feat(web): land iwooos security posture surfaces
2026-05-25 20:35:52 +08:00
{
"schema_version": "github_target_owner_decision_response_v1",
"status": "draft_waiting_owner_response",
"date": "2026-05-17",
"mode": "owner_decision_response_intake_only",
"runtime_execution_authorized": false,
"source_contract": "github_target_decision_v1",
"target_contract": "github_target_repo_approval_package_v1",
"source_indexes": [
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-repo-approval-package.snapshot.json",
"docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md",
"docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"summary": {
"owner_response_status": "waiting_owner_response",
"target_decision_count": 8,
"approval_required_target_count": 7,
"owner_response_request_packet_count": 1,
"owner_response_template_status_count": 7,
"owner_response_audit_event_template_count": 3,
"owner_response_redaction_example_count": 5,
"owner_response_collection_check_count": 6,
"intake_preflight_check_count": 6,
"response_template_count": 7,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"acceptance_check_count": 8,
"rejection_rule_count": 10,
"repo_creation_authorized": false,
"visibility_change_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"secret_value_collection_allowed": false,
"action_buttons_allowed": false
},
"owner_response_request_packet": {
"request_id": "s4_10_github_target_owner_decision_response_request",
"display_status": "ready_to_request_owner_response",
"requested_packet": "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md",
"required_response_item_count": 7,
"requested_template_ids": [
"target-awoooi-refs-blocked",
"target-clawbot-v5-refs-blocked",
"target-wooo-aiops-refs-blocked",
"target-wooo-infra-config-internal-remote",
"target-ewoooc-private-or-new",
"target-bitan-pharmacy-private-or-new",
"target-tsenyang-website-private-or-new"
],
"owner_instruction_summary": "請 owner 只依 S4.10 七個 templates 回覆 GitHub target 的 owner / visibility / canonical / target disposition，並只引用脫敏 evidence refs；不要貼 token、secret、private clone URL credential、repo archive、git object、API request body 或任何可執行 payload。",
"allowed_response_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"canonical_source",
"github_target_disposition",
"visibility_review_owner",
"refs_truth_review_owner",
"tag_disposition_owner",
"github_only_refs_owner",
"internal_remote_disposition",
"secret_name_inventory_owner",
"server_side_refs_diff_owner",
"active_status",
"evidence_refs",
"followup_owner"
],
"evidence_ref_rules": [
"只允許 repo 內既有文件、snapshot 或已脫敏 owner metadata pointer",
"not_found_or_private 只能作為需補證或 private access request 的 evidence，不得自動視為 repo 不存在",
"canonical_source 未知時必須明確選 unknown_requires_more_evidence 或指定補證 owner",
"不得提供 token value、secret value、private clone URL credential、cookie、session、deploy key value 或截圖中的敏感值",
"不確定是否含敏感值時先走 mirror quarantine，不得直接貼入 response"
],
"forbidden_payloads": [
"token_value",
"secret_value",
"private_key",
"cookie_or_session",
"private_clone_url_credential",
"repo_creation_command",
"visibility_change_command",
"write_or_admin_api_request",
"refs_sync_or_delete_request",
"force_push_or_tag_rewrite_request",
"github_primary_switch_request",
"repo_archive",
"git_object_pack",
"db_dump",
"unrelated_history_merge_request"
],
"allowed_submission_modes": [
"read_only_markdown_response",
"redacted_metadata_pointer",
"request_more_evidence",
"out_of_scope_disposition"
],
"awooop_display_mode": "display_owner_response_request_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary",
"store_secret_value",
"store_token_value"
]
},
"owner_response_template_statuses": [
{
"template_id": "target-awoooi-refs-blocked",
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"display_order": 1,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 `owenhytsai/awoooi` 的 canonical source、visibility review owner 與 refs truth owner；不得把既有 GitHub target 視為可直接 primary。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary",
"store_secret_value",
"store_token_value"
]
},
{
"template_id": "target-clawbot-v5-refs-blocked",
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"display_order": 2,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 `owenhytsai/clawbot-v5` 的 main SHA / tag 真相來源與 tag disposition owner；不得用單一句話批准 refs sync。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary",
