wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 6 Packages Projects Releases Wiki Activity

fix(security): 補高價值配置 Gate P0 路徑覆蓋 [skip ci]

Browse Source
This commit is contained in:
Your Name
2026-06-14 17:11:44 +08:00
parent 14be52ca77
commit dd8c2c0924
7 changed files with 141 additions and 106 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md
View File

@@ -33,6 +33,17 @@
| P2 | C2 | AWOOOI / AwoooP / IwoooS / VibeWork / other product runtime routes |
| P3 | C3 | Security evidence / snapshot / guard tooling |
### 2.1 2026-06-14 P0 pattern 補強
本輪補上兩類已存在但原本未被分類的 P0 路徑,避免 Nginx / certbot 相關檔案被視為普通文件或工具變更:
| 新增 pattern | 歸屬類別 | 理由 |
|--------------|----------|------|
| `k8s/nginx/**` | P0 / C0 Nginx public gateway | `k8s/nginx/awoooi-prod.conf` 會影響公開入口與 upstream必須要求 public gateway owner response、rendered diff、`nginx -t`、route smoke 與 rollback ref |
| `scripts/ops/**/*cert*``scripts/ops/**/*tls*` | P0 / C0 DNS / TLS / certbot | `scripts/ops/*certbot*` 會影響憑證修復、renewal 或 ACME 路徑,必須要求 domain / TLS owner response、renewal window、ACME smoke、public HTTPS smoke 與 rollback ref |
驗證 sample`k8s/nginx/awoooi-prod.conf``scripts/ops/188-registry-certbot-fix.sh``scripts/ops/fix-188-registry-certbot-renewal.sh` 皆命中 C0owner evidence 仍為 incompleteruntime execution 仍為 `false`
## 3. 指令
檢查目前 commit 相對前一個 commit

2
docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md
View File

@@ -7,7 +7,7 @@
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 |
| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP 執行監控 IwoooS 執行狀態只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub 主要來源就緒度只讀狀態板 + AwoooP 工作鏈路 GitHub 主要來源就緒度只讀工作項 + AwoooP 合約儀表板 GitHub 主要來源就緒度合約只讀候選 + AwoooP 審批佇列 GitHub 主要來源就緒度審批邊界 + AwoooP 首頁 GitHub 主要來源就緒度只讀摘要 + AwoooP 租戶管理 GitHub 主要來源就緒度租戶範圍 + AwoooP 執行監控 GitHub 主要來源就緒度執行邊界 + IwoooS / AwoooP 資安可視區塊繁體中文呈現防護檢查 + AwoooP 執行詳情 / 審批詳情繁體中文呈現防護檢查 + AwoooP 首頁負責人回覆驗收總覽 + AwoooP 工作鏈路負責人回覆驗收只讀工作項 + AwoooP 合約儀表板負責人回覆驗收契約只讀候選 + AwoooP 審批佇列負責人回覆驗收只讀審查邊界 + AwoooP 租戶管理負責人回覆驗收租戶範圍 + AwoooP 執行監控負責人回覆驗收執行邊界 + AwoooP 執行詳情負責人回覆驗收詳情邊界 + AwoooP 審批決策負責人回覆驗收審批邊界 + IwoooS AwoooP 資安入口覆蓋狀態板 + IwoooS 階段式資安收斂節奏圖 + IwoooS 下一步人工收件作戰板 + IwoooS 人工回覆安全驗收閘道 + IwoooS 人工回覆審查結果分流 + IwoooS 人工決策準備佇列 + IwoooS 人工決策紀錄草稿防誤用 + IwoooS 人工決策正式紀錄負責人指派確認準備包 + IwoooS 人工決策正式紀錄負責人指派確認清單 + IwoooS 人工決策正式紀錄負責人指派確認結果分流 + IwoooS 人工決策正式紀錄負責人指派決策準備包 + IwoooS 人工決策正式紀錄負責人指派決策檢查清單 + IwoooS S4.9 負責人回覆封套欄位 + IwoooS S4.9 負責人回覆封套送件前檢查 + IwoooS S4.9 負責人回覆封套送件前結果分流 + IwoooS S4.9 負責人回覆送件請求草稿 + IwoooS S4.9 負責人回覆送件鏈路摘要 + IwoooS 低摩擦分階段收斂主控 + IwoooS 低摩擦下一步行動邊界 + IwoooS 64% 進度移動訊號驗收條 + IwoooS 第一個進度解鎖路徑 + IwoooS 第一解鎖證據包 + IwoooS 第一解鎖證據包預檢分流 + IwoooS 第一解鎖證據包補件路徑 + IwoooS 第一解鎖證據包補件送審前檢查 + IwoooS 第一解鎖證據包補件送審結果分流 + IwoooS 第一解鎖證據包 reviewer 指派準備包 + IwoooS 第一解鎖證據包 reviewer 指派前檢查 + IwoooS 第一解鎖證據包 reviewer 指派前檢查結果分流 + IwoooS 正式只讀 landing 與 Kali 112 只讀證據進度重估 |
| 本階段追加補充 | IwoooS 目前具體工作地圖 + IwoooS 目前具體交付清單 + IwoooS 目前阻塞與解除條件 + IwoooS 三軸進度與全產品套用範圍 + IwoooS 全產品分階段套用台帳 + IwoooS 全產品 rollout 波次驗收門檻 + IwoooS 全產品 rollout 驗收結果分流 + IwoooS 全產品證據接線地圖 + IwoooS 全產品證據接線預檢 + IwoooS 全產品證據接線預檢結果分流 + IwoooS 全產品預檢補件回收台帳 + IwoooS 全產品補件重試門檻 + IwoooS 全產品重試結果分流 + IwoooS 全產品人工審查候選準備 + IwoooS 全產品人工審查候選預檢 + IwoooS 全產品人工審查候選預檢結果分流 + IwoooS 全產品人工審查候選預檢補件回收台帳 + IwoooS 全產品人工審查候選預檢補件重試門檻 + IwoooS 全產品只讀套用快照 + P2-145 owner response acceptance gate 正式驗證完成 |
| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置owner response / live evidence / runtime gate / action buttons 仍全部為 0 |
| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**``scripts/ops/**/*cert*``scripts/ops/**/*tls*`sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`owner response / live evidence / runtime gate / action buttons 仍全部為 0 |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
| P0 主控板 | `docs/workplans/2026-06-04-iwooos-security-governance-p0.md` |

