fix(web): 接入 Kali 112 只讀快照

2026-05-31 17:34:14 +08:00
parent a8f6a85002
commit 86b6481009
8 changed files with 127 additions and 7 deletions
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -3714,7 +3714,7 @@
        "reasons": {
          "providerHeartbeatNoMatch": "Provider 有心跳，但這個 Incident 尚未匹配",
          "noMatchingProviderSourceEvent": "查無可匹配的 Sentry / SigNoz 事件",
-          "noIncidentIds": "缺 Incident ID，無法關聯",
+          "noIncidentIds": "缺事件編號，無法關聯",
          "incidentNotFound": "Incident 記錄不存在",
          "fetchFailed": "讀取來源關聯失敗"
        },
@@ -10988,7 +10988,7 @@
        },
        "kali112": {
          "title": "Kali 112 已納入資安網",
-          "body": "192.168.0.112 已在主機覆蓋與證據框架中；目前是只讀納管，不是已批准主動掃描、憑證掃描、/execute 或主機更新。"
+          "body": "2026-05-31 17:22 已用既有 SSH key 完成只讀快照：Kali Rolling、kernel 6.16.8、root disk 26%、待更新套件 1994、失敗 systemd unit 1。沒有啟動掃描、/execute、主機更新或重啟。"
        },
        "allProducts": {
          "title": "所有產品先套只讀框架",
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -3714,7 +3714,7 @@
        "reasons": {
          "providerHeartbeatNoMatch": "Provider 有心跳，但這個 Incident 尚未匹配",
          "noMatchingProviderSourceEvent": "查無可匹配的 Sentry / SigNoz 事件",
-          "noIncidentIds": "缺 Incident ID，無法關聯",
+          "noIncidentIds": "缺事件編號，無法關聯",
          "incidentNotFound": "Incident 記錄不存在",
          "fetchFailed": "讀取來源關聯失敗"
        },
@@ -10988,7 +10988,7 @@
        },
        "kali112": {
          "title": "Kali 112 已納入資安網",
-          "body": "192.168.0.112 已在主機覆蓋與證據框架中；目前是只讀納管，不是已批准主動掃描、憑證掃描、/execute 或主機更新。"
+          "body": "2026-05-31 17:22 已用既有 SSH key 完成只讀快照：Kali Rolling、kernel 6.16.8、root disk 26%、待更新套件 1994、失敗 systemd unit 1。沒有啟動掃描、/execute、主機更新或重啟。"
        },
        "allProducts": {
          "title": "所有產品先套只讀框架",
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -636,7 +636,7 @@ const postureMetrics: PostureMetric[] = [

 const fastProgressItems: FastProgressItem[] = [
  { key: 'done', value: '7 頁', icon: CheckCircle2, tone: 'steady' },
-  { key: 'kali112', value: '已納管', icon: ShieldCheck, tone: 'warn' },
+  { key: 'kali112', value: '只讀通過', icon: ShieldCheck, tone: 'warn' },
  { key: 'allProducts', value: '6 / 6', icon: Radar, tone: 'steady' },
  { key: 'runtime', value: 'Gate 0', icon: Lock, tone: 'locked' },
 ]
--- a/apps/web/src/components/aiops/timeline/TimelineFilter.tsx
+++ b/apps/web/src/components/aiops/timeline/TimelineFilter.tsx
@@ -36,7 +36,7 @@ export function TimelineFilter({ filter, onChange, incidentCount }: TimelineFilt

