516 lines
24 KiB
JSON
516 lines
24 KiB
JSON
{
|
||
"schema_version": "security_supply_chain_contract_manifest_v1",
|
||
"status": "draft",
|
||
"default_enforcement_level": "mirror_only",
|
||
"contract_count": 30,
|
||
"contracts": [
|
||
{
|
||
"contract": "security_rollout_policy_v1",
|
||
"schema_path": "docs/schemas/security_rollout_policy_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-rollout-policy.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md"],
|
||
"consumer": "AwoooP read-only policy / Operator Console",
|
||
"consumption_mode": "read_only_policy",
|
||
"allowed_actions": ["mirror_policy", "display_mode", "recommend_observe_warn_approval"],
|
||
"forbidden_actions": ["runtime_enforcement", "auto_block_low_medium_observation"],
|
||
"notes": "初期 observe-first / mirror-only,不把資安網變成流程負擔。"
|
||
},
|
||
{
|
||
"contract": "security_finding_v1",
|
||
"schema_path": "docs/schemas/security_finding_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-finding-kali-sample.snapshot.json"],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-FINDING-CONTRACT.md",
|
||
"docs/security/KALI-SECURITY-MESH-BLUEPRINT.md"
|
||
],
|
||
"consumer": "AwoooP Runtime State / Channel Event / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_redacted_finding", "display_security_posture"],
|
||
"forbidden_actions": ["active_scan", "store_raw_secret", "store_exploit_payload"],
|
||
"notes": "承接 Kali / Trivy / ZAP / Semgrep / detect-secrets 類 findings。"
|
||
},
|
||
{
|
||
"contract": "kali_integration_status_v1",
|
||
"schema_path": "docs/schemas/kali_integration_status_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/kali-integration-status.snapshot.json"],
|
||
"human_docs": ["docs/security/KALI-INTEGRATION-STATUS.md"],
|
||
"consumer": "AwoooP security posture / Operator Console",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_kali_health",
|
||
"display_update_status",
|
||
"display_integration_gaps",
|
||
"create_approval_candidate_for_active_scan_or_full_upgrade"
|
||
],
|
||
"forbidden_actions": [
|
||
"run_active_scan",
|
||
"run_execute_endpoint",
|
||
"store_api_key_or_password",
|
||
"full_upgrade_or_reboot_without_window"
|
||
],
|
||
"notes": "112 已有 live scanner health 與低風險更新;finding ingestion / AwoooP runtime mirror 尚未接通。"
|
||
},
|
||
{
|
||
"contract": "kali_scan_scope_approval_v1",
|
||
"schema_path": "docs/schemas/kali_scan_scope_approval_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/kali-scan-scope-approval.snapshot.json"],
|
||
"human_docs": ["docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md"],
|
||
"consumer": "AwoooP approval queue / Operator Console",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": ["mirror_scan_scope", "display_approval_gate", "create_approval_candidate"],
|
||
"forbidden_actions": [
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"store_secret_value",
|
||
"auto_block_deploy",
|
||
"full_upgrade_or_reboot_without_window"
|
||
],
|
||
"notes": "定義 Kali 112、111/168 dev hosts、核心 runtime hosts 與 web perimeter 的掃描深度;高風險動作 blocked_until_approved。"
|
||
},
|
||
{
|
||
"contract": "security_approval_queue_v1",
|
||
"schema_path": "docs/schemas/security_approval_queue_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-approval-queue.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-APPROVAL-QUEUE.md"],
|
||
"consumer": "AwoooP approval queue / Operator Console / Audit",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": ["mirror_queue_item", "display_review_order", "create_approval_candidate", "record_human_decision"],
|
||
"forbidden_actions": [
|
||
"execute_queue_item",
|
||
"start_scan",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"switch_github_primary",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "集中整理 Kali、Gitea/GitHub、refs truth classification 等 pending approval / block candidate;不授權執行。"
|
||
},
|
||
{
|
||
"contract": "security_approval_gate_v1",
|
||
"schema_path": "docs/schemas/security_approval_gate_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-approval-gate.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-APPROVAL-GATE.md"],
|
||
"consumer": "AwoooP approval queue / Audit / Operator Console",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": ["mirror_approval_gate", "record_human_decision", "display_followup_runtime_gate"],
|
||
"forbidden_actions": [
|
||
"execute_gate_item",
|
||
"auto_approve",
|
||
"execute_after_approval_without_runtime_gate",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 S3 人工批准 gate 的決策語言與留痕格式;批准後仍不得自動執行,必須有後續 runtime gate。"
|
||
},
|
||
{
|
||
"contract": "security_approval_decision_record_v1",
|
||
"schema_path": "docs/schemas/security_approval_decision_record_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-approval-decision-record.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-APPROVAL-DECISION-RECORD.md"],
|
||
"consumer": "AwoooP Audit / Operator Console",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": ["record_human_decision", "display_decision_scope", "display_followup_runtime_gate"],
|
||
"forbidden_actions": [
|
||
"execute_decision_record",
|
||
"auto_approve",
|
||
"execute_after_decision_without_runtime_gate",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 S3 人工決策紀錄格式;記錄 approve/reject/defer/request_more_evidence/keep_blocked,但不授權執行。"
