diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 017faad54..662526541 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,18 @@ +## 2026-05-18 | 資安供應鏈 S4.9:Owner Response Audit Event Templates + +**背景**:S4.9 已有 request packet、template status ledger 與 collection checks;本輪補上 3 個 audit event templates,讓 AwoooP 可顯示 request shown、response received metadata、outcome classified 的稽核模板,但仍不啟用 production ingestion。 + +**完成**: +- `gitea_inventory_owner_attestation_response_v1` schema 新增 optional `owner_response_audit_event_templates`,summary 新增 `owner_response_audit_event_template_count=3`。 +- `gitea-inventory-owner-attestation-response.snapshot.json` 新增 3 個 audit event templates,全部維持 `template_only_not_emitted`、`emitted_event_count=0`、`stored_raw_payload_allowed=false`、`execution_authorized=false` 與 `not_approval=true`。 +- `source-control-owner-response-guard.py` 反查 audit event template count、template id 順序、display order、狀態、emitted count、raw payload 儲存禁令與 approval / execution 禁令。 +- 更新 S4.9 人讀文件、AwoooP checklist、handoff、readiness、manifest、status rollup、dry-run、approval queue / gate / review packet、follow-up runtime gate、primary readiness gate、runbook、read-only approval package 與 progress。 + +**仍禁止**: +- 不把 audit event templates 當成 AwoooP production ingestion 已啟用。 +- 不保存 owner response raw body、token value、secret value、private key、cookie、session、DB dump、git object pack、repo archive 或 execution request payload。 +- 不把 request shown、response received metadata 或 outcome classified 當成 owner response accepted、inventory runtime、repo migration、refs sync、workflow / secret / runner 變更或 GitHub primary approval。 + ## 2026-05-18 | 資安供應鏈 S4.9:Owner Response Template Status Ledger **背景**:S4.9 已有 request packet 與 collection checks;本輪補上五個 response templates 的逐項 status ledger,讓 AwoooP 可以顯示每個 template 仍為 `waiting_owner_response`,避免只看整體 count 時漏掉哪一項尚未回覆。 diff --git a/docs/schemas/gitea_inventory_owner_attestation_response_v1.schema.json b/docs/schemas/gitea_inventory_owner_attestation_response_v1.schema.json index fc1f483a9..2a8650e47 100644 --- a/docs/schemas/gitea_inventory_owner_attestation_response_v1.schema.json +++ b/docs/schemas/gitea_inventory_owner_attestation_response_v1.schema.json @@ -62,6 +62,7 @@ "rejected_response_count", "response_template_count", "owner_response_template_status_count", + "owner_response_audit_event_template_count", "owner_response_request_packet_count", "owner_response_collection_check_count", "intake_preflight_check_count", @@ -86,6 +87,7 @@ "rejected_response_count": {"type": "integer", "minimum": 0}, "response_template_count": {"type": "integer", "minimum": 0}, "owner_response_template_status_count": {"type": "integer", "minimum": 0}, + "owner_response_audit_event_template_count": {"type": "integer", "minimum": 0}, "owner_response_request_packet_count": {"type": "integer", "minimum": 0}, "owner_response_collection_check_count": {"type": "integer", "minimum": 0}, "intake_preflight_check_count": {"type": "integer", "minimum": 0}, @@ -229,6 +231,60 @@ }, "minItems": 1 }, + "owner_response_audit_event_templates": { + "type": "array", + "description": "AwoooP 可照此格式記錄 S4.9 owner response 流程的脫敏 audit metadata;此欄位只是模板,尚未代表 runtime ingestion。", + "items": { + "type": "object", + "required": [ + "event_template_id", + "display_order", + "event_status", + "trigger", + "purpose", + "allowed_metadata_fields", + "forbidden_payloads", + "emitted_event_count", + "stored_raw_payload_allowed", + "awooop_display_mode", + "execution_authorized", + "not_approval" + ], + "properties": { + "event_template_id": {"type": "string"}, + "display_order": {"type": "integer", "minimum": 1}, + "event_status": {"type": "string", "enum": ["template_only_not_emitted"]}, + "trigger": {"type": "string"}, + "purpose": {"type": "string"}, + "allowed_metadata_fields": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "forbidden_payloads": { + "type": "array", + "items": {"type": "string"}, + "minItems": 1 + }, + "emitted_event_count": {"type": "integer", "minimum": 0}, + "stored_raw_payload_allowed": { + "type": "boolean", + "const": false + }, + "awooop_display_mode": {"type": "string", "enum": ["display_audit_template_only"]}, + "execution_authorized": { + "type": "boolean", + "const": false + }, + "not_approval": { + "type": "boolean", + "const": true + } + }, + "additionalProperties": false + }, + "minItems": 1 + }, "owner_response_request_packet": { "type": "object", "description": "AwoooP 可直接顯示給 owner 的 S4.9 回覆請求;只說明要填什麼與不得貼什麼,不授權任何執行。", diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md index d5d9b32e5..fae9fbf44 100644 --- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md +++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md @@ -45,7 +45,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `source_control_owner_response_validation_rollup_v1` | S4.9 / S4.10 / S4.11 / S4.12 owner response validation rollup | Operator Console、Source-control review、Audit | mirror-only | 只顯示四包 response packets、22 個 templates、missing response lanes、owner response collection order、next collection candidate、10 個 cross-packet checks、quarantine rules 與 latest local validation;不得視為 approval 或 runtime gate | | `coding_task_v1` | Code Review / Codex Security / manual review | Approval candidate、Channel Event、Audit | suggest-only | 不自動開 patch runner、不自動 merge | | `source_control_migration_event_v1` | Gitea/GitHub branch/tag/SHA diff | Supply-chain evidence、Approval candidate | mirror-only | 不觸發 deploy、不切換 primary | -| `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 顯示 public-only evidence、S4.5 authenticated/admin export request、S4.6 redacted import acceptance、S4.7 owner coverage attestation、S4.9 owner response request packet、5 個 template statuses、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;不保存 token value、不刪除或停用 Gitea repo | +| `gitea_repo_inventory_v1` | Gitea org/user repo list 或管理匯出 | Supply-chain evidence、migration matrix | mirror-only | 顯示 public-only evidence、S4.5 authenticated/admin export request、S4.6 redacted import acceptance、S4.7 owner coverage attestation、S4.9 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;不保存 token value、不刪除或停用 Gitea repo | | `local_git_remote_inventory_v1` | 本機可見 Git working tree remote | Source-control coverage evidence、migration matrix | mirror-only | 不視為 Gitea server 全量、不修改 remote | | `github_target_probe_v1` | 候選 GitHub repo read-only probe | Migration target evidence | mirror-only | `not_found_or_private` 不等同確認不存在 | | `github_target_decision_v1` | GitHub target 建立與可見性決策草案;S4.10 owner decision response 收件包 | Approval candidate、Migration target evidence | mirror-only | approval 前不得建立 repo、修改 visibility、同步 refs;S4.10 response 目前 0 筆,不代表執行批准 | @@ -118,7 +118,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `source_control_migration_event_v1.status=blocked` | `observe` | 顯示 blocking reason,不允許切 primary | | `source_control_migration_event_v1.status=verified` | `approve_required` | 仍需人工批准主控切換 | | `gitea_repo_inventory_v1.status=blocked` | `observe` | 補只讀 token 或管理匯出,不做同步 | -| `gitea_repo_inventory_v1.status=partial` | `observe` | 視為 public-only evidence,顯示 S4.5 export request、S4.6 import acceptance、S4.7 owner attestation request、S4.9 owner response request packet、template status ledger、collection checks、owner response templates、intake preflight checks、outcome lanes 與 coverage gap,不做同步 | +| `gitea_repo_inventory_v1.status=partial` | `observe` | 視為 public-only evidence,顯示 S4.5 export request、S4.6 import acceptance、S4.7 owner attestation request、S4.9 owner response request packet、template status ledger、audit event templates、collection checks、owner response templates、intake preflight checks、outcome lanes 與 coverage gap,不做同步 | | `gitea_repo_inventory_v1.status=ok` | `warn` | 進入 repo mapping / branch tag diff | | `approval_required_event_v1.requested_action=run_gitea_readonly_inventory` | `approve_required` | 只允許 read-only token 或 redacted admin export,不保存 token value | | `local_git_remote_inventory_v1.status=partial` | `observe` | 補 server-side inventory,不做主控切換 | diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index 59ac29449..f20a9d52a 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md @@ -62,6 +62,8 @@ S4.9 也提供 1 個 `owner_response_request_packet`:AwoooP 可直接顯示 ow S4.9 也提供 5 個 `owner_response_template_statuses`:逐 template 顯示 `waiting_owner_response`、`request_ready_not_sent`、received / accepted / rejected 皆為 0,以及下一步 owner action。這只是 status ledger,不是 approval queue,也不能讓 request ready 自動變成 request sent。 +S4.9 也提供 3 個 `owner_response_audit_event_templates`:request shown、response received metadata、outcome classified。這些都維持 `template_only_not_emitted`、`emitted_event_count=0`,只描述未來可記錄的脫敏 metadata 欄位;不得保存 owner response raw body、token、secret、private key、cookie、session、DB dump、git object、repo archive 或 execution request payload,也不代表 AwoooP production ingestion 已啟用。 + S4.9 也提供 6 個 `owner_response_collection_checks`:request packet 已顯示、read-only submission mode、五個 templates 分開追蹤、脫敏 evidence only、不得把回覆語意升級成批准、只記錄 audit metadata。AwoooP 應用它把 request sent、response received、response accepted 三種狀態分開,不得因為 request 已發出就增加 received / accepted count。 S4.9 也提供 6 個 `intake_preflight_checks`:已知 item、必填欄位、允許 decision、脫敏 evidence、不得夾帶執行要求、接受前覆蓋五個 items。AwoooP 只能用它判斷可收、補證、隔離或拒收,不得把 preflight pass 當成 inventory runtime、repo migration 或 primary approval。 @@ -385,7 +387,7 @@ Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json` Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json` -目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆、primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;S4.11 refs truth owner response templates 5 筆、received response 0 筆、accepted response 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response request packet 1 筆、template statuses 5 筆、collection checks 6 筆、S4.9 owner response templates 5 筆、intake preflight checks 6 筆、outcome lanes 5 筆、received response 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆、S4.12 owner response templates 5 筆、received response 0 筆、accepted response 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 +目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆、primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;S4.11 refs truth owner response templates 5 筆、received response 0 筆、accepted response 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、collection checks 6 筆、S4.9 owner response templates 5 筆、intake preflight checks 6 筆、outcome lanes 5 筆、received response 0 筆、audit events emitted 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆、S4.12 owner response templates 5 筆、received response 0 筆、accepted response 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。 @@ -539,7 +541,7 @@ S4.6 支援性驗收:已新增 `docs/schemas/gitea_authenticated_inventory_imp S4.7 支援性 owner attestation:已新增 `docs/schemas/gitea_inventory_coverage_attestation_v1.schema.json`、`docs/security/gitea-inventory-coverage-attestation.snapshot.json` 與 `docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md`。此 attestation 仍不新增第 36 個主 contract,只定義 public-only / local remote gap、org/user endpoint、110 internal adjacent source、canonical owner 與 legacy/inaccessible disposition 的 owner decision;目前 `required_attestation_item_count=5`、`received_attestation_count=0`、`accepted_attestation_count=0`、`runtime_execution_authorized=false`,不得把 attestation request 視為 repo migration approval。 -S4.9 支援性 owner response request packet 與收件包:已新增 `docs/schemas/gitea_inventory_owner_attestation_response_v1.schema.json`、`docs/security/gitea-inventory-owner-attestation-response.snapshot.json` 與 `docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md`。此 response packet 仍不新增第 36 個主 contract,只定義 AwoooP 可顯示給 owner 的回覆請求、template status ledger、collection checks、owner 回覆 S4.7 五個 items 時的必填欄位、intake preflight checks、outcome lanes、驗收規則、拒收規則與 allowed output;目前 `owner_response_request_packet_count=1`、`owner_response_template_status_count=5`、`owner_response_collection_check_count=6`、`required_response_item_count=5`、`intake_preflight_check_count=6`、`intake_outcome_lane_count=5`、`received_response_count=0`、`accepted_response_count=0`、`runtime_execution_authorized=false`,不得把 request packet、template status ledger 或 response packet 視為 read-only inventory 已執行、repo migration approval 或 GitHub primary approval。 +S4.9 支援性 owner response request packet 與收件包:已新增 `docs/schemas/gitea_inventory_owner_attestation_response_v1.schema.json`、`docs/security/gitea-inventory-owner-attestation-response.snapshot.json` 與 `docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md`。此 response packet 仍不新增第 36 個主 contract,只定義 AwoooP 可顯示給 owner 的回覆請求、template status ledger、audit event templates、collection checks、owner 回覆 S4.7 五個 items 時的必填欄位、intake preflight checks、outcome lanes、驗收規則、拒收規則與 allowed output;目前 `owner_response_request_packet_count=1`、`owner_response_template_status_count=5`、`owner_response_audit_event_template_count=3`、`owner_response_collection_check_count=6`、`required_response_item_count=5`、`intake_preflight_check_count=6`、`intake_outcome_lane_count=5`、`received_response_count=0`、`accepted_response_count=0`、`runtime_execution_authorized=false`,不得把 request packet、template status ledger、audit event templates 或 response packet 視為 read-only inventory 已執行、audit production ingestion、repo migration approval 或 GitHub primary approval。 ### `local_git_remote_inventory_v1` @@ -914,7 +916,7 @@ Console 初期不提供高風險執行按鈕。 2026-05-17 S4.8 Gitea owner attestation approval lane 對齊追加:已更新既有 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_review_packet_v1` 與 `security_followup_runtime_gate_v1` 的 Gitea lane,要求 AwoooP 先顯示 S4.7 的 5 個 owner attestation items 與 scope decision evidence。queue / review packet / follow-up template 數量維持 8 / 8 / 8,`active_runtime_gates=0`,不得新增 action button、不得執行 read-only inventory、不得把 owner attestation 視為 repo migration approval 或 GitHub primary approval。 -2026-05-17 S4.9 Gitea owner attestation response 收件包追加,2026-05-18 補 owner response request packet、template status ledger 與 collection checks:已新增 `docs/schemas/gitea_inventory_owner_attestation_response_v1.schema.json`、`docs/security/gitea-inventory-owner-attestation-response.snapshot.json` 與 `docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md`。AwoooP 可顯示 1 個 owner response request packet、5 個 template statuses、6 個 collection checks、5 個 response templates、6 個 intake preflight checks、5 個 outcome lanes、8 個 acceptance checks 與 10 個 rejection rules;目前收到 response 0 筆、接受 0 筆,仍不得保存 token value、不得寫 Gitea、不得 sync refs、不得切 GitHub primary。 +2026-05-17 S4.9 Gitea owner attestation response 收件包追加,2026-05-18 補 owner response request packet、template status ledger、audit event templates 與 collection checks:已新增 `docs/schemas/gitea_inventory_owner_attestation_response_v1.schema.json`、`docs/security/gitea-inventory-owner-attestation-response.snapshot.json` 與 `docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md`。AwoooP 可顯示 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、5 個 response templates、6 個 intake preflight checks、5 個 outcome lanes、8 個 acceptance checks 與 10 個 rejection rules;目前收到 response 0 筆、接受 0 筆、audit events emitted 0 筆,仍不得保存 token value、不得寫 Gitea、不得 sync refs、不得切 GitHub primary,也不得把 audit template 當成 production ingestion。 2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json`、`docs/security/kali-integration-status.snapshot.json` 與 `docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up;已 targeted update `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence,但不得直接啟動 scan、credentialed scan 或 `/execute`。 diff --git a/docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md b/docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md index b32ebfca3..be982e88b 100644 --- a/docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md +++ b/docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md @@ -19,7 +19,7 @@ S4.6 定義「收到 owner 或 Gitea 管理者提供的脫敏清冊後,怎麼 這不是實際匯入,也不是宣告 Gitea inventory 完成。它只把未來可接受的 payload 形狀、必要欄位、拒收規則、隔離 lane 與允許輸出先固定下來,避免 owner 提供資料時把 token、DB dump、git object 或 repo 操作要求混進來。 -S4.7 已補 owner coverage attestation,S4.9 已補 owner response request packet、template status ledger、collection checks 與收件包:即使 payload 通過 S4.6,也仍需 owner 依 S4.9 request packet 回覆 public-only / local remote gap、org/user endpoint、110 internal adjacent source、canonical owner 與 legacy/inaccessible disposition,且 template status ledger、collection checks 與 response 驗收通過後,才可把 blocker 往 primary readiness 下一關推進。 +S4.7 已補 owner coverage attestation,S4.9 已補 owner response request packet、template status ledger、audit event templates、collection checks 與收件包:即使 payload 通過 S4.6,也仍需 owner 依 S4.9 request packet 回覆 public-only / local remote gap、org/user endpoint、110 internal adjacent source、canonical owner 與 legacy/inaccessible disposition,且 template status ledger、audit event templates、collection checks 與 response 驗收通過後,才可把 blocker 往 primary readiness 下一關推進;audit event templates 目前只允許顯示 0 emitted 的脫敏 metadata 模板,不代表 production ingestion。 ## 1. 驗收摘要 diff --git a/docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md b/docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md index 308fb31c3..2d68f539f 100644 --- a/docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md +++ b/docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md @@ -16,7 +16,7 @@ S4.7 補的是「owner 怎麼說明 Gitea 清冊覆蓋缺口」。 -S4.9 已補上 owner response request packet、template status ledger、collection checks 與收件包,規範 AwoooP 要如何提示 owner、如何逐 template 顯示 waiting / request ready、如何維持 request / received / accepted 分離、owner 回覆這 5 個 items 時的必填欄位、驗收規則與拒收規則;目前仍未收到 response。 +S4.9 已補上 owner response request packet、template status ledger、audit event templates、collection checks 與收件包,規範 AwoooP 要如何提示 owner、如何逐 template 顯示 waiting / request ready、如何顯示 0 emitted 的脫敏 metadata audit template、如何維持 request / received / accepted 分離、owner 回覆這 5 個 items 時的必填欄位、驗收規則與拒收規則;目前仍未收到 response。 目前 `gitea_repo_inventory_v1` 仍是 public-only / partial:未認證公開範圍只看到 2 個 repos,本機 remote evidence 看到 4 個 Gitea unique repos,另有 4 個 110 internal adjacent sources 需要判定是否屬本輪 GitHub migration scope。 @@ -33,6 +33,7 @@ S4.9 已補上 owner response request packet、template status ledger、collecti | 已拒收 attestation | 0 | | S4.9 owner response request packet | 1 | | S4.9 owner response template statuses | 5 | +| S4.9 owner response audit event templates | 3 | | S4.9 owner response collection checks | 6 | | S4.9 owner response templates | 5 | | 已收到 owner response | 0 | diff --git a/docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md b/docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md index 8d72874bb..8fb0d8d4e 100644 --- a/docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md +++ b/docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md @@ -30,6 +30,7 @@ S4.7 已定義要問什麼,S4.8 已把它接到 AwoooP approval lane;S4.9 | 已拒收 response | 0 | | response templates | 5 | | owner response template statuses | 5 | +| owner response audit event templates | 3 | | owner response request packet | 1 | | owner response collection checks | 6 | | intake preflight checks | 6 | @@ -96,6 +97,18 @@ AwoooP 可用 `owner_response_template_statuses` 顯示五個 templates 的逐 這個 ledger 只顯示逐項狀態,不是 approval queue。`request_ready_not_sent` 只代表 AwoooP 有資料可顯示;在 owner 真的回覆前,`received_response_count`、`accepted_response_count` 與 `rejected_response_count` 都必須維持 0。 +## 2.0.3 Owner Response Audit Event Templates + +AwoooP 可用 `owner_response_audit_event_templates` 做未來 audit metadata 的格式參考: + +| 順序 | Event template | 觸發點 | 允許記錄 | +|------|----------------|--------|----------| +| 1 | `audit-owner-response-request-shown` | 顯示 request packet 時 | request id、template ids、target contract、顯示角色、台北時間與來源文件 | +| 2 | `audit-owner-response-received-metadata` | 收到 owner response metadata pointer 時 | template id、attestation item、owner role/team、台北時間與脫敏 evidence refs | +| 3 | `audit-owner-response-outcome-classified` | 完成 collection / preflight / outcome 分類時 | template id、collection status、outcome lane、next owner action、分類角色與台北時間 | + +這 3 個 event templates 目前都是 `template_only_not_emitted`,`emitted_event_count=0`。它們不代表 AwoooP production ingestion 已啟用,也不保存 owner response raw body、token、secret、private key、cookie、session、DB dump、git object pack、repo archive 或 execution request payload。 + ## 2.1 AwoooP 收件前 Preflight | 順序 | 檢查 | 失敗處理 | @@ -158,7 +171,7 @@ AwoooP 可用 `owner_response_template_statuses` 顯示五個 templates 的逐 ## 6. AwoooP 可做 1. 顯示 5 個 owner response templates。 -2. 顯示 owner response request packet、template status ledger、6 個 collection checks、6 個 intake preflight checks、5 個 outcome lanes、acceptance checks 與 rejection rules。 +2. 顯示 owner response request packet、template status ledger、audit event templates、6 個 collection checks、6 個 intake preflight checks、5 個 outcome lanes、acceptance checks 與 rejection rules。 3. 在 owner response 到來後,只更新 read-only snapshot、matrix、decision table、readiness gate 與 status rollup。 4. 將不完整或可疑 response 放進 mirror quarantine。 5. 持續顯示 `received_response_count=0`、`accepted_response_count=0`,直到真的收到脫敏 response。 diff --git a/docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md b/docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md index 2306bb8cb..86a259f42 100644 --- a/docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md +++ b/docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md @@ -35,7 +35,7 @@ S4.6 已補 `gitea_authenticated_inventory_import_acceptance_v1`,把 owner / S4.7 已補 `gitea_inventory_coverage_attestation_v1`,把 public-only / local remote gap、org/user endpoint、110 internal adjacent source、canonical owner 與 legacy/inaccessible repo disposition 的 owner decision 正式文件化。attestation 只做 scope 判定,不等於 repo migration 或 primary cutover approval。 -S4.9 已補 `gitea_inventory_owner_attestation_response_v1`,把 AwoooP 可顯示給 owner 的 request packet、template status ledger、collection checks、owner 回覆 S4.7 五個 items 時的必填欄位、intake preflight checks、outcome lanes、驗收規則與拒收規則正式文件化。request packet 只是填寫提示,template status ledger / collection checks 只維持 request / received / accepted 分離;response 通過只代表可更新 read-only matrix / decision table,不等於 read-only inventory 已執行。 +S4.9 已補 `gitea_inventory_owner_attestation_response_v1`,把 AwoooP 可顯示給 owner 的 request packet、template status ledger、audit event templates、collection checks、owner 回覆 S4.7 五個 items 時的必填欄位、intake preflight checks、outcome lanes、驗收規則與拒收規則正式文件化。request packet 只是填寫提示,template status ledger / audit event templates / collection checks 只維持 request / received / accepted 分離;audit event templates 目前全為 `template_only_not_emitted`、0 emitted,只定義脫敏 metadata 欄位;response 通過只代表可更新 read-only matrix / decision table,不等於 read-only inventory 已執行或 AwoooP production ingestion 已啟用。 ## 1. 申請批准的動作 diff --git a/docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md b/docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md index 513b02a8b..f8dcee991 100644 --- a/docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md +++ b/docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md @@ -37,7 +37,7 @@ S4.6 已補 `gitea_authenticated_inventory_import_acceptance_v1`:收到 owner S4.7 已補 `gitea_inventory_coverage_attestation_v1`:owner 必須先對 public-only / local remote gap、org/user endpoint、110 internal adjacent source、canonical owner 與 legacy/inaccessible repo disposition 作 scope decision。此 attestation 仍不授權 token 收集、repo 寫入、refs sync 或 primary cutover。 -S4.9 已補 `gitea_inventory_owner_attestation_response_v1`:AwoooP 可先顯示 1 個 owner response request packet 與 5 個 template statuses,並用 6 個 collection checks 維持 request / received / accepted 分離;owner response 必須依 5 個 template 填寫,並先通過 6 個 intake preflight checks、5 個 outcome lanes 與基本驗收,才能把 S4.7 coverage attestation 視為可審 evidence。此 request packet / response 收件包仍不授權 read-only inventory runtime、repo migration 或 primary cutover。 +S4.9 已補 `gitea_inventory_owner_attestation_response_v1`:AwoooP 可先顯示 1 個 owner response request packet、5 個 template statuses 與 3 個 audit event templates,並用 6 個 collection checks 維持 request / received / accepted 分離;audit event templates 目前全為 `template_only_not_emitted`、0 emitted,只定義 request shown / response received metadata / outcome classified 的脫敏 metadata 欄位;owner response 必須依 5 個 template 填寫,並先通過 6 個 intake preflight checks、5 個 outcome lanes 與基本驗收,才能把 S4.7 coverage attestation 視為可審 evidence。此 request packet / response 收件包仍不授權 read-only inventory runtime、repo migration、audit production ingestion 或 primary cutover。 ## 1. Public-only 快照指令 diff --git a/docs/security/SECURITY-APPROVAL-GATE.md b/docs/security/SECURITY-APPROVAL-GATE.md index 850c07cbf..f2a0d9f58 100644 --- a/docs/security/SECURITY-APPROVAL-GATE.md +++ b/docs/security/SECURITY-APPROVAL-GATE.md @@ -73,4 +73,4 @@ S3.0 只讓人工批准有一致語言與可稽核格式。 2026-05-17 S4.8 追加:Gitea gate 的批准範圍已改為 owner attestation 先行。`approve_scope` 最多允許補 S4.7 owner coverage attestation、更新 matrix / decision table,並在後續 runtime gate 準備妥當後才可做一次 read-only inventory;仍不得保存 token value、寫 Gitea、建立 GitHub repo、sync refs 或切 primary。 -2026-05-17 S4.9 追加,2026-05-18 補 request packet、template status ledger 與 collection checks:Gitea gate 現在要求 AwoooP 先顯示 S4.9 owner response request packet 與五個 template statuses,並用 collection checks 確認 request / received / accepted 分離;owner response 依 S4.9 收件包通過 intake preflight checks、outcome lanes 與基本驗收後,才可把 S4.7 coverage attestation 視為可審 evidence。此驗收仍只更新 read-only matrix / decision table / readiness gate,不授權 inventory runtime、repo migration 或 GitHub primary。 +2026-05-17 S4.9 追加,2026-05-18 補 request packet、template status ledger、audit event templates 與 collection checks:Gitea gate 現在要求 AwoooP 先顯示 S4.9 owner response request packet 與五個 template statuses,並用 audit event templates / collection checks 確認只記錄 metadata、request / received / accepted 分離;owner response 依 S4.9 收件包通過 intake preflight checks、outcome lanes 與基本驗收後,才可把 S4.7 coverage attestation 視為可審 evidence。此驗收仍只更新 read-only matrix / decision table / readiness gate,不授權 inventory runtime、repo migration 或 GitHub primary。 diff --git a/docs/security/SECURITY-APPROVAL-QUEUE.md b/docs/security/SECURITY-APPROVAL-QUEUE.md index ac196a502..8e8933e11 100644 --- a/docs/security/SECURITY-APPROVAL-QUEUE.md +++ b/docs/security/SECURITY-APPROVAL-QUEUE.md @@ -71,4 +71,4 @@ S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1 2026-05-17 S4.8 追加:Gitea queue item 不新增第 9 筆,而是把既有 `gitea-private-internal-server-side-inventory-2026-05-12` 升級為「S4.7 owner coverage attestation 先行」。AwoooP 應先要求 owner 對 5 個 coverage items 作 scope decision;未完成前不得把 inventory 標記 complete,也不得啟動 read-only token / redacted admin export runtime gate。 -2026-05-17 S4.9 追加,2026-05-18 補 request packet、template status ledger 與 collection checks:Gitea queue item 仍維持同一筆,新增 owner response request packet、template status ledger、collection checks 與收件包作為 S4.7 的填寫提示與驗收格式。AwoooP 可顯示 1 個 request packet、5 個 template statuses、6 個 collection checks、5 個 response templates、6 個 intake preflight checks、5 個 outcome lanes、8 個 acceptance checks 與 10 個 rejection rules;未收到並驗收 response 前,不得把 owner attestation 視為完成。 +2026-05-17 S4.9 追加,2026-05-18 補 request packet、template status ledger、audit event templates 與 collection checks:Gitea queue item 仍維持同一筆,新增 owner response request packet、template status ledger、audit event templates、collection checks 與收件包作為 S4.7 的填寫提示與驗收格式。AwoooP 可顯示 1 個 request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、5 個 response templates、6 個 intake preflight checks、5 個 outcome lanes、8 個 acceptance checks 與 10 個 rejection rules;未收到並驗收 response 前,不得把 owner attestation 視為完成。 diff --git a/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md b/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md index d1440eb3f..bca523d89 100644 --- a/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md +++ b/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md @@ -71,4 +71,4 @@ S3.2 只補上「讓人好審」的封包,不提高資安阻力。 2026-05-17 S4.8 追加:Gitea review packet 會顯示 S4.7 的 5 個 owner attestation items、`received_attestation_count=0` 與 `accepted_attestation_count=0`。這讓 reviewer 先判斷 coverage gap 與 scope decision,不會把 read-only inventory approval 誤解成 repo migration 或 GitHub primary approval。 -2026-05-17 S4.9 追加,2026-05-18 補 request packet、template status ledger 與 collection checks:Gitea review packet 會顯示 S4.9 的 1 個 owner response request packet、5 個 template statuses、6 個 collection checks、5 個 owner response templates、6 個 intake preflight checks、5 個 outcome lanes、`received_response_count=0`、8 個 acceptance checks 與 10 個 rejection rules。reviewer 應先確認 request packet 只要求脫敏回覆,template statuses 仍逐項 waiting,collection checks 沒有把 request sent 誤判成 received / accepted,再看 response 是否可審、需補證、需隔離、需拒收或仍需等待,最後才看 read-only inventory gate;review packet 仍不代表批准,也不授權執行。 +2026-05-17 S4.9 追加,2026-05-18 補 request packet、template status ledger、audit event templates 與 collection checks:Gitea review packet 會顯示 S4.9 的 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、5 個 owner response templates、6 個 intake preflight checks、5 個 outcome lanes、`received_response_count=0`、8 個 acceptance checks 與 10 個 rejection rules。