213 lines
25 KiB
Markdown
213 lines
25 KiB
Markdown
# IwoooS 高價值配置控管清冊
|
||
|
||
| 項目 | 內容 |
|
||
|------|------|
|
||
| 日期 | 2026-06-12 |
|
||
| 狀態 | `inventory_and_classification_gate_ready` |
|
||
| 範圍 | AWOOOI / IwoooS 全產品重要配置 |
|
||
| 本階段模式 | source-control 修補 + 只讀盤點,不做 live reload / restart / sync |
|
||
| 覆蓋矩陣 | `docs/security/HIGH-VALUE-CONFIG-CONTROL-COVERAGE.md` |
|
||
| 覆蓋 snapshot | `docs/security/high-value-config-control-coverage.snapshot.json` |
|
||
| runtime gate | `0` |
|
||
|
||
## 0. 核心結論
|
||
|
||
目前 IwoooS 的資安範圍不能只看程式碼漏洞,必須把「能改變公開入口、部署、憑證、告警、資料、備份、AI provider、agent 行為與跨產品路由」的配置全部納入控管。
|
||
|
||
本次盤點後,配置控管分為四級:
|
||
|
||
| 等級 | 定義 | 處理速度 | 例子 |
|
||
|------|------|----------|------|
|
||
| C0 | 立即影響公開入口、權限、secret、部署或遠端執行 | 立即納管,先止血再補 owner gate | Nginx public gateway、TLS、secret、workflow、runner、K8s prod、ArgoCD、backup credential |
|
||
| C1 | 會影響監控、資料、供應鏈、AI provider 或主機維護 | 近程納管,建立 drift 與維護窗口 | Prometheus、Alertmanager、Docker Compose、PostgreSQL、Redis、MinIO、Ollama、Kali、WireGuard |
|
||
| C2 | 產品 runtime、admin、API、webhook、frontend build 或跨產品 route | 隨產品變更納管 | AWOOOI、AwoooP、IwoooS、VibeWork、agent-bounty-protocol、StockPlatform、Tsenyang、Bitan、VTuber |
|
||
| C3 | 文件、runbook、template、snapshot 與證據索引 | 持續納管,避免範例變成可複製風險 | `SERVICE-ENDPOINTS.md`、DR runbook、owner response template |
|
||
|
||
### 0.1 2026-06-11 覆蓋矩陣狀態
|
||
|
||
`high_value_config_control_coverage_v1` 已把高價值配置控管從文字清冊推進成可重跑 snapshot。這份 snapshot 直接讀取 `scripts/security/high-value-config-change-gate.py` 的 `CATEGORIES`,避免長期清冊與變更 Gate 漂移。
|
||
|
||
| 指標 | 目前值 | 邊界 |
|
||
|------|--------|------|
|
||
| 註冊配置類別 | `14` | 代表已進 Gate 分類,不代表已批准 |
|
||
| C0 類別 | `8` | Nginx、DNS / TLS、K8s、secret、workflow / runner、runtime config、backup、agent-bounty runtime |
|
||
| C1 類別 | `4` | 監控、Docker / systemd、SSH / network、AI provider |
|
||
| 平均只讀控管成熟度 | `66%` | 只代表框架 / evidence / owner packet 準備度 |
|
||
| 需要 live evidence 類別 | `7` | 只能等 owner-provided redacted evidence 或維護窗口,不主動 SSH |
|
||
| owner response required | `14` | owner response received / accepted 仍 `0 / 0` |
|
||
| runtime gate | `0` | 不提供執行按鈕 |
|
||
|
||
最低覆蓋優先順序為 Docker Compose / systemd、SSH / network、backup / restore、monitoring / alerting。這些是下一波 P1 只讀 inventory 的優先順序,不代表可以 restart、reload、scan 或收 secret value。
|
||
|
||
### 0.2 2026-06-11 Docker / systemd repo-only 清冊
|
||
|
||
`host_service_config_inventory_v1` 已把 Docker Compose、systemd / repair-bot、Ansible service role 與 host config backup capture 納入只讀 snapshot。清冊目前共有 `9` 個 surface、`5` 個 host scope、`3` 個 write-capable surface、`2` 個 repair-bot whitelist 與 `1` 個 systemd restart surface,讓 Docker / systemd 類別成熟度從 `42%` 推進到 `50%`。
|
||
|
||
此更新仍不是 live host truth:110 / 188 live hash、restart window、rollback owner、post-check 指標與 owner response received / accepted 全部仍為 `0`,也不得執行 `docker compose`、`systemctl`、repair-bot、Ansible apply 或任何 SSH 讀寫。
|
||
|
||
### 0.3 2026-06-11 SSH / network access repo-only 清冊
|
||
|
||
