419 lines
19 KiB
JSON
419 lines
19 KiB
JSON
{
|
||
"schema_version": "source_control_workflow_secret_name_owner_response_v1",
|
||
"status": "draft_waiting_owner_response",
|
||
"date": "2026-05-17",
|
||
"mode": "owner_workflow_secret_name_response_intake_only",
|
||
"runtime_execution_authorized": false,
|
||
"source_contract": "source_control_workflow_secret_name_inventory_v1",
|
||
"target_contract": "source_control_workflow_secret_name_export_request_v1",
|
||
"source_indexes": [
|
||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
|
||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
|
||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md",
|
||
"docs/security/source-control-primary-readiness-gate.snapshot.json",
|
||
"docs/security/security-approval-review-packet.snapshot.json",
|
||
"docs/security/security-followup-runtime-gate.snapshot.json"
|
||
],
|
||
"summary": {
|
||
"owner_response_status": "waiting_owner_response",
|
||
"candidate_repo_count": 8,
|
||
"in_scope_repo_count": 7,
|
||
"export_request_count": 7,
|
||
"export_lane_count": 5,
|
||
"local_evidence_repo_count": 4,
|
||
"local_workflow_file_count": 31,
|
||
"local_referenced_secret_name_count": 43,
|
||
"response_template_count": 5,
|
||
"received_response_count": 0,
|
||
"accepted_response_count": 0,
|
||
"rejected_response_count": 0,
|
||
"acceptance_check_count": 8,
|
||
"rejection_rule_count": 10,
|
||
"secret_value_collection_allowed": false,
|
||
"write_token_allowed": false,
|
||
"workflow_modification_authorized": false,
|
||
"webhook_modification_authorized": false,
|
||
"runner_change_authorized": false,
|
||
"deploy_key_change_authorized": false,
|
||
"branch_protection_change_authorized": false,
|
||
"repo_secret_change_authorized": false,
|
||
"github_hosted_runner_enable_authorized": false,
|
||
"refs_sync_authorized": false,
|
||
"github_primary_switch_authorized": false,
|
||
"action_buttons_allowed": false
|
||
},
|
||
"response_templates": [
|
||
{
|
||
"template_id": "response-webhook-redacted-export",
|
||
"lane": "webhook_redacted_export_request",
|
||
"affected_repos": [
|
||
"owenhytsai/awoooi",
|
||
"owenhytsai/wooo-aiops"
|
||
],
|
||
"risk": "MEDIUM",
|
||
"covered_repo_count": 2,
|
||
"requested_owner_decision": "回覆 webhook 名稱、redacted host、事件類型、enabled flag 與 owner;不得包含 webhook secret、token URL、header、cookie 或 payload body。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"repo",
|
||
"provider",
|
||
"webhook_name_or_none",
|
||
"destination_host_redacted",
|
||
"event_types",
|
||
"active_enabled_flag",
|
||
"webhook_owner",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"provide_redacted_webhook_inventory_candidate",
|
||
"mark_no_webhook_candidate",
|
||
"hold_pending_webhook_owner",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
|
||
"docs/security/source-control-primary-readiness-gate.snapshot.json",
|
||
"docs/security/security-mirror-quarantine.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"只允許保存 redacted host、event types、enabled flag 與 owner。",
|
||
"必須標示 primary cutover 後哪一端負責發 webhook,或明確要求補證。",
|
||
"必須承認 response 通過後只更新 read-only inventory / readiness wording,不修改 webhook。"
|
||
],
|
||
"rejection_conditions": [
|
||
"含 webhook secret、完整 payload URL、query token、header、cookie 或 request body。",
|
||
"要求立即建立、停用或修改 webhook。",
|
||
"缺 repo、provider、webhook owner 或 no-webhook disposition。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 `source-control-workflow-secret-name-export-request.snapshot.json` 的 webhook read-only owner response 欄位。",
|
||
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 workflow/webhook blocker wording。",
|
||
"建立 request_more_evidence / quarantine lane。"
|
||
],
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"template_id": "response-runner-label-owner",
|
||
"lane": "runner_label_owner_export_request",
|
||
"affected_repos": [
|
||
"owenhytsai/awoooi",
|
||
"owenhytsai/wooo-aiops",
|
||
