diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 0a92479c6..b0030dce4 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,18 @@ +## 2026-05-19 | 資安供應鏈 S4.12:Workflow / Secret Name Owner Response Intake Preflight Checks + +**背景**:S4.12 已有 workflow / secret name owner response request packet、5 個 template status ledger、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、5 個 response templates、8 個 acceptance checks 與 10 個 rejection rules;本輪補上 6 個 intake preflight checks,讓 AwoooP 在 owner response 到來時先判斷可審、補證、隔離或拒收,而不是直接推進 secret 建立、workflow 修改、runner 啟用或 primary readiness。 + +**完成**: +- `source_control_workflow_secret_name_owner_response_v1` schema 新增 optional `intake_preflight_checks`,summary 新增 `intake_preflight_check_count=6`。 +- `source-control-workflow-secret-name-owner-response.snapshot.json` 新增 6 個 preflight checks:已知 workflow / secret lane、必填欄位、允許 decision、脫敏 evidence、不得夾帶 workflow / secret 執行要求、接受前覆蓋五個 templates。 +- `source-control-owner-response-guard.py` 反查 S4.12 preflight check count、check id 順序、display order、`required=true` 與 `execution_authorized=false`。 +- 更新 S4.12 人讀文件與 AwoooP / readiness / approval / status rollup / manifest / progress 顯示說明。 + +**仍禁止**: +- 不把 S4.12 preflight pass 當成 owner response accepted、secret 建立 / 複製 / rotate approval、workflow modification approval、runner enablement approval、deploy key rotation approval、branch protection change approval 或 GitHub primary approval。 +- 不保存 secret value、hash、masked token、partial credential、webhook secret、runner token、private key、deploy key value、authorization header、cookie、session、未脫敏截圖、raw owner response 或 execution request payload。 +- 不讓 preflight checks 觸發 action button、runtime gate、workflow / secret / runner 變更、Kali scan 或任何 runtime action。 + ## 2026-05-19 | 資安供應鏈 S4.12:Workflow / Secret Name Owner Response Collection Checks **背景**:S4.12 已有 workflow / secret name owner response request packet、5 個 template status ledger、3 個 audit event templates、5 個 redaction examples、5 個 response templates、8 個 acceptance checks 與 10 個 rejection rules;本輪補上 6 個 collection checks,讓 AwoooP 在顯示 request packet 到收到 owner response 之間,固定維持 request / received / accepted 分離,避免把 request ready、redaction example、audit template 或 owner wording 誤判成 response received / accepted、secret value collection 或 workflow / runner 授權。 diff --git a/docs/schemas/source_control_workflow_secret_name_owner_response_v1.schema.json b/docs/schemas/source_control_workflow_secret_name_owner_response_v1.schema.json index 8ca5e1263..24c053d82 100644 --- a/docs/schemas/source_control_workflow_secret_name_owner_response_v1.schema.json +++ b/docs/schemas/source_control_workflow_secret_name_owner_response_v1.schema.json @@ -68,6 +68,7 @@ "owner_response_audit_event_template_count", "owner_response_redaction_example_count", "owner_response_collection_check_count", + "intake_preflight_check_count", "response_template_count", "received_response_count", "accepted_response_count", @@ -101,6 +102,7 @@ "owner_response_audit_event_template_count": {"type": "integer", "minimum": 0}, "owner_response_redaction_example_count": {"type": "integer", "minimum": 0}, "owner_response_collection_check_count": {"type": "integer", "minimum": 0}, + "intake_preflight_check_count": {"type": "integer", "minimum": 0}, "response_template_count": {"type": "integer", "minimum": 0}, "received_response_count": {"type": "integer", "minimum": 0}, "accepted_response_count": {"type": "integer", "minimum": 0}, @@ -270,6 +272,43 @@ }, "minItems": 1 }, + "intake_preflight_checks": { + "type": "array", + "description": "AwoooP 收到 S4.12 workflow / secret 名稱 owner response 前後可執行的只讀 preflight;只分類可收、補證、隔離或拒收,不授權 secret value collection、workflow/webhook/runner/deploy key/branch protection/secret 修改或 primary 執行。", + "items": { + "type": "object", + "required": [ + "check_id", + "display_order", + "title", + "required", + "pass_condition", + "failure_lane", + "awooop_display", + "execution_authorized" + ], + "properties": { + "check_id": {"type": "string"}, + "display_order": {"type": "integer", "minimum": 1}, + "title": {"type": "string"}, + "required": {"type": "boolean"}, + "pass_condition": {"type": "string"}, + "failure_lane": {"type": "string"}, + "awooop_display": { + "type": "string", + "enum": [ + "ready_for_owner_review", + "request_more_evidence", + "quarantine_sensitive_payload", + "reject_execution_request" + ] + }, + "execution_authorized": {"type": "boolean", "const": false} + }, + "additionalProperties": false + }, + "minItems": 1 + }, "owner_response_request_packet": { "type": "object", "description": "AwoooP 可直接顯示給 owner 的 S4.12 workflow / secret 名稱回覆請求;只說明要填什麼與不得貼什麼,不授權收集 secret value、使用 write token、修改 workflow/webhook/runner/deploy key/branch protection/secret 或切換 GitHub primary。", diff --git a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md index 6abe411ee..0c56a5b5c 100644 --- a/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md +++ b/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md @@ -56,7 +56,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類;S4.11 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類、1 個 request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 response templates 與人工判定隊列,不執行 sync/delete/force push | | `source_control_primary_readiness_gate_v1` | GitHub primary readiness / parity gate | Source-control review、Operator Console、Audit | approval-only | 只顯示 primary blockers、parity gates、rollback ADR 缺口;目前 `primary_ready_count=0` | | `source_control_primary_rollback_adr_v1` | GitHub primary rollback ADR 草案與 validation window | Source-control review、Operator Console、Audit | approval-only | 只顯示 7 個 repo 的 rollback draft、owner review、validation window;不得執行 rollback 或切 primary | -| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.12 owner response 收件包 | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口、S4.2 local evidence、S4.3 redacted export request、S4.12 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 5 個 response templates;目前 `inventory_complete_count=0`,不得保存 secret value | +| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.12 owner response 收件包 | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口、S4.2 local evidence、S4.3 redacted export request、S4.12 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 response templates;目前 `inventory_complete_count=0`,不得保存 secret value | | `local_repo_canonical_probe_v1` | 本機 working tree lineage 比對 | Canonical decision evidence | mirror-only | 不自動合併、不自動建 repo、不刪除 | | `git_remote_refs_probe_v1` | 指定 repo remote refs read-only probe | Source readiness evidence | mirror-only | 不 fetch、不 push、不自動 mirror | | `approval_required_event_v1` | 上述事件的高風險 gate | Approval queue、Audit | approval-only | `blocked_until_approved=true` | @@ -129,7 +129,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 | `source_control_reconcile_plan_v1.status=draft_blocked` | `approve_required` | 只顯示 refs reconcile 草案與 gate,不執行 sync | | `source_control_ref_detail_diff_v1.status=draft_blocked` | `observe` | 顯示 branch/tag 明細 diff,支援人工 review | | `source_control_ref_truth_classification_v1.status=draft_blocked` | `approve_required` | 顯示 main/dev 真相來源、drift deprecated 候選、release / UAT tag review lane、S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 templates;不執行分類結果 | -| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 S4.2 local evidence、S4.3 export request、S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與 templates;不收 secret value、不改 workflow、不啟用 runner | +| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 S4.2 local evidence、S4.3 export request、S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 templates;不收 secret value、不改 workflow、不啟用 runner | | `local_repo_canonical_probe_v1.status=unrelated` | `approve_required` | 禁止自動合併,需人工 canonical 判定 | | `git_remote_refs_probe_v1.status=ok` | `observe` | 可作 source evidence,但仍需 GitHub target 與 approval | | `security_rollout_policy_v1.enforcement_level=mirror_only` | `observe` | 只顯示 policy,不阻擋既有流程 | @@ -219,6 +219,6 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得 3. AwoooP 先 mirror S4.13 owner response validation rollup,集中顯示 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets;不得把 rollup 視為 approval 或 execution authorization。 4. Security Supply Chain Session 依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response。 5. Security Supply Chain Session 依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 refs truth owner response templates;audit event templates 目前 0 emitted,redaction examples 只示範安全 metadata shape,collection checks 只維持 request / received / accepted 分離,preflight 只分類可審、補證、隔離、拒收或等待,response 通過也只更新 read-only classification / reconcile / readiness wording。 -6. Security Supply Chain Session 依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks 收到並驗收 5 個 workflow / secret 名稱 owner response templates;request packet 只提示 owner 要回覆什麼,template status ledger 只逐項顯示 waiting,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範安全 metadata shape,response 通過也只更新 read-only inventory / export request / readiness wording。 +6. Security Supply Chain Session 依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 收到並驗收 5 個 workflow / secret 名稱 owner response templates;request packet 只提示 owner 要回覆什麼,template status ledger 只逐項顯示 waiting,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範安全 metadata shape,response 通過也只更新 read-only inventory / export request / readiness wording。 7. AwoooP 只建立 mirror/read-only policy 入口,不新增 execution action。 8. 任一方要把事件升級成實際執行,都必須先產出 `approval_required_event_v1`,並在 `security_approval_queue_v1` 中維持 `blocked_until_approved=true` 直到人工決策完成。 diff --git a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md index 4e12c7144..bf29f3a12 100644 --- a/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md +++ b/docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md @@ -297,9 +297,9 @@ S4.2 local evidence:已新增本機只讀 collector 與 snapshot,7 個 local S4.3 export request:已新增 `source_control_workflow_secret_name_export_request_v1` supporting schema、snapshot 與人讀版;7 個 in-scope repos、5 類 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity。`write_token_allowed=false`、`secret_value_collection_allowed=false`。 -S4.12 owner response:已新增 `source_control_workflow_secret_name_owner_response_v1` supporting schema、snapshot 與人讀版;1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 5 個 response templates 對應 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity。`received_response_count=0`、`accepted_response_count=0`、`audit_events_emitted=0`、`secret_value_collection_allowed=false`、`write_token_allowed=false`。 +S4.12 owner response:已新增 `source_control_workflow_secret_name_owner_response_v1` supporting schema、snapshot 與人讀版;1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 response templates 對應 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity。`received_response_count=0`、`accepted_response_count=0`、`audit_events_emitted=0`、`secret_value_collection_allowed=false`、`write_token_allowed=false`。 -AwoooP 初期處理方式:只顯示 inventory lane 缺口、S4.2 local evidence、S4.3 export request、S4.12 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / templates、要求 redacted snapshot 與人工 review;不得收集 secret value、修改 workflow、rotate secret、啟用 GitHub hosted runner、sync refs 或切 GitHub primary。 +AwoooP 初期處理方式:只顯示 inventory lane 缺口、S4.2 local evidence、S4.3 export request、S4.12 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / templates、要求 redacted snapshot 與人工 review;不得收集 secret value、修改 workflow、rotate secret、啟用 GitHub hosted runner、sync refs 或切 GitHub primary。 ### `security_mirror_readiness_v1` @@ -393,7 +393,7 @@ Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json` Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json` -目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆、primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner response request packet 1 筆、template statuses 7 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、intake preflight checks 6 筆、owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;S4.11 refs truth owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、intake preflight checks 6 筆、templates 5 筆、received response 0 筆、accepted response 0 筆、audit events emitted 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、display sections 8 筆、collection checks 6 筆、S4.9 owner response templates 5 筆、intake preflight checks 6 筆、outcome lanes 5 筆、received response 0 筆、audit events emitted 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆、S4.12 owner response request packet 1 筆、S4.12 template statuses 5 筆、S4.12 audit event templates 3 筆、S4.12 redaction examples 5 筆、S4.12 collection checks 6 筆、S4.12 owner response templates 5 筆、received response 0 筆、accepted response 0 筆、audit events emitted 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 +目前 rollup:`framework_ready_waiting_approval`;35 個 contracts、32 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆;state transition rules 5 筆;follow-up runtime gate templates 8 筆;active runtime gates 0 筆;GitHub primary candidate repos 8 筆、primary ready 0 筆;S4.4 rollback ADR repo plans 7 筆、owner approved 0 筆、dry-run completed 0 筆;S4.10 GitHub target owner response request packet 1 筆、template statuses 7 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、intake preflight checks 6 筆、owner decision response templates 7 筆、received response 0 筆、accepted response 0 筆;S4.11 refs truth owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、collection checks 6 筆、intake preflight checks 6 筆、templates 5 筆、received response 0 筆、accepted response 0 筆、audit events emitted 0 筆;Gitea inventory 目前 `partial_waiting_authenticated_inventory`,public-only repo 2 個、本機可見 Gitea unique repo 4 個、export source options 2 類、S4.6 import acceptance payload 0 筆、S4.7 owner attestation items 5 筆、received attestation 0 筆、S4.9 owner response request packet 1 筆、template statuses 5 筆、audit event templates 3 筆、redaction examples 5 筆、display sections 8 筆、collection checks 6 筆、S4.9 owner response templates 5 筆、intake preflight checks 6 筆、outcome lanes 5 筆、received response 0 筆、audit events emitted 0 筆、quarantine required=true、token value collection allowed=false;workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆、S4.12 owner response request packet 1 筆、S4.12 template statuses 5 筆、S4.12 audit event templates 3 筆、S4.12 redaction examples 5 筆、S4.12 collection checks 6 筆、S4.12 intake preflight checks 6 筆、S4.12 owner response templates 5 筆、received response 0 筆、accepted response 0 筆、audit events emitted 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。 AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。 @@ -670,7 +670,7 @@ Schema:`docs/schemas/github_target_owner_decision_response_v1.schema.json` } ``` -AwoooP 初期處理方式:mirror 成 owner response request / status / review lane。request packet 只顯示要請 owner 回覆哪 7 個 target 與不得貼什麼,template status ledger 只逐項顯示 waiting / request ready,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範脫敏 metadata shape,collection checks 只維持 request / received / accepted 分離;response 通過後只更新 read-only decision table、approval package、approval board 與 primary readiness gate;不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 repo creation、visibility change、refs sync 或 GitHub primary approval。 +AwoooP 初期處理方式:mirror 成 owner response request / status / review lane。request packet 只顯示要請 owner 回覆哪 7 個 target 與不得貼什麼,template status ledger 只逐項顯示 waiting / request ready,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範脫敏 metadata shape,collection checks 只維持 request / received / accepted 分離;response 通過後只更新 read-only decision table、approval package、approval board 與 primary readiness gate;不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo creation、visibility change、refs sync 或 GitHub primary approval。 ### `github_target_repo_approval_package_v1` @@ -911,7 +911,7 @@ Console 初期不提供高風險執行按鈕。 2026-05-13 S4.3 workflow / secret name redacted export request 追加:已新增 `docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json`、`docs/security/source-control-workflow-secret-name-export-request.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md`。本輪只定義 7 個 in-scope repos、5 類 export lanes 的 owner / read-only export 欄位與拒收規則:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;`write_token_allowed=false`、`secret_value_collection_allowed=false`,不得呼叫 API 或修改 GitHub/Gitea。 -2026-05-17 S4.12 workflow / secret name owner response 追加,2026-05-19 補 request packet、template status ledger、audit event templates、redaction examples 與 collection checks:已新增 `docs/schemas/source_control_workflow_secret_name_owner_response_v1.schema.json`、`docs/security/source-control-workflow-secret-name-owner-response.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md`。目前 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 5 個 response templates 對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;received / accepted response 皆為 0、audit events emitted 仍為 0。AwoooP 可 mirror 成 owner response intake queue,但不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 secret value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。 +2026-05-17 S4.12 workflow / secret name owner response 追加,2026-05-19 補 request packet、template status ledger、audit event templates、redaction examples 與 collection checks:已新增 `docs/schemas/source_control_workflow_secret_name_owner_response_v1.schema.json`、`docs/security/source-control-workflow-secret-name-owner-response.snapshot.json` 與 `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md`。目前 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 response templates 對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;received / accepted response 皆為 0、audit events emitted 仍為 0。AwoooP 可 mirror 成 owner response intake queue,但不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。 2026-05-17 S4.13 owner response validation rollup 追加:已新增 `docs/schemas/source_control_owner_response_validation_rollup_v1.schema.json`、`docs/security/source-control-owner-response-validation-rollup.snapshot.json` 與 `docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md`。目前彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,22 個 response templates、received / accepted / rejected response 皆為 0、cross-packet checks 10 個。AwoooP 可 mirror 成只讀驗收總覽,但不得把 rollup 當成 approval、runtime gate、repo / refs / workflow / secret / runner 執行授權或 GitHub primary approval。 diff --git a/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md b/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md index 7a892c2c4..3e5de96cb 100644 --- a/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md +++ b/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md @@ -52,7 +52,7 @@ - GitHub target 決策表已建立,8 個候選中 7 個需人工批准;其中 `ewoooc`、`bitan-pharmacy`、`tsenyang-website` 在 target visibility / owner 決策前不得自動建立或同步。 - GitHub target repo-by-repo approval package 已建立,7 個 approval-required targets 拆成 refs reconcile、target 建立 / 授權、internal remote 用途確認三條路徑;此 package 採低摩擦原則,只 gate 高風險執行,不阻擋 read-only evidence。 - Source Control ref truth classification 已建立,141 個 refs review items 已拆成 4 個真相來源判定、114 個 drift deprecated 候選、3 個 release tag review、20 個 GitHub-only refs review;S4.11 已補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 owner response templates,received / accepted response 皆為 0、audit events emitted 仍為 0。這是人工判定隊列與收件框架,不是同步批准。 -- Workflow / secret 名稱 owner response 已建立,S4.12 補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 5 個 response templates,received / accepted response 皆為 0、audit events emitted 仍為 0;這只允許 owner 補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition,不授權收 secret value、修改 workflow、啟用 GitHub hosted runner 或切 GitHub primary。 +- Workflow / secret 名稱 owner response 已建立,S4.12 補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 response templates,received / accepted response 皆為 0、audit events emitted 仍為 0;這只允許 owner 補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition,不授權收 secret value、修改 workflow、啟用 GitHub hosted runner 或切 GitHub primary。 - Owner response validation rollup 已建立,S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,共 22 個 response templates、received / accepted response 皆為 0;這只是驗收總覽,不是 approval、runtime gate 或執行授權。 - 本機可見 Git working tree 輔助盤點已找到 13 個 repo,其中去重後 Gitea repo 4 個、GitHub repo 5 個、110 內部 repo 4 個;此結果可用來補遷移矩陣,但不能取代 Gitea server 全量清單。 diff --git a/docs/security/SECURITY-APPROVAL-GATE.md b/docs/security/SECURITY-APPROVAL-GATE.md index 248d6eb87..777c5c402 100644 --- a/docs/security/SECURITY-APPROVAL-GATE.md +++ b/docs/security/SECURITY-APPROVAL-GATE.md @@ -38,7 +38,7 @@ S3.1 開始,實際人工決策紀錄由 `security_approval_decision_record_v1` | 1 | Redacted finding ingestion | 只批准設計或 draft PR | | 2 | Safe web crawl | 只批准低噪音 scope 定義 | | 3 | Gitea owner attestation + read-only inventory | 先依 S4.9 驗收 S4.7 owner response,再只批准只讀 inventory 或 redacted admin export | -| 4 | GitHub target decisions | 只批准逐 repo S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response 與 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / workflow secret 名稱 response 驗收與決策草案 | +| 4 | GitHub target decisions | 只批准逐 repo S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response 與 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / workflow secret 名稱 response 驗收與決策草案 | | 5 | Ref truth review | 只批准 S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response 驗收、人工分類與 reconcile 草案 | | 6 | Credentialed scan | 只允許人工 exception 設計,仍需 runtime gate | | 7 | Kali full-upgrade / reboot | 只允許維護窗口與 rollback 規劃 | diff --git a/docs/security/SECURITY-APPROVAL-QUEUE.md b/docs/security/SECURITY-APPROVAL-QUEUE.md index 4266d41b5..3f9b85fd7 100644 --- a/docs/security/SECURITY-APPROVAL-QUEUE.md +++ b/docs/security/SECURITY-APPROVAL-QUEUE.md @@ -35,7 +35,7 @@ S3.0 開始,人工批准範圍由 `security_approval_gate_v1` 承接。S3.1 | 1 | `kali-finding-runtime-ingestion-approval-20260513` | 先接 redacted finding evidence,風險低、價值高 | | 2 | `kali-safe-web-crawl-approval-20260513` | TLS/header/basic crawl 屬低噪音,但仍需批准 scope | | 3 | `gitea-private-internal-server-side-inventory-2026-05-12` | 先依 S4.9 收到並驗收 S4.7 owner coverage attestation response,再審 Gitea 全量版本轉 GitHub 的只讀 inventory gate | -| 4 | `source-control-target-repo-approval-bundle-20260513` | 先依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 驗收逐 repo owner / visibility / canonical response,並依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks 驗收 workflow / secret 名稱 owner response | +| 4 | `source-control-target-repo-approval-bundle-20260513` | 先依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 驗收逐 repo owner / visibility / canonical response,並依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 驗收 workflow / secret 名稱 owner response | | 5 | `source-control-ref-truth-review-bundle-20260513` | 先依 S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 驗收 refs truth owner response,再看 deprecated / release tag review | | 6 | `kali-credentialed-scan-approval-20260513` | 需要憑證,風險較高 | | 7 | `kali-full-upgrade-reboot-approval-20260513` | 需要維護窗口、snapshot、rollback 與 post-check | diff --git a/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md b/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md index f4bb18bd6..51828f3a8 100644 --- a/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md +++ b/docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md @@ -39,7 +39,7 @@ S3.4 開始,等待 runtime gate 時要看哪些前置條件,由 `security_fo | 1 | Redacted finding ingestion | `design_or_draft_review` | 只審是否可設計或建立 draft PR | | 2 | Safe web crawl | `low_noise_scan_scope_review` | 只審低噪音 scope 定義 | | 3 | Gitea owner attestation + read-only inventory | `read_only_inventory_review` | 先依 S4.9 審 S4.7 owner response,再審只讀 token 或 redacted export | -| 4 | GitHub target decisions | `design_or_draft_review` | 先審 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response 與 S4.12 workflow / secret 名稱 request packet / template status ledger / audit event templates / redaction examples / collection checks / response,再審 owner / visibility / canonical 草案 | +| 4 | GitHub target decisions | `design_or_draft_review` | 先審 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response 與 S4.12 workflow / secret 名稱 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response,再審 owner / visibility / canonical 草案 | | 5 | Ref truth review | `design_or_draft_review` | 先審 S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response 驗收,再審人工分類與 reconcile 草案 | | 6 | Credentialed scan | `manual_exception_review` | 只審 exception 設計 | | 7 | Kali full-upgrade / reboot | `manual_exception_review` | 只審維護窗口與 rollback 計畫 | diff --git a/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md b/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md index a4baa5294..1380a1d85 100644 --- a/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md +++ b/docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md @@ -34,7 +34,7 @@ | Redacted finding ingestion | MEDIUM | 只準備 ingestion adapter 的 redaction / audit 前置條件 | | Safe web crawl scope | MEDIUM | 只準備 TLS/header/basic crawl 的低噪音 scope | | Gitea owner attestation + read-only inventory | MEDIUM | 先依 S4.9 驗收 S4.7 owner response,再準備 read-only token 或 redacted export inventory | -| GitHub target decision | HIGH | 只準備 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response、S4.12 workflow / secret 名稱 request packet / template status ledger / audit event templates / redaction examples / collection checks / response 驗收、owner / visibility / canonical / workflow parity 決策 | +| GitHub target decision | HIGH | 只準備 S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response、S4.12 workflow / secret 名稱 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response 驗收、owner / visibility / canonical / workflow parity 決策 | | Ref truth review | HIGH | 只準備 S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response 驗收、refs truth / deprecated / release tag 人工判定 | | Credentialed scan exception | HIGH | 只準備人工 exception、credential lifecycle 與停用方式 | | Kali full-upgrade / reboot | HIGH | 只準備維護窗口、snapshot、rollback 與 post-health | diff --git a/docs/security/SECURITY-MIRROR-DRY-RUN.md b/docs/security/SECURITY-MIRROR-DRY-RUN.md index 8c65ff5fc..85bc2446f 100644 --- a/docs/security/SECURITY-MIRROR-DRY-RUN.md +++ b/docs/security/SECURITY-MIRROR-DRY-RUN.md @@ -24,7 +24,7 @@ | `CHECK_ROUTE_COVERAGE` | 確認 route groups 覆蓋所有 contracts | 不建立 fallback execution route | | `CHECK_ACCEPTANCE_AND_QUARANTINE` | 確認驗收與隔離只處理 mirror payload | 不阻擋 runtime | | `CHECK_PROGRESS_GUARD` | 確認 58% headline 進度與 micro progress delta ledger 只作狀態顯示 | 不把進度或 delta ledger 當 approval 或 runtime authorization | -| `CHECK_OWNER_RESPONSE_GUARD` | 確認四包 owner response 仍未收到 / 接受,且 S4.9 request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / preflight / outcome lanes 只提示 owner、逐項顯示 waiting、只定義 0 emitted 的 metadata audit 模板、脫敏範例與只讀 UI 區塊、維持收件狀態分離、分類可審、補證、隔離、拒收或等待;S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 也只提示 7 個 GitHub target 要回覆的欄位、逐項顯示 waiting / request ready、定義 0 emitted 的脫敏 metadata、維持 request / received / accepted 分離,並只分類可收、補證、隔離或拒收;S4.11 request packet 只提示 5 類 refs truth owner response 欄位,template status ledger 逐項顯示 waiting / request ready,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範安全 metadata shape,collection checks 只維持 request / received / accepted 分離,intake preflight checks 只分類可審、補證、隔離、拒收或等待;S4.12 request packet 只提示 5 類 workflow / secret 名稱 owner response 欄位,template status ledger 逐項顯示 waiting / request ready,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範安全 metadata shape,collection checks 只維持 request / received / accepted 分離 | 不把 guard pass、request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo、refs、workflow、secret、runner、primary、audit production ingestion 或 runtime 授權 | +| `CHECK_OWNER_RESPONSE_GUARD` | 確認四包 owner response 仍未收到 / 接受,且 S4.9 request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / preflight / outcome lanes 只提示 owner、逐項顯示 waiting、只定義 0 emitted 的 metadata audit 模板、脫敏範例與只讀 UI 區塊、維持收件狀態分離、分類可審、補證、隔離、拒收或等待;S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 也只提示 7 個 GitHub target 要回覆的欄位、逐項顯示 waiting / request ready、定義 0 emitted 的脫敏 metadata、維持 request / received / accepted 分離,並只分類可收、補證、隔離或拒收;S4.11 request packet 只提示 5 類 refs truth owner response 欄位,template status ledger 逐項顯示 waiting / request ready,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範安全 metadata shape,collection checks 只維持 request / received / accepted 分離,intake preflight checks 只分類可審、補證、隔離、拒收或等待;S4.12 request packet 只提示 5 類 workflow / secret 名稱 owner response 欄位,template status ledger 逐項顯示 waiting / request ready,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範安全 metadata shape,collection checks 只維持 request / received / accepted 分離,intake preflight checks 只分類可審、補證、隔離或拒收 | 不把 guard pass、request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo、refs、workflow、secret、runner、primary、audit production ingestion 或 runtime 授權 | | `CHECK_LOW_NOISE_CHANNEL` | 確認 Channel Event 低噪音 | 不對 LOW / MEDIUM 洗版 | | `CONFIRM_NO_RUNTIME_ACTION` | 確認 dry-run 沒有任何 runtime action | 不掃描、不 deploy、不 sync refs | diff --git a/docs/security/SECURITY-MIRROR-READINESS.md b/docs/security/SECURITY-MIRROR-READINESS.md index f31f14039..c77f20b88 100644 --- a/docs/security/SECURITY-MIRROR-READINESS.md +++ b/docs/security/SECURITY-MIRROR-READINESS.md @@ -91,7 +91,7 @@ GitHub target 決策面需同時 mirror S4.10 `GITHUB-TARGET-OWNER-DECISION-RESP Ref truth 決策面需同時 mirror S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` 與 `source-control-ref-truth-owner-response.snapshot.json`,只顯示 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 owner response templates、received / accepted response 皆為 0、audit events emitted 仍為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 refs sync、delete、force push 或 GitHub primary approval。 -Workflow / secret 名稱決策面需同時 mirror S4.12 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` 與 `source-control-workflow-secret-name-owner-response.snapshot.json`,只顯示 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、5 個 owner response templates、received / accepted response 皆為 0、audit events emitted 仍為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 secret value 收集、workflow 修改、GitHub hosted runner 啟用或 GitHub primary approval。 +Workflow / secret 名稱決策面需同時 mirror S4.12 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` 與 `source-control-workflow-secret-name-owner-response.snapshot.json`,只顯示 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 owner response templates、received / accepted response 皆為 0、audit events emitted 仍為 0、8 個 acceptance checks 與 10 個 rejection rules;不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value 收集、workflow 修改、GitHub hosted runner 啟用或 GitHub primary approval。 Owner response validation 決策面需同時 mirror S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md` 與 `source-control-owner-response-validation-rollup.snapshot.json`,只顯示 S4.9 / S4.10 / S4.11 / S4.12 四個 response packets 的驗收總覽:22 個 templates、received / accepted / rejected 皆為 0、cross-packet checks 10 個;不得把 rollup 當成 approval、runtime gate 或 execution authorization。 diff --git a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md index 01bd5a6e9..1341d2680 100644 --- a/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md +++ b/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md @@ -28,10 +28,10 @@ | Review packets | S3.2 已建立;8 packets、7 ready for human review、1 block candidate | | State transitions | S3.3 已建立;5 個 decision options 都有 next state,且都不授權執行 | | Follow-up runtime gate templates | S3.4 已建立;8 個 templates、0 個 active runtime gates | -| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,7 個 response templates、owner response 0 筆;S4.11 已補 refs truth owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,5 個 response templates、owner response 0 筆、audit events emitted 0 筆;S4.12 已補 workflow / secret 名稱 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與收件包,5 個 response templates、owner response 0 筆、audit events emitted 0 筆;S4.13 已補四包 owner response validation rollup,22 個 templates、received / accepted / rejected 皆為 0 | +| GitHub primary readiness gate | S4.0 已建立;8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,7 個 response templates、owner response 0 筆;S4.11 已補 refs truth owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,5 個 response templates、owner response 0 筆、audit events emitted 0 筆;S4.12 已補 workflow / secret 名稱 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包,5 個 response templates、owner response 0 筆、audit events emitted 0 筆;S4.13 已補四包 owner response validation rollup,22 個 templates、received / accepted / rejected 皆為 0 | | GitHub primary rollback ADR | S4.4 已建立;7 個 in-scope rollback drafts、0 個 owner approved、0 個 dry-run completed、0 個 active cutover | | Gitea inventory | S4.5 已補認證清冊匯出請求;S4.6 已補匯入驗收契約;S4.7 已補 owner coverage attestation;S4.8 已把既有 Gitea queue/gate/review packet/follow-up gate 對齊 attestation 先行;S4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response 收件包、6 個 intake preflight checks 與 5 個 outcome lanes;目前 status=`partial_waiting_authenticated_inventory`、未認證公開範圍 repos 2 個、本機可見 Gitea unique repos 4 個、匯出來源選項 2 類、匯入驗收 payload 0 筆、owner attestation items 5 個、收到 attestation 0 筆、owner response 0 筆、audit events emitted 0 筆、敏感 payload 必須隔離、允許收集 token value=false | -| Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;S4.12 補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 5 個 owner response templates;0 個 inventory complete、audit events emitted 0 筆、禁止收集 secret value、禁止 write token | +| Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence;S4.3 補 7 個 repos、5 類 lanes 的 redacted export request;S4.12 補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 owner response templates;0 個 inventory complete、audit events emitted 0 筆、禁止收集 secret value、禁止 write token | | Owner response validation | S4.13 已建立;四包 owner response 目前 received/accepted 皆為 0;4 條 missing response lanes、4 步 collection order 與 next collection candidate 可供 AwoooP 直接顯示;下一個建議收件為 S4.9 Gitea owner attestation;latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`,不代表 owner response 已收到或任何執行授權 | | Dry-run | `contract_defined_not_executed`;已納入 `CHECK_PROGRESS_GUARD` 與 `CHECK_OWNER_RESPONSE_GUARD`,latest local validation 為 `repo_snapshot_guard_pass`,仍不代表 production ingestion | | Runtime actions | `false` | @@ -69,6 +69,7 @@ | S4.12 audit event templates | framework detail | 0 | event templates 仍為 `template_only_not_emitted`,emitted 仍為 0,不代表 production ingestion、secret value collection、workflow 修改、runner 啟用或 primary 授權 | | S4.12 redaction examples | framework detail | 0 | 只示範安全 metadata shape,不代表 owner response received / accepted 或 secret value collection、workflow 修改、runner 啟用授權 | | S4.12 collection checks | framework detail | 0 | 只維持 request / received / accepted 狀態分離,不代表 owner response received / accepted、secret value collection、workflow 修改、runner 啟用或 primary 授權 | +| S4.12 intake preflight checks | framework detail | 0 | 只分類可審、補證、隔離或拒收,不代表 owner response accepted、secret 建立、workflow 修改、runner 啟用或 primary 授權 | headline 進度要再往上,至少需要下列任一高層 gate 有實質 evidence: @@ -115,10 +116,10 @@ python3 scripts/security/security-mirror-progress-guard.py 4. GitHub target / owner / visibility / canonical:先依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 owner decision response templates;received / accepted response 目前皆為 0,不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo creation、visibility change、refs sync 或 primary approval。 5. Kali `/execute` 維持 block candidate。 6. Refs truth owner response:先依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 顯示 main/dev truth、deprecated drift、release tag、GitHub-only refs 的 5 個 response templates;received / accepted response 目前皆為 0,audit events emitted 仍為 0,不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 refs sync、delete、force push 或 primary approval。 -7. Workflow / secret 名稱 owner response:先依 S4.12 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 顯示 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 5 個 response templates;received / accepted response 目前皆為 0,audit events emitted 仍為 0,不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 secret value 收集、workflow 修改、GitHub hosted runner 啟用或 primary approval。 +7. Workflow / secret 名稱 owner response:先依 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 顯示 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 5 個 response templates;received / accepted response 目前皆為 0,audit events emitted 仍為 0,不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value 收集、workflow 修改、GitHub hosted runner 啟用或 primary approval。 8. Owner response validation rollup:先依 S4.13 顯示 S4.9/S4.10/S4.11/S4.12 四包 response packets、22 個 templates、10 個 cross-packet checks 與 quarantine rules;不得把 rollup 當成 approval、runtime gate 或 execution authorization。 9. GitHub primary readiness blockers 與 rollback ADR 缺口。 10. S4.4 GitHub primary rollback ADR 草案:先顯示 7 個 repo 的 rollback owner、validation window 與 triggers,owner approval 前不可執行。 -11. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence,再依 S4.3 redacted export request 與 S4.12 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / 收件包補 webhook / runner / deploy key / branch protection / repository secret parity;只保存名稱與 owner,不保存 value,不使用 write token。 +11. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence,再依 S4.3 redacted export request 與 S4.12 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包補 webhook / runner / deploy key / branch protection / repository secret parity;只保存名稱與 owner,不保存 value,不使用 write token。 任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence,不得由本 rollup 自動觸發。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md index 3d8c79ee3..ecca62aa6 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md @@ -50,7 +50,7 @@ | `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類;S4.11 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,5 templates、received 0、audit events emitted 0 | `source-control-ref-truth-classification.snapshot.json` / `source-control-ref-truth-owner-response.snapshot.json` | | `source_control_primary_readiness_gate_v1` | approval-only | GitHub primary readiness / parity gate | `source-control-primary-readiness-gate.snapshot.json` | | `source_control_primary_rollback_adr_v1` | approval-only | GitHub primary rollback ADR 草案與 validation window | `source-control-primary-rollback-adr.snapshot.json` | -| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.2 已補 local evidence,S4.3 已補 redacted export request,S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包 | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` / `source-control-workflow-secret-name-export-request.snapshot.json` / `source-control-workflow-secret-name-owner-response.snapshot.json` | +| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate;S4.2 已補 local evidence,S4.3 已補 redacted export request,S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包 | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` / `source-control-workflow-secret-name-export-request.snapshot.json` / `source-control-workflow-secret-name-owner-response.snapshot.json` | | `local_repo_canonical_probe_v1` | mirror-only | momo/ewoooc lineage evidence | `local-repo-canonical-ewoooc-momo.snapshot.json` | | `git_remote_refs_probe_v1` | mirror-only | 110 / GitHub remote refs readiness | `bitan-tsenyang`、`wooo-infra-config` | | `approval_required_event_v1` | approval-only | 高風險 / 敏感邊界 approval | `gitea-readonly-inventory-approval.snapshot.json` | @@ -62,7 +62,7 @@ 3. 