reviewer 應先確認 request packet 只要求脫敏回覆,template statuses 仍逐項 waiting,audit event templates 仍為 template-only 且不保存 raw payload,collection checks 沒有把 request sent 誤判成 received / accepted,再看 response 是否可審、需補證、需隔離、需拒收或仍需等待,最後才看 read-only inventory gate;review packet 仍不代表批准,也不授權執行。 diff --git a/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md b/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md index 52235938a..9c049b50f 100644 --- a/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md +++ b/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md @@ -64,4 +64,4 @@ S3.4 是「批准後仍不能直接做事」的保險絲。 2026-05-17 S4.8 追加:Gitea follow-up runtime gate 已要求 S4.7 owner coverage attestation 先完成。即使未來 read-only inventory 被批准,仍要先看 public-only / local remote gap、org/user endpoint、110 adjacent source、canonical owner 與 legacy/inaccessible disposition 的 owner decision;未完成前不得執行 inventory。 -2026-05-17 S4.9 追加,2026-05-18 補 request packet、template status ledger 與 collection checks:Gitea follow-up runtime gate 已要求 AwoooP 先顯示 S4.9 owner response request packet 與五個 template statuses,並用 collection checks 確認收件流程只記錄 metadata、不保存敏感值、不把 request sent 當成 accepted;owner response 通過 preflight、outcome lane 判定與基本驗收後,才可把 S4.7 owner scope decision 當成 read-only inventory 的前置 evidence。未收到或未驗收 owner response 前,不得執行 inventory,也不得標記 inventory complete。 +2026-05-17 S4.9 追加,2026-05-18 補 request packet、template status ledger、audit event templates 與 collection checks:Gitea follow-up runtime gate 已要求 AwoooP 先顯示 S4.9 owner response request packet 與五個 template statuses,並用 audit event templates / collection checks 確認收件流程只記錄 metadata、不保存敏感值、不把 request sent 當成 accepted;owner response 通過 preflight、outcome lane 判定與基本驗收後,才可把 S4.7 owner scope decision 當成 read-only inventory 的前置 evidence。未收到或未驗收 owner response 前,不得執行 inventory,也不得標記 inventory complete。 diff --git a/docs/security/SECURITY-MIRROR-DRY-RUN.md b/docs/security/SECURITY-MIRROR-DRY-RUN.md index 420b24e73..abe5f6d7e 100644 --- a/docs/security/SECURITY-MIRROR-DRY-RUN.md +++ b/docs/security/SECURITY-MIRROR-DRY-RUN.md @@ -24,7 +24,7 @@ | `CHECK_ROUTE_COVERAGE` | 確認 route groups 覆蓋所有 contracts | 不建立 fallback execution route | | `CHECK_ACCEPTANCE_AND_QUARANTINE` | 確認驗收與隔離只處理 mirror payload | 不阻擋 runtime | | `CHECK_PROGRESS_GUARD` | 確認 58% 進度估算只作狀態顯示 | 不把進度當 approval 或 runtime authorization | -| `CHECK_OWNER_RESPONSE_GUARD` | 確認四包 owner response 仍未收到 / 接受,且 S4.9 request packet / template status ledger / collection checks / preflight / outcome lanes 只提示 owner、逐項顯示 waiting、維持收件狀態分離、分類可審、補證、隔離、拒收或等待 | 不把 guard pass 當成 repo、refs、workflow、secret、runner、primary 或 runtime 授權 | +| `CHECK_OWNER_RESPONSE_GUARD` | 確認四包 owner response 仍未收到 / 接受,且 S4.9 request packet / template status ledger / audit event templates / collection checks / preflight / outcome lanes 只提示 owner、逐項顯示 waiting、只定義 0 emitted 的 metadata audit 模板、維持收件狀態分離、分類可審、補證、隔離、拒收或等待 | 不把 guard pass 當成 repo、refs、workflow、secret、runner、primary、audit production ingestion 或 runtime 授權 | | `CHECK_LOW_NOISE_CHANNEL` | 確認 Channel Event 低噪音 | 不對 LOW / MEDIUM 洗版 | | `CONFIRM_NO_RUNTIME_ACTION` | 確認 dry-run 沒有任何 runtime action | 不掃描、不 deploy、不 sync refs | diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md index c39006071..a2f6ab006 100644 --- a/docs/security/SECURITY-MIRROR-READINESS.md +++ b/docs/security/SECURITY-MIRROR-READINESS.md @@ -35,7 +35,7 @@ | Contract | 狀態 | 原因 | 下一步 | |----------|------|------|--------| | `security_finding_v1` | `partial_ready` | 目前只有 Kali sample snapshot,runtime ingestion 尚未啟用 | 先 review `kali-finding-runtime-ingestion-approval-20260513` | -| `gitea_repo_inventory_v1` | `partial_ready` | 目前只有 public-only / blocked endpoint evidence;S4.5 已補認證清冊匯出請求,S4.6 已補匯入驗收契約,S4.7 已補 owner coverage attestation,S4.9 已補 owner response request packet、5 個 template statuses、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆 | 先依 S4.9 request packet 要求 owner 回覆,並用 template status ledger / collection checks 維持 request / received / accepted 分離,再驗收 S4.7 owner response;之後依 S4.5 請求取得脫敏清冊並用 S4.6 驗收 / 拒收 / 隔離;不保存 token value | +| `gitea_repo_inventory_v1` | `partial_ready` | 目前只有 public-only / blocked endpoint evidence;S4.5 已補認證清冊匯出請求,S4.6 已補匯入驗收契約,S4.7 已補 owner coverage attestation,S4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆 | 先依 S4.9 request packet 要求 owner 回覆,並用 template status ledger / audit event templates / collection checks 維持 request / received / accepted 分離,再驗收 S4.7 owner response;之後依 S4.5 請求取得脫敏清冊並用 S4.6 驗收 / 拒收 / 隔離;不保存 token value | | `coding_task_v1` | `contract_only` | 已有 schema 與 handoff prompt,尚無正式 coding task snapshot | 等 code review 產生實際 task 後再 mirror | ## 2. AwoooP 鏡像目的地 @@ -82,7 +82,7 @@ AwoooP 可以將 ready / partial contracts mirror 到: 14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement。 15. 再 mirror `source_control_primary_readiness_gate_v1`,只顯示 GitHub primary parity、owner、rollback 與人工批准缺口。 16. 再 mirror `source_control_primary_rollback_adr_v1`,只顯示 7 個 in-scope repo 的 rollback ADR 草案、validation window 與 owner review;不執行 rollback、不切 primary。 -17. 再 mirror `gitea_repo_inventory_v1`、S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / 收件包,只顯示未認證公開範圍 / 本機 evidence 覆蓋缺口、只讀 / 管理脫敏匯出選項、payload 驗收 / 拒收 / 隔離規則、5 個 owner scope decision items、request packet、template status ledger、collection checks、response templates、intake preflight checks 與 outcome lanes;不保存 token value、不寫 Gitea、不 sync refs。 +17. 再 mirror `gitea_repo_inventory_v1`、S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / 收件包,只顯示未認證公開範圍 / 本機 evidence 覆蓋缺口、只讀 / 管理脫敏匯出選項、payload 驗收 / 拒收 / 隔離規則、5 個 owner scope decision items、request packet、template status ledger、audit event templates、collection checks、response templates、intake preflight checks 與 outcome lanes;不保存 token value、不寫 Gitea、不 sync refs。 18. 再 mirror `source_control_workflow_secret_name_inventory_v1`、S4.2 local evidence 與 S4.3 redacted export request,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names,export request 有 7 個 repos、5 類 lanes,不保存 secret value。 19. 再 mirror `kali_integration_status_v1` 與 `kali_scan_scope_approval_v1`。 20. 最後再 mirror source-control 其他 contracts。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 71d2168f2..cc548e90e 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -30,7 +30,7 @@ | Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates | | GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response 收件包,7 個 response templates、owner response 0 筆;S4.11 已補 refs truth owner response 收件包,5 個 response templates、owner response 0 筆;S4.12 已補 workflow / secret 名稱 owner response 收件包,5 個 response templates、owner response 0 筆;S4.13 已補四包 owner response validation rollup,22 個 templates、received / accepted / rejected 皆為 0 | | GitHub primary rollback ADR | S4.4 已建立;7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover | -| Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;S4.7 已補 owner coverage attestation;S4.8 已把既有 Gitea queue/gate/review packet/follow-up gate 對齊 attestation 先行;S4.9 已補 owner response request packet、5 個 template statuses、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、owner response 0 筆、敏感 payload 必須隔離、允許收集 token value=false | +| Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;S4.7 已補 owner coverage attestation;S4.8 已把既有 Gitea queue/gate/review packet/follow-up gate 對齊 attestation 先行;S4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、owner response 0 筆、audit events emitted 0 筆、敏感 payload 必須隔離、允許收集 token value=false | | Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;S4.12 補 5 個 owner response templates;0 個 inventory complete、禁止收集 secret value、禁止 write token | | Owner response validation | S4.13 已建立;四包 owner response 目前 received/accepted 皆為 0;4 條 missing response lanes、4 步 collection order 與 next collection candidate 可供 AwoooP 直接顯示;下一個建議收件為 S4.9 Gitea owner attestation;latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`,不代表 owner response 已收到或任何執行授權 | | Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion | diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md index d6b921714..fe14e30b3 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md @@ -39,7 +39,7 @@ | `security_mirror_status_rollup_v1` | mirror-only | AwoooP / Security Supply Chain 跨 Session 狀態總覽;S4.13 owner response validation rollup 與 next collection candidate | `security-mirror-status-rollup.snapshot.json` / `source-control-owner-response-validation-rollup.snapshot.json` | | `coding_task_v1` | suggest-only | Code Review 接 Codex patch-only | 無正式 snapshot | | `source_control_migration_event_v1` | mirror-only | Gitea/GitHub refs 差異 | `gitea-github-awoooi`、`clawbot-v5`、`wooo-aiops` | -| `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory;S4.5 已補認證清冊匯出請求,S4.6 已補匯入驗收契約,S4.7 已補 owner coverage attestation,S4.9 已補 owner response request packet、template status ledger、collection checks、owner response 收件包、intake preflight checks 與 outcome lanes | public-only / blocked endpoint / S4.5 export request / S4.6 import acceptance / S4.7 coverage attestation / S4.9 response snapshots | +| `gitea_repo_inventory_v1` | mirror-only | Gitea repo inventory;S4.5 已補認證清冊匯出請求,S4.6 已補匯入驗收契約,S4.7 已補 owner coverage attestation,S4.9 已補 owner response request packet、template status ledger、audit event templates、collection checks、owner response 收件包、intake preflight checks 與 outcome lanes | public-only / blocked endpoint / S4.5 export request / S4.6 import acceptance / S4.7 coverage attestation / S4.9 response snapshots | | `local_git_remote_inventory_v1` | mirror-only | 本機 remote coverage | `local-git-remote-inventory.snapshot.json` | | `github_target_probe_v1` | mirror-only | GitHub target visibility | `github-target-probe.snapshot.json` | | `github_target_decision_v1` | mirror-only | GitHub target 決策;S4.10 已補 owner decision response 收件包 | `github-target-decision.snapshot.json` / `github-target-owner-decision-response.snapshot.json` | @@ -62,7 +62,7 @@ 3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。 