Files
awoooi/docs/security/security-supply-chain-contract-manifest.snapshot.json
2026-05-19 11:04:34 +08:00

927 lines
36 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_supply_chain_contract_manifest_v1",
"status": "draft",
"default_enforcement_level": "mirror_only",
"contract_count": 35,
"contracts": [
{
"contract": "security_rollout_policy_v1",
"schema_path": "docs/schemas/security_rollout_policy_v1.schema.json",
"snapshot_paths": [
"docs/security/security-rollout-policy.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md"
],
"consumer": "AwoooP read-only policy / Operator Console",
"consumption_mode": "read_only_policy",
"allowed_actions": [
"mirror_policy",
"display_mode",
"recommend_observe_warn_approval"
],
"forbidden_actions": [
"runtime_enforcement",
"auto_block_low_medium_observation"
],
"notes": "初期 observe-first / mirror-only不把資安網變成流程負擔。"
},
{
"contract": "security_finding_v1",
"schema_path": "docs/schemas/security_finding_v1.schema.json",
"snapshot_paths": [
"docs/security/security-finding-kali-sample.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-FINDING-CONTRACT.md",
"docs/security/KALI-SECURITY-MESH-BLUEPRINT.md"
],
"consumer": "AwoooP Runtime State / Channel Event / Audit",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_redacted_finding",
"display_security_posture"
],
"forbidden_actions": [
"active_scan",
"store_raw_secret",
"store_exploit_payload"
],
"notes": "承接 Kali / Trivy / ZAP / Semgrep / detect-secrets 類 findings。"
},
{
"contract": "kali_integration_status_v1",
"schema_path": "docs/schemas/kali_integration_status_v1.schema.json",
"snapshot_paths": [
"docs/security/kali-integration-status.snapshot.json"
],
"human_docs": [
"docs/security/KALI-INTEGRATION-STATUS.md"
],
"consumer": "AwoooP security posture / Operator Console",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_kali_health",
"display_update_status",
"display_integration_gaps",
"create_approval_candidate_for_active_scan_or_full_upgrade"
],
"forbidden_actions": [
"run_active_scan",
"run_execute_endpoint",
"store_api_key_or_password",
"full_upgrade_or_reboot_without_window"
],
"notes": "112 已有 live scanner health 與低風險更新finding ingestion / AwoooP runtime mirror 尚未接通。"
},
{
"contract": "kali_scan_scope_approval_v1",
"schema_path": "docs/schemas/kali_scan_scope_approval_v1.schema.json",
"snapshot_paths": [
"docs/security/kali-scan-scope-approval.snapshot.json"
],
"human_docs": [
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md"
],
"consumer": "AwoooP approval queue / Operator Console",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_scan_scope",
"display_approval_gate",
"create_approval_candidate"
],
"forbidden_actions": [
"start_scan",
"call_execute_endpoint",
"store_secret_value",
"auto_block_deploy",
"full_upgrade_or_reboot_without_window"
],
"notes": "定義 Kali 112、111/168 dev hosts、核心 runtime hosts 與 web perimeter 的掃描深度;高風險動作 blocked_until_approved。"
},
{
"contract": "security_approval_queue_v1",
"schema_path": "docs/schemas/security_approval_queue_v1.schema.json",
"snapshot_paths": [
"docs/security/security-approval-queue.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-QUEUE.md"
],
"consumer": "AwoooP approval queue / Operator Console / Audit",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_queue_item",
"display_review_order",
"create_approval_candidate",
"record_human_decision"
],
"forbidden_actions": [
"execute_queue_item",
"start_scan",
"create_repo",
"sync_refs",
"switch_github_primary",
"store_secret_value"
],
"notes": "集中整理 Kali、Gitea/GitHub、refs truth classification 等 pending approval / block candidate不授權執行。"
},
{
"contract": "security_approval_gate_v1",
"schema_path": "docs/schemas/security_approval_gate_v1.schema.json",
"snapshot_paths": [
"docs/security/security-approval-gate.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-GATE.md"
],