將 snapshot mirror 成 Runtime State / Channel Event / Audit evidence。 4. 讀到 `source-control-ref-truth-owner-response.snapshot.json` 時,只顯示 S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、response templates、acceptance checks 與 rejection rules;不得新增 refs action。 5. 讀到 `source-control-owner-response-validation-rollup.snapshot.json` 時,只顯示 S4.9/S4.10/S4.11/S4.12 四個 response packets 的總覽:22 個 templates、received / accepted / rejected 皆為 0、cross-packet checks 10 個;不得把 rollup 當成 approval 或 execution authorization。 -6. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`github_target_decision_v1` 只能顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner decision response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 repo creation、visibility change、refs sync 或 primary switch;`source_control_workflow_secret_name_inventory_v1` 只能顯示 S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、owner response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 secret collection、workflow 修改或 runner 啟用;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner response 收件包、intake preflight checks、outcome lanes 與覆蓋缺口,不得觸發 token collection 或 Gitea write。 +6. 只對 `approval_required_event_v1`、repo approval package、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1` 建 approval candidate / review lane / next-state display / runtime gate preparation / primary readiness display / rollback ADR display / workflow-secret name inventory gate / redacted export request display;`github_target_decision_v1` 只能顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner decision response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 repo creation、visibility change、refs sync 或 primary switch;`source_control_workflow_secret_name_inventory_v1` 只能顯示 S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner response templates、received_response_count=0、acceptance checks 與 rejection rules,不得觸發 secret collection、workflow 修改或 runner 啟用;`gitea_repo_inventory_v1` 只能顯示 S4.5 認證匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation request、S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、owner response 收件包、intake preflight checks、outcome lanes 與覆蓋缺口,不得觸發 token collection 或 Gitea write。 7. 不新增執行按鈕,不做 runtime enforcement。 ## 3. 永久禁止 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index e99d857ba..4b9e4257f 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -27,7 +27,7 @@ python3 scripts/security/security-mirror-progress-guard.py ### 0.2 Headline 58% 不代表停滯 -近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks,以及 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 +近期 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks,以及 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 都是有效進展,但它們是 framework detail,不是 owner response、runtime gate 或 GitHub primary readiness。因此 headline 仍維持 58%,避免把只讀框架誤算成已落地執行。 | 最近完成 | 目前狀態 | headline delta | |----------|----------|----------------| @@ -48,6 +48,7 @@ python3 scripts/security/security-mirror-progress-guard.py | S4.12 audit event templates | 已完成草案,`emitted_event_count=0`,只定義脫敏 metadata | 0 | | S4.12 redaction examples | 已完成草案,只示範安全 metadata shape | 0 | | S4.12 collection checks | 已完成草案,只維持 request / received / accepted 狀態分離 | 0 | +| S4.12 intake preflight checks | 已完成草案,只分類可審、補證、隔離或拒收 | 0 | headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner response 收到並通過脫敏驗收,或人工批准後出現 active runtime gate、redacted payload ingestion、GitHub primary readiness 這類落地 evidence。 @@ -84,7 +85,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | S4.1 Workflow / Secret 名稱 inventory 契約 | 完成草案 | `source_control_workflow_secret_name_inventory_v1` 已建立;8 個 candidate repos、7 個 in-scope repos 尚缺實際 inventory、0 個 complete、禁止收集 secret value | AwoooP 可顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱缺口,不可修改 workflow 或 secret | | S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot;7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence;仍不可切 primary | | S4.3 Workflow / Secret 名稱 redacted export request | 完成草案 | 已建立 export request schema / snapshot / 人讀版;7 個 in-scope repos、5 類 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;write token allowed=false | repo owner 或未來只讀 API 依 request 補 redacted export;仍不可收 secret value、不可修改 GitHub/Gitea | -| S4.12 Workflow / Secret Name Owner Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、5 個 response templates、8 個 acceptance checks、10 個 rejection rules、candidate repos 8、in-scope repos 7、received response 0、accepted 0、audit events emitted 0、execution authorized=false | owner 依 request packet、template status ledger、audit event templates、redaction examples、collection checks 與模板回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;response 通過只更新 read-only inventory / export request / readiness wording,不代表收 secret value、改 workflow、啟用 runner 或 primary approval | +| S4.12 Workflow / Secret Name Owner Response 收件包 | 完成草案 | 已建立 owner response schema / snapshot / 人讀版;1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 response templates、8 個 acceptance checks、10 個 rejection rules、candidate repos 8、in-scope repos 7、received response 0、accepted 0、audit events emitted 0、execution authorized=false | owner 依 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與模板回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity;response 通過只更新 read-only inventory / export request / readiness wording,不代表收 secret value、改 workflow、啟用 runner 或 primary approval | | S4.13 Source Control Owner Response Validation Rollup | 完成草案 | 已建立 validation rollup schema / snapshot / 人讀版;彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets、4 條 missing response lanes、4 步 owner response collection order、next collection candidate、22 個 response templates、10 個 cross-packet checks、40 個 rejection rules、received / accepted / rejected response 皆為 0、execution authorized=false;latest local validation 為 `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK` | AwoooP 可顯示四包 owner response 驗收總覽、缺口摘要、建議收件順序、下一個建議收件項目與 quarantine rules;rollup 不代表 approval、runtime gate、repo / refs / workflow / secret / runner 執行授權或 primary approval | | S4.4 GitHub Primary rollback ADR | 完成草案 | 已建立 rollback ADR schema / snapshot / 人讀版;7 個 in-scope rollback drafts、0 owner approved、0 dry-run completed、0 active cutover | repo owner 審查 rollback owner、validation window 與 triggers;仍不可切 primary 或執行 rollback | | S4.5 Gitea 認證清冊匯出請求 | 完成草案 | 已建立匯出請求 schema / snapshot / 人讀版;目前未認證公開範圍 repo 2 個、本機可見 Gitea unique repo 4 個、覆蓋缺口 2 個、匯出來源選項 2 類;允許收集 token value=false | repo owner 依只讀 token API 或已脫敏管理匯出補私有 / 內部全量 repo list;仍不可保存 token、不可 write Gitea、不可 refs sync | @@ -210,10 +211,10 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons 1. 先依 S4.9 `GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md` 收到並驗收 S4.7 `GITEA-INVENTORY-COVERAGE-ATTESTATION.md` 的 owner response;S4.8 已把這件事接到既有 approval queue / gate / review packet / follow-up runtime gate。之後再依 S4.5 `GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md` 取得 Gitea 認證清冊;收到 payload 後依 S4.6 `GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md` 驗收 / 拒收 / 隔離。目前未認證公開範圍 2 個、本機可見 Gitea unique 4 個、覆蓋缺口 2 個、attestation items 5 個、owner response 0 筆;只能用只讀 token API 或已脫敏管理匯出補私有 / 內部 server-side 全量 repo list,不保存 token value。 2. 依 S4.10 `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 與 `SOURCE-CONTROL-APPROVAL-BOARD.md` 對 7 個 `approval_required=true` 的 GitHub target 做 owner / visibility / canonical response;目前 response 0 筆、accepted 0 筆,通過後也只更新 read-only decision table / approval package / readiness gate,不代表 repo creation、visibility change、refs sync 或 primary approval。 3. 依 S4.11 `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 `SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` 對 `awoooi`、`clawbot-v5`、`wooo-aiops` 做單 repo / 單 ref owner response 驗收;audit event templates 目前 0 emitted,redaction examples 只示範安全 metadata shape,collection checks 只維持 request / received / accepted 分離,preflight 只分類可審、補證、隔離、拒收或等待,response 通過也只更新 read-only classification / reconcile / readiness wording,仍不得 push/delete refs 或 force push。 -4. 依 S4.12 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` request packet / template status ledger / audit event templates / redaction examples 與 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` 對 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 做 owner response 驗收;request packet 只顯示要回覆欄位與拒收 payload,template status ledger 只顯示 waiting,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範安全 metadata shape,不代表已送出、已收到或 production ingestion,response 通過也只更新 read-only inventory / export request / readiness wording,仍不得收 secret value、改 workflow 或啟用 runner。 +4. 依 S4.12 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 與 `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md` 對 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 做 owner response 驗收;request packet 只顯示要回覆欄位與拒收 payload,template status ledger 只顯示 waiting,audit event templates 只定義 0 emitted 的脫敏 metadata,redaction examples 只示範安全 metadata shape,collection checks 只維持 request / received / accepted 分離,preflight 只分類可審、補證、隔離或拒收,不代表已送出、已收到、已接受或 production ingestion,response 通過也只更新 read-only inventory / export request / readiness wording,仍不得收 secret value、改 workflow 或啟用 runner。 5. 依 S4.13 `SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md` 集中檢查 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets;rollup 通過也只更新 read-only wording,不代表 approval 或 execution authorization。 6. 對 `ewoooc` / `momo-pro-system` 完成 server-side canonical 判定。 7. 依 `KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 取得 safe crawl、credentialed scan、runtime ingestion、full-upgrade / reboot 等 gate 的人工批准;不得直接接 `/execute`。 -8. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、S4.13 `source_control_owner_response_validation_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / 收件包,GitHub target 決策需同時顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response templates,refs truth 需同時顯示 S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request、S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、6 個 collection checks 與 5 個 owner response templates,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 +8. AwoooP 主線先讀 `security_mirror_readiness_v1`、`security_mirror_intake_plan_v1`、`security_mirror_event_v1`、`security_mirror_route_v1`、`security_mirror_acceptance_v1`、`security_mirror_quarantine_v1`、`security_mirror_dry_run_v1`、`security_mirror_status_rollup_v1`、S4.13 `source_control_owner_response_validation_rollup_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1` 與 `source_control_workflow_secret_name_inventory_v1`,只建立 mirror-only / read-only policy 入口,不新增執行按鈕;其中 Gitea inventory 需同時顯示 S4.5 認證清冊匯出請求、S4.6 匯入驗收契約、S4.7 owner coverage attestation 與 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / 收件包,GitHub target 決策需同時顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response templates,refs truth 需同時顯示 S4.11 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 templates,workflow / secret inventory 需同時顯示 S4.3 redacted export request、S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 5 個 owner response templates,primary readiness 需同時顯示 S4.4 rollback ADR 草案。 9. AwoooP 主線消費 `security_rollout_policy_v1` 時,只做 read-only policy,不做 runtime blocking。 -10. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response request packet、S4.9 owner response template status ledger、S4.9 owner response audit event templates、S4.9 owner response redaction examples、S4.9 owner response display sections、S4.9 owner response collection checks、S4.9 owner response templates、S4.10 GitHub target owner response request packet、S4.10 GitHub target owner response template status ledger、S4.10 GitHub target owner response audit event templates、S4.10 GitHub target owner response redaction examples、S4.10 GitHub target owner response collection checks、S4.10 GitHub target owner response intake preflight checks、S4.10 GitHub target owner response templates、S4.11 refs truth owner response request packet、S4.11 refs truth owner response template status ledger、S4.11 refs truth owner response audit event templates、S4.11 refs truth owner response redaction examples、S4.11 refs truth owner response collection checks、S4.11 refs truth owner response intake preflight checks、S4.11 refs truth owner response templates、S4.12 workflow / secret 名稱 owner response request packet、S4.12 workflow / secret 名稱 owner response template status ledger、S4.12 workflow / secret 名稱 owner response audit event templates、S4.12 workflow / secret 名稱 owner response redaction examples、S4.12 workflow / secret 名稱 owner response templates、S4.13 owner response validation rollup、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 +10. AwoooP 主線再讀 `security_approval_queue_v1`、`security_approval_gate_v1`、`security_approval_decision_record_v1`、`security_approval_review_packet_v1`、`security_approval_state_transition_v1`、`security_followup_runtime_gate_v1`、`source_control_primary_readiness_gate_v1`、`source_control_primary_rollback_adr_v1`、`source_control_workflow_secret_name_inventory_v1` 與 `security_supply_chain_contract_manifest_v1`,顯示 review order、批准範圍、審查封包、決策紀錄、決策後狀態、後續 runtime gate 準備條件、Gitea inventory 覆蓋缺口、S4.5 認證匯出請求、S4.6 匯入驗收 / 隔離規則、S4.7 owner attestation items、S4.9 owner response request packet、S4.9 owner response template status ledger、S4.9 owner response audit event templates、S4.9 owner response redaction examples、S4.9 owner response display sections、S4.9 owner response collection checks、S4.9 owner response templates、S4.10 GitHub target owner response request packet、S4.10 GitHub target owner response template status ledger、S4.10 GitHub target owner response audit event templates、S4.10 GitHub target owner response redaction examples、S4.10 GitHub target owner response collection checks、S4.10 GitHub target owner response intake preflight checks、S4.10 GitHub target owner response templates、S4.11 refs truth owner response request packet、S4.11 refs truth owner response template status ledger、S4.11 refs truth owner response audit event templates、S4.11 refs truth owner response redaction examples、S4.11 refs truth owner response collection checks、S4.11 refs truth owner response intake preflight checks、S4.11 refs truth owner response templates、S4.12 workflow / secret 名稱 owner response request packet、S4.12 workflow / secret 名稱 owner response template status ledger、S4.12 workflow / secret 名稱 owner response audit event templates、S4.12 workflow / secret 名稱 owner response redaction examples、S4.12 workflow / secret 名稱 owner response collection checks、S4.12 workflow / secret 名稱 owner response intake preflight checks、S4.12 workflow / secret 名稱 owner response templates、S4.13 owner response validation rollup、GitHub primary readiness blockers、rollback ADR 草案、workflow / secret 名稱 inventory 缺口、redacted export request 與 blocked reason,不新增 execution router。 diff --git a/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md b/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md index 72c64e6a1..79bd3fc84 100644 --- a/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md +++ b/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md @@ -124,7 +124,7 @@ Repo-by-repo approval package 已建立,7 個 approval-required targets 皆為 Ref truth classification 已建立,將 `awoooi`、`clawbot-v5`、`wooo-aiops` 的 141 個 refs 差異拆成 review lane。`main` / `dev` 屬真相來源判定,`drift/adopt-*` 先列 deprecated candidate,release / UAT tags 先列保留判定;S4.11 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,5 個 templates、received / accepted response 皆為 0、audit events emitted 仍為 0。不得把分類結果、request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 直接執行成同步、刪除、force push 或 primary switch。 -Workflow / secret name owner response 已建立,S4.12 補 1 個 request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 5 個 templates,對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;received / accepted response 皆為 0、audit events emitted 仍為 0。不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 secret value collection、workflow modification、GitHub hosted runner enablement 或 primary approval。 +Workflow / secret name owner response 已建立,S4.12 補 1 個 request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 templates,對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;received / accepted response 皆為 0、audit events emitted 仍為 0。不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value collection、workflow modification、GitHub hosted runner enablement 或 primary approval。 Owner response validation rollup 已建立,S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets,22 個 templates、10 個 cross-packet checks,received / accepted response 皆為 0。不得把 rollup 當成 approval、runtime gate 或 execution authorization。 @@ -158,7 +158,7 @@ Ref truth classification 補充:完整 review lane 見 `docs/security/SOURCE-C 1. 先批准 Gitea read-only inventory package,再用只讀 token 或管理匯出補齊 Gitea server repo list。 2. 依 GitHub target repo-by-repo approval package 處理 7 個 approval-required target。 3. 依 S4.11 ref truth owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包與 classification 釐清 `wooo/awoooi`、`wooo/clawbot-v5`、`wooo/wooo-aiops` 的雙端分歧來源;仍不得 push/delete refs。 -4. 依 S4.12 workflow / secret name owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / 收件包補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition;仍不得收 secret value、改 workflow 或啟用 hosted runner。 +4. 依 S4.12 workflow / secret name owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition;仍不得收 secret value、改 workflow 或啟用 hosted runner。 5. 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation;仍不得把 rollup 當 approval 或 execution authorization。 6. 釐清 `wooo/ewoooc`、`root/momo-pro-system`、`momo-pro-system`、`momo_pro_system` 的 canonical 關係。 7. 釐清 `bitan-pharmacy`、`tsenyang-website` 是否仍 active,並決定 GitHub owner / visibility。 diff --git a/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md b/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md index 1ce615346..dc439a4da 100644 --- a/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md +++ b/docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md @@ -58,7 +58,7 @@ S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runt | S4.9 Gitea owner attestation response | `GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md` | 5 | 等待 response | | S4.10 GitHub target owner decision response | `GITHUB-TARGET-OWNER-DECISION-RESPONSE.md` | 7 | 等待 response | | S4.11 refs truth owner response | `SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md` | 5 | 等待 response | -| S4.12 workflow / secret name owner response | `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` | 5 | request packet / template status ledger / audit event templates / redaction examples / collection checks 已定義,等待 response | +| S4.12 workflow / secret name owner response | `SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` | 5 | request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 已定義,等待 response | ## 2.1 AwoooP 可顯示的缺口摘要 @@ -67,7 +67,7 @@ S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runt | S4.9 Gitea owner attestation | 5 個 response templates 尚未收到 | Owner 回覆 5 個 Gitea coverage attestation items,只引用脫敏 evidence refs | 不收 token value、不寫 Gitea、不 sync refs、不切 primary | | S4.10 GitHub target decision | 7 個 response templates 尚未收到 | Owner 依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 回覆 7 個 GitHub target 的 owner / visibility / canonical disposition | 不建 repo、不改 visibility、不 sync refs、不切 primary | | S4.11 refs truth | 5 個 response templates 尚未收到 | Owner 依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 回覆 refs truth、deprecated drift、release tags 與 GitHub-only refs disposition | 不 fetch / push / delete refs、不 force push、不切 primary | -| S4.12 workflow / secret name | 1 個 request packet 已定義、5 個 template statuses 仍 waiting、3 個 audit event templates 仍 0 emitted、5 個 redaction examples、6 個 collection checks 已定義、5 個 response templates 尚未收到 | Owner 依 request packet、audit event templates、redaction examples 與 collection checks 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、secret name parity 的脫敏狀態 | 不收 secret value、不改 workflow、不啟用 runner、不切 primary | +| S4.12 workflow / secret name | 1 個 request packet 已定義、5 個 template statuses 仍 waiting、3 個 audit event templates 仍 0 emitted、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 已定義、5 個 response templates 尚未收到 | Owner 依 request packet、audit event templates、redaction examples、collection checks 與 intake preflight checks 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、secret name parity 的脫敏狀態 | 不收 secret value、不改 workflow、不啟用 runner、不切 primary | ## 2.2 建議收件順序 diff --git a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md index c6fc17a18..2a854d368 100644 --- a/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md +++ b/docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md @@ -39,7 +39,7 @@ |------|----------|------| | Gitea authenticated inventory | blocked | private/internal 全量 repo list 尚未完成;S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections 與 collection checks 已可顯示,但 S4.7 owner coverage attestation response 仍未收到,audit events emitted 仍為 0;S4.13 已集中顯示四包 owner response validation,但 total accepted response 仍為 0 | | refs truth / branch-tag parity | blocked | 3 個 mapped repos 仍有 refs drift;S4.11 已補 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,received / accepted response 皆為 0、audit events emitted 仍為 0 | -| workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包,received / accepted response 皆為 0、audit events emitted 仍為 0;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot | +| workflow / runner / secret name parity | missing evidence | S4.1 已建立 inventory 契約;S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,received / accepted response 皆為 0、audit events emitted 仍為 0;尚未有實際 redacted workflow、webhook、runner、secret 名稱 snapshot | | owner / visibility / canonical | pending review | 7 個 in-scope targets 仍需人工決策;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,received / accepted response 皆為 0 | | rollback ADR | pending review | S4.4 已建立 rollback ADR 草案;7 個 in-scope repos 仍需 owner approval、dry-run 與 validation window | @@ -48,11 +48,11 @@ 1. 顯示每個 repo 的 readiness state、blockers 與 evidence refs。 2. 顯示 `primary_ready_count=0`。 3. 將 7 個 in-scope repos 維持在 approval / review lane。 -4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / owner response、S4.10 GitHub target owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.11 refs truth owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.12 workflow / secret name owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / owner response、S4.13 validation rollup、workflow/runner/secret name inventory、rollback ADR。 +4. 顯示哪些 evidence 仍缺:Gitea authenticated inventory、S4.7 owner coverage attestation、S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / owner response、S4.10 GitHub target owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.11 refs truth owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.12 workflow / secret name owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response、S4.13 validation rollup、workflow/runner/secret name inventory、rollback ADR。 5. 連到 S4.10 `github_target_owner_decision_response_v1` 顯示 1 個 owner response request packet、7 個 owner response template statuses、3 個 owner response audit event templates、5 個 owner response redaction examples、6 個 owner response collection checks、6 個 intake preflight checks、7 個 owner decision response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0。 6. 連到 S4.11 `source_control_ref_truth_owner_response_v1` 顯示 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 refs owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0、audit events emitted 仍為 0。 7. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner,不保存 value。 -8. 連到 S4.12 `source_control_workflow_secret_name_owner_response_v1` 顯示 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、5 個 owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0、audit events emitted 仍為 0。 +8. 連到 S4.12 `source_control_workflow_secret_name_owner_response_v1` 顯示 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 owner response templates、8 個 acceptance checks、10 個 rejection rules,且 received / accepted response 皆為 0、audit events emitted 仍為 0。 9. 連到 S4.13 `source_control_owner_response_validation_rollup_v1` 顯示四包 owner response validation 狀態:22 個 templates、10 個 cross-packet checks、received / accepted / rejected response 皆為 0。 10. 連到 `source_control_primary_rollback_adr_v1` 顯示 7 個 in-scope repos 的 rollback owner、trigger 與 validation window 草案。 11. 把狀態寫入 Audit evidence 與 Operator Console。 @@ -71,6 +71,6 @@ S4.0 只是把「切換前一定要看見什麼」先定義清楚。 -S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、收件包、preflight 與 outcome lanes,S4.10 已補上 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.11 已補上 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.12 已補上 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包,S4.13 已補上四包 owner response validation rollup;它們只是 scope decision、response 收件提示、metadata audit template、脫敏範例、只讀收件檢查、只讀 preflight、只讀顯示順序與驗收框架,不是 audit production ingestion、migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval、secret value collection approval、workflow modification approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 +S4.4 已補上 rollback ADR 草案,但它只是 owner review 的資料包,不是切換批准。S4.7 已補上 Gitea coverage owner attestation,S4.9 已補上 Gitea owner response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks、收件包、preflight 與 outcome lanes,S4.10 已補上 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.11 已補上 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.12 已補上 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,S4.13 已補上四包 owner response validation rollup;它們只是 scope decision、response 收件提示、metadata audit template、脫敏範例、只讀收件檢查、只讀 preflight、只讀顯示順序與驗收框架,不是 audit production ingestion、migration approval、repo creation approval、visibility change approval、refs sync approval、delete approval、force-push approval、secret value collection approval、workflow modification approval 或 primary approval。