Files
awoooi/docs/security/source-control-workflow-secret-name-inventory.snapshot.json
Your Name e8e15faf28
All checks were successful
CD Pipeline / tests (push) Successful in 1m26s
Code Review / ai-code-review (push) Successful in 12s
CD Pipeline / build-and-deploy (push) Successful in 4m31s
CD Pipeline / post-deploy-checks (push) Successful in 1m32s
feat(security): 擴充 source-control 納管範圍
2026-06-11 19:23:40 +08:00

509 lines
17 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "source_control_workflow_secret_name_inventory_v1",
"status": "draft_missing_evidence",
"date": "2026-06-11",
"mode": "inventory_contract_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"docs/security/github-target-decision.snapshot.json",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/security-rollout-policy.snapshot.json"
],
"summary": {
"candidate_repo_count": 10,
"in_scope_repo_count": 9,
"external_scope_count": 1,
"inventory_complete_count": 0,
"missing_inventory_count": 9,
"owner_response_template_count": 5,
"owner_response_received_count": 0,
"owner_response_accepted_count": 0,
"secret_value_collection_allowed": false,
"runtime_actions_authorized": false,
"action_buttons_allowed": false
},
"owner_response_packet": {
"schema_version": "source_control_workflow_secret_name_owner_response_v1",
"snapshot_path": "docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"human_doc": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"execution_authorized": false
},
"inventory_lanes": [
{
"lane_id": "workflow_file_inventory",
"title": "workflow 名稱與觸發條件 inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"workflow_file_path",
"workflow_display_name",
"trigger_names",
"runner_label_names",
"environment_names",
"referenced_secret_names"
],
"forbidden_fields": [
"secret_value",
"token_value",
"private_key",
"webhook_secret",
"deploy_key_private_material"
],
"required_before_primary": [
"列出 Gitea/GitHub workflow 名稱與觸發條件差異",
"確認 self-hosted runner label 是否一致",
"確認 deployment marker / production deploy workflow 真相來源"
],
"execution_authorized": false
},
{
"lane_id": "webhook_inventory",
"title": "webhook 名稱、目的地與事件類型 inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"webhook_name",
"destination_host_redacted",
"event_types",
"active_enabled_flag",
"owner"
],
"forbidden_fields": [
"webhook_secret",
"full_payload_url_with_token",
"authorization_header",
"cookie"
],
"required_before_primary": [
"列出 Gitea/GitHub webhook 目的地與事件類型差異",
"確認 primary cutover 後哪一端發 webhook",
"確認不重複觸發 deploy 或 notification"
],
"execution_authorized": false
},
{
"lane_id": "runner_inventory",
"title": "runner label 與 executor inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"runner_label",
"runner_scope",
"executor_type",
"host_alias",
"owner"
],
"forbidden_fields": [
"runner_registration_token",
"ssh_private_key",
"host_password",
"api_token"
],
"required_before_primary": [
"確認 GitHub primary 後使用 self-hosted runner不消耗 GitHub hosted 額度",
"確認 runner label 與 workflow expectations 一致",
"確認 runner owner 與維護窗口"
],
"execution_authorized": false
},
{
"lane_id": "deploy_key_inventory",
"title": "deploy key / machine key 名稱 inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"key_name",
"read_only_flag",
"repo_scope",
"owner",
"last_seen_metadata"
],
"forbidden_fields": [
"private_key",
"public_key_full_value_if_sensitive",
"token_value",
"password"
],
"required_before_primary": [
"確認 deploy key 是否 read-only",
"確認 key owner 與 repo scope",
"確認 primary cutover 不需要搬移 private key value"
],
"execution_authorized": false
},
{
"lane_id": "branch_protection_codeowners_inventory",
"title": "branch protection / CODEOWNERS inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"protected_branch_name",
"required_review_count",
