824 lines
47 KiB
Markdown
824 lines
47 KiB
Markdown
# AwoooP x Security Supply Chain 整合 Handoff
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-05-06 |
|
||
| 狀態 | 已同步給 AwoooP 主線,僅文件與契約整合,尚未做 runtime 變更;2026-05-12 開始第一波 read-only 工具化 |
|
||
| 目的 | 讓 AwoooP Session 與 Kali/GitHub/Codex/Gitea 資安供應鏈 Session 在同一條治理主線上推進 |
|
||
| 低摩擦 policy | `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md` |
|
||
| Contract manifest | `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md` |
|
||
| 原則 | 低摩擦分階段、雙 Session 推進、共享契約、AwoooP 做治理控制面,資安供應鏈做 evidence 與執行來源 |
|
||
|
||
## 0. 給 AwoooP Session 的立即同步訊息
|
||
|
||
統帥已批准本支線開始推進,並要求以下工作納入同一個資安工作項目:
|
||
|
||
1. Kali `192.168.0.112` 建置完整資訊安全網。
|
||
2. 開發主機 `192.168.0.111`、`192.168.0.168` 納入 observe-only 資安資產。
|
||
3. Code Review 後需要 coding 的工作串接 Codex。
|
||
4. 長期改為 GitHub primary,Gitea 降級為本地 mirror / fallback。
|
||
5. Gitea 目前所有專案版本都必須完整盤點並轉移/同步到 GitHub。
|
||
6. 上述事項必須與 AwoooP 治理控制面整合,不可形成第二套資安流程。
|
||
|
||
本文件是給 AwoooP Session 的同步入口。請先把這份 handoff 視為共享契約,不要直接把 Kali 掃描、Codex patch 或 GitHub 遷移邏輯塞進 AwoooP runtime。
|
||
|
||
統帥補充原則:初期不要把資安等級一次拉太高。AwoooP 初期應先支援 mirror / observe / warn / approval candidate,而不是把所有 findings、repo 狀態或流程差異都變成阻擋條件。
|
||
|
||
## 1. Session 分工
|
||
|
||
### AwoooP 主線 Session
|
||
|
||
負責:
|
||
|
||
- Policy / EffectivePolicy。
|
||
- Approval gate。
|
||
- Channel Event。
|
||
- Operator Console。
|
||
- MCP Gateway。
|
||
- Run State / Audit Sink。
|
||
- Contract packages / validators。
|
||
- Governance event 與 exception policy。
|
||
|
||
不得直接接手:
|
||
|
||
- Kali scan 執行。
|
||
- exploit verification。
|
||
- production deploy。
|
||
- secret rotation。
|
||
- firewall / RBAC / NetworkPolicy 修改。
|
||
- GitHub/Gitea 主控切換。
|
||
|
||
### Security Supply Chain Session
|
||
|
||
負責:
|
||
|
||
- Kali findings 與 `security_finding_v1`。
|
||
- Code Review findings 與 `coding_task_v1`。
|
||
- GitHub primary / Gitea mirror 遷移盤點。
|
||
- Gitea 全量版本轉移 inventory。
|
||
- Source control / CI/CD supply chain evidence。
|
||
- Codex patch-only / suggest-only 接力設計。
|
||
- 112/111/168 asset seed 與 observe-only scope。
|
||
|
||
不得直接接手:
|
||
|
||
- AwoooP DB migration。
|
||
- EffectivePolicy runtime enforcement。
|
||
- MCP Gateway runtime gate。
|
||
- Channel Hub runtime 實作。
|
||
- Operator Console 主線 UI。
|
||
|
||
## 2. 共享目標架構
|
||
|
||
```text
|
||
Kali / Code Review / GitHub / Gitea / Codex
|
||
-> security_supply_chain_contract_manifest_v1
|
||
-> security_mirror_readiness_v1 / security_mirror_intake_plan_v1 / security_mirror_event_v1 / security_mirror_route_v1 / security_mirror_acceptance_v1 / security_mirror_quarantine_v1 / security_mirror_dry_run_v1 / security_mirror_status_rollup_v1 / security_finding_v1 / kali_scan_scope_approval_v1 / security_approval_queue_v1 / security_approval_gate_v1 / security_approval_decision_record_v1 / security_approval_review_packet_v1 / coding_task_v1 / source_control_migration_event_v1 / gitea_repo_inventory_v1 / local_git_remote_inventory_v1 / github_target_probe_v1 / github_target_decision_v1 / github_target_repo_approval_package_v1 / security_rollout_policy_v1
|
||
-> AWOOOI ingestion / asset_inventory / AIOps KPI / AOL
|
||
-> mirror 到 AwoooP Runtime State / Channel Event / Audit
|
||
-> AwoooP Policy / Approval / Exception / Operator Console
|
||
-> 人工批准後才進本地 deployment plane
|
||
```
|
||
|
||
初期只允許 mirror / read-only / suggest-only,不允許 AwoooP 直接觸發高風險執行。
|
||
|
||
## 3. 必須共享的事件契約
|
||
|
||
### `security_finding_v1`
|
||
|
||
用途:承接 Kali、Trivy、ZAP、Semgrep、detect-secrets、kube posture 等 findings。
|
||
|
||
Schema:`docs/schemas/security_finding_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "security_finding_v1",
|
||
"finding_id": "stable fingerprint",
|
||
"scan_run_id": "string",
|
||
"scanner": "kali|trivy|zap|semgrep|detect-secrets|kube-bench",
|
||
"asset_key": "string",
|
||
"target_type": "host|website|api_endpoint|container|package|repo|k8s_resource|tool",
|
||
"target": "redacted identifier",
|
||
"category": "exposure|cve|secret|misconfig|auth|tls|web|code|supply_chain|network",
|
||
"severity": "LOW|MEDIUM|HIGH|CRITICAL",
|
||
"confidence": "LOW|MEDIUM|HIGH",
|
||
"recommended_mode": "observe|warn|approve_required|block_candidate",
|
||
"evidence_ref": "redacted evidence pointer",
|
||
"summary": "繁體中文摘要",
|
||
"recommended_action": "繁體中文建議"
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:mirror 成 Runtime State / Channel Event,不 enforcement。
|
||
|
||
### `kali_scan_scope_approval_v1`
|
||
|
||
用途:定義 Kali 112、111/168 dev hosts、核心 runtime hosts、公開網站與 Kali high-risk path 的 scan scope、掃描深度與 approval gate。
|
||
|
||
Schema:`docs/schemas/kali_scan_scope_approval_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/kali-scan-scope-approval.snapshot.json`
|
||
|
||
AwoooP 初期處理方式:只顯示 scope group 與 approval gate,可建立 approval candidate,但不得啟動 scan、不得呼叫 `/execute`、不得把 LOW / MEDIUM observation 變成 blocking gate。
|
||
|
||
### `security_approval_queue_v1`
|
||
|
||
用途:集中整理 Security Supply Chain 現階段需要 AwoooP 顯示、排隊、等待人工決策的 pending approval / block candidate。
|
||
|
||
Schema:`docs/schemas/security_approval_queue_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-approval-queue.snapshot.json`
|
||
|
||
目前 queue:8 items,7 個 pending approval,1 個 block candidate。建議先 review redacted Kali finding ingestion,再 review safe web crawl 與 Gitea read-only inventory。
|
||
|
||
AwoooP 初期處理方式:只顯示 review order、blocked reason、required reviewers 與 evidence refs,可建立 approval candidate,但不得執行 queue item。
|
||
|
||
### `security_approval_gate_v1`
|
