Files
awoooi/docs/security/source-control-workflow-secret-name-owner-response.snapshot.json
Your Name e8e15faf28
All checks were successful
CD Pipeline / tests (push) Successful in 1m26s
Code Review / ai-code-review (push) Successful in 12s
CD Pipeline / build-and-deploy (push) Successful in 4m31s
CD Pipeline / post-deploy-checks (push) Successful in 1m32s
feat(security): 擴充 source-control 納管範圍
2026-06-11 19:23:40 +08:00

1226 lines
55 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "source_control_workflow_secret_name_owner_response_v1",
"status": "draft_waiting_owner_response",
"date": "2026-06-11",
"mode": "owner_workflow_secret_name_response_intake_only",
"runtime_execution_authorized": false,
"source_contract": "source_control_workflow_secret_name_inventory_v1",
"target_contract": "source_control_workflow_secret_name_export_request_v1",
"source_indexes": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"summary": {
"owner_response_status": "waiting_owner_response",
"candidate_repo_count": 10,
"in_scope_repo_count": 9,
"export_request_count": 9,
"export_lane_count": 5,
"local_evidence_repo_count": 5,
"local_workflow_file_count": 33,
"local_referenced_secret_name_count": 42,
"owner_response_request_packet_count": 1,
"owner_response_template_status_count": 5,
"owner_response_audit_event_template_count": 3,
"owner_response_redaction_example_count": 5,
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"acceptance_check_count": 8,
"rejection_rule_count": 10,
"secret_value_collection_allowed": false,
"write_token_allowed": false,
"workflow_modification_authorized": false,
"webhook_modification_authorized": false,
"runner_change_authorized": false,
"deploy_key_change_authorized": false,
"branch_protection_change_authorized": false,
"repo_secret_change_authorized": false,
"github_hosted_runner_enable_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"action_buttons_allowed": false,
"owner_response_collection_check_count": 6,
"intake_preflight_check_count": 6,
"workflow_secret_owner_handoff_package_ready": true,
"workflow_secret_owner_handoff_completion_percent": 100,
"workflow_secret_owner_handoff_check_count": 6,
"workflow_secret_owner_handoff_packet_field_count": 9,
"workflow_secret_owner_request_dispatch_authorized": false,
"secret_name_parity_complete": false,
"secret_value_or_hash_collection_allowed": false,
"workflow_secret_owner_response_handoff_not_approval": true
},
"workflow_secret_owner_handoff_preflight_checks": [
{
"check_id": "p1-4-baseline-sync",
"display_order": 1,
"check": "送件前確認 gitea/main、local evidence、S4.9-S4.12 source packets 最新狀態。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "p1-4-local-evidence-freshness",
"display_order": 2,
"check": "以 2026-06-04 local evidence 的 31 個 workflow files、42 個 unique secret names、5 個 runner labels 為基準。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "p1-4-five-response-lanes",
"display_order": 3,
"check": "webhook、runner、deploy key、branch protection / CODEOWNERS、repository secret name parity 逐項追蹤。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "p1-4-metadata-only",
"display_order": 4,
"check": "只收 redacted host、runner label、key name、ruleset / CODEOWNERS metadata、secret name / scope / present-absent。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "p1-4-secret-material-rejected",
"display_order": 5,
"check": "secret value、hash、masked token、partial token、private key、runner token、webhook secret 全部拒收或隔離。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
},
{
"check_id": "p1-4-execution-request-rejected",
"display_order": 6,
"check": "workflow / webhook / runner / deploy key / branch protection / repository secret 修改、hosted runner enable、refs sync、primary switch 全部 hard reject。",
"current_status": "defined_not_dispatched",
"execution_authorized": false
}
],
"workflow_secret_owner_handoff_packet": {
"request_id": "p1_4_workflow_secret_owner_response_handoff",
"stage_id": "S4.12",
"source_evidence_summary": {
"local_evidence_repo_count": 5,
"local_workflow_file_count": 33,
"local_referenced_secret_name_count": 42,
"runner_label_count": 5
},
"requested_templates": [
"response-webhook-redacted-export",
"response-runner-label-owner",
"response-deploy-key-redacted-export",
"response-branch-protection-codeowners",
"response-repository-secret-name-parity"
],
"recipient_role_or_team_required": true,
"required_response_fields": [
"owner_role_or_team",
"decision",
"repo",
"provider",
"lane",
"lane_specific_owner",
"lane_specific_metadata",
"redacted_evidence_refs",
"followup_owner"
],
"allowed_metadata": [
"redacted_host",
"event_types",
"runner_label",
"key_name",
"required_checks",
"codeowners_path",
"secret_name",
"scope",
"present_absent"
],
"forbidden_inputs": [
"secret_value",
"secret_hash",
"masked_token",
"partial_token",
