Files
awoooi/docs/security/source-control-workflow-secret-name-owner-response.snapshot.json

419 lines
19 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "source_control_workflow_secret_name_owner_response_v1",
"status": "draft_waiting_owner_response",
"date": "2026-05-17",
"mode": "owner_workflow_secret_name_response_intake_only",
"runtime_execution_authorized": false,
"source_contract": "source_control_workflow_secret_name_inventory_v1",
"target_contract": "source_control_workflow_secret_name_export_request_v1",
"source_indexes": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-approval-review-packet.snapshot.json",
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"summary": {
"owner_response_status": "waiting_owner_response",
"candidate_repo_count": 8,
"in_scope_repo_count": 7,
"export_request_count": 7,
"export_lane_count": 5,
"local_evidence_repo_count": 4,
"local_workflow_file_count": 31,
"local_referenced_secret_name_count": 43,
"response_template_count": 5,
"received_response_count": 0,
"accepted_response_count": 0,
"rejected_response_count": 0,
"acceptance_check_count": 8,
"rejection_rule_count": 10,
"secret_value_collection_allowed": false,
"write_token_allowed": false,
"workflow_modification_authorized": false,
"webhook_modification_authorized": false,
"runner_change_authorized": false,
"deploy_key_change_authorized": false,
"branch_protection_change_authorized": false,
"repo_secret_change_authorized": false,
"github_hosted_runner_enable_authorized": false,
"refs_sync_authorized": false,
"github_primary_switch_authorized": false,
"action_buttons_allowed": false
},
"response_templates": [
{
"template_id": "response-webhook-redacted-export",
"lane": "webhook_redacted_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/wooo-aiops"
],
"risk": "MEDIUM",
"covered_repo_count": 2,
"requested_owner_decision": "回覆 webhook 名稱、redacted host、事件類型、enabled flag 與 owner不得包含 webhook secret、token URL、header、cookie 或 payload body。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"webhook_name_or_none",
"destination_host_redacted",
"event_types",
"active_enabled_flag",
"webhook_owner",
"evidence_refs"
],
"acceptable_decisions": [
"provide_redacted_webhook_inventory_candidate",
"mark_no_webhook_candidate",
"hold_pending_webhook_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"acceptance_criteria": [
"只允許保存 redacted host、event types、enabled flag 與 owner。",
"必須標示 primary cutover 後哪一端負責發 webhook或明確要求補證。",
"必須承認 response 通過後只更新 read-only inventory / readiness wording不修改 webhook。"
],
"rejection_conditions": [
"含 webhook secret、完整 payload URL、query token、header、cookie 或 request body。",
"要求立即建立、停用或修改 webhook。",
"缺 repo、provider、webhook owner 或 no-webhook disposition。"
],
"allowed_outputs": [
"更新 `source-control-workflow-secret-name-export-request.snapshot.json` 的 webhook read-only owner response 欄位。",
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 workflow/webhook blocker wording。",
"建立 request_more_evidence / quarantine lane。"
],
"execution_authorized": false
},
{
"template_id": "response-runner-label-owner",
"lane": "runner_label_owner_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/wooo-aiops",
"owenhytsai/wooo-infra-config",
"owenhytsai/ewoooc"
],
"risk": "HIGH",
"covered_repo_count": 4,
"requested_owner_decision": "回覆 runner label、executor type、hosted/self-hosted、owner 與 GitHub hosted minutes 風險;不得包含 runner registration token、admin token、SSH key 或 host password。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"runner_label_or_none",
"runner_scope",
"executor_type",
"hosted_or_self_hosted",
"runner_owner",
"github_hosted_minutes_risk",
"maintenance_window",
"evidence_refs"
],
"acceptable_decisions": [
"keep_self_hosted_runner_candidate",
"approve_hosted_runner_risk_review_candidate",
"mark_no_runner_candidate",
"hold_pending_runner_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"acceptance_criteria": [
"必須標示 runner 是 self-hosted 或 hosted若 hosted必須列入額度風險 review而不是啟用批准。",
"必須指定 runner owner 與維護窗口,或明確要求補證。",
"必須承認 response 不授權新增 runner、不授權改 workflow、不授權消耗 GitHub hosted minutes。"
],
"rejection_conditions": [
"含 runner registration token、admin token、SSH private key、host password 或 API token。",
"要求立即啟用 GitHub hosted runner 或改 runner label。",
"把 hosted runner risk review candidate 當成使用 GitHub Actions 額度的批准。"
],
"allowed_outputs": [
"更新 runner label owner review lane。",
"更新 GitHub hosted runner 額度風險 wording。",
"維持 workflow / runner execution disabled。"