"consumer": "AwoooP approval queue / Audit / Operator Console",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_approval_gate",
"record_human_decision",
"display_followup_runtime_gate"
],
"forbidden_actions": [
"execute_gate_item",
"auto_approve",
"execute_after_approval_without_runtime_gate",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 S3 人工批准 gate 的決策語言與留痕格式;批准後仍不得自動執行,必須有後續 runtime gate。"
},
{
"contract": "security_approval_decision_record_v1",
"schema_path": "docs/schemas/security_approval_decision_record_v1.schema.json",
"snapshot_paths": [
"docs/security/security-approval-decision-record.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-DECISION-RECORD.md"
],
"consumer": "AwoooP Audit / Operator Console",
"consumption_mode": "approval_only",
"allowed_actions": [
"record_human_decision",
"display_decision_scope",
"display_followup_runtime_gate"
],
"forbidden_actions": [
"execute_decision_record",
"auto_approve",
"execute_after_decision_without_runtime_gate",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 S3 人工決策紀錄格式;記錄 approve/reject/defer/request_more_evidence/keep_blocked但不授權執行。"
},
{
"contract": "security_approval_review_packet_v1",
"schema_path": "docs/schemas/security_approval_review_packet_v1.schema.json",
"snapshot_paths": [
"docs/security/security-approval-review-packet.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-REVIEW-PACKET.md"
],
"consumer": "AwoooP Approval Queue / Operator Console / Audit",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_review_packet",
"display_review_lane",
"display_required_reviewers",
"prepare_human_decision"
],
"forbidden_actions": [
"execute_review_packet",
"treat_review_packet_as_approval",
"auto_approve",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 S3.2 人工審查封包格式;把 queue/gate 轉成可審查資料,但不代表批准或執行授權。"
},
{
"contract": "security_approval_state_transition_v1",
"schema_path": "docs/schemas/security_approval_state_transition_v1.schema.json",
"snapshot_paths": [
"docs/security/security-approval-state-transition.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-APPROVAL-STATE-TRANSITION.md"
],
"consumer": "AwoooP Approval Queue / Operator Console / Audit",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_transition_rules",
"display_next_state",
"display_followup_runtime_gate",
"record_decision_transition"
],
"forbidden_actions": [
"execute_transition_rule",
"execute_after_approve_scope_without_runtime_gate",
"auto_approve",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 S3.3 人工決策狀態轉移語義approve_scope 仍只進入 waiting runtime gate不授權執行。"
},
{
"contract": "security_followup_runtime_gate_v1",
"schema_path": "docs/schemas/security_followup_runtime_gate_v1.schema.json",
"snapshot_paths": [
"docs/security/security-followup-runtime-gate.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-FOLLOWUP-RUNTIME-GATE.md"
],
"consumer": "AwoooP Approval Queue / Operator Console / Audit",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_runtime_gate_template",
"display_preflight_checks",
"display_rollback_or_disable_requirement"
],
"forbidden_actions": [
"activate_runtime_gate",
"execute_runtime_gate_template",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 S3.4 後續 runtime gate 準備資料;目前 active_runtime_gates=0不授權任何執行。"
},
{
"contract": "security_mirror_readiness_v1",
"schema_path": "docs/schemas/security_mirror_readiness_v1.schema.json",
"snapshot_paths": [
"docs/security/security-mirror-readiness.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-READINESS.md"
],
"consumer": "AwoooP Operator Console / Runtime State / Channel Event / Audit",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_readiness_index",
"display_contract_readiness",
"display_partial_or_contract_only_reason"
],
"forbidden_actions": [
"execute_mirror_item",
"start_scan",
"create_repo",
"sync_refs",
"switch_github_primary",
"store_secret_value"
],
