16 KiB
Source Control Owner Response Validation Rollup
| 項目 | 內容 |
|---|---|
| 日期 | 2026-05-19 |
| 狀態 | 草案,等待 owner responses |
| 資料契約 | docs/schemas/source_control_owner_response_validation_rollup_v1.schema.json |
| 快照 | docs/security/source-control-owner-response-validation-rollup.snapshot.json |
| 模式 | owner_response_validation_rollup_only |
| 執行面授權 | false |
0. 核心結論
S4.13 補的是「四個 owner response 收件包的只讀驗收彙整」。
它彙整 S4.9 Gitea owner attestation response、S4.10 GitHub target owner decision response、S4.11 refs truth owner response、S4.12 workflow / secret name owner response。目的只是讓 AwoooP 有單一入口看到哪些 owner response 尚未收到、哪些可驗收、哪些必須拒收或隔離。
S4.13 不新增第 36 個主 contract,不新增 approval item,不啟用 runtime gate,不新增 action button,也不把任何 response 當成 repo creation、visibility change、refs sync、workflow 修改、secret 搬移、runner 啟用或 GitHub primary approval。
1. Rollup 摘要
| 指標 | 值 |
|---|---|
| response packets | 4 |
| validation lanes | 4 |
| response templates | 22 |
| 已收到 response | 0 |
| 已接受 response | 0 |
| 已拒收 response | 0 |
| acceptance checks | 32 |
| rejection rules | 40 |
| cross-packet checks | 10 |
| evidence routing rules | 6 |
| display sections | 8 |
| state transition rules | 7 |
| reviewer checklist | 9 |
| quarantine required | true |
| primary ready count | 0 |
| runtime execution authorized | false |
| action buttons allowed | false |
1.1 最新本機只讀驗證
| 項目 | 結果 |
|---|---|
| 日期 | 2026-05-19 |
| 範圍 | repo_snapshot_only |
| 指令 | python3 scripts/security/source-control-owner-response-guard.py |
| 結果 | SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK |
| 已收到 response | 0 |
| 已接受 response | 0 |
| runtime actions authorized | false |
| repo / refs actions authorized | false |
| workflow / secret actions authorized | false |
這表示四包 owner response snapshot 與 S4.13 rollup 的只讀 guard 已通過;不表示 owner response 已收到,也不授權 repo、refs、workflow、secret、runner、GitHub primary 或任何 runtime 動作。
2. 四條驗收 Lane
| Lane | 來源 | Templates | 目前狀態 |
|---|---|---|---|
| S4.9 Gitea owner attestation response | GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md |
5 | 等待 response |
| S4.10 GitHub target owner decision response | GITHUB-TARGET-OWNER-DECISION-RESPONSE.md |
7 | 等待 response |
| S4.11 refs truth owner response | SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md |
5 | 等待 response |
| S4.12 workflow / secret name owner response | SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md |
5 | request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks 已定義,等待 response |
2.1 AwoooP 可顯示的缺口摘要
| Lane | 缺口 | 下一步 | 仍禁止 |
|---|---|---|---|
| S4.9 Gitea owner attestation | 5 個 response templates 尚未收到 | Owner 回覆 5 個 Gitea coverage attestation items,只引用脫敏 evidence refs | 不收 token value、不寫 Gitea、不 sync refs、不切 primary |
| S4.10 GitHub target decision | 7 個 response templates 尚未收到 | Owner 依 S4.10 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 回覆 7 個 GitHub target 的 owner / visibility / canonical disposition | 不建 repo、不改 visibility、不 sync refs、不切 primary |
