{ "schema_version": "kali_scan_scope_approval_v1", "status": "draft_waiting_approval", "date": "2026-05-13", "source_host": { "asset_key": "host:kali-112", "ip": "192.168.0.112", "role": "Kali 資安感測與掃描 API 主機" }, "mode": "approval_only", "scope_groups": [ { "group_id": "kali_112_health", "title": "Kali 112 health 與 scanner 狀態", "default_mode": "observe", "scan_level": "health_only", "assets": [ { "asset_key": "host:kali-112", "target_type": "host", "target": "192.168.0.112", "environment": "infra", "owner_team": "security-commander", "allowed_scan_modes": [ "health_only", "passive_inventory" ], "approval_required": false, "notes": "只允許 health / service / tool version 類觀測;不得啟動 active scan 或 /execute。" } ] }, { "group_id": "dev_hosts_observe_only", "title": "開發主機 111 / 168 observe-only 納管", "default_mode": "observe", "scan_level": "passive", "assets": [ { "asset_key": "host:dev-111", "target_type": "host", "target": "192.168.0.111", "environment": "dev", "owner_team": "dev-host-steward", "allowed_scan_modes": [ "passive_inventory" ], "approval_required": false, "notes": "先納入資產地圖與 owner;任何 credentialed scan、active scan、service hardening 都要另走 approval。" }, { "asset_key": "host:dev-168", "target_type": "host", "target": "192.168.0.168", "environment": "dev", "owner_team": "dev-host-steward", "allowed_scan_modes": [ "passive_inventory" ], "approval_required": false, "notes": "先納入資產地圖與 owner;不得把 dev host observation 直接變成 compliance blocker。" } ] }, { "group_id": "core_runtime_hosts", "title": "核心 runtime 主機健康與被動盤點", "default_mode": "observe", "scan_level": "passive", "assets": [ { "asset_key": "host:infra-110", "target_type": "host", "target": "192.168.0.110", "environment": "infra", "owner_team": "sre-security", "allowed_scan_modes": [ "health_only", "passive_inventory" ], "approval_required": false, "notes": "Gitea、Harbor、runner、monitoring 類控制面只做 read-only evidence;active port scan 需另批。" }, { "asset_key": "host:k3s-120", "target_type": "host", "target": "192.168.0.120", 
"environment": "prod", "owner_team": "sre-security", "allowed_scan_modes": [ "health_only", "passive_inventory" ], "approval_required": false, "notes": "K3s node 初期只接既有 health / metadata evidence,不改 RBAC 或 NetworkPolicy。" }, { "asset_key": "host:k3s-121", "target_type": "host", "target": "192.168.0.121", "environment": "prod", "owner_team": "sre-security", "allowed_scan_modes": [ "health_only", "passive_inventory" ], "approval_required": false, "notes": "K3s node 初期只接既有 health / metadata evidence,不改 RBAC 或 NetworkPolicy。" }, { "asset_key": "host:data-ai-188", "target_type": "host", "target": "192.168.0.188", "environment": "prod", "owner_team": "sre-security", "allowed_scan_modes": [ "health_only", "passive_inventory" ], "approval_required": false, "notes": "DB、Redis、AI、SignOz、MinIO 類服務初期只做被動 evidence,不做 credentialed scan;被動盤點只記錄 service / version 類 metadata,不得擷取或保存連線字串、token 或其他 secret value(與 finding_ingestion_policy 的 redaction_required 一致)。" } ] }, { "group_id": "public_web_perimeter", "title": "公開網站與 API 邊界", "default_mode": "warn", "scan_level": "safe_active", "assets": [ { "asset_key": "web:awoooi-public-domains", "target_type": "website", "target": "public_product_domains_from_service_endpoints", "environment": "prod", "owner_team": "web-perimeter", "allowed_scan_modes": [ "tls_header_check", "basic_crawl" ], "approval_required": true, "notes": "TLS/header/basic crawl 可先送審;因 target 是由 service endpoints 動態推導,批准時必須把實際 domain 清單凍結為明確 allowlist(只含自有 domain,crawl 不得跟隨外部連結、不得登入或送出表單);active DAST、fuzz、auth flow testing 