"store_secret_value",
"store_token_value"
]
},
{
"template_id": "target-wooo-aiops-refs-blocked",
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"display_order": 3,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 `owenhytsai/wooo-aiops` 的 GitHub-only refs owner 與 disposition；不得刪除 GitHub-only refs。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary",
"store_secret_value",
"store_token_value"
]
},
{
"template_id": "target-wooo-infra-config-internal-remote",
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"display_order": 4,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 `owenhytsai/wooo-infra-config` 的 110 internal remote 用途與 secret name inventory owner；不得刪除 remote 或搬移 secret value。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary",
"store_secret_value",
"store_token_value"
]
},
{
"template_id": "target-ewoooc-private-or-new",
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"display_order": 5,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 `owenhytsai/ewoooc` 與 momo-pro-system 的 canonical 關係、private access request 或 new target candidate disposition；不得自動建立 repo 或合併 unrelated histories。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary",
"store_secret_value",
"store_token_value"
]
},
{
"template_id": "target-bitan-pharmacy-private-or-new",
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"display_order": 6,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 `owenhytsai/bitan-pharmacy` 是否仍 active、GitHub target disposition 與 visibility review owner；不得把 not_found_or_private 當成可直接建立 repo。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary",
"store_secret_value",
"store_token_value"
]
},
{
"template_id": "target-tsenyang-website-private-or-new",
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"display_order": 7,
"collection_status": "waiting_owner_response",
"request_status": "request_ready_not_sent",
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"latest_outcome_lane": "keep_waiting_owner_response",
"next_owner_action": "Owner 需回覆 `owenhytsai/tsenyang-website` 是否仍 active、GitHub target disposition 與 visibility review owner；不得把 not_found_or_private 當成可直接建立 repo。",
"awooop_display_mode": "display_template_status_only",
"execution_authorized": false,
"not_approval": true,
"still_forbidden": [
"create_github_repo",
"change_repo_visibility",
"push_refs",
"delete_refs",
"force_push",
"switch_github_primary",
"store_secret_value",
"store_token_value"
]
}
],
"owner_response_audit_event_templates": [
{
"event_template_id": "audit-github-target-response-request-shown",
"display_order": 1,
"event_status": "template_only_not_emitted",
"trigger": "AwoooP 顯示 S4.10 owner response request packet 時。",
"purpose": "只記錄 request packet 已可顯示或已顯示的 metadata，不代表 owner response 已收到。",
"allowed_metadata_fields": [
"event_template_id",
"request_id",
"requested_template_ids",
"target_contract",
"displayed_by_role",
"displayed_at_taipei",
"source_document_ref"
],
"forbidden_payloads": [
"owner_response_raw_body",
"token_value",
"secret_value",
"private_key",
"cookie_or_session",
"private_clone_url_credential",
"repo_creation_command",
"visibility_change_command",
"write_or_admin_api_request",
"refs_sync_or_delete_request",
"force_push_or_tag_rewrite_request",
"github_primary_switch_request",
"repo_archive",
"git_object_pack",
"db_dump",
"execution_request_payload"
],
"emitted_event_count": 0,
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_audit_template_only",
"execution_authorized": false,
"not_approval": true
},
{
"event_template_id": "audit-github-target-response-received-metadata",
"display_order": 2,
"event_status": "template_only_not_emitted",
"trigger": "Owner 提供 S4.10 GitHub target response metadata pointer 時。",
"purpose": "只記錄 response 已收到的脫敏 metadata pointer；不得保存 response 原文、repo archive、git object 或敏感 payload。",
"allowed_metadata_fields": [
"event_template_id",
"template_id",
"github_repo",
"owner_role_or_team",
"received_at_taipei",
"redacted_evidence_refs",
"source_document_ref"
],
"forbidden_payloads": [
"owner_response_raw_body",
"token_value",
"secret_value",
"private_key",
"cookie_or_session",
"private_clone_url_credential",
"repo_creation_command",