| S4.11 refs truth | 5 個 response templates 尚未收到 | Owner 依 S4.11 request packet、template status ledger、audit event templates、redaction examples、collection checks 與 intake preflight checks 回覆 refs truth、deprecated drift、release tags 與 GitHub-only refs disposition | 不 fetch / push / delete refs、不 force push、不切 primary |
| S4.12 workflow / secret name | 1 個 request packet 已定義、5 個 template statuses 仍 waiting、3 個 audit event templates 仍 0 emitted、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 已定義、5 個 response templates 尚未收到 | Owner 依 request packet、audit event templates、redaction examples、collection checks 與 intake preflight checks 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS、secret name parity 的脫敏狀態 | 不收 secret value、不改 workflow、不啟用 runner、不切 primary |
2.2 建議收件順序
| 順序 | Lane | 為什麼先後這樣排 |
|---|---|---|
| 1 | S4.9 Gitea owner attestation | 先確認 Gitea 覆蓋範圍與 canonical owner,避免後續 GitHub target / refs 判定建立在不完整 inventory 上 |
| 2 | S4.10 GitHub target decision | 再確認 GitHub target owner / visibility / canonical,避免 not_found_or_private 被誤解成可直接建立 repo |
| 3 | S4.11 refs truth | GitHub target owner / visibility 明確後,再判定 branch / tag 真相來源,避免 refs sync 或 delete 被提前誤用 |
| 4 | S4.12 workflow / secret name | 最後補 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 parity,避免 secret 或 runner 變更早於 source truth |
這個順序只讓 AwoooP 顯示下一個建議收件項目,不是 approval queue、不是 execution queue,也不授權任何 repo、refs、workflow、secret、runner 或 primary 動作。
2.3 下一個建議收件項目
| 欄位 | 內容 |
|---|---|
| 下一步 | S4.9 Gitea owner attestation response |
| 需要回覆 | 5 個 Gitea coverage attestation items |
| 顯示模式 | display_next_collection_item_only |
| 目前 received / accepted | 0 / 0 |
| 仍禁止 | 不收 token value、不寫 Gitea、不 sync refs、不切 GitHub primary |
next_collection_candidate 只讓 AwoooP Operator Console 顯示「現在先收 S4.9」。它不是批准、不是執行排程,也不是後續 S4.10 / S4.11 / S4.12 已可接受的訊號。
AwoooP 顯示 S4.9 時,應同步讀取 gitea-inventory-owner-attestation-response.snapshot.json 的 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、6 個 intake preflight checks 與 5 個 outcome lanes;request packet 只提示 owner 要填什麼與不得貼什麼,template statuses 只逐項顯示 waiting / request ready,audit event templates 只定義 request shown / response received metadata / outcome classified 的脫敏 metadata 欄位且目前 0 emitted,redaction examples 只提供安全回覆形狀,display sections 只固定只讀 UI 順序,collection checks 只維持 request / received / accepted 狀態分離,preflight / outcome 只分類可審、補證、隔離、拒收或等待,不代表 owner response accepted 或 AwoooP production ingestion 已啟用。
3. Cross-Packet 驗收規則
- 四個 source response packets 都必須可解析,且 summary 欄位存在。
- response template count 必須對齊來源:
5 + 7 + 5 + 5 = 22。 - received / accepted / rejected count 必須明確列出;目前皆為
0 / 0 / 0。 - 即使未來 response 通過,也只能更新 read-only wording、matrix 或 readiness 欄位。
- 四個 packets 都必須保留 rejection rules;總數 40。
- 不得收 token、secret、private key、cookie、session、partial credential 或未脫敏 payload。
- 不得夾帶 write token、admin API、repo write、workflow 修改、runner 啟用或 secret rotate。
- 不得把 response 當成 refs sync、delete refs、force push 或 GitHub primary approval。
- 任何不確定是否含敏感值的 response 都先 quarantine。
- 接受 response 後必須同步更新 source packet、validation rollup、security mirror rollup、primary readiness gate 與 LOGBOOK。
3.1 Evidence Routing Rules
| 順序 | Rule | 只讀路由 | 禁止誤用 |
|---|---|---|---|
| 1 | 已知 owner response lane | 已知 S4.9 / S4.10 / S4.11 / S4.12 lane 與 template 才能進入對應 source packet preflight | 不認識的 lane 不得自動新增 template 或標成 received |