||
|
||
用途:定義 S3 人工批准 gate 的決策語言、批准範圍、required reviewers、仍然禁止事項與 follow-up runtime gate。
|
||
|
||
Schema:`docs/schemas/security_approval_gate_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-approval-gate.snapshot.json`
|
||
|
||
目前 gate:8 items,7 個 pending human decision,1 個 block candidate,0 個 approved。批准後仍不得自動執行。
|
||
|
||
AwoooP 初期處理方式:只記錄人工決策、audit evidence 與批准範圍;不得把 gate item 接成 runner,不得在批准後自動啟動 scan、repo、refs、deploy 或 secret 類動作。
|
||
|
||
### `security_approval_decision_record_v1`
|
||
|
||
用途:定義 S3 人工決策紀錄格式,保存 approve / reject / defer / request more evidence / keep blocked 的稽核資料。
|
||
|
||
Schema:`docs/schemas/security_approval_decision_record_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-approval-decision-record.snapshot.json`
|
||
|
||
目前 decision records:0 筆;所有紀錄都必須維持 `execution_authorized=false`,且批准後仍需 follow-up runtime gate。
|
||
|
||
AwoooP 初期處理方式:只保存 reviewer、時間、evidence refs、批准範圍與決策結果;不得把 decision record 當成執行命令。
|
||
|
||
### `security_approval_review_packet_v1`
|
||
|
||
用途:定義 S3 人工審查封包,將 approval queue 與 approval gate 包成 AwoooP 可顯示的 review packet。
|
||
|
||
Schema:`docs/schemas/security_approval_review_packet_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-approval-review-packet.snapshot.json`
|
||
|
||
目前 review packets:8 筆;7 個 ready for human review、1 個 block candidate。所有 packet 都必須維持 `execution_authorized=false`,且 `action_buttons_allowed=false`。
|
||
|
||
AwoooP 初期處理方式:只顯示 review order、review lane、required reviewers、requested decision、evidence refs 與 still forbidden;不得把 review packet 視為批准或執行授權。
|
||
|
||
### `security_mirror_readiness_v1`
|
||
|
||
用途:集中整理 Security Supply Chain contracts 的 mirror readiness,讓 AwoooP 先知道哪些可 mirror、哪些 partial、哪些 contract-only。
|
||
|
||
Schema:`docs/schemas/security_mirror_readiness_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-mirror-readiness.snapshot.json`
|
||
|
||
目前 readiness:30 個 contracts,27 個 ready for mirror,2 個 partial ready,1 個 contract-only,0 個 blocked。所有 contract 都是 `execution_allowed=false`。
|
||
|
||
AwoooP 初期處理方式:先 mirror readiness index,再依 readiness 分批 mirror 其他 snapshots;不得把 readiness 當 execution authorization。
|
||
|
||
### `security_mirror_intake_plan_v1`
|
||
|
||
用途:定義 AwoooP 初期 mirror-only intake waves、destinations、allowed / blocked processing 與 acceptance gates。
|
||
|
||
Schema:`docs/schemas/security_mirror_intake_plan_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-mirror-intake-plan.snapshot.json`
|
||
|
||
目前 intake plan:5 個 waves,從 index bootstrap、Kali visibility、source-control visibility、approval candidates 到 Codex patch-only backlog。所有 waves 都是 `runtime_execution_authorized=false`。
|
||
|
||
AwoooP 初期處理方式:照 wave 顯示與 mirror,不新增 scan / execute / repo / refs / deploy / secret 類執行按鈕。
|
||
|
||
### `security_mirror_event_v1`
|
||
|
||
用途:AwoooP 鏡像資安供應鏈 contracts 時使用的統一事件信封,避免鏡像 evidence 被誤解成 execution authorization。
|
||
|
||
Schema:`docs/schemas/security_mirror_event_v1.schema.json`
|
||
|
||
範例:`docs/security/security-mirror-event-sample.snapshot.json`
|
||
|
||
必要邊界:每筆 event 都必須是 `execution_authorized=false`、`action_buttons_allowed=false`,並標示 `redaction_status`、`source_contract`、`source_snapshot_path`、`destinations` 與 `blocked_actions`。
|
||
|
||
AwoooP 初期處理方式:只把 mirror event 寫入 Operator Console / Runtime State / Channel Event / Audit / Approval Queue,不新增任何執行按鈕。
|
||
|
||
### `security_mirror_route_v1`
|
||
|
||
用途:定義 AwoooP 消費資安供應鏈 contracts 時的只讀分流矩陣,包含目的地、channel policy 與 review lane。
|
||
|
||
Schema:`docs/schemas/security_mirror_route_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-mirror-route.snapshot.json`
|
||
|
||
目前 route:5 個 route groups,涵蓋 30 個 contracts;所有 route 都是 `runtime_execution_authorized=false`。
|
||
|
||
AwoooP 初期處理方式:只依 route group 顯示 Operator Console / Runtime State / Channel Event / Audit / Approval Queue,不把 route 轉成 execution router。
|
||
|
||
### `security_mirror_acceptance_v1`
|
||
|
||
用途:定義 AwoooP 接收 mirror-only 資安資料時的驗收 checks,避免 contract count、event envelope、route coverage 或 redaction 不一致。
|
||
|
||
Schema:`docs/schemas/security_mirror_acceptance_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-mirror-acceptance.snapshot.json`
|
||
|
||
目前 acceptance:7 個 checks;其中 blocking checks 只阻擋不完整或未脫敏的鏡像資料,不阻擋 runtime。
|
||
|
||
AwoooP 初期處理方式:顯示驗收結果與失敗原因;不得把 acceptance contract 轉成 runtime blocker 或 execution queue。
|
||
|
||
### `security_mirror_quarantine_v1`
|
||
|
||
用途:定義 AwoooP mirror-only 資安資料驗收失敗時的隔離 lane、recovery request 與 retry gate。
|
||
|
||
Schema:`docs/schemas/security_mirror_quarantine_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-mirror-quarantine.snapshot.json`
|
||
|
||
目前 quarantine:5 個 lanes;同一份失敗 payload 不自動 retry,必須等新的 snapshot commit 後重新驗收。
|
||
|
||
AwoooP 初期處理方式:只隔離壞的 mirror payload、顯示原因與修復要求;不得轉成 runtime blocker 或 execution queue。
|
||
|
||
### `security_mirror_dry_run_v1`
|
||
|
||
用途:定義 AwoooP mirror-only 接入演練時應回報的 dry-run 結果格式。
|
||
|
||
Schema:`docs/schemas/security_mirror_dry_run_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-mirror-dry-run.snapshot.json`
|
||
|
||
目前 dry-run:6 個 steps;`dry_run_status=contract_defined_not_executed`,尚未代表 AwoooP 已實際執行 dry-run。
|
||
|
||
AwoooP 初期處理方式:只顯示 dry-run 報告與各 step 狀態;不得轉成 production ingestion 或任何 runtime action。
|
||
|
||
### `security_mirror_status_rollup_v1`
|
||
|
||
用途:定義 AwoooP 與 Security Supply Chain Session 的共同狀態摘要,彙整 S0-S4、contract readiness、approval queue summary、dry-run 狀態與下一個安全 gate。
|
||
|
||
Schema:`docs/schemas/security_mirror_status_rollup_v1.schema.json`