"notes": "整理 35 個 Security Supply Chain contracts 的 mirror readiness供 AwoooP 安全消費。"
},
{
"contract": "security_mirror_intake_plan_v1",
"schema_path": "docs/schemas/security_mirror_intake_plan_v1.schema.json",
"snapshot_paths": [
"docs/security/security-mirror-intake-plan.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-INTAKE-PLAN.md"
],
"consumer": "AwoooP Operator Console / Runtime State / Channel Event / Audit / Approval Queue",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_intake_wave",
"display_acceptance_gate",
"display_blocked_processing"
],
"forbidden_actions": [
"execute_intake_wave",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"production_deploy",
"store_secret_value"
],
"notes": "定義 AwoooP mirror-only intake waves、destinations、allowed/blocked processing 與 acceptance gates。"
},
{
"contract": "security_mirror_event_v1",
"schema_path": "docs/schemas/security_mirror_event_v1.schema.json",
"snapshot_paths": [
"docs/security/security-mirror-event-sample.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-EVENT-CONTRACT.md"
],
"consumer": "AwoooP Runtime State / Channel Event / Audit / Operator Console",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_event_envelope",
"display_redaction_status",
"display_blocked_actions"
],
"forbidden_actions": [
"execute_event",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 AwoooP mirror-only 事件 envelope所有事件都必須標示 execution_authorized=false 與 action_buttons_allowed=false。"
},
{
"contract": "security_mirror_route_v1",
"schema_path": "docs/schemas/security_mirror_route_v1.schema.json",
"snapshot_paths": [
"docs/security/security-mirror-route.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-ROUTE.md"
],
"consumer": "AwoooP Operator Console / Runtime State / Channel Event / Audit / Approval Queue",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_route_matrix",
"display_route_group",
"display_channel_policy",
"display_review_lane"
],
"forbidden_actions": [
"execute_route_group",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 AwoooP mirror-only route groups、destination、channel policy 與 review lane不作 execution router。"
},
{
"contract": "security_mirror_acceptance_v1",
"schema_path": "docs/schemas/security_mirror_acceptance_v1.schema.json",
"snapshot_paths": [
"docs/security/security-mirror-acceptance.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-ACCEPTANCE.md"
],
"consumer": "AwoooP Operator Console / Runtime State / Audit",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_acceptance_checks",
"display_acceptance_result",
"display_blocking_check_failure"
],
"forbidden_actions": [
"execute_acceptance_check",
"runtime_block_product_flow",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 AwoooP mirror-only ingestion 驗收 checks只阻擋不完整或未脫敏的鏡像資料不作 runtime blocker。"
},
{
"contract": "security_mirror_quarantine_v1",
"schema_path": "docs/schemas/security_mirror_quarantine_v1.schema.json",
"snapshot_paths": [
"docs/security/security-mirror-quarantine.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-QUARANTINE.md"
],
"consumer": "AwoooP Operator Console / Audit",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_quarantine_lane",
"display_recovery_request",
"display_retry_gate"
],
"forbidden_actions": [
"auto_retry_failed_payload",
"runtime_block_product_flow",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 AwoooP mirror-only 驗收失敗隔離、修復回報與 retry gate不作 runtime blocker。"
},
{
"contract": "security_mirror_dry_run_v1",
"schema_path": "docs/schemas/security_mirror_dry_run_v1.schema.json",
"snapshot_paths": [
"docs/security/security-mirror-dry-run.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-DRY-RUN.md"
],
"consumer": "AwoooP Operator Console / Audit",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_dry_run_report",
"display_dry_run_step",
"display_no_runtime_action_evidence"
],
"forbidden_actions": [
"execute_dry_run_step",
