docs(security): add workflow secret local evidence [skip ci]

This commit is contained in:
Your Name
2026-05-13 19:45:39 +08:00
parent e8827965f6
commit cdf0a2ec06
18 changed files with 1941 additions and 21 deletions

View File

@@ -54,7 +54,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `source_control_ref_detail_diff_v1` | refs-blocked repo branch/tag 明細 diff | Migration reviewer evidence | mirror-only | 只顯示 diff不 fetch、不 push、不刪 refs |
| `source_control_ref_truth_classification_v1` | refs diff 真相來源與 deprecated 候選分類 | Repo owner review queue、migration reviewer handoff | approval-only | 只顯示分類與人工判定隊列,不執行 sync/delete |
| `source_control_primary_readiness_gate_v1` | GitHub primary readiness / parity gate | Source-control review、Operator Console、Audit | approval-only | 只顯示 primary blockers、parity gates、rollback ADR 缺口;目前 `primary_ready_count=0` |
| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口與 redacted snapshot 需求;目前 `inventory_complete_count=0`,不得保存 secret value |
| `source_control_workflow_secret_name_inventory_v1` | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | Source-control review、Secret hygiene audit、Operator Console | approval-only | 只顯示缺口與 S4.2 local evidence;目前 `inventory_complete_count=0`,不得保存 secret value |
| `local_repo_canonical_probe_v1` | 本機 working tree lineage 比對 | Canonical decision evidence | mirror-only | 不自動合併、不自動建 repo、不刪除 |
| `git_remote_refs_probe_v1` | 指定 repo remote refs read-only probe | Source readiness evidence | mirror-only | 不 fetch、不 push、不自動 mirror |
| `approval_required_event_v1` | 上述事件的高風險 gate | Approval queue、Audit | approval-only | `blocked_until_approved=true` |
@@ -100,7 +100,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| `security_approval_state_transition_v1.mode=approval_state_transition_only` | `observe` | 顯示 5 個 decision options 的 next state不得把 transition 當 execution authorization |
| `security_followup_runtime_gate_v1.mode=runtime_gate_preparation_only` | `observe` | 顯示 8 個後續 runtime gate 準備模板、0 個 active runtime gates不得新增 action button |
| `source_control_primary_readiness_gate_v1.status=draft_blocked` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready不得切 primary |
| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、7 個 in-scope missing inventory、0 個 complete不得收集 secret value、不得修改 workflow |
| `source_control_workflow_secret_name_inventory_v1.status=draft_missing_evidence` | `approve_required` | 顯示 8 個 candidate repos、S4.2 local evidence 4 repos / 31 workflows / 43 referenced secret names、0 個 complete不得收集 secret value、不得修改 workflow |
| `security_mirror_readiness_v1.status=draft` | `observe` | 顯示 34 個 contracts 的 readiness不得把 readiness 當 execution authorization |
| `security_mirror_intake_plan_v1.status=draft` | `observe` | 顯示 5 個 intake waves 與 4 個 acceptance gates不得執行 wave |
| `security_mirror_event_v1.execution_authorized=false` | `observe` | 只包裝鏡像 payload明確不授權執行、不顯示執行按鈕 |
@@ -171,6 +171,7 @@ AwoooP 初期不得直接啟動掃描、不得呼叫 Codex patch runner、不得
| Source Control ref truth classification | `docs/security/source-control-ref-truth-classification.snapshot.json` / `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md` |
| Source Control GitHub primary readiness gate | `docs/security/source-control-primary-readiness-gate.snapshot.json` / `docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md` |
| Source Control workflow / secret name inventory | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` |
| Source Control workflow / secret name local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` / `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` |
| Kali 112 integration status | `docs/security/kali-integration-status.snapshot.json` / `docs/security/KALI-INTEGRATION-STATUS.md` |
| Security finding contract | `docs/security/security-finding-kali-sample.snapshot.json` / `docs/security/SECURITY-FINDING-CONTRACT.md` |
| Kali scan scope approval package | `docs/security/kali-scan-scope-approval.snapshot.json` / `docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` |