`ssh_network_access_inventory_v1` 已把 SSH target、known_hosts workflow、CI deploy SSH、monitoring SSH、backup SSH capture、sudoers wrapper、NetworkPolicy、NodePort、WireGuard runbook 與 alert SSH action catalog 納入只讀 snapshot。清冊目前共有 `16` 個 surface、`11` 個 SSH source surface、`6` 個 write-capable surface、`2` 個 NetworkPolicy、`2` 個 NodePort、`1` 個 sudoers surface 與 `1` 個 WireGuard surface,讓 SSH / network 類別成熟度從 `48%` 推進到 `54%`。
|
||
|
||
此更新仍不是 live network truth:live firewall、sudoers、known_hosts、NetworkPolicy、NodePort、WireGuard evidence、network owner、maintenance window、rollback owner 與 owner response received / accepted 全部仍為 `0`,也不得執行 SSH、keyscan、sudo、firewall change、NetworkPolicy apply、NodePort change 或 WireGuard cutover。
|
||
|
||
### 0.4 2026-06-11 Backup / restore / escrow / retention repo-only 清冊
|
||
|
||
`backup_restore_escrow_inventory_v1` 已把 backup orchestration、service backup scripts、restic retention、offsite sync、credential escrow、Velero restore drill、backup health alert 與 cold-start / DR runbook 納入只讀 snapshot。清冊目前共有 `38` 個 surface、`15` 個 backup script surface、`8` 個 offsite / escrow surface、`5` 個 Velero surface、`3` 個 retention surface、`5` 個 credential surface 與 `27` 個 write-capable surface,讓 backup / restore / credential 類別成熟度從 `52%` 推進到 `58%`。
|
||
|
||
此更新仍不是 live backup truth:owner response、live evidence、restore drill acceptance、offsite sync acceptance、credential escrow acceptance、retention change acceptance、maintenance window、rollback owner 與 runtime gate 全部仍為 `0`,也不得執行 backup、restore、offsite sync、remote delete、restic prune、escrow marker write、rclone config、Velero restore、kubectl 或 SSH。
|
||
|
||
### 0.5 2026-06-12 Monitoring / alerting / observability repo-only 清冊
|
||
|
||
`monitoring_alerting_observability_inventory_v1` 已把 Prometheus、Alertmanager、Grafana、SigNoz、Sentry、Langfuse、OTEL、Telegram / notification policy、deploy / reload scripts 與 alert chain smoke scripts 納入只讀 snapshot。清冊目前共有 `60` 個 surface、`13` 個 alert rule surface、`6` 個 deploy / reload surface、`11` 個 write-capable surface 與 `1` 個 drift guard surface,讓 monitoring / alerting / observability 類別成熟度從 `56%` 推進到 `62%`。
|
||
|
||
此更新仍不是 live alert chain truth:owner response、live evidence、reload owner、receiver owner、route smoke、maintenance window、rollback owner 與 runtime gate 全部仍為 `0`,也不得執行 Prometheus reload、Alertmanager reload、Grafana import、SigNoz rule apply、Sentry deploy、Langfuse change、OTEL reload、remote write change、silence change、Telegram send、live alert fire、alert chain smoke、SSH 或 kubectl。
|
||
|
||
### 0.6 2026-06-12 Public Gateway Preflight repo-only 清冊
|
||
|
||
`public_gateway_preflight_inventory_v1` 已把 Nginx public gateway reload / route change 前置 Gate 固定成只讀 snapshot。清冊目前共有 `3` 份 Nginx source config、`2` 份 C0 source config、`14` 個 route impact、`14` 個 unique upstream、`10` 條 TLS certificate path、`4` 個 certificate owner 確認缺口、`7` 個 ACME challenge domain、`1` 個 admin route domain、`6` 個 WebSocket route domain 與 `12` 個 preflight gate,讓 Nginx public gateway 類別成熟度從 `78%` 推進到 `84%`。
|
||
|
||
此更新仍不是 live gateway truth:owner response、owner-provided live conf、rendered diff、`nginx -t` evidence、route smoke、maintenance window、rollback owner 與 runtime gate 全部仍為 `0`,也不得 SSH、讀 live conf、執行 `nginx -t`、reload Nginx、改 public route、改 admin route、改 WebSocket / API route、改 ACME、做 DNS / TLS probe、執行 certbot renew 或寫入主機。