4. 讀到 `source-control-ref-truth-owner-response.snapshot.json` 時,只顯示 S4.11 response templates、acceptance checks 與 rejection rules;不得新增 refs action。 5. 讀到 `source-control-owner-response-validation-rollup.snapshot.json` 時,只顯示 S4.9/S4.10/S4.11/S4.12 四個 response packets 的總覽:22 個 templates、received / accepted / rejected 皆為 0、cross-packet checks 10 個;不得把 rollup 當成 approval 或 execution authorization。 -6. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`github_target_decision_v1` 只能顯示 S4.10 owner decision response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 repo creation、visibility change、refs sync 或 primary switch;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response request packet、template status ledger、collection checks、owner response 收件包、intake preflight checks、outcome lanes 與覆蓋缺口,不得觸發 token collection 或 Gitea write。 +6. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`github_target_decision_v1` 只能顯示 S4.10 owner decision response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 repo creation、visibility change、refs sync 或 primary switch;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response request packet、template status ledger、audit event templates、collection checks、owner response 收件包、intake preflight checks、outcome lanes 與覆蓋缺口,不得觸發 token collection 或 Gitea write。 7. 不新增執行按鈕,不做 runtime enforcement。 ## 3. 永久禁止 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index d84b37b3d..e92aed1c6 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -65,7 +65,7 @@ python3 scripts/security/security-mirror-progress-guard.py | S4.6 Gitea 認證清冊匯入驗收契約 | 完成草案 | 已建立匯入驗收 schema / snapshot / 人讀版;目前 received payload 0、accepted 0、rejected 0;定義 10 個驗收檢查、10 個拒收規則與 4 個 quarantine lanes | owner 提供脫敏 payload 後先驗收 / 拒收 / 隔離;仍不可把驗收當 primary approval | | S4.7 Gitea 清冊覆蓋 Owner Attestation | 完成草案 | 已建立 coverage attestation schema / snapshot / 人讀版;5 個 owner decision items、received attestation 0、accepted 0、execution authorized=false | owner 判定 public-only / local remote gap、org/user endpoint、110 adjacent source、canonical owner 與 legacy/inaccessible disposition;仍不可把 attestation 當 migration approval | | S4.8 Gitea Owner Attestation Approval Lane 對齊 | 完成草案 | 已將既有 Gitea approval queue / gate / review packet / follow-up runtime gate 對齊 S4.7 先行條件;queue items 維持 8、review packets 維持 8、active runtime gates 維持 0 | AwoooP 先顯示 5 個 attestation items,owner decision 接受前不得執行 read-only inventory 或標記 complete | -| S4.9 Gitea Owner Attestation Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;1 個 owner response request packet、5 個 template statuses、6 個 collection checks、5 個 response templates、6 個 intake preflight checks、5 個 outcome lanes、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依 request packet 與模板回覆 S4.7 五個 items;AwoooP 先用 template status ledger / collection checks 維持 request / received / accepted 分離,再用 preflight / outcome lanes 判斷可審、補證、隔離、拒收或等待;response 通過只更新 read-only matrix / decision table / readiness gate,不代表 inventory 執行或 primary approval | +| S4.9 Gitea Owner Attestation Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、5 個 response templates、6 個 intake preflight checks、5 個 outcome lanes、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依 request packet 與模板回覆 S4.7 五個 items;AwoooP 先用 template status ledger / audit event templates / collection checks 維持 request / received / accepted 分離,再用 preflight / outcome lanes 判斷可審、補證、隔離、拒收或等待;response 通過只更新 read-only matrix / decision table / readiness gate,不代表 inventory 執行、audit production ingestion 或 primary approval | | S4.10 GitHub Target Owner Decision Response 收件包 | 完成草案 | 已建立 owner decision response schema / snapshot / 人讀版;7 個 response templates、8 個 acceptance checks、10 個 rejection rules、received response 0、accepted 0、execution authorized=false | owner 依模板回覆 7 個 GitHub target 的 owner / visibility / canonical;response 通過只更新 read-only decision table / approval package / approval board / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval | | S4.11 Source Control Ref Truth Owner Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;5 個 response templates、8 個 acceptance checks、10 個 rejection rules、total ref review items 141、received response 0、accepted 0、execution authorized=false | owner 依模板回覆 main/dev truth、deprecated drift、release tag、GitHub-only refs;response 通過只更新 read-only classification / reconcile / readiness wording,不代表 refs sync、delete、force push 或 primary approval | | S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證,rollback ADR 仍待 owner approval | SHA/tag/workflow parity、rollback ADR owner approval 與 runtime gate | @@ -188,6 +188,6 @@ python3 scripts/security/security-mirror-progress-guard.py 5. 依 S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md` 集中檢查 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets;rollup 通過也只更新 read-only wording,不代表 approval 或 execution authorization。 6. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。 7. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。 -8. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、S4.13 `source_control_owner_response_validation_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / template status ledger / collection checks / 收件包,GitHub target 決策需同時顯示 S4.10 owner decision response templates,refs truth 需同時顯示 S4.11 owner response templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request 與 S4.12 owner response templates,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 +8. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、S4.13 `source_control_owner_response_validation_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / template status ledger / audit event templates / collection checks / 收件包,GitHub target 決策需同時顯示 S4.10 owner decision response templates,refs truth 需同時顯示 S4.11 owner response templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request 與 S4.12 owner response templates,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 9. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 -10. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response request packet、S4.9 owner response template status ledger、S4.9 owner response collection checks、S4.9 owner response templates、S4.10 GitHub target owner response templates、S4.11 refs truth owner response templates、S4.12 workflow / secret 名稱 owner response templates、S4.13 owner response validation rollup、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 +10. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response request packet、S4.9 owner response template status ledger、S4.9 owner response audit event templates、S4.9 owner response collection checks、S4.9 owner response templates、S4.10 GitHub target owner response templates、S4.11 refs truth owner response templates、S4.12 workflow / secret 名稱 owner response templates、S4.13 owner response validation rollup、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 diff --git a/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md b/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md index b1baa2853..4c7409118 100644 --- a/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md +++ b/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md @@ -92,7 +92,7 @@ S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runt `next_collection_candidate` 只讓 AwoooP Operator Console 顯示「現在先收 S4.9」。它不是批准、不是執行排程,也不是後續 S4.10 / S4.11 / S4.12 已可接受的訊號。 -AwoooP 顯示 S4.9 時,應同步讀取 `gitea-inventory-owner-attestation-response.snapshot.json` 的 1 個 owner response request packet、5 個 template statuses、6 個 collection checks、6 個 intake preflight checks 與 5 個 outcome lanes;request packet 只提示 owner 要填什麼與不得貼什麼,template statuses 只逐項顯示 waiting / request ready,collection checks 只維持 request / received / accepted 狀態分離,preflight / outcome 只分類可審、補證、隔離、拒收或等待,不代表 owner response accepted。 +AwoooP 顯示 S4.9 時,應同步讀取 `gitea-inventory-owner-attestation-response.snapshot.json` 的 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、6 個 intake preflight checks 與 5 個 outcome lanes;request packet 只提示 owner 要填什麼與不得貼什麼,template statuses 只逐項顯示 waiting / request ready,audit event templates 只定義 request shown / response received metadata / outcome classified 的脫敏 metadata 欄位且目前 0 emitted,collection checks 只維持 request / received / accepted 狀態分離,preflight / outcome 只分類可審、補證、隔離、拒收或等待,不代表 owner response accepted 或 AwoooP production ingestion 已啟用。 ## 3. Cross-Packet 驗收規則 diff --git a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md index b3b1f2e19..7821a4e42 100644 --- a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md +++ b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md @@ -37,7 +37,7 @@ | Gate | 目前狀態 | 說明 | |------|----------|------| -| Gitea authenticated inventory | blocked | private/internal 全量 repo list 尚未完成;S4.9 owner response request packet、template status ledger 與 collection checks 已可顯示,但 S4.7 owner coverage attestation response 仍未收到;S4.13 已集中顯示四包 owner response validation,但 total accepted response 仍為 0 | +| Gitea authenticated inventory | blocked | private/internal 全量 repo list 尚未完成;S4.9 owner response request packet、template status ledger、audit event templates 與 collection checks 已可顯示,但 S4.7 owner coverage attestation response 仍未收到,audit events emitted 仍為 0;S4.13 已集中顯示四包 owner response validation,但 total accepted response 仍為 0 | | refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift;S4.11 已補 refs truth owner response 收件包,received / accepted response 皆為 0 | | workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;S4.12 已補 owner response 收件包,received / accepted response 皆為 0;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot | | owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策;S4.10 已補 owner response 收件包,received / accepted response 皆為 0 | @@ -48,7 +48,7 @@ 1. 