  return (
    <div className="flex flex-col gap-3 sm:flex-row sm:items-center sm:gap-4 mb-6">
-      {/* Incident ID 搜尋 */}
+      {/* 事件編號搜尋 */}
      <div className="relative flex-1 min-w-0">
        <Search className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-nothing-gray-400 pointer-events-none" />
        <input
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,49 @@
+## 2026-05-31｜Kali 112 只讀實機快照接入 IwoooS
+
+**背景**：
+
+- 使用者持續追問 Kali `192.168.0.112` 是否真的整合進資安網，以及資安工作是否有具體推進。
+- 本輪延續低摩擦策略：先取得真實只讀證據並前台可見，不啟動掃描、不呼叫 `/execute`、不做主機更新或重啟。
+
+**本次調整**：
+
+- 以既有 SSH key 對 Kali `192.168.0.112` 完成 read-only 快照：OS、kernel、uptime、load、memory、root disk、failed systemd units、待更新套件數、TCP / UDP listening socket 數。
+- `docs/security/kali-integration-status.snapshot.json` 新增 `latest_read_only_observation`，紀錄 `2026-05-31T17:22:20+08:00` 的只讀證據與禁止邊界。
+- `docs/security/KALI-INTEGRATION-STATUS.md` 新增 2026-05-31 只讀實機快照章節。
+- `/iwooos` 首屏 Kali 112 卡片從「已納管」推進為「只讀通過」，直接呈現 `待更新套件 1994`、`失敗 systemd unit 1`、`root disk 26%` 等可驗證狀態。
+- 清除前台文案殘留 `Incident ID`，改為「事件編號」，符合全站繁體中文要求。
+- `security-mirror-progress-guard.py` 鎖住 Kali 112 最新只讀快照與四個禁止 runtime 旗標，避免後續誤把只讀證據升級成掃描 / 更新 / 重啟授權。
+
+**驗證**：
+
+```text
+ssh kali@192.168.0.112 read-only batch
+  -> host=kali, OS=Kali GNU/Linux Rolling, kernel=Linux 6.16.8+kali-amd64
+  -> uptime=up 3 weeks, 1 day, 21 hours, 58 minutes
+  -> load=0.09 0.12 0.15, memory=885Mi/7.8Gi, root disk=19G/79G 26%
+  -> failed_units=1, upgradable_lines=1994, listening_tcp=7, listening_udp=2
+python3 -m json.tool docs/security/kali-integration-status.snapshot.json
+  -> pass
+python3 -m json.tool apps/web/messages/zh-TW.json / en.json
+  -> pass
+python3 scripts/security/security-mirror-progress-guard.py
+  -> SECURITY_MIRROR_PROGRESS_GUARD_OK
+python3 scripts/security/source-control-owner-response-guard.py
+  -> SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK
+pnpm --dir apps/web run typecheck
+  -> pass
+NEXT_PUBLIC_API_URL=https://awoooi.wooo.work pnpm --dir apps/web run build
+  -> pass
+本地 Playwright（production build / next start）:
+  /zh-TW/iwooos 與 /en/iwooos -> Kali 112 只讀快照文案可見、無 Incident ID 英文殘留、無水平溢出
+```
+
+**進度邊界**：
+
+- 整體資安網 headline 仍維持 `61%`：Kali 112 已從「文件納管」推進為「可連線、已驗證、可前台呈現、guard 鎖住的只讀實機證據」，但尚未到 scan result ingestion、維護窗口更新或 runtime gate，因此先不灌水成 headline +1。
+- active runtime gate 仍為 `0`；本輪沒有掃描、credentialed scan、`/execute`、主機更新、套件升級、調校、重啟、repo / refs / workflow 變更或 GitHub primary 切換。
+- 後續要真正做 Kali 更新 / 調校，仍需維護窗口、rollback / reboot gate、failed unit 調查與人工批准。
+
 ## 2026-05-31｜Telegram / AwoooP 執行完成與失敗判定明確化

 **背景**：
--- a/docs/security/KALI-INTEGRATION-STATUS.md
+++ b/docs/security/KALI-INTEGRATION-STATUS.md
@@ -2,7 +2,7 @@

 | 項目 | 內容 |
 |------|------|
-| 日期 | 2026-05-13 |
+| 日期 | 2026-05-13；最新只讀快照 2026-05-31 17:22（台北） |
 | Host | `192.168.0.112` |
 | Asset key | `host:kali-112` |
 | 狀態 | `partial_runtime_health_integrated` |
@@ -22,6 +22,27 @@ Kali 主機不是只有文件預留；`192.168.0.112` 目前已經有 live runti

 但它還沒有完成「資安網閉環」整合：Kali scan result 尚未正式寫入 AWOOOI asset / compliance 表，也尚未 mirror 成 AwoooP Runtime State、Channel Event 或 Audit evidence。因此目前判定是「健康與基礎掃描已存在，治理閉環尚未接通」。

