Files
awoooi/docs/security/gitea-authenticated-inventory-export-request.snapshot.json

251 lines
11 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "gitea_authenticated_inventory_export_request_v1",
"status": "draft_waiting_owner_export",
"date": "2026-06-04",
"mode": "redacted_export_request_only",
"runtime_execution_authorized": false,
"source_contract": "gitea_repo_inventory_v1",
"source_indexes": [
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-public-repo-search.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/local-git-remote-inventory.snapshot.json",
"docs/security/gitea-readonly-inventory-approval.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"gitea_base_url": "http://192.168.0.110:3001",
"org_or_user": "wooo",
"public_only_repo_count": 2,
"local_gitea_unique_repo_count": 4,
"local_gitea_gap_count": 2,
"export_source_option_count": 2,
"target_inventory_status": "gitea_repo_inventory_v1.status=ok",
"token_value_collection_allowed": false,
"write_token_allowed": false,
"repo_write_allowed": false,
"refs_sync_allowed": false,
"github_primary_switch_authorized": false,
"action_buttons_allowed": false,
"s4_9_owner_response_gate_required": true,
"request_handoff_package_ready": true,
"request_dispatch_handoff_completion_percent": 100,
"request_packet_field_count": 8,
"request_dispatch_authorized": false,
"admin_export_payload_received_count": 0,
"admin_export_payload_accepted_count": 0,
"inventory_imported_count": 0,
"runtime_inventory_execution_authorized": false
},
"export_source_options": [
{
"option_id": "gitea_readonly_token_api_inventory",
"title": "Gitea read-only token API inventory",
"request_status": "waiting_human_approval_or_owner_export",
"producer": "repo owner or security commander runs existing read-only inventory tool",
"allowed_processing": [
"使用 `GITEA_READONLY_TOKEN` 環境變數執行 `scripts/security/gitea-repo-inventory.py`",
"輸出只保存 `token_present=true`,不保存 token value",
"只查 repo metadatafull name、owner、private、archived、empty、default branch、redacted clone / ssh URL",
"產出 `gitea_repo_inventory_v1.status=ok` snapshot 等待人工 review"
],
"blocked_processing": [
"把 token value 寫入文件、LOGBOOK、shell script、snapshot 或對話",
"使用 write-capable token",
"建立、刪除、封存或修改 Gitea repo",
"sync refs 或切 GitHub primary"
],
"acceptance_gate": [
"`visibility_scope=authenticated`",
"`status=ok`",
"`repo_count` 大於或等於 public-only repo count",
"owner 必須確認 read-only token 沒有 write / admin / secret scope",
"敏感字串掃描不得出現 token、password、private key、webhook secret 或 repository secret value"
],
"execution_authorized": false
},
{
"option_id": "gitea_redacted_admin_export_inventory",
"title": "Gitea redacted admin export inventory",
"request_status": "waiting_human_approval_or_owner_export",
"producer": "Gitea administrator exports repo metadata and redacts before import",
"allowed_processing": [
"匯入已脫敏的 repo list JSON",
"只保留 repo metadata不保留 secret、webhook、deploy key 或 token material",
"產出 `visibility_scope=admin_export` 與 `status=ok` 的 inventory snapshot",
"將 export 與 local remote inventory 做 coverage review"
],
"blocked_processing": [
"匯入 Gitea DB dump、完整 git object pack、private key 或 webhook secret",
"保存 API token、PAT、cookie、session、CSRF token",
"用管理匯出直接建立 GitHub repo 或同步 refs",
"把 admin export 當成 primary cutover approval"
],
"acceptance_gate": [
"`visibility_scope=admin_export`",
"`status=ok`",
"每筆 repo 都可識別 `full_name` 或 `owner.login + name`",
"每筆 repo 都有 `private`、`archived`、`empty` 與 `default_branch` metadata",
"所有 URL 必須 redacted且不含 username、password 或 token"
],
"execution_authorized": false
}
],
"required_inventory_fields": [
"full_name or owner.login + name",
"name",
"owner.login",
"private",
"archived",
"empty",
"default_branch",
"clone_url_redacted",
"ssh_url_redacted",
"github_repo_candidate"
],
"coverage_gap_hints": [
{
"gap_id": "public_only_vs_local_gitea_gap",
"title": "Public-only API 與本機 Gitea remote 覆蓋差異",
"current_evidence": [
"Public-only Gitea API 目前只看到 `wooo/awoooi` 與 `wooo/ewoooc`",
"本機 remote inventory 看到 4 個 unique Gitea repos`wooo/awoooi`、`wooo/clawbot-v5`、`wooo/ewoooc`、`wooo/wooo-aiops`",
"至少 `wooo/clawbot-v5` 與 `wooo/wooo-aiops` 需要 authenticated inventory 或 owner attestation 解釋"
