docs(security): add VibeWork onboarding handoff [skip ci]
@@ -1,3 +1,42 @@
|
||||
## 2026-06-04|IwoooS P1-9 VibeWork Onboarding Handoff
|
||||
|
||||
**背景**:P1-8 已補 111 / 168 開發主機 scope handoff;本段接續 P1-9,將 VibeWork 納入 IwoooS 的 repo、product、surface、owner、evidence refs、資料分級、部署邊界與獨立產品邊界整理成 owner / reviewer 可審的只讀 handoff。這不是產品合併、不是部署批准、不是 repo / refs 同步、不是 workflow / secret 修改,也不是掃描或修復授權。
|
||||
|
||||
**本輪完成**:
|
||||
- 新增 `docs/security/VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md`:整理 VibeWork 產品定位、repo / refs truth、surface、owner response 欄位、資料分級、部署邊界與獨立產品邊界。
|
||||
- 新增 `docs/security/vibework-iwooos-onboarding-handoff.snapshot.json`:固定 `onboarding_handoff_completion_percent=100`,並維持 `product_boundary_merged_into_awoooi=false`、`production_deploy_authorized=false`、`repo_creation_authorized=false`、`refs_sync_authorized=false`、`workflow_modification_authorized=false`、`secret_value_collection_authorized=false`、`shared_database_authorized=false`、`shared_session_authorized=false`、`shared_rbac_authorized=false`。
|
||||
- 新增 `docs/schemas/vibework_iwooos_onboarding_handoff_v1.schema.json`:讓 VibeWork onboarding handoff 有可驗契約。
|
||||
- 更新 `IWOOOS-POSTURE-PROJECTION.md`:把 `vibework_iwooos_onboarding_handoff_v1` 加入 IwoooS 可讀來源。
|
||||
- 更新 IwoooS P0/P1 主控總帳:P1-9 onboarding handoff 標記 `100%`;VibeWork runtime / deploy / repo mutation 仍 `0 / false`;IwoooS headline 仍 `64%`。
|
||||
|
||||
**完成度更新**:
|
||||
- P1-9 VibeWork onboarding handoff:`100%`。
|
||||
- VibeWork runtime / deploy / repo mutation:`0 / false`。
|
||||
- owner response received / accepted:`false / false`。
|
||||
- repo refs truth accepted:`false`。
|
||||
- data classification accepted:`false`。
|
||||
- deployment boundary accepted:`false`。
|
||||
- active runtime gate:`0`。
|
||||
- IwoooS headline:維持 `64%`,不因文件草案假性調高。
|
||||
|
||||
**驗證**:
|
||||
- `python3 -m json.tool docs/security/vibework-iwooos-onboarding-handoff.snapshot.json`:通過。
|
||||
- `python3 -m json.tool docs/schemas/vibework_iwooos_onboarding_handoff_v1.schema.json`:通過。
|
||||
- 本段自訂結構檢查:`VIBEWORK_IWOOOS_ONBOARDING_HANDOFF_STRUCTURE_OK`。
|
||||
- `git diff --check`:通過。
|
||||
- `python3 scripts/security/source-control-owner-response-guard.py --root .`:`SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。
|
||||
- 新增 diff 行 credential pattern 檢查:`NO_ADDED_URL_CREDENTIAL_PATTERNS`。
|
||||
- staged 授權旗標檢查:`NO_UNEXPECTED_AUTHORIZATION_OR_COUNTER_INCREASE`。
|
||||
- Schema validator 限制:本地沒有 Python `jsonschema` / Node AJV 驗證器時,以 JSON parse、自訂結構檢查與既有 guard 補位。
|
||||
- Production 頁面檢查:本段只改 docs / snapshot / schema / LOGBOOK,未改 IwoooS 前端與 production 文案,不宣稱新的 production 狀態;沿用既有 VibeWork 前端只讀納管卡與 P0 `/zh-TW/iwooos` live sanity 基準。
|
||||
|
||||
**目前邊界**:
|
||||
- VibeWork 是獨立產品;不得與 AWOOOI 共用 DB、Session、RBAC 或核心流程 runtime。
|
||||
- `/Users/ogt/Documents/VibeWork` 是 dirty active workspace;`/Users/ogt/Documents/VibeWork-current-main` 是 reference worktree;refs truth 需 owner 決定,不自動 commit / rebase / push / sync refs。
|
||||
- VibeWork production URL、Docker Compose、health endpoint 或 drift guard 可見,不代表本段做了 production verification 或部署批准。
|
||||
- `.env`、DB URL、auth secret、job secret、webhook token、API key、cookie、session、private key、使用者原始需求、完整 PRD、媒合個資與通知原文全部拒收或隔離。
|
||||
|
||||
## 2026-06-04|IwoooS P1-8 111 / 168 Dev Host Scope Handoff
|
||||
|
||||
**背景**:P1-7 已把 Kali `192.168.0.112` 維護窗口草案推到 owner / reviewer 可審;本段接續 P1-8,補 `192.168.0.111` 與 `192.168.0.168` 的開發主機 scope、credential handling、rollback owner 與 validation metrics。這是 observe-only handoff,不登入主機、不 SSH、不 credentialed scan、不 active scan、不讀未授權目錄、不改 Ollama fallback route、不改 CORS / firewall / service。
|
||||
|
||||
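Review bot: the verification list for this LOGBOOK entry only records `python3 -m json.tool` runs on the snapshot and on the schema, plus a custom structure check, while the entry itself calls the schema a verifiable contract (`可驗契約`) and the caveat line admits that no `jsonschema` / AJV validator was available. So none of the `const: false` gates the snapshot is said to hold (`production_deploy_authorized=false`, `refs_sync_authorized=false`, `secret_value_collection_authorized=false`, ...) were actually checked against the schema in this commit; a JSON parse accepts a snapshot that flips every one of them to `true`. Either add a minimal validator under `scripts/security/` (a `jsonschema`-based check invoked by the existing guards would do) or state plainly in the verification list that schema conformance is unverified, rather than listing the structure check as if it were a substitute. Minor: the bullet "VibeWork runtime / deploy / repo mutation: `0 / false`" mixes a count and a boolean in one cell; the snapshot carries these as separate `runtime_gate_open` and `*_authorized` fields, so the LOGBOOK line should name which is which.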
215
docs/schemas/vibework_iwooos_onboarding_handoff_v1.schema.json
Normal file
@@ -0,0 +1,215 @@
|
||||
{
|
||||
"$schema": "https://json-schema.org/draft/2020-12/schema",
|
||||
"$id": "urn:awoooi:vibework-iwooos-onboarding-handoff-v1",
|
||||
"title": "VibeWork IwoooS Onboarding Handoff v1",
|
||||
"description": "定義 VibeWork 納入 IwoooS 只讀視野時的 repo、product、surface、owner、evidence refs、資料分級、部署邊界與獨立產品邊界。此契約不授權 repo / refs / workflow 變更、secret 收集、production deploy、掃描、修復或 runtime execution。",
|
||||
"type": "object",
|
||||
"required": [
|
||||
"schema_version",
|
||||
"status",
|
||||
"date",
|
||||
"mode",
|
||||
"source_evidence_refs",
|
||||
"summary",
|
||||
"product_identity",
|
||||
"repo_scope",
|
||||
"product_surfaces",
|
||||
"owner_response_handoff",
|
||||
"independent_product_boundary",
|
||||
"data_classification_intake",
|
||||
"deployment_boundary",
|
||||
"acceptance_rules",
|
||||
"forbidden_actions"
|
||||
],
|
||||
"properties": {
|
||||
"schema_version": {"const": "vibework_iwooos_onboarding_handoff_v1"},
|
||||
"status": {"type": "string", "enum": ["draft_waiting_owner_review"]},
|
||||
"date": {"type": "string"},
|
||||
"mode": {"type": "string", "enum": ["product_scope_handoff_only"]},
|
||||
"source_evidence_refs": {
|
||||
"type": "array",
|
||||
"items": {"type": "string"},
|
||||
"minItems": 1
|
||||
},
|
||||
"summary": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"product_name",
|
||||
"onboarding_handoff_package_ready",
|
||||
"onboarding_handoff_completion_percent",
|
||||
"product_boundary_merged_into_awoooi",
|
||||
"owner_response_received",
|
||||
"owner_response_accepted",
|
||||
"repo_refs_truth_accepted",
|
||||
"data_classification_accepted",
|
||||
"deployment_boundary_accepted",
|
||||
"runtime_gate_open",
|
||||
"runtime_execution_authorized",
|
||||
"production_deploy_authorized",
|
||||
"repo_creation_authorized",
|
||||
"refs_sync_authorized",
|
||||
"workflow_modification_authorized",
|
||||
"secret_value_collection_authorized",
|
||||
"shared_database_authorized",
|
||||
"shared_session_authorized",
|
||||
"shared_rbac_authorized",
|
||||
"action_buttons_allowed"
|
||||
],
|
||||
"properties": {
|
||||
"product_name": {"type": "string"},
|
||||
"onboarding_handoff_package_ready": {"type": "boolean"},
|
||||
"onboarding_handoff_completion_percent": {"type": "integer", "minimum": 0, "maximum": 100},
|
||||
"product_boundary_merged_into_awoooi": {"type": "boolean", "const": false},
|
||||
"owner_response_received": {"type": "boolean", "const": false},
|
||||
"owner_response_accepted": {"type": "boolean", "const": false},
|
||||
"repo_refs_truth_accepted": {"type": "boolean", "const": false},
|
||||
"data_classification_accepted": {"type": "boolean", "const": false},
|
||||
"deployment_boundary_accepted": {"type": "boolean", "const": false},
|
||||
"runtime_gate_open": {"type": "boolean", "const": false},
|
||||
"runtime_execution_authorized": {"type": "boolean", "const": false},
|
||||
"production_deploy_authorized": {"type": "boolean", "const": false},
|
||||
"repo_creation_authorized": {"type": "boolean", "const": false},
|
||||
"refs_sync_authorized": {"type": "boolean", "const": false},
|
||||
"workflow_modification_authorized": {"type": "boolean", "const": false},
|
||||
"secret_value_collection_authorized": {"type": "boolean", "const": false},
|
||||
"shared_database_authorized": {"type": "boolean", "const": false},
|
||||
"shared_session_authorized": {"type": "boolean", "const": false},
|
||||
"shared_rbac_authorized": {"type": "boolean", "const": false},
|
||||
"action_buttons_allowed": {"type": "boolean", "const": false}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"product_identity": {
|
||||
"type": "object",
|
||||
"required": ["product_type", "current_focus", "technical_stack", "language_policy"],
|
||||
"properties": {
|
||||
"product_type": {"type": "string"},
|
||||
"current_focus": {"type": "string"},
|
||||
"technical_stack": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"language_policy": {"type": "string"}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"repo_scope": {
|
||||
"type": "object",
|
||||
"required": ["active_workspace", "reference_worktree", "required_owner_answers"],
|
||||
"properties": {
|
||||
"active_workspace": {
|
||||
"type": "object",
|
||||
"required": ["path", "status_summary", "canonical_for_iwooos", "forbidden_actions"],
|
||||
"properties": {
|
||||
"path": {"type": "string"},
|
||||
"status_summary": {"type": "string"},
|
||||
"canonical_for_iwooos": {"type": "boolean", "const": false},
|
||||
"forbidden_actions": {"type": "array", "items": {"type": "string"}, "minItems": 1}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"reference_worktree": {
|
||||
"type": "object",
|
||||
"required": ["path", "head_sha", "origin_main_sha", "main_sha", "remote", "refs_truth_status"],
|
||||
"properties": {
|
||||
"path": {"type": "string"},
|
||||
"head_sha": {"type": "string"},
|
||||
"origin_main_sha": {"type": "string"},
|
||||
"main_sha": {"type": "string"},
|
||||
"remote": {"type": "string"},
|
||||
"refs_truth_status": {"type": "string"}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"required_owner_answers": {"type": "array", "items": {"type": "string"}, "minItems": 1}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"product_surfaces": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"required": ["surface_id", "routes", "boundary"],
|
||||
"properties": {
|
||||
"surface_id": {"type": "string"},
|
||||
"routes": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"boundary": {"type": "string"}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"minItems": 1
|
||||
},
|
||||
"owner_response_handoff": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"status",
|
||||
"request_dispatch_authorized",
|
||||
"required_response_fields",
|
||||
"allowed_decisions",
|
||||
"forbidden_inputs",
|
||||
"response_received",
|
||||
"response_accepted"
|
||||
],
|
||||
"properties": {
|
||||
"status": {"type": "string", "enum": ["ready_not_dispatched"]},
|
||||
"request_dispatch_authorized": {"type": "boolean", "const": false},
|
||||
"required_response_fields": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"allowed_decisions": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"forbidden_inputs": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"response_received": {"type": "boolean", "const": false},
|
||||
"response_accepted": {"type": "boolean", "const": false}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"independent_product_boundary": {
|
||||
"type": "object",
|
||||
"required": ["must_remain_independent", "forbidden_couplings", "allowed_future_integrations"],
|
||||
"properties": {
|
||||
"must_remain_independent": {"type": "boolean"},
|
||||
"forbidden_couplings": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"allowed_future_integrations": {"type": "array", "items": {"type": "string"}, "minItems": 1}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"data_classification_intake": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"required": ["data_type", "status", "collection_rule"],
|
||||
"properties": {
|
||||
"data_type": {"type": "string"},
|
||||
"status": {"type": "string", "enum": ["waiting_owner_classification"]},
|
||||
"collection_rule": {"type": "string"}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"minItems": 1
|
||||
},
|
||||
"deployment_boundary": {
|
||||
"type": "object",
|
||||
"required": [
|
||||
"public_host",
|
||||
"production_mode",
|
||||
"compose_host",
|
||||
"compose_directory",
|
||||
"internal_web",
|
||||
"database_boundary",
|
||||
"k3s_namespace_reference",
|
||||
"production_verification_in_this_awoooi_stage",
|
||||
"deployment_authorized"
|
||||
],
|
||||
"properties": {
|
||||
"public_host": {"type": "string"},
|
||||
"production_mode": {"type": "string"},
|
||||
"compose_host": {"type": "string"},
|
||||
"compose_directory": {"type": "string"},
|
||||
"internal_web": {"type": "string"},
|
||||
"database_boundary": {"type": "string"},
|
||||
"k3s_namespace_reference": {"type": "string"},
|
||||
"production_verification_in_this_awoooi_stage": {"type": "boolean", "const": false},
|
||||
"deployment_authorized": {"type": "boolean", "const": false}
|
||||
},
|
||||
"additionalProperties": false
|
||||
},
|
||||
"acceptance_rules": {"type": "array", "items": {"type": "string"}, "minItems": 1},
|
||||
"forbidden_actions": {"type": "array", "items": {"type": "string"}, "minItems": 1}
|
||||
},
|
||||
"additionalProperties": false
|
||||
}
|
||||
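Review bot: `reference_worktree.head_sha`, `origin_main_sha` and `main_sha` are declared as plain `{"type": "string"}`, so a truncated, abbreviated or placeholder value (`"TBD"`, a 7-character short SHA, an empty string) validates; these three fields are the only machine-readable refs-truth evidence in the contract, so constrain them, e.g. `{"type": "string", "pattern": "^[0-9a-f]{40}$"}`, and give `date` `"format": "date"` or a `^\\d{4}-\\d{2}-\\d{2}$` pattern instead of bare `string`. `remote` deserves the same treatment: a `pattern` that rejects URLs whose userinfo contains `:` would make the `secret_value_collection_authorized: false` intent enforceable at the one field most likely to receive an embedded credential. Smaller point: `status` and `mode` are single-value enums and every `*_authorized` / `*_accepted` field is `const: false`, so this schema can only ever describe a closed gate; the first real owner acceptance will require a `vibework_iwooos_onboarding_handoff_v2`, so make sure the guards key on `schema_version` and not only on the booleans.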
@@ -28,6 +28,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence:
|
||||
| `source_control_owner_response_validation_rollup_v1` | owner response 仍為 0、S4.9 下一個收件候選 |
|
||||
| `source_control_primary_readiness_gate_v1` | GitHub primary readiness 仍為 0、候選 repo 與切換前置缺口 |
|
||||
| `kali_integration_status_v1` | Kali 112 observe-only 整合態勢 |
|
||||
| `vibework_iwooos_onboarding_handoff_v1` | VibeWork repo / product / surface / owner / evidence refs / 獨立產品邊界只讀 handoff |
|
||||
| `2026-06-04-iwooos-security-governance-p0.md` | IwoooS P0 完成度、優先順序、跨 Session 同步與驗證節點 |
|
||||
| `/iwooos` 前端路由 | 顯示入口,不提供執行按鈕 |
|
||||
| 既有前端資安頁面 | 只讀索引,不搬移原頁責任邊界、不新增執行控制 |
|
||||
|
||||
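Review bot: the new row describes `vibework_iwooos_onboarding_handoff_v1` as covering repo / product / surface / owner / evidence refs / independent product boundary, but the schema added in this commit also requires `data_classification_intake` and `deployment_boundary`, and the LOGBOOK entry lists both as part of the handoff. Since this table is what IwoooS treats as its index of readable sources, add those two scopes to the description so a reader of the projection does not conclude that deployment boundary and data classification are outside the read-only view.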
139
docs/security/VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md
Normal file
@@ -0,0 +1,139 @@
|
||||
# VibeWork 納入 IwoooS 只讀 Handoff
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-04 |
|
||||
| 狀態 | 草案,等待 owner review |
|
||||
| 產品 | `VibeWork` |
|
||||
| Schema | `docs/schemas/vibework_iwooos_onboarding_handoff_v1.schema.json` |
|
||||
| Snapshot | `docs/security/vibework-iwooos-onboarding-handoff.snapshot.json` |
|
||||
| 上游證據 | `docs/security/iwooos-posture-projection.snapshot.json`、`apps/web/src/app/[locale]/iwooos/page.tsx`、`/Users/ogt/Documents/VibeWork-current-main/README.md` |
|
||||
| 模式 | `product_scope_handoff_only` |
|
||||
| 執行面授權 | `false` |
|
||||
|
||||
## 0. 核心結論
|
||||
|
||||
P1-9 補的是 VibeWork 納入 IwoooS 後的 repo / product / surface / owner / evidence refs / 獨立產品邊界 handoff。它不是產品合併、不是部署批准、不是 repo / refs 同步、不是 workflow / secret 修改,也不是掃描或修復授權。
|
||||
|
||||
VibeWork 目前在 IwoooS 前端已是只讀納管範圍;本階段要補的是後台治理契約,讓 owner / reviewer 能逐項收件,而不是只靠前端卡片理解。
|
||||
|
||||
## 1. 已讀到的只讀 evidence
|
||||
|
||||
| 類別 | evidence | 判讀 |
|
||||
|------|----------|------|
|
||||
| 產品定位 | `/Users/ogt/Documents/VibeWork-current-main/README.md` | VibeWork 是獨立 AI Vibe Coding 接案媒合平台 |
|
||||
| 技術棧 | `package.json` | Next.js 14、TypeScript、Prisma、PostgreSQL、Tailwind、Zod、Zustand |
|
||||
| 產品邊界 | `docs/PROJECT_BOUNDARIES.md` | 第一階段不得共用既有產品資料庫、Session、RBAC 或核心流程 runtime |
|
||||
| 部署策略 | `docs/DEPLOYMENT_STRATEGY.md` | 正式主線為獨立 Docker Compose;public host `https://vibework.wooo.work` |
|
||||
| 推版流程 | `docs/RELEASE_PROCESS.md` | 正式 image 必須可追溯 Gitea commit,部署後跑 smoke check |
|
||||
| IwoooS 前端 | `apps/web/src/app/[locale]/iwooos/page.tsx` | 已有 VibeWork 六項收件卡,runtime gate count 仍為 `0` |
|
||||
|
||||
## 2. Scope 摘要
|
||||
|
||||
| 指標 | 值 |
|
||||
|------|----|
|
||||
| onboarding handoff package | `ready` |
|
||||
| package completion | `100%` |
|
||||
| VibeWork product boundary merged into AWOOOI | `false` |
|
||||
| owner response received / accepted | `false / false` |
|
||||
| repo refs truth accepted | `false` |
|
||||
| data classification accepted | `false` |
|
||||
| deployment boundary accepted | `false` |
|
||||
| runtime gate open | `false` |
|
||||
| production deploy authorized | `false` |
|
||||
| repo creation / refs sync / workflow modification authorized | `false / false / false` |
|
||||
|
||||
## 3. Repo / Refs Handoff
|
||||
|
||||
目前只讀觀察到兩個本機路徑與一個 Gitea remote:
|
||||
|
||||
| 類型 | 路徑 / remote | 只讀判讀 | 不可誤讀 |
|
||||
|------|---------------|----------|----------|
|
||||
| active workspace | `/Users/ogt/Documents/VibeWork` | 工作目錄存在大量本地修改與未追蹤檔;不適合作為 AWOOOI 直接引用的 canonical evidence | 不可自動 commit、rebase、push、刪檔或同步 refs |
|
||||
| reference worktree | `/Users/ogt/Documents/VibeWork-current-main` | HEAD `1a902530141004d958cda639bea9a837282c867f`;`origin/main=421c834756b7f41ef554c0348274f3762c3fc2de`;`main=48275cc52be79107e887147d3fe10310a887afe9` | refs truth 需 owner 決定;不可自動把 worktree 當正式 main |
|
||||
| Gitea remote | `ssh://git@192.168.0.110:2222/wooo/vibework.git` | VibeWork 正式版本來源候選 | 不收 SSH key、不改 remote、不 push、不建 GitHub mirror |
|
||||
|
||||
後續 owner response 必須回答:
|
||||
|
||||
1. canonical repo path / remote 以哪個為準。
|
||||
2. `VibeWork` / `VibeWork-current-main` / `origin/main` / `main` 的 refs truth 如何處理。
|
||||
3. 哪些 dirty workspace 檔案只是本機 WIP,哪些是待整合 release candidate。
|
||||
4. 是否需要 GitHub target;若需要,也只收 target metadata,不建立 repo。
|
||||
5. workflow、runner、secret name parity 是否要納入後續 source-control owner response;不收 secret value。
|
||||
|
||||
## 4. Product / Surface Handoff
|
||||
|
||||
| Surface | 類型 | 本階段 evidence | 邊界 |
|
||||
|---------|------|----------------|------|
|
||||
| `/`、`/en` | public marketing | 官網首頁與英文入口存在 | 不代表 production smoke 已在本段執行 |
|
||||
| `/client/projects/new`、`/client/projects/*` | client workspace | 需求者 intake、PRD、媒合流程 | 不接 AWOOOI DB、不共用 Session |
|
||||
| `/coder/matches`、`/coder/profile` | coder workspace | 接案者履歷、媒合機會與回應 | 不共用 AWOOOI RBAC |
|
||||
| `/admin`、`/api/v1/admin/*` | admin / reviewer | 管理後台、審核、內容管理 | 需 VibeWork 自身角色邊界 |
|
||||
| `/notifications` | logged-in user | 站內通知 | 不導入 AWOOOI Telegram approval 語義 |
|
||||
| `/api/v1/health` | health | 正式 smoke 目標之一 | 只作 health evidence,不代表 runtime gate |
|
||||
| `/api/ai/*` | AI assistance | intake / milestone / support agent 路徑 | AI evidence 必須保留 VibeWork 內部稽核與授權邊界 |
|
||||
|
||||
## 5. Owner Response Handoff
|
||||
|
||||
此 handoff 只讓 AwoooP 或 reviewer 請 owner 補 VibeWork metadata。它不是 request sent、不是 approval queue,也不是可執行動作。
|
||||
|
||||
### 5.1 必填欄位
|
||||
|
||||
| 欄位 | 說明 |
|
||||
|------|------|
|
||||
| `product_owner_role_or_team` | VibeWork 產品 owner 或 team |
|
||||
| `security_owner_role_or_team` | VibeWork 資安 / 資料保護 owner |
|
||||
| `source_control_owner_role_or_team` | repo / refs / workflow / secret name owner |
|
||||
| `deployment_owner_role_or_team` | Docker Compose / K3s / domain / smoke owner |
|
||||
| `data_classification_owner_role_or_team` | 需求、PRD、個資、媒合、稽核與通知資料分級 owner |
|
||||
| `surface_scope` | 本次納入 IwoooS 的 route、API、admin、worker、job 範圍 |
|
||||
| `decision` | 允許值:`confirm_observe_only`、`defer`、`reject`、`request_more_evidence` |
|
||||
| `decision_reason` | 決策理由摘要,不得貼 raw secret、token、cookie 或未脫敏截圖 |
|
||||
| `redacted_evidence_refs` | 只填文件、snapshot、ticket、commit、hash 或脫敏 metadata pointer |
|
||||
| `followup_owner` | 補件、拒收或下一階段 owner |
|
||||
|
||||
### 5.2 禁止輸入
|
||||
|
||||
| 類型 | 規則 |
|
||||
|------|------|
|
||||
| credential | 不貼 `.env`、DB URL、auth secret、job secret、webhook token、API key、cookie、session、private key |
|
||||
| raw data | 不貼需求者原始需求、PRD 原文、媒合個資、會員資料、通知內容、稽核原文 |
|
||||
| source-control action | 不要求建立 repo、同步 refs、rebase、push、改 workflow、改 runner、改 secret |
|
||||
| production action | 不要求 deploy、restart、compose up/down、DB migration、drift guard apply |
|
||||
| runtime coupling | 不要求共用 AWOOOI DB、Session、RBAC、Telegram approval 或 AwoooP execution router |
|
||||
|
||||
## 6. 獨立產品邊界
|
||||
|
||||
VibeWork 可以納入 IwoooS 的全產品資安視野,但第一階段仍必須維持獨立產品邊界:
|
||||
|
||||
1. 不共用 AWOOOI 或其他產品資料庫。
|
||||
2. 不共用 AWOOOI 會員 Session。
|
||||
3. 不把 VibeWork RBAC 綁到 AWOOOI 權限模型。
|
||||
4. 不讓 VibeWork 核心流程依賴 AWOOOI runtime 可用性。
|
||||
5. 不把 AwoooP approval 當 VibeWork 資安批准或部署批准。
|
||||
6. 後續整合只能走版本化 API、Webhook、outbox、匯入匯出配接器、SSO / OAuth 或 Anti-Corruption Layer。
|
||||
7. 即使未來做 SSO / OAuth,也不得取代 VibeWork 自己的 RBAC 與稽核事件。
|
||||
|
||||
## 7. 資料分級收件
|
||||
|
||||
| 資料類型 | 初期分級狀態 | 收件規則 |
|
||||
|----------|--------------|----------|
|
||||
| 需求者需求 / intake answer | waiting owner classification | 只收欄位類型、資料流與脫敏摘要,不收原文 |
|
||||
| PRD block / source anchor | waiting owner classification | 只收資料模型與風險摘要,不收完整 PRD |
|
||||
| 接案者履歷 / 作品集 | waiting owner classification | 只收欄位與公開 / 私有邊界,不收個資內容 |
|
||||
| 媒合紀錄 / 分數理由 | waiting owner classification | 只收評分因子與稽核規則,不收個案資料 |
|
||||
| AuditEvent / 通知 | waiting owner classification | 只收事件類型與保存策略,不收訊息原文 |
|
||||
| admin / marketing content | waiting owner classification | 只收發布流程與權限邊界,不收未發布內容 |
|
||||
|
||||
## 8. 驗收規則
|
||||
|
||||
1. 本 handoff 完成不代表 VibeWork owner response 已收到或 accepted。
|
||||
2. VibeWork 納入 IwoooS 只代表全產品資安視野可見,不代表掃描、部署、修復或 runtime execution。
|
||||
3. canonical repo、refs truth、workflow / secret name、GitHub target 仍需 source-control owner response。
|
||||
4. 正式 URL、Docker Compose、health endpoint 或 drift guard 可見,不等於本段已做 production verification。
|
||||
5. 任何 `.env`、secret、DB URL、token、private key、cookie、session、auth header、job secret 都必須拒收或隔離。
|
||||
6. 未來若要改 VibeWork production、deploy、compose、DB migration、worker、domain、TLS 或 smoke 帳密,必須另開 VibeWork owner approval 與 rollback / post-check。
|
||||
|
||||
## 9. 階段定位
|
||||
|
||||
P1-9 只把 VibeWork 從「前端已只讀納管」推到「owner / reviewer 可照表審 repo、product、surface、owner、data classification、deployment boundary 與 evidence refs」。它不改 VibeWork repo、不改 AWOOOI 前端、不部署、不掃描、不開 runtime gate,也不提高 IwoooS headline 64%。
|
||||
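Review bot: in the repo / refs table the reference worktree shows three different commits (HEAD `1a902530`, `origin/main` `421c8347`, `main` `48275cc5`) but does not say what HEAD actually is (a detached checkout, a local branch, a tag), so a reviewer cannot tell whether the directory named `VibeWork-current-main` is ahead of, behind, or diverged from either `main`; record the `git branch --show-current` / `git status -sb` reading next to the SHAs. The same table summarises the active workspace only as having many modified and untracked files, while the snapshot in this commit pins it as `ahead_3_behind_92`; carry the ahead/behind count into the document so the two artefacts agree. Also, the evidence column cites absolute paths under `/Users/ogt/Documents/...`; those are pointers to one developer's checkout rather than committed evidence, and a reviewer without that machine cannot resolve them, whereas a `remote@sha:path` form built from the Gitea remote and `head_sha` already in the table would be reproducible.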
283
docs/security/vibework-iwooos-onboarding-handoff.snapshot.json
Normal file
@@ -0,0 +1,283 @@
|
||||
{
|
||||
"schema_version": "vibework_iwooos_onboarding_handoff_v1",
|
||||
"status": "draft_waiting_owner_review",
|
||||
"date": "2026-06-04",
|
||||
"mode": "product_scope_handoff_only",
|
||||
"source_evidence_refs": [
|
||||
"docs/security/iwooos-posture-projection.snapshot.json",
|
||||
"docs/workplans/2026-06-04-iwooos-security-governance-p0.md",
|
||||
"apps/web/src/app/[locale]/iwooos/page.tsx",
|
||||
"apps/web/messages/zh-TW.json",
|
||||
"/Users/ogt/Documents/VibeWork-current-main/README.md",
|
||||
"/Users/ogt/Documents/VibeWork-current-main/docs/PROJECT_BOUNDARIES.md",
|
||||
"/Users/ogt/Documents/VibeWork-current-main/docs/DEPLOYMENT_STRATEGY.md",
|
||||
"/Users/ogt/Documents/VibeWork-current-main/docs/RELEASE_PROCESS.md",
|
||||
"/Users/ogt/Documents/VibeWork-current-main/package.json"
|
||||
],
|
||||
"summary": {
|
||||
"product_name": "VibeWork",
|
||||
"onboarding_handoff_package_ready": true,
|
||||
"onboarding_handoff_completion_percent": 100,
|
||||
"product_boundary_merged_into_awoooi": false,
|
||||
"owner_response_received": false,
|
||||
"owner_response_accepted": false,
|
||||
"repo_refs_truth_accepted": false,
|
||||
"data_classification_accepted": false,
|
||||
"deployment_boundary_accepted": false,
|
||||
"runtime_gate_open": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"production_deploy_authorized": false,
|
||||
"repo_creation_authorized": false,
|
||||
"refs_sync_authorized": false,
|
||||
"workflow_modification_authorized": false,
|
||||
"secret_value_collection_authorized": false,
|
||||
"shared_database_authorized": false,
|
||||
"shared_session_authorized": false,
|
||||
"shared_rbac_authorized": false,
|
||||
"action_buttons_allowed": false
|
||||
},
|
||||
"product_identity": {
|
||||
"product_type": "獨立 AI Vibe Coding 接案媒合平台",
|
||||
"current_focus": "需求者引導式需求收集、區塊式 PRD、可解釋媒合、接案者回應、合作確認、站內通知、管理後台監控",
|
||||
"technical_stack": [
|
||||
"Next.js 14 App Router",
|
||||
"TypeScript",
|
||||
"Tailwind CSS",
|
||||
"React Hook Form",
|
||||
"Zod",
|
||||
"Zustand",
|
||||
"Prisma",
|
||||
"PostgreSQL"
|
||||
],
|
||||
"language_policy": "所有文件、產品文案、註解與說明文字皆使用繁體中文;技術名詞與識別字可保留英文。"
|
||||
},
|
||||
"repo_scope": {
|
||||
"active_workspace": {
|
||||
"path": "/Users/ogt/Documents/VibeWork",
|
||||
"status_summary": "read_only_observed_dirty_workspace_ahead_3_behind_92_with_many_modified_and_untracked_files",
|
||||
"canonical_for_iwooos": false,
|
||||
"forbidden_actions": [
|
||||
"commit",
|
||||
"rebase",
|
||||
"push",
|
||||
"delete_files",
|
||||
"sync_refs"
|
||||
]
|
||||
},
|
||||
"reference_worktree": {
|
||||
"path": "/Users/ogt/Documents/VibeWork-current-main",
|
||||
"head_sha": "1a902530141004d958cda639bea9a837282c867f",
|
||||
"origin_main_sha": "421c834756b7f41ef554c0348274f3762c3fc2de",
|
||||
"main_sha": "48275cc52be79107e887147d3fe10310a887afe9",
|
||||
"remote": "ssh://git@192.168.0.110:2222/wooo/vibework.git",
|
||||
"refs_truth_status": "waiting_owner_decision"
|
||||
},
|
||||
"required_owner_answers": [
|
||||
"canonical repo path / remote",
|
||||
"refs truth between active workspace, reference worktree, origin/main and main",
|
||||
"dirty workspace WIP vs release candidate disposition",
|
||||
"GitHub target metadata if needed",
|
||||
"workflow / runner / secret name parity owner"
|
||||
]
|
||||
},
|
||||
"product_surfaces": [
|
||||
{
|
||||
"surface_id": "public-marketing",
|
||||
"routes": [
|
||||
"/",
|
||||
"/en",
|
||||
"/services",
|
||||
"/industries",
|
||||
"/resources",
|
||||
"/case-studies",
|
||||
"/pricing"
|
||||
],
|
||||
"boundary": "public content surface only; not production smoke in this AWOOOI handoff"
|
||||
},
|
||||
{
|
||||
"surface_id": "client-workspace",
|
||||
"routes": [
|
||||
"/client/projects/new",
|
||||
"/client/projects",
|
||||
"/client/projects/[projectId]/intake/[sessionId]",
|
||||
"/client/projects/[projectId]/prd",
|
||||
"/client/projects/[projectId]/matches",
|
||||
"/client/projects/[projectId]/workspace"
|
||||
],
|
||||
"boundary": "client Session and data ownership stay inside VibeWork"
|
||||
},
|
||||
{
|
||||
"surface_id": "coder-workspace",
|
||||
"routes": [
|
||||
"/coder/profile",
|
||||
"/coder/matches",
|
||||
"/coder/projects/[projectId]/workspace"
|
||||
],
|
||||
"boundary": "coder profile, portfolio and match data require VibeWork data classification"
|
||||
},
|
||||
{
|
||||
"surface_id": "admin-review",
|
||||
"routes": [
|
||||
"/admin",
|
||||
"/admin/growth-analytics",
|
||||
"/admin/growth-launch",
|
||||
"/admin/growth-leads",
|
||||
"/admin/marketing-preview",
|
||||
"/api/v1/admin/*"
|
||||
],
|
||||
"boundary": "admin / reviewer RBAC remains VibeWork-owned"
|
||||
},
|
||||
{
|
||||
"surface_id": "health-and-jobs",
|
||||
"routes": [
|
||||
"/api/v1/health",
|
||||
"/api/v1/jobs/*"
|
||||
],
|
||||
"boundary": "health and job routes need VibeWork job-secret handling; no secret value collection"
|
||||
},
|
||||
{
|
||||
"surface_id": "ai-assistance",
|
||||
"routes": [
|
||||
"/api/ai/intake-assistant",
|
||||
"/api/ai/milestone-assistant",
|
||||
"/api/ai/support"
|
||||
],
|
||||
"boundary": "AI evidence must remain within VibeWork audit and authorization boundary"
|
||||
}
|
||||
],
|
||||
"owner_response_handoff": {
|
||||
"status": "ready_not_dispatched",
|
||||
"request_dispatch_authorized": false,
|
||||
"required_response_fields": [
|
||||
"product_owner_role_or_team",
|
||||
"security_owner_role_or_team",
|
||||
"source_control_owner_role_or_team",
|
||||
"deployment_owner_role_or_team",
|
||||
"data_classification_owner_role_or_team",
|
||||
"surface_scope",
|
||||
"decision",
|
||||
"decision_reason",
|
||||
"redacted_evidence_refs",
|
||||
"followup_owner"
|
||||
],
|
||||
"allowed_decisions": [
|
||||
"confirm_observe_only",
|
||||
"defer",
|
||||
"reject",
|
||||
"request_more_evidence"
|
||||
],
|
||||
"forbidden_inputs": [
|
||||
".env content",
|
||||
"database URL value",
|
||||
"auth secret value",
|
||||
"job secret value",
|
||||
"webhook token value",
|
||||
"API key value",
|
||||
"cookie",
|
||||
"session",
|
||||
"private key",
|
||||
"client raw requirement",
|
||||
"PRD raw content",
|
||||
"match personal data",
|
||||
"notification raw content",
|
||||
"audit raw payload",
|
||||
"deploy command request",
|
||||
"compose restart request",
|
||||
"DB migration request",
|
||||
"repo push request",
|
||||
"refs sync request"
|
||||
],
|
||||
"response_received": false,
|
||||
"response_accepted": false
|
||||
},
|
||||
"independent_product_boundary": {
|
||||
"must_remain_independent": true,
|
||||
"forbidden_couplings": [
|
||||
"share_awoooi_database",
|
||||
"share_awoooi_session",
|
||||
"bind_vibework_rbac_to_awoooi_rbac",
|
||||
"depend_on_awoooi_runtime_for_core_flow",
|
||||
"treat_awooop_approval_as_vibework_security_approval",
|
||||
"direct_cross_database_join"
|
||||
],
|
||||
"allowed_future_integrations": [
|
||||
"versioned API",
|
||||
"Webhook event",
|
||||
"outbox pattern",
|
||||
"import / export adapter",
|
||||
"SSO / OAuth with VibeWork RBAC preserved",
|
||||
"Anti-Corruption Layer"
|
||||
]
|
||||
},
|
||||
"data_classification_intake": [
|
||||
{
|
||||
"data_type": "client requirement / intake answer",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "metadata and field type only; no raw answer content"
|
||||
},
|
||||
{
|
||||
"data_type": "PRD block / source anchor",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "model and risk summary only; no full PRD"
|
||||
},
|
||||
{
|
||||
"data_type": "coder profile / portfolio",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "field and public / private boundary only; no personal data content"
|
||||
},
|
||||
{
|
||||
"data_type": "match record / score reason",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "scoring factor and audit rule only; no case data"
|
||||
},
|
||||
{
|
||||
"data_type": "AuditEvent / notification",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "event type and retention policy only; no message body"
|
||||
},
|
||||
{
|
||||
"data_type": "admin / marketing content",
|
||||
"status": "waiting_owner_classification",
|
||||
"collection_rule": "publication workflow and permission boundary only; no unpublished content"
|
||||
}
|
||||
],
|
||||
"deployment_boundary": {
|
||||
"public_host": "https://vibework.wooo.work",
|
||||
"production_mode": "Docker Compose on independent product boundary",
|
||||
"compose_host": "192.168.0.188",
|
||||
"compose_directory": "/home/ollama/vibework-production",
|
||||
"internal_web": "http://192.168.0.188:32336",
|
||||
"database_boundary": "Compose PostgreSQL service; host binding documented as 127.0.0.1:54329",
|
||||
"k3s_namespace_reference": "vibework namespace manifests retained as optional reference; runtime deployment scaled to 0 in source evidence",
|
||||
"production_verification_in_this_awoooi_stage": false,
|
||||
"deployment_authorized": false
|
||||
},
|
||||
"acceptance_rules": [
|
||||
"本 handoff 完成不代表 VibeWork owner response 已收到或 accepted。",
|
||||
"VibeWork 納入 IwoooS 只代表全產品資安視野可見,不代表掃描、部署、修復或 runtime execution。",
|
||||
"canonical repo、refs truth、workflow / secret name、GitHub target 仍需 source-control owner response。",
|
||||
"正式 URL、Docker Compose、health endpoint 或 drift guard 可見,不等於本段已做 production verification。",
|
||||
"任何 .env、secret、DB URL、token、private key、cookie、session、auth header、job secret 都必須拒收或隔離。",
|
||||
"未來若要改 VibeWork production、deploy、compose、DB migration、worker、domain、TLS 或 smoke 帳密,必須另開 VibeWork owner approval 與 rollback / post-check。"
|
||||
],
|
||||
"forbidden_actions": [
|
||||
"modify_vibework_repo",
|
||||
"commit_vibework_changes",
|
||||
"push_vibework_refs",
|
||||
"sync_refs",
|
||||
"create_github_repo",
|
||||
"change_workflow",
|
||||
"collect_secret_value",
|
||||
"read_env_file",
|
||||
"deploy_production",
|
||||
"restart_compose",
|
||||
"run_db_migration",
|
||||
"run_active_scan",
|
||||
"run_credentialed_scan",
|
||||
"share_database",
|
||||
"share_session",
|
||||
"bind_rbac",
|
||||
"enable_runtime_gate",
|
||||
"add_awooop_action_button"
|
||||
]
|
||||
}
|
||||
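Review bot: this snapshot commits internal deployment topology into the docs tree: the Gitea remote `ssh://git@192.168.0.110:2222/wooo/vibework.git`, `compose_host` `192.168.0.188`, `compose_directory` `/home/ollama/vibework-production`, `internal_web` `http://192.168.0.188:32336` and a PostgreSQL host binding `127.0.0.1:54329`. None of these is a secret value, and `forbidden_inputs` only bars `.env content` and `database URL value`, but together they are exactly the starting point for the credentialed or active scan that `forbidden_actions` prohibits, and the LOGBOOK credential check reports `NO_ADDED_URL_CREDENTIAL_PATTERNS` for a diff that adds a `user@host:port` URL, so confirm the pattern deliberately ignores bare userinfo. Route this infrastructure metadata through the same `data_classification_intake` the client, coder and audit data go through (a `deployment metadata` entry with `waiting_owner_classification`) before the snapshot is treated as readable by IwoooS, and confirm the repository's visibility. Secondary point: `repo_scope.active_workspace.status_summary` packs two numbers (ahead 3, behind 92) into a snake_case string the schema cannot check, and the `source_evidence_refs` entries under `/Users/ogt/Documents/...` are unresolvable for anyone without that checkout.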
@@ -9,7 +9,7 @@
|
||||
| 工作視窗 | IwoooS / AWOOOI 資安治理 P0 |
|
||||
| 本次乾淨 worktree | `/private/tmp/awoooi-iwooos-governance-p0-20260604` |
|
||||
| 本次分支 | `codex/iwooos-governance-p0-20260604` |
|
||||
| 最新觀察到的 `gitea/main` | `65bdfd1d chore(cd): deploy 29a67ec [skip ci]` |
|
||||
| 最新觀察到的 `gitea/main` | `5fcf4f8e docs(logbook): record source link canary repair [skip ci]` |
| 前一個正式 IwoooS 候選基準 | code `7b8fc093`、deploy marker `45c63488`、LOGBOOK `02cadee6` |
| 最新導航 IA 基準 | code `973fc7a4`、LOGBOOK `2555c811`、deploy marker `0260ec89` |
| 禁止事項 | 不 force push、不 destructive git、不 SSH 修改主機、不 active scan、不收 secrets 明文、不把 AwoooP approval 當資安批准、不把 UI 可見當 runtime 授權 |
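Review bot: the 最新觀察到的 `gitea/main` row now records `5fcf4f8e` instead of `65bdfd1d`, but the row carries no observation time or command, so a later reviewer cannot tell which of the two commits the clean worktree at `/private/tmp/awoooi-iwooos-governance-p0-20260604` was based on; add the observation timestamp (or the `git rev-parse` output together with the time it was taken) next to the hash so the baseline is reproducible.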
@@ -26,7 +26,7 @@
| GitHub primary readiness | 0 | 否 | primary gate 仍為 0;P1 只讀重盤工作本身目前約 70%,不代表可切 primary |
| Kali 112 維護準備 | P1-7 maintenance window draft `100%`;維護尚未開始 | 否 | 不更新套件、不重啟、不 hardening、不 active scan |
| 111 / 168 開發主機納管 | P1-8 scope handoff package `100%`;主機執行 `0%` | 否 | 仍不 credentialed scan、不讀未授權資料、不改 fallback route、不改 CORS / firewall / service、不自動修復 |
| VibeWork 納入 IwoooS | 前端態勢已有 onboarding 欄位,產品邊界需補規範 | 可補文件 | 保留 VibeWork 獨立產品邊界 |
| VibeWork 納入 IwoooS | P1-9 onboarding handoff package `100%`;產品 / repo / surface / owner / evidence 邊界已可交接 | 否 | 保留 VibeWork 獨立產品邊界;不部署、不掃描、不改 repo / refs / workflow、不收 secrets |
## 2. P0 工作拆解與優先順序
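Review bot: the updated VibeWork row states `onboarding handoff package 100%` and lists the boundary (不部署、不掃描、不改 repo / refs / workflow、不收 secrets), but unlike the P1-8 row directly above, which separates `scope handoff package 100%` from `主機執行 0%`, it gives no execution figure; add the runtime / deploy / repo mutation `0 / false` value to this row as well, otherwise this first status table reads as more complete than the later sections that do carry it.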
@@ -131,7 +131,7 @@ S4.9 是目前 IwoooS 64% 能往前的第一優先 gate。驗收前所有 count
| P1 | GitHub primary readiness 只讀重盤 | repo visibility、refs、tags、workflow、secret name、runner、rollback ADR | 只讀 inventory;不建立 repo、不同步 refs |
| P1 | Kali 112 維護窗口草案 | 1994 pending updates、`networking.service` failed、服務硬化 0/4、rollback、post-check | P1-7 草案已完成;不 `apt upgrade`、不 restart |
| P1 | 111 / 168 主機 scope 補強 | P1-8 已補 `DEV-HOSTS-111-168-SCOPE-HANDOFF.md`、snapshot 與 schema;scope、maintenance window、credential handling、rollback owner、validation 指標已可交接 | observe-only;不 credentialed scan、不改 route / CORS / firewall / service |
| P1 | VibeWork 納入 IwoooS | repo、product、surface、owner、evidence refs、獨立產品邊界 | 繁中 docs/specs;不合併產品責任 |
| P1 | VibeWork 納入 IwoooS | P1-9 已補 `VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md`、snapshot 與 schema;repo、product、surface、owner、evidence refs、資料分級、部署邊界與獨立產品邊界已可交接 | 繁中 docs/specs;不合併產品責任、不部署、不改 refs |
| P1 | Code Review 候選分類 | 前端體驗、測試補洞、文件同步、低風險重構;人工批准後才 Codex | 候選不自動改 code、不自動 deploy |
| P2 | IwoooS UX 精簡 | 首屏摘要、圖、矩陣、Gate;長證據改展開式 | desktop/mobile 開頁、overflow |
| P2 | 資安圖表專業化 | 主拓樸圖、攻擊路徑圖、主機 / 產品 / 版本來源關聯圖、Gate flow | local + production browser |
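Review bot: the restriction cell of the updated P1-9 row (`不合併產品責任、不部署、不改 refs`) is narrower than the snapshot's `forbidden_actions`, which also bar `run_active_scan`, `run_credentialed_scan`, `collect_secret_value` and `read_env_file`; either list those here too or reference the snapshot from the cell, so this priority table does not become the one place where scanning or secret collection for VibeWork appears to be left open.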
@@ -178,6 +178,9 @@ P1 只讀重盤階段整體完成度:`70%`。它代表 freshness / inventory /
| 需要新增規範 | 111 / 168 開發主機 scope handoff | 原本只有 observe-only mapping,缺 owner 可審的 scope boundary、credential refusal、rollback owner、validation metrics 與維護窗口欄位 | 已新增 P1-8 handoff、snapshot 與 schema;host execution 仍 `0%` |
| 需要調整規範 | 111 Ollama fallback wording | 111 是 ADR-110 local fallback evidence 範圍,不可被誤讀成可直接改 route、重啟 Ollama 或停止模型 | 已在 P1-8 固定 `fallback_route_change_authorized=false` 與 route truth observe-only |
| 需要調整規範 | 168 dev origin / repo hygiene wording | repo hygiene 與 local service exposure 容易被誤讀成可掃個人資料、讀未授權目錄或改 CORS / firewall | 已在 P1-8 固定未授權目錄、個人資料、secret derivative、CORS / firewall / service change 全部拒收 / 禁止 |
| 需要新增規範 | VibeWork owner / repo / surface handoff | 既有前端已有 VibeWork 收件卡,但缺可交接的 repo、product、surface、owner、evidence refs、資料分級與獨立產品邊界契約 | 已新增 P1-9 handoff、snapshot 與 schema;product runtime / deploy / repo mutation 仍 `0 / false` |
| 需要調整規範 | VibeWork refs truth wording | 本機同時存在 active workspace 與 reference worktree,且 refs 有差異;不能把 dirty workspace 或 worktree HEAD 當正式 main | 已在 P1-9 固定 `refs_truth_status=waiting_owner_decision`,不自動 commit / rebase / push / sync refs |
| 需要調整規範 | VibeWork 獨立產品邊界 | VibeWork 可納入 IwoooS 視野,但不得與 AWOOOI 共用 DB、Session、RBAC 或核心流程 runtime | 已在 P1-9 固定獨立產品邊界與未來 API / Webhook / ACL 整合方式 |
## 6.3 P1 優先順序細化
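Review bot: the VibeWork refs truth row says 不自動 commit / rebase / push / sync refs, but the snapshot's `forbidden_actions` contains `commit_vibework_changes`, `push_vibework_refs` and `sync_refs` and no rebase entry; add a matching action (or drop rebase from the wording) so the markdown and the machine-checked snapshot agree. The same row should also name the snapshot field in which `refs_truth_status=waiting_owner_decision` is recorded, since the active workspace vs reference worktree discrepancy is the fact a reviewer will want to verify first.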
@@ -191,7 +194,7 @@ P1 只讀重盤階段整體完成度:`70%`。它代表 freshness / inventory /
| P1-6 | AwoooP Session 同步 | 同步 commits、runs、production sanity、P1 refresh counts、gate 0 / false | 另一 Session 不再使用舊 refs count |
| P1-7 | Kali 112 maintenance window 草案 | 已補 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md`、snapshot 與 schema;packages、`networking.service` failed、hardening 0/4、rollback、post-check 已進 owner handoff | 文件草案,不執行 `apt upgrade` / restart / hardening / scan |
| P1-8 | 111 / 168 開發主機 scope | 已補 `DEV-HOSTS-111-168-SCOPE-HANDOFF.md`、`dev-hosts-111-168-scope-handoff.snapshot.json`、`dev_host_scope_handoff_v1.schema.json`;111 fallback truth / model inventory / service posture 與 168 dev origin / repo hygiene / CORS / local exposure 已拆成 handoff | scope handoff `100%`;主機執行 `0%`;不 credentialed scan、不讀未授權資料、不改 fallback route、不改 CORS / firewall / service |
| P1-9 | VibeWork 納入 IwoooS | repo / product / surface / owner / evidence refs / 獨立產品邊界 | docs/specs 繁中,產品責任不合併 |
| P1-9 | VibeWork 納入 IwoooS | 已補 `VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md`、`vibework-iwooos-onboarding-handoff.snapshot.json`、`vibework_iwooos_onboarding_handoff_v1.schema.json`;repo / product / surface / owner / evidence refs / 資料分級 / 部署邊界 / 獨立產品邊界已拆成 handoff | onboarding handoff `100%`;runtime / deploy / repo mutation `0 / false`;docs/specs 繁中,產品責任不合併 |
## 7. 2026-06-04 本輪驗證紀錄
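Review bot: the new P1-9 row lists what was 拆成 handoff and marks `onboarding handoff 100%`, but it does not carry the owner acceptance state, even though the snapshot's first acceptance rule says completion of the handoff does not mean the VibeWork owner response has been received or accepted; add that state to the 狀態 cell (as the P1-8 row does with `主機執行 0%`), otherwise `100%` can be read as the handoff having been accepted rather than merely prepared.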
@@ -223,6 +226,8 @@ P1 只讀重盤階段整體完成度:`70%`。它代表 freshness / inventory /
| P1-7 Kali 112 maintenance window draft | 新增 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md`、`kali-112-maintenance-window-draft.snapshot.json`、`kali_maintenance_window_draft_v1.schema.json`;1994 pending updates、`networking.service` failed、hardening `0 / 4`、rollback owner、post-check owner 已整理成 handoff | `host_update_authorized=false`、`service_restart_authorized=false`、`hardening_authorized=false`、`reboot_authorized=false`、`active_scan_authorized=false`、`execute_endpoint_authorized=false` |
| P1-8 111 / 168 dev host scope handoff | 新增 `DEV-HOSTS-111-168-SCOPE-HANDOFF.md`、`dev-hosts-111-168-scope-handoff.snapshot.json`、`dev_host_scope_handoff_v1.schema.json`;111 fallback truth / model inventory / service posture 與 168 dev origin / repo hygiene / CORS / local exposure 已整理成 owner handoff | `host_change_authorized=false`、`fallback_route_change_authorized=false`、`credentialed_scan_authorized=false`、`active_scan_authorized=false`、`secret_value_collection_authorized=false`、`runtime_execution_authorized=false` |
| P1-8 JSON parse / structure check | `dev-hosts-111-168-scope-handoff.snapshot.json` 與 `dev_host_scope_handoff_v1.schema.json` JSON parse 通過;本段自訂結構檢查 `DEV_HOST_SCOPE_HANDOFF_STRUCTURE_OK` | 本地無 `jsonschema` / AJV 時以 JSON parse、自訂結構檢查與既有 guard 補位 |
| P1-9 VibeWork onboarding handoff | 新增 `VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md`、`vibework-iwooos-onboarding-handoff.snapshot.json`、`vibework_iwooos_onboarding_handoff_v1.schema.json`;VibeWork repo / refs truth、產品定位、surface、owner response、資料分級、部署邊界與獨立產品邊界已整理成 owner handoff | `product_boundary_merged_into_awoooi=false`、`production_deploy_authorized=false`、`repo_creation_authorized=false`、`refs_sync_authorized=false`、`workflow_modification_authorized=false`、`shared_database_authorized=false`、`shared_session_authorized=false` |
| P1-9 JSON parse / structure check | `vibework-iwooos-onboarding-handoff.snapshot.json` 與 `vibework_iwooos_onboarding_handoff_v1.schema.json` JSON parse 通過;本段自訂結構檢查 `VIBEWORK_IWOOOS_ONBOARDING_HANDOFF_STRUCTURE_OK` | 本地無 `jsonschema` / AJV 時以 JSON parse、自訂結構檢查與既有 guard 補位 |
| P1 JSON parse | `gitea-github-awoooi-inventory`、`github-target-probe`、`source-control-primary-readiness-gate`、`source-control-workflow-secret-name-local-evidence`、Gitea repo / search / org blocked snapshots 皆通過 |
| P1 production 頁面檢查 | 本輪未改前端、未改 production 文案、未新增 deploy;不宣稱新的 production 狀態,沿用 P0 live sanity 作為基準 |
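Review bot: in the P1-9 JSON parse / structure check row, a JSON parse only proves the two files are well-formed; it does not validate the snapshot against `vibework_iwooos_onboarding_handoff_v1.schema.json`, and the row itself says `jsonschema` / AJV were unavailable locally. Name the script or command that produced `VIBEWORK_IWOOOS_ONBOARDING_HANDOFF_STRUCTURE_OK` and which assertions it makes (for example that every `*_authorized` field is `false` and that `forbidden_actions` is non-empty), otherwise the structure check is not reproducible and the row gives more assurance than was actually verified.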
@@ -240,6 +245,10 @@ host_change_authorized=false
fallback_route_change_authorized=false
credentialed_scan_authorized=false
secret_value_collection_authorized=false
production_deploy_authorized=false
repo_creation_authorized=false
refs_sync_authorized=false
workflow_modification_authorized=false
active_scan_authorized=false
```
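Review bot: if this fenced `key=false` block is the session's consolidated gate summary, it now gains the four source-control / deploy gates added for P1-9 but none of the product-boundary gates the VibeWork handoff depends on (the snapshot forbids `share_database`, `share_session`, `bind_rbac` and `enable_runtime_gate`, and sets `deployment_authorized=false`); either add the corresponding `*_authorized=false` lines here or state above the block that it lists only host and source-control gates, so a reader does not infer that shared DB / session / RBAC with AWOOOI is ungated.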