{
  "schema_version": "kali_integration_status_v1",
  "status": "partial_runtime_health_integrated",
  "date": "2026-05-13",
  "host": {
    "ip": "192.168.0.112",
    "asset_key": "host:kali-112",
    "hostname": "kali",
    "role": "Kali 資安感測與掃描 API 主機",
    "timezone": "Asia/Taipei",
    "observe_only": true
  },
  "mode": "observe_only",
  "live_checks": {
    "ssh_access": "ok_authorized_read_and_low_risk_update",
    "scanner_api_health": "ok_http_200_health_status_healthy",
    "scanner_service": "active_enabled_kali_scanner_service",
    "node_exporter": "docker_container_up_on_9100",
    "scheduled_jobs": [
      "hourly_port_monitor",
      "daily_code_security_scan",
      "weekly_harbor_image_scan"
    ],
    "docker_services": [
      "node-exporter_up",
      "wg-easy_up_healthy"
    ],
    "post_update_health": "ok_ssh_cron_docker_kali_scanner_active_no_reboot_required"
  },
  "updates_applied": {
    "apt_update": "completed",
    "targeted_packages_upgraded": [
      "ca-certificates",
      "ca-certificates-java",
      "curl",
      "openssl",
      "nmap",
      "nmap-common",
      "nikto",
      "nuclei",
      "libssl3t64",
      "libcurl4t64",
      "libc6",
      "perl"
    ],
    "new_packages_installed": [
      "jq",
      "nikto_perl_xml_dependencies"
    ],
    "timezone_changed_to": "Asia/Taipei",
    "reboot_required": false,
    "remaining_upgradable_count": 1994,
    "full_upgrade_status": "not_run_requires_maintenance_window"
  },
    "latest_read_only_observation": {
        "observed_at_utc": "2026-06-04T00:55:43Z",
        "observed_at_taipei": "2026-06-04T08:55:43+08:00",
        "collection_mode": "ssh_batch_read_only_existing_key",
        "runtime_actions_executed": false,
        "active_scan_executed": false,
        "package_update_executed": false,
        "host_reboot_executed": false,
        "hostname": "kali",
        "os": "Kali GNU/Linux Rolling",
        "kernel": "Linux 6.16.8+kali-amd64",
        "uptime": "up 3 weeks, 5 days, 4 hours, 48 minutes",
        "load_1_5_15": "0.15 0.20 0.18",
        "memory_used_total": "921Mi/7.8Gi",
        "disk_root_used_total_percent": "19G/79G 26%",
        "scanner_service_state": "active",
        "scanner_service_enabled": "enabled",
        "scanner_api_health_status": "healthy",
        "scanner_api_health_endpoint": "127.0.0.1:8080/health",
        "docker_services": [
            "node-exporter=Up 4 weeks",
            "wg-easy=Up 4 weeks (healthy)"
        ],
        "failed_systemd_unit_count": 1,
        "failed_systemd_unit_names": [
            "networking.service"
        ],
        "upgradable_package_count": 1994,
        "listening_tcp_socket_count": 7,
        "listening_udp_socket_count": 2,
        "reboot_required": false,
        "scanner_systemd_hardening_enabled_count": 0,
        "scanner_systemd_hardening_expected_count": 4,
        "scanner_systemd_hardening_missing": [
            "NoNewPrivileges",
            "PrivateTmp",
            "ProtectSystem",
            "ProtectHome"
        ],
        "evidence_boundary": "只讀連線與主機狀態快照；未執行掃描、更新、調校、重啟或 /execute。"
    },
  "integration_state": {
    "already_integrated": [
      "Kali Scanner API 在 192.168.0.112:8080 運作且 /health healthy",
      "kali-scanner.service active 且 enabled",
      "Prometheus / blackbox 類 health probe 正在從 192.168.0.120 / 192.168.0.121 命中 /health",
      "node-exporter container 運作中",
      "crontab 已有 port monitor、code security scan、Harbor image scan",
      "docs 與 security_finding_v1 已把 Kali 納入資安網契約",
      "Kali scan scope approval package 已建立草案，包含 111/168 observe-only 與 high-risk gate"
    ],
    "not_yet_integrated": [
      "尚未確認 AWOOOI API 有正式 Kali scan result ingestion endpoint",
      "Kali scan result 仍停留在 API in-memory results 或本機 log，尚未正規化寫入 asset_inventory / asset_compliance_snapshot",
      "尚未把 Kali finding mirror 成 AwoooP Runtime State / Channel Event / Audit evidence",
      "scan scope approval package 與 credentialed scan gate 已建立草案，但尚未人工批准或執行",
      "尚未移除 scanner API 原始碼中的 API key fallback",
      "尚未套用 kali-scanner.service systemd hardening override"
    ],
    "awooop_consumption": "mirror_only_status_and_gap_evidence_plus_security_approval_queue"
  },
  "risk_register": [
    {
      "risk": "scanner_execute_endpoint_can_run_shell_commands",
      "severity": "HIGH",
      "status": "confirmed_endpoint_exists_api_key_protected",
      "next_action": "AwoooP 不得直接接 execution action；需另建 approval_required_event_v1 與 allowlist / disable gate"
    },
    {
      "risk": "default_api_key_fallback_present_in_source",
      "severity": "HIGH",
      "status": "confirmed_source_pattern_present_value_not_recorded",
      "next_action": "移除 fallback、確認 .env secret 來源、輪替 API key；不得把 secret value 寫入文件"
    },
    {
      "risk": "kali_scanner_service_lacks_systemd_hardening",
      "severity": "MEDIUM",
      "status": "NoNewPrivileges/PrivateTmp/ProtectSystem/ProtectHome 目前未啟用",
      "next_action": "先設計 dry-run hardening override，驗證 scan tools 不被破壞後再套用"
    },
    {
      "risk": "harbor_image_scan_currently_failing",
      "severity": "MEDIUM",
      "status": "recent logs show image/project/auth/certificate mismatch",
      "next_action": "修正 Harbor target、project/credential 或憑證鏈；先納入 evidence，不阻擋其他資安框架"
    },
    {
      "risk": "kali_rolling_full_upgrade_pending",
      "severity": "MEDIUM",
      "status": "1994 packages remain upgradable after targeted update",
      "next_action": "安排維護窗口，先 snapshot / rollback / service verification，再做 full-upgrade 與 reboot"
    }
  ],
  "next_gates": [
    "取得 Kali scan scope approval package 的逐 gate 人工批准",
    "未來批准後建立 Kali scan result ingestion adapter，先只接收 redacted findings",
    "把 /execute endpoint 改成預設停用或單獨 high-risk approval path",
    "把 Harbor scan failure 轉成 security finding / ops finding，不直接自動修復",
    "依 docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md 收 owner response、rollback owner、validation owner 與維護窗口；未驗收前不做 full-upgrade、restart、hardening、autoremove、reboot 或健康複驗"
  ],
  "still_forbidden": [
    "run_active_scan_without_scope_approval",
    "run_credentialed_scan_without_approval",
    "call_execute_endpoint_from_awooop_runtime",
    "store_api_key_or_password_value",
    "change_firewall_or_networkpolicy",
    "autoremove_packages_without_maintenance_window",
    "full_upgrade_or_reboot_without_maintenance_window"
  ]
}