awoooi/docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md

# IwoooS 高價值配置控管覆蓋矩陣

| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-12 |
| 狀態 | `coverage_matrix_ready` |
| 工具 | `scripts/security/high-value-config-control-coverage.py` |
| Snapshot | `docs/security/high-value-config-control-coverage.snapshot.json` |
| Schema | `docs/schemas/high_value_config_control_coverage_v1.schema.json` |
| runtime gate | `0` |

## 1. 目的

此矩陣把「所有重要配置都要被資安控管」從人讀清冊推進成可重跑 snapshot。它直接讀取 `high-value-config-change-gate.py` 的配置分類，避免變更 Gate 與長期覆蓋清冊各自漂移。

本階段仍是只讀覆蓋矩陣，不接 blocking CI、不 SSH、不讀 live host、不執行 `nginx -t`、不 reload Nginx、不做 DNS / TLS probe、不 renew cert、不同步 refs、不修改 workflow、不收 secret value、不啟動 agent-bounty runtime。

## 2. 覆蓋摘要

| 指標 | 目前值 | 說明 |
|------|--------|------|
| 註冊配置類別 | `14` | 全部來自高價值配置 Gate 的 CATEGORIES |
| C0 類別 | `8` | Nginx、DNS / TLS、K8s、secret、workflow / runner、runtime config、backup、agent-bounty runtime |
| C1 類別 | `4` | 監控、Docker / systemd、SSH / network、AI provider |
| C2 類別 | `1` | 產品 runtime route 與跨產品邊界 |
| C3 類別 | `1` | security evidence / snapshot / guard tooling |
| 平均只讀控管成熟度 | `66%` | 僅代表框架 / evidence / owner packet 準備度，不代表 runtime 可執行 |
| 需要 live evidence 的類別 | `7` | 只能等 owner-provided redacted evidence 或維護窗口，不主動修改主機 |
| owner response required | `14` | 每類都需要 owner response 才能往 accepted 前進 |
| owner response received / accepted | `0 / 0` | 不得假性提高 |
| runtime gate | `0` | 不得產生執行按鈕 |

## 3. 最低覆蓋優先順序

| 優先 | 類別 | 目前成熟度 | 下一步 |
|------|------|------------|--------|
| P1-1 | Docker Compose / systemd / host service config | `50%` | repo-only 清冊已納入 9 個 surface；仍缺 110 / 188 live hash、restart window、rollback owner 與 post-check 指標 |
| P1-2 | SSH / sudoers / known_hosts / firewall / WireGuard / NodePort | `54%` | repo-only 清冊已納入 16 個 SSH / network access surface；仍缺 live evidence、owner 與 rollback |
| P1-3 | Backup / restore / escrow / retention | `58%` | repo-only 清冊已納入 38 個 surface；仍缺 restore drill approval package、offsite / escrow owner、retention owner、rollback owner 與 no-secret-value evidence |
| P1-4 | Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse | `62%` | repo-only 清冊已納入 60 個 monitoring / alerting / observability surface；仍缺 live drift evidence、reload owner、receiver owner、route smoke 與 receipt proof |

## 4. 固定 0 / false 邊界

以下旗標必須維持 `false`：

```text
runtime_execution_authorized=false
host_write_authorized=false
host_live_conf_read_authorized=false
nginx_test_authorized=false
public_gateway_reload_authorized=false
public_route_change_authorized=false
admin_route_change_authorized=false
websocket_route_change_authorized=false
acme_challenge_change_authorized=false
route_smoke_authorized=false
rollback_executed=false
nginx_reload_authorized=false
dns_tls_change_authorized=false
certbot_renew_authorized=false
argocd_sync_authorized=false
kubectl_action_authorized=false
backup_run_authorized=false
restore_run_authorized=false
restore_drill_authorized=false
offsite_sync_authorized=false
offsite_remote_delete_authorized=false
credential_escrow_marker_write_authorized=false
retention_change_authorized=false
restic_prune_authorized=false
rclone_config_authorized=false
velero_restore_authorized=false
workflow_modification_authorized=false
runner_change_authorized=false
refs_sync_authorized=false
force_push_authorized=false
secret_value_collection_allowed=false
active_scan_authorized=false
agent_bounty_runtime_authorized=false
payout_or_withdrawal_authorized=false
action_buttons_allowed=false
prometheus_reload_authorized=false
alertmanager_reload_authorized=false
grafana_dashboard_apply_authorized=false
signoz_rule_apply_authorized=false
sentry_deploy_authorized=false
langfuse_config_change_authorized=false
otel_collector_reload_authorized=false
receiver_route_change_authorized=false
silence_policy_change_authorized=false
telegram_send_authorized=false
notification_route_change_authorized=false
webhook_receiver_change_authorized=false
remote_write_change_authorized=false
exporter_deploy_authorized=false
live_alert_fire_authorized=false
alert_chain_smoke_authorized=false
```