| 2 | 必填欄位完整 | 缺 owner、decision、reason、repo/provider metadata 或 evidence refs 時只要求補證 | 不增加 received / accepted count |
| 3 | 敏感 payload 隔離 | 疑似 token、secret、private key、cookie、session、runner token、webhook secret、deploy key material、authorization header、private URL credential 或未脫敏截圖時送 mirror quarantine | 不保存 raw payload、不渲染敏感材料 |
| 4 | 執行要求拒收 | 夾帶 repo、visibility、refs、workflow、webhook、runner、secret、Kali scan 或 GitHub primary 執行要求時 hard reject | 不建立 runtime gate、不新增 action button |
| 5 | 跨包矛盾進 owner review | owner、repo、visibility、truth source 或 secret 名稱在四包之間矛盾時只進人工 review | 不自動覆蓋 source packet |
| 6 | 通過後只更新只讀 wording | 所有 source preflight、acceptance、cross-packet checks 與 quarantine rules 通過後,只能更新 read-only readiness / matrix wording | 不解鎖 repo、refs、workflow、secret、runner 或 primary 動作 |
這 6 條規則只讓 AwoooP 決定 evidence pointer 應顯示、補證、隔離、拒收或進人工 review;它們不代表 owner response 已收到、已接受、可執行或可切換 GitHub primary。
3.2 Display Sections
| 順序 | Section | 顯示來源 | 邊界 |
|---|---|---|---|
| 1 | Owner response validation 總覽 | summary |
只顯示四包、22 templates、received / accepted / rejected 皆為 0 與 false flags |
| 2 | Missing owner response lanes | missing_response_lanes |
只顯示四條缺口與下一步 owner action,不新增 response |
| 3 | Owner response collection order | owner_response_collection_order |
只顯示建議收件順序,不是 execution queue |
| 4 | Next collection candidate | next_collection_candidate |
只顯示目前先收 S4.9,不代表 S4.10-S4.12 可提前接受 |
| 5 | Cross-packet acceptance checks | cross_packet_acceptance_checks |
只讀驗收檢查,不解鎖 runtime |
| 6 | Evidence routing rules | owner_response_evidence_routing_rules |
只路由補證、隔離、拒收、跨包 review 或只讀更新 |
| 7 | Quarantine 與禁止事項 | quarantine_rules / forbidden_actions |
只顯示敏感 payload、write/admin/action button 與 primary 禁令 |
| 8 | 最新本機只讀驗證 | latest_local_validation |
只顯示 snapshot guard 結果,不代表 production ingestion |
這 8 個 sections 只固定 AwoooP Operator Console 的呈現順序;不新增 approval item、不建立 runtime gate、不新增 action button,也不增加 received / accepted count。
3.3 State Transition Rules
| 順序 | Rule | 狀態轉移 | 邊界 |
|---|---|---|---|
| 1 | Waiting → received pending validation | 已知 lane / template、必填欄位完整、evidence refs 已脫敏時,才可顯示候選收件 | 不增加 accepted count、不建立 runtime gate |
| 2 | Missing fields → request more evidence | 缺 owner、decision、reason、metadata 或 evidence refs 時只補證 | 不增加 received / accepted count、不解鎖 primary readiness |
| 3 | Sensitive payload → mirror quarantine | 疑似 token、secret、private key、cookie、session、runner token、webhook secret、deploy key material、authorization header、private URL credential 或未脫敏截圖時隔離 | 不保存 raw payload、不渲染敏感材料 |
| 4 | Execution request → hard rejected | 夾帶 repo、visibility、refs、workflow、webhook、runner、secret、Kali scan、GitHub hosted runner 或 GitHub primary 執行要求時拒收 | 不建立 action button、不排入 execution queue |
| 5 | Cross-packet conflict → owner review | S4.9-S4.12 owner、repo、visibility、truth source 或 secret 名稱互相矛盾時進人工 review | 不自動覆蓋 source packet、不自動 merge |
| 6 | Validation pass → read-only update | source packet preflight、acceptance、cross-packet checks 與 quarantine rules 都通過時只更新 wording | 不建 repo、不 sync refs、不改 workflow/secret、不啟用 runner/primary |