"visibility_change_command",
"write_or_admin_api_request",
"refs_sync_or_delete_request",
"force_push_or_tag_rewrite_request",
"github_primary_switch_request",
"repo_archive",
"git_object_pack",
"db_dump",
"execution_request_payload"
],
"emitted_event_count": 0,
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_audit_template_only",
"execution_authorized": false,
"not_approval": true
},
{
"event_template_id": "audit-github-target-response-outcome-classified",
"display_order": 3,
"event_status": "template_only_not_emitted",
"trigger": "AwoooP 依 S4.10 acceptance checks 與 rejection rules 分類 GitHub target owner response 時。",
"purpose": "只記錄分類結果與下一步提示;不得把 outcome、owner wording 或單項 response 當成 repo / refs / primary 執行授權。",
"allowed_metadata_fields": [
"event_template_id",
"template_id",
"github_repo",
"collection_status",
"latest_outcome_lane",
"next_owner_action",
"classified_at_taipei",
"classified_by_role"
],
"forbidden_payloads": [
"owner_response_raw_body",
"token_value",
"secret_value",
"private_key",
"cookie_or_session",
"private_clone_url_credential",
"repo_creation_command",
"visibility_change_command",
"write_or_admin_api_request",
"refs_sync_or_delete_request",
"force_push_or_tag_rewrite_request",
"github_primary_switch_request",
"repo_archive",
"git_object_pack",
"db_dump",
"execution_request_payload"
],
"emitted_event_count": 0,
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_audit_template_only",
"execution_authorized": false,
"not_approval": true
}
],
"owner_response_redaction_examples": [
{
"example_id": "redaction-github-target-doc-ref",
"display_order": 1,
"example_status": "template_example_only",
"category": "github_target_existing_document_reference",
"safe_response_shape": [
"template_id=target-awoooi-refs-blocked",
"decision=hold_pending_refs_truth",
"canonical_source=wooo/awoooi",
"evidence_refs=[docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md, docs/security/source-control-ref-detail-diff.snapshot.json]",
"decision_reason=引用既有 snapshot 與決策表,不貼 API raw body 或 repo archive"
],
"required_redactions": [
"外部 evidence 只保留 repo 內文件路徑、snapshot 路徑或已脫敏 metadata pointer",
"GitHub API 查詢結果只能摘要為 repo slug、status、review owner 與 evidence ref",
"不得貼完整 API request/response body、header 或 private clone URL"
],
"forbidden_raw_values": [
"token_value",
"secret_value",
"private_clone_url_credential",
"api_request_header",
"api_response_raw_body",
"repo_archive"
],
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_redaction_example_only",
"execution_authorized": false,
"not_approval": true
},
{
"example_id": "redaction-owner-visibility-canonical-metadata",
"display_order": 2,
"example_status": "template_example_only",
"category": "owner_visibility_canonical_metadata",
"safe_response_shape": [
"owner_role_or_team=repo-owner-or-platform-team",
"visibility_review_owner=security-commander",
"canonical_source=unknown_requires_more_evidence",
"decision=unknown_requires_more_evidence",
"followup_owner=source-control-owner"
],
"required_redactions": [
"只寫角色或團隊，不寫個人密碼、session、one-time code 或 API token",
"visibility decision reason 不得包含可重播的管理操作步驟或憑證",
"followup_owner 只代表責任 owner，不代表 repo creation、visibility change 或 primary approval"
],
"forbidden_raw_values": [
"password",
"cookie",
"session",
"one_time_code",
"approval_phrase_as_execution_authorization",
"admin_console_screenshot_with_secret"
],
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_redaction_example_only",
"execution_authorized": false,
"not_approval": true
},
{
"example_id": "redaction-private-target-access-metadata",
"display_order": 3,
"example_status": "template_example_only",
"category": "private_or_new_target_metadata",
"safe_response_shape": [
"template_id=target-ewoooc-private-or-new",
"github_repo=owenhytsai/ewoooc",
"decision=approve_private_target_access_request",
"github_target_disposition=private_access_request_only",
"credential_value_stored=false"
],
"required_redactions": [
"private target 只能寫 repo slug、access request status 與 owner metadata",
"完整 clone URL 只能保留 host、namespace、repo slug；若含 userinfo、query token 或 header 必須移除值",
"不得把 private access request 當成可建立 repo、可 fetch、可 push 或可改 visibility 的指令"
],
"forbidden_raw_values": [
"https_userinfo_credential",
"query_token",
"authorization_header",
