From e355c8eb0fee1b1b5b41955811bc987ba2d88ef1 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 4 Jun 2026 09:13:35 +0800 Subject: [PATCH] fix(web): show Kali maintenance runway --- apps/web/messages/en.json | 29 +++++++++- apps/web/messages/zh-TW.json | 29 +++++++++- apps/web/src/app/[locale]/iwooos/page.tsx | 58 ++++++++++++++++++- docs/security/KALI-INTEGRATION-STATUS.md | 16 ++--- docs/security/KALI-SECURITY-MESH-BLUEPRINT.md | 8 +-- .../KALI-SECURITY-MESH-EXECUTION-READINESS.md | 4 +- .../iwooos-posture-projection.snapshot.json | 3 +- .../kali-integration-status.snapshot.json | 15 ++--- ...ecurity-mirror-status-rollup.snapshot.json | 16 ++++- .../security-mirror-progress-guard.py | 21 ++++++- 10 files changed, 164 insertions(+), 35 deletions(-) diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index 0e5044f1..77d20789 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json 
@@ -7513,13 +7513,36 @@ "kaliMaintenanceReadiness": { "eyebrow": "Kali 112 維護就緒度", "title": "Kali 112 今天已重新只讀驗證,更新與重啟仍在維護閘門", - "subtitle": "這個看板把 2026-06-03 10:23 的只讀 SSH 快照轉成操作可讀狀態:掃描服務與健康檢查正常,node-exporter 與 wg-easy 仍在運作;但完整套件升級、自動移除、重啟、掃描、/execute 與服務硬化套用都還沒有批准。", + "subtitle": "這個看板把 2026-06-04 08:55 的只讀 SSH 快照轉成操作可讀狀態:掃描服務與 8080 /health 健康檢查正常,node-exporter 與 wg-easy 仍在運作;但完整套件升級、自動移除、重啟、掃描、/execute 與服務硬化套用都還沒有批准。", "maintenanceGateLabel": "維護 閘門", "maintenanceGate": "Kali 完整套件升級、自動移除與重啟仍在資安審批佇列等待批准。必須先有維護窗口、快照、回復方案、事後健康複驗與人工批准,才能往主機更新前進。", "nextEvidenceLabel": "下一份要補的證據", "nextEvidence": "將 Kali 112 維護窗口批准案的維護窗口、回復負責人、服務驗證清單與失敗處理路徑補齊。補齊前 IwoooS 只顯示就緒度,不提供任何更新或重啟入口。", + "runwayLabel": "維護闖關路徑", "boundaryTitle": "只讀邊界", "boundaryIntro": "以下邊界由 `kali-integration-status.snapshot.json` 與審批佇列投影而來,用來避免把可見狀態誤讀成執行授權。", + "runway": { + "snapshot": { + "title": "今日只讀快照", + "detail": "已完成,僅讀取主機狀態與健康檢查。" + }, + "window": { + "title": "維護窗口", + "detail": "尚未排定,不能直接升級或重啟。" + }, + "rollback": { + "title": "回復方案", + "detail": "需先定義快照、回復負責人與失敗處理。" + }, + "postHealth": { + "title": "事後健康檢查", + "detail": "需鎖定 SSH、Docker、scanner、監控複驗清單。" + }, + "humanApproval": { + "title": "人工批准", + "detail": "未批准前仍只有看板,不提供更新入口。" + } + }, "items": { "readOnlySnapshot": { "label": "最新只讀快照", @@ -7527,7 +7550,7 @@ }, "scannerHealth": { "label": "掃描服務健康", - "detail": "kali-scanner.service 目前運行且開機啟用,/health 回健康。" + "detail": "kali-scanner.service 目前運行且開機啟用,8080 /health 回健康。" }, "upgradablePackages": { "label": "待更新套件", @@ -13227,7 +13250,7 @@ }, "kali112": { "title": "Kali 112 已納入資安網", - "body": "2026-06-03 10:23 已用既有 SSH key 完成只讀快照:系統 Kali Rolling、核心 6.16.8、根目錄磁碟使用 26%、掃描服務健康、待更新套件 1994、失敗服務單元 networking.service、服務硬化 0/4。沒有啟動掃描、/execute、主機更新、調校或重啟。" + "body": "2026-06-04 08:55 已用既有 SSH key 完成只讀快照:系統 Kali Rolling、核心 6.16.8、根目錄磁碟使用 26%、掃描服務 8080 /health 健康、待更新套件 1994、失敗服務單元 networking.service、服務硬化 0/4。沒有啟動掃描、/execute、主機更新、調校或重啟。" }, "allProducts": { "title": "所有產品先套只讀框架", 
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index 0e5044f1..77d20789 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -7513,13 +7513,36 @@ "kaliMaintenanceReadiness": { "eyebrow": "Kali 112 維護就緒度", "title": "Kali 112 今天已重新只讀驗證,更新與重啟仍在維護閘門", - "subtitle": "這個看板把 2026-06-03 10:23 的只讀 SSH 快照轉成操作可讀狀態:掃描服務與健康檢查正常,node-exporter 與 wg-easy 仍在運作;但完整套件升級、自動移除、重啟、掃描、/execute 與服務硬化套用都還沒有批准。", + "subtitle": "這個看板把 2026-06-04 08:55 的只讀 SSH 快照轉成操作可讀狀態:掃描服務與 8080 /health 健康檢查正常,node-exporter 與 wg-easy 仍在運作;但完整套件升級、自動移除、重啟、掃描、/execute 與服務硬化套用都還沒有批准。", "maintenanceGateLabel": "維護 閘門", "maintenanceGate": "Kali 完整套件升級、自動移除與重啟仍在資安審批佇列等待批准。必須先有維護窗口、快照、回復方案、事後健康複驗與人工批准,才能往主機更新前進。", "nextEvidenceLabel": "下一份要補的證據", "nextEvidence": "將 Kali 112 維護窗口批准案的維護窗口、回復負責人、服務驗證清單與失敗處理路徑補齊。補齊前 IwoooS 只顯示就緒度,不提供任何更新或重啟入口。", + "runwayLabel": "維護闖關路徑", "boundaryTitle": "只讀邊界", "boundaryIntro": "以下邊界由 `kali-integration-status.snapshot.json` 與審批佇列投影而來,用來避免把可見狀態誤讀成執行授權。", + "runway": { + "snapshot": { + "title": "今日只讀快照", + "detail": "已完成,僅讀取主機狀態與健康檢查。" + }, + "window": { + "title": "維護窗口", + "detail": "尚未排定,不能直接升級或重啟。" + }, + "rollback": { + "title": "回復方案", + "detail": "需先定義快照、回復負責人與失敗處理。" + }, + "postHealth": { + "title": "事後健康檢查", + "detail": "需鎖定 SSH、Docker、scanner、監控複驗清單。" + }, + "humanApproval": { + "title": "人工批准", + "detail": "未批准前仍只有看板,不提供更新入口。" + } + }, "items": { "readOnlySnapshot": { "label": "最新只讀快照", @@ -7527,7 +7550,7 @@ }, "scannerHealth": { "label": "掃描服務健康", - "detail": "kali-scanner.service 目前運行且開機啟用,/health 回健康。" + "detail": "kali-scanner.service 目前運行且開機啟用,8080 /health 回健康。" }, "upgradablePackages": { "label": "待更新套件", 
@@ -13227,7 +13250,7 @@ }, "kali112": { "title": "Kali 112 已納入資安網", - "body": "2026-06-03 10:23 已用既有 SSH key 完成只讀快照:系統 Kali Rolling、核心 6.16.8、根目錄磁碟使用 26%、掃描服務健康、待更新套件 1994、失敗服務單元 networking.service、服務硬化 0/4。沒有啟動掃描、/execute、主機更新、調校或重啟。" + "body": "2026-06-04 08:55 已用既有 SSH key 完成只讀快照:系統 Kali Rolling、核心 6.16.8、根目錄磁碟使用 26%、掃描服務 8080 /health 健康、待更新套件 1994、失敗服務單元 networking.service、服務硬化 0/4。沒有啟動掃描、/execute、主機更新、調校或重啟。" }, "allProducts": { "title": "所有產品先套只讀框架", diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx index 026c06c1..d6e069ec 100644 --- a/apps/web/src/app/[locale]/iwooos/page.tsx +++ b/apps/web/src/app/[locale]/iwooos/page.tsx @@ -728,6 +728,13 @@ type KaliMaintenanceReadinessItem = { tone: 'steady' | 'warn' | 'locked' } +type KaliMaintenanceRunwayStep = { + key: string + step: string + icon: typeof ShieldCheck + tone: 'steady' | 'warn' | 'locked' +} + type HostActionGateItem = { key: string gate: string @@ -4116,7 +4123,7 @@ const hostCoverageItems: HostCoverageItem[] = [ ] const kaliMaintenanceReadinessItems: KaliMaintenanceReadinessItem[] = [ - { key: 'readOnlySnapshot', value: '2026-06-03 10:23', icon: ShieldCheck, tone: 'steady' }, + { key: 'readOnlySnapshot', value: '2026-06-04 08:55', icon: ShieldCheck, tone: 'steady' }, { key: 'scannerHealth', value: '健康', icon: CheckCircle2, tone: 'steady' }, { key: 'upgradablePackages', value: '1994', icon: FileWarning, tone: 'warn' }, { key: 'failedSystemdUnits', value: '1', icon: AlertTriangle, tone: 'warn' }, 
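Review bot: `key: string` on the new `KaliMaintenanceRunwayStep` type leaves the runway key unchecked, which is why the render hunk later in this file section (`@@ -16823`) has to write `t(`runway.${item.key}.title` as never)` and the same for `.detail`; an `as never` cast turns a typo in one of the five keys into a missing translation at runtime instead of a compile error. Narrowing the field to the keys the message files define, `key: 'snapshot' | 'window' | 'rollback' | 'postHealth' | 'humanApproval'`, keeps `kaliMaintenanceRunwaySteps` checked against `messages/*.json`; whether the cast can then be dropped depends on how the project's `t` is typed, which is not visible here. The sibling `HostActionGateItem` uses the same `key: string` shape, so this is an existing convention rather than a regression, but the new type is the place to tighten it.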
@@ -4126,8 +4133,9 @@ const kaliMaintenanceReadinessItems: KaliMaintenanceReadinessItem[] = [ const kaliMaintenanceReadinessBoundaries = [ 'kali_112_read_only_snapshot_collected=true', - 'kali_112_read_only_observed_at=2026-06-03T10:23:51+08:00', + 'kali_112_read_only_observed_at=2026-06-04T08:55:43+08:00', 'kali_112_scanner_health=healthy', + 'kali_112_scanner_health_endpoint=127.0.0.1:8080/health', 'kali_112_scanner_service_active=active', 'kali_112_scanner_service_enabled=enabled', 'kali_112_upgradable_package_count=1994', @@ -4144,6 +4152,14 @@ const kaliMaintenanceReadinessBoundaries = [ 'not_authorization=true', ] as const +const kaliMaintenanceRunwaySteps: KaliMaintenanceRunwayStep[] = [ + { key: 'snapshot', step: '01', icon: ShieldCheck, tone: 'steady' }, + { key: 'window', step: '02', icon: Clock3, tone: 'warn' }, + { key: 'rollback', step: '03', icon: FileWarning, tone: 'warn' }, + { key: 'postHealth', step: '04', icon: CheckCircle2, tone: 'warn' }, + { key: 'humanApproval', step: '05', icon: Lock, tone: 'locked' }, +] + const hostActionGateItems: HostActionGateItem[] = [ { key: 'activeScan', gate: 'S1.6', icon: Radar, tone: 'locked' }, { key: 'credentialedScan', gate: 'S1.6', icon: Lock, tone: 'locked' }, @@ -16823,6 +16839,44 @@ function KaliMaintenanceReadinessBoard() { +
+
{t('runwayLabel')}
+
+ {kaliMaintenanceRunwaySteps.map(item => { + const Icon = item.icon + return ( +
+
+ {item.step} + +
+
+ {t(`runway.${item.key}.title` as never)} +
+

+ {t(`runway.${item.key}.detail` as never)} +

+
+ ) + })} +
+
+
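Review bot: The step number rendered as `{item.step}` in the new runway list comes from hand-written `'01'`…`'05'` strings in `kaliMaintenanceRunwaySteps` (the `@@ -4144` hunk), so the label duplicates the array position and a reorder or insertion leaves the numbering silently out of sequence with nothing checking it. Using the map index instead, `kaliMaintenanceRunwaySteps.map((item, index) => {` with `String(index + 1).padStart(2, '0')` in place of `item.step`, ties the label to the order that is actually rendered, and the `step` field can then go. The markup of this hunk is only partially legible here, and the enclosing `KaliMaintenanceReadinessBoard` begins before it.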
日期:2026-05-06(台北時間) -> 狀態:原始規劃;2026-05-13 已完成 Kali 112 live 盤點、低風險主機更新、`security_finding_v1` sample 與 scan scope approval package;2026-06-03 已完成 Kali 112 只讀重驗證,尚未開始 AWOOOI runtime ingestion 實作 +> 狀態:原始規劃;2026-05-13 已完成 Kali 112 live 盤點、低風險主機更新、`security_finding_v1` sample 與 scan scope approval package;2026-06-04 已完成 Kali 112 只讀重驗證,尚未開始 AWOOOI runtime ingestion 實作 > 上游藍圖:`docs/security/KALI-SECURITY-MESH-BLUEPRINT.md` > AwoooP 同步:`docs/security/AWOOOP-SECURITY-SUPPLYCHAIN-INTEGRATION-HANDOFF.md` @@ -19,7 +19,7 @@ 2026-05-13 追加契約狀態:已建立 `docs/security/SECURITY-FINDING-CONTRACT.md`、`docs/security/security-finding-kali-sample.snapshot.json`、`docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` 與 `docs/security/kali-scan-scope-approval.snapshot.json`。這代表 scope 與 finding envelope 可被 review / mirror,不代表已批准或執行任何 scan。 -2026-06-03 追加只讀重驗證:已用既有 SSH key 讀取 `192.168.0.112` 狀態,確認 scanner health healthy、`kali-scanner.service` active / enabled、node-exporter 與 wg-easy 運作中、失敗服務單元為 `networking.service`、待更新套件仍為 1994、服務 hardening 仍為 `0 / 4`。本追加不代表已批准 active scan、credentialed scan、AWOOOI runtime ingestion、`/execute` 接入、full-upgrade、autoremove、reboot 或服務 hardening 套用。 +2026-06-04 追加只讀重驗證:已用既有 SSH key 讀取 `192.168.0.112` 狀態,確認 scanner `127.0.0.1:8080/health` 回 `200 healthy`、`kali-scanner.service` active / enabled、node-exporter 與 wg-easy 運作中、失敗服務單元為 `networking.service`、待更新套件仍為 1994、服務 hardening 仍為 `0 / 4`。本追加不代表已批准 active scan、credentialed scan、AWOOOI runtime ingestion、`/execute` 接入、full-upgrade、autoremove、reboot 或服務 hardening 套用。 ## 1. 非實作邊界 diff --git a/docs/security/iwooos-posture-projection.snapshot.json b/docs/security/iwooos-posture-projection.snapshot.json index d8887d8d..4463a1ba 100644 --- a/docs/security/iwooos-posture-projection.snapshot.json +++ b/docs/security/iwooos-posture-projection.snapshot.json 
@@ -2353,7 +2353,7 @@
 "item_id": "kali_112_read_only_snapshot",
 "display_order": 1,
 "source_contract": "kali_integration_status_v1",
- "source_observed_at_taipei": "2026-06-03T10:23:51+08:00",
+ "source_observed_at_taipei": "2026-06-04T08:55:43+08:00",
 "readiness_state": "snapshot_collected_read_only",
 "display_mode": "maintenance_readiness_only",
 "runtime_execution_authorized": false,
@@ -2367,6 +2367,7 @@
 "display_order": 2,
 "source_contract": "kali_integration_status_v1",
 "metric_value": "healthy",
+ "scanner_api_health_endpoint": "127.0.0.1:8080/health",
 "scanner_service_state": "active",
 "scanner_service_enabled": "enabled",
 "readiness_state": "scanner_runtime_healthy_read_only",
diff --git a/docs/security/kali-integration-status.snapshot.json b/docs/security/kali-integration-status.snapshot.json
index d60e4e07..d3466f02 100644
--- a/docs/security/kali-integration-status.snapshot.json
+++ b/docs/security/kali-integration-status.snapshot.json
@@ -53,8 +53,8 @@
 "full_upgrade_status": "not_run_requires_maintenance_window"
 },
 "latest_read_only_observation": {
- "observed_at_utc": "2026-06-03T02:23:51Z",
- "observed_at_taipei": "2026-06-03T10:23:51+08:00",
+ "observed_at_utc": "2026-06-04T00:55:43Z",
+ "observed_at_taipei": "2026-06-04T08:55:43+08:00",
 "collection_mode": "ssh_batch_read_only_existing_key",
 "runtime_actions_executed": false,
 "active_scan_executed": false,
@@ -63,16 +63,17 @@
 "hostname": "kali",
 "os": "Kali GNU/Linux Rolling",
 "kernel": "Linux 6.16.8+kali-amd64",
- "uptime": "up 3 weeks, 4 days, 8 hours, 31 minutes",
- "load_1_5_15": "0.07 0.14 0.16",
- "memory_used_total": "922Mi/7.8Gi",
+ "uptime": "up 3 weeks, 5 days, 4 hours, 48 minutes",
+ "load_1_5_15": "0.15 0.20 0.18",
+ "memory_used_total": "921Mi/7.8Gi",
 "disk_root_used_total_percent": "19G/79G 26%",
 "scanner_service_state": "active",
 "scanner_service_enabled": "enabled",
 "scanner_api_health_status": "healthy",
+ "scanner_api_health_endpoint": "127.0.0.1:8080/health",
 "docker_services": [
- "node-exporter=Up 3 weeks",
- "wg-easy=Up 3 weeks (healthy)"
+ "node-exporter=Up 4 weeks",
+ "wg-easy=Up 4 weeks (healthy)"
 ],
 "failed_systemd_unit_count": 1,
 "failed_systemd_unit_names": [
diff --git a/docs/security/security-mirror-status-rollup.snapshot.json b/docs/security/security-mirror-status-rollup.snapshot.json
index 67724fc4..cf661641 100644
--- a/docs/security/security-mirror-status-rollup.snapshot.json
+++ b/docs/security/security-mirror-status-rollup.snapshot.json
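Review bot: The new `scanner_api_health_endpoint` value `127.0.0.1:8080/health` records where the read-only probe was sent, not what the scanner actually listens on; if port 8080 is bound to all interfaces rather than loopback, the string understates the exposure of a service that the board then reports as "healthy". If the SSH batch already collects listening sockets, carrying the bind address in a sibling field (say a proposed `scanner_api_listen_address`, name to be agreed) would let `security-mirror-progress-guard.py` assert the bind scope alongside the health status. The collection script is not on this page, so whether that data is already available is an open question.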
@@ -2477,11 +2477,23 @@ { "delta_id": "s2_167_iwooos_kali_112_live_read_only_recheck", "display_order": 196, - "completed_stage": "S2.167 IwoooS Kali 112 今日只讀重驗證", + "completed_stage": "S2.167 IwoooS Kali 112 今日只讀重驗證與維護闖關路徑", "progress_axis": "framework_detail", "headline_percent_delta": 0, "framework_delta_visible": true, - "why_headline_unchanged": "IwoooS 只把 2026-06-03T10:23:51+08:00 的 Kali 112 只讀 SSH 快照、scanner health=healthy、scanner service active/enabled、failed_systemd_unit=networking.service、upgradable_package_count=1994 與 systemd hardening 0/4 投影到維護就緒度;runtime_actions_executed=false、active_scan_executed=false、package_update_executed=false、host_reboot_executed=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false,不把只讀重驗證當掃描、更新、主機調校、修復、部署、Kali /execute、GitHub 主要來源切換或 Gitea 停用。", + "why_headline_unchanged": "IwoooS 只把 2026-06-04T08:55:43+08:00 的 Kali 112 只讀 SSH 快照、scanner health=healthy、scanner endpoint=127.0.0.1:8080/health、scanner service active/enabled、failed_systemd_unit=networking.service、upgradable_package_count=1994 與 systemd hardening 0/4 投影到維護就緒度,並新增維護闖關路徑;runtime_actions_executed=false、active_scan_executed=false、package_update_executed=false、host_reboot_executed=false、runtime_execution_authorized=false、active_runtime_gate_count=0、action_buttons_allowed=false,不把只讀重驗證當掃描、更新、主機調校、修復、部署、Kali /execute、GitHub 主要來源切換或 Gitea 停用。", + "runtime_delta": false, + "execution_authorized": false, + "not_authorization": true + }, + { + "delta_id": "s2_168_iwooos_kali_112_maintenance_runway", + "display_order": 197, + "completed_stage": "S2.168 IwoooS Kali 112 維護闖關路徑", + "progress_axis": "framework_detail", + "headline_percent_delta": 0, + "framework_delta_visible": true, + "why_headline_unchanged": "IwoooS 將 Kali 112 
下一階段拆成今日只讀快照、維護窗口、回復方案、事後健康檢查與人工批准五個可視化闖關節點;runway_action_buttons_allowed=false、runtime_actions_executed=false、active_scan_executed=false、package_update_executed=false、host_reboot_executed=false、runtime_execution_authorized=false、active_runtime_gate_count=0,不把闖關路徑當成維護窗口已排定、主機更新、重啟、掃描、服務硬化套用或 /execute 授權。", "runtime_delta": false, "execution_authorized": false, "not_authorization": true diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index fd98b66b..6470a0c5 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -504,8 +504,10 @@ def validate(root: Path) -> None: "maintenanceGate", "nextEvidenceLabel", "nextEvidence", + "runwayLabel", "boundaryTitle", "boundaryIntro", + "runway", "items", ]: assert_contains( @@ -529,9 +531,11 @@ def validate(root: Path) -> None: for text in [ "KaliMaintenanceReadinessBoard", 'data-testid="iwooos-kali-maintenance-readiness-board"', - "2026-06-03 10:23", - "kali_112_read_only_observed_at=2026-06-03T10:23:51+08:00", + "kaliMaintenanceRunwaySteps", + "2026-06-04 08:55", + "kali_112_read_only_observed_at=2026-06-04T08:55:43+08:00", "kali_112_scanner_health=healthy", + "kali_112_scanner_health_endpoint=127.0.0.1:8080/health", "kali_112_scanner_service_active=active", "kali_112_scanner_service_enabled=enabled", "kali_112_upgradable_package_count=1994", @@ -767,6 +771,7 @@ def validate(root: Path) -> None: "s2_165_iwooos_s49_owner_response_delivery_cards", "s2_166_iwooos_progress_integrity_ribbon", "s2_167_iwooos_kali_112_live_read_only_recheck", + "s2_168_iwooos_kali_112_maintenance_runway", ] assert_equal( "progress_delta_ledger.delta_ids", 
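Review bot: The `for text in [...]` list in the `@@ -529` hunk pins the new observation strings `2026-06-04 08:55` and `kali_112_read_only_observed_at=2026-06-04T08:55:43+08:00`, but only checks that they are present; a page that still carries the previous `2026-06-03 10:23` values next to the new ones passes unchanged. Since the guard exists to keep the board and the snapshot in step, a negative check for the superseded observation strings (the inverse of `assert_contains`, if the script has one) would catch a half-applied bump. The same presence-only pattern holds for the endpoint literal `127.0.0.1:8080/health`, which the `@@ -4043` and `@@ -6883` hunks on the next line assert in two more places without a shared constant, so a future endpoint change has to be edited by hand in each. `validate` starts before these hunks and its body is not visible here.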
@@ -4043,6 +4048,11 @@ def validate(root: Path) -> None:
 iwooos_kali_maintenance_readiness[1]["metric_value"],
 "healthy",
 )
+ assert_equal(
+ "iwooos_projection.kali_maintenance_readiness_items.scanner_api_health_endpoint",
+ iwooos_kali_maintenance_readiness[1]["scanner_api_health_endpoint"],
+ "127.0.0.1:8080/health",
+ )
 assert_equal(
 "iwooos_projection.kali_maintenance_readiness_items.scanner_service_state",
 iwooos_kali_maintenance_readiness[1]["scanner_service_state"],
@@ -6861,7 +6871,7 @@ def validate(root: Path) -> None:
 assert_equal(
 "kali_status.latest_read_only_observation.observed_at_taipei",
 latest_kali_observation["observed_at_taipei"],
- "2026-06-03T10:23:51+08:00",
+ "2026-06-04T08:55:43+08:00",
 )
 assert_equal(
 "kali_status.latest_read_only_observation.collection_mode",
@@ -6883,6 +6893,11 @@ def validate(root: Path) -> None:
 latest_kali_observation["scanner_api_health_status"],
 "healthy",
 )
+ assert_equal(
+ "kali_status.latest_read_only_observation.scanner_api_health_endpoint",
+ latest_kali_observation["scanner_api_health_endpoint"],
+ "127.0.0.1:8080/health",
+ )
 assert_equal(
 "kali_status.latest_read_only_observation.scanner_service_state",
 latest_kali_observation["scanner_service_state"],