|
||
},
|
||
{
|
||
"contract": "security_approval_review_packet_v1",
|
||
"schema_path": "docs/schemas/security_approval_review_packet_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-approval-review-packet.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md"],
|
||
"consumer": "AwoooP Approval Queue / Operator Console / Audit",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": ["mirror_review_packet", "display_review_lane", "display_required_reviewers", "prepare_human_decision"],
|
||
"forbidden_actions": [
|
||
"execute_review_packet",
|
||
"treat_review_packet_as_approval",
|
||
"auto_approve",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 S3.2 人工審查封包格式;把 queue/gate 轉成可審查資料,但不代表批准或執行授權。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_readiness_v1",
|
||
"schema_path": "docs/schemas/security_mirror_readiness_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-mirror-readiness.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-MIRROR-READINESS.md"],
|
||
"consumer": "AwoooP Operator Console / Runtime State / Channel Event / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_readiness_index", "display_contract_readiness", "display_partial_or_contract_only_reason"],
|
||
"forbidden_actions": [
|
||
"execute_mirror_item",
|
||
"start_scan",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"switch_github_primary",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "整理 30 個 Security Supply Chain contracts 的 mirror readiness,供 AwoooP 安全消費。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_intake_plan_v1",
|
||
"schema_path": "docs/schemas/security_mirror_intake_plan_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-mirror-intake-plan.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-MIRROR-INTAKE-PLAN.md"],
|
||
"consumer": "AwoooP Operator Console / Runtime State / Channel Event / Audit / Approval Queue",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_intake_wave", "display_acceptance_gate", "display_blocked_processing"],
|
||
"forbidden_actions": [
|
||
"execute_intake_wave",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"production_deploy",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only intake waves、destinations、allowed/blocked processing 與 acceptance gates。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_event_v1",
|
||
"schema_path": "docs/schemas/security_mirror_event_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-mirror-event-sample.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md"],
|
||
"consumer": "AwoooP Runtime State / Channel Event / Audit / Operator Console",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_event_envelope", "display_redaction_status", "display_blocked_actions"],
|
||
"forbidden_actions": [
|
||
"execute_event",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only 事件 envelope,所有事件都必須標示 execution_authorized=false 與 action_buttons_allowed=false。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_route_v1",
|
||
"schema_path": "docs/schemas/security_mirror_route_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-mirror-route.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-MIRROR-ROUTE.md"],
|
||
"consumer": "AwoooP Operator Console / Runtime State / Channel Event / Audit / Approval Queue",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_route_matrix", "display_route_group", "display_channel_policy", "display_review_lane"],
|
||
"forbidden_actions": [
|
||
"execute_route_group",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only route groups、destination、channel policy 與 review lane;不作 execution router。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_acceptance_v1",
|
||
"schema_path": "docs/schemas/security_mirror_acceptance_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-mirror-acceptance.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-MIRROR-ACCEPTANCE.md"],
|
||
"consumer": "AwoooP Operator Console / Runtime State / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_acceptance_checks", "display_acceptance_result", "display_blocking_check_failure"],
|
||
"forbidden_actions": [
|
||
"execute_acceptance_check",
|
||
"runtime_block_product_flow",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only ingestion 驗收 checks;只阻擋不完整或未脫敏的鏡像資料,不作 runtime blocker。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_quarantine_v1",
|
||
"schema_path": "docs/schemas/security_mirror_quarantine_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-mirror-quarantine.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-MIRROR-QUARANTINE.md"],
|
||
"consumer": "AwoooP Operator Console / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_quarantine_lane", "display_recovery_request", "display_retry_gate"],
|
||
"forbidden_actions": [
|
||
"auto_retry_failed_payload",
|
||
"runtime_block_product_flow",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only 驗收失敗隔離、修復回報與 retry gate;不作 runtime blocker。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_dry_run_v1",
|
||
"schema_path": "docs/schemas/security_mirror_dry_run_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-mirror-dry-run.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-MIRROR-DRY-RUN.md"],