],
"execution_authorized": false
},
{
"template_id": "response-deploy-key-redacted-export",
"lane": "deploy_key_redacted_export_request",
"affected_repos": [
"owenhytsai/wooo-infra-config"
],
"risk": "HIGH",
"covered_repo_count": 1,
"requested_owner_decision": "回覆 deploy key / machine key 名稱、read-only flag、repo scope 與 owner不得包含 private key、完整 public key、token value 或 password。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"key_name_or_none",
"read_only_flag",
"repo_scope",
"key_owner",
"rotation_owner",
"evidence_refs"
],
"acceptable_decisions": [
"provide_deploy_key_name_scope_candidate",
"mark_no_deploy_key_candidate",
"mark_write_capable_key_risk_candidate",
"hold_pending_key_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"acceptance_criteria": [
"只允許 key 名稱、read-only flag、repo scope、owner 與 rotation owner。",
"write-capable key 只能列為風險 candidate不得自動 rotate 或刪除。",
"必須承認 response 不授權搬移 key、不授權貼 private key、不授權修改 deploy key。"
],
"rejection_conditions": [
"含 private key、完整 public key、token value、password 或 credential value。",
"要求立即 rotate、刪除或新增 deploy key。",
"缺 key owner / rotation owner 或 no-key disposition。"
],
"allowed_outputs": [
"更新 deploy key read-only risk lane。",
"更新 primary readiness key blocker wording。",
"建立 key_owner request_more_evidence lane。"
],
"execution_authorized": false
},
{
"template_id": "response-branch-protection-codeowners",
"lane": "branch_protection_codeowners_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/clawbot-v5",
"owenhytsai/wooo-infra-config",
"owenhytsai/ewoooc"
],
"risk": "MEDIUM",
"covered_repo_count": 4,
"requested_owner_decision": "回覆 protected branch、required checks、required review count、CODEOWNERS path 與 owner teams不得包含 team secret、PAT、admin override token 或 session cookie。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"protected_branch_name_or_none",
"required_review_count",
"required_status_check_names",
"codeowners_path_or_none",
"owner_team_names",
"ruleset_owner",
"evidence_refs"
],
"acceptable_decisions": [
"provide_branch_protection_codeowners_candidate",
"mark_no_branch_protection_candidate",
"hold_pending_ruleset_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"acceptance_criteria": [
"必須列出 required status check names並標示與 workflow / runner label 對應狀態。",
"缺 CODEOWNERS 或 branch protection 只能形成 readiness gap不代表可修改規則。",
"必須指定 ruleset owner 或 request_more_evidence owner。"
],
"rejection_conditions": [
"含 PAT、admin override token、session cookie、team secret 或未脫敏截圖。",
"要求立即修改 branch protection、ruleset、required checks 或 CODEOWNERS。",
"把 branch protection response 當成 primary readiness complete。"
],
"allowed_outputs": [
"更新 branch protection / CODEOWNERS owner review lane。",
"更新 required status check parity wording。",
"維持 primary_ready_count=0。"
],
"execution_authorized": false
},
{
"template_id": "response-repository-secret-name-parity",
"lane": "repository_secret_name_parity_export_request",
"affected_repos": [
"owenhytsai/awoooi",
"owenhytsai/clawbot-v5",
"owenhytsai/wooo-aiops",
"owenhytsai/wooo-infra-config",
"owenhytsai/ewoooc",
"owenhytsai/bitan-pharmacy",
"owenhytsai/tsenyang-website"
],
"risk": "HIGH",
"covered_repo_count": 7,
"requested_owner_decision": "回覆 repository secret 名稱 parity、scope、owning team、used-by workflow 與 present_in_gitea / present_in_github metadata不得包含 value、hash、partial token 或可還原片段。",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"repo",
"provider",
"secret_name_list_or_none",
"secret_scope",
"owning_team",
"used_by_workflow_name",
"rotation_owner",
"present_in_gitea",
"present_in_github",
"evidence_refs"
],
"acceptable_decisions": [
"provide_secret_name_presence_map_candidate",
"mark_no_repository_secret_candidate",
"hold_pending_secret_owner",
"unknown_requires_more_evidence"
],
"minimum_evidence_refs": [
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/security-mirror-quarantine.snapshot.json"
],
"acceptance_criteria": [
"只允許保存 secret name、scope、owner、used-by workflow、present/absent metadata。",
"不得保存 value、hash、partial token、masked token 或任何可還原片段。",
"缺漏 secret 只建立 owner review lane不自動建立、複製、rotate 或刪除 secret。"
],
"rejection_conditions": [
"含 secret value、plaintext、hash、partial token、private key、credential value 或未脫敏截圖。",
"要求立即建立、複製、修改、rotate 或刪除 repository secret。",
"把 secret name parity response 當成 workflow 已可執行或 primary ready。"
],
"allowed_outputs": [
"更新 repository secret name parity owner review lane。",
"更新 workflow / secret name inventory gap wording。",