`owner_approved_count=0`、`dry_run_completed_count=0`、`active_cutover_count=0`。 這讓長期回到 GitHub 的方向可以繼續往前,但仍維持低摩擦:目前只 mirror、只顯示、只留痕,不執行。 diff --git a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md index e1ab8075a..335d643ca 100644 --- a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md +++ b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md @@ -15,7 +15,7 @@ S4.3 把 S4.2 還缺的控制面 evidence 拆成可交接的 redacted export request。 -這不是 API 執行、不是 GitHub primary cutover、也不是 workflow / secret 修改。它只是告訴 repo owner 或未來只讀匯出工具:每個 repo 要補哪些欄位、哪些欄位可以保存、哪些敏感值必須拒收。S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包,讓請求、等待狀態、0 emitted 脫敏 audit metadata、安全回覆範例與回覆可審、可驗收、可拒收,但仍不授權任何變更。 +這不是 API 執行、不是 GitHub primary cutover、也不是 workflow / secret 修改。它只是告訴 repo owner 或未來只讀匯出工具:每個 repo 要補哪些欄位、哪些欄位可以保存、哪些敏感值必須拒收。S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,讓請求、等待狀態、0 emitted 脫敏 audit metadata、安全回覆範例與回覆可審、可驗收、可拒收,但仍不授權任何變更。 ## 1. 摘要 @@ -30,6 +30,7 @@ S4.3 把 S4.2 還缺的控制面 evidence 拆成可交接的 redacted export req | S4.12 audit event templates | 3 | | S4.12 redaction examples | 5 | | S4.12 collection checks | 6 | +| S4.12 intake preflight checks | 6 | | S4.12 response templates | 5 | | S4.12 received / accepted / rejected | `0 / 0 / 0` | | Webhook export request repos | 2 | @@ -71,7 +72,7 @@ S4.3 把 S4.2 還缺的控制面 evidence 拆成可交接的 redacted export req 3. 顯示 GitHub hosted runner 可能造成額度消耗的 review lane。 4. 把完成的 redacted export 作為 Audit evidence 等待人工審查。 5. 若 payload 含敏感值,送進 mirror quarantine。 -6. 顯示 S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、templates、acceptance checks 與 rejection rules。 +6. 顯示 S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、templates、acceptance checks 與 rejection rules。 ## 5. AwoooP 不可做 @@ -85,6 +86,6 @@ S4.3 把 S4.2 還缺的控制面 evidence 拆成可交接的 redacted export req S4.1 建立 inventory gate,S4.2 補本機 workflow / CODEOWNERS / referenced secret name evidence,S4.3 補「下一步匯出請求包」。 -S4.12 補「owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包」,固定 5 類 export lanes 的請求欄位、等待狀態、0 emitted 脫敏 audit metadata、安全回覆範例、回覆欄位與拒收規則,避免後續誤收 secret value、誤用 write token、誤啟 GitHub hosted runner 或誤改 workflow。 +S4.12 補「owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包」,固定 5 類 export lanes 的請求欄位、等待狀態、0 emitted 脫敏 audit metadata、安全回覆範例、只讀收件檢查、只讀 preflight、回覆欄位與拒收規則,避免後續誤收 secret value、誤用 write token、誤啟 GitHub hosted runner 或誤改 workflow。 這仍然是低摩擦框架期:先把資料責任、欄位邊界與拒收規則定清楚,避免後續真的接 owner export 或只讀 API 時誤收秘密值、誤用 write token,或誤把資料補齊當成主控切換批准。 diff --git a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md index c7070f4c9..48152d1c7 100644 --- a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md +++ b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md @@ -24,7 +24,7 @@ S4.2 已補本機可見 evidence:4 個 repos 有 workflow / CODEOWNERS evidenc S4.3 已補 redacted export request package:7 個 in-scope repos 需要 owner / read-only export,5 類 export lanes 包含 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;所有 export 都禁止 secret value 與 write token。 -S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包:1 個 request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 5 個 response templates 對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;目前 received / accepted response 皆為 0、audit events emitted 仍為 0。response 通過也只更新 read-only evidence,不代表修改 workflow、secret、runner、deploy key 或 branch protection。 +S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包:1 個 request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 response templates 對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity;目前 received / accepted response 皆為 0、audit events emitted 仍為 0。response 通過也只更新 read-only evidence,不代表修改 workflow、secret、runner、deploy key 或 branch protection。 ## 1. 目前狀態 @@ -46,6 +46,7 @@ S4.12 已補 owner response request packet、template status ledger、audit even | S4.12 audit event templates | 3 | | S4.12 redaction examples | 5 | | S4.12 collection checks | 6 | +| S4.12 intake preflight checks | 6 | | S4.12 response templates | 5 | | S4.12 received / accepted / rejected | `0 / 0 / 0` | @@ -70,7 +71,7 @@ S4.12 已補 owner response request packet、template status ledger、audit even 5. 將失敗或含敏感值 payload 交給 mirror quarantine。 6. 顯示 S4.2 本機 evidence 與仍缺的 API / export lanes。 7. 顯示 S4.3 export request 的欄位清單、拒收欄位與 acceptance gate。 -8. 顯示 S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、templates、acceptance checks 與 rejection rules。 +8. 顯示 S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、templates、acceptance checks 與 rejection rules。 ## 4. AwoooP 不可做 @@ -90,6 +91,6 @@ S4.2 讓本機可見 workflow / CODEOWNERS / referenced secret names 先形成 p S4.3 讓後續 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret parity 的 owner / read-only export 有明確的欄位、拒收規則與驗收 gate。 -S4.12 讓 owner response request、template status、audit event templates、redaction examples、collection checks 與 response 有固定收件格式與拒收規則,避免 GitHub hosted runner 額度風險、secret value、write token 或未脫敏 payload 被誤接進 AwoooP。 +S4.12 讓 owner response request、template status、audit event templates、redaction examples、collection checks、intake preflight checks 與 response 有固定收件格式與拒收規則,避免 GitHub hosted runner 額度風險、secret value、write token 或未脫敏 payload 被誤接進 AwoooP。 這仍是低摩擦框架期:只定義欄位、只顯示缺口、只留痕,不碰任何實際 secret 或發版流程。後續即使取得 redacted export,也只代表 evidence 可 review,不代表 GitHub primary ready。 diff --git a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md index 5bbfee0e4..c66478caf 100644 --- a/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md +++ b/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md @@ -36,6 +36,7 @@ S4.12 不是 secret 搬移、不是 workflow 修改、不是 runner 啟用、不 | audit event templates | 3 | | redaction examples | 5 | | collection checks | 6 | +| intake preflight checks | 6 | | response templates | 5 | | 已收到 response | 0 | | 已接受 response | 0 | @@ -110,6 +111,19 @@ Redaction examples 只示範 owner 可以怎麼安全回覆,全部維持 `temp Collection checks 只維持 request / received / accepted 分離,全部維持 `required=true`、`execution_authorized=false` 與 `not_approval=true`。即使 collection check pass,也不代表 owner response received、accepted、secret value collection、workflow 修改、webhook 修改、runner 啟用、deploy key rotation、branch protection change、repository secret change、refs sync 或 GitHub primary approval。 +## 1.6 Intake Preflight Checks + +| Check | 用途 | +|-------|------| +| `preflight-known-workflow-secret-lane` | 確認 response 對應 S4.12 五個 workflow / secret name templates 之一 | +| `preflight-required-workflow-secret-owner-fields` | 確認 owner、decision、repo、provider、lane-specific metadata 與 evidence refs 完整 | +| `preflight-allowed-workflow-secret-decision` | 確認 decision 落在該 template 的 acceptable decisions | +| `preflight-workflow-secret-redacted-evidence-only` | 只接受 repo 文件、snapshot、secret name list、redacted host、runner label、key name 或 ruleset metadata | +| `preflight-no-workflow-secret-execution-request` | 拒收 secret 建立 / rotate、workflow 修改、runner 啟用、write token、refs sync、Kali scan 或 runtime 要求 | +| `preflight-all-five-workflow-secret-lanes-before-accepted` | 接受前必須覆蓋五個 workflow / secret response templates | + +Intake preflight checks 只在收件前後分類 `ready_for_owner_review`、`request_more_evidence`、`quarantine_sensitive_payload` 或 `reject_execution_request`,全部維持 `required=true` 與 `execution_authorized=false`。Preflight pass 不是 accepted,不會建立 secret、改 workflow、啟用 runner、rotate key、修改 branch protection、sync refs、切 GitHub primary 或觸發 Kali scan。 + ## 2. Owner Response 必填欄位 每筆 response 至少要能回答: @@ -173,12 +187,13 @@ Collection checks 只維持 request / received / accepted 分離,全部維持 3. 顯示 3 個 audit event templates,全部維持 `template_only_not_emitted` 與 `emitted_event_count=0`。 4. 顯示 5 個 redaction examples,全部維持 `template_example_only` 與 `stored_raw_payload_allowed=false`。 5. 顯示 6 個 collection checks,全部維持 `required=true`、`execution_authorized=false` 與 `not_approval=true`。 -6. 顯示 5 個 owner response templates。 -7. 顯示 8 個 acceptance checks 與 10 個 rejection rules。 -8. 顯示 GitHub hosted runner 額度風險 review lane,但不啟用 hosted runner。 -9. 在 owner response 到來後,只更新 read-only inventory、export request、primary readiness blocker wording 與 status rollup。 -10. 將不完整或可疑 response 放進 mirror quarantine。 -11. 持續顯示 `received_response_count=0`、`accepted_response_count=0`,直到真的收到脫敏 response。 +6. 顯示 6 個 intake preflight checks,只分類可審、補證、隔離或拒收。 +7. 顯示 5 個 owner response templates。 +8. 顯示 8 個 acceptance checks 與 10 個 rejection rules。 +9. 顯示 GitHub hosted runner 額度風險 review lane,但不啟用 hosted runner。 +10. 在 owner response 到來後,只更新 read-only inventory、export request、primary readiness blocker wording 與 status rollup。 +11. 將不完整或可疑 response 放進 mirror quarantine。 +12. 持續顯示 `received_response_count=0`、`accepted_response_count=0`,直到真的收到脫敏 response。 ## 8. AwoooP 不可做 diff --git a/docs/security/security-approval-gate.snapshot.json b/docs/security/security-approval-gate.snapshot.json index 6d23f6053..548c87880 100644 --- a/docs/security/security-approval-gate.snapshot.json +++ b/docs/security/security-approval-gate.snapshot.json @@ -160,7 +160,7 @@ ], "allowed_after_approval": [ "依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 驗收 owner decision response", - "依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks 驗收 workflow / secret 名稱 owner response", + "依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 驗收 workflow / secret 名稱 owner response", "逐 repo 更新 owner/visibility/canonical decision", "更新 workflow / secret name parity read-only wording", "產生 draft reconcile plan 或 ADR", @@ -170,7 +170,7 @@ "建立 repo", "修改 visibility", "把 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo creation 或 visibility approval", - "把 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 secret value collection、workflow modification 或 runner enablement approval", + "把 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value collection、workflow modification 或 runner enablement approval", "push refs", "delete refs", "切 GitHub primary" diff --git a/docs/security/security-approval-queue.snapshot.json b/docs/security/security-approval-queue.snapshot.json index 26e73dda4..db6f2a3e5 100644 --- a/docs/security/security-approval-queue.snapshot.json +++ b/docs/security/security-approval-queue.snapshot.json @@ -126,7 +126,7 @@ "risk": "HIGH", "state": "pending_approval", "recommended_awooop_mode": "approve_required", - "requested_decision": "是否依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 逐 repo 收到並驗收 GitHub target、owner、visibility、canonical response,並依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks 驗收 workflow / secret 名稱 owner response;此 bundle 不授權執行。", + "requested_decision": "是否依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 逐 repo 收到並驗收 GitHub target、owner、visibility、canonical response,並依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 驗收 workflow / secret 名稱 owner response;此 bundle 不授權執行。", "blocked_until_approved": true, "required_reviewers": [ "migration-engineer", @@ -144,7 +144,7 @@ ], "allowed_after_approval": [ "依 S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 驗收 owner decision response", - "依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks 驗收 workflow / secret 名稱 owner response", + "依 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 驗收 workflow / secret 名稱 owner response", "逐 repo 更新 owner/visibility/canonical decision", "更新 workflow / secret name parity read-only wording", "產生 draft reconcile plan 或 ADR", @@ -154,7 +154,7 @@ "建立 repo", "修改 visibility", "把 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo creation 或 visibility approval", - "把 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 secret value collection、workflow modification 或 runner enablement approval", + "把 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value collection、workflow modification 或 runner enablement approval", "push refs", "delete refs", "切 GitHub primary" diff --git a/docs/security/security-approval-review-packet.snapshot.json b/docs/security/security-approval-review-packet.snapshot.json index 8e88f0698..4be5f1957 100644 --- a/docs/security/security-approval-review-packet.snapshot.json +++ b/docs/security/security-approval-review-packet.snapshot.json @@ -196,7 +196,7 @@ "allowed_pre_decision_actions": [ "顯示 7 個 approval-required target", "顯示 S4.10 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、owner response templates、received_response_count=0 與 rejection rules", - "顯示 S4.12 workflow / secret 名稱 owner response request packet、template statuses、audit event templates、redaction examples、collection checks、templates、received_response_count=0 與 rejection rules", + "顯示 S4.12 workflow / secret 名稱 owner response request packet、template statuses、audit event templates、redaction examples、collection checks、intake preflight checks、templates、received_response_count=0 與 rejection rules", "要求 repo owner 補 owner/visibility/canonical 判定", "維持 refs action disabled" ], @@ -208,7 +208,7 @@ "建立 repo", "修改 visibility", "把 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 repo creation 或 visibility approval", - "把 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 secret value collection、workflow