|
||
|
||
## 1. 目前已不符合新要求的項目
|
||
|
||
| 優先 | 項目 | 現況 | 風險 | 本階段處置 |
|
||
|------|------|------|------|------------|
|
||
| P0 | Nginx public gateway | 已有 Ansible source-of-truth、repo-only drift detector、DNS / TLS 清冊與 public gateway preflight Gate,但尚缺 owner-provided live conf、rendered diff、`nginx -t` evidence、route smoke、maintenance window 與 rollback owner | 手改 live conf 會讓公開網站、admin route、TLS、API、WebSocket 或 ACME 被改壞,且不易追責 | 已新增高價值配置 Hard Rule、drift detector 與 preflight 清冊;仍不得 SSH 或 reload |
|
||
| P0 | `docs/runbooks/SECRETS-MANAGEMENT.md` Gitea token 範例 | 文件內存在可疑 token 範例 | 可能造成 Gitea API 權限外洩或複製貼上事故 | 已改為 owner-managed token env,不保存 value |
|
||
| P0 | `k8s/monitoring/docker-compose-110.yml` Grafana admin 密碼 | compose 內有固定密碼常值 | 若被當作 live 密碼或複製使用,會造成監控後台弱控管 | 已改為 `GRAFANA_ADMIN_PASSWORD` owner secret store 注入 |
|
||
| P0 | `ops/monitoring/discover_docker.py` SSH host key 驗證 | 仍使用關閉 host key 驗證的參數 | MITM 或錯誤主機信任風險 | 已改為 `BatchMode=yes` + `accept-new`;後續升級 pinned known_hosts |
|
||
| P0 | `apps/api/src/api/v1/monitoring.py` Grafana 探測認證 | 程式碼內有 Grafana Basic Auth 常值 | API 程式碼保存 credential,且會被複製到後續部署 | 已改為 `settings.GRAFANA_API_KEY` Bearer token;未設定時不送 Authorization header |
|
||
| P1 | Nginx 188 / 110 live conf drift | repo 有 templates 與 drift detector,比對模式需 owner 提供脫敏 live conf;目前 live evidence 仍為 `0` | 手改後 repo 不知道,下一次 Ansible 可能覆蓋或保留錯誤路由 | 下一步收 owner-provided live conf 與 rendered diff,不主動 SSH |
|
||
| P1 | 高價值配置變更 Gate | 已有 C0-C3 清冊與 Hard Rule,但原本缺少可重跑 path 分類 | reviewer 只能靠人工記憶判斷 Nginx、workflow、secret、K8s、DNS、AI provider 是否需 owner gate | 已新增 `scripts/security/high-value-config-change-gate.py`;本階段只分類,不接 CI blocking |
|
||
| P1 | DNS / TLS / certbot | 多產品共用 188 / 110 public gateway,憑證路徑與 renewal 仍分散在 runbook / template | 憑證過期、錯誤 cert path、ACME challenge 被覆蓋會造成公開服務中斷 | 納入 C0,需建立 domain / cert / renewal 清冊 |
|
||
| P1 | workflow / runner / deploy key / secret name | 已有 Gitea / GitHub readiness 盤點,但尚未把配置變更和 IwoooS 高價值配置共用 gate 合併 | workflow 或 runner 改錯會直接影響部署與 secret 注入 | 納入 C0,維持只讀 owner response,不收 secret value |
|
||
| P1 | Docker Compose / systemd live config | 110 / 188 多服務由 compose、systemd 與 recovery scripts 管理 | restart policy、port、volume、env 改動會影響 Harbor、Sentry、Langfuse、Gitea、agent-bounty-protocol | 納入 C1,先做只讀 inventory |
|
||
| P1 | AI provider / Ollama proxy | 110 Nginx proxy、GCP-A/B、111 fallback、API provider route 多處配置 | provider route drift 會造成成本、可用性、資料外送與模型品質風險 | 納入 C1,任何切換仍需 dry-run / benchmark / owner gate |
|
||
| P1 | agent-bounty-protocol runtime / treasury / A2A / MCP | 已納入只讀範圍,但尚未有 production host、compose、domain、TLS、rollback owner 完整資料 | 外部 agent、claim / submit、payout 或 webhook 若未控管,風險高於一般網站 | 納入 C2,仍不改該 repo、不讀 `.env`、不部署 |
|
||
|
||
## 2. Nginx 控管機制
|
||
|
||
Nginx 是目前必須最先資安控管的配置,原因是它同時控制公開 domain、TLS、admin route、API / WebSocket、ACME challenge、跨產品 upstream 與內網曝光邊界。
|
||
|
||
### 2.1 Source of truth
|
||
|
||
| 主機 | repo source-of-truth | live path | 涵蓋 |
|
||
|------|----------------------|-----------|------|
|
||