"production_ingestion",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 AwoooP mirror-only 接入演練回報格式;本 snapshot 只表示契約已定義,尚未代表 AwoooP 已執行 dry-run。"
},
{
"contract": "security_mirror_status_rollup_v1",
"schema_path": "docs/schemas/security_mirror_status_rollup_v1.schema.json",
"snapshot_paths": [
"docs/security/security-mirror-status-rollup.snapshot.json",
"docs/security/source-control-owner-response-validation-rollup.snapshot.json"
],
"human_docs": [
"docs/security/SECURITY-MIRROR-STATUS-ROLLUP.md",
"docs/security/SOURCE-CONTROL-OWNER-RESPONSE-VALIDATION-ROLLUP.md"
],
"consumer": "AwoooP Operator Console / Runtime State / Audit",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_status_rollup",
"display_phase_status",
"display_progress_delta_ledger",
"display_next_safe_gate"
],
"forbidden_actions": [
"execute_rollup_action",
"runtime_authorization",
"add_action_button",
"start_scan",
"call_execute_endpoint",
"create_repo",
"sync_refs",
"store_secret_value"
],
"notes": "定義 AwoooP 與 Security Supply Chain Session 的共同狀態摘要;目前顯示 58% headline progress、progress display policy 與 micro progress delta ledger說明近期 S4.10 / S4.11 / S4.12 / S4.13 framework detail 不會推高 headlineS4.13 已補 owner response validation rollup、6 條 evidence routing rules、8 個 display sections、7 條 state transition rules、9 個 reviewer checklist items、7 條 reviewer outcome lanes 與 4 個 reviewer audit event templates彙整 S4.9/S4.10/S4.11/S4.12 共 22 個 response templates、received=0、accepted=0、reviewer audit emitted=0、next_collection_candidate=S4.9;只顯示階段、下一個 gate、evidence routing、display sections、state transition rules、reviewer checklist、reviewer outcome lanes、reviewer audit templates 與禁止事項,不授權執行。"
},
{
"contract": "coding_task_v1",
"schema_path": "docs/schemas/coding_task_v1.schema.json",
"snapshot_paths": [],
"human_docs": [
"docs/security/CODEX-PATCH-ONLY-HANDOFF-PROMPT.md"
],
"consumer": "AwoooP Approval candidate / Codex patch-only handoff",
"consumption_mode": "suggest_only",
"allowed_actions": [
"create_patch_backlog",
"request_reviewers",
"open_draft_plan"
],
"forbidden_actions": [
"auto_merge",
"production_deploy",
"secret_rotation"
],
"notes": "Code Review 後需要 coding 的工作只能進 patch-only / draft PR lane。"
},
{
"contract": "source_control_migration_event_v1",
"schema_path": "docs/schemas/source_control_migration_event_v1.schema.json",
"snapshot_paths": [
"docs/security/gitea-github-awoooi-inventory.snapshot.json",
"docs/security/source-control-clawbot-v5.snapshot.json",
"docs/security/source-control-wooo-aiops.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md",
"docs/security/SOURCE-CONTROL-MIGRATION-MATRIX.md"
],
"consumer": "AwoooP migration matrix evidence",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_diff_summary",
"display_blocking_reason"
],
"forbidden_actions": [
"sync_refs",
"switch_github_primary",
"delete_gitea_repo"
],
"notes": "目前 mapped repos 仍 blocked不可切 primary。"
},
{
"contract": "gitea_repo_inventory_v1",
"schema_path": "docs/schemas/gitea_repo_inventory_v1.schema.json",
"snapshot_paths": [
"docs/security/gitea-repo-inventory.snapshot.json",
"docs/security/gitea-public-repo-search.snapshot.json",
"docs/security/gitea-org-repo-inventory-blocked.snapshot.json",
"docs/security/gitea-authenticated-inventory-export-request.snapshot.json",
"docs/security/gitea-authenticated-inventory-import-acceptance.snapshot.json",
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-SERVER-SIDE-INVENTORY-RUNBOOK.md",
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md",
"docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md",
"docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md"
],
"consumer": "AwoooP migration matrix evidence",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_public_only_inventory",
"create_readonly_inventory_approval_candidate",
"display_authenticated_inventory_export_request",