"token_value",
"runner_registration_token",
"webhook_secret",
"private_key",
"deploy_key_private_key",
"authorization_header",
"workflow_modification_request",
"runner_enablement_request",
"github_hosted_runner_enable_request",
"repository_secret_change_request",
"github_primary_switch_request"
],
"not_approval": true,
"execution_authorized": false
},
"post_dispatch_invariants": [
"Owner response 到來後仍需先進 S4.12 intake preflight 與 reviewer validation。",
"通過後只可更新 read-only workflow / secret name inventory、export request、primary readiness blocker wording 與 status rollup。",
"不得建立、複製、rotate、修改或刪除 secret。",
"不得改 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS不得啟用 GitHub hosted runner。",
"不得 sync refs、切 GitHub primary 或停用 Gitea。"
],
"owner_response_request_packet": {
"request_id": "s4_12_workflow_secret_name_owner_response_request",
"display_status": "ready_to_request_owner_response",
"requested_packet": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
"required_response_item_count": 5,
"requested_template_ids": [
"response-webhook-redacted-export",
"response-runner-label-owner",
"response-deploy-key-redacted-export",
"response-branch-protection-codeowners",
"response-repository-secret-name-parity"
],
"owner_instruction_summary": "請 owner 只依 S4.12 五個 templates 回覆 webhook、runner、deploy key、branch protection / CODEOWNERS 與 repository secret name parity 的脫敏 metadata不要貼 secret value、token、runner token、webhook secret、private key、deploy key value、完整 URL credential、request body、header、未脫敏截圖或任何 workflow / secret / runner 執行要求。",
"allowed_response_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"lane",
"webhook_name_or_none",
"destination_host_redacted",
"event_types",
"active_enabled_flag",
"webhook_owner",
"runner_label_or_none",
"runner_scope",
"executor_type",
"hosted_or_self_hosted",
"runner_owner",
"github_hosted_minutes_risk",
"maintenance_window",
"key_name_or_none",
"read_only_flag",
"repo_scope",
"key_owner",
"rotation_owner",
"protected_branch_name_or_none",
"required_review_count",
"required_status_check_names",
"codeowners_path_or_none",
"owner_team_names",
"ruleset_owner",
"secret_name_list_or_none",
"secret_scope",
"owning_team",
"used_by_workflow_name",
"present_in_gitea",
"present_in_github",
"evidence_refs",
"followup_owner"
],
"evidence_ref_rules": [
"只允許 repo 內既有文件、snapshot、workflow 檔名、job 名稱、secret 名稱、runner label、redacted host 或已脫敏 owner metadata pointer。",
"secret parity 只能保存 secret name / scope / present-absent metadata / owner不得保存 value、hash、masked token 或 partial token。",
"runner 回覆只能標示 self-hosted / hosted 風險 review candidate不得視為 GitHub hosted runner 啟用批准。",
"webhook 回覆只能保存 redacted host、event types、enabled flag 與 owner不得保存 webhook secret、tokenized URL、header 或 payload body。",
"deploy key 回覆只能保存 key 名稱、read-only flag、repo scope 與 owner不得保存 private key、完整 public key 或 credential material。",
"不確定是否含敏感值時先走 mirror quarantine不得直接貼入 response。"
],
"forbidden_payloads": [
"secret_value",
"token_value",
"private_key",
"deploy_key_value",
"runner_registration_token",
"runner_admin_token",
"webhook_secret",
"cookie_or_session",
"authorization_header",
"private_clone_url_credential",
"complete_webhook_payload_url",
"query_token",
"request_body",
"response_body",
"secret_hash",
"masked_token",
"partial_credential",
"workflow_modification_request",
"webhook_modification_request",
"runner_enablement_request",
"deploy_key_rotation_request",
"branch_protection_change_request",
"repository_secret_change_request",
"github_hosted_runner_enable_request",
"refs_sync_request",
"github_primary_switch_request",
"execution_request_payload"
],
"allowed_submission_modes": [
"markdown_table_redacted_metadata",
"json_redacted_metadata_pointer",
"existing_repo_doc_reference",
"awooop_manual_review_note"
],
"awooop_display_mode": "display_owner_response_request_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"不收集或保存 secret value、token value、runner token、webhook secret、private key、deploy key value、cookie 或 session",
"不使用 write token 或 write API",
"不修改 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret",
"不 rotate、建立、複製或刪除 secret",
"不啟用 GitHub hosted runner 或消耗 GitHub Actions 額度",
"不 sync refs、不建立 repo、不修改 visibility、不切 GitHub primary",
"不停用、刪除、封存或降級 Gitea repo",
"不新增 AwoooP execution action button"
]
},
"owner_response_template_statuses": [
{
"template_id": "response-webhook-redacted-export",
"lane": "webhook_redacted_export_request",
"display_order": 1,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 webhook 名稱、redacted host、event types、enabled flag 與 webhook owner不得貼 webhook secret、tokenized URL、header、cookie 或 payload body。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"不建立、修改、停用或刪除 webhook",
"不保存 webhook secret、完整 payload URL、query token、header、cookie 或 request body",
