wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 3 Packages Projects Releases Wiki Activity

feat(iwooos): 強化主機服務事故回補 gate
All checks were successful
Code Review / ai-code-review (push) Successful in 13s
Details
CD Pipeline / tests (push) Successful in 1m40s
Details
CD Pipeline / build-and-deploy (push) Successful in 6m17s
Details
CD Pipeline / post-deploy-checks (push) Successful in 1m35s
Details

Browse Source
This commit is contained in:
Your Name
2026-06-15 14:48:52 +08:00
parent a036b07673
commit 41f5ff1a38
17 changed files with 588 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md
View File

@@ -78,7 +78,7 @@
已新增 `docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md``docs/security/host-service-owner-response-acceptance.snapshot.json`,將 9 份 Docker / systemd / host service owner request draft 轉成 metadata-only owner response acceptance 只讀帳本。
固定數字為 `acceptance_candidate_count=9``write_capable_acceptance_candidate_count=3``live_evidence_required_candidate_count=8``acceptance_field_count=28``required_owner_field_count=12``reviewer_check_count=14``outcome_lane_count=7``blocked_action_count=20``owner_response_received_count=0``owner_response_accepted_count=0``live_host_read_authorized_count=0``docker_compose_action_authorized_count=0``systemctl_action_authorized_count=0``repair_bot_execution_authorized_count=0``ansible_apply_authorized_count=0``runtime_gate_count=0`。此更新讓 `docker_compose_systemd_host_config``50%` 推進到 `54%`,也讓高價值配置平均只讀成熟度從 `67%` 推進到 `68%`;它不代表 live host read、restart、repair-bot、Ansible、sudo、host write 或 runtime gate 已授權。
固定數字為 `acceptance_candidate_count=9``write_capable_acceptance_candidate_count=3``live_evidence_required_candidate_count=8``acceptance_field_count=34``required_owner_field_count=18``reviewer_check_count=21``outcome_lane_count=8``blocked_action_count=27``owner_response_received_count=0``owner_response_accepted_count=0``live_host_read_authorized_count=0``docker_compose_action_authorized_count=0``systemctl_action_authorized_count=0``repair_bot_execution_authorized_count=0``ansible_apply_authorized_count=0``runtime_gate_count=0`。此更新讓 `docker_compose_systemd_host_config``54%` 推進到 `58%`;它不代表 live host read、restart、repair-bot、Ansible、sudo、host write 或 runtime gate 已授權。
## 1.7 2026-06-15 端口 / 防火牆變更證據驗收只讀帳本
@@ -113,7 +113,7 @@
| 優先 | 類別 | 目前成熟度 | 下一步 |
|------|------|------------|--------|
| P1-1 | Docker Compose / systemd / host service config | `54%` | repo-only 清冊已納入 9 個 surfaceowner request draft 與 owner response acceptance ledger 已完成;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence |
| P1-1 | Docker Compose / systemd / host service config | `58%` | repo-only 清冊已納入 9 個 surfaceowner request draft 與 owner response acceptance ledger 已完成;事故恢復、依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補已納入;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence |
| P1-2 | SSH / sudoers / known_hosts / firewall / WireGuard / NodePort | `62%` | repo-only 清冊已納入 16 個 SSH / network access surfaceowner request draft、owner response acceptance 與事故型端口 / 防火牆變更證據驗收 ledger 已完成;仍缺 owner-provided change / incident ref、actor、before / after state、health impact、notification、cross-project sync、maintenance window、rollback owner 與 post-check evidence |
| P1-3 | Backup / restore / escrow / retention | `62%` | repo-only 清冊已納入 38 個 surfaceowner request draft 與 owner response acceptance ledger 已完成;仍缺 owner response、restore drill approval package、offsite / escrow owner、retention owner、rollback owner、validation plan 與 no-secret-value evidence |
| P1-4 | Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse | `62%` | repo-only 清冊已納入 60 個 monitoring / alerting / observability surfaceowner request draft 已轉成 60 份草稿;仍缺 owner response、live drift evidence、reload owner、receiver owner、route smoke 與 receipt proof |
@@ -245,7 +245,7 @@ python3 scripts/security/iwooos-config-control-guard.py --root .
| 覆蓋 snapshot / schema | `100%` | 已新增可重跑 snapshot 與 JSON schema |
| 高價值配置集中 guard | `100%` | 已新增 `scripts/security/iwooos-config-control-guard.py`,並串接 `security-mirror-progress-guard.py`14 類配置、主要 owner / change evidence 帳本、supply-chain manifest 與 `0 / false` 邊界可集中驗證 |
| DNS / TLS / certbot owner response acceptance | `100%` | 已新增 `domain_tls_certbot_owner_response_acceptance_v1`4 個 C0 candidate、13 個 owner 必填欄位、13 個 reviewer checks、7 條 outcome lanes、20 類 blocked action成熟度 `74% -> 78%` |
| Docker / systemd / host service owner response acceptance | `100%` | 已新增 `host_service_owner_response_acceptance_v1`9 個 candidate、3 個 write-capable、14 個 reviewer checks、7 條 outcome lanes、20 類 blocked action成熟度 `50% -> 54%` |
| Docker / systemd / host service owner response acceptance | `100%` | 已新增 `host_service_owner_response_acceptance_v1`9 個 candidate、3 個 write-capable、21 個 reviewer checks、8 條 outcome lanes、27 類 blocked action成熟度 `54% -> 58%` |
| CD / Runner / Secret injection change evidence acceptance | `100%` | 已新增 `cd_runner_secret_injection_change_evidence_acceptance_v1`5 個 candidate、4 個 C0、19 個 reviewer checks、8 條 outcome lanes、32 類 blocked actionsecret metadata 成熟度 `66% -> 68%`workflow / runner 成熟度 `70% -> 72%` |
| Public / Admin / API runtime config 變更證據驗收 | `100%` | 已新增 `public_runtime_config_change_evidence_acceptance_v1`6 個 candidate、5 個 C0、21 個 reviewer checks、8 條 outcome lanes、32 類 blocked actionpublic/admin/API runtime config 成熟度 `62% -> 64%`raw namespace / repo slug / 內部狀態碼 / 內部協作內容外洩列為拒收或隔離條件 |
| owner response 收件 | `0%` | 尚未收到或接受任何 owner response |
@@ -258,7 +258,7 @@ python3 scripts/security/iwooos-config-control-guard.py --root .