|
||
|
||
Snapshot:`docs/security/security-mirror-status-rollup.snapshot.json`
|
||
|
||
目前 rollup:`framework_ready_waiting_approval`;30 個 contracts、27 ready、2 partial、1 contract-only、0 blocked;approval queue 仍為 8 items,其中 7 pending approval、1 block candidate;review packets 8 筆,decision records 目前 0 筆。
|
||
|
||
AwoooP 初期處理方式:只顯示階段狀態、下一個 gate 與禁止事項,可寫入 Audit evidence;不得把 rollup 當 runtime authorization。
|
||
|
||
### `security_rollout_policy_v1`
|
||
|
||
用途:定義 Security Supply Chain 初期的低摩擦 rollout policy,避免把 observation 全部變成 blocking controls。
|
||
|
||
Schema:`docs/schemas/security_rollout_policy_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "security_rollout_policy_v1",
|
||
"status": "draft",
|
||
"default_mode": "observe",
|
||
"enforcement_level": "mirror_only"
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:只作為 read-only policy 與 Operator Console 顯示,不做 runtime enforcement。
|
||
|
||
### `security_supply_chain_contract_manifest_v1`
|
||
|
||
用途:集中列出 Security Supply Chain 初期可供 AwoooP 消費的 schema、snapshot、人讀文件、允許動作與禁止動作。
|
||
|
||
Schema:`docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "security_supply_chain_contract_manifest_v1",
|
||
"status": "draft",
|
||
"default_enforcement_level": "mirror_only",
|
||
"contract_count": 30
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:作為 contract registry 與 Operator Console 入口,只路由 mirror/read-only/approval queue,不作 execution router。
|
||
|
||
### `coding_task_v1`
|
||
|
||
用途:承接 Code Review 後需要 Codex coding 的項目。
|
||
|
||
Schema:`docs/schemas/coding_task_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "coding_task_v1",
|
||
"source": "github_code_review|gitea_code_review|codex_security|manual_review",
|
||
"repo": "string",
|
||
"branch": "string",
|
||
"base_sha": "string",
|
||
"head_sha": "string",
|
||
"risk": "LOW|MEDIUM|HIGH|CRITICAL",
|
||
"summary": "繁體中文摘要",
|
||
"allowed_actions": ["create_patch", "add_tests", "open_draft_pr"],
|
||
"blocked_actions": ["auto_merge", "production_deploy", "force_push", "secret_rotation", "network_policy_change"],
|
||
"required_reviewers": ["critic", "vuln-verifier"]
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:作為 approval-ready work item,不自動執行。
|
||
|
||
### `source_control_migration_event_v1`
|
||
|
||
用途:追蹤 Gitea 全量版本轉移到 GitHub 的供應鏈安全證據。
|
||
|
||
Schema:`docs/schemas/source_control_migration_event_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "source_control_migration_event_v1",
|
||
"gitea_repo": "string",
|
||
"github_repo": "string",
|
||
"branch_count_gitea": 0,
|
||
"branch_count_github": 0,
|
||
"tag_count_gitea": 0,
|
||
"tag_count_github": 0,
|
||
"latest_sha_gitea": "string",
|
||
"latest_sha_github": "string",
|
||
"workflows_mapped": true,
|
||
"webhooks_mapped": true,
|
||
"secrets_inventory_only": true,
|
||
"status": "inventory|mirrored|verified|blocked",
|
||
"blocking_reason": "繁體中文說明"
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:作為 supply chain governance evidence,不觸發 deploy。
|
||
|
||
### `gitea_repo_inventory_v1`
|
||
|
||
用途:追蹤 Gitea org/user repo list 的全量盤點,作為「所有 Gitea 專案版本轉移到 GitHub」的前置 evidence。
|
||
|
||
Schema:`docs/schemas/gitea_repo_inventory_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "gitea_repo_inventory_v1",
|
||
"base_url": "http://192.168.0.110:3001",
|
||
"org": "wooo",
|
||
"query_mode": "user",
|
||
"visibility_scope": "public_only",
|
||
"github_owner": "owenhytsai",
|
||
"token_present": false,
|
||
"http_status": 200,
|
||
"status": "partial",
|
||
"repo_count": 2,
|
||
"repos": [
|
||
{
|
||
"gitea_repo": "wooo/awoooi",
|
||
"name": "awoooi",
|
||
"owner": "wooo",
|
||
"private": false,
|
||
"empty": false,
|
||
"archived": false,
|
||
"default_branch": "main",
|
||
"clone_url_redacted": "http://192.168.0.110:3001/wooo/awoooi.git",
|
||
"ssh_url_redacted": "ssh://localhost:2222/wooo/awoooi.git",
|
||
"github_repo_candidate": "owenhytsai/awoooi"
|
||
},
|
||
{
|
||
"gitea_repo": "wooo/ewoooc",
|
||
"name": "ewoooc",
|
||
"owner": "wooo",
|
||
"private": false,
|
||
"empty": false,
|
||
"archived": false,
|
||
"default_branch": "main",
|
||
"clone_url_redacted": "http://192.168.0.110:3001/wooo/ewoooc.git",
|
||
"ssh_url_redacted": "ssh://localhost:2222/wooo/ewoooc.git",
|
||
"github_repo_candidate": "owenhytsai/ewoooc"
|
||
}
|
||
]
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:作為 migration matrix 的 read-only evidence;`partial` 只代表 public-only 可見範圍,不得觸發 repo 建立、刪除、封存或 GitHub primary 切換。
|
||
|
||
### `local_git_remote_inventory_v1`
|
||
|
||
用途:在 Gitea API 受阻時,盤點本機可見 Git working tree 的 remote URL,找出仍指向 Gitea、GitHub、110 內部 Git 或 GitLab 類 remote 的專案。
|
||
|
||
Schema:`docs/schemas/local_git_remote_inventory_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "local_git_remote_inventory_v1",
|
||
"status": "partial",
|
||
"repo_count": 13,
|
||
"gitea_linked_count": 6,
|
||
"github_linked_count": 6,
|
||
"internal_110_only_count": 3
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:作為 migration matrix 的輔助 evidence;不得把它視為 Gitea server 全量清單。
|
||
|
||
### `local_repo_canonical_probe_v1`
|
||
|
||
用途:在多個本機 working tree 名稱相近但 remote/HEAD 不一致時,提供 read-only lineage evidence,避免自動把不同歷史誤合併。
|
||
|
||
Schema:`docs/schemas/local_repo_canonical_probe_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "local_repo_canonical_probe_v1",
|
||
"group_name": "ewoooc-momo-pro-system",
|
||
"status": "unrelated",
|
||
"repo_count": 3,
|
||
"comparison_count": 3