顯示每個 repo 的 readiness state、blockers 與 evidence refs。 2. 顯示 `primary_ready_count=0`。 3. 將 7 個 in-scope repos 維持在 approval / review lane。 -4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response request packet / template status ledger / collection checks / owner response、S4.10 GitHub target owner response、S4.11 refs truth owner response、S4.12 workflow / secret name owner response、S4.13 validation rollup、workflow/runner/secret name inventory、rollback ADR。 +4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response request packet / template status ledger / audit event templates / collection checks / owner response、S4.10 GitHub target owner response、S4.11 refs truth owner response、S4.12 workflow / secret name owner response、S4.13 validation rollup、workflow/runner/secret name inventory、rollback ADR。 5. 連到 S4.10 `github_target_owner_decision_response_v1` 顯示 7 個 owner decision response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。 6. 連到 S4.11 `source_control_ref_truth_owner_response_v1` 顯示 5 個 refs owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。 7. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。 @@ -71,6 +71,6 @@ S4.0 只是把「切換前一定要看見什麼」先定義清楚。 -S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response request packet、template status ledger、collection checks、收件包、preflight 與 outcome lanes,S4.10 已補上 GitHub target owner decision response 收件包,S4.11 已補上 refs truth owner response 收件包,S4.12 已補上 workflow / secret 名稱 owner response 收件包,S4.13 已補上四包 owner response validation rollup;它們只是 scope decision、response 收件提示與驗收框架,不是 migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval、secret value collection approval、workflow modification approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 +S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response request packet、template status ledger、audit event templates、collection checks、收件包、preflight 與 outcome lanes,S4.10 已補上 GitHub target owner decision response 收件包,S4.11 已補上 refs truth owner response 收件包,S4.12 已補上 workflow / secret 名稱 owner response 收件包,S4.13 已補上四包 owner response validation rollup;它們只是 scope decision、response 收件提示、metadata audit template 與驗收框架,不是 audit production ingestion、migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval、secret value collection approval、workflow modification approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 這讓長期回到 GitHub 的方向可以繼續往前,但仍維持低摩擦:目前只 mirror、只顯示、只留痕,不執行。 diff --git a/docs/security/gitea-inventory-owner-attestation-response.snapshot.json b/docs/security/gitea-inventory-owner-attestation-response.snapshot.json index aaa2b38b2..692723fe9 100644 --- a/docs/security/gitea-inventory-owner-attestation-response.snapshot.json +++ b/docs/security/gitea-inventory-owner-attestation-response.snapshot.json @@ -23,6 +23,7 @@ "rejected_response_count": 0, "response_template_count": 5, "owner_response_template_status_count": 5, + "owner_response_audit_event_template_count": 3, "owner_response_request_packet_count": 1, "owner_response_collection_check_count": 6, "intake_preflight_check_count": 6, @@ -360,6 +361,106 @@ ] } ], + "owner_response_audit_event_templates": [ + { + "event_template_id": "audit-owner-response-request-shown", + "display_order": 1, + "event_status": "template_only_not_emitted", + "trigger": "AwoooP 顯示 S4.9 owner response request packet 時。", + "purpose": "只記錄 request packet 已可顯示或已顯示的 metadata,不代表 owner response 已收到。", + "allowed_metadata_fields": [ + "event_template_id", + "request_id", + "requested_template_ids", + "target_contract", + "displayed_by_role", + "displayed_at_taipei", + "source_document_ref" + ], + "forbidden_payloads": [ + "owner_response_raw_body", + "token_value", + "secret_value", + "private_key", + "cookie_or_session", + "db_dump", + "git_object_pack", + "repo_archive", + "execution_request_payload" + ], + "emitted_event_count": 0, + "stored_raw_payload_allowed": false, + "awooop_display_mode": "display_audit_template_only", + "execution_authorized": false, + "not_approval": true + }, + { + "event_template_id": "audit-owner-response-received-metadata", + "display_order": 2, + "event_status": "template_only_not_emitted", + "trigger": "Owner 提供 S4.9 response metadata pointer 時。", + "purpose": "只記錄 response 已收到的脫敏 metadata pointer;不得保存 response 原文或敏感 payload。", + "allowed_metadata_fields": [ + "event_template_id", + "template_id", + "attestation_item_id", + "owner_role_or_team", + "received_at_taipei", + "redacted_evidence_refs", + "source_document_ref" + ], + "forbidden_payloads": [ + "owner_response_raw_body", + "token_value", + "secret_value", + "private_key", + "cookie_or_session", + "private_clone_url_credential", + "db_dump", + "git_object_pack", + "repo_archive", + "execution_request_payload" + ], + "emitted_event_count": 0, + "stored_raw_payload_allowed": false, + "awooop_display_mode": "display_audit_template_only", + "execution_authorized": false, + "not_approval": true + }, + { + "event_template_id": "audit-owner-response-outcome-classified", + "display_order": 3, + "event_status": "template_only_not_emitted", + "trigger": "AwoooP 依 collection checks、preflight checks 與 outcome lanes 分類 S4.9 response 時。", + "purpose": "只記錄分類結果與下一步提示;不得把 outcome lane 當成 approval 或 execution authorization。", + "allowed_metadata_fields": [ + "event_template_id", + "template_id", + "collection_status", + "latest_outcome_lane", + "next_owner_action", + "classified_at_taipei", + "classified_by_role" + ], + "forbidden_payloads": [ + "owner_response_raw_body", + "token_value", + "secret_value", + "private_key", + "cookie_or_session", + "db_dump", + "git_object_pack", + "repo_archive", + "repo_or_refs_execution_request", + "workflow_secret_runner_execution_request" + ], + "emitted_event_count": 0, + "stored_raw_payload_allowed": false, + "awooop_display_mode": "display_audit_template_only", + "execution_authorized": false, + "not_approval": true + } + ], "owner_response_request_packet": { "request_id": "s4_9_gitea_owner_attestation_response_request", "display_status": "ready_to_request_owner_response", diff --git a/docs/security/security-approval-gate.snapshot.json b/docs/security/security-approval-gate.snapshot.json index f68bd160c..9c20121dc 100644 --- a/docs/security/security-approval-gate.snapshot.json +++ b/docs/security/security-approval-gate.snapshot.json @@ -98,7 +98,7 @@ ], "decision_options": ["approve_scope", "reject", "defer", "request_more_evidence"], "allowed_after_approval": [ - "先依 S4.9 request packet 要求 owner 回覆,用 template status ledger / collection checks 維持 request / received / accepted 分離,並完成 preflight / outcome lane 判定 / 驗收 S4.7 owner coverage attestation response,保留 scope decision evidence", + "先依 S4.9 request packet 要求 owner 回覆,用 template status ledger / audit event templates / collection checks 維持 request / received / accepted 分離,並完成 preflight / outcome lane 判定 / 驗收 S4.7 owner coverage attestation response,保留 scope decision evidence", "使用 read-only token 或 redacted admin export 補齊 repo list", "只保存 token_present=true/false", "更新 migration matrix 與 repo decision table" @@ -108,7 +108,7 @@ "使用 write-capable token", "未完成 S4.7 owner attestation 就標記 inventory complete", "把 owner attestation 當成 repo migration 或 primary cutover approval", - "把 S4.9 owner response request packet、template status ledger 或 response packet 當成 inventory 執行授權", + "把 S4.9 owner response request packet、template status ledger、audit event templates 或 response packet 當成 inventory 執行授權", "建立 GitHub repo", "sync refs", "切 GitHub primary" diff --git a/docs/security/security-approval-queue.snapshot.json b/docs/security/security-approval-queue.snapshot.json index 5dc9cb918..88c5a3677 100644 --- a/docs/security/security-approval-queue.snapshot.json +++ b/docs/security/security-approval-queue.snapshot.json @@ -82,7 +82,7 @@ "risk": "MEDIUM", "state": "pending_approval", "recommended_awooop_mode": "approve_required", - "requested_decision": "是否先要求 owner 依 S4.9 owner response request packet / template status ledger / response 收件包完成 S4.7 coverage attestation,並在 scope decision 被接受後,批准使用 read-only token 或 redacted admin export 補齊 Gitea private/internal 全量 repo list。", + "requested_decision": "是否先要求 owner 依 S4.9 owner response request packet / template status ledger / audit event templates / response 收件包完成 S4.7 coverage attestation,並在 scope decision 被接受後,批准使用 read-only token 或 redacted admin export 補齊 Gitea private/internal 全量 repo list。", "blocked_until_approved": true, "required_reviewers": [ "migration-engineer", @@ -101,7 +101,7 @@ "docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md" ], "allowed_after_approval": [ - "先依 S4.9 request packet 要求 owner 回覆,用 template status ledger / collection checks 維持 request / received / accepted 分離,並完成 preflight / outcome lane 判定 / 驗收 S4.7 owner coverage attestation response,更新 migration matrix 與 decision table", + "先依 S4.9 request packet 要求 owner 回覆,用 template status ledger / audit event templates / collection checks 維持 request / received / accepted 分離,並完成 preflight / outcome lane 判定 / 驗收 S4.7 owner coverage attestation response,更新 migration matrix 與 decision table", "使用 read-only token 或 redacted admin export 執行一次 inventory", "只保存 token_present=true/false", "更新 migration matrix 與 repo decision table" @@ -111,7 +111,7 @@ "使用 write-capable token", "未完成 S4.7 owner attestation 就標記 inventory complete", "把 S4.7 owner attestation 當成 repo migration approval", - "把 S4.9 owner response