Files
awoooi/docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md
Your Name e8e15faf28
All checks were successful
CD Pipeline / tests (push) Successful in 1m26s
Code Review / ai-code-review (push) Successful in 12s
CD Pipeline / build-and-deploy (push) Successful in 4m31s
CD Pipeline / post-deploy-checks (push) Successful in 1m32s
feat(security): 擴充 source-control 納管範圍
2026-06-11 19:23:40 +08:00

94 lines
6.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Workflow / Secret 名稱 Redacted Export Request
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-11 |
| 狀態 | 草案,等待 owner / read-only export |
| Schema | `docs/schemas/source_control_workflow_secret_name_export_request_v1.schema.json` |
| Snapshot | `docs/security/source-control-workflow-secret-name-export-request.snapshot.json` |
| 來源契約 | `source_control_workflow_secret_name_inventory_v1` |
| Owner response 收件包 | `docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md` / `docs/security/source-control-workflow-secret-name-owner-response.snapshot.json` |
| 模式 | `redacted_export_request_only` |
| runtime 執行授權 | `false` |
## 0. 核心結論
S4.3 把 S4.2 還缺的控制面 evidence 拆成可交接的 redacted export request。
這不是 API 執行、不是 GitHub primary cutover、也不是 workflow / secret 修改。它只是告訴 repo owner 或未來只讀匯出工具:每個 repo 要補哪些欄位、哪些欄位可以保存、哪些敏感值必須拒收。S4.12 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包讓請求、等待狀態、0 emitted 脫敏 audit metadata、安全回覆範例與回覆可審、可驗收、可拒收但仍不授權任何變更。
## 1. 摘要
| 指標 | 數量 |
|------|------|
| Candidate repos | 10 |
| In-scope export requests | 9 |
| External scope review | 1 |
| Export lanes | 5 |
| S4.12 request packet | 1 |
| S4.12 template statuses | 5 |
| S4.12 audit event templates | 3 |
| S4.12 redaction examples | 5 |
| S4.12 collection checks | 6 |
| S4.12 intake preflight checks | 6 |
| S4.12 response templates | 5 |
| S4.12 received / accepted / rejected | `0 / 0 / 0` |
| Webhook export request repos | 2 |
| Runner export request repos | 5 |
| Deploy key export request repos | 1 |
| Branch protection / CODEOWNERS export request repos | 6 |
| Repository secret name parity export request repos | 9 |
| Secret value collection allowed | `false` |
| Write token allowed | `false` |
| Runtime actions authorized | `false` |
## 2. Export Lanes
| Lane | 可保存 | 禁止保存 |
|------|--------|----------|
| Webhook | provider、webhook name、redacted host、event types、enabled flag、owner | webhook secret、含 token URL、header、cookie、body |
| Runner | runner label、scope、executor type、host alias、self-hosted / hosted、owner | registration token、admin token、SSH key、host password |
| Deploy key | key name、read-only flag、repo scope、owner、last seen metadata | private key、完整 public key、token、password |
| Branch protection / CODEOWNERS | protected branch、required checks、review count、CODEOWNERS path、owner teams | team secret、PAT、admin override token |
| Repository secret names | secret name、scope、owner、used by workflow、present in Gitea / GitHub | secret value、plaintext、token、private key、credential value |
## 3. Repo Request
| Repo | Request state | Requested lanes |
|------|---------------|-----------------|
| `owenhytsai/awoooi` | waiting owner export | webhook、runner、branch protection / CODEOWNERS、repository secret name parity |
| `owenhytsai/clawbot-v5` | waiting owner export | branch protection / CODEOWNERS、repository secret name parity |
| `owenhytsai/wooo-aiops` | waiting owner export | webhook、runner、repository secret name parity |
| `owenhytsai/wooo-infra-config` | waiting owner export | runner、deploy key、branch protection / CODEOWNERS、repository secret name parity |
| `owenhytsai/ewoooc` | waiting owner export | runner、branch protection / CODEOWNERS、repository secret name parity |
| `owenhytsai/bitan-pharmacy` | waiting owner export | repository secret name parity |
| `owenhytsai/tsenyang-website` | waiting owner export | repository secret name parity |
| `nexu-io/open-design` | waiting scope review | 不進 AWOOOI primary cutover queue |
| `owenhytsai/VibeWork` | waiting owner export | branch protection / CODEOWNERS、repository secret name parity保留獨立產品邊界 |
| `owenhytsai/agent-bounty-protocol` | waiting owner export | runner、branch protection / CODEOWNERS、repository secret name parity補 agent / bounty / treasury / execution surface 邊界 |
## 4. AwoooP 可做
1. 顯示每個 repo 等待哪一類 redacted export。
2. 顯示 owner export / read-only API export 的 acceptance gate。
3. 顯示 GitHub hosted runner 可能造成額度消耗的 review lane。
4. 把完成的 redacted export 作為 Audit evidence 等待人工審查。
5. 若 payload 含敏感值,送進 mirror quarantine。
6. 顯示 S4.12 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks、templates、acceptance checks 與 rejection rules。
## 5. AwoooP 不可做
1. 不呼叫 write API。
2. 不顯示或保存 secret value、token value、cookie、private key、webhook secret、runner registration token。
3. 不修改 workflow、webhook、runner、deploy key、branch protection 或 secret。
4. 不建立 GitHub repo、不 sync refs、不切 GitHub primary。
5. 不把 export request 當成已批准或已完成的 evidence。
## 6. 階段定位
S4.1 建立 inventory gateS4.2 補本機 workflow / CODEOWNERS / referenced secret name evidenceS4.3 補「下一步匯出請求包」。
S4.12 補「owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與收件包」,固定 5 類 export lanes 的請求欄位、等待狀態、0 emitted 脫敏 audit metadata、安全回覆範例、只讀收件檢查、只讀 preflight、回覆欄位與拒收規則避免後續誤收 secret value、誤用 write token、誤啟 GitHub hosted runner 或誤改 workflow。
這仍然是低摩擦框架期:先把資料責任、欄位邊界與拒收規則定清楚,避免後續真的接 owner export 或只讀 API 時誤收秘密值、誤用 write token或誤把資料補齊當成主控切換批准。