Files
awoooi/docs/security/security-approval-queue.snapshot.json
Your Name 58e760fae2
All checks were successful
CD Pipeline / tests (push) Successful in 1m25s
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / build-and-deploy (push) Successful in 4m2s
CD Pipeline / post-deploy-checks (push) Successful in 1m48s
feat(security): 擴充 S4.10 target owner response
2026-06-11 20:30:41 +08:00

301 lines
14 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"schema_version": "security_approval_queue_v1",
"status": "draft",
"date": "2026-05-17",
"default_mode": "approval_only",
"execution_authorized": false,
"runtime_changes_authorized": false,
"raw_secret_storage_authorized": false,
"summary": {
"total_items": 8,
"pending_approval_count": 7,
"block_candidate_count": 1,
"observe_or_warn_count": 0
},
"queue_items": [
{
"queue_item_id": "kali-finding-runtime-ingestion-approval-20260513",
"source_contract": "kali_scan_scope_approval_v1",
"source_event_id": "kali-finding-runtime-ingestion-approval-20260513",
"title": "Kali redacted finding runtime ingestion",
"risk": "MEDIUM",
"state": "pending_approval",
"recommended_awooop_mode": "approve_required",
"requested_decision": "是否批准先建立 redacted security_finding_v1 ingestion adapter 或 endpoint批准前只能使用 sample snapshot 與 mirror-only 文件。",
"blocked_until_approved": true,
"required_reviewers": [
"security-commander",
"human-owner"
],
"evidence_refs": [
"docs/security/SECURITY-FINDING-CONTRACT.md",
"docs/security/security-finding-kali-sample.snapshot.json",
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md"
],
"allowed_after_approval": [
"設計或實作 redacted finding ingestion adapter",
"只接收 security_finding_v1 摘要與 evidence_ref",
"mirror 到 AwoooP Runtime State / Channel Event / Audit"
],
"still_forbidden": [
"保存 raw secret/token/cookie/private key/exploit payload",
"讓 AwoooP 直接啟動 scan",
"自動封鎖 deploy",
"自動修復"
]
},
{
"queue_item_id": "kali-safe-web-crawl-approval-20260513",
"source_contract": "kali_scan_scope_approval_v1",
"source_event_id": "kali-safe-web-crawl-approval-20260513",
"title": "Public web perimeter TLS/header/basic crawl",
"risk": "MEDIUM",
"state": "pending_approval",
"recommended_awooop_mode": "approve_required",
"requested_decision": "是否批准對公開產品 domains 執行 TLS、security header 與 basic crawl 類低噪音檢查。",
"blocked_until_approved": true,
"required_reviewers": [
"security-commander",
"human-owner"
],
"evidence_refs": [
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md",
"docs/security/KALI-SECURITY-MESH-BLUEPRINT.md"
],
"allowed_after_approval": [
"執行 TLS/header/basic crawl 類 safe scan",
"只產出 redacted findings",
"LOW/MEDIUM finding 只走 observe/warn"
],
"still_forbidden": [
"active DAST fuzz",
"auth flow 改狀態測試",
"credentialed scan",
"阻擋 release"
]
},
{
"queue_item_id": "gitea-private-internal-server-side-inventory-2026-05-12",
"source_contract": "approval_required_event_v1",
"source_event_id": "gitea-private-internal-server-side-inventory-2026-05-12",
"title": "Gitea private/internal read-only inventory",
"risk": "MEDIUM",
"state": "pending_approval",
"recommended_awooop_mode": "approve_required",
"requested_decision": "是否先要求 owner 依 S4.9 owner response request packet / template status ledger / audit event templates / redaction examples / display sections / response 收件包完成 S4.7 coverage attestation並在 scope decision 被接受後,批准使用 read-only token 或 redacted admin export 補齊 Gitea private/internal 全量 repo list。",
"blocked_until_approved": true,
"required_reviewers": [
"migration-engineer",
"security-commander",
"human-owner"
],
"evidence_refs": [
"docs/security/GITEA-READONLY-INVENTORY-APPROVAL-PACKAGE.md",
"docs/security/gitea-readonly-inventory-approval.snapshot.json",
"docs/security/GITEA-ORG-REPO-INVENTORY-BLOCKED-SNAPSHOT.md",
"docs/security/GITEA-INVENTORY-COVERAGE-ATTESTATION.md",