|
||
"consumer": "AwoooP Operator Console / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_dry_run_report", "display_dry_run_step", "display_no_runtime_action_evidence"],
|
||
"forbidden_actions": [
|
||
"execute_dry_run_step",
|
||
"production_ingestion",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only 接入演練回報格式;本 snapshot 只表示契約已定義,尚未代表 AwoooP 已執行 dry-run。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_status_rollup_v1",
|
||
"schema_path": "docs/schemas/security_mirror_status_rollup_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/security-mirror-status-rollup.snapshot.json"],
|
||
"human_docs": ["docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md"],
|
||
"consumer": "AwoooP Operator Console / Runtime State / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_status_rollup", "display_phase_status", "display_next_safe_gate"],
|
||
"forbidden_actions": [
|
||
"execute_rollup_action",
|
||
"runtime_authorization",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP 與 Security Supply Chain Session 的共同狀態摘要;只顯示階段、下一個 gate 與禁止事項,不授權執行。"
|
||
},
|
||
{
|
||
"contract": "coding_task_v1",
|
||
"schema_path": "docs/schemas/coding_task_v1.schema.json",
|
||
"snapshot_paths": [],
|
||
"human_docs": ["docs/security/CODEX-PATCH-ONLY-HANDOFF-PROMPT.md"],
|
||
"consumer": "AwoooP Approval candidate / Codex patch-only handoff",
|
||
"consumption_mode": "suggest_only",
|
||
"allowed_actions": ["create_patch_backlog", "request_reviewers", "open_draft_plan"],
|
||
"forbidden_actions": ["auto_merge", "production_deploy", "secret_rotation"],
|
||
"notes": "Code Review 後需要 coding 的工作只能進 patch-only / draft PR lane。"
|
||
},
|
||
{
|
||
"contract": "source_control_migration_event_v1",
|
||
"schema_path": "docs/schemas/source_control_migration_event_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/gitea-github-awoooi-inventory.snapshot.json",
|
||
"docs/security/source-control-clawbot-v5.snapshot.json",
|
||
"docs/security/source-control-wooo-aiops.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md",
|
||
"docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md"
|
||
],
|
||
"consumer": "AwoooP migration matrix evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_diff_summary", "display_blocking_reason"],
|
||
"forbidden_actions": ["sync_refs", "switch_github_primary", "delete_gitea_repo"],
|
||
"notes": "目前 mapped repos 仍 blocked,不可切 primary。"
|
||
},
|
||
{
|
||
"contract": "gitea_repo_inventory_v1",
|
||
"schema_path": "docs/schemas/gitea_repo_inventory_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/gitea-repo-inventory.snapshot.json",
|
||
"docs/security/gitea-public-repo-search.snapshot.json",
|
||
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md",
|
||
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md"
|
||
],
|
||
"consumer": "AwoooP migration matrix evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_public_only_inventory", "create_readonly_inventory_approval_candidate"],
|
||
"forbidden_actions": ["store_token_value", "write_to_gitea", "delete_or_archive_repo"],
|
||
"notes": "目前是 partial/public_only,private/internal 全量需批准後補齊。"
|
||
},
|
||
{
|
||
"contract": "local_git_remote_inventory_v1",
|
||
"schema_path": "docs/schemas/local_git_remote_inventory_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/local-git-remote-inventory.snapshot.json"],
|
||
"human_docs": ["docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md"],
|
||
"consumer": "AwoooP source-control coverage evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_remote_coverage", "display_internal_110_risk"],
|
||
"forbidden_actions": ["modify_remote", "treat_as_server_full_inventory"],
|
||
"notes": "本機可見 working tree 只能作輔助 evidence。"
|
||
},
|
||
{
|
||
"contract": "github_target_probe_v1",
|
||
"schema_path": "docs/schemas/github_target_probe_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/github-target-probe.snapshot.json"],
|
||
"human_docs": ["docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md"],
|
||
"consumer": "AwoooP migration target evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_target_visibility", "display_not_found_or_private"],
|
||
"forbidden_actions": ["auto_create_repo", "assume_not_found_means_absent"],
|
||
"notes": "not_found_or_private 只代表未授權 probe 看不到。"
|
||
},
|
||
{
|
||
"contract": "github_target_decision_v1",
|
||
"schema_path": "docs/schemas/github_target_decision_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/github-target-decision.snapshot.json"],
|
||
"human_docs": ["docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md"],
|
||
"consumer": "AwoooP approval candidate / migration target evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_target_decision", "create_approval_candidate"],
|
||
"forbidden_actions": ["change_visibility", "create_repo", "sync_refs"],
|
||
"notes": "8 個 targets 中 7 個需要人工批准。"
|
||
},
|
||
{
|
||
"contract": "github_target_repo_approval_package_v1",
|
||
"schema_path": "docs/schemas/github_target_repo_approval_package_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/github-target-repo-approval-package.snapshot.json"],
|
||
"human_docs": ["docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md"],
|
||