| `192.168.0.188` | `infra/ansible/roles/nginx/templates/188-all-sites.conf.j2` | `/etc/nginx/sites-enabled/all-sites.conf` | `aiops.wooo.work`、`gitlab.wooo.work`、`signoz.wooo.work`、`www.tsenyang.com`、`tsenyang.com`、`stock.wooo.work`、`mo.wooo.work`、`bitan.wooo.work`、`vtuber.wooo.work` |
|
||
| `192.168.0.188` | `infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2` | live path 需 owner 確認 | `gitea.wooo.work`、`sentry.wooo.work`、`langfuse.wooo.work`、`harbor.wooo.work`、`registry.wooo.work`、`signoz.wooo.work`、`stock.wooo.work` |
|
||
| `192.168.0.110` | `infra/ansible/roles/nginx/templates/110-ollama-proxy.conf.j2` | `/etc/nginx/sites-enabled/110-ollama-proxy.conf` | Ollama GCP-A `11435`、GCP-B `11436`、local fallback `11437` |
|
||
| 部署入口 | `infra/ansible/playbooks/nginx-sync.yml` | Ansible apply | `nginx -t`、backup、reload handler |
|
||
| 回滾 SOP | `docs/runbooks/disaster-recovery/DR-Nginx.md` | Runbook | 語法錯誤、Git rollback、188 失效接管 |
|
||
|
||
### 2.2 必要 gate
|
||
|
||
| 階段 | 必要資料 | 未滿足時 |
|
||
|------|----------|----------|
|
||
| 變更前 | owner role / team、affected domains、affected paths、upstream、TLS / ACME 影響、rollback owner、maintenance window | 不可 reload,不可部署 |
|
||
| diff | repo diff、rendered diff、live drift evidence refs | 只可進入 owner review |
|
||
| preflight | `nginx -t`、port conflict check、certificate path check | 不可 reload |
|
||
| post-check | public route smoke、API / WebSocket smoke、admin route smoke、ACME path smoke、錯誤率觀察 | 不可宣稱完成 |
|
||
| rollback | 前一份 live backup、Git revert ref、rollback owner、停止條件 | 不可進 production window |
|
||
|
||
### 2.3 Drift 原則
|
||
|
||
1. 偵測到 live Nginx 與 repo template 不一致時,只建立 evidence,不自動覆寫 live。
|
||
2. drift 必須標記受影響 domain、upstream、TLS、admin route、ACME path 與風險等級。
|
||
3. 若 drift 是緊急手改,需補 break-glass owner response、時間、原因、回滾條件與後續 source-of-truth patch。
|
||
4. 若 drift 是未授權變更,列為 P0 config drift,不得等到下一次部署才處理。
|
||
5. IwoooS UI 可顯示 drift,但不能因此提高 runtime gate。
|
||
|
||
## 3. 需要優先納管的配置總清單
|
||
|
||
| 優先 | 配置 | 代表 repo 路徑 | live / owner 來源 | 必要控管 |
|
||
|------|------|----------------|-------------------|----------|
|
||
| P0 | Nginx public gateway | `infra/ansible/roles/nginx/templates/*.j2`、`infra/ansible/playbooks/nginx-sync.yml`、`ops/nginx/*` | 188 / 110 live Nginx | source-of-truth、drift detector、owner gate、`nginx -t`、route smoke、rollback |
|
||
| P0 | DNS / TLS / certbot | Nginx templates、`docs/runbooks/REGISTRY-CERTBOT-188.md`、TLS alert rules | DNS provider、Let's Encrypt、188 / 110 | domain inventory、cert path、renewal check、ACME path smoke |
|
||
| P0 | K8s production manifests | `k8s/awoooi-prod/*`、`k8s/argocd/awoooi-prod-app.yaml` | ArgoCD / K3s | GitOps diff、ArgoCD health / sync readback、rollback revision、no manual kubectl unless approved |
|
||
| P0 | K8s Secret metadata | `k8s/awoooi-prod/03-secrets.example.yaml`、secret templates、workflow injection | Gitea Secrets / K8s Secret names | secret name parity only、no value collection、rotation owner |
|
||
| P0 | Gitea workflows | `.gitea/workflows/*.yaml` | Gitea Actions | self-hosted runner, secret reference guard, deployment verification, no write action without owner |
|
||
