927 lines
36 KiB
JSON
927 lines
36 KiB
JSON
{
|
||
"schema_version": "security_supply_chain_contract_manifest_v1",
|
||
"status": "draft",
|
||
"default_enforcement_level": "mirror_only",
|
||
"contract_count": 35,
|
||
"contracts": [
|
||
{
|
||
"contract": "security_rollout_policy_v1",
|
||
"schema_path": "docs/schemas/security_rollout_policy_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-rollout-policy.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md"
|
||
],
|
||
"consumer": "AwoooP read-only policy / Operator Console",
|
||
"consumption_mode": "read_only_policy",
|
||
"allowed_actions": [
|
||
"mirror_policy",
|
||
"display_mode",
|
||
"recommend_observe_warn_approval"
|
||
],
|
||
"forbidden_actions": [
|
||
"runtime_enforcement",
|
||
"auto_block_low_medium_observation"
|
||
],
|
||
"notes": "初期 observe-first / mirror-only,不把資安網變成流程負擔。"
|
||
},
|
||
{
|
||
"contract": "security_finding_v1",
|
||
"schema_path": "docs/schemas/security_finding_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-finding-kali-sample.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-FINDING-CONTRACT.md",
|
||
"docs/security/KALI-SECURITY-MESH-BLUEPRINT.md"
|
||
],
|
||
"consumer": "AwoooP Runtime State / Channel Event / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_redacted_finding",
|
||
"display_security_posture"
|
||
],
|
||
"forbidden_actions": [
|
||
"active_scan",
|
||
"store_raw_secret",
|
||
"store_exploit_payload"
|
||
],
|
||
"notes": "承接 Kali / Trivy / ZAP / Semgrep / detect-secrets 類 findings。"
|
||
},
|
||
{
|
||
"contract": "kali_integration_status_v1",
|
||
"schema_path": "docs/schemas/kali_integration_status_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/kali-integration-status.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/KALI-INTEGRATION-STATUS.md"
|
||
],
|
||
"consumer": "AwoooP security posture / Operator Console",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_kali_health",
|
||
"display_update_status",
|
||
"display_integration_gaps",
|
||
"create_approval_candidate_for_active_scan_or_full_upgrade"
|
||
],
|
||
"forbidden_actions": [
|
||
"run_active_scan",
|
||
"run_execute_endpoint",
|
||
"store_api_key_or_password",
|
||
"full_upgrade_or_reboot_without_window"
|
||
],
|
||
"notes": "112 已有 live scanner health 與低風險更新;finding ingestion / AwoooP runtime mirror 尚未接通。"
|
||
},
|
||
{
|
||
"contract": "kali_scan_scope_approval_v1",
|
||
"schema_path": "docs/schemas/kali_scan_scope_approval_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/kali-scan-scope-approval.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md"
|
||
],
|
||
"consumer": "AwoooP approval queue / Operator Console",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_scan_scope",
|
||
"display_approval_gate",
|
||
"create_approval_candidate"
|
||
],
|
||
"forbidden_actions": [
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"store_secret_value",
|
||
"auto_block_deploy",
|
||
"full_upgrade_or_reboot_without_window"
|
||
],
|
||
"notes": "定義 Kali 112、111/168 dev hosts、核心 runtime hosts 與 web perimeter 的掃描深度;高風險動作 blocked_until_approved。"
|
||
},
|
||
{
|
||
"contract": "security_approval_queue_v1",
|
||
"schema_path": "docs/schemas/security_approval_queue_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-approval-queue.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-APPROVAL-QUEUE.md"
|
||
],
|
||
"consumer": "AwoooP approval queue / Operator Console / Audit",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_queue_item",
|
||
"display_review_order",
|
||
"create_approval_candidate",
|
||
"record_human_decision"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_queue_item",
|
||
"start_scan",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"switch_github_primary",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "集中整理 Kali、Gitea/GitHub、refs truth classification 等 pending approval / block candidate;不授權執行。"
|
||
},
|
||
{
|
||
"contract": "security_approval_gate_v1",
|
||
"schema_path": "docs/schemas/security_approval_gate_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-approval-gate.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-APPROVAL-GATE.md"
|
||
],
|
||
"consumer": "AwoooP approval queue / Audit / Operator Console",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_approval_gate",
|
||
"record_human_decision",
|
||
"display_followup_runtime_gate"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_gate_item",
|
||
"auto_approve",
|
||
"execute_after_approval_without_runtime_gate",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 S3 人工批准 gate 的決策語言與留痕格式;批准後仍不得自動執行,必須有後續 runtime gate。"
|
||
},
|
||
{
|
||
"contract": "security_approval_decision_record_v1",
|
||
