docs(security): add owner response audit templates

This commit is contained in:
Your Name
2026-05-19 11:04:34 +08:00
parent 06adeecbe2
commit ebefc7d3bc
19 changed files with 309 additions and 40 deletions

View File

@@ -126,7 +126,7 @@ Ref truth classification 已建立,將 `awoooi`、`clawbot-v5`、`wooo-aiops`
Workflow / secret name owner response 已建立S4.12 補 1 個 request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 templates對應 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parityreceived / accepted response 皆為 0、audit events emitted 仍為 0。不得把 request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 或 response packet 當成 secret value collection、workflow modification、GitHub hosted runner enablement 或 primary approval。
Owner response validation rollup 已建立S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanesreceived / accepted response 皆為 0。不得把 rollup、routing、sections、transition rules、reviewer checklistreviewer outcome lanes 當成 approval、runtime gate 或 execution authorization。
Owner response validation rollup 已建立S4.13 彙整 S4.9 / S4.10 / S4.11 / S4.12 四包 response packets22 個 templates、10 個 cross-packet checks、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes、4 個 reviewer audit event templatesreceived / accepted response 皆為 0reviewer audit emitted 仍為 0。不得把 rollup、routing、sections、transition rules、reviewer checklistreviewer outcome lanes 或 reviewer audit templates 當成 approval、runtime gate、production ingestion 或 execution authorization。
## 3. 必要驗收 gate
@@ -159,7 +159,7 @@ Ref truth classification 補充:完整 review lane 見 `docs/security/SOURCE-C
2. 依 GitHub target repo-by-repo approval package 處理 7 個 approval-required target。
3. 依 S4.11 ref truth owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包與 classification 釐清 `wooo/awoooi``wooo/clawbot-v5``wooo/wooo-aiops` 的雙端分歧來源;仍不得 push/delete refs。
4. 依 S4.12 workflow / secret name owner response request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / 收件包補 webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 的 redacted disposition仍不得收 secret value、改 workflow 或啟用 hosted runner。
5. 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklistreviewer outcome lanes仍不得把 rollup、routing、sections、transition rules、reviewer checklistreviewer outcome lanes 當 approval 或 execution authorization。
5. 依 S4.13 owner response validation rollup 集中檢查 S4.9-S4.12 四包 response validation、evidence routing、display sections、state transition rules、reviewer checklistreviewer outcome lanes 與 reviewer audit event templates;仍不得把 rollup、routing、sections、transition rules、reviewer checklistreviewer outcome lanes 或 reviewer audit templates 當 approval、production ingestion 或 execution authorization。
6. 釐清 `wooo/ewoooc``root/momo-pro-system``momo-pro-system``momo_pro_system` 的 canonical 關係。
7. 釐清 `bitan-pharmacy``tsenyang-website` 是否仍 active並決定 GitHub owner / visibility。
8. 產出 GitHub primary ADR 前,不做主控切換。