diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index e280aba0..24c91392 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -19,6 +19,27 @@ - 不能宣稱 DR complete,因為 credential escrow evidence marker 仍缺 `5`。 - 不手動建立 / 刪除 / patch `km-vectorize` Job,不重啟服務,不消音告警;下一步仍是等待下一次官方 03:00 排程,以只讀方式確認 Job / Pod / log / `lastSuccessfulTime` / ArgoCD health。 +## 2026-06-14|P0 高價值配置 Gate pattern 補強本地完成 + +**背景**:P0 配置控管優先序已在 `/zh-TW/iwooos` 前台完成正式驗證,但高價值配置變更 Gate 的路徑分類仍需要跟上已存在的 Nginx / certbot 檔案位置,避免公開入口與憑證修復腳本被誤判成一般文件或一般工具變更。 + +**完成項目**: +- `scripts/security/high-value-config-change-gate.py` 新增 `k8s/nginx/**`,將 `k8s/nginx/awoooi-prod.conf` 歸入 `nginx_public_gateway` P0 / C0。 +- 同一 Gate 新增 `scripts/ops/**/*cert*` 與 `scripts/ops/**/*tls*`,將 `scripts/ops/188-registry-certbot-fix.sh`、`scripts/ops/fix-188-registry-certbot-renewal.sh` 歸入 `dns_tls_certbot` P0 / C0。 +- `docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md` 補上 2026-06-14 pattern 補強說明,固定 Nginx public gateway 與 DNS / TLS / certbot 的 owner response、驗證與 rollback 需求。 +- `docs/security/high-value-config-change-gate.snapshot.json` 已重產,sample 顯示 changed files `6`、matched `6`、impacted C0 category `2`、impacted category `3`、strongest tier `C0`、strongest priority `P0`。 + +**本地驗證**: +- 補強前 sample:`k8s/nginx/awoooi-prod.conf`、`scripts/ops/fix-188-registry-certbot-renewal.sh`、`scripts/ops/188-registry-certbot-fix.sh` 為 `matched=0`、C0 `0`。 +- 補強後 sample:同三個路徑為 `matched=3`、C0 `2`,分別命中 `nginx_public_gateway` 與 `dns_tls_certbot`。 +- Committed snapshot sample:`HIGH_VALUE_CONFIG_CHANGE_GATE_OK changed_files=6 matched=6 categories=3 c0=2 c1=0`。 +- Owner evidence 仍為 `provided=false`、`complete=false`;required owner fields 仍缺 `owner_role_or_team`、`decision`、`decision_reason`、`affected_scope`、`redacted_evidence_refs`、`followup_owner`、`rollback_owner`、`maintenance_window`、`validation_plan`。 + +**完成度與邊界**: +- P0 高價值配置 Gate pattern 補強本地 slice:`100%`。 +- Production browser verification:不適用;本輪是 repo 內只讀分類工具與文件快照,不變更前端或 runtime。 +- IwoooS 整體 headline 仍維持 `64%`;owner response received / accepted、live evidence received、runtime gate、Nginx live config、`nginx -t`、reload、DNS / TLS live probe、certbot renew、ArgoCD sync、kubectl action、workflow / secret 修改、public route change、host write、active scan、production write 全部維持 `0 / false`。 + ## 2026-06-14|IwoooS P0 配置控管優先序正式驗證完成 **背景**:`e992af89 feat(iwooos): 顯示 P0 配置控管優先序` 已由 deploy marker `ed651a98 chore(cd): deploy e992af8 [skip ci]` 正式部署;Gitea code-review run `2971` success,CD run `2970` success。本段只驗證 `/zh-TW/iwooos` 的 P0 配置控管優先序可讀、可見與邊界保持,不代表 Nginx live config 讀取、`nginx -t`、reload、DNS / TLS probe、certbot renew、ArgoCD sync、kubectl action、workflow / secret 修改、public route change、agent-bounty runtime、payout / withdrawal、production write 或 runtime gate。 