"owenhytsai/wooo-infra-config",
|
||
"owenhytsai/ewoooc"
|
||
],
|
||
"risk": "HIGH",
|
||
"covered_repo_count": 4,
|
||
"requested_owner_decision": "回覆 runner label、executor type、hosted/self-hosted、owner 與 GitHub hosted minutes 風險;不得包含 runner registration token、admin token、SSH key 或 host password。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"repo",
|
||
"provider",
|
||
"runner_label_or_none",
|
||
"runner_scope",
|
||
"executor_type",
|
||
"hosted_or_self_hosted",
|
||
"runner_owner",
|
||
"github_hosted_minutes_risk",
|
||
"maintenance_window",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"keep_self_hosted_runner_candidate",
|
||
"approve_hosted_runner_risk_review_candidate",
|
||
"mark_no_runner_candidate",
|
||
"hold_pending_runner_owner",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
|
||
"docs/security/source-control-primary-readiness-gate.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"必須標示 runner 是 self-hosted 或 hosted;若 hosted,必須列入額度風險 review,而不是啟用批准。",
|
||
"必須指定 runner owner 與維護窗口,或明確要求補證。",
|
||
"必須承認 response 不授權新增 runner、不授權改 workflow、不授權消耗 GitHub hosted minutes。"
|
||
],
|
||
"rejection_conditions": [
|
||
"含 runner registration token、admin token、SSH private key、host password 或 API token。",
|
||
"要求立即啟用 GitHub hosted runner 或改 runner label。",
|
||
"把 hosted runner risk review candidate 當成使用 GitHub Actions 額度的批准。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 runner label owner review lane。",
|
||
"更新 GitHub hosted runner 額度風險 wording。",
|
||
"維持 workflow / runner execution disabled。"
|
||
],
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"template_id": "response-deploy-key-redacted-export",
|
||
"lane": "deploy_key_redacted_export_request",
|
||
"affected_repos": [
|
||
"owenhytsai/wooo-infra-config"
|
||
],
|
||
"risk": "HIGH",
|
||
"covered_repo_count": 1,
|
||
"requested_owner_decision": "回覆 deploy key / machine key 名稱、read-only flag、repo scope 與 owner;不得包含 private key、完整 public key、token value 或 password。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"repo",
|
||
"provider",
|
||
"key_name_or_none",
|
||
"read_only_flag",
|
||
"repo_scope",
|
||
"key_owner",
|
||
"rotation_owner",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"provide_deploy_key_name_scope_candidate",
|
||
"mark_no_deploy_key_candidate",
|
||
"mark_write_capable_key_risk_candidate",
|
||
"hold_pending_key_owner",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
|
||
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md",
|
||
"docs/security/security-mirror-quarantine.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"只允許 key 名稱、read-only flag、repo scope、owner 與 rotation owner。",
|
||
"write-capable key 只能列為風險 candidate,不得自動 rotate 或刪除。",
|
||
"必須承認 response 不授權搬移 key、不授權貼 private key、不授權修改 deploy key。"
|
||
],
|
||
"rejection_conditions": [
|
||
"含 private key、完整 public key、token value、password 或 credential value。",
|
||
"要求立即 rotate、刪除或新增 deploy key。",
|
||
"缺 key owner / rotation owner 或 no-key disposition。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 deploy key read-only risk lane。",
|
||
"更新 primary readiness key blocker wording。",
|
||
"建立 key_owner request_more_evidence lane。"
|
||
],
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"template_id": "response-branch-protection-codeowners",
|
||
"lane": "branch_protection_codeowners_export_request",
|
||
"affected_repos": [
|
||
"owenhytsai/awoooi",
|
||
"owenhytsai/clawbot-v5",
|
||
"owenhytsai/wooo-infra-config",
|
||
"owenhytsai/ewoooc"
|
||
],
|
||
"risk": "MEDIUM",
|
||
"covered_repo_count": 4,
|
||
"requested_owner_decision": "回覆 protected branch、required checks、required review count、CODEOWNERS path 與 owner teams;不得包含 team secret、PAT、admin override token 或 session cookie。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"repo",
|
||
"provider",
|
||
"protected_branch_name_or_none",
|
||
"required_review_count",
|
||
"required_status_check_names",
|
