# IwoooS SSH / Firewall / Network Access Owner Request Draft

| Item | Content |
|------|---------|
| Date | 2026-06-14 |
| Status | `owner_request_draft_ready_not_dispatched` |
| Tool | `scripts/security/ssh-network-owner-request-draft.py` |
| Snapshot | `docs/security/ssh-network-owner-request-draft.snapshot.json` |
| Source inventory | `docs/security/ssh-network-access-inventory.snapshot.json` |
| runtime gate | `0` |

## 1. Purpose

This document builds on the repo-only SSH / network access inventory and turns its 16 surfaces into request drafts to be dispatched manually. It gives the SSH targets, known_hosts, CI deploy SSH, monitoring SSH, backup SSH, sudoers, NetworkPolicy, NodePort, WireGuard and alert SSH action catalog a consistent set of owner response fields.

It is not the live firewall source of truth, not an approval to open or close ports, not a known_hosts patch, not a host keyscan, not a NetworkPolicy apply, and not a WireGuard cutover.

## 2. Summary

| Metric | Current value | Notes |
|--------|---------------|-------|
| request draft | `16` | one draft per SSH / network access surface |
| write-capable request draft | `6` | CI deploy SSH, monitoring deploy, sudoers, alert action catalog |
| live evidence required request | `16` | every request requires the owner to supply redacted live access evidence |
| request field | `23` | total number of fields per draft |
| required owner field | `13` | fields the owner must fill in |
| blocked action | `16` | SSH, keyscan, known_hosts, firewall, port, NetworkPolicy, NodePort, WireGuard, sudo, deploy SSH, active scan, runtime gate, etc. |
| request sent / recipient confirmed | `0 / 0` | not yet dispatched |
| owner response received / accepted | `0 / 0` | none received, none accepted |
| live evidence received | `0` | no SSH, no keyscan, no live firewall read |
| maintenance window / rollback owner / validation accepted | `0 / 0 / 0` | no port change, policy apply or cutover is permitted |
| runtime gate / action button | `0 / 0` | no operational entry point is provided |

## 3. Request Draft Scope

| Request | Type | Scope | Risk focus |
|---------|------|-------|------------|
| `ssh_network_owner_request:ansible_inventory_ssh_targets` | SSH target inventory | `110_111_112_120_121_188` | host owner, pinned known_hosts, ProxyJump, key owner |
| `ssh_network_owner_request:ansible_common_ssh_args` | SSH client policy | `multi_host` | whether `accept-new` is restricted to bootstrap only |
| `ssh_network_owner_request:gitea_cd_known_hosts_secret` | known_hosts workflow | `110_120_121_188_known_hosts` | known_hosts secret metadata, handling of the missing 120 entry, key rotation owner |
| `ssh_network_owner_request:gitea_cd_deploy_ssh` | CI deploy SSH | `k8s_ssh_host` | deploy SSH host owner, rollback, break-glass |
| `ssh_network_owner_request:gitea_cd_dev_ssh` | CI deploy SSH | `192.168.0.120` | dev/prod boundary, deploy key scope, host key policy |
| `ssh_network_owner_request:deploy_alerts_ssh_path` | CI deploy SSH | `192.168.0.110` | alert deploy owner, known_hosts pinning, notification path |
| `ssh_network_owner_request:monitoring_discover_docker_ssh` | SSH discovery script | `110_188_docker_hosts` | read-only window, output redaction, failure handling |
| `ssh_network_owner_request:monitoring_exporter_deploy_ssh` | monitoring SSH deploy | `192.168.0.188` | exporter deploy owner, maintenance window, post-check |
| `ssh_network_owner_request:backup_config_ssh_capture` | SSH backup capture | `110_188_120_121_cluster` | backup execution owner, secret redaction, restore validation |
| `ssh_network_owner_request:host_ops_sudoers_wrapper` | sudoers policy | `host_ops_minimal_sudo` | live sudoers hash, visudo validation, forbidden command proof |
| `ssh_network_owner_request:k8s_prod_network_policy` | K8s NetworkPolicy | `awoooi_prod_namespace` | ingress / egress owner, live policy diff, route smoke test |
| `ssh_network_owner_request:argocd_metrics_network_policy` | K8s NetworkPolicy | `argocd_namespace` | Prometheus scrape owner, NodePort exposure owner |
| `ssh_network_owner_request:argocd_metrics_nodeport` | K8s NodePort | `argocd_nodeport_30882_30883` | NodePort exposure owner, firewall owner, source whitelist |
| `ssh_network_owner_request:velero_metrics_nodeport` | K8s NodePort | `velero_nodeport_30885` | backup metrics exposure, firewall owner |
| `ssh_network_owner_request:wireguard_mesh_runbook` | WireGuard runbook | `110_111_120_121_gcp_a_gcp_b` | WireGuard owner, firewall rule owner, canary / rollback |
| `ssh_network_owner_request:alert_rules_ssh_actions` | alert SSH action rules | `ssh_mcp_action_catalog` | action owner, read/write/admin tiering, cooldown, post-check |

## 4. Required Owner Fields

1. `owner_role_or_team`
2. `decision`
3. `decision_reason`
4. `affected_scope`
5. `redacted_evidence_refs`
6. `live_access_state_ref`
7. `allowed_source_cidrs_ref`
8. `maintenance_window`
9. `rollback_owner`
10. `validation_plan`
11. `break_glass_owner`
12. `change_freeze_rule`
13. `followup_owner`

## 5. Blocked Actions

1. `ssh_read`
2. `ssh_write`
3. `host_keyscan`
4. `known_hosts_patch`
5. `firewall_change`
6. `port_close`
7. `port_open`
8. `network_policy_apply`
9. `nodeport_change`
10. `wireguard_change`
11. `sudo_action`
12. `deploy_ssh_action`
13. `secret_value_collection`
14. `ssh_key_collection`
15. `active_scan`
16. `runtime_gate_open`

## 6. Commands

Generate the committed snapshot:

```bash
python3 scripts/security/ssh-network-owner-request-draft.py \
  --root . \
  --inventory-report docs/security/ssh-network-access-inventory.snapshot.json \
  --output docs/security/ssh-network-owner-request-draft.snapshot.json \
  --generated-at 2026-06-14T22:45:00+08:00
```

Verify the guard:

```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```

## 7. Completion

| Task | Completion | Notes |
|------|------------|-------|
| owner request draft artifact | `100%` | 16 request drafts, snapshot, document and guard are committed |
| request dispatch | `0%` | not yet dispatched |
| owner response received / accepted | `0%` | none received, none accepted |
| live evidence collection | `0%` | no SSH, no keyscan, no live firewall read |
| SSH / firewall / NetworkPolicy / NodePort / WireGuard gate | `0%` | not authorized and not executed |
| runtime gate / production write | `0%` | not authorized and not executed |

## 8. Follow-up Acceptance Ledger

On 2026-06-15, `docs/security/SSH-NETWORK-OWNER-RESPONSE-ACCEPTANCE.md` and `docs/security/ssh-network-owner-response-acceptance.snapshot.json` were added, turning the 16 request drafts in this document into a read-only owner response acceptance ledger. That ledger only defines how a received response is taken in, quarantined, rejected, returned for supplementation, or forwarded to network / firewall reviewer review. It does not represent request sent, owner response received / accepted, SSH, keyscan, known_hosts patch, firewall / port change, NetworkPolicy apply, NodePort change, WireGuard cutover, host write, production write, or runtime gate.