"不把 request_ready_not_sent 當成 webhook inventory complete"
]
},
{
"template_id": "response-runner-label-owner",
"lane": "runner_label_owner_export_request",
"display_order": 2,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 runner label、executor type、self-hosted / hosted、runner owner、GitHub hosted minutes 風險與 maintenance window不得貼 runner token、host password、SSH key 或 admin token。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"不新增、啟用、停用或改 runner label",
"不啟用 GitHub hosted runner 或消耗 GitHub Actions 額度",
"不保存 runner registration token、admin token、SSH private key 或 host password"
]
},
{
"template_id": "response-deploy-key-redacted-export",
"lane": "deploy_key_redacted_export_request",
"display_order": 3,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 deploy key / machine key 名稱、read-only flag、repo scope、key owner 與 rotation owner不得貼 private key、完整 public key、token value 或 password。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"不新增、刪除、rotate 或修改 deploy key",
"不保存 private key、完整 public key、token value、password 或 credential value",
"不把 write-capable key 風險 candidate 當成 rotation approval"
]
},
{
"template_id": "response-branch-protection-codeowners",
"lane": "branch_protection_codeowners_export_request",
"display_order": 4,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 protected branch、required checks、required review count、CODEOWNERS path、owner teams 與 ruleset owner不得要求立即修改 branch protection、ruleset 或 CODEOWNERS。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"不修改 branch protection、ruleset、required checks 或 CODEOWNERS",
"不保存 PAT、admin override token、team secret、session cookie 或未脫敏截圖",
"不把 branch protection response 當成 primary readiness complete"
]
},
{
"template_id": "response-repository-secret-name-parity",
"lane": "repository_secret_name_parity_export_request",
"display_order": 5,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 repository secret 名稱、scope、owning team、used-by workflow、present_in_gitea / present_in_github 與 rotation owner不得貼 value、hash、masked token、partial token 或任何可還原片段。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"不建立、複製、rotate、修改或刪除 repository secret",
"不保存 secret value、hash、masked token、partial token、private key 或 credential value",
"不把 secret name parity response 當成 workflow ready 或 primary ready"
]
}
],
"owner_response_audit_event_templates": [
{
"event_template_id": "audit-workflow-secret-response-request-shown",
"display_order": 1,
"event_status": "template_only_not_emitted",
"trigger": "AwoooP 顯示 S4.12 workflow / secret name owner response request packet 時。",
"purpose": "只記錄 request packet 顯示 metadata不代表 request 已送出、owner response 已收到、secret value collection、workflow / webhook / runner / deploy key / branch protection / repository secret 修改或 GitHub primary 授權。",
"allowed_metadata_fields": [
"event_id",
"event_time_taipei",
"event_template_id",
"source_contract",
"target_contract",
"request_id",
"requested_template_ids",
"displayed_by_role",
"displayed_to_owner_role_or_team",
"repo_count",
"lane_count",
"source_document_ref",
"redaction_status"
],
"forbidden_payloads": [
"secret_value",
"token_value",
"private_key",
"deploy_key_value",
"runner_registration_token",
"runner_admin_token",
"webhook_secret",
"cookie_or_session",
"authorization_header",
"complete_webhook_payload_url",
"query_token",
"request_body",
"response_body",
"secret_hash",
"masked_token",
"partial_credential",
"workflow_modification_request",
"webhook_modification_request",
"runner_enablement_request",
"deploy_key_rotation_request",
"branch_protection_change_request",
"repository_secret_change_request",
"github_hosted_runner_enable_request",
"refs_sync_request",
"github_primary_switch_request",
"execution_request_payload",
"unredacted_screenshot"
],
"emitted_event_count": 0,
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_audit_template_only",
"execution_authorized": false,
"not_approval": true
},
{
"event_template_id": "audit-workflow-secret-response-received-metadata",
"display_order": 2,
"event_status": "template_only_not_emitted",
"trigger": "Owner 提供 S4.12 workflow / secret name response metadata pointer 時。",
"purpose": "只記錄已收到脫敏 metadata pointer不得保存 owner response raw body、secret value、token、runner token、webhook secret、private key、deploy key value、完整 URL credential、request body、response body 或未脫敏截圖。",
"allowed_metadata_fields": [
"event_id",
"event_time_taipei",
"event_template_id",
"source_contract",
"request_id",
"template_id",
"lane",
"repo",
"provider",
"owner_role_or_team",
"decision",
"decision_reason_summary",
"evidence_refs",
"redaction_status",
"quarantine_lane",
"next_owner_action"
],
"forbidden_payloads": [
"secret_value",
"token_value",
"private_key",
"deploy_key_value",
"runner_registration_token",
"runner_admin_token",
"webhook_secret",
"cookie_or_session",