"ssh_private_key",
"deploy_key_value",
"git_remote_with_secret"
],
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_redaction_example_only",
"execution_authorized": false,
"not_approval": true
},
{
"example_id": "redaction-refs-truth-dependency-summary",
"display_order": 4,
"example_status": "template_example_only",
"category": "refs_truth_dependency_summary",
"safe_response_shape": [
"template_id=target-clawbot-v5-refs-blocked",
"decision=hold_pending_refs_truth",
"refs_truth_review_owner=source-control-owner",
"server_side_refs_diff_owner=platform-ops",
"blocked_until=[S4.11 refs truth owner response, S4.12 workflow secret name owner response]"
],
"required_redactions": [
"只保留 refs truth 責任 owner、blocking contract 與 evidence ref",
"若引用外部 diff，必須先轉成 repo 內 snapshot 或 redacted metadata pointer",
"不得貼 git object pack、repo archive、可執行 sync/delete/force-push 指令或 unrelated history merge request"
],
"forbidden_raw_values": [
"git_object_pack",
"repo_archive",
"refs_sync_command",
"delete_refs_command",
"force_push_command",
"unrelated_history_merge_request"
],
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_redaction_example_only",
"execution_authorized": false,
"not_approval": true
},
{
"example_id": "redaction-github-target-quarantine-pointer",
"display_order": 5,
"example_status": "template_example_only",
"category": "uncertain_sensitive_payload",
"safe_response_shape": [
"collection_status=quarantine_sensitive_payload",
"quarantine_reason=疑似含 GitHub token、private URL credential、repo archive 或未脫敏截圖",
"raw_payload_stored_in_repo=false",
"next_owner_action=request_redacted_metadata_pointer"
],
"required_redactions": [
"不確定是否含敏感值時先產生 quarantine pointer",
"只留下原因、來源類型、責任 owner 與下一步,不留下原文",
"解除 quarantine 前不得更新 received / accepted count 或 target decision wording"
],
"forbidden_raw_values": [
"owner_response_raw_body",
"github_token_or_pat",
"secret_screenshot",
"private_clone_url_credential",
"credential_file",
"repo_archive",
"execution_request_payload"
],
"stored_raw_payload_allowed": false,
"awooop_display_mode": "display_redaction_example_only",
"execution_authorized": false,
"not_approval": true
}
],
"owner_response_collection_checks": [
{
"check_id": "collection-github-target-request-packet-displayed",
"display_order": 1,
"title": "已顯示 GitHub target owner response request packet",
"required": true,
"pass_condition": "AwoooP 必須只顯示 `owner_response_request_packet` 的 7 個 target templates、允許欄位、脫敏 evidence 規則與禁止 payload；不得附加 repo creation、visibility change、refs sync 或 primary switch 要求。",
"failure_lane": "keep_waiting_owner_response",
"awooop_display": "display_request_packet_only",
"execution_authorized": false,
"not_approval": true
},
{
"check_id": "collection-github-target-read-only-submission-mode",
"display_order": 2,
"title": "GitHub target 收件模式維持 read-only",
"required": true,
"pass_condition": "owner 只能用 read-only markdown response、redacted metadata pointer、request_more_evidence 或 out_of_scope_disposition；不得提交 token、repo archive、git object pack、API write request 或 execution request。",
"failure_lane": "quarantine_sensitive_payload",
"awooop_display": "display_read_only_submission_only",
"execution_authorized": false,
"not_approval": true
},
{
"check_id": "collection-seven-target-template-tracking",
"display_order": 3,
"title": "七個 GitHub targets 分開追蹤",
"required": true,
"pass_condition": "S4.10 七個 requested_template_ids 必須逐 target 追蹤 received / accepted / rejected 狀態;不可用單一整體同意取代逐 repo owner / visibility / canonical response。",
"failure_lane": "request_more_evidence",
"awooop_display": "display_per_target_tracking",
"execution_authorized": false,
"not_approval": true
},
{
"check_id": "collection-github-target-redacted-evidence-only",
"display_order": 4,
"title": "只收 GitHub target 脫敏 evidence refs",
"required": true,
"pass_condition": "收件內容只能包含 repo 內路徑、snapshot path 或已脫敏 metadata pointer；任何不確定是否含 token、private URL credential、secret、repo archive 或 git object 的資料都先進 quarantine。",
"failure_lane": "quarantine_sensitive_payload",
"awooop_display": "display_redacted_evidence_only",
"execution_authorized": false,
"not_approval": true
},
{
"check_id": "collection-github-target-no-approval-language",
"display_order": 5,
"title": "不得把 GitHub target 回覆語意升級成批准",
"required": true,