diff --git a/docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md b/docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md index 15b09aa7..03b4fec5 100644 --- a/docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md +++ b/docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md @@ -33,6 +33,17 @@ | P2 | C2 | AWOOOI / AwoooP / IwoooS / VibeWork / other product runtime routes | | P3 | C3 | Security evidence / snapshot / guard tooling | +### 2.1 2026-06-14 P0 pattern 補強 + +本輪補上兩類已存在但原本未被分類的 P0 路徑,避免 Nginx / certbot 相關檔案被視為普通文件或工具變更: + +| 新增 pattern | 歸屬類別 | 理由 | +|--------------|----------|------| +| `k8s/nginx/**` | P0 / C0 Nginx public gateway | `k8s/nginx/awoooi-prod.conf` 會影響公開入口與 upstream,必須要求 public gateway owner response、rendered diff、`nginx -t`、route smoke 與 rollback ref | +| `scripts/ops/**/*cert*`、`scripts/ops/**/*tls*` | P0 / C0 DNS / TLS / certbot | `scripts/ops/*certbot*` 會影響憑證修復、renewal 或 ACME 路徑,必須要求 domain / TLS owner response、renewal window、ACME smoke、public HTTPS smoke 與 rollback ref | + +驗證 sample:`k8s/nginx/awoooi-prod.conf`、`scripts/ops/188-registry-certbot-fix.sh`、`scripts/ops/fix-188-registry-certbot-renewal.sh` 皆命中 C0;owner evidence 仍為 incomplete,runtime execution 仍為 `false`。 + ## 3. 指令 檢查目前 commit 相對前一個 commit: diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index a2aa65c7..ece2390d 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -7,7 +7,7 @@ | 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 | | 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP 執行監控 IwoooS 執行狀態只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub 主要來源就緒度只讀狀態板 + AwoooP 工作鏈路 GitHub 主要來源就緒度只讀工作項 + AwoooP 合約儀表板 GitHub 主要來源就緒度合約只讀候選 + AwoooP 審批佇列 GitHub 主要來源就緒度審批邊界 + AwoooP 首頁 GitHub 主要來源就緒度只讀摘要 + AwoooP 租戶管理 GitHub 主要來源就緒度租戶範圍 + AwoooP 執行監控 GitHub 主要來源就緒度執行邊界 + IwoooS / AwoooP 資安可視區塊繁體中文呈現防護檢查 + AwoooP 執行詳情 / 審批詳情繁體中文呈現防護檢查 + AwoooP 首頁負責人回覆驗收總覽 + AwoooP 工作鏈路負責人回覆驗收只讀工作項 + AwoooP 合約儀表板負責人回覆驗收契約只讀候選 + AwoooP 審批佇列負責人回覆驗收只讀審查邊界 + AwoooP 租戶管理負責人回覆驗收租戶範圍 + AwoooP 執行監控負責人回覆驗收執行邊界 + AwoooP 執行詳情負責人回覆驗收詳情邊界 + AwoooP 審批決策負責人回覆驗收審批邊界 + IwoooS AwoooP 資安入口覆蓋狀態板 + IwoooS 階段式資安收斂節奏圖 + IwoooS 下一步人工收件作戰板 + IwoooS 人工回覆安全驗收閘道 + IwoooS 人工回覆審查結果分流 + IwoooS 人工決策準備佇列 + IwoooS 人工決策紀錄草稿防誤用 + IwoooS 人工決策正式紀錄負責人指派確認準備包 + IwoooS 人工決策正式紀錄負責人指派確認清單 + IwoooS 人工決策正式紀錄負責人指派確認結果分流 + IwoooS 人工決策正式紀錄負責人指派決策準備包 + IwoooS 人工決策正式紀錄負責人指派決策檢查清單 + IwoooS S4.9 負責人回覆封套欄位 + IwoooS S4.9 負責人回覆封套送件前檢查 + IwoooS S4.9 負責人回覆封套送件前結果分流 + IwoooS S4.9 負責人回覆送件請求草稿 + IwoooS S4.9 負責人回覆送件鏈路摘要 + IwoooS 低摩擦分階段收斂主控 + IwoooS 低摩擦下一步行動邊界 + IwoooS 64% 進度移動訊號驗收條 + IwoooS 第一個進度解鎖路徑 + IwoooS 第一解鎖證據包 + IwoooS 第一解鎖證據包預檢分流 + IwoooS 第一解鎖證據包補件路徑 + IwoooS 第一解鎖證據包補件送審前檢查 + IwoooS 第一解鎖證據包補件送審結果分流 + IwoooS 第一解鎖證據包 reviewer 指派準備包 + IwoooS 第一解鎖證據包 reviewer 指派前檢查 + IwoooS 第一解鎖證據包 reviewer 指派前檢查結果分流 + IwoooS 正式只讀 landing 與 Kali 112 只讀證據進度重估 | | 本階段追加補充 | IwoooS 目前具體工作地圖 + IwoooS 目前具體交付清單 + IwoooS 目前阻塞與解除條件 + IwoooS 三軸進度與全產品套用範圍 + IwoooS 全產品分階段套用台帳 + IwoooS 全產品 rollout 波次驗收門檻 + IwoooS 全產品 rollout 驗收結果分流 + IwoooS 全產品證據接線地圖 + IwoooS 全產品證據接線預檢 + IwoooS 全產品證據接線預檢結果分流 + IwoooS 全產品預檢補件回收台帳 + IwoooS 全產品補件重試門檻 + IwoooS 全產品重試結果分流 + IwoooS 全產品人工審查候選準備 + IwoooS 全產品人工審查候選預檢 + IwoooS 全產品人工審查候選預檢結果分流 + IwoooS 全產品人工審查候選預檢補件回收台帳 + IwoooS 全產品人工審查候選預檢補件重試門檻 + IwoooS 全產品只讀套用快照 + P2-145 owner response acceptance gate 正式驗證完成 | -| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成;Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;owner response / live evidence / runtime gate / action buttons 仍全部為 0 | +| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成;Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*`,sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`;owner response / live evidence / runtime gate / action buttons 仍全部為 0 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | | P0 主控板 | `docs/workplans/2026-06-04-iwooos-security-governance-p0.md` | diff --git a/docs/security/high-value-config-change-gate.snapshot.json b/docs/security/high-value-config-change-gate.snapshot.json index 520f8ac4..241645e9 100644 --- a/docs/security/high-value-config-change-gate.snapshot.json +++ b/docs/security/high-value-config-change-gate.snapshot.json @@ -1,26 +1,5 @@ { "changed_files": [ - { - "categories": [ - { - "category_id": "security_evidence_tooling", - "control_tier": "C3", - "label": "Security evidence / snapshot / guard tooling", - "priority": "P3", - "required_gate": "security_evidence_owner_review_required", - "required_validation": [ - "snapshot_parse", - "guard_smoke", - "doc_secret_sanity", - "no_runtime_gate_increase" - ] - } - ], - "matched": true, - "path": "docs/LOGBOOK.md", - "strongest_priority": "P3", - "strongest_tier": "C3" - }, { "categories": [ { @@ -42,48 +21,6 @@ "strongest_priority": "P3", "strongest_tier": "C3" }, - { - "categories": [ - { - "category_id": "security_evidence_tooling", - "control_tier": "C3", - "label": "Security evidence / snapshot / guard tooling", - "priority": "P3", - "required_gate": "security_evidence_owner_review_required", - "required_validation": [ - "snapshot_parse", - "guard_smoke", - "doc_secret_sanity", - "no_runtime_gate_increase" - ] - } - ], - "matched": true, - "path": "docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET.md", - "strongest_priority": "P3", - "strongest_tier": "C3" - }, - { - "categories": [ - { - "category_id": "security_evidence_tooling", - "control_tier": "C3", - "label": "Security evidence / snapshot / guard tooling", - "priority": "P3", - "required_gate": "security_evidence_owner_review_required", - "required_validation": [ - "snapshot_parse", - "guard_smoke", - "doc_secret_sanity", - "no_runtime_gate_increase" - ] - } - ], - "matched": true, - "path": "docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md", - "strongest_priority": "P3", - "strongest_tier": "C3" - }, { "categories": [ { @@ -108,23 +45,71 @@ { "categories": [ { - "category_id": "security_evidence_tooling", - "control_tier": "C3", - "label": "Security evidence / snapshot / guard tooling", - "priority": "P3", - "required_gate": "security_evidence_owner_review_required", + "category_id": "nginx_public_gateway", + "control_tier": "C0", + "label": "Nginx / reverse proxy / public route", + "priority": "P0", + "required_gate": "public_gateway_owner_response_required", "required_validation": [ - "snapshot_parse", - "guard_smoke", - "doc_secret_sanity", - "no_runtime_gate_increase" + "rendered_diff", + "nginx_t", + "affected_route_smoke", + "admin_route_smoke_if_affected", + "acme_path_smoke_if_affected", + "rollback_ref" ] } ], "matched": true, - "path": "docs/security/high-value-config-owner-packet.snapshot.json", - "strongest_priority": "P3", - "strongest_tier": "C3" + "path": "k8s/nginx/awoooi-prod.conf", + "strongest_priority": "P0", + "strongest_tier": "C0" + }, + { + "categories": [ + { + "category_id": "dns_tls_certbot", + "control_tier": "C0", + "label": "DNS / TLS / certbot / certificate path", + "priority": "P0", + "required_gate": "domain_tls_owner_response_required", + "required_validation": [ + "domain_inventory", + "certificate_path_check", + "renewal_window", + "acme_path_smoke", + "public_https_smoke", + "rollback_ref" + ] + } + ], + "matched": true, + "path": "scripts/ops/188-registry-certbot-fix.sh", + "strongest_priority": "P0", + "strongest_tier": "C0" + }, + { + "categories": [ + { + "category_id": "dns_tls_certbot", + "control_tier": "C0", + "label": "DNS / TLS / certbot / certificate path", + "priority": "P0", + "required_gate": "domain_tls_owner_response_required", + "required_validation": [ + "domain_inventory", + "certificate_path_check", + "renewal_window", + "acme_path_smoke", + "public_https_smoke", + "rollback_ref" + ] + } + ], + "matched": true, + "path": "scripts/ops/fix-188-registry-certbot-renewal.sh", + "strongest_priority": "P0", + "strongest_tier": "C0" }, { "categories": [ @@ -146,27 +131,6 @@ "path": "scripts/security/high-value-config-change-gate.py", "strongest_priority": "P3", "strongest_tier": "C3" - }, - { - "categories": [ - { - "category_id": "security_evidence_tooling", - "control_tier": "C3", - "label": "Security evidence / snapshot / guard tooling", - "priority": "P3", - "required_gate": "security_evidence_owner_review_required", - "required_validation": [ - "snapshot_parse", - "guard_smoke", - "doc_secret_sanity", - "no_runtime_gate_increase" - ] - } - ], - "matched": true, - "path": "scripts/security/high-value-config-owner-packet.py", - "strongest_priority": "P3", - "strongest_tier": "C3" } ], "control_category_inventory": [ @@ -177,6 +141,7 @@ "path_patterns": [ "infra/ansible/roles/nginx/templates/*.j2", "infra/ansible/playbooks/nginx-sync.yml", + "k8s/nginx/**", "ops/nginx/**", "docs/runbooks/disaster-recovery/DR-Nginx.md" ], @@ -210,6 +175,8 @@ "docs/runbooks/REGISTRY-CERTBOT-188.md", "docs/runbooks/**/*CERTBOT*.md", "docs/runbooks/**/*TLS*.md", + "scripts/ops/**/*cert*", + "scripts/ops/**/*tls*", "ops/**/*cert*", "ops/**/*tls*", "infra/**/*cert*", @@ -636,7 +603,7 @@ ], "diff": { "base": null, - "changed_file_count": 8, + "changed_file_count": 6, "head": "HEAD" }, "execution_boundaries": { @@ -650,9 +617,39 @@ "ssh_executed": false, "workflow_modified": false }, - "generated_at": "2026-06-11T13:00:00+08:00", - "git_commit": "ccf87213", + "generated_at": "2026-06-14T17:13:00+08:00", + "git_commit": "168bd777", "impacted_categories": [ + { + "category_id": "dns_tls_certbot", + "control_tier": "C0", + "label": "DNS / TLS / certbot / certificate path", + "priority": "P0", + "required_gate": "domain_tls_owner_response_required", + "required_validation": [ + "domain_inventory", + "certificate_path_check", + "renewal_window", + "acme_path_smoke", + "public_https_smoke", + "rollback_ref" + ] + }, + { + "category_id": "nginx_public_gateway", + "control_tier": "C0", + "label": "Nginx / reverse proxy / public route", + "priority": "P0", + "required_gate": "public_gateway_owner_response_required", + "required_validation": [ + "rendered_diff", + "nginx_t", + "affected_route_smoke", + "admin_route_smoke_if_affected", + "acme_path_smoke_if_affected", + "rollback_ref" + ] + }, { "category_id": "security_evidence_tooling", "control_tier": "C3", @@ -714,15 +711,15 @@ ], "schema_version": "high_value_config_change_gate_v1", "summary": { - "changed_file_count": 8, - "impacted_c0_category_count": 0, + "changed_file_count": 6, + "impacted_c0_category_count": 2, "impacted_c1_category_count": 0, - "impacted_category_count": 1, - "matched_high_value_file_count": 8, + "impacted_category_count": 3, + "matched_high_value_file_count": 6, "owner_evidence_complete": false, "owner_evidence_provided": false, "runtime_execution_authorized": false, - "strongest_priority": "P3", - "strongest_tier": "C3" + "strongest_priority": "P0", + "strongest_tier": "C0" } } diff --git a/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md b/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md index 6917fce2..89bd6bc6 100644 --- a/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md +++ b/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md @@ -684,6 +684,7 @@ Alert / Sentry / SigNoz / Gitea / Market Watch / Operator | `docs/evaluations/ai_agent_result_capture_release_decision_owner_response_readback_2026-06-14.json` + `GET /api/v1/agents/agent-result-capture-release-decision-owner-response-readback` | P2-144 owner response readback;承接 P2-143 preflight,建立 5 條 response readback lane、18 個 required owner field、6 個 readback validation check、6 個 readback rejection guard、5 個 operator action、5 個 waiting external response 與 5 個 no external response received lane;runtime authority 固定 `result_capture_release_decision_owner_response_readback_only_no_live_write`;owner response received / accepted / rejected、redacted payload ingested、owner decision approved、verifier decision approved、maintenance window approved、release decision passed、release authorization granted、rollback release passed、live apply release passed、writer apply、execution apply、receipt write、reviewer queue write、Gateway queue write、Telegram send、Bot API call、result capture write、learning write、PlayBook trust write、production write、secret read 與 destructive action 全部 `0 / false`;feature commit `8795f100`、deploy marker `ac938037`、Gitea code-review `2965` / CD `2964` success、本地 P2-139 至 P2-144 regression `45 passed`,rebase 後含 tenants regression 的推送前回歸 `47 passed`、JSON parse、Python compile、Web typecheck、guard、doc secret sanity、value-only 禁用外露值掃描、i18n key parity 與 diff check 通過;production API readback、desktop / mobile smoke、水平溢位 `0`、危險控制 `0`、工作溝通片語命中 `0` 已完成,下一步 P2-145 owner response acceptance gate | | `docs/evaluations/ai_agent_result_capture_release_decision_owner_response_acceptance_gate_2026-06-14.json` + `GET /api/v1/agents/agent-result-capture-release-decision-owner-response-acceptance-gate` | P2-145 owner response acceptance gate;承接 P2-144 readback,建立 5 條 acceptance gate lane、18 個 required owner field、6 個 acceptance validation check、6 個 acceptance rejection guard、5 個 operator action、5 個 blocked no external response 與 5 個 no acceptable external response;runtime authority 固定 `result_capture_release_decision_owner_response_acceptance_gate_only_no_live_write`;owner response received / accepted / rejected、redacted payload ingested、owner release authorized / approved、owner review approved、owner decision approved、verifier decision approved、maintenance window approved、rollback owner confirmed、release decision passed、release authorization granted、rollback release passed、live apply release passed、writer apply、execution apply、receipt write、reviewer queue write、Gateway queue write、Telegram send、Bot API call、result capture write、learning write、PlayBook trust write、production write、secret read 與 destructive action 全部 `0 / false`;feature commit `386dbd07`、deploy marker `36fbfc6b`、Gitea code-review `2969` / CD `2968` success、本地 P2-144 + P2-145 owner response chain regression `16 passed`、JSON parse、Python compile、Web typecheck、guard、doc secret sanity、顯示值工作視窗污染掃描、i18n key parity 與 diff check 通過;production API readback、in-app browser smoke、desktop / mobile smoke、水平溢位 `0`、P2-145 卡片操作控制 `0`、工作溝通片語命中 `0` 已完成,下一步 P2-146 acceptance receipt preview | | `/zh-TW/iwooos` P0 配置控管優先序看板 | P0 配置控管優先序前台正式驗證完成;集中顯示 Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類即時風險配置;owner response `0 / 0`、live evidence `0`、執行期 `0`、操作按鈕 `0`;feature commit `e992af89`、deploy marker `ed651a98`、Gitea code-review `2971` / CD `2970` success;本地與正式 in-app browser、desktop `1440x1100`、mobile `390x844` 檢查通過,新增看板水平溢位 `0`、看板內外凸元素 `0`、工作溝通片語命中 `0` | 這是高價值配置控管的可視化優先序,不是 Nginx live conf 讀取、`nginx -t`、reload、DNS / TLS probe、certbot renew、ArgoCD sync、kubectl、workflow / secret 修改、public route change、agent-bounty runtime、payout / withdrawal、production write 或 runtime gate | +| `scripts/security/high-value-config-change-gate.py` + `docs/security/high-value-config-change-gate.snapshot.json` | P0 高價值配置 Gate pattern 補強本地完成;新增 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*`,讓 `k8s/nginx/awoooi-prod.conf` 命中 `nginx_public_gateway` P0 / C0,讓 `scripts/ops/188-registry-certbot-fix.sh` 與 `scripts/ops/fix-188-registry-certbot-renewal.sh` 命中 `dns_tls_certbot` P0 / C0;補強前 sample `matched=0 / C0=0`,補強後 sample `matched=3 / C0=2`;committed snapshot sample `changed_files=6`、`matched=6`、`categories=3`、`c0=2`、`c1=0`、strongest tier `C0`、strongest priority `P0`;owner evidence `provided=false / complete=false`,runtime execution `false` | 這是 repo 內分類工具與快照補強,不是 Nginx live conf 讀取、`nginx -t`、reload、DNS / TLS live probe、certbot renew、主機寫入、workflow 修改、secret 收集、active scan、production write 或 runtime gate | | `docs/evaluations/ai_agent_live_read_model_gate_2026-06-11.json` + `GET /api/v1/agents/agent-live-read-model-gate` | P2-403B AgentSession / Redis Streams live read model gate;定義 safe fields、Redis envelope、worker gate、rollback plan 與 no-write smoke,不連 DB、不讀寫 Redis、不啟動 worker | #### 3.2.1c 2026-06-11 AI Agent 主動營運委派與版本生命週期契約 @@ -819,6 +820,7 @@ Repo / registry / release notes / K8s / host / observability / backup evidence 65. 