"authorization_header",
"complete_webhook_payload_url",
"query_token",
"request_body",
"response_body",
"secret_hash",
"masked_token",
"partial_credential",
"workflow_modification_request",
"webhook_modification_request",
"runner_enablement_request",
"deploy_key_rotation_request",
"branch_protection_change_request",
"repository_secret_change_request",
"github_hosted_runner_enable_request",
"refs_sync_request",
"github_primary_switch_request",
"execution_request_payload",
"unredacted_screenshot"
],
"emitted_event_count": 0,
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_audit_template_only",
"execution_authorized": false,
"not_approval": true
},
{
"event_template_id": "audit-workflow-secret-response-outcome-classified",
"display_order": 3,
"event_status": "template_only_not_emitted",
"trigger": "AwoooP 依 S4.12 acceptance checks 與 rejection rules 分類 workflow / secret name owner response 時。",
"purpose": "只記錄分類結果、reviewer role 與下一步 owner action不得把 outcome、owner wording 或單項 response 當成 secret value collection、workflow 修改、webhook 修改、runner 啟用、deploy key rotation、branch protection change、repository secret change、refs sync 或 GitHub primary 授權。",
"allowed_metadata_fields": [
"event_id",
"event_time_taipei",
"event_template_id",
"source_contract",
"request_id",
"template_id",
"lane",
"repo",
"provider",
"owner_role_or_team",
"decision",
"decision_reason_summary",
"latest_outcome_lane",
"evidence_refs",
"redaction_status",
"quarantine_lane",
"next_owner_action",
"reviewer_role"
],
"forbidden_payloads": [
"secret_value",
"token_value",
"private_key",
"deploy_key_value",
"runner_registration_token",
"runner_admin_token",
"webhook_secret",
"cookie_or_session",
"authorization_header",
"complete_webhook_payload_url",
"query_token",
"request_body",
"response_body",
"secret_hash",
"masked_token",
"partial_credential",
"workflow_modification_request",
"webhook_modification_request",
"runner_enablement_request",
"deploy_key_rotation_request",
"branch_protection_change_request",
"repository_secret_change_request",
"github_hosted_runner_enable_request",
"refs_sync_request",
"github_primary_switch_request",
"execution_request_payload",
"unredacted_screenshot"
],
"emitted_event_count": 0,
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_audit_template_only",
"execution_authorized": false,
"not_approval": true
}
],
"owner_response_redaction_examples": [
{
"example_id": "redaction-webhook-redacted-host-metadata",
"display_order": 1,
"example_status": "template_example_only",
"category": "webhook_redacted_host_metadata",
"safe_response_shape": [
"template_id=response-webhook-redacted-export",
"repo=owenhytsai/awoooi",
"webhook_name_or_none=deployment-status-webhook",
"destination_host_redacted=hooks.example.internal",
"event_types=[push, pull_request]",
"active_enabled_flag=true",
"webhook_owner=platform-ops"
],
"required_redactions": [
"只保留 host 或 domain 類 metadata不保留完整 payload URL、query string、header、cookie 或 body",
"webhook secret 必須以 absent / managed_by_owner / rotate_required_candidate 類 metadata 表示,不得保存值",
"enabled flag 只代表 inventory metadata不代表可建立、停用或修改 webhook"
],
"forbidden_raw_values": [
"webhook_secret",
"complete_webhook_payload_url",
"query_token",
"authorization_header",
"request_body",
"response_body",
"cookie_or_session"
],
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_redaction_example_only",
"execution_authorized": false,
"not_approval": true
},
{
"example_id": "redaction-runner-label-owner-metadata",
"display_order": 2,
"example_status": "template_example_only",
"category": "runner_label_owner_metadata",
"safe_response_shape": [
"template_id=response-runner-label-owner",
"repo=owenhytsai/wooo-aiops",
"runner_label_or_none=self-hosted-linux-110",
"executor_type=self_hosted",
"hosted_or_self_hosted=self_hosted",
"runner_owner=platform-ops",
"github_hosted_minutes_risk=not_enabled"
],
"required_redactions": [
"runner label 只能保存名稱、scope、executor type、owner 與額度風險 metadata",
"hosted runner 只能標成 risk review candidate不得視為啟用或消耗 GitHub Actions 額度批准",
"不得貼 runner registration token、admin token、host password、SSH private key 或 machine credential"
],
"forbidden_raw_values": [
"runner_registration_token",
"runner_admin_token",
"host_password",
"ssh_private_key",
"machine_credential",
"github_hosted_runner_enable_request"
],
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_redaction_example_only",
"execution_authorized": false,
"not_approval": true
},
{
"example_id": "redaction-deploy-key-name-scope-metadata",
"display_order": 3,
"example_status": "template_example_only",
"category": "deploy_key_name_scope_metadata",
"safe_response_shape": [
"template_id=response-deploy-key-redacted-export",
"repo=owenhytsai/wooo-infra-config",
"key_name_or_none=infra-readonly-deploy-key",
"read_only_flag=true",
"repo_scope=single_repo",
