diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx
index f9e7eeb8..b07224eb 100644
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -36,6 +36,7 @@ import Link from 'next/link'
 import { useTranslations } from 'next-intl'
 import { useEffect, useRef, useState, type ReactNode } from 'react'
 import { AppLayout } from '@/components/layout'
+import { publicBoundaryText } from '@/lib/public-security-redaction'
 import {
 apiClient,
 type IwoooSHighValueConfigControlCoverageCategory,
@@ -2936,7 +2937,7 @@ const ownerEvidenceIntakePreflightFallbackItems: OwnerEvidenceIntakePreflightDis
 rank: 'P0',
 title: '機密中繼資料 / 工作流程 / 執行器',
 state: 'coverage-derived candidate',
- body: '只收 secret name、workflow diff、runner attestation、run readback 與 log redaction;secret value / runner token 拒收。',
+ body: '只收機密名稱、工作流程差異、執行器證明、run 讀回與日誌遮罩證據;機密明文與執行器憑證一律拒收。',
 icon: Lock,
 tone: 'locked',
 },
@@ -9959,11 +9960,11 @@ function IwoooSWazuhManagerRegistryReviewerValidationBoard() { }} > {slot.slot_id} -
{slot.title}
+
{publicBoundaryText(slot.title)}
{t('slotReceivedLabel')}:{slot.received ? '1' : '0'} {t('slotAcceptedLabel')}:{slot.accepted ? '1' : '0'} - {t('slotNextGateLabel')}:{slot.next_gate} + {t('slotNextGateLabel')}:{publicBoundaryText(slot.next_gate)}
)) : ( @@ -9988,12 +9989,12 @@ function IwoooSWazuhManagerRegistryReviewerValidationBoard() { {check.check_id} -
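Review bot: In the -9959 hunk `slot.title` and `slot.next_gate` now go through `publicBoundaryText`, but `{slot.slot_id}` on the line just above is still rendered raw, and the -9988 hunk does the same with `{check.check_id}` beside the wrapped `check.title`. If these ids are free-form strings from the same API payload (the hunk does not show their type), the phrase substitution covers some cells of a row and not others, so wording the helper is meant to normalize can still surface in the id cell. Either wrap them too, `{publicBoundaryText(slot.slot_id)}` and `{publicBoundaryText(check.check_id)}`, or add a comment at the call site recording that ids are opaque identifiers deliberately left unredacted. The enclosing component IwoooSWazuhManagerRegistryReviewerValidationBoard starts and ends outside the hunk.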
{check.title}
+
{publicBoundaryText(check.title)}

- {check.required_evidence} + {publicBoundaryText(check.required_evidence)}

- {check.failure_lane} + {publicBoundaryText(check.failure_lane)} )) : (
@@ -10034,7 +10035,7 @@ function IwoooSWazuhManagerRegistryReviewerValidationBoard() { overflowWrap: 'anywhere', }} > - {item} + {publicBoundaryText(item)} ))}
diff --git a/apps/web/src/lib/public-security-redaction.ts b/apps/web/src/lib/public-security-redaction.ts
index e2c19348..8b6349c3 100644
--- a/apps/web/src/lib/public-security-redaction.ts
+++ b/apps/web/src/lib/public-security-redaction.ts
@@ -1,4 +1,11 @@
 export function publicBoundaryText(value: string): string {
+ const redacted = value
+ .replace(/live Wazuh/gi, "只讀管理端")
+ .replace(/runtime action/gi, "執行期變更")
+ .replace(/host write/gi, "主機變更")
+ .replace(/active response/gi, "主動回應流程")
+ .replace(/secret value/gi, "機密明文")
+ .replace(/raw secret/gi, "原始機密");
 const labels: Record = {
 "security_compliance_route_preserved=true": "安全合規路由已保留,並整合到 IwoooS 權威入口。",
 "security_compliance_removed=false": "安全合規頁沒有被移除,但不再作為孤立入口。",
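Review bot: The new `redacted` chain is a fixed list of six English phrases matched on exact spacing, and the function's final `return redacted` (in the next hunk) passes anything else through unchanged, so this is a display-wording normalizer rather than a boundary: the string it receives is already in the browser via the API response, and spellings such as `secret_value`, `secret-value` or a doubled space are not matched. The exported function has no doc comment; a TSDoc header should say that it maps known status keys and operational phrases to public-facing wording, that unmatched text is returned as-is, and that keeping sensitive content out of the response is the server's job, so callers do not mistake it for a filter. As a style point, the six pairs would be easier to extend as a module-level readonly table folded with `reduce` instead of a growing `.replace` chain; sketch below.
```typescript
/** Phrase → public wording substitutions applied before status-key matching. */
const PUBLIC_PHRASE_REPLACEMENTS: ReadonlyArray<readonly [RegExp, string]> = [
  [/live Wazuh/gi, "只讀管理端"],
  [/runtime action/gi, "執行期變更"],
  [/host write/gi, "主機變更"],
  [/active response/gi, "主動回應流程"],
  [/secret value/gi, "機密明文"],
  [/raw secret/gi, "原始機密"],
];

export function publicBoundaryText(value: string): string {
  const redacted = PUBLIC_PHRASE_REPLACEMENTS.reduce(
    (text, [pattern, replacement]) => text.replace(pattern, replacement),
    value,
  );
  // … unchanged: labels table and status-key matching …
```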
@@ -16,44 +23,44 @@ export function publicBoundaryText(value: string): string {
 "security_compliance_rollout_runtime_phase_enabled=false": "執行期階段尚未開放。",
 "security_compliance_rollout_enforcement_enabled=false": "強制執行尚未開放。",
 };
- if (labels[value]) return labels[value];
- if (value.includes("runtime_execution_authorized=false")) return "執行期操作未授權。";
- if (value.includes("action_buttons_allowed=false")) return "此頁不提供可執行操作按鈕。";
- if (value.includes("active_runtime_gate_count=0")) return "執行期閘門維持關閉。";
- if (value.includes("owner_response_validation_received_count=0")) return "負責人回覆尚未收到。";
- if (value.includes("owner_response_validation_accepted_count=0")) return "負責人回覆尚未接受。";
- if (value.includes("owner_response_validation_rejected_count=0")) return "目前沒有正式拒收紀錄。";
- if (value.includes("repo_creation_authorized=false")) return "未核准建立專案庫或修改可見性。";
- if (value.includes("refs_mutation_authorized=false") || value.includes("refs_sync_authorized=false")) {
+ if (labels[redacted]) return labels[redacted];
+ if (redacted.includes("runtime_execution_authorized=false")) return "執行期操作未授權。";
+ if (redacted.includes("action_buttons_allowed=false")) return "此頁不提供可執行操作按鈕。";
+ if (redacted.includes("active_runtime_gate_count=0")) return "執行期閘門維持關閉。";
+ if (redacted.includes("owner_response_validation_received_count=0")) return "負責人回覆尚未收到。";
+ if (redacted.includes("owner_response_validation_accepted_count=0")) return "負責人回覆尚未接受。";
+ if (redacted.includes("owner_response_validation_rejected_count=0")) return "目前沒有正式拒收紀錄。";
+ if (redacted.includes("repo_creation_authorized=false")) return "未核准建立專案庫或修改可見性。";
+ if (redacted.includes("refs_mutation_authorized=false") || redacted.includes("refs_sync_authorized=false")) {
 return "未核准同步、刪除或強制推送分支 / 標籤。";
 }
- if (value.includes("workflow_modification_authorized=false") || value.includes("workflow_secret_modification_authorized=false")) {
+ if (redacted.includes("workflow_modification_authorized=false") || redacted.includes("workflow_secret_modification_authorized=false")) {
 return "未核准修改工作流程、runner 或機密設定。";
 }
- if (value.includes("secret_value_collection_allowed=false")) return "不得收集或顯示任何機密明文值。";
- if (value.includes("github_primary_switch_authorized=false")) return "GitHub primary 尚未核准切換。";
- if (value.includes("gitea_disablement_authorized=false")) return "Gitea 不得停用,仍是目前 CI/CD 來源。";
- if (value.includes("execution_router_linked=false")) return "尚未連接執行路由。";
- if (value.includes("security_run_created=false") || value.includes("github_primary_run_created=false")) {
+ if (redacted.includes("secret_value_collection_allowed=false")) return "不得收集或顯示任何機密明文值。";
+ if (redacted.includes("github_primary_switch_authorized=false")) return "GitHub primary 尚未核准切換。";
+ if (redacted.includes("gitea_disablement_authorized=false")) return "Gitea 不得停用,仍是目前 CI/CD 來源。";
+ if (redacted.includes("execution_router_linked=false")) return "尚未連接執行路由。";
+ if (redacted.includes("security_run_created=false") || redacted.includes("github_primary_run_created=false")) {
 return "目前沒有建立資安執行 run。";
 }
- if (value.includes("approval_record_created=false") || value.includes("security_approval_record_created=false")) {
+ if (redacted.includes("approval_record_created=false") || redacted.includes("security_approval_record_created=false")) {
 return "目前沒有建立審批紀錄。";
 }
- if (value.includes("platform_run_creation_authorized=false")) return "未核准建立平台 run。";
- if (value.includes("not_authorization=true")) return "此區塊僅為只讀證據,不代表授權。";
- if (value.includes("contract_publish_authorized=false")) return "未核准發布或改版合約。";
- if (value.includes("contract_mutation_authorized=false")) return "未核准修改合約內容。";
- if (value.includes("send_owner_request_allowed=false")) return "未核准送出負責人請求。";
- if (value.includes("mark_received_allowed=false")) return "未核准標記已收到。";
- if (value.includes("mark_accepted_allowed=false")) return "未核准標記已接受。";
- if (value.includes("nginx_reload_authorized=false")) return "未核准 Nginx reload 或公開入口變更。";
- if (value.includes("agent_bounty_runtime_authorized=false")) return "agent-bounty-protocol 執行期維持關閉。";
- if (value.includes("github_primary_approval_granted=false")) return "GitHub primary 尚未獲得審批。";
- if (value.includes("owner_response_accepted_count=0")) return "負責人回覆接受數仍為 0。";
- if (value.includes("_count=0")) return "目前計數仍為 0,僅供只讀觀測。";
- if (value.includes("=false")) return "目前狀態為未授權,僅供只讀觀測。";
- return value;
+ if (redacted.includes("platform_run_creation_authorized=false")) return "未核准建立平台 run。";
+ if (redacted.includes("not_authorization=true")) return "此區塊僅為只讀證據,不代表授權。";
+ if (redacted.includes("contract_publish_authorized=false")) return "未核准發布或改版合約。";
+ if (redacted.includes("contract_mutation_authorized=false")) return "未核准修改合約內容。";
+ if (redacted.includes("send_owner_request_allowed=false")) return "未核准送出負責人請求。";
+ if (redacted.includes("mark_received_allowed=false")) return "未核准標記已收到。";
+ if (redacted.includes("mark_accepted_allowed=false")) return "未核准標記已接受。";
+ if (redacted.includes("nginx_reload_authorized=false")) return "未核准 Nginx reload 或公開入口變更。";
+ if (redacted.includes("agent_bounty_runtime_authorized=false")) return "agent-bounty-protocol 執行期維持關閉。";
+ if (redacted.includes("github_primary_approval_granted=false")) return "GitHub primary 尚未獲得審批。";
+ if (redacted.includes("owner_response_accepted_count=0")) return "負責人回覆接受數仍為 0。";
+ if (redacted.includes("_count=0")) return "目前計數仍為 0,僅供只讀觀測。";
+ if (redacted.includes("=false")) return "目前狀態為未授權,僅供只讀觀測。";
+ return redacted;
 }
 
 export function publicContractText(value: string): string {
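Review bot: `if (labels[redacted]) return labels[redacted];` indexes a plain object with a caller-supplied string, so an input such as `"constructor"` or `"toString"` resolves through `Object.prototype`, passes the truthiness test, and the function returns a function rather than a string — the declared return type does not catch it, and React will not render a function child. Use an own-property check, `if (Object.hasOwn(labels, redacted)) return labels[redacted];` (or `Object.prototype.hasOwnProperty.call(labels, redacted)` if the build target predates ES2022), or hold the table in a `Map<string, string>` and use `.get`. The line read `labels[value]` before this commit, so the defect is older than the change, but the hunk rewrites it and is the natural place to fix it. The `includes` chain is also order-sensitive — the generic `_count=0` and `=false` fallbacks only work because they come last — which deserves a one-line comment above them, `// generic fallbacks: must stay after the specific keys`.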