"required_status_check_names",
"codeowners_path",
"owner_team_names"
],
"forbidden_fields": [
"team_secret",
"personal_access_token",
"admin_override_token"
],
"required_before_primary": [
"確認 main/dev branch protection 差異",
"確認 required status checks 名稱與 CI provider 對齊",
"確認 CODEOWNERS 是否存在與 owner team 是否有效"
],
"execution_authorized": false
},
{
"lane_id": "secret_name_inventory",
"title": "secret 名稱與 owner inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"secret_name",
"secret_scope",
"owning_team",
"used_by_workflow_name",
"rotation_owner"
],
"forbidden_fields": [
"secret_value",
"secret_plaintext",
"token_value",
"private_key",
"credential_value"
],
"required_before_primary": [
"只列 secret 名稱與 owner不列 value",
"確認 Gitea/GitHub secret name parity",
"確認缺漏 secret 的 owner 與補證流程"
],
"execution_authorized": false
},
{
"lane_id": "redaction_audit_inventory",
"title": "redaction 與 audit inventory",
"status": "contract_defined_not_collected",
"allowed_fields": [
"redaction_status",
"evidence_ref",
"producer",
"reviewer",
"collection_timestamp"
],
"forbidden_fields": [
"raw_secret",
"raw_token",
"raw_cookie",
"raw_private_key",
"raw_webhook_secret"
],
"required_before_primary": [
"每份 inventory snapshot 都必須標示已脫敏",
"敏感值掃描通過後才可 mirror",
"失敗 payload 必須進 quarantine不得寫入 Runtime State"
],
"execution_authorized": false
}
],
"repo_inventory_readiness": [
{
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "HIGH",
"required_inventory": [
"workflow_file_inventory",
"webhook_inventory",
"runner_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
"production deploy workflow / deployment marker 名稱 parity 尚未完成",
"runner label 與 required status checks 尚未整理",
"secret 只能列名稱與 owner尚無 redacted snapshot"
],
"allowed_now": [
"建立 read-only inventory request",
"顯示缺口與 owner",
"等待 redacted snapshot"
],
"still_forbidden": [
"搬移 secret value",
"修改 workflow",
"切 GitHub primary",
"停用 Gitea deploy path"
]
},
{
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "MEDIUM",
"required_inventory": [
"workflow_file_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
"workflow / secret 名稱 parity 尚未整理",
"required status checks 尚未確認"
],
"allowed_now": [
"顯示 missing evidence",
"要求 repo owner 補 redacted inventory"
],
"still_forbidden": [
"建立或修改 secrets",
"sync refs",
"切 primary"
]
},
{
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "MEDIUM",
"required_inventory": [
"workflow_file_inventory",
"webhook_inventory",
"secret_name_inventory"
],
"current_gap": [
"GitHub-only refs 與 workflow 來源尚未釐清",
"webhook / secret 名稱 parity 尚未整理"
],
"allowed_now": [
"顯示 source-control review lane",
"要求 owner 補 workflow / webhook 名稱"
],
"still_forbidden": [
"delete GitHub-only refs",
"搬 secret value",
"切 primary"
]
},
{
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "MEDIUM",
"required_inventory": [
"deploy_key_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
"infra secret 名稱 inventory 尚未完成",
"deploy key / machine key owner 尚未確認",
"110 internal remote 用途仍需 owner 決策"
],
"allowed_now": [
"只列 key / secret 名稱與 owner",
"顯示 internal remote purpose review"
],
"still_forbidden": [
"搬 infra secret value",
"輸出 private key",
"刪除 remote",
"切 primary"
]
},
{
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "HIGH",
"required_inventory": [
"workflow_file_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
"canonical repo 尚未人工確認",
"GitHub target 未授權 probe 看不到",
"workflow / secret 名稱 inventory 尚未建立"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 補 canonical 與 redacted inventory"
],
"still_forbidden": [
"auto_create_repo",
"auto_merge_unrelated_histories",
"搬 secret value",
"切 primary"
]
},
{
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "MEDIUM",
"required_inventory": [
"workflow_file_inventory",
"secret_name_inventory"
],