"key_owner=platform-ops",
"rotation_owner=security-commander"
],
"required_redactions": [
"deploy key 只能保存 key name、read-only flag、repo scope、owner 與 rotation owner metadata",
"public key 若需要補證,必須改成既有文件引用或 owner metadata pointer不保存完整 key material",
"rotation owner 只代表後續責任人,不代表本階段可 rotate、建立、刪除或修改 key"
],
"forbidden_raw_values": [
"private_key",
"deploy_key_value",
"complete_public_key",
"token_value",
"credential_value",
"deploy_key_rotation_request"
],
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_redaction_example_only",
"execution_authorized": false,
"not_approval": true
},
{
"example_id": "redaction-branch-protection-codeowners-metadata",
"display_order": 4,
"example_status": "template_example_only",
"category": "branch_protection_codeowners_metadata",
"safe_response_shape": [
"template_id=response-branch-protection-codeowners",
"repo=owenhytsai/awoooi",
"protected_branch_name_or_none=main",
"required_review_count=1",
"required_status_check_names=[lint, test]",
"codeowners_path_or_none=.github/CODEOWNERS",
"ruleset_owner=source-control-owner"
],
"required_redactions": [
"只保存 branch/ruleset/CODEOWNERS metadata 與 required check names不保存 admin override token 或 session",
"若引用 UI screenshot必須先脫敏 owner、token、cookie、email、完整 URL credential 與個資",
"不得把 required check 或 reviewer wording 當成可立即修改 branch protection / ruleset / CODEOWNERS 的授權"
],
"forbidden_raw_values": [
"admin_override_token",
"session_cookie",
"authorization_header",
"unredacted_screenshot",
"branch_protection_change_request",
"codeowners_write_request"
],
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_redaction_example_only",
"execution_authorized": false,
"not_approval": true
},
{
"example_id": "redaction-secret-name-parity-quarantine-pointer",
"display_order": 5,
"example_status": "template_example_only",
"category": "repository_secret_name_parity_or_quarantine",
"safe_response_shape": [
"template_id=response-repository-secret-name-parity",
"repo=owenhytsai/awoooi",
"secret_name_list_or_none=[DATABASE_URL, OPENAI_API_KEY]",
"present_in_gitea=unknown_requires_more_evidence",
"present_in_github=unknown_requires_more_evidence",
"owning_team=platform-ops",
"collection_status=quarantine_sensitive_payload_if_value_seen"
],
"required_redactions": [
"secret parity 只能保存 secret name、scope、present / absent / unknown metadata、owner 與 evidence refs",
"任何 value、hash、masked token、partial token、可還原片段或未脫敏截圖都必須改走 quarantine pointer",
"secret name parity 通過也只更新 read-only wording不代表可建立、複製、rotate、修改或刪除 secret"
],
"forbidden_raw_values": [
"secret_value",
"secret_hash",
"masked_token",
"partial_credential",
"repository_secret_change_request",
"execution_request_payload",
"owner_response_raw_body"
],
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_redaction_example_only",
"execution_authorized": false,
"not_approval": true
}
],
"owner_response_collection_checks": [
{
"check_id": "collection-workflow-secret-request-packet-displayed",
"display_order": 1,
"title": " workflow / secret owner response request packet",
"required": true,
"pass_condition": "AwoooP owner_response_request_packet 5 workflow / secret templates evidence payload secret value collectionworkflow/webhook/runner/deploy key/branch protection/secret refs sync primary switch ",
"failure_lane": "keep_waiting_owner_response",
"awooop_display": "display_request_packet_only",
"execution_authorized": false,
"not_approval": true
},
{
"check_id": "collection-workflow-secret-read-only-submission-mode",
"display_order": 2,
"title": "workflow / secret read-only",
"required": true,
"pass_condition": "owner read-only markdown responseredacted metadata pointerexisting repo doc reference AwoooP manual review note secret valuewebhook secretrunner tokendeploy key materialprivate keyauthorization header execution request",
"failure_lane": "quarantine_sensitive_payload",
"awooop_display": "display_read_only_submission_only",
"execution_authorized": false,
"not_approval": true
},
{
"check_id": "collection-five-workflow-secret-template-tracking",
"display_order": 3,
"title": " workflow / secret templates ",
"required": true,
"pass_condition": "S4.12 requested_template_ids lane received / accepted / rejected webhookrunnerdeploy keybranch protection / CODEOWNERS repository secret name parity ",
"failure_lane": "request_more_evidence",
"awooop_display": "display_per_workflow_secret_lane_tracking",
"execution_authorized": false,
"not_approval": true
},
{
"check_id": "collection-workflow-secret-redacted-evidence-only",
"display_order": 4,
"title": " workflow / secret evidence refs",
"required": true,
"pass_condition": " repo snapshot pathsecret name metadataredacted hostrunner labelkey nameruleset/CODEOWNERS metadata evidence refs secret valuetokenprivate keydeploy key material URL credentialrequest bodyheader quarantine",