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:只作為 canonical decision evidence;不得觸發 merge、repo creation、repo deletion 或 mirror。
|
||
|
||
### `git_remote_refs_probe_v1`
|
||
|
||
用途:對指定本機 repo 的 remote refs 做 read-only 探測,確認本機 HEAD 是否與 remote branch 對齊。
|
||
|
||
Schema:`docs/schemas/git_remote_refs_probe_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "git_remote_refs_probe_v1",
|
||
"group_name": "internal-110-bitan-tsenyang",
|
||
"status": "ok",
|
||
"repo_count": 2,
|
||
"aligned_current_branch_count": 2
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:只作為 source-control readiness evidence;不得觸發 fetch、push、mirror、repo creation 或 primary switch。
|
||
|
||
### `github_target_probe_v1`
|
||
|
||
用途:對候選 GitHub repo 做 read-only 可見性與 refs probe,區分已存在、不可見、或外部 scope。
|
||
|
||
Schema:`docs/schemas/github_target_probe_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "github_target_probe_v1",
|
||
"status": "ok",
|
||
"candidate_count": 8,
|
||
"exists_count": 5,
|
||
"not_found_or_private_count": 3
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:只作為 migration target evidence;`not_found_or_private` 不等同確認不存在,不得自動建立 repo。
|
||
|
||
### `github_target_decision_v1`
|
||
|
||
用途:追蹤候選 GitHub repo 的建立、可見性、封存或待判定決策,讓 target ownership 與 approval 狀態可被 AwoooP mirror。
|
||
|
||
Schema:`docs/schemas/github_target_decision_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "github_target_decision_v1",
|
||
"status": "draft",
|
||
"decision_count": 8,
|
||
"approval_required_count": 7
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:作為 approval candidate 與 migration target evidence;不得直接建立 GitHub repo、修改 visibility、同步 refs 或切 GitHub primary。
|
||
|
||
### `github_target_repo_approval_package_v1`
|
||
|
||
用途:把 `github_target_decision_v1` 中需要人工批准的 target 拆成逐 repo approval package,降低一次性審批的複雜度。
|
||
|
||
Schema:`docs/schemas/github_target_repo_approval_package_v1.schema.json`
|
||
|
||
最小欄位:
|
||
|
||
```json
|
||
{
|
||
"schema_version": "github_target_repo_approval_package_v1",
|
||
"status": "draft",
|
||
"package_count": 7,
|
||
"approval_items": []
|
||
}
|
||
```
|
||
|
||
AwoooP 初期處理方式:mirror 成 approval queue draft。低摩擦原則下,read-only evidence 不被阻擋;只有 repo creation、visibility change、refs sync、primary switch 等高風險執行才需要 approval。
|
||
|
||
### `approval_required_event_v1`
|
||
|
||
用途:把高風險資安修補、Codex patch、source control 主控切換送進 AwoooP approval。
|
||
|
||
Schema:`docs/schemas/approval_required_event_v1.schema.json`
|
||
|
||
必須進 approval 的情況:
|
||
|
||
- `severity=HIGH|CRITICAL`。
|
||
- 會改 secrets、RBAC、NetworkPolicy、firewall、CORS。
|
||
- 會改 production deploy controller。
|
||
- 會切換 GitHub primary / Gitea mirror 主控面。
|
||
- 會啟用 credentialed scan 或 active DAST。
|
||
- 會使用 Gitea read-only token 或匯入管理匯出補 private/internal repo list。
|
||
- 會讓 Codex patch 自動合併或自動部署。
|
||
|
||
## 4. AwoooP 整合順序
|
||
|
||
### Phase S0:文件與契約同步
|
||
|
||
狀態:本文件建立後即完成第一步同步。
|
||
|
||
交付:
|
||
|
||
- 本 handoff。
|
||
- LOGBOOK 條目。
|
||
- `security_supply_chain_contract_manifest_v1`、`security_finding_v1`、`coding_task_v1`、`source_control_migration_event_v1`、`gitea_repo_inventory_v1`、`local_git_remote_inventory_v1`、`github_target_probe_v1`、`github_target_decision_v1`、`github_target_repo_approval_package_v1`、`security_rollout_policy_v1`、`local_repo_canonical_probe_v1`、`git_remote_refs_probe_v1`、`approval_required_event_v1` JSON Schema 草案。
|
||
|
||
### Phase S1:Mirror-only
|
||
|
||
目標:讓 AwoooP 看見事件,但不改變行為。
|
||
|
||
允許:
|
||
|
||
- 將 security findings mirror 成 Runtime State。
|
||
- 將 coding tasks mirror 成 approval candidate。
|
||
- 將 source control migration inventory mirror 成 supply chain evidence。
|
||
- 將 Gitea repo inventory mirror 成 migration matrix evidence。
|
||
- 將本機 Git remote inventory mirror 成 source-control coverage evidence。
|
||
- 將 GitHub target 決策 mirror 成 approval candidate。
|
||
- 將 GitHub target repo-by-repo package mirror 成 approval queue draft。
|
||
- 將低摩擦 rollout policy mirror 成 read-only policy。
|
||
- 將 contract manifest mirror 成 contract registry。
|
||
- 將 status rollup mirror 成跨 Session 共同狀態入口。
|
||
|
||
禁止:
|
||
|
||
- 直接 enforcement。
|
||
- 直接啟動 scan。
|
||
- 直接呼叫 Codex patch runner。
|
||
- 直接切 GitHub/Gitea 主控。
|
||
- 直接刪除、封存或建立 repo。
|
||
- 直接修改 GitHub repo visibility。
|
||
|
||
### Phase S2:Read-only Policy
|
||
|
||
目標:AwoooP 只計算 policy,不執行。
|
||
|
||
範例:
|
||
|
||
- `security_finding_v1` 進來後,AwoooP 回傳 `observe|warn|approve_required` 建議。
|
||
- `coding_task_v1` 進來後,AwoooP 回傳是否需要 `critic` / `vuln-verifier`。
|
||
- `source_control_migration_event_v1` 進來後,AwoooP 回傳是否缺 branch/tag/workflow/webhook/permission evidence。
|
||
- `local_git_remote_inventory_v1` 進來後,AwoooP 回傳是否仍有 local-only / internal-110-only source-control risk。
|
||
- `github_target_decision_v1` 進來後,AwoooP 回傳是否需要 owner / visibility / canonical approval。
|
||
- `github_target_repo_approval_package_v1` 進來後,AwoooP 回傳逐 repo approval queue draft,不阻擋 read-only evidence。
|
||
- `security_rollout_policy_v1` 進來後,AwoooP 回傳 observe / warn / approve_required 建議,不做 enforcement。
|
||
- `security_supply_chain_contract_manifest_v1` 進來後,AwoooP 回傳可消費 contract 清單,不新增 execution router。
|
||
|
||
### Phase S3:Approval Gate
|
||
|
||
目標:高風險行為必須經 AwoooP approval。
|
||
|
||
先納入:
|
||
|
||
- Codex patch 合併前。
|
||
- HIGH/CRITICAL findings 修補前。
|
||
- GitHub primary 切換前。
|
||
- credentialed scan 前。
|
||
|
||
### Phase S4:Operator Console
|
||
|
||
目標:讓操作者在 AwoooP Console 看見:
|
||
|
||
- 資安 posture。
|
||
- open findings。
|
||
- coding task 狀態。
|
||
- GitHub/Gitea migration matrix。
|
||
- approval queue。
|
||
