diff --git a/.gitea/workflows/cd-dev.yaml b/.gitea/workflows/cd-dev.yaml
index 8430467e..22885f37 100644
--- a/.gitea/workflows/cd-dev.yaml
+++ b/.gitea/workflows/cd-dev.yaml
@@ -53,10 +53,7 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "Dev deploy start notification mirrored through AWOOI API"
else
- printf '%b' "$MSG" | curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
- -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \
- -d "parse_mode=HTML" \
- --data-urlencode "text@-"
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
# API 測試 (同 prod CI,確保 dev 也通過)
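Review bot: When `scripts/ci/notify-awoooi-cicd.sh` fails, the `else` branch now only writes one line to the job log, so the SRE room receives nothing and the step still finishes green. This matters most in the failure-notification hunks (`Notify Dev Deploy Failure` below, the tests/build/post-deploy failure hunks in cd.yaml, and e2e-health.yaml), because an AWOOI API outage may coincide with the very failure being reported; that dependency is inferred, not visible here. Consider making the drop visible outside the raw log, for example `echo "::warning::AWOOI API notify failed; notification not delivered"` if the runner renders workflow commands. Alternatively, persist the undelivered message so it can be replayed through the receipt chain later. The `if` that owns this branch starts outside the hunk.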
@@ -243,10 +240,7 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "Dev deploy success notification mirrored through AWOOI API"
else
- printf '%b' "$MSG" | curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
- -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \
- -d "parse_mode=HTML" \
- --data-urlencode "text@-"
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
- name: Notify Dev Deploy Failure
@@ -266,8 +260,5 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "Dev deploy failure notification mirrored through AWOOI API"
else
- printf '%b' "$MSG" | curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
- -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \
- -d "parse_mode=HTML" \
- --data-urlencode "text@-"
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 46870eb4..3ce83b87 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -148,10 +148,7 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "✅ CI/CD start notification mirrored through AWOOI API"
else
- curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
- -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \
- -d "parse_mode=HTML" \
- --data-urlencode "text=${MSG}" || echo "TG notify failed (non-fatal): exit=$?"
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
@@ -1094,10 +1091,7 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "✅ CI/CD tests failure notification mirrored through AWOOI API"
else
- curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
- -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \
- -d "parse_mode=HTML" \
- --data-urlencode "text=${MSG}" || echo "TG notify failed (non-fatal): exit=$?"
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
build-and-deploy:
@@ -2289,10 +2283,7 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "✅ CI/CD build failure notification mirrored through AWOOI API"
else
- curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
- -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \
- -d "parse_mode=HTML" \
- --data-urlencode "text=${MSG}" || echo "TG notify failed (non-fatal): exit=$?"
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
post-deploy-checks:
@@ -2683,9 +2674,7 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "✅ CI/CD success notification mirrored through AWOOI API"
else
- printf '%b' "$TG_MSG" | curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
- -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \
- --data-urlencode "text@-" || echo "TG notify warning (non-fatal)"
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
- name: Notify Pipeline Failure
@@ -2708,10 +2697,7 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "✅ CI/CD post-deploy failure notification mirrored through AWOOI API"
else
- curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
- -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \
- -d "parse_mode=HTML" \
- --data-urlencode "text=${MSG}" || echo "TG notify failed (non-fatal): exit=$?"
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
- name: Clean Post-Deploy Workspace Artifacts
diff --git a/.gitea/workflows/code-review.yaml b/.gitea/workflows/code-review.yaml
index 41edc67c..08f77fcf 100644
--- a/.gitea/workflows/code-review.yaml
+++ b/.gitea/workflows/code-review.yaml
@@ -125,14 +125,7 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "Code review start notification mirrored through AWOOI API"
else
- if [ -z "${TG_BOT_TOKEN:-}" ] || [ -z "${SRE_GROUP_CHAT_ID:-}" ]; then
- echo "Telegram secret missing and AWOOI API notify failed; skip start notification"
- exit 0
- fi
- curl -fsS -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendMessage" \
- -H "Content-Type: application/json" \
- -d "$(jq -n --arg c "$SRE_GROUP_CHAT_ID" --arg t "$MSG" '{chat_id:$c,text:$t,parse_mode:"HTML",disable_web_page_preview:true}')" \
- >/dev/null
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
- name: Run Deterministic Review
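Review bot: Nothing left in this branch reads `TG_BOT_TOKEN`, yet the removed lines read it as a shell variable, so some `env:` mapping outside the hunk supplies it from secrets. If `scripts/ci/notify-awoooi-cicd.sh` does not need the bot token, drop that mapping so the secret is no longer handed to a step that cannot use it. The same cleanup applies to `TELEGRAM_BOT_TOKEN` in cd-dev.yaml, cd.yaml, deploy-alerts.yaml and e2e-health.yaml, and to `TG_TOKEN` in run-migration.yml. Whether the script still consumes any of these is not visible in this diff.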
@@ -201,12 +194,5 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "Code review completion notification mirrored through AWOOI API"
else
- if [ -z "${TG_BOT_TOKEN:-}" ] || [ -z "${SRE_GROUP_CHAT_ID:-}" ]; then
- echo "Telegram secret missing and AWOOI API notify failed; skip completion notification"
- exit 0
- fi
- curl -fsS -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendMessage" \
- -H "Content-Type: application/json" \
- -d "$(jq -n --arg c "$SRE_GROUP_CHAT_ID" --arg t "$MSG" '{chat_id:$c,text:$t,parse_mode:"HTML",disable_web_page_preview:true}')" \
- >/dev/null
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
diff --git a/.gitea/workflows/deploy-alerts.yaml b/.gitea/workflows/deploy-alerts.yaml
index 4ac6eb3b..b64f7fb8 100644
--- a/.gitea/workflows/deploy-alerts.yaml
+++ b/.gitea/workflows/deploy-alerts.yaml
@@ -67,7 +67,5 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "Alert rule deploy notification mirrored through AWOOI API"
else
- curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
- -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \
- --data-urlencode "text=${MSG}" || true
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
diff --git a/.gitea/workflows/e2e-health.yaml b/.gitea/workflows/e2e-health.yaml
index 1749ddf1..92f0263a 100644
--- a/.gitea/workflows/e2e-health.yaml
+++ b/.gitea/workflows/e2e-health.yaml
@@ -95,8 +95,5 @@ jobs:
scripts/ci/notify-awoooi-cicd.sh; then
echo "E2E failure notification mirrored through AWOOI API"
else
- curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
- -d chat_id="${{ env.SRE_GROUP_CHAT_ID }}" \
- -d parse_mode="HTML" \
- -d text="🔴 [E2E Health Check] 失敗%0A%0A📅 $(TZ=Asia/Taipei date '+%Y-%m-%d %H:%M')%0A🔗 API 健康檢查未通過%0A%0A請檢查 K3s 叢集狀態"
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
fi
diff --git a/.gitea/workflows/run-migration.yml b/.gitea/workflows/run-migration.yml
index 8157e8db..3f00ce78 100644
--- a/.gitea/workflows/run-migration.yml
+++ b/.gitea/workflows/run-migration.yml
@@ -196,10 +196,4 @@ jobs:
echo "Migration notification mirrored through AWOOI API"
exit 0
fi
- if [ -n "$TG_TOKEN" ] && [ -n "${SRE_GROUP_CHAT_ID:-}" ]; then
- MSG="🗄️ Migration CI: \`${STATUS}\` — commit ${{ github.sha }}"
- curl -s -X POST "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \
- -d chat_id="${SRE_GROUP_CHAT_ID}" \
- -d parse_mode="Markdown" \
- -d text="${MSG}" || true
- fi
+ echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain"
diff --git a/apps/api/tests/test_ai_agent_report_truth_actionability_review.py b/apps/api/tests/test_ai_agent_report_truth_actionability_review.py
index e7fc0991..2f6f9cfd 100644
--- a/apps/api/tests/test_ai_agent_report_truth_actionability_review.py
+++ b/apps/api/tests/test_ai_agent_report_truth_actionability_review.py
@@ -37,18 +37,18 @@ def test_load_latest_ai_agent_report_truth_actionability_review():
assert data["telegram_routing_consolidation"]["direct_telegram_api_send_allowed"] is False
assert data["rollups"]["telegram_route_finding_count"] == len(data["telegram_route_findings"])
assert data["telegram_egress_guard"]["status"] == "pass_no_new_bypass"
- assert data["telegram_egress_guard"]["summary"]["live_direct_bot_api_call_count"] == 18
+ assert data["telegram_egress_guard"]["summary"]["live_direct_bot_api_call_count"] == 5
assert data["telegram_egress_guard"]["summary"]["new_bypass_count"] == 0
- assert data["telegram_egress_guard"]["summary"]["gitea_workflow_direct_bot_api_call_count"] == 13
+ assert data["telegram_egress_guard"]["summary"]["gitea_workflow_direct_bot_api_call_count"] == 0
assert data["telegram_egress_guard"]["summary"]["ops_script_direct_bot_api_call_count"] == 4
assert data["telegram_egress_guard"]["summary"]["api_direct_bot_api_call_count"] == 1
assert (
data["telegram_egress_guard"]["summary"]["direct_bot_api_awooop_db_receipt_missing_count"]
- == 18
+ == 5
)
assert (
data["telegram_egress_guard"]["summary"]["direct_bot_api_ai_controlled_route_missing_count"]
- == 18
+ == 5
)
assert (
data["telegram_egress_guard"]["telegram_receipt_coverage"]["coverage_status"]
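Review bot: The total `5` is hard-coded four times in this test and again in test_ai_agent_report_truth_actionability_review_api.py, but nothing checks that it agrees with the per-surface counts asserted beside it (0 + 4 + 1). Tie the total to its parts once: `summary = data["telegram_egress_guard"]["summary"]`, then `assert summary["live_direct_bot_api_call_count"] == summary["gitea_workflow_direct_bot_api_call_count"] + summary["ops_script_direct_bot_api_call_count"] + summary["api_direct_bot_api_call_count"]`. Keep the explicit `== 0` for the workflow surface, since that is the regression guard for this change. The rollup literals changed from 22 to 9 in the next hunk would benefit from a short comment saying how 9 is composed. The test function starts and ends outside the hunk.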
@@ -72,17 +72,16 @@ def test_load_latest_ai_agent_report_truth_actionability_review():
]
is False
)
- assert data["rollups"]["telegram_route_finding_count"] == 22
- assert data["rollups"]["legacy_or_direct_route_count"] == 22
+ assert data["rollups"]["telegram_route_finding_count"] == 9
+ assert data["rollups"]["legacy_or_direct_route_count"] == 9
assert sum(
1
for route in data["telegram_route_findings"]
if route["route_id"].startswith("telegram_direct_bot_api_")
- ) == 18
+ ) == 5
assert {
item["surface_kind"] for item in data["telegram_egress_guard"]["current_direct_bot_api_calls"]
} == {
- "gitea_workflow_direct_bot_api",
"ops_script_direct_bot_api",
"api_direct_bot_api",
}
diff --git a/apps/api/tests/test_ai_agent_report_truth_actionability_review_api.py b/apps/api/tests/test_ai_agent_report_truth_actionability_review_api.py
index ba591969..1d4e7a05 100644
--- a/apps/api/tests/test_ai_agent_report_truth_actionability_review_api.py
+++ b/apps/api/tests/test_ai_agent_report_truth_actionability_review_api.py
@@ -34,18 +34,18 @@ def test_get_ai_agent_report_truth_actionability_review_api():
assert data["telegram_routing_consolidation"]["canonical_room_env"] == "SRE_GROUP_CHAT_ID"
assert data["telegram_routing_consolidation"]["other_bot_or_group_alerts_allowed"] is False
assert data["telegram_routing_consolidation"]["direct_telegram_api_send_allowed"] is False
- assert data["telegram_egress_guard"]["summary"]["live_direct_bot_api_call_count"] == 18
+ assert data["telegram_egress_guard"]["summary"]["live_direct_bot_api_call_count"] == 5
assert data["telegram_egress_guard"]["summary"]["new_bypass_count"] == 0
- assert data["telegram_egress_guard"]["summary"]["gitea_workflow_direct_bot_api_call_count"] == 13
+ assert data["telegram_egress_guard"]["summary"]["gitea_workflow_direct_bot_api_call_count"] == 0
assert data["telegram_egress_guard"]["summary"]["ops_script_direct_bot_api_call_count"] == 4
assert data["telegram_egress_guard"]["summary"]["api_direct_bot_api_call_count"] == 1
assert (
data["telegram_egress_guard"]["summary"]["direct_bot_api_awooop_db_receipt_missing_count"]
- == 18
+ == 5
)
assert (
data["telegram_egress_guard"]["summary"]["direct_bot_api_ai_controlled_route_missing_count"]
- == 18
+ == 5
)
assert (
data["telegram_egress_guard"]["telegram_receipt_coverage"][
@@ -57,6 +57,6 @@ def test_get_ai_agent_report_truth_actionability_review_api():
data["telegram_egress_guard"]["telegram_receipt_coverage"]["all_telegram_alerts_ai_controlled"]
is False
)
- assert data["rollups"]["telegram_route_finding_count"] == 22
- assert data["rollups"]["legacy_or_direct_route_count"] == 22
+ assert data["rollups"]["telegram_route_finding_count"] == 9
+ assert data["rollups"]["legacy_or_direct_route_count"] == 9
assert data["rollups"]["operator_action_count"] == 5
diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json
index 7fd58694..d820727f 100644
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -229,7 +229,7 @@
},
"credential_escrow": {
"title": "P0-005 credential escrow",
- "description": "已收斂 non-secret evidence refs 與 reviewer acceptance readback;不寫 credential marker、不收 secret。",
+ "description": "已收斂 non-secret evidence 參照 與 reviewer acceptance readback;不寫 credential marker、不收 secret。",
"metric": "evidence {accepted}/{required}"
},
"gitea": {
@@ -251,7 +251,7 @@
"boundaries": {
"secret": "不收機密明文、授權憑證、瀏覽器憑證或私有存取材料。",
"production": "不直接改 production runtime、public gateway、Nginx、Docker、K8s 或 firewall。",
- "repo": "不直接建立 repo、改 visibility、sync refs、force push 或 trigger workflow;GitHub 維持 stopped / do_not_use。",
+ "repo": "不直接建立 repo、改 visibility、sync 參照、force push 或 trigger workflow;GitHub 維持 stopped / do_not_use。",
"data": "不直接做資料庫、backup、restore 或 migration 寫操作。",
"security": "不啟動 Wazuh / Kali 主動回應流程、active scan 或 host containment。"
},
@@ -978,7 +978,7 @@
},
"sourceDossier": {
"title": "Sentry / SigNoz 來源卷宗證據",
- "detail": "最近來源 {sources} 筆;Sentry refs {sentry}、SigNoz refs {signoz},用 provider 篩選驗證,不再被整體樣本誤判。"
+ "detail": "最近來源 {sources} 筆;Sentry 參照 {sentry}、SigNoz 參照 {signoz},用 provider 篩選驗證,不再被整體樣本誤判。"
},
"callbackEvidence": {
"title": "Telegram 詳情 / 歷史 DB 真相鏈",
@@ -1212,8 +1212,8 @@
"kmBurndown": "/api/v1/ai/governance/km-stale-owner-review-burndown"
},
"signal": {
- "metric": "來源 {sources} / refs {refs}",
- "detail": "missing refs {missing},duplicates {duplicates};Alert {alert} / Sentry(provider) {sentry} / SigNoz(provider) {signoz}"
+ "metric": "來源 {sources} / 參照 {參照}",
+ "detail": "missing 參照 {missing},duplicates {duplicates};Alert {alert} / Sentry(provider) {sentry} / SigNoz(provider) {signoz}"
},
"intake": {
"metric": "Runs {runs} / linked {linked}",
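Review bot: The interpolation placeholder was renamed together with the label, so `"metric": "來源 {sources} / 參照 {參照}"` now expects an argument named `參照`. Callers are not in this diff but presumably still pass `refs`, which would leave the value unfilled or raise a formatting error. Translate only the visible text and keep the placeholder: `"metric": "來源 {sources} / 參照 {refs}"`. The same blanket replacement reaches identifiers in later hunks: the message keys `mcp_evidence_參照` (twice), `inspect_recent_outbound_source_參照` and `review_outbound_source_參照`, the `{參照}` placeholders in `sourceRefs` and `sourceFlow.detail`, and the table name in `批准_records`. Those should go back to their original spellings, because they are looked up by name rather than displayed.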
@@ -1347,47 +1347,47 @@
"messageOk": "所有系統運作正常,無需處理。",
"messageWarning": "{host} 狀態異常,建議檢查相關服務。",
"liveOpsSpace": {
- "title": "Live Ops Space",
+ "title": "OpenClaw 持續工作室",
"status": {
- "loading": "Loading scene",
- "ready": "Scene connected",
- "degraded": "Waiting for readback"
+ "loading": "讀取場景中",
+ "ready": "場景已連線",
+ "degraded": "等待讀回"
},
"actions": {
- "refresh": "Refresh"
+ "refresh": "重新讀取"
},
"source": {
- "marker": "marker",
- "updated": "updated"
+ "marker": "部署 marker",
+ "updated": "更新"
},
"animation": {
- "loop": "loop",
- "on": "on",
- "off": "off"
+ "loop": "動畫迴圈",
+ "on": "開啟",
+ "off": "關閉"
},
"panels": {
- "rollups": "Scene metrics",
- "boundaries": "Safety boundaries",
- "workItems": "Work items"
+ "rollups": "場景指標",
+ "boundaries": "安全邊界",
+ "workItems": "工作項目"
},
"metrics": {
- "agents": "Agents",
- "workItems": "Work items",
- "animated": "Animated",
- "blocked": "Blocked"
+ "agents": "Agent",
+ "workItems": "工作項",
+ "animated": "動畫物件",
+ "blocked": "阻擋"
},
"boundary": {
- "closed": "closed",
- "open": "open"
+ "closed": "關閉",
+ "open": "開啟"
},
"states": {
- "working": "working",
- "verified": "verified",
- "blocked": "blocked",
- "waiting": "waiting",
- "idle": "idle"
+ "working": "工作中",
+ "verified": "已驗證",
+ "blocked": "阻擋",
+ "waiting": "等待",
+ "idle": "待命"
},
- "empty": "Scene state is not available yet."
+ "empty": "尚未取得場景狀態。"
}
},
"ai": {
@@ -2078,7 +2078,7 @@
"openNavigation": "開啟導航選單",
"closeNavigation": "關閉導航選單",
"iwooos": "IwoooS",
- "iwooosSecurityCompliance": "IwoooS Security Compliance"
+ "iwooosSecurityCompliance": "IwoooS 安全合規"
},
"settings": {
"title": "系統設定",
@@ -3013,11 +3013,11 @@
"repairLock": "冪等鎖",
"riskMediumDesc": "操作不可即時撤銷,但有備份保護",
"confirmExec": "長按 5 秒確認授權執行",
- "rejectApproval": "Reject authorization - route to AI controlled completion",
+ "rejectApproval": "拒絕授權 — 轉 AI 受控補齊",
"approvalGranted": "授權已核准",
"approvalGrantedDesc": "NemoTron 正在執行 ansible-playbook...",
"approvalRejected": "授權已拒絕",
- "approvalRejectedDesc": "Routed into the AI controlled completion flow",
+ "approvalRejectedDesc": "已轉入 AI 受控補齊流程",
"noHistory": "尚無修復紀錄",
"noActiveAlerts": "目前無活躍告警",
"noPlaybooks": "尚無 Playbook 紀錄",
@@ -3391,7 +3391,7 @@
"ready_for_reverify": "可重驗",
"needs_target_mapping": "待補目標",
"needs_playbook_ticket": "待建 Ticket",
- "manual_review": "Controlled review",
+ "manual_review": "受控檢查",
"unknown": "待分類"
},
"remediationAction": {
@@ -3404,12 +3404,12 @@
}
},
"legacyHitl": {
- "title": "Legacy HITL Evidence Queue",
- "subtitle": "These rows come from approval_records and are not AwoooP run approvals; keep them as historical evidence and route follow-up into AI controlled work items.",
+ "title": "Legacy HITL 歷史證據佇列",
+ "subtitle": "這批來自 批准_records,不屬於 AwoooP run 批准;以歷史證據保留,後續導回 AI 受控工作項。",
"openAuthorizations": "開啟授權中心",
"loadFailed": "Legacy HITL backlog 載入失敗:{error}",
- "tableLabel": "Legacy HITL Evidence Queue",
- "moreRows": "Only the latest 8 rows are shown; track the remaining {count} in the authorization center.",
+ "tableLabel": "Legacy HITL 歷史證據佇列",
+ "moreRows": "只顯示最新 8 筆,其餘 {count} 筆請到授權中心追蹤。",
"noTelegram": "no TG",
"telegramRef": "TG #{id}",
"summary": {
@@ -3855,7 +3855,7 @@
"cockpit": {
"liveLabel": "LIVE PRODUCTION",
"title": "AI Agent Cockpit",
- "subtitle": "Production readback for the active control layer, closed loop, receipts, and hard boundaries.",
+ "subtitle": "用 production readback 呈現控制層、閉環、收據與硬邊界。",
"production": "Production",
"dbOk": "DB readback OK",
"dbReview": "DB readback review",
@@ -3878,8 +3878,8 @@
"riskTitle": "Controlled risk lanes",
"on": "ON",
"off": "OFF",
- "ownerRequired": "Controlled evidence review required",
- "ownerNotRequired": "Controlled evidence review cleared",
+ "ownerRequired": "受控證據複核需要補齊",
+ "ownerNotRequired": "受控證據複核已免除",
"criticalBreakGlass": "critical break-glass",
"criticalReview": "critical review"
},
@@ -3898,7 +3898,7 @@
"executorDetail": "post verifier {verifier} · KM {km} · Telegram {telegram}",
"loop": "latest flow closed",
"loopDetail": "MCP {mcp} · RAG {rag} · PlayBook {playbook}",
- "ledger": "operation-id loop ledger",
+ "ledger": "operation-id 閉環總帳",
"ledgerDetail": "{state} · stages {stages} · missing {missing}",
"stageLedger": "candidate → check-mode → apply → verifier → KM → Telegram"
},
@@ -6016,13 +6016,13 @@
"legacyRoutesDetail": "direct send / legacy chat / multi bot 必須收斂",
"ttl": "TTL: {value}",
"requiredAssets": "必填資產 {count} 項",
- "guardCalls": "Direct scan {count}",
- "newBypass": "New bypass {count}",
- "dbReceiptMissing": "DB receipt gap {count}",
- "aiRouteMissing": "AI route gap {count}",
- "workflowDirect": "workflow direct {count}",
- "opsDirect": "ops direct {count}",
- "apiDirect": "API direct {count}"
+ "guardCalls": "直送掃描 {count} 條",
+ "newBypass": "新增旁路 {count}",
+ "dbReceiptMissing": "DB receipt 缺口 {count}",
+ "aiRouteMissing": "AI route 缺口 {count}",
+ "workflowDirect": "workflow 直送 {count}",
+ "opsDirect": "ops 直送 {count}",
+ "apiDirect": "API 直送 {count}"
}
},
"reportAutomationReview": {
@@ -9081,35 +9081,35 @@
"blocked": "阻塞"
},
"aiLoopLogSources": {
- "eyebrow": "P0 visual state",
- "title": "Current blocker and repair intake",
- "subtitle": "Shows the blocker, blocker diagnosis, and receipt contract first; technical fields are collapsed so the workbench does not read like a long text list.",
- "loading": "Loading LOG source labels",
- "empty": "No LOG source labels read back yet.",
- "blocker": "Current blocker: {value}",
- "boundary": "Metadata-only labels; no raw log read, no secret display, no writeback, and no runtime apply from this panel.",
- "details": "Expand technical fields",
+ "eyebrow": "P0 視覺狀態",
+ "title": "目前卡點與修復收件",
+ "subtitle": "先顯示目前真正卡住的 blocker、阻塞診斷與收件契約;技術欄位收在展開區,避免把工作台變成長文字清單。",
+ "loading": "讀取 LOG 來源貼標中",
+ "empty": "尚未讀回 LOG 來源貼標。",
+ "blocker": "Current blocker:{value}",
+ "boundary": "只顯示 metadata-only 標籤;不讀 raw log、不顯示 secret、不觸發寫入或 runtime apply。",
+ "details": "展開技術欄位",
"visual": {
- "blocker": "Current blocker",
- "diagnosis": "Blocker diagnosis",
- "receipt": "Receipt contract",
+ "blocker": "目前卡點",
+ "diagnosis": "阻塞診斷",
+ "receipt": "收件契約",
"receiptValue": "{inputs} inputs / {outputs} outputs",
- "currentCd": "Latest CD run",
+ "currentCd": "最新 CD run",
"currentCdValue": "#{run} · {status}",
- "currentCdDetail": "closure: {state}",
- "resolvedByProductionReadback": "Closed by production readback",
- "noActionRequired": "Do not reopen this queue"
+ "currentCdDetail": "closure:{state}",
+ "resolvedByProductionReadback": "已由 production readback 關閉",
+ "noActionRequired": "不需重開此 queue"
},
"rootCause": {
- "sessionTimeout": "Key accepted, session timeout",
+ "sessionTimeout": "Key accepted,session timeout",
"offerTimeout": "Publickey offer timeout",
- "controlledCdLaneGuardrails": "SSH control path and Harbor v2 are readable; controlled CD lane guardrails are still blocked.",
- "productionReadbackResolved": "Latest production readback verified this queue item; it is no longer the current blocker.",
- "unknown": "Waiting for queue diagnosis"
+ "controlledCdLaneGuardrails": "SSH 控制通道與 Harbor v2 已可讀;目前卡在 controlled CD lane guardrails。",
+ "productionReadbackResolved": "最新 production readback 已驗證此 queue item,不再當作目前卡點。",
+ "unknown": "等待 queue 診斷"
},
"phases": {
"ssh": {
- "label": "SSH control path",
+ "label": "SSH 控制通道",
"value": "ready"
},
"harbor": {
@@ -9124,12 +9124,12 @@
},
"liveMetrics": {
"enforcer": "110 enforcer",
- "ready": "metric fresh",
- "missing": "metric missing",
+ "ready": "metric 已更新",
+ "missing": "metric 未讀回",
"enforcerDetail": "apply={apply} · metadata-only={metadata}",
"drainGuard": "Drain guard",
"drainGuardValue": "active={active} / staging={staging}",
- "blockers": "blockers={count}",
+ "blockers": "阻塞項={count}",
"jobs": "Jobs / lane",
"jobsValue": "jobs={jobs} / lane={lane}",
"restoreSources": "restore sources={count}",
@@ -9139,56 +9139,56 @@
},
"metrics": {
"tags": "Tags",
- "groups": "Groups",
+ "groups": "分群鍵",
"contract": "Contract",
"queue": "Queue fields"
},
"queueFields": "Queue normalizer fields",
- "safeNextAction": "Next AI action",
- "safeNextStage": "Stage: {stage} · local console: {local}",
- "safeNextCommand": "Command: {command}",
+ "safeNextAction": "下一步 AI action",
+ "safeNextStage": "Stage:{stage} · local console:{local}",
+ "safeNextCommand": "Command:{command}",
"receipt": {
"inputs": "Receipt inputs",
"outputs": "Receipt outputs"
},
"tagLabels": {
- "projectId": "Project",
- "product": "Product",
- "siteOrRoute": "Site / route",
- "service": "Service",
- "package": "Package",
- "tool": "Tool",
- "sourceSystem": "Source system",
+ "projectId": "專案",
+ "product": "產品",
+ "siteOrRoute": "網站 / 路由",
+ "service": "服務",
+ "package": "套件",
+ "tool": "工具",
+ "sourceSystem": "來源系統",
"runtimeComponent": "Runtime",
- "signalLane": "Signal lane",
- "evidenceBoundary": "Evidence boundary"
+ "signalLane": "訊號 Lane",
+ "evidenceBoundary": "證據邊界"
}
},
"commanderInsertedRequirements": {
- "eyebrow": "Mainline priority",
- "title": "Commander inserted requirement work items",
- "subtitle": "Turns the requirements inserted during this run into ordered work items with P0/P1/P2/P3 priority, status, acceptance criteria, and next action.",
- "total": "Total work items",
- "next": "Current priority",
- "nextAction": "Next action",
- "acceptance": "Acceptance",
- "rowNextAction": "Next action",
- "spotlight": "Mainline spotlight",
- "spotlightSubtitle": "Surfaces the current P0, OpenClaw Live Ops, and non-text-wall UX directly instead of burying them in the long ledger.",
- "fullLedger": "Full ledger: {count} items",
- "loading": "Loading inserted requirement work items",
- "empty": "No inserted requirement work items read back yet.",
+ "eyebrow": "主線優先序",
+ "title": "統帥插入需求工作項",
+ "subtitle": "把本輪中途插入的要求收成正式工作項,依 P0/P1/P2/P3 排序,並顯示狀態、驗收條件與下一步。",
+ "total": "總工作項",
+ "next": "目前優先項",
+ "nextAction": "下一步",
+ "acceptance": "驗收條件",
+ "rowNextAction": "下一步",
+ "spotlight": "主線焦點",
+ "spotlightSubtitle": "直接露出目前 P0、OpenClaw Live Ops 與非文字牆 UX,避免工作項藏在長清單裡。",
+ "fullLedger": "完整總帳 {count} 項",
+ "loading": "讀取插入需求工作項",
+ "empty": "尚未讀回插入需求工作項。",
"order": "order={order}",
"source": "source={source}",
"metrics": {
"active": "active"
},
"statuses": {
- "done": "Done",
- "inProgress": "In progress",
- "pending": "Not started",
- "blocked": "Blocked",
- "deferred": "Deferred"
+ "done": "已完成",
+ "inProgress": "進行中",
+ "pending": "未開始",
+ "blocked": "阻塞",
+ "deferred": "延後"
}
},
"operatorSop": {
@@ -9214,7 +9214,7 @@
},
"inProgress": {
"title": "自動化資產正在補齊,仍需追蹤候選品質",
- "detail": "優先確認候選是否有證據 refs、安全路由、回滾計畫與修復後驗證。"
+ "detail": "優先確認候選是否有證據 參照、安全路由、回滾計畫與修復後驗證。"
},
"watching": {
"title": "目前沒有明顯 AI 受控卡點,持續觀察資料新鮮度",
@@ -9525,7 +9525,7 @@
}
},
"gates": {
- "sourceDossier": "入站告警必須能查到 received / incident_linked / 來源 refs",
+ "sourceDossier": "入站告警必須能查到 received / incident_linked / 來源 參照",
"autoRepair": "必須同時有 auto_repair、verification_result=success與KM 回寫",
"recurrenceWorkItems": "Run 完成無修復、修復失敗與 AI 受控佇列必須進入可追蹤工作項",
"aiRouteRepairWorkItem": "Provider lane 降級時必須顯示 evidence、owner、PlayBook候選與是否可自動修復",
@@ -9632,7 +9632,7 @@
"githubPrimaryReadiness": "候選專案庫={candidates};範圍內={inScope};主要來源就緒={ready}",
"githubPrimaryOwnerResponses": "負責人回覆仍為 0/22;請求可送出不等於已接受",
"githubPrimaryWorkflowNames": "工作流程 / 機密名稱清冊完成=0/7;只收名稱不收機密明文值",
- "githubPrimaryBoundary": "未核准建立專案庫、同步 refs、切換 GitHub primary 或停用 Gitea。",
+ "githubPrimaryBoundary": "未核准建立專案庫、同步 參照、切換 GitHub primary 或停用 Gitea。",
"ownerResponseValidation": "回覆包={packets};範本={templates};已收到={received};已接受={accepted};已拒收={rejected}",
"ownerResponseValidationChecks": "跨包驗收={crossPacket};證據路由={routing};顯示區塊={sections}",
"ownerResponseValidationBoundary": "不建立審批紀錄、不切主要來源、不開執行期閘門"
@@ -10243,7 +10243,7 @@
},
"fields": {
"target_selector": "Target selector",
- "mcp_evidence_refs": "MCP 證據",
+ "mcp_evidence_參照": "MCP 證據",
"route_id": "Route",
"repair_command_template": "修復模板",
"rollback_command_template": "Rollback",
@@ -10297,7 +10297,7 @@
"required": {
"alertname": "告警名稱與觸發條件,避免把不同服務的症狀混用。",
"target_selector": "命名空間、Pod、Deployment、host 或服務選擇器。",
- "mcp_evidence_refs": "MCP / Sentry / SigNoz / K8s / log 證據參照。",
+ "mcp_evidence_參照": "MCP / Sentry / SigNoz / K8s / log 證據參照。",
"repair_command": "受控修復命令或 Ansible playbook,不能是純診斷命令。",
"rollback_command": "修復失敗時的回滾或安全停止方案。",
"verifier_plan": "修復後如何驗證成功、失敗與是否要升級 AI 補齊或 break-glass。",
@@ -10380,10 +10380,10 @@
"matchedIncident": "配對目標:{incident}",
"stage": "階段:{stage}",
"sourceEvent": "來源事件:{event}",
- "sourceRefs": "來源 refs:{refs}(Sentry {sentry} / SignOz {signoz})",
+ "sourceRefs": "來源 參照:{參照}(Sentry {sentry} / SignOz {signoz})",
"sourceFlow": {
"label": "來源流程:{status}",
- "detail": "參照={refs};Sentry={sentry};SigNoz={signoz};事件={event}",
+ "detail": "參照={參照};Sentry={sentry};SigNoz={signoz};事件={event}",
"statuses": {
"applied": "已套用",
"reviewed": "覆核已記錄",
@@ -10633,15 +10633,15 @@
"refs": "關聯索引",
"missingRefs": "缺關聯",
"duplicates": "重複事件",
- "sentry": "Sentry refs",
- "signoz": "SignOz refs"
+ "sentry": "Sentry 參照",
+ "signoz": "SignOz 參照"
},
"details": {
"latest": "最新 {time}",
- "withRefs": "{count} 筆含 來源 refs",
+ "withRefs": "{count} 筆含 來源 參照",
"missingEnvelope": "{count} 筆缺 來源 envelope",
"redacted": "{count} 筆已 redacted",
- "alertRefs": "{count} 個 alert refs",
+ "alertRefs": "{count} 個 alert 參照",
"limit": "最近 {count} 筆視窗"
},
"provider": {
@@ -10770,8 +10770,8 @@
"error": "Callback evidence 載入失敗:{error}",
"summary": {
"outbound": "出站鏡像",
- "outboundDetail": "來源_refs {sourceRefs};trace refs {traceRefs};incident refs {incidentRefs};覆蓋 {coverage}",
- "outboundReplyMarkupDetail": "reply_markup {replyMarkup};缺 trace refs {missingTraceRefs};缺 incident refs {missingIncidentRefs}",
+ "outboundDetail": "來源_參照 {sourceRefs};trace 參照 {traceRefs};incident 參照 {incidentRefs};覆蓋 {coverage}",
+ "outboundReplyMarkupDetail": "reply_markup {replyMarkup};缺 trace 參照 {missingTraceRefs};缺 incident 參照 {missingIncidentRefs}",
"outboundReplyMarkupTraceFreshness": "缺 trace 活躍度:1h {recent1h} / 24h {recent24h} / 最新 {latest}",
"outboundReplyMarkupTraceDecision": "缺 trace 判讀:{status};下一步:{action}",
"outboundReplyMarkupTraceRecovery": "缺 trace 復原訊號:{status};gap 後 traced {count};首筆 {first};最新 {latest}",
@@ -10806,7 +10806,7 @@
},
"traceGapNextActions": {
"none": "不需補動作",
- "inspect_recent_outbound_source_refs": "檢查近 1 小時 outbound 來源_refs",
+ "inspect_recent_outbound_source_參照": "檢查近 1 小時 outbound 來源_參照",
"watch_24h_decay": "觀察 24 小時窗口自然歸零",
"backfill_or_archive_legacy_callbacks": "歸檔或回補舊 callback 缺口",
"observed": "等待下一次 outbound evidence"
@@ -10833,7 +10833,7 @@
"press_telegram_detail_or_history": "按一次 Telegram 詳情 / 歷史產生 callback evidence",
"press_telegram_detail_or_history_after_rollout": "重新按 Telegram 詳情 / 歷史補新版 snapshot",
"review_legacy_callback_snapshot_gap": "新版已捕捉;舊 callback 缺 snapshot不需重複按",
- "review_outbound_source_refs": "檢查 outbound 來源_refs 缺口",
+ "review_outbound_source_參照": "檢查 outbound 來源_參照 缺口",
"observed": "等待下一次 callback evidence"
}
},
@@ -11157,7 +11157,7 @@
"incidentRef": "Incident 參照",
"routeId": "受控路由",
"dryRunEvidence": "乾跑證據",
- "mcpEvidenceRefs": "MCP 證據 refs",
+ "mcpEvidenceRefs": "MCP 證據 參照",
"ownerApprovalReceipt": "Owner 放行回執",
"maintenanceWindow": "維護窗口",
"rollbackOwner": "Rollback Owner",
@@ -11484,11 +11484,11 @@
"unknown": "待負責人補證"
},
"sourceActions": {
- "refsParity": "先取得分支 / 標籤參照一致性、部署真相來源與 rollback owner 的脫敏證據;未接受前不得同步 refs 或切主來源。",
+ "refsParity": "先取得分支 / 標籤參照一致性、部署真相來源與 rollback owner 的脫敏證據;未接受前不得同步 參照 或切主來源。",
"targetDecision": "先取得 GitHub 目標、可見性、標準負責人與後續 owner 的脫敏回覆;未接受前不得建立專案庫或改可見性。",
"internalRemoteDecision": "先確認內部 remote 用途、維運 owner、移除或保留理由與 rollback 方式;未接受前不得改 remote、workflow 或 secret。",
"scopeReview": "先確認是否納入 IwoooS 管控範圍;未接受前只保留觀測,不升級為主來源候選。",
- "unknown": "先補 owner role / team、decision、decision reason、affected scope 與 redacted evidence refs。"
+ "unknown": "先補 owner role / team、decision、decision reason、affected scope 與 redacted evidence 參照。"
}
},
"securityTenantScopeCandidate": {
@@ -11560,7 +11560,7 @@
"sourceScopeWaiting": "租戶原始碼範圍仍等待正式負責人回覆。",
"ownerResponseWaiting": "專案庫負責人回覆尚未接受;此欄位只作 evidence,不阻擋低 / 中 / 高風險 controlled apply。",
"repoCreationLocked": "未取得正式決策前,不建立 GitHub 專案庫或修改可見性。",
- "refsMutationLocked": "未取得分支 / 標籤真相證據前,不同步或修改 refs。",
+ "refsMutationLocked": "未取得分支 / 標籤真相證據前,不同步或修改 參照。",
"githubPrimaryLocked": "GitHub primary 尚未核准切換。",
"giteaDisableLocked": "Gitea 不得停用,仍是目前 CI/CD 來源。",
"tenantPolicyLocked": "租戶政策與遷移模式不得因就緒度顯示而改變。",
@@ -11630,17 +11630,17 @@
}
},
"autonomousRuntime": {
- "title": "AI Controlled Execution Loop",
- "refresh": "Refresh",
- "completion": "{percent}% complete",
- "completionLoading": "Completion reading",
+ "title": "AI 受控執行閉環",
+ "refresh": "重新整理",
+ "completion": "完成 {percent}%",
+ "completionLoading": "完成度讀取中",
"detail": "Incident {incident} / op {op} / {catalog}",
"states": {
- "loading": "Reading production readback",
- "closed": "Loop closed",
- "open": "Loop open",
- "degraded": "Read degraded",
- "unavailable": "Read failed"
+ "loading": "讀取正式 readback",
+ "closed": "閉環完成",
+ "open": "閉環中",
+ "degraded": "讀取降級",
+ "unavailable": "讀取失敗"
},
"metrics": {
"loop": "Loop",
@@ -11658,18 +11658,18 @@
"telegram": "Telegram"
},
"proof": {
- "deploy": "Production deploy",
- "deployDetail": "CD / readback: {status}",
+ "deploy": "正式部署",
+ "deployDetail": "CD / readback:{status}",
"runtime": "Runtime DB",
- "runtimeDetail": "marker: {marker}",
- "workItems": "Work complete",
- "workItemsDetail": "{percent}% complete",
- "sources": "Log sources",
- "sourcesDetail": "Project, product, site, service, package, and tool",
- "events": "Classified events",
- "eventsDetail": "24h {recent}",
- "consumer": "Consumer writeback",
- "consumerDetail": "{targets} targets ready",
+ "runtimeDetail": "marker:{marker}",
+ "workItems": "工作完成",
+ "workItemsDetail": "完成度 {percent}%",
+ "sources": "Log 來源",
+ "sourcesDetail": "專案 / 產品 / 網站 / 服務 / 套件 / 工具",
+ "events": "分類事件",
+ "eventsDetail": "近 24h {recent}",
+ "consumer": "Consumer 回寫",
+ "consumerDetail": "{targets} 個 target ready",
"ok": "ok",
"degraded": "degraded"
},
@@ -11685,7 +11685,7 @@
"contextWrites": "Context receipts",
"contextWritesDetail": "target writeback receipts",
"blockers": "Active blockers",
- "noBlockers": "No active blocker",
+ "noBlockers": "無 active blocker",
"targetDetail": "context writes / bindings",
"targetsMap": {
"km": "KM",
@@ -11696,22 +11696,22 @@
"aiAgent": "AI Agent"
}
},
- "recent": "24h {count}",
- "missing": "{count} missing",
+ "recent": "近 24h {count}",
+ "missing": "缺 {count} 節點",
"closedDetail": "required stages ok",
- "traceCaption": "{count} stages / {missing} missing",
+ "traceCaption": "{count} 節點 / 缺 {missing}",
"taxonomy": {
- "sources": "Log sources",
- "products": "Product scopes",
- "labels": "Label dimensions",
- "events": "Classified events",
- "learning": "Learning sources",
- "workItems": "Work items",
- "productsDetail": "adapter active {active} / missing dimensions {missing}",
- "workItemsDetail": "Active {active} / pending {pending} / blocked {blocked}"
+ "sources": "Log 來源",
+ "products": "產品範圍",
+ "labels": "貼標維度",
+ "events": "分類事件",
+ "learning": "學習來源",
+ "workItems": "工作項目",
+ "productsDetail": "adapter active {active} / 缺維度 {missing}",
+ "workItemsDetail": "進行 {active} / 待辦 {pending} / 阻塞 {blocked}"
},
"policy": {
- "label": "Controlled risk tiers",
+ "label": "受控風險層",
"critical": "Critical",
"breakGlass": "break-glass"
},
@@ -11720,35 +11720,35 @@
"medium": "medium",
"high": "high"
},
- "nextAction": "Next action",
+ "nextAction": "下一步",
"workBoard": {
- "title": "Priority Work Board",
- "subtitle": "{ordered} mainline items; {sources} log source families.",
- "completedOfTotal": "{completed}/{total} completed",
- "sourceCoverage": "Source coverage",
- "sourceCoverageDetail": "Project, product, site, service, package, and tool logs are classified and labeled.",
- "empty": "No work items match this filter.",
+ "title": "優先工作板",
+ "subtitle": "主線 {ordered} 項;Log 來源 {sources} 組。",
+ "completedOfTotal": "完成 {completed}/{total}",
+ "sourceCoverage": "來源覆蓋",
+ "sourceCoverageDetail": "專案 / 產品 / 網站 / 服務 / 套件 / 工具 Log 已分類貼標。",
+ "empty": "此篩選目前沒有工作項。",
"filters": {
- "all": "All",
- "completed": "Completed",
- "active": "Active",
- "pending": "Pending",
- "blocked": "Blocked"
+ "all": "全部",
+ "completed": "已完成",
+ "active": "進行中",
+ "pending": "待推進",
+ "blocked": "阻塞"
},
"statuses": {
- "completed": "Completed",
- "in_progress": "In progress",
- "pending": "Pending",
- "blocked": "Blocked",
- "not_started": "Not started",
- "unknown": "Unknown"
+ "completed": "已完成",
+ "in_progress": "進行中",
+ "pending": "待推進",
+ "blocked": "阻塞",
+ "not_started": "未開始",
+ "unknown": "未知"
}
}
},
"alerts": {
"aiLoop": {
- "title": "Alert AI Loop",
- "subtitle": "Alert signals are aligned to LOG / KM / RAG / MCP / PlayBook / Verifier runtime receipts.",
+ "title": "告警 AI Loop",
+ "subtitle": "告警訊號直接對齊 LOG / KM / RAG / MCP / PlayBook / Verifier 的 runtime receipt。",
"badge": "controlled automation",
"runs": "Runs",
"workItems": "Work Items",
@@ -12079,32 +12079,32 @@
"expiredDetail": "改排 AI retry / rollback / verifier,不預設人工結案"
},
"logAutomation": {
- "eyebrow": "LOG / KM / RAG / MCP / PlayBook Mainline",
- "title": "AI Automation Writeback And Executor Queue",
- "subtitle": "Reads the production executor readback directly and connects service log labels, feedback receipts, post-write verifier, controlled plan, and AI Agent next action queue into one trackable mainline.",
- "refresh": "Refresh mainline",
- "loadFailed": "AI automation mainline readback failed to load",
- "emptyBatches": "No executor batches returned yet",
- "boundary": "This panel shows the low / medium / high metadata writeback queue available to AI controlled apply. Runtime dispatch truth still comes from production readback; critical remains break-glass.",
- "errorDetail": "AI automation mainline read failed: {error}",
+ "eyebrow": "LOG / KM / RAG / MCP / PlayBook 主線",
+ "title": "AI 自動化回寫與執行器隊列",
+ "subtitle": "直接讀取正式 API 的 executor readback,把服務日誌貼標、feedback receipt、post-write verifier、controlled plan 與 AI Agent next action queue 串成同一條可追蹤主線。",
+ "refresh": "刷新主線",
+ "loadFailed": "AI 自動化主線 readback 載入失敗",
+ "emptyBatches": "尚未取得 executor batch",
+ "boundary": "此面板顯示 AI controlled apply 已具備的低 / 中 / 高風險 metadata writeback 隊列;runtime dispatch 是否已執行仍以正式 readback 為準,critical 維持 break-glass。",
+ "errorDetail": "AI 自動化主線讀取失敗:{error}",
"status": {
- "loading": "Loading mainline",
+ "loading": "讀取主線",
"ready": "executor ready",
- "waiting": "waiting readback",
+ "waiting": "等待 readback",
"error": "readback failed"
},
"metrics": {
- "plans": "Writeback plans",
- "plansDetail": "Verified KM / RAG / MCP / PlayBook / Agent plans.",
- "batches": "Executor batches",
- "batchesDetail": "ready / total batches consumable by AI Agent controlled apply.",
- "selectors": "Target selectors",
- "selectorsDetail": "Every writeback binds project, service, package, and tool.",
- "verifiers": "Post-apply verifiers",
- "verifiersDetail": "Every target batch must carry a verifier ref."
+ "plans": "回寫計畫",
+ "plansDetail": "已驗證的 KM / RAG / MCP / PlayBook / Agent plan。",
+ "batches": "Executor 批次",
+ "batchesDetail": "ready / total,供 AI Agent controlled apply 消費。",
+ "selectors": "目標 selector",
+ "selectorsDetail": "每筆回寫都要綁 project、service、package、tool。",
+ "verifiers": "Post-apply verifier",
+ "verifiersDetail": "每個 target batch 都必須有 verifier ref。"
},
"stages": {
- "logs": "LOG labels",
+ "logs": "LOG 貼標",
"receipts": "Feedback receipts",
"verifier": "Post-write verifier",
"plan": "Controlled plan",
@@ -12120,20 +12120,20 @@
"unknown": "Unknown"
},
"policy": {
- "controlledApply": "L/M/H controlled apply",
- "ownerReview": "L/M/H controlled review",
+ "controlledApply": "低中高風險 controlled apply",
+ "ownerReview": "低中高受控審查",
"critical": "Critical",
"runtime": "Runtime dispatch",
"queue": "Next action queue",
"evidence": "Evidence chain"
},
"values": {
- "on": "on",
- "off": "off",
- "required": "required",
- "notRequired": "not required",
- "performed": "performed",
- "notPerformed": "not performed"
+ "on": "開啟",
+ "off": "關閉",
+ "required": "必要",
+ "notRequired": "不必要",
+ "performed": "已執行",
+ "notPerformed": "未執行"
}
},
"decisionRail": {
@@ -12167,8 +12167,8 @@
"detail": "需要 AI 補齊、retry、rollback 或 break-glass 的審批"
},
"handoff": {
- "title": "Action Packages",
- "detail": "Gate 5 projections, historical evidence, and AI work item backfill"
+ "title": "處置包",
+ "detail": "Gate 5、歷史證據與 AI 工作項補齊"
},
"verifier": {
"title": "驗證",
@@ -12181,7 +12181,7 @@
"detail": "找出 learning_recorded、execution_failed、AI retry / rollback 或逾時的審批。",
"cta": "查看卡點",
"meta": {
- "controlledAction": "AI action package",
+ "controlledAction": "AI 處置包",
"executionFailed": "執行失敗 / 降級",
"learningRecorded": "卡在學習紀錄"
}
@@ -12203,7 +12203,7 @@
"meta": {
"gate5": "Gate 5 投影",
"legacy": "Legacy HITL",
- "controlledAction": "AI backfill"
+ "controlledAction": "AI 補齊"
}
},
"guardrail": {
@@ -12218,8 +12218,8 @@
}
},
"controlledProof": {
- "title": "Low / Medium / High default to AI controlled apply",
- "detail": "AI action packages {packages}; Gate 5 {gate5}; historical HITL evidence {legacy}. Only critical / break-glass goes to incident-grade authorization; the rest is completed by AI selectors, check-mode, rollback, and verifiers."
+ "title": "低 / 中 / 高風險預設 AI controlled apply",
+ "detail": "AI 處置包 {packages};Gate 5 {gate5};既有 HITL 歷史證據 {legacy}。critical / break-glass 才進事故級授權,其餘由 AI 補齊 selector、check-mode、rollback 與 verifier。"
}
},
"badges": {
@@ -12270,7 +12270,7 @@
"openTickets": "Tickets",
"empty": "無",
"flowTitle": "處理流程",
- "handoffTitle": "Approvals And AI Action Packages",
+ "handoffTitle": "審批與 AI 處置包",
"timelineEmpty": "尚未取得 Incident timeline。",
"linkedExplanation": "此 Incident 已有受控決策 / timeline 關聯;若下方 AI 受控清單為空,代表它可能已完成、過期、拒絕,或已轉成 verifier / rollback / AI 補齊。",
"unlinkedExplanation": "目前沒有對應 批准 id;這代表此 Incident不是等待批准的狀態,應從 Work Items / Runs 追下一步。",
@@ -12279,15 +12279,15 @@
"no": "不需 AI 補齊"
},
"controlledAction": {
- "yes": "AI action package pending",
- "no": "AI action package clear"
+ "yes": "AI 處置包待補齊",
+ "no": "AI 處置包已清空"
},
"metrics": {
"approvals": "關聯審批",
"stage": "目前階段",
"repair": "修復狀態",
"verification": "驗證",
- "handoff": "AI Action Package"
+ "handoff": "AI 處置包"
},
"handoff": {
"approvalIds": "Approval IDs",
@@ -12330,12 +12330,12 @@
}
},
"legacyHitl": {
- "title": "Existing HITL Evidence Queue",
- "subtitle": "These rows come from approval_records and are not AwoooP run approvals; keep them as historical evidence and route follow-up into AI controlled work items.",
+ "title": "既有 HITL 歷史證據佇列",
+ "subtitle": "這批來自 批准_records,不屬於 AwoooP run 批准;以歷史證據保留,後續導回 AI 受控工作項。",
"openAuthorizations": "開啟授權中心",
"loadFailed": "既有 HITL backlog 載入失敗:{error}",
- "tableLabel": "Existing HITL Evidence Queue",
- "moreRows": "Only the latest 8 rows are shown; track the remaining {count} in the authorization center.",
+ "tableLabel": "既有 HITL 歷史證據佇列",
+ "moreRows": "只顯示最新 8 筆,其餘 {count} 筆請到授權中心追蹤。",
"noTelegram": "無 Telegram",
"telegramRef": "Telegram #{id}",
"summary": {
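Review bot: In `legacyHitl.subtitle` the record-source name was caught by the text replacement and now reads `批准_records`, while the removed English string names it `approval_records`. An operator reading this evidence queue can no longer match the label to the actual source of the rows. Keep the identifier verbatim and translate only the surrounding prose, e.g. `這批來自 approval_records,不屬於 AwoooP run 批准;…`.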
@@ -13236,7 +13236,7 @@
"boundary": {
"label": "目前邊界",
"state": "AI 受控推進 / critical break-glass",
- "detail": "低 / 中 / 高風險走 selector、dry-run、rollback 與 verifier;secret、破壞性 DB、重啟、付費 provider 與 refs 破壞維持 break-glass。"
+ "detail": "低 / 中 / 高風險走 selector、dry-run、rollback 與 verifier;secret、破壞性 DB、重啟、付費 provider 與 參照 破壞維持 break-glass。"
},
"commandRail": {
"eyebrow": "控制面",
@@ -17322,7 +17322,7 @@
"handoffRuntimeGatePointer": {
"title": "執行期閘門指標包",
"body": "任何掃描、修復、主機更新或阻擋控制都必須留在獨立執行期閘門。",
- "handoff": "Only mark which controlled runtime gate may be needed later.",
+ "handoff": "只標記後續可能需要哪一種受控執行期閘門。",
"guard": "不呼叫 Kali、不開 SSH、不更新主機、不執行修復。"
},
"handoffSourceControlPointer": {
@@ -17334,8 +17334,8 @@
}
},
"ownerResponseFormalRecordOwnerHandoffReviewBoard": {
- "title": "Controlled Decision Record Handoff Checklist",
- "subtitle": "Before a handoff packet enters controlled review, seven read-only acceptance checks confirm whether the data is sufficient; this is still not record-owner assignment, a formal record, break-glass approval, or execution authorization. Checks=7, passed=0, assigned=0, runtime gates=0.",
+ "title": "受控決策正式紀錄交接驗收清單",
+ "subtitle": "交接包進入受控檢查前,先用七個只讀驗收項確認資料是否足夠;這仍不是紀錄負責人指派、正式紀錄、break-glass 批准或執行授權。現在驗收項=7、通過=0、已指派=0、執行期閘門=0。",
"checkLabel": "驗收項",
"reviewLabel": "檢查方式",
"guardLabel": "仍不會做",
@@ -17361,14 +17361,14 @@
"items": {
"packetCompleteness": {
"title": "交接包完整性",
- "body": "Check whether all seven handoff packets include source, summary, limits, gaps, and follow-up controlled confirmation fields.",
+ "body": "檢查七個交接包是否都有來源、摘要、限制、缺口與後續受控確認欄位。",
"review": "只列出缺漏欄位與待補項目。",
"guard": "不補寫正式紀錄、不自動產生批准文字。"
},
"recordOwnerIdentityScope": {
"title": "負責人身分範圍",
"body": "檢查交接包是否說明未來紀錄負責人的角色範圍、責任邊界與可聯絡依據。",
- "review": "Only confirm whether identity fields are sufficient for controlled interpretation.",
+ "review": "只確認身分欄位是否足夠受控判讀。",
"guard": "不代填姓名、不查外部帳號、不自動指派。"
},
"authorityBoundaryMatch": {
@@ -17385,7 +17385,7 @@
},
"reviewerNoteConfirm": {
"title": "審查備註確認",
- "body": "Check whether return reasons, evidence-completion status, review notes, and unresolved items are sufficient for the next reviewer.",
+ "body": "檢查退回理由、補證狀態、審查備註與未決事項是否足夠讓下一位審查者接手。",
"review": "只整理既有備註是否完整。",
"guard": "不建立外部任務、不自動通知、不改審查結論。"
},
@@ -17404,8 +17404,8 @@
}
},
"ownerResponseFormalRecordOwnerHandoffReviewOutcomeBoard": {
- "title": "Controlled Decision Record Handoff Outcome Routing",
- "subtitle": "After handoff acceptance, outcomes only land in eight read-only routes; this is still not record-owner assignment, a formal record, break-glass approval, or execution authorization. Routes=8, ready for controlled review=0, assigned=0, runtime gates=0.",
+ "title": "受控決策正式紀錄交接驗收結果分流",
+ "subtitle": "交接驗收後只會落到八條只讀結果分流;這仍不是紀錄負責人指派、正式紀錄、break-glass 批准或執行授權。現在分流=8、可進負責人檢查=0、已指派=0、執行期閘門=0。",
"laneLabel": "結果分流",
"resultLabel": "分流結果",
"guardLabel": "仍不會做",
@@ -17431,7 +17431,7 @@
"items": {
"remainReviewWaiting": {
"title": "維持驗收等待",
- "body": "If the handoff packet is still waiting for controlled review, the result can only remain in a waiting state.",
+ "body": "若交接包仍在等待受控檢查,結果只能維持等待狀態。",
"result": "只顯示仍待驗收與缺少哪一類檢查。",
"guard": "不自動通過、不建立正式紀錄、不指派負責人。"
},
@@ -17443,7 +17443,7 @@
},
"requestOwnerScopeClarification": {
"title": "要求負責人範圍說明",
- "body": "If the future record owner's role, authority, or contact basis is unclear, request controlled clarification.",
+ "body": "若未來紀錄負責人的角色、權責或聯絡依據不清,必須要求受控說明。",
"result": "只標記需要補充哪一類負責人範圍。",
"guard": "不查外部帳號、不代填姓名、不自動指派。"
},
@@ -17454,9 +17454,9 @@
"guard": "不讀取機密明文、不保存原始載荷、不抓外部系統。"
},
"readyForRecordOwnerReview": {
- "title": "Ready for Controlled Record Review",
- "body": "If all acceptance checks are sufficient, the handoff packet can enter controlled record review, but this is still not an assignment.",
- "result": "Only mark it ready for controlled review and wait for controlled review confirmation.",
+ "title": "可進受控負責人檢查",
+ "body": "若驗收項都足夠,交接包可以進入受控紀錄負責人檢查,但仍不是指派。",
+ "result": "只標記可進受控檢查,等待 controlled review 確認。",
"guard": "不自動升格、不建立正式紀錄、不建立審批紀錄。"
},
"quarantineSensitivePayload": {
@@ -17480,8 +17480,8 @@
}
},
"ownerResponseFormalRecordOwnerReviewPreparationBoard": {
- "title": "Controlled Decision Record Owner Review Preparation Packets",
- "subtitle": "If the handoff outcome can enter controlled review, only eight preparation packets are assembled before controlled review; this is not record-owner assignment, a formal record, break-glass approval, or execution authorization. Packets=8, review-ready=0, assigned=0, runtime gates=0.",
+ "title": "受控決策正式紀錄負責人檢查準備包",
+ "subtitle": "交接驗收結果若可進負責人檢查,仍只能整理受控檢查前需要看的八個準備包;這不是紀錄負責人指派、正式紀錄、break-glass 批准或執行授權。現在準備包=8、可檢查=0、已指派=0、執行期閘門=0。",
"packetLabel": "準備包",
"prepareLabel": "準備方式",
"guardLabel": "仍不會做",
@@ -20849,7 +20849,7 @@
"sourceRepo": {
"title": "版本來源與 dirty workspace 判定",
"missing": "本機 repo 有 51 個修改或未追蹤項目;尚未判定 WIP、release candidate 與 canonical remote。",
- "next": "先收 refs truth 與 dirty workspace disposition;不得 push、rebase、同步 refs 或改 workflow。"
+ "next": "先收 參照 truth 與 dirty workspace disposition;不得 push、rebase、同步 參照 或改 workflow。"
},
"deployBoundary": {
"title": "部署邊界與回復條件",
@@ -21279,7 +21279,7 @@
"waiting_redacted_counts": "待脫敏計數",
"waiting_per_host_matrix": "待逐主機矩陣",
"waiting_time_window": "待時間窗",
- "waiting_health_refs": "待健康參照",
+ "waiting_health_參照": "待健康參照",
"reject_sensitive_payloads": "拒收敏感內容",
"waiting_owner_decision": "待負責人決策",
"runtime_closed": "執行期關閉"
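Review bot: The message key itself is renamed in this hunk, `"waiting_health_refs"` becomes `"waiting_health_參照"`, which looks like a side effect of a blanket refs→參照 text replacement rather than an intended change. Message keys are identifiers the UI looks up (this one appears to mirror a status value), so unless every caller changed in the same commit this status will render as a missing key on a security evidence panel. Keep the key and translate only the value: `"waiting_health_refs": "待健康參照",`. The same key mangling appears in the zh-TW.json hunks at -10243 and -10297 (`mcp_evidence_參照`), -10806 (`inspect_recent_outbound_source_參照`), -10833 (`review_outbound_source_參照`) and -21279.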
@@ -21409,7 +21409,7 @@
"wazuhManagerRegistryReviewerValidation": {
"eyebrow": "Wazuh manager registry reviewer validation",
"title": "Owner export 進來後,先由 reviewer 驗收脫敏清單",
- "subtitle": "這張卡固定 Wazuh manager registry owner export 的驗收規則:欄位、計數、公開別名矩陣、Dashboard API 修復讀回、唯讀 credential metadata、拒收內容與下一個 Gate 都先可視化;目前已有一筆脫敏 evidence refs 通過 reviewer validation,但仍不開 runtime。",
+ "subtitle": "這張卡固定 Wazuh manager registry owner export 的驗收規則:欄位、計數、公開別名矩陣、Dashboard API 修復讀回、唯讀 credential metadata、拒收內容與下一個 Gate 都先可視化;目前已有一筆脫敏 evidence 參照 通過 reviewer validation,但仍不開 runtime。",
"loadingBoundary": "正在讀取 Wazuh manager registry reviewer validation API",
"validationEndpointLabel": "脫敏 owner export 驗證端點",
"validationModeLabel": "驗證模式",
@@ -21423,7 +21423,7 @@
"checksLoading": "正在讀取 reviewer checks。",
"checksFallback": "Reviewer checks 尚未由正式 API 讀回,維持 fallback 停止線。",
"boundaryTitle": "Reviewer validation 停止線",
- "boundaryIntro": "以下鍵值固定:reviewer validation passed 只代表脫敏 evidence refs 通過 no-persist 驗證;accepted 不代表 manager registry accepted、主動回應流程、agent restart、主機變更、機密輪替或 runtime gate 已授權。",
+ "boundaryIntro": "以下鍵值固定:reviewer validation passed 只代表脫敏 evidence 參照 通過 no-persist 驗證;accepted 不代表 manager registry accepted、主動回應流程、agent restart、主機變更、機密輪替或 runtime gate 已授權。",
"status": {
"loading": "正在讀取 Wazuh manager registry reviewer validation",
"failed": "Wazuh manager registry reviewer validation API 尚未部署或讀取失敗",
@@ -21444,7 +21444,7 @@
},
"passed": {
"label": "Reviewer passed",
- "detail": "一筆脫敏 owner export refs 已通過 no-persist reviewer validation。"
+ "detail": "一筆脫敏 owner export 參照 已通過 no-persist reviewer validation。"
},
"postEnable": {
"label": "Post-enable",
@@ -21464,7 +21464,7 @@
},
"received": {
"label": "已收 export",
- "detail": "已收到一筆 owner-provided redacted registry export refs。"
+ "detail": "已收到一筆 owner-provided redacted registry export 參照。"
},
"accepted": {
"label": "已接受",
@@ -21647,7 +21647,7 @@
},
"signals": {
"label": "訊號源",
- "detail": "12 條訊號源等待 owner 提供脫敏 evidence refs。"
+ "detail": "12 條訊號源等待 owner 提供脫敏 evidence 參照。"
},
"runtimeGate": {
"label": "執行期",
@@ -21661,7 +21661,7 @@
},
"wazuhSiem": {
"title": "Wazuh SIEM 待收件",
- "body": "manager、agent、FIM、rule、decoder 與 event refs 只能用脫敏參照進入 IwoooS,不接 raw payload。"
+ "body": "manager、agent、FIM、rule、decoder 與 event 參照 只能用脫敏參照進入 IwoooS,不接 raw payload。"
},
"kali112": {
"title": "資安觀測節點 維持只讀",
@@ -21734,7 +21734,7 @@
},
"hostForensics": {
"title": "主機入侵不能只靠宣稱",
- "body": "需要 Wazuh event、auth、process、network、FIM、package、persistence、containment 與 recovery proof refs。"
+ "body": "需要 Wazuh event、auth、process、network、FIM、package、persistence、containment 與 recovery proof 參照。"
},
"gatewayNginx": {
"title": "Nginx 入口先收 live diff",
@@ -21746,7 +21746,7 @@
},
"hostRuntime": {
"title": "Docker 與 systemd 要收 runtime 證據",
- "body": "需要 daemon、unit、process、port binding、dependency、recovery proof 與 postcheck refs,避免只靠 route 回 200 誤判。"
+ "body": "需要 daemon、unit、process、port binding、dependency、recovery proof 與 postcheck 參照,避免只靠 route 回 200 誤判。"
},
"alertReceipt": {
"title": "告警要能收件與行動",
@@ -21765,7 +21765,7 @@
"securityAssetControlLedger": {
"eyebrow": "P0-A 資安資產控制總帳",
"title": "把主機、入口、版本來源、監控、Wazuh、Kali 與供應鏈收成一張總帳",
- "subtitle": "這張卡把 16 個資安資產群組、64 個 evidence refs 與 24 個 owner 必填欄位收成 P0-A 只讀總帳;目前只顯示脫敏群組、缺口與 0/false 邊界,不讀 live 主機、不呼叫 Wazuh / Kali、不執行掃描、封鎖、reload 或部署。",
+ "subtitle": "這張卡把 16 個資安資產群組、64 個 evidence 參照 與 24 個 owner 必填欄位收成 P0-A 只讀總帳;目前只顯示脫敏群組、缺口與 0/false 邊界,不讀 live 主機、不呼叫 Wazuh / Kali、不執行掃描、封鎖、reload 或部署。",
"checkLabel": "檢核",
"stateLabel": "狀態",
"boundaryTitle": "資安資產總帳邊界",
@@ -21781,7 +21781,7 @@
},
"evidenceRefs": {
"label": "證據參照",
- "detail": "64 個 committed evidence refs 全部存在,缺失為 0。"
+ "detail": "64 個 committed evidence 參照 全部存在,缺失為 0。"
},
"runtimeGate": {
"label": "執行期",
@@ -21803,7 +21803,7 @@
},
"wazuhKali": {
"title": "Wazuh / Kali 維持證據收件",
- "body": "Wazuh event refs、Kali scope、health 與 finding envelope 仍待補;主動回應流程、active scan 與 /execute 仍未授權。"
+ "body": "Wazuh event 參照、Kali scope、health 與 finding envelope 仍待補;主動回應流程、active scan 與 /execute 仍未授權。"
},
"alertBackup": {
"title": "告警與復原避免假綠燈",
@@ -21972,7 +21972,7 @@
},
"canonicalFields": {
"title": "欄位對齊 S4.9 envelope",
- "body": "owner role / team、decision、decision reason、affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan 已成為 packet 欄位。"
+ "body": "owner role / team、decision、decision reason、affected scope、redacted evidence 參照、followup owner、rollback owner、maintenance window 與 validation plan 已成為 packet 欄位。"
},
"requestState": {
"title": "尚未送出 owner request",
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json
index 18907b92..d820727f 100644
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -229,7 +229,7 @@
},
"credential_escrow": {
"title": "P0-005 credential escrow",
- "description": "已收斂 non-secret evidence refs 與 reviewer acceptance readback;不寫 credential marker、不收 secret。",
+ "description": "已收斂 non-secret evidence 參照 與 reviewer acceptance readback;不寫 credential marker、不收 secret。",
"metric": "evidence {accepted}/{required}"
},
"gitea": {
@@ -251,7 +251,7 @@
"boundaries": {
"secret": "不收機密明文、授權憑證、瀏覽器憑證或私有存取材料。",
"production": "不直接改 production runtime、public gateway、Nginx、Docker、K8s 或 firewall。",
- "repo": "不直接建立 repo、改 visibility、sync refs、force push 或 trigger workflow;GitHub 維持 stopped / do_not_use。",
+ "repo": "不直接建立 repo、改 visibility、sync 參照、force push 或 trigger workflow;GitHub 維持 stopped / do_not_use。",
"data": "不直接做資料庫、backup、restore 或 migration 寫操作。",
"security": "不啟動 Wazuh / Kali 主動回應流程、active scan 或 host containment。"
},
@@ -978,7 +978,7 @@
},
"sourceDossier": {
"title": "Sentry / SigNoz 來源卷宗證據",
- "detail": "最近來源 {sources} 筆;Sentry refs {sentry}、SigNoz refs {signoz},用 provider 篩選驗證,不再被整體樣本誤判。"
+ "detail": "最近來源 {sources} 筆;Sentry 參照 {sentry}、SigNoz 參照 {signoz},用 provider 篩選驗證,不再被整體樣本誤判。"
},
"callbackEvidence": {
"title": "Telegram 詳情 / 歷史 DB 真相鏈",
@@ -1212,8 +1212,8 @@
"kmBurndown": "/api/v1/ai/governance/km-stale-owner-review-burndown"
},
"signal": {
- "metric": "來源 {sources} / refs {refs}",
- "detail": "missing refs {missing},duplicates {duplicates};Alert {alert} / Sentry(provider) {sentry} / SigNoz(provider) {signoz}"
+ "metric": "來源 {sources} / 參照 {參照}",
+ "detail": "missing 參照 {missing},duplicates {duplicates};Alert {alert} / Sentry(provider) {sentry} / SigNoz(provider) {signoz}"
},
"intake": {
"metric": "Runs {runs} / linked {linked}",
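Review bot: The interpolation argument in `signal.metric` is renamed from `{refs}` to `{參照}`, so the placeholder no longer matches the argument name the caller passes (presumably still `refs`; the call site is not in this diff). Depending on the message formatter, this either leaves the placeholder unfilled or fails at format time. Restore the argument name and translate only the label: `"metric": "來源 {sources} / 參照 {refs}",`. The `sourceRefs` and `sourceFlow.detail` strings in the -10380 hunk have the same problem.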
@@ -9129,7 +9129,7 @@
"enforcerDetail": "apply={apply} · metadata-only={metadata}",
"drainGuard": "Drain guard",
"drainGuardValue": "active={active} / staging={staging}",
- "blockers": "阻塞={count}",
+ "blockers": "阻塞項={count}",
"jobs": "Jobs / lane",
"jobsValue": "jobs={jobs} / lane={lane}",
"restoreSources": "restore sources={count}",
@@ -9214,7 +9214,7 @@
},
"inProgress": {
"title": "自動化資產正在補齊,仍需追蹤候選品質",
- "detail": "優先確認候選是否有證據 refs、安全路由、回滾計畫與修復後驗證。"
+ "detail": "優先確認候選是否有證據 參照、安全路由、回滾計畫與修復後驗證。"
},
"watching": {
"title": "目前沒有明顯 AI 受控卡點,持續觀察資料新鮮度",
@@ -9525,7 +9525,7 @@
}
},
"gates": {
- "sourceDossier": "入站告警必須能查到 received / incident_linked / 來源 refs",
+ "sourceDossier": "入站告警必須能查到 received / incident_linked / 來源 參照",
"autoRepair": "必須同時有 auto_repair、verification_result=success與KM 回寫",
"recurrenceWorkItems": "Run 完成無修復、修復失敗與 AI 受控佇列必須進入可追蹤工作項",
"aiRouteRepairWorkItem": "Provider lane 降級時必須顯示 evidence、owner、PlayBook候選與是否可自動修復",
@@ -9632,7 +9632,7 @@
"githubPrimaryReadiness": "候選專案庫={candidates};範圍內={inScope};主要來源就緒={ready}",
"githubPrimaryOwnerResponses": "負責人回覆仍為 0/22;請求可送出不等於已接受",
"githubPrimaryWorkflowNames": "工作流程 / 機密名稱清冊完成=0/7;只收名稱不收機密明文值",
- "githubPrimaryBoundary": "未核准建立專案庫、同步 refs、切換 GitHub primary 或停用 Gitea。",
+ "githubPrimaryBoundary": "未核准建立專案庫、同步 參照、切換 GitHub primary 或停用 Gitea。",
"ownerResponseValidation": "回覆包={packets};範本={templates};已收到={received};已接受={accepted};已拒收={rejected}",
"ownerResponseValidationChecks": "跨包驗收={crossPacket};證據路由={routing};顯示區塊={sections}",
"ownerResponseValidationBoundary": "不建立審批紀錄、不切主要來源、不開執行期閘門"
@@ -10243,7 +10243,7 @@
},
"fields": {
"target_selector": "Target selector",
- "mcp_evidence_refs": "MCP 證據",
+ "mcp_evidence_參照": "MCP 證據",
"route_id": "Route",
"repair_command_template": "修復模板",
"rollback_command_template": "Rollback",
@@ -10297,7 +10297,7 @@
"required": {
"alertname": "告警名稱與觸發條件,避免把不同服務的症狀混用。",
"target_selector": "命名空間、Pod、Deployment、host 或服務選擇器。",
- "mcp_evidence_refs": "MCP / Sentry / SigNoz / K8s / log 證據參照。",
+ "mcp_evidence_參照": "MCP / Sentry / SigNoz / K8s / log 證據參照。",
"repair_command": "受控修復命令或 Ansible playbook,不能是純診斷命令。",
"rollback_command": "修復失敗時的回滾或安全停止方案。",
"verifier_plan": "修復後如何驗證成功、失敗與是否要升級 AI 補齊或 break-glass。",
@@ -10380,10 +10380,10 @@
"matchedIncident": "配對目標:{incident}",
"stage": "階段:{stage}",
"sourceEvent": "來源事件:{event}",
- "sourceRefs": "來源 refs:{refs}(Sentry {sentry} / SignOz {signoz})",
+ "sourceRefs": "來源 參照:{參照}(Sentry {sentry} / SignOz {signoz})",
"sourceFlow": {
"label": "來源流程:{status}",
- "detail": "參照={refs};Sentry={sentry};SigNoz={signoz};事件={event}",
+ "detail": "參照={參照};Sentry={sentry};SigNoz={signoz};事件={event}",
"statuses": {
"applied": "已套用",
"reviewed": "覆核已記錄",
@@ -10633,15 +10633,15 @@
"refs": "關聯索引",
"missingRefs": "缺關聯",
"duplicates": "重複事件",
- "sentry": "Sentry refs",
- "signoz": "SignOz refs"
+ "sentry": "Sentry 參照",
+ "signoz": "SignOz 參照"
},
"details": {
"latest": "最新 {time}",
- "withRefs": "{count} 筆含 來源 refs",
+ "withRefs": "{count} 筆含 來源 參照",
"missingEnvelope": "{count} 筆缺 來源 envelope",
"redacted": "{count} 筆已 redacted",
- "alertRefs": "{count} 個 alert refs",
+ "alertRefs": "{count} 個 alert 參照",
"limit": "最近 {count} 筆視窗"
},
"provider": {
@@ -10770,8 +10770,8 @@
"error": "Callback evidence 載入失敗:{error}",
"summary": {
"outbound": "出站鏡像",
- "outboundDetail": "來源_refs {sourceRefs};trace refs {traceRefs};incident refs {incidentRefs};覆蓋 {coverage}",
- "outboundReplyMarkupDetail": "reply_markup {replyMarkup};缺 trace refs {missingTraceRefs};缺 incident refs {missingIncidentRefs}",
+ "outboundDetail": "來源_參照 {sourceRefs};trace 參照 {traceRefs};incident 參照 {incidentRefs};覆蓋 {coverage}",
+ "outboundReplyMarkupDetail": "reply_markup {replyMarkup};缺 trace 參照 {missingTraceRefs};缺 incident 參照 {missingIncidentRefs}",
"outboundReplyMarkupTraceFreshness": "缺 trace 活躍度:1h {recent1h} / 24h {recent24h} / 最新 {latest}",
"outboundReplyMarkupTraceDecision": "缺 trace 判讀:{status};下一步:{action}",
"outboundReplyMarkupTraceRecovery": "缺 trace 復原訊號:{status};gap 後 traced {count};首筆 {first};最新 {latest}",
@@ -10806,7 +10806,7 @@
},
"traceGapNextActions": {
"none": "不需補動作",
- "inspect_recent_outbound_source_refs": "檢查近 1 小時 outbound 來源_refs",
+ "inspect_recent_outbound_source_參照": "檢查近 1 小時 outbound 來源_參照",
"watch_24h_decay": "觀察 24 小時窗口自然歸零",
"backfill_or_archive_legacy_callbacks": "歸檔或回補舊 callback 缺口",
"observed": "等待下一次 outbound evidence"
@@ -10833,7 +10833,7 @@
"press_telegram_detail_or_history": "按一次 Telegram 詳情 / 歷史產生 callback evidence",
"press_telegram_detail_or_history_after_rollout": "重新按 Telegram 詳情 / 歷史補新版 snapshot",
"review_legacy_callback_snapshot_gap": "新版已捕捉;舊 callback 缺 snapshot不需重複按",
- "review_outbound_source_refs": "檢查 outbound 來源_refs 缺口",
+ "review_outbound_source_參照": "檢查 outbound 來源_參照 缺口",
"observed": "等待下一次 callback evidence"
}
},
@@ -11157,7 +11157,7 @@
"incidentRef": "Incident 參照",
"routeId": "受控路由",
"dryRunEvidence": "乾跑證據",
- "mcpEvidenceRefs": "MCP 證據 refs",
+ "mcpEvidenceRefs": "MCP 證據 參照",
"ownerApprovalReceipt": "Owner 放行回執",
"maintenanceWindow": "維護窗口",
"rollbackOwner": "Rollback Owner",
@@ -11484,11 +11484,11 @@
"unknown": "待負責人補證"
},
"sourceActions": {
- "refsParity": "先取得分支 / 標籤參照一致性、部署真相來源與 rollback owner 的脫敏證據;未接受前不得同步 refs 或切主來源。",
+ "refsParity": "先取得分支 / 標籤參照一致性、部署真相來源與 rollback owner 的脫敏證據;未接受前不得同步 參照 或切主來源。",
"targetDecision": "先取得 GitHub 目標、可見性、標準負責人與後續 owner 的脫敏回覆;未接受前不得建立專案庫或改可見性。",
"internalRemoteDecision": "先確認內部 remote 用途、維運 owner、移除或保留理由與 rollback 方式;未接受前不得改 remote、workflow 或 secret。",
"scopeReview": "先確認是否納入 IwoooS 管控範圍;未接受前只保留觀測,不升級為主來源候選。",
- "unknown": "先補 owner role / team、decision、decision reason、affected scope 與 redacted evidence refs。"
+ "unknown": "先補 owner role / team、decision、decision reason、affected scope 與 redacted evidence 參照。"
}
},
"securityTenantScopeCandidate": {
@@ -11560,7 +11560,7 @@
"sourceScopeWaiting": "租戶原始碼範圍仍等待正式負責人回覆。",
"ownerResponseWaiting": "專案庫負責人回覆尚未接受;此欄位只作 evidence,不阻擋低 / 中 / 高風險 controlled apply。",
"repoCreationLocked": "未取得正式決策前,不建立 GitHub 專案庫或修改可見性。",
- "refsMutationLocked": "未取得分支 / 標籤真相證據前,不同步或修改 refs。",
+ "refsMutationLocked": "未取得分支 / 標籤真相證據前,不同步或修改 參照。",
"githubPrimaryLocked": "GitHub primary 尚未核准切換。",
"giteaDisableLocked": "Gitea 不得停用,仍是目前 CI/CD 來源。",
"tenantPolicyLocked": "租戶政策與遷移模式不得因就緒度顯示而改變。",
@@ -13236,7 +13236,7 @@
"boundary": {
"label": "目前邊界",
"state": "AI 受控推進 / critical break-glass",
- "detail": "低 / 中 / 高風險走 selector、dry-run、rollback 與 verifier;secret、破壞性 DB、重啟、付費 provider 與 refs 破壞維持 break-glass。"
+ "detail": "低 / 中 / 高風險走 selector、dry-run、rollback 與 verifier;secret、破壞性 DB、重啟、付費 provider 與 參照 破壞維持 break-glass。"
},
"commandRail": {
"eyebrow": "控制面",
@@ -20849,7 +20849,7 @@
"sourceRepo": {
"title": "版本來源與 dirty workspace 判定",
"missing": "本機 repo 有 51 個修改或未追蹤項目;尚未判定 WIP、release candidate 與 canonical remote。",
- "next": "先收 refs truth 與 dirty workspace disposition;不得 push、rebase、同步 refs 或改 workflow。"
+ "next": "先收 參照 truth 與 dirty workspace disposition;不得 push、rebase、同步 參照 或改 workflow。"
},
"deployBoundary": {
"title": "部署邊界與回復條件",
@@ -21279,7 +21279,7 @@
"waiting_redacted_counts": "待脫敏計數",
"waiting_per_host_matrix": "待逐主機矩陣",
"waiting_time_window": "待時間窗",
- "waiting_health_refs": "待健康參照",
+ "waiting_health_參照": "待健康參照",
"reject_sensitive_payloads": "拒收敏感內容",
"waiting_owner_decision": "待負責人決策",
"runtime_closed": "執行期關閉"
@@ -21409,7 +21409,7 @@
"wazuhManagerRegistryReviewerValidation": {
"eyebrow": "Wazuh manager registry reviewer validation",
"title": "Owner export 進來後,先由 reviewer 驗收脫敏清單",
- "subtitle": "這張卡固定 Wazuh manager registry owner export 的驗收規則:欄位、計數、公開別名矩陣、Dashboard API 修復讀回、唯讀 credential metadata、拒收內容與下一個 Gate 都先可視化;目前已有一筆脫敏 evidence refs 通過 reviewer validation,但仍不開 runtime。",
+ "subtitle": "這張卡固定 Wazuh manager registry owner export 的驗收規則:欄位、計數、公開別名矩陣、Dashboard API 修復讀回、唯讀 credential metadata、拒收內容與下一個 Gate 都先可視化;目前已有一筆脫敏 evidence 參照 通過 reviewer validation,但仍不開 runtime。",
"loadingBoundary": "正在讀取 Wazuh manager registry reviewer validation API",
"validationEndpointLabel": "脫敏 owner export 驗證端點",
"validationModeLabel": "驗證模式",
@@ -21423,7 +21423,7 @@
"checksLoading": "正在讀取 reviewer checks。",
"checksFallback": "Reviewer checks 尚未由正式 API 讀回,維持 fallback 停止線。",
"boundaryTitle": "Reviewer validation 停止線",
- "boundaryIntro": "以下鍵值固定:reviewer validation passed 只代表脫敏 evidence refs 通過 no-persist 驗證;accepted 不代表 manager registry accepted、主動回應流程、agent restart、主機變更、機密輪替或 runtime gate 已授權。",
+ "boundaryIntro": "以下鍵值固定:reviewer validation passed 只代表脫敏 evidence 參照 通過 no-persist 驗證;accepted 不代表 manager registry accepted、主動回應流程、agent restart、主機變更、機密輪替或 runtime gate 已授權。",
"status": {
"loading": "正在讀取 Wazuh manager registry reviewer validation",
"failed": "Wazuh manager registry reviewer validation API 尚未部署或讀取失敗",
@@ -21444,7 +21444,7 @@
},
"passed": {
"label": "Reviewer passed",
- "detail": "一筆脫敏 owner export refs 已通過 no-persist reviewer validation。"
+ "detail": "一筆脫敏 owner export 參照 已通過 no-persist reviewer validation。"
},
"postEnable": {
"label": "Post-enable",
@@ -21464,7 +21464,7 @@
},
"received": {
"label": "已收 export",
- "detail": "已收到一筆 owner-provided redacted registry export refs。"
+ "detail": "已收到一筆 owner-provided redacted registry export 參照。"
},
"accepted": {
"label": "已接受",
@@ -21647,7 +21647,7 @@
},
"signals": {
"label": "訊號源",
- "detail": "12 條訊號源等待 owner 提供脫敏 evidence refs。"
+ "detail": "12 條訊號源等待 owner 提供脫敏 evidence 參照。"
},
"runtimeGate": {
"label": "執行期",
@@ -21661,7 +21661,7 @@
},
"wazuhSiem": {
"title": "Wazuh SIEM 待收件",
- "body": "manager、agent、FIM、rule、decoder 與 event refs 只能用脫敏參照進入 IwoooS,不接 raw payload。"
+ "body": "manager、agent、FIM、rule、decoder 與 event 參照 只能用脫敏參照進入 IwoooS,不接 raw payload。"
},
"kali112": {
"title": "資安觀測節點 維持只讀",
@@ -21734,7 +21734,7 @@
},
"hostForensics": {
"title": "主機入侵不能只靠宣稱",
- "body": "需要 Wazuh event、auth、process、network、FIM、package、persistence、containment 與 recovery proof refs。"
+ "body": "需要 Wazuh event、auth、process、network、FIM、package、persistence、containment 與 recovery proof 參照。"
},
"gatewayNginx": {
"title": "Nginx 入口先收 live diff",
@@ -21746,7 +21746,7 @@
},
"hostRuntime": {
"title": "Docker 與 systemd 要收 runtime 證據",
- "body": "需要 daemon、unit、process、port binding、dependency、recovery proof 與 postcheck refs,避免只靠 route 回 200 誤判。"
+ "body": "需要 daemon、unit、process、port binding、dependency、recovery proof 與 postcheck 參照,避免只靠 route 回 200 誤判。"
},
"alertReceipt": {
"title": "告警要能收件與行動",
@@ -21765,7 +21765,7 @@
"securityAssetControlLedger": {
"eyebrow": "P0-A 資安資產控制總帳",
"title": "把主機、入口、版本來源、監控、Wazuh、Kali 與供應鏈收成一張總帳",
- "subtitle": "這張卡把 16 個資安資產群組、64 個 evidence refs 與 24 個 owner 必填欄位收成 P0-A 只讀總帳;目前只顯示脫敏群組、缺口與 0/false 邊界,不讀 live 主機、不呼叫 Wazuh / Kali、不執行掃描、封鎖、reload 或部署。",
+ "subtitle": "這張卡把 16 個資安資產群組、64 個 evidence 參照 與 24 個 owner 必填欄位收成 P0-A 只讀總帳;目前只顯示脫敏群組、缺口與 0/false 邊界,不讀 live 主機、不呼叫 Wazuh / Kali、不執行掃描、封鎖、reload 或部署。",
"checkLabel": "檢核",
"stateLabel": "狀態",
"boundaryTitle": "資安資產總帳邊界",
@@ -21781,7 +21781,7 @@
},
"evidenceRefs": {
"label": "證據參照",
- "detail": "64 個 committed evidence refs 全部存在,缺失為 0。"
+ "detail": "64 個 committed evidence 參照 全部存在,缺失為 0。"
},
"runtimeGate": {
"label": "執行期",
@@ -21803,7 +21803,7 @@
},
"wazuhKali": {
"title": "Wazuh / Kali 維持證據收件",
- "body": "Wazuh event refs、Kali scope、health 與 finding envelope 仍待補;主動回應流程、active scan 與 /execute 仍未授權。"
+ "body": "Wazuh event 參照、Kali scope、health 與 finding envelope 仍待補;主動回應流程、active scan 與 /execute 仍未授權。"
},
"alertBackup": {
"title": "告警與復原避免假綠燈",
@@ -21972,7 +21972,7 @@
},
"canonicalFields": {
"title": "欄位對齊 S4.9 envelope",
- "body": "owner role / team、decision、decision reason、affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan 已成為 packet 欄位。"
+ "body": "owner role / team、decision、decision reason、affected scope、redacted evidence 參照、followup owner、rollback owner、maintenance window 與 validation plan 已成為 packet 欄位。"
},
"requestState": {
"title": "尚未送出 owner request",
diff --git a/apps/web/src/components/command-palette/CommandPalette.tsx b/apps/web/src/components/command-palette/CommandPalette.tsx
index ccd994a3..7c5bd642 100644
--- a/apps/web/src/components/command-palette/CommandPalette.tsx
+++ b/apps/web/src/components/command-palette/CommandPalette.tsx
@@ -70,8 +70,10 @@ export function CommandPalette() {
setOpen(false)
}
+ const productNavigationItems = PRODUCT_NAV_SECTIONS.flatMap(section => section.items)
+
const navigationSources: PaletteNavSource[] = [
- ...PRODUCT_NAV_SECTIONS.flatMap(section => section.items.flatMap(item => [
+ ...productNavigationItems.flatMap(item => [
item,
...(item.children ?? []).map(child => ({
...child,
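Review bot: `productNavigationItems` is declared inside the `CommandPalette` body, so `PRODUCT_NAV_SECTIONS` is re-flattened on every render even though it appears to depend only on a constant defined outside the component. If that holds, hoist it to module scope, e.g. `const PRODUCT_NAVIGATION_ITEMS = PRODUCT_NAV_SECTIONS.flatMap(section => section.items)`, and add a one-line comment that `navigationSources` lists each item followed by its children. The closing `]),` in the next hunk is part of the same change. The component body starts and ends outside these hunks, so whether `navigationSources` is already memoized cannot be confirmed from here.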
@@ -80,7 +82,7 @@ export function CommandPalette() {
parentId: item.id,
surface: 'secondary' as const,
})),
- ])),
+ ]),
...PRODUCT_BOTTOM_NAV_ITEMS,
]
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 0bd6ebe1..c2f5c847 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -129,6 +129,18 @@
**下一步**:
- commit / push Gitea `main` 後讀回 CD;接續目前 active P0:110 Stock/Postgres hot pressure 的 read-only evidence / source freshness / query attribution。
+## 2026-07-02 — 14:08 Telegram workflow 直送 fallback 收斂到 AWOOI API / AwoooP
+
+**完成內容**:
+- 6 個 Gitea workflow 的 Telegram direct fallback 已移除:`.gitea/workflows/cd.yaml`、`cd-dev.yaml`、`code-review.yaml`、`deploy-alerts.yaml`、`e2e-health.yaml`、`run-migration.yml`。
+- workflow 通知仍先走 `scripts/ci/notify-awoooi-cicd.sh` → AWOOI Alertmanager webhook → TelegramGateway / AwoooP;若 AWOOI API 通知失敗,只留下 CI log evidence,不再旁路直打 Telegram Bot API。
+- Telegram egress scanner 讀回已從 `direct_bot_api_call_count=18` / `workflow_direct_bot_api_call_count=13` 收斂為 `direct_bot_api_call_count=5` / `workflow_direct_bot_api_call_count=0`;剩餘缺口為 ops script `4` 與 API direct `1`。
+- `agent-report-truth-actionability-review` regression 更新為 direct `5`、workflow `0`、ops `4`、API `1`、route finding `9`,避免 UI/API 繼續展示舊 18 條 workflow 旁路。
+
+**仍維持**:
+- 未使用 GitHub / `gh` / GitHub API;未讀 secret / token / `.env` / raw sessions / SQLite / auth;未送 Telegram;未觸發 workflow;未對 production DB 寫入。
+- 剩餘 5 個 direct Bot API path 尚未宣告完成:必須下一批收斂到 AWOOI API / TelegramGateway 或建立 redacted DB receipt、AI controlled route、KM / PlayBook / verifier writeback。
+
## 2026-07-02 — 13:34 統帥插入需求升級為 API/UI 工作項讀回
**完成內容**:
diff --git a/docs/security/telegram-notification-egress-inventory.snapshot.json b/docs/security/telegram-notification-egress-inventory.snapshot.json
index b97ffff2..9e0c6b67 100644
--- a/docs/security/telegram-notification-egress-inventory.snapshot.json
+++ b/docs/security/telegram-notification-egress-inventory.snapshot.json
@@ -1,7 +1,7 @@
{
"schema_version": "telegram_notification_egress_inventory_v1",
- "generated_at": "2026-06-18T22:30:00+08:00",
- "git_commit": "27d9f394",
+ "generated_at": "2026-07-02T14:22:12+08:00",
+ "git_commit": "f9469bcc2",
"status": "inventory_ready_no_runtime_action",
"mode": "repo_only_scan_no_secret_value_no_telegram_send",
"scan_roots": [
@@ -11,14 +11,14 @@
"apps/api/src"
],
"summary": {
- "scanned_file_count": 554,
- "direct_bot_api_file_count": 11,
- "direct_bot_api_call_count": 18,
- "workflow_direct_bot_api_call_count": 13,
+ "scanned_file_count": 636,
+ "direct_bot_api_file_count": 5,
+ "direct_bot_api_call_count": 5,
+ "workflow_direct_bot_api_call_count": 0,
"ops_script_direct_bot_api_call_count": 4,
"ci_script_direct_bot_api_call_count": 0,
"api_direct_bot_api_call_count": 1,
- "gateway_normalized_callsite_count": 56,
+ "gateway_normalized_callsite_count": 57,
"gateway_final_exit_formatter_present_count": 1,
"required_owner_field_count": 18,
"reviewer_check_count": 14,
@@ -58,1241 +58,6 @@
"not_authorization": true
},
"direct_bot_api_calls": [
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd-dev.yaml:54",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/cd-dev.yaml",
- "line": 54,
- "line_hash": "f503c2c0f61100a9",
- "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd-dev.yaml:241",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/cd-dev.yaml",
- "line": 241,
- "line_hash": "c41f88fbca91a4b9",
- "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd-dev.yaml:262",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/cd-dev.yaml",
- "line": 262,
- "line_hash": "eaa9a6cb8326dc79",
- "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd.yaml:113",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/cd.yaml",
- "line": 113,
- "line_hash": "b57e6587a106976b",
- "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd.yaml:305",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/cd.yaml",
- "line": 305,
- "line_hash": "19c1de8d67af874a",
- "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd.yaml:1203",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/cd.yaml",
- "line": 1203,
- "line_hash": "6ef020c2b6eac91f",
- "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd.yaml:1552",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/cd.yaml",
- "line": 1552,
- "line_hash": "d029b95242f39c03",
- "sanitized_excerpt": "printf '%b' \"$TG_MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd.yaml:1575",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/cd.yaml",
- "line": 1575,
- "line_hash": "d62c45a8595984fc",
- "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/code-review.yaml:137",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/code-review.yaml",
- "line": 137,
- "line_hash": "a7ebbd735dad5ab2",
- "sanitized_excerpt": "curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/code-review.yaml:216",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/code-review.yaml",
- "line": 216,
- "line_hash": "f10f7782dc7c8125",
- "sanitized_excerpt": "curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/deploy-alerts.yaml:69",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/deploy-alerts.yaml",
- "line": 69,
- "line_hash": "79e83190f68f27c9",
- "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/e2e-health.yaml:98",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/e2e-health.yaml",
- "line": 98,
- "line_hash": "d73ce94678f970a9",
- "sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/run-migration.yml:210",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "path": ".gitea/workflows/run-migration.yml",
- "line": 210,
- "line_hash": "934a8dd69fca99b3",
- "sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "required_owner_fields": [
- "egress_surface_id",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_plan",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "direct_bot_api_surface_identified",
- "owner_role_present",
- "target_route_is_sre_owned",
- "message_shape_is_ai_automation_card_or_documented_exception",
- "redaction_contract_present",
- "formatter_convergence_path_present",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "fallback_mode_does_not_leak_raw_payload",
- "secret_name_only_no_value",
- "workflow_or_script_change_requires_separate_approval",
- "telegram_send_not_executed_by_inventory",
- "no_false_green_claim",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "request_owner_route_supplement",
- "request_formatter_convergence_plan",
- "request_redaction_contract",
- "request_delivery_receipt_metadata",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_notification_egress_review",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification_without_owner",
- "secret_value_collection",
- "secret_hash_collection",
- "partial_token_collection",
- "chat_id_collection_without_owner",
- "store_raw_message_payload",
- "store_unredacted_workflow_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "workflow_dispatch",
- "production_deploy",
- "accept_route_200_as_delivery_receipt",
- "accept_cd_success_as_notification_acceptance",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_review",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
{
"egress_surface_id": "telegram_egress:api_direct_bot_api:apps/api/src/services/channel_hub.py:1138",
"surface_kind": "api_direct_bot_api",
@@ -1484,11 +249,11 @@
"not_authorization": true
},
{
- "egress_surface_id": "telegram_egress:ops_script_direct_bot_api:scripts/ops/docker-health-monitor.sh:90",
+ "egress_surface_id": "telegram_egress:ops_script_direct_bot_api:scripts/ops/docker-health-monitor.sh:120",
"surface_kind": "ops_script_direct_bot_api",
"path": "scripts/ops/docker-health-monitor.sh",
- "line": 90,
- "line_hash": "6611406903bc7d65",
+ "line": 120,
+ "line_hash": "283499ad28d35d6a",
"sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
"required_owner_fields": [
"egress_surface_id",
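Review bot: The `line_hash` for `scripts/ops/docker-health-monitor.sh` changes from `6611406903bc7d65` to `283499ad28d35d6a` although the `sanitized_excerpt` context line is identical and only `line` moved from 90 to 120, so the hash cannot tell a relocated send call from an edited one. The same pattern repeats in the next two hunks: the `failure_watcher.py` entries shift by 5 lines, several `telegram_gateway.py` entries shift by exactly 474 lines (5141→5615, 5574→6048, 5664→6138), and every hash changes. That last hunk also adds one `telegram_gateway.py` entry, and nothing in the diff marks which call site is new. Presumably the digest covers the line number or the unsanitized line; this should be confirmed in the generator, which is not shown here. If the field is meant to detect changes to egress surfaces, hashing only the normalized line content would keep relocated lines stable and make a newly added direct Bot API call stand out in review.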
@@ -1837,13 +602,13 @@
},
{
"path": "apps/api/src/services/failure_watcher.py",
- "line": 747,
- "line_hash": "8bee0a47e4dce615"
+ "line": 752,
+ "line_hash": "7673481130594095"
},
{
"path": "apps/api/src/services/failure_watcher.py",
- "line": 779,
- "line_hash": "dcc8fed7fe94b63d"
+ "line": 784,
+ "line_hash": "ccb72a2e0a9ec582"
},
{
"path": "apps/api/src/services/gitea_webhook_service.py",
@@ -1882,173 +647,178 @@
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 4904,
- "line_hash": "2ded92c9f0cf648c"
+ "line": 5374,
+ "line_hash": "6abe4f6f01027f51"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 5141,
- "line_hash": "2c16c0d99e3ba896"
+ "line": 5615,
+ "line_hash": "6b08bb5969e6bf81"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 5574,
- "line_hash": "f9fa7599c8c630f3"
+ "line": 6048,
+ "line_hash": "e31cf0f5587583bd"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 5664,
- "line_hash": "0cd3409b20409bd5"
+ "line": 6138,
+ "line_hash": "fcb7c764d12ed4ad"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 5667,
- "line_hash": "4b46eec88f95b7fc"
+ "line": 6141,
+ "line_hash": "d7865613da2925eb"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 5725,
- "line_hash": "435e4b8871b9ea20"
+ "line": 6199,
+ "line_hash": "7ce4aec16700add3"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 5784,
- "line_hash": "d67a07fbc4e8e104"
+ "line": 6258,
+ "line_hash": "c38b1044dc1936ed"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 6107,
- "line_hash": "57dff0f99cd63bb4"
+ "line": 6581,
+ "line_hash": "a2b428c7cd26f6df"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 6165,
- "line_hash": "2cf36365a86d725d"
+ "line": 6639,
+ "line_hash": "940568cc70f135da"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 6221,
- "line_hash": "9724fba690e79a29"
+ "line": 6695,
+ "line_hash": "dc4975526f170c4b"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 6278,
- "line_hash": "c1481223ca6712a7"
+ "line": 6752,
+ "line_hash": "4431802f09177793"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 6341,
- "line_hash": "171855265b7f7b5f"
+ "line": 6815,
+ "line_hash": "3b403ecc07e58580"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 6416,
- "line_hash": "f92bfa489791754e"
+ "line": 6890,
+ "line_hash": "217eddafb1892d3f"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 6459,
- "line_hash": "a7c1d96474e5004c"
+ "line": 6933,
+ "line_hash": "5d3959b2a3a6ef6b"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 6727,
- "line_hash": "1b52a7acba5f263d"
+ "line": 7201,
+ "line_hash": "ae305742e8413fb9"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 7058,
- "line_hash": "e4d15cc17412e1df"
+ "line": 7532,
+ "line_hash": "f8e757b0b1940dfd"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 7075,
- "line_hash": "ef392666ead2a935"
+ "line": 7549,
+ "line_hash": "6aa3d0c6f294c9db"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 7131,
- "line_hash": "b01759a295fe888d"
+ "line": 7605,
+ "line_hash": "edce43618980911d"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 7476,
- "line_hash": "6de51111c3b3effb"
+ "line": 7950,
+ "line_hash": "040c55f344e63e2e"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 7633,
- "line_hash": "3ae60919d622d66a"
+ "line": 8107,
+ "line_hash": "46d66b2145372dd8"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 7778,
- "line_hash": "098e96b906782f66"
+ "line": 8252,
+ "line_hash": "8ebe1f28478b8b11"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 7852,
- "line_hash": "cd2982fc71f17ded"
+ "line": 8326,
+ "line_hash": "91d2ca0efcac21ee"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 7946,
- "line_hash": "e3c7a73810453996"
+ "line": 8420,
+ "line_hash": "6eb41eedd8070d91"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 8566,
- "line_hash": "60fee84eb559944b"
+ "line": 9040,
+ "line_hash": "bc576b6fda533964"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 8573,
- "line_hash": "d7d36ac583acec88"
+ "line": 9047,
+ "line_hash": "e4b078f7815ac3db"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 8700,
- "line_hash": "eef16286b46db389"
+ "line": 9174,
+ "line_hash": "8dbb002e7811389c"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 8718,
- "line_hash": "145af1001d016aef"
+ "line": 9199,
+ "line_hash": "54e1ad827084af7d"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 8732,
- "line_hash": "71d1eae60f8d1eea"
+ "line": 9213,
+ "line_hash": "12d58f7f2fbb2a64"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 8757,
- "line_hash": "891f75aab51d14ce"
+ "line": 9238,
+ "line_hash": "9394a79d9cfe4020"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 8783,
- "line_hash": "3d838580c426d3f3"
+ "line": 9344,
+ "line_hash": "9ffceb53c73f29e2"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 8819,
- "line_hash": "85016472bc808598"
+ "line": 9370,
+ "line_hash": "e987f2b54961d32c"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 9810,
- "line_hash": "94c427fd9136122f"
+ "line": 9406,
+ "line_hash": "766c1cf3c2e7b37c"
},
{
"path": "apps/api/src/services/telegram_gateway.py",
- "line": 9907,
- "line_hash": "b57f776b5430f121"
+ "line": 10423,
+ "line_hash": "f47ba2d2e8f18e9b"
+ },
+ {
+ "path": "apps/api/src/services/telegram_gateway.py",
+ "line": 10527,
+ "line_hash": "b058b22806044d84"
},
{
"path": "apps/api/src/services/weekly_report_service.py",
- "line": 277,
- "line_hash": "aa0200c41090d012"
+ "line": 457,
+ "line_hash": "c2a061a65eade81f"
}
],
"operator_interpretation": [
diff --git a/docs/security/telegram-notification-egress-migration-plan-draft.snapshot.json b/docs/security/telegram-notification-egress-migration-plan-draft.snapshot.json
index e152b0e7..270d6495 100644
--- a/docs/security/telegram-notification-egress-migration-plan-draft.snapshot.json
+++ b/docs/security/telegram-notification-egress-migration-plan-draft.snapshot.json
@@ -1,29 +1,29 @@
{
"schema_version": "telegram_notification_egress_migration_plan_draft_v1",
- "generated_at": "2026-06-18T23:00:00+08:00",
- "git_commit": "f171ffc2",
+ "generated_at": "2026-07-02T14:24:46+08:00",
+ "git_commit": "f9469bcc2",
"status": "migration_plan_draft_ready_no_runtime_action",
"mode": "metadata_only_no_workflow_script_api_change_no_telegram_send",
"source_snapshot": "docs/security/telegram-notification-egress-owner-request-draft.snapshot.json",
"source_schema_version": "telegram_notification_egress_owner_request_draft_v1",
"source_status": "owner_request_draft_ready_no_dispatch_no_runtime_action",
"summary": {
- "source_request_draft_count": 11,
- "source_direct_bot_api_call_count": 18,
- "migration_candidate_count": 11,
- "workflow_migration_candidate_count": 6,
+ "source_request_draft_count": 5,
+ "source_direct_bot_api_call_count": 5,
+ "migration_candidate_count": 5,
+ "workflow_migration_candidate_count": 0,
"ops_script_migration_candidate_count": 4,
"api_direct_migration_candidate_count": 1,
- "proposed_wave_count": 3,
+ "proposed_wave_count": 2,
"plan_field_count": 17,
"reviewer_check_count": 15,
"outcome_lane_count": 9,
"blocked_action_count": 21,
- "owner_response_required_count": 11,
- "maintenance_window_required_count": 11,
- "rollback_owner_required_count": 11,
- "postcheck_required_count": 11,
- "delivery_receipt_required_count": 11,
+ "owner_response_required_count": 5,
+ "maintenance_window_required_count": 5,
+ "rollback_owner_required_count": 5,
+ "postcheck_required_count": 5,
+ "delivery_receipt_required_count": 5,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"migration_authorized_count": 0,
@@ -52,605 +52,10 @@
"not_authorization": true
},
"proposed_waves": [
- "wave_1_workflow_notification_wrapper",
"wave_2_ops_notification_wrapper",
"wave_3_api_sender_gateway"
],
"migration_candidates": [
- {
- "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/cd-dev.yaml",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_dev_yaml",
- "source_path": ".gitea/workflows/cd-dev.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 3,
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "plan_fields": [
- "migration_candidate_id",
- "source_request_draft_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "proposed_change_summary",
- "required_owner_response_ref",
- "required_maintenance_window",
- "required_rollback_owner",
- "required_postcheck_ref",
- "required_delivery_receipt_ref",
- "required_no_secret_value_attestation",
- "required_no_raw_payload_attestation",
- "required_no_false_green_attestation",
- "not_authorization"
- ],
- "reviewer_checks": [
- "source_owner_request_draft_current",
- "owner_response_required_before_change",
- "maintenance_window_required_before_change",
- "rollback_owner_required_before_change",
- "delivery_receipt_plan_required",
- "postcheck_plan_required",
- "redaction_contract_required",
- "break_glass_fallback_explicit",
- "no_secret_value_required",
- "no_raw_payload_required",
- "no_false_green_required",
- "workflow_changes_separate_from_docs",
- "script_changes_separate_from_docs",
- "api_sender_refactor_separate_from_docs",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_response",
- "ready_for_workflow_migration_review",
- "ready_for_ops_script_migration_review",
- "ready_for_api_sender_migration_review",
- "request_missing_owner_response",
- "request_missing_maintenance_or_rollback",
- "reject_secret_or_raw_payload",
- "reject_false_green_claim",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "send_telegram",
- "call_bot_api",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "store_raw_payload",
- "store_unredacted_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_required": true,
- "maintenance_window_required": true,
- "rollback_owner_required": true,
- "postcheck_required": true,
- "delivery_receipt_required": true,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/cd.yaml",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_yaml",
- "source_path": ".gitea/workflows/cd.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 5,
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "plan_fields": [
- "migration_candidate_id",
- "source_request_draft_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "proposed_change_summary",
- "required_owner_response_ref",
- "required_maintenance_window",
- "required_rollback_owner",
- "required_postcheck_ref",
- "required_delivery_receipt_ref",
- "required_no_secret_value_attestation",
- "required_no_raw_payload_attestation",
- "required_no_false_green_attestation",
- "not_authorization"
- ],
- "reviewer_checks": [
- "source_owner_request_draft_current",
- "owner_response_required_before_change",
- "maintenance_window_required_before_change",
- "rollback_owner_required_before_change",
- "delivery_receipt_plan_required",
- "postcheck_plan_required",
- "redaction_contract_required",
- "break_glass_fallback_explicit",
- "no_secret_value_required",
- "no_raw_payload_required",
- "no_false_green_required",
- "workflow_changes_separate_from_docs",
- "script_changes_separate_from_docs",
- "api_sender_refactor_separate_from_docs",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_response",
- "ready_for_workflow_migration_review",
- "ready_for_ops_script_migration_review",
- "ready_for_api_sender_migration_review",
- "request_missing_owner_response",
- "request_missing_maintenance_or_rollback",
- "reject_secret_or_raw_payload",
- "reject_false_green_claim",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "send_telegram",
- "call_bot_api",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "store_raw_payload",
- "store_unredacted_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_required": true,
- "maintenance_window_required": true,
- "rollback_owner_required": true,
- "postcheck_required": true,
- "delivery_receipt_required": true,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/code-review.yaml",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_code_review_yaml",
- "source_path": ".gitea/workflows/code-review.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 2,
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "plan_fields": [
- "migration_candidate_id",
- "source_request_draft_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "proposed_change_summary",
- "required_owner_response_ref",
- "required_maintenance_window",
- "required_rollback_owner",
- "required_postcheck_ref",
- "required_delivery_receipt_ref",
- "required_no_secret_value_attestation",
- "required_no_raw_payload_attestation",
- "required_no_false_green_attestation",
- "not_authorization"
- ],
- "reviewer_checks": [
- "source_owner_request_draft_current",
- "owner_response_required_before_change",
- "maintenance_window_required_before_change",
- "rollback_owner_required_before_change",
- "delivery_receipt_plan_required",
- "postcheck_plan_required",
- "redaction_contract_required",
- "break_glass_fallback_explicit",
- "no_secret_value_required",
- "no_raw_payload_required",
- "no_false_green_required",
- "workflow_changes_separate_from_docs",
- "script_changes_separate_from_docs",
- "api_sender_refactor_separate_from_docs",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_response",
- "ready_for_workflow_migration_review",
- "ready_for_ops_script_migration_review",
- "ready_for_api_sender_migration_review",
- "request_missing_owner_response",
- "request_missing_maintenance_or_rollback",
- "reject_secret_or_raw_payload",
- "reject_false_green_claim",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "send_telegram",
- "call_bot_api",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "store_raw_payload",
- "store_unredacted_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_required": true,
- "maintenance_window_required": true,
- "rollback_owner_required": true,
- "postcheck_required": true,
- "delivery_receipt_required": true,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/deploy-alerts.yaml",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_deploy_alerts_yaml",
- "source_path": ".gitea/workflows/deploy-alerts.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 1,
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "plan_fields": [
- "migration_candidate_id",
- "source_request_draft_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "proposed_change_summary",
- "required_owner_response_ref",
- "required_maintenance_window",
- "required_rollback_owner",
- "required_postcheck_ref",
- "required_delivery_receipt_ref",
- "required_no_secret_value_attestation",
- "required_no_raw_payload_attestation",
- "required_no_false_green_attestation",
- "not_authorization"
- ],
- "reviewer_checks": [
- "source_owner_request_draft_current",
- "owner_response_required_before_change",
- "maintenance_window_required_before_change",
- "rollback_owner_required_before_change",
- "delivery_receipt_plan_required",
- "postcheck_plan_required",
- "redaction_contract_required",
- "break_glass_fallback_explicit",
- "no_secret_value_required",
- "no_raw_payload_required",
- "no_false_green_required",
- "workflow_changes_separate_from_docs",
- "script_changes_separate_from_docs",
- "api_sender_refactor_separate_from_docs",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_response",
- "ready_for_workflow_migration_review",
- "ready_for_ops_script_migration_review",
- "ready_for_api_sender_migration_review",
- "request_missing_owner_response",
- "request_missing_maintenance_or_rollback",
- "reject_secret_or_raw_payload",
- "reject_false_green_claim",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "send_telegram",
- "call_bot_api",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "store_raw_payload",
- "store_unredacted_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_required": true,
- "maintenance_window_required": true,
- "rollback_owner_required": true,
- "postcheck_required": true,
- "delivery_receipt_required": true,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/e2e-health.yaml",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_e2e_health_yaml",
- "source_path": ".gitea/workflows/e2e-health.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 1,
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "plan_fields": [
- "migration_candidate_id",
- "source_request_draft_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "proposed_change_summary",
- "required_owner_response_ref",
- "required_maintenance_window",
- "required_rollback_owner",
- "required_postcheck_ref",
- "required_delivery_receipt_ref",
- "required_no_secret_value_attestation",
- "required_no_raw_payload_attestation",
- "required_no_false_green_attestation",
- "not_authorization"
- ],
- "reviewer_checks": [
- "source_owner_request_draft_current",
- "owner_response_required_before_change",
- "maintenance_window_required_before_change",
- "rollback_owner_required_before_change",
- "delivery_receipt_plan_required",
- "postcheck_plan_required",
- "redaction_contract_required",
- "break_glass_fallback_explicit",
- "no_secret_value_required",
- "no_raw_payload_required",
- "no_false_green_required",
- "workflow_changes_separate_from_docs",
- "script_changes_separate_from_docs",
- "api_sender_refactor_separate_from_docs",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_response",
- "ready_for_workflow_migration_review",
- "ready_for_ops_script_migration_review",
- "ready_for_api_sender_migration_review",
- "request_missing_owner_response",
- "request_missing_maintenance_or_rollback",
- "reject_secret_or_raw_payload",
- "reject_false_green_claim",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "send_telegram",
- "call_bot_api",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "store_raw_payload",
- "store_unredacted_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_required": true,
- "maintenance_window_required": true,
- "rollback_owner_required": true,
- "postcheck_required": true,
- "delivery_receipt_required": true,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/run-migration.yml",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_run_migration_yml",
- "source_path": ".gitea/workflows/run-migration.yml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 1,
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "plan_fields": [
- "migration_candidate_id",
- "source_request_draft_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "proposed_change_summary",
- "required_owner_response_ref",
- "required_maintenance_window",
- "required_rollback_owner",
- "required_postcheck_ref",
- "required_delivery_receipt_ref",
- "required_no_secret_value_attestation",
- "required_no_raw_payload_attestation",
- "required_no_false_green_attestation",
- "not_authorization"
- ],
- "reviewer_checks": [
- "source_owner_request_draft_current",
- "owner_response_required_before_change",
- "maintenance_window_required_before_change",
- "rollback_owner_required_before_change",
- "delivery_receipt_plan_required",
- "postcheck_plan_required",
- "redaction_contract_required",
- "break_glass_fallback_explicit",
- "no_secret_value_required",
- "no_raw_payload_required",
- "no_false_green_required",
- "workflow_changes_separate_from_docs",
- "script_changes_separate_from_docs",
- "api_sender_refactor_separate_from_docs",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_response",
- "ready_for_workflow_migration_review",
- "ready_for_ops_script_migration_review",
- "ready_for_api_sender_migration_review",
- "request_missing_owner_response",
- "request_missing_maintenance_or_rollback",
- "reject_secret_or_raw_payload",
- "reject_false_green_claim",
- "waiting_runtime_gate"
- ],
- "blocked_actions": [
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "send_telegram",
- "call_bot_api",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "store_raw_payload",
- "store_unredacted_log",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "open_runtime_gate",
- "add_action_button"
- ],
- "owner_response_required": true,
- "maintenance_window_required": true,
- "rollback_owner_required": true,
- "postcheck_required": true,
- "delivery_receipt_required": true,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
{
"migration_candidate_id": "telegram_notification_egress_migration:apps/api/src/services/channel_hub.py",
"source_request_draft_id": "telegram_notification_egress_owner_request:apps_api_src_services_channel_hub_py",
diff --git a/docs/security/telegram-notification-egress-no-new-bypass-guard.snapshot.json b/docs/security/telegram-notification-egress-no-new-bypass-guard.snapshot.json
index 7e976dcc..447a89e2 100644
--- a/docs/security/telegram-notification-egress-no-new-bypass-guard.snapshot.json
+++ b/docs/security/telegram-notification-egress-no-new-bypass-guard.snapshot.json
@@ -1,96 +1,5 @@
{
"current_direct_bot_api_calls": [
- {
- "line": 54,
- "method": "sendMessage",
- "path": ".gitea/workflows/cd-dev.yaml",
- "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/cd-dev.yaml::sendmessage::printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 241,
- "method": "sendMessage",
- "path": ".gitea/workflows/cd-dev.yaml",
- "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/cd-dev.yaml::sendmessage::printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 262,
- "method": "sendMessage",
- "path": ".gitea/workflows/cd-dev.yaml",
- "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/cd-dev.yaml::sendmessage::printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 113,
- "method": "sendMessage",
- "path": ".gitea/workflows/cd.yaml",
- "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/cd.yaml::sendmessage::curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 305,
- "method": "sendMessage",
- "path": ".gitea/workflows/cd.yaml",
- "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/cd.yaml::sendmessage::curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 1203,
- "method": "sendMessage",
- "path": ".gitea/workflows/cd.yaml",
- "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/cd.yaml::sendmessage::curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 1552,
- "method": "sendMessage",
- "path": ".gitea/workflows/cd.yaml",
- "sanitized_excerpt": "printf '%b' \"$TG_MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/cd.yaml::sendmessage::printf '%b' \"$TG_MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 1575,
- "method": "sendMessage",
- "path": ".gitea/workflows/cd.yaml",
- "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/cd.yaml::sendmessage::curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 137,
- "method": "sendMessage",
- "path": ".gitea/workflows/code-review.yaml",
- "sanitized_excerpt": "curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/code-review.yaml::sendmessage::curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 216,
- "method": "sendMessage",
- "path": ".gitea/workflows/code-review.yaml",
- "sanitized_excerpt": "curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/code-review.yaml::sendmessage::curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 69,
- "method": "sendMessage",
- "path": ".gitea/workflows/deploy-alerts.yaml",
- "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/deploy-alerts.yaml::sendmessage::curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 98,
- "method": "sendMessage",
- "path": ".gitea/workflows/e2e-health.yaml",
- "sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/e2e-health.yaml::sendmessage::curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
- {
- "line": 210,
- "method": "sendMessage",
- "path": ".gitea/workflows/run-migration.yml",
- "sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
- "signature": ".gitea/workflows/run-migration.yml::sendmessage::curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
- },
{
"line": 1138,
"method": "sendMessage",
@@ -106,7 +15,7 @@
"signature": "scripts/ops/backup-from-110.sh::sendmessage::curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\"
},
{
- "line": 90,
+ "line": 120,
"method": "sendMessage",
"path": "scripts/ops/docker-health-monitor.sh",
"sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\",
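Review bot: The `signature` values in this snapshot are built from path, method and excerpt with no line number (see the `scripts/ops/backup-from-110.sh::sendmessage::…` context line at the top of this hunk), which is why moving the call in `scripts/ops/docker-health-monitor.sh` from line 90 to 120 leaves it inside the baseline. The same property means a second, textually identical `curl` call added to one of the five remaining files would produce a signature that is already in the baseline. Whether that would be reported as a new bypass depends on the guard comparing per-signature counts rather than set membership, which this snapshot does not show; it is worth confirming in the generator and pinning with a test case. The docker-health-monitor entry continues past the end of this hunk.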
@@ -144,8 +53,8 @@
"telegram_send_authorized": false,
"workflow_modification_authorized": false
},
- "generated_at": "2026-06-19T09:40:00+08:00",
- "git_commit": "4d0150e1",
+ "generated_at": "2026-07-02T14:24:46+08:00",
+ "git_commit": "f9469bcc2",
"guarded_bot_methods": [
"sendMessage",
"sendDocument",
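Review bot: `git_commit` is recorded as an abbreviated id whose length changed between runs (`4d0150e1`, 8 hex digits, to `f9469bcc2`, 9), and the same applies to the first hunk of docs/security/telegram-notification-egress-owner-request-draft.snapshot.json. For a file that serves as guard evidence, the full 40-character commit id is unambiguous and stable in length, e.g. `"git_commit": "<full-commit-sha>"`. It would also help for the generator's documentation to state which tree the value names, since a snapshot committed together with the workflow change presumably cannot carry the id of the commit that contains it.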
@@ -177,9 +86,9 @@
"status": "pass_no_new_bypass",
"summary": {
"action_button_count": 0,
- "baseline_signature_count": 18,
- "current_direct_bot_api_call_count": 18,
- "current_direct_bot_api_file_count": 11,
+ "baseline_signature_count": 5,
+ "current_direct_bot_api_call_count": 5,
+ "current_direct_bot_api_file_count": 5,
"editMessageText_call_count": 0,
"guarded_method_count": 9,
"new_bypass_count": 0,
@@ -189,9 +98,9 @@
"runtime_gate_count": 0,
"sendDocument_call_count": 0,
"sendMediaGroup_call_count": 0,
- "sendMessage_call_count": 18,
+ "sendMessage_call_count": 5,
"sendPhoto_call_count": 0,
- "source_direct_bot_api_call_count": 18,
- "source_direct_bot_api_file_count": 11
+ "source_direct_bot_api_call_count": 5,
+ "source_direct_bot_api_file_count": 5
}
}
diff --git a/docs/security/telegram-notification-egress-owner-request-draft.snapshot.json b/docs/security/telegram-notification-egress-owner-request-draft.snapshot.json
index ec03a94c..ff772ec7 100644
--- a/docs/security/telegram-notification-egress-owner-request-draft.snapshot.json
+++ b/docs/security/telegram-notification-egress-owner-request-draft.snapshot.json
@@ -1,17 +1,17 @@
{
"schema_version": "telegram_notification_egress_owner_request_draft_v1",
- "generated_at": "2026-06-18T22:45:00+08:00",
- "git_commit": "8cbedfe4",
+ "generated_at": "2026-07-02T14:24:46+08:00",
+ "git_commit": "f9469bcc2",
"status": "owner_request_draft_ready_no_dispatch_no_runtime_action",
"mode": "metadata_only_no_secret_value_no_telegram_send_no_workflow_change",
"source_snapshot": "docs/security/telegram-notification-egress-inventory.snapshot.json",
"source_schema_version": "telegram_notification_egress_inventory_v1",
"source_status": "inventory_ready_no_runtime_action",
"summary": {
- "source_direct_bot_api_call_count": 18,
- "source_direct_bot_api_file_count": 11,
- "request_draft_count": 11,
- "workflow_request_draft_count": 6,
+ "source_direct_bot_api_call_count": 5,
+ "source_direct_bot_api_file_count": 5,
+ "request_draft_count": 5,
+ "workflow_request_draft_count": 0,
"ops_script_request_draft_count": 4,
"ci_script_request_draft_count": 0,
"api_direct_request_draft_count": 1,
@@ -59,962 +59,6 @@
"not_authorization": true
},
"request_drafts": [
- {
- "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_dev_yaml",
- "source_inventory_schema_version": "telegram_notification_egress_inventory_v1",
- "source_path": ".gitea/workflows/cd-dev.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 3,
- "line_refs": [
- 54,
- 241,
- 262
- ],
- "line_hash_refs": [
- "f503c2c0f61100a9",
- "c41f88fbca91a4b9",
- "eaa9a6cb8326dc79"
- ],
- "request_fields": [
- "request_draft_id",
- "source_inventory_schema_version",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "line_refs",
- "line_hash_refs",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "preflight_checks": [
- "source_inventory_current",
- "owner_role_present",
- "route_purpose_present",
- "message_shape_contract_present",
- "redaction_contract_present",
- "formatter_convergence_decision_present",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_present",
- "dedup_or_fingerprint_present",
- "maintenance_window_present_for_change",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_secret_value_attested",
- "no_raw_payload_attested",
- "no_false_green_attested",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_dispatch",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_break_glass_fallback_supplement",
- "request_redaction_or_receipt_supplement",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_manual_dispatch",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "send_owner_request",
- "confirm_recipient",
- "emit_audit_event",
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification",
- "api_sender_refactor",
- "change_chat_route",
- "change_bot_token",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "workflow_dispatch",
- "production_deploy",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "open_runtime_gate",
- "add_action_button"
- ],
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_yaml",
- "source_inventory_schema_version": "telegram_notification_egress_inventory_v1",
- "source_path": ".gitea/workflows/cd.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 5,
- "line_refs": [
- 113,
- 305,
- 1203,
- 1552,
- 1575
- ],
- "line_hash_refs": [
- "b57e6587a106976b",
- "19c1de8d67af874a",
- "6ef020c2b6eac91f",
- "d029b95242f39c03",
- "d62c45a8595984fc"
- ],
- "request_fields": [
- "request_draft_id",
- "source_inventory_schema_version",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "line_refs",
- "line_hash_refs",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "preflight_checks": [
- "source_inventory_current",
- "owner_role_present",
- "route_purpose_present",
- "message_shape_contract_present",
- "redaction_contract_present",
- "formatter_convergence_decision_present",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_present",
- "dedup_or_fingerprint_present",
- "maintenance_window_present_for_change",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_secret_value_attested",
- "no_raw_payload_attested",
- "no_false_green_attested",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_dispatch",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_break_glass_fallback_supplement",
- "request_redaction_or_receipt_supplement",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_manual_dispatch",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "send_owner_request",
- "confirm_recipient",
- "emit_audit_event",
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification",
- "api_sender_refactor",
- "change_chat_route",
- "change_bot_token",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "workflow_dispatch",
- "production_deploy",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "open_runtime_gate",
- "add_action_button"
- ],
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_code_review_yaml",
- "source_inventory_schema_version": "telegram_notification_egress_inventory_v1",
- "source_path": ".gitea/workflows/code-review.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 2,
- "line_refs": [
- 137,
- 216
- ],
- "line_hash_refs": [
- "a7ebbd735dad5ab2",
- "f10f7782dc7c8125"
- ],
- "request_fields": [
- "request_draft_id",
- "source_inventory_schema_version",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "line_refs",
- "line_hash_refs",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "preflight_checks": [
- "source_inventory_current",
- "owner_role_present",
- "route_purpose_present",
- "message_shape_contract_present",
- "redaction_contract_present",
- "formatter_convergence_decision_present",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_present",
- "dedup_or_fingerprint_present",
- "maintenance_window_present_for_change",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_secret_value_attested",
- "no_raw_payload_attested",
- "no_false_green_attested",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_dispatch",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_break_glass_fallback_supplement",
- "request_redaction_or_receipt_supplement",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_manual_dispatch",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "send_owner_request",
- "confirm_recipient",
- "emit_audit_event",
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification",
- "api_sender_refactor",
- "change_chat_route",
- "change_bot_token",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "workflow_dispatch",
- "production_deploy",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "open_runtime_gate",
- "add_action_button"
- ],
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_deploy_alerts_yaml",
- "source_inventory_schema_version": "telegram_notification_egress_inventory_v1",
- "source_path": ".gitea/workflows/deploy-alerts.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 1,
- "line_refs": [
- 69
- ],
- "line_hash_refs": [
- "79e83190f68f27c9"
- ],
- "request_fields": [
- "request_draft_id",
- "source_inventory_schema_version",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "line_refs",
- "line_hash_refs",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "preflight_checks": [
- "source_inventory_current",
- "owner_role_present",
- "route_purpose_present",
- "message_shape_contract_present",
- "redaction_contract_present",
- "formatter_convergence_decision_present",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_present",
- "dedup_or_fingerprint_present",
- "maintenance_window_present_for_change",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_secret_value_attested",
- "no_raw_payload_attested",
- "no_false_green_attested",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_dispatch",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_break_glass_fallback_supplement",
- "request_redaction_or_receipt_supplement",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_manual_dispatch",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "send_owner_request",
- "confirm_recipient",
- "emit_audit_event",
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification",
- "api_sender_refactor",
- "change_chat_route",
- "change_bot_token",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "workflow_dispatch",
- "production_deploy",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "open_runtime_gate",
- "add_action_button"
- ],
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_e2e_health_yaml",
- "source_inventory_schema_version": "telegram_notification_egress_inventory_v1",
- "source_path": ".gitea/workflows/e2e-health.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 1,
- "line_refs": [
- 98
- ],
- "line_hash_refs": [
- "d73ce94678f970a9"
- ],
- "request_fields": [
- "request_draft_id",
- "source_inventory_schema_version",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "line_refs",
- "line_hash_refs",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "preflight_checks": [
- "source_inventory_current",
- "owner_role_present",
- "route_purpose_present",
- "message_shape_contract_present",
- "redaction_contract_present",
- "formatter_convergence_decision_present",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_present",
- "dedup_or_fingerprint_present",
- "maintenance_window_present_for_change",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_secret_value_attested",
- "no_raw_payload_attested",
- "no_false_green_attested",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_dispatch",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_break_glass_fallback_supplement",
- "request_redaction_or_receipt_supplement",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_manual_dispatch",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "send_owner_request",
- "confirm_recipient",
- "emit_audit_event",
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification",
- "api_sender_refactor",
- "change_chat_route",
- "change_bot_token",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "workflow_dispatch",
- "production_deploy",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "open_runtime_gate",
- "add_action_button"
- ],
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
- {
- "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_run_migration_yml",
- "source_inventory_schema_version": "telegram_notification_egress_inventory_v1",
- "source_path": ".gitea/workflows/run-migration.yml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 1,
- "line_refs": [
- 210
- ],
- "line_hash_refs": [
- "934a8dd69fca99b3"
- ],
- "request_fields": [
- "request_draft_id",
- "source_inventory_schema_version",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "line_refs",
- "line_hash_refs",
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "preflight_checks": [
- "source_inventory_current",
- "owner_role_present",
- "route_purpose_present",
- "message_shape_contract_present",
- "redaction_contract_present",
- "formatter_convergence_decision_present",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_present",
- "dedup_or_fingerprint_present",
- "maintenance_window_present_for_change",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_secret_value_attested",
- "no_raw_payload_attested",
- "no_false_green_attested",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "draft_waiting_owner_dispatch",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_break_glass_fallback_supplement",
- "request_redaction_or_receipt_supplement",
- "quarantine_secret_or_raw_payload",
- "reject_false_green_claim",
- "ready_for_manual_dispatch",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "send_owner_request",
- "confirm_recipient",
- "emit_audit_event",
- "telegram_send",
- "bot_api_call",
- "workflow_modification",
- "script_modification",
- "api_sender_refactor",
- "change_chat_route",
- "change_bot_token",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "workflow_dispatch",
- "production_deploy",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "open_runtime_gate",
- "add_action_button"
- ],
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false,
- "not_authorization": true
- },
{
"request_draft_id": "telegram_notification_egress_owner_request:apps_api_src_services_channel_hub_py",
"source_inventory_schema_version": "telegram_notification_egress_inventory_v1",
@@ -1336,10 +380,10 @@
"surface_kind": "ops_script_direct_bot_api",
"direct_call_count": 1,
"line_refs": [
- 90
+ 120
],
"line_hash_refs": [
- "6611406903bc7d65"
+ "283499ad28d35d6a"
],
"request_fields": [
"request_draft_id",
diff --git a/docs/security/telegram-notification-egress-owner-response-acceptance.snapshot.json b/docs/security/telegram-notification-egress-owner-response-acceptance.snapshot.json
index 66c337d6..14f0f2f7 100644
--- a/docs/security/telegram-notification-egress-owner-response-acceptance.snapshot.json
+++ b/docs/security/telegram-notification-egress-owner-response-acceptance.snapshot.json
@@ -1,7 +1,7 @@
{
"schema_version": "telegram_notification_egress_owner_response_acceptance_v1",
- "generated_at": "2026-06-19T02:05:13+08:00",
- "git_commit": "1eaa51e6",
+ "generated_at": "2026-07-02T14:24:46+08:00",
+ "git_commit": "f9469bcc2",
"status": "owner_response_acceptance_ledger_ready_no_runtime_action",
"mode": "metadata_only_no_secret_value_no_telegram_send_no_workflow_script_api_change",
"source_owner_request_snapshot": "docs/security/telegram-notification-egress-owner-request-draft.snapshot.json",
@@ -12,11 +12,11 @@
"source_migration_plan_status": "migration_plan_draft_ready_no_runtime_action",
"message_readability_guard_snapshot": "docs/security/telegram-alert-readability-guard.snapshot.json",
"summary": {
- "source_request_draft_count": 11,
- "source_migration_candidate_count": 11,
- "source_direct_bot_api_call_count": 18,
- "acceptance_candidate_count": 11,
- "workflow_acceptance_candidate_count": 6,
+ "source_request_draft_count": 5,
+ "source_migration_candidate_count": 5,
+ "source_direct_bot_api_call_count": 5,
+ "acceptance_candidate_count": 5,
+ "workflow_acceptance_candidate_count": 0,
"ops_script_acceptance_candidate_count": 4,
"api_direct_acceptance_candidate_count": 1,
"acceptance_field_count": 33,
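Review bot: Dropping `workflow_acceptance_candidate_count` from 6 to 0 removes the workflow surfaces from this ledger without recording how they were closed. The workflow candidates deleted in the next hunk (those visible on this page) were still at `"decision": "pending_owner_response"` with `"workflow_modification_authorized": false` and `modify_workflow` listed under `blocked_actions`. The unchanged `mode` value in the preceding hunk still ends in `no_workflow_script_api_change`, which reads as if no workflow was touched, so someone comparing the two snapshots cannot tell an approved migration from an unreviewed edit. Consider keeping a closed-state entry in `summary`, for example `"workflow_candidates_retired_count": 6` (field name is only a suggestion) with a reference to the approving record. If this snapshot is emitted by a generator, that is where the change belongs.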
@@ -75,1334 +75,6 @@
"not_authorization": true
},
"acceptance_candidates": [
- {
- "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/cd-dev.yaml",
- "status": "waiting_owner_response",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_dev_yaml",
- "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/cd-dev.yaml",
- "source_path": ".gitea/workflows/cd-dev.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 3,
- "line_refs": [
- 54,
- 241,
- 262
- ],
- "line_hash_refs": [
- "f503c2c0f61100a9",
- "c41f88fbca91a4b9",
- "eaa9a6cb8326dc79"
- ],
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "owner_response_ref": null,
- "owner_role_or_team": "pending_owner_response",
- "decision": "pending_owner_response",
- "decision_reason": "pending_owner_response",
- "affected_scope": "pending_owner_response",
- "redacted_evidence_refs": [],
- "message_shape_contract_ref": null,
- "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json",
- "redaction_contract_ref": null,
- "formatter_convergence_decision": "pending_owner_response",
- "gateway_or_alertmanager_target": "pending_owner_response",
- "break_glass_fallback_decision": "pending_owner_response",
- "delivery_receipt_ref": null,
- "dedup_or_fingerprint_plan": "pending_owner_response",
- "fallback_or_degraded_mode": "pending_owner_response",
- "migration_or_exception_reason": "pending_owner_response",
- "maintenance_window": "pending_owner_response",
- "rollback_owner": "pending_owner_response",
- "postcheck_evidence_ref": null,
- "no_secret_value_attestation": "pending_owner_response",
- "no_raw_payload_attestation": "pending_owner_response",
- "no_false_green_attestation": "pending_owner_response",
- "reviewer_outcome": "waiting_owner_response",
- "followup_owner": "pending_owner_response",
- "acceptance_fields": [
- "acceptance_candidate_id",
- "source_request_draft_id",
- "source_migration_candidate_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "owner_response_ref",
- "owner_role_or_team",
- "decision",
- "decision_reason",
- "affected_scope",
- "redacted_evidence_refs",
- "message_shape_contract_ref",
- "message_readability_guard_ref",
- "redaction_contract_ref",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "reviewer_outcome",
- "followup_owner",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "source_owner_request_current",
- "source_migration_plan_current",
- "owner_identity_present",
- "decision_reason_present",
- "affected_scope_matches_source",
- "redacted_refs_only",
- "no_secret_or_token_value",
- "no_raw_message_payload",
- "message_shape_contract_present",
- "message_readability_guard_present",
- "redaction_contract_present",
- "formatter_convergence_explicit",
- "gateway_or_alertmanager_target_valid",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "maintenance_window_present",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_false_green_attested",
- "migration_authorization_separate",
- "counts_transition_safe",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "quarantine_secret_or_raw_payload",
- "reject_execution_request",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_redaction_or_receipt_supplement",
- "request_maintenance_or_rollback_supplement",
- "ready_for_migration_review",
- "owner_review_only_update",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "mark_owner_response_received_without_record",
- "mark_owner_response_accepted_without_reviewer_record",
- "send_telegram",
- "call_bot_api",
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "store_internal_work_window_transcript",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "accept_telegram_sent_without_delivery_receipt",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "skip_dedup_or_fingerprint_review",
- "skip_break_glass_fallback_review",
- "authorize_migration",
- "authorize_workflow_modification",
- "authorize_script_modification",
- "authorize_api_sender_refactor",
- "open_runtime_gate",
- "add_action_button"
- ],
- "not_authorization": true,
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "owner_response_rejected": false,
- "owner_response_quarantined": false,
- "supplement_requested": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "maintenance_window_accepted": false,
- "rollback_owner_accepted": false,
- "postcheck_evidence_accepted": false,
- "dedup_or_fingerprint_accepted": false,
- "no_false_green_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_dispatch_authorized": false,
- "production_deploy_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false
- },
- {
- "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/cd.yaml",
- "status": "waiting_owner_response",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_yaml",
- "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/cd.yaml",
- "source_path": ".gitea/workflows/cd.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 5,
- "line_refs": [
- 113,
- 305,
- 1203,
- 1552,
- 1575
- ],
- "line_hash_refs": [
- "b57e6587a106976b",
- "19c1de8d67af874a",
- "6ef020c2b6eac91f",
- "d029b95242f39c03",
- "d62c45a8595984fc"
- ],
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "owner_response_ref": null,
- "owner_role_or_team": "pending_owner_response",
- "decision": "pending_owner_response",
- "decision_reason": "pending_owner_response",
- "affected_scope": "pending_owner_response",
- "redacted_evidence_refs": [],
- "message_shape_contract_ref": null,
- "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json",
- "redaction_contract_ref": null,
- "formatter_convergence_decision": "pending_owner_response",
- "gateway_or_alertmanager_target": "pending_owner_response",
- "break_glass_fallback_decision": "pending_owner_response",
- "delivery_receipt_ref": null,
- "dedup_or_fingerprint_plan": "pending_owner_response",
- "fallback_or_degraded_mode": "pending_owner_response",
- "migration_or_exception_reason": "pending_owner_response",
- "maintenance_window": "pending_owner_response",
- "rollback_owner": "pending_owner_response",
- "postcheck_evidence_ref": null,
- "no_secret_value_attestation": "pending_owner_response",
- "no_raw_payload_attestation": "pending_owner_response",
- "no_false_green_attestation": "pending_owner_response",
- "reviewer_outcome": "waiting_owner_response",
- "followup_owner": "pending_owner_response",
- "acceptance_fields": [
- "acceptance_candidate_id",
- "source_request_draft_id",
- "source_migration_candidate_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "owner_response_ref",
- "owner_role_or_team",
- "decision",
- "decision_reason",
- "affected_scope",
- "redacted_evidence_refs",
- "message_shape_contract_ref",
- "message_readability_guard_ref",
- "redaction_contract_ref",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "reviewer_outcome",
- "followup_owner",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "source_owner_request_current",
- "source_migration_plan_current",
- "owner_identity_present",
- "decision_reason_present",
- "affected_scope_matches_source",
- "redacted_refs_only",
- "no_secret_or_token_value",
- "no_raw_message_payload",
- "message_shape_contract_present",
- "message_readability_guard_present",
- "redaction_contract_present",
- "formatter_convergence_explicit",
- "gateway_or_alertmanager_target_valid",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "maintenance_window_present",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_false_green_attested",
- "migration_authorization_separate",
- "counts_transition_safe",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "quarantine_secret_or_raw_payload",
- "reject_execution_request",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_redaction_or_receipt_supplement",
- "request_maintenance_or_rollback_supplement",
- "ready_for_migration_review",
- "owner_review_only_update",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "mark_owner_response_received_without_record",
- "mark_owner_response_accepted_without_reviewer_record",
- "send_telegram",
- "call_bot_api",
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "store_internal_work_window_transcript",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "accept_telegram_sent_without_delivery_receipt",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "skip_dedup_or_fingerprint_review",
- "skip_break_glass_fallback_review",
- "authorize_migration",
- "authorize_workflow_modification",
- "authorize_script_modification",
- "authorize_api_sender_refactor",
- "open_runtime_gate",
- "add_action_button"
- ],
- "not_authorization": true,
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "owner_response_rejected": false,
- "owner_response_quarantined": false,
- "supplement_requested": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "maintenance_window_accepted": false,
- "rollback_owner_accepted": false,
- "postcheck_evidence_accepted": false,
- "dedup_or_fingerprint_accepted": false,
- "no_false_green_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_dispatch_authorized": false,
- "production_deploy_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false
- },
- {
- "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/code-review.yaml",
- "status": "waiting_owner_response",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_code_review_yaml",
- "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/code-review.yaml",
- "source_path": ".gitea/workflows/code-review.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 2,
- "line_refs": [
- 137,
- 216
- ],
- "line_hash_refs": [
- "a7ebbd735dad5ab2",
- "f10f7782dc7c8125"
- ],
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "owner_response_ref": null,
- "owner_role_or_team": "pending_owner_response",
- "decision": "pending_owner_response",
- "decision_reason": "pending_owner_response",
- "affected_scope": "pending_owner_response",
- "redacted_evidence_refs": [],
- "message_shape_contract_ref": null,
- "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json",
- "redaction_contract_ref": null,
- "formatter_convergence_decision": "pending_owner_response",
- "gateway_or_alertmanager_target": "pending_owner_response",
- "break_glass_fallback_decision": "pending_owner_response",
- "delivery_receipt_ref": null,
- "dedup_or_fingerprint_plan": "pending_owner_response",
- "fallback_or_degraded_mode": "pending_owner_response",
- "migration_or_exception_reason": "pending_owner_response",
- "maintenance_window": "pending_owner_response",
- "rollback_owner": "pending_owner_response",
- "postcheck_evidence_ref": null,
- "no_secret_value_attestation": "pending_owner_response",
- "no_raw_payload_attestation": "pending_owner_response",
- "no_false_green_attestation": "pending_owner_response",
- "reviewer_outcome": "waiting_owner_response",
- "followup_owner": "pending_owner_response",
- "acceptance_fields": [
- "acceptance_candidate_id",
- "source_request_draft_id",
- "source_migration_candidate_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "owner_response_ref",
- "owner_role_or_team",
- "decision",
- "decision_reason",
- "affected_scope",
- "redacted_evidence_refs",
- "message_shape_contract_ref",
- "message_readability_guard_ref",
- "redaction_contract_ref",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "reviewer_outcome",
- "followup_owner",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "source_owner_request_current",
- "source_migration_plan_current",
- "owner_identity_present",
- "decision_reason_present",
- "affected_scope_matches_source",
- "redacted_refs_only",
- "no_secret_or_token_value",
- "no_raw_message_payload",
- "message_shape_contract_present",
- "message_readability_guard_present",
- "redaction_contract_present",
- "formatter_convergence_explicit",
- "gateway_or_alertmanager_target_valid",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "maintenance_window_present",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_false_green_attested",
- "migration_authorization_separate",
- "counts_transition_safe",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "quarantine_secret_or_raw_payload",
- "reject_execution_request",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_redaction_or_receipt_supplement",
- "request_maintenance_or_rollback_supplement",
- "ready_for_migration_review",
- "owner_review_only_update",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "mark_owner_response_received_without_record",
- "mark_owner_response_accepted_without_reviewer_record",
- "send_telegram",
- "call_bot_api",
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "store_internal_work_window_transcript",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "accept_telegram_sent_without_delivery_receipt",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "skip_dedup_or_fingerprint_review",
- "skip_break_glass_fallback_review",
- "authorize_migration",
- "authorize_workflow_modification",
- "authorize_script_modification",
- "authorize_api_sender_refactor",
- "open_runtime_gate",
- "add_action_button"
- ],
- "not_authorization": true,
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "owner_response_rejected": false,
- "owner_response_quarantined": false,
- "supplement_requested": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "maintenance_window_accepted": false,
- "rollback_owner_accepted": false,
- "postcheck_evidence_accepted": false,
- "dedup_or_fingerprint_accepted": false,
- "no_false_green_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_dispatch_authorized": false,
- "production_deploy_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false
- },
- {
- "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/deploy-alerts.yaml",
- "status": "waiting_owner_response",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_deploy_alerts_yaml",
- "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/deploy-alerts.yaml",
- "source_path": ".gitea/workflows/deploy-alerts.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 1,
- "line_refs": [
- 69
- ],
- "line_hash_refs": [
- "79e83190f68f27c9"
- ],
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "owner_response_ref": null,
- "owner_role_or_team": "pending_owner_response",
- "decision": "pending_owner_response",
- "decision_reason": "pending_owner_response",
- "affected_scope": "pending_owner_response",
- "redacted_evidence_refs": [],
- "message_shape_contract_ref": null,
- "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json",
- "redaction_contract_ref": null,
- "formatter_convergence_decision": "pending_owner_response",
- "gateway_or_alertmanager_target": "pending_owner_response",
- "break_glass_fallback_decision": "pending_owner_response",
- "delivery_receipt_ref": null,
- "dedup_or_fingerprint_plan": "pending_owner_response",
- "fallback_or_degraded_mode": "pending_owner_response",
- "migration_or_exception_reason": "pending_owner_response",
- "maintenance_window": "pending_owner_response",
- "rollback_owner": "pending_owner_response",
- "postcheck_evidence_ref": null,
- "no_secret_value_attestation": "pending_owner_response",
- "no_raw_payload_attestation": "pending_owner_response",
- "no_false_green_attestation": "pending_owner_response",
- "reviewer_outcome": "waiting_owner_response",
- "followup_owner": "pending_owner_response",
- "acceptance_fields": [
- "acceptance_candidate_id",
- "source_request_draft_id",
- "source_migration_candidate_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "owner_response_ref",
- "owner_role_or_team",
- "decision",
- "decision_reason",
- "affected_scope",
- "redacted_evidence_refs",
- "message_shape_contract_ref",
- "message_readability_guard_ref",
- "redaction_contract_ref",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "reviewer_outcome",
- "followup_owner",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "source_owner_request_current",
- "source_migration_plan_current",
- "owner_identity_present",
- "decision_reason_present",
- "affected_scope_matches_source",
- "redacted_refs_only",
- "no_secret_or_token_value",
- "no_raw_message_payload",
- "message_shape_contract_present",
- "message_readability_guard_present",
- "redaction_contract_present",
- "formatter_convergence_explicit",
- "gateway_or_alertmanager_target_valid",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "maintenance_window_present",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_false_green_attested",
- "migration_authorization_separate",
- "counts_transition_safe",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "quarantine_secret_or_raw_payload",
- "reject_execution_request",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_redaction_or_receipt_supplement",
- "request_maintenance_or_rollback_supplement",
- "ready_for_migration_review",
- "owner_review_only_update",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "mark_owner_response_received_without_record",
- "mark_owner_response_accepted_without_reviewer_record",
- "send_telegram",
- "call_bot_api",
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "store_internal_work_window_transcript",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "accept_telegram_sent_without_delivery_receipt",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "skip_dedup_or_fingerprint_review",
- "skip_break_glass_fallback_review",
- "authorize_migration",
- "authorize_workflow_modification",
- "authorize_script_modification",
- "authorize_api_sender_refactor",
- "open_runtime_gate",
- "add_action_button"
- ],
- "not_authorization": true,
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "owner_response_rejected": false,
- "owner_response_quarantined": false,
- "supplement_requested": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "maintenance_window_accepted": false,
- "rollback_owner_accepted": false,
- "postcheck_evidence_accepted": false,
- "dedup_or_fingerprint_accepted": false,
- "no_false_green_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_dispatch_authorized": false,
- "production_deploy_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false
- },
- {
- "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/e2e-health.yaml",
- "status": "waiting_owner_response",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_e2e_health_yaml",
- "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/e2e-health.yaml",
- "source_path": ".gitea/workflows/e2e-health.yaml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 1,
- "line_refs": [
- 98
- ],
- "line_hash_refs": [
- "d73ce94678f970a9"
- ],
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "owner_response_ref": null,
- "owner_role_or_team": "pending_owner_response",
- "decision": "pending_owner_response",
- "decision_reason": "pending_owner_response",
- "affected_scope": "pending_owner_response",
- "redacted_evidence_refs": [],
- "message_shape_contract_ref": null,
- "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json",
- "redaction_contract_ref": null,
- "formatter_convergence_decision": "pending_owner_response",
- "gateway_or_alertmanager_target": "pending_owner_response",
- "break_glass_fallback_decision": "pending_owner_response",
- "delivery_receipt_ref": null,
- "dedup_or_fingerprint_plan": "pending_owner_response",
- "fallback_or_degraded_mode": "pending_owner_response",
- "migration_or_exception_reason": "pending_owner_response",
- "maintenance_window": "pending_owner_response",
- "rollback_owner": "pending_owner_response",
- "postcheck_evidence_ref": null,
- "no_secret_value_attestation": "pending_owner_response",
- "no_raw_payload_attestation": "pending_owner_response",
- "no_false_green_attestation": "pending_owner_response",
- "reviewer_outcome": "waiting_owner_response",
- "followup_owner": "pending_owner_response",
- "acceptance_fields": [
- "acceptance_candidate_id",
- "source_request_draft_id",
- "source_migration_candidate_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "owner_response_ref",
- "owner_role_or_team",
- "decision",
- "decision_reason",
- "affected_scope",
- "redacted_evidence_refs",
- "message_shape_contract_ref",
- "message_readability_guard_ref",
- "redaction_contract_ref",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "reviewer_outcome",
- "followup_owner",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "source_owner_request_current",
- "source_migration_plan_current",
- "owner_identity_present",
- "decision_reason_present",
- "affected_scope_matches_source",
- "redacted_refs_only",
- "no_secret_or_token_value",
- "no_raw_message_payload",
- "message_shape_contract_present",
- "message_readability_guard_present",
- "redaction_contract_present",
- "formatter_convergence_explicit",
- "gateway_or_alertmanager_target_valid",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "maintenance_window_present",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_false_green_attested",
- "migration_authorization_separate",
- "counts_transition_safe",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "quarantine_secret_or_raw_payload",
- "reject_execution_request",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_redaction_or_receipt_supplement",
- "request_maintenance_or_rollback_supplement",
- "ready_for_migration_review",
- "owner_review_only_update",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "mark_owner_response_received_without_record",
- "mark_owner_response_accepted_without_reviewer_record",
- "send_telegram",
- "call_bot_api",
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "store_internal_work_window_transcript",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "accept_telegram_sent_without_delivery_receipt",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "skip_dedup_or_fingerprint_review",
- "skip_break_glass_fallback_review",
- "authorize_migration",
- "authorize_workflow_modification",
- "authorize_script_modification",
- "authorize_api_sender_refactor",
- "open_runtime_gate",
- "add_action_button"
- ],
- "not_authorization": true,
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "owner_response_rejected": false,
- "owner_response_quarantined": false,
- "supplement_requested": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "maintenance_window_accepted": false,
- "rollback_owner_accepted": false,
- "postcheck_evidence_accepted": false,
- "dedup_or_fingerprint_accepted": false,
- "no_false_green_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_dispatch_authorized": false,
- "production_deploy_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false
- },
- {
- "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/run-migration.yml",
- "status": "waiting_owner_response",
- "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_run_migration_yml",
- "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/run-migration.yml",
- "source_path": ".gitea/workflows/run-migration.yml",
- "surface_kind": "gitea_workflow_direct_bot_api",
- "direct_call_count": 1,
- "line_refs": [
- 210
- ],
- "line_hash_refs": [
- "934a8dd69fca99b3"
- ],
- "proposed_wave": "wave_1_workflow_notification_wrapper",
- "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook",
- "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.",
- "owner_response_ref": null,
- "owner_role_or_team": "pending_owner_response",
- "decision": "pending_owner_response",
- "decision_reason": "pending_owner_response",
- "affected_scope": "pending_owner_response",
- "redacted_evidence_refs": [],
- "message_shape_contract_ref": null,
- "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json",
- "redaction_contract_ref": null,
- "formatter_convergence_decision": "pending_owner_response",
- "gateway_or_alertmanager_target": "pending_owner_response",
- "break_glass_fallback_decision": "pending_owner_response",
- "delivery_receipt_ref": null,
- "dedup_or_fingerprint_plan": "pending_owner_response",
- "fallback_or_degraded_mode": "pending_owner_response",
- "migration_or_exception_reason": "pending_owner_response",
- "maintenance_window": "pending_owner_response",
- "rollback_owner": "pending_owner_response",
- "postcheck_evidence_ref": null,
- "no_secret_value_attestation": "pending_owner_response",
- "no_raw_payload_attestation": "pending_owner_response",
- "no_false_green_attestation": "pending_owner_response",
- "reviewer_outcome": "waiting_owner_response",
- "followup_owner": "pending_owner_response",
- "acceptance_fields": [
- "acceptance_candidate_id",
- "source_request_draft_id",
- "source_migration_candidate_id",
- "source_path",
- "surface_kind",
- "direct_call_count",
- "proposed_wave",
- "proposed_target",
- "owner_response_ref",
- "owner_role_or_team",
- "decision",
- "decision_reason",
- "affected_scope",
- "redacted_evidence_refs",
- "message_shape_contract_ref",
- "message_readability_guard_ref",
- "redaction_contract_ref",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation",
- "reviewer_outcome",
- "followup_owner",
- "not_authorization"
- ],
- "required_owner_fields": [
- "owner_role_or_team",
- "routing_purpose",
- "current_sender",
- "target_chat_route",
- "message_shape_contract",
- "redaction_contract",
- "formatter_convergence_decision",
- "gateway_or_alertmanager_target",
- "break_glass_fallback_decision",
- "delivery_receipt_ref",
- "dedup_or_fingerprint_plan",
- "fallback_or_degraded_mode",
- "migration_or_exception_reason",
- "maintenance_window",
- "rollback_owner",
- "postcheck_evidence_ref",
- "no_secret_value_attestation",
- "no_raw_payload_attestation",
- "no_false_green_attestation"
- ],
- "reviewer_checks": [
- "source_owner_request_current",
- "source_migration_plan_current",
- "owner_identity_present",
- "decision_reason_present",
- "affected_scope_matches_source",
- "redacted_refs_only",
- "no_secret_or_token_value",
- "no_raw_message_payload",
- "message_shape_contract_present",
- "message_readability_guard_present",
- "redaction_contract_present",
- "formatter_convergence_explicit",
- "gateway_or_alertmanager_target_valid",
- "break_glass_fallback_explicit",
- "delivery_receipt_metadata_only",
- "dedup_or_fingerprint_present",
- "maintenance_window_present",
- "rollback_owner_present",
- "postcheck_evidence_present",
- "no_false_green_attested",
- "migration_authorization_separate",
- "counts_transition_safe",
- "runtime_gate_stays_zero"
- ],
- "outcome_lanes": [
- "waiting_owner_response",
- "quarantine_secret_or_raw_payload",
- "reject_execution_request",
- "request_owner_route_supplement",
- "request_formatter_convergence_supplement",
- "request_redaction_or_receipt_supplement",
- "request_maintenance_or_rollback_supplement",
- "ready_for_migration_review",
- "owner_review_only_update",
- "waiting_runtime_gate"
- ],
- "forbidden_payloads": [
- "bot_token_value",
- "chat_secret_value",
- "secret_hash",
- "partial_token",
- "masked_token",
- "authorization_header",
- "raw_message_payload",
- "raw_workflow_log",
- "raw_action_log",
- "raw_screenshot_with_secret",
- "internal_work_window_transcript",
- "private_namespace",
- "unredacted_internal_path",
- "unredacted_private_ip"
- ],
- "blocked_actions": [
- "mark_owner_response_received_without_record",
- "mark_owner_response_accepted_without_reviewer_record",
- "send_telegram",
- "call_bot_api",
- "modify_workflow",
- "modify_ops_script",
- "refactor_api_sender",
- "dispatch_workflow",
- "trigger_cd",
- "deploy_production",
- "change_chat_route",
- "change_bot_token",
- "rotate_secret",
- "read_secret_store",
- "collect_secret_value",
- "collect_secret_hash",
- "collect_partial_token",
- "collect_chat_id_secret",
- "store_raw_message_payload",
- "store_unredacted_log",
- "store_internal_work_window_transcript",
- "accept_cd_success_as_delivery_receipt",
- "accept_route_200_as_notification_delivery",
- "accept_ui_visible_as_notification_acceptance",
- "accept_telegram_sent_without_delivery_receipt",
- "skip_formatter_convergence",
- "skip_redaction_contract",
- "skip_dedup_or_fingerprint_review",
- "skip_break_glass_fallback_review",
- "authorize_migration",
- "authorize_workflow_modification",
- "authorize_script_modification",
- "authorize_api_sender_refactor",
- "open_runtime_gate",
- "add_action_button"
- ],
- "not_authorization": true,
- "request_sent": false,
- "recipient_confirmed": false,
- "audit_event_emitted": false,
- "owner_response_received": false,
- "owner_response_accepted": false,
- "owner_response_rejected": false,
- "owner_response_quarantined": false,
- "supplement_requested": false,
- "formatter_convergence_accepted": false,
- "redaction_contract_accepted": false,
- "delivery_receipt_accepted": false,
- "break_glass_fallback_accepted": false,
- "maintenance_window_accepted": false,
- "rollback_owner_accepted": false,
- "postcheck_evidence_accepted": false,
- "dedup_or_fingerprint_accepted": false,
- "no_false_green_accepted": false,
- "direct_bot_api_migration_authorized": false,
- "workflow_modification_authorized": false,
- "script_modification_authorized": false,
- "api_sender_refactor_authorized": false,
- "telegram_send_authorized": false,
- "bot_api_call_authorized": false,
- "workflow_dispatch_authorized": false,
- "production_deploy_authorized": false,
- "secret_value_collection_allowed": false,
- "raw_payload_storage_allowed": false,
- "production_write_authorized": false,
- "runtime_gate": false,
- "action_buttons_allowed": false
- },
{
"acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:apps/api/src/services/channel_hub.py",
"status": "waiting_owner_response",
@@ -1850,10 +522,10 @@
"surface_kind": "ops_script_direct_bot_api",
"direct_call_count": 1,
"line_refs": [
- 90
+ 120
],
"line_hash_refs": [
- "6611406903bc7d65"
+ "283499ad28d35d6a"
],
"proposed_wave": "wave_2_ops_notification_wrapper",
"proposed_target": "scripts/ops/notify-awoooi-ops.sh or AWOOI Alertmanager webhook",
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index 82f6274e..79ba3c66 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -21645,13 +21645,13 @@ def validate(root: Path) -> None:
"repo_only_scan_no_secret_value_no_telegram_send",
)
expected_telegram_notification_egress_summary = {
- "direct_bot_api_file_count": 11,
- "direct_bot_api_call_count": 18,
- "workflow_direct_bot_api_call_count": 13,
+ "direct_bot_api_file_count": 5,
+ "direct_bot_api_call_count": 5,
+ "workflow_direct_bot_api_call_count": 0,
"ops_script_direct_bot_api_call_count": 4,
"ci_script_direct_bot_api_call_count": 0,
"api_direct_bot_api_call_count": 1,
- "gateway_normalized_callsite_count": 56,
+ "gateway_normalized_callsite_count": 57,
"gateway_final_exit_formatter_present_count": 1,
"required_owner_field_count": 18,
"reviewer_check_count": 14,
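Review bot: The new `"workflow_direct_bot_api_call_count": 0` is a ratchet value, but nothing in the hunk marks it as one. As far as this hunk shows, the check only compares the snapshot with these literals, so a later commit that re-adds a direct Bot API send to a workflow could pass by raising the number and regenerating the snapshot in the same change. A comment above the entry, such as `# Ratchet: workflows must not call the Bot API directly; keep at 0`, would make that intent visible in review. The same applies to `workflow_request_draft_count`, `workflow_migration_candidate_count` and `workflow_acceptance_candidate_count` in the later hunks of this file. `validate` starts and continues outside the hunk.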
@@ -21680,12 +21680,6 @@ def validate(root: Path) -> None:
expected,
)
expected_telegram_direct_path_counts = {
- ".gitea/workflows/cd-dev.yaml": 3,
- ".gitea/workflows/cd.yaml": 5,
- ".gitea/workflows/code-review.yaml": 2,
- ".gitea/workflows/deploy-alerts.yaml": 1,
- ".gitea/workflows/e2e-health.yaml": 1,
- ".gitea/workflows/run-migration.yml": 1,
"apps/api/src/services/channel_hub.py": 1,
"scripts/ops/backup-from-110.sh": 1,
"scripts/ops/docker-health-monitor.sh": 1,
@@ -21767,10 +21761,10 @@ def validate(root: Path) -> None:
"metadata_only_no_secret_value_no_telegram_send_no_workflow_change",
)
expected_telegram_egress_owner_request_summary = {
- "source_direct_bot_api_call_count": 18,
- "source_direct_bot_api_file_count": 11,
- "request_draft_count": 11,
- "workflow_request_draft_count": 6,
+ "source_direct_bot_api_call_count": 5,
+ "source_direct_bot_api_file_count": 5,
+ "request_draft_count": 5,
+ "workflow_request_draft_count": 0,
"ops_script_request_draft_count": 4,
"ci_script_request_draft_count": 0,
"api_direct_request_draft_count": 1,
@@ -21808,12 +21802,6 @@ def validate(root: Path) -> None:
expected,
)
expected_telegram_egress_request_paths = [
- ".gitea/workflows/cd-dev.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/code-review.yaml",
- ".gitea/workflows/deploy-alerts.yaml",
- ".gitea/workflows/e2e-health.yaml",
- ".gitea/workflows/run-migration.yml",
"apps/api/src/services/channel_hub.py",
"scripts/ops/backup-from-110.sh",
"scripts/ops/docker-health-monitor.sh",
@@ -21907,22 +21895,22 @@ def validate(root: Path) -> None:
"metadata_only_no_workflow_script_api_change_no_telegram_send",
)
expected_telegram_egress_migration_plan_summary = {
- "source_request_draft_count": 11,
- "source_direct_bot_api_call_count": 18,
- "migration_candidate_count": 11,
- "workflow_migration_candidate_count": 6,
+ "source_request_draft_count": 5,
+ "source_direct_bot_api_call_count": 5,
+ "migration_candidate_count": 5,
+ "workflow_migration_candidate_count": 0,
"ops_script_migration_candidate_count": 4,
"api_direct_migration_candidate_count": 1,
- "proposed_wave_count": 3,
+ "proposed_wave_count": 2,
"plan_field_count": 17,
"reviewer_check_count": 15,
"outcome_lane_count": 9,
"blocked_action_count": 21,
- "owner_response_required_count": 11,
- "maintenance_window_required_count": 11,
- "rollback_owner_required_count": 11,
- "postcheck_required_count": 11,
- "delivery_receipt_required_count": 11,
+ "owner_response_required_count": 5,
+ "maintenance_window_required_count": 5,
+ "rollback_owner_required_count": 5,
+ "postcheck_required_count": 5,
+ "delivery_receipt_required_count": 5,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"migration_authorized_count": 0,
@@ -21947,7 +21935,6 @@ def validate(root: Path) -> None:
"telegram_notification_egress_migration_plan_draft.proposed_waves",
telegram_notification_egress_migration_plan_draft["proposed_waves"],
[
- "wave_1_workflow_notification_wrapper",
"wave_2_ops_notification_wrapper",
"wave_3_api_sender_gateway",
],
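Review bot: The expected `proposed_waves` list now starts at `wave_2_ops_notification_wrapper`, and `proposed_wave_count` drops to 2 in the preceding hunk, with nothing recording why wave 1 is absent. A one-line comment above the list would stop a later reader from renumbering the waves or re-adding the entry, e.g. `# wave_1_workflow_notification_wrapper retired: no workflow candidates remain; ids kept stable`. The enclosing call begins outside the hunk.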
@@ -22025,13 +22012,13 @@ def validate(root: Path) -> None:
"repo_source_scan_no_secret_value_no_telegram_send",
)
expected_telegram_egress_no_new_bypass_summary = {
- "source_direct_bot_api_call_count": 18,
- "source_direct_bot_api_file_count": 11,
- "baseline_signature_count": 18,
- "current_direct_bot_api_call_count": 18,
- "current_direct_bot_api_file_count": 11,
+ "source_direct_bot_api_call_count": 5,
+ "source_direct_bot_api_file_count": 5,
+ "baseline_signature_count": 5,
+ "current_direct_bot_api_call_count": 5,
+ "current_direct_bot_api_file_count": 5,
"guarded_method_count": 9,
- "sendMessage_call_count": 18,
+ "sendMessage_call_count": 5,
"sendDocument_call_count": 0,
"sendPhoto_call_count": 0,
"sendMediaGroup_call_count": 0,
@@ -22053,19 +22040,6 @@ def validate(root: Path) -> None:
"telegram_notification_egress_no_new_bypass_guard.current_paths",
[item["path"] for item in telegram_notification_egress_no_new_bypass_guard["current_direct_bot_api_calls"]],
[
- ".gitea/workflows/cd-dev.yaml",
- ".gitea/workflows/cd-dev.yaml",
- ".gitea/workflows/cd-dev.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/code-review.yaml",
- ".gitea/workflows/code-review.yaml",
- ".gitea/workflows/deploy-alerts.yaml",
- ".gitea/workflows/e2e-health.yaml",
- ".gitea/workflows/run-migration.yml",
"apps/api/src/services/channel_hub.py",
"scripts/ops/backup-from-110.sh",
"scripts/ops/docker-health-monitor.sh",
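Review bot: The list built by `[item["path"] for item in ...["current_direct_bot_api_calls"]]` compares file paths only. Now that the visible remaining files appear once each, swapping one direct Bot API call for a different one inside the same file leaves this expected list unchanged. If the entries also carry a line hash or signature (not visible in this hunk), comparing path-and-signature pairs here would make the no-new-bypass check sensitive to that kind of swap. Other assertions in `validate`, outside the hunk, may already cover it. The expected list continues past the hunk's last line.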
@@ -22104,11 +22078,11 @@ def validate(root: Path) -> None:
"metadata_only_no_secret_value_no_telegram_send_no_workflow_script_api_change",
)
expected_telegram_egress_owner_response_acceptance_summary = {
- "source_request_draft_count": 11,
- "source_migration_candidate_count": 11,
- "source_direct_bot_api_call_count": 18,
- "acceptance_candidate_count": 11,
- "workflow_acceptance_candidate_count": 6,
+ "source_request_draft_count": 5,
+ "source_migration_candidate_count": 5,
+ "source_direct_bot_api_call_count": 5,
+ "acceptance_candidate_count": 5,
+ "workflow_acceptance_candidate_count": 0,
"ops_script_acceptance_candidate_count": 4,
"api_direct_acceptance_candidate_count": 1,
"acceptance_field_count": 33,