2026-06-14 再新增 `host_service_owner_request_draft_v1`,把 9 個 surface 轉成 `request_draft_count=9``write_capable_request_draft_count=3``live_evidence_required_request_count=8``required_owner_field_count=12``blocked_action_count=14` 的人工送件前草稿。此更新仍不調高類別成熟度,因為 request sent、owner response received / accepted、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 `0`
2026-06-14 再新增 `host_service_owner_response_acceptance_v1`,把 9 份 request draft 轉成 `acceptance_candidate_count=9``write_capable_acceptance_candidate_count=3``live_evidence_required_candidate_count=8``required_owner_field_count=12``reviewer_check_count=14``outcome_lane_count=7``blocked_action_count=20` 的 owner response acceptance 只讀帳本。此更新讓 `docker_compose_systemd_host_config``50%` 推進到 `54%`,但 owner response received / accepted、live hash、maintenance / restart window、rollback owner、post-check plan、disable switch、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、runtime gate 與 action button 仍全部為 `0`
2026-06-15 追加事故回補欄位,將 `host_service_owner_response_acceptance_v1` 固定為 `acceptance_field_count=34``required_owner_field_count=18``reviewer_check_count=21``outcome_lane_count=8``blocked_action_count=27`。新增要求包含 source-of-truth、服務依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。此更新讓 `docker_compose_systemd_host_config``54%` 推進到 `58%`,但 owner response received / accepted、live hash、maintenance / restart window、rollback owner、post-check plan、disable switch、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、runtime gate 與 action button 仍全部為 `0`
## 9. P1-2 SSH / network access 清冊更新

2
docs/security/HOST-SERVICE-CONFIG-INVENTORY.md
View File

@@ -19,7 +19,7 @@
此 artifact 只表示 owner request 的 required shape不代表 request sent、recipient confirmed、owner response received / accepted、live host read、Docker Compose action、systemctl action、repair-bot execution、Ansible apply、secret collection、host write、production write 或 runtime gate。
2026-06-14 再新 `docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md``docs/security/host-service-owner-response-acceptance.snapshot.json`,將 9 份 request draft 轉成 owner response acceptance 只讀帳本。固定 `acceptance_candidate_count=9``write_capable_acceptance_candidate_count=3``live_evidence_required_candidate_count=8``required_owner_field_count=12``reviewer_check_count=14``outcome_lane_count=7``blocked_action_count=20``owner_response_received_count=0``owner_response_accepted_count=0``runtime_gate_count=0`
2026-06-15`docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md``docs/security/host-service-owner-response-acceptance.snapshot.json`,將 9 份 request draft 轉成 owner response acceptance 只讀帳本並追加事故回補。固定 `acceptance_candidate_count=9``write_capable_acceptance_candidate_count=3``live_evidence_required_candidate_count=8``required_owner_field_count=18``reviewer_check_count=21``outcome_lane_count=8``blocked_action_count=27``owner_response_received_count=0``owner_response_accepted_count=0``runtime_gate_count=0`
此 artifact 只表示未來 owner 回覆可被收件、補件、隔離、拒收或進 reviewer review不代表 live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、production write 或 runtime gate。

2
docs/security/HOST-SERVICE-OWNER-REQUEST-DRAFT.md
View File

@@ -15,7 +15,7 @@
這不是主機真相、不是 live hash 收件、不是 restart window 已接受,也不是 `docker compose``systemctl`、repair-bot、Ansible 或 SSH 授權。
2026-06-14 已新 `docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md``docs/security/host-service-owner-response-acceptance.snapshot.json`,把本文件 9 份 request draft 轉成 owner response acceptance 只讀帳本。固定 `candidates=9``write_capable=3``live_evidence_required=8``reviewer_checks=14``outcome_lanes=7``blocked_actions=20`,但 owner response received / accepted、live host read、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write 與 runtime gate 仍全部為 `0 / false`
2026-06-15`docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md``docs/security/host-service-owner-response-acceptance.snapshot.json`,把本文件 9 份 request draft 轉成 owner response acceptance 只讀帳本並追加事故回補。固定 `candidates=9``write_capable=3``live_evidence_required=8``owner_fields=18``reviewer_checks=21``outcome_lanes=8``blocked_actions=27`,但 owner response received / accepted、live host read、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write 與 runtime gate 仍全部為 `0 / false`
## 2. 摘要

31
docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md
View File

@@ -22,11 +22,11 @@ Docker / systemd / host service config 會直接影響 110 / 188 的 Compose sta
| acceptance candidate count | `9` | 9 個 host service surface |
| write-capable candidate count | `3` | Ansible role、110 repair-bot、188 repair-bot |
| live evidence required candidate count | `8` | local dev compose 之外都需 owner-provided live hash / disposition |
| acceptance field count | `28` | 每份 candidate 的 metadata-only 欄位 |
| required owner field count | `12` | owner / decision / scope / redacted refs / live hash / windows / rollback / post-check / disable switch |
| reviewer check count | `14` | owner、scope、redaction、secret、live hash、restart window、rollback、post-check、runtime request 檢查 |
| outcome lane count | `7` | waiting、quarantine、reject、supplement、host service review、read-only update、waiting runtime gate |
| blocked action count | `20` | SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、active scan 等 |
| acceptance field count | `34` | 每份 candidate 的 metadata-only 欄位 |
| required owner field count | `18` | owner / decision / scope / redacted refs / live hash / windows / rollback / post-check / disable switch / source-of-truth / 依賴 / port / cold-start / incident / contention |
| reviewer check count | `21` | owner、scope、redaction、secret、live hash、restart window、rollback、post-check、事故回補、runtime request 檢查 |
| outcome lane count | `8` | waiting、quarantine、reject、supplement、incident backfill、host service review、read-only update、waiting runtime gate |
| blocked action count | `27` | SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、silent restart、active scan 等 |
| owner response received / accepted | `0 / 0` | 尚未收到,尚未驗收 |
| live host read / Docker / systemctl / repair-bot / Ansible | `0 / 0 / 0 / 0 / 0` | 尚未批准且未執行 |
| runtime gate / action button | `0 / 0` | 未開啟 |
@@ -60,6 +60,12 @@ Docker / systemd / host service config 會直接影響 110 / 188 的 Compose sta
| `rollback_owner` | 未來若進變更的 rollback owner |
| `post_check_plan` | 服務健康、route、queue、log、error budget 與 rollback 停止條件 |
| `disable_switch` | repair-bot、Ansible role 或 service config 的停用方式 / freeze rule |
| `config_source_of_truth_ref` | repo source、live source、runner source 與 backup source 的脫敏真相來源 ref |
| `service_dependency_map_ref` | 上游、下游、資料庫、queue、registry、AI provider 與 public route 依賴 ref |
| `port_binding_inventory_ref` | host port、container port、proxy 與 firewall exposure inventory ref |
| `cold_start_sequence_ref` | Docker daemon、compose stack、systemd unit、runner 與 post-check 的冷啟動 / recovery 順序 ref |
| `incident_recovery_evidence_ref` | 服務異常、重啟或端口事故的恢復時間、服務健康、route health 與 operator notice ref |
| `daemon_runner_contention_ref` | Docker daemon、iptables / xtables、runner、repair-bot、backup job 或 compose action 的競爭風險 ref |
| `followup_owner` | 後續補證、reviewer 或 runtime gate 負責角色 |
## 5. Reviewer checks
@@ -77,6 +83,13 @@ Docker / systemd / host service config 會直接影響 110 / 188 的 Compose sta
| `rollback_owner_present` | rollback owner、rollback ref 或 disable path 必須存在 |
| `post_check_plan_present` | post-check 必須列服務健康、route、queue、log 與 rollback 停止條件 |
| `disable_switch_present` | repair-bot、Ansible role 或 service config 需有 disable switch 或 freeze rule |
| `config_source_of_truth_present` | 必須提供 repo / live / runner / backup source-of-truth ref |
| `service_dependency_map_present` | 必須提供服務依賴圖 ref |
| `port_binding_inventory_present` | 必須提供 host / container / proxy / firewall port binding inventory ref |
| `cold_start_sequence_present` | 必須提供 cold-start / recovery sequence ref |
| `incident_recovery_evidence_present` | 涉及服務異常、重啟或端口事故時必須提供恢復與健康證據 ref |
| `daemon_runner_contention_reviewed` | 必須說明 Docker daemon、iptables、runner、repair-bot、backup job 或 compose action 是否競爭 |
| `silent_restart_not_accepted` | 沒有 actor、原因、依賴圖、port inventory、回滾與 post-check 的 restart / reload 不可接受 |
| `write_capable_requires_extra_review` | write-capable surface 必須進額外 reviewer review |
| `no_runtime_request` | 夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收 |
| `counts_transition_safe` | 只有 reviewer record 可更新 received / accepted / rejected且不得開 runtime gate |
@@ -89,6 +102,7 @@ Docker / systemd / host service config 會直接影響 110 / 188 的 Compose sta
| `quarantine_secret_or_raw_payload` | 收到 secret、env dump、raw compose、raw systemd unit 或未脫敏 host config 時隔離 |
| `reject_execution_request` | 夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收 |
| `request_supplement` | 欄位不足、scope 不清、live hash ref / rollback / post-check 缺失時要求補件 |
| `incident_recovery_backfill_required` | 涉及服務異常、靜默重啟、端口事故或 cold-start recovery 時,必須進事故回補 |
| `ready_for_host_service_review` | metadata 合格後,只能進 host service reviewer review |
| `owner_review_only_update` | 只允許更新只讀 owner review ledger |
| `waiting_runtime_gate` | 即使 owner response acceptedruntime gate 仍等待獨立人工批准 |
@@ -104,6 +118,9 @@ Docker / systemd / host service config 會直接影響 110 / 188 的 Compose sta
7. 不保存 raw live config、env dump、secret value、未脫敏 log 或 shell history。
8. 不把 restart window、maintenance window 或 owner response 當成 runtime approval。
9. 不開 runtime gate不建立 action button。
10. 不接受靜默 restart / reload。
11. 不把服務目前 healthy 當成 config 已驗收。
12. 不跳過 source-of-truth、服務依賴圖、port binding、cold-start sequence 或 daemon / runner contention review。
## 8. 指令
@@ -115,7 +132,7 @@ python3 scripts/security/host-service-owner-response-acceptance.py \
--inventory-report docs/security/host-service-config-inventory.snapshot.json \
--owner-request-report docs/security/host-service-owner-request-draft.snapshot.json \
--output docs/security/host-service-owner-response-acceptance.snapshot.json \
--generated-at 2026-06-14T23:45:00+08:00
--generated-at 2026-06-15T14:45:00+08:00
```
驗證 guard
@@ -129,7 +146,7 @@ python3 scripts/security/security-mirror-progress-guard.py --root .
