From 41f5ff1a38ad6ff66ea458526a82be56abb4e78e Mon Sep 17 00:00:00 2001
From: Your Name
Date: Mon, 15 Jun 2026 14:48:52 +0800
Subject: [PATCH] =?UTF-8?q?feat(iwooos):=20=E5=BC=B7=E5=8C=96=E4=B8=BB?= =?UTF-8?q?=E6=A9=9F=E6=9C=8D=E5=8B=99=E4=BA=8B=E6=95=85=E5=9B=9E=E8=A3=9C?= =?UTF-8?q?=20gate?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/web/messages/en.json | 2 +-
 apps/web/messages/zh-TW.json | 2 +-
 apps/web/src/app/[locale]/iwooos/page.tsx | 9 +-
 .../HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md | 8 +-
 .../security/HOST-SERVICE-CONFIG-INVENTORY.md | 2 +-
 .../HOST-SERVICE-OWNER-REQUEST-DRAFT.md | 2 +-
 .../HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md | 31 +-
 .../IWOOOS-CONFIG-CONTROL-INVENTORY.md | 4 +-
 docs/security/IWOOOS-POSTURE-PROJECTION.md | 2 +-
 .../SECURITY-SUPPLY-CHAIN-PROGRESS.md | 4 +-
 ...alue-config-control-coverage.snapshot.json | 20 +-
 ...ce-owner-response-acceptance.snapshot.json | 438 +++++++++++++++++-
 .../iwooos-posture-projection.snapshot.json | 4 +-
 .../high-value-config-control-coverage.py | 9 +-
 .../host-service-owner-response-acceptance.py | 56 ++-
 .../security/iwooos-config-control-guard.py | 12 +-
 .../security-mirror-progress-guard.py | 66 ++-
 17 files changed, 588 insertions(+), 83 deletions(-)

diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json
index 94555a12..b41a3342 100644
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -17934,7 +17934,7 @@
 },
 "dockerSystemd": {
 "title": "Docker / systemd 主機服務",
- "body": "repo-only 清冊、owner request draft 與 owner response acceptance 只讀帳本已納入 9 個 surface;下一步仍需 live hash metadata、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。"
+ "body": "repo-only 清冊、owner request draft 與 owner response acceptance 只讀帳本已納入 9 個 surface,並加入事故恢復、服務依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補;下一步仍需 live hash metadata、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。"
 },
 "sshNetwork": {
 "title": "SSH / network / firewall",
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json
index 94555a12..b41a3342 100644
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -17934,7 +17934,7 @@
 },
 "dockerSystemd": {
 "title": "Docker / systemd 主機服務",
- "body": "repo-only 清冊、owner request draft 與 owner response acceptance 只讀帳本已納入 9 個 surface;下一步仍需 live hash metadata、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。"
+ "body": "repo-only 清冊、owner request draft 與 owner response acceptance 只讀帳本已納入 9 個 surface,並加入事故恢復、服務依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補;下一步仍需 live hash metadata、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。"
 },
 "sshNetwork": {
 "title": "SSH / network / firewall",
diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx
index 6f856149..f2849050 100644
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -2092,7 +2092,7 @@ const highValueConfigControlCoverageSummary = [
 ] as const
 
 const highValueConfigControlCoverageItems: HighValueConfigControlCoverageItem[] = [
- { key: 'dockerSystemd', rank: 'P1-1', value: '54%', icon: Server, tone: 'warn' },
+ { key: 'dockerSystemd', rank: 'P1-1', value: '58%', icon: Server, tone: 'warn' },
 { key: 'sshNetwork', rank: 'P1-2', value: '62%', icon: Network, tone: 'warn' },
 { key: 'backupRestore', rank: 'P1-3', value: '62%', icon: Database, tone: 'warn' },
 { key: 'monitoring', rank: 'P1-4', value: '62%', icon: Radar, tone: 'warn' },
@@ -2105,7 +2105,7 @@ const highValueConfigControlCoverageBoundaries = [
 'high_value_config_control_coverage_c0_category_count=8',
 'high_value_config_control_coverage_c1_category_count=4',
 'high_value_config_control_coverage_average_percent=69',
- 'high_value_config_control_coverage_needs_live_evidence_count=9',
+ 'high_value_config_control_coverage_needs_live_evidence_count=10',
 'high_value_config_control_coverage_owner_response_required_count=14',
 'high_value_config_control_coverage_owner_response_received_count=0',
 'high_value_config_control_coverage_owner_response_accepted_count=0',
@@ -2189,7 +2189,10 @@ const highValueConfigControlCoverageBoundaries = [
 'host_service_config_inventory_runtime_gate_count=0',
 'host_service_owner_response_acceptance_candidate_count=9',
 'host_service_owner_response_acceptance_write_capable_candidate_count=3',
- 'host_service_owner_response_acceptance_reviewer_check_count=14',
+ 'host_service_owner_response_acceptance_required_owner_field_count=18',
+ 'host_service_owner_response_acceptance_reviewer_check_count=21',
+ 'host_service_owner_response_acceptance_outcome_lane_count=8',
+ 'host_service_owner_response_acceptance_blocked_action_count=27',
 'host_service_owner_response_acceptance_runtime_gate_count=0',
 'ssh_network_access_inventory_surface_count=16',
 'ssh_network_access_inventory_write_capable_surface_count=6',
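Review bot: The four `host_service_owner_response_acceptance_*` boundary strings added in the `@@ -2189` hunk, like the bumped `value: '58%'` and `needs_live_evidence_count=10` in the two hunks above it, are hand-copied literals that have to agree with `docs/security/host-service-owner-response-acceptance.snapshot.json` and the markdown ledgers this commit edits, and nothing in page.tsx itself keeps them from drifting the next time a count changes. The diffstat shows `scripts/security/iwooos-config-control-guard.py` and `scripts/security/security-mirror-progress-guard.py` also changed in this commit; if those guards compare these strings against the snapshot, a comment above the array such as `// counts are verified against docs/security/*.snapshot.json by scripts/security/iwooos-config-control-guard.py` would tell the next editor where parity is enforced, and if they do not yet cover the four new keys, that check is the place to add them. The `needs_live_evidence_count` move from 9 to 10 is not explained by any hunk on this page, so the commit message or a comment on that line should name the category that now requires live evidence. Both `highValueConfigControlCoverageItems` and `highValueConfigControlCoverageBoundaries` begin and end outside the visible hunks.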
diff --git a/docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md b/docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md index 795d9659..05d802b6 100644 --- a/docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md +++ b/docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md @@ -78,7 +78,7 @@ 已新增 `docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md` 與 `docs/security/host-service-owner-response-acceptance.snapshot.json`,將 9 份 Docker / systemd / host service owner request draft 轉成 metadata-only owner response acceptance 只讀帳本。 -固定數字為 `acceptance_candidate_count=9`、`write_capable_acceptance_candidate_count=3`、`live_evidence_required_candidate_count=8`、`acceptance_field_count=28`、`required_owner_field_count=12`、`reviewer_check_count=14`、`outcome_lane_count=7`、`blocked_action_count=20`、`owner_response_received_count=0`、`owner_response_accepted_count=0`、`live_host_read_authorized_count=0`、`docker_compose_action_authorized_count=0`、`systemctl_action_authorized_count=0`、`repair_bot_execution_authorized_count=0`、`ansible_apply_authorized_count=0`、`runtime_gate_count=0`。此更新讓 `docker_compose_systemd_host_config` 從 `50%` 推進到 `54%`,也讓高價值配置平均只讀成熟度從 `67%` 推進到 `68%`;它不代表 live host read、restart、repair-bot、Ansible、sudo、host write 或 runtime gate 已授權。 +固定數字為 `acceptance_candidate_count=9`、`write_capable_acceptance_candidate_count=3`、`live_evidence_required_candidate_count=8`、`acceptance_field_count=34`、`required_owner_field_count=18`、`reviewer_check_count=21`、`outcome_lane_count=8`、`blocked_action_count=27`、`owner_response_received_count=0`、`owner_response_accepted_count=0`、`live_host_read_authorized_count=0`、`docker_compose_action_authorized_count=0`、`systemctl_action_authorized_count=0`、`repair_bot_execution_authorized_count=0`、`ansible_apply_authorized_count=0`、`runtime_gate_count=0`。此更新讓 `docker_compose_systemd_host_config` 從 `54%` 推進到 `58%`;它不代表 live host read、restart、repair-bot、Ansible、sudo、host write 或 runtime gate 已授權。 ## 1.7 2026-06-15 端口 / 防火牆變更證據驗收只讀帳本 
@@ -113,7 +113,7 @@ | 優先 | 類別 | 目前成熟度 | 下一步 | |------|------|------------|--------| -| P1-1 | Docker Compose / systemd / host service config | `54%` | repo-only 清冊已納入 9 個 surface,owner request draft 與 owner response acceptance ledger 已完成;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence | +| P1-1 | Docker Compose / systemd / host service config | `58%` | repo-only 清冊已納入 9 個 surface,owner request draft 與 owner response acceptance ledger 已完成;事故恢復、依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補已納入;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence | | P1-2 | SSH / sudoers / known_hosts / firewall / WireGuard / NodePort | `62%` | repo-only 清冊已納入 16 個 SSH / network access surface,owner request draft、owner response acceptance 與事故型端口 / 防火牆變更證據驗收 ledger 已完成;仍缺 owner-provided change / incident ref、actor、before / after state、health impact、notification、cross-project sync、maintenance window、rollback owner 與 post-check evidence | | P1-3 | Backup / restore / escrow / retention | `62%` | repo-only 清冊已納入 38 個 surface,owner request draft 與 owner response acceptance ledger 已完成;仍缺 owner response、restore drill approval package、offsite / escrow owner、retention owner、rollback owner、validation plan 與 no-secret-value evidence | | P1-4 | Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse | `62%` | repo-only 清冊已納入 60 個 monitoring / alerting / observability surface,owner request draft 已轉成 60 份草稿;仍缺 owner response、live drift evidence、reload owner、receiver owner、route smoke 與 receipt proof | 
@@ -245,7 +245,7 @@ python3 scripts/security/iwooos-config-control-guard.py --root . | 覆蓋 snapshot / schema | `100%` | 已新增可重跑 snapshot 與 JSON schema | | 高價值配置集中 guard | `100%` | 已新增 `scripts/security/iwooos-config-control-guard.py`,並串接 `security-mirror-progress-guard.py`;14 類配置、主要 owner / change evidence 帳本、supply-chain manifest 與 `0 / false` 邊界可集中驗證 | | DNS / TLS / certbot owner response acceptance | `100%` | 已新增 `domain_tls_certbot_owner_response_acceptance_v1`,4 個 C0 candidate、13 個 owner 必填欄位、13 個 reviewer checks、7 條 outcome lanes、20 類 blocked action;成熟度 `74% -> 78%` | -| Docker / systemd / host service owner response acceptance | `100%` | 已新增 `host_service_owner_response_acceptance_v1`,9 個 candidate、3 個 write-capable、14 個 reviewer checks、7 條 outcome lanes、20 類 blocked action;成熟度 `50% -> 54%` | +| Docker / systemd / host service owner response acceptance | `100%` | 已新增 `host_service_owner_response_acceptance_v1`,9 個 candidate、3 個 write-capable、21 個 reviewer checks、8 條 outcome lanes、27 類 blocked action;成熟度 `54% -> 58%` | | CD / Runner / Secret injection change evidence acceptance | `100%` | 已新增 `cd_runner_secret_injection_change_evidence_acceptance_v1`,5 個 candidate、4 個 C0、19 個 reviewer checks、8 條 outcome lanes、32 類 blocked action;secret metadata 成熟度 `66% -> 68%`,workflow / runner 成熟度 `70% -> 72%` | | Public / Admin / API runtime config 變更證據驗收 | `100%` | 已新增 `public_runtime_config_change_evidence_acceptance_v1`,6 個 candidate、5 個 C0、21 個 reviewer checks、8 條 outcome lanes、32 類 blocked action;public/admin/API runtime config 成熟度 `62% -> 64%`,raw namespace / repo slug / 內部狀態碼 / 內部協作內容外洩列為拒收或隔離條件 | | owner response 收件 | `0%` | 尚未收到或接受任何 owner response | 
@@ -258,7 +258,7 @@ python3 scripts/security/iwooos-config-control-guard.py --root . 2026-06-14 再新增 `host_service_owner_request_draft_v1`,把 9 個 surface 轉成 `request_draft_count=9`、`write_capable_request_draft_count=3`、`live_evidence_required_request_count=8`、`required_owner_field_count=12`、`blocked_action_count=14` 的人工送件前草稿。此更新仍不調高類別成熟度,因為 request sent、owner response received / accepted、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 `0`。 -2026-06-14 再新增 `host_service_owner_response_acceptance_v1`,把 9 份 request draft 轉成 `acceptance_candidate_count=9`、`write_capable_acceptance_candidate_count=3`、`live_evidence_required_candidate_count=8`、`required_owner_field_count=12`、`reviewer_check_count=14`、`outcome_lane_count=7`、`blocked_action_count=20` 的 owner response acceptance 只讀帳本。此更新讓 `docker_compose_systemd_host_config` 從 `50%` 推進到 `54%`,但 owner response received / accepted、live hash、maintenance / restart window、rollback owner、post-check plan、disable switch、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、runtime gate 與 action button 仍全部為 `0`。 +2026-06-15 追加事故回補欄位,將 `host_service_owner_response_acceptance_v1` 固定為 `acceptance_field_count=34`、`required_owner_field_count=18`、`reviewer_check_count=21`、`outcome_lane_count=8`、`blocked_action_count=27`。新增要求包含 source-of-truth、服務依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。此更新讓 `docker_compose_systemd_host_config` 從 `54%` 推進到 `58%`,但 owner response received / accepted、live hash、maintenance / restart window、rollback owner、post-check plan、disable switch、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、runtime gate 與 action button 仍全部為 `0`。 ## 9. P1-2 SSH / network access 清冊更新 diff --git a/docs/security/HOST-SERVICE-CONFIG-INVENTORY.md b/docs/security/HOST-SERVICE-CONFIG-INVENTORY.md index eb11a035..324360f8 100644 --- a/docs/security/HOST-SERVICE-CONFIG-INVENTORY.md 
+++ b/docs/security/HOST-SERVICE-CONFIG-INVENTORY.md @@ -19,7 +19,7 @@ 此 artifact 只表示 owner request 的 required shape,不代表 request sent、recipient confirmed、owner response received / accepted、live host read、Docker Compose action、systemctl action、repair-bot execution、Ansible apply、secret collection、host write、production write 或 runtime gate。 -2026-06-14 再新增 `docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md` 與 `docs/security/host-service-owner-response-acceptance.snapshot.json`,將 9 份 request draft 轉成 owner response acceptance 只讀帳本。固定 `acceptance_candidate_count=9`、`write_capable_acceptance_candidate_count=3`、`live_evidence_required_candidate_count=8`、`required_owner_field_count=12`、`reviewer_check_count=14`、`outcome_lane_count=7`、`blocked_action_count=20`、`owner_response_received_count=0`、`owner_response_accepted_count=0`、`runtime_gate_count=0`。 +2026-06-15 再更新 `docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md` 與 `docs/security/host-service-owner-response-acceptance.snapshot.json`,將 9 份 request draft 轉成 owner response acceptance 只讀帳本並追加事故回補。固定 `acceptance_candidate_count=9`、`write_capable_acceptance_candidate_count=3`、`live_evidence_required_candidate_count=8`、`required_owner_field_count=18`、`reviewer_check_count=21`、`outcome_lane_count=8`、`blocked_action_count=27`、`owner_response_received_count=0`、`owner_response_accepted_count=0`、`runtime_gate_count=0`。 此 artifact 只表示未來 owner 回覆可被收件、補件、隔離、拒收或進 reviewer review,不代表 live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、production write 或 runtime gate。 diff --git a/docs/security/HOST-SERVICE-OWNER-REQUEST-DRAFT.md b/docs/security/HOST-SERVICE-OWNER-REQUEST-DRAFT.md index 3f5bd7ac..be91fbe9 100644 --- a/docs/security/HOST-SERVICE-OWNER-REQUEST-DRAFT.md +++ b/docs/security/HOST-SERVICE-OWNER-REQUEST-DRAFT.md 
@@ -15,7 +15,7 @@ 這不是主機真相、不是 live hash 收件、不是 restart window 已接受,也不是 `docker compose`、`systemctl`、repair-bot、Ansible 或 SSH 授權。 -2026-06-14 已新增 `docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md` 與 `docs/security/host-service-owner-response-acceptance.snapshot.json`,把本文件 9 份 request draft 轉成 owner response acceptance 只讀帳本。固定 `candidates=9`、`write_capable=3`、`live_evidence_required=8`、`reviewer_checks=14`、`outcome_lanes=7`、`blocked_actions=20`,但 owner response received / accepted、live host read、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write 與 runtime gate 仍全部為 `0 / false`。 +2026-06-15 已更新 `docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md` 與 `docs/security/host-service-owner-response-acceptance.snapshot.json`,把本文件 9 份 request draft 轉成 owner response acceptance 只讀帳本並追加事故回補。固定 `candidates=9`、`write_capable=3`、`live_evidence_required=8`、`owner_fields=18`、`reviewer_checks=21`、`outcome_lanes=8`、`blocked_actions=27`,但 owner response received / accepted、live host read、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write 與 runtime gate 仍全部為 `0 / false`。 ## 2. 摘要 diff --git a/docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md b/docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md index 4fc2a285..2407c221 100644 --- a/docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md +++ b/docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md 
@@ -22,11 +22,11 @@ Docker / systemd / host service config 會直接影響 110 / 188 的 Compose sta | acceptance candidate count | `9` | 9 個 host service surface | | write-capable candidate count | `3` | Ansible role、110 repair-bot、188 repair-bot | | live evidence required candidate count | `8` | local dev compose 之外都需 owner-provided live hash / disposition | -| acceptance field count | `28` | 每份 candidate 的 metadata-only 欄位 | -| required owner field count | `12` | owner / decision / scope / redacted refs / live hash / windows / rollback / post-check / disable switch | -| reviewer check count | `14` | owner、scope、redaction、secret、live hash、restart window、rollback、post-check、runtime request 檢查 | -| outcome lane count | `7` | waiting、quarantine、reject、supplement、host service review、read-only update、waiting runtime gate | -| blocked action count | `20` | SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、active scan 等 | +| acceptance field count | `34` | 每份 candidate 的 metadata-only 欄位 | +| required owner field count | `18` | owner / decision / scope / redacted refs / live hash / windows / rollback / post-check / disable switch / source-of-truth / 依賴 / port / cold-start / incident / contention | +| reviewer check count | `21` | owner、scope、redaction、secret、live hash、restart window、rollback、post-check、事故回補、runtime request 檢查 | +| outcome lane count | `8` | waiting、quarantine、reject、supplement、incident backfill、host service review、read-only update、waiting runtime gate | +| blocked action count | `27` | SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、silent restart、active scan 等 | | owner response received / accepted | `0 / 0` | 尚未收到,尚未驗收 | | live host read / Docker / systemctl / repair-bot / Ansible | `0 / 0 / 0 / 0 / 0` | 尚未批准且未執行 | | runtime gate / action button | `0 / 0` | 未開啟 | 
@@ -60,6 +60,12 @@ Docker / systemd / host service config 會直接影響 110 / 188 的 Compose sta | `rollback_owner` | 未來若進變更的 rollback owner | | `post_check_plan` | 服務健康、route、queue、log、error budget 與 rollback 停止條件 | | `disable_switch` | repair-bot、Ansible role 或 service config 的停用方式 / freeze rule | +| `config_source_of_truth_ref` | repo source、live source、runner source 與 backup source 的脫敏真相來源 ref | +| `service_dependency_map_ref` | 上游、下游、資料庫、queue、registry、AI provider 與 public route 依賴 ref | +| `port_binding_inventory_ref` | host port、container port、proxy 與 firewall exposure inventory ref | +| `cold_start_sequence_ref` | Docker daemon、compose stack、systemd unit、runner 與 post-check 的冷啟動 / recovery 順序 ref | +| `incident_recovery_evidence_ref` | 服務異常、重啟或端口事故的恢復時間、服務健康、route health 與 operator notice ref | +| `daemon_runner_contention_ref` | Docker daemon、iptables / xtables、runner、repair-bot、backup job 或 compose action 的競爭風險 ref | | `followup_owner` | 後續補證、reviewer 或 runtime gate 負責角色 | ## 5. Reviewer checks 
@@ -77,6 +83,13 @@ Docker / systemd / host service config 會直接影響 110 / 188 的 Compose sta | `rollback_owner_present` | rollback owner、rollback ref 或 disable path 必須存在 | | `post_check_plan_present` | post-check 必須列服務健康、route、queue、log 與 rollback 停止條件 | | `disable_switch_present` | repair-bot、Ansible role 或 service config 需有 disable switch 或 freeze rule | +| `config_source_of_truth_present` | 必須提供 repo / live / runner / backup source-of-truth ref | +| `service_dependency_map_present` | 必須提供服務依賴圖 ref | +| `port_binding_inventory_present` | 必須提供 host / container / proxy / firewall port binding inventory ref | +| `cold_start_sequence_present` | 必須提供 cold-start / recovery sequence ref | +| `incident_recovery_evidence_present` | 涉及服務異常、重啟或端口事故時必須提供恢復與健康證據 ref | +| `daemon_runner_contention_reviewed` | 必須說明 Docker daemon、iptables、runner、repair-bot、backup job 或 compose action 是否競爭 | +| `silent_restart_not_accepted` | 沒有 actor、原因、依賴圖、port inventory、回滾與 post-check 的 restart / reload 不可接受 | | `write_capable_requires_extra_review` | write-capable surface 必須進額外 reviewer review | | `no_runtime_request` | 夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收 | | `counts_transition_safe` | 只有 reviewer record 可更新 received / accepted / rejected,且不得開 runtime gate | @@ -89,6 +102,7 @@ Docker / systemd / host service config 會直接影響 110 / 188 的 Compose sta | `quarantine_secret_or_raw_payload` | 收到 secret、env dump、raw compose、raw systemd unit 或未脫敏 host config 時隔離 | | `reject_execution_request` | 夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收 | | `request_supplement` | 欄位不足、scope 不清、live hash ref / rollback / post-check 缺失時要求補件 | +| `incident_recovery_backfill_required` | 涉及服務異常、靜默重啟、端口事故或 cold-start recovery 時,必須進事故回補 | | `ready_for_host_service_review` | metadata 合格後,只能進 host service reviewer review | | `owner_review_only_update` | 只允許更新只讀 owner review ledger | | `waiting_runtime_gate` | 即使 owner response accepted,runtime gate 仍等待獨立人工批准 | 
@@ -104,6 +118,9 @@ Docker / systemd / host service config 會直接影響 110 / 188 的 Compose sta 7. 不保存 raw live config、env dump、secret value、未脫敏 log 或 shell history。 8. 不把 restart window、maintenance window 或 owner response 當成 runtime approval。 9. 不開 runtime gate,不建立 action button。 +10. 不接受靜默 restart / reload。 +11. 不把服務目前 healthy 當成 config 已驗收。 +12. 不跳過 source-of-truth、服務依賴圖、port binding、cold-start sequence 或 daemon / runner contention review。 ## 8. 指令 @@ -115,7 +132,7 @@ python3 scripts/security/host-service-owner-response-acceptance.py \ --inventory-report docs/security/host-service-config-inventory.snapshot.json \ --owner-request-report docs/security/host-service-owner-request-draft.snapshot.json \ --output docs/security/host-service-owner-response-acceptance.snapshot.json \ - --generated-at 2026-06-14T23:45:00+08:00 + --generated-at 2026-06-15T14:45:00+08:00 ``` 驗證 guard: @@ -129,7 +146,7 @@ python3 scripts/security/security-mirror-progress-guard.py --root . | 工作 | 完成度 | 說明 | |------|--------|------| | owner response acceptance ledger artifact | `100%` | 產生器、snapshot 與文件已固定 | -| Docker / systemd / host service 只讀治理成熟度 | `50% -> 54%` | 收件驗收帳本更完整;不代表 live evidence 或 runtime action | +| Docker / systemd / host service 只讀治理成熟度 | `54% -> 58%` | 事故恢復、依賴圖、port binding、cold-start、source-of-truth 與 daemon / runner 競爭回補已納入;不代表 live evidence 或 runtime action | | owner response received / accepted | `0%` | 尚未收到,尚未驗收 | | live config hash accepted | `0%` | 尚未收到 owner-provided metadata ref | | live host read / SSH | `0%` | 尚未批准且未執行 | diff --git a/docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md b/docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md index 25d9cf0a..7f3dd3ea 100644 --- a/docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md +++ b/docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md 
@@ -117,7 +117,7 @@ ### 0.8 2026-06-14 Docker / systemd / host service owner response acceptance 只讀帳本 -`host_service_owner_response_acceptance_v1` 已把 9 份 Docker / systemd / host service owner request draft 轉成 owner response acceptance 只讀帳本。固定 `candidates=9`、`write_capable=3`、`live_evidence_required=8`、`owner_fields=12`、`reviewer_checks=14`、`outcome_lanes=7`、`blocked_actions=20`,讓 Docker / systemd / host service 類別成熟度從 `50%` 推進到 `54%`,高價值配置平均只讀成熟度從 `67%` 推進到 `68%`。 +`host_service_owner_response_acceptance_v1` 已把 9 份 Docker / systemd / host service owner request draft 轉成 owner response acceptance 只讀帳本。固定 `candidates=9`、`write_capable=3`、`live_evidence_required=8`、`owner_fields=18`、`reviewer_checks=21`、`outcome_lanes=8`、`blocked_actions=27`,並追加事故恢復、依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補要求,讓 Docker / systemd / host service 類別成熟度從 `54%` 推進到 `58%`。 此更新只表示 live config hash ref、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence 已有收件驗收規則;owner response received / accepted、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、runtime gate 仍全部為 `0 / false`。 
@@ -252,7 +252,7 @@ Nginx 是目前必須最先資安控管的配置,原因是它同時控制公 | owner response request / received / accepted | `0%` | Packet 只是草案;尚未送件、尚未收件、尚未 reviewer accepted | | agent-bounty-protocol owner request draft | `100%` | 已將 repo / refs、deployment、data classification、external agent / treasury 與 7 個 product surface 轉成 11 份 owner request draft;claim / submit、payout、cron / daemon、runtime gate 仍為 0 | | Docker / systemd owner request draft | `100%` | 已將 9 個 host service surface 轉成 owner request draft;request sent / received / accepted 仍為 0 | -| Docker / systemd owner response acceptance | `100%` | 已新增 `host_service_owner_response_acceptance_v1`,9 個 candidate、3 個 write-capable、8 個需 live evidence、14 個 reviewer checks、7 條 outcome lanes、20 類 blocked action;成熟度 `50% -> 54%` | +| Docker / systemd owner response acceptance | `100%` | 已新增 `host_service_owner_response_acceptance_v1`,9 個 candidate、3 個 write-capable、8 個需 live evidence、21 個 reviewer checks、8 條 outcome lanes、27 類 blocked action;成熟度 `54% -> 58%` | | SSH / firewall / network owner request draft | `100%` | 已將 16 個 SSH / network access surface 轉成 owner request draft;request sent / received / accepted、port change、firewall change、NetworkPolicy apply、NodePort change、WireGuard change 仍為 0 | | SSH / firewall / network owner response acceptance | `100%` | 已新增 `ssh_network_owner_response_acceptance_v1`,16 個 candidate、6 個 write-capable、15 個 reviewer checks、7 條 outcome lanes、22 類 blocked action;成熟度 `54% -> 58%` | | 端口 / 防火牆變更證據驗收 | `100%` | 已新增並強化 `port_firewall_change_evidence_acceptance_v1`,14 個 candidate、6 個 write-capable、21 個 reviewer checks、9 條 outcome lanes、28 類 blocked action;成熟度 `58% -> 62%` | diff --git a/docs/security/IWOOOS-POSTURE-PROJECTION.md b/docs/security/IWOOOS-POSTURE-PROJECTION.md index 25692413..657aa5f2 100644 --- a/docs/security/IWOOOS-POSTURE-PROJECTION.md +++ b/docs/security/IWOOOS-POSTURE-PROJECTION.md 
@@ -95,7 +95,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence: 51. 10 個 frontend surface reverse bridge statuses,顯示既有資安入口目前是 embedded bridge、direct bridge 或 AwoooP read-only candidate;這只是連接狀態,不代表 owner response、runtime authorization、Code Review blocker、Gitea/GitHub action 或任何執行控制。 52. 6 個 source control primary readiness items,顯示 GitHub primary 前置缺口:candidate repo inventory、primary ready counter、owner response validation、refs truth、workflow / secret name inventory、rollback ADR;這只是 readiness,不代表 repo 建立、visibility 變更、refs mutation、secret value collection、primary switch 或 Gitea 停用。 53. 4 個 rollout risk read-only items,顯示風險來源部署 marker、`AWOOOI_ROLLOUT_RISK=1`、ArgoCD `Degraded` / `OutOfSync`、API health / smoke 已通過與執行期閘門仍為 0;這只是部署風險可見性,不代表 ArgoCD sync、kubectl、主機重啟、修復、部署或 runtime gate 已授權。 -54. 14 類 high-value config control coverage statuses,顯示 Nginx、DNS / TLS、K8s、機密、工作流程、執行器、backup、agent-bounty runtime、monitoring、Docker / systemd、SSH / network、AI provider、產品 route 與 security evidence 的全域配置控管覆蓋矩陣;平均只讀成熟度 `68%`、C0 類別 `8`、需 live / owner evidence 類別 `8`、owner response received / accepted 與 runtime gate 仍為 `0`,不代表 reload、sync、scan、secret rotation、payout 或主機操作授權。 +54. 14 類 high-value config control coverage statuses,顯示 Nginx、DNS / TLS、K8s、機密、工作流程、執行器、backup、agent-bounty runtime、monitoring、Docker / systemd、SSH / network、AI provider、產品 route 與 security evidence 的全域配置控管覆蓋矩陣;平均只讀成熟度 `69%`、C0 類別 `8`、需 live / owner evidence 類別 `10`、owner response received / accepted 與 runtime gate 仍為 `0`,不代表 reload、sync、scan、secret rotation、payout 或主機操作授權。 55. 9 個 host-service config repo-only inventory surfaces,顯示 Docker Compose、systemd / repair-bot、Ansible service role 與 host config backup capture 的第一層清冊;write-capable surface `3`、repair-bot whitelist `2`、systemd restart surface `1`,owner response、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 `0`,不代表 `docker compose`、`systemctl`、repair-bot 或 Ansible apply 已授權。 56. 
16 個 SSH / network access repo-only inventory surfaces、owner response acceptance 與端口 / 防火牆變更證據驗收只讀帳本,顯示 SSH target、known_hosts workflow、CI deploy SSH、monitoring SSH、backup SSH capture、sudoers wrapper、NetworkPolicy、NodePort、WireGuard runbook 與 alert SSH action catalog 的第一層清冊;write-capable surface `6`、NetworkPolicy `2`、NodePort `2`、sudoers `1`、WireGuard `1`,acceptance candidate `16`、change evidence candidate `14`、reviewer check `16`、outcome lane `8`、blocked action `24`,讓 SSH / network 類別成熟度從 `58%` 推進到 `60%`;owner response、change evidence、actor、before / after state、cross-project sync、post-check evidence、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 `0`,不代表 SSH、sudo、firewall、port close / open、NetworkPolicy、NodePort、WireGuard、route smoke 或 known_hosts patch 已授權。 56a. 4 個 K8s / ArgoCD GitOps 變更證據驗收候選,顯示 production manifests、ArgoCD app、Velero、monitoring manifests 的 proposed commit、rendered manifest diff、ArgoCD app / sync revision、health before / after、rollout、route smoke、metrics / alert、secret metadata parity、blast radius、maintenance window、rollback revision 與 postcheck owner 收件規則;C0 candidate `3`、write-capable candidate `4`、reviewer check `18`、outcome lane `8`、blocked action `28`,讓 K8s / ArgoCD 類別成熟度從 `62%` 推進到 `64%`;change evidence、runtime approval package、ArgoCD API read、ArgoCD sync、kubectl action、Helm upgrade、NetworkPolicy / NodePort / RBAC change、production write、runtime gate 與 action button 仍全部為 `0`。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 109f9c4e..9fbad175 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md 
@@ -9,7 +9,7 @@
 | 本階段追加補充 | IwoooS 目前具體工作地圖 + IwoooS 目前具體交付清單 + IwoooS 目前阻塞與解除條件 + IwoooS 三軸進度與全產品套用範圍 + IwoooS 全產品分階段套用台帳 + IwoooS 全產品 rollout 波次驗收門檻 + IwoooS 全產品 rollout 驗收結果分流 + IwoooS 全產品證據接線地圖 + IwoooS 全產品證據接線預檢 + IwoooS 全產品證據接線預檢結果分流 + IwoooS 全產品預檢補件回收台帳 + IwoooS 全產品補件重試門檻 + IwoooS 全產品重試結果分流 + IwoooS 全產品人工審查候選準備 + IwoooS 全產品人工審查候選預檢 + IwoooS 全產品人工審查候選預檢結果分流 + IwoooS 全產品人工審查候選預檢補件回收台帳 + IwoooS 全產品人工審查候選預檢補件重試門檻 + IwoooS 全產品只讀套用快照 + P2-145 owner response acceptance gate 正式驗證完成 |
 | P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成;Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*`,sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`;Gate 預設工作樹 preflight 已可讀取 staged / unstaged / untracked,本地 smoke 對臨時 `k8s/nginx/*` 檔命中 C0;Owner Packet snapshot 已同步為 `packets=3 / c0=2`,Coverage snapshot 已同步最新 patterns;IwoooS / AwoooP 前台 Owner Packet 摘要已正式驗證 `packet=3 / c0=2`,feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;IwoooS posture projection snapshot / schema / guard 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;高價值配置 Owner Packet 收件預檢已新增 `checks=9 / lanes=5 / required_fields=27 / blocked_requests=16`;高價值配置 Owner Request 草稿包已新增 `drafts=3 / handoff_fields=11 / forbidden_payloads=12 / sent=0`;Public Gateway live conf 匯出請求包已新增 `requests=3 / c0=2 / redaction_rules=8 / received=0`;Public Gateway redacted export 收件預檢已新增 `candidates=3 / c0=2 / checks=10 / rejection_guards=12 / received=0 / accepted=0`;Public Gateway rendered diff / nginx gate 草稿已新增 `candidates=3 / c0=2 / stages=7 / blocked=14 / rendered_diff=0 / runtime=0`;Public Gateway owner response acceptance 只讀帳本已新增 `candidates=3 / c0=2 / fields=33 / checks=22 / lanes=8 / blocked=28 / accepted=0 / runtime=0`,並補上手動 / 緊急 gateway 變更的 intent、approval / break-glass、route health、rollback 
validation 與 post-change monitoring 必填 ref;DNS / TLS / certbot Owner Confirmation Request 已新增 `requests=4 / c0=4 / fields=9 / questions=5 / guards=12 / received=0 / accepted=0`;K8s / ArgoCD manifest repo-only 清冊已新增 `files=49 / c0=36 / yaml=45 / kinds=20 / blocked=13 / runtime=0`;K8s / ArgoCD Owner Request Draft 已新增 `drafts=4 / c0=3 / fields=11 / sent=0 / runtime=0`;K8s / ArgoCD owner response acceptance 只讀帳本已新增 `candidates=4 / c0=3 / fields=11 / checks=12 / lanes=7 / blocked=18 / accepted=0 / runtime=0`;K8s / ArgoCD GitOps 變更證據驗收已新增 `candidates=4 / c0=3 / write_capable=4 / evidence_fields=18 / checks=18 / lanes=8 / blocked=28 / accepted=0 / runtime=0`;CD / Runner / Secret 注入變更證據驗收已新增 `candidates=5 / c0=4 / write_capable=5 / workflow_files=33 / secret_names=42 / runner_labels=5 / evidence_fields=19 / checks=19 / lanes=8 / blocked=32 / accepted=0 / runtime=0`;Public / Admin / API runtime config 變更證據驗收已新增 `candidates=6 / c0=5 / write_capable=6 / source_refs=20 / evidence_fields=21 / checks=21 / lanes=8 / blocked=32 / accepted=0 / runtime=0`,並把 raw namespace、repo slug、內部狀態碼與內部協作內容外洩列為拒收 / 隔離;Backup / Restore / Escrow owner response acceptance 只讀帳本已新增 `candidates=38 / write_capable=27 / fields=14 / checks=13 / lanes=7 / blocked=22 / accepted=0 / runtime=0`;SSH / Firewall / Network Access owner response acceptance 只讀帳本已新增 `candidates=16 / write_capable=6 / fields=13 / checks=15 / lanes=7 / blocked=22 / accepted=0 / runtime=0`;端口 / 防火牆變更證據驗收只讀帳本已新增 `candidates=14 / write_capable=6 / policy_or_exposure=5 / evidence_fields=16 / checks=16 / lanes=8 / blocked=24 / accepted=0 / runtime=0`;owner response / live evidence / runtime gate / action buttons 仍全部為 0 |
 | P0 agent-bounty 追加 | agent-bounty-protocol Owner Request Draft 已新增 `drafts=11 / control=4 / surface=7 / write_capable=8 / treasury=4 / mcp_a2a=5 / fields=22 / forbidden_inputs=25 / blocked=28 / sent=0 / runtime=0`;這是 repo / refs、deployment、data classification、MCP / A2A、cron / daemon、admin / treasury、webhook / traffic 
的人工送件前草稿,不是 owner response、repo push、refs sync、workflow 修改、secret 收集、deploy、compose restart、DB migration、claim / submit、payout / withdrawal、cron / daemon、external send、host write 或 runtime gate |
-| P1 追加 | Docker / systemd / Host Service Owner Request Draft 已新增 `drafts=9 / write_capable=3 / fields=12 / blocked=14 / sent=0 / runtime=0`;SSH / Firewall / Network Access Owner Request Draft 已新增 `drafts=16 / write_capable=6 / fields=13 / blocked=16 / sent=0 / runtime=0`;Backup / Restore / Escrow Owner Request Draft 已新增 `drafts=38 / write_capable=27 / fields=14 / blocked=18 / sent=0 / runtime=0`;Backup / Restore / Escrow Owner Response Acceptance 已新增 `candidates=38 / write_capable=27 / reviewer_checks=13 / lanes=7 / blocked=22 / accepted=0 / runtime=0`;Monitoring / Alerting / Observability Owner Request Draft 已新增 `drafts=60 / write_capable=11 / fields=14 / blocked=24 / sent=0 / runtime=0`;Monitoring / Alerting / Observability Owner Response Acceptance 已新增 `candidates=60 / write_capable=11 / live_evidence_required=60 / fields=30 / owner_fields=14 / reviewer_checks=15 / lanes=7 / blocked=28 / accepted=0 / runtime=0`;上述全部仍是人工送件前草稿或只讀 acceptance 帳本,不是 owner response、live evidence、reload、restart、backup、restore、Telegram send、alert smoke、host write 或 runtime gate |
+| P1 追加 | Docker / systemd / Host Service Owner Request Draft 已新增 `drafts=9 / write_capable=3 / fields=12 / blocked=14 / sent=0 / runtime=0`;Docker / systemd / Host Service Owner Response Acceptance 已更新為 `candidates=9 / write_capable=3 / live_evidence_required=8 / fields=34 / owner_fields=18 / reviewer_checks=21 / lanes=8 / blocked=27 / accepted=0 / runtime=0`;SSH / Firewall / Network Access Owner Request Draft 已新增 `drafts=16 / write_capable=6 / fields=13 / blocked=16 / sent=0 / runtime=0`;Backup / Restore / Escrow Owner Request Draft 已新增 `drafts=38 / write_capable=27 / fields=14 / blocked=18 / sent=0 / runtime=0`;Backup / Restore / Escrow Owner Response Acceptance 已新增 `candidates=38 / write_capable=27 / 
reviewer_checks=13 / lanes=7 / blocked=22 / accepted=0 / runtime=0`;Monitoring / Alerting / Observability Owner Request Draft 已新增 `drafts=60 / write_capable=11 / fields=14 / blocked=24 / sent=0 / runtime=0`;Monitoring / Alerting / Observability Owner Response Acceptance 已新增 `candidates=60 / write_capable=11 / live_evidence_required=60 / fields=30 / owner_fields=14 / reviewer_checks=15 / lanes=7 / blocked=28 / accepted=0 / runtime=0`;上述全部仍是人工送件前草稿或只讀 acceptance 帳本,不是 owner response、live evidence、reload、restart、backup、restore、Telegram send、alert smoke、host write 或 runtime gate |
 | P2 供應鏈追加 | Package / Docker 供應鏈 repo-only baseline 已新增 `package_json=6 / pyproject=4 / requirements=2 / dockerfiles=2 / compose=6 / gaps=5 / runtime=0`;Package / Docker 供應鏈 owner policy gate 已新增 `requests=6 / c0=2 / fields=8 / checks=12 / blocked=20 / sent=0 / accepted=0 / runtime=0`;缺口為 Python lockfile 缺席、requirements 未 pin、Docker base image 未全數 digest pinning、Docker `COPY --from` 外部 image 未 digest pinning、compose image 未 digest pinning,以及 CVE / license / SBOM window 未定;目前尚未列入 36 個正式 AwoooP 消費 contract,後續若要前台消費需同步 manifest / readiness / route / rollup / dry-run / posture projection / guard count;本輪不 install、不 upgrade、不跑 CVE、不 pull / build / push image、不改 tag、不登入 registry、不部署 |
 | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
 | P0 主控板 | `docs/workplans/2026-06-04-iwooos-security-governance-p0.md` |
@@ -46,7 +46,7 @@
 ## 0.00a 2026-06-14 Docker / systemd / host service owner response acceptance
-本輪把 Docker / systemd / host service 從 owner request draft 推進到 owner response acceptance 只讀帳本:`host_service_owner_response_acceptance_v1` 固定 `candidates=9`、`write_capable=3`、`live_evidence_required=8`、`owner_fields=12`、`reviewer_checks=14`、`outcome_lanes=7`、`blocked_actions=20`,並讓 `docker_compose_systemd_host_config` 只讀治理成熟度 `50% -> 54%`,高價值配置平均只讀成熟度 `67% -> 68%`。這是 metadata-only 收件驗收,不是 request sent、owner response received / accepted、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、production write 或 runtime gate。
+本輪把 Docker / systemd / host service owner response acceptance 追加事故回補:`host_service_owner_response_acceptance_v1` 固定 `candidates=9`、`write_capable=3`、`live_evidence_required=8`、`acceptance_fields=34`、`owner_fields=18`、`reviewer_checks=21`、`outcome_lanes=8`、`blocked_actions=27`,並讓 `docker_compose_systemd_host_config` 只讀治理成熟度 `54% -> 58%`。新增要求包含 source-of-truth、服務依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。這是 metadata-only 收件驗收,不是 request sent、owner response received / accepted、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、production write 或 runtime gate。
 同步邊界:IwoooS headline 維持 `64%`,active runtime gate 維持 `0`;owner response / live evidence / runtime gate / action buttons 全部仍為 `0 / false`。本段只更新文件、snapshot、guard 與覆蓋矩陣,不改前端 bundle、不部署、不碰 Docker daemon、systemd、repair-bot、Ansible、Nginx、firewall 或主機。
diff --git a/docs/security/high-value-config-control-coverage.snapshot.json b/docs/security/high-value-config-control-coverage.snapshot.json
index fcdacb4e..5046ec67 100644
--- a/docs/security/high-value-config-control-coverage.snapshot.json
+++ b/docs/security/high-value-config-control-coverage.snapshot.json
@@ -367,9 +367,9 @@ "action_buttons_allowed": false, "category_id": "docker_compose_systemd_host_config", "control_tier": "C1", - "coverage_percent": 54, - "coverage_status": "owner_response_acceptance_ledger_ready_needs_live_owner_evidence", - "current_gap": "已固定 9 份 Docker / systemd / host service owner response acceptance candidate;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。", + "coverage_percent": 58, + "coverage_status": "incident_recovery_backfill_ready_needs_live_owner_evidence", + "current_gap": "已固定 9 份 Docker / systemd / host service owner response acceptance candidate,並加入事故恢復、依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補欄位;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。", "evidence_refs": [ "docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md", "docs/security/HOST-SERVICE-CONFIG-INVENTORY.md", @@ -381,7 +381,7 @@ "docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md" ], "label": "Docker Compose / systemd / host service config", - "next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、maintenance / restart window、rollback owner、post-check plan 與 disable switch。", + "next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、maintenance / restart window、rollback owner、post-check plan、disable switch、source-of-truth、服務依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。", "owner_response_accepted": false, "owner_response_received": false, "owner_response_required": true, 
@@ -634,15 +634,15 @@ "websocket_route_change_authorized": false, "workflow_modification_authorized": false }, - "generated_at": "2026-06-15T14:12:00+08:00", - "git_commit": "ed8c1905", + "generated_at": "2026-06-15T14:46:00+08:00", + "git_commit": "a77317fe", "lowest_coverage_categories": [ { "category_id": "docker_compose_systemd_host_config", - "coverage_percent": 54, - "current_gap": "已固定 9 份 Docker / systemd / host service owner response acceptance candidate;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。", + "coverage_percent": 58, + "current_gap": "已固定 9 份 Docker / systemd / host service owner response acceptance candidate,並加入事故恢復、依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補欄位;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。", "label": "Docker Compose / systemd / host service config", - "next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、maintenance / restart window、rollback owner、post-check plan 與 disable switch。" + "next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、maintenance / restart window、rollback owner、post-check plan、disable switch、source-of-truth、服務依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。" }, { "category_id": "ai_provider_model_routing", @@ -697,7 +697,7 @@ "c3_category_count": 1, "category_count": 14, "lowest_coverage_category_count": 4, - "needs_live_evidence_count": 9, + "needs_live_evidence_count": 10, "owner_response_accepted_count": 0, "owner_response_received_count": 0, "owner_response_required_count": 14, diff --git a/docs/security/host-service-owner-response-acceptance.snapshot.json b/docs/security/host-service-owner-response-acceptance.snapshot.json index 443511b1..3a7796b6 100644 
--- a/docs/security/host-service-owner-response-acceptance.snapshot.json +++ b/docs/security/host-service-owner-response-acceptance.snapshot.json @@ -28,6 +28,12 @@ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval" @@ -55,11 +61,24 @@ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button" ], + "cold_start_sequence_accepted": false, + "cold_start_sequence_ref": null, "config_kind": "docker_compose_source", + "config_source_of_truth_accepted": false, + "config_source_of_truth_ref": null, "control_tier": "C1", + "daemon_runner_contention_accepted": false, + "daemon_runner_contention_ref": null, "decision": "pending_owner_response", "decision_reason": "pending_owner_response", "disable_switch": "pending_owner_response", @@ -68,6 +87,8 @@ "expected_host_scope": "local_dev_only", "followup_owner": "pending_owner_response", "host_write_authorized": false, + "incident_recovery_evidence_accepted": false, + "incident_recovery_evidence_ref": null, "label": "AWOOOI local development compose", "live_config_hash_accepted": false, "live_config_hash_ref": null, @@ -81,6 +102,7 @@ "quarantine_secret_or_raw_payload", "reject_execution_request", "request_supplement", + "incident_recovery_backfill_required", "ready_for_host_service_review", "owner_review_only_update", "waiting_runtime_gate" 
@@ -91,6 +113,8 @@ "owner_response_ref": null, "owner_response_rejected": false, "owner_role_or_team": "pending_owner_response", + "port_binding_inventory_accepted": false, + "port_binding_inventory_ref": null, "post_check_plan": "pending_owner_response", "post_check_plan_accepted": false, "recipient_confirmed": false, @@ -112,7 +136,13 @@ "rollback_owner", "post_check_plan", "disable_switch", - "followup_owner" + "followup_owner", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref" ], "requires_live_evidence": false, "restart_window": "pending_owner_response", @@ -129,6 +159,13 @@ "rollback_owner_present", "post_check_plan_present", "disable_switch_present", + "config_source_of_truth_present", + "service_dependency_map_present", + "port_binding_inventory_present", + "cold_start_sequence_present", + "incident_recovery_evidence_present", + "daemon_runner_contention_reviewed", + "silent_restart_not_accepted", "write_capable_requires_extra_review", "no_runtime_request", "counts_transition_safe" @@ -138,6 +175,8 @@ "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, + "service_dependency_map_accepted": false, + "service_dependency_map_ref": null, "service_scope": [ "web", "api", @@ -182,6 +221,12 @@ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval" 
@@ -209,11 +254,24 @@ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button" ], + "cold_start_sequence_accepted": false, + "cold_start_sequence_ref": null, "config_kind": "docker_compose_source", + "config_source_of_truth_accepted": false, + "config_source_of_truth_ref": null, "control_tier": "C1", + "daemon_runner_contention_accepted": false, + "daemon_runner_contention_ref": null, "decision": "pending_owner_response", "decision_reason": "pending_owner_response", "disable_switch": "pending_owner_response", @@ -222,6 +280,8 @@ "expected_host_scope": "192.168.0.110", "followup_owner": "pending_owner_response", "host_write_authorized": false, + "incident_recovery_evidence_accepted": false, + "incident_recovery_evidence_ref": null, "label": "110 monitoring docker compose", "live_config_hash_accepted": false, "live_config_hash_ref": null, @@ -235,6 +295,7 @@ "quarantine_secret_or_raw_payload", "reject_execution_request", "request_supplement", + "incident_recovery_backfill_required", "ready_for_host_service_review", "owner_review_only_update", "waiting_runtime_gate" @@ -245,6 +306,8 @@ "owner_response_ref": null, "owner_response_rejected": false, "owner_role_or_team": "pending_owner_response", + "port_binding_inventory_accepted": false, + "port_binding_inventory_ref": null, "post_check_plan": "pending_owner_response", "post_check_plan_accepted": false, "recipient_confirmed": false, 
@@ -266,7 +329,13 @@ "rollback_owner", "post_check_plan", "disable_switch", - "followup_owner" + "followup_owner", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref" ], "requires_live_evidence": true, "restart_window": "pending_owner_response", @@ -283,6 +352,13 @@ "rollback_owner_present", "post_check_plan_present", "disable_switch_present", + "config_source_of_truth_present", + "service_dependency_map_present", + "port_binding_inventory_present", + "cold_start_sequence_present", + "incident_recovery_evidence_present", + "daemon_runner_contention_reviewed", + "silent_restart_not_accepted", "write_capable_requires_extra_review", "no_runtime_request", "counts_transition_safe" @@ -292,6 +368,8 @@ "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, + "service_dependency_map_accepted": false, + "service_dependency_map_ref": null, "service_scope": [ "cadvisor", "prometheus", @@ -338,6 +416,12 @@ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval" 
@@ -365,11 +449,24 @@ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button" ], + "cold_start_sequence_accepted": false, + "cold_start_sequence_ref": null, "config_kind": "docker_compose_source", + "config_source_of_truth_accepted": false, + "config_source_of_truth_ref": null, "control_tier": "C1", + "daemon_runner_contention_accepted": false, + "daemon_runner_contention_ref": null, "decision": "pending_owner_response", "decision_reason": "pending_owner_response", "disable_switch": "pending_owner_response", @@ -378,6 +475,8 @@ "expected_host_scope": "192.168.0.188", "followup_owner": "pending_owner_response", "host_write_authorized": false, + "incident_recovery_evidence_accepted": false, + "incident_recovery_evidence_ref": null, "label": "188 database exporters compose", "live_config_hash_accepted": false, "live_config_hash_ref": null, @@ -391,6 +490,7 @@ "quarantine_secret_or_raw_payload", "reject_execution_request", "request_supplement", + "incident_recovery_backfill_required", "ready_for_host_service_review", "owner_review_only_update", "waiting_runtime_gate" @@ -401,6 +501,8 @@ "owner_response_ref": null, "owner_response_rejected": false, "owner_role_or_team": "pending_owner_response", + "port_binding_inventory_accepted": false, + "port_binding_inventory_ref": null, "post_check_plan": "pending_owner_response", "post_check_plan_accepted": false, "recipient_confirmed": false, 
@@ -422,7 +524,13 @@ "rollback_owner", "post_check_plan", "disable_switch", - "followup_owner" + "followup_owner", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref" ], "requires_live_evidence": true, "restart_window": "pending_owner_response", @@ -439,6 +547,13 @@ "rollback_owner_present", "post_check_plan_present", "disable_switch_present", + "config_source_of_truth_present", + "service_dependency_map_present", + "port_binding_inventory_present", + "cold_start_sequence_present", + "incident_recovery_evidence_present", + "daemon_runner_contention_reviewed", + "silent_restart_not_accepted", "write_capable_requires_extra_review", "no_runtime_request", "counts_transition_safe" @@ -448,6 +563,8 @@ "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, + "service_dependency_map_accepted": false, + "service_dependency_map_ref": null, "service_scope": [ "postgres-exporter", "redis-exporter" @@ -490,6 +607,12 @@ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval" 
@@ -517,11 +640,24 @@ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button" ], + "cold_start_sequence_accepted": false, + "cold_start_sequence_ref": null, "config_kind": "docker_compose_reference", + "config_source_of_truth_accepted": false, + "config_source_of_truth_ref": null, "control_tier": "C1", + "daemon_runner_contention_accepted": false, + "daemon_runner_contention_ref": null, "decision": "pending_owner_response", "decision_reason": "pending_owner_response", "disable_switch": "pending_owner_response", @@ -530,6 +666,8 @@ "expected_host_scope": "192.168.0.110", "followup_owner": "pending_owner_response", "host_write_authorized": false, + "incident_recovery_evidence_accepted": false, + "incident_recovery_evidence_ref": null, "label": "110 Sentry self-hosted reference compose", "live_config_hash_accepted": false, "live_config_hash_ref": null, @@ -543,6 +681,7 @@ "quarantine_secret_or_raw_payload", "reject_execution_request", "request_supplement", + "incident_recovery_backfill_required", "ready_for_host_service_review", "owner_review_only_update", "waiting_runtime_gate" @@ -553,6 +692,8 @@ "owner_response_ref": null, "owner_response_rejected": false, "owner_role_or_team": "pending_owner_response", + "port_binding_inventory_accepted": false, + "port_binding_inventory_ref": null, "post_check_plan": "pending_owner_response", "post_check_plan_accepted": false, "recipient_confirmed": false, 
@@ -574,7 +715,13 @@ "rollback_owner", "post_check_plan", "disable_switch", - "followup_owner" + "followup_owner", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref" ], "requires_live_evidence": true, "restart_window": "pending_owner_response", @@ -591,6 +738,13 @@ "rollback_owner_present", "post_check_plan_present", "disable_switch_present", + "config_source_of_truth_present", + "service_dependency_map_present", + "port_binding_inventory_present", + "cold_start_sequence_present", + "incident_recovery_evidence_present", + "daemon_runner_contention_reviewed", + "silent_restart_not_accepted", "write_capable_requires_extra_review", "no_runtime_request", "counts_transition_safe" @@ -600,6 +754,8 @@ "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, + "service_dependency_map_accepted": false, + "service_dependency_map_ref": null, "service_scope": [ "sentry-placeholder-reference" ], @@ -641,6 +797,12 @@ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval" 
@@ -668,11 +830,24 @@ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button" ], + "cold_start_sequence_accepted": false, + "cold_start_sequence_ref": null, "config_kind": "docker_compose_source", + "config_source_of_truth_accepted": false, + "config_source_of_truth_ref": null, "control_tier": "C1", + "daemon_runner_contention_accepted": false, + "daemon_runner_contention_ref": null, "decision": "pending_owner_response", "decision_reason": "pending_owner_response", "disable_switch": "pending_owner_response", @@ -681,6 +856,8 @@ "expected_host_scope": "192.168.0.110", "followup_owner": "pending_owner_response", "host_write_authorized": false, + "incident_recovery_evidence_accepted": false, + "incident_recovery_evidence_ref": null, "label": "110 Langfuse compose", "live_config_hash_accepted": false, "live_config_hash_ref": null, @@ -694,6 +871,7 @@ "quarantine_secret_or_raw_payload", "reject_execution_request", "request_supplement", + "incident_recovery_backfill_required", "ready_for_host_service_review", "owner_review_only_update", "waiting_runtime_gate" @@ -704,6 +882,8 @@ "owner_response_ref": null, "owner_response_rejected": false, "owner_role_or_team": "pending_owner_response", + "port_binding_inventory_accepted": false, + "port_binding_inventory_ref": null, "post_check_plan": "pending_owner_response", "post_check_plan_accepted": false, "recipient_confirmed": false, 
@@ -725,7 +905,13 @@ "rollback_owner", "post_check_plan", "disable_switch", - "followup_owner" + "followup_owner", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref" ], "requires_live_evidence": true, "restart_window": "pending_owner_response", @@ -742,6 +928,13 @@ "rollback_owner_present", "post_check_plan_present", "disable_switch_present", + "config_source_of_truth_present", + "service_dependency_map_present", + "port_binding_inventory_present", + "cold_start_sequence_present", + "incident_recovery_evidence_present", + "daemon_runner_contention_reviewed", + "silent_restart_not_accepted", "write_capable_requires_extra_review", "no_runtime_request", "counts_transition_safe" @@ -751,6 +944,8 @@ "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, + "service_dependency_map_accepted": false, + "service_dependency_map_ref": null, "service_scope": [ "langfuse", "langfuse-db" @@ -793,6 +988,12 @@ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval" 
@@ -820,11 +1021,24 @@ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button" ], + "cold_start_sequence_accepted": false, + "cold_start_sequence_ref": null, "config_kind": "ansible_service_executor", + "config_source_of_truth_accepted": false, + "config_source_of_truth_ref": null, "control_tier": "C1", + "daemon_runner_contention_accepted": false, + "daemon_runner_contention_ref": null, "decision": "pending_owner_response", "decision_reason": "pending_owner_response", "disable_switch": "pending_owner_response", @@ -833,6 +1047,8 @@ "expected_host_scope": "multi_host", "followup_owner": "pending_owner_response", "host_write_authorized": false, + "incident_recovery_evidence_accepted": false, + "incident_recovery_evidence_ref": null, "label": "Ansible docker-compose-service role", "live_config_hash_accepted": false, "live_config_hash_ref": null, @@ -846,6 +1062,7 @@ "quarantine_secret_or_raw_payload", "reject_execution_request", "request_supplement", + "incident_recovery_backfill_required", "ready_for_host_service_review", "owner_review_only_update", "waiting_runtime_gate" @@ -856,6 +1073,8 @@ "owner_response_ref": null, "owner_response_rejected": false, "owner_role_or_team": "pending_owner_response", + "port_binding_inventory_accepted": false, + "port_binding_inventory_ref": null, "post_check_plan": "pending_owner_response", "post_check_plan_accepted": false, "recipient_confirmed": false, 
@@ -877,7 +1096,13 @@ "rollback_owner", "post_check_plan", "disable_switch", - "followup_owner" + "followup_owner", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref" ], "requires_live_evidence": true, "restart_window": "pending_owner_response", @@ -894,6 +1119,13 @@ "rollback_owner_present", "post_check_plan_present", "disable_switch_present", + "config_source_of_truth_present", + "service_dependency_map_present", + "port_binding_inventory_present", + "cold_start_sequence_present", + "incident_recovery_evidence_present", + "daemon_runner_contention_reviewed", + "silent_restart_not_accepted", "write_capable_requires_extra_review", "no_runtime_request", "counts_transition_safe" @@ -903,6 +1135,8 @@ "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, + "service_dependency_map_accepted": false, + "service_dependency_map_ref": null, "service_scope": [ "docker compose up -d" ], @@ -944,6 +1178,12 @@ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval" 
@@ -971,11 +1211,24 @@ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button" ], + "cold_start_sequence_accepted": false, + "cold_start_sequence_ref": null, "config_kind": "host_repair_whitelist", + "config_source_of_truth_accepted": false, + "config_source_of_truth_ref": null, "control_tier": "C1", + "daemon_runner_contention_accepted": false, + "daemon_runner_contention_ref": null, "decision": "pending_owner_response", "decision_reason": "pending_owner_response", "disable_switch": "pending_owner_response", @@ -984,6 +1237,8 @@ "expected_host_scope": "192.168.0.110", "followup_owner": "pending_owner_response", "host_write_authorized": false, + "incident_recovery_evidence_accepted": false, + "incident_recovery_evidence_ref": null, "label": "110 repair-bot compose whitelist", "live_config_hash_accepted": false, "live_config_hash_ref": null, @@ -997,6 +1252,7 @@ "quarantine_secret_or_raw_payload", "reject_execution_request", "request_supplement", + "incident_recovery_backfill_required", "ready_for_host_service_review", "owner_review_only_update", "waiting_runtime_gate" @@ -1007,6 +1263,8 @@ "owner_response_ref": null, "owner_response_rejected": false, "owner_role_or_team": "pending_owner_response", + "port_binding_inventory_accepted": false, + "port_binding_inventory_ref": null, "post_check_plan": "pending_owner_response", "post_check_plan_accepted": false, "recipient_confirmed": false, 
@@ -1028,7 +1286,13 @@ "rollback_owner", "post_check_plan", "disable_switch", - "followup_owner" + "followup_owner", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref" ], "requires_live_evidence": true, "restart_window": "pending_owner_response", @@ -1045,6 +1309,13 @@ "rollback_owner_present", "post_check_plan_present", "disable_switch_present", + "config_source_of_truth_present", + "service_dependency_map_present", + "port_binding_inventory_present", + "cold_start_sequence_present", + "incident_recovery_evidence_present", + "daemon_runner_contention_reviewed", + "silent_restart_not_accepted", "write_capable_requires_extra_review", "no_runtime_request", "counts_transition_safe" @@ -1054,6 +1325,8 @@ "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, + "service_dependency_map_accepted": false, + "service_dependency_map_ref": null, "service_scope": [ "sentry", "harbor", @@ -1101,6 +1374,12 @@ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval" 
@@ -1128,11 +1407,24 @@ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button" ], + "cold_start_sequence_accepted": false, + "cold_start_sequence_ref": null, "config_kind": "host_repair_whitelist", + "config_source_of_truth_accepted": false, + "config_source_of_truth_ref": null, "control_tier": "C1", + "daemon_runner_contention_accepted": false, + "daemon_runner_contention_ref": null, "decision": "pending_owner_response", "decision_reason": "pending_owner_response", "disable_switch": "pending_owner_response", @@ -1141,6 +1433,8 @@ "expected_host_scope": "192.168.0.188", "followup_owner": "pending_owner_response", "host_write_authorized": false, + "incident_recovery_evidence_accepted": false, + "incident_recovery_evidence_ref": null, "label": "188 repair-bot compose/systemd whitelist", "live_config_hash_accepted": false, "live_config_hash_ref": null, @@ -1154,6 +1448,7 @@ "quarantine_secret_or_raw_payload", "reject_execution_request", "request_supplement", + "incident_recovery_backfill_required", "ready_for_host_service_review", "owner_review_only_update", "waiting_runtime_gate" @@ -1164,6 +1459,8 @@ "owner_response_ref": null, "owner_response_rejected": false, "owner_role_or_team": "pending_owner_response", + "port_binding_inventory_accepted": false, + "port_binding_inventory_ref": null, "post_check_plan": "pending_owner_response", "post_check_plan_accepted": false, "recipient_confirmed": false, 
@@ -1185,7 +1482,13 @@ "rollback_owner", "post_check_plan", "disable_switch", - "followup_owner" + "followup_owner", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref" ], "requires_live_evidence": true, "restart_window": "pending_owner_response", @@ -1202,6 +1505,13 @@ "rollback_owner_present", "post_check_plan_present", "disable_switch_present", + "config_source_of_truth_present", + "service_dependency_map_present", + "port_binding_inventory_present", + "cold_start_sequence_present", + "incident_recovery_evidence_present", + "daemon_runner_contention_reviewed", + "silent_restart_not_accepted", "write_capable_requires_extra_review", "no_runtime_request", "counts_transition_safe" @@ -1211,6 +1521,8 @@ "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, + "service_dependency_map_accepted": false, + "service_dependency_map_ref": null, "service_scope": [ "openclaw", "minio", @@ -1257,6 +1569,12 @@ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval" 
@@ -1284,11 +1602,24 @@ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button" ], + "cold_start_sequence_accepted": false, + "cold_start_sequence_ref": null, "config_kind": "backup_capture_contract", + "config_source_of_truth_accepted": false, + "config_source_of_truth_ref": null, "control_tier": "C1", + "daemon_runner_contention_accepted": false, + "daemon_runner_contention_ref": null, "decision": "pending_owner_response", "decision_reason": "pending_owner_response", "disable_switch": "pending_owner_response", @@ -1297,6 +1628,8 @@ "expected_host_scope": "110_188_120_121_cluster", "followup_owner": "pending_owner_response", "host_write_authorized": false, + "incident_recovery_evidence_accepted": false, + "incident_recovery_evidence_ref": null, "label": "host config backup capture contract", "live_config_hash_accepted": false, "live_config_hash_ref": null, @@ -1310,6 +1643,7 @@ "quarantine_secret_or_raw_payload", "reject_execution_request", "request_supplement", + "incident_recovery_backfill_required", "ready_for_host_service_review", "owner_review_only_update", "waiting_runtime_gate" @@ -1320,6 +1654,8 @@ "owner_response_ref": null, "owner_response_rejected": false, "owner_role_or_team": "pending_owner_response", + "port_binding_inventory_accepted": false, + "port_binding_inventory_ref": null, "post_check_plan": "pending_owner_response", "post_check_plan_accepted": false, "recipient_confirmed": false, 
@@ -1341,7 +1677,13 @@ "rollback_owner", "post_check_plan", "disable_switch", - "followup_owner" + "followup_owner", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref" ], "requires_live_evidence": true, "restart_window": "pending_owner_response", @@ -1358,6 +1700,13 @@ "rollback_owner_present", "post_check_plan_present", "disable_switch_present", + "config_source_of_truth_present", + "service_dependency_map_present", + "port_binding_inventory_present", + "cold_start_sequence_present", + "incident_recovery_evidence_present", + "daemon_runner_contention_reviewed", + "silent_restart_not_accepted", "write_capable_requires_extra_review", "no_runtime_request", "counts_transition_safe" @@ -1367,6 +1716,8 @@ "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, + "service_dependency_map_accepted": false, + "service_dependency_map_ref": null, "service_scope": [ "systemd", "docker", @@ -1412,6 +1763,12 @@ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval" @@ -1435,6 +1792,13 @@ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button" ], 
@@ -1456,12 +1820,12 @@ "sudo_action_authorized": false, "systemctl_action_authorized": false }, - "generated_at": "2026-06-14T23:45:00+08:00", - "git_commit": "92e451cb", + "generated_at": "2026-06-15T14:45:00+08:00", + "git_commit": "a77317fe", "next_steps": [ - "等待 owner 以脫敏 metadata ref 回覆 live config hash、maintenance / restart window、rollback owner、post-check plan 與 disable switch。", + "等待 owner 以脫敏 metadata ref 回覆 live config hash、maintenance / restart window、rollback owner、post-check plan、disable switch、source of truth、依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。", "收到回覆後先做欄位完整性、敏感 payload 隔離與 execution request 拒收,不得直接 host read、restart、repair-bot 或 Ansible apply。", - "write-capable surface 必須額外 reviewer review,且 runtime gate 需獨立人工批准、rollback 與 post-check 成立。" + "write-capable 或事故回補 surface 必須額外 reviewer review,且 runtime gate 需獨立人工批准、rollback、dependency / port / cold-start 與 post-check 成立。" ], "outcome_lanes": [ { @@ -1480,6 +1844,10 @@ "lane_id": "request_supplement", "meaning": "欄位不足、scope 不清、live hash ref / rollback / post-check 缺失時要求補件。" }, + { + "lane_id": "incident_recovery_backfill_required", + "meaning": "涉及服務異常、靜默重啟、端口事故或 cold-start recovery 時,必須進事故回補,不得直接 accepted。" + }, { "lane_id": "ready_for_host_service_review", "meaning": "metadata 合格後,只能進 host service reviewer review。" 
@@ -1538,6 +1906,34 @@ "check_id": "disable_switch_present", "instruction": "repair-bot、Ansible role 或 service config 需有 disable switch 或 freeze rule。" }, + { + "check_id": "config_source_of_truth_present", + "instruction": "必須提供 repo source、live source、runner source 與 backup source 的真相來源 ref;不得只用口頭描述。" + }, + { + "check_id": "service_dependency_map_present", + "instruction": "必須提供服務依賴 ref,涵蓋上游、下游、資料庫、queue、registry、AI provider 與 public route 影響。" + }, + { + "check_id": "port_binding_inventory_present", + "instruction": "必須提供 port binding / exposure inventory ref,避免 host port、container port、proxy 與防火牆狀態彼此漂移。" + }, + { + "check_id": "cold_start_sequence_present", + "instruction": "必須提供 cold-start / recovery sequence ref,明確列出 Docker daemon、compose stack、systemd unit、runner 與 post-check 順序。" + }, + { + "check_id": "incident_recovery_evidence_present", + "instruction": "若回覆涉及服務異常、重啟或端口事故,必須提供恢復時間、服務健康、route health 與 operator notice ref。" + }, + { + "check_id": "daemon_runner_contention_reviewed", + "instruction": "必須說明 Docker daemon、iptables / xtables、runner、repair-bot、backup job 或 compose action 是否可能互相競爭。" + }, + { + "check_id": "silent_restart_not_accepted", + "instruction": "不得接受沒有 actor、原因、依賴圖、port inventory、回滾與 post-check 的靜默 restart / reload。" + }, { "check_id": "write_capable_requires_extra_review", "instruction": "write-capable surface 必須進額外 reviewer review,不得直接 accepted。" 
@@ -1559,34 +1955,40 @@ "status": "owner_response_acceptance_ledger_ready_no_runtime_action", "summary": { "acceptance_candidate_count": 9, - "acceptance_field_count": 28, + "acceptance_field_count": 34, "action_button_count": 0, "active_scan_authorized_count": 0, "ansible_apply_authorized_count": 0, - "blocked_action_count": 20, + "blocked_action_count": 27, + "cold_start_sequence_accepted_count": 0, + "config_source_of_truth_accepted_count": 0, + "daemon_runner_contention_accepted_count": 0, "disable_switch_accepted_count": 0, "docker_compose_action_authorized_count": 0, "host_write_authorized_count": 0, + "incident_recovery_evidence_accepted_count": 0, "live_config_hash_accepted_count": 0, "live_evidence_received_count": 0, "live_evidence_required_candidate_count": 8, "live_host_read_authorized_count": 0, "maintenance_window_accepted_count": 0, - "outcome_lane_count": 7, + "outcome_lane_count": 8, "owner_response_accepted_count": 0, "owner_response_quarantined_count": 0, "owner_response_received_count": 0, "owner_response_rejected_count": 0, + "port_binding_inventory_accepted_count": 0, "post_check_plan_accepted_count": 0, "recipient_confirmed_count": 0, "repair_bot_execution_authorized_count": 0, "request_sent_count": 0, - "required_owner_field_count": 12, + "required_owner_field_count": 18, "restart_window_accepted_count": 0, - "reviewer_check_count": 14, + "reviewer_check_count": 21, "rollback_owner_accepted_count": 0, "runtime_gate_count": 0, "secret_value_collection_allowed_count": 0, + "service_dependency_map_accepted_count": 0, "source_owner_request_count": 9, "ssh_read_authorized_count": 0, "ssh_write_authorized_count": 0, diff --git a/docs/security/iwooos-posture-projection.snapshot.json b/docs/security/iwooos-posture-projection.snapshot.json index 5dcaaffa..59bc1af4 100644 --- a/docs/security/iwooos-posture-projection.snapshot.json +++ b/docs/security/iwooos-posture-projection.snapshot.json 
@@ -8611,14 +8611,14 @@ "global_security_mesh_matrix_read_only_count": 9, "global_security_mesh_matrix_runtime_gate_count": 0, "high_value_config_control_coverage_action_button_count": 0, - "high_value_config_control_coverage_average_percent": 68, + "high_value_config_control_coverage_average_percent": 69, "high_value_config_control_coverage_c0_category_count": 8, "high_value_config_control_coverage_c1_category_count": 4, "high_value_config_control_coverage_category_count": 14, "high_value_config_control_coverage_first_layer": true, "high_value_config_control_coverage_item_count": 4, "high_value_config_control_coverage_lowest_category_count": 4, - "high_value_config_control_coverage_needs_live_evidence_count": 9, + "high_value_config_control_coverage_needs_live_evidence_count": 10, "high_value_config_control_coverage_owner_response_accepted_count": 0, "high_value_config_control_coverage_owner_response_received_count": 0, "high_value_config_control_coverage_owner_response_required_count": 14, diff --git a/scripts/security/high-value-config-control-coverage.py b/scripts/security/high-value-config-control-coverage.py index 1df41f6d..58d29a04 100644 --- a/scripts/security/high-value-config-control-coverage.py +++ b/scripts/security/high-value-config-control-coverage.py @@ -156,8 +156,8 @@ CONTROL_STATUS_BY_CATEGORY = { "next_owner_action": "補 Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse / Telegram owner、live drift evidence、reload window、receiver owner、route smoke plan、noise budget、rollback owner 與 no-secret-value evidence。", }, "docker_compose_systemd_host_config": { - "coverage_status": "owner_response_acceptance_ledger_ready_needs_live_owner_evidence", - "coverage_percent": 54, + "coverage_status": "incident_recovery_backfill_ready_needs_live_owner_evidence", + "coverage_percent": 58, "evidence_refs": [ "docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md", "docs/security/HOST-SERVICE-CONFIG-INVENTORY.md", 
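Review bot: The bump of `"coverage_percent"` from 54 to 58 in `CONTROL_STATUS_BY_CATEGORY["docker_compose_systemd_host_config"]` carries no record of how the figure was derived, and the same literal is repeated in `iwooos-config-control-guard.py` (`EXPECTED_CATEGORIES`), in `security-mirror-progress-guard.py` and in the `page.tsx` value string asserted there, so the four copies have to be kept in sync by hand. A one-line comment next to the value naming what the +4 accounts for (the six incident-recovery fields, presumably) would let the next reviewer check the number instead of trusting it. The enclosing dict literal starts and ends outside this hunk.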
@@ -168,8 +168,8 @@ CONTROL_STATUS_BY_CATEGORY = { "docs/security/host-service-owner-response-acceptance.snapshot.json", "docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md", ], - "current_gap": "已固定 9 份 Docker / systemd / host service owner response acceptance candidate;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。", - "next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、maintenance / restart window、rollback owner、post-check plan 與 disable switch。", + "current_gap": "已固定 9 份 Docker / systemd / host service owner response acceptance candidate,並加入事故恢復、依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補欄位;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。", + "next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、maintenance / restart window、rollback owner、post-check plan、disable switch、source-of-truth、服務依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。", }, "ssh_firewall_network_access": { "coverage_status": "incident_change_evidence_acceptance_ready_needs_network_owner_evidence", @@ -384,6 +384,7 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]: "policy_ready_needs_drift_evidence", "inventory_needed", "repo_only_inventory_ready_needs_live_owner_evidence", + "incident_recovery_backfill_ready_needs_live_owner_evidence", "policy_ready_needs_network_matrix", "policy_ready_needs_dry_run_pack", } diff --git a/scripts/security/host-service-owner-response-acceptance.py b/scripts/security/host-service-owner-response-acceptance.py index 41c2f6d2..6f7e010b 100644 --- a/scripts/security/host-service-owner-response-acceptance.py +++ b/scripts/security/host-service-owner-response-acceptance.py 
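Review bot: In the `@@ -384` hunk the new status `"incident_recovery_backfill_ready_needs_live_owner_evidence"` is recognised only by exact membership in a set literal inside `build_report`, and the accompanying snapshot change of `needs_live_evidence_count` from 9 to 10 suggests the previous docker status, `owner_response_acceptance_ledger_ready_needs_live_owner_evidence`, was never in that set despite its name. If that reading is right, a category can silently drop out of the needs-live-evidence count whenever a status string is renamed, which defeats the purpose of the guard. I would add a consistency check right after `CONTROL_STATUS_BY_CATEGORY`, along the lines of `assert all(status in <this set> for status in (c["coverage_status"] for c in CONTROL_STATUS_BY_CATEGORY.values()) if "needs_live" in status)`, or match the set on the `needs_live_owner_evidence` suffix instead of listing each string. `build_report` begins and ends outside this hunk.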
@@ -48,11 +48,26 @@ ACCEPTANCE_FIELDS = [ "rollback_owner", "post_check_plan", "disable_switch", + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", "reviewer_outcome", "followup_owner", "not_approval", ] +INCIDENT_OWNER_RESPONSE_FIELDS = [ + "config_source_of_truth_ref", + "service_dependency_map_ref", + "port_binding_inventory_ref", + "cold_start_sequence_ref", + "incident_recovery_evidence_ref", + "daemon_runner_contention_ref", +] + REVIEWER_CHECKS = [ {"check_id": "owner_identity_present", "instruction": "owner role / team 必須可追溯。"}, {"check_id": "decision_reason_present", "instruction": "decision 與 decision reason 必須同時存在。"}, 
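Review bot: `INCIDENT_OWNER_RESPONSE_FIELDS` repeats six names that are also added to `ACCEPTANCE_FIELDS` a few lines above, with nothing enforcing that the two lists stay aligned, and the new list has no comment saying what it is for. Since `acceptance_candidate` appends it to every candidate's `required_owner_fields`, a name that is present in one list and misspelled in the other would make a field required that is never recorded. I would add `assert set(INCIDENT_OWNER_RESPONSE_FIELDS) <= set(ACCEPTANCE_FIELDS)` directly below the definition, plus a comment such as `# Owner-response refs appended to every candidate's required_owner_fields; each must also be an acceptance field.`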
@@ -65,6 +80,13 @@ REVIEWER_CHECKS = [ {"check_id": "rollback_owner_present", "instruction": "rollback owner、rollback ref 或 disable path 必須存在。"}, {"check_id": "post_check_plan_present", "instruction": "post-check 必須列服務健康、route、queue、log 與 rollback 停止條件。"}, {"check_id": "disable_switch_present", "instruction": "repair-bot、Ansible role 或 service config 需有 disable switch 或 freeze rule。"}, + {"check_id": "config_source_of_truth_present", "instruction": "必須提供 repo source、live source、runner source 與 backup source 的真相來源 ref;不得只用口頭描述。"}, + {"check_id": "service_dependency_map_present", "instruction": "必須提供服務依賴 ref,涵蓋上游、下游、資料庫、queue、registry、AI provider 與 public route 影響。"}, + {"check_id": "port_binding_inventory_present", "instruction": "必須提供 port binding / exposure inventory ref,避免 host port、container port、proxy 與防火牆狀態彼此漂移。"}, + {"check_id": "cold_start_sequence_present", "instruction": "必須提供 cold-start / recovery sequence ref,明確列出 Docker daemon、compose stack、systemd unit、runner 與 post-check 順序。"}, + {"check_id": "incident_recovery_evidence_present", "instruction": "若回覆涉及服務異常、重啟或端口事故,必須提供恢復時間、服務健康、route health 與 operator notice ref。"}, + {"check_id": "daemon_runner_contention_reviewed", "instruction": "必須說明 Docker daemon、iptables / xtables、runner、repair-bot、backup job 或 compose action 是否可能互相競爭。"}, + {"check_id": "silent_restart_not_accepted", "instruction": "不得接受沒有 actor、原因、依賴圖、port inventory、回滾與 post-check 的靜默 restart / reload。"}, {"check_id": "write_capable_requires_extra_review", "instruction": "write-capable surface 必須進額外 reviewer review,不得直接 accepted。"}, {"check_id": "no_runtime_request", "instruction": "夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收。"}, {"check_id": "counts_transition_safe", "instruction": "只有 reviewer record 可更新 received / accepted / rejected;不得同時開 runtime gate。"}, 
@@ -75,6 +97,7 @@ OUTCOME_LANES = [ {"lane_id": "quarantine_secret_or_raw_payload", "meaning": "收到 secret、env dump、raw compose、raw systemd unit 或未脫敏 host config 時隔離。"}, {"lane_id": "reject_execution_request", "meaning": "夾帶 SSH、docker compose、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收。"}, {"lane_id": "request_supplement", "meaning": "欄位不足、scope 不清、live hash ref / rollback / post-check 缺失時要求補件。"}, + {"lane_id": "incident_recovery_backfill_required", "meaning": "涉及服務異常、靜默重啟、端口事故或 cold-start recovery 時,必須進事故回補,不得直接 accepted。"}, {"lane_id": "ready_for_host_service_review", "meaning": "metadata 合格後,只能進 host service reviewer review。"}, {"lane_id": "owner_review_only_update", "meaning": "只允許更新只讀 owner review ledger,不得改 compose、systemd、repair-bot 或 Ansible。"}, {"lane_id": "waiting_runtime_gate", "meaning": "即使 owner response accepted,runtime gate 仍等待獨立人工批准。"}, @@ -99,6 +122,13 @@ BLOCKED_ACTIONS = [ "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button", ] 
@@ -151,10 +181,16 @@ def acceptance_candidate(request: dict[str, Any]) -> dict[str, Any]: "rollback_owner": "pending_owner_response", "post_check_plan": "pending_owner_response", "disable_switch": "pending_owner_response", + "config_source_of_truth_ref": None, + "service_dependency_map_ref": None, + "port_binding_inventory_ref": None, + "cold_start_sequence_ref": None, + "incident_recovery_evidence_ref": None, + "daemon_runner_contention_ref": None, "reviewer_outcome": "waiting_owner_response", "followup_owner": "pending_owner_response", "acceptance_fields": ACCEPTANCE_FIELDS, - "required_owner_fields": request["required_owner_fields"], + "required_owner_fields": [*request["required_owner_fields"], *INCIDENT_OWNER_RESPONSE_FIELDS], "reviewer_checks": [item["check_id"] for item in REVIEWER_CHECKS], "outcome_lanes": [item["lane_id"] for item in OUTCOME_LANES], "blocked_actions": BLOCKED_ACTIONS, @@ -173,6 +209,12 @@ def acceptance_candidate(request: dict[str, Any]) -> dict[str, Any]: "rollback_owner_accepted": False, "post_check_plan_accepted": False, "disable_switch_accepted": False, + "config_source_of_truth_accepted": False, + "service_dependency_map_accepted": False, + "port_binding_inventory_accepted": False, + "cold_start_sequence_accepted": False, + "incident_recovery_evidence_accepted": False, + "daemon_runner_contention_accepted": False, "host_write_authorized": False, "ssh_read_authorized": False, "ssh_write_authorized": False, 
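Review bot: `"required_owner_fields": [*request["required_owner_fields"], *INCIDENT_OWNER_RESPONSE_FIELDS]` makes all six incident refs mandatory for every one of the 9 candidates, while the matching reviewer check `incident_recovery_evidence_present` in `REVIEWER_CHECKS` is worded conditionally (only when the reply involves a service anomaly, restart or port incident). If completeness is later judged against `required_owner_fields`, a candidate with no incident history can never leave the supplement lane; either the instruction should be made unconditional or the field should be documented as "reference or explicit not-applicable statement". The splat concatenation also does not deduplicate, so a request that already lists one of these names would break the per-candidate count of 18 the guard asserts; `list(dict.fromkeys([*request["required_owner_fields"], *INCIDENT_OWNER_RESPONSE_FIELDS]))` keeps order and removes that fragility. `acceptance_candidate` begins and ends outside this hunk.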
@@ -216,7 +258,7 @@ def build_report( "write_capable_acceptance_candidate_count": len(write_capable), "live_evidence_required_candidate_count": len(live_evidence), "acceptance_field_count": len(ACCEPTANCE_FIELDS), - "required_owner_field_count": len(requests[0]["required_owner_fields"]) if requests else 0, + "required_owner_field_count": len(acceptance_candidates[0]["required_owner_fields"]) if acceptance_candidates else 0, "reviewer_check_count": len(REVIEWER_CHECKS), "outcome_lane_count": len(OUTCOME_LANES), "blocked_action_count": len(BLOCKED_ACTIONS), @@ -234,6 +276,12 @@ def build_report( "rollback_owner_accepted_count": 0, "post_check_plan_accepted_count": 0, "disable_switch_accepted_count": 0, + "config_source_of_truth_accepted_count": 0, + "service_dependency_map_accepted_count": 0, + "port_binding_inventory_accepted_count": 0, + "cold_start_sequence_accepted_count": 0, + "incident_recovery_evidence_accepted_count": 0, + "daemon_runner_contention_accepted_count": 0, "host_write_authorized_count": 0, "ssh_read_authorized_count": 0, "ssh_write_authorized_count": 0, @@ -272,9 +320,9 @@ def build_report( "blocked_actions": BLOCKED_ACTIONS, "acceptance_candidates": acceptance_candidates, "next_steps": [ - "等待 owner 以脫敏 metadata ref 回覆 live config hash、maintenance / restart window、rollback owner、post-check plan 與 disable switch。", + "等待 owner 以脫敏 metadata ref 回覆 live config hash、maintenance / restart window、rollback owner、post-check plan、disable switch、source of truth、依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。", "收到回覆後先做欄位完整性、敏感 payload 隔離與 execution request 拒收,不得直接 host read、restart、repair-bot 或 Ansible apply。", - "write-capable surface 必須額外 reviewer review,且 runtime gate 需獨立人工批准、rollback 與 post-check 成立。", + "write-capable 或事故回補 surface 必須額外 reviewer review,且 runtime gate 需獨立人工批准、rollback、dependency / port / cold-start 與 post-check 成立。", ], } 
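Review bot: `"required_owner_field_count": len(acceptance_candidates[0]["required_owner_fields"]) if acceptance_candidates else 0` reports the count of the first candidate only, although each candidate's list is built from its own `request["required_owner_fields"]` and may differ. Computing it as `max(len(c["required_owner_fields"]) for c in acceptance_candidates)` with a comment, or asserting that all candidates agree before using the first, would make the summary honest when the requests diverge. Separately, the six new `*_accepted_count` entries in the second hunk are literal `0` like their siblings rather than `sum(c["<field>_accepted"] for c in acceptance_candidates)`; if a reviewer record ever flips a candidate flag, the summary will not reflect it — presumably intended while the ledger is read-only, but worth a comment on the `0` literals. `build_report` begins and ends outside these hunks.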
diff --git a/scripts/security/iwooos-config-control-guard.py b/scripts/security/iwooos-config-control-guard.py index 107387f6..62778301 100644 --- a/scripts/security/iwooos-config-control-guard.py +++ b/scripts/security/iwooos-config-control-guard.py @@ -26,7 +26,7 @@ EXPECTED_CATEGORIES = { "backup_restore_credential": 62, "agent_bounty_protocol_runtime": 68, "monitoring_alerting_observability": 66, - "docker_compose_systemd_host_config": 54, + "docker_compose_systemd_host_config": 58, "ssh_firewall_network_access": 62, "ai_provider_model_routing": 60, "product_surface_runtime_routes": 72, @@ -171,13 +171,17 @@ ARTIFACT_SPECS = [ "status": "owner_response_acceptance_ledger_ready_no_runtime_action", "list_counts": { "acceptance_candidates": 9, - "blocked_actions": 20, - "reviewer_checks": 14, - "outcome_lanes": 7, + "blocked_actions": 27, + "reviewer_checks": 21, + "outcome_lanes": 8, }, "summary_counts": { "acceptance_candidate_count": 9, "write_capable_acceptance_candidate_count": 3, + "required_owner_field_count": 18, + "reviewer_check_count": 21, + "outcome_lane_count": 8, + "blocked_action_count": 27, "owner_response_received_count": 0, "owner_response_accepted_count": 0, "runtime_gate_count": 0, diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index d35b411f..7c429dd7 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -2719,7 +2719,7 @@ def validate(root: Path) -> None: assert_equal( "high_value_config_coverage.summary.needs_live_evidence_count", high_value_config_coverage["summary"]["needs_live_evidence_count"], - 9, + 10, ) for key in [ "owner_response_received_count", 
@@ -3135,12 +3135,12 @@ def validate(root: Path) -> None: assert_equal( "high_value_config_coverage.coverage_categories.docker.coverage_percent", docker_systemd_category["coverage_percent"], - 54, + 58, ) assert_equal( "high_value_config_coverage.coverage_categories.docker.coverage_status", docker_systemd_category["coverage_status"], - "owner_response_acceptance_ledger_ready_needs_live_owner_evidence", + "incident_recovery_backfill_ready_needs_live_owner_evidence", ) for evidence_ref in [ "docs/security/HOST-SERVICE-CONFIG-INVENTORY.md", @@ -3474,11 +3474,11 @@ def validate(root: Path) -> None: "acceptance_candidate_count": 9, "write_capable_acceptance_candidate_count": 3, "live_evidence_required_candidate_count": 8, - "acceptance_field_count": 28, - "required_owner_field_count": 12, - "reviewer_check_count": 14, - "outcome_lane_count": 7, - "blocked_action_count": 20, + "acceptance_field_count": 34, + "required_owner_field_count": 18, + "reviewer_check_count": 21, + "outcome_lane_count": 8, + "blocked_action_count": 27, "request_sent_count": 0, "recipient_confirmed_count": 0, "owner_response_received_count": 0, @@ -3493,6 +3493,12 @@ def validate(root: Path) -> None: "rollback_owner_accepted_count": 0, "post_check_plan_accepted_count": 0, "disable_switch_accepted_count": 0, + "config_source_of_truth_accepted_count": 0, + "service_dependency_map_accepted_count": 0, + "port_binding_inventory_accepted_count": 0, + "cold_start_sequence_accepted_count": 0, + "incident_recovery_evidence_accepted_count": 0, + "daemon_runner_contention_accepted_count": 0, "host_write_authorized_count": 0, "ssh_read_authorized_count": 0, "ssh_write_authorized_count": 0, 
@@ -3551,6 +3557,13 @@ def validate(root: Path) -> None: "rollback_owner_present", "post_check_plan_present", "disable_switch_present", + "config_source_of_truth_present", + "service_dependency_map_present", + "port_binding_inventory_present", + "cold_start_sequence_present", + "incident_recovery_evidence_present", + "daemon_runner_contention_reviewed", + "silent_restart_not_accepted", "write_capable_requires_extra_review", "no_runtime_request", "counts_transition_safe", @@ -3565,6 +3578,7 @@ def validate(root: Path) -> None: "quarantine_secret_or_raw_payload", "reject_execution_request", "request_supplement", + "incident_recovery_backfill_required", "ready_for_host_service_review", "owner_review_only_update", "waiting_runtime_gate", @@ -3593,6 +3607,13 @@ def validate(root: Path) -> None: "raw_live_config_storage", "restart_without_window", "rollback_without_owner", + "accept_silent_restart", + "treat_service_healthy_as_config_accepted", + "skip_config_source_of_truth_review", + "skip_service_dependency_map", + "skip_port_binding_review", + "skip_cold_start_sequence", + "hide_daemon_runner_contention", "runtime_gate_open", "add_action_button", ] 
@@ -3605,27 +3626,27 @@ def validate(root: Path) -> None: assert_equal( f"host_service_owner_response_acceptance.{item['acceptance_candidate_id']}.acceptance_fields", len(item["acceptance_fields"]), - 28, + 34, ) assert_equal( f"host_service_owner_response_acceptance.{item['acceptance_candidate_id']}.required_owner_fields", len(item["required_owner_fields"]), - 12, + 18, ) assert_equal( f"host_service_owner_response_acceptance.{item['acceptance_candidate_id']}.reviewer_checks", len(item["reviewer_checks"]), - 14, + 21, ) assert_equal( f"host_service_owner_response_acceptance.{item['acceptance_candidate_id']}.outcome_lanes", len(item["outcome_lanes"]), - 7, + 8, ) assert_equal( f"host_service_owner_response_acceptance.{item['acceptance_candidate_id']}.blocked_actions", len(item["blocked_actions"]), - 20, + 27, ) assert_true( f"host_service_owner_response_acceptance.{item['acceptance_candidate_id']}.not_approval", @@ -3646,6 +3667,12 @@ def validate(root: Path) -> None: "rollback_owner_accepted", "post_check_plan_accepted", "disable_switch_accepted", + "config_source_of_truth_accepted", + "service_dependency_map_accepted", + "port_binding_inventory_accepted", + "cold_start_sequence_accepted", + "incident_recovery_evidence_accepted", + "daemon_runner_contention_accepted", "host_write_authorized", "ssh_read_authorized", "ssh_write_authorized", 
@@ -6325,8 +6352,8 @@ def validate(root: Path) -> None: "high_value_config_control_coverage_category_count": 14, "high_value_config_control_coverage_c0_category_count": 8, "high_value_config_control_coverage_c1_category_count": 4, - "high_value_config_control_coverage_average_percent": 68, - "high_value_config_control_coverage_needs_live_evidence_count": 9, + "high_value_config_control_coverage_average_percent": 69, + "high_value_config_control_coverage_needs_live_evidence_count": 10, "high_value_config_control_coverage_owner_response_required_count": 14, "high_value_config_control_coverage_owner_response_received_count": 0, "high_value_config_control_coverage_owner_response_accepted_count": 0, @@ -16212,7 +16239,7 @@ def validate(root: Path) -> None: assert_text_contains( "iwooos_page.high_value_config_control_coverage_docker_systemd_percent", iwooos_projection_page, - "{ key: 'dockerSystemd', rank: 'P1-1', value: '54%'", + "{ key: 'dockerSystemd', rank: 'P1-1', value: '58%'", ) assert_text_contains( "iwooos_page.high_value_config_control_coverage_ssh_network_percent", @@ -16242,7 +16269,7 @@ def validate(root: Path) -> None: "high_value_config_control_coverage_c0_category_count=8", "high_value_config_control_coverage_c1_category_count=4", "high_value_config_control_coverage_average_percent=69", - "high_value_config_control_coverage_needs_live_evidence_count=9", + "high_value_config_control_coverage_needs_live_evidence_count=10", "high_value_config_control_coverage_owner_response_required_count=14", "high_value_config_control_coverage_owner_response_received_count=0", "high_value_config_control_coverage_owner_response_accepted_count=0", 
@@ -16326,7 +16353,10 @@ def validate(root: Path) -> None: "host_service_config_inventory_runtime_gate_count=0", "host_service_owner_response_acceptance_candidate_count=9", "host_service_owner_response_acceptance_write_capable_candidate_count=3", - "host_service_owner_response_acceptance_reviewer_check_count=14", + "host_service_owner_response_acceptance_required_owner_field_count=18", + "host_service_owner_response_acceptance_reviewer_check_count=21", + "host_service_owner_response_acceptance_outcome_lane_count=8", + "host_service_owner_response_acceptance_blocked_action_count=27", "host_service_owner_response_acceptance_runtime_gate_count=0", "ssh_network_access_inventory_surface_count=16", "ssh_network_access_inventory_write_capable_surface_count=6",