| 7 | Read-only update → waiting runtime gate | read-only wording 完成後仍等待獨立人工批准與 runtime gate | 不把文件更新當 runtime approval、不消耗 GitHub hosted runner minutes |
這 7 條 state transition rules 只讓 AwoooP 顯示 owner response validation 的狀態語義;它們不代表 response 已接受、approval 已成立、runtime gate 已啟用或任何 repo / refs / workflow / secret / runner / primary 動作可執行。
3.4 Reviewer Checklist
| 順序 | Checklist | Reviewer 只讀確認 | 失敗路由 |
|---|---|---|---|
| 1 | Lane 與 template 已知 | evidence pointer 屬於 S4.9-S4.12 既有 lane / template | request more evidence |
| 2 | 必填 owner 欄位完整 | owner、decision、reason、repo/provider metadata、evidence refs 都存在 | request more evidence |
| 3 | Evidence refs 已脫敏 | 只接受文件路徑、ticket id、hash 或摘要,不接受 raw payload | mirror quarantine |
| 4 | Source packet preflight 通過 | 對應 S4.9-S4.12 intake preflight checks 已有結果 | source packet preflight failure route |
| 5 | Cross-packet 一致 | owner、repo、visibility、truth source、workflow / secret name parity 無矛盾 | cross-packet owner review |
| 6 | 無敏感 payload | 無 token、secret、private key、cookie、session、runner token、webhook secret、deploy key material、authorization header 或 partial credential | mirror quarantine |
| 7 | 無執行意圖 | 無 repo、refs、workflow、webhook、runner、secret、Kali scan、GitHub hosted runner 或 primary switch 要求 | hard reject |
| 8 | 只更新 read-only wording | 通過後只更新 evidence、matrix、decision table、reconcile wording 或 readiness wording | block candidate |
| 9 | 後續 runtime gate 仍需獨立批准 | active runtime gate、primary ready、action buttons 都仍為 0 / false | block candidate |
這 9 個 checklist items 只提供 reviewer 檢查順序;不會增加 received / accepted count,不會形成 approval,也不會建立 runtime gate、execution queue 或 action button。
4. AwoooP 可做
- 顯示四個 response packets 的總覽與缺口。
- 顯示 22 個 response templates、32 個 acceptance checks、40 個 rejection rules。
- 顯示目前 received / accepted / rejected response 皆為 0。
- 將不完整或可疑 response 導入 mirror quarantine。
- 顯示 6 條 evidence routing rules,讓 reviewer 知道 evidence pointer 應補證、隔離、拒收、送跨包 review 或只讀更新。
- 顯示 8 個 validation display sections,固定總覽、缺口、收件順序、下一個收件、cross-packet checks、routing、quarantine 與本機驗證的只讀區塊。
- 顯示 7 條 state transition rules,固定 waiting、pending validation、補證、隔離、拒收、owner review、read-only update 與 waiting runtime gate 的只讀語義。
- 顯示 9 個 reviewer checklist items,讓人工審查先確認 lane、必填欄位、脫敏、preflight、cross-packet consistency、無敏感 payload、無執行意圖與後續 runtime gate 邊界。
- 在未來 response 通過後,只更新 read-only evidence、matrix、decision table、reconcile wording 或 readiness wording。
5. AwoooP 不可做
- 不要求使用者貼 token、secret、private key、cookie、session、deploy key、runner token 或 webhook secret。
- 不使用 write token。
- 不建立 GitHub repo、不修改 visibility、不寫 Gitea repo。
- 不 sync refs、不 delete refs、不 force push。
- 不修改 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret。
- 不啟用 GitHub hosted runner,不讓此階段消耗 GitHub Actions hosted minutes。
- 不切 GitHub primary。
- 不新增 execution action button。
6. 階段定位
S4.13 是 S4.9 到 S4.12 的彙整驗收入口。
它讓另一個 AwoooP session 可以用一份 rollup 看懂「現在缺哪些 owner response」,但不改變任何 runtime 狀態。真正進入 GitHub primary、refs migration、workflow/secret parity completion 或 Kali runtime ingestion 之前,仍必須等 owner responses、redacted payload、rollback ADR、人工批准與 follow-up runtime gate 全部補齊。