wooo/awoooi

Fork 0

Files

Your Name 6239712507

CD Pipeline / build-and-deploy (push) Has been cancelled

Details

CD Pipeline / post-deploy-checks (push) Has been cancelled

Details

CD Pipeline / tests (push) Has been cancelled

Details

Code Review / ai-code-review (push) Has been cancelled

Details

feat(security): 新增 public gateway preflight 只讀清冊

2026-06-12 01:25:04 +08:00

9.1 KiB

Raw Blame History

IwoooS 高價值配置控管覆蓋矩陣

項目	內容
日期	2026-06-12
狀態	`coverage_matrix_ready`
工具	`scripts/security/high-value-config-control-coverage.py`
Snapshot	`docs/security/high-value-config-control-coverage.snapshot.json`
Schema	`docs/schemas/high_value_config_control_coverage_v1.schema.json`
runtime gate	`0`

1. 目的

此矩陣把「所有重要配置都要被資安控管」從人讀清冊推進成可重跑 snapshot。它直接讀取 high-value-config-change-gate.py 的配置分類，避免變更 Gate 與長期覆蓋清冊各自漂移。

本階段仍是只讀覆蓋矩陣，不接 blocking CI、不 SSH、不讀 live host、不執行 nginx -t、不 reload Nginx、不做 DNS / TLS probe、不 renew cert、不同步 refs、不修改 workflow、不收 secret value、不啟動 agent-bounty runtime。

2. 覆蓋摘要

指標	目前值	說明
註冊配置類別	`14`	全部來自高價值配置 Gate 的 CATEGORIES
C0 類別	`8`	Nginx、DNS / TLS、K8s、secret、workflow / runner、runtime config、backup、agent-bounty runtime
C1 類別	`4`	監控、Docker / systemd、SSH / network、AI provider
C2 類別	`1`	產品 runtime route 與跨產品邊界
C3 類別	`1`	security evidence / snapshot / guard tooling
平均只讀控管成熟度	`66%`	僅代表框架 / evidence / owner packet 準備度，不代表 runtime 可執行
需要 live evidence 的類別	`7`	只能等 owner-provided redacted evidence 或維護窗口，不主動修改主機
owner response required	`14`	每類都需要 owner response 才能往 accepted 前進
owner response received / accepted	`0 / 0`	不得假性提高
runtime gate	`0`	不得產生執行按鈕

3. 最低覆蓋優先順序

優先	類別	目前成熟度	下一步
P1-1	Docker Compose / systemd / host service config	`50%`	repo-only 清冊已納入 9 個 surface；仍缺 110 / 188 live hash、restart window、rollback owner 與 post-check 指標
P1-2	SSH / sudoers / known_hosts / firewall / WireGuard / NodePort	`54%`	repo-only 清冊已納入 16 個 SSH / network access surface；仍缺 live evidence、owner 與 rollback
P1-3	Backup / restore / escrow / retention	`58%`	repo-only 清冊已納入 38 個 surface；仍缺 restore drill approval package、offsite / escrow owner、retention owner、rollback owner 與 no-secret-value evidence
P1-4	Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse	`62%`	repo-only 清冊已納入 60 個 monitoring / alerting / observability surface；仍缺 live drift evidence、reload owner、receiver owner、route smoke 與 receipt proof

4. 固定 0 / false 邊界

以下旗標必須維持 false：

runtime_execution_authorized=false
host_write_authorized=false
host_live_conf_read_authorized=false
nginx_test_authorized=false
public_gateway_reload_authorized=false
public_route_change_authorized=false
admin_route_change_authorized=false
websocket_route_change_authorized=false
acme_challenge_change_authorized=false
route_smoke_authorized=false
rollback_executed=false
nginx_reload_authorized=false
dns_tls_change_authorized=false
certbot_renew_authorized=false
argocd_sync_authorized=false
kubectl_action_authorized=false
backup_run_authorized=false
restore_run_authorized=false
restore_drill_authorized=false
offsite_sync_authorized=false
offsite_remote_delete_authorized=false
credential_escrow_marker_write_authorized=false
retention_change_authorized=false
restic_prune_authorized=false
rclone_config_authorized=false
velero_restore_authorized=false
workflow_modification_authorized=false
runner_change_authorized=false
refs_sync_authorized=false
force_push_authorized=false
secret_value_collection_allowed=false
active_scan_authorized=false
agent_bounty_runtime_authorized=false
payout_or_withdrawal_authorized=false
action_buttons_allowed=false
prometheus_reload_authorized=false
alertmanager_reload_authorized=false
grafana_dashboard_apply_authorized=false
signoz_rule_apply_authorized=false
sentry_deploy_authorized=false
langfuse_config_change_authorized=false
otel_collector_reload_authorized=false
receiver_route_change_authorized=false
silence_policy_change_authorized=false
telegram_send_authorized=false
notification_route_change_authorized=false
webhook_receiver_change_authorized=false
remote_write_change_authorized=false
exporter_deploy_authorized=false
live_alert_fire_authorized=false
alert_chain_smoke_authorized=false

