From ed31bed5c8e9159778ace7b460599860e63b13d8 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 2 Jul 2026 14:38:09 +0800 Subject: [PATCH] fix(awooop): route workflow telegram alerts through ai receipts --- .gitea/workflows/cd-dev.yaml | 15 +- .gitea/workflows/cd.yaml | 24 +- .gitea/workflows/code-review.yaml | 18 +- .gitea/workflows/deploy-alerts.yaml | 4 +- .gitea/workflows/e2e-health.yaml | 5 +- .gitea/workflows/run-migration.yml | 8 +- ...agent_report_truth_actionability_review.py | 15 +- ...t_report_truth_actionability_review_api.py | 12 +- apps/web/messages/en.json | 492 +++--- apps/web/messages/zh-TW.json | 80 +- .../command-palette/CommandPalette.tsx | 6 +- docs/LOGBOOK.md | 12 + ...otification-egress-inventory.snapshot.json | 1404 +---------------- ...-egress-migration-plan-draft.snapshot.json | 619 +------- ...n-egress-no-new-bypass-guard.snapshot.json | 109 +- ...n-egress-owner-request-draft.snapshot.json | 972 +----------- ...ss-owner-response-acceptance.snapshot.json | 1346 +--------------- .../security-mirror-progress-guard.py | 84 +- 18 files changed, 482 insertions(+), 4743 deletions(-) diff --git a/.gitea/workflows/cd-dev.yaml b/.gitea/workflows/cd-dev.yaml index 8430467e..22885f37 100644 --- a/.gitea/workflows/cd-dev.yaml +++ b/.gitea/workflows/cd-dev.yaml @@ -53,10 +53,7 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "Dev deploy start notification mirrored through AWOOI API" else - printf '%b' "$MSG" | curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ - -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \ - -d "parse_mode=HTML" \ - --data-urlencode "text@-" + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi # API 測試 (同 prod CI,確保 dev 也通過) 
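Review bot: In the `else` branch of this hunk the only remaining action is an `echo` to stdout, so when `scripts/ci/notify-awoooi-cicd.sh` fails the step still succeeds and the notification is dropped with nothing but a log line. That matters most for the failure notifications changed the same way (`@@ -266,8 +260,5 @@` in this file, the tests, build and post-deploy failure steps in cd.yaml, and e2e-health.yaml): if the AWOOI API is itself unavailable, the alert about that outage has no delivery path and no receipt. Consider making the drop visible, for example `echo "::warning::AWOOI API notify failed; notification not delivered"` if the runner honours workflow commands, or recording the miss somewhere the receipt chain can reconcile later. The enclosing step starts outside the hunk.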
@@ -243,10 +240,7 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "Dev deploy success notification mirrored through AWOOI API" else - printf '%b' "$MSG" | curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ - -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \ - -d "parse_mode=HTML" \ - --data-urlencode "text@-" + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi - name: Notify Dev Deploy Failure @@ -266,8 +260,5 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "Dev deploy failure notification mirrored through AWOOI API" else - printf '%b' "$MSG" | curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ - -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \ - -d "parse_mode=HTML" \ - --data-urlencode "text@-" + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml index 46870eb4..3ce83b87 100644 --- a/.gitea/workflows/cd.yaml +++ b/.gitea/workflows/cd.yaml @@ -148,10 +148,7 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "✅ CI/CD start notification mirrored through AWOOI API" else - curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ - -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \ - -d "parse_mode=HTML" \ - --data-urlencode "text=${MSG}" || echo "TG notify failed (non-fatal): exit=$?" + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi 
@@ -1094,10 +1091,7 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "✅ CI/CD tests failure notification mirrored through AWOOI API" else - curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ - -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \ - -d "parse_mode=HTML" \ - --data-urlencode "text=${MSG}" || echo "TG notify failed (non-fatal): exit=$?" + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi build-and-deploy: @@ -2289,10 +2283,7 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "✅ CI/CD build failure notification mirrored through AWOOI API" else - curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ - -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \ - -d "parse_mode=HTML" \ - --data-urlencode "text=${MSG}" || echo "TG notify failed (non-fatal): exit=$?" + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi post-deploy-checks: @@ -2683,9 +2674,7 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "✅ CI/CD success notification mirrored through AWOOI API" else - printf '%b' "$TG_MSG" | curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ - -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \ - --data-urlencode "text@-" || echo "TG notify warning (non-fatal)" + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi - name: Notify Pipeline Failure 
@@ -2708,10 +2697,7 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "✅ CI/CD post-deploy failure notification mirrored through AWOOI API" else - curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ - -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \ - -d "parse_mode=HTML" \ - --data-urlencode "text=${MSG}" || echo "TG notify failed (non-fatal): exit=$?" + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi - name: Clean Post-Deploy Workspace Artifacts diff --git a/.gitea/workflows/code-review.yaml b/.gitea/workflows/code-review.yaml index 41edc67c..08f77fcf 100644 --- a/.gitea/workflows/code-review.yaml +++ b/.gitea/workflows/code-review.yaml @@ -125,14 +125,7 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "Code review start notification mirrored through AWOOI API" else - if [ -z "${TG_BOT_TOKEN:-}" ] || [ -z "${SRE_GROUP_CHAT_ID:-}" ]; then - echo "Telegram secret missing and AWOOI API notify failed; skip start notification" - exit 0 - fi - curl -fsS -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendMessage" \ - -H "Content-Type: application/json" \ - -d "$(jq -n --arg c "$SRE_GROUP_CHAT_ID" --arg t "$MSG" '{chat_id:$c,text:$t,parse_mode:"HTML",disable_web_page_preview:true}')" \ - >/dev/null + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi - name: Run Deterministic Review 
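Review bot: After the `@@ -125,14 +125,7 @@` hunk in code-review.yaml nothing in the visible `else` branch reads `TG_BOT_TOKEN` or `SRE_GROUP_CHAT_ID` any more, but the step's `env:` mapping is outside the hunk and may still inject the bot token. If no other line of the step or the notify script uses it, remove that mapping so the secret is not handed to a step that can no longer send. The same applies to `TELEGRAM_BOT_TOKEN` in cd-dev.yaml, cd.yaml, deploy-alerts.yaml and e2e-health.yaml, and to `TG_TOKEN` in run-migration.yml. A short comment above the `else`, such as `# direct Bot API send removed: alerts must go through AWOOI to get a receipt`, would also discourage re-adding the fallback.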
@@ -201,12 +194,5 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "Code review completion notification mirrored through AWOOI API" else - if [ -z "${TG_BOT_TOKEN:-}" ] || [ -z "${SRE_GROUP_CHAT_ID:-}" ]; then - echo "Telegram secret missing and AWOOI API notify failed; skip completion notification" - exit 0 - fi - curl -fsS -X POST "https://api.telegram.org/bot${TG_BOT_TOKEN}/sendMessage" \ - -H "Content-Type: application/json" \ - -d "$(jq -n --arg c "$SRE_GROUP_CHAT_ID" --arg t "$MSG" '{chat_id:$c,text:$t,parse_mode:"HTML",disable_web_page_preview:true}')" \ - >/dev/null + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi diff --git a/.gitea/workflows/deploy-alerts.yaml b/.gitea/workflows/deploy-alerts.yaml index 4ac6eb3b..b64f7fb8 100644 --- a/.gitea/workflows/deploy-alerts.yaml +++ b/.gitea/workflows/deploy-alerts.yaml @@ -67,7 +67,5 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "Alert rule deploy notification mirrored through AWOOI API" else - curl -fS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ - -d "chat_id=${{ env.SRE_GROUP_CHAT_ID }}" \ - --data-urlencode "text=${MSG}" || true + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi diff --git a/.gitea/workflows/e2e-health.yaml b/.gitea/workflows/e2e-health.yaml index 1749ddf1..92f0263a 100644 --- a/.gitea/workflows/e2e-health.yaml +++ b/.gitea/workflows/e2e-health.yaml @@ -95,8 +95,5 @@ jobs: scripts/ci/notify-awoooi-cicd.sh; then echo "E2E failure notification mirrored through AWOOI API" else - curl -s -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \ - -d chat_id="${{ env.SRE_GROUP_CHAT_ID }}" \ - -d parse_mode="HTML" \ - -d text="🔴 [E2E Health Check] 失敗%0A%0A📅 $(TZ=Asia/Taipei date '+%Y-%m-%d %H:%M')%0A🔗 API 健康檢查未通過%0A%0A請檢查 K3s 叢集狀態" + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" fi 
diff --git a/.gitea/workflows/run-migration.yml b/.gitea/workflows/run-migration.yml index 8157e8db..3f00ce78 100644 --- a/.gitea/workflows/run-migration.yml +++ b/.gitea/workflows/run-migration.yml @@ -196,10 +196,4 @@ jobs: echo "Migration notification mirrored through AWOOI API" exit 0 fi - if [ -n "$TG_TOKEN" ] && [ -n "${SRE_GROUP_CHAT_ID:-}" ]; then - MSG="🗄️ Migration CI: \`${STATUS}\` — commit ${{ github.sha }}" - curl -s -X POST "https://api.telegram.org/bot${TG_TOKEN}/sendMessage" \ - -d chat_id="${SRE_GROUP_CHAT_ID}" \ - -d parse_mode="Markdown" \ - -d text="${MSG}" || true - fi + echo "AWOOI API notify failed; direct Telegram fallback disabled to preserve AwoooP receipt chain" diff --git a/apps/api/tests/test_ai_agent_report_truth_actionability_review.py b/apps/api/tests/test_ai_agent_report_truth_actionability_review.py index e7fc0991..2f6f9cfd 100644 --- a/apps/api/tests/test_ai_agent_report_truth_actionability_review.py +++ b/apps/api/tests/test_ai_agent_report_truth_actionability_review.py 
@@ -37,18 +37,18 @@ def test_load_latest_ai_agent_report_truth_actionability_review(): assert data["telegram_routing_consolidation"]["direct_telegram_api_send_allowed"] is False assert data["rollups"]["telegram_route_finding_count"] == len(data["telegram_route_findings"]) assert data["telegram_egress_guard"]["status"] == "pass_no_new_bypass" - assert data["telegram_egress_guard"]["summary"]["live_direct_bot_api_call_count"] == 18 + assert data["telegram_egress_guard"]["summary"]["live_direct_bot_api_call_count"] == 5 assert data["telegram_egress_guard"]["summary"]["new_bypass_count"] == 0 - assert data["telegram_egress_guard"]["summary"]["gitea_workflow_direct_bot_api_call_count"] == 13 + assert data["telegram_egress_guard"]["summary"]["gitea_workflow_direct_bot_api_call_count"] == 0 assert data["telegram_egress_guard"]["summary"]["ops_script_direct_bot_api_call_count"] == 4 assert data["telegram_egress_guard"]["summary"]["api_direct_bot_api_call_count"] == 1 assert ( data["telegram_egress_guard"]["summary"]["direct_bot_api_awooop_db_receipt_missing_count"] - == 18 + == 5 ) assert ( data["telegram_egress_guard"]["summary"]["direct_bot_api_ai_controlled_route_missing_count"] - == 18 + == 5 ) assert ( data["telegram_egress_guard"]["telegram_receipt_coverage"]["coverage_status"] @@ -72,17 +72,16 @@ def test_load_latest_ai_agent_report_truth_actionability_review(): ] is False ) - assert data["rollups"]["telegram_route_finding_count"] == 22 - assert data["rollups"]["legacy_or_direct_route_count"] == 22 + assert data["rollups"]["telegram_route_finding_count"] == 9 + assert data["rollups"]["legacy_or_direct_route_count"] == 9 assert sum( 1 for route in data["telegram_route_findings"] if route["route_id"].startswith("telegram_direct_bot_api_") - ) == 18 + ) == 5 assert { item["surface_kind"] for item in data["telegram_egress_guard"]["current_direct_bot_api_calls"] } == { - "gitea_workflow_direct_bot_api", "ops_script_direct_bot_api", "api_direct_bot_api", } 
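Review bot: The new expectations in both hunks of this test (`== 5`, `== 0`, `== 9`) are hand-maintained literals, and the same numbers are repeated in test_ai_agent_report_truth_actionability_review_api.py, so every egress change needs matching edits in two files. Deriving the totals from the parts would leave only the per-surface counts to maintain, for example `summary = data["telegram_egress_guard"]["summary"]` followed by `assert summary["live_direct_bot_api_call_count"] == summary["gitea_workflow_direct_bot_api_call_count"] + summary["ops_script_direct_bot_api_call_count"] + summary["api_direct_bot_api_call_count"]`. As far as the visible lines show, the assertions check loaded report data rather than the workflow files, so the `== 0` for Gitea workflows is only as good as the guard that regenerates that data. The test function begins outside the hunk.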
diff --git a/apps/api/tests/test_ai_agent_report_truth_actionability_review_api.py b/apps/api/tests/test_ai_agent_report_truth_actionability_review_api.py index ba591969..1d4e7a05 100644 --- a/apps/api/tests/test_ai_agent_report_truth_actionability_review_api.py +++ b/apps/api/tests/test_ai_agent_report_truth_actionability_review_api.py @@ -34,18 +34,18 @@ def test_get_ai_agent_report_truth_actionability_review_api(): assert data["telegram_routing_consolidation"]["canonical_room_env"] == "SRE_GROUP_CHAT_ID" assert data["telegram_routing_consolidation"]["other_bot_or_group_alerts_allowed"] is False assert data["telegram_routing_consolidation"]["direct_telegram_api_send_allowed"] is False - assert data["telegram_egress_guard"]["summary"]["live_direct_bot_api_call_count"] == 18 + assert data["telegram_egress_guard"]["summary"]["live_direct_bot_api_call_count"] == 5 assert data["telegram_egress_guard"]["summary"]["new_bypass_count"] == 0 - assert data["telegram_egress_guard"]["summary"]["gitea_workflow_direct_bot_api_call_count"] == 13 + assert data["telegram_egress_guard"]["summary"]["gitea_workflow_direct_bot_api_call_count"] == 0 assert data["telegram_egress_guard"]["summary"]["ops_script_direct_bot_api_call_count"] == 4 assert data["telegram_egress_guard"]["summary"]["api_direct_bot_api_call_count"] == 1 assert ( data["telegram_egress_guard"]["summary"]["direct_bot_api_awooop_db_receipt_missing_count"] - == 18 + == 5 ) assert ( data["telegram_egress_guard"]["summary"]["direct_bot_api_ai_controlled_route_missing_count"] - == 18 + == 5 ) assert ( data["telegram_egress_guard"]["telegram_receipt_coverage"][ 
@@ -57,6 +57,6 @@ def test_get_ai_agent_report_truth_actionability_review_api(): data["telegram_egress_guard"]["telegram_receipt_coverage"]["all_telegram_alerts_ai_controlled"] is False ) - assert data["rollups"]["telegram_route_finding_count"] == 22 - assert data["rollups"]["legacy_or_direct_route_count"] == 22 + assert data["rollups"]["telegram_route_finding_count"] == 9 + assert data["rollups"]["legacy_or_direct_route_count"] == 9 assert data["rollups"]["operator_action_count"] == 5 diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index 7fd58694..d820727f 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -229,7 +229,7 @@ }, "credential_escrow": { "title": "P0-005 credential escrow", - "description": "已收斂 non-secret evidence refs 與 reviewer acceptance readback;不寫 credential marker、不收 secret。", + "description": "已收斂 non-secret evidence 參照 與 reviewer acceptance readback;不寫 credential marker、不收 secret。", "metric": "evidence {accepted}/{required}" }, "gitea": { @@ -251,7 +251,7 @@ "boundaries": { "secret": "不收機密明文、授權憑證、瀏覽器憑證或私有存取材料。", "production": "不直接改 production runtime、public gateway、Nginx、Docker、K8s 或 firewall。", - "repo": "不直接建立 repo、改 visibility、sync refs、force push 或 trigger workflow;GitHub 維持 stopped / do_not_use。", + "repo": "不直接建立 repo、改 visibility、sync 參照、force push 或 trigger workflow;GitHub 維持 stopped / do_not_use。", "data": "不直接做資料庫、backup、restore 或 migration 寫操作。", "security": "不啟動 Wazuh / Kali 主動回應流程、active scan 或 host containment。" }, @@ -978,7 +978,7 @@ }, "sourceDossier": { "title": "Sentry / SigNoz 來源卷宗證據", - "detail": "最近來源 {sources} 筆;Sentry refs {sentry}、SigNoz refs {signoz},用 provider 篩選驗證,不再被整體樣本誤判。" + "detail": "最近來源 {sources} 筆;Sentry 參照 {sentry}、SigNoz 參照 {signoz},用 provider 篩選驗證,不再被整體樣本誤判。" }, "callbackEvidence": { "title": "Telegram 詳情 / 歷史 DB 真相鏈", 
@@ -1212,8 +1212,8 @@ "kmBurndown": "/api/v1/ai/governance/km-stale-owner-review-burndown" }, "signal": { - "metric": "來源 {sources} / refs {refs}", - "detail": "missing refs {missing},duplicates {duplicates};Alert {alert} / Sentry(provider) {sentry} / SigNoz(provider) {signoz}" + "metric": "來源 {sources} / 參照 {參照}", + "detail": "missing 參照 {missing},duplicates {duplicates};Alert {alert} / Sentry(provider) {sentry} / SigNoz(provider) {signoz}" }, "intake": { "metric": "Runs {runs} / linked {linked}", @@ -1347,47 +1347,47 @@ "messageOk": "所有系統運作正常,無需處理。", "messageWarning": "{host} 狀態異常,建議檢查相關服務。", "liveOpsSpace": { - "title": "Live Ops Space", + "title": "OpenClaw 持續工作室", "status": { - "loading": "Loading scene", - "ready": "Scene connected", - "degraded": "Waiting for readback" + "loading": "讀取場景中", + "ready": "場景已連線", + "degraded": "等待讀回" }, "actions": { - "refresh": "Refresh" + "refresh": "重新讀取" }, "source": { - "marker": "marker", - "updated": "updated" + "marker": "部署 marker", + "updated": "更新" }, "animation": { - "loop": "loop", - "on": "on", - "off": "off" + "loop": "動畫迴圈", + "on": "開啟", + "off": "關閉" }, "panels": { - "rollups": "Scene metrics", - "boundaries": "Safety boundaries", - "workItems": "Work items" + "rollups": "場景指標", + "boundaries": "安全邊界", + "workItems": "工作項目" }, "metrics": { - "agents": "Agents", - "workItems": "Work items", - "animated": "Animated", - "blocked": "Blocked" + "agents": "Agent", + "workItems": "工作項", + "animated": "動畫物件", + "blocked": "阻擋" }, "boundary": { - "closed": "closed", - "open": "open" + "closed": "關閉", + "open": "開啟" }, "states": { - "working": "working", - "verified": "verified", - "blocked": "blocked", - "waiting": "waiting", - "idle": "idle" + "working": "工作中", + "verified": "已驗證", + "blocked": "阻擋", + "waiting": "等待", + "idle": "待命" }, - "empty": "Scene state is not available yet." + "empty": "尚未取得場景狀態。" } }, "ai": { 
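Review bot: In the `@@ -1212,8 +1212,8 @@` hunk of apps/web/messages/en.json the interpolation placeholder itself was renamed, `refs {refs}` became `參照 {參照}`, so a caller still passing `refs` would no longer match (inferred, the component code is not in this patch). This looks like a blanket replace of "refs" rather than a translation; later hunks rename message keys the same way (`mcp_evidence_refs` to `mcp_evidence_參照`, `inspect_recent_outbound_source_refs`, `review_outbound_source_refs`) and turn what looks like a table name into `批准_records`. Keep identifiers and placeholders as they were, e.g. `"metric": "來源 {sources} / 參照 {refs}"`. These hunks also replace English strings with Chinese in the English catalogue, which seems unrelated to the Telegram routing change and may belong in a separate commit.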
@@ -2078,7 +2078,7 @@ "openNavigation": "開啟導航選單", "closeNavigation": "關閉導航選單", "iwooos": "IwoooS", - "iwooosSecurityCompliance": "IwoooS Security Compliance" + "iwooosSecurityCompliance": "IwoooS 安全合規" }, "settings": { "title": "系統設定", @@ -3013,11 +3013,11 @@ "repairLock": "冪等鎖", "riskMediumDesc": "操作不可即時撤銷,但有備份保護", "confirmExec": "長按 5 秒確認授權執行", - "rejectApproval": "Reject authorization - route to AI controlled completion", + "rejectApproval": "拒絕授權 — 轉 AI 受控補齊", "approvalGranted": "授權已核准", "approvalGrantedDesc": "NemoTron 正在執行 ansible-playbook...", "approvalRejected": "授權已拒絕", - "approvalRejectedDesc": "Routed into the AI controlled completion flow", + "approvalRejectedDesc": "已轉入 AI 受控補齊流程", "noHistory": "尚無修復紀錄", "noActiveAlerts": "目前無活躍告警", "noPlaybooks": "尚無 Playbook 紀錄", @@ -3391,7 +3391,7 @@ "ready_for_reverify": "可重驗", "needs_target_mapping": "待補目標", "needs_playbook_ticket": "待建 Ticket", - "manual_review": "Controlled review", + "manual_review": "受控檢查", "unknown": "待分類" }, "remediationAction": { @@ -3404,12 +3404,12 @@ } }, "legacyHitl": { - "title": "Legacy HITL Evidence Queue", - "subtitle": "These rows come from approval_records and are not AwoooP run approvals; keep them as historical evidence and route follow-up into AI controlled work items.", + "title": "Legacy HITL 歷史證據佇列", + "subtitle": "這批來自 批准_records,不屬於 AwoooP run 批准;以歷史證據保留,後續導回 AI 受控工作項。", "openAuthorizations": "開啟授權中心", "loadFailed": "Legacy HITL backlog 載入失敗:{error}", - "tableLabel": "Legacy HITL Evidence Queue", - "moreRows": "Only the latest 8 rows are shown; track the remaining {count} in the authorization center.", + "tableLabel": "Legacy HITL 歷史證據佇列", + "moreRows": "只顯示最新 8 筆,其餘 {count} 筆請到授權中心追蹤。", "noTelegram": "no TG", "telegramRef": "TG #{id}", "summary": { 
@@ -3855,7 +3855,7 @@ "cockpit": { "liveLabel": "LIVE PRODUCTION", "title": "AI Agent Cockpit", - "subtitle": "Production readback for the active control layer, closed loop, receipts, and hard boundaries.", + "subtitle": "用 production readback 呈現控制層、閉環、收據與硬邊界。", "production": "Production", "dbOk": "DB readback OK", "dbReview": "DB readback review", @@ -3878,8 +3878,8 @@ "riskTitle": "Controlled risk lanes", "on": "ON", "off": "OFF", - "ownerRequired": "Controlled evidence review required", - "ownerNotRequired": "Controlled evidence review cleared", + "ownerRequired": "受控證據複核需要補齊", + "ownerNotRequired": "受控證據複核已免除", "criticalBreakGlass": "critical break-glass", "criticalReview": "critical review" }, @@ -3898,7 +3898,7 @@ "executorDetail": "post verifier {verifier} · KM {km} · Telegram {telegram}", "loop": "latest flow closed", "loopDetail": "MCP {mcp} · RAG {rag} · PlayBook {playbook}", - "ledger": "operation-id loop ledger", + "ledger": "operation-id 閉環總帳", "ledgerDetail": "{state} · stages {stages} · missing {missing}", "stageLedger": "candidate → check-mode → apply → verifier → KM → Telegram" }, @@ -6016,13 +6016,13 @@ "legacyRoutesDetail": "direct send / legacy chat / multi bot 必須收斂", "ttl": "TTL: {value}", "requiredAssets": "必填資產 {count} 項", - "guardCalls": "Direct scan {count}", - "newBypass": "New bypass {count}", - "dbReceiptMissing": "DB receipt gap {count}", - "aiRouteMissing": "AI route gap {count}", - "workflowDirect": "workflow direct {count}", - "opsDirect": "ops direct {count}", - "apiDirect": "API direct {count}" + "guardCalls": "直送掃描 {count} 條", + "newBypass": "新增旁路 {count}", + "dbReceiptMissing": "DB receipt 缺口 {count}", + "aiRouteMissing": "AI route 缺口 {count}", + "workflowDirect": "workflow 直送 {count}", + "opsDirect": "ops 直送 {count}", + "apiDirect": "API 直送 {count}" } }, "reportAutomationReview": { 
@@ -9081,35 +9081,35 @@ "blocked": "阻塞" }, "aiLoopLogSources": { - "eyebrow": "P0 visual state", - "title": "Current blocker and repair intake", - "subtitle": "Shows the blocker, blocker diagnosis, and receipt contract first; technical fields are collapsed so the workbench does not read like a long text list.", - "loading": "Loading LOG source labels", - "empty": "No LOG source labels read back yet.", - "blocker": "Current blocker: {value}", - "boundary": "Metadata-only labels; no raw log read, no secret display, no writeback, and no runtime apply from this panel.", - "details": "Expand technical fields", + "eyebrow": "P0 視覺狀態", + "title": "目前卡點與修復收件", + "subtitle": "先顯示目前真正卡住的 blocker、阻塞診斷與收件契約;技術欄位收在展開區,避免把工作台變成長文字清單。", + "loading": "讀取 LOG 來源貼標中", + "empty": "尚未讀回 LOG 來源貼標。", + "blocker": "Current blocker:{value}", + "boundary": "只顯示 metadata-only 標籤;不讀 raw log、不顯示 secret、不觸發寫入或 runtime apply。", + "details": "展開技術欄位", "visual": { - "blocker": "Current blocker", - "diagnosis": "Blocker diagnosis", - "receipt": "Receipt contract", + "blocker": "目前卡點", + "diagnosis": "阻塞診斷", + "receipt": "收件契約", "receiptValue": "{inputs} inputs / {outputs} outputs", - "currentCd": "Latest CD run", + "currentCd": "最新 CD run", "currentCdValue": "#{run} · {status}", - "currentCdDetail": "closure: {state}", - "resolvedByProductionReadback": "Closed by production readback", - "noActionRequired": "Do not reopen this queue" + "currentCdDetail": "closure:{state}", + "resolvedByProductionReadback": "已由 production readback 關閉", + "noActionRequired": "不需重開此 queue" }, "rootCause": { - "sessionTimeout": "Key accepted, session timeout", + "sessionTimeout": "Key accepted,session timeout", "offerTimeout": "Publickey offer timeout", - "controlledCdLaneGuardrails": "SSH control path and Harbor v2 are readable; controlled CD lane guardrails are still blocked.", - "productionReadbackResolved": "Latest production readback verified this queue item; it is no longer the current blocker.", - "unknown": 
"Waiting for queue diagnosis" + "controlledCdLaneGuardrails": "SSH 控制通道與 Harbor v2 已可讀;目前卡在 controlled CD lane guardrails。", + "productionReadbackResolved": "最新 production readback 已驗證此 queue item,不再當作目前卡點。", + "unknown": "等待 queue 診斷" }, "phases": { "ssh": { - "label": "SSH control path", + "label": "SSH 控制通道", "value": "ready" }, "harbor": { @@ -9124,12 +9124,12 @@ }, "liveMetrics": { "enforcer": "110 enforcer", - "ready": "metric fresh", - "missing": "metric missing", + "ready": "metric 已更新", + "missing": "metric 未讀回", "enforcerDetail": "apply={apply} · metadata-only={metadata}", "drainGuard": "Drain guard", "drainGuardValue": "active={active} / staging={staging}", - "blockers": "blockers={count}", + "blockers": "阻塞項={count}", "jobs": "Jobs / lane", "jobsValue": "jobs={jobs} / lane={lane}", "restoreSources": "restore sources={count}", 
@@ -9139,56 +9139,56 @@ }, "metrics": { "tags": "Tags", - "groups": "Groups", + "groups": "分群鍵", "contract": "Contract", "queue": "Queue fields" }, "queueFields": "Queue normalizer fields", - "safeNextAction": "Next AI action", - "safeNextStage": "Stage: {stage} · local console: {local}", - "safeNextCommand": "Command: {command}", + "safeNextAction": "下一步 AI action", + "safeNextStage": "Stage:{stage} · local console:{local}", + "safeNextCommand": "Command:{command}", "receipt": { "inputs": "Receipt inputs", "outputs": "Receipt outputs" }, "tagLabels": { - "projectId": "Project", - "product": "Product", - "siteOrRoute": "Site / route", - "service": "Service", - "package": "Package", - "tool": "Tool", - "sourceSystem": "Source system", + "projectId": "專案", + "product": "產品", + "siteOrRoute": "網站 / 路由", + "service": "服務", + "package": "套件", + "tool": "工具", + "sourceSystem": "來源系統", "runtimeComponent": "Runtime", - "signalLane": "Signal lane", - "evidenceBoundary": "Evidence boundary" + "signalLane": "訊號 Lane", + "evidenceBoundary": "證據邊界" } }, "commanderInsertedRequirements": { - "eyebrow": "Mainline priority", - "title": "Commander inserted requirement work items", - "subtitle": "Turns the requirements inserted during this run into ordered work items with P0/P1/P2/P3 priority, status, acceptance criteria, and next action.", - "total": "Total work items", - "next": "Current priority", - "nextAction": "Next action", - "acceptance": "Acceptance", - "rowNextAction": "Next action", - "spotlight": "Mainline spotlight", - "spotlightSubtitle": "Surfaces the current P0, OpenClaw Live Ops, and non-text-wall UX directly instead of burying them in the long ledger.", - "fullLedger": "Full ledger: {count} items", - "loading": "Loading inserted requirement work items", - "empty": "No inserted requirement work items read back yet.", + "eyebrow": "主線優先序", + "title": "統帥插入需求工作項", + "subtitle": "把本輪中途插入的要求收成正式工作項,依 P0/P1/P2/P3 排序,並顯示狀態、驗收條件與下一步。", + "total": "總工作項", + "next": "目前優先項", 
+ "nextAction": "下一步", + "acceptance": "驗收條件", + "rowNextAction": "下一步", + "spotlight": "主線焦點", + "spotlightSubtitle": "直接露出目前 P0、OpenClaw Live Ops 與非文字牆 UX,避免工作項藏在長清單裡。", + "fullLedger": "完整總帳 {count} 項", + "loading": "讀取插入需求工作項", + "empty": "尚未讀回插入需求工作項。", "order": "order={order}", "source": "source={source}", "metrics": { "active": "active" }, "statuses": { - "done": "Done", - "inProgress": "In progress", - "pending": "Not started", - "blocked": "Blocked", - "deferred": "Deferred" + "done": "已完成", + "inProgress": "進行中", + "pending": "未開始", + "blocked": "阻塞", + "deferred": "延後" } }, "operatorSop": { @@ -9214,7 +9214,7 @@ }, "inProgress": { "title": "自動化資產正在補齊,仍需追蹤候選品質", - "detail": "優先確認候選是否有證據 refs、安全路由、回滾計畫與修復後驗證。" + "detail": "優先確認候選是否有證據 參照、安全路由、回滾計畫與修復後驗證。" }, "watching": { "title": "目前沒有明顯 AI 受控卡點,持續觀察資料新鮮度", @@ -9525,7 +9525,7 @@ } }, "gates": { - "sourceDossier": "入站告警必須能查到 received / incident_linked / 來源 refs", + "sourceDossier": "入站告警必須能查到 received / incident_linked / 來源 參照", "autoRepair": "必須同時有 auto_repair、verification_result=success與KM 回寫", "recurrenceWorkItems": "Run 完成無修復、修復失敗與 AI 受控佇列必須進入可追蹤工作項", "aiRouteRepairWorkItem": "Provider lane 降級時必須顯示 evidence、owner、PlayBook候選與是否可自動修復", @@ -9632,7 +9632,7 @@ "githubPrimaryReadiness": "候選專案庫={candidates};範圍內={inScope};主要來源就緒={ready}", "githubPrimaryOwnerResponses": "負責人回覆仍為 0/22;請求可送出不等於已接受", "githubPrimaryWorkflowNames": "工作流程 / 機密名稱清冊完成=0/7;只收名稱不收機密明文值", - "githubPrimaryBoundary": "未核准建立專案庫、同步 refs、切換 GitHub primary 或停用 Gitea。", + "githubPrimaryBoundary": "未核准建立專案庫、同步 參照、切換 GitHub primary 或停用 Gitea。", "ownerResponseValidation": "回覆包={packets};範本={templates};已收到={received};已接受={accepted};已拒收={rejected}", "ownerResponseValidationChecks": "跨包驗收={crossPacket};證據路由={routing};顯示區塊={sections}", "ownerResponseValidationBoundary": "不建立審批紀錄、不切主要來源、不開執行期閘門" 
@@ -10243,7 +10243,7 @@ }, "fields": { "target_selector": "Target selector", - "mcp_evidence_refs": "MCP 證據", + "mcp_evidence_參照": "MCP 證據", "route_id": "Route", "repair_command_template": "修復模板", "rollback_command_template": "Rollback", @@ -10297,7 +10297,7 @@ "required": { "alertname": "告警名稱與觸發條件,避免把不同服務的症狀混用。", "target_selector": "命名空間、Pod、Deployment、host 或服務選擇器。", - "mcp_evidence_refs": "MCP / Sentry / SigNoz / K8s / log 證據參照。", + "mcp_evidence_參照": "MCP / Sentry / SigNoz / K8s / log 證據參照。", "repair_command": "受控修復命令或 Ansible playbook,不能是純診斷命令。", "rollback_command": "修復失敗時的回滾或安全停止方案。", "verifier_plan": "修復後如何驗證成功、失敗與是否要升級 AI 補齊或 break-glass。", @@ -10380,10 +10380,10 @@ "matchedIncident": "配對目標:{incident}", "stage": "階段:{stage}", "sourceEvent": "來源事件:{event}", - "sourceRefs": "來源 refs:{refs}(Sentry {sentry} / SignOz {signoz})", + "sourceRefs": "來源 參照:{參照}(Sentry {sentry} / SignOz {signoz})", "sourceFlow": { "label": "來源流程:{status}", - "detail": "參照={refs};Sentry={sentry};SigNoz={signoz};事件={event}", + "detail": "參照={參照};Sentry={sentry};SigNoz={signoz};事件={event}", "statuses": { "applied": "已套用", "reviewed": "覆核已記錄", @@ -10633,15 +10633,15 @@ "refs": "關聯索引", "missingRefs": "缺關聯", "duplicates": "重複事件", - "sentry": "Sentry refs", - "signoz": "SignOz refs" + "sentry": "Sentry 參照", + "signoz": "SignOz 參照" }, "details": { "latest": "最新 {time}", - "withRefs": "{count} 筆含 來源 refs", + "withRefs": "{count} 筆含 來源 參照", "missingEnvelope": "{count} 筆缺 來源 envelope", "redacted": "{count} 筆已 redacted", - "alertRefs": "{count} 個 alert refs", + "alertRefs": "{count} 個 alert 參照", "limit": "最近 {count} 筆視窗" }, "provider": { 
@@ -10770,8 +10770,8 @@ "error": "Callback evidence 載入失敗:{error}", "summary": { "outbound": "出站鏡像", - "outboundDetail": "來源_refs {sourceRefs};trace refs {traceRefs};incident refs {incidentRefs};覆蓋 {coverage}", - "outboundReplyMarkupDetail": "reply_markup {replyMarkup};缺 trace refs {missingTraceRefs};缺 incident refs {missingIncidentRefs}", + "outboundDetail": "來源_參照 {sourceRefs};trace 參照 {traceRefs};incident 參照 {incidentRefs};覆蓋 {coverage}", + "outboundReplyMarkupDetail": "reply_markup {replyMarkup};缺 trace 參照 {missingTraceRefs};缺 incident 參照 {missingIncidentRefs}", "outboundReplyMarkupTraceFreshness": "缺 trace 活躍度:1h {recent1h} / 24h {recent24h} / 最新 {latest}", "outboundReplyMarkupTraceDecision": "缺 trace 判讀:{status};下一步:{action}", "outboundReplyMarkupTraceRecovery": "缺 trace 復原訊號:{status};gap 後 traced {count};首筆 {first};最新 {latest}", @@ -10806,7 +10806,7 @@ }, "traceGapNextActions": { "none": "不需補動作", - "inspect_recent_outbound_source_refs": "檢查近 1 小時 outbound 來源_refs", + "inspect_recent_outbound_source_參照": "檢查近 1 小時 outbound 來源_參照", "watch_24h_decay": "觀察 24 小時窗口自然歸零", "backfill_or_archive_legacy_callbacks": "歸檔或回補舊 callback 缺口", "observed": "等待下一次 outbound evidence" @@ -10833,7 +10833,7 @@ "press_telegram_detail_or_history": "按一次 Telegram 詳情 / 歷史產生 callback evidence", "press_telegram_detail_or_history_after_rollout": "重新按 Telegram 詳情 / 歷史補新版 snapshot", "review_legacy_callback_snapshot_gap": "新版已捕捉;舊 callback 缺 snapshot不需重複按", - "review_outbound_source_refs": "檢查 outbound 來源_refs 缺口", + "review_outbound_source_參照": "檢查 outbound 來源_參照 缺口", "observed": "等待下一次 callback evidence" } }, @@ -11157,7 +11157,7 @@ "incidentRef": "Incident 參照", "routeId": "受控路由", "dryRunEvidence": "乾跑證據", - "mcpEvidenceRefs": "MCP 證據 refs", + "mcpEvidenceRefs": "MCP 證據 參照", "ownerApprovalReceipt": "Owner 放行回執", "maintenanceWindow": "維護窗口", "rollbackOwner": "Rollback Owner", 
@@ -11484,11 +11484,11 @@ "unknown": "待負責人補證" }, "sourceActions": { - "refsParity": "先取得分支 / 標籤參照一致性、部署真相來源與 rollback owner 的脫敏證據;未接受前不得同步 refs 或切主來源。", + "refsParity": "先取得分支 / 標籤參照一致性、部署真相來源與 rollback owner 的脫敏證據;未接受前不得同步 參照 或切主來源。", "targetDecision": "先取得 GitHub 目標、可見性、標準負責人與後續 owner 的脫敏回覆;未接受前不得建立專案庫或改可見性。", "internalRemoteDecision": "先確認內部 remote 用途、維運 owner、移除或保留理由與 rollback 方式;未接受前不得改 remote、workflow 或 secret。", "scopeReview": "先確認是否納入 IwoooS 管控範圍;未接受前只保留觀測,不升級為主來源候選。", - "unknown": "先補 owner role / team、decision、decision reason、affected scope 與 redacted evidence refs。" + "unknown": "先補 owner role / team、decision、decision reason、affected scope 與 redacted evidence 參照。" } }, "securityTenantScopeCandidate": { @@ -11560,7 +11560,7 @@ "sourceScopeWaiting": "租戶原始碼範圍仍等待正式負責人回覆。", "ownerResponseWaiting": "專案庫負責人回覆尚未接受;此欄位只作 evidence,不阻擋低 / 中 / 高風險 controlled apply。", "repoCreationLocked": "未取得正式決策前,不建立 GitHub 專案庫或修改可見性。", - "refsMutationLocked": "未取得分支 / 標籤真相證據前,不同步或修改 refs。", + "refsMutationLocked": "未取得分支 / 標籤真相證據前,不同步或修改 參照。", "githubPrimaryLocked": "GitHub primary 尚未核准切換。", "giteaDisableLocked": "Gitea 不得停用,仍是目前 CI/CD 來源。", "tenantPolicyLocked": "租戶政策與遷移模式不得因就緒度顯示而改變。", @@ -11630,17 +11630,17 @@ } }, "autonomousRuntime": { - "title": "AI Controlled Execution Loop", - "refresh": "Refresh", - "completion": "{percent}% complete", - "completionLoading": "Completion reading", + "title": "AI 受控執行閉環", + "refresh": "重新整理", + "completion": "完成 {percent}%", + "completionLoading": "完成度讀取中", "detail": "Incident {incident} / op {op} / {catalog}", "states": { - "loading": "Reading production readback", - "closed": "Loop closed", - "open": "Loop open", - "degraded": "Read degraded", - "unavailable": "Read failed" + "loading": "讀取正式 readback", + "closed": "閉環完成", + "open": "閉環中", + "degraded": "讀取降級", + "unavailable": "讀取失敗" }, "metrics": { "loop": "Loop", 
@@ -11658,18 +11658,18 @@ "telegram": "Telegram" }, "proof": { - "deploy": "Production deploy", - "deployDetail": "CD / readback: {status}", + "deploy": "正式部署", + "deployDetail": "CD / readback:{status}", "runtime": "Runtime DB", - "runtimeDetail": "marker: {marker}", - "workItems": "Work complete", - "workItemsDetail": "{percent}% complete", - "sources": "Log sources", - "sourcesDetail": "Project, product, site, service, package, and tool", - "events": "Classified events", - "eventsDetail": "24h {recent}", - "consumer": "Consumer writeback", - "consumerDetail": "{targets} targets ready", + "runtimeDetail": "marker:{marker}", + "workItems": "工作完成", + "workItemsDetail": "完成度 {percent}%", + "sources": "Log 來源", + "sourcesDetail": "專案 / 產品 / 網站 / 服務 / 套件 / 工具", + "events": "分類事件", + "eventsDetail": "近 24h {recent}", + "consumer": "Consumer 回寫", + "consumerDetail": "{targets} 個 target ready", "ok": "ok", "degraded": "degraded" }, @@ -11685,7 +11685,7 @@ "contextWrites": "Context receipts", "contextWritesDetail": "target writeback receipts", "blockers": "Active blockers", - "noBlockers": "No active blocker", + "noBlockers": "無 active blocker", "targetDetail": "context writes / bindings", "targetsMap": { "km": "KM", 
@@ -11696,22 +11696,22 @@ "aiAgent": "AI Agent" } }, - "recent": "24h {count}", - "missing": "{count} missing", + "recent": "近 24h {count}", + "missing": "缺 {count} 節點", "closedDetail": "required stages ok", - "traceCaption": "{count} stages / {missing} missing", + "traceCaption": "{count} 節點 / 缺 {missing}", "taxonomy": { - "sources": "Log sources", - "products": "Product scopes", - "labels": "Label dimensions", - "events": "Classified events", - "learning": "Learning sources", - "workItems": "Work items", - "productsDetail": "adapter active {active} / missing dimensions {missing}", - "workItemsDetail": "Active {active} / pending {pending} / blocked {blocked}" + "sources": "Log 來源", + "products": "產品範圍", + "labels": "貼標維度", + "events": "分類事件", + "learning": "學習來源", + "workItems": "工作項目", + "productsDetail": "adapter active {active} / 缺維度 {missing}", + "workItemsDetail": "進行 {active} / 待辦 {pending} / 阻塞 {blocked}" }, "policy": { - "label": "Controlled risk tiers", + "label": "受控風險層", "critical": "Critical", "breakGlass": "break-glass" }, 
@@ -11720,35 +11720,35 @@ "medium": "medium", "high": "high" }, - "nextAction": "Next action", + "nextAction": "下一步", "workBoard": { - "title": "Priority Work Board", - "subtitle": "{ordered} mainline items; {sources} log source families.", - "completedOfTotal": "{completed}/{total} completed", - "sourceCoverage": "Source coverage", - "sourceCoverageDetail": "Project, product, site, service, package, and tool logs are classified and labeled.", - "empty": "No work items match this filter.", + "title": "優先工作板", + "subtitle": "主線 {ordered} 項;Log 來源 {sources} 組。", + "completedOfTotal": "完成 {completed}/{total}", + "sourceCoverage": "來源覆蓋", + "sourceCoverageDetail": "專案 / 產品 / 網站 / 服務 / 套件 / 工具 Log 已分類貼標。", + "empty": "此篩選目前沒有工作項。", "filters": { - "all": "All", - "completed": "Completed", - "active": "Active", - "pending": "Pending", - "blocked": "Blocked" + "all": "全部", + "completed": "已完成", + "active": "進行中", + "pending": "待推進", + "blocked": "阻塞" }, "statuses": { - "completed": "Completed", - "in_progress": "In progress", - "pending": "Pending", - "blocked": "Blocked", - "not_started": "Not started", - "unknown": "Unknown" + "completed": "已完成", + "in_progress": "進行中", + "pending": "待推進", + "blocked": "阻塞", + "not_started": "未開始", + "unknown": "未知" } } }, "alerts": { "aiLoop": { - "title": "Alert AI Loop", - "subtitle": "Alert signals are aligned to LOG / KM / RAG / MCP / PlayBook / Verifier runtime receipts.", + "title": "告警 AI Loop", + "subtitle": "告警訊號直接對齊 LOG / KM / RAG / MCP / PlayBook / Verifier 的 runtime receipt。", "badge": "controlled automation", "runs": "Runs", "workItems": "Work Items", 
@@ -12079,32 +12079,32 @@ "expiredDetail": "改排 AI retry / rollback / verifier,不預設人工結案" }, "logAutomation": { - "eyebrow": "LOG / KM / RAG / MCP / PlayBook Mainline", - "title": "AI Automation Writeback And Executor Queue", - "subtitle": "Reads the production executor readback directly and connects service log labels, feedback receipts, post-write verifier, controlled plan, and AI Agent next action queue into one trackable mainline.", - "refresh": "Refresh mainline", - "loadFailed": "AI automation mainline readback failed to load", - "emptyBatches": "No executor batches returned yet", - "boundary": "This panel shows the low / medium / high metadata writeback queue available to AI controlled apply. Runtime dispatch truth still comes from production readback; critical remains break-glass.", - "errorDetail": "AI automation mainline read failed: {error}", + "eyebrow": "LOG / KM / RAG / MCP / PlayBook 主線", + "title": "AI 自動化回寫與執行器隊列", + "subtitle": "直接讀取正式 API 的 executor readback,把服務日誌貼標、feedback receipt、post-write verifier、controlled plan 與 AI Agent next action queue 串成同一條可追蹤主線。", + "refresh": "刷新主線", + "loadFailed": "AI 自動化主線 readback 載入失敗", + "emptyBatches": "尚未取得 executor batch", + "boundary": "此面板顯示 AI controlled apply 已具備的低 / 中 / 高風險 metadata writeback 隊列;runtime dispatch 是否已執行仍以正式 readback 為準,critical 維持 break-glass。", + "errorDetail": "AI 自動化主線讀取失敗:{error}", "status": { - "loading": "Loading mainline", + "loading": "讀取主線", "ready": "executor ready", - "waiting": "waiting readback", + "waiting": "等待 readback", "error": "readback failed" }, "metrics": { - "plans": "Writeback plans", - "plansDetail": "Verified KM / RAG / MCP / PlayBook / Agent plans.", - "batches": "Executor batches", - "batchesDetail": "ready / total batches consumable by AI Agent controlled apply.", - "selectors": "Target selectors", - "selectorsDetail": "Every writeback binds project, service, package, and tool.", - "verifiers": "Post-apply verifiers", - "verifiersDetail": "Every target batch 
must carry a verifier ref." + "plans": "回寫計畫", + "plansDetail": "已驗證的 KM / RAG / MCP / PlayBook / Agent plan。", + "batches": "Executor 批次", + "batchesDetail": "ready / total,供 AI Agent controlled apply 消費。", + "selectors": "目標 selector", + "selectorsDetail": "每筆回寫都要綁 project、service、package、tool。", + "verifiers": "Post-apply verifier", + "verifiersDetail": "每個 target batch 都必須有 verifier ref。" }, "stages": { - "logs": "LOG labels", + "logs": "LOG 貼標", "receipts": "Feedback receipts", "verifier": "Post-write verifier", "plan": "Controlled plan", @@ -12120,20 +12120,20 @@ "unknown": "Unknown" }, "policy": { - "controlledApply": "L/M/H controlled apply", - "ownerReview": "L/M/H controlled review", + "controlledApply": "低中高風險 controlled apply", + "ownerReview": "低中高受控審查", "critical": "Critical", "runtime": "Runtime dispatch", "queue": "Next action queue", "evidence": "Evidence chain" }, "values": { - "on": "on", - "off": "off", - "required": "required", - "notRequired": "not required", - "performed": "performed", - "notPerformed": "not performed" + "on": "開啟", + "off": "關閉", + "required": "必要", + "notRequired": "不必要", + "performed": "已執行", + "notPerformed": "未執行" } }, "decisionRail": { @@ -12167,8 +12167,8 @@ "detail": "需要 AI 補齊、retry、rollback 或 break-glass 的審批" }, "handoff": { - "title": "Action Packages", - "detail": "Gate 5 projections, historical evidence, and AI work item backfill" + "title": "處置包", + "detail": "Gate 5、歷史證據與 AI 工作項補齊" }, "verifier": { "title": "驗證", @@ -12181,7 +12181,7 @@ "detail": "找出 learning_recorded、execution_failed、AI retry / rollback 或逾時的審批。", "cta": "查看卡點", "meta": { - "controlledAction": "AI action package", + "controlledAction": "AI 處置包", "executionFailed": "執行失敗 / 降級", "learningRecorded": "卡在學習紀錄" } @@ -12203,7 +12203,7 @@ "meta": { "gate5": "Gate 5 投影", "legacy": "Legacy HITL", - "controlledAction": "AI backfill" + "controlledAction": "AI 補齊" } }, "guardrail": { 
@@ -12218,8 +12218,8 @@ } }, "controlledProof": { - "title": "Low / Medium / High default to AI controlled apply", - "detail": "AI action packages {packages}; Gate 5 {gate5}; historical HITL evidence {legacy}. Only critical / break-glass goes to incident-grade authorization; the rest is completed by AI selectors, check-mode, rollback, and verifiers." + "title": "低 / 中 / 高風險預設 AI controlled apply", + "detail": "AI 處置包 {packages};Gate 5 {gate5};既有 HITL 歷史證據 {legacy}。critical / break-glass 才進事故級授權,其餘由 AI 補齊 selector、check-mode、rollback 與 verifier。" } }, "badges": { @@ -12270,7 +12270,7 @@ "openTickets": "Tickets", "empty": "無", "flowTitle": "處理流程", - "handoffTitle": "Approvals And AI Action Packages", + "handoffTitle": "審批與 AI 處置包", "timelineEmpty": "尚未取得 Incident timeline。", "linkedExplanation": "此 Incident 已有受控決策 / timeline 關聯;若下方 AI 受控清單為空,代表它可能已完成、過期、拒絕,或已轉成 verifier / rollback / AI 補齊。", "unlinkedExplanation": "目前沒有對應 批准 id;這代表此 Incident不是等待批准的狀態,應從 Work Items / Runs 追下一步。", @@ -12279,15 +12279,15 @@ "no": "不需 AI 補齊" }, "controlledAction": { - "yes": "AI action package pending", - "no": "AI action package clear" + "yes": "AI 處置包待補齊", + "no": "AI 處置包已清空" }, "metrics": { "approvals": "關聯審批", "stage": "目前階段", "repair": "修復狀態", "verification": "驗證", - "handoff": "AI Action Package" + "handoff": "AI 處置包" }, "handoff": { "approvalIds": "Approval IDs", 
@@ -12330,12 +12330,12 @@ } }, "legacyHitl": { - "title": "Existing HITL Evidence Queue", - "subtitle": "These rows come from approval_records and are not AwoooP run approvals; keep them as historical evidence and route follow-up into AI controlled work items.", + "title": "既有 HITL 歷史證據佇列", + "subtitle": "這批來自 批准_records,不屬於 AwoooP run 批准;以歷史證據保留,後續導回 AI 受控工作項。", "openAuthorizations": "開啟授權中心", "loadFailed": "既有 HITL backlog 載入失敗:{error}", - "tableLabel": "Existing HITL Evidence Queue", - "moreRows": "Only the latest 8 rows are shown; track the remaining {count} in the authorization center.", + "tableLabel": "既有 HITL 歷史證據佇列", + "moreRows": "只顯示最新 8 筆,其餘 {count} 筆請到授權中心追蹤。", "noTelegram": "無 Telegram", "telegramRef": "Telegram #{id}", "summary": { @@ -13236,7 +13236,7 @@ "boundary": { "label": "目前邊界", "state": "AI 受控推進 / critical break-glass", - "detail": "低 / 中 / 高風險走 selector、dry-run、rollback 與 verifier;secret、破壞性 DB、重啟、付費 provider 與 refs 破壞維持 break-glass。" + "detail": "低 / 中 / 高風險走 selector、dry-run、rollback 與 verifier;secret、破壞性 DB、重啟、付費 provider 與 參照 破壞維持 break-glass。" }, "commandRail": { "eyebrow": "控制面", @@ -17322,7 +17322,7 @@ "handoffRuntimeGatePointer": { "title": "執行期閘門指標包", "body": "任何掃描、修復、主機更新或阻擋控制都必須留在獨立執行期閘門。", - "handoff": "Only mark which controlled runtime gate may be needed later.", + "handoff": "只標記後續可能需要哪一種受控執行期閘門。", "guard": "不呼叫 Kali、不開 SSH、不更新主機、不執行修復。" }, "handoffSourceControlPointer": { 
@@ -17334,8 +17334,8 @@ } }, "ownerResponseFormalRecordOwnerHandoffReviewBoard": { - "title": "Controlled Decision Record Handoff Checklist", - "subtitle": "Before a handoff packet enters controlled review, seven read-only acceptance checks confirm whether the data is sufficient; this is still not record-owner assignment, a formal record, break-glass approval, or execution authorization. Checks=7, passed=0, assigned=0, runtime gates=0.", + "title": "受控決策正式紀錄交接驗收清單", + "subtitle": "交接包進入受控檢查前,先用七個只讀驗收項確認資料是否足夠;這仍不是紀錄負責人指派、正式紀錄、break-glass 批准或執行授權。現在驗收項=7、通過=0、已指派=0、執行期閘門=0。", "checkLabel": "驗收項", "reviewLabel": "檢查方式", "guardLabel": "仍不會做", @@ -17361,14 +17361,14 @@ "items": { "packetCompleteness": { "title": "交接包完整性", - "body": "Check whether all seven handoff packets include source, summary, limits, gaps, and follow-up controlled confirmation fields.", + "body": "檢查七個交接包是否都有來源、摘要、限制、缺口與後續受控確認欄位。", "review": "只列出缺漏欄位與待補項目。", "guard": "不補寫正式紀錄、不自動產生批准文字。" }, "recordOwnerIdentityScope": { "title": "負責人身分範圍", "body": "檢查交接包是否說明未來紀錄負責人的角色範圍、責任邊界與可聯絡依據。", - "review": "Only confirm whether identity fields are sufficient for controlled interpretation.", + "review": "只確認身分欄位是否足夠受控判讀。", "guard": "不代填姓名、不查外部帳號、不自動指派。" }, "authorityBoundaryMatch": { @@ -17385,7 +17385,7 @@ }, "reviewerNoteConfirm": { "title": "審查備註確認", - "body": "Check whether return reasons, evidence-completion status, review notes, and unresolved items are sufficient for the next reviewer.", + "body": "檢查退回理由、補證狀態、審查備註與未決事項是否足夠讓下一位審查者接手。", "review": "只整理既有備註是否完整。", "guard": "不建立外部任務、不自動通知、不改審查結論。" }, 
@@ -17404,8 +17404,8 @@ } }, "ownerResponseFormalRecordOwnerHandoffReviewOutcomeBoard": { - "title": "Controlled Decision Record Handoff Outcome Routing", - "subtitle": "After handoff acceptance, outcomes only land in eight read-only routes; this is still not record-owner assignment, a formal record, break-glass approval, or execution authorization. Routes=8, ready for controlled review=0, assigned=0, runtime gates=0.", + "title": "受控決策正式紀錄交接驗收結果分流", + "subtitle": "交接驗收後只會落到八條只讀結果分流;這仍不是紀錄負責人指派、正式紀錄、break-glass 批准或執行授權。現在分流=8、可進負責人檢查=0、已指派=0、執行期閘門=0。", "laneLabel": "結果分流", "resultLabel": "分流結果", "guardLabel": "仍不會做", @@ -17431,7 +17431,7 @@ "items": { "remainReviewWaiting": { "title": "維持驗收等待", - "body": "If the handoff packet is still waiting for controlled review, the result can only remain in a waiting state.", + "body": "若交接包仍在等待受控檢查,結果只能維持等待狀態。", "result": "只顯示仍待驗收與缺少哪一類檢查。", "guard": "不自動通過、不建立正式紀錄、不指派負責人。" }, @@ -17443,7 +17443,7 @@ }, "requestOwnerScopeClarification": { "title": "要求負責人範圍說明", - "body": "If the future record owner's role, authority, or contact basis is unclear, request controlled clarification.", + "body": "若未來紀錄負責人的角色、權責或聯絡依據不清,必須要求受控說明。", "result": "只標記需要補充哪一類負責人範圍。", "guard": "不查外部帳號、不代填姓名、不自動指派。" }, @@ -17454,9 +17454,9 @@ "guard": "不讀取機密明文、不保存原始載荷、不抓外部系統。" }, "readyForRecordOwnerReview": { - "title": "Ready for Controlled Record Review", - "body": "If all acceptance checks are sufficient, the handoff packet can enter controlled record review, but this is still not an assignment.", - "result": "Only mark it ready for controlled review and wait for controlled review confirmation.", + "title": "可進受控負責人檢查", + "body": "若驗收項都足夠,交接包可以進入受控紀錄負責人檢查,但仍不是指派。", + "result": "只標記可進受控檢查,等待 controlled review 確認。", "guard": "不自動升格、不建立正式紀錄、不建立審批紀錄。" }, "quarantineSensitivePayload": { 
@@ -17480,8 +17480,8 @@ } }, "ownerResponseFormalRecordOwnerReviewPreparationBoard": { - "title": "Controlled Decision Record Owner Review Preparation Packets", - "subtitle": "If the handoff outcome can enter controlled review, only eight preparation packets are assembled before controlled review; this is not record-owner assignment, a formal record, break-glass approval, or execution authorization. Packets=8, review-ready=0, assigned=0, runtime gates=0.", + "title": "受控決策正式紀錄負責人檢查準備包", + "subtitle": "交接驗收結果若可進負責人檢查,仍只能整理受控檢查前需要看的八個準備包;這不是紀錄負責人指派、正式紀錄、break-glass 批准或執行授權。現在準備包=8、可檢查=0、已指派=0、執行期閘門=0。", "packetLabel": "準備包", "prepareLabel": "準備方式", "guardLabel": "仍不會做", @@ -20849,7 +20849,7 @@ "sourceRepo": { "title": "版本來源與 dirty workspace 判定", "missing": "本機 repo 有 51 個修改或未追蹤項目;尚未判定 WIP、release candidate 與 canonical remote。", - "next": "先收 refs truth 與 dirty workspace disposition;不得 push、rebase、同步 refs 或改 workflow。" + "next": "先收 參照 truth 與 dirty workspace disposition;不得 push、rebase、同步 參照 或改 workflow。" }, "deployBoundary": { "title": "部署邊界與回復條件", @@ -21279,7 +21279,7 @@ "waiting_redacted_counts": "待脫敏計數", "waiting_per_host_matrix": "待逐主機矩陣", "waiting_time_window": "待時間窗", - "waiting_health_refs": "待健康參照", + "waiting_health_參照": "待健康參照", "reject_sensitive_payloads": "拒收敏感內容", "waiting_owner_decision": "待負責人決策", "runtime_closed": "執行期關閉" 
@@ -21409,7 +21409,7 @@ "wazuhManagerRegistryReviewerValidation": { "eyebrow": "Wazuh manager registry reviewer validation", "title": "Owner export 進來後,先由 reviewer 驗收脫敏清單", - "subtitle": "這張卡固定 Wazuh manager registry owner export 的驗收規則:欄位、計數、公開別名矩陣、Dashboard API 修復讀回、唯讀 credential metadata、拒收內容與下一個 Gate 都先可視化;目前已有一筆脫敏 evidence refs 通過 reviewer validation,但仍不開 runtime。", + "subtitle": "這張卡固定 Wazuh manager registry owner export 的驗收規則:欄位、計數、公開別名矩陣、Dashboard API 修復讀回、唯讀 credential metadata、拒收內容與下一個 Gate 都先可視化;目前已有一筆脫敏 evidence 參照 通過 reviewer validation,但仍不開 runtime。", "loadingBoundary": "正在讀取 Wazuh manager registry reviewer validation API", "validationEndpointLabel": "脫敏 owner export 驗證端點", "validationModeLabel": "驗證模式", @@ -21423,7 +21423,7 @@ "checksLoading": "正在讀取 reviewer checks。", "checksFallback": "Reviewer checks 尚未由正式 API 讀回,維持 fallback 停止線。", "boundaryTitle": "Reviewer validation 停止線", - "boundaryIntro": "以下鍵值固定:reviewer validation passed 只代表脫敏 evidence refs 通過 no-persist 驗證;accepted 不代表 manager registry accepted、主動回應流程、agent restart、主機變更、機密輪替或 runtime gate 已授權。", + "boundaryIntro": "以下鍵值固定:reviewer validation passed 只代表脫敏 evidence 參照 通過 no-persist 驗證;accepted 不代表 manager registry accepted、主動回應流程、agent restart、主機變更、機密輪替或 runtime gate 已授權。", "status": { "loading": "正在讀取 Wazuh manager registry reviewer validation", "failed": "Wazuh manager registry reviewer validation API 尚未部署或讀取失敗", @@ -21444,7 +21444,7 @@ }, "passed": { "label": "Reviewer passed", - "detail": "一筆脫敏 owner export refs 已通過 no-persist reviewer validation。" + "detail": "一筆脫敏 owner export 參照 已通過 no-persist reviewer validation。" }, "postEnable": { "label": "Post-enable", @@ -21464,7 +21464,7 @@ }, "received": { "label": "已收 export", - "detail": "已收到一筆 owner-provided redacted registry export refs。" + "detail": "已收到一筆 owner-provided redacted registry export 參照。" }, "accepted": { "label": "已接受", 
@@ -21647,7 +21647,7 @@ }, "signals": { "label": "訊號源", - "detail": "12 條訊號源等待 owner 提供脫敏 evidence refs。" + "detail": "12 條訊號源等待 owner 提供脫敏 evidence 參照。" }, "runtimeGate": { "label": "執行期", @@ -21661,7 +21661,7 @@ }, "wazuhSiem": { "title": "Wazuh SIEM 待收件", - "body": "manager、agent、FIM、rule、decoder 與 event refs 只能用脫敏參照進入 IwoooS,不接 raw payload。" + "body": "manager、agent、FIM、rule、decoder 與 event 參照 只能用脫敏參照進入 IwoooS,不接 raw payload。" }, "kali112": { "title": "資安觀測節點 維持只讀", @@ -21734,7 +21734,7 @@ }, "hostForensics": { "title": "主機入侵不能只靠宣稱", - "body": "需要 Wazuh event、auth、process、network、FIM、package、persistence、containment 與 recovery proof refs。" + "body": "需要 Wazuh event、auth、process、network、FIM、package、persistence、containment 與 recovery proof 參照。" }, "gatewayNginx": { "title": "Nginx 入口先收 live diff", @@ -21746,7 +21746,7 @@ }, "hostRuntime": { "title": "Docker 與 systemd 要收 runtime 證據", - "body": "需要 daemon、unit、process、port binding、dependency、recovery proof 與 postcheck refs,避免只靠 route 回 200 誤判。" + "body": "需要 daemon、unit、process、port binding、dependency、recovery proof 與 postcheck 參照,避免只靠 route 回 200 誤判。" }, "alertReceipt": { "title": "告警要能收件與行動", @@ -21765,7 +21765,7 @@ "securityAssetControlLedger": { "eyebrow": "P0-A 資安資產控制總帳", "title": "把主機、入口、版本來源、監控、Wazuh、Kali 與供應鏈收成一張總帳", - "subtitle": "這張卡把 16 個資安資產群組、64 個 evidence refs 與 24 個 owner 必填欄位收成 P0-A 只讀總帳;目前只顯示脫敏群組、缺口與 0/false 邊界,不讀 live 主機、不呼叫 Wazuh / Kali、不執行掃描、封鎖、reload 或部署。", + "subtitle": "這張卡把 16 個資安資產群組、64 個 evidence 參照 與 24 個 owner 必填欄位收成 P0-A 只讀總帳;目前只顯示脫敏群組、缺口與 0/false 邊界,不讀 live 主機、不呼叫 Wazuh / Kali、不執行掃描、封鎖、reload 或部署。", "checkLabel": "檢核", "stateLabel": "狀態", "boundaryTitle": "資安資產總帳邊界", @@ -21781,7 +21781,7 @@ }, "evidenceRefs": { "label": "證據參照", - "detail": "64 個 committed evidence refs 全部存在,缺失為 0。" + "detail": "64 個 committed evidence 參照 全部存在,缺失為 0。" }, "runtimeGate": { "label": "執行期", 
@@ -21803,7 +21803,7 @@ }, "wazuhKali": { "title": "Wazuh / Kali 維持證據收件", - "body": "Wazuh event refs、Kali scope、health 與 finding envelope 仍待補;主動回應流程、active scan 與 /execute 仍未授權。" + "body": "Wazuh event 參照、Kali scope、health 與 finding envelope 仍待補;主動回應流程、active scan 與 /execute 仍未授權。" }, "alertBackup": { "title": "告警與復原避免假綠燈", @@ -21972,7 +21972,7 @@ }, "canonicalFields": { "title": "欄位對齊 S4.9 envelope", - "body": "owner role / team、decision、decision reason、affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan 已成為 packet 欄位。" + "body": "owner role / team、decision、decision reason、affected scope、redacted evidence 參照、followup owner、rollback owner、maintenance window 與 validation plan 已成為 packet 欄位。" }, "requestState": { "title": "尚未送出 owner request", diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index 18907b92..d820727f 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -229,7 +229,7 @@ }, "credential_escrow": { "title": "P0-005 credential escrow", - "description": "已收斂 non-secret evidence refs 與 reviewer acceptance readback;不寫 credential marker、不收 secret。", + "description": "已收斂 non-secret evidence 參照 與 reviewer acceptance readback;不寫 credential marker、不收 secret。", "metric": "evidence {accepted}/{required}" }, "gitea": { @@ -251,7 +251,7 @@ "boundaries": { "secret": "不收機密明文、授權憑證、瀏覽器憑證或私有存取材料。", "production": "不直接改 production runtime、public gateway、Nginx、Docker、K8s 或 firewall。", - "repo": "不直接建立 repo、改 visibility、sync refs、force push 或 trigger workflow;GitHub 維持 stopped / do_not_use。", + "repo": "不直接建立 repo、改 visibility、sync 參照、force push 或 trigger workflow;GitHub 維持 stopped / do_not_use。", "data": "不直接做資料庫、backup、restore 或 migration 寫操作。", "security": "不啟動 Wazuh / Kali 主動回應流程、active scan 或 host containment。" }, 
@@ -978,7 +978,7 @@
 },
 "sourceDossier": {
 "title": "Sentry / SigNoz 來源卷宗證據",
- "detail": "最近來源 {sources} 筆;Sentry refs {sentry}、SigNoz refs {signoz},用 provider 篩選驗證,不再被整體樣本誤判。"
+ "detail": "最近來源 {sources} 筆;Sentry 參照 {sentry}、SigNoz 參照 {signoz},用 provider 篩選驗證,不再被整體樣本誤判。"
 },
 "callbackEvidence": {
 "title": "Telegram 詳情 / 歷史 DB 真相鏈",
@@ -1212,8 +1212,8 @@
 "kmBurndown": "/api/v1/ai/governance/km-stale-owner-review-burndown"
 },
 "signal": {
- "metric": "來源 {sources} / refs {refs}",
- "detail": "missing refs {missing},duplicates {duplicates};Alert {alert} / Sentry(provider) {sentry} / SigNoz(provider) {signoz}"
+ "metric": "來源 {sources} / 參照 {參照}",
+ "detail": "missing 參照 {missing},duplicates {duplicates};Alert {alert} / Sentry(provider) {sentry} / SigNoz(provider) {signoz}"
 },
 "intake": {
 "metric": "Runs {runs} / linked {linked}",
@@ -9129,7 +9129,7 @@
 "enforcerDetail": "apply={apply} · metadata-only={metadata}",
 "drainGuard": "Drain guard",
 "drainGuardValue": "active={active} / staging={staging}",
- "blockers": "阻塞={count}",
+ "blockers": "阻塞項={count}",
 "jobs": "Jobs / lane",
 "jobsValue": "jobs={jobs} / lane={lane}",
 "restoreSources": "restore sources={count}",
@@ -9214,7 +9214,7 @@
 },
 "inProgress": {
 "title": "自動化資產正在補齊,仍需追蹤候選品質",
- "detail": "優先確認候選是否有證據 refs、安全路由、回滾計畫與修復後驗證。"
+ "detail": "優先確認候選是否有證據 參照、安全路由、回滾計畫與修復後驗證。"
 },
 "watching": {
 "title": "目前沒有明顯 AI 受控卡點,持續觀察資料新鮮度",
@@ -9525,7 +9525,7 @@
 }
 },
 "gates": {
- "sourceDossier": "入站告警必須能查到 received / incident_linked / 來源 refs",
+ "sourceDossier": "入站告警必須能查到 received / incident_linked / 來源 參照",
 "autoRepair": "必須同時有 auto_repair、verification_result=success與KM 回寫",
 "recurrenceWorkItems": "Run 完成無修復、修復失敗與 AI 受控佇列必須進入可追蹤工作項",
 "aiRouteRepairWorkItem": "Provider lane 降級時必須顯示 evidence、owner、PlayBook候選與是否可自動修復",
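Review bot: In the `@@ -1212` hunk the interpolation placeholder was renamed along with the label: `refs {refs}` became `參照 {參照}`. The component that renders `signal.metric` is not visible here, but it presumably still passes the value as `refs`, so the source-reference count would render blank or raise a formatting error, depending on the message formatter. Restore the argument name and translate only the label: `"metric": "來源 {sources} / 參照 {refs}"`. The `sourceRefs` and `sourceFlow.detail` strings in the `@@ -10380` hunk carry the same `{參照}` placeholder.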
@@ -9632,7 +9632,7 @@ "githubPrimaryReadiness": "候選專案庫={candidates};範圍內={inScope};主要來源就緒={ready}", "githubPrimaryOwnerResponses": "負責人回覆仍為 0/22;請求可送出不等於已接受", "githubPrimaryWorkflowNames": "工作流程 / 機密名稱清冊完成=0/7;只收名稱不收機密明文值", - "githubPrimaryBoundary": "未核准建立專案庫、同步 refs、切換 GitHub primary 或停用 Gitea。", + "githubPrimaryBoundary": "未核准建立專案庫、同步 參照、切換 GitHub primary 或停用 Gitea。", "ownerResponseValidation": "回覆包={packets};範本={templates};已收到={received};已接受={accepted};已拒收={rejected}", "ownerResponseValidationChecks": "跨包驗收={crossPacket};證據路由={routing};顯示區塊={sections}", "ownerResponseValidationBoundary": "不建立審批紀錄、不切主要來源、不開執行期閘門" @@ -10243,7 +10243,7 @@ }, "fields": { "target_selector": "Target selector", - "mcp_evidence_refs": "MCP 證據", + "mcp_evidence_參照": "MCP 證據", "route_id": "Route", "repair_command_template": "修復模板", "rollback_command_template": "Rollback", @@ -10297,7 +10297,7 @@ "required": { "alertname": "告警名稱與觸發條件,避免把不同服務的症狀混用。", "target_selector": "命名空間、Pod、Deployment、host 或服務選擇器。", - "mcp_evidence_refs": "MCP / Sentry / SigNoz / K8s / log 證據參照。", + "mcp_evidence_參照": "MCP / Sentry / SigNoz / K8s / log 證據參照。", "repair_command": "受控修復命令或 Ansible playbook,不能是純診斷命令。", "rollback_command": "修復失敗時的回滾或安全停止方案。", "verifier_plan": "修復後如何驗證成功、失敗與是否要升級 AI 補齊或 break-glass。", @@ -10380,10 +10380,10 @@ "matchedIncident": "配對目標:{incident}", "stage": "階段:{stage}", "sourceEvent": "來源事件:{event}", - "sourceRefs": "來源 refs:{refs}(Sentry {sentry} / SignOz {signoz})", + "sourceRefs": "來源 參照:{參照}(Sentry {sentry} / SignOz {signoz})", "sourceFlow": { "label": "來源流程:{status}", - "detail": "參照={refs};Sentry={sentry};SigNoz={signoz};事件={event}", + "detail": "參照={參照};Sentry={sentry};SigNoz={signoz};事件={event}", "statuses": { "applied": "已套用", "reviewed": "覆核已記錄", 
@@ -10633,15 +10633,15 @@ "refs": "關聯索引", "missingRefs": "缺關聯", "duplicates": "重複事件", - "sentry": "Sentry refs", - "signoz": "SignOz refs" + "sentry": "Sentry 參照", + "signoz": "SignOz 參照" }, "details": { "latest": "最新 {time}", - "withRefs": "{count} 筆含 來源 refs", + "withRefs": "{count} 筆含 來源 參照", "missingEnvelope": "{count} 筆缺 來源 envelope", "redacted": "{count} 筆已 redacted", - "alertRefs": "{count} 個 alert refs", + "alertRefs": "{count} 個 alert 參照", "limit": "最近 {count} 筆視窗" }, "provider": { @@ -10770,8 +10770,8 @@ "error": "Callback evidence 載入失敗:{error}", "summary": { "outbound": "出站鏡像", - "outboundDetail": "來源_refs {sourceRefs};trace refs {traceRefs};incident refs {incidentRefs};覆蓋 {coverage}", - "outboundReplyMarkupDetail": "reply_markup {replyMarkup};缺 trace refs {missingTraceRefs};缺 incident refs {missingIncidentRefs}", + "outboundDetail": "來源_參照 {sourceRefs};trace 參照 {traceRefs};incident 參照 {incidentRefs};覆蓋 {coverage}", + "outboundReplyMarkupDetail": "reply_markup {replyMarkup};缺 trace 參照 {missingTraceRefs};缺 incident 參照 {missingIncidentRefs}", "outboundReplyMarkupTraceFreshness": "缺 trace 活躍度:1h {recent1h} / 24h {recent24h} / 最新 {latest}", "outboundReplyMarkupTraceDecision": "缺 trace 判讀:{status};下一步:{action}", "outboundReplyMarkupTraceRecovery": "缺 trace 復原訊號:{status};gap 後 traced {count};首筆 {first};最新 {latest}", @@ -10806,7 +10806,7 @@ }, "traceGapNextActions": { "none": "不需補動作", - "inspect_recent_outbound_source_refs": "檢查近 1 小時 outbound 來源_refs", + "inspect_recent_outbound_source_參照": "檢查近 1 小時 outbound 來源_參照", "watch_24h_decay": "觀察 24 小時窗口自然歸零", "backfill_or_archive_legacy_callbacks": "歸檔或回補舊 callback 缺口", "observed": "等待下一次 outbound evidence" 
@@ -10833,7 +10833,7 @@ "press_telegram_detail_or_history": "按一次 Telegram 詳情 / 歷史產生 callback evidence", "press_telegram_detail_or_history_after_rollout": "重新按 Telegram 詳情 / 歷史補新版 snapshot", "review_legacy_callback_snapshot_gap": "新版已捕捉;舊 callback 缺 snapshot不需重複按", - "review_outbound_source_refs": "檢查 outbound 來源_refs 缺口", + "review_outbound_source_參照": "檢查 outbound 來源_參照 缺口", "observed": "等待下一次 callback evidence" } }, @@ -11157,7 +11157,7 @@ "incidentRef": "Incident 參照", "routeId": "受控路由", "dryRunEvidence": "乾跑證據", - "mcpEvidenceRefs": "MCP 證據 refs", + "mcpEvidenceRefs": "MCP 證據 參照", "ownerApprovalReceipt": "Owner 放行回執", "maintenanceWindow": "維護窗口", "rollbackOwner": "Rollback Owner", @@ -11484,11 +11484,11 @@ "unknown": "待負責人補證" }, "sourceActions": { - "refsParity": "先取得分支 / 標籤參照一致性、部署真相來源與 rollback owner 的脫敏證據;未接受前不得同步 refs 或切主來源。", + "refsParity": "先取得分支 / 標籤參照一致性、部署真相來源與 rollback owner 的脫敏證據;未接受前不得同步 參照 或切主來源。", "targetDecision": "先取得 GitHub 目標、可見性、標準負責人與後續 owner 的脫敏回覆;未接受前不得建立專案庫或改可見性。", "internalRemoteDecision": "先確認內部 remote 用途、維運 owner、移除或保留理由與 rollback 方式;未接受前不得改 remote、workflow 或 secret。", "scopeReview": "先確認是否納入 IwoooS 管控範圍;未接受前只保留觀測,不升級為主來源候選。", - "unknown": "先補 owner role / team、decision、decision reason、affected scope 與 redacted evidence refs。" + "unknown": "先補 owner role / team、decision、decision reason、affected scope 與 redacted evidence 參照。" } }, "securityTenantScopeCandidate": { @@ -11560,7 +11560,7 @@ "sourceScopeWaiting": "租戶原始碼範圍仍等待正式負責人回覆。", "ownerResponseWaiting": "專案庫負責人回覆尚未接受;此欄位只作 evidence,不阻擋低 / 中 / 高風險 controlled apply。", "repoCreationLocked": "未取得正式決策前,不建立 GitHub 專案庫或修改可見性。", - "refsMutationLocked": "未取得分支 / 標籤真相證據前,不同步或修改 refs。", + "refsMutationLocked": "未取得分支 / 標籤真相證據前,不同步或修改 參照。", "githubPrimaryLocked": "GitHub primary 尚未核准切換。", "giteaDisableLocked": "Gitea 不得停用,仍是目前 CI/CD 來源。", "tenantPolicyLocked": "租戶政策與遷移模式不得因就緒度顯示而改變。", 
@@ -13236,7 +13236,7 @@ "boundary": { "label": "目前邊界", "state": "AI 受控推進 / critical break-glass", - "detail": "低 / 中 / 高風險走 selector、dry-run、rollback 與 verifier;secret、破壞性 DB、重啟、付費 provider 與 refs 破壞維持 break-glass。" + "detail": "低 / 中 / 高風險走 selector、dry-run、rollback 與 verifier;secret、破壞性 DB、重啟、付費 provider 與 參照 破壞維持 break-glass。" }, "commandRail": { "eyebrow": "控制面", @@ -20849,7 +20849,7 @@ "sourceRepo": { "title": "版本來源與 dirty workspace 判定", "missing": "本機 repo 有 51 個修改或未追蹤項目;尚未判定 WIP、release candidate 與 canonical remote。", - "next": "先收 refs truth 與 dirty workspace disposition;不得 push、rebase、同步 refs 或改 workflow。" + "next": "先收 參照 truth 與 dirty workspace disposition;不得 push、rebase、同步 參照 或改 workflow。" }, "deployBoundary": { "title": "部署邊界與回復條件", @@ -21279,7 +21279,7 @@ "waiting_redacted_counts": "待脫敏計數", "waiting_per_host_matrix": "待逐主機矩陣", "waiting_time_window": "待時間窗", - "waiting_health_refs": "待健康參照", + "waiting_health_參照": "待健康參照", "reject_sensitive_payloads": "拒收敏感內容", "waiting_owner_decision": "待負責人決策", "runtime_closed": "執行期關閉" @@ -21409,7 +21409,7 @@ "wazuhManagerRegistryReviewerValidation": { "eyebrow": "Wazuh manager registry reviewer validation", "title": "Owner export 進來後,先由 reviewer 驗收脫敏清單", - "subtitle": "這張卡固定 Wazuh manager registry owner export 的驗收規則:欄位、計數、公開別名矩陣、Dashboard API 修復讀回、唯讀 credential metadata、拒收內容與下一個 Gate 都先可視化;目前已有一筆脫敏 evidence refs 通過 reviewer validation,但仍不開 runtime。", + "subtitle": "這張卡固定 Wazuh manager registry owner export 的驗收規則:欄位、計數、公開別名矩陣、Dashboard API 修復讀回、唯讀 credential metadata、拒收內容與下一個 Gate 都先可視化;目前已有一筆脫敏 evidence 參照 通過 reviewer validation,但仍不開 runtime。", "loadingBoundary": "正在讀取 Wazuh manager registry reviewer validation API", "validationEndpointLabel": "脫敏 owner export 驗證端點", "validationModeLabel": "驗證模式", 
@@ -21423,7 +21423,7 @@ "checksLoading": "正在讀取 reviewer checks。", "checksFallback": "Reviewer checks 尚未由正式 API 讀回,維持 fallback 停止線。", "boundaryTitle": "Reviewer validation 停止線", - "boundaryIntro": "以下鍵值固定:reviewer validation passed 只代表脫敏 evidence refs 通過 no-persist 驗證;accepted 不代表 manager registry accepted、主動回應流程、agent restart、主機變更、機密輪替或 runtime gate 已授權。", + "boundaryIntro": "以下鍵值固定:reviewer validation passed 只代表脫敏 evidence 參照 通過 no-persist 驗證;accepted 不代表 manager registry accepted、主動回應流程、agent restart、主機變更、機密輪替或 runtime gate 已授權。", "status": { "loading": "正在讀取 Wazuh manager registry reviewer validation", "failed": "Wazuh manager registry reviewer validation API 尚未部署或讀取失敗", @@ -21444,7 +21444,7 @@ }, "passed": { "label": "Reviewer passed", - "detail": "一筆脫敏 owner export refs 已通過 no-persist reviewer validation。" + "detail": "一筆脫敏 owner export 參照 已通過 no-persist reviewer validation。" }, "postEnable": { "label": "Post-enable", @@ -21464,7 +21464,7 @@ }, "received": { "label": "已收 export", - "detail": "已收到一筆 owner-provided redacted registry export refs。" + "detail": "已收到一筆 owner-provided redacted registry export 參照。" }, "accepted": { "label": "已接受", @@ -21647,7 +21647,7 @@ }, "signals": { "label": "訊號源", - "detail": "12 條訊號源等待 owner 提供脫敏 evidence refs。" + "detail": "12 條訊號源等待 owner 提供脫敏 evidence 參照。" }, "runtimeGate": { "label": "執行期", @@ -21661,7 +21661,7 @@ }, "wazuhSiem": { "title": "Wazuh SIEM 待收件", - "body": "manager、agent、FIM、rule、decoder 與 event refs 只能用脫敏參照進入 IwoooS,不接 raw payload。" + "body": "manager、agent、FIM、rule、decoder 與 event 參照 只能用脫敏參照進入 IwoooS,不接 raw payload。" }, "kali112": { "title": "資安觀測節點 維持只讀", @@ -21734,7 +21734,7 @@ }, "hostForensics": { "title": "主機入侵不能只靠宣稱", - "body": "需要 Wazuh event、auth、process、network、FIM、package、persistence、containment 與 recovery proof refs。" + "body": "需要 Wazuh event、auth、process、network、FIM、package、persistence、containment 與 recovery proof 參照。" }, "gatewayNginx": { "title": "Nginx 入口先收 live diff", 
@@ -21746,7 +21746,7 @@ }, "hostRuntime": { "title": "Docker 與 systemd 要收 runtime 證據", - "body": "需要 daemon、unit、process、port binding、dependency、recovery proof 與 postcheck refs,避免只靠 route 回 200 誤判。" + "body": "需要 daemon、unit、process、port binding、dependency、recovery proof 與 postcheck 參照,避免只靠 route 回 200 誤判。" }, "alertReceipt": { "title": "告警要能收件與行動", @@ -21765,7 +21765,7 @@ "securityAssetControlLedger": { "eyebrow": "P0-A 資安資產控制總帳", "title": "把主機、入口、版本來源、監控、Wazuh、Kali 與供應鏈收成一張總帳", - "subtitle": "這張卡把 16 個資安資產群組、64 個 evidence refs 與 24 個 owner 必填欄位收成 P0-A 只讀總帳;目前只顯示脫敏群組、缺口與 0/false 邊界,不讀 live 主機、不呼叫 Wazuh / Kali、不執行掃描、封鎖、reload 或部署。", + "subtitle": "這張卡把 16 個資安資產群組、64 個 evidence 參照 與 24 個 owner 必填欄位收成 P0-A 只讀總帳;目前只顯示脫敏群組、缺口與 0/false 邊界,不讀 live 主機、不呼叫 Wazuh / Kali、不執行掃描、封鎖、reload 或部署。", "checkLabel": "檢核", "stateLabel": "狀態", "boundaryTitle": "資安資產總帳邊界", @@ -21781,7 +21781,7 @@ }, "evidenceRefs": { "label": "證據參照", - "detail": "64 個 committed evidence refs 全部存在,缺失為 0。" + "detail": "64 個 committed evidence 參照 全部存在,缺失為 0。" }, "runtimeGate": { "label": "執行期", @@ -21803,7 +21803,7 @@ }, "wazuhKali": { "title": "Wazuh / Kali 維持證據收件", - "body": "Wazuh event refs、Kali scope、health 與 finding envelope 仍待補;主動回應流程、active scan 與 /execute 仍未授權。" + "body": "Wazuh event 參照、Kali scope、health 與 finding envelope 仍待補;主動回應流程、active scan 與 /execute 仍未授權。" }, "alertBackup": { "title": "告警與復原避免假綠燈", @@ -21972,7 +21972,7 @@ }, "canonicalFields": { "title": "欄位對齊 S4.9 envelope", - "body": "owner role / team、decision、decision reason、affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan 已成為 packet 欄位。" + "body": "owner role / team、decision、decision reason、affected scope、redacted evidence 參照、followup owner、rollback owner、maintenance window 與 validation plan 已成為 packet 欄位。" }, "requestState": { "title": "尚未送出 owner request", 
diff --git a/apps/web/src/components/command-palette/CommandPalette.tsx b/apps/web/src/components/command-palette/CommandPalette.tsx index ccd994a3..7c5bd642 100644 --- a/apps/web/src/components/command-palette/CommandPalette.tsx +++ b/apps/web/src/components/command-palette/CommandPalette.tsx @@ -70,8 +70,10 @@ export function CommandPalette() { setOpen(false) } + const productNavigationItems = PRODUCT_NAV_SECTIONS.flatMap(section => section.items) + const navigationSources: PaletteNavSource[] = [ - ...PRODUCT_NAV_SECTIONS.flatMap(section => section.items.flatMap(item => [ + ...productNavigationItems.flatMap(item => [ item, ...(item.children ?? []).map(child => ({ ...child, @@ -80,7 +82,7 @@ export function CommandPalette() { parentId: item.id, surface: 'secondary' as const, })), - ])), + ]), ...PRODUCT_BOTTOM_NAV_ITEMS, ] diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 0bd6ebe1..c2f5c847 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md 
@@ -129,6 +129,18 @@ **下一步**: - commit / push Gitea `main` 後讀回 CD;接續目前 active P0:110 Stock/Postgres hot pressure 的 read-only evidence / source freshness / query attribution。 +## 2026-07-02 — 14:08 Telegram workflow 直送 fallback 收斂到 AWOOI API / AwoooP + +**完成內容**: +- 6 個 Gitea workflow 的 Telegram direct fallback 已移除:`.gitea/workflows/cd.yaml`、`cd-dev.yaml`、`code-review.yaml`、`deploy-alerts.yaml`、`e2e-health.yaml`、`run-migration.yml`。 +- workflow 通知仍先走 `scripts/ci/notify-awoooi-cicd.sh` → AWOOI Alertmanager webhook → TelegramGateway / AwoooP;若 AWOOI API 通知失敗,只留下 CI log evidence,不再旁路直打 Telegram Bot API。 +- Telegram egress scanner 讀回已從 `direct_bot_api_call_count=18` / `workflow_direct_bot_api_call_count=13` 收斂為 `direct_bot_api_call_count=5` / `workflow_direct_bot_api_call_count=0`;剩餘缺口為 ops script `4` 與 API direct `1`。 +- `agent-report-truth-actionability-review` regression 更新為 direct `5`、workflow `0`、ops `4`、API `1`、route finding `9`,避免 UI/API 繼續展示舊 18 條 workflow 旁路。 + +**仍維持**: +- 未使用 GitHub / `gh` / GitHub API;未讀 secret / token / `.env` / raw sessions / SQLite / auth;未送 Telegram;未觸發 workflow;未對 production DB 寫入。 +- 剩餘 5 個 direct Bot API path 尚未宣告完成:必須下一批收斂到 AWOOI API / TelegramGateway 或建立 redacted DB receipt、AI controlled route、KM / PlayBook / verifier writeback。 + ## 2026-07-02 — 13:34 統帥插入需求升級為 API/UI 工作項讀回 **完成內容**: diff --git a/docs/security/telegram-notification-egress-inventory.snapshot.json b/docs/security/telegram-notification-egress-inventory.snapshot.json index b97ffff2..9e0c6b67 100644 --- a/docs/security/telegram-notification-egress-inventory.snapshot.json +++ b/docs/security/telegram-notification-egress-inventory.snapshot.json 
@@ -1,7 +1,7 @@ { "schema_version": "telegram_notification_egress_inventory_v1", - "generated_at": "2026-06-18T22:30:00+08:00", - "git_commit": "27d9f394", + "generated_at": "2026-07-02T14:22:12+08:00", + "git_commit": "f9469bcc2", "status": "inventory_ready_no_runtime_action", "mode": "repo_only_scan_no_secret_value_no_telegram_send", "scan_roots": [ @@ -11,14 +11,14 @@ "apps/api/src" ], "summary": { - "scanned_file_count": 554, - "direct_bot_api_file_count": 11, - "direct_bot_api_call_count": 18, - "workflow_direct_bot_api_call_count": 13, + "scanned_file_count": 636, + "direct_bot_api_file_count": 5, + "direct_bot_api_call_count": 5, + "workflow_direct_bot_api_call_count": 0, "ops_script_direct_bot_api_call_count": 4, "ci_script_direct_bot_api_call_count": 0, "api_direct_bot_api_call_count": 1, - "gateway_normalized_callsite_count": 56, + "gateway_normalized_callsite_count": 57, "gateway_final_exit_formatter_present_count": 1, "required_owner_field_count": 18, "reviewer_check_count": 14, 
@@ -58,1241 +58,6 @@ "not_authorization": true }, "direct_bot_api_calls": [ - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd-dev.yaml:54", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/cd-dev.yaml", - "line": 54, - "line_hash": "f503c2c0f61100a9", - "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - 
"secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd-dev.yaml:241", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/cd-dev.yaml", - "line": 241, - "line_hash": "c41f88fbca91a4b9", - "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - 
"no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": 
false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd-dev.yaml:262", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/cd-dev.yaml", - "line": 262, - "line_hash": "eaa9a6cb8326dc79", - "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - 
"ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd.yaml:113", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/cd.yaml", - "line": 113, - "line_hash": "b57e6587a106976b", - "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - 
"fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": 
false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd.yaml:305", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/cd.yaml", - "line": 305, - "line_hash": "19c1de8d67af874a", - "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - 
"request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd.yaml:1203", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/cd.yaml", - "line": 1203, - "line_hash": "6ef020c2b6eac91f", - "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - 
"message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - 
"owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd.yaml:1552", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/cd.yaml", - "line": 1552, - "line_hash": "d029b95242f39c03", - "sanitized_excerpt": "printf '%b' \"$TG_MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - 
"runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/cd.yaml:1575", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/cd.yaml", - "line": 1575, - "line_hash": "d62c45a8595984fc", - "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" 
\\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - 
"skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/code-review.yaml:137", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/code-review.yaml", - "line": 137, - "line_hash": "a7ebbd735dad5ab2", - "sanitized_excerpt": "curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", 
- "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/code-review.yaml:216", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": 
".gitea/workflows/code-review.yaml", - "line": 216, - "line_hash": "f10f7782dc7c8125", - "sanitized_excerpt": "curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - 
"workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/deploy-alerts.yaml:69", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/deploy-alerts.yaml", - "line": 69, - "line_hash": "79e83190f68f27c9", - "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - 
"redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - 
"not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/e2e-health.yaml:98", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/e2e-health.yaml", - "line": 98, - "line_hash": "d73ce94678f970a9", - "sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - 
"partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "egress_surface_id": "telegram_egress:gitea_workflow_direct_bot_api:.gitea/workflows/run-migration.yml:210", - "surface_kind": "gitea_workflow_direct_bot_api", - "path": ".gitea/workflows/run-migration.yml", - "line": 210, - "line_hash": "934a8dd69fca99b3", - "sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "required_owner_fields": [ - "egress_surface_id", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_plan", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - 
"reviewer_checks": [ - "direct_bot_api_surface_identified", - "owner_role_present", - "target_route_is_sre_owned", - "message_shape_is_ai_automation_card_or_documented_exception", - "redaction_contract_present", - "formatter_convergence_path_present", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "fallback_mode_does_not_leak_raw_payload", - "secret_name_only_no_value", - "workflow_or_script_change_requires_separate_approval", - "telegram_send_not_executed_by_inventory", - "no_false_green_claim", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "request_owner_route_supplement", - "request_formatter_convergence_plan", - "request_redaction_contract", - "request_delivery_receipt_metadata", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_notification_egress_review", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification_without_owner", - "secret_value_collection", - "secret_hash_collection", - "partial_token_collection", - "chat_id_collection_without_owner", - "store_raw_message_payload", - "store_unredacted_workflow_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "workflow_dispatch", - "production_deploy", - "accept_route_200_as_delivery_receipt", - "accept_cd_success_as_notification_acceptance", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_review", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - 
"secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, { "egress_surface_id": "telegram_egress:api_direct_bot_api:apps/api/src/services/channel_hub.py:1138", "surface_kind": "api_direct_bot_api", @@ -1484,11 +249,11 @@ "not_authorization": true }, { - "egress_surface_id": "telegram_egress:ops_script_direct_bot_api:scripts/ops/docker-health-monitor.sh:90", + "egress_surface_id": "telegram_egress:ops_script_direct_bot_api:scripts/ops/docker-health-monitor.sh:120", "surface_kind": "ops_script_direct_bot_api", "path": "scripts/ops/docker-health-monitor.sh", - "line": 90, - "line_hash": "6611406903bc7d65", + "line": 120, + "line_hash": "283499ad28d35d6a", "sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\", "required_owner_fields": [ "egress_surface_id", @@ -1837,13 +602,13 @@ }, { "path": "apps/api/src/services/failure_watcher.py", - "line": 747, - "line_hash": "8bee0a47e4dce615" + "line": 752, + "line_hash": "7673481130594095" }, { "path": "apps/api/src/services/failure_watcher.py", - "line": 779, - "line_hash": "dcc8fed7fe94b63d" + "line": 784, + "line_hash": "ccb72a2e0a9ec582" }, { "path": "apps/api/src/services/gitea_webhook_service.py", 
@@ -1882,173 +647,178 @@ }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 4904, - "line_hash": "2ded92c9f0cf648c" + "line": 5374, + "line_hash": "6abe4f6f01027f51" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 5141, - "line_hash": "2c16c0d99e3ba896" + "line": 5615, + "line_hash": "6b08bb5969e6bf81" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 5574, - "line_hash": "f9fa7599c8c630f3" + "line": 6048, + "line_hash": "e31cf0f5587583bd" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 5664, - "line_hash": "0cd3409b20409bd5" + "line": 6138, + "line_hash": "fcb7c764d12ed4ad" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 5667, - "line_hash": "4b46eec88f95b7fc" + "line": 6141, + "line_hash": "d7865613da2925eb" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 5725, - "line_hash": "435e4b8871b9ea20" + "line": 6199, + "line_hash": "7ce4aec16700add3" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 5784, - "line_hash": "d67a07fbc4e8e104" + "line": 6258, + "line_hash": "c38b1044dc1936ed" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 6107, - "line_hash": "57dff0f99cd63bb4" + "line": 6581, + "line_hash": "a2b428c7cd26f6df" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 6165, - "line_hash": "2cf36365a86d725d" + "line": 6639, + "line_hash": "940568cc70f135da" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 6221, - "line_hash": "9724fba690e79a29" + "line": 6695, + "line_hash": "dc4975526f170c4b" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 6278, - "line_hash": "c1481223ca6712a7" + "line": 6752, + "line_hash": "4431802f09177793" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 6341, - "line_hash": "171855265b7f7b5f" + "line": 6815, + "line_hash": "3b403ecc07e58580" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 6416, - 
"line_hash": "f92bfa489791754e" + "line": 6890, + "line_hash": "217eddafb1892d3f" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 6459, - "line_hash": "a7c1d96474e5004c" + "line": 6933, + "line_hash": "5d3959b2a3a6ef6b" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 6727, - "line_hash": "1b52a7acba5f263d" + "line": 7201, + "line_hash": "ae305742e8413fb9" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 7058, - "line_hash": "e4d15cc17412e1df" + "line": 7532, + "line_hash": "f8e757b0b1940dfd" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 7075, - "line_hash": "ef392666ead2a935" + "line": 7549, + "line_hash": "6aa3d0c6f294c9db" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 7131, - "line_hash": "b01759a295fe888d" + "line": 7605, + "line_hash": "edce43618980911d" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 7476, - "line_hash": "6de51111c3b3effb" + "line": 7950, + "line_hash": "040c55f344e63e2e" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 7633, - "line_hash": "3ae60919d622d66a" + "line": 8107, + "line_hash": "46d66b2145372dd8" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 7778, - "line_hash": "098e96b906782f66" + "line": 8252, + "line_hash": "8ebe1f28478b8b11" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 7852, - "line_hash": "cd2982fc71f17ded" + "line": 8326, + "line_hash": "91d2ca0efcac21ee" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 7946, - "line_hash": "e3c7a73810453996" + "line": 8420, + "line_hash": "6eb41eedd8070d91" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 8566, - "line_hash": "60fee84eb559944b" + "line": 9040, + "line_hash": "bc576b6fda533964" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 8573, - "line_hash": "d7d36ac583acec88" + "line": 9047, + "line_hash": "e4b078f7815ac3db" }, { "path": 
"apps/api/src/services/telegram_gateway.py", - "line": 8700, - "line_hash": "eef16286b46db389" + "line": 9174, + "line_hash": "8dbb002e7811389c" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 8718, - "line_hash": "145af1001d016aef" + "line": 9199, + "line_hash": "54e1ad827084af7d" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 8732, - "line_hash": "71d1eae60f8d1eea" + "line": 9213, + "line_hash": "12d58f7f2fbb2a64" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 8757, - "line_hash": "891f75aab51d14ce" + "line": 9238, + "line_hash": "9394a79d9cfe4020" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 8783, - "line_hash": "3d838580c426d3f3" + "line": 9344, + "line_hash": "9ffceb53c73f29e2" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 8819, - "line_hash": "85016472bc808598" + "line": 9370, + "line_hash": "e987f2b54961d32c" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 9810, - "line_hash": "94c427fd9136122f" + "line": 9406, + "line_hash": "766c1cf3c2e7b37c" }, { "path": "apps/api/src/services/telegram_gateway.py", - "line": 9907, - "line_hash": "b57f776b5430f121" + "line": 10423, + "line_hash": "f47ba2d2e8f18e9b" + }, + { + "path": "apps/api/src/services/telegram_gateway.py", + "line": 10527, + "line_hash": "b058b22806044d84" }, { "path": "apps/api/src/services/weekly_report_service.py", - "line": 277, - "line_hash": "aa0200c41090d012" + "line": 457, + "line_hash": "c2a061a65eade81f" } ], "operator_interpretation": [ diff --git a/docs/security/telegram-notification-egress-migration-plan-draft.snapshot.json b/docs/security/telegram-notification-egress-migration-plan-draft.snapshot.json index e152b0e7..270d6495 100644 --- a/docs/security/telegram-notification-egress-migration-plan-draft.snapshot.json +++ b/docs/security/telegram-notification-egress-migration-plan-draft.snapshot.json 
@@ -1,29 +1,29 @@ { "schema_version": "telegram_notification_egress_migration_plan_draft_v1", - "generated_at": "2026-06-18T23:00:00+08:00", - "git_commit": "f171ffc2", + "generated_at": "2026-07-02T14:24:46+08:00", + "git_commit": "f9469bcc2", "status": "migration_plan_draft_ready_no_runtime_action", "mode": "metadata_only_no_workflow_script_api_change_no_telegram_send", "source_snapshot": "docs/security/telegram-notification-egress-owner-request-draft.snapshot.json", "source_schema_version": "telegram_notification_egress_owner_request_draft_v1", "source_status": "owner_request_draft_ready_no_dispatch_no_runtime_action", "summary": { - "source_request_draft_count": 11, - "source_direct_bot_api_call_count": 18, - "migration_candidate_count": 11, - "workflow_migration_candidate_count": 6, + "source_request_draft_count": 5, + "source_direct_bot_api_call_count": 5, + "migration_candidate_count": 5, + "workflow_migration_candidate_count": 0, "ops_script_migration_candidate_count": 4, "api_direct_migration_candidate_count": 1, - "proposed_wave_count": 3, + "proposed_wave_count": 2, "plan_field_count": 17, "reviewer_check_count": 15, "outcome_lane_count": 9, "blocked_action_count": 21, - "owner_response_required_count": 11, - "maintenance_window_required_count": 11, - "rollback_owner_required_count": 11, - "postcheck_required_count": 11, - "delivery_receipt_required_count": 11, + "owner_response_required_count": 5, + "maintenance_window_required_count": 5, + "rollback_owner_required_count": 5, + "postcheck_required_count": 5, + "delivery_receipt_required_count": 5, "owner_response_received_count": 0, "owner_response_accepted_count": 0, "migration_authorized_count": 0, 
@@ -52,605 +52,10 @@ "not_authorization": true }, "proposed_waves": [ - "wave_1_workflow_notification_wrapper", "wave_2_ops_notification_wrapper", "wave_3_api_sender_gateway" ], "migration_candidates": [ - { - "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/cd-dev.yaml", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_dev_yaml", - "source_path": ".gitea/workflows/cd-dev.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 3, - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "plan_fields": [ - "migration_candidate_id", - "source_request_draft_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "proposed_change_summary", - "required_owner_response_ref", - "required_maintenance_window", - "required_rollback_owner", - "required_postcheck_ref", - "required_delivery_receipt_ref", - "required_no_secret_value_attestation", - "required_no_raw_payload_attestation", - "required_no_false_green_attestation", - "not_authorization" - ], - "reviewer_checks": [ - "source_owner_request_draft_current", - "owner_response_required_before_change", - "maintenance_window_required_before_change", - "rollback_owner_required_before_change", - "delivery_receipt_plan_required", - "postcheck_plan_required", - "redaction_contract_required", - "break_glass_fallback_explicit", - "no_secret_value_required", - "no_raw_payload_required", - "no_false_green_required", - "workflow_changes_separate_from_docs", - "script_changes_separate_from_docs", - "api_sender_refactor_separate_from_docs", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_response", - "ready_for_workflow_migration_review", 
- "ready_for_ops_script_migration_review", - "ready_for_api_sender_migration_review", - "request_missing_owner_response", - "request_missing_maintenance_or_rollback", - "reject_secret_or_raw_payload", - "reject_false_green_claim", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "send_telegram", - "call_bot_api", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "store_raw_payload", - "store_unredacted_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_required": true, - "maintenance_window_required": true, - "rollback_owner_required": true, - "postcheck_required": true, - "delivery_receipt_required": true, - "owner_response_received": false, - "owner_response_accepted": false, - "migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/cd.yaml", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_yaml", - "source_path": ".gitea/workflows/cd.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 5, - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - 
"proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "plan_fields": [ - "migration_candidate_id", - "source_request_draft_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "proposed_change_summary", - "required_owner_response_ref", - "required_maintenance_window", - "required_rollback_owner", - "required_postcheck_ref", - "required_delivery_receipt_ref", - "required_no_secret_value_attestation", - "required_no_raw_payload_attestation", - "required_no_false_green_attestation", - "not_authorization" - ], - "reviewer_checks": [ - "source_owner_request_draft_current", - "owner_response_required_before_change", - "maintenance_window_required_before_change", - "rollback_owner_required_before_change", - "delivery_receipt_plan_required", - "postcheck_plan_required", - "redaction_contract_required", - "break_glass_fallback_explicit", - "no_secret_value_required", - "no_raw_payload_required", - "no_false_green_required", - "workflow_changes_separate_from_docs", - "script_changes_separate_from_docs", - "api_sender_refactor_separate_from_docs", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_response", - "ready_for_workflow_migration_review", - "ready_for_ops_script_migration_review", - "ready_for_api_sender_migration_review", - "request_missing_owner_response", - "request_missing_maintenance_or_rollback", - "reject_secret_or_raw_payload", - "reject_false_green_claim", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "send_telegram", - "call_bot_api", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "store_raw_payload", - "store_unredacted_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - 
"accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_required": true, - "maintenance_window_required": true, - "rollback_owner_required": true, - "postcheck_required": true, - "delivery_receipt_required": true, - "owner_response_received": false, - "owner_response_accepted": false, - "migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/code-review.yaml", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_code_review_yaml", - "source_path": ".gitea/workflows/code-review.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 2, - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "plan_fields": [ - "migration_candidate_id", - "source_request_draft_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "proposed_change_summary", - "required_owner_response_ref", - "required_maintenance_window", - "required_rollback_owner", - "required_postcheck_ref", - "required_delivery_receipt_ref", - "required_no_secret_value_attestation", - "required_no_raw_payload_attestation", - "required_no_false_green_attestation", - "not_authorization" - ], - 
"reviewer_checks": [ - "source_owner_request_draft_current", - "owner_response_required_before_change", - "maintenance_window_required_before_change", - "rollback_owner_required_before_change", - "delivery_receipt_plan_required", - "postcheck_plan_required", - "redaction_contract_required", - "break_glass_fallback_explicit", - "no_secret_value_required", - "no_raw_payload_required", - "no_false_green_required", - "workflow_changes_separate_from_docs", - "script_changes_separate_from_docs", - "api_sender_refactor_separate_from_docs", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_response", - "ready_for_workflow_migration_review", - "ready_for_ops_script_migration_review", - "ready_for_api_sender_migration_review", - "request_missing_owner_response", - "request_missing_maintenance_or_rollback", - "reject_secret_or_raw_payload", - "reject_false_green_claim", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "send_telegram", - "call_bot_api", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "store_raw_payload", - "store_unredacted_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_required": true, - "maintenance_window_required": true, - "rollback_owner_required": true, - "postcheck_required": true, - "delivery_receipt_required": true, - "owner_response_received": false, - "owner_response_accepted": false, - "migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "secret_value_collection_allowed": 
false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/deploy-alerts.yaml", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_deploy_alerts_yaml", - "source_path": ".gitea/workflows/deploy-alerts.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 1, - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "plan_fields": [ - "migration_candidate_id", - "source_request_draft_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "proposed_change_summary", - "required_owner_response_ref", - "required_maintenance_window", - "required_rollback_owner", - "required_postcheck_ref", - "required_delivery_receipt_ref", - "required_no_secret_value_attestation", - "required_no_raw_payload_attestation", - "required_no_false_green_attestation", - "not_authorization" - ], - "reviewer_checks": [ - "source_owner_request_draft_current", - "owner_response_required_before_change", - "maintenance_window_required_before_change", - "rollback_owner_required_before_change", - "delivery_receipt_plan_required", - "postcheck_plan_required", - "redaction_contract_required", - "break_glass_fallback_explicit", - "no_secret_value_required", - "no_raw_payload_required", - "no_false_green_required", - "workflow_changes_separate_from_docs", - "script_changes_separate_from_docs", - "api_sender_refactor_separate_from_docs", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_response", - "ready_for_workflow_migration_review", - 
"ready_for_ops_script_migration_review", - "ready_for_api_sender_migration_review", - "request_missing_owner_response", - "request_missing_maintenance_or_rollback", - "reject_secret_or_raw_payload", - "reject_false_green_claim", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "send_telegram", - "call_bot_api", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "store_raw_payload", - "store_unredacted_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_required": true, - "maintenance_window_required": true, - "rollback_owner_required": true, - "postcheck_required": true, - "delivery_receipt_required": true, - "owner_response_received": false, - "owner_response_accepted": false, - "migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/e2e-health.yaml", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_e2e_health_yaml", - "source_path": ".gitea/workflows/e2e-health.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 1, - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - 
"proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "plan_fields": [ - "migration_candidate_id", - "source_request_draft_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "proposed_change_summary", - "required_owner_response_ref", - "required_maintenance_window", - "required_rollback_owner", - "required_postcheck_ref", - "required_delivery_receipt_ref", - "required_no_secret_value_attestation", - "required_no_raw_payload_attestation", - "required_no_false_green_attestation", - "not_authorization" - ], - "reviewer_checks": [ - "source_owner_request_draft_current", - "owner_response_required_before_change", - "maintenance_window_required_before_change", - "rollback_owner_required_before_change", - "delivery_receipt_plan_required", - "postcheck_plan_required", - "redaction_contract_required", - "break_glass_fallback_explicit", - "no_secret_value_required", - "no_raw_payload_required", - "no_false_green_required", - "workflow_changes_separate_from_docs", - "script_changes_separate_from_docs", - "api_sender_refactor_separate_from_docs", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_response", - "ready_for_workflow_migration_review", - "ready_for_ops_script_migration_review", - "ready_for_api_sender_migration_review", - "request_missing_owner_response", - "request_missing_maintenance_or_rollback", - "reject_secret_or_raw_payload", - "reject_false_green_claim", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "send_telegram", - "call_bot_api", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "store_raw_payload", - "store_unredacted_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - 
"accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_required": true, - "maintenance_window_required": true, - "rollback_owner_required": true, - "postcheck_required": true, - "delivery_receipt_required": true, - "owner_response_received": false, - "owner_response_accepted": false, - "migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/run-migration.yml", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_run_migration_yml", - "source_path": ".gitea/workflows/run-migration.yml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 1, - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "plan_fields": [ - "migration_candidate_id", - "source_request_draft_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "proposed_change_summary", - "required_owner_response_ref", - "required_maintenance_window", - "required_rollback_owner", - "required_postcheck_ref", - "required_delivery_receipt_ref", - "required_no_secret_value_attestation", - "required_no_raw_payload_attestation", - "required_no_false_green_attestation", - "not_authorization" - ], - 
"reviewer_checks": [ - "source_owner_request_draft_current", - "owner_response_required_before_change", - "maintenance_window_required_before_change", - "rollback_owner_required_before_change", - "delivery_receipt_plan_required", - "postcheck_plan_required", - "redaction_contract_required", - "break_glass_fallback_explicit", - "no_secret_value_required", - "no_raw_payload_required", - "no_false_green_required", - "workflow_changes_separate_from_docs", - "script_changes_separate_from_docs", - "api_sender_refactor_separate_from_docs", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_response", - "ready_for_workflow_migration_review", - "ready_for_ops_script_migration_review", - "ready_for_api_sender_migration_review", - "request_missing_owner_response", - "request_missing_maintenance_or_rollback", - "reject_secret_or_raw_payload", - "reject_false_green_claim", - "waiting_runtime_gate" - ], - "blocked_actions": [ - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "send_telegram", - "call_bot_api", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "store_raw_payload", - "store_unredacted_log", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "open_runtime_gate", - "add_action_button" - ], - "owner_response_required": true, - "maintenance_window_required": true, - "rollback_owner_required": true, - "postcheck_required": true, - "delivery_receipt_required": true, - "owner_response_received": false, - "owner_response_accepted": false, - "migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "secret_value_collection_allowed": 
false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, { "migration_candidate_id": "telegram_notification_egress_migration:apps/api/src/services/channel_hub.py", "source_request_draft_id": "telegram_notification_egress_owner_request:apps_api_src_services_channel_hub_py", diff --git a/docs/security/telegram-notification-egress-no-new-bypass-guard.snapshot.json b/docs/security/telegram-notification-egress-no-new-bypass-guard.snapshot.json index 7e976dcc..447a89e2 100644 --- a/docs/security/telegram-notification-egress-no-new-bypass-guard.snapshot.json +++ b/docs/security/telegram-notification-egress-no-new-bypass-guard.snapshot.json 
@@ -1,96 +1,5 @@ { "current_direct_bot_api_calls": [ - { - "line": 54, - "method": "sendMessage", - "path": ".gitea/workflows/cd-dev.yaml", - "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/cd-dev.yaml::sendmessage::printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 241, - "method": "sendMessage", - "path": ".gitea/workflows/cd-dev.yaml", - "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/cd-dev.yaml::sendmessage::printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 262, - "method": "sendMessage", - "path": ".gitea/workflows/cd-dev.yaml", - "sanitized_excerpt": "printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/cd-dev.yaml::sendmessage::printf '%b' \"$MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 113, - "method": "sendMessage", - "path": ".gitea/workflows/cd.yaml", - "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/cd.yaml::sendmessage::curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 305, - "method": "sendMessage", - "path": ".gitea/workflows/cd.yaml", - "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/cd.yaml::sendmessage::curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 1203, - "method": "sendMessage", - "path": ".gitea/workflows/cd.yaml", - "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/cd.yaml::sendmessage::curl -fS -X POST 
\"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 1552, - "method": "sendMessage", - "path": ".gitea/workflows/cd.yaml", - "sanitized_excerpt": "printf '%b' \"$TG_MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/cd.yaml::sendmessage::printf '%b' \"$TG_MSG\" | curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 1575, - "method": "sendMessage", - "path": ".gitea/workflows/cd.yaml", - "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/cd.yaml::sendmessage::curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 137, - "method": "sendMessage", - "path": ".gitea/workflows/code-review.yaml", - "sanitized_excerpt": "curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/code-review.yaml::sendmessage::curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 216, - "method": "sendMessage", - "path": ".gitea/workflows/code-review.yaml", - "sanitized_excerpt": "curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/code-review.yaml::sendmessage::curl -fsS -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 69, - "method": "sendMessage", - "path": ".gitea/workflows/deploy-alerts.yaml", - "sanitized_excerpt": "curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/deploy-alerts.yaml::sendmessage::curl -fS -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - "line": 98, - "method": "sendMessage", - "path": ".gitea/workflows/e2e-health.yaml", - "sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/e2e-health.yaml::sendmessage::curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, - { - 
"line": 210, - "method": "sendMessage", - "path": ".gitea/workflows/run-migration.yml", - "sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\", - "signature": ".gitea/workflows/run-migration.yml::sendmessage::curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\" - }, { "line": 1138, "method": "sendMessage", @@ -106,7 +15,7 @@ "signature": "scripts/ops/backup-from-110.sh::sendmessage::curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\" }, { - "line": 90, + "line": 120, "method": "sendMessage", "path": "scripts/ops/docker-health-monitor.sh", "sanitized_excerpt": "curl -s -X POST \"https://api.telegram.org/bot/sendMessage\" \\", @@ -144,8 +53,8 @@ "telegram_send_authorized": false, "workflow_modification_authorized": false }, - "generated_at": "2026-06-19T09:40:00+08:00", - "git_commit": "4d0150e1", + "generated_at": "2026-07-02T14:24:46+08:00", + "git_commit": "f9469bcc2", "guarded_bot_methods": [ "sendMessage", "sendDocument", @@ -177,9 +86,9 @@ "status": "pass_no_new_bypass", "summary": { "action_button_count": 0, - "baseline_signature_count": 18, - "current_direct_bot_api_call_count": 18, - "current_direct_bot_api_file_count": 11, + "baseline_signature_count": 5, + "current_direct_bot_api_call_count": 5, + "current_direct_bot_api_file_count": 5, "editMessageText_call_count": 0, "guarded_method_count": 9, "new_bypass_count": 0, @@ -189,9 +98,9 @@ "runtime_gate_count": 0, "sendDocument_call_count": 0, "sendMediaGroup_call_count": 0, - "sendMessage_call_count": 18, + "sendMessage_call_count": 5, "sendPhoto_call_count": 0, - "source_direct_bot_api_call_count": 18, - "source_direct_bot_api_file_count": 11 + "source_direct_bot_api_call_count": 5, + "source_direct_bot_api_file_count": 5 } } diff --git a/docs/security/telegram-notification-egress-owner-request-draft.snapshot.json b/docs/security/telegram-notification-egress-owner-request-draft.snapshot.json index ec03a94c..ff772ec7 100644 
--- a/docs/security/telegram-notification-egress-owner-request-draft.snapshot.json +++ b/docs/security/telegram-notification-egress-owner-request-draft.snapshot.json @@ -1,17 +1,17 @@ { "schema_version": "telegram_notification_egress_owner_request_draft_v1", - "generated_at": "2026-06-18T22:45:00+08:00", - "git_commit": "8cbedfe4", + "generated_at": "2026-07-02T14:24:46+08:00", + "git_commit": "f9469bcc2", "status": "owner_request_draft_ready_no_dispatch_no_runtime_action", "mode": "metadata_only_no_secret_value_no_telegram_send_no_workflow_change", "source_snapshot": "docs/security/telegram-notification-egress-inventory.snapshot.json", "source_schema_version": "telegram_notification_egress_inventory_v1", "source_status": "inventory_ready_no_runtime_action", "summary": { - "source_direct_bot_api_call_count": 18, - "source_direct_bot_api_file_count": 11, - "request_draft_count": 11, - "workflow_request_draft_count": 6, + "source_direct_bot_api_call_count": 5, + "source_direct_bot_api_file_count": 5, + "request_draft_count": 5, + "workflow_request_draft_count": 0, "ops_script_request_draft_count": 4, "ci_script_request_draft_count": 0, "api_direct_request_draft_count": 1, 
@@ -59,962 +59,6 @@ "not_authorization": true }, "request_drafts": [ - { - "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_dev_yaml", - "source_inventory_schema_version": "telegram_notification_egress_inventory_v1", - "source_path": ".gitea/workflows/cd-dev.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 3, - "line_refs": [ - 54, - 241, - 262 - ], - "line_hash_refs": [ - "f503c2c0f61100a9", - "c41f88fbca91a4b9", - "eaa9a6cb8326dc79" - ], - "request_fields": [ - "request_draft_id", - "source_inventory_schema_version", - "source_path", - "surface_kind", - "direct_call_count", - "line_refs", - "line_hash_refs", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "preflight_checks": [ - "source_inventory_current", - "owner_role_present", - "route_purpose_present", - "message_shape_contract_present", - "redaction_contract_present", - 
"formatter_convergence_decision_present", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_present", - "dedup_or_fingerprint_present", - "maintenance_window_present_for_change", - "rollback_owner_present", - "postcheck_evidence_present", - "no_secret_value_attested", - "no_raw_payload_attested", - "no_false_green_attested", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_dispatch", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_break_glass_fallback_supplement", - "request_redaction_or_receipt_supplement", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_manual_dispatch", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "send_owner_request", - "confirm_recipient", - "emit_audit_event", - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification", - "api_sender_refactor", - "change_chat_route", - "change_bot_token", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "workflow_dispatch", - "production_deploy", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_contract", - "open_runtime_gate", - "add_action_button" - ], - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - 
"formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_yaml", - "source_inventory_schema_version": "telegram_notification_egress_inventory_v1", - "source_path": ".gitea/workflows/cd.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 5, - "line_refs": [ - 113, - 305, - 1203, - 1552, - 1575 - ], - "line_hash_refs": [ - "b57e6587a106976b", - "19c1de8d67af874a", - "6ef020c2b6eac91f", - "d029b95242f39c03", - "d62c45a8595984fc" - ], - "request_fields": [ - "request_draft_id", - "source_inventory_schema_version", - "source_path", - "surface_kind", - "direct_call_count", - "line_refs", - "line_hash_refs", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - 
"message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "preflight_checks": [ - "source_inventory_current", - "owner_role_present", - "route_purpose_present", - "message_shape_contract_present", - "redaction_contract_present", - "formatter_convergence_decision_present", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_present", - "dedup_or_fingerprint_present", - "maintenance_window_present_for_change", - "rollback_owner_present", - "postcheck_evidence_present", - "no_secret_value_attested", - "no_raw_payload_attested", - "no_false_green_attested", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_dispatch", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_break_glass_fallback_supplement", - "request_redaction_or_receipt_supplement", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_manual_dispatch", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "send_owner_request", - "confirm_recipient", - "emit_audit_event", - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification", - "api_sender_refactor", - "change_chat_route", - "change_bot_token", - 
"read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "workflow_dispatch", - "production_deploy", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_contract", - "open_runtime_gate", - "add_action_button" - ], - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_code_review_yaml", - "source_inventory_schema_version": "telegram_notification_egress_inventory_v1", - "source_path": ".gitea/workflows/code-review.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 2, - "line_refs": [ - 137, - 216 - ], - "line_hash_refs": [ - "a7ebbd735dad5ab2", - "f10f7782dc7c8125" - ], - "request_fields": [ - "request_draft_id", - "source_inventory_schema_version", - "source_path", - "surface_kind", - "direct_call_count", - "line_refs", - "line_hash_refs", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - 
"redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "preflight_checks": [ - "source_inventory_current", - "owner_role_present", - "route_purpose_present", - "message_shape_contract_present", - "redaction_contract_present", - "formatter_convergence_decision_present", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_present", - "dedup_or_fingerprint_present", - "maintenance_window_present_for_change", - "rollback_owner_present", - "postcheck_evidence_present", - "no_secret_value_attested", - "no_raw_payload_attested", - "no_false_green_attested", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_dispatch", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_break_glass_fallback_supplement", - "request_redaction_or_receipt_supplement", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_manual_dispatch", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - 
"secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "send_owner_request", - "confirm_recipient", - "emit_audit_event", - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification", - "api_sender_refactor", - "change_chat_route", - "change_bot_token", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "workflow_dispatch", - "production_deploy", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_contract", - "open_runtime_gate", - "add_action_button" - ], - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_deploy_alerts_yaml", - "source_inventory_schema_version": 
"telegram_notification_egress_inventory_v1", - "source_path": ".gitea/workflows/deploy-alerts.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 1, - "line_refs": [ - 69 - ], - "line_hash_refs": [ - "79e83190f68f27c9" - ], - "request_fields": [ - "request_draft_id", - "source_inventory_schema_version", - "source_path", - "surface_kind", - "direct_call_count", - "line_refs", - "line_hash_refs", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "preflight_checks": [ - "source_inventory_current", - "owner_role_present", - "route_purpose_present", - "message_shape_contract_present", - "redaction_contract_present", - "formatter_convergence_decision_present", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_present", - "dedup_or_fingerprint_present", - "maintenance_window_present_for_change", - "rollback_owner_present", - "postcheck_evidence_present", - 
"no_secret_value_attested", - "no_raw_payload_attested", - "no_false_green_attested", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_dispatch", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_break_glass_fallback_supplement", - "request_redaction_or_receipt_supplement", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_manual_dispatch", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "send_owner_request", - "confirm_recipient", - "emit_audit_event", - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification", - "api_sender_refactor", - "change_chat_route", - "change_bot_token", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "workflow_dispatch", - "production_deploy", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_contract", - "open_runtime_gate", - "add_action_button" - ], - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - 
"bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_e2e_health_yaml", - "source_inventory_schema_version": "telegram_notification_egress_inventory_v1", - "source_path": ".gitea/workflows/e2e-health.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 1, - "line_refs": [ - 98 - ], - "line_hash_refs": [ - "d73ce94678f970a9" - ], - "request_fields": [ - "request_draft_id", - "source_inventory_schema_version", - "source_path", - "surface_kind", - "direct_call_count", - "line_refs", - "line_hash_refs", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - 
"no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "preflight_checks": [ - "source_inventory_current", - "owner_role_present", - "route_purpose_present", - "message_shape_contract_present", - "redaction_contract_present", - "formatter_convergence_decision_present", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_present", - "dedup_or_fingerprint_present", - "maintenance_window_present_for_change", - "rollback_owner_present", - "postcheck_evidence_present", - "no_secret_value_attested", - "no_raw_payload_attested", - "no_false_green_attested", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_dispatch", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_break_glass_fallback_supplement", - "request_redaction_or_receipt_supplement", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_manual_dispatch", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "send_owner_request", - "confirm_recipient", - "emit_audit_event", - "telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification", - "api_sender_refactor", - "change_chat_route", - "change_bot_token", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "workflow_dispatch", - "production_deploy", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - 
"skip_formatter_convergence", - "skip_redaction_contract", - "open_runtime_gate", - "add_action_button" - ], - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, - { - "request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_run_migration_yml", - "source_inventory_schema_version": "telegram_notification_egress_inventory_v1", - "source_path": ".gitea/workflows/run-migration.yml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 1, - "line_refs": [ - 210 - ], - "line_hash_refs": [ - "934a8dd69fca99b3" - ], - "request_fields": [ - "request_draft_id", - "source_inventory_schema_version", - "source_path", - "surface_kind", - "direct_call_count", - "line_refs", - "line_hash_refs", - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - 
"no_false_green_attestation", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "preflight_checks": [ - "source_inventory_current", - "owner_role_present", - "route_purpose_present", - "message_shape_contract_present", - "redaction_contract_present", - "formatter_convergence_decision_present", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_present", - "dedup_or_fingerprint_present", - "maintenance_window_present_for_change", - "rollback_owner_present", - "postcheck_evidence_present", - "no_secret_value_attested", - "no_raw_payload_attested", - "no_false_green_attested", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "draft_waiting_owner_dispatch", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_break_glass_fallback_supplement", - "request_redaction_or_receipt_supplement", - "quarantine_secret_or_raw_payload", - "reject_false_green_claim", - "ready_for_manual_dispatch", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "send_owner_request", - "confirm_recipient", - "emit_audit_event", - 
"telegram_send", - "bot_api_call", - "workflow_modification", - "script_modification", - "api_sender_refactor", - "change_chat_route", - "change_bot_token", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "workflow_dispatch", - "production_deploy", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - "skip_formatter_convergence", - "skip_redaction_contract", - "open_runtime_gate", - "add_action_button" - ], - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "direct_bot_api_migration_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false, - "not_authorization": true - }, { "request_draft_id": "telegram_notification_egress_owner_request:apps_api_src_services_channel_hub_py", "source_inventory_schema_version": "telegram_notification_egress_inventory_v1", @@ -1336,10 +380,10 @@ "surface_kind": "ops_script_direct_bot_api", "direct_call_count": 1, "line_refs": [ - 90 + 120 ], "line_hash_refs": [ - "6611406903bc7d65" + "283499ad28d35d6a" ], "request_fields": [ "request_draft_id", 
diff --git a/docs/security/telegram-notification-egress-owner-response-acceptance.snapshot.json b/docs/security/telegram-notification-egress-owner-response-acceptance.snapshot.json
index 66c337d6..14f0f2f7 100644
--- a/docs/security/telegram-notification-egress-owner-response-acceptance.snapshot.json
+++ b/docs/security/telegram-notification-egress-owner-response-acceptance.snapshot.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "telegram_notification_egress_owner_response_acceptance_v1",
- "generated_at": "2026-06-19T02:05:13+08:00",
- "git_commit": "1eaa51e6",
+ "generated_at": "2026-07-02T14:24:46+08:00",
+ "git_commit": "f9469bcc2",
 "status": "owner_response_acceptance_ledger_ready_no_runtime_action",
 "mode": "metadata_only_no_secret_value_no_telegram_send_no_workflow_script_api_change",
 "source_owner_request_snapshot": "docs/security/telegram-notification-egress-owner-request-draft.snapshot.json",
@@ -12,11 +12,11 @@
 "source_migration_plan_status": "migration_plan_draft_ready_no_runtime_action",
 "message_readability_guard_snapshot": "docs/security/telegram-alert-readability-guard.snapshot.json",
 "summary": {
- "source_request_draft_count": 11,
- "source_migration_candidate_count": 11,
- "source_direct_bot_api_call_count": 18,
- "acceptance_candidate_count": 11,
- "workflow_acceptance_candidate_count": 6,
+ "source_request_draft_count": 5,
+ "source_migration_candidate_count": 5,
+ "source_direct_bot_api_call_count": 5,
+ "acceptance_candidate_count": 5,
+ "workflow_acceptance_candidate_count": 0,
 "ops_script_acceptance_candidate_count": 4,
 "api_direct_acceptance_candidate_count": 1,
 "acceptance_field_count": 33,
@@ -75,1334 +75,6 @@ "not_authorization": true }, "acceptance_candidates": [ - { - "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/cd-dev.yaml", - "status": "waiting_owner_response", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_dev_yaml", - "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/cd-dev.yaml", - "source_path": ".gitea/workflows/cd-dev.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 3, - "line_refs": [ - 54, - 241, - 262 - ], - "line_hash_refs": [ - "f503c2c0f61100a9", - "c41f88fbca91a4b9", - "eaa9a6cb8326dc79" - ], - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "owner_response_ref": null, - "owner_role_or_team": "pending_owner_response", - "decision": "pending_owner_response", - "decision_reason": "pending_owner_response", - "affected_scope": "pending_owner_response", - "redacted_evidence_refs": [], - "message_shape_contract_ref": null, - "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json", - "redaction_contract_ref": null, - "formatter_convergence_decision": "pending_owner_response", - "gateway_or_alertmanager_target": "pending_owner_response", - "break_glass_fallback_decision": "pending_owner_response", - "delivery_receipt_ref": null, - "dedup_or_fingerprint_plan": "pending_owner_response", - "fallback_or_degraded_mode": "pending_owner_response", - "migration_or_exception_reason": "pending_owner_response", - "maintenance_window": "pending_owner_response", - "rollback_owner": "pending_owner_response", - "postcheck_evidence_ref": null, - "no_secret_value_attestation": "pending_owner_response", - 
"no_raw_payload_attestation": "pending_owner_response", - "no_false_green_attestation": "pending_owner_response", - "reviewer_outcome": "waiting_owner_response", - "followup_owner": "pending_owner_response", - "acceptance_fields": [ - "acceptance_candidate_id", - "source_request_draft_id", - "source_migration_candidate_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "owner_response_ref", - "owner_role_or_team", - "decision", - "decision_reason", - "affected_scope", - "redacted_evidence_refs", - "message_shape_contract_ref", - "message_readability_guard_ref", - "redaction_contract_ref", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "reviewer_outcome", - "followup_owner", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "source_owner_request_current", - "source_migration_plan_current", - "owner_identity_present", - "decision_reason_present", - "affected_scope_matches_source", - "redacted_refs_only", - "no_secret_or_token_value", - "no_raw_message_payload", - "message_shape_contract_present", - 
"message_readability_guard_present", - "redaction_contract_present", - "formatter_convergence_explicit", - "gateway_or_alertmanager_target_valid", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "maintenance_window_present", - "rollback_owner_present", - "postcheck_evidence_present", - "no_false_green_attested", - "migration_authorization_separate", - "counts_transition_safe", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "quarantine_secret_or_raw_payload", - "reject_execution_request", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_redaction_or_receipt_supplement", - "request_maintenance_or_rollback_supplement", - "ready_for_migration_review", - "owner_review_only_update", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "mark_owner_response_received_without_record", - "mark_owner_response_accepted_without_reviewer_record", - "send_telegram", - "call_bot_api", - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "store_internal_work_window_transcript", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - 
"accept_telegram_sent_without_delivery_receipt", - "skip_formatter_convergence", - "skip_redaction_contract", - "skip_dedup_or_fingerprint_review", - "skip_break_glass_fallback_review", - "authorize_migration", - "authorize_workflow_modification", - "authorize_script_modification", - "authorize_api_sender_refactor", - "open_runtime_gate", - "add_action_button" - ], - "not_authorization": true, - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - "owner_response_rejected": false, - "owner_response_quarantined": false, - "supplement_requested": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "maintenance_window_accepted": false, - "rollback_owner_accepted": false, - "postcheck_evidence_accepted": false, - "dedup_or_fingerprint_accepted": false, - "no_false_green_accepted": false, - "direct_bot_api_migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_dispatch_authorized": false, - "production_deploy_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false - }, - { - "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/cd.yaml", - "status": "waiting_owner_response", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_cd_yaml", - "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/cd.yaml", - "source_path": ".gitea/workflows/cd.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - 
"direct_call_count": 5, - "line_refs": [ - 113, - 305, - 1203, - 1552, - 1575 - ], - "line_hash_refs": [ - "b57e6587a106976b", - "19c1de8d67af874a", - "6ef020c2b6eac91f", - "d029b95242f39c03", - "d62c45a8595984fc" - ], - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "owner_response_ref": null, - "owner_role_or_team": "pending_owner_response", - "decision": "pending_owner_response", - "decision_reason": "pending_owner_response", - "affected_scope": "pending_owner_response", - "redacted_evidence_refs": [], - "message_shape_contract_ref": null, - "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json", - "redaction_contract_ref": null, - "formatter_convergence_decision": "pending_owner_response", - "gateway_or_alertmanager_target": "pending_owner_response", - "break_glass_fallback_decision": "pending_owner_response", - "delivery_receipt_ref": null, - "dedup_or_fingerprint_plan": "pending_owner_response", - "fallback_or_degraded_mode": "pending_owner_response", - "migration_or_exception_reason": "pending_owner_response", - "maintenance_window": "pending_owner_response", - "rollback_owner": "pending_owner_response", - "postcheck_evidence_ref": null, - "no_secret_value_attestation": "pending_owner_response", - "no_raw_payload_attestation": "pending_owner_response", - "no_false_green_attestation": "pending_owner_response", - "reviewer_outcome": "waiting_owner_response", - "followup_owner": "pending_owner_response", - "acceptance_fields": [ - "acceptance_candidate_id", - "source_request_draft_id", - "source_migration_candidate_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "owner_response_ref", - "owner_role_or_team", - "decision", - 
"decision_reason", - "affected_scope", - "redacted_evidence_refs", - "message_shape_contract_ref", - "message_readability_guard_ref", - "redaction_contract_ref", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "reviewer_outcome", - "followup_owner", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "source_owner_request_current", - "source_migration_plan_current", - "owner_identity_present", - "decision_reason_present", - "affected_scope_matches_source", - "redacted_refs_only", - "no_secret_or_token_value", - "no_raw_message_payload", - "message_shape_contract_present", - "message_readability_guard_present", - "redaction_contract_present", - "formatter_convergence_explicit", - "gateway_or_alertmanager_target_valid", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "maintenance_window_present", - "rollback_owner_present", - "postcheck_evidence_present", - "no_false_green_attested", - "migration_authorization_separate", - "counts_transition_safe", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ 
- "waiting_owner_response", - "quarantine_secret_or_raw_payload", - "reject_execution_request", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_redaction_or_receipt_supplement", - "request_maintenance_or_rollback_supplement", - "ready_for_migration_review", - "owner_review_only_update", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "mark_owner_response_received_without_record", - "mark_owner_response_accepted_without_reviewer_record", - "send_telegram", - "call_bot_api", - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "store_internal_work_window_transcript", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - "accept_telegram_sent_without_delivery_receipt", - "skip_formatter_convergence", - "skip_redaction_contract", - "skip_dedup_or_fingerprint_review", - "skip_break_glass_fallback_review", - "authorize_migration", - "authorize_workflow_modification", - "authorize_script_modification", - "authorize_api_sender_refactor", - "open_runtime_gate", - "add_action_button" - ], - "not_authorization": true, - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - 
"owner_response_accepted": false, - "owner_response_rejected": false, - "owner_response_quarantined": false, - "supplement_requested": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "maintenance_window_accepted": false, - "rollback_owner_accepted": false, - "postcheck_evidence_accepted": false, - "dedup_or_fingerprint_accepted": false, - "no_false_green_accepted": false, - "direct_bot_api_migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_dispatch_authorized": false, - "production_deploy_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false - }, - { - "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/code-review.yaml", - "status": "waiting_owner_response", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_code_review_yaml", - "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/code-review.yaml", - "source_path": ".gitea/workflows/code-review.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 2, - "line_refs": [ - 137, - 216 - ], - "line_hash_refs": [ - "a7ebbd735dad5ab2", - "f10f7782dc7c8125" - ], - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "owner_response_ref": null, - "owner_role_or_team": "pending_owner_response", 
- "decision": "pending_owner_response", - "decision_reason": "pending_owner_response", - "affected_scope": "pending_owner_response", - "redacted_evidence_refs": [], - "message_shape_contract_ref": null, - "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json", - "redaction_contract_ref": null, - "formatter_convergence_decision": "pending_owner_response", - "gateway_or_alertmanager_target": "pending_owner_response", - "break_glass_fallback_decision": "pending_owner_response", - "delivery_receipt_ref": null, - "dedup_or_fingerprint_plan": "pending_owner_response", - "fallback_or_degraded_mode": "pending_owner_response", - "migration_or_exception_reason": "pending_owner_response", - "maintenance_window": "pending_owner_response", - "rollback_owner": "pending_owner_response", - "postcheck_evidence_ref": null, - "no_secret_value_attestation": "pending_owner_response", - "no_raw_payload_attestation": "pending_owner_response", - "no_false_green_attestation": "pending_owner_response", - "reviewer_outcome": "waiting_owner_response", - "followup_owner": "pending_owner_response", - "acceptance_fields": [ - "acceptance_candidate_id", - "source_request_draft_id", - "source_migration_candidate_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "owner_response_ref", - "owner_role_or_team", - "decision", - "decision_reason", - "affected_scope", - "redacted_evidence_refs", - "message_shape_contract_ref", - "message_readability_guard_ref", - "redaction_contract_ref", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "reviewer_outcome", - 
"followup_owner", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "source_owner_request_current", - "source_migration_plan_current", - "owner_identity_present", - "decision_reason_present", - "affected_scope_matches_source", - "redacted_refs_only", - "no_secret_or_token_value", - "no_raw_message_payload", - "message_shape_contract_present", - "message_readability_guard_present", - "redaction_contract_present", - "formatter_convergence_explicit", - "gateway_or_alertmanager_target_valid", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "maintenance_window_present", - "rollback_owner_present", - "postcheck_evidence_present", - "no_false_green_attested", - "migration_authorization_separate", - "counts_transition_safe", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "quarantine_secret_or_raw_payload", - "reject_execution_request", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_redaction_or_receipt_supplement", - "request_maintenance_or_rollback_supplement", - "ready_for_migration_review", - "owner_review_only_update", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - 
"raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "mark_owner_response_received_without_record", - "mark_owner_response_accepted_without_reviewer_record", - "send_telegram", - "call_bot_api", - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "store_internal_work_window_transcript", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - "accept_telegram_sent_without_delivery_receipt", - "skip_formatter_convergence", - "skip_redaction_contract", - "skip_dedup_or_fingerprint_review", - "skip_break_glass_fallback_review", - "authorize_migration", - "authorize_workflow_modification", - "authorize_script_modification", - "authorize_api_sender_refactor", - "open_runtime_gate", - "add_action_button" - ], - "not_authorization": true, - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - "owner_response_rejected": false, - "owner_response_quarantined": false, - "supplement_requested": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "maintenance_window_accepted": false, - "rollback_owner_accepted": false, - "postcheck_evidence_accepted": false, - "dedup_or_fingerprint_accepted": false, - "no_false_green_accepted": false, - "direct_bot_api_migration_authorized": false, - "workflow_modification_authorized": false, 
- "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_dispatch_authorized": false, - "production_deploy_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false - }, - { - "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/deploy-alerts.yaml", - "status": "waiting_owner_response", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_deploy_alerts_yaml", - "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/deploy-alerts.yaml", - "source_path": ".gitea/workflows/deploy-alerts.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 1, - "line_refs": [ - 69 - ], - "line_hash_refs": [ - "79e83190f68f27c9" - ], - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "owner_response_ref": null, - "owner_role_or_team": "pending_owner_response", - "decision": "pending_owner_response", - "decision_reason": "pending_owner_response", - "affected_scope": "pending_owner_response", - "redacted_evidence_refs": [], - "message_shape_contract_ref": null, - "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json", - "redaction_contract_ref": null, - "formatter_convergence_decision": "pending_owner_response", - "gateway_or_alertmanager_target": "pending_owner_response", - "break_glass_fallback_decision": "pending_owner_response", - "delivery_receipt_ref": null, - "dedup_or_fingerprint_plan": "pending_owner_response", - 
"fallback_or_degraded_mode": "pending_owner_response", - "migration_or_exception_reason": "pending_owner_response", - "maintenance_window": "pending_owner_response", - "rollback_owner": "pending_owner_response", - "postcheck_evidence_ref": null, - "no_secret_value_attestation": "pending_owner_response", - "no_raw_payload_attestation": "pending_owner_response", - "no_false_green_attestation": "pending_owner_response", - "reviewer_outcome": "waiting_owner_response", - "followup_owner": "pending_owner_response", - "acceptance_fields": [ - "acceptance_candidate_id", - "source_request_draft_id", - "source_migration_candidate_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "owner_response_ref", - "owner_role_or_team", - "decision", - "decision_reason", - "affected_scope", - "redacted_evidence_refs", - "message_shape_contract_ref", - "message_readability_guard_ref", - "redaction_contract_ref", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "reviewer_outcome", - "followup_owner", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - 
"reviewer_checks": [ - "source_owner_request_current", - "source_migration_plan_current", - "owner_identity_present", - "decision_reason_present", - "affected_scope_matches_source", - "redacted_refs_only", - "no_secret_or_token_value", - "no_raw_message_payload", - "message_shape_contract_present", - "message_readability_guard_present", - "redaction_contract_present", - "formatter_convergence_explicit", - "gateway_or_alertmanager_target_valid", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "maintenance_window_present", - "rollback_owner_present", - "postcheck_evidence_present", - "no_false_green_attested", - "migration_authorization_separate", - "counts_transition_safe", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "quarantine_secret_or_raw_payload", - "reject_execution_request", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_redaction_or_receipt_supplement", - "request_maintenance_or_rollback_supplement", - "ready_for_migration_review", - "owner_review_only_update", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "mark_owner_response_received_without_record", - "mark_owner_response_accepted_without_reviewer_record", - "send_telegram", - "call_bot_api", - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - 
"collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "store_internal_work_window_transcript", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - "accept_telegram_sent_without_delivery_receipt", - "skip_formatter_convergence", - "skip_redaction_contract", - "skip_dedup_or_fingerprint_review", - "skip_break_glass_fallback_review", - "authorize_migration", - "authorize_workflow_modification", - "authorize_script_modification", - "authorize_api_sender_refactor", - "open_runtime_gate", - "add_action_button" - ], - "not_authorization": true, - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - "owner_response_rejected": false, - "owner_response_quarantined": false, - "supplement_requested": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "maintenance_window_accepted": false, - "rollback_owner_accepted": false, - "postcheck_evidence_accepted": false, - "dedup_or_fingerprint_accepted": false, - "no_false_green_accepted": false, - "direct_bot_api_migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_dispatch_authorized": false, - "production_deploy_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false - }, - { - "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/e2e-health.yaml", - "status": "waiting_owner_response", - 
"source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_e2e_health_yaml", - "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/e2e-health.yaml", - "source_path": ".gitea/workflows/e2e-health.yaml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 1, - "line_refs": [ - 98 - ], - "line_hash_refs": [ - "d73ce94678f970a9" - ], - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - "proposed_change_summary": "Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "owner_response_ref": null, - "owner_role_or_team": "pending_owner_response", - "decision": "pending_owner_response", - "decision_reason": "pending_owner_response", - "affected_scope": "pending_owner_response", - "redacted_evidence_refs": [], - "message_shape_contract_ref": null, - "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json", - "redaction_contract_ref": null, - "formatter_convergence_decision": "pending_owner_response", - "gateway_or_alertmanager_target": "pending_owner_response", - "break_glass_fallback_decision": "pending_owner_response", - "delivery_receipt_ref": null, - "dedup_or_fingerprint_plan": "pending_owner_response", - "fallback_or_degraded_mode": "pending_owner_response", - "migration_or_exception_reason": "pending_owner_response", - "maintenance_window": "pending_owner_response", - "rollback_owner": "pending_owner_response", - "postcheck_evidence_ref": null, - "no_secret_value_attestation": "pending_owner_response", - "no_raw_payload_attestation": "pending_owner_response", - "no_false_green_attestation": "pending_owner_response", - "reviewer_outcome": "waiting_owner_response", - "followup_owner": "pending_owner_response", - "acceptance_fields": [ - "acceptance_candidate_id", - "source_request_draft_id", - 
"source_migration_candidate_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "owner_response_ref", - "owner_role_or_team", - "decision", - "decision_reason", - "affected_scope", - "redacted_evidence_refs", - "message_shape_contract_ref", - "message_readability_guard_ref", - "redaction_contract_ref", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "reviewer_outcome", - "followup_owner", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "source_owner_request_current", - "source_migration_plan_current", - "owner_identity_present", - "decision_reason_present", - "affected_scope_matches_source", - "redacted_refs_only", - "no_secret_or_token_value", - "no_raw_message_payload", - "message_shape_contract_present", - "message_readability_guard_present", - "redaction_contract_present", - "formatter_convergence_explicit", - "gateway_or_alertmanager_target_valid", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "maintenance_window_present", - 
"rollback_owner_present", - "postcheck_evidence_present", - "no_false_green_attested", - "migration_authorization_separate", - "counts_transition_safe", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "quarantine_secret_or_raw_payload", - "reject_execution_request", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_redaction_or_receipt_supplement", - "request_maintenance_or_rollback_supplement", - "ready_for_migration_review", - "owner_review_only_update", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - "bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "mark_owner_response_received_without_record", - "mark_owner_response_accepted_without_reviewer_record", - "send_telegram", - "call_bot_api", - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "store_internal_work_window_transcript", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - "accept_telegram_sent_without_delivery_receipt", - "skip_formatter_convergence", - "skip_redaction_contract", - "skip_dedup_or_fingerprint_review", - "skip_break_glass_fallback_review", - "authorize_migration", - "authorize_workflow_modification", - "authorize_script_modification", - "authorize_api_sender_refactor", - 
"open_runtime_gate", - "add_action_button" - ], - "not_authorization": true, - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - "owner_response_rejected": false, - "owner_response_quarantined": false, - "supplement_requested": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "maintenance_window_accepted": false, - "rollback_owner_accepted": false, - "postcheck_evidence_accepted": false, - "dedup_or_fingerprint_accepted": false, - "no_false_green_accepted": false, - "direct_bot_api_migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_dispatch_authorized": false, - "production_deploy_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false - }, - { - "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:.gitea/workflows/run-migration.yml", - "status": "waiting_owner_response", - "source_request_draft_id": "telegram_notification_egress_owner_request:_gitea_workflows_run_migration_yml", - "source_migration_candidate_id": "telegram_notification_egress_migration:.gitea/workflows/run-migration.yml", - "source_path": ".gitea/workflows/run-migration.yml", - "surface_kind": "gitea_workflow_direct_bot_api", - "direct_call_count": 1, - "line_refs": [ - 210 - ], - "line_hash_refs": [ - "934a8dd69fca99b3" - ], - "proposed_wave": "wave_1_workflow_notification_wrapper", - "proposed_target": "scripts/ci/notify-awoooi-cicd.sh or AWOOI Alertmanager webhook", - "proposed_change_summary": 
"Replace direct workflow Bot API send with normalized CI/CD notification wrapper after owner approval.", - "owner_response_ref": null, - "owner_role_or_team": "pending_owner_response", - "decision": "pending_owner_response", - "decision_reason": "pending_owner_response", - "affected_scope": "pending_owner_response", - "redacted_evidence_refs": [], - "message_shape_contract_ref": null, - "message_readability_guard_ref": "docs/security/telegram-alert-readability-guard.snapshot.json", - "redaction_contract_ref": null, - "formatter_convergence_decision": "pending_owner_response", - "gateway_or_alertmanager_target": "pending_owner_response", - "break_glass_fallback_decision": "pending_owner_response", - "delivery_receipt_ref": null, - "dedup_or_fingerprint_plan": "pending_owner_response", - "fallback_or_degraded_mode": "pending_owner_response", - "migration_or_exception_reason": "pending_owner_response", - "maintenance_window": "pending_owner_response", - "rollback_owner": "pending_owner_response", - "postcheck_evidence_ref": null, - "no_secret_value_attestation": "pending_owner_response", - "no_raw_payload_attestation": "pending_owner_response", - "no_false_green_attestation": "pending_owner_response", - "reviewer_outcome": "waiting_owner_response", - "followup_owner": "pending_owner_response", - "acceptance_fields": [ - "acceptance_candidate_id", - "source_request_draft_id", - "source_migration_candidate_id", - "source_path", - "surface_kind", - "direct_call_count", - "proposed_wave", - "proposed_target", - "owner_response_ref", - "owner_role_or_team", - "decision", - "decision_reason", - "affected_scope", - "redacted_evidence_refs", - "message_shape_contract_ref", - "message_readability_guard_ref", - "redaction_contract_ref", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - 
"maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation", - "reviewer_outcome", - "followup_owner", - "not_authorization" - ], - "required_owner_fields": [ - "owner_role_or_team", - "routing_purpose", - "current_sender", - "target_chat_route", - "message_shape_contract", - "redaction_contract", - "formatter_convergence_decision", - "gateway_or_alertmanager_target", - "break_glass_fallback_decision", - "delivery_receipt_ref", - "dedup_or_fingerprint_plan", - "fallback_or_degraded_mode", - "migration_or_exception_reason", - "maintenance_window", - "rollback_owner", - "postcheck_evidence_ref", - "no_secret_value_attestation", - "no_raw_payload_attestation", - "no_false_green_attestation" - ], - "reviewer_checks": [ - "source_owner_request_current", - "source_migration_plan_current", - "owner_identity_present", - "decision_reason_present", - "affected_scope_matches_source", - "redacted_refs_only", - "no_secret_or_token_value", - "no_raw_message_payload", - "message_shape_contract_present", - "message_readability_guard_present", - "redaction_contract_present", - "formatter_convergence_explicit", - "gateway_or_alertmanager_target_valid", - "break_glass_fallback_explicit", - "delivery_receipt_metadata_only", - "dedup_or_fingerprint_present", - "maintenance_window_present", - "rollback_owner_present", - "postcheck_evidence_present", - "no_false_green_attested", - "migration_authorization_separate", - "counts_transition_safe", - "runtime_gate_stays_zero" - ], - "outcome_lanes": [ - "waiting_owner_response", - "quarantine_secret_or_raw_payload", - "reject_execution_request", - "request_owner_route_supplement", - "request_formatter_convergence_supplement", - "request_redaction_or_receipt_supplement", - "request_maintenance_or_rollback_supplement", - "ready_for_migration_review", - "owner_review_only_update", - "waiting_runtime_gate" - ], - "forbidden_payloads": [ - 
"bot_token_value", - "chat_secret_value", - "secret_hash", - "partial_token", - "masked_token", - "authorization_header", - "raw_message_payload", - "raw_workflow_log", - "raw_action_log", - "raw_screenshot_with_secret", - "internal_work_window_transcript", - "private_namespace", - "unredacted_internal_path", - "unredacted_private_ip" - ], - "blocked_actions": [ - "mark_owner_response_received_without_record", - "mark_owner_response_accepted_without_reviewer_record", - "send_telegram", - "call_bot_api", - "modify_workflow", - "modify_ops_script", - "refactor_api_sender", - "dispatch_workflow", - "trigger_cd", - "deploy_production", - "change_chat_route", - "change_bot_token", - "rotate_secret", - "read_secret_store", - "collect_secret_value", - "collect_secret_hash", - "collect_partial_token", - "collect_chat_id_secret", - "store_raw_message_payload", - "store_unredacted_log", - "store_internal_work_window_transcript", - "accept_cd_success_as_delivery_receipt", - "accept_route_200_as_notification_delivery", - "accept_ui_visible_as_notification_acceptance", - "accept_telegram_sent_without_delivery_receipt", - "skip_formatter_convergence", - "skip_redaction_contract", - "skip_dedup_or_fingerprint_review", - "skip_break_glass_fallback_review", - "authorize_migration", - "authorize_workflow_modification", - "authorize_script_modification", - "authorize_api_sender_refactor", - "open_runtime_gate", - "add_action_button" - ], - "not_authorization": true, - "request_sent": false, - "recipient_confirmed": false, - "audit_event_emitted": false, - "owner_response_received": false, - "owner_response_accepted": false, - "owner_response_rejected": false, - "owner_response_quarantined": false, - "supplement_requested": false, - "formatter_convergence_accepted": false, - "redaction_contract_accepted": false, - "delivery_receipt_accepted": false, - "break_glass_fallback_accepted": false, - "maintenance_window_accepted": false, - "rollback_owner_accepted": false, - 
"postcheck_evidence_accepted": false, - "dedup_or_fingerprint_accepted": false, - "no_false_green_accepted": false, - "direct_bot_api_migration_authorized": false, - "workflow_modification_authorized": false, - "script_modification_authorized": false, - "api_sender_refactor_authorized": false, - "telegram_send_authorized": false, - "bot_api_call_authorized": false, - "workflow_dispatch_authorized": false, - "production_deploy_authorized": false, - "secret_value_collection_allowed": false, - "raw_payload_storage_allowed": false, - "production_write_authorized": false, - "runtime_gate": false, - "action_buttons_allowed": false - }, { "acceptance_candidate_id": "telegram_notification_egress_owner_response_acceptance:apps/api/src/services/channel_hub.py", "status": "waiting_owner_response", @@ -1850,10 +522,10 @@ "surface_kind": "ops_script_direct_bot_api", "direct_call_count": 1, "line_refs": [ - 90 + 120 ], "line_hash_refs": [ - "6611406903bc7d65" + "283499ad28d35d6a" ], "proposed_wave": "wave_2_ops_notification_wrapper", "proposed_target": "scripts/ops/notify-awoooi-ops.sh or AWOOI Alertmanager webhook", diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 82f6274e..79ba3c66 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py 
@@ -21645,13 +21645,13 @@ def validate(root: Path) -> None:
 "repo_only_scan_no_secret_value_no_telegram_send",
 )
 expected_telegram_notification_egress_summary = {
- "direct_bot_api_file_count": 11,
- "direct_bot_api_call_count": 18,
- "workflow_direct_bot_api_call_count": 13,
+ "direct_bot_api_file_count": 5,
+ "direct_bot_api_call_count": 5,
+ "workflow_direct_bot_api_call_count": 0,
 "ops_script_direct_bot_api_call_count": 4,
 "ci_script_direct_bot_api_call_count": 0,
 "api_direct_bot_api_call_count": 1,
- "gateway_normalized_callsite_count": 56,
+ "gateway_normalized_callsite_count": 57,
 "gateway_final_exit_formatter_present_count": 1,
 "required_owner_field_count": 18,
 "reviewer_check_count": 14,
@@ -21680,12 +21680,6 @@ def validate(root: Path) -> None:
 expected,
 )
 expected_telegram_direct_path_counts = {
- ".gitea/workflows/cd-dev.yaml": 3,
- ".gitea/workflows/cd.yaml": 5,
- ".gitea/workflows/code-review.yaml": 2,
- ".gitea/workflows/deploy-alerts.yaml": 1,
- ".gitea/workflows/e2e-health.yaml": 1,
- ".gitea/workflows/run-migration.yml": 1,
 "apps/api/src/services/channel_hub.py": 1,
 "scripts/ops/backup-from-110.sh": 1,
 "scripts/ops/docker-health-monitor.sh": 1,
@@ -21767,10 +21761,10 @@ def validate(root: Path) -> None:
 "metadata_only_no_secret_value_no_telegram_send_no_workflow_change",
 )
 expected_telegram_egress_owner_request_summary = {
- "source_direct_bot_api_call_count": 18,
- "source_direct_bot_api_file_count": 11,
- "request_draft_count": 11,
- "workflow_request_draft_count": 6,
+ "source_direct_bot_api_call_count": 5,
+ "source_direct_bot_api_file_count": 5,
+ "request_draft_count": 5,
+ "workflow_request_draft_count": 0,
 "ops_script_request_draft_count": 4,
 "ci_script_request_draft_count": 0,
 "api_direct_request_draft_count": 1,
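Review bot: The totals in `expected_telegram_notification_egress_summary` (first hunk, -21645) are hand-edited literals that restate what `expected_telegram_direct_path_counts` in the second hunk already encodes, and nothing visible ties the two together, so a future edit can change one and leave the other stale. The per-surface values do add up after this change (0 + 4 + 0 + 1 = 5), but that is only true because the author kept them in step by hand. Once both dicts are defined, compare `sum(expected_telegram_direct_path_counts.values())` with `expected_telegram_notification_egress_summary["direct_bot_api_call_count"]` and `len(expected_telegram_direct_path_counts)` with `["direct_bot_api_file_count"]`, using the comparison helper this file already calls. The same duplication appears in the owner-request summary (third hunk) and the acceptance summary at -22104. validate() starts and ends outside these hunks, so an equivalent cross-check may already exist further down.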
@@ -21808,12 +21802,6 @@ def validate(root: Path) -> None:
 expected,
 )
 expected_telegram_egress_request_paths = [
- ".gitea/workflows/cd-dev.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/code-review.yaml",
- ".gitea/workflows/deploy-alerts.yaml",
- ".gitea/workflows/e2e-health.yaml",
- ".gitea/workflows/run-migration.yml",
 "apps/api/src/services/channel_hub.py",
 "scripts/ops/backup-from-110.sh",
 "scripts/ops/docker-health-monitor.sh",
@@ -21907,22 +21895,22 @@ def validate(root: Path) -> None:
 "metadata_only_no_workflow_script_api_change_no_telegram_send",
 )
 expected_telegram_egress_migration_plan_summary = {
- "source_request_draft_count": 11,
- "source_direct_bot_api_call_count": 18,
- "migration_candidate_count": 11,
- "workflow_migration_candidate_count": 6,
+ "source_request_draft_count": 5,
+ "source_direct_bot_api_call_count": 5,
+ "migration_candidate_count": 5,
+ "workflow_migration_candidate_count": 0,
 "ops_script_migration_candidate_count": 4,
 "api_direct_migration_candidate_count": 1,
- "proposed_wave_count": 3,
+ "proposed_wave_count": 2,
 "plan_field_count": 17,
 "reviewer_check_count": 15,
 "outcome_lane_count": 9,
 "blocked_action_count": 21,
- "owner_response_required_count": 11,
- "maintenance_window_required_count": 11,
- "rollback_owner_required_count": 11,
- "postcheck_required_count": 11,
- "delivery_receipt_required_count": 11,
+ "owner_response_required_count": 5,
+ "maintenance_window_required_count": 5,
+ "rollback_owner_required_count": 5,
+ "postcheck_required_count": 5,
+ "delivery_receipt_required_count": 5,
 "owner_response_received_count": 0,
 "owner_response_accepted_count": 0,
 "migration_authorized_count": 0,
@@ -21947,7 +21935,6 @@ def validate(root: Path) -> None:
 "telegram_notification_egress_migration_plan_draft.proposed_waves",
 telegram_notification_egress_migration_plan_draft["proposed_waves"],
 [
- "wave_1_workflow_notification_wrapper",
 "wave_2_ops_notification_wrapper",
 "wave_3_api_sender_gateway",
 ],
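Review bot: In the -21907 hunk `"proposed_wave_count": 2` is a literal kept in step by hand with the expected wave list that the -21947 hunk edits separately, and that list now starts at `wave_2_ops_notification_wrapper` with nothing explaining where wave 1 went. If wave 1 is considered finished with this commit, say so next to the list, for example `# wave_1_workflow_notification_wrapper retired: workflows no longer call the Bot API directly; numbering kept for traceability`. The count would be harder to get wrong if it were checked against the length of that expected list instead of being retyped. validate() extends beyond both hunks, so a length check may already exist elsewhere.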
@@ -22025,13 +22012,13 @@ def validate(root: Path) -> None:
 "repo_source_scan_no_secret_value_no_telegram_send",
 )
 expected_telegram_egress_no_new_bypass_summary = {
- "source_direct_bot_api_call_count": 18,
- "source_direct_bot_api_file_count": 11,
- "baseline_signature_count": 18,
- "current_direct_bot_api_call_count": 18,
- "current_direct_bot_api_file_count": 11,
+ "source_direct_bot_api_call_count": 5,
+ "source_direct_bot_api_file_count": 5,
+ "baseline_signature_count": 5,
+ "current_direct_bot_api_call_count": 5,
+ "current_direct_bot_api_file_count": 5,
 "guarded_method_count": 9,
- "sendMessage_call_count": 18,
+ "sendMessage_call_count": 5,
 "sendDocument_call_count": 0,
 "sendPhoto_call_count": 0,
 "sendMediaGroup_call_count": 0,
@@ -22053,19 +22040,6 @@ def validate(root: Path) -> None:
 "telegram_notification_egress_no_new_bypass_guard.current_paths",
 [item["path"] for item in telegram_notification_egress_no_new_bypass_guard["current_direct_bot_api_calls"]],
 [
- ".gitea/workflows/cd-dev.yaml",
- ".gitea/workflows/cd-dev.yaml",
- ".gitea/workflows/cd-dev.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/cd.yaml",
- ".gitea/workflows/code-review.yaml",
- ".gitea/workflows/code-review.yaml",
- ".gitea/workflows/deploy-alerts.yaml",
- ".gitea/workflows/e2e-health.yaml",
- ".gitea/workflows/run-migration.yml",
 "apps/api/src/services/channel_hub.py",
 "scripts/ops/backup-from-110.sh",
 "scripts/ops/docker-health-monitor.sh",
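Review bot: In `expected_telegram_egress_no_new_bypass_summary` (-22025 hunk) `baseline_signature_count` and the `current_direct_bot_api_*` counts sit in the same dict and are edited together. As far as this hunk shows, the baseline is just another editable number: a later commit that adds a direct Bot API call could raise both values to match and the guard would still pass. Lowering the baseline from 18 to 5 here is the right direction, but the ratchet should be stated where the next editor will see it, e.g. `# baseline_signature_count may only decrease; raising it needs a recorded owner decision` above the dict. If a monotonic check against the previously committed baseline is feasible in this script, that would enforce the rule rather than document it. The rest of validate() is outside the hunk, so confirm no such check already exists before adding one.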
@@ -22104,11 +22078,11 @@ def validate(root: Path) -> None:
 "metadata_only_no_secret_value_no_telegram_send_no_workflow_script_api_change",
 )
 expected_telegram_egress_owner_response_acceptance_summary = {
- "source_request_draft_count": 11,
- "source_migration_candidate_count": 11,
- "source_direct_bot_api_call_count": 18,
- "acceptance_candidate_count": 11,
- "workflow_acceptance_candidate_count": 6,
+ "source_request_draft_count": 5,
+ "source_migration_candidate_count": 5,
+ "source_direct_bot_api_call_count": 5,
+ "acceptance_candidate_count": 5,
+ "workflow_acceptance_candidate_count": 0,
 "ops_script_acceptance_candidate_count": 4,
 "api_direct_acceptance_candidate_count": 1,
 "acceptance_field_count": 33,