"current_gap": [
"GitHub target 未確認",
"repo 是否仍 active 尚未確認",
"workflow / secret 名稱 inventory 尚未建立"
],
"allowed_now": [
"顯示 target creation/access review",
"要求 owner 確認 active 狀態"
],
"still_forbidden": [
"auto_create_repo",
"push refs",
"搬 secret value",
"切 primary"
]
},
{
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "MEDIUM",
"required_inventory": [
"workflow_file_inventory",
"secret_name_inventory"
],
"current_gap": [
"GitHub target ",
"repo active ",
"workflow / secret inventory "
],
"allowed_now": [
" target creation/access review",
" owner active "
],
"still_forbidden": [
"auto_create_repo",
"push refs",
" secret value",
" primary"
]
},
{
"github_repo": "nexu-io/open-design",
"source_key": "open-design",
"scope_status": "external_scope_review",
"inventory_state": "scope_review_only",
"risk": "LOW",
"required_inventory": [
"scope ownership only"
],
"current_gap": [
" AWOOOI "
],
"allowed_now": [
" scope review",
" observe-only"
],
"still_forbidden": [
" primary cutover queue",
" repo visibility",
"sync refs"
]
},
{
"github_repo": "owenhytsai/VibeWork",
"source_key": "vibework",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "HIGH",
"required_inventory": [
"workflow_file_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
" repo workflow / CODEOWNERS owner workflowrepo secret deploy key",
"VibeWork AWOOOI source-control primary ",
"GitHub / Gitea targetcanonical source secret name parity "
],
"allowed_now": [
" VibeWork ",
" owner repo / product / surface / owner / evidence refs",
" evidence "
],
"still_forbidden": [
"auto_create_repo",
"push_refs",
" secret value",
" primary",
" VibeWork AWOOOI"
]
},
{
"github_repo": "owenhytsai/agent-bounty-protocol",
"source_key": "agent-bounty-protocol",
"scope_status": "in_scope",
"inventory_state": "missing_evidence",
"risk": "HIGH",
"required_inventory": [
"workflow_file_inventory",
"runner_inventory",
"secret_name_inventory",
"branch_protection_codeowners_inventory"
],
"current_gap": [
" 1 Gitea workflow0 referenced secret names ubuntu-latest runner label owner / target / canonical ",
"A2A / MCP / bounty / treasury / agent execution owner response",
"branch protectionCODEOWNERS repository secret name parity export"
],
"allowed_now": [
" agent-bounty-protocol ",
" workflow runner label secret name parity ",
" owner agent / bounty / treasury / execution surface "
],
"still_forbidden": [
"auto_create_repo",
"push_refs",
" workflow",
" runner",
" secret value",
" primary",
" bounty / agent runtime "
]
}
],
"inventory_rules": [
" workflow / runner / webhook / deploy key / secret inventory inventory ",
"secret_name_inventory secret_namescopeowner used_by_workflow_name value",
" raw secrettokencookieprivate keywebhook secret credential value quarantine",
" inventory GitHub primary readiness gate blocked",
"S4.2 workflow / CODEOWNERS / referenced secret name evidence webhookdeploy keybranch protection repository secret parity ",
"S4.3 redacted export request package webhookrunnerdeploy keybranch protection/CODEOWNERS repository secret name parity owner / read-only export acceptance gate API primary cutover ",
"S4.12 owner response request packettemplate status ledgeraudit event templatesredaction examplescollection checksintake preflight checks 5 export lanes request 0 emitted audit metadata response received_response_count=0audit_events_emitted=0 secret value workflow",
"inventory snapshot mirror Operator Console / Audit evidence execution action"
],
"forbidden_actions": [
"collect_secret_value",
"store_secret_token_cookie_private_key_or_exploit_payload",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"delete_git_refs",
"force_push",
"switch_github_primary",
"disable_gitea",
"modify_workflow",
"rotate_secret",
"add_action_button"
]
}