"failure_lane": "quarantine_sensitive_payload",
"awooop_display": "display_redacted_evidence_only",
"execution_authorized": false,
"not_approval": true
},
{
"check_id": "collection-workflow-secret-no-approval-language",
"display_order": 5,
"title": " workflow / secret ",
"required": true,
"pass_condition": "使 owner response OK workflow / secret inventory disposition secret rotateworkflow runner deploy key rotationbranch protection changerefs sync GitHub primary approval",
"failure_lane": "reject_execution_request",
"awooop_display": "display_scope_response_only",
"execution_authorized": false,
"not_approval": true
},
{
"check_id": "collection-workflow-secret-audit-metadata-only",
"display_order": 6,
"title": " workflow / secret audit metadata",
"required": true,
"pass_condition": "AwoooP request shownresponse received metadatatemplate idlanerepoowner role/teamredacted hostrunner labelkey namesecret name metadataevidence refs outcome lane secret valuehashmasked tokenpartial credentialwebhook secretrunner tokenprivate keyauthorization header payload",
"failure_lane": "quarantine_sensitive_payload",
"awooop_display": "display_audit_metadata_only",
"execution_authorized": false,
"not_approval": true
}
],
"intake_preflight_checks": [
{
"check_id": "preflight-known-workflow-secret-lane",
"display_order": 1,
"title": " workflow / secret lane",
"required": true,
"pass_condition": "`template_id` `lane` S4.12 workflow / secret name templates repo workflow / secret out-of-scope repo secret / workflow",
"failure_lane": "request_owner_correction",
"awooop_display": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "preflight-required-workflow-secret-owner-fields",
"display_order": 2,
"title": "workflow / secret ",
"required": true,
"pass_condition": " response owner role/teamdecisiondecision_reasonrepoproviderlanelane-specific owner redacted metadata evidence_refssecret name parity repo list scope",
"failure_lane": "request_more_evidence",
"awooop_display": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "preflight-allowed-workflow-secret-decision",
"display_order": 3,
"title": "workflow / secret decision ",
"required": true,
"pass_condition": "`decision` response template acceptable_decisions OK secret accepted",
"failure_lane": "request_owner_correction",
"awooop_display": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "preflight-workflow-secret-redacted-evidence-only",
"display_order": 4,
"title": " workflow / secret evidence refs",
"required": true,
"pass_condition": "`evidence_refs` repo snapshotredacted metadata pointersecret name listredacted hostrunner labelkey nameruleset / CODEOWNERS metadata secret valuehashmasked tokenpartial credentialwebhook secretrunner tokenprivate keydeploy key valueauthorization headercookiesessionrequest body ",
"failure_lane": "quarantine_sensitive_payload",
"awooop_display": "quarantine_sensitive_payload",
"execution_authorized": false
},
{
"check_id": "preflight-no-workflow-secret-execution-request",
"display_order": 5,
"title": " workflow / secret ",
"required": true,
"pass_condition": "response / / rotate secret workflow/webhook/runner/deploy key/branch protection/CODEOWNERS GitHub hosted runner使 write token reposync refsGitHub primary switchKali scan runtime action",
"failure_lane": "reject_execution_request",
"awooop_display": "reject_execution_request",
"execution_authorized": false
},
{
"check_id": "preflight-all-five-workflow-secret-lanes-before-accepted",
"display_order": 6,
"title": " workflow / secret templates",
"required": true,
"pass_condition": "S4.12 accepted response templates owner response waitingready_for_owner_reviewrequest_more_evidence quarantine",
"failure_lane": "keep_waiting_owner_response",
"awooop_display": "ready_for_owner_review",
"execution_authorized": false
}
],
"response_templates": [
{
"template_id": "response-webhook-redacted-export",
"lane": "webhook_redacted_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/wooo-aiops"
],
"risk": "MEDIUM",
"covered_repo_count": 2,
"requested_owner_decision": " webhook redacted hostenabled flag owner webhook secrettoken URLheadercookie payload body",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"webhook_name_or_none",
"destination_host_redacted",
"event_types",
"active_enabled_flag",
"webhook_owner",
"evidence_refs"
],
"acceptable_decisions": [
"provide_redacted_webhook_inventory_candidate",
"mark_no_webhook_candidate",
"hold_pending_webhook_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"acceptance_criteria": [
" redacted hostevent typesenabled flag owner",
" primary cutover webhook",
" response read-only inventory / readiness wording webhook"
],
"rejection_conditions": [
" webhook secret payload URLquery tokenheadercookie request body",
" webhook",
