wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity
Files
main
awoooi/docs/security/high-value-config-change-gate.snapshot.json

726 lines
21 KiB
JSON
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"changed_files": [
{
"categories": [
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
]
}
],
"matched": true,
"path": "docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md",
"strongest_priority": "P3",
"strongest_tier": "C3"
},
{
"categories": [
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
]
}
],
"matched": true,
"path": "docs/security/high-value-config-change-gate.snapshot.json",
"strongest_priority": "P3",
"strongest_tier": "C3"
},
{
"categories": [
{
"category_id": "nginx_public_gateway",
"control_tier": "C0",
"label": "Nginx / reverse proxy / public route",
"priority": "P0",
"required_gate": "public_gateway_owner_response_required",
"required_validation": [
"rendered_diff",
"nginx_t",
"affected_route_smoke",
"admin_route_smoke_if_affected",
"acme_path_smoke_if_affected",
"rollback_ref"
]
}
],
"matched": true,
"path": "k8s/nginx/awoooi-prod.conf",
"strongest_priority": "P0",
"strongest_tier": "C0"
},
{
"categories": [
{
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"label": "DNS / TLS / certbot / certificate path",
"priority": "P0",
"required_gate": "domain_tls_owner_response_required",
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
]
}
],
"matched": true,
"path": "scripts/ops/188-registry-certbot-fix.sh",
"strongest_priority": "P0",
"strongest_tier": "C0"
},
{
"categories": [
{
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"label": "DNS / TLS / certbot / certificate path",
"priority": "P0",
"required_gate": "domain_tls_owner_response_required",
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
]
}
],
"matched": true,
"path": "scripts/ops/fix-188-registry-certbot-renewal.sh",
"strongest_priority": "P0",
"strongest_tier": "C0"
},
{
"categories": [
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
]
}
],
"matched": true,
"path": "scripts/security/high-value-config-change-gate.py",
"strongest_priority": "P3",
"strongest_tier": "C3"
}
],
"control_category_inventory": [
{
"category_id": "nginx_public_gateway",
"control_tier": "C0",
"label": "Nginx / reverse proxy / public route",
"path_patterns": [
"infra/ansible/roles/nginx/templates/*.j2",
"infra/ansible/playbooks/nginx-sync.yml",
"k8s/nginx/**",
"ops/nginx/**",
"docs/runbooks/disaster-recovery/DR-Nginx.md"
],
"priority": "P0",
"required_gate": "public_gateway_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"rendered_diff",
"nginx_t",
"affected_route_smoke",
"admin_route_smoke_if_affected",
"acme_path_smoke_if_affected",
"rollback_ref"
]
},
{
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"label": "DNS / TLS / certbot / certificate path",
"path_patterns": [
"docs/runbooks/REGISTRY-CERTBOT-188.md",
"docs/runbooks/**/*CERTBOT*.md",
"docs/runbooks/**/*TLS*.md",
"scripts/ops/**/*cert*",
"scripts/ops/**/*tls*",
"ops/**/*cert*",
"ops/**/*tls*",
"infra/**/*cert*",
"infra/**/*tls*",
"k8s/**/*tls*"
],
"priority": "P0",
"required_gate": "domain_tls_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
]
},
{
"category_id": "k8s_production_gitops",
"control_tier": "C0",
"label": "K8s / ArgoCD / production manifests",
"path_patterns": [
"k8s/awoooi-prod/**",
"k8s/argocd/**",
"k8s/velero/**",
"k8s/monitoring/**"
],
"priority": "P0",
"required_gate": "gitops_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"gitops_diff",
"argocd_health_readback",
"sync_authorization_check",
"rollback_revision",
"post_deploy_health_if_executed"
]
},
{
"category_id": "secret_metadata",
"control_tier": "C0",
"label": "Secret metadata / injection / redaction",
"path_patterns": [
"k8s/**/*secret*",
"k8s/**/*Secret*",
".gitea/workflows/*.yml",
".gitea/workflows/*.yaml",
".github/workflows/*.yml",
".github/workflows/*.yaml",
"docs/runbooks/SECRETS-MANAGEMENT.md",
"docs/security/SECRETS_REFERENCE.md"
],
"priority": "P0",
"required_gate": "secret_metadata_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"secret_name_parity",