207
docs/security/high-value-config-change-gate.snapshot.json
View File

@@ -1,26 +1,5 @@
{
"changed_files": [
{
"categories": [
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
]
}
],
"matched": true,
"path": "docs/LOGBOOK.md",
"strongest_priority": "P3",
"strongest_tier": "C3"
},
{
"categories": [
{
@@ -42,48 +21,6 @@
"strongest_priority": "P3",
"strongest_tier": "C3"
},
{
"categories": [
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
]
}
],
"matched": true,
"path": "docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET.md",
"strongest_priority": "P3",
"strongest_tier": "C3"
},
{
"categories": [
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
]
}
],
"matched": true,
"path": "docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
"strongest_priority": "P3",
"strongest_tier": "C3"
},
{
"categories": [
{
@@ -108,23 +45,71 @@
{
"categories": [
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"category_id": "nginx_public_gateway",
"control_tier": "C0",
"label": "Nginx / reverse proxy / public route",
"priority": "P0",
"required_gate": "public_gateway_owner_response_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
"rendered_diff",
"nginx_t",
"affected_route_smoke",
"admin_route_smoke_if_affected",
"acme_path_smoke_if_affected",
"rollback_ref"
]
}
],
"matched": true,
"path": "docs/security/high-value-config-owner-packet.snapshot.json",
"strongest_priority": "P3",
"strongest_tier": "C3"
"path": "k8s/nginx/awoooi-prod.conf",
"strongest_priority": "P0",
"strongest_tier": "C0"
},
{
"categories": [
{
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"label": "DNS / TLS / certbot / certificate path",
"priority": "P0",
"required_gate": "domain_tls_owner_response_required",
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
]
}
],
"matched": true,
"path": "scripts/ops/188-registry-certbot-fix.sh",
"strongest_priority": "P0",
"strongest_tier": "C0"
},
{
"categories": [
{
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"label": "DNS / TLS / certbot / certificate path",
"priority": "P0",
"required_gate": "domain_tls_owner_response_required",
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
]
}
],
"matched": true,
"path": "scripts/ops/fix-188-registry-certbot-renewal.sh",
"strongest_priority": "P0",
"strongest_tier": "C0"
},
{
"categories": [
@@ -146,27 +131,6 @@
"path": "scripts/security/high-value-config-change-gate.py",
"strongest_priority": "P3",
"strongest_tier": "C3"
},
{
"categories": [
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
]
}
],
"matched": true,
"path": "scripts/security/high-value-config-owner-packet.py",
"strongest_priority": "P3",
"strongest_tier": "C3"
}
],
"control_category_inventory": [
@@ -177,6 +141,7 @@
"path_patterns": [
"infra/ansible/roles/nginx/templates/*.j2",
"infra/ansible/playbooks/nginx-sync.yml",
"k8s/nginx/**",
"ops/nginx/**",
"docs/runbooks/disaster-recovery/DR-Nginx.md"
],
@@ -210,6 +175,8 @@
"docs/runbooks/REGISTRY-CERTBOT-188.md",
"docs/runbooks/**/*CERTBOT*.md",
"docs/runbooks/**/*TLS*.md",
"scripts/ops/**/*cert*",
"scripts/ops/**/*tls*",
"ops/**/*cert*",
"ops/**/*tls*",
"infra/**/*cert*",
@@ -636,7 +603,7 @@
],
"diff": {
"base": null,
"changed_file_count": 8,
"changed_file_count": 6,
"head": "HEAD"
},
"execution_boundaries": {
@@ -650,9 +617,39 @@
"ssh_executed": false,
"workflow_modified": false
},
"generated_at": "2026-06-11T13:00:00+08:00",
"git_commit": "ccf87213",
"generated_at": "2026-06-14T17:13:00+08:00",
"git_commit": "168bd777",
"impacted_categories": [
{
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"label": "DNS / TLS / certbot / certificate path",
"priority": "P0",
"required_gate": "domain_tls_owner_response_required",
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
]
},
{
"category_id": "nginx_public_gateway",
"control_tier": "C0",
"label": "Nginx / reverse proxy / public route",
"priority": "P0",
"required_gate": "public_gateway_owner_response_required",
"required_validation": [
"rendered_diff",
"nginx_t",
"affected_route_smoke",
"admin_route_smoke_if_affected",
"acme_path_smoke_if_affected",
"rollback_ref"
]
},
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
@@ -714,15 +711,15 @@
],
"schema_version": "high_value_config_change_gate_v1",
"summary": {
"changed_file_count": 8,
"impacted_c0_category_count": 0,
"changed_file_count": 6,
"impacted_c0_category_count": 2,
"impacted_c1_category_count": 0,
"impacted_category_count": 1,
"matched_high_value_file_count": 8,
"impacted_category_count": 3,
"matched_high_value_file_count": 6,
"owner_evidence_complete": false,
"owner_evidence_provided": false,
"runtime_execution_authorized": false,
"strongest_priority": "P3",
"strongest_tier": "C3"
"strongest_priority": "P0",
"strongest_tier": "C0"
}
}