| 工作 | 完成度 | 說明 |
|------|--------|------|
| owner response acceptance ledger artifact | `100%` | 產生器、snapshot 與文件已固定 |
| Docker / systemd / host service 只讀治理成熟度 | `50% -> 54%` | 收件驗收帳本更完整;不代表 live evidence 或 runtime action |
| Docker / systemd / host service 只讀治理成熟度 | `54% -> 58%` | 事故恢復、依賴圖、port binding、cold-start、source-of-truth 與 daemon / runner 競爭回補已納入;不代表 live evidence 或 runtime action |
| owner response received / accepted | `0%` | 尚未收到,尚未驗收 |
| live config hash accepted | `0%` | 尚未收到 owner-provided metadata ref |
| live host read / SSH | `0%` | 尚未批准且未執行 |

4
docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md
View File

@@ -117,7 +117,7 @@
### 0.8 2026-06-14 Docker / systemd / host service owner response acceptance 只讀帳本
`host_service_owner_response_acceptance_v1` 已把 9 份 Docker / systemd / host service owner request draft 轉成 owner response acceptance 只讀帳本。固定 `candidates=9``write_capable=3``live_evidence_required=8``owner_fields=12``reviewer_checks=14``outcome_lanes=7``blocked_actions=20`,讓 Docker / systemd / host service 類別成熟度從 `50%` 推進到 `54%`,高價值配置平均只讀成熟度從 `67%` 推進到 `68%`
`host_service_owner_response_acceptance_v1` 已把 9 份 Docker / systemd / host service owner request draft 轉成 owner response acceptance 只讀帳本。固定 `candidates=9``write_capable=3``live_evidence_required=8``owner_fields=18``reviewer_checks=21``outcome_lanes=8``blocked_actions=27`並追加事故恢復、依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補要求,讓 Docker / systemd / host service 類別成熟度從 `54%` 推進到 `58%`
此更新只表示 live config hash ref、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence 已有收件驗收規則owner response received / accepted、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、runtime gate 仍全部為 `0 / false`
@@ -252,7 +252,7 @@ Nginx 是目前必須最先資安控管的配置,原因是它同時控制公
| owner response request / received / accepted | `0%` | Packet 只是草案;尚未送件、尚未收件、尚未 reviewer accepted |
| agent-bounty-protocol owner request draft | `100%` | 已將 repo / refs、deployment、data classification、external agent / treasury 與 7 個 product surface 轉成 11 份 owner request draftclaim / submit、payout、cron / daemon、runtime gate 仍為 0 |
| Docker / systemd owner request draft | `100%` | 已將 9 個 host service surface 轉成 owner request draftrequest sent / received / accepted 仍為 0 |
| Docker / systemd owner response acceptance | `100%` | 已新增 `host_service_owner_response_acceptance_v1`9 個 candidate、3 個 write-capable、8 個需 live evidence、14 個 reviewer checks、7 條 outcome lanes、20 類 blocked action成熟度 `50% -> 54%` |
| Docker / systemd owner response acceptance | `100%` | 已新增 `host_service_owner_response_acceptance_v1`9 個 candidate、3 個 write-capable、8 個需 live evidence、21 個 reviewer checks、8 條 outcome lanes、27 類 blocked action成熟度 `54% -> 58%` |
| SSH / firewall / network owner request draft | `100%` | 已將 16 個 SSH / network access surface 轉成 owner request draftrequest sent / received / accepted、port change、firewall change、NetworkPolicy apply、NodePort change、WireGuard change 仍為 0 |
| SSH / firewall / network owner response acceptance | `100%` | 已新增 `ssh_network_owner_response_acceptance_v1`16 個 candidate、6 個 write-capable、15 個 reviewer checks、7 條 outcome lanes、22 類 blocked action成熟度 `54% -> 58%` |
| 端口 / 防火牆變更證據驗收 | `100%` | 已新增並強化 `port_firewall_change_evidence_acceptance_v1`14 個 candidate、6 個 write-capable、21 個 reviewer checks、9 條 outcome lanes、28 類 blocked action成熟度 `58% -> 62%` |

2
docs/security/IWOOOS-POSTURE-PROJECTION.md
View File

@@ -95,7 +95,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence
51. 10 個 frontend surface reverse bridge statuses顯示既有資安入口目前是 embedded bridge、direct bridge 或 AwoooP read-only candidate這只是連接狀態不代表 owner response、runtime authorization、Code Review blocker、Gitea/GitHub action 或任何執行控制。
52. 6 個 source control primary readiness items顯示 GitHub primary 前置缺口candidate repo inventory、primary ready counter、owner response validation、refs truth、workflow / secret name inventory、rollback ADR這只是 readiness不代表 repo 建立、visibility 變更、refs mutation、secret value collection、primary switch 或 Gitea 停用。
53. 4 個 rollout risk read-only items顯示風險來源部署 marker、`AWOOOI_ROLLOUT_RISK=1`、ArgoCD `Degraded` / `OutOfSync`、API health / smoke 已通過與執行期閘門仍為 0這只是部署風險可見性不代表 ArgoCD sync、kubectl、主機重啟、修復、部署或 runtime gate 已授權。
54. 14 類 high-value config control coverage statuses顯示 Nginx、DNS / TLS、K8s、機密、工作流程、執行器、backup、agent-bounty runtime、monitoring、Docker / systemd、SSH / network、AI provider、產品 route 與 security evidence 的全域配置控管覆蓋矩陣;平均只讀成熟度 `68%`、C0 類別 `8`、需 live / owner evidence 類別 `8`、owner response received / accepted 與 runtime gate 仍為 `0`,不代表 reload、sync、scan、secret rotation、payout 或主機操作授權。
54. 14 類 high-value config control coverage statuses顯示 Nginx、DNS / TLS、K8s、機密、工作流程、執行器、backup、agent-bounty runtime、monitoring、Docker / systemd、SSH / network、AI provider、產品 route 與 security evidence 的全域配置控管覆蓋矩陣;平均只讀成熟度 `69%`、C0 類別 `8`、需 live / owner evidence 類別 `10`、owner response received / accepted 與 runtime gate 仍為 `0`,不代表 reload、sync、scan、secret rotation、payout 或主機操作授權。
55. 9 個 host-service config repo-only inventory surfaces顯示 Docker Compose、systemd / repair-bot、Ansible service role 與 host config backup capture 的第一層清冊write-capable surface `3`、repair-bot whitelist `2`、systemd restart surface `1`owner response、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 `0`,不代表 `docker compose``systemctl`、repair-bot 或 Ansible apply 已授權。
56. 16 個 SSH / network access repo-only inventory surfaces、owner response acceptance 與端口 / 防火牆變更證據驗收只讀帳本,顯示 SSH target、known_hosts workflow、CI deploy SSH、monitoring SSH、backup SSH capture、sudoers wrapper、NetworkPolicy、NodePort、WireGuard runbook 與 alert SSH action catalog 的第一層清冊write-capable surface `6`、NetworkPolicy `2`、NodePort `2`、sudoers `1`、WireGuard `1`acceptance candidate `16`、change evidence candidate `14`、reviewer check `16`、outcome lane `8`、blocked action `24`,讓 SSH / network 類別成熟度從 `58%` 推進到 `60%`owner response、change evidence、actor、before / after state、cross-project sync、post-check evidence、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 `0`,不代表 SSH、sudo、firewall、port close / open、NetworkPolicy、NodePort、WireGuard、route smoke 或 known_hosts patch 已授權。
56a. 4 個 K8s / ArgoCD GitOps 變更證據驗收候選,顯示 production manifests、ArgoCD app、Velero、monitoring manifests 的 proposed commit、rendered manifest diff、ArgoCD app / sync revision、health before / after、rollout、route smoke、metrics / alert、secret metadata parity、blast radius、maintenance window、rollback revision 與 postcheck owner 收件規則C0 candidate `3`、write-capable candidate `4`、reviewer check `18`、outcome lane `8`、blocked action `28`,讓 K8s / ArgoCD 類別成熟度從 `62%` 推進到 `64%`change evidence、runtime approval package、ArgoCD API read、ArgoCD sync、kubectl action、Helm upgrade、NetworkPolicy / NodePort / RBAC change、production write、runtime gate 與 action button 仍全部為 `0`

4
docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
View File

@@ -9,7 +9,7 @@
| 本階段追加補充 | IwoooS 目前具體工作地圖 + IwoooS 目前具體交付清單 + IwoooS 目前阻塞與解除條件 + IwoooS 三軸進度與全產品套用範圍 + IwoooS 全產品分階段套用台帳 + IwoooS 全產品 rollout 波次驗收門檻 + IwoooS 全產品 rollout 驗收結果分流 + IwoooS 全產品證據接線地圖 + IwoooS 全產品證據接線預檢 + IwoooS 全產品證據接線預檢結果分流 + IwoooS 全產品預檢補件回收台帳 + IwoooS 全產品補件重試門檻 + IwoooS 全產品重試結果分流 + IwoooS 全產品人工審查候選準備 + IwoooS 全產品人工審查候選預檢 + IwoooS 全產品人工審查候選預檢結果分流 + IwoooS 全產品人工審查候選預檢補件回收台帳 + IwoooS 全產品人工審查候選預檢補件重試門檻 + IwoooS 全產品只讀套用快照 + P2-145 owner response acceptance gate 正式驗證完成 |
| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**``scripts/ops/**/*cert*``scripts/ops/**/*tls*`sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`Gate 預設工作樹 preflight 已可讀取 staged / unstaged / untracked本地 smoke 對臨時 `k8s/nginx/*` 檔命中 C0Owner Packet snapshot 已同步為 `packets=3 / c0=2`Coverage snapshot 已同步最新 patternsIwoooS / AwoooP 前台 Owner Packet 摘要已正式驗證 `packet=3 / c0=2`feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` successIwoooS posture projection snapshot / schema / guard 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;高價值配置 Owner Packet 收件預檢已新增 `checks=9 / lanes=5 / required_fields=27 / blocked_requests=16`;高價值配置 Owner Request 草稿包已新增 `drafts=3 / handoff_fields=11 / forbidden_payloads=12 / sent=0`Public Gateway live conf 匯出請求包已新增 `requests=3 / c0=2 / redaction_rules=8 / received=0`Public Gateway redacted export 收件預檢已新增 `candidates=3 / c0=2 / checks=10 / rejection_guards=12 / received=0 / accepted=0`Public Gateway rendered diff / nginx gate 草稿已新增 `candidates=3 / c0=2 / stages=7 / blocked=14 / rendered_diff=0 / runtime=0`Public Gateway owner response acceptance 只讀帳本已新增 `candidates=3 / c0=2 / fields=33 / checks=22 / lanes=8 / blocked=28 / accepted=0 / runtime=0`,並補上手動 / 緊急 gateway 變更的 intent、approval / break-glass、route health、rollback validation 與 post-change monitoring 必填 refDNS / TLS / certbot Owner Confirmation Request 已新增 `requests=4 / c0=4 / fields=9 / questions=5 / guards=12 / received=0 / accepted=0`K8s / ArgoCD manifest repo-only 清冊已新增 `files=49 / c0=36 / yaml=45 / kinds=20 / blocked=13 / runtime=0`K8s / ArgoCD Owner Request Draft 已新增 `drafts=4 / c0=3 / fields=11 / sent=0 / runtime=0`K8s / ArgoCD owner response acceptance 只讀帳本已新增 `candidates=4 / c0=3 / fields=11 / checks=12 / lanes=7 / blocked=18 / accepted=0 / runtime=0`K8s / ArgoCD GitOps 變更證據驗收已新增 `candidates=4 / c0=3 / write_capable=4 / evidence_fields=18 / checks=18 / lanes=8 / blocked=28 / accepted=0 / runtime=0`CD / Runner / Secret 注入變更證據驗收已新增 `candidates=5 / c0=4 / write_capable=5 / workflow_files=33 / secret_names=42 / runner_labels=5 / evidence_fields=19 / checks=19 / lanes=8 / blocked=32 / accepted=0 / runtime=0`Public / Admin / API runtime config 變更證據驗收已新增 `candidates=6 / c0=5 / write_capable=6 / source_refs=20 / evidence_fields=21 / checks=21 / lanes=8 / blocked=32 / accepted=0 / runtime=0`,並把 raw namespace、repo slug、內部狀態碼與內部協作內容外洩列為拒收 / 隔離Backup / Restore / Escrow owner response acceptance 只讀帳本已新增 `candidates=38 / write_capable=27 / fields=14 / checks=13 / lanes=7 / blocked=22 / accepted=0 / runtime=0`SSH / Firewall / Network Access owner response acceptance 只讀帳本已新增 `candidates=16 / write_capable=6 / fields=13 / checks=15 / lanes=7 / blocked=22 / accepted=0 / runtime=0`;端口 / 防火牆變更證據驗收只讀帳本已新增 `candidates=14 / write_capable=6 / policy_or_exposure=5 / evidence_fields=16 / checks=16 / lanes=8 / blocked=24 / accepted=0 / runtime=0`owner response / live evidence / runtime gate / action buttons 仍全部為 0 |
| P0 agent-bounty 追加 | agent-bounty-protocol Owner Request Draft 已新增 `drafts=11 / control=4 / surface=7 / write_capable=8 / treasury=4 / mcp_a2a=5 / fields=22 / forbidden_inputs=25 / blocked=28 / sent=0 / runtime=0`;這是 repo / refs、deployment、data classification、MCP / A2A、cron / daemon、admin / treasury、webhook / traffic 的人工送件前草稿,不是 owner response、repo push、refs sync、workflow 修改、secret 收集、deploy、compose restart、DB migration、claim / submit、payout / withdrawal、cron / daemon、external send、host write 或 runtime gate |
| P1 追加 | Docker / systemd / Host Service Owner Request Draft 已新增 `drafts=9 / write_capable=3 / fields=12 / blocked=14 / sent=0 / runtime=0`SSH / Firewall / Network Access Owner Request Draft 已新增 `drafts=16 / write_capable=6 / fields=13 / blocked=16 / sent=0 / runtime=0`Backup / Restore / Escrow Owner Request Draft 已新增 `drafts=38 / write_capable=27 / fields=14 / blocked=18 / sent=0 / runtime=0`Backup / Restore / Escrow Owner Response Acceptance 已新增 `candidates=38 / write_capable=27 / reviewer_checks=13 / lanes=7 / blocked=22 / accepted=0 / runtime=0`Monitoring / Alerting / Observability Owner Request Draft 已新增 `drafts=60 / write_capable=11 / fields=14 / blocked=24 / sent=0 / runtime=0`Monitoring / Alerting / Observability Owner Response Acceptance 已新增 `candidates=60 / write_capable=11 / live_evidence_required=60 / fields=30 / owner_fields=14 / reviewer_checks=15 / lanes=7 / blocked=28 / accepted=0 / runtime=0`;上述全部仍是人工送件前草稿或只讀 acceptance 帳本,不是 owner response、live evidence、reload、restart、backup、restore、Telegram send、alert smoke、host write 或 runtime gate |
| P1 追加 | Docker / systemd / Host Service Owner Request Draft 已新增 `drafts=9 / write_capable=3 / fields=12 / blocked=14 / sent=0 / runtime=0`Docker / systemd / Host Service Owner Response Acceptance 已更新為 `candidates=9 / write_capable=3 / live_evidence_required=8 / fields=34 / owner_fields=18 / reviewer_checks=21 / lanes=8 / blocked=27 / accepted=0 / runtime=0`SSH / Firewall / Network Access Owner Request Draft 已新增 `drafts=16 / write_capable=6 / fields=13 / blocked=16 / sent=0 / runtime=0`Backup / Restore / Escrow Owner Request Draft 已新增 `drafts=38 / write_capable=27 / fields=14 / blocked=18 / sent=0 / runtime=0`Backup / Restore / Escrow Owner Response Acceptance 已新增 `candidates=38 / write_capable=27 / reviewer_checks=13 / lanes=7 / blocked=22 / accepted=0 / runtime=0`Monitoring / Alerting / Observability Owner Request Draft 已新增 `drafts=60 / write_capable=11 / fields=14 / blocked=24 / sent=0 / runtime=0`Monitoring / Alerting / Observability Owner Response Acceptance 已新增 `candidates=60 / write_capable=11 / live_evidence_required=60 / fields=30 / owner_fields=14 / reviewer_checks=15 / lanes=7 / blocked=28 / accepted=0 / runtime=0`;上述全部仍是人工送件前草稿或只讀 acceptance 帳本,不是 owner response、live evidence、reload、restart、backup、restore、Telegram send、alert smoke、host write 或 runtime gate |
| P2 供應鏈追加 | Package / Docker 供應鏈 repo-only baseline 已新增 `package_json=6 / pyproject=4 / requirements=2 / dockerfiles=2 / compose=6 / gaps=5 / runtime=0`Package / Docker 供應鏈 owner policy gate 已新增 `requests=6 / c0=2 / fields=8 / checks=12 / blocked=20 / sent=0 / accepted=0 / runtime=0`;缺口為 Python lockfile 缺席、requirements 未 pin、Docker base image 未全數 digest pinning、Docker `COPY --from` 外部 image 未 digest pinning、compose image 未 digest pinning以及 CVE / license / SBOM window 未定;目前尚未列入 36 個正式 AwoooP 消費 contract後續若要前台消費需同步 manifest / readiness / route / rollup / dry-run / posture projection / guard count本輪不 install、不 upgrade、不跑 CVE、不 pull / build / push image、不改 tag、不登入 registry、不部署 |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
| P0 主控板 | `docs/workplans/2026-06-04-iwooos-security-governance-p0.md` |
@@ -46,7 +46,7 @@
## 0.00a 2026-06-14 Docker / systemd / host service owner response acceptance
本輪把 Docker / systemd / host service 從 owner request draft 推進到 owner response acceptance 只讀帳本`host_service_owner_response_acceptance_v1` 固定 `candidates=9``write_capable=3``live_evidence_required=8``owner_fields=12``reviewer_checks=14``outcome_lanes=7``blocked_actions=20`,並讓 `docker_compose_systemd_host_config` 只讀治理成熟度 `50% -> 54%`,高價值配置平均只讀成熟度 `67% -> 68%`。這是 metadata-only 收件驗收,不是 request sent、owner response received / accepted、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、production write 或 runtime gate。
本輪把 Docker / systemd / host service owner response acceptance 追加事故回補`host_service_owner_response_acceptance_v1` 固定 `candidates=9``write_capable=3``live_evidence_required=8``acceptance_fields=34``owner_fields=18``reviewer_checks=21``outcome_lanes=8``blocked_actions=27`,並讓 `docker_compose_systemd_host_config` 只讀治理成熟度 `54% -> 58%`。新增要求包含 source-of-truth、服務依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。這是 metadata-only 收件驗收,不是 request sent、owner response received / accepted、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、production write 或 runtime gate。
同步邊界IwoooS headline 維持 `64%`active runtime gate 維持 `0`owner response / live evidence / runtime gate / action buttons 全部仍為 `0 / false`。本段只更新文件、snapshot、guard 與覆蓋矩陣,不改前端 bundle、不部署、不碰 Docker daemon、systemd、repair-bot、Ansible、Nginx、firewall 或主機。

20
docs/security/high-value-config-control-coverage.snapshot.json
View File

@@ -367,9 +367,9 @@
"action_buttons_allowed": false,
"category_id": "docker_compose_systemd_host_config",
"control_tier": "C1",
"coverage_percent": 54,
"coverage_status": "owner_response_acceptance_ledger_ready_needs_live_owner_evidence",
"current_gap": "已固定 9 份 Docker / systemd / host service owner response acceptance candidate仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。",
"coverage_percent": 58,
"coverage_status": "incident_recovery_backfill_ready_needs_live_owner_evidence",
"current_gap": "已固定 9 份 Docker / systemd / host service owner response acceptance candidate並加入事故恢復、依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補欄位;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。",
