wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity
Files
2a2cb16c135fd7e5b159d94de9b5ff04f6cf31f5
awoooi/docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md

133 lines
5.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS 高價值配置變更 Gate
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-11 |
| 狀態 | `classification_gate_ready` |
| 工具 | `scripts/security/high-value-config-change-gate.py` |
| Snapshot | `docs/security/high-value-config-change-gate.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
此 Gate 將「所有重要配置都要被控管」落成可重跑的只讀分類流程。它會讀取 git diff 或手動指定檔案,判斷是否碰到 C0 / C1 / C2 / C3 高價值配置,並列出後續 owner response、rollback、redacted evidence 與驗證需求。
本階段是低摩擦分類 Gate不接 CI blocking不修改 workflow、不讀 secret value、不 SSH、不 reload、不部署、不開 runtime gate。
## 2. 納管配置
| 優先 | 等級 | 配置類別 |
|------|------|----------|
| P0 | C0 | Nginx / reverse proxy / public route |
| P0 | C0 | DNS / TLS / certbot / certificate path |
| P0 | C0 | K8s / ArgoCD / production manifests |
| P0 | C0 | Secret metadata / injection / redaction |
| P0 | C0 | Gitea workflow / runner / deploy key / webhook / branch protection |
| P0 | C0 | Public / admin / API / frontend runtime config |
| P0 | C0 | Backup / restore / escrow / retention |
| P0 | C0 | `agent-bounty-protocol` runtime / MCP / A2A / treasury boundary |
| P1 | C1 | Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse |
| P1 | C1 | Docker Compose / systemd / host service config |
| P1 | C1 | SSH / sudoers / known_hosts / firewall / WireGuard / NodePort |
| P1 | C1 | AI provider / model routing / Ollama proxy / cost and privacy |
| P2 | C2 | AWOOOI / AwoooP / IwoooS / VibeWork / other product runtime routes |
| P3 | C3 | Security evidence / snapshot / guard tooling |
## 3. 指令
檢查目前 commit 相對前一個 commit
```bash
python3 scripts/security/high-value-config-change-gate.py \
--root . \
--base HEAD~1 \
--head HEAD
```
手動分類單一檔案:
```bash
python3 scripts/security/high-value-config-change-gate.py \
--root . \
--changed-file infra/ansible/roles/nginx/templates/188-all-sites.conf.j2
```
更新 committed snapshot
```bash
python3 scripts/security/high-value-config-change-gate.py \
--root . \
--base HEAD~1 \
--head HEAD \
--generated-at 2026-06-11T12:30:00+08:00 \
--output docs/security/high-value-config-change-gate.snapshot.json
```
未來若要升級成更嚴格的人工審核,可提供 owner response evidence JSON
```bash
python3 scripts/security/high-value-config-change-gate.py \
--root . \
--base gitea/main \
--head HEAD \
--evidence /path/to/redacted-owner-response.json \
--fail-on-missing-evidence
```
## 4. owner response 欄位
所有 C0 / C1 高價值配置變更至少要補:
1. `owner_role_or_team`
2. `decision`
3. `decision_reason`
4. `affected_scope`
5. `redacted_evidence_refs`
6. `followup_owner`
7. `rollback_owner`
8. `maintenance_window`
9. `validation_plan`
這些欄位只是讓 reviewer 可以判斷,不等同 runtime 授權。
## 5. 必須維持 false
| flag | 要求 |
|------|------|
| `runtime_execution_authorized` | `false` |
| `host_write_authorized` | `false` |
| `secret_value_collection_allowed` | `false` |
| `workflow_modification_authorized` | `false` |
| `runner_change_authorized` | `false` |
| `refs_sync_authorized` | `false` |
| `force_push_authorized` | `false` |
| `active_scan_authorized` | `false` |
| `action_buttons_allowed` | `false` |
## 6. 判讀規則
| 狀態 | 意義 | 可做事項 |
|------|------|----------|
| `impacted_c0_category_count > 0` | 變更碰到公開入口、secret、部署、備份、agent runtime 等最高風險配置 | 先建立 owner response packet不可直接 reload、deploy、sync 或修改主機 |
| `impacted_c1_category_count > 0` | 變更碰到監控、主機服務、網路、AI provider 等近程高風險配置 | 建立 maintenance window、rollback owner 與驗證計畫 |
| 只有 C2 | 產品 runtime route 或前端呈現變更 | 需要產品 owner、i18n、desktop / mobile smoke |
| 只有 C3 | 文件、snapshot、guard 或 evidence tooling | 跑 guard、JSON parse、doc secret sanity不可提高 runtime gate |
## 7. 邊界
1. 本工具不接 CI blocking。
2. 本工具不修改 `.gitea/workflows`
3. 本工具不讀 secret value、hash、partial token、private key、runner token 或 webhook secret。
4. 本工具不 SSH、不執行 `nginx -t`、不 reload / restart。
5. 本工具不做 DNS 修改、TLS renew、ArgoCD sync、kubectl、active scan 或 agent-bounty runtime execution。
6. IwoooS UI 可顯示分類結果,但不得把分類結果當 runtime 授權。
## 8. 完成度
| 工作 | 完成度 | 說明 |
|------|--------|------|
| 高價值配置 path pattern 分類 | `100%` | 已覆蓋 Nginx、DNS / TLS、K8s、secret、workflow、runner、backup、monitoring、host service、network、AI provider、agent-bounty-protocol 與產品 route |
| owner response 欄位檢查 | `70%` | 支援 evidence JSON 欄位與 false flag 檢查;尚未接正式收件 API |
| CI blocking | `0%` | 本階段刻意不接,避免初期摩擦過大 |
| live runtime 驗證 | `0%` | 本工具只分類,不執行 live probe |
Reference in New Issue View Git Blame Copy Permalink