"pass_condition": "即使 owner response 文字包含同意、OK、可進行或批准，也只能視為 owner / visibility / canonical disposition response；不得視為 repo creation、visibility change、refs sync、delete refs、force push 或 GitHub primary approval。",
"failure_lane": "reject_execution_request",
"awooop_display": "display_scope_response_only",
"execution_authorized": false,
"not_approval": true
},
{
"check_id": "collection-github-target-audit-metadata-only",
"display_order": 6,
"title": "只記錄 GitHub target audit metadata",
"required": true,
"pass_condition": "AwoooP 只能記錄 request shown、response received metadata、template id、github repo、owner role/team、redacted evidence refs 與 outcome lane；不得保存 token value、secret value、private clone URL credential、repo archive、git object pack 或可執行 payload。",
"failure_lane": "quarantine_sensitive_payload",
"awooop_display": "display_audit_metadata_only",
"execution_authorized": false,
"not_approval": true
}
],
"intake_preflight_checks": [
{
"check_id": "preflight-known-github-target",
"display_order": 1,
"title": "回覆必須對應已知 GitHub target",
"required": true,
"pass_condition": "`github_repo` 或 `template_id` 必須對應 S4.10 七個 approval-required targets 之一,不得新增未盤點 repo 或把 not_found_or_private 自動視為可建立。",
"failure_lane": "request_owner_correction",
"awooop_display": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "preflight-required-github-target-owner-fields",
"display_order": 2,
"title": "GitHub target 必填欄位完整",
"required": true,
"pass_condition": "每筆 response 必須有 owner role/team、decision、decision_reason、canonical_source、target disposition 或 out-of-scope disposition、visibility review owner 與 evidence_refs。",
"failure_lane": "request_more_evidence",
"awooop_display": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "preflight-allowed-github-target-decision",
"display_order": 3,
"title": "GitHub target decision 在模板允許值內",
"required": true,
"pass_condition": "`decision` 必須落在對應 response template 的 acceptable_decisions；口頭同意、整體 OK 或未列出的執行語句都不得進入 accepted。",
"failure_lane": "request_owner_correction",
"awooop_display": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "preflight-github-target-redacted-evidence-only",
"display_order": 4,
"title": "只接受 GitHub target 脫敏 evidence refs",
"required": true,
"pass_condition": "`evidence_refs` 只能指向 repo 內文件、snapshot 或 owner 提供的脫敏 metadata pointer；不得含 token、secret、cookie、session、private key、private clone URL credential、repo archive 或 git object。",
"failure_lane": "quarantine_sensitive_payload",
"awooop_display": "quarantine_sensitive_payload",
"execution_authorized": false
},
{
"check_id": "preflight-no-source-control-execution-request",
"display_order": 5,
"title": "不得夾帶 source-control 執行要求",
"required": true,
"pass_condition": "response 不得要求 repo 建立、visibility 修改、refs sync/delete/force-push、workflow/secret/runner 變更、GitHub primary switch、Gitea 停用、Kali scan 或任何 runtime action。",
"failure_lane": "reject_execution_request",
"awooop_display": "reject_execution_request",
"execution_authorized": false
},
{
"check_id": "preflight-all-seven-targets-before-accepted",
"display_order": 6,
"title": "接受前需覆蓋七個 GitHub targets",
"required": true,
"pass_condition": "S4.10 要被標示 accepted 前,七個 response templates 都必須收到可驗收 owner / visibility / canonical response；部分回覆只能維持 waiting 或 request_more_evidence。",
"failure_lane": "keep_waiting_owner_response",
"awooop_display": "ready_for_owner_review",
"execution_authorized": false
}
],
"response_templates": [
{
"template_id": "target-awoooi-refs-blocked",
"github_repo": "owenhytsai/awoooi",
"source_key": "wooo/awoooi",
"target_state": "exists_refs_blocked",
"risk": "HIGH",
"requested_owner_decision": "指定 owner、canonical source、visibility review owner 與 refs truth review owner，維持 refs action disabled。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"canonical_source",
"github_target_disposition",
"visibility_review_owner",
"refs_truth_review_owner",
"evidence_refs"
],
"acceptable_decisions": [
"approve_existing_target_as_candidate",
"hold_pending_refs_truth",
"hold_pending_canonical_review",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/GITEA-GITHUB-MIGRATION-SNAPSHOT.md",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json"
],
"acceptance_criteria": [
"必須明確指定 `wooo/awoooi` 的 canonical source 與 owner review 責任人。",