"evidence_refs": [
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
"docs/security/HOST-SERVICE-CONFIG-INVENTORY.md",
@@ -381,7 +381,7 @@
"docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md"
],
"label": "Docker Compose / systemd / host service config",
"next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、maintenance / restart window、rollback owner、post-check plandisable switch。",
"next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、maintenance / restart window、rollback owner、post-check plandisable switch、source-of-truth、服務依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
@@ -634,15 +634,15 @@
"websocket_route_change_authorized": false,
"workflow_modification_authorized": false
},
"generated_at": "2026-06-15T14:12:00+08:00",
"git_commit": "ed8c1905",
"generated_at": "2026-06-15T14:46:00+08:00",
"git_commit": "a77317fe",
"lowest_coverage_categories": [
{
"category_id": "docker_compose_systemd_host_config",
"coverage_percent": 54,
"current_gap": "已固定 9 份 Docker / systemd / host service owner response acceptance candidate仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。",
"coverage_percent": 58,
"current_gap": "已固定 9 份 Docker / systemd / host service owner response acceptance candidate並加入事故恢復、依賴圖、port binding、cold-start sequence、source-of-truth 與 daemon / runner 競爭回補欄位;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence。",
"label": "Docker Compose / systemd / host service config",
"next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、maintenance / restart window、rollback owner、post-check plandisable switch。"
"next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、maintenance / restart window、rollback owner、post-check plandisable switch、source-of-truth、服務依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。"
},
{
"category_id": "ai_provider_model_routing",
@@ -697,7 +697,7 @@
"c3_category_count": 1,
"category_count": 14,
"lowest_coverage_category_count": 4,
"needs_live_evidence_count": 9,
"needs_live_evidence_count": 10,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"owner_response_required_count": 14,

438
docs/security/host-service-owner-response-acceptance.snapshot.json
View File

@@ -28,6 +28,12 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref",
"reviewer_outcome",
"followup_owner",
"not_approval"
@@ -55,11 +61,24 @@
"raw_live_config_storage",
"restart_without_window",
"rollback_without_owner",
"accept_silent_restart",
"treat_service_healthy_as_config_accepted",
"skip_config_source_of_truth_review",
"skip_service_dependency_map",
"skip_port_binding_review",
"skip_cold_start_sequence",
"hide_daemon_runner_contention",
"runtime_gate_open",
"add_action_button"
],
"cold_start_sequence_accepted": false,
"cold_start_sequence_ref": null,
"config_kind": "docker_compose_source",
"config_source_of_truth_accepted": false,
"config_source_of_truth_ref": null,
"control_tier": "C1",
"daemon_runner_contention_accepted": false,
"daemon_runner_contention_ref": null,
"decision": "pending_owner_response",
"decision_reason": "pending_owner_response",
"disable_switch": "pending_owner_response",
@@ -68,6 +87,8 @@
"expected_host_scope": "local_dev_only",
"followup_owner": "pending_owner_response",
"host_write_authorized": false,
"incident_recovery_evidence_accepted": false,
"incident_recovery_evidence_ref": null,
"label": "AWOOOI local development compose",
"live_config_hash_accepted": false,
"live_config_hash_ref": null,
@@ -81,6 +102,7 @@
"quarantine_secret_or_raw_payload",
"reject_execution_request",
"request_supplement",
"incident_recovery_backfill_required",
"ready_for_host_service_review",
"owner_review_only_update",
"waiting_runtime_gate"
@@ -91,6 +113,8 @@
"owner_response_ref": null,
"owner_response_rejected": false,
"owner_role_or_team": "pending_owner_response",
"port_binding_inventory_accepted": false,
"port_binding_inventory_ref": null,
"post_check_plan": "pending_owner_response",
"post_check_plan_accepted": false,
"recipient_confirmed": false,
@@ -112,7 +136,13 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"followup_owner"
"followup_owner",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref"
],
"requires_live_evidence": false,
"restart_window": "pending_owner_response",
@@ -129,6 +159,13 @@
"rollback_owner_present",
"post_check_plan_present",
"disable_switch_present",
"config_source_of_truth_present",
"service_dependency_map_present",
"port_binding_inventory_present",
"cold_start_sequence_present",
"incident_recovery_evidence_present",
"daemon_runner_contention_reviewed",
"silent_restart_not_accepted",
"write_capable_requires_extra_review",
"no_runtime_request",
"counts_transition_safe"
@@ -138,6 +175,8 @@
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"service_dependency_map_accepted": false,
"service_dependency_map_ref": null,
"service_scope": [
"web",
"api",
@@ -182,6 +221,12 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref",
"reviewer_outcome",
"followup_owner",
"not_approval"
@@ -209,11 +254,24 @@
"raw_live_config_storage",
"restart_without_window",
"rollback_without_owner",
"accept_silent_restart",
"treat_service_healthy_as_config_accepted",
"skip_config_source_of_truth_review",
"skip_service_dependency_map",
"skip_port_binding_review",
"skip_cold_start_sequence",
"hide_daemon_runner_contention",
"runtime_gate_open",
"add_action_button"
],
"cold_start_sequence_accepted": false,
"cold_start_sequence_ref": null,
"config_kind": "docker_compose_source",
"config_source_of_truth_accepted": false,
"config_source_of_truth_ref": null,
"control_tier": "C1",
"daemon_runner_contention_accepted": false,
"daemon_runner_contention_ref": null,
"decision": "pending_owner_response",
"decision_reason": "pending_owner_response",
"disable_switch": "pending_owner_response",
@@ -222,6 +280,8 @@
"expected_host_scope": "192.168.0.110",
"followup_owner": "pending_owner_response",
"host_write_authorized": false,
"incident_recovery_evidence_accepted": false,
"incident_recovery_evidence_ref": null,
"label": "110 monitoring docker compose",
"live_config_hash_accepted": false,
"live_config_hash_ref": null,
@@ -235,6 +295,7 @@
"quarantine_secret_or_raw_payload",
"reject_execution_request",
"request_supplement",
"incident_recovery_backfill_required",
"ready_for_host_service_review",
"owner_review_only_update",
"waiting_runtime_gate"
@@ -245,6 +306,8 @@
"owner_response_ref": null,
"owner_response_rejected": false,
"owner_role_or_team": "pending_owner_response",
"port_binding_inventory_accepted": false,
"port_binding_inventory_ref": null,
"post_check_plan": "pending_owner_response",
"post_check_plan_accepted": false,
"recipient_confirmed": false,
@@ -266,7 +329,13 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"followup_owner"
"followup_owner",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref"
],
"requires_live_evidence": true,
"restart_window": "pending_owner_response",
@@ -283,6 +352,13 @@
"rollback_owner_present",
"post_check_plan_present",
"disable_switch_present",
"config_source_of_truth_present",
"service_dependency_map_present",
"port_binding_inventory_present",
"cold_start_sequence_present",
"incident_recovery_evidence_present",
"daemon_runner_contention_reviewed",
"silent_restart_not_accepted",
"write_capable_requires_extra_review",
"no_runtime_request",
"counts_transition_safe"
@@ -292,6 +368,8 @@
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"service_dependency_map_accepted": false,
"service_dependency_map_ref": null,
"service_scope": [
"cadvisor",
"prometheus",
@@ -338,6 +416,12 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref",
"reviewer_outcome",
"followup_owner",
"not_approval"
@@ -365,11 +449,24 @@
"raw_live_config_storage",
"restart_without_window",
"rollback_without_owner",
"accept_silent_restart",
"treat_service_healthy_as_config_accepted",
"skip_config_source_of_truth_review",
"skip_service_dependency_map",
"skip_port_binding_review",
"skip_cold_start_sequence",
"hide_daemon_runner_contention",
"runtime_gate_open",
"add_action_button"
],
"cold_start_sequence_accepted": false,
"cold_start_sequence_ref": null,