"metadata_only_check",
"no_secret_value_check",
"rotation_owner",
"injection_readback_if_deployed"
]
},
{
"category_id": "gitea_workflow_runner_source_control",
"control_tier": "C0",
"label": "Gitea workflow / runner / deploy key / webhook / branch protection",
"path_patterns": [
".gitea/workflows/**",
".github/workflows/**",
"ops/runner/**",
"scripts/setup-runner*.sh",
"scripts/**/*runner*",
"docs/security/SOURCE-CONTROL-*",
"docs/security/GITEA-*",
"docs/security/GITHUB-*"
],
"priority": "P0",
"required_gate": "workflow_source_control_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"workflow_diff",
"runner_label_owner",
"deploy_key_metadata_only",
"webhook_metadata_only",
"branch_protection_metadata",
"no_token_value_check"
]
},
{
"category_id": "public_admin_api_runtime_config",
"control_tier": "C0",
"label": "Public / admin / API / frontend runtime config",
"path_patterns": [
"apps/web/next.config.*",
"apps/web/src/lib/config.*",
"apps/api/src/core/config.py",
"apps/api/src/api/v1/monitoring.py",
"apps/api/src/middleware/**",
"apps/web/src/middleware.*"
],
"priority": "P0",
"required_gate": "public_runtime_config_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"public_url_check",
"frontend_internal_ip_ban",
"cors_boundary_check",
"admin_auth_boundary_check",
"desktop_mobile_smoke_if_frontend"
]
},
{
"category_id": "backup_restore_credential",
"control_tier": "C0",
"label": "Backup / restore / escrow / retention",
"path_patterns": [
"scripts/backup/**",
"k8s/velero/**",
"docs/runbooks/disaster-recovery/**",
"docs/runbooks/**/*RESTORE*.md",
"docs/runbooks/**/*BACKUP*.md"
],
"priority": "P0",
"required_gate": "backup_restore_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"credential_absence_check",
"restore_drill_gate",
"retention_policy",
"escrow_owner",
"rollback_ref"
]
},
{
"category_id": "agent_bounty_protocol_runtime",
"control_tier": "C0",
"label": "agent-bounty-protocol runtime / MCP / A2A / treasury boundary",
"path_patterns": [
"docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json",
"docs/schemas/agent_bounty_iwooos_onboarding_handoff_v1.schema.json",
"agent-bounty-protocol/**"
],
"priority": "P0",
"required_gate": "agent_bounty_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"repo_owner_scope",
"runtime_gate_false",
"no_payout_or_treasury_execution",
"no_mcp_a2a_runtime_execution",
"redacted_evidence_refs_only"
]
},
{
"category_id": "monitoring_alerting_observability",
"control_tier": "C1",
"label": "Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse",
"path_patterns": [
"ops/monitoring/**",
"ops/alertmanager/**",
"ops/grafana/**",
"ops/signoz/**",
"ops/sentry-self-hosted/**",
"infra/langfuse/**",
"k8s/monitoring/**"
],
"priority": "P1",
"required_gate": "monitoring_observability_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"rule_diff",
"receiver_diff",
"reload_gate",
"failure_notification_policy",
"public_route_smoke_if_affected"
]
},
{
"category_id": "docker_compose_systemd_host_config",
"control_tier": "C1",
"label": "Docker Compose / systemd / host service config",
"path_patterns": [
"docker-compose*.yml",
"docker-compose*.yaml",
"ops/**/docker-compose*.yml",
"ops/**/docker-compose*.yaml",
"scripts/reboot-recovery/**",
"scripts/**/*.service",
"ops/**/*.service"
],
"priority": "P1",
"required_gate": "host_service_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"port_conflict_check",
"volume_diff",
"env_name_diff",
"restart_window",
"rollback_owner"
]
},
{
"category_id": "ssh_firewall_network_access",
"control_tier": "C1",
"label": "SSH / sudoers / known_hosts / firewall / WireGuard / NodePort",
"path_patterns": [
"infra/ansible/inventory/**",
"infra/ansible/**/*known_hosts*",
"infra/ansible/**/*ssh*",
"scripts/**/*ssh*",
"scripts/**/*known_hosts*",
"ops/**/*wireguard*",
"ops/**/*firewall*",
"k8s/**/*network*",
"k8s/**/*Network*"
],
"priority": "P1",
"required_gate": "network_access_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"target_whitelist",
"host_key_policy",