"docs/security/gitea-inventory-coverage-attestation.snapshot.json",
"docs/security/GITEA-INVENTORY-OWNER-ATTESTATION-RESPONSE.md",
"docs/security/gitea-inventory-owner-attestation-response.snapshot.json",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-EXPORT-REQUEST.md",
"docs/security/GITEA-AUTHENTICATED-INVENTORY-IMPORT-ACCEPTANCE.md"
],
"allowed_after_approval": [
"先依 S4.9 request packet 要求 owner 回覆,用 template status ledger / audit event templates / redaction examples / display sections / collection checks 維持 request / received / accepted 分離,並完成 preflight / outcome lane 判定 / 驗收 S4.7 owner coverage attestation response更新 migration matrix 與 decision table",
"使用 read-only token 或 redacted admin export 執行一次 inventory",
"只保存 token_present=true/false",
"更新 migration matrix 與 repo decision table"
],
"still_forbidden": [
"保存 token value",
"使用 write-capable token",
"未完成 S4.7 owner attestation 就標記 inventory complete",
"把 S4.7 owner attestation 當成 repo migration approval",
"把 S4.9 owner response request packet、template status ledger、audit event templates、redaction examples、display sections 或 response packet 當成 inventory 執行授權",
"建立 GitHub repo",
"sync refs",
"切 GitHub primary"
],
"expires_at": "2026-05-19T23:59:59+08:00"
},
{
"queue_item_id": "source-control-target-repo-approval-bundle-20260513",
"source_contract": "source_control_approval_board_v1",
"source_event_id": "source-control-approval-board-20260512",
"title": "9 個 GitHub target / owner / visibility / canonical 決策",
"risk": "HIGH",
"state": "pending_approval",
"recommended_awooop_mode": "approve_required",
"requested_decision": " S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks repo GitHub targetownervisibilitycanonical response S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks workflow / secret owner response bundle ",
"blocked_until_approved": true,
"required_reviewers": [
"migration-engineer",
"security-commander",
"human-owner"
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md",
"docs/security/source-control-approval-board.snapshot.json",
"docs/security/GITHUB-TARGET-REPO-APPROVAL-PACKAGE.md",
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md",
"docs/security/github-target-owner-decision-response.snapshot.json",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json"
],
"allowed_after_approval": [
" S4.10 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks owner decision response",
" S4.12 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks workflow / secret owner response",
" repo owner/visibility/canonical decision",
" workflow / secret name parity read-only wording",
" draft reconcile plan ADR",
" GitHub target decision snapshot"
],
"still_forbidden": [
" repo",
" visibility",
" S4.10 request packettemplate status ledgeraudit event templatesredaction examplescollection checksintake preflight checks response packet repo creation visibility approval",
" S4.12 request packettemplate status ledgeraudit event templatesredaction examplescollection checksintake preflight checks response packet secret value collectionworkflow modification runner enablement approval",
"push refs",
"delete refs",
" GitHub primary"
]
},
{
"queue_item_id": "source-control-ref-truth-review-bundle-20260513",
"source_contract": "source_control_ref_truth_classification_v1",
"source_event_id": "source-control-ref-truth-classification-20260513",
"title": "194 refs truth / deprecated / release tag review items",
"risk": "HIGH",
"state": "pending_approval",
"recommended_awooop_mode": "approve_required",
"requested_decision": " repo / ref deprecated release tag GitHub-only refs S4.11 owner response",
"blocked_until_approved": true,
"required_reviewers": [
"migration-engineer",
"security-commander",
"human-owner"