"display_redacted_inventory_import_acceptance",
"display_coverage_attestation_request",
"display_owner_response_audit_event_templates",
"display_owner_response_redaction_examples",
"display_owner_response_display_sections",
"display_owner_attestation_response_packet"
],
"forbidden_actions": [
"store_token_value",
"write_to_gitea",
"delete_or_archive_repo"
],
"notes": "目前是 partial/public_onlyS4.5 已補 authenticated/admin export requestS4.6 已補 redacted import acceptanceS4.7 已補 owner coverage attestation requestS4.9 已補 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、8 個 display sections、6 個 collection checks、owner response intake packet、6 個 intake preflight checks 與 5 個 outcome lanesprivate/internal 全量仍需批准後補齊audit templates 仍為 0 emitted。"
},
{
"contract": "local_git_remote_inventory_v1",
"schema_path": "docs/schemas/local_git_remote_inventory_v1.schema.json",
"snapshot_paths": [
"docs/security/local-git-remote-inventory.snapshot.json"
],
"human_docs": [
"docs/security/LOCAL-GIT-REMOTE-INVENTORY-SNAPSHOT.md"
],
"consumer": "AwoooP source-control coverage evidence",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_remote_coverage",
"display_internal_110_risk"
],
"forbidden_actions": [
"modify_remote",
"treat_as_server_full_inventory"
],
"notes": "本機可見 working tree 只能作輔助 evidence。"
},
{
"contract": "github_target_probe_v1",
"schema_path": "docs/schemas/github_target_probe_v1.schema.json",
"snapshot_paths": [
"docs/security/github-target-probe.snapshot.json"
],
"human_docs": [
"docs/security/GITHUB-TARGET-PROBE-SNAPSHOT.md"
],
"consumer": "AwoooP migration target evidence",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_target_visibility",
"display_not_found_or_private"
],
"forbidden_actions": [
"auto_create_repo",
"assume_not_found_means_absent"
],
"notes": "not_found_or_private 只代表未授權 probe 看不到。"
},
{
"contract": "github_target_decision_v1",
"schema_path": "docs/schemas/github_target_decision_v1.schema.json",
"snapshot_paths": [
"docs/security/github-target-decision.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"human_docs": [
"docs/security/GITHUB-TARGET-VISIBILITY-DECISION-TABLE.md",
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
],
"consumer": "AwoooP approval candidate / migration target evidence",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_target_decision",
"create_approval_candidate"
],
"forbidden_actions": [
"change_visibility",
"create_repo",
"sync_refs"
],
"notes": "8 個 targets 中 7 個需要人工批准S4.10 已補 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與 owner decision response 收件包owner_response_request_packet_count=1、owner_response_template_status_count=7、owner_response_audit_event_template_count=3、owner_response_redaction_example_count=5、owner_response_collection_check_count=6、intake_preflight_check_count=6、received_response_count=0不授權 repo / visibility / refs / primary 動作。"
},
{
"contract": "github_target_repo_approval_package_v1",
"schema_path": "docs/schemas/github_target_repo_approval_package_v1.schema.json",
"snapshot_paths": [
"docs/security/github-target-repo-approval-package.snapshot.json",
"docs/security/github-target-owner-decision-response.snapshot.json"
],
"human_docs": [
"docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md",
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
],
"consumer": "AwoooP approval queue draft",
"consumption_mode": "approval_only",
"allowed_actions": [
"display_repo_approval_queue",
"request_owner_decision"
],
"forbidden_actions": [
"execute_approval_item",
"push_refs",
"change_visibility"
],
"notes": "7 個 pending packages逐 repo 低摩擦批准S4.10 只定義 owner response request packet、template status ledger、audit event templates、redaction examples、collection checks、intake preflight checks 與驗收 / 拒收格式,不代表任何執行批准。"
},
{
"contract": "source_control_approval_board_v1",
"schema_path": "docs/schemas/source_control_approval_board_v1.schema.json",
"snapshot_paths": [