View File

@@ -217,7 +217,9 @@ Snapshot`docs/security/source-control-workflow-secret-name-inventory.snapshot
目前 inventory8 個 candidate repos、7 個 in-scope repos、1 個 external review`inventory_complete_count=0``missing_inventory_count=7``secret_value_collection_allowed=false`
AwoooP 初期處理方式:只顯示 inventory lane 缺口、要求 redacted snapshot 與人工 review不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary
S4.2 local evidence已新增本機只讀 collector 與 snapshot7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、5 個 runner labels、`secret_value_detected=false`。webhook、deploy key、branch protection 與 repository secret parity 仍需後續 redacted evidence
AwoooP 初期處理方式:只顯示 inventory lane 缺口、S4.2 local evidence、要求 redacted snapshot 與人工 review不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary。
### `security_mirror_readiness_v1`
@@ -311,7 +313,7 @@ Schema`docs/schemas/security_mirror_status_rollup_v1.schema.json`
Snapshot`docs/security/security-mirror-status-rollup.snapshot.json`
目前 rollup`framework_ready_waiting_approval`34 個 contracts、31 ready、2 partial、1 contract-only、0 blockedapproval queue 仍為 8 items其中 7 pending approval、1 block candidatereview packets 8 筆state transition rules 5 筆follow-up runtime gate templates 8 筆active runtime gates 0 筆GitHub primary candidate repos 8 筆primary ready 0 筆workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆decision records 目前 0 筆。
目前 rollup`framework_ready_waiting_approval`34 個 contracts、31 ready、2 partial、1 contract-only、0 blockedapproval queue 仍為 8 items其中 7 pending approval、1 block candidatereview packets 8 筆state transition rules 5 筆follow-up runtime gate templates 8 筆active runtime gates 0 筆GitHub primary candidate repos 8 筆primary ready 0 筆workflow / secret 名稱 inventory candidate repos 8 筆、complete 0 筆;S4.2 local evidence repos 4 筆、workflow files 31 筆、referenced secret names 43 筆;decision records 目前 0 筆。
AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence不得把 rollup 當 runtime authorization。
@@ -789,6 +791,8 @@ Console 初期不提供高風險執行按鈕。
2026-05-13 S4.1 workflow / secret name inventory 追加:已新增 `docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json``docs/security/source-control-workflow-secret-name-inventory.snapshot.json``docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md`。AwoooP 可顯示 8 個 candidate repos 的 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 `inventory_complete_count=0``secret_value_collection_allowed=false`,不得收集 secret value、修改 workflow、rotate secret、sync refs 或切 GitHub primary。
2026-05-13 S4.2 workflow / secret name local evidence 追加:已新增 `scripts/security/source-control-workflow-secret-name-local-inventory.py``docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json``docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json``docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md`。本輪只從本機 working tree 的 `.github/workflows``.gitea/workflows` 與 CODEOWNERS 萃取名稱級 metadata7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、`secret_value_detected=false`;不得視為 GitHub primary ready。
2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json``docs/security/kali-integration-status.snapshot.json``docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up已 targeted update `nmap``nikto``nuclei``curl``openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence但不得直接啟動 scan、credentialed scan 或 `/execute`
本波仍不做:
@@ -849,6 +853,9 @@ Console 初期不提供高風險執行按鈕。
- [source_control_ref_truth_classification_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-ref-truth-classification.snapshot.json)
- [Source Control workflow / secret name inventory](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md)
- [source_control_workflow_secret_name_inventory_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-inventory.snapshot.json)
- [Source Control workflow / secret name local evidence](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md)
- [source_control_workflow_secret_name_local_evidence_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json)
- [source-control workflow / secret name local collector](/Users/ogt/awoooi/scripts/security/source-control-workflow-secret-name-local-inventory.py)
- [本機 repo canonical lineage snapshot](/Users/ogt/awoooi/docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md)
- [local_repo_canonical_probe_v1 snapshot](/Users/ogt/awoooi/docs/security/local-repo-canonical-ewoooc-momo.snapshot.json)
- [本機 repo canonical lineage script](/Users/ogt/awoooi/scripts/security/local-repo-canonical-probe.py)
@@ -880,6 +887,7 @@ Console 初期不提供高風險執行按鈕。
- [security_approval_decision_record_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_decision_record_v1.schema.json)
- [source_control_ref_truth_classification_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_classification_v1.schema.json)
- [source_control_workflow_secret_name_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json)
- [source_control_workflow_secret_name_local_evidence_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json)
- [local_repo_canonical_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/local_repo_canonical_probe_v1.schema.json)
- [git_remote_refs_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/git_remote_refs_probe_v1.schema.json)
- [approval_required_event_v1 schema](/Users/ogt/awoooi/docs/schemas/approval_required_event_v1.schema.json)