"schema_path": "docs/schemas/security_approval_decision_record_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-approval-decision-record.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-APPROVAL-DECISION-RECORD.md"
|
||
],
|
||
"consumer": "AwoooP Audit / Operator Console",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"record_human_decision",
|
||
"display_decision_scope",
|
||
"display_followup_runtime_gate"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_decision_record",
|
||
"auto_approve",
|
||
"execute_after_decision_without_runtime_gate",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 S3 人工決策紀錄格式;記錄 approve/reject/defer/request_more_evidence/keep_blocked,但不授權執行。"
|
||
},
|
||
{
|
||
"contract": "security_approval_review_packet_v1",
|
||
"schema_path": "docs/schemas/security_approval_review_packet_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-approval-review-packet.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md"
|
||
],
|
||
"consumer": "AwoooP Approval Queue / Operator Console / Audit",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_review_packet",
|
||
"display_review_lane",
|
||
"display_required_reviewers",
|
||
"prepare_human_decision"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_review_packet",
|
||
"treat_review_packet_as_approval",
|
||
"auto_approve",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 S3.2 人工審查封包格式;把 queue/gate 轉成可審查資料,但不代表批准或執行授權。"
|
||
},
|
||
{
|
||
"contract": "security_approval_state_transition_v1",
|
||
"schema_path": "docs/schemas/security_approval_state_transition_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-approval-state-transition.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md"
|
||
],
|
||
"consumer": "AwoooP Approval Queue / Operator Console / Audit",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_transition_rules",
|
||
"display_next_state",
|
||
"display_followup_runtime_gate",
|
||
"record_decision_transition"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_transition_rule",
|
||
"execute_after_approve_scope_without_runtime_gate",
|
||
"auto_approve",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 S3.3 人工決策狀態轉移語義;approve_scope 仍只進入 waiting runtime gate,不授權執行。"
|
||
},
|
||
{
|
||
"contract": "security_followup_runtime_gate_v1",
|
||
"schema_path": "docs/schemas/security_followup_runtime_gate_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-followup-runtime-gate.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md"
|
||
],
|
||
"consumer": "AwoooP Approval Queue / Operator Console / Audit",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_runtime_gate_template",
|
||
"display_preflight_checks",
|
||
"display_rollback_or_disable_requirement"
|
||
],
|
||
"forbidden_actions": [
|
||
"activate_runtime_gate",
|
||
"execute_runtime_gate_template",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 S3.4 後續 runtime gate 準備資料;目前 active_runtime_gates=0,不授權任何執行。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_readiness_v1",
|
||
"schema_path": "docs/schemas/security_mirror_readiness_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-mirror-readiness.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-MIRROR-READINESS.md"
|
||
],
|
||
"consumer": "AwoooP Operator Console / Runtime State / Channel Event / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_readiness_index",
|
||
"display_contract_readiness",
|
||
"display_partial_or_contract_only_reason"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_mirror_item",
|
||
"start_scan",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"switch_github_primary",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "整理 35 個 Security Supply Chain contracts 的 mirror readiness,供 AwoooP 安全消費。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_intake_plan_v1",
|
||
"schema_path": "docs/schemas/security_mirror_intake_plan_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-mirror-intake-plan.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-MIRROR-INTAKE-PLAN.md"
|
||
],
|
||
"consumer": "AwoooP Operator Console / Runtime State / Channel Event / Audit / Approval Queue",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_intake_wave",
|
||
"display_acceptance_gate",
|
||
"display_blocked_processing"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_intake_wave",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"production_deploy",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only intake waves、destinations、allowed/blocked processing 與 acceptance gates。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_event_v1",
|
||
"schema_path": "docs/schemas/security_mirror_event_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-mirror-event-sample.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md"
|
||
],
|
||