"必須承認 refs truth / workflow-secret parity / rollback ADR 未完成前不得推 refs 或切 primary。",
"若 decision 是 hold，必須說明下一個 evidence owner。"
],
"rejection_conditions": [
"把既有 GitHub repo 視為可直接 primary。",
"要求 push、delete、force push refs 或修改 visibility。",
"缺 canonical source、visibility review owner 或 refs truth review owner。"
],
"allowed_outputs": [
"更新 GitHub target decision table 的 owner / canonical / visibility read-only 欄位。",
"更新 repo approval package 的 blocked_until 說明。",
"維持 primary readiness blocked。"
],
"execution_authorized": false
},
{
"template_id": "target-clawbot-v5-refs-blocked",
"github_repo": "owenhytsai/clawbot-v5",
"source_key": "wooo/clawbot-v5",
"target_state": "exists_refs_blocked",
"risk": "MEDIUM",
"requested_owner_decision": "指定 main SHA / tag 真相來源與 owner，維持 refs action disabled。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"canonical_source",
"tag_disposition_owner",
"visibility_review_owner",
"evidence_refs"
],
"acceptable_decisions": [
"approve_existing_target_as_candidate",
"hold_pending_refs_truth",
"mark_external_or_out_of_scope",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/SOURCE-CONTROL-CLAWBOT-V5-SNAPSHOT.md",
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-truth-classification.snapshot.json"
],
"acceptance_criteria": [
"必須說明 main SHA 與 tag 差異要由哪個 owner 判定。",
"若仍 active，必須保留 refs review lane。",
"若排除 scope，必須附 owner 理由與後續 disposition。"
],
"rejection_conditions": [
"用單一句話批准 refs sync。",
"未處理 GitHub 缺 Gitea tag 的 disposition。",
"要求刪除任一端 repo 或 refs。"
],
"allowed_outputs": [
"更新 refs truth review lane。",
"更新 approval package 的 owner decision 欄位。",
"維持 refs action disabled。"
],
"execution_authorized": false
},
{
"template_id": "target-wooo-aiops-refs-blocked",
"github_repo": "owenhytsai/wooo-aiops",
"source_key": "wooo/wooo-aiops",
"target_state": "exists_refs_blocked",
"risk": "MEDIUM",
"requested_owner_decision": "指定 GitHub-only branch / tags 的來源 owner 與 disposition，維持 refs action disabled。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"canonical_source",
"github_only_refs_owner",
"visibility_review_owner",
"evidence_refs"
],
"acceptable_decisions": [
"approve_existing_target_as_candidate",
"hold_pending_refs_truth",
"mark_external_or_out_of_scope",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/SOURCE-CONTROL-WOOO-AIOPS-SNAPSHOT.md",
"docs/security/source-control-ref-detail-diff.snapshot.json",
"docs/security/source-control-ref-truth-classification.snapshot.json"
],
"acceptance_criteria": [
"必須指定 GitHub-only branch / tags 的 owner 或補證 owner。",
"必須說明 main SHA truth source 尚未判定時要維持 blocked。",
"若標為 out_of_scope，必須說明與 AwoooP / AWOOOI scope 的關係。"
],
"rejection_conditions": [
"要求刪除 GitHub-only refs。",
"未指定 GitHub-only refs owner。",
"把 refs classification 當成已批准 sync。"
],
"allowed_outputs": [
"更新 refs truth classification 的 owner review 欄位。",
"更新 GitHub target decision table。",
"維持 GitHub primary readiness blocked。"
],
"execution_authorized": false
},
{
"template_id": "target-wooo-infra-config-internal-remote",
"github_repo": "owenhytsai/wooo-infra-config",
"source_key": "wooo/wooo-infra-config",
"target_state": "exists_aligned",
"risk": "MEDIUM",
"requested_owner_decision": "判定 110 internal remote 用途、infra owner 與 secret name inventory owner。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"canonical_source",
"internal_remote_disposition",
"secret_name_inventory_owner",
"evidence_refs"
],
"acceptable_decisions": [
"approve_existing_target_as_candidate",
"hold_pending_canonical_review",
"mark_external_or_out_of_scope",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json"
],
"acceptance_criteria": [
" 110 internal remote active sourcemirrorlegacy ",
" infra secret inventory owner",
" internal remote disposition remote "
],
"rejection_conditions": [
" remote remote URL",
" secret value",
" 110 internal remote "
],
"allowed_outputs": [
" canonical decision table remote disposition",
" workflow / secret name inventory owner gap",
" repo / secret / refs disabled"
],
"execution_authorized": false
},
{
"template_id": "target-ewoooc-private-or-new",
"github_repo": "owenhytsai/ewoooc",
"source_key": "wooo/ewoooc / root/momo-pro-system / momo working trees",
"target_state": "not_found_or_private",
"risk": "HIGH",