modification 或 runner enablement approval", + "把 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value collection、workflow modification 或 runner enablement approval", "push refs", "delete refs", "切 GitHub primary" diff --git a/docs/security/security-followup-runtime-gate.snapshot.json b/docs/security/security-followup-runtime-gate.snapshot.json index 55d2a3d72..618c41e4d 100644 --- a/docs/security/security-followup-runtime-gate.snapshot.json +++ b/docs/security/security-followup-runtime-gate.snapshot.json @@ -158,7 +158,7 @@ "applies_after_decision": "approve_scope", "minimum_required_evidence": [ "S4.10 owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / decision response 驗收結果:docs/security/github-target-owner-decision-response.snapshot.json", - "S4.12 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與驗收結果:docs/security/source-control-workflow-secret-name-owner-response.snapshot.json", + "S4.12 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與驗收結果:docs/security/source-control-workflow-secret-name-owner-response.snapshot.json", "repo owner / visibility / canonical decision", "GitHub target 是否已存在的最新 probe", "workflow parity checklist", @@ -171,7 +171,7 @@ ], "preflight_checks": [ "確認 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 未被當成 repo creation、visibility change、refs sync 或 primary approval", - "確認 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 未被當成 secret value collection、workflow modification、runner enablement 或 primary approval", + "確認 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 未被當成 secret value collection、workflow modification、runner enablement 或 primary approval", "確認 not_found_or_private 不被當成可自動建立 repo", "確認 visibility change 仍未授權", "確認 refs action disabled", diff --git a/docs/security/security-mirror-dry-run.snapshot.json b/docs/security/security-mirror-dry-run.snapshot.json index 978de49a0..a7f5f2fe8 100644 --- a/docs/security/security-mirror-dry-run.snapshot.json +++ b/docs/security/security-mirror-dry-run.snapshot.json @@ -107,7 +107,7 @@ }, { "step_id": "CHECK_OWNER_RESPONSE_GUARD", - "expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_response,received / accepted 皆為 0,且 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / intake preflight / outcome lanes 只提示 owner,S4.10 owner response request packet 只提示 7 個 GitHub target 要回覆的 owner / visibility / canonical 欄位,S4.10 template status ledger 逐項顯示 waiting / request ready,S4.10 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.10 redaction examples 只顯示可接受的脫敏 metadata shape,S4.10 collection checks 只維持 request / received / accepted 分離,S4.10 intake preflight checks 只分類可收、補證、隔離或拒收,S4.11 request packet 只提示 5 類 refs truth owner response 欄位,S4.11 template status ledger 逐項顯示 waiting / request ready,S4.11 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.11 redaction examples 只顯示安全 metadata shape,S4.11 collection checks 只維持 request / received / accepted 分離,S4.11 intake preflight checks 只分類可審、補證、隔離、拒收或等待,S4.12 request packet 只提示 5 類 workflow / secret 名稱 owner response 欄位,S4.12 template status ledger 逐項顯示 waiting / request ready,S4.12 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.12 redaction examples 只顯示安全 metadata shape,S4.12 collection checks 只維持 request / received / accepted 分離;不能把 request shown、template status、response received metadata、redaction example、collection check pass、preflight pass 或 outcome classified 當成 approval,不能解鎖 repo、refs、workflow、secret、runner、GitHub primary、audit production ingestion 或 runtime action。", + "expected_observation": "AwoooP dry-run 必須確認 S4.9 / S4.10 / S4.11 / S4.12 四包 owner response 仍為 waiting_owner_response,received / accepted 皆為 0,且 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / collection checks / intake preflight / outcome lanes 只提示 owner,S4.10 owner response request packet 只提示 7 個 GitHub target 要回覆的 owner / visibility / canonical 欄位,S4.10 template status ledger 逐項顯示 waiting / request ready,S4.10 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.10 redaction examples 只顯示可接受的脫敏 metadata shape,S4.10 collection checks 只維持 request / received / accepted 分離,S4.10 intake preflight checks 只分類可收、補證、隔離或拒收,S4.11 request packet 只提示 5 類 refs truth owner response 欄位,S4.11 template status ledger 逐項顯示 waiting / request ready,S4.11 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.11 redaction examples 只顯示安全 metadata shape,S4.11 collection checks 只維持 request / received / accepted 分離,S4.11 intake preflight checks 只分類可審、補證、隔離、拒收或等待,S4.12 request packet 只提示 5 類 workflow / secret 名稱 owner response 欄位,S4.12 template status ledger 逐項顯示 waiting / request ready,S4.12 audit event templates 只定義 0 emitted 的脫敏 metadata,S4.12 redaction examples 只顯示安全 metadata shape,S4.12 collection checks 只維持 request / received / accepted 分離,S4.12 intake preflight checks 只分類可審、補證、隔離或拒收;不能把 request shown、template status、response received metadata、redaction example、collection check pass、preflight pass 或 outcome classified 當成 approval,不能解鎖 repo、refs、workflow、secret、runner、GitHub primary、audit production ingestion 或 runtime action。", "evidence_refs": [ "docs/security/source-control-owner-response-validation-rollup.snapshot.json", "docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md", diff --git a/docs/security/security-mirror-readiness.snapshot.json b/docs/security/security-mirror-readiness.snapshot.json index 3ec1afd00..f3f73e455 100644 --- a/docs/security/security-mirror-readiness.snapshot.json +++ b/docs/security/security-mirror-readiness.snapshot.json @@ -491,7 +491,7 @@ "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md", "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md" ], - "notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;S4.2 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names;S4.3 export request 有 7 個 repos、5 類 export lanes;S4.12 owner response request packet 1 個、template statuses 5 個、audit event templates 3 個、redaction examples 5 個、collection checks 6 個、templates 5 個、received_response_count=0、audit_events_emitted=0;secret_value_collection_allowed=false。" + "notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;S4.2 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names;S4.3 export request 有 7 個 repos、5 類 export lanes;S4.12 owner response request packet 1 個、template statuses 5 個、audit event templates 3 個、redaction examples 5 個、collection checks 6 個、intake preflight checks 6 個、templates 5 個、received_response_count=0、audit_events_emitted=0;secret_value_collection_allowed=false。" }, { "contract": "local_repo_canonical_probe_v1", diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json index e7697938d..99b517384 100644 --- a/docs/security/security-mirror-status-rollup.snapshot.json +++ b/docs/security/security-mirror-status-rollup.snapshot.json @@ -143,15 +143,15 @@ { "phase_id": "S4_migration_execution", "state": "not_started", - "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.11 已補 refs truth owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包;S4.12 已補 workflow / secret 名稱 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 intake packet;S4.13 已補四包 owner response validation rollup,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,S4.9/S4.11/S4.12 audit events emitted 仍 0 筆,GitHub target / refs truth / workflow-secret response 仍 0 筆。", - "next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 refs truth owner response templates、依 S4.12 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。" + "current_result": "GitHub primary 是長期方向;source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary ready;S4.1 已定義 workflow / secret 名稱 inventory 契約;S4.2 已補 local evidence;S4.3 已補 redacted export request;S4.4 已補 rollback ADR 草案;S4.5 已補 Gitea authenticated inventory export request;S4.6 已補 redacted import acceptance;S4.7 已補 owner coverage attestation request;S4.9 已補 Gitea owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;S4.10 已補 GitHub target owner decision response request packet、7 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.11 已補 refs truth owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與收件包;S4.12 已補 workflow / secret 名稱 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 intake packet;S4.13 已補四包 owner response validation rollup,彙整 22 個 templates、received=0、accepted=0,並標示 next_collection_candidate=S4.9,但 inventory status 仍 partial,S4.9/S4.11/S4.12 audit events emitted 仍 0 筆,GitHub target / refs truth / workflow-secret response 仍 0 筆。", + "next_gate": "依 S4.13 先集中檢查四包 owner response validation 狀態,AwoooP 只顯示 next_collection_candidate=S4.9 Gitea owner attestation,依 S4.9 owner response request packet 要求 owner 回覆,並用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離;再依 S4.9 收到並驗收 S4.7 Gitea owner response、依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 7 個 GitHub target owner / visibility / canonical response、依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 refs truth owner response templates、依 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 收到並驗收 5 個 workflow / secret 名稱 owner response templates、authenticated inventory payload 通過 S4.6 驗收、rollback ADR owner approval 與逐 repo 人工批准。" } ], "progress_display_policy": { "headline_percent": 58, "headline_status": "holding_until_owner_response_or_runtime_gate", "why_headline_is_holding": [ - "最近完成的是 S4.10 owner response request / status / audit / redaction / collection checks / intake preflight、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight,以及 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks 的框架細節,改善可見性與收件安全,但 owner response received / accepted 仍為 0。", + "最近完成的是 S4.10 owner response request / status / audit / redaction / collection checks / intake preflight、S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight,以及 S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 的框架細節,改善可見性與收件安全,但 owner response received / accepted 仍為 0。", "overall_percent 只在 owner response、redacted payload ingestion、active runtime gate、GitHub primary readiness 或 AwoooP production ingestion 這些高層 gate 有實質變化時調整。", "維持 58% 是為了避免把 read-only scaffold 誤算成 runtime enforcement、Kali scan、repo migration 或 GitHub primary cutover。" ], @@ -371,6 +371,18 @@ "runtime_delta": false, "execution_authorized": false, "not_authorization": true + }, + { + "delta_id": "s4_12_workflow_secret_name_owner_response_intake_preflight_checks", + "display_order": 18, + "completed_stage": "S4.12 workflow / secret 名稱 owner response intake preflight checks", + "progress_axis": "framework_detail", + "headline_percent_delta": 0, + "framework_delta_visible": true, + "why_headline_unchanged": "intake preflight checks 只分類可審、補證、隔離或拒收,received_response_count=0、accepted_response_count=0,不代表 secret value collection、workflow 修改、runner 啟用或 primary 授權。", + "runtime_delta": false, + "execution_authorized": false, + "not_authorization": true } ], "next_safe_actions": [ @@ -575,14 +587,14 @@ "source_contract": "source_control_workflow_secret_name_inventory_v1", "allowed_processing": [ "顯示 8 個 candidate repos 的 inventory lanes、4 個 repos 的 local evidence 與 7 個 repos 的 redacted export request", - "顯示 S4.12 owner response request packet、template statuses、audit event templates、redaction examples、collection checks、templates、received_response_count=0 與 rejection rules", + "顯示 S4.12 owner response request packet、template statuses、audit event templates、redaction examples、collection checks、intake preflight checks、templates、received_response_count=0 與 rejection rules", "要求 repo owner 補 redacted workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 snapshot", "顯示 GitHub hosted runner 額度風險與 self-hosted runner owner review lane", "response 通過後只更新 read-only inventory、export request 與 readiness blocker wording", "只保存 secret name、owner 與 present/absent metadata,不保存 value" ], "blocked_processing": [ - "把 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當成 workflow 修改、secret 建立、runner 啟用或 primary approval", + "把 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 workflow 修改、secret 建立、runner 啟用或 primary approval", "收集或保存 secret value", "修改 workflow 或 webhook", "啟用 GitHub hosted runner 或消耗 GitHub Actions 額度", @@ -626,7 +638,7 @@ "S4.9 只新增 Gitea owner attestation response request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks 與 response 收件包;owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_display_section_count=8、owner_response_collection_check_count=6、required_response_item_count=5、received_response_count=0、accepted_response_count=0、audit_events_emitted=0,不把 request packet、template status ledger、audit event templates、redaction examples、display sections、collection checks 或 response packet 當 inventory 執行、audit production ingestion 或 primary approval。", "S4.10 新增 GitHub target owner decision response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_request_packet_count=1、owner_response_template_status_count=7、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、response_template_count=7、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 repo creation、visibility change、refs sync 或 GitHub primary approval。", "S4.11 已新增 