"config_kind": "docker_compose_source",
"config_source_of_truth_accepted": false,
"config_source_of_truth_ref": null,
"control_tier": "C1",
"daemon_runner_contention_accepted": false,
"daemon_runner_contention_ref": null,
"decision": "pending_owner_response",
"decision_reason": "pending_owner_response",
"disable_switch": "pending_owner_response",
@@ -378,6 +475,8 @@
"expected_host_scope": "192.168.0.188",
"followup_owner": "pending_owner_response",
"host_write_authorized": false,
"incident_recovery_evidence_accepted": false,
"incident_recovery_evidence_ref": null,
"label": "188 database exporters compose",
"live_config_hash_accepted": false,
"live_config_hash_ref": null,
@@ -391,6 +490,7 @@
"quarantine_secret_or_raw_payload",
"reject_execution_request",
"request_supplement",
"incident_recovery_backfill_required",
"ready_for_host_service_review",
"owner_review_only_update",
"waiting_runtime_gate"
@@ -401,6 +501,8 @@
"owner_response_ref": null,
"owner_response_rejected": false,
"owner_role_or_team": "pending_owner_response",
"port_binding_inventory_accepted": false,
"port_binding_inventory_ref": null,
"post_check_plan": "pending_owner_response",
"post_check_plan_accepted": false,
"recipient_confirmed": false,
@@ -422,7 +524,13 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"followup_owner"
"followup_owner",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref"
],
"requires_live_evidence": true,
"restart_window": "pending_owner_response",
@@ -439,6 +547,13 @@
"rollback_owner_present",
"post_check_plan_present",
"disable_switch_present",
"config_source_of_truth_present",
"service_dependency_map_present",
"port_binding_inventory_present",
"cold_start_sequence_present",
"incident_recovery_evidence_present",
"daemon_runner_contention_reviewed",
"silent_restart_not_accepted",
"write_capable_requires_extra_review",
"no_runtime_request",
"counts_transition_safe"
@@ -448,6 +563,8 @@
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"service_dependency_map_accepted": false,
"service_dependency_map_ref": null,
"service_scope": [
"postgres-exporter",
"redis-exporter"
@@ -490,6 +607,12 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref",
"reviewer_outcome",
"followup_owner",
"not_approval"
@@ -517,11 +640,24 @@
"raw_live_config_storage",
"restart_without_window",
"rollback_without_owner",
"accept_silent_restart",
"treat_service_healthy_as_config_accepted",
"skip_config_source_of_truth_review",
"skip_service_dependency_map",
"skip_port_binding_review",
"skip_cold_start_sequence",
"hide_daemon_runner_contention",
"runtime_gate_open",
"add_action_button"
],
"cold_start_sequence_accepted": false,
"cold_start_sequence_ref": null,
"config_kind": "docker_compose_reference",
"config_source_of_truth_accepted": false,
"config_source_of_truth_ref": null,
"control_tier": "C1",
"daemon_runner_contention_accepted": false,
"daemon_runner_contention_ref": null,
"decision": "pending_owner_response",
"decision_reason": "pending_owner_response",
"disable_switch": "pending_owner_response",
@@ -530,6 +666,8 @@
"expected_host_scope": "192.168.0.110",
"followup_owner": "pending_owner_response",
"host_write_authorized": false,
"incident_recovery_evidence_accepted": false,
"incident_recovery_evidence_ref": null,
"label": "110 Sentry self-hosted reference compose",
"live_config_hash_accepted": false,
"live_config_hash_ref": null,
@@ -543,6 +681,7 @@
"quarantine_secret_or_raw_payload",
"reject_execution_request",
"request_supplement",
"incident_recovery_backfill_required",
"ready_for_host_service_review",
"owner_review_only_update",
"waiting_runtime_gate"
@@ -553,6 +692,8 @@
"owner_response_ref": null,
"owner_response_rejected": false,
"owner_role_or_team": "pending_owner_response",
"port_binding_inventory_accepted": false,
"port_binding_inventory_ref": null,
"post_check_plan": "pending_owner_response",
"post_check_plan_accepted": false,
"recipient_confirmed": false,
@@ -574,7 +715,13 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"followup_owner"
"followup_owner",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref"
],
"requires_live_evidence": true,
"restart_window": "pending_owner_response",
@@ -591,6 +738,13 @@
"rollback_owner_present",
"post_check_plan_present",
"disable_switch_present",
"config_source_of_truth_present",
"service_dependency_map_present",
"port_binding_inventory_present",
"cold_start_sequence_present",
"incident_recovery_evidence_present",
"daemon_runner_contention_reviewed",
"silent_restart_not_accepted",
"write_capable_requires_extra_review",
"no_runtime_request",
"counts_transition_safe"
@@ -600,6 +754,8 @@
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"service_dependency_map_accepted": false,
"service_dependency_map_ref": null,
"service_scope": [
"sentry-placeholder-reference"
],
@@ -641,6 +797,12 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref",
"reviewer_outcome",
"followup_owner",
"not_approval"
@@ -668,11 +830,24 @@
"raw_live_config_storage",
"restart_without_window",
"rollback_without_owner",
"accept_silent_restart",
"treat_service_healthy_as_config_accepted",
"skip_config_source_of_truth_review",
"skip_service_dependency_map",
"skip_port_binding_review",
"skip_cold_start_sequence",
"hide_daemon_runner_contention",
"runtime_gate_open",
"add_action_button"
],
"cold_start_sequence_accepted": false,
"cold_start_sequence_ref": null,
"config_kind": "docker_compose_source",
"config_source_of_truth_accepted": false,
"config_source_of_truth_ref": null,
"control_tier": "C1",
"daemon_runner_contention_accepted": false,
"daemon_runner_contention_ref": null,
"decision": "pending_owner_response",
"decision_reason": "pending_owner_response",
"disable_switch": "pending_owner_response",
@@ -681,6 +856,8 @@
"expected_host_scope": "192.168.0.110",
"followup_owner": "pending_owner_response",
"host_write_authorized": false,
"incident_recovery_evidence_accepted": false,
"incident_recovery_evidence_ref": null,
"label": "110 Langfuse compose",
"live_config_hash_accepted": false,
"live_config_hash_ref": null,
@@ -694,6 +871,7 @@
"quarantine_secret_or_raw_payload",
"reject_execution_request",
"request_supplement",
"incident_recovery_backfill_required",
"ready_for_host_service_review",
"owner_review_only_update",
"waiting_runtime_gate"
@@ -704,6 +882,8 @@
"owner_response_ref": null,
"owner_response_rejected": false,
"owner_role_or_team": "pending_owner_response",
"port_binding_inventory_accepted": false,
"port_binding_inventory_ref": null,
"post_check_plan": "pending_owner_response",
"post_check_plan_accepted": false,
"recipient_confirmed": false,
@@ -725,7 +905,13 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"followup_owner"
"followup_owner",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref"
],
"requires_live_evidence": true,
"restart_window": "pending_owner_response",
@@ -742,6 +928,13 @@
"rollback_owner_present",
"post_check_plan_present",
"disable_switch_present",
"config_source_of_truth_present",
"service_dependency_map_present",
"port_binding_inventory_present",
"cold_start_sequence_present",
"incident_recovery_evidence_present",
"daemon_runner_contention_reviewed",
"silent_restart_not_accepted",
"write_capable_requires_extra_review",
"no_runtime_request",
"counts_transition_safe"
@@ -751,6 +944,8 @@
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"service_dependency_map_accepted": false,
"service_dependency_map_ref": null,
"service_scope": [
"langfuse",
"langfuse-db"
@@ -793,6 +988,12 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref",
"reviewer_outcome",
"followup_owner",
"not_approval"
@@ -820,11 +1021,24 @@
"raw_live_config_storage",
"restart_without_window",
"rollback_without_owner",
"accept_silent_restart",
"treat_service_healthy_as_config_accepted",
"skip_config_source_of_truth_review",
"skip_service_dependency_map",
"skip_port_binding_review",
"skip_cold_start_sequence",
"hide_daemon_runner_contention",
"runtime_gate_open",
"add_action_button"
],
"cold_start_sequence_accepted": false,
"cold_start_sequence_ref": null,
"config_kind": "ansible_service_executor",
"config_source_of_truth_accepted": false,