"requested_owner_decision": " ewoooc / momo-pro-system canonical GitHub target private repo repo ",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"canonical_source",
"github_target_disposition",
"visibility_review_owner",
"server_side_refs_diff_owner",
"evidence_refs"
],
"acceptable_decisions": [
"approve_private_target_access_request",
"approve_new_target_creation_candidate",
"hold_pending_canonical_review",
"mark_external_or_out_of_scope",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/GITEA-PUBLIC-REPO-SEARCH-SNAPSHOT.md",
"docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json"
],
"acceptance_criteria": [
" `not_found_or_private` ",
" ewoooc / momo-pro-system canonical owner",
" repo repo migration plan"
],
"rejection_conditions": [
" `not_found_or_private` repo ",
" unrelated histories",
" momo / ewoooc working tree"
],
"allowed_outputs": [
" target decision table disposition",
" approval package canonical blocker",
" request_more_evidence lane"
],
"execution_authorized": false
},
{
"template_id": "target-bitan-pharmacy-private-or-new",
"github_repo": "owenhytsai/bitan-pharmacy",
"source_key": "bitan-pharmacy",
"target_state": "not_found_or_private",
"risk": "MEDIUM",
"requested_owner_decision": " repo activeGitHub target dispositionowner visibility review owner",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"active_status",
"canonical_source",
"github_target_disposition",
"visibility_review_owner",
"evidence_refs"
],
"acceptable_decisions": [
"approve_private_target_access_request",
"approve_new_target_creation_candidate",
"hold_pending_canonical_review",
"mark_external_or_out_of_scope",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"acceptance_criteria": [
"Owner states whether the repo is active",
"GitHub target disposition is stated as private repo or out-of-scope",
"If active, the workflow / secret name parity gate is named as a prerequisite"
],
"rejection_conditions": [
"Target repo is assumed to exist, or its creation is requested, without evidence",
"active_status or visibility review owner is missing",
"Response proposes pushing the 110 refs to the remote"
],
"allowed_outputs": [
"Update the active / disposition fields of the target decision table",
"Update blocked_until in the approval package",
"Keep repo creation and refs actions disabled"
],
"execution_authorized": false
},
{
"template_id": "target-tsenyang-website-private-or-new",
"github_repo": "owenhytsai/tsenyang-website",
"source_key": "tsenyang-website",
"target_state": "not_found_or_private",
"risk": "MEDIUM",
"requested_owner_decision": "Confirm whether the repo is active, the GitHub target disposition, the owner, and the visibility review owner",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"active_status",
"canonical_source",
"github_target_disposition",
"visibility_review_owner",
"evidence_refs"
],
"acceptable_decisions": [
"approve_private_target_access_request",
"approve_new_target_creation_candidate",
"hold_pending_canonical_review",
"mark_external_or_out_of_scope",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/github-target-decision.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"acceptance_criteria": [
"Owner states whether the repo is active",
"GitHub target disposition is stated as private repo or out-of-scope",
"If active, the workflow / secret name parity gate is named as a prerequisite"
],
"rejection_conditions": [
"Target repo is assumed to exist, or its creation is requested, without evidence",
"active_status or visibility review owner is missing",
"Response proposes pushing the 110 refs to the remote"
],
"allowed_outputs": [
"Update the active / disposition fields of the target decision table",
"Update blocked_until in the approval package",
"Keep repo creation and refs actions disabled"
],
"execution_authorized": false
}
],
"acceptance_checks": [
{
"check_id": "maps_to_known_github_target",
"title": "maps to a known GitHub target",
"required": true,
"pass_condition": "`github_repo` is one of the 7 approval-required targets in github_target_decision_v1",
"failure_lane": "reject_unknown_target",
"execution_authorized": false
},
{
"check_id": "decision_value_allowed",
"title": "decision value is allowed",
"required": true,
"pass_condition": "`decision` is one of the target template's acceptable_decisions",
"failure_lane": "request_owner_correction",