"consumer": "AwoooP Runtime State / Channel Event / Audit / Operator Console",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_event_envelope",
|
||
"display_redaction_status",
|
||
"display_blocked_actions"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_event",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only 事件 envelope,所有事件都必須標示 execution_authorized=false 與 action_buttons_allowed=false。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_route_v1",
|
||
"schema_path": "docs/schemas/security_mirror_route_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-mirror-route.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-MIRROR-ROUTE.md"
|
||
],
|
||
"consumer": "AwoooP Operator Console / Runtime State / Channel Event / Audit / Approval Queue",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_route_matrix",
|
||
"display_route_group",
|
||
"display_channel_policy",
|
||
"display_review_lane"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_route_group",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only route groups、destination、channel policy 與 review lane;不作 execution router。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_acceptance_v1",
|
||
"schema_path": "docs/schemas/security_mirror_acceptance_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-mirror-acceptance.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-MIRROR-ACCEPTANCE.md"
|
||
],
|
||
"consumer": "AwoooP Operator Console / Runtime State / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_acceptance_checks",
|
||
"display_acceptance_result",
|
||
"display_blocking_check_failure"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_acceptance_check",
|
||
"runtime_block_product_flow",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only ingestion 驗收 checks;只阻擋不完整或未脫敏的鏡像資料,不作 runtime blocker。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_quarantine_v1",
|
||
"schema_path": "docs/schemas/security_mirror_quarantine_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-mirror-quarantine.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-MIRROR-QUARANTINE.md"
|
||
],
|
||
"consumer": "AwoooP Operator Console / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_quarantine_lane",
|
||
"display_recovery_request",
|
||
"display_retry_gate"
|
||
],
|
||
"forbidden_actions": [
|
||
"auto_retry_failed_payload",
|
||
"runtime_block_product_flow",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only 驗收失敗隔離、修復回報與 retry gate;不作 runtime blocker。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_dry_run_v1",
|
||
"schema_path": "docs/schemas/security_mirror_dry_run_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-mirror-dry-run.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-MIRROR-DRY-RUN.md"
|
||
],
|
||
"consumer": "AwoooP Operator Console / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_dry_run_report",
|
||
"display_dry_run_step",
|
||
"display_no_runtime_action_evidence"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_dry_run_step",
|
||
"production_ingestion",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP mirror-only 接入演練回報格式;本 snapshot 只表示契約已定義,尚未代表 AwoooP 已執行 dry-run。"
|
||
},
|
||
{
|
||
"contract": "security_mirror_status_rollup_v1",
|
||
"schema_path": "docs/schemas/security_mirror_status_rollup_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/security-mirror-status-rollup.snapshot.json",
|
||
"docs/security/source-control-owner-response-validation-rollup.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md",
|
||
"docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md"
|
||
],
|
||
"consumer": "AwoooP Operator Console / Runtime State / Audit",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_status_rollup",
|
||
"display_phase_status",
|
||
"display_progress_delta_ledger",
|
||
"display_next_safe_gate"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_rollup_action",
|
||
"runtime_authorization",
|
||
"add_action_button",
|
||
"start_scan",
|
||
"call_execute_endpoint",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"store_secret_value"
|
||
],
|
||
"notes": "定義 AwoooP 與 Security Supply Chain Session 的共同狀態摘要;目前顯示 58% headline progress、progress display policy 與 micro progress delta ledger,說明近期 S4.10 / S4.11 / S4.12 / S4.13 framework detail 不會推高 headline;S4.13 已補 owner response validation rollup、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes 與 4 個 reviewer audit event templates,彙整 S4.9/S4.10/S4.11/S4.12 共 22 個 response templates、received=0、accepted=0、reviewer audit emitted=0、next_collection_candidate=S4.9;只顯示階段、下一個 gate、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates 與禁止事項,不授權執行。"
|
||
},
|
||
{
|
||
"contract": "coding_task_v1",
|
||
"schema_path": "docs/schemas/coding_task_v1.schema.json",
|
||
"snapshot_paths": [],
|
||
"human_docs": [
|
