S4.9 Owner Response Dispatch Package
| Item | Content |
|---|---|
| Date | 2026-06-13 |
| Status | dispatch_package_ready_not_sent |
| Corresponding envelope | docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md |
| Corresponding intake form | docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md |
| Corresponding validation | docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md |
| Snapshot | docs/security/s4-9-owner-response-dispatch-package.snapshot.json |
| runtime gate | 0 |
1. Core Conclusion
This package moves the S4.9 owner response from "form and acceptance rules defined" to "a dispatch package that can be handed to owners to fill in". It fixes which items owners must answer, the required fields for each item, which evidence may only be cited by redacted reference, and how reviewers triage responses on receipt.
This package is still not a formal dispatch record. It is not an owner response received, not accepted, and not an authorization for repo / refs / workflow / secret / runner / host / runtime actions.
2. Required Canonical Envelope
Every response to every item must map back to the six fields. If any field is missing, the only option is to request a supplement; the received / accepted counts must not be increased.
| Field | Fill-in requirement | Prohibited misuse |
|---|---|---|
| owner_role_or_team | Role, team or accountable unit | No personal credentials, tokens, sessions or private contact details |
| decision | Only confirm, defer, reject or request_more_evidence | confirm does not mean runtime action approval |
| decision_reason | Redacted summary of the rationale | No raw logs, raw API bodies, unredacted screenshots or verbatim internal chat |
| affected_scope | Repo group, namespace, endpoint, host scope, legacy disposition or canonical owner scope | Must not carry requests for repo create, refs sync, visibility change or workflow modification |
| redacted_evidence_refs | Document paths, snapshot ids, ticket ids, hashes or redacted metadata pointers | No secret values, partial tokens, private keys, authorization headers or runner tokens |
| followup_owner | Role / team responsible for follow-up evidence, review or decision | Not the execution approver and not the runtime operator |
3. Dispatch Content for the Five S4.9 Items
| Order | Template | Owner must answer | Qualifying evidence refs |
|---|---|---|---|
| 1 | response-public-only-vs-local-gitea-gap | Decide whether wooo/clawbot-v5 and wooo/wooo-aiops belong to this round's inventory / migration scope | public probe snapshot, local inventory ref, owner note id |
| 2 | response-org-user-endpoint-identity | Decide whether wooo should be inventoried as a user, an org or both, and designate the canonical endpoint | endpoint probe summary, HTTP status metadata, owner note id |
| 3 | response-internal-110-adjacent-scope | Decide item by item whether bitan-pharmacy, root/momo-pro-system, tsenyang-website and wooo/wooo-infra-config are in this round's scope | local repo / host scope snapshot, redacted owner note |
| 4 | response-repo-owner-canonical-scope | Designate, for each in-scope repo, the owner, canonical source, GitHub target candidate and visibility review owner | refs truth summary, target probe summary, owner note id |
| 5 | response-legacy-or-inaccessible-disposition | Designate the disposition, rationale and follow-up owner for legacy / inaccessible / external repos | disposition note, archive candidate summary, ticket id |
4. Shape of an Owner Response
template_id:
owner_role_or_team:
decision:
decision_reason:
affected_scope:
redacted_evidence_refs:
followup_owner:
If the owner needs more information, decision should be request_more_evidence and decision_reason should state which kind of redacted evidence is missing. A verbal "agree", "fine" or "approved" must not replace the six-field response.
5. Reviewer Intake Triage
| Outcome | When to use | Effect on counts |
|---|---|---|
| keep_waiting_owner_response | Complete six fields not yet received, or only blanks / verbal agreement | received / accepted stay 0 |
| request_more_evidence | Missing fields, unclear scope, insufficient evidence refs | accepted stays 0 |
| quarantine_sensitive_payload | Suspected token, secret, private key, cookie, session, authorization header, runner token, unredacted screenshot or private URL credential | raw payload is not stored |
| reject_execution_request | Carries a repo / refs / workflow / secret / runner / Kali / host / runtime execution request | no action button is created |
| ready_for_reviewer_validation | All five items complete, evidence refs redacted, no execution request | enters the reviewer checklist only; still not accepted |
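As an added example (not part of this package or its snapshot), a reviewer intake check that applies the six-field envelope of section 2 and the triage outcomes of this table: quarantine and rejection are evaluated before completeness, so a response is never stored just because its fields are filled in. The marker phrases and the sample response are assumptions constructed for the example.

```python
import re

# Six-field canonical envelope every S4.9 answer must map back to.
SIX_FIELDS = ("owner_role_or_team", "decision", "decision_reason",
              "affected_scope", "redacted_evidence_refs", "followup_owner")
ALLOWED_DECISIONS = {"confirm", "defer", "reject", "request_more_evidence"}
# Assumed quarantine markers from the triage table's quarantine row; a
# credential embedded in a URL is caught by the regex.
SENSITIVE_MARKERS = ("token", "secret", "private key", "cookie", "session",
                     "authorization:", "-----begin")
URL_CREDENTIAL = re.compile(r"https?://[^/\s]+:[^/\s]+@")
# Assumed execution-request phrases: a response is a decision, never an
# action request (reject row and the high-value lanes).
EXECUTION_MARKERS = ("repo create", "refs sync", "visibility change",
                     "modify workflow", "nginx reload", "argocd sync",
                     "run migration", "rotate secret", "kali")
# Verbal agreement the page says must not replace the six fields.
VERBAL_ONLY = {"同意", "可以", "批准", "ok", "yes", "approved"}

def triage(response: dict) -> str:
    """Map one owner response to a reviewer outcome. Quarantine and reject
    run before the completeness check (quarantine-first), so a sensitive
    payload is never kept just because all six fields are filled."""
    values = []
    for key in SIX_FIELDS:
        v = response.get(key, "")
        values.extend(v if isinstance(v, list) else [v])
    blob = " ".join(str(v) for v in values).lower()
    if any(m in blob for m in SENSITIVE_MARKERS) or URL_CREDENTIAL.search(blob):
        return "quarantine_sensitive_payload"   # raw payload is not stored
    if any(m in blob for m in EXECUTION_MARKERS):
        return "reject_execution_request"       # no action button is created
    filled = {k: response.get(k) for k in SIX_FIELDS}
    decision = str(filled["decision"]).lower()
    if any(not v for v in filled.values()) or decision in VERBAL_ONLY:
        return "keep_waiting_owner_response"    # received / accepted stay 0
    if decision not in ALLOWED_DECISIONS:
        return "request_more_evidence"          # accepted stays 0
    return "ready_for_reviewer_validation"      # checklist only, not accepted

if __name__ == "__main__":
    # Constructed sample: complete, redacted, no execution request.
    sample = {"template_id": "response-public-only-vs-local-gitea-gap",
              "owner_role_or_team": "platform team", "decision": "confirm",
              "decision_reason": "both repos belong to this inventory round",
              "affected_scope": "wooo/clawbot-v5, wooo/wooo-aiops",
              "followup_owner": "platform team",
              "redacted_evidence_refs": ["snapshot id S4-9-DISPATCH (constructed)"]}
    print(triage(sample))  # ready_for_reviewer_validation
```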
6. Alignment with High-Value Configuration Control
The S4.9 owner response is the first step of the source-control owner gate. High-value configuration control still needs its own independent owner responses, but they should share the same six-field envelope and the same rejection boundaries.
| Priority | Category | Owner lane | Still missing before dispatch |
|---|---|---|---|
| P0-1 | Nginx / public gateway | public_gateway_owner_response_required | rendered diff, nginx -t evidence, route smoke, maintenance window, rollback owner |
| P0-2 | K8s manifest / ArgoCD app | gitops_owner_response_required | GitOps diff, ArgoCD health readback, sync authorization, rollback revision |
| P0-3 | Gitea workflow / runner / deploy key / webhook | workflow_source_control_owner_response_required | workflow diff, runner label owner, deploy key metadata only, webhook metadata only |
| P0-4 | Registry / Harbor / TLS / certbot | domain_tls_owner_response_required | certificate path check, renewal window, ACME smoke, public HTTPS smoke |
| P0-5 | Sentry / SigNoz / Alertmanager / Prometheus | monitoring_owner_response_required | live drift evidence, receiver owner, reload owner, route smoke, receipt proof |
| P0-6 | Public gateway / frontend runtime config | public_runtime_config_owner_response_required | public URL check, frontend internal IP ban, CORS boundary, desktop / mobile smoke |
| P0-7 | AI provider route | ai_provider_route_owner_response_required | provider route owner, fallback order evidence, cost boundary, rollback owner |
| P0-8 | DB migration | database_migration_owner_response_required | migration diff, backup / rollback owner, post-migration verification plan |
| P0-9 | Secrets injection / redaction | secret_metadata_owner_response_required | secret name parity, metadata-only check, rotation owner, no secret value check |
These lanes may share the S4.9 fields and the quarantine-first rule, but an S4.9 response must not be promoted directly into authorization for an Nginx reload, ArgoCD sync, workflow modification, registry change, alert reload, AI route switch, DB migration or secret rotation.
7. Fixed 0 / false Boundaries
dispatch_authorized=false
request_sent=false
request_sent_count=0
received_response_count=0
accepted_response_count=0
rejected_response_count=0
owner_response_received_count=0
owner_response_accepted_count=0
redacted_payload_ingested=false
active_runtime_gate_count=0
runtime_execution_authorized=false
action_buttons_allowed=false
repo_creation_authorized=false
refs_sync_authorized=false
workflow_modification_authorized=false
github_primary_switch_authorized=false
host_update_authorized=false
active_scan_authorized=false
secret_value_collection_authorized=false
nginx_reload_authorized=false
argocd_sync_authorized=false
database_migration_authorized=false
ai_provider_route_change_authorized=false
8. Completion Status
| Work item | Completion | Notes |
|---|---|---|
| S4.9 dispatch package | 70% | The data package owners can fill in is fixed; not yet formally dispatched |
| S4.9 owner response gate | 0% | No owner response received or accepted yet |
| High-value configuration owner lane alignment | 55% | Six-field envelope and P0 lanes are shared; each lane's owner still has to actually respond |
| IwoooS overall | stays at 64% | Documents and data packages do not raise overall progress |
| active runtime gate | 0 | unchanged |