| P0 | Runner / deploy key / webhook / branch protection | `ops/runner/*`、source-control snapshots | Gitea / GitHub owner metadata | labels、key names、webhook names、ruleset metadata only;no token / key value |
|
||
| P0 | Public admin / API route config | Nginx templates、`apps/web/src/lib/config.ts`、`apps/api/src/core/config.py` | Product owner + runtime owner | auth boundary、CORS、public URL、admin path smoke、frontend internal IP ban |
|
||
| P0 | Backup / restore credential | `scripts/backup/*`、`k8s/velero/*`、DR runbooks、`docs/security/BACKUP-RESTORE-ESCROW-INVENTORY.md` | MinIO / restic / offsite escrow | credential value absent、restore drill gate、offsite owner、escrow owner、retention policy、rollback owner |
|
||
| P0 | agent-bounty-protocol treasury / MCP / A2A | `docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md` | agent-bounty owner response | no payout / claim / submit / daemon / webhook until explicit runtime approval |
|
||
| P1 | Prometheus / Alertmanager | `k8s/monitoring/*`、`ops/alertmanager/alertmanager.yml`、`ops/monitoring/*`、`docs/security/MONITORING-ALERTING-OBSERVABILITY-INVENTORY.md` | 110 monitoring stack | repo-only 清冊、rule diff、receiver diff、reload gate、failure-only notification policy |
|
||
| P1 | Grafana / SigNoz / Sentry / Langfuse | `ops/grafana/*`、`ops/signoz/*`、`ops/sentry-self-hosted/*`、`infra/langfuse/*`、`docs/security/MONITORING-ALERTING-OBSERVABILITY-INVENTORY.md` | 110 compose / public gateway | admin secret externalized、public route, backup, smoke, upgrade window |
|
||
| P1 | Harbor / registry | Nginx templates、backup scripts、CD workflows | 110 Harbor / registry domains | robot account owner、image tag immutability、scan policy、TLS |
|
||
| P1 | PostgreSQL / Redis / MinIO | app config、backup scripts、monitoring config | 188 / 110 / K3s | no plaintext DSN, access boundary, backup, restore, metrics auth |
|
||
| P1 | Docker Compose / systemd | `docker-compose.yml`、`ops/*/docker-compose.yml`、`scripts/reboot-recovery/*.service` | 110 / 188 / agent-bounty hosts | port / volume / env diff、restart window、rollback owner |
|
||
| P1 | SSH / sudoers / known_hosts | Ansible inventory、ops scripts、runner scripts | host owners | pinned or accept-new policy、no host key disable、target whitelist |
|
||
| P1 | Firewall / WireGuard / NodePort / VIP | K8s service / network policy、Kali / wg-easy docs | network owner | ingress / egress matrix、no unreviewed port exposure |
|
||
| P1 | AI provider / model routing | `apps/api/src/services/ai_providers/*`、Ollama runbooks、Nginx proxy | AI owner | dry-run、benchmark、cost / privacy review、fallback order gate |
|
||
| P1 | Kali 112 scanner config | `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md`、Kali snapshots | Kali owner | maintenance window、no active scan、no `/execute`、hardening dry-run |
|
||
| P2 | AWOOOI / AwoooP / IwoooS frontend runtime config | `apps/web/next.config.js`、`apps/web/src/lib/config.ts`、i18n | web owner | NEXT_PUBLIC public-domain only、no internal transcript, desktop/mobile smoke |
|
||
| P2 | VibeWork product boundary | VibeWork owner docs / future evidence refs | VibeWork owner | independent product boundary、repo / deploy / admin / backup scope |