View File

@@ -81,7 +81,7 @@ AwoooP 可以將 ready / partial contracts mirror 到:
13. 再 mirror `security_approval_state_transition_v1`,只顯示決策後 next state 與 follow-up runtime gate。
14. 再 mirror `security_followup_runtime_gate_v1`,只顯示 runtime gate 準備模板、preflight checks 與 rollback / disable requirement。
15. 再 mirror `source_control_primary_readiness_gate_v1`,只顯示 GitHub primary parity、owner、rollback 與人工批准缺口。
16. 再 mirror `source_control_workflow_secret_name_inventory_v1`,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,不保存 secret value。
16. 再 mirror `source_control_workflow_secret_name_inventory_v1` 與 S4.2 local evidence,只顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口;目前 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret names,不保存 secret value。
17. 再 mirror `kali_integration_status_v1``kali_scan_scope_approval_v1`
18. 最後再 mirror source-control 其他 contracts。

View File

@@ -28,7 +28,7 @@
| State transitions | S3.3 已建立5 個 decision options 都有 next state且都不授權執行 |
| Follow-up runtime gate templates | S3.4 已建立8 個 templates、0 個 active runtime gates |
| GitHub primary readiness gate | S4.0 已建立8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready |
| Workflow / secret name inventory | S4.1 已建立;8 個 candidate repos、0 個 inventory complete、禁止收集 secret value |
| Workflow / secret name inventory | S4.1 已建立;S4.2 補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的 local evidence0 個 inventory complete、禁止收集 secret value |
| Dry-run | `contract_defined_not_executed` |
| Runtime actions | `false` |
| Payload ingestion | `false` |
@@ -61,6 +61,6 @@
4. GitHub target / owner / visibility / canonical。
5. Kali `/execute` 維持 block candidate。
6. GitHub primary readiness blockers 與 rollback ADR 缺口。
7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,只保存名稱與 owner不保存 value。
7. workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口,先看 S4.2 local evidence再補 webhook / deploy key / branch protection / repository secret parity只保存名稱與 owner不保存 value。
任何批准後的執行仍需下一階段 runtime gate 與獨立 evidence不得由本 rollup 自動觸發。

View File

@@ -49,7 +49,7 @@
| `source_control_ref_detail_diff_v1` | mirror-only | refs-blocked repo 的 branch/tag 明細 diff | `source-control-ref-detail-diff.snapshot.json` |
| `source_control_ref_truth_classification_v1` | approval-only | refs diff 的真相來源候選與 deprecated 候選分類 | `source-control-ref-truth-classification.snapshot.json` |
| `source_control_primary_readiness_gate_v1` | approval-only | GitHub primary readiness / parity gate | `source-control-primary-readiness-gate.snapshot.json` |
| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gate | `source-control-workflow-secret-name-inventory.snapshot.json` |
| `source_control_workflow_secret_name_inventory_v1` | approval-only | workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory gateS4.2 已補 local evidence | `source-control-workflow-secret-name-inventory.snapshot.json` / `source-control-workflow-secret-name-local-evidence.snapshot.json` |
| `local_repo_canonical_probe_v1` | mirror-only | momo/ewoooc lineage evidence | `local-repo-canonical-ewoooc-momo.snapshot.json` |
| `git_remote_refs_probe_v1` | mirror-only | 110 / GitHub remote refs readiness | `bitan-tsenyang``wooo-infra-config` |
| `approval_required_event_v1` | approval-only | 高風險 / 敏感邊界 approval | `gitea-readonly-inventory-approval.snapshot.json` |

