feat(security): 新增主機服務配置只讀清冊

scripts/security/high-value-config-control-coverage.py

@@ -119,14 +119,16 @@ CONTROL_STATUS_BY_CATEGORY = {
         "next_owner_action": "補 rule diff、receiver diff、reload owner、failure-only notification policy 與 route smoke。",
     },
     "docker_compose_systemd_host_config": {
-        "coverage_status": "inventory_needed",
-        "coverage_percent": 42,
+        "coverage_status": "repo_only_inventory_ready_needs_live_owner_evidence",
+        "coverage_percent": 50,
         "evidence_refs": [
             "docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
+            "docs/security/HOST-SERVICE-CONFIG-INVENTORY.md",
+            "docs/security/host-service-config-inventory.snapshot.json",
             "docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md",
         ],
-        "current_gap": "110 / 188 Docker Compose、systemd、port / volume / env 差異仍需只讀 inventory。",
-        "next_owner_action": "補 compose / systemd owner、restart window、rollback owner 與 post-check 指標。",
+        "current_gap": "repo-only 清冊已納入 9 個 surface；仍缺 110 / 188 live hash、restart window、rollback owner 與 post-check 指標。",
+        "next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、restart window、rollback owner 與 post-check 指標。",
     },
     "ssh_firewall_network_access": {
         "coverage_status": "policy_ready_needs_network_matrix",
@@ -254,6 +256,7 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]:
             "policy_defined_needs_restore_drill_owner",
             "policy_ready_needs_drift_evidence",
             "inventory_needed",
+            "repo_only_inventory_ready_needs_live_owner_evidence",
             "policy_ready_needs_network_matrix",
             "policy_ready_needs_dry_run_pack",
         }