|
||
| P2 | StockPlatform / Tsenyang / Bitan / VTuber routes | Nginx templates、product runbooks | product owner | domain / admin / API / backup / owner matrix |
|
||
| P2 | Package / supply-chain baselines | `pnpm-lock.yaml`、`package.json`、Dockerfiles、inventory snapshots | repo owner | lockfile drift, CVE / license policy, image digest evidence |
|
||
| P3 | Runbook / endpoint docs / snapshots | `docs/reference/*`、`docs/runbooks/*`、`docs/security/*.snapshot.json` | doc owner | no secret value, stale endpoint flag, owner-reviewed evidence refs |
|
||
|
||
## 4. 新增規範
|
||
|
||
1. 高價值配置必須先分級:C0 / C1 / C2 / C3。
|
||
2. 所有 C0 配置變更必須有 source-of-truth、owner gate、diff、rollback owner 與驗證點。
|
||
3. Nginx live drift 不得自動覆蓋,只能先形成 P0 evidence 與 owner decision。
|
||
4. 文件與 runbook 的範例不得包含可用 token、password、private key、runner token、webhook secret、cookie、authorization header 或 partial credential。
|
||
5. SSH 類工具不得關閉 host key 驗證;短期可用 `accept-new`,長期要升級 pinned known_hosts。
|
||
6. Grafana / Harbor / MinIO / ArgoCD / Gitea / Telegram / AI provider 等管理面密碼只能由 owner secret store 注入。
|
||
7. agent-bounty-protocol、VibeWork 與其他產品的 route / admin / webhook / payout / deploy config 必須放入 IwoooS 控管,但不能混用 AWOOOI runtime approval。
|
||
8. Backup / restore / offsite / escrow / retention 清冊可見只代表需被控管;不得把 runbook 命令、snapshot、AwoooP approval 或 IwoooS UI 當作 backup run、restore drill、rclone sync、remote delete、restic prune、escrow marker write 或 Velero restore 授權。
|
||
|
||
## 5. 需要調整的既有規範
|
||
|
||
| 規範 | 目前狀態 | 調整方向 |
|
||
|------|----------|----------|
|
||
| IwoooS 初期低摩擦 | 原本偏只讀框架 | 保留只讀框架,但 P0 即時危害可先做 source-control 止血 |
|
||
| Nginx DR runbook | 已寫禁止直接手改 live conf | 補 owner-provided live conf、rendered diff、`nginx -t` evidence、route smoke、跨產品通知、post-check |
|
||
| Secrets 管理手冊 | 有 secret 來源與 CD 注入說明 | 去除可用 token 範例,補「metadata only」與 owner secret store |
|
||
| Gitea / GitHub readiness | 已有 repo / workflow / secret name 盤點 | 與高價值配置分級合併,workflow 變更仍需獨立批准 |
|
||
| Deployment verification | 偏重 Pod / health | 加入 Nginx / DNS / TLS / public route / admin route smoke |
|
||
| AI provider governance | 已有 dry-run / benchmark 邊界 | 加入 Nginx Ollama proxy、GCP fallback、成本與資料外送控管 |
|
||
| Frontend i18n / internal IP | 已有 NEXT_PUBLIC 禁令 | 擴大到 public route / Sentry tunnel / admin path / product domain 一起驗證 |
|
||
|
||
## 6. 階段完成度
|
||
|
||
| 工作 | 完成度 | 說明 |
|
||
|------|--------|------|
|
||
| 重要配置範圍盤點 | `100%` | 已建立 C0-C3 分級與總清單 |
|
||
| Nginx 控管機制定義 | `100%` | 已定義 source-of-truth、live path、gate、drift 原則 |
|
||
| source-control P0 止血 | `100%` | 已清掉本波掃到的 token 範例、Grafana 密碼常值與 SSH host key 關閉 |
|
||
| repo-only Nginx drift detector | `100%` | 已新增 `scripts/security/nginx-config-drift-detector.py` 與 repo source-of-truth snapshot |
|
||
| public gateway preflight 清冊 | `100%` | 已新增 `public_gateway_preflight_inventory_v1`,固定 12 個 reload / route change 前置 Gate;成熟度 `78% -> 84%` |
|
||
| 高價值配置變更分類 Gate | `100%` | 已新增 `scripts/security/high-value-config-change-gate.py`,可用 git diff 或手動檔案分類 C0/C1/C2/C3 並列出 owner / rollback / evidence / 驗證欄位 |