"config_source_of_truth_ref": null,
"control_tier": "C1",
"daemon_runner_contention_accepted": false,
"daemon_runner_contention_ref": null,
"decision": "pending_owner_response",
"decision_reason": "pending_owner_response",
"disable_switch": "pending_owner_response",
@@ -833,6 +1047,8 @@
"expected_host_scope": "multi_host",
"followup_owner": "pending_owner_response",
"host_write_authorized": false,
"incident_recovery_evidence_accepted": false,
"incident_recovery_evidence_ref": null,
"label": "Ansible docker-compose-service role",
"live_config_hash_accepted": false,
"live_config_hash_ref": null,
@@ -846,6 +1062,7 @@
"quarantine_secret_or_raw_payload",
"reject_execution_request",
"request_supplement",
"incident_recovery_backfill_required",
"ready_for_host_service_review",
"owner_review_only_update",
"waiting_runtime_gate"
@@ -856,6 +1073,8 @@
"owner_response_ref": null,
"owner_response_rejected": false,
"owner_role_or_team": "pending_owner_response",
"port_binding_inventory_accepted": false,
"port_binding_inventory_ref": null,
"post_check_plan": "pending_owner_response",
"post_check_plan_accepted": false,
"recipient_confirmed": false,
@@ -877,7 +1096,13 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"followup_owner"
"followup_owner",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref"
],
"requires_live_evidence": true,
"restart_window": "pending_owner_response",
@@ -894,6 +1119,13 @@
"rollback_owner_present",
"post_check_plan_present",
"disable_switch_present",
"config_source_of_truth_present",
"service_dependency_map_present",
"port_binding_inventory_present",
"cold_start_sequence_present",
"incident_recovery_evidence_present",
"daemon_runner_contention_reviewed",
"silent_restart_not_accepted",
"write_capable_requires_extra_review",
"no_runtime_request",
"counts_transition_safe"
@@ -903,6 +1135,8 @@
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"service_dependency_map_accepted": false,
"service_dependency_map_ref": null,
"service_scope": [
"docker compose up -d"
],
@@ -944,6 +1178,12 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref",
"reviewer_outcome",
"followup_owner",
"not_approval"
@@ -971,11 +1211,24 @@
"raw_live_config_storage",
"restart_without_window",
"rollback_without_owner",
"accept_silent_restart",
"treat_service_healthy_as_config_accepted",
"skip_config_source_of_truth_review",
"skip_service_dependency_map",
"skip_port_binding_review",
"skip_cold_start_sequence",
"hide_daemon_runner_contention",
"runtime_gate_open",
"add_action_button"
],
"cold_start_sequence_accepted": false,
"cold_start_sequence_ref": null,
"config_kind": "host_repair_whitelist",
"config_source_of_truth_accepted": false,
"config_source_of_truth_ref": null,
"control_tier": "C1",
"daemon_runner_contention_accepted": false,
"daemon_runner_contention_ref": null,
"decision": "pending_owner_response",
"decision_reason": "pending_owner_response",
"disable_switch": "pending_owner_response",
@@ -984,6 +1237,8 @@
"expected_host_scope": "192.168.0.110",
"followup_owner": "pending_owner_response",
"host_write_authorized": false,
"incident_recovery_evidence_accepted": false,
"incident_recovery_evidence_ref": null,
"label": "110 repair-bot compose whitelist",
"live_config_hash_accepted": false,
"live_config_hash_ref": null,
@@ -997,6 +1252,7 @@
"quarantine_secret_or_raw_payload",
"reject_execution_request",
"request_supplement",
"incident_recovery_backfill_required",
"ready_for_host_service_review",
"owner_review_only_update",
"waiting_runtime_gate"
@@ -1007,6 +1263,8 @@
"owner_response_ref": null,
"owner_response_rejected": false,
"owner_role_or_team": "pending_owner_response",
"port_binding_inventory_accepted": false,
"port_binding_inventory_ref": null,
"post_check_plan": "pending_owner_response",
"post_check_plan_accepted": false,
"recipient_confirmed": false,
@@ -1028,7 +1286,13 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"followup_owner"
"followup_owner",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref"
],
"requires_live_evidence": true,
"restart_window": "pending_owner_response",
@@ -1045,6 +1309,13 @@
"rollback_owner_present",
"post_check_plan_present",
"disable_switch_present",
"config_source_of_truth_present",
"service_dependency_map_present",
"port_binding_inventory_present",
"cold_start_sequence_present",
"incident_recovery_evidence_present",
"daemon_runner_contention_reviewed",
"silent_restart_not_accepted",
"write_capable_requires_extra_review",
"no_runtime_request",
"counts_transition_safe"
@@ -1054,6 +1325,8 @@
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"service_dependency_map_accepted": false,
"service_dependency_map_ref": null,
"service_scope": [
"sentry",
"harbor",
@@ -1101,6 +1374,12 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref",
"reviewer_outcome",
"followup_owner",
"not_approval"
@@ -1128,11 +1407,24 @@
"raw_live_config_storage",
"restart_without_window",
"rollback_without_owner",
"accept_silent_restart",
"treat_service_healthy_as_config_accepted",
"skip_config_source_of_truth_review",
"skip_service_dependency_map",
"skip_port_binding_review",
"skip_cold_start_sequence",
"hide_daemon_runner_contention",
"runtime_gate_open",
"add_action_button"
],
"cold_start_sequence_accepted": false,
"cold_start_sequence_ref": null,
"config_kind": "host_repair_whitelist",
"config_source_of_truth_accepted": false,
"config_source_of_truth_ref": null,
"control_tier": "C1",
"daemon_runner_contention_accepted": false,
"daemon_runner_contention_ref": null,
"decision": "pending_owner_response",
"decision_reason": "pending_owner_response",
"disable_switch": "pending_owner_response",
@@ -1141,6 +1433,8 @@
"expected_host_scope": "192.168.0.188",
"followup_owner": "pending_owner_response",
"host_write_authorized": false,
"incident_recovery_evidence_accepted": false,
"incident_recovery_evidence_ref": null,
"label": "188 repair-bot compose/systemd whitelist",
"live_config_hash_accepted": false,
"live_config_hash_ref": null,
@@ -1154,6 +1448,7 @@
"quarantine_secret_or_raw_payload",
"reject_execution_request",
"request_supplement",
"incident_recovery_backfill_required",
"ready_for_host_service_review",
"owner_review_only_update",
"waiting_runtime_gate"
@@ -1164,6 +1459,8 @@
"owner_response_ref": null,
"owner_response_rejected": false,
"owner_role_or_team": "pending_owner_response",
"port_binding_inventory_accepted": false,
"port_binding_inventory_ref": null,
"post_check_plan": "pending_owner_response",
"post_check_plan_accepted": false,
"recipient_confirmed": false,
@@ -1185,7 +1482,13 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"followup_owner"
"followup_owner",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref"
],
"requires_live_evidence": true,
"restart_window": "pending_owner_response",
@@ -1202,6 +1505,13 @@
"rollback_owner_present",
"post_check_plan_present",
"disable_switch_present",
"config_source_of_truth_present",
"service_dependency_map_present",
"port_binding_inventory_present",
"cold_start_sequence_present",
"incident_recovery_evidence_present",
"daemon_runner_contention_reviewed",
"silent_restart_not_accepted",
"write_capable_requires_extra_review",
"no_runtime_request",
"counts_transition_safe"
@@ -1211,6 +1521,8 @@
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"service_dependency_map_accepted": false,
"service_dependency_map_ref": null,
"service_scope": [
"openclaw",
"minio",
@@ -1257,6 +1569,12 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref",
"reviewer_outcome",
"followup_owner",
"not_approval"
@@ -1284,11 +1602,24 @@
"raw_live_config_storage",
"restart_without_window",
"rollback_without_owner",
"accept_silent_restart",
"treat_service_healthy_as_config_accepted",
"skip_config_source_of_truth_review",
"skip_service_dependency_map",
"skip_port_binding_review",
"skip_cold_start_sequence",
"hide_daemon_runner_contention",
"runtime_gate_open",
"add_action_button"
],
"cold_start_sequence_accepted": false,
"cold_start_sequence_ref": null,
"config_kind": "backup_capture_contract",
"config_source_of_truth_accepted": false,