||
"docs/security/CODEX-PATCH-ONLY-HANDOFF-PROMPT.md"
|
||
],
|
||
"consumer": "AwoooP Approval candidate / Codex patch-only handoff",
|
||
"consumption_mode": "suggest_only",
|
||
"allowed_actions": [
|
||
"create_patch_backlog",
|
||
"request_reviewers",
|
||
"open_draft_plan"
|
||
],
|
||
"forbidden_actions": [
|
||
"auto_merge",
|
||
"production_deploy",
|
||
"secret_rotation"
|
||
],
|
||
"notes": "Code Review 後需要 coding 的工作只能進 patch-only / draft PR lane。"
|
||
},
|
||
{
|
||
"contract": "source_control_migration_event_v1",
|
||
"schema_path": "docs/schemas/source_control_migration_event_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/gitea-github-awoooi-inventory.snapshot.json",
|
||
"docs/security/source-control-clawbot-v5.snapshot.json",
|
||
"docs/security/source-control-wooo-aiops.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md",
|
||
"docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md"
|
||
],
|
||
"consumer": "AwoooP migration matrix evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_diff_summary",
|
||
"display_blocking_reason"
|
||
],
|
||
"forbidden_actions": [
|
||
"sync_refs",
|
||
"switch_github_primary",
|
||
"delete_gitea_repo"
|
||
],
|
||
"notes": "目前 mapped repos 仍 blocked,不可切 primary。"
|
||
},
|
||
{
|
||
"contract": "gitea_repo_inventory_v1",
|
||
"schema_path": "docs/schemas/gitea_repo_inventory_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/gitea-repo-inventory.snapshot.json",
|
||
"docs/security/gitea-public-repo-search.snapshot.json",
|
||
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
|
||
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
|
||
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
|
||
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
|
||
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md",
|
||
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md",
|
||
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md",
|
||
"docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md",
|
||
"docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md",
|
||
"docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md"
|
||
],
|
||
"consumer": "AwoooP migration matrix evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_public_only_inventory",
|
||
"create_readonly_inventory_approval_candidate",
|
||
"display_authenticated_inventory_export_request",
|
||
"display_redacted_inventory_import_acceptance",
|
||
"display_coverage_attestation_request",
|
||
"display_owner_response_audit_event_templates",
|
||
"display_owner_response_redaction_examples",
|
||
"display_owner_response_display_sections",
|
||
"display_owner_attestation_response_packet"
|
||
],
|
||
"forbidden_actions": [
|
||
"store_token_value",
|
||
"write_to_gitea",
|
||
"delete_or_archive_repo"
|
||
],
|
||
"notes": "目前是 partial/public_only;S4.5 已補 authenticated/admin export request,S4.6 已補 redacted import acceptance,S4.7 已補 owner coverage attestation request,S4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanes;private/internal 全量仍需批准後補齊,audit templates 仍為 0 emitted。"
|
||
},
|
||
{
|
||
"contract": "local_git_remote_inventory_v1",
|
||
"schema_path": "docs/schemas/local_git_remote_inventory_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/local-git-remote-inventory.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md"
|
||
],
|
||
"consumer": "AwoooP source-control coverage evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_remote_coverage",
|
||
"display_internal_110_risk"
|
||
],
|
||
"forbidden_actions": [
|
||
"modify_remote",
|
||
"treat_as_server_full_inventory"
|
||
],
|
||
"notes": "本機可見 working tree 只能作輔助 evidence。"
|
||
},
|
||
{
|
||
"contract": "github_target_probe_v1",
|
||
"schema_path": "docs/schemas/github_target_probe_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/github-target-probe.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md"
|
||
],
|
||
"consumer": "AwoooP migration target evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_target_visibility",
|
||
"display_not_found_or_private"
|
||
],
|
||
"forbidden_actions": [
|
||
"auto_create_repo",
|
||
"assume_not_found_means_absent"
|
||
],
|
||
"notes": "not_found_or_private 只代表未授權 probe 看不到。"
|
||
},
|
||
{
|
||
"contract": "github_target_decision_v1",
|
||
"schema_path": "docs/schemas/github_target_decision_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/github-target-decision.snapshot.json",
|
||
"docs/security/github-target-owner-decision-response.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md",
|
||
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
|
||
],
|
||
"consumer": "AwoooP approval candidate / migration target evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_target_decision",
|
||
"create_approval_candidate"