|
||
| owner response evidence JSON 欄位檢查 | `70%` | Gate 可檢查必要欄位與 false flags;尚未接正式收件 API 或 AwoooP queue |
|
||
| Gate → owner response packet 草案 | `100%` | 已新增 `scripts/security/high-value-config-owner-packet.py`,可將 impacted category 轉成 canonical owner response packet 草案 |
|
||
| canonical owner 欄位對齊 | `100%` | 高價值配置 Gate 已對齊 S4.9 `owner_role_or_team`,並保留 `owner_role_team` 等 alias 支援 |
|
||
| 全域配置覆蓋矩陣 | `100%` | 已新增 `scripts/security/high-value-config-control-coverage.py`、snapshot 與 schema,14 類高價值配置可重跑檢查 |
|
||
| Backup / restore / escrow 清冊 | `100%` | 已新增 `backup_restore_escrow_inventory_v1`,納入 38 個 repo-only surface;成熟度 `52% -> 58%` |
|
||
| Monitoring / alerting / observability 清冊 | `100%` | 已新增 `monitoring_alerting_observability_inventory_v1`,納入 60 個 repo-only surface;成熟度 `56% -> 62%` |
|
||
| owner packet 前台只讀接入 | `100%` | `/zh-TW/iwooos` 已顯示高價值配置 owner packet 草案、C0/C1 packet 數、request / received / accepted 仍為 0 與禁止執行邊界 |
|
||
| owner response request / received / accepted | `0%` | Packet 只是草案;尚未送件、尚未收件、尚未 reviewer accepted |
|
||
| CI blocking / workflow gate | `0%` | 本階段刻意不修改 `.gitea/workflows`,避免初期資安流程摩擦過大 |
|
||
| owner-provided live Nginx file compare | `70%` | 工具可吃 owner 匯出的 live conf 檔比較;本階段不主動 SSH 取得 |
|
||
| live Nginx evidence collection | `0%` | 尚未 SSH / Ansible check-mode / live hash;需 owner 與維護窗口規則 |
|
||
| live Nginx reload / restart | `0%` | 未授權,未執行 |
|
||
| DNS / TLS live validation | `0%` | 本階段未跑 live probe;若下一階段改前端或 route,需 desktop / mobile / route smoke |
|
||
| cross-product owner response | `0%` | 尚未收到 VibeWork、agent-bounty-protocol、StockPlatform 等 owner acceptance |
|
||
|
||
## 7. 下一階段優先順序
|
||
|
||
1. P0:將 owner response packet 草案接入 AwoooP 只讀狀態,顯示 request / received / accepted 仍為 0。
|
||
2. P0:由 owner 提供脫敏 live Nginx conf 匯出檔,重跑 compare mode;不自動覆寫、不 reload。
|
||
3. P0:補 DNS / TLS / certbot domain inventory,先只讀,不 renew、不 reload。
|
||
4. P0:把 workflow / runner / secret name owner response 與高價值配置 C0 gate 串成同一個 IwoooS 狀態。
|
||
5. P0:把 agent-bounty-protocol compose / MCP / A2A / treasury 高價值配置欄位接入同一個 owner packet queue;不啟用 runtime。
|
||
6. P1:盤點 110 / 188 Docker Compose 與 systemd live config,標記 Harbor、Sentry、Langfuse、Gitea、agent-bounty-protocol 影響面。
|
||
7. P1:把 backup / restore / offsite / escrow owner response packet 接入 AwoooP 只讀狀態;驗收前 backup run、restore drill、offsite sync、remote delete、escrow marker write、retention change 全部維持 `0 / false`。
|
||
8. P1:把 Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse owner response packet 接入 AwoooP 只讀狀態;驗收前 reload、receiver route change、silence change、Telegram send 與 alert chain smoke 全部維持 `0 / false`。
|
||
9. P1:補 Kali 112、111、168 維護窗口 owner 欄位,仍不做 upgrade / restart / scan。
|
||
10. P2:持續精簡 `/zh-TW/iwooos` 配置控管摘要,但不得顯示內部工作對話、token、secret 或可執行按鈕。
|
||
|
||
## 8. 邊界
|
||
|
||
本清冊完成不代表 Nginx reload、DNS 修改、TLS renew、ArgoCD sync、kubectl、SSH 主機修改、workflow 修改、runner 啟用、secret rotation、backup run、restore drill、offsite sync、remote delete、restic prune、escrow marker write、Velero restore、active scan、agent-bounty runtime、payout、withdrawal、deploy 或任何 runtime execution 已授權。
|