"docs/security/source-control-approval-board.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md"
],
"consumer": "AwoooP approval board / PR reviewer",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_repo_decision_board",
"display_pending_owner_visibility_canonical_decisions",
"request_human_approval"
],
"forbidden_actions": [
"execute_board_item",
"sync_refs",
"create_repo",
"switch_github_primary"
],
"notes": "彙整 8 個 target其中 7 個 pending approvalauthenticated inventory gate 仍 blocked。"
},
{
"contract": "source_control_reconcile_plan_v1",
"schema_path": "docs/schemas/source_control_reconcile_plan_v1.schema.json",
"snapshot_paths": [
"docs/security/source-control-reconcile-plan.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md",
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
],
"consumer": "AwoooP approval candidate / migration reviewer",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_draft_reconcile_plan",
"display_refs_blocking_reason",
"request_single_repo_approval"
],
"forbidden_actions": [
"execute_reconcile_plan",
"push_refs",
"force_push",
"switch_github_primary"
],
"notes": "只針對 3 個 refs-blocked mapped repos 產生 draft planS4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks / owner response 通過前只能更新 draft wordinginventory gate 仍 blocked不可執行。"
},
{
"contract": "source_control_ref_detail_diff_v1",
"schema_path": "docs/schemas/source_control_ref_detail_diff_v1.schema.json",
"snapshot_paths": [
"docs/security/source-control-ref-detail-diff.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md"
],
"consumer": "AwoooP migration reviewer / PR reviewer",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_branch_tag_diff",
"display_ref_counts",
"support_single_repo_reconcile_review"
],
"forbidden_actions": [
"fetch_refs",
"push_refs",
"delete_refs",
"switch_github_primary"
],
"notes": "只保存 branch/tag 明細 diff忽略本 PR 分支避免 evidence 自我污染。"
},
{
"contract": "source_control_ref_truth_classification_v1",
"schema_path": "docs/schemas/source_control_ref_truth_classification_v1.schema.json",
"snapshot_paths": [
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/source-control-ref-truth-owner-response.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md"
],
"consumer": "AwoooP migration reviewer / repo owner approval queue",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_ref_truth_classification",
"display_truth_source_candidates",
"request_single_ref_human_review"
],
"forbidden_actions": [
"execute_classification",
"push_refs",
"delete_refs",
"switch_github_primary"
],
"notes": "把 refs diff 分成 main/dev 真相來源、drift deprecated 候選、release tag 與 GitHub-only review laneS4.11 只定義 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks、5 個 owner response templates、received_response_count=0、audit_events_emitted=0仍不授權 sync/delete/force push。"
},
{
"contract": "source_control_primary_readiness_gate_v1",
"schema_path": "docs/schemas/source_control_primary_readiness_gate_v1.schema.json",
"snapshot_paths": [
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"
],
"consumer": "AwoooP source-control review / Operator Console / Audit",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_primary_readiness_gate",
"display_primary_blockers",
"request_owner_parity_rollback_review"
],
"forbidden_actions": [
"execute_primary_cutover",
"create_repo",
"change_visibility",
"sync_refs",
"switch_github_primary",
"disable_gitea"
],
"notes": "定義 S4.0 GitHub primary readiness gate7 個 in-scope repos 仍 blockedprimary_ready_count=0。"
},
{
"contract": "source_control_primary_rollback_adr_v1",
"schema_path": "docs/schemas/source_control_primary_rollback_adr_v1.schema.json",
"snapshot_paths": [
"docs/security/source-control-primary-rollback-adr.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-PRIMARY-ROLLBACK-ADR.md"
],