"維持 inventory_complete_count=0 與 primary_ready_count=0。"
],
"execution_authorized": false
}
],
"acceptance_checks": [
{
"check_id": "maps_to_known_export_lane",
"title": "回覆對應既有 export lane",
"required": true,
"pass_condition": "`lane` 必須對應 S4.3 既有 export laneswebhook、runner、deploy key、branch protection / CODEOWNERS 或 repository secret name parity。",
"failure_lane": "reject_unknown_export_lane",
"execution_authorized": false
},
{
"check_id": "decision_value_allowed",
"title": "決策值在允許範圍內",
"required": true,
"pass_condition": "`decision` 必須是該 response template 的 acceptable_decisions 之一。",
"failure_lane": "request_owner_correction",
"execution_authorized": false
},
{
"check_id": "repo_scope_present",
"title": "repo scope 已標示",
"required": true,
"pass_condition": "每筆回覆必須有 repo、provider 與 lane批次 secret name parity 必須有可重現 repo list。",
"failure_lane": "request_more_evidence",
"execution_authorized": false
},
{
"check_id": "owner_present",
"title": "owner 或補證 owner 已標示",
"required": true,
"pass_condition": "每筆回覆必須有 owner role/team且 lane-specific owner 不得空白;未知時必須選 hold/unknown。",
"failure_lane": "request_owner_assignment",
"execution_authorized": false
},
{
"check_id": "allowed_fields_only",
"title": "只含允許欄位",
"required": true,
"pass_condition": "回覆只能包含 lane allowed_fields 與 owner/evidence metadata不得加入 request body、header、credential 或 raw config。",
"failure_lane": "quarantine_unexpected_payload",
"execution_authorized": false
},
{
"check_id": "secret_values_absent",
"title": "未包含 secret value",
"required": true,
"pass_condition": "不得包含 secret/token/cookie/private key/deploy key/runner token/webhook secret/password、hash、masked token 或 partial credential。",
"failure_lane": "quarantine_sensitive_payload",
"execution_authorized": false
},
{
"check_id": "no_write_or_rotation_requested",
"title": "不含 write 或 rotation 要求",
"required": true,
"pass_condition": "回覆不得要求 write API、rotate secret、修改 workflow、修改 webhook、修改 runner、修改 deploy key 或修改 branch protection。",
"failure_lane": "reject_runtime_change_request",
"execution_authorized": false
},
{
"check_id": "no_primary_or_refs_action_requested",
"title": "不含 primary 或 refs action",
"required": true,
"pass_condition": "回覆不得要求建立 repo、sync refs、切 GitHub primary、停用 Gitea 或把 inventory 視為 primary ready。",
"failure_lane": "reject_primary_or_refs_action",
"execution_authorized": false
}
],
"rejection_rules": [
"回覆含 secret value、PAT、cookie、session、CSRF token、private key、deploy key value、runner token、webhook secret 或 partial credential 時必須拒收。",
"回覆含完整 webhook payload URL、query token、authorization header、request body 或未脫敏截圖時必須拒收。",
"回覆含 runner registration token、runner admin token、SSH private key、host password 或 API token 時必須拒收。",
"回覆含 deploy key private material、完整 public key、token value、password 或 credential value 時必須拒收。",
"回覆含 secret value、secret hash、partial token、masked token 或任何可還原片段時必須拒收。",
"回覆要求 write API、修改 workflow/webhook/runner/deploy key/branch protection/CODEOWNERS 或 rotate secret 時必須拒收。",
"回覆要求建立 repo、sync refs、切 GitHub primary、停用或封存 Gitea 時必須拒收。",
"回覆缺 repo、provider、lane owner 或 no-data disposition 時不得標記 accepted。",
"回覆把 owner response 當成 inventory complete、workflow ready、secret parity complete 或 GitHub primary ready 時必須拒收。",
"任何不確定是否含敏感值、私有 URL 憑證、完整 key material 或未脫敏截圖的回覆必須先進 mirror quarantine。"
],
"allowed_outputs": [
"更新 `source-control-workflow-secret-name-inventory.snapshot.json` 的 read-only owner response 欄位。",
"更新 `source-control-workflow-secret-name-export-request.snapshot.json` 的 response status wording。",
"更新 `source-control-primary-readiness-gate.snapshot.json` 的 workflow / webhook / runner / secret name blocker wording。",
"更新 `security-mirror-status-rollup.snapshot.json` 的 workflow_secret owner response summary。",
"建立 request_more_evidence / quarantine lane。",
"維持 `inventory_complete_count=0`、`github_primary_ready_count=0` 與所有 workflow / secret / repo / refs / primary execution flags false。"
],
"forbidden_actions": [
"收集或保存 secret value、token value、cookie、session、private key、deploy key value、runner token 或 webhook secret。",
"使用 write token 或 write API。",
"修改 workflow、webhook、runner、deploy key、branch protection、CODEOWNERS 或 repository secret。",
"rotate secret、建立 secret、複製 secret 或刪除 secret。",
"啟用 GitHub hosted runner 或消耗 GitHub Actions 額度。",
"建立 GitHub repo 或修改 visibility。",
"sync refs、push refs、delete refs 或 force push。",
"切 GitHub primary。",
"停用、刪除、封存或降級 Gitea repo。",
"新增 AwoooP execution action button。"
]
}