refs truth owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_request_packet_count=1、owner_response_template_status_count=5、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、response_template_count=5、received_response_count=0、accepted_response_count=0、audit_events_emitted=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 refs sync、delete、force push 或 GitHub primary approval。", - "S4.12 只新增 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包;owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、audit_events_emitted=0、response_template_count=5、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks 或 response packet 當 secret value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。", + "S4.12 只新增 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包;owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、audit_events_emitted=0、response_template_count=5、received_response_count=0、accepted_response_count=0,不把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當 secret value collection、workflow modification、GitHub hosted runner enablement 或 GitHub primary approval。", "S4.13 只新增 owner response validation rollup;response_packet_count=4、template_count=22、received_response_count=0、accepted_response_count=0、cross_packet_check_count=10、next_collection_candidate=S4.9,不把 rollup 當 approval、runtime gate 或 execution authorization。" ], "forbidden_actions": [ diff --git a/docs/security/security-supply-chain-contract-manifest.snapshot.json b/docs/security/security-supply-chain-contract-manifest.snapshot.json index f45bc2f01..5d4cbac0b 100644 --- a/docs/security/security-supply-chain-contract-manifest.snapshot.json +++ b/docs/security/security-supply-chain-contract-manifest.snapshot.json @@ -853,7 +853,7 @@ "sync_refs", "switch_github_primary" ], - "notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約;S4.2 已補 local evidence:4 repos、31 workflow files、43 個 referenced secret names;S4.3 已補 7 repos / 5 lanes 的 redacted export request;S4.12 已補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks 與 5 個 owner response templates,received_response_count=0、audit_events_emitted=0;仍不保存 secret value。" + "notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約;S4.2 已補 local evidence:4 repos、31 workflow files、43 個 referenced secret names;S4.3 已補 7 repos / 5 lanes 的 redacted export request;S4.12 已補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 owner response templates,received_response_count=0、audit_events_emitted=0;仍不保存 secret value。" }, { "contract": "local_repo_canonical_probe_v1", diff --git a/docs/security/source-control-owner-response-validation-rollup.snapshot.json b/docs/security/source-control-owner-response-validation-rollup.snapshot.json index 1c92b7546..0f55122b9 100644 --- a/docs/security/source-control-owner-response-validation-rollup.snapshot.json +++ b/docs/security/source-control-owner-response-validation-rollup.snapshot.json @@ -139,7 +139,7 @@ "source_contract": "source_control_workflow_secret_name_owner_response_v1", "response_packet": "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json", "human_doc": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md", - "scope_summary": "webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted owner response request / template status ledger / audit event templates / redaction examples / collection checks / response。", + "scope_summary": "webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted owner response request / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / response。", "response_template_count": 5, "received_response_count": 0, "accepted_response_count": 0, @@ -152,7 +152,8 @@ "template status ledger 只逐項顯示 waiting_owner_response,不代表 request sent、response received 或 accepted", "audit event templates 只定義 0 emitted 的脫敏 metadata,不代表 production ingestion 或 runtime authorization", "redaction examples 只示範安全回覆形狀,不代表 owner response received、accepted 或 secret value collection", - "collection checks 只維持 request / received / accepted 分離,不代表 owner response received、accepted 或 workflow / secret 執行授權" + "collection checks 只維持 request / received / accepted 分離,不代表 owner response received、accepted 或 workflow / secret 執行授權", + "intake preflight checks 只分類可審、補證、隔離或拒收,不代表 owner response accepted 或 workflow / secret 執行授權" ], "allowed_outputs": [ "更新 read-only workflow / secret name inventory wording", @@ -295,7 +296,7 @@ }, { "effect_id": "workflow_secret_owner_response_accepted", - "when_all_checks_pass": "S4.12 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 只作顯示,5 個 workflow / secret lanes 全部接受,且所有 evidence 已脫敏。", + "when_all_checks_pass": "S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 只作顯示,5 個 workflow / secret lanes 全部接受,且所有 evidence 已脫敏。", "allowed_update": "只更新 workflow / secret name inventory、redacted export request 與 readiness wording。", "still_forbidden": [ "store_secret_value", @@ -371,7 +372,7 @@ "received_response_count": 0, "accepted_response_count": 0, "current_status": "waiting_owner_response", - "next_owner_action": "Owner 需依 S4.12 request packet、template status ledger、audit event templates、redaction examples 與 collection checks 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的脫敏狀態;template status ledger 會維持 waiting、audit event templates 維持 0 emitted、redaction examples 只作參考,直到實際收到脫敏 response。", + "next_owner_action": "Owner 需依 S4.12 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的脫敏狀態;template status ledger 會維持 waiting、audit event templates 維持 0 emitted、redaction examples 只作參考,直到實際收到脫敏 response。", "awooop_display_mode": "observe_missing_response", "still_forbidden": [ "store_secret_value", diff --git a/docs/security/source-control-primary-readiness-gate.snapshot.json b/docs/security/source-control-primary-readiness-gate.snapshot.json index 87f2a5d50..f348707a6 100644 --- a/docs/security/source-control-primary-readiness-gate.snapshot.json +++ b/docs/security/source-control-primary-readiness-gate.snapshot.json @@ -103,7 +103,7 @@ ], "current_gap": [ "S4.1 已定義 workflow / webhook / runner / secret 名稱 inventory 契約,但尚未收集實際 redacted snapshot", - "S4.12 已建立 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包,但目前 received_response_count=0、accepted_response_count=0、audit_events_emitted=0", + "S4.12 已建立 workflow / secret 名稱 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,但目前 received_response_count=0、accepted_response_count=0、audit_events_emitted=0", "不得搬移或輸出 secret value", "不得因缺資料而假設 GitHub ready" ], diff --git a/docs/security/source-control-workflow-secret-name-inventory.snapshot.json b/docs/security/source-control-workflow-secret-name-inventory.snapshot.json index fd41aa18c..f5ddf313c 100644 --- a/docs/security/source-control-workflow-secret-name-inventory.snapshot.json +++ b/docs/security/source-control-workflow-secret-name-inventory.snapshot.json @@ -427,7 +427,7 @@ "此 inventory 完成前,GitHub primary readiness gate 必須維持 blocked。", "S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence,但 webhook、deploy key、branch protection 與 repository secret parity 仍未完成。", "S4.3 已補 redacted export request package,將 webhook、runner、deploy key、branch protection/CODEOWNERS 與 repository secret name parity 的 owner / read-only export 欄位、拒收欄位與 acceptance gate 文件化;它仍不是 API 執行或 primary cutover 批准。", - "S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks 與收件包,將 5 類 export lanes 的 request 欄位、等待狀態、0 emitted 脫敏 audit metadata 模板、安全回覆範例、只讀收件檢查、response 欄位、驗收規則與拒收規則文件化;received_response_count=0、audit_events_emitted=0,仍不得收集 secret value 或修改 workflow。", + "S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包,將 5 類 export lanes 的 request 欄位、等待狀態、0 emitted 脫敏 audit metadata 模板、安全回覆範例、只讀收件檢查、response 欄位、驗收規則與拒收規則文件化;received_response_count=0、audit_events_emitted=0,仍不得收集 secret value 或修改 workflow。", "inventory snapshot 只能 mirror 成 Operator Console / Audit evidence,不得新增 execution action。" ], "forbidden_actions": [ diff --git a/docs/security/source-control-workflow-secret-name-owner-response.snapshot.json b/docs/security/source-control-workflow-secret-name-owner-response.snapshot.json index de30263d5..6f43cb430 100644 --- a/docs/security/source-control-workflow-secret-name-owner-response.snapshot.json +++ b/docs/security/source-control-workflow-secret-name-owner-response.snapshot.json @@ -48,7 +48,8 @@ "refs_sync_authorized": false, "github_primary_switch_authorized": false, "action_buttons_allowed": false, - "owner_response_collection_check_count": 6 + "owner_response_collection_check_count": 6, + "intake_preflight_check_count": 6 }, "owner_response_request_packet": { "request_id": "s4_12_workflow_secret_name_owner_response_request", @@ -671,6 +672,68 @@ "not_approval": true } ], + "intake_preflight_checks": [ + { + "check_id": "preflight-known-workflow-secret-lane", + "display_order": 1, + "title": "回覆必須對應已知 workflow / secret 名稱 lane", + "required": true, + "pass_condition": "`template_id` 或 `lane` 必須對應 S4.12 五個 workflow / secret name templates 之一,不得新增未盤點 repo、未請求 workflow / secret 類別,或把 out-of-scope repo 自動視為可補 secret / workflow。", + "failure_lane": "request_owner_correction", + "awooop_display": "request_more_evidence", + "execution_authorized": false + }, + { + "check_id": "preflight-required-workflow-secret-owner-fields", + "display_order": 2, + "title": "workflow / secret 名稱必填欄位完整", + "required": true, + "pass_condition": "每筆 response 必須有 owner role/team、decision、decision_reason、repo、provider、lane、lane-specific owner、必要的 redacted metadata 與 evidence_refs;secret name parity 批次回覆必須有可重現 repo list 與 scope。", + "failure_lane": "request_more_evidence", + "awooop_display": "request_more_evidence", + "execution_authorized": false + }, + { + "check_id": "preflight-allowed-workflow-secret-decision", + "display_order": 3, + "title": "workflow / secret decision 在模板允許值內", + "required": true, + "pass_condition": "`decision` 必須落在對應 response template 的 acceptable_decisions;口頭同意、整體 OK、可進行、請幫我建立 secret 或未列出的執行語句都不得進入 accepted。", + "failure_lane": "request_owner_correction", + "awooop_display": "request_more_evidence", + "execution_authorized": false + }, + { + "check_id": "preflight-workflow-secret-redacted-evidence-only", + "display_order": 4, + "title": "只接受 workflow / secret 名稱脫敏 evidence refs", + "required": true, + "pass_condition": "`evidence_refs` 只能指向 repo 內文件、snapshot、redacted metadata pointer、secret name list、redacted host、runner label、key name、ruleset / CODEOWNERS metadata;不得含 secret value、hash、masked token、partial credential、webhook secret、runner token、private key、deploy key value、authorization header、cookie、session、request body 或未脫敏截圖。", + "failure_lane": "quarantine_sensitive_payload", + "awooop_display": "quarantine_sensitive_payload", + "execution_authorized": false + }, + { + "check_id": "preflight-no-workflow-secret-execution-request", + "display_order": 5, + "title": "不得夾帶 workflow / secret 執行要求", + "required": true, + "pass_condition": "response 不得要求建立 / 複製 / rotate secret、修改 workflow/webhook/runner/deploy key/branch protection/CODEOWNERS、啟用 GitHub hosted runner、使用 write token、建立 repo、sync refs、GitHub primary switch、Kali scan 或任何 runtime action。", + "failure_lane": "reject_execution_request", + "awooop_display": "reject_execution_request", + "execution_authorized": false + }, + { + "check_id": "preflight-all-five-workflow-secret-lanes-before-accepted", + "display_order": 6, + "title": "接受前需覆蓋五個 workflow / secret templates", + "required": true, + "pass_condition": "S4.12 要被標示 accepted 前,五個 response templates 都必須收到可驗收的 owner response;部分回覆只能維持 waiting、ready_for_owner_review、request_more_evidence 或 quarantine。", + "failure_lane": "keep_waiting_owner_response", + "awooop_display": "ready_for_owner_review", + "execution_authorized": false + } + ], "response_templates": [ { "template_id": "response-webhook-redacted-export", diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 1d1e8b0c3..945e44d03 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -99,6 +99,7 @@ def validate(root: Path) -> None: "s4_12_workflow_secret_name_owner_response_audit_event_templates", "s4_12_workflow_secret_name_owner_response_redaction_examples", "s4_12_workflow_secret_name_owner_response_collection_checks", + "s4_12_workflow_secret_name_owner_response_intake_preflight_checks", ] assert_equal( "progress_delta_ledger.delta_ids", diff --git a/scripts/security/source-control-owner-response-guard.py b/scripts/security/source-control-owner-response-guard.py index 56187b0a8..4effbff03 100755 --- a/scripts/security/source-control-owner-response-guard.py +++ b/scripts/security/source-control-owner-response-guard.py @@ -256,6 +256,14 @@ LANES = [ "collection-workflow-secret-no-approval-language", "collection-workflow-secret-audit-metadata-only", ], + "expected_preflight_checks": [ + "preflight-known-workflow-secret-lane", + "preflight-required-workflow-secret-owner-fields", + "preflight-allowed-workflow-secret-decision", + "preflight-workflow-secret-redacted-evidence-only", + "preflight-no-workflow-secret-execution-request", + "preflight-all-five-workflow-secret-lanes-before-accepted", + ], }, ]