"config_source_of_truth_ref": null,
"control_tier": "C1",
"daemon_runner_contention_accepted": false,
"daemon_runner_contention_ref": null,
"decision": "pending_owner_response",
"decision_reason": "pending_owner_response",
"disable_switch": "pending_owner_response",
@@ -1297,6 +1628,8 @@
"expected_host_scope": "110_188_120_121_cluster",
"followup_owner": "pending_owner_response",
"host_write_authorized": false,
"incident_recovery_evidence_accepted": false,
"incident_recovery_evidence_ref": null,
"label": "host config backup capture contract",
"live_config_hash_accepted": false,
"live_config_hash_ref": null,
@@ -1310,6 +1643,7 @@
"quarantine_secret_or_raw_payload",
"reject_execution_request",
"request_supplement",
"incident_recovery_backfill_required",
"ready_for_host_service_review",
"owner_review_only_update",
"waiting_runtime_gate"
@@ -1320,6 +1654,8 @@
"owner_response_ref": null,
"owner_response_rejected": false,
"owner_role_or_team": "pending_owner_response",
"port_binding_inventory_accepted": false,
"port_binding_inventory_ref": null,
"post_check_plan": "pending_owner_response",
"post_check_plan_accepted": false,
"recipient_confirmed": false,
@@ -1341,7 +1677,13 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"followup_owner"
"followup_owner",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref"
],
"requires_live_evidence": true,
"restart_window": "pending_owner_response",
@@ -1358,6 +1700,13 @@
"rollback_owner_present",
"post_check_plan_present",
"disable_switch_present",
"config_source_of_truth_present",
"service_dependency_map_present",
"port_binding_inventory_present",
"cold_start_sequence_present",
"incident_recovery_evidence_present",
"daemon_runner_contention_reviewed",
"silent_restart_not_accepted",
"write_capable_requires_extra_review",
"no_runtime_request",
"counts_transition_safe"
@@ -1367,6 +1716,8 @@
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"service_dependency_map_accepted": false,
"service_dependency_map_ref": null,
"service_scope": [
"systemd",
"docker",
@@ -1412,6 +1763,12 @@
"rollback_owner",
"post_check_plan",
"disable_switch",
"config_source_of_truth_ref",
"service_dependency_map_ref",
"port_binding_inventory_ref",
"cold_start_sequence_ref",
"incident_recovery_evidence_ref",
"daemon_runner_contention_ref",
"reviewer_outcome",
"followup_owner",
"not_approval"
@@ -1435,6 +1792,13 @@
"raw_live_config_storage",
"restart_without_window",
"rollback_without_owner",
"accept_silent_restart",
"treat_service_healthy_as_config_accepted",
"skip_config_source_of_truth_review",
"skip_service_dependency_map",
"skip_port_binding_review",
"skip_cold_start_sequence",
"hide_daemon_runner_contention",
"runtime_gate_open",
"add_action_button"
],
@@ -1456,12 +1820,12 @@
"sudo_action_authorized": false,
"systemctl_action_authorized": false
},
"generated_at": "2026-06-14T23:45:00+08:00",
"git_commit": "92e451cb",
"generated_at": "2026-06-15T14:45:00+08:00",
"git_commit": "a77317fe",
"next_steps": [
"等待 owner 以脫敏 metadata ref 回覆 live config hash、maintenance / restart window、rollback owner、post-check plandisable switch。",
"等待 owner 以脫敏 metadata ref 回覆 live config hash、maintenance / restart window、rollback owner、post-check plandisable switch、source of truth、依賴圖、port binding、cold-start sequence、incident recovery evidence 與 daemon / runner contention review。",
"收到回覆後先做欄位完整性、敏感 payload 隔離與 execution request 拒收,不得直接 host read、restart、repair-bot 或 Ansible apply。",
"write-capable surface 必須額外 reviewer review且 runtime gate 需獨立人工批准、rollback 與 post-check 成立。"
"write-capable 或事故回補 surface 必須額外 reviewer review且 runtime gate 需獨立人工批准、rollback、dependency / port / cold-start 與 post-check 成立。"
],
"outcome_lanes": [
{
@@ -1480,6 +1844,10 @@
"lane_id": "request_supplement",
"meaning": "欄位不足、scope 不清、live hash ref / rollback / post-check 缺失時要求補件。"
},
{
"lane_id": "incident_recovery_backfill_required",
"meaning": "涉及服務異常、靜默重啟、端口事故或 cold-start recovery 時,必須進事故回補,不得直接 accepted。"
},
{
"lane_id": "ready_for_host_service_review",
"meaning": "metadata 合格後,只能進 host service reviewer review。"
@@ -1538,6 +1906,34 @@
"check_id": "disable_switch_present",
"instruction": "repair-bot、Ansible role 或 service config 需有 disable switch 或 freeze rule。"
},
{
"check_id": "config_source_of_truth_present",
"instruction": "必須提供 repo source、live source、runner source 與 backup source 的真相來源 ref不得只用口頭描述。"
},
{
"check_id": "service_dependency_map_present",
"instruction": "必須提供服務依賴 ref涵蓋上游、下游、資料庫、queue、registry、AI provider 與 public route 影響。"
},
{
"check_id": "port_binding_inventory_present",
"instruction": "必須提供 port binding / exposure inventory ref避免 host port、container port、proxy 與防火牆狀態彼此漂移。"
},
{
"check_id": "cold_start_sequence_present",
"instruction": "必須提供 cold-start / recovery sequence ref明確列出 Docker daemon、compose stack、systemd unit、runner 與 post-check 順序。"
},
{
"check_id": "incident_recovery_evidence_present",
"instruction": "若回覆涉及服務異常、重啟或端口事故必須提供恢復時間、服務健康、route health 與 operator notice ref。"
},
{
"check_id": "daemon_runner_contention_reviewed",
"instruction": "必須說明 Docker daemon、iptables / xtables、runner、repair-bot、backup job 或 compose action 是否可能互相競爭。"
},
{
"check_id": "silent_restart_not_accepted",
"instruction": "不得接受沒有 actor、原因、依賴圖、port inventory、回滾與 post-check 的靜默 restart / reload。"
},
{
"check_id": "write_capable_requires_extra_review",
"instruction": "write-capable surface 必須進額外 reviewer review不得直接 accepted。"
@@ -1559,34 +1955,40 @@
"status": "owner_response_acceptance_ledger_ready_no_runtime_action",
"summary": {
"acceptance_candidate_count": 9,
"acceptance_field_count": 28,
"acceptance_field_count": 34,
"action_button_count": 0,
"active_scan_authorized_count": 0,
"ansible_apply_authorized_count": 0,
"blocked_action_count": 20,
"blocked_action_count": 27,
"cold_start_sequence_accepted_count": 0,
"config_source_of_truth_accepted_count": 0,
"daemon_runner_contention_accepted_count": 0,
"disable_switch_accepted_count": 0,
"docker_compose_action_authorized_count": 0,
"host_write_authorized_count": 0,
"incident_recovery_evidence_accepted_count": 0,
"live_config_hash_accepted_count": 0,
"live_evidence_received_count": 0,
"live_evidence_required_candidate_count": 8,
"live_host_read_authorized_count": 0,
"maintenance_window_accepted_count": 0,
"outcome_lane_count": 7,
"outcome_lane_count": 8,
"owner_response_accepted_count": 0,
"owner_response_quarantined_count": 0,
"owner_response_received_count": 0,
"owner_response_rejected_count": 0,
"port_binding_inventory_accepted_count": 0,
"post_check_plan_accepted_count": 0,
"recipient_confirmed_count": 0,
"repair_bot_execution_authorized_count": 0,
"request_sent_count": 0,
"required_owner_field_count": 12,
"required_owner_field_count": 18,
"restart_window_accepted_count": 0,
"reviewer_check_count": 14,
"reviewer_check_count": 21,
"rollback_owner_accepted_count": 0,
"runtime_gate_count": 0,
"secret_value_collection_allowed_count": 0,
"service_dependency_map_accepted_count": 0,
"source_owner_request_count": 9,
"ssh_read_authorized_count": 0,
"ssh_write_authorized_count": 0,

4
docs/security/iwooos-posture-projection.snapshot.json
View File

@@ -8611,14 +8611,14 @@
"global_security_mesh_matrix_read_only_count": 9,
"global_security_mesh_matrix_runtime_gate_count": 0,
"high_value_config_control_coverage_action_button_count": 0,
"high_value_config_control_coverage_average_percent": 68,
"high_value_config_control_coverage_average_percent": 69,
"high_value_config_control_coverage_c0_category_count": 8,
"high_value_config_control_coverage_c1_category_count": 4,
"high_value_config_control_coverage_category_count": 14,
"high_value_config_control_coverage_first_layer": true,
"high_value_config_control_coverage_item_count": 4,
"high_value_config_control_coverage_lowest_category_count": 4,
"high_value_config_control_coverage_needs_live_evidence_count": 9,
"high_value_config_control_coverage_needs_live_evidence_count": 10,
"high_value_config_control_coverage_owner_response_accepted_count": 0,
"high_value_config_control_coverage_owner_response_received_count": 0,
"high_value_config_control_coverage_owner_response_required_count": 14,