request packet、template status ledger 或 response packet 當成 inventory 執行授權", + "把 S4.9 owner response request packet、template status ledger、audit event templates 或 response packet 當成 inventory 執行授權", "建立 GitHub repo", "sync refs", "切 GitHub primary" diff --git a/docs/security/security-approval-review-packet.snapshot.json b/docs/security/security-approval-review-packet.snapshot.json index c0761f7e4..f0e0f953c 100644 --- a/docs/security/security-approval-review-packet.snapshot.json +++ b/docs/security/security-approval-review-packet.snapshot.json @@ -106,7 +106,7 @@ "risk": "MEDIUM", "review_state": "ready_for_human_review", "review_lane": "read_only_inventory_review", - "requested_decision": "是否先要求 owner 依 S4.9 owner response request packet / template status ledger / response 收件包完成 S4.7 coverage attestation,並在 scope decision 被接受後,才允許 read-only token 或 redacted admin export 補齊 Gitea private/internal 全量 repo list。", + "requested_decision": "是否先要求 owner 依 S4.9 owner response request packet / template status ledger / audit event templates / response 收件包完成 S4.7 coverage attestation,並在 scope decision 被接受後,才允許 read-only token 或 redacted admin export 補齊 Gitea private/internal 全量 repo list。", "required_reviewers": [ "migration-engineer", "security-commander", @@ -127,12 +127,12 @@ "allowed_pre_decision_actions": [ "顯示 public-only 與 blocked endpoint evidence", "顯示 S4.7 的 5 個 owner attestation items 與 received_attestation_count=0", - "顯示 S4.9 的 1 個 owner response request packet、5 個 template statuses、6 個 collection checks、5 個 owner response templates、6 個 intake preflight checks、5 個 outcome lanes、received_response_count=0 與 rejection rules", + "顯示 S4.9 的 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、5 個 owner response templates、6 個 intake preflight checks、5 個 outcome lanes、received_response_count=0、audit_events_emitted=0 與 rejection rules", "要求 owner 確認 read-only token 或 redacted export 來源", "不保存 token value" ], "allowed_after_decision_actions": [ - "若 approve_scope,先依 S4.9 request packet 要求 owner 回覆,用 template status ledger / collection checks 維持 request / received / accepted 分離,並完成 preflight / outcome lane 判定 / 驗收 S4.7 owner response,再更新 attestation evidence 與 scope decision", + "若 approve_scope,先依 S4.9 request packet 要求 owner 回覆,用 template status ledger / audit event templates / collection checks 維持 request / received / accepted 分離,並完成 preflight / outcome lane 判定 / 驗收 S4.7 owner response,再更新 attestation evidence 與 scope decision", "若 approve_scope,只能做一次 read-only inventory 或匯入 redacted export", "更新 migration matrix 與 repo decision table" ], @@ -141,7 +141,7 @@ "使用 write-capable token", "未完成 owner attestation 就標記 inventory complete", "把 owner attestation 當成 repo migration 或 primary approval", - "把 S4.9 owner response request packet、template status ledger 或 response packet 當成 inventory 執行授權", + "把 S4.9 owner response request packet、template status ledger、audit event templates 或 response packet 當成 inventory 執行授權", "建立 GitHub repo", "sync refs", "切 GitHub primary" diff --git a/docs/security/security-followup-runtime-gate.snapshot.json b/docs/security/security-followup-runtime-gate.snapshot.json index 8a3fd2369..923a1b7d3 100644 --- a/docs/security/security-followup-runtime-gate.snapshot.json +++ b/docs/security/security-followup-runtime-gate.snapshot.json @@ -112,7 +112,7 @@ "gate_state": "waiting_approved_scope", "applies_after_decision": "approve_scope", "minimum_required_evidence": [ - "S4.9 owner response request packet 已顯示,template status ledger 與 collection checks 已確認 request / received / accepted 分離,owner response 已完成 intake preflight、outcome lane 判定與驗收,且 S4.7 owner coverage attestation 的 5 個 items 都有 scope decision", + "S4.9 owner response request packet 已顯示,template status ledger、audit event templates 與 collection checks 已確認 request / received / accepted 分離,audit events emitted=0,owner response 已完成 intake preflight、outcome lane 判定與驗收,且 S4.7 owner coverage attestation 的 5 個 items 都有 scope decision", "read-only token scope 或 redacted admin export 來源", "token_present=true/false,不保存 token value", "allowed export fields checklist", @@ -140,7 +140,7 @@ "rollback_or_disable_requirement": "read-only token 必須可撤銷;admin export 必須可刪除本地暫存原檔,只保留 redacted snapshot。", "still_forbidden": [ "未完成 S4.7 owner attestation 就執行 inventory", - "未完成 S4.9 owner response request packet 顯示、template status ledger、collection checks 與 owner response 驗收就執行 inventory", + "未完成 S4.9 owner response request packet 顯示、template status ledger、audit event templates、collection checks 與 owner response 驗收就執行 inventory", "使用 write-capable token", "建立 GitHub repo", "sync refs", diff --git a/docs/security/security-mirror-dry-run.snapshot.json b/docs/security/security-mirror-dry-run.snapshot.json index 6aaaf6920..b3048ac5c 100644 --- a/docs/security/security-mirror-dry-run.snapshot.json +++ b/docs/security/security-mirror-dry-run.snapshot.json @@ -107,7 +107,7 @@ }, { "step_id": "CHECK_OWNER_RESPONSE_GUARD", - "expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_response,received / accepted 皆為 0,且 S4.9 owner response request packet / template status ledger / collection checks / intake preflight / outcome lanes 只提示 owner、逐項顯示 waiting / request ready、維持 request / received / accepted 分離、分類可審、補證、隔離、拒收或等待,不能解鎖 repo、refs、workflow、secret、runner、GitHub primary 或 runtime action。", + "expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_response,received / accepted 皆為 0,且 S4.9 owner response request packet / template status ledger / audit event templates / collection checks / intake preflight / outcome lanes 只提示 owner、逐項顯示 waiting / request ready、只定義 0 emitted 的脫敏 metadata audit 模板、維持 request / received / accepted 分離、分類可審、補證、隔離、拒收或等待,不能解鎖 repo、refs、workflow、secret、runner、GitHub primary、audit production ingestion 或 runtime action。", "evidence_refs": [ "docs/security/source-control-owner-response-validation-rollup.snapshot.json", "docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md", diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json index c91973cb4..67b36ab04 100644 --- a/docs/security/security-mirror-readiness.snapshot.json +++ b/docs/security/security-mirror-readiness.snapshot.json @@ -251,7 +251,7 @@ "docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md", "docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md" ], - "notes": "目前仍是 public-only / blocked endpoint evidence;S4.5 已補 authenticated/admin export request,S4.6 已補 redacted import acceptance,S4.7 已補 owner coverage attestation request,S4.9 已補 owner response request packet、5 個 template statuses、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;private/internal 全量需 approval、脫敏 payload 驗收與 owner scope decision。" + "notes": "目前仍是 public-only / blocked endpoint evidence;S4.5 已補 authenticated/admin export request,S4.6 已補 redacted import acceptance,S4.7 已補 owner coverage attestation request,S4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;private/internal 全量需 approval、脫敏 payload 驗收與 owner scope decision,audit templates 仍為 0 emitted。" }, { "contract": "local_git_remote_inventory_v1", diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index dc653a7d3..73f523be2 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -143,8 +143,8 @@ { "phase_id": "S4_migration_execution", "state": "not_started", - "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response intake packet;S4.11 已補 refs truth owner response intake packet;S4.12 已補 workflow / secret 名稱 owner response intake packet;S4.13 已補四包 owner response validation rollup,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,GitHub target / refs truth / workflow-secret response 仍 0 筆。", - "next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 收到並驗收 5 個 refs truth owner response templates、依 S4.12 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。" + "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response intake packet;S4.11 已補 refs truth owner response intake packet;S4.12 已補 workflow / secret 名稱 owner response intake packet;S4.13 已補四包 owner response validation rollup,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,S4.9 audit events emitted 仍 0 筆,GitHub target / refs truth / workflow-secret response 仍 0 筆。", + "next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 收到並驗收 5 個 refs truth owner response templates、依 S4.12 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。" } ], "next_safe_actions": [ @@ -254,7 +254,7 @@ "allowed_processing": [ "顯示 S4.5 authenticated/admin export request、S4.6 redacted import acceptance、S4.7 owner coverage attestation request 與 coverage gap", "顯示 5 個 owner attestation items、received_attestation_count=0 與 accepted_attestation_count=0", - "顯示 S4.9 owner response request packet、template status ledger、collection checks、owner response templates、intake preflight checks、outcome lanes、received_response_count=0 與 rejection rules", + "顯示 S4.9 owner response request packet、template status ledger、audit event templates、collection checks、owner response templates、intake preflight checks、outcome lanes、received_response_count=0、audit_events_emitted=0 與 rejection rules", "在 security_approval_queue_v1、security_approval_gate_v1、security_approval_review_packet_v1 與 security_followup_runtime_gate_v1 中顯示 S4.7 owner attestation 先行條件", "使用 read-only token 或 redacted admin export 補齊 repo list", "收到 payload 後只做 schema / redaction / coverage gap 驗收與隔離", @@ -265,7 +265,7 @@ "保存 token value", "使用 write-capable token", "未完成 S4.7 owner attestation 就標記 inventory complete", - "把 S4.9 owner response request packet、template status ledger 或 response packet 當成 read-only inventory 已執行或 primary approval", + "把 S4.9 owner response request packet、template status