"consumer": "AwoooP approval queue draft",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": ["display_repo_approval_queue", "request_owner_decision"],
|
||
"forbidden_actions": ["execute_approval_item", "push_refs", "change_visibility"],
|
||
"notes": "7 個 pending packages,逐 repo 低摩擦批准。"
|
||
},
|
||
{
|
||
"contract": "source_control_approval_board_v1",
|
||
"schema_path": "docs/schemas/source_control_approval_board_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/source-control-approval-board.snapshot.json"],
|
||
"human_docs": ["docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md"],
|
||
"consumer": "AwoooP approval board / PR reviewer",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_repo_decision_board",
|
||
"display_pending_owner_visibility_canonical_decisions",
|
||
"request_human_approval"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_board_item",
|
||
"sync_refs",
|
||
"create_repo",
|
||
"switch_github_primary"
|
||
],
|
||
"notes": "彙整 8 個 target,其中 7 個 pending approval;authenticated inventory gate 仍 blocked。"
|
||
},
|
||
{
|
||
"contract": "source_control_reconcile_plan_v1",
|
||
"schema_path": "docs/schemas/source_control_reconcile_plan_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/source-control-reconcile-plan.snapshot.json"],
|
||
"human_docs": ["docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md"],
|
||
"consumer": "AwoooP approval candidate / migration reviewer",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_draft_reconcile_plan",
|
||
"display_refs_blocking_reason",
|
||
"request_single_repo_approval"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_reconcile_plan",
|
||
"push_refs",
|
||
"force_push",
|
||
"switch_github_primary"
|
||
],
|
||
"notes": "只針對 3 個 refs-blocked mapped repos 產生 draft plan;inventory gate 仍 blocked,不可執行。"
|
||
},
|
||
{
|
||
"contract": "source_control_ref_detail_diff_v1",
|
||
"schema_path": "docs/schemas/source_control_ref_detail_diff_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/source-control-ref-detail-diff.snapshot.json"],
|
||
"human_docs": ["docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md"],
|
||
"consumer": "AwoooP migration reviewer / PR reviewer",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_branch_tag_diff",
|
||
"display_ref_counts",
|
||
"support_single_repo_reconcile_review"
|
||
],
|
||
"forbidden_actions": [
|
||
"fetch_refs",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"switch_github_primary"
|
||
],
|
||
"notes": "只保存 branch/tag 明細 diff;忽略本 PR 分支避免 evidence 自我污染。"
|
||
},
|
||
{
|
||
"contract": "source_control_ref_truth_classification_v1",
|
||
"schema_path": "docs/schemas/source_control_ref_truth_classification_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/source-control-ref-truth-classification.snapshot.json"],
|
||
"human_docs": ["docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md"],
|
||
"consumer": "AwoooP migration reviewer / repo owner approval queue",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_ref_truth_classification",
|
||
"display_truth_source_candidates",
|
||
"request_single_ref_human_review"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_classification",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"switch_github_primary"
|
||
],
|
||
"notes": "把 refs diff 分成 main/dev 真相來源、drift deprecated 候選、release tag 與 GitHub-only review lane;仍不授權 sync。"
|
||
},
|
||
{
|
||
"contract": "local_repo_canonical_probe_v1",
|
||
"schema_path": "docs/schemas/local_repo_canonical_probe_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/local-repo-canonical-ewoooc-momo.snapshot.json"],
|
||
"human_docs": ["docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md"],
|
||
"consumer": "AwoooP canonical decision evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_lineage_summary", "display_unrelated_warning"],
|
||
"forbidden_actions": ["auto_merge_histories", "delete_working_tree"],
|
||
"notes": "momo/ewoooc 目前 sample 無共同 commit,不可自動合併。"
|
||
},
|
||
{
|
||
"contract": "git_remote_refs_probe_v1",
|
||
"schema_path": "docs/schemas/git_remote_refs_probe_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/git-remote-refs-bitan-tsenyang.snapshot.json",
|
||
"docs/security/git-remote-refs-wooo-infra-config.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
|
||
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md"
|
||
],
|
||
"consumer": "AwoooP source readiness evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": ["mirror_refs_readiness", "display_unreachable_remote"],
|
||
"forbidden_actions": ["fetch", "push", "sync_refs"],
|
||
"notes": "只做 ls-remote 類 read-only refs evidence。"
|
||
},
|
||
{
|
||
"contract": "approval_required_event_v1",
|
||
"schema_path": "docs/schemas/approval_required_event_v1.schema.json",
|
||
"snapshot_paths": ["docs/security/gitea-readonly-inventory-approval.snapshot.json"],
|
||
"human_docs": ["docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md"],
|
||
"consumer": "AwoooP approval queue / Audit",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": ["display_approval_candidate", "record_human_decision"],
|
||
"forbidden_actions": ["auto_approve", "store_token_value", "execute_without_approval"],
|
||
"notes": "高風險或敏感邊界的唯一升級入口。"
|
||
}
|
||
]
|
||
}
|