" repoproviderwebhook owner no-webhook disposition"
],
"allowed_outputs": [
" `source-control-workflow-secret-name-export-request.snapshot.json` webhook read-only owner response ",
" `source-control-primary-readiness-gate.snapshot.json` workflow/webhook blocker wording",
" request_more_evidence / quarantine lane"
],
"execution_authorized": false
},
{
"template_id": "response-runner-label-owner",
"lane": "runner_label_owner_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/wooo-aiops",
"owenhytsai/wooo-infra-config",
"owenhytsai/ewoooc"
],
"risk": "HIGH",
"covered_repo_count": 4,
"requested_owner_decision": " runner labelexecutor typehosted/self-hostedowner GitHub hosted minutes runner registration tokenadmin tokenSSH key host password",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"runner_label_or_none",
"runner_scope",
"executor_type",
"hosted_or_self_hosted",
"runner_owner",
"github_hosted_minutes_risk",
"maintenance_window",
"evidence_refs"
],
"acceptable_decisions": [
"keep_self_hosted_runner_candidate",
"approve_hosted_runner_risk_review_candidate",
"mark_no_runner_candidate",
"hold_pending_runner_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"acceptance_criteria": [
" runner self-hosted hosted hosted review",
" runner owner ",
" response runner workflow GitHub hosted minutes"
],
"rejection_conditions": [
" runner registration tokenadmin tokenSSH private keyhost password API token",
" GitHub hosted runner runner label",
" hosted runner risk review candidate 使 GitHub Actions "
],
"allowed_outputs": [
" runner label owner review lane",
" GitHub hosted runner wording",
" workflow / runner execution disabled"
],
"execution_authorized": false
},
{
"template_id": "response-deploy-key-redacted-export",
"lane": "deploy_key_redacted_export_request",
"affected_repos": [
"owenhytsai/wooo-infra-config"
],
"risk": "HIGH",
"covered_repo_count": 1,
"requested_owner_decision": " deploy key / machine key read-only flagrepo scope owner private key public keytoken value password",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"key_name_or_none",
"read_only_flag",
"repo_scope",
"key_owner",
"rotation_owner",
"evidence_refs"
],
"acceptable_decisions": [
"provide_deploy_key_name_scope_candidate",
"mark_no_deploy_key_candidate",
"mark_write_capable_key_risk_candidate",
"hold_pending_key_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"acceptance_criteria": [
" key read-only flagrepo scopeowner rotation owner",
"write-capable key candidate rotate ",
" response key private key deploy key"
],
"rejection_conditions": [
" private key public keytoken valuepassword credential value",
" rotate deploy key",
" key owner / rotation owner no-key disposition"
],
"allowed_outputs": [
" deploy key read-only risk lane",
" primary readiness key blocker wording",
" key_owner request_more_evidence lane"
],
"execution_authorized": false
},
{
"template_id": "response-branch-protection-codeowners",
"lane": "branch_protection_codeowners_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/clawbot-v5",
"owenhytsai/wooo-infra-config",
"owenhytsai/ewoooc"
],
"risk": "MEDIUM",
"covered_repo_count": 4,
"requested_owner_decision": " protected branchrequired checksrequired review countCODEOWNERS path owner teams team secretPATadmin override token session cookie",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"protected_branch_name_or_none",
"required_review_count",
"required_status_check_names",
"codeowners_path_or_none",
"owner_team_names",
"ruleset_owner",
"evidence_refs"
],
"acceptable_decisions": [
"provide_branch_protection_codeowners_candidate",
"mark_no_branch_protection_candidate",
"hold_pending_ruleset_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"acceptance_criteria": [
" required status check names workflow / runner label ",
" CODEOWNERS branch protection readiness gap",
" ruleset owner request_more_evidence owner"
],
"rejection_conditions": [
" PATadmin override tokensession cookieteam secret ",
" branch protectionrulesetrequired checks CODEOWNERS",
" branch protection response primary readiness complete"
],
"allowed_outputs": [
" branch protection / CODEOWNERS owner review lane",
" required status check parity wording",
" primary_ready_count=0"
],
"execution_authorized": false
},
{
"template_id": "response-repository-secret-name-parity",
"lane": "repository_secret_name_parity_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/clawbot-v5",
"owenhytsai/wooo-aiops",
"owenhytsai/wooo-infra-config",
"owenhytsai/ewoooc",
"owenhytsai/bitan-pharmacy",
"owenhytsai/tsenyang-website"
],
"risk": "HIGH",
"covered_repo_count": 7,
"requested_owner_decision": " repository secret parityscopeowning teamused-by workflow present_in_gitea / present_in_github metadata valuehashpartial token ",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"secret_name_list_or_none",