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-REF-TRUTH-CLASSIFICATION.md",
"docs/security/source-control-ref-truth-classification.snapshot.json",
"docs/security/SOURCE-CONTROL-REF-TRUTH-OWNER-RESPONSE.md",
"docs/security/source-control-ref-truth-owner-response.snapshot.json",
"docs/security/SOURCE-CONTROL-REF-DETAIL-DIFF.md"
],
"allowed_after_approval": [
" S4.11 request packet / template status ledger / audit event templates / redaction examples / collection checks / intake preflight checks owner response",
" ref ",
" source control reconcile plan",
" review checklist"
],
"still_forbidden": [
" S4.11 request packettemplate status ledgeraudit event templatesredaction examplescollection checksintake preflight checks response packet refs sync/delete/force push approval",
"push refs",
"delete refs",
"force push",
" GitHub primary"
]
},
{
"queue_item_id": "kali-credentialed-scan-approval-20260513",
"source_contract": "kali_scan_scope_approval_v1",
"source_event_id": "kali-credentialed-scan-approval-20260513",
"title": "Kali credentialed host/API scan",
"risk": "HIGH",
"state": "pending_approval",
"recommended_awooop_mode": "approve_required",
"requested_decision": " API 使 credential sourcescopeaudit trail ",
"blocked_until_approved": true,
"required_reviewers": [
"security-commander",
"vuln-verifier",
"human-owner"
],
"evidence_refs": [
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md",
"docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md"
],
"allowed_after_approval": [
" asset credentialed scan",
" redacted finding summary",
" audit evidence"
],
"still_forbidden": [
" credential value",
"",
"",
" firewall/RBAC/NetworkPolicy"
]
},
{
"queue_item_id": "kali-full-upgrade-reboot-approval-20260513",
"source_contract": "kali_scan_scope_approval_v1",
"source_event_id": "kali-full-upgrade-reboot-approval-20260513",
"title": "Kali rolling full-upgrade / autoremove / reboot",
"risk": "HIGH",
"state": "pending_approval",
"recommended_awooop_mode": "approve_required",
"requested_decision": " Kali 112 full-upgrade autoremove reboot snapshotrollback post-health gate",
"blocked_until_approved": true,
"required_reviewers": [
"security-commander",
"human-owner"
],
"evidence_refs": [
"docs/security/KALI-INTEGRATION-STATUS.md",
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md"
],
"allowed_after_approval": [
" full-upgrade",
" reboot",
" ssh/cron/docker/kali-scanner health "
],
"still_forbidden": [
" reboot",
" snapshot full-upgrade",
" scanner health "
]
},
{
"queue_item_id": "kali-execute-endpoint-approval-20260513",
"source_contract": "kali_scan_scope_approval_v1",
"source_event_id": "kali-execute-endpoint-approval-20260513",
"title": "Kali /execute endpoint high-risk command path",
"risk": "CRITICAL",
"state": "block_candidate",
"recommended_awooop_mode": "block_candidate",
"requested_decision": " Kali /execute AwoooP runtime high-risk approvalallowlistauditdisable gate",
"blocked_until_approved": true,
"required_reviewers": [
"critic",
"security-commander",
"human-owner"
],
"evidence_refs": [
"docs/security/KALI-INTEGRATION-STATUS.md",
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md"
],
"allowed_after_approval": [
" disable/allowlist/audit gate",
" exception "
],
"still_forbidden": [
"AwoooP runtime /execute",
" /execute MCP action",
" shell command ",
" command "
]
}
],
"next_recommended_review_order": [
"kali-finding-runtime-ingestion-approval-20260513",
"kali-safe-web-crawl-approval-20260513",
"gitea-private-internal-server-side-inventory-2026-05-12",
"source-control-target-repo-approval-bundle-20260513",
"source-control-ref-truth-review-bundle-20260513",
"kali-credentialed-scan-approval-20260513",
"kali-full-upgrade-reboot-approval-20260513",
"kali-execute-endpoint-approval-20260513"
]
}