ledger、audit event templates 或 response packet 當成 read-only inventory 已執行、audit production ingestion 或 primary approval", "把 S4.7 owner attestation request 當成 repo migration approval", "把 S4.6 payload 驗收當成 primary approval", "建立 GitHub repo 或 sync refs" @@ -397,7 +397,7 @@ "S4.6 只新增 Gitea redacted import acceptance;received_payload_count=0、accepted_payload_count=0,不匯入 DB dump/git object、不寫 Gitea、不切 primary。", "S4.7 只新增 Gitea owner coverage attestation request;required_attestation_item_count=5、received_attestation_count=0,不把 attestation 當 migration approval。", "S4.8 只把既有 Gitea approval queue/gate/review packet/follow-up gate 對齊 S4.7 先行條件;approval_queue_total 仍為 8、active_runtime_gates 仍為 0,不新增執行入口。", - "S4.9 只新增 Gitea owner attestation response request packet、template status ledger、collection checks 與 response 收件包;owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_collection_check_count=6、required_response_item_count=5、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、collection checks 或 response packet 當 inventory 執行或 primary approval。", + "S4.9 只新增 Gitea owner attestation response request packet、template status ledger、audit event templates、collection checks 與 response 收件包;owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_audit_event_template_count=3、owner_response_collection_check_count=6、required_response_item_count=5、received_response_count=0、accepted_response_count=0、audit_events_emitted=0,不把 request packet、template status ledger、audit event templates、collection checks 或 response packet 當 inventory 執行、audit production ingestion 或 primary approval。", "S4.10 只新增 GitHub target owner decision response 收件包;response_template_count=7、received_response_count=0、accepted_response_count=0,不把 response packet 當 repo creation、visibility change、refs sync 或 GitHub primary approval。", "S4.11 只新增 refs truth owner response 收件包;response_template_count=5、received_response_count=0、accepted_response_count=0,不把 response packet 當 refs sync、delete、force push 或 GitHub primary approval。", "S4.12 只新增 workflow / secret 名稱 owner response 收件包;response_template_count=5、received_response_count=0、accepted_response_count=0,不把 response packet 當 secret value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。", diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json index d1f4ae2fd..e62af139e 100644 --- a/docs/security/security-supply-chain-contract-manifest.snapshot.json +++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json @@ -405,10 +405,11 @@ "display_authenticated_inventory_export_request", "display_redacted_inventory_import_acceptance", "display_coverage_attestation_request", + "display_owner_response_audit_event_templates", "display_owner_attestation_response_packet" ], "forbidden_actions": ["store_token_value", "write_to_gitea", "delete_or_archive_repo"], - "notes": "目前是 partial/public_only;S4.5 已補 authenticated/admin export request,S4.6 已補 redacted import acceptance,S4.7 已補 owner coverage attestation request,S4.9 已補 owner response request packet、5 個 template statuses、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;private/internal 全量仍需批准後補齊。" + "notes": "目前是 partial/public_only;S4.5 已補 authenticated/admin export request,S4.6 已補 redacted import acceptance,S4.7 已補 owner coverage attestation request,S4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;private/internal 全量仍需批准後補齊,audit templates 仍為 0 emitted。" }, { "contract": "local_git_remote_inventory_v1", diff --git a/docs/security/source-control-owner-response-validation-rollup.snapshot.json b/docs/security/source-control-owner-response-validation-rollup.snapshot.json index 3715de2ee..9010bd818 100644 --- a/docs/security/source-control-owner-response-validation-rollup.snapshot.json +++ b/docs/security/source-control-owner-response-validation-rollup.snapshot.json @@ -256,7 +256,7 @@ "readiness_effects": [ { "effect_id": "gitea_owner_response_accepted", - "when_all_checks_pass": "S4.9 request packet 已顯示、template status ledger / collection checks 已確認 request / received / accepted 分離,且 5 個 response templates 全部接受;S4.6 redacted payload 仍需另外驗收。", + "when_all_checks_pass": "S4.9 request packet 已顯示、template status ledger / audit event templates / collection checks 已確認 request / received / accepted 分離,audit events emitted=0,且 5 個 response templates 全部接受;S4.6 redacted payload 仍需另外驗收。", "allowed_update": "只更新 Gitea coverage matrix、owner / canonical disposition 與 readiness wording;gitea_repo_inventory_v1 仍不得直接標記 ok。", "still_forbidden": [ "store_token_value", @@ -317,7 +317,7 @@ "received_response_count": 0, "accepted_response_count": 0, "current_status": "waiting_owner_response", - "next_owner_action": "Owner 需依 S4.9 owner response request packet 回覆 5 個 Gitea coverage attestation items;AwoooP 需用 template status ledger / collection checks 逐項追蹤,且只能引用脫敏 evidence refs。", + "next_owner_action": "Owner 需依 S4.9 owner response request packet 回覆 5 個 Gitea coverage attestation items;AwoooP 需用 template status ledger / audit event templates / collection checks 逐項追蹤,且只能引用脫敏 evidence refs。", "awooop_display_mode": "observe_missing_response", "still_forbidden": [ "store_token_value", diff --git a/docs/security/source-control-primary-readiness-gate.snapshot.json b/docs/security/source-control-primary-readiness-gate.snapshot.json index f800c6430..e3dcf9a27 100644 --- a/docs/security/source-control-primary-readiness-gate.snapshot.json +++ b/docs/security/source-control-primary-readiness-gate.snapshot.json @@ -51,7 +51,7 @@ "S4.5 已建立 authenticated/admin export request,但尚未取得 `gitea_repo_inventory_v1.status=ok` evidence", "S4.6 已建立 redacted import acceptance,但目前 received_payload_count=0、accepted_payload_count=0", "S4.7 已建立 owner coverage attestation request,但目前 received_attestation_count=0、accepted_attestation_count=0", - "S4.9 已建立 owner response request packet、5 個 template statuses、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes,但目前 received_response_count=0、accepted_response_count=0", + "S4.9 已建立 owner response request packet、5 個 template statuses、3 個 audit event templates、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes,但目前 received_response_count=0、accepted_response_count=0、audit_events_emitted=0", "S4.13 validation rollup 已將 S4.9 納入四包 owner response 驗收總覽,但目前 total_received_response_count=0、total_accepted_response_count=0", "public-only API 只看到 2 個 repos,本機 remote inventory 看到 4 個 unique Gitea repos,gap 仍待 owner 解釋", "GITEA_READONLY_TOKEN 未提供", @@ -62,7 +62,7 @@ "mirror S4.5 authenticated inventory export request", "mirror S4.6 redacted inventory import acceptance", "mirror S4.7 owner coverage attestation request", - "mirror S4.9 owner response request packet、template status ledger、collection checks、owner attestation response templates、intake preflight checks 與 outcome lanes", + "mirror S4.9 owner response request packet、template status ledger、audit event templates、collection checks、owner attestation response templates、intake preflight checks 與 outcome lanes", "mirror S4.13 owner response validation rollup", "等待 read-only token 或 redacted admin export", "更新 approval board 與 decision table" diff --git a/scripts/security/source-control-owner-response-guard.py b/scripts/security/source-control-owner-response-guard.py index da118d899..597205b48 100755 --- a/scripts/security/source-control-owner-response-guard.py +++ b/scripts/security/source-control-owner-response-guard.py @@ -57,6 +57,11 @@ LANES = [ "response-repo-owner-canonical-scope", "response-legacy-or-inaccessible-disposition", ], + "expected_audit_event_templates": [ + "audit-owner-response-request-shown", + "audit-owner-response-received-metadata", + "audit-owner-response-outcome-classified", + ], }, { "lane_id": "s4_10_github_target_owner_decision_response", @@ -233,6 +238,45 @@ def validate(root: Path) -> None: item["execution_authorized"], ) assert_true(f"{lane['lane_id']}.{item['template_id']}.not_approval", item["not_approval"]) + expected_audit_event_templates = lane.get("expected_audit_event_templates") + if expected_audit_event_templates is not None: + audit_event_templates = snapshot["owner_response_audit_event_templates"] + assert_equal( + f"{lane['lane_id']}.owner_response_audit_event_template_count", + summary["owner_response_audit_event_template_count"], + len(expected_audit_event_templates), + ) + assert_equal( + f"{lane['lane_id']}.owner_response_audit_event_template_ids", + [item["event_template_id"] for item in audit_event_templates], + expected_audit_event_templates, + ) + assert_equal( + f"{lane['lane_id']}.owner_response_audit_event_display_order", + [item["display_order"] for item in audit_event_templates], + list(range(1, len(expected_audit_event_templates) + 1)), + ) + for item in audit_event_templates: + assert_equal( + f"{lane['lane_id']}.{item['event_template_id']}.event_status", + item["event_status"], + "template_only_not_emitted", + ) + assert_equal(f"{lane['lane_id']}.{item['event_template_id']}.emitted_event_count", item["emitted_event_count"], 0) + assert_false( + f"{lane['lane_id']}.{item['event_template_id']}.stored_raw_payload_allowed", + item["stored_raw_payload_allowed"], + ) + assert_equal( + f"{lane['lane_id']}.{item['event_template_id']}.awooop_display_mode", + item["awooop_display_mode"], + "display_audit_template_only", + ) + assert_false( + f"{lane['lane_id']}.{item['event_template_id']}.execution_authorized", + item["execution_authorized"], + ) + assert_true(f"{lane['lane_id']}.{item['event_template_id']}.not_approval", item["not_approval"]) expected_request_packet_id = lane.get("expected_request_packet_id") if expected_request_packet_id is not None: request_packet = snapshot["owner_response_request_packet"]