- accepted risk / false positive / exception。
|
||
|
||
Console 初期不提供高風險執行按鈕。
|
||
|
||
## 5. 兩邊 Session 的衝突邊界
|
||
|
||
| 區域 | AwoooP Session | Security Supply Chain Session | 衝突避免 |
|
||
|------|----------------|-------------------------------|----------|
|
||
| Contract schema | 主責 | 提供草案與需求 | AwoooP 決定 canonical package |
|
||
| DB migration | 主責 | 不碰 | findings 先文件化,不建表 |
|
||
| Runtime enforcement | 主責 | 不碰 | 先 mirror/read-only |
|
||
| Kali scan | 不直接執行 | 主責規劃 | AwoooP 只管 approval/policy |
|
||
| Codex patch | 不直接執行 | 主責規劃 | AwoooP 只管 approval/audit |
|
||
| GitHub/Gitea 遷移 | 治理 gate | inventory 與遷移設計 | 主控切換需雙方 handoff |
|
||
| MCP Gateway | 主責 | 只提出 access needs | 不新增 direct tool bypass |
|
||
| Channel Event | 主責 | 提供事件需求 | Channel adapter 不做 policy |
|
||
|
||
## 6. AwoooP Session 需要消費的工作項
|
||
|
||
請 AwoooP 主線在後續規劃時預留:
|
||
|
||
1. Runtime State 可容納 `security_finding_v1` mirror。
|
||
2. Approval model 可容納 `coding_task_v1` 與 `source_control_migration_event_v1`。
|
||
3. EffectivePolicy 可判斷 `observe|warn|approve_required|block_candidate`。
|
||
4. Channel Event 可承載資安 findings 與供應鏈遷移事件。
|
||
5. Audit Sink 必須脫敏,不可儲存 raw secret、token、cookie、exploit payload。
|
||
6. Operator Console 需要 supply chain / security posture 視圖,但初期不要高風險 action。
|
||
7. MCP Gateway 後續要能限制 Codex/Kali/GitHub 工具權限。
|
||
8. Migration matrix 可容納 `gitea_repo_inventory_v1`,但初期只讀。
|
||
9. Migration matrix 可容納 `local_git_remote_inventory_v1`,但不得視為 server 全量。
|
||
10. Approval queue 可容納 `github_target_decision_v1` 與 `github_target_repo_approval_package_v1`,但不得直接建立 repo 或改 visibility。
|
||
11. Read-only policy 可容納 `security_rollout_policy_v1`,但初期不得把它變成 runtime blocking rule。
|
||
12. Contract registry 可容納 `security_supply_chain_contract_manifest_v1`,但初期不得把它變成 direct tool router。
|
||
|
||
## 7. Security Supply Chain Session 下一步
|
||
|
||
已批准開始推進後,本支線第一波只做:
|
||
|
||
1. Gitea/GitHub 全量版本盤點設計。
|
||
2. `coding_task_v1` schema 文件化。
|
||
3. `security_finding_v1` schema 文件化。
|
||
4. `source_control_migration_event_v1` schema 文件化。
|
||
5. `gitea_repo_inventory_v1` schema 文件化。
|
||
6. `local_git_remote_inventory_v1` schema 文件化。
|
||
7. `github_target_probe_v1` schema 文件化。
|
||
8. `local_repo_canonical_probe_v1` schema 文件化。
|
||
9. `git_remote_refs_probe_v1` schema 文件化。
|
||
10. `github_target_decision_v1` schema 文件化。
|
||
11. `approval_required_event_v1` schema 文件化。
|
||
12. 112/111/168 observe-only asset mapping。
|
||
13. Codex patch-only handoff prompt。
|
||
14. AwoooP mirror-only integration notes。
|
||
|
||
第一版 inventory 已建立於 `docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md`。目前只完成 `awoooi` repo read-only 初步盤點,已確認 GitHub / Gitea 存在 branches、tags 與 `main` SHA 差異,因此主控切換必須保持 blocked,直到全量同步驗證完成。
|
||
|
||
第一版 observe-only host mapping 已建立於 `docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md`。第一版 Codex patch-only handoff prompt 已建立於 `docs/security/CODEX-PATCH-ONLY-HANDOFF-PROMPT.md`。
|
||
|
||
2026-05-12 更新:已新增 `scripts/security/source-control-migration-inventory.py`,並產出 `docs/security/gitea-github-awoooi-inventory.snapshot.json`。目前 `source_control_migration_event_v1.status=blocked`,因 Gitea heads 117、GitHub heads 2、Gitea tags 2、GitHub tags 0,且 `main` SHA 不一致。AwoooP Session 應將此視為 supply-chain evidence,不得視為可切 GitHub primary。
|
||
|
||
2026-05-12 追加:已新增 `scripts/security/gitea-repo-inventory.py`、`docs/schemas/gitea_repo_inventory_v1.schema.json`,並產出 `docs/security/gitea-repo-inventory.snapshot.json`。目前 `gitea_repo_inventory_v1.status=partial`,因未提供 token 時只能取得 public-only `wooo/awoooi` 與 `wooo/ewoooc`;完整全量仍需只讀 token 或管理匯出。
|
||
|
||
2026-05-12 Gitea endpoint 判定追加:已新增 `docs/security/gitea-org-repo-inventory-blocked.snapshot.json` 與 `docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md`,保留 `orgs/wooo/repos` 未認證 404 evidence;後續 server-side inventory 以 `users/wooo/repos`、只讀 token 或管理匯出為主。
|
||
|
||
2026-05-12 server-side inventory runbook 追加:已新增 `docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md`,定義 public-only、只讀 token、管理匯出 JSON 三種路徑。AwoooP 可 mirror runbook 狀態,但不得要求 Security Supply Chain Session 提供 token value。
|
||
|
||
2026-05-12 Gitea approval package 追加:已新增 `docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md` 與 `docs/security/gitea-readonly-inventory-approval.snapshot.json`,用 `approval_required_event_v1` 描述 `run_gitea_readonly_inventory` 的人工 gate。AwoooP 可建立 approval candidate,但不得保存 token value 或觸發任何 repo 建立、visibility 修改、refs sync。
|
||
|
||
2026-05-12 再追加:已新增 `scripts/security/local-git-remote-inventory.py`、`docs/schemas/local_git_remote_inventory_v1.schema.json`,並產出 `docs/security/local-git-remote-inventory.snapshot.json`。目前 `local_git_remote_inventory_v1.status=partial`,找到本機可見 working trees 13 個,其中 Gitea linked 6、GitHub linked 6、110 internal-only 3;此結果只作為 Gitea API 受阻時的輔助 evidence。
|
||
|
||
2026-05-12 矩陣追加:已新增 `docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md`,將本機可見 source-control targets 拆成 P0/P1/P2。AwoooP 可 mirror 此矩陣作為 migration planning evidence,但不得依此自動建立、刪除、同步 repo 或切換 primary。
|
||
|
||
2026-05-12 refs diff 追加:已新增 `docs/security/source-control-clawbot-v5.snapshot.json`、`docs/security/source-control-wooo-aiops.snapshot.json`。`wooo/clawbot-v5` 與 `wooo/wooo-aiops` 目前都為 `source_control_migration_event_v1.status=blocked`,不得視為 GitHub primary ready。
|
||
|
||
2026-05-12 draft reconcile plan 追加:已新增 `scripts/security/source-control-reconcile-plan.py`、`docs/schemas/source_control_reconcile_plan_v1.schema.json`,並產出 `docs/security/source-control-reconcile-plan.snapshot.json` 與 `docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md`。此 plan 只涵蓋 `awoooi`、`clawbot-v5`、`wooo-aiops` 三個 refs-blocked mapped repos,狀態為 `draft_blocked`;AwoooP 可 mirror 成 approval candidate,但不得 push refs、force push、刪 refs、切 GitHub primary。