View File

@@ -4,7 +4,7 @@
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | S0/S1 read-only evidence 建置中 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + GitHub Primary Readiness Gate + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
## 0. 本階段完成後整體進度
@@ -40,6 +40,7 @@
| S3.4 後續 runtime gate 準備契約 | 完成草案 | `security_followup_runtime_gate_v1` 已建立8 個 gate templates、0 個 active runtime gates、0 個 approved scope | AwoooP 可顯示前置 evidence、preflight checks 與 rollback / disable requirement不可啟用 runtime gate |
| S4.0 GitHub primary readiness gate | 完成草案 | `source_control_primary_readiness_gate_v1` 已建立8 個 candidate repos、7 個 in-scope blocked、0 個 primary ready | AwoooP 可顯示 parity、owner、rollback ADR 缺口,不可切 primary |
| S4.1 Workflow / Secret 名稱 inventory 契約 | 完成草案 | `source_control_workflow_secret_name_inventory_v1` 已建立8 個 candidate repos、7 個 in-scope repos 尚缺實際 inventory、0 個 complete、禁止收集 secret value | AwoooP 可顯示 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱缺口,不可修改 workflow 或 secret |
| S4.2 Workflow / Secret 名稱 local evidence | 完成草案 | 已建立 local read-only collector 與 snapshot7 個 local repos visible、4 個 local evidence repos、31 個 workflow files、43 個 referenced secret names、secret value detected=false | 補 webhook / deploy key / branch protection / repository secret parity 的 redacted evidence仍不可切 primary |
| S4 migration execution | 未開始 | GitHub primary 長期方向已確認,但 refs / tags / workflow / secret 名稱尚未全量驗證 | SHA/tag/workflow parity 與 rollback ADR |
## 1. 已建立的主要 evidence
@@ -72,6 +73,9 @@
| Source Control GitHub primary readiness gate JSON | `docs/security/source-control-primary-readiness-gate.snapshot.json` |
| Source Control workflow / secret name inventory | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md` |
| Source Control workflow / secret name inventory JSON | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` |
| Source Control workflow / secret name local evidence | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md` |
| Source Control workflow / secret name local evidence JSON | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
| Source Control workflow / secret name local collector | `scripts/security/source-control-workflow-secret-name-local-inventory.py` |
| Kali 112 integration status | `docs/security/KALI-INTEGRATION-STATUS.md` |
| Kali 112 integration status JSON | `docs/security/kali-integration-status.snapshot.json` |
| Security finding contract | `docs/security/SECURITY-FINDING-CONTRACT.md` |

View File

@@ -44,7 +44,7 @@
2. 顯示 `primary_ready_count=0`
3. 將 7 個 in-scope repos 維持在 approval / review lane。
4. 顯示哪些 evidence 仍缺Gitea authenticated inventory、refs truth、workflow/runner/secret name inventory、rollback ADR。
5. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口;只保存 secret 名稱與 owner不保存 value。
5. 連到 `source_control_workflow_secret_name_inventory_v1` 顯示 8 個 candidate repos 的 inventory lane 缺口與 S4.2 local evidence;只保存 secret 名稱與 owner不保存 value。
6. 把狀態寫入 Audit evidence 與 Operator Console。
## 4. AwoooP 不可做