],
"required_resolution": [
"authenticated inventory 或 admin export 必須包含這些 local-gitea repos或由 owner 明確標註為 external / legacy / inaccessible",
"缺口只能進 owner review不得自動建立、刪除或封存 repo"
],
"execution_authorized": false
},
{
"gap_id": "org_endpoint_blocked_gap",
"title": "Gitea org endpoint 未認證查詢 blocked",
"current_evidence": [
"`orgs/wooo/repos` 未認證查詢先前為 blocked / 404 evidence",
"`users/wooo/repos` 與 public search 都只代表 public-only 可見範圍"
],
"required_resolution": [
"用 read-only token 或 redacted admin export 確認 `wooo` 是 user、org 或混合來源",
"不得把未認證 404 解讀為沒有 private/internal repos"
],
"execution_authorized": false
},
{
"gap_id": "internal_110_adjacent_source_gap",
"title": "110 internal git adjacent source-control gap",
"current_evidence": [
"本機 remote inventory 另看到 internal 110 repos`bitan-pharmacy`、`root/momo-pro-system`、`tsenyang-website`、`wooo/wooo-infra-config`",
"這些不等同 Gitea org inventory但會影響完整專案版本遷移"
],
"required_resolution": [
"Gitea authenticated inventory 完成後,仍需 owner 判定 internal 110 repos 是否屬於同一輪 GitHub migration scope",
"不得在 Gitea inventory request 中自動合併 internal 110 source"
],
"execution_authorized": false
}
],
"request_dispatch_preflight_checks": [
{
"check_id": "p1-2-prerequisite-s4-9-owner-response",
"display_order": 1,
"check": "S4.9 五題 owner response request packet 已可交接,且 request / received / accepted 分離。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "p1-2-source-option-selected",
"display_order": 2,
"check": "只讀 token API 清冊或 redacted admin export 清冊二選一,不要求同時提供。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "p1-2-metadata-only-output",
"display_order": 3,
"check": "收件欄位只收 repo metadata、redacted URL、owner/team 與 evidence refs。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "p1-2-forbidden-sensitive-inputs",
"display_order": 4,
"check": "禁止 token value、write token、DB dump、git object pack、secret、webhook、deploy key 或 runner token material。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "p1-2-counts-remain-zero",
"display_order": 5,
"check": "實際收到 payload 前received / accepted / imported count 全部維持 0。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
}
],
"request_handoff_packet": {
"request_id": "p1_2_gitea_authenticated_inventory_request",
"prerequisite_gate": "s4_9_owner_response_gate",
"allowed_source_options": [
"readonly_token_api_inventory",
"redacted_admin_export_inventory"
],
"recipient_role_or_team_required": true,
"requested_outputs": [
"repo_metadata",
"redacted_clone_url",
"redacted_ssh_url",
"visibility_scope",
"coverage_notes",
"redacted_evidence_refs"
],
"forbidden_inputs": [
"token_value",
"write_credential",
"database_dump",
"repo_archive",
"git_object_pack",
"deploy_key_private_key",
"webhook_secret",
"runner_registration_token"
],
"intake_acceptance_ref": "docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md",
"not_approval": true,
"execution_authorized": false
},
"post_dispatch_invariants": [
" payload ",
"S4.6 import acceptance gitea_repo_inventory_v1.status=ok",
"S4.7 / S4.9 owner response coverage gap reviewer",
" repo refs syncworkflow / secret GitHub primary cutoverGitea runtime gate "
],
"acceptance_rules": [
"S4.5 Gitea authenticated inventory export request inventory ",
" gate `gitea_repo_inventory_v1.status=ok` `visibility_scope` `authenticated` `admin_export`",
"export public-only repo count 2 local Gitea unique repo count 4 gap",
" mirror quarantine",
" inventory gate migration matrixdecision tableapproval board readiness gate refs GitHub primary"
],
"redaction_rules": [
"API token `token_present=true|false` value",
"URL usernamepasswordtoken query secret redacted clone / ssh URL",
" webhook secretrepository secret valuedeploy key private keyrunner registration tokencookiesession CSRF token",
" Gitea DB dump git object pack credentials partial token",
" export "
],
"forbidden_actions": [
"store_token_value",
"use_write_capable_token",
"write_to_gitea",
"create_gitea_repo",
"delete_or_archive_gitea_repo",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"delete_git_refs",
"force_push",
"switch_github_primary",
"disable_gitea",
"add_action_button"
]
}