|
||
|
||
2026-05-13 branch/tag detail diff 追加:已新增 `scripts/security/source-control-ref-detail-diff.py`、`docs/schemas/source_control_ref_detail_diff_v1.schema.json`,並產出 `docs/security/source-control-ref-detail-diff.snapshot.json` 與 `docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md`。最新 read-only diff 忽略本 PR 分支後,`awoooi` 仍有 Gitea-only branches 115、Gitea-only tags 2、main SHA 不一致;`clawbot-v5` main SHA 不一致且 GitHub 缺 Gitea tag;`wooo-aiops` GitHub 有 1 條額外 branch 與 19 個 GitHub-only tags。AwoooP 可 mirror 此 evidence,但不得 fetch、push、delete refs 或切 primary。
|
||
|
||
2026-05-13 ref truth classification 追加:已新增 `scripts/security/source-control-ref-truth-classification.py`、`docs/schemas/source_control_ref_truth_classification_v1.schema.json`,並產出 `docs/security/source-control-ref-truth-classification.snapshot.json` 與 `docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md`。目前 141 個 refs review items 已拆成 4 個 `manual_truth_required`、114 個 `manual_review_deprecated_candidate`、3 個 `manual_review_release_tag`、20 個 `manual_review_github_only`。AwoooP 可建立 repo owner review queue,但不得把分類結果直接執行成 refs sync、delete、force push 或 GitHub primary switch。
|
||
|
||
2026-05-12 public search / canonical 追加:Gitea public search 在未提供 token 時可見 `wooo/awoooi`、`wooo/ewoooc`。已新增 `docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md`,其中 `wooo/ewoooc`、`root/momo-pro-system`、`momo-pro-system`、`momo_pro_system` 仍需人工判定 canonical 關係,不得自動合併。
|
||
|
||
2026-05-12 GitHub target probe 追加:已新增 `scripts/security/github-target-probe.py`、`docs/schemas/github_target_probe_v1.schema.json` 與 `docs/security/github-target-probe.snapshot.json`。8 個候選中 5 個可讀,`owenhytsai/ewoooc`、`owenhytsai/bitan-pharmacy`、`owenhytsai/tsenyang-website` 為 `not_found_or_private`。
|
||
|
||
2026-05-12 canonical lineage 追加:已新增 `scripts/security/local-repo-canonical-probe.py`、`docs/schemas/local_repo_canonical_probe_v1.schema.json` 與 `docs/security/local-repo-canonical-ewoooc-momo.snapshot.json`。`ewoooc-momo-pro-system` 群組目前為 `unrelated`,三個本機 working tree 在 sample 內沒有共同 commit,不得自動合併。
|
||
|
||
2026-05-12 internal refs 追加:已新增 `scripts/security/git-remote-refs-probe.py`、`docs/schemas/git_remote_refs_probe_v1.schema.json` 與 `docs/security/git-remote-refs-bitan-tsenyang.snapshot.json`。`bitan-pharmacy`、`tsenyang-website` 的本機 `main` 與 110 remote `main` 對齊,但 GitHub target 仍未確認。另新增 `docs/security/git-remote-refs-wooo-infra-config.snapshot.json`;`wooo-infra-config` 的 GitHub remote 與本機 `main` 對齊,110 internal remote 目前不可讀。
|
||
|
||
2026-05-12 GitHub target 決策追加:已新增 `docs/schemas/github_target_decision_v1.schema.json`、`docs/security/github-target-decision.snapshot.json` 與 `docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md`。8 個 target 候選中 7 個需人工批准;AwoooP 只能 mirror 為 approval candidate,不得自動建立 repo、修改 visibility、同步 refs 或切 GitHub primary。
|
||
|
||
2026-05-12 GitHub target repo-by-repo approval package 追加:已新增 `docs/schemas/github_target_repo_approval_package_v1.schema.json`、`docs/security/github-target-repo-approval-package.snapshot.json` 與 `docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md`。7 個 approval-required targets 已拆成逐 repo pending package;依統帥提醒採低摩擦分階段,不把 read-only evidence 變成阻擋條件。
|
||
|
||
2026-05-12 低摩擦 rollout policy 追加:已新增 `docs/schemas/security_rollout_policy_v1.schema.json`、`docs/security/security-rollout-policy.snapshot.json` 與 `docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md`。AwoooP 初期應採 observe-first / mirror-only,不把 LOW / MEDIUM observation 變成 blocking controls。
|
||
|
||
2026-05-12 contract manifest 追加:已新增 `docs/schemas/security_supply_chain_contract_manifest_v1.schema.json`、`docs/security/security-supply-chain-contract-manifest.snapshot.json` 與 `docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md`。AwoooP 應先讀 manifest 作為 mirror-only contract registry,不把 manifest 當 execution router。
|
||
|
||
2026-05-13 mirror route 追加:已新增 `docs/schemas/security_mirror_route_v1.schema.json`、`docs/security/security-mirror-route.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ROUTE.md`。AwoooP 可依 5 個 route groups 將 30 個 contracts 分流到 Operator Console、Runtime State、Channel Event、Audit evidence 與 Approval Queue;route 只決定目的地、channel policy 與 review lane,不是 execution router。
|
||
|
||
2026-05-13 mirror acceptance 追加:已新增 `docs/schemas/security_mirror_acceptance_v1.schema.json`、`docs/security/security-mirror-acceptance.snapshot.json` 與 `docs/security/SECURITY-MIRROR-ACCEPTANCE.md`。AwoooP 可用 7 個 acceptance checks 驗收 mirror ingestion;blocking checks 只針對 contract count mismatch、缺 event envelope、route coverage 不完整或未脫敏 evidence,不得阻擋 runtime 流程。
|
||
|
||
2026-05-13 mirror quarantine 追加:已新增 `docs/schemas/security_mirror_quarantine_v1.schema.json`、`docs/security/security-mirror-quarantine.snapshot.json` 與 `docs/security/SECURITY-MIRROR-QUARANTINE.md`。AwoooP 可用 5 個 quarantine lanes 隔離驗收失敗 payload,顯示 owner、recovery request 與 retry gate;不得自動重試、不得猜測缺漏 contract、不得阻擋 runtime 流程。
|
||
|
||
2026-05-13 mirror dry-run 追加:已新增 `docs/schemas/security_mirror_dry_run_v1.schema.json`、`docs/security/security-mirror-dry-run.snapshot.json` 與 `docs/security/SECURITY-MIRROR-DRY-RUN.md`。AwoooP 未來可用 6 個 dry-run steps 回報接入演練結果;本 snapshot 狀態為 `contract_defined_not_executed`,不得視為 production ingestion 已啟用。
|
||
|
||