"consumer": "AwoooP source-control review / Operator Console / Audit",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_rollback_adr_draft",
"display_rollback_owner_review",
"display_validation_windows",
"request_owner_rollback_approval"
],
"forbidden_actions": [
"execute_rollback",
"switch_github_primary",
"sync_refs",
"modify_webhook",
"disable_gitea",
"add_action_button"
],
"notes": "定義 S4.4 GitHub primary rollback ADR 草案7 個 in-scope repos 有 rollback draftowner_approved_count=0、dry_run_completed_count=0、active_cutover_count=0。"
},
{
"contract": "source_control_workflow_secret_name_inventory_v1",
"schema_path": "docs/schemas/source_control_workflow_secret_name_inventory_v1.schema.json",
"snapshot_paths": [
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/source-control-workflow-secret-name-local-evidence.snapshot.json",
"docs/security/source-control-workflow-secret-name-export-request.snapshot.json",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json"
],
"human_docs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-LOCAL-EVIDENCE.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-EXPORT-REQUEST.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md"
],
"consumer": "AwoooP source-control review / Secret hygiene audit / Operator Console",
"consumption_mode": "approval_only",
"allowed_actions": [
"mirror_workflow_secret_name_inventory_gap",
"display_missing_inventory_lanes",
"request_redacted_workflow_secret_snapshot",
"display_redacted_export_request_lanes"
],
"forbidden_actions": [
"collect_secret_value",
"modify_workflow",
"rotate_secret",
"create_repo",
"sync_refs",
"switch_github_primary"
],
"notes": "定義 S4.1 workflow / webhook / runner / deploy key / branch protection / CODEOWNERS / secret 名稱 inventory 契約S4.2 已補 local evidence4 repos、31 workflow files、43 個 referenced secret namesS4.3 已補 7 repos / 5 lanes 的 redacted export requestS4.12 已補 1 個 owner response request packet、5 個 template statuses、3 個 audit event templates、5 個 redaction examples、6 個 collection checks、6 個 intake preflight checks 與 5 個 owner response templatesreceived_response_count=0、audit_events_emitted=0仍不保存 secret value。"
},
{
"contract": "local_repo_canonical_probe_v1",
"schema_path": "docs/schemas/local_repo_canonical_probe_v1.schema.json",
"snapshot_paths": [
"docs/security/local-repo-canonical-ewoooc-momo.snapshot.json"
],
"human_docs": [
"docs/security/LOCAL-REPO-CANONICAL-EWOOOC-MOMO-SNAPSHOT.md"
],
"consumer": "AwoooP canonical decision evidence",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_lineage_summary",
"display_unrelated_warning"
],
"forbidden_actions": [
"auto_merge_histories",
"delete_working_tree"
],
"notes": "momo/ewoooc 目前 sample 無共同 commit不可自動合併。"
},
{
"contract": "git_remote_refs_probe_v1",
"schema_path": "docs/schemas/git_remote_refs_probe_v1.schema.json",
"snapshot_paths": [
"docs/security/git-remote-refs-bitan-tsenyang.snapshot.json",
"docs/security/git-remote-refs-wooo-infra-config.snapshot.json"
],
"human_docs": [
"docs/security/GIT-REMOTE-REFS-BITAN-TSENYANG-SNAPSHOT.md",
"docs/security/GIT-REMOTE-REFS-WOOO-INFRA-CONFIG-SNAPSHOT.md"
],
"consumer": "AwoooP source readiness evidence",
"consumption_mode": "mirror_only",
"allowed_actions": [
"mirror_refs_readiness",
"display_unreachable_remote"
],
"forbidden_actions": [
"fetch",
"push",
"sync_refs"
],
"notes": "只做 ls-remote 類 read-only refs evidence。"
},
{
"contract": "approval_required_event_v1",
"schema_path": "docs/schemas/approval_required_event_v1.schema.json",
"snapshot_paths": [
"docs/security/gitea-readonly-inventory-approval.snapshot.json"
],
"human_docs": [
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md"
],
"consumer": "AwoooP approval queue / Audit",
"consumption_mode": "approval_only",
"allowed_actions": [
"display_approval_candidate",
"record_human_decision"
],
"forbidden_actions": [
"auto_approve",
"store_token_value",
"execute_without_approval"
],
"notes": "高風險或敏感邊界的唯一升級入口。"
}
]
}