Files
awoooi/docs/security/security-approval-decision-record.snapshot.json

47 lines
1.8 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_approval_decision_record_v1",
"status": "draft",
"date": "2026-05-13",
"mode": "decision_record_only",
"runtime_execution_authorized": false,
"source_indexes": [
"docs/security/security-approval-gate.snapshot.json",
"docs/security/security-approval-queue.snapshot.json",
"docs/security/security-mirror-status-rollup.snapshot.json"
],
"summary": {
"total_decision_records": 0,
"approve_scope_count": 0,
"reject_count": 0,
"defer_count": 0,
"request_more_evidence_count": 0,
"keep_blocked_count": 0,
"pending_runtime_gate_count": 0,
"runtime_actions_authorized": false,
"raw_secret_storage_authorized": false
},
"decision_records": [],
"recording_rules": [
"每筆人工決策都必須引用 security_approval_gate_v1 的 gate_id 與 source_queue_item_id。",
"approve_scope 只代表批准該 scope 進下一步設計、草案、只讀 inventory、低噪音 scope 或人工 exception不代表可立即執行。",
"所有 decision record 都必須維持 execution_authorized=false。",
"任何批准後的 scan、/execute、repo、refs、deploy、secret、RBAC、NetworkPolicy、firewall 變更都必須另有 follow-up runtime gate。",
"決策紀錄不得保存 raw secret、token、cookie、private key、credential value 或 exploit payload。"
],
"forbidden_actions": [
"execute_decision_record",
"auto_approve",
"execute_after_decision_without_runtime_gate",
"start_kali_scan",
"call_kali_execute_endpoint",
"run_credentialed_scan",
"create_github_repo",
"change_repo_visibility",
"sync_git_refs",
"switch_github_primary",
"auto_merge",
"production_deploy",
"store_secret_token_cookie_private_key_or_exploit_payload"
]
}