View File

@@ -6,6 +6,7 @@
| 狀態 | 草案missing evidence |
| Schema | `docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json` |
| Snapshot | `docs/security/source-control-workflow-secret-name-inventory.snapshot.json` |
| Local evidence | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
| 模式 | `inventory_contract_only` |
| runtime 執行授權 | `false` |
@@ -17,6 +18,8 @@
它不收集 secret value不修改 workflow不搬移 secrets也不授權 GitHub primary cutover。目前 `inventory_complete_count=0`
S4.2 已補本機可見 evidence4 個 repos 有 workflow / CODEOWNERS evidence、31 個 workflow files、43 個 referenced secret names、5 個 runner labels。這只是 local partial evidence仍不代表 GitHub primary ready。
## 1. 目前狀態
| 指標 | 數量 |
@@ -27,6 +30,9 @@
| Inventory complete | 0 |
| Missing inventory | 7 |
| Secret value collection allowed | `false` |
| Local evidence repos | 4 |
| Local workflow files | 31 |
| Local referenced secret names | 43 |
## 2. Inventory Lanes
@@ -47,6 +53,7 @@
3. 將 redacted inventory snapshot 寫入 Audit evidence。
4. 對缺資料 repo 顯示 owner review lane。
5. 將失敗或含敏感值 payload 交給 mirror quarantine。
6. 顯示 S4.2 本機 evidence 與仍缺的 API / export lanes。
## 4. AwoooP 不可做
@@ -62,4 +69,6 @@
S4.1 讓 GitHub primary readiness 的「workflow / secret 名稱 parity」缺口變成可追蹤清單。
這仍是低摩擦框架期:只定義欄位、只顯示缺口、只留痕,不碰任何實際 secret 或發版流程。
S4.2 讓本機可見 workflow / CODEOWNERS / referenced secret names 先形成 partial evidence。
這仍是低摩擦框架期:只定義欄位、只顯示缺口、只留痕,不碰任何實際 secret 或發版流程。webhook、deploy key、branch protection 與 repository secret parity 仍需要後續 redacted export 或 read-only API evidence。

