服务账号与工作负载身份
开放平台 · 组织 · /console/service-accounts
REGISTRY POLICY
设计契约检查全部通过,不等于产品证据通过
stable-idf4-targetnine-stateinteractioncontractsguardsevidence-planNINE-STATE FIXTURE MAP
九个状态都有产品语义,但 fixture 文件尚待实现
状态名称来自该 Screen Contract;K16 canonical key 用于跨仓聚合。产品仓必须提交确定性数据,而不是让 CI 依赖线上随机状态。
READY服务主体目录就绪
FIXTURE MISSINGLOADING主体和授权加载
FIXTURE MISSINGEMPTY尚无服务账号
FIXTURE MISSINGPARTIAL_ERROR令牌活动部分失败
FIXTURE MISSINGERROR服务账号变更失败
FIXTURE MISSINGOFFLINE_STALE离线只读目录
FIXTURE MISSINGFORBIDDEN缺少 service_account:manage
FIXTURE MISSINGDESTRUCTIVE_CONFIRM暂停/撤销确认
FIXTURE MISSINGSUCCESS_RECEIPT服务主体变更已记录
FIXTURE MISSINGG1–G8 EVIDENCE
缺一项就保持阻断
路径是跨仓约定,不表示文件已经存在。上传凭证、token、PII、signed URL 与原始敏感 payload 永远不能成为证据内容。
Task packet
scope、owner paths、依赖、non-goals 与 rollback
ui-ci/target-open-service-accounts/task-packet.yamlScreen contract
稳定 Screen ID、route、regions、actions、states、contracts 与 risks
/api/ui-ci/target-open-service-accountsStatic report
format、lint、typecheck、schema 与 secret scan
ui-ci/target-open-service-accounts/static/report.jsonState fixture pack
九态确定性 fixture、long/large/locale 与错误注入
ui-ci/target-open-service-accounts/fixtures/manifest.jsonConsumer contract
producer schema、consumer fixtures、compatibility 与 migration window
ui-ci/target-open-service-accounts/contracts/results.jsonExperience bundle
visual、a11y、interaction、responsive 与 native device matrix
ui-ci/target-open-service-accounts/experience/manifest.jsonSecurity negative
authz、resource binding、abuse、privacy、redaction 与 artifact integrity
ui-ci/target-open-service-accounts/security/results.jsonRelease manifest
exact commit、artifact digest、SBOM、config、migration 与 rollback drill
ui-ci/target-open-service-accounts/release/manifest.jsonProduction proof
external synthetic、telemetry、error budget、owner ack 与 incident link
ui-ci/target-open-service-accounts/production/evidence.jsonCONTRACTS & ACTIONS
实现输入
- ServicePrincipal
- WorkloadTrustPolicy
- TokenExchange
- ResourceGrant
- CredentialException
- ServicePrincipalActivity
- UnusedAccessRecommendation
- AuditReceipt
- 创建服务账号
- 配置 OIDC 信任
- 授予应用资源
- 查看令牌交换
- 调查异常来源
- 暂停主体
- 撤销全部授权
- 清理长期密钥