"ingress_egress_matrix",
"rollback_owner",
"maintenance_window"
]
},
{
"category_id": "ai_provider_model_routing",
"control_tier": "C1",
"label": "AI provider / model routing / Ollama proxy / cost and privacy",
"path_patterns": [
"apps/api/src/services/ai_providers/**",
"apps/api/src/services/**/*model*",
"apps/api/src/services/**/*provider*",
"infra/ansible/roles/nginx/templates/110-ollama-proxy.conf.j2",
"docs/ai/**",
"docs/**/*Ollama*"
],
"priority": "P1",
"required_gate": "ai_provider_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"dry_run",
"benchmark",
"cost_review",
"privacy_review",
"fallback_order_check"
]
},
{
"category_id": "product_surface_runtime_routes",
"control_tier": "C2",
"label": "AWOOOI / AwoooP / IwoooS / VibeWork / other product runtime routes",
"path_patterns": [
"apps/web/src/app/**",
"apps/web/messages/*.json",
"docs/security/VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/vibework-iwooos-onboarding-handoff.snapshot.json"
],
"priority": "P2",
"required_gate": "product_surface_owner_response_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"product_boundary_check",
"i18n_traditional_chinese_check",
"no_internal_transcript_check",
"desktop_mobile_smoke_if_frontend"
]
},
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"path_patterns": [
"docs/security/**",
"docs/schemas/**",
"scripts/security/**",
"docs/LOGBOOK.md"
],
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
]
}
],
"diff": {
"base": null,
"changed_file_count": 6,
"head": "HEAD"
},
"execution_boundaries": {
"active_scan_executed": false,
"dns_tls_modified": false,
"host_write_executed": false,
"nginx_reload_executed": false,
"runtime_deploy_executed": false,
"runtime_gate_opened": false,
"secret_value_collected": false,
"ssh_executed": false,
"workflow_modified": false
},
"generated_at": "2026-06-14T17:18:00+08:00",
"git_commit": "dd8c2c09",
"impacted_categories": [
{
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"label": "DNS / TLS / certbot / certificate path",
"priority": "P0",
"required_gate": "domain_tls_owner_response_required",
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
]
},
{
"category_id": "nginx_public_gateway",
"control_tier": "C0",
"label": "Nginx / reverse proxy / public route",
"priority": "P0",
"required_gate": "public_gateway_owner_response_required",
"required_validation": [
"rendered_diff",
"nginx_t",
"affected_route_smoke",
"admin_route_smoke_if_affected",
"acme_path_smoke_if_affected",
"rollback_ref"
]
},
{
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"label": "Security evidence / snapshot / guard tooling",
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
]
}
],
"mode": "classification_only",
"next_steps": [
"若 impacted_c0_category_count > 0先建立 owner response packet不得直接 reload、deploy、sync 或修改主機。",
"owner response 必須包含 owner role / team、decision、decision reason、affected scope、redacted evidence refs、followup owner、rollback owner、maintenance window 與 validation plan。",
"若只有 C3 security evidence / tooling仍需跑 guard 與 doc secret sanity但不得藉此提高 runtime gate。"
],
"owner_evidence_validation": {
"complete": false,
"invalid_false_flags": [],
"missing_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"note": "未提供 owner response evidence本階段只能分類不得執行 runtime 變更。",
"provided": false
},
"required_false_flags": [
"runtime_execution_authorized",
"host_write_authorized",
"secret_value_collection_allowed",
"workflow_modification_authorized",
"runner_change_authorized",
"refs_sync_authorized",
"force_push_authorized",
"active_scan_authorized",
"action_buttons_allowed"
],
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"schema_version": "high_value_config_change_gate_v1",
"summary": {
"changed_file_count": 6,
"impacted_c0_category_count": 2,
"impacted_c1_category_count": 0,
"impacted_category_count": 3,
"matched_high_value_file_count": 6,
"owner_evidence_complete": false,
"owner_evidence_provided": false,
"runtime_execution_authorized": false,
"strongest_priority": "P0",
"strongest_tier": "C0"
}
}
Reference in New Issue View Git Blame Copy Permalink