View File

@@ -0,0 +1,75 @@
# Workflow / Secret 名稱本機 Evidence Snapshot
| 項目 | 內容 |
|------|------|
| 日期 | 2026-05-13 |
| 狀態 | 草案partial local evidence |
| Schema | `docs/schemas/source_control_workflow_secret_name_local_evidence_v1.schema.json` |
| Snapshot | `docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json` |
| 來源契約 | `source_control_workflow_secret_name_inventory_v1` |
| 收集器 | `scripts/security/source-control-workflow-secret-name-local-inventory.py` |
| runtime 執行授權 | `false` |
## 0. 核心結論
S4.2 先補本機可見 working tree 的只讀 workflow / secret 名稱 evidence。
本 snapshot 只從 `.github/workflows/``.gitea/workflows/``CODEOWNERS``.github/CODEOWNERS` 萃取名稱級 metadata。它不呼叫 GitHub / Gitea API、不讀 `.env`、不讀 secret store、不收集 secret value、不修改 workflow。
這仍不代表 GitHub primary ready。webhook、deploy key、branch protection 與 repository secret parity 還需要後續 redacted export 或 read-only API evidence。
## 1. 摘要
| 指標 | 數量 |
|------|------|
| Candidate repos | 8 |
| Local repo visible | 7 |
| Local evidence repos | 4 |
| Workflow files | 31 |
| Gitea workflow files | 10 |
| GitHub workflow files | 21 |
| CODEOWNERS files | 2 |
| Unique referenced secret names | 43 |
| Runner labels | 5 |
| Secret value detected | `false` |
## 2. Repo 結果
| Repo | Local status | Workflow files | Secret names | CODEOWNERS | 說明 |
|------|--------------|----------------|--------------|------------|------|
| `owenhytsai/awoooi` | `partial_local_evidence` | 14 | 37 | 0 | Gitea / GitHub workflows 都可見;仍需 webhook、branch protection、repository secret parity evidence |
| `owenhytsai/clawbot-v5` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
| `owenhytsai/wooo-aiops` | `partial_local_evidence` | 14 | 12 | 2 | GitHub / Gitea workflow 與 CODEOWNERS 可見;仍需 webhook 與 branch protection evidence |
| `owenhytsai/wooo-infra-config` | `partial_local_evidence` | 1 | 2 | 0 | GitHub validate workflow 可見infra secret value 不可搬移 |
| `owenhytsai/ewoooc` | `partial_local_evidence` | 2 | 4 | 0 | 以本機 `momo-pro-system` working tree 作為 ewoooc/momo canonical review 的暫時 evidence |
| `owenhytsai/bitan-pharmacy` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
| `owenhytsai/tsenyang-website` | `local_repo_visible_no_workflow_files` | 0 | 0 | 0 | 本機 repo 可見,但未找到 workflow / CODEOWNERS |
| `nexu-io/open-design` | `missing_local_repo` | 0 | 0 | 0 | 外部 scope review未納入 GitHub primary cutover queue |
## 3. 已知 runner labels
本 snapshot 只保存 runner label 名稱:
| Label |
|-------|
| `awoooi-host` |
| `harbor` |
| `k8s` |
| `self-hosted` |
| `ubuntu-latest` |
## 4. 仍需補齊
1. Gitea / GitHub webhook inventory只列 destination host、event types、enabled flag不保存 webhook secret。
2. Deploy key / machine key inventory只列 key name、read-only flag、owner不保存 private key。
3. Branch protection inventory只列 protected branch、required status checks、review count。
4. Repository secret parity只比對 secret 名稱與 owner不輸出 value。
5. 逐 repo owner review確認本機可見 workflow 是否為 canonical尤其是 `ewoooc` / `momo-pro-system`
## 5. 永久禁止
1. 不收集 secret value、token value、private key、webhook secret、runner registration token。
2. 不修改 workflow、webhook、runner、deploy key、branch protection 或 CODEOWNERS。
3. 不建立 GitHub repo、不 sync refs、不切 GitHub primary。
4. 不把本機 evidence 當成 primary cutover approval。
5. 不把 LOW / MEDIUM observation 變成 runtime blocker。

View File

@@ -333,9 +333,15 @@
"consumption_mode": "approval_only",
"mirror_allowed": true,
"execution_allowed": false,
"snapshot_paths": ["docs/security/source-control-workflow-secret-name-inventory.snapshot.json"],
"human_docs": ["docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md"],
"notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口inventory_complete_count=0secret_value_collection_allowed=false。"
"snapshot_paths": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md"
],
"notes": "可 mirror workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 缺口S4.2 local evidence 有 4 個 repos、31 個 workflow files、43 個 referenced secret namessecret_value_collection_allowed=false。"
},
{
"contract": "local_repo_canonical_probe_v1",