必須另批。" } ] }, { "group_id": "kali_execute_and_maintenance", "title": "Kali /execute 與維護窗口", "default_mode": "block_candidate", "scan_level": "execute", "assets": [ { "asset_key": "tool:kali-scanner-execute", "target_type": "tool", "target": "kali-scanner:/execute", "environment": "infra", "owner_team": "security-commander", "allowed_scan_modes": [ "blocked" ], "approval_required": true, "notes": "AwoooP 不得直接接此 endpoint;若未來保留,必須有獨立 high-risk approval、命令與目標 allowlist、完整 audit 紀錄,以及可隨時關閉的 disable gate。" }, { "asset_key": "host:kali-112-maintenance", "target_type": "host", "target": "192.168.0.112", "environment": "infra", "owner_team": "security-commander", "allowed_scan_modes": [ 
"full_upgrade_reboot" ], "approval_required": true, "notes": "Kali rolling full-upgrade / autoremove / reboot 必須排維護窗口、snapshot、rollback 與 post-health check。" } ] } ], "approval_gates": [ { "gate_id": "kali-safe-web-crawl-approval-20260513", "requested_action": "run_safe_active_scan", "risk": "MEDIUM", "required_reviewers": [ "security-commander", "human-owner" ], "blocked_until_approved": true, "evidence_refs": [ "docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md", "docs/security/KALI-SECURITY-MESH-BLUEPRINT.md" ] }, { "gate_id": "kali-credentialed-scan-approval-20260513", "requested_action": "run_credentialed_scan", "risk": "HIGH", "required_reviewers": [ "security-commander", "vuln-verifier", "human-owner" ], "blocked_until_approved": true, "evidence_refs": [ "docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md", "docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md" ] }, { "gate_id": "kali-execute-endpoint-approval-20260513", "requested_action": "call_execute_endpoint", "risk": "CRITICAL", "required_reviewers": [ "critic", "security-commander", "human-owner" ], "blocked_until_approved": true, "evidence_refs": [ "docs/security/KALI-INTEGRATION-STATUS.md", "docs/security/SECURITY-LOW-FRICTION-ROLLOUT-POLICY.md" ] }, { "gate_id": "kali-finding-runtime-ingestion-approval-20260513", "requested_action": "ingest_findings_to_awooop_runtime", "risk": "MEDIUM", "required_reviewers": [ "security-commander", "human-owner" ], "blocked_until_approved": true, "evidence_refs": [ "docs/security/SECURITY-FINDING-CONTRACT.md", "docs/security/security-finding-kali-sample.snapshot.json" ] }, { "gate_id": "kali-full-upgrade-reboot-approval-20260513", "requested_action": "run_full_upgrade_reboot", "risk": "HIGH", "required_reviewers": [ "security-commander", "human-owner" ], "blocked_until_approved": true, "evidence_refs": [ "docs/security/KALI-INTEGRATION-STATUS.md" ] } ], "finding_ingestion_policy": { "finding_contract": "security_finding_v1", "consumption_mode": "mirror_only", 
"redaction_required": true, "runtime_ingestion_status": "not_enabled_contract_only", "storage_landing": [ "asset_inventory.metadata", "asset_compliance_snapshot", "asset_change_event", "AwoooP Runtime State / Channel Event / Audit mirror" ], "awooop_allowed_actions": [ "mirror_redacted_finding", "display_scope_group", "display_approval_gate", "create_approval_candidate" ], "awooop_forbidden_actions": [ "start_scan", "call_execute_endpoint", "store_secret_value", "auto_patch", "auto_block_deploy" ] }, "still_forbidden": [ "run_active_scan_without_scope_approval", "run_credentialed_scan_without_approval", "call_execute_endpoint_from_awooop_runtime", "store_api_key_password_token_cookie_or_private_key", "change_firewall_networkpolicy_rbac_or_route", "full_upgrade_autoremove_or_reboot_without_maintenance_window", "turn_low_medium_observations_into_blocking_gates" ] }