建立 owner response readback。✅ P2-144 已完成正式驗證;承接 P2-143 preflight,固定 response readback lane `5`、required owner field `18`、readback validation check `6`、readback rejection guard `6`、operator action `5`、waiting external response `5`、no external response received lane `5`;owner response received / accepted / rejected、redacted payload ingested、reviewer queue write、Gateway queue write、Telegram send、Bot API、result capture、learning、PlayBook trust、production write、secret read、destructive operation 仍為 `0 / false`;feature commit `8795f100`、deploy marker `ac938037`、Gitea code-review `2965` / CD `2964` success;本地 P2-139 至 P2-144 regression `45 passed`,rebase 後含 tenants regression 的推送前回歸 `47 passed`、JSON parse、Python compile、Web typecheck、guard、doc secret sanity、value-only 禁用外露值掃描、i18n key parity 與 diff check 通過;production API readback、desktop / mobile smoke、水平溢位 `0`、危險控制 `0`、工作溝通片語命中 `0` 已完成。下一步 P2-145 owner response acceptance gate。 66. 建立 owner response acceptance gate。✅ P2-145 已完成並正式驗證;承接 P2-144 readback,固定 acceptance gate lane `5`、required owner field `18`、acceptance validation check `6`、acceptance rejection guard `6`、operator action `5`、blocked no external response `5`、no acceptable external response `5`;owner response received / accepted / rejected、redacted payload ingested、reviewer queue write、Gateway queue write、Telegram send、Bot API、result capture、learning、PlayBook trust、production write、secret read、destructive operation 仍為 `0 / false`;feature commit `386dbd07`、deploy marker `36fbfc6b`、Gitea code-review `2969` / CD `2968` success;P2-144 + P2-145 regression `16 passed`、JSON parse、Python compile、Web typecheck、guard、doc secret sanity、顯示值工作視窗污染掃描、i18n key parity、diff check、production API readback、in-app browser smoke、desktop / mobile smoke、水平溢位 `0`、P2-145 卡片操作控制 `0`、工作溝通片語命中 `0` 已完成。下一步 P2-146 acceptance receipt preview,且必須等合格、遮罩、欄位完整、可驗證來源的外部正式回覆後才能建立 receipt preview。 67. 新增 P0 配置控管優先序前台可視化。✅ 正式驗證完成;`/zh-TW/iwooos` 已集中顯示 Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類即時風險配置;owner response `0 / 0`、live evidence `0`、執行期 `0`、操作按鈕 `0`;feature commit `e992af89`、deploy marker `ed651a98`、Gitea code-review `2971` / CD `2970` success;本地與正式 in-app browser、desktop `1440x1100`、mobile `390x844` smoke 通過。這不是 Nginx live conf 讀取、`nginx -t`、reload、DNS / TLS probe、certbot renew、ArgoCD sync、kubectl、workflow / secret 修改、public route change、agent-bounty runtime、payout / withdrawal、production write 或 runtime gate。 +68. 補強 P0 高價值配置 Gate path pattern。✅ 本地完成;`k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*` 已納入 high-value config classification,Nginx public gateway 與 DNS / TLS / certbot sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`;snapshot 顯示 `changed_files=6`、`matched=6`、`categories=3`、`c0=2`、`c1=0`,owner evidence 仍 `provided=false / complete=false`,runtime execution 仍 `false`。這不是 live config read、`nginx -t`、reload、certbot renew、DNS / TLS probe、host write、active scan、workflow 修改、secret 收集、production write 或 runtime gate。 #### 3.2.1d 2026-06-11 Agent 互動、學習與成長證據面 diff --git a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md index d54d1cf7..61274df5 100644 --- a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md +++ b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md @@ -74,6 +74,7 @@ | P0-7 | Telegram 批准後執行真相鏈止血 | 100% | no-action approval 不再顯示批准 / 執行中;可執行修復 approval 會寫入 `auto_repair_executions`、KM 與 verifier;下一步補 MCP evidence / PlayBook trust 產生真正修復候選 | 目標 pytest `125 passed`、py_compile、guard、production health、API / worker rollout、production pod classifier readback | | P0-8 | Telegram no-action 人工處置包與操作入口 | 100% | no-action 卡片已新增人工處置包、證據補齊清單、AwoooP 修復候選建立步驟、verifier / KM / PlayBook 回寫提醒,並改成 `處置包`、`重診`、`歷史`、`靜默`、`真相鏈`、`Runs` 鍵盤;舊訊息不 retroactive 改寫 | 目標 pytest `64 passed + 44 passed`、py_compile、guard、production health、API / worker rollout、production pod render / keyboard smoke | | P0-9 | MCP evidence -> PlayBook 修復候選產生 | D5 `88%` | 已補 webhook fallback 先建立 incident,再收 MCP evidence、查 approved PlayBook、檢查 trust / command safety、產生 medium approval candidate 與 verifier plan;D1 追加通用兜底 PlayBook / 診斷型命令不可誤當修復、阻擋理由繁中化;D2 在缺候選時產生 `repair_candidate_draft_package_v1`、`playbook_draft_required`、下一步與必填欄位;D3 新增 `awooop_repair_candidate_draft_work_item_v1` read-only projection 與 Telegram `工作項目` deeplink;D4 讓 AwoooP Work Items 詳細呈現 PlayBook 草案處置板、必填欄位、阻擋原因、下一步、Runs / 審批連結;D5 新增 `repair_candidate_coverage_gap_v1`,讓 blocked result 帶出 coverage key、target kind、blocking stage、必收 MCP evidence refs、PlayBook template fields 與 runtime 0 / false 邊界;下一步要補 MCP tool call/result 詳細證據面與真實告警 approval -> execution -> verifier -> KM / PlayBook 回寫 | 目標 pytest `7 passed`、py_compile、guard、diff check;後續部署後需補 production health、API / worker rollout 與 production pod metadata render smoke;status-chain 後續仍必須看到 tool call、PlayBook id、risk gate、repair candidate、verifier plan | +| P0-10 | 高價值配置 Gate path coverage 補強 | 100% | 已將 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*` 納入 `high-value-config-change-gate.py`,讓 Nginx public gateway 與 DNS / TLS / certbot 既有路徑命中 P0 / C0;owner evidence 仍未提供,runtime execution 仍 false | `high-value-config-change-gate.py` sample:補強後 `changed_files=6 matched=6 categories=3 c0=2 c1=0`;`py_compile`、snapshot JSON parse、progress guard、owner response guard、doc secret sanity、diff check | ## 3. S4.9 Owner Response Gate 規範 diff --git a/scripts/security/high-value-config-change-gate.py b/scripts/security/high-value-config-change-gate.py index aa4c5dd5..c9ed14dd 100644 --- a/scripts/security/high-value-config-change-gate.py +++ b/scripts/security/high-value-config-change-gate.py @@ -83,6 +83,7 @@ CATEGORIES = [ patterns=( "infra/ansible/roles/nginx/templates/*.j2", "infra/ansible/playbooks/nginx-sync.yml", + "k8s/nginx/**", "ops/nginx/**", "docs/runbooks/disaster-recovery/DR-Nginx.md", ), @@ -105,6 +106,8 @@ CATEGORIES = [ "docs/runbooks/REGISTRY-CERTBOT-188.md", "docs/runbooks/**/*CERTBOT*.md", "docs/runbooks/**/*TLS*.md", + "scripts/ops/**/*cert*", + "scripts/ops/**/*tls*", "ops/**/*cert*", "ops/**/*tls*", "infra/**/*cert*",