"secret_scope",
"owning_team",
"used_by_workflow_name",
"rotation_owner",
"present_in_gitea",
"present_in_github",
"evidence_refs"
],
"acceptable_decisions": [
"provide_secret_name_presence_map_candidate",
"mark_no_repository_secret_candidate",
"hold_pending_secret_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"acceptance_criteria": [
" secret namescopeownerused-by workflowpresent/absent metadata",
" valuehashpartial tokenmasked token ",
" secret owner review lanerotate secret"
],
"rejection_conditions": [
" secret valueplaintexthashpartial tokenprivate keycredential value ",
"rotate repository secret",
" secret name parity response workflow primary ready"
],
"allowed_outputs": [
" repository secret name parity owner review lane",
" workflow / secret name inventory gap wording",
" inventory_complete_count=0 primary_ready_count=0"
],
"execution_authorized": false
}
],
"acceptance_checks": [
{
"check_id": "maps_to_known_export_lane",
"title": " export lane",
"required": true,
"pass_condition": "`lane` S4.3 export laneswebhookrunnerdeploy keybranch protection / CODEOWNERS repository secret name parity",
"failure_lane": "reject_unknown_export_lane",
"execution_authorized": false
},
{
"check_id": "decision_value_allowed",
"title": "",
"required": true,
"pass_condition": "`decision` response template acceptable_decisions ",
"failure_lane": "request_owner_correction",
"execution_authorized": false
},
{
"check_id": "repo_scope_present",
"title": "repo scope ",
"required": true,
"pass_condition": " repoprovider lane secret name parity repo list",
"failure_lane": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "owner_present",
"title": "owner owner ",
"required": true,
"pass_condition": " owner role/team lane-specific owner hold/unknown",
"failure_lane": "request_owner_assignment",
"execution_authorized": false
},
{
"check_id": "allowed_fields_only",
"title": "",
"required": true,
"pass_condition": " lane allowed_fields owner/evidence metadata request bodyheadercredential raw config",
"failure_lane": "quarantine_unexpected_payload",
"execution_authorized": false
},
{
"check_id": "secret_values_absent",
"title": " secret value",
"required": true,
"pass_condition": " secret/token/cookie/private key/deploy key/runner token/webhook secret/passwordhashmasked token partial credential",
"failure_lane": "quarantine_sensitive_payload",
"execution_authorized": false
},
{
"check_id": "no_write_or_rotation_requested",
"title": " write rotation ",
"required": true,
"pass_condition": " write APIrotate secret workflow webhook runner deploy key branch protection",
"failure_lane": "reject_runtime_change_request",
"execution_authorized": false
},
{
"check_id": "no_primary_or_refs_action_requested",
"title": " primary refs action",
"required": true,
"pass_condition": " reposync refs GitHub primary Gitea inventory primary ready",
"failure_lane": "reject_primary_or_refs_action",
"execution_authorized": false
}
],
"rejection_rules": [
" secret valuePATcookiesessionCSRF tokenprivate keydeploy key valuerunner tokenwebhook secret partial credential ",
" webhook payload URLquery tokenauthorization headerrequest body ",
" runner registration tokenrunner admin tokenSSH private keyhost password API token ",
" deploy key private material public keytoken valuepassword credential value ",
" secret valuesecret hashpartial tokenmasked token ",
" write API workflow/webhook/runner/deploy key/branch protection/CODEOWNERS rotate secret ",
" reposync refs GitHub primary Gitea ",
" repoproviderlane owner no-data disposition accepted",
" owner response inventory completeworkflow readysecret parity complete GitHub primary ready ",
" URL key material mirror quarantine"
],
"allowed_outputs": [
" `source-control-workflow-secret-name-inventory.snapshot.json` read-only owner response ",
" `source-control-workflow-secret-name-export-request.snapshot.json` response status wording",
" `source-control-primary-readiness-gate.snapshot.json` workflow / webhook / runner / secret name blocker wording",
" `security-mirror-status-rollup.snapshot.json` workflow_secret owner response summary",
" request_more_evidence / quarantine lane",
" `inventory_complete_count=0``github_primary_ready_count=0` workflow / secret / repo / refs / primary execution flags false"
],
"forbidden_actions": [
" secret valuetoken valuecookiesessionprivate keydeploy key valuerunner token webhook secret",
"使 write token write API",
" workflowwebhookrunnerdeploy keybranch protectionCODEOWNERS repository secret",
"rotate secret secret secret secret",
" GitHub hosted runner GitHub Actions ",
" GitHub repo visibility",
"sync refspush refsdelete refs force push",
" GitHub primary",
" Gitea repo",
" AwoooP execution action button"
]
}