## 5. 判讀規則

1. `coverage_percent` 只代表只讀框架成熟度，不代表已收到 owner response。
2. `coverage_status` 是下一步分流用語，不是 runtime approval state。
3. C0 / C1 類別若缺 live evidence，只能等待 owner-provided redacted evidence、維護窗口與 rollback owner。
4. `agent-bounty-protocol` 已是 C0 runtime / MCP / A2A / treasury boundary，但目前仍不得 claim / submit / payout / daemon / webhook / runtime execution。
5. IwoooS 前端可顯示覆蓋矩陣，但不得提供可執行按鈕，也不得把可見狀態解讀成資安批准。

## 6. 指令

```bash
python3 scripts/security/high-value-config-control-coverage.py \
  --root . \
  --output docs/security/high-value-config-control-coverage.snapshot.json
```

固定 committed snapshot 時間：

```bash
python3 scripts/security/high-value-config-control-coverage.py \
  --root . \
  --generated-at 2026-06-11T21:30:00+08:00 \
  --output docs/security/high-value-config-control-coverage.snapshot.json
```

## 7. 完成度

| 工作 | 完成度 | 說明 |
|------|--------|------|
| 全高價值配置類別註冊 | `100%` | 14 類全部來自既有 Gate 定義 |
| 覆蓋 snapshot / schema | `100%` | 已新增可重跑 snapshot 與 JSON schema |
| owner response 收件 | `0%` | 尚未收到或接受任何 owner response |
| live evidence collection | `0%` | 未 SSH、未 live probe、未 active scan |
| runtime gate | `0%` | 未開啟任何執行期閘門 |

## 8. P1-1 Docker / systemd 清冊更新

`host_service_config_inventory_v1` 已把 Docker Compose、systemd / repair-bot、Ansible service role 與 host config backup capture 納入 repo-only 清冊，共 `9` 個 surface、`3` 個 write-capable surface、`2` 個 repair-bot whitelist、`1` 個 systemd restart surface。此更新只讓 `docker_compose_systemd_host_config` 從 `42%` 推進到 `50%`；owner response、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 `0`。

## 9. P1-2 SSH / network access 清冊更新

`ssh_network_access_inventory_v1` 已把 SSH target、known_hosts workflow、CI deploy SSH、monitoring SSH、backup SSH capture、sudoers wrapper、NetworkPolicy、NodePort、WireGuard runbook 與 alert SSH action catalog 納入 repo-only 清冊，共 `16` 個 surface、`6` 個 write-capable surface、`2` 個 NetworkPolicy、`2` 個 NodePort、`1` 個 sudoers surface 與 `1` 個 WireGuard surface。此更新只讓 `ssh_firewall_network_access` 從 `48%` 推進到 `54%`；owner response、live evidence、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 `0`。

## 10. P1-3 Backup / restore / escrow / retention 清冊更新

`backup_restore_escrow_inventory_v1` 已把 backup orchestration、service backup scripts、restic retention、offsite sync、credential escrow、Velero restore drill、backup health alert 與 cold-start / DR runbook 納入 repo-only 清冊，共 `38` 個 surface、`15` 個 backup script surface、`8` 個 offsite / escrow surface、`5` 個 Velero surface 與 `27` 個 write-capable surface。此更新只讓 `backup_restore_credential` 從 `52%` 推進到 `58%`；owner response、live evidence、restore drill acceptance、offsite sync acceptance、credential escrow acceptance、retention change acceptance、runtime gate 與 action button 仍全部為 `0`。

## 11. P1-4 Monitoring / alerting / observability 清冊更新

`monitoring_alerting_observability_inventory_v1` 已把 Prometheus、Alertmanager、Grafana、SigNoz、Sentry、Langfuse、OTEL、Telegram / notification policy、deploy / reload scripts 與 alert chain smoke scripts 納入 repo-only 清冊，共 `60` 個 surface、`13` 個 alert rule surface、`6` 個 deploy / reload surface、`11` 個 write-capable surface 與 `1` 個 drift guard surface。此更新只讓 `monitoring_alerting_observability` 從 `56%` 推進到 `62%`；owner response、live evidence、reload owner、receiver owner、route smoke、runtime gate 與 action button 仍全部為 `0`。

## 12. P0 Public Gateway Preflight 清冊更新

`public_gateway_preflight_inventory_v1` 已把 Nginx public gateway reload / route change 前置 Gate 固定成只讀清冊，共 `3` 份 source config、`14` 個 route impact、`14` 個 unique upstream、`12` 個 preflight gate，其中 `2` 個 gate 只代表 repo-only ready，`10` 個 gate 仍需 owner acceptance。此更新只讓 `nginx_public_gateway` 從 `78%` 推進到 `84%`；owner response、owner-provided live conf、rendered diff、`nginx -t` evidence、route smoke、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 `0`。