+## 0.1 2026-05-31 只讀實機快照
+
+本輪用既有 SSH key 完成 read-only 連線檢查，沒有輸入或保存密碼，沒有啟動 scan、沒有呼叫 `/execute`、沒有執行 package update、沒有調整設定、沒有重啟。
+
+| 項目 | 結果 |
+|------|------|
+| 觀測時間 | `2026-05-31T17:22:20+08:00` |
+| Collection mode | `ssh_batch_read_only_existing_key` |
+| Hostname | `kali` |
+| OS | `Kali GNU/Linux Rolling` |
+| Kernel | `Linux 6.16.8+kali-amd64` |
+| Uptime | `up 3 weeks, 1 day, 21 hours, 58 minutes` |
+| Load 1/5/15 | `0.09 0.12 0.15` |
+| Memory | `885Mi/7.8Gi` |
+| Root disk | `19G/79G 26%` |
+| Failed systemd units | `1` |
+| Upgradable packages | `1994` |
+| Listening TCP / UDP | `7 / 2` |
+
+結論：Kali `192.168.0.112` 已可被 IwoooS 以只讀方式納入證據鏈；但 `failed_systemd_unit_count=1` 與 `upgradable_package_count=1994` 代表後續仍需要維護窗口、rollback / reboot gate 與人工批准，不能直接把「可連線」解讀為已完成主機調校或安全更新。
+
 ## 1. 已確認的 live 狀態

 | 項目 | 結果 |
--- a/docs/security/kali-integration-status.snapshot.json
+++ b/docs/security/kali-integration-status.snapshot.json
@@ -52,6 +52,27 @@
    "remaining_upgradable_count": 1994,
    "full_upgrade_status": "not_run_requires_maintenance_window"
  },
+  "latest_read_only_observation": {
+    "observed_at_utc": "2026-05-31T09:22:20Z",
+    "observed_at_taipei": "2026-05-31T17:22:20+08:00",
+    "collection_mode": "ssh_batch_read_only_existing_key",
+    "runtime_actions_executed": false,
+    "active_scan_executed": false,
+    "package_update_executed": false,
+    "host_reboot_executed": false,
+    "hostname": "kali",
+    "os": "Kali GNU/Linux Rolling",
+    "kernel": "Linux 6.16.8+kali-amd64",
+    "uptime": "up 3 weeks, 1 day, 21 hours, 58 minutes",
+    "load_1_5_15": "0.09 0.12 0.15",
+    "memory_used_total": "885Mi/7.8Gi",
+    "disk_root_used_total_percent": "19G/79G 26%",
+    "failed_systemd_unit_count": 1,
+    "upgradable_package_count": 1994,
+    "listening_tcp_socket_count": 7,
+    "listening_udp_socket_count": 2,
+    "evidence_boundary": "只讀連線與主機狀態快照；未執行掃描、更新、調校、重啟或 /execute。"
+  },
  "integration_state": {
    "already_integrated": [
      "Kali Scanner API 在 192.168.0.112:8080 運作且 /health healthy",
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -76,6 +76,7 @@ def validate(root: Path) -> None:
    primary_gate = load_json(security_dir / "source-control-primary-readiness-gate.snapshot.json")
    rollout_policy = load_json(security_dir / "security-rollout-policy.snapshot.json")
    iwooos_projection = load_json(security_dir / "iwooos-posture-projection.snapshot.json")
+    kali_status = load_json(security_dir / "kali-integration-status.snapshot.json")
    iwooos_projection_page = (
        root / "apps" / "web" / "src" / "app" / "[locale]" / "iwooos" / "page.tsx"
    ).read_text(encoding="utf-8")
@@ -5552,6 +5553,37 @@ def validate(root: Path) -> None:
        "docs/security/kali-integration-status.snapshot.json",
    ]:
        assert_contains("iwooos_projection.evidence_refs", iwooos_projection["evidence_refs"], evidence_ref)
+    latest_kali_observation = kali_status["latest_read_only_observation"]
+    assert_equal(
+        "kali_status.latest_read_only_observation.observed_at_taipei",
+        latest_kali_observation["observed_at_taipei"],
+        "2026-05-31T17:22:20+08:00",
+    )
+    assert_equal(
+        "kali_status.latest_read_only_observation.collection_mode",
+        latest_kali_observation["collection_mode"],
+        "ssh_batch_read_only_existing_key",
+    )
+    assert_equal(
+        "kali_status.latest_read_only_observation.upgradable_package_count",
+        latest_kali_observation["upgradable_package_count"],
+        1994,
+    )
+    assert_equal(
+        "kali_status.latest_read_only_observation.failed_systemd_unit_count",
+        latest_kali_observation["failed_systemd_unit_count"],
+        1,
+    )
+    for forbidden_runtime_flag in [
+        "runtime_actions_executed",
+        "active_scan_executed",
+        "package_update_executed",
+        "host_reboot_executed",
+    ]:
+        assert_false(
+            f"kali_status.latest_read_only_observation.{forbidden_runtime_flag}",
+            latest_kali_observation[forbidden_runtime_flag],
+        )
    for output in [
        "display_security_posture",
        "display_progress_estimate",