"execution_authorized": false
},
{
"check_id": "owner_and_visibility_present",
"title": "owner and visibility review owner present",
"required": true,
"pass_condition": "Owner role/team and visibility review owner are present, or the disposition is explicitly out-of-scope",
"failure_lane": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "canonical_source_present",
"title": "canonical source present",
"required": true,
"pass_condition": "An in-scope candidate target names a canonical source, or the decision is unknown_requires_more_evidence",
"failure_lane": "keep_primary_blocked",
"execution_authorized": false
},
{
"check_id": "blocked_until_respected",
"title": "blocked_until respected",
"required": true,
"pass_condition": "Response does not claim or imply that the blocked_until items (refs truth, workflow-secret parity, Gitea inventory, rollback ADR, server-side refs diff) are already satisfied",
"failure_lane": "reject_scope_jump",
"execution_authorized": false
},
{
"check_id": "no_repo_creation_or_visibility_change",
"title": "no repo creation or visibility change",
"required": true,
"pass_condition": "Response contains no repo creation request and no repo visibility change",
"failure_lane": "reject_runtime_source_control_action",
"execution_authorized": false
},
{
"check_id": "no_refs_or_primary_action",
"title": "no refs or primary action",
"required": true,
"pass_condition": "Response requests no push, delete, force push, mirror sync, primary switch or Gitea disable",
"failure_lane": "reject_refs_or_primary_action",
"execution_authorized": false
},
{
"check_id": "secret_values_absent",
"title": "no secret values in the response",
"required": true,
"pass_condition": "`evidence_refs` point only to repo snapshots and owner metadata, and no token, credential, secret value, private key or deploy key value appears anywhere in the response, including decision_reason and other free-text fields",
"failure_lane": "quarantine_sensitive_payload",
"execution_authorized": false
}
],
"rejection_rules": [
"A response containing any token value, PAT, cookie, session, CSRF token, private key or partial credential is quarantined as a whole; it is not redacted and then accepted",
"A response that embeds a repo creation command, API request body, CLI command or automation payload is rejected; the packet records decisions, not executable actions",
"A response that embeds a visibility change command, or asks for a public/private/internal visibility change, is rejected",
"A response that requests a push of refs, a delete of refs, a force push, a mirror sync, a tag rewrite or a branch rewrite is rejected",
"A response that proposes making GitHub primary, disabling Gitea, or demoting Gitea to a fallback is rejected",
"A response missing the owner, the visibility review owner, the canonical source, or an explicit out-of-scope disposition is not accepted",
"`not_found_or_private` is never read as confirmation that a repo should be created",
"A response that does not address the unrelated-histories finding, or that treats the momo / ewoooc working tree as canonical, is rejected",
"An owner decision response is not a repo migration approval, a refs sync approval, or a primary approval",
"A URL or mirror reference not already listed in the evidence refs is routed to quarantine, not followed"
],
"allowed_outputs": [
"Update the read-only owner / visibility / canonical decision fields in `github-target-decision.snapshot.json`",
"Update blocked_until, review owner and evidence refs in `github-target-repo-approval-package.snapshot.json`",
"Update blocker wording in `source-control-primary-readiness-gate.snapshot.json`",
"Update the review lane in `source-control-approval-board.snapshot.json`",
"Route to the request_more_evidence / quarantine lane",
"Keep `github_primary_ready_count=0` and every execution flag false"
],
"forbidden_actions": [
"Create a GitHub repo",
"Change GitHub repo visibility",
"Push, delete, force push, mirror sync or rewrite refs",
"Switch GitHub to primary",
"Disable the Gitea repo",
"Record any secret value, token value, private key, cookie, session or deploy key value",
"Treat this response packet as migration execution approval",
"Add an AwoooP execution action button"
]
}