|
||
],
|
||
"forbidden_actions": [
|
||
"change_visibility",
|
||
"create_repo",
|
||
"sync_refs"
|
||
],
|
||
"notes": "8 個 targets 中 7 個需要人工批准;S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response 收件包,owner_response_request_packet_count=1、owner_response_template_status_count=7、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、received_response_count=0,不授權 repo / visibility / refs / primary 動作。"
|
||
},
|
||
{
|
||
"contract": "github_target_repo_approval_package_v1",
|
||
"schema_path": "docs/schemas/github_target_repo_approval_package_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/github-target-repo-approval-package.snapshot.json",
|
||
"docs/security/github-target-owner-decision-response.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md",
|
||
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
|
||
],
|
||
"consumer": "AwoooP approval queue draft",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"display_repo_approval_queue",
|
||
"request_owner_decision"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_approval_item",
|
||
"push_refs",
|
||
"change_visibility"
|
||
],
|
||
"notes": "7 個 pending packages,逐 repo 低摩擦批准;S4.10 只定義 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與驗收 / 拒收格式,不代表任何執行批准。"
|
||
},
|
||
{
|
||
"contract": "source_control_approval_board_v1",
|
||
"schema_path": "docs/schemas/source_control_approval_board_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/source-control-approval-board.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md"
|
||
],
|
||
"consumer": "AwoooP approval board / PR reviewer",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_repo_decision_board",
|
||
"display_pending_owner_visibility_canonical_decisions",
|
||
"request_human_approval"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_board_item",
|
||
"sync_refs",
|
||
"create_repo",
|
||
"switch_github_primary"
|
||
],
|
||
"notes": "彙整 8 個 target,其中 7 個 pending approval;authenticated inventory gate 仍 blocked。"
|
||
},
|
||
{
|
||
"contract": "source_control_reconcile_plan_v1",
|
||
"schema_path": "docs/schemas/source_control_reconcile_plan_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/source-control-reconcile-plan.snapshot.json",
|
||
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md",
|
||
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
|
||
],
|
||
"consumer": "AwoooP approval candidate / migration reviewer",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_draft_reconcile_plan",
|
||
"display_refs_blocking_reason",
|
||
"request_single_repo_approval"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_reconcile_plan",
|
||
"push_refs",
|
||
"force_push",
|
||
"switch_github_primary"
|
||
],
|
||
"notes": "只針對 3 個 refs-blocked mapped repos 產生 draft plan;S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response 通過前只能更新 draft wording,inventory gate 仍 blocked,不可執行。"
|
||
},
|
||
{
|
||
"contract": "source_control_ref_detail_diff_v1",
|
||
"schema_path": "docs/schemas/source_control_ref_detail_diff_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/source-control-ref-detail-diff.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md"
|
||
],
|
||
"consumer": "AwoooP migration reviewer / PR reviewer",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_branch_tag_diff",
|
||
"display_ref_counts",
|
||
"support_single_repo_reconcile_review"
|
||
],
|
||
"forbidden_actions": [
|
||
"fetch_refs",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"switch_github_primary"
|
||
],
|
||
"notes": "只保存 branch/tag 明細 diff;忽略本 PR 分支避免 evidence 自我污染。"
|
||
},
|
||
{
|
||
"contract": "source_control_ref_truth_classification_v1",
|
||
"schema_path": "docs/schemas/source_control_ref_truth_classification_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/source-control-ref-truth-classification.snapshot.json",
|
||
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
|
||
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
|
||
],
|
||
"consumer": "AwoooP migration reviewer / repo owner approval queue",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_ref_truth_classification",
|
||
"display_truth_source_candidates",
|
||
"request_single_ref_human_review"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_classification",
|
||
"push_refs",
|
||
"delete_refs",
|
||
"switch_github_primary"
|
||
],
|
||
"notes": "把 refs diff 分成 main/dev 真相來源、drift deprecated 候選、release tag 與 GitHub-only review lane;S4.11 只定義 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 owner response templates、received_response_count=0、audit_events_emitted=0,仍不授權 sync/delete/force push。"
|
||
},
|
||
{
|
||
"contract": "source_control_primary_readiness_gate_v1",
|
||