5. 判讀規則

coverage_percent 只代表只讀框架成熟度，不代表已收到 owner response。
coverage_status 是下一步分流用語，不是 runtime approval state。
C0 / C1 類別若缺 live evidence，只能等待 owner-provided redacted evidence、維護窗口與 rollback owner。
agent-bounty-protocol 已是 C0 runtime / MCP / A2A / treasury boundary，但目前仍不得 claim / submit / payout / daemon / webhook / runtime execution。
IwoooS 前端可顯示覆蓋矩陣，但不得提供可執行按鈕，也不得把可見狀態解讀成資安批准。

6. 指令

python3 scripts/security/high-value-config-control-coverage.py \
  --root . \
  --output docs/security/high-value-config-control-coverage.snapshot.json

固定 committed snapshot 時間：

python3 scripts/security/high-value-config-control-coverage.py \
  --root . \
  --generated-at 2026-06-11T21:30:00+08:00 \
  --output docs/security/high-value-config-control-coverage.snapshot.json

7. 完成度

工作	完成度	說明
全高價值配置類別註冊	`100%`	14 類全部來自既有 Gate 定義
覆蓋 snapshot / schema	`100%`	已新增可重跑 snapshot 與 JSON schema
owner response 收件	`0%`	尚未收到或接受任何 owner response
live evidence collection	`0%`	未 SSH、未 live probe、未 active scan
runtime gate	`0%`	未開啟任何執行期閘門

8. P1-1 Docker / systemd 清冊更新

host_service_config_inventory_v1 已把 Docker Compose、systemd / repair-bot、Ansible service role 與 host config backup capture 納入 repo-only 清冊，共 9 個 surface、3 個 write-capable surface、2 個 repair-bot whitelist、1 個 systemd restart surface。此更新只讓 docker_compose_systemd_host_config 從 42% 推進到 50%；owner response、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 0。

9. P1-2 SSH / network access 清冊更新

ssh_network_access_inventory_v1 已把 SSH target、known_hosts workflow、CI deploy SSH、monitoring SSH、backup SSH capture、sudoers wrapper、NetworkPolicy、NodePort、WireGuard runbook 與 alert SSH action catalog 納入 repo-only 清冊，共 16 個 surface、6 個 write-capable surface、2 個 NetworkPolicy、2 個 NodePort、1 個 sudoers surface 與 1 個 WireGuard surface。此更新只讓 ssh_firewall_network_access 從 48% 推進到 54%；owner response、live evidence、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 0。

10. P1-3 Backup / restore / escrow / retention 清冊更新

backup_restore_escrow_inventory_v1 已把 backup orchestration、service backup scripts、restic retention、offsite sync、credential escrow、Velero restore drill、backup health alert 與 cold-start / DR runbook 納入 repo-only 清冊，共 38 個 surface、15 個 backup script surface、8 個 offsite / escrow surface、5 個 Velero surface 與 27 個 write-capable surface。此更新只讓 backup_restore_credential 從 52% 推進到 58%；owner response、live evidence、restore drill acceptance、offsite sync acceptance、credential escrow acceptance、retention change acceptance、runtime gate 與 action button 仍全部為 0。

11. P1-4 Monitoring / alerting / observability 清冊更新

monitoring_alerting_observability_inventory_v1 已把 Prometheus、Alertmanager、Grafana、SigNoz、Sentry、Langfuse、OTEL、Telegram / notification policy、deploy / reload scripts 與 alert chain smoke scripts 納入 repo-only 清冊，共 60 個 surface、13 個 alert rule surface、6 個 deploy / reload surface、11 個 write-capable surface 與 1 個 drift guard surface。此更新只讓 monitoring_alerting_observability 從 56% 推進到 62%；owner response、live evidence、reload owner、receiver owner、route smoke、runtime gate 與 action button 仍全部為 0。

12. P0 Public Gateway Preflight 清冊更新

public_gateway_preflight_inventory_v1 已把 Nginx public gateway reload / route change 前置 Gate 固定成只讀清冊，共 3 份 source config、14 個 route impact、14 個 unique upstream、12 個 preflight gate，其中 2 個 gate 只代表 repo-only ready，10 個 gate 仍需 owner acceptance。此更新只讓 nginx_public_gateway 從 78% 推進到 84%；owner response、owner-provided live conf、rendered diff、nginx -t evidence、route smoke、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 0。

9.1 KiB Raw Blame History Unescape Escape

IwoooS 高價值配置控管覆蓋矩陣

1. 目的

2. 覆蓋摘要

3. 最低覆蓋優先順序

4. 固定 0 / false 邊界

5. 判讀規則

6. 指令

7. 完成度

8. P1-1 Docker / systemd 清冊更新

9. P1-2 SSH / network access 清冊更新

10. P1-3 Backup / restore / escrow / retention 清冊更新

11. P1-4 Monitoring / alerting / observability 清冊更新

12. P0 Public Gateway Preflight 清冊更新

9.1 KiB

Raw Blame History