View File

@@ -21,6 +21,7 @@
"docs/security/security-followup-runtime-gate.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
@@ -38,7 +39,11 @@
"github_primary_ready_count": 0,
"workflow_secret_inventory_candidate_repo_count": 8,
"workflow_secret_inventory_complete_count": 0,
"workflow_secret_inventory_local_evidence_repo_count": 4,
"workflow_secret_inventory_local_workflow_file_count": 31,
"workflow_secret_inventory_unique_secret_name_count": 43,
"secret_value_collection_allowed": false,
"secret_value_detected": false,
"pending_approval_count": 7,
"block_candidate_count": 1,
"dry_run_status": "contract_defined_not_executed",
@@ -73,8 +78,8 @@
{
"phase_id": "S4_migration_execution",
"state": "not_started",
"current_result": "GitHub primary 是長期方向source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary readyS4.1 已定義 workflow / secret 名稱 inventory 契約inventory_complete_count=0。",
"next_gate": "Gitea authenticated inventory、refs truth、redacted workflow/runner/secret name inventory、rollback ADR 與逐 repo 人工批准。"
"current_result": "GitHub primary 是長期方向source_control_primary_readiness_gate_v1 已定義 8 個 candidate repos、7 個 in-scope blocked repos、0 個 primary readyS4.1 已定義 workflow / secret 名稱 inventory 契約S4.2 已補 4 個 repos、31 個 workflow files、43 個 referenced secret names 的本機 evidenceinventory_complete_count=0。",
"next_gate": "Gitea authenticated inventory、refs truth、webhook / deploy key / branch protection / repository secret parity redacted evidence、rollback ADR 與逐 repo 人工批准。"
}
],
"next_safe_actions": [
@@ -215,7 +220,7 @@
"mode": "approval_required",
"source_contract": "source_control_workflow_secret_name_inventory_v1",
"allowed_processing": [
"顯示 8 個 candidate repos 的 inventory lanes",
"顯示 8 個 candidate repos 的 inventory lanes 與 4 個 repos 的 local evidence",
"要求 repo owner 補 redacted workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 snapshot",
"只保存 secret name、owner 與 present/absent metadata不保存 value"
],
@@ -251,7 +256,8 @@
"S3.3 只新增人工決策狀態轉移語義approve_scope 只進入 waiting runtime gate不代表可立即執行。",
"S3.4 只新增後續 runtime gate 準備模板active_runtime_gates=0不新增 action button。",
"S4.0 只新增 GitHub primary readiness gategithub_primary_ready_count=0不新增 repo / refs / primary switch action。",
"S4.1 只新增 workflow / secret 名稱 inventory 契約workflow_secret_inventory_complete_count=0secret_value_collection_allowed=false不新增 workflow、secret、repo、refs 或 primary switch action。"
"S4.1 只新增 workflow / secret 名稱 inventory 契約workflow_secret_inventory_complete_count=0secret_value_collection_allowed=false不新增 workflow、secret、repo、refs 或 primary switch action。",
"S4.2 只新增本機可見 workflow / CODEOWNERS / referenced secret name evidencelocal_evidence_repo_count=4、workflow_file_count=31、unique_secret_name_count=43secret_value_detected=false。"
],
"forbidden_actions": [
"start_kali_scan",

View File

@@ -538,8 +538,14 @@
{
"contract": "source_control_workflow_secret_name_inventory_v1",
"schema_path": "docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json",
"snapshot_paths": ["docs/security/source-control-workflow-secret-name-inventory.snapshot.json"],
"human_docs": ["docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md"],
"snapshot_paths": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md"
],
"consumer": "AwoooP source-control review / Secret hygiene audit / Operator Console",
"consumption_mode": "approval_only",
"allowed_actions": [
@@ -555,7 +561,7 @@
"sync_refs",
"switch_github_primary"
],
"notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約;目前 inventory_complete_count=0不保存 secret value。"
"notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約;S4.2 已補 local evidence4 repos、31 workflow files、43 個 referenced secret names不保存 secret value。"
},
{
"contract": "local_repo_canonical_probe_v1",

View File

@@ -6,6 +6,7 @@
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/github-target-decision.snapshot.json",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/source-control-reconcile-plan.snapshot.json",
@@ -409,6 +410,7 @@
"secret_name_inventory 只允許保存 secret_name、scope、owner 與 used_by_workflow_name禁止保存 value。",
"任何 raw secret、token、cookie、private key、webhook secret 或 credential value 都必須被拒收並進 quarantine。",
"此 inventory 完成前GitHub primary readiness gate 必須維持 blocked。",
"S4.2 已補本機可見 workflow / CODEOWNERS / referenced secret name evidence但 webhook、deploy key、branch protection 與 repository secret parity 仍未完成。",
"inventory snapshot 只能 mirror 成 Operator Console / Audit evidence不得新增 execution action。"
],
"forbidden_actions": [

File diff suppressed because it is too large Load Diff