||
"codeowners_path_or_none",
|
||
"owner_team_names",
|
||
"ruleset_owner",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"provide_branch_protection_codeowners_candidate",
|
||
"mark_no_branch_protection_candidate",
|
||
"hold_pending_ruleset_owner",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
|
||
"docs/security/source-control-primary-readiness-gate.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"必須列出 required status check names,並標示與 workflow / runner label 對應狀態。",
|
||
"缺 CODEOWNERS 或 branch protection 只能形成 readiness gap,不代表可修改規則。",
|
||
"必須指定 ruleset owner 或 request_more_evidence owner。"
|
||
],
|
||
"rejection_conditions": [
|
||
"含 PAT、admin override token、session cookie、team secret 或未脫敏截圖。",
|
||
"要求立即修改 branch protection、ruleset、required checks 或 CODEOWNERS。",
|
||
"把 branch protection response 當成 primary readiness complete。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 branch protection / CODEOWNERS owner review lane。",
|
||
"更新 required status check parity wording。",
|
||
"維持 primary_ready_count=0。"
|
||
],
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"template_id": "response-repository-secret-name-parity",
|
||
"lane": "repository_secret_name_parity_export_request",
|
||
"affected_repos": [
|
||
"owenhytsai/awoooi",
|
||
"owenhytsai/clawbot-v5",
|
||
"owenhytsai/wooo-aiops",
|
||
"owenhytsai/wooo-infra-config",
|
||
"owenhytsai/ewoooc",
|
||
"owenhytsai/bitan-pharmacy",
|
||
"owenhytsai/tsenyang-website"
|
||
],
|
||
"risk": "HIGH",
|
||
"covered_repo_count": 7,
|
||
"requested_owner_decision": "回覆 repository secret 名稱 parity、scope、owning team、used-by workflow 與 present_in_gitea / present_in_github metadata;不得包含 value、hash、partial token 或可還原片段。",
|
||
"required_owner_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"repo",
|
||
"provider",
|
||
"secret_name_list_or_none",
|
||
"secret_scope",
|
||
"owning_team",
|
||
"used_by_workflow_name",
|
||
"rotation_owner",
|
||
"present_in_gitea",
|
||
"present_in_github",
|
||
"evidence_refs"
|
||
],
|
||
"acceptable_decisions": [
|
||
"provide_secret_name_presence_map_candidate",
|
||
"mark_no_repository_secret_candidate",
|
||
"hold_pending_secret_owner",
|
||
"unknown_requires_more_evidence"
|
||
],
|
||
"minimum_evidence_refs": [
|
||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
|
||
"docs/security/security-mirror-quarantine.snapshot.json"
|
||
],
|
||
"acceptance_criteria": [
|
||
"只允許保存 secret name、scope、owner、used-by workflow、present/absent metadata。",
|
||
"不得保存 value、hash、partial token、masked token 或任何可還原片段。",
|
||
"缺漏 secret 只建立 owner review lane,不自動建立、複製、rotate 或刪除 secret。"
|
||
],
|
||
"rejection_conditions": [
|
||
"含 secret value、plaintext、hash、partial token、private key、credential value 或未脫敏截圖。",
|
||
"要求立即建立、複製、修改、rotate 或刪除 repository secret。",
|
||
"把 secret name parity response 當成 workflow 已可執行或 primary ready。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 repository secret name parity owner review lane。",
|
||
"更新 workflow / secret name inventory gap wording。",
|
||
"維持 inventory_complete_count=0 與 primary_ready_count=0。"
|
||
],
|
||
"execution_authorized": false
|
||
}
|
||
],
|
||
"acceptance_checks": [
|
||
{
|
||
"check_id": "maps_to_known_export_lane",
|
||
"title": "回覆對應既有 export lane",
|
||
"required": true,
|
||
"pass_condition": "`lane` 必須對應 S4.3 既有 export lanes:webhook、runner、deploy key、branch protection / CODEOWNERS 或 repository secret name parity。",
|
||
"failure_lane": "reject_unknown_export_lane",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "decision_value_allowed",
|
||
"title": "決策值在允許範圍內",
|
||
"required": true,
|
||
"pass_condition": "`decision` 必須是該 response template 的 acceptable_decisions 之一。",
|
||
"failure_lane": "request_owner_correction",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "repo_scope_present",
|
||
"title": "repo scope 已標示",
|
||
"required": true,
|
||