2026-05-13 mirror status rollup 追加:已新增 `docs/schemas/security_mirror_status_rollup_v1.schema.json`、`docs/security/security-mirror-status-rollup.snapshot.json` 與 `docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md`。AwoooP 與 Security Supply Chain Session 可用同一份 rollup 同步 S0-S4、30 個 contracts、approval queue summary、review packet summary 與下一個安全 gate;本契約不授權任何 runtime action。
|
||
|
||
2026-05-13 S3 approval gate 追加:已新增 `docs/schemas/security_approval_gate_v1.schema.json`、`docs/security/security-approval-gate.snapshot.json` 與 `docs/security/SECURITY-APPROVAL-GATE.md`。AwoooP 可用 8 個 gate items 記錄人工批准、拒絕、延後或補 evidence;批准後仍需 follow-up runtime gate,不得直接執行。
|
||
|
||
2026-05-13 S3 decision record 追加:已新增 `docs/schemas/security_approval_decision_record_v1.schema.json`、`docs/security/security-approval-decision-record.snapshot.json` 與 `docs/security/SECURITY-APPROVAL-DECISION-RECORD.md`。AwoooP 可保存人工決策稽核紀錄;目前 0 筆 decision records,所有紀錄都必須 `execution_authorized=false`。
|
||
|
||
2026-05-13 S3 review packet 追加:已新增 `docs/schemas/security_approval_review_packet_v1.schema.json`、`docs/security/security-approval-review-packet.snapshot.json` 與 `docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md`。AwoooP 可顯示 8 個人工審查封包、review lane、required reviewers 與 still forbidden;review packet 不代表批准,也不授權執行。
|
||
|
||
2026-05-13 Kali 112 live 整合狀態追加:已在授權下登入 `192.168.0.112` 做 read-only 盤點與低風險更新,並新增 `docs/schemas/kali_integration_status_v1.schema.json`、`docs/security/kali-integration-status.snapshot.json` 與 `docs/security/KALI-INTEGRATION-STATUS.md`。Kali Scanner API `/health` healthy、`kali-scanner.service` active/enabled、node-exporter 與 wg-easy container up;已 targeted update `nmap`、`nikto`、`nuclei`、`curl`、`openssl`、CA 套件,安裝 `jq`,時區改為 `Asia/Taipei`,更新後無 reboot required。AwoooP 可 mirror health / update / gap evidence,但不得直接啟動 scan、credentialed scan 或 `/execute`。
|
||
|
||
本波仍不做:
|
||
|
||
- runtime DB migration。
|
||
- API endpoint。
|
||
- K8s / NetworkPolicy / RBAC / firewall。
|
||
- production deploy。
|
||
- GitHub 主控切換。
|
||
- Gitea 刪除或停用。
|
||
- Codex API 自動長任務。
|
||
|
||
## 8. 參考文件
|
||
|
||
- [Kali 資訊安全網藍圖](/Users/ogt/awoooi/docs/security/KALI-SECURITY-MESH-BLUEPRINT.md)
|
||
- [Kali 資訊安全網開工準備](/Users/ogt/awoooi/docs/security/KALI-SECURITY-MESH-EXECUTION-READINESS.md)
|
||
- [Kali 112 整合狀態與更新紀錄](/Users/ogt/awoooi/docs/security/KALI-INTEGRATION-STATUS.md)
|
||
- [kali_integration_status_v1 snapshot](/Users/ogt/awoooi/docs/security/kali-integration-status.snapshot.json)
|
||
- [Code Review 接 Codex 與 Gitea 推版優化藍圖](/Users/ogt/awoooi/docs/operations/CODE-REVIEW-CODEX-GITEA-OPTIMIZATION.md)
|
||
- [Gitea 到 GitHub 全量版本轉移 Inventory](/Users/ogt/awoooi/docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md)
|
||
- [Gitea / GitHub migration snapshot](/Users/ogt/awoooi/docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md)
|
||
- [source_control_migration_event_v1 snapshot](/Users/ogt/awoooi/docs/security/gitea-github-awoooi-inventory.snapshot.json)
|
||
- [clawbot-v5 source_control_migration_event_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-clawbot-v5.snapshot.json)
|
||
- [wooo-aiops source_control_migration_event_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-wooo-aiops.snapshot.json)
|
||
- [source-control inventory script](/Users/ogt/awoooi/scripts/security/source-control-migration-inventory.py)
|
||
- [Gitea repo inventory snapshot](/Users/ogt/awoooi/docs/security/GITEA-REPO-INVENTORY-SNAPSHOT.md)
|
||
- [gitea_repo_inventory_v1 snapshot](/Users/ogt/awoooi/docs/security/gitea-repo-inventory.snapshot.json)
|
||
- [Gitea org endpoint blocked snapshot](/Users/ogt/awoooi/docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md)
|
||
- [Gitea org endpoint blocked JSON](/Users/ogt/awoooi/docs/security/gitea-org-repo-inventory-blocked.snapshot.json)
|
||
- [Gitea server-side inventory runbook](/Users/ogt/awoooi/docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md)
|
||
- [Gitea read-only inventory approval package](/Users/ogt/awoooi/docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md)
|
||
- [Gitea read-only inventory approval snapshot](/Users/ogt/awoooi/docs/security/gitea-readonly-inventory-approval.snapshot.json)
|
||
- [Gitea admin export redaction checklist](/Users/ogt/awoooi/docs/security/GITEA-ADMIN-EXPORT-REDACTION-CHECKLIST.md)
|
||
- [Gitea public repo search snapshot](/Users/ogt/awoooi/docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md)
|
||
- [gitea public repo search JSON](/Users/ogt/awoooi/docs/security/gitea-public-repo-search.snapshot.json)
|
||
- [gitea repo inventory script](/Users/ogt/awoooi/scripts/security/gitea-repo-inventory.py)
|
||
- [本機 Git remote inventory snapshot](/Users/ogt/awoooi/docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md)
|
||
- [local_git_remote_inventory_v1 snapshot](/Users/ogt/awoooi/docs/security/local-git-remote-inventory.snapshot.json)
|
||
- [本機 Git remote inventory script](/Users/ogt/awoooi/scripts/security/local-git-remote-inventory.py)
|
||
- [GitHub target probe snapshot](/Users/ogt/awoooi/docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md)
|
||
- [github_target_probe_v1 snapshot](/Users/ogt/awoooi/docs/security/github-target-probe.snapshot.json)
|
||
- [GitHub target probe script](/Users/ogt/awoooi/scripts/security/github-target-probe.py)
|
||
- [GitHub target 決策表](/Users/ogt/awoooi/docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md)
|
||
- [github_target_decision_v1 snapshot](/Users/ogt/awoooi/docs/security/github-target-decision.snapshot.json)
|
||
