From dbad58bed339fdc5a449e2f57fbe35c7454e58d0 Mon Sep 17 00:00:00 2001 From: Your Name Date: Sat, 13 Jun 2026 12:38:35 +0800 Subject: [PATCH] docs(security): add S4.9 owner response dispatch package --- docs/LOGBOOK.md | 18 ++ .../S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md | 120 ++++++++++++ ...er-response-dispatch-package.snapshot.json | 178 ++++++++++++++++++ ...026-06-04-iwooos-security-governance-p0.md | 2 + 4 files changed, 318 insertions(+) create mode 100644 docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md create mode 100644 docs/security/s4-9-owner-response-dispatch-package.snapshot.json diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index e14afce8..789b6181 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md 
@@ -33861,3 +33861,21 @@ production browser smoke: 1. 繼續推進 S4.9 owner response 真實回覆資料包,必填 owner role / team、decision、decision reason、affected scope、redacted evidence refs、followup owner;驗收前維持 `0 / false`。 2. 持續盤點高價值配置控管,優先納入 Nginx、K8s manifest、ArgoCD app、Gitea workflow、registry / Harbor、Sentry / SigNoz / Alertmanager、public gateway、AI provider route、資料庫 migration 與 secrets injection 流程。 3. 任何主機維護、Kali 更新、Nginx / Docker / firewall / active scan 仍需獨立維護窗口與人工批准,不得由治理頁或 AwoooP approval 直接替代。 + +## 2026-06-13 — S4.9 owner response 真實資料包與高價值配置 owner lanes 草案 + +**修正內容**: +- 新增 `docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md`:把 S4.9 五題 owner 回覆、六欄 canonical envelope、reviewer outcome lanes、拒收 / 隔離規則與高價值配置 P0 owner lanes 收成可交付資料包。 +- 新增 `docs/security/s4-9-owner-response-dispatch-package.snapshot.json`:機器可讀記錄 `dispatch_package_ready_not_sent`、五題 templates、九條高價值配置 owner lanes 與所有 `0 / false` gate。 +- 更新 `docs/workplans/2026-06-04-iwooos-security-governance-p0.md`:新增 P0-2h,明確標記 dispatch package `70%`,owner response gate 仍 `0%`。 + +**目前狀態**: +- S4.9 dispatch package:`70%`;可交給 owner 填寫,但尚未正式送件。 +- S4.9 owner response gate:仍 `0 / false`。 +- 高價值配置 owner lane 對齊:`55%`;Nginx、K8s / ArgoCD、Gitea workflow / runner、registry / TLS、Sentry / SigNoz / Alertmanager、public runtime config、AI provider route、DB migration、secrets injection 已對齊六欄 envelope。 +- IwoooS overall:仍維持 `64%`。 +- active runtime gate:仍為 `0`。 + +**邊界**: +- 本輪未執行 SSH、Nginx reload、Docker restart、firewall / iptables、K8s / ArgoCD 寫操作、active scan、secret 明文讀取、runtime restart、DB migration 或 AI provider route switch。 +- 不得把 dispatch package、snapshot、UI 可見或 AwoooP approval 解讀成 owner response received / accepted 或 runtime 授權。 diff --git a/docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md b/docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md new file mode 100644 index 00000000..136276d8 --- /dev/null +++ b/docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md 
@@ -0,0 +1,120 @@ +# S4.9 Owner Response Dispatch Package + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-06-13 | +| 狀態 | `dispatch_package_ready_not_sent` | +| 對應 envelope | `docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md` | +| 對應 intake form | `docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md` | +| 對應 validation | `docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md` | +| Snapshot | `docs/security/s4-9-owner-response-dispatch-package.snapshot.json` | +| runtime gate | `0` | + +## 1. 核心結論 + +本包把 S4.9 owner response 從「表單與驗收規則已定義」推進到「可交給 owner 填寫的送件包」。它固定 owner 要回覆哪些題目、每題必填欄位、哪些 evidence 只能用脫敏參照,以及 reviewer 收件後如何分流。 + +本包仍不是正式送件紀錄,不是 owner response received,不是 accepted,不是 repo / refs / workflow / secret / runner / host / runtime 授權。 + +## 2. 必填 Canonical Envelope + +每一題回覆都必須映射回六欄。缺任一欄,只能補件,不得增加 received / accepted count。 + +| 欄位 | 填寫要求 | 禁止誤用 | +|------|----------|----------| +| `owner_role_or_team` | 填角色、團隊或責任單位 | 不填私人帳密、token、session 或私人聯絡資訊 | +| `decision` | 只能填 `confirm`、`defer`、`reject`、`request_more_evidence` | `confirm` 不代表 runtime action approval | +| `decision_reason` | 填脫敏理由摘要 | 不貼 raw log、raw API body、未脫敏截圖或內部聊天原文 | +| `affected_scope` | 填 repo 群、namespace、endpoint、host scope、legacy disposition 或 canonical owner 範圍 | 不夾帶 repo create、refs sync、visibility change 或 workflow 修改要求 | +| `redacted_evidence_refs` | 填文件路徑、snapshot id、ticket id、hash 或脫敏 metadata pointer | 不收 secret value、partial token、private key、authorization header、runner token | +| `followup_owner` | 填後續補證、審查或決策負責角色 / 團隊 | 不等於執行批准人,也不等於 runtime operator | + +## 3. 
S4.9 五題送件內容 + +| 順序 | Template | Owner 必須回答 | 合格 evidence refs | +|------|----------|----------------|--------------------| +| 1 | `response-public-only-vs-local-gitea-gap` | 判定 `wooo/clawbot-v5`、`wooo/wooo-aiops` 是否屬本輪 inventory / migration scope | public probe snapshot、local inventory ref、owner note id | +| 2 | `response-org-user-endpoint-identity` | 判定 `wooo` 應以 user、org 或兩者盤點,並指定 canonical endpoint | endpoint probe summary、HTTP status metadata、owner note id | +| 3 | `response-internal-110-adjacent-scope` | 逐項判定 `bitan-pharmacy`、`root/momo-pro-system`、`tsenyang-website`、`wooo/wooo-infra-config` 是否納入本輪 scope | local repo / host scope snapshot、redacted owner note | +| 4 | `response-repo-owner-canonical-scope` | 指定 in-scope repo 的 owner、canonical source、GitHub target candidate 與 visibility review owner | refs truth summary、target probe summary、owner note id | +| 5 | `response-legacy-or-inaccessible-disposition` | 指定 legacy / inaccessible / external repo 的 disposition、理由與後續 owner | disposition note、archive candidate summary、ticket id | + +## 4. Owner 可回覆的形狀 + +```text +template_id: +owner_role_or_team: +decision: +decision_reason: +affected_scope: +redacted_evidence_refs: +followup_owner: +``` + +若 owner 需要更多資訊,`decision` 應填 `request_more_evidence`,並在 `decision_reason` 說明缺哪一種脫敏 evidence。不得用口頭「同意」、「可以」、「批准」取代六欄回覆。 + +## 5. Reviewer 收件分流 + +| Outcome | 使用時機 | Count 影響 | +|---------|----------|------------| +| `keep_waiting_owner_response` | 尚未收到完整六欄,或只有空白 / 口頭同意 | received / accepted 維持 0 | +| `request_more_evidence` | 欄位缺漏、scope 不清、evidence refs 不足 | accepted 維持 0 | +| `quarantine_sensitive_payload` | 疑似含 token、secret、private key、cookie、session、authorization header、runner token、未脫敏截圖或 private URL credential | 不保存 raw payload | +| `reject_execution_request` | 夾帶 repo / refs / workflow / secret / runner / Kali / host / runtime 執行要求 | 不建立 action button | +| `ready_for_reviewer_validation` | 五題完整、evidence refs 已脫敏、無執行要求 | 只進 reviewer checklist,仍非 accepted | + +## 6. 
高價值配置控管對齊 + +S4.9 owner response 是 source-control owner gate 的第一步。高價值配置控管仍需要獨立 owner response,但應共用同一個六欄 envelope 與拒收邊界。 + +| 優先 | 類別 | 對應 owner lane | 送件前仍缺 | +|------|------|----------------|------------| +| P0-1 | Nginx / public gateway | `public_gateway_owner_response_required` | rendered diff、`nginx -t` evidence、route smoke、maintenance window、rollback owner | +| P0-2 | K8s manifest / ArgoCD app | `gitops_owner_response_required` | GitOps diff、ArgoCD health readback、sync authorization、rollback revision | +| P0-3 | Gitea workflow / runner / deploy key / webhook | `workflow_source_control_owner_response_required` | workflow diff、runner label owner、deploy key metadata only、webhook metadata only | +| P0-4 | Registry / Harbor / TLS / certbot | `domain_tls_owner_response_required` | certificate path check、renewal window、ACME smoke、public HTTPS smoke | +| P0-5 | Sentry / SigNoz / Alertmanager / Prometheus | `monitoring_owner_response_required` | live drift evidence、receiver owner、reload owner、route smoke、receipt proof | +| P0-6 | Public gateway / frontend runtime config | `public_runtime_config_owner_response_required` | public URL check、frontend internal IP ban、CORS boundary、desktop / mobile smoke | +| P0-7 | AI provider route | `ai_provider_route_owner_response_required` | provider route owner、fallback order evidence、cost boundary、rollback owner | +| P0-8 | DB migration | `database_migration_owner_response_required` | migration diff、backup / rollback owner、post-migration verification plan | +| P0-9 | Secrets injection / redaction | `secret_metadata_owner_response_required` | secret name parity、metadata-only check、rotation owner、no secret value check | + +這些 lane 可以共用 S4.9 的欄位與 quarantine-first 規則,但不能把 S4.9 回覆直接升級成 Nginx reload、ArgoCD sync、workflow 修改、registry change、alert reload、AI route switch、DB migration 或 secret rotation 授權。 + +## 7. 
固定 0 / false 邊界 + +```text +dispatch_authorized=false +request_sent=false +request_sent_count=0 +received_response_count=0 +accepted_response_count=0 +rejected_response_count=0 +owner_response_received_count=0 +owner_response_accepted_count=0 +redacted_payload_ingested=false +active_runtime_gate_count=0 +runtime_execution_authorized=false +action_buttons_allowed=false +repo_creation_authorized=false +refs_sync_authorized=false +workflow_modification_authorized=false +github_primary_switch_authorized=false +host_update_authorized=false +active_scan_authorized=false +secret_value_collection_authorized=false +nginx_reload_authorized=false +argocd_sync_authorized=false +database_migration_authorized=false +ai_provider_route_change_authorized=false +``` + +## 8. 完成度 + +| 工作 | 完成度 | 說明 | +|------|--------|------| +| S4.9 dispatch package | `70%` | 可送 owner 填寫的資料包已固定;尚未正式送件 | +| S4.9 owner response gate | `0%` | 尚未收到或接受 owner response | +| 高價值配置 owner lane 對齊 | `55%` | 已共用六欄 envelope 與 P0 lane;仍需各 lane owner 實際回覆 | +| IwoooS overall | 維持 `64%` | 文件與資料包不調高整體進度 | +| active runtime gate | `0` | 不變 | diff --git a/docs/security/s4-9-owner-response-dispatch-package.snapshot.json b/docs/security/s4-9-owner-response-dispatch-package.snapshot.json new file mode 100644 index 00000000..f216b5af --- /dev/null +++ b/docs/security/s4-9-owner-response-dispatch-package.snapshot.json 
@@ -0,0 +1,178 @@ +{ + "schema_version": "s4_9_owner_response_dispatch_package_v1", + "generated_at": "2026-06-13T02:20:00+08:00", + "status": "dispatch_package_ready_not_sent", + "mode": "owner_response_dispatch_package_only", + "source_documents": [ + "docs/security/S4-9-CANONICAL-OWNER-RESPONSE-ENVELOPE.md", + "docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md", + "docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md", + "docs/security/S4-9-SECURITY-ACCEPTANCE-RECORD-TEMPLATE.md" + ], + "canonical_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner" + ], + "allowed_decisions": [ + "confirm", + "defer", + "reject", + "request_more_evidence" + ], + "s4_9_response_templates": [ + { + "template_id": "response-public-only-vs-local-gitea-gap", + "required_fields": 6, + "status": "waiting_owner_response" + }, + { + "template_id": "response-org-user-endpoint-identity", + "required_fields": 6, + "status": "waiting_owner_response" + }, + { + "template_id": "response-internal-110-adjacent-scope", + "required_fields": 6, + "status": "waiting_owner_response" + }, + { + "template_id": "response-repo-owner-canonical-scope", + "required_fields": 6, + "status": "waiting_owner_response" + }, + { + "template_id": "response-legacy-or-inaccessible-disposition", + "required_fields": 6, + "status": "waiting_owner_response" + } + ], + "outcome_lanes": [ + "keep_waiting_owner_response", + "request_more_evidence", + "quarantine_sensitive_payload", + "reject_execution_request", + "ready_for_reviewer_validation" + ], + "high_value_config_owner_lanes": [ + { + "priority": "P0-1", + "category_id": "nginx_public_gateway", + "owner_lane": "public_gateway_owner_response_required", + "status": "owner_response_required" + }, + { + "priority": "P0-2", + "category_id": "k8s_production_gitops", + "owner_lane": "gitops_owner_response_required", + "status": "owner_response_required" + }, + { + "priority": "P0-3", + 
"category_id": "gitea_workflow_runner_source_control", + "owner_lane": "workflow_source_control_owner_response_required", + "status": "owner_response_required" + }, + { + "priority": "P0-4", + "category_id": "dns_tls_certbot", + "owner_lane": "domain_tls_owner_response_required", + "status": "owner_response_required" + }, + { + "priority": "P0-5", + "category_id": "monitoring_alerting_observability", + "owner_lane": "monitoring_owner_response_required", + "status": "owner_response_required" + }, + { + "priority": "P0-6", + "category_id": "public_admin_api_runtime_config", + "owner_lane": "public_runtime_config_owner_response_required", + "status": "owner_response_required" + }, + { + "priority": "P0-7", + "category_id": "ai_provider_route", + "owner_lane": "ai_provider_route_owner_response_required", + "status": "owner_response_required" + }, + { + "priority": "P0-8", + "category_id": "database_migration", + "owner_lane": "database_migration_owner_response_required", + "status": "owner_response_required" + }, + { + "priority": "P0-9", + "category_id": "secret_metadata", + "owner_lane": "secret_metadata_owner_response_required", + "status": "owner_response_required" + } + ], + "forbidden_payloads": [ + "token", + "secret", + "private_key", + "cookie", + "session", + "authorization_header", + "runner_token", + "webhook_secret", + "database_url", + "unredacted_screenshot", + "private_url_credential" + ], + "forbidden_actions": [ + "repo_create", + "visibility_change", + "refs_sync", + "delete_refs", + "force_push", + "workflow_modify", + "runner_enable", + "kali_scan", + "host_update", + "runtime_restart", + "nginx_reload", + "argocd_sync", + "database_migration", + "secret_rotation", + "ai_provider_route_switch" + ], + "gates": { + "dispatch_authorized": false, + "request_sent": false, + "request_sent_count": 0, + "received_response_count": 0, + "accepted_response_count": 0, + "rejected_response_count": 0, + "owner_response_received_count": 0, + 
"owner_response_accepted_count": 0, + "redacted_payload_ingested": false, + "active_runtime_gate_count": 0, + "runtime_execution_authorized": false, + "action_buttons_allowed": false, + "repo_creation_authorized": false, + "refs_sync_authorized": false, + "workflow_modification_authorized": false, + "github_primary_switch_authorized": false, + "host_update_authorized": false, + "active_scan_authorized": false, + "secret_value_collection_authorized": false, + "nginx_reload_authorized": false, + "argocd_sync_authorized": false, + "database_migration_authorized": false, + "ai_provider_route_change_authorized": false + }, + "progress": { + "s4_9_dispatch_package_percent": 70, + "s4_9_owner_response_gate_percent": 0, + "high_value_config_owner_lane_alignment_percent": 55, + "iwooos_overall_percent": 64, + "active_runtime_gate_count": 0 + } +} diff --git a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md index e2851832..58cb953d 100644 --- a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md +++ b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md 
@@ -28,6 +28,7 @@ | 最新 S4.9 owner response intake form 基準 | `docs/security/S4-9-OWNER-RESPONSE-INTAKE-FORM.md`;五題可填表、六欄填寫規則、reviewer 收件欄與 outcome lanes 已固定;owner response gate 仍 `0%` | | 最新 S4.9 reviewer validation checklist 基準 | `docs/security/S4-9-REVIEWER-VALIDATION-CHECKLIST.md`;Reviewer 分工、V0-V8 gates、outcome 決策表、count transition 與 cross-packet consistency 已固定;owner response gate 仍 `0%` | | 最新 S4.9 security acceptance record template 基準 | `docs/security/S4-9-SECURITY-ACCEPTANCE-RECORD-TEMPLATE.md`;acceptance record 前置條件、欄位、count transition、decision outcome、evidence redaction 與不可授權聲明已固定;owner response gate 仍 `0%` | +| 最新 S4.9 owner response dispatch package 基準 | `docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md`;五題送件內容、六欄 owner 回覆格式、reviewer outcome lanes 與高價值配置 P0 owner lanes 已固定;dispatch package `70%`,owner response gate 仍 `0%` | | 目前平行 Session | AwoooP thread `019e9154-7d5e-7b72-85be-c9d97e43ecc9` 已補 P1-002 正式驗證紀錄;後續進 `P1-003` 前仍需重新 fetch / fast-forward,避免 LOGBOOK / workplan 衝突 | | 前一個正式 IwoooS 候選基準 | code `7b8fc093`、deploy marker `45c63488`、LOGBOOK `02cadee6` | | 最新導航 IA 基準 | code `973fc7a4`、LOGBOOK `2555c811`、deploy marker `0260ec89` | 
@@ -66,6 +67,7 @@ | P0-2e | S4.9 owner response intake form | 100% | 已新增 `S4-9-OWNER-RESPONSE-INTAKE-FORM.md`,固定五題可填表、六欄填寫規則、reviewer 收件欄與 outcome lanes;owner response gate 仍 0% | owner response guard、progress guard、diff check | | P0-2f | S4.9 reviewer validation checklist | 100% | 已新增 `S4-9-REVIEWER-VALIDATION-CHECKLIST.md`,固定 reviewer 分工、V0-V8 gates、outcome 決策表、count transition 與 cross-packet consistency;owner response gate 仍 0% | owner response guard、progress guard、diff check | | P0-2g | S4.9 security acceptance record template | 100% | 已新增 `S4-9-SECURITY-ACCEPTANCE-RECORD-TEMPLATE.md`,固定 acceptance record 前置條件、欄位、count transition、decision outcome、evidence redaction 與不可授權聲明;owner response gate 仍 0% | owner response guard、progress guard、diff check | +| P0-2h | S4.9 owner response dispatch package | 70% | 已新增 `S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md` 與 snapshot,固定可交給 owner 填寫的五題送件包、高價值配置 P0 owner lanes 與 0 / false 邊界;尚未正式送件、尚未 received / accepted | JSON parse、owner response guard、progress guard、doc secrets sanity | | P0-3 | AwoooP 同步封包 | 100% | 已送至 AwoooP 平行工作 thread `019e9154-7d5e-7b72-85be-c9d97e43ecc9`;後續仍需每次推版前重新 fetch / fast-forward | 本文件、thread send readback、mirror checklist readback | | P0-4 | production live sanity 節點 | 100% | desktop / mobile / 展開區塊 / overflow / action href 檢查已完成 | Playwright production sanity 通過 | | P0-5 | LOGBOOK 與完成度更新 | 100% | D2 comments-only、D2 AIOps sample、D2 Code Review 候選分類與 D2 AwoooP Runs fallback 皆已回填;可見 / bundle 變更皆已補 local / production desktop + mobile smoke | `docs/LOGBOOK.md` readback |
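Review bot: the commit header needs a real author before this is applied; `From: Your Name` carries no e-mail address at all, so the commit would land unattributed and would fail any author check on the receiving repo. Set `user.name` / `user.email` (or pass `--author`) and regenerate the patch. The diffstat itself is consistent with the four files (18 + 120 + 178 + 2 = 318 insertions).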
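Review bot: in the `docs/LOGBOOK.md` hunk (`@@ -33861,3 +33861,21 @@`) the new 2026-06-13 entry records 修正內容, 目前狀態 and 邊界 but not which checks were actually run against the new snapshot, while the workplan row for P0-2h in the same patch lists "JSON parse、owner response guard、progress guard、doc secrets sanity". Add a short 驗證 line to the LOGBOOK entry naming those checks and their result, so the logbook stays self-contained and the `70%` / `0 / false` claims here are backed by the same evidence the workplan cites.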
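Review bot: in `docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md` the section 5 `quarantine_sensitive_payload` row enumerates token, secret, private key, cookie, session, authorization header, runner token, 未脫敏截圖 and private URL credential, but the snapshot's `forbidden_payloads` in the same patch also lists `webhook_secret` and `database_url`; a reviewer triaging from the markdown table will not quarantine those two. Align the row with the snapshot list (or state that the snapshot list is authoritative). The same applies to the `reject_execution_request` row, which names "repo / refs / workflow / secret / runner / Kali / host / runtime" while `forbidden_actions` additionally covers `nginx_reload`, `argocd_sync`, `database_migration`, `secret_rotation` and `ai_provider_route_switch`; section 6 mentions these in prose, but the outcome table is what the reviewer keys on.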
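Review bot: the `category_id` values in `s4-9-owner-response-dispatch-package.snapshot.json` do not match the 類別 names in section 6 of the markdown, which will break the cross-packet consistency check the validation checklist relies on: P0-2 is "K8s manifest / ArgoCD app" in the table but `k8s_production_gitops` in the snapshot, P0-4 is "Registry / Harbor / TLS / certbot" but `dns_tls_certbot` (registry / Harbor absent from the id, DNS absent from the table), and P0-6 is "Public gateway / frontend runtime config" but `public_admin_api_runtime_config`. Add a `category_id` column to the section 6 table, or rename one side, so each lane has a single key. Separately, `active_runtime_gate_count` is stored twice, under `gates` and under `progress`, and each template carries a bare `"required_fields": 6` next to a `canonical_owner_fields` list of six names; have the JSON parse step assert the two counts agree and that `required_fields` equals the length of `canonical_owner_fields`, otherwise these can drift silently.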
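Review bot: the new baseline row in `docs/workplans/2026-06-04-iwooos-security-governance-p0.md` (`@@ -28,6 +28,7 @@`) cites only `docs/security/S4-9-OWNER-RESPONSE-DISPATCH-PACKAGE.md`, while the P0-2h row in the next hunk says the deliverable is the markdown "與 snapshot". Cite `docs/security/s4-9-owner-response-dispatch-package.snapshot.json` in the baseline row as well, since that is the machine-readable artifact the guards parse and the one whose `0 / false` gates the row's "owner response gate 仍 `0%`" claim depends on.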
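Review bot: the P0-2h row (`@@ -66,6 +67,7 @@`) sets 70% and explains the gap as "尚未正式送件、尚未 received / accepted", which ties the package's completion to two different gates; the owner response gate is already tracked separately at 0%, so if P0-2h also waits on received / accepted it can never reach 100% independently. State which event closes P0-2h (presumably 正式送件, i.e. `request_sent` / `dispatch_authorized` flipping from `false`) and leave received / accepted to the owner response gate row. Also, "doc secrets sanity" is a new entry in the 驗證 column compared with P0-2e through P0-2g; a one-line description of what it scans (the new markdown and snapshot for any of the `forbidden_payloads` categories) would make the row reproducible.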