"pass_condition": "每筆回覆必須有 repo、provider 與 lane;批次 secret name parity 必須有可重現 repo list。",
|
||
"failure_lane": "request_more_evidence",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "owner_present",
|
||
"title": "owner 或補證 owner 已標示",
|
||
"required": true,
|
||
"pass_condition": "每筆回覆必須有 owner role/team,且 lane-specific owner 不得空白;未知時必須選 hold/unknown。",
|
||
"failure_lane": "request_owner_assignment",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "allowed_fields_only",
|
||
"title": "只含允許欄位",
|
||
"required": true,
|
||
"pass_condition": "回覆只能包含 lane allowed_fields 與 owner/evidence metadata,不得加入 request body、header、credential 或 raw config。",
|
||
"failure_lane": "quarantine_unexpected_payload",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "secret_values_absent",
|
||
"title": "未包含 secret value",
|
||
"required": true,
|
||
"pass_condition": "不得包含 secret/token/cookie/private key/deploy key/runner token/webhook secret/password、hash、masked token 或 partial credential。",
|
||
"failure_lane": "quarantine_sensitive_payload",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "no_write_or_rotation_requested",
|
||
"title": "不含 write 或 rotation 要求",
|
||
"required": true,
|
||
"pass_condition": "回覆不得要求 write API、rotate secret、修改 workflow、修改 webhook、修改 runner、修改 deploy key 或修改 branch protection。",
|
||
"failure_lane": "reject_runtime_change_request",
|
||
"execution_authorized": false
|
||
},
|
||
{
|
||
"check_id": "no_primary_or_refs_action_requested",
|
||
"title": "不含 primary 或 refs action",
|
||
"required": true,
|
||
"pass_condition": "回覆不得要求建立 repo、sync refs、切 GitHub primary、停用 Gitea 或把 inventory 視為 primary ready。",
|
||
"failure_lane": "reject_primary_or_refs_action",
|
||
"execution_authorized": false
|
||
}
|
||
],
|
||
"rejection_rules": [
|
||
"回覆含 secret value、PAT、cookie、session、CSRF token、private key、deploy key value、runner token、webhook secret 或 partial credential 時必須拒收。",
|
||
"回覆含完整 webhook payload URL、query token、authorization header、request body 或未脫敏截圖時必須拒收。",
|
||
"回覆含 runner registration token、runner admin token、SSH private key、host password 或 API token 時必須拒收。",
|
||
"回覆含 deploy key private material、完整 public key、token value、password 或 credential value 時必須拒收。",
|
||
"回覆含 secret value、secret hash、partial token、masked token 或任何可還原片段時必須拒收。",
|
||
"回覆要求 write API、修改 workflow/webhook/runner/deploy key/branch protection/CODEOWNERS 或 rotate secret 時必須拒收。",
|
||
"回覆要求建立 repo、sync refs、切 GitHub primary、停用或封存 Gitea 時必須拒收。",
|
||
"回覆缺 repo、provider、lane owner 或 no-data disposition 時不得標記 accepted。",
|
||
"回覆把 owner response 當成 inventory complete、workflow ready、secret parity complete 或 GitHub primary ready 時必須拒收。",
|
||
"任何不確定是否含敏感值、私有 URL 憑證、完整 key material 或未脫敏截圖的回覆必須先進 mirror quarantine。"
|
||
],
|
||
"allowed_outputs": [
|
||
"更新 `source-control-workflow-secret-name-inventory.snapshot.json` 的 read-only owner response 欄位。",
|
||
"更新 `source-control-workflow-secret-name-export-request.snapshot.json` 的 response status wording。",
|
||
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 workflow / webhook / runner / secret name blocker wording。",
|
||
"更新 `security-mirror-status-rollup.snapshot.json` 的 workflow_secret owner response summary。",
|
||
"建立 request_more_evidence / quarantine lane。",
|
||
"維持 `inventory_complete_count=0`、`github_primary_ready_count=0` 與所有 workflow / secret / repo / refs / primary execution flags false。"
|
||
],
|
||
"forbidden_actions": [
|
||
"收集或保存 secret value、token value、cookie、session、private key、deploy key value、runner token 或 webhook secret。",
|
||
"使用 write token 或 write API。",
|
||
"修改 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret。",
|
||
"rotate secret、建立 secret、複製 secret 或刪除 secret。",
|
||
"啟用 GitHub hosted runner 或消耗 GitHub Actions 額度。",
|
||
"建立 GitHub repo 或修改 visibility。",
|
||
"sync refs、push refs、delete refs 或 force push。",
|
||
"切 GitHub primary。",
|
||
"停用、刪除、封存或降級 Gitea repo。",
|
||
"新增 AwoooP execution action button。"
|
||
]
|
||
}
|