- [GitHub target repo-by-repo approval package](/Users/ogt/awoooi/docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md)
|
||
- [github_target_repo_approval_package_v1 snapshot](/Users/ogt/awoooi/docs/security/github-target-repo-approval-package.snapshot.json)
|
||
- [低摩擦資安 rollout policy](/Users/ogt/awoooi/docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md)
|
||
- [security_rollout_policy_v1 snapshot](/Users/ogt/awoooi/docs/security/security-rollout-policy.snapshot.json)
|
||
- [Security Supply Chain contract manifest](/Users/ogt/awoooi/docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md)
|
||
- [security_supply_chain_contract_manifest_v1 snapshot](/Users/ogt/awoooi/docs/security/security-supply-chain-contract-manifest.snapshot.json)
|
||
- [資安鏡像狀態彙整契約](/Users/ogt/awoooi/docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md)
|
||
- [security_mirror_status_rollup_v1 snapshot](/Users/ogt/awoooi/docs/security/security-mirror-status-rollup.snapshot.json)
|
||
- [資安人工批准 Gate 契約](/Users/ogt/awoooi/docs/security/SECURITY-APPROVAL-GATE.md)
|
||
- [security_approval_gate_v1 snapshot](/Users/ogt/awoooi/docs/security/security-approval-gate.snapshot.json)
|
||
- [資安人工決策紀錄契約](/Users/ogt/awoooi/docs/security/SECURITY-APPROVAL-DECISION-RECORD.md)
|
||
- [security_approval_decision_record_v1 snapshot](/Users/ogt/awoooi/docs/security/security-approval-decision-record.snapshot.json)
|
||
- [Source Control ref truth classification](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md)
|
||
- [source_control_ref_truth_classification_v1 snapshot](/Users/ogt/awoooi/docs/security/source-control-ref-truth-classification.snapshot.json)
|
||
- [本機 repo canonical lineage snapshot](/Users/ogt/awoooi/docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md)
|
||
- [local_repo_canonical_probe_v1 snapshot](/Users/ogt/awoooi/docs/security/local-repo-canonical-ewoooc-momo.snapshot.json)
|
||
- [本機 repo canonical lineage script](/Users/ogt/awoooi/scripts/security/local-repo-canonical-probe.py)
|
||
- [Internal 110 refs snapshot](/Users/ogt/awoooi/docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md)
|
||
- [git_remote_refs_probe_v1 snapshot](/Users/ogt/awoooi/docs/security/git-remote-refs-bitan-tsenyang.snapshot.json)
|
||
- [wooo-infra-config refs snapshot](/Users/ogt/awoooi/docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md)
|
||
- [wooo-infra-config git_remote_refs_probe_v1 snapshot](/Users/ogt/awoooi/docs/security/git-remote-refs-wooo-infra-config.snapshot.json)
|
||
- [Git remote refs probe script](/Users/ogt/awoooi/scripts/security/git-remote-refs-probe.py)
|
||
- [Source Control 遷移矩陣](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md)
|
||
- [Source Control Canonical Repo 判定表](/Users/ogt/awoooi/docs/security/SOURCE-CONTROL-CANONICAL-DECISION-TABLE.md)
|
||
- [AwoooP Mirror-only 消費清單](/Users/ogt/awoooi/docs/security/AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST.md)
|
||
- [112 / 111 / 168 Observe-only 資產 Mapping](/Users/ogt/awoooi/docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md)
|
||
- [Codex Patch-only Handoff Prompt](/Users/ogt/awoooi/docs/security/CODEX-PATCH-ONLY-HANDOFF-PROMPT.md)
|
||
- [AwoooP x Monitoring / Alerting Convergence Map](/Users/ogt/awoooi/docs/awooop/AWOOOP-MONITORING-ALERTING-CONVERGENCE.md)
|
||
- [AwoooP Master Workplan](/Users/ogt/awoooi/docs/awooop/MASTER-WORKPLAN.md)
|
||
- [security_finding_v1 schema](/Users/ogt/awoooi/docs/schemas/security_finding_v1.schema.json)
|
||
- [kali_integration_status_v1 schema](/Users/ogt/awoooi/docs/schemas/kali_integration_status_v1.schema.json)
|
||
- [coding_task_v1 schema](/Users/ogt/awoooi/docs/schemas/coding_task_v1.schema.json)
|
||
- [source_control_migration_event_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_migration_event_v1.schema.json)
|
||
- [gitea_repo_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/gitea_repo_inventory_v1.schema.json)
|
||
- [local_git_remote_inventory_v1 schema](/Users/ogt/awoooi/docs/schemas/local_git_remote_inventory_v1.schema.json)
|
||
- [github_target_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_probe_v1.schema.json)
|
||
- [github_target_decision_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_decision_v1.schema.json)
|
||
- [github_target_repo_approval_package_v1 schema](/Users/ogt/awoooi/docs/schemas/github_target_repo_approval_package_v1.schema.json)
|
||
- [security_rollout_policy_v1 schema](/Users/ogt/awoooi/docs/schemas/security_rollout_policy_v1.schema.json)
|
||
- [security_supply_chain_contract_manifest_v1 schema](/Users/ogt/awoooi/docs/schemas/security_supply_chain_contract_manifest_v1.schema.json)
|
||
- [security_mirror_status_rollup_v1 schema](/Users/ogt/awoooi/docs/schemas/security_mirror_status_rollup_v1.schema.json)
|
||
- [security_approval_gate_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_gate_v1.schema.json)
|
||
- [security_approval_decision_record_v1 schema](/Users/ogt/awoooi/docs/schemas/security_approval_decision_record_v1.schema.json)
|
||
- [source_control_ref_truth_classification_v1 schema](/Users/ogt/awoooi/docs/schemas/source_control_ref_truth_classification_v1.schema.json)
|
||
- [local_repo_canonical_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/local_repo_canonical_probe_v1.schema.json)
|
||
- [git_remote_refs_probe_v1 schema](/Users/ogt/awoooi/docs/schemas/git_remote_refs_probe_v1.schema.json)
|
||
- [approval_required_event_v1 schema](/Users/ogt/awoooi/docs/schemas/approval_required_event_v1.schema.json)
|