"schema_path": "docs/schemas/source_control_primary_readiness_gate_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/source-control-primary-readiness-gate.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"
|
||
],
|
||
"consumer": "AwoooP source-control review / Operator Console / Audit",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_primary_readiness_gate",
|
||
"display_primary_blockers",
|
||
"request_owner_parity_rollback_review"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_primary_cutover",
|
||
"create_repo",
|
||
"change_visibility",
|
||
"sync_refs",
|
||
"switch_github_primary",
|
||
"disable_gitea"
|
||
],
|
||
"notes": "定義 S4.0 GitHub primary readiness gate;7 個 in-scope repos 仍 blocked,primary_ready_count=0。"
|
||
},
|
||
{
|
||
"contract": "source_control_primary_rollback_adr_v1",
|
||
"schema_path": "docs/schemas/source_control_primary_rollback_adr_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/source-control-primary-rollback-adr.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md"
|
||
],
|
||
"consumer": "AwoooP source-control review / Operator Console / Audit",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_rollback_adr_draft",
|
||
"display_rollback_owner_review",
|
||
"display_validation_windows",
|
||
"request_owner_rollback_approval"
|
||
],
|
||
"forbidden_actions": [
|
||
"execute_rollback",
|
||
"switch_github_primary",
|
||
"sync_refs",
|
||
"modify_webhook",
|
||
"disable_gitea",
|
||
"add_action_button"
|
||
],
|
||
"notes": "定義 S4.4 GitHub primary rollback ADR 草案;7 個 in-scope repos 有 rollback draft,owner_approved_count=0、dry_run_completed_count=0、active_cutover_count=0。"
|
||
},
|
||
{
|
||
"contract": "source_control_workflow_secret_name_inventory_v1",
|
||
"schema_path": "docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
|
||
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
|
||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md",
|
||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md"
|
||
],
|
||
"consumer": "AwoooP source-control review / Secret hygiene audit / Operator Console",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"mirror_workflow_secret_name_inventory_gap",
|
||
"display_missing_inventory_lanes",
|
||
"request_redacted_workflow_secret_snapshot",
|
||
"display_redacted_export_request_lanes"
|
||
],
|
||
"forbidden_actions": [
|
||
"collect_secret_value",
|
||
"modify_workflow",
|
||
"rotate_secret",
|
||
"create_repo",
|
||
"sync_refs",
|
||
"switch_github_primary"
|
||
],
|
||
"notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約;S4.2 已補 local evidence:4 repos、31 workflow files、43 個 referenced secret names;S4.3 已補 7 repos / 5 lanes 的 redacted export request;S4.12 已補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 owner response templates,received_response_count=0、audit_events_emitted=0;仍不保存 secret value。"
|
||
},
|
||
{
|
||
"contract": "local_repo_canonical_probe_v1",
|
||
"schema_path": "docs/schemas/local_repo_canonical_probe_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/local-repo-canonical-ewoooc-momo.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md"
|
||
],
|
||
"consumer": "AwoooP canonical decision evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_lineage_summary",
|
||
"display_unrelated_warning"
|
||
],
|
||
"forbidden_actions": [
|
||
"auto_merge_histories",
|
||
"delete_working_tree"
|
||
],
|
||
"notes": "momo/ewoooc 目前 sample 無共同 commit,不可自動合併。"
|
||
},
|
||
{
|
||
"contract": "git_remote_refs_probe_v1",
|
||
"schema_path": "docs/schemas/git_remote_refs_probe_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/git-remote-refs-bitan-tsenyang.snapshot.json",
|
||
"docs/security/git-remote-refs-wooo-infra-config.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
|
||
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md"
|
||
],
|
||
"consumer": "AwoooP source readiness evidence",
|
||
"consumption_mode": "mirror_only",
|
||
"allowed_actions": [
|
||
"mirror_refs_readiness",
|
||
"display_unreachable_remote"
|
||
],
|
||
"forbidden_actions": [
|
||
"fetch",
|
||
"push",
|
||
"sync_refs"
|
||
],
|
||
"notes": "只做 ls-remote 類 read-only refs evidence。"
|
||
},
|
||
{
|
||
"contract": "approval_required_event_v1",
|
||
"schema_path": "docs/schemas/approval_required_event_v1.schema.json",
|
||
"snapshot_paths": [
|
||
"docs/security/gitea-readonly-inventory-approval.snapshot.json"
|
||
],
|
||
"human_docs": [
|
||
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md"
|
||
],
|
||
"consumer": "AwoooP approval queue / Audit",
|
||
"consumption_mode": "approval_only",
|
||
"allowed_actions": [
|
||
"display_approval_candidate",
|
||
"record_human_decision"
|
||
],
|
||
"forbidden_actions": [
|
||
"auto_approve",
|
||
"store_token_value",
|
||
"execute_without_approval"
|
||
],
|
||
"notes": "高風險或敏感邊界的唯一升級入口。"
|
||
}
|
||
]
|
||
}
|