ + "列出 Gitea/GitHub workflow 名稱與觸發條件差異", + "確認 self-hosted runner label 是否一致", + "確認 deployment marker / production deploy workflow 真相來源" + ], + "execution_authorized": false + }, + { + "lane_id": "webhook_inventory", + "title": "webhook 名稱、目的地與事件類型 inventory", + "status": "contract_defined_not_collected", + "allowed_fields": [ + "webhook_name", + "destination_host_redacted", + "event_types", + "active_enabled_flag", + "owner" + ], + "forbidden_fields": [ + "webhook_secret", + "full_payload_url_with_token", + "authorization_header", + "cookie" + ], + "required_before_primary": [ + "列出 Gitea/GitHub webhook 目的地與事件類型差異", + "確認 primary cutover 後哪一端發 webhook", + "確認不重複觸發 deploy 或 notification" + ], + "execution_authorized": false + }, + { + "lane_id": "runner_inventory", + "title": "runner label 與 executor inventory", + "status": "contract_defined_not_collected", + "allowed_fields": [ + "runner_label", + "runner_scope", + "executor_type", + "host_alias", + "owner" + ], + "forbidden_fields": [ + "runner_registration_token", + "ssh_private_key", + "host_password", + "api_token" + ], + "required_before_primary": [ + "確認 GitHub primary 後使用 self-hosted runner,不消耗 GitHub hosted 額度", + "確認 runner label 與 workflow expectations 一致", + "確認 runner owner 與維護窗口" + ], + "execution_authorized": false + }, + { + "lane_id": "deploy_key_inventory", + "title": "deploy key / machine key 名稱 inventory", + "status": "contract_defined_not_collected", + "allowed_fields": [ + "key_name", + "read_only_flag", + "repo_scope", + "owner", + "last_seen_metadata" + ], + "forbidden_fields": [ + "private_key", + "public_key_full_value_if_sensitive", + "token_value", + "password" + ], + "required_before_primary": [ + "確認 deploy key 是否 read-only", + "確認 key owner 與 repo scope", + "確認 primary cutover 不需要搬移 private key value" + ], + "execution_authorized": false + }, + { + "lane_id": "branch_protection_codeowners_inventory", + "title": "branch protection / CODEOWNERS inventory", + "status": "contract_defined_not_collected", + "allowed_fields": [ + "protected_branch_name", + "required_review_count", + "required_status_check_names", + "codeowners_path", + "owner_team_names" + ], + "forbidden_fields": [ + "team_secret", + "personal_access_token", + "admin_override_token" + ], + "required_before_primary": [ + "確認 main/dev branch protection 差異", + "確認 required status checks 名稱與 CI provider 對齊", + "確認 CODEOWNERS 是否存在與 owner team 是否有效" + ], + "execution_authorized": false + }, + { + "lane_id": "secret_name_inventory", + "title": "secret 名稱與 owner inventory", + "status": "contract_defined_not_collected", + "allowed_fields": [ + "secret_name", + "secret_scope", + "owning_team", + "used_by_workflow_name", + "rotation_owner" + ], + "forbidden_fields": [ + "secret_value", + "secret_plaintext", + "token_value", + "private_key", + "credential_value" + ], + "required_before_primary": [ + "只列 secret 名稱與 owner,不列 value", + "確認 Gitea/GitHub secret name parity", + "確認缺漏 secret 的 owner 與補證流程" + ], + "execution_authorized": false + }, + { + "lane_id": "redaction_audit_inventory", + "title": "redaction 與 audit inventory", + "status": "contract_defined_not_collected", + "allowed_fields": [ + "redaction_status", + "evidence_ref", + "producer", + "reviewer", + "collection_timestamp" + ], + "forbidden_fields": [ + "raw_secret", + "raw_token", + "raw_cookie", + "raw_private_key", + "raw_webhook_secret" + ], + "required_before_primary": [ + "每份 inventory snapshot 都必須標示已脫敏", + "敏感值掃描通過後才可 mirror", + "失敗 payload 必須進 quarantine,不得寫入 Runtime State" + ], + "execution_authorized": false + } + ], + "repo_inventory_readiness": [ + { + "github_repo": "owenhytsai/awoooi", + "source_key": "wooo/awoooi", + "scope_status": "in_scope", + "inventory_state": "missing_evidence", + "risk": "HIGH", + "required_inventory": [ + "workflow_file_inventory", + "webhook_inventory", + "runner_inventory", + "secret_name_inventory", + "branch_protection_codeowners_inventory" + ], + "current_gap": [ + "production deploy workflow / deployment marker 名稱 parity 尚未完成", + "runner label 與 required status checks 尚未整理", + "secret 只能列名稱與 owner,尚無 redacted snapshot" + ], + "allowed_now": [ + "建立 read-only inventory request", + "顯示缺口與 owner", + "等待 redacted snapshot" + ], + "still_forbidden": [ + "搬移 secret value", + "修改 workflow", + "切 GitHub primary", + "停用 Gitea deploy path" + ] + }, + { + "github_repo": "owenhytsai/clawbot-v5", + "source_key": "wooo/clawbot-v5", + "scope_status": "in_scope", + "inventory_state": "missing_evidence", + "risk": "MEDIUM", + "required_inventory": [ + "workflow_file_inventory", + "secret_name_inventory", + "branch_protection_codeowners_inventory" + ], + "current_gap": [ + "workflow / secret 名稱 parity 尚未整理", + "required status checks 尚未確認" + ], + "allowed_now": [ + "顯示 missing evidence", + "要求 repo owner 補 redacted inventory" + ], + "still_forbidden": [ + "建立或修改 secrets", + "sync refs", + "切 primary" + ] + }, + { + "github_repo": "owenhytsai/wooo-aiops", + "source_key": "wooo/wooo-aiops", + "scope_status": "in_scope", + "inventory_state": "missing_evidence", + "risk": "MEDIUM", + "required_inventory": [ + "workflow_file_inventory", + "webhook_inventory", + "secret_name_inventory" + ], + "current_gap": [ + "GitHub-only refs 與 workflow 來源尚未釐清", + "webhook / secret 名稱 parity 尚未整理" + ], + "allowed_now": [ + "顯示 source-control review lane", + "要求 owner 補 workflow / webhook 名稱" + ], + "still_forbidden": [ + "delete GitHub-only refs", + "搬 secret value", + "切 primary" + ] + }, + { + "github_repo": "owenhytsai/wooo-infra-config", + "source_key": "wooo/wooo-infra-config", + "scope_status": "in_scope", + "inventory_state": "missing_evidence", + "risk": "MEDIUM", + "required_inventory": [ + "deploy_key_inventory", + "secret_name_inventory", + "branch_protection_codeowners_inventory" + ], + "current_gap": [ + "infra secret 名稱 inventory 尚未完成", + "deploy key / machine key owner 尚未確認", + "110 internal remote 用途仍需 owner 決策" + ], + "allowed_now": [ + "只列 key / secret 名稱與 owner", + "顯示 internal remote purpose review" + ], + "still_forbidden": [ + "搬 infra secret value", + "輸出 private key", + "刪除 remote", + "切 primary" + ] + }, + { + "github_repo": "owenhytsai/ewoooc", + "source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees", + "scope_status": "in_scope", + "inventory_state": "missing_evidence", + "risk": "HIGH", + "required_inventory": [ + "workflow_file_inventory", + "secret_name_inventory", + "branch_protection_codeowners_inventory" + ], + "current_gap": [ + "canonical repo 尚未人工確認", + "GitHub target 未授權 probe 看不到", + "workflow / secret 名稱 inventory 尚未建立" + ], + "allowed_now": [ + "顯示 target creation/access review", + "要求 owner 補 canonical 與 redacted inventory" + ], + "still_forbidden": [ + "auto_create_repo", + "auto_merge_unrelated_histories", + "搬 secret value", + "切 primary" + ] + }, + { + "github_repo": "owenhytsai/bitan-pharmacy", + "source_key": "bitan-pharmacy", + "scope_status": "in_scope", + "inventory_state": "missing_evidence", + "risk": "MEDIUM", + "required_inventory": [ + "workflow_file_inventory", + "secret_name_inventory" + ], + "current_gap": [ + "GitHub target 未確認", + "repo 是否仍 active 尚未確認", + "workflow / secret 名稱 inventory 尚未建立" + ], + "allowed_now": [ + "顯示 target creation/access review", + "要求 owner 確認 active 狀態" + ], + "still_forbidden": [ + "auto_create_repo", + "push refs", + "搬 secret value", + "切 primary" + ] + }, + { + "github_repo": "owenhytsai/tsenyang-website", + "source_key": "tsenyang-website", + "scope_status": "in_scope", + "inventory_state": "missing_evidence", + "risk": "MEDIUM", + "required_inventory": [ + "workflow_file_inventory", + "secret_name_inventory" + ], + "current_gap": [ + "GitHub target 未確認", + "repo 是否仍 active 尚未確認", + "workflow / secret 名稱 inventory 尚未建立" + ], + "allowed_now": [ + "顯示 target creation/access review", + "要求 owner 確認 active 狀態" + ], + "still_forbidden": [ + "auto_create_repo", + "push refs", + "搬 secret value", + "切 primary" + ] + }, + { + "github_repo": "nexu-io/open-design", + "source_key": "open-design", + "scope_status": "external_scope_review", + "inventory_state": "scope_review_only", + "risk": "LOW", + "required_inventory": [ + "scope ownership only" + ], + "current_gap": [ + "尚未確認是否屬於 AWOOOI 資安供應鏈範圍" + ], + "allowed_now": [ + "顯示 scope review", + "維持 observe-only" + ], + "still_forbidden": [ + "加入 primary cutover queue", + "修改 repo visibility", + "sync refs" + ] + } + ], + "inventory_rules": [ + "本契約只定義 workflow / runner / webhook / deploy key / secret 名稱 inventory 欄位,不代表 inventory 已完成。", + "secret_name_inventory 只允許保存 secret_name、scope、owner 與 used_by_workflow_name,禁止保存 value。", + "任何 raw secret、token、cookie、private key、webhook secret 或 credential value 都必須被拒收並進 quarantine。", + "此 inventory 完成前,GitHub primary readiness gate 必須維持 blocked。", + "inventory snapshot 只能 mirror 成 Operator Console / Audit evidence,不得新增 execution action。" + ], + "forbidden_actions": [ + "collect_secret_value", + "store_secret_token_cookie_private_key_or_exploit_payload", + "create_github_repo", + "change_repo_visibility", + "sync_git_refs", + "delete_git_refs", + "force_push", + "switch_github_primary", + "disable_gitea", + "modify_workflow", + "rotate_secret", + "add_action_button" + ] +}