awoooi/docs/security/high-value-config-control-coverage.snapshot.json
Your Name 066bf5d1be
fix(iwooos): 新增 dns tls owner acceptance ledger
2026-06-14 22:46:40 +08:00

{
"coverage_categories": [
{
"action_buttons_allowed": false,
"category_id": "nginx_public_gateway",
"control_tier": "C0",
"coverage_percent": 86,
"coverage_status": "owner_response_acceptance_ledger_ready_needs_owner_live_diff",
"current_gap": "已固定 owner response acceptance 只讀帳本；owner response、live conf、rendered diff、nginx -t、route smoke、maintenance window 與 rollback owner 仍全部為 0。",
"evidence_refs": [
"docs/security/NGINX-CONFIG-DRIFT-DETECTOR.md",
"docs/security/nginx-config-drift-repo.snapshot.json",
"docs/security/DOMAIN-TLS-CERTBOT-INVENTORY.md",
"docs/security/PUBLIC-GATEWAY-PREFLIGHT-INVENTORY.md",
"docs/security/public-gateway-preflight-inventory.snapshot.json",
"docs/security/PUBLIC-GATEWAY-OWNER-RESPONSE-ACCEPTANCE.md",
"docs/security/public-gateway-owner-response-acceptance.snapshot.json",
"docs/schemas/public_gateway_preflight_inventory_v1.schema.json"
],
"label": "Nginx / reverse proxy / public route",
"next_owner_action": "補 public gateway owner 回覆、owner-provided live conf、source-to-live rendered diff、nginx -t evidence、route smoke、maintenance window 與 rollback owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"infra/ansible/roles/nginx/templates/*.j2",
"infra/ansible/playbooks/nginx-sync.yml",
"k8s/nginx/**",
"ops/nginx/**",
"docs/runbooks/disaster-recovery/DR-Nginx.md"
],
"priority": "P0",
"required_gate": "public_gateway_owner_response_required",
"required_validation": [
"rendered_diff",
"nginx_t",
"affected_route_smoke",
"admin_route_smoke_if_affected",
"acme_path_smoke_if_affected",
"rollback_ref"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"coverage_percent": 78,
"coverage_status": "owner_response_acceptance_ledger_ready_needs_certificate_owner_evidence",
"current_gap": "已固定 4 份 DNS / TLS / certbot owner response acceptance candidate；仍缺 owner response、certificate coverage metadata ref、expiry metadata ref、renewal owner、ACME route owner、maintenance window、rollback owner 與 validation plan。",
"evidence_refs": [
"docs/security/DOMAIN-TLS-CERTBOT-INVENTORY.md",
"docs/security/domain-tls-certbot-inventory.snapshot.json",
"docs/security/DOMAIN-TLS-CERTBOT-OWNER-CONFIRMATION-REQUEST.md",
"docs/security/domain-tls-certbot-owner-confirmation-request.snapshot.json",
"docs/security/DOMAIN-TLS-CERTBOT-OWNER-RESPONSE-ACCEPTANCE.md",
"docs/security/domain-tls-certbot-owner-response-acceptance.snapshot.json"
],
"label": "DNS / TLS / certbot / certificate path",
"next_owner_action": "補 SAN / wildcard / 共用憑證覆蓋依據 ref、到期 metadata ref、renewal owner、ACME route owner、維護窗口、rollback owner 與 validation plan。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"docs/runbooks/REGISTRY-CERTBOT-188.md",
"docs/runbooks/**/*CERTBOT*.md",
"docs/runbooks/**/*TLS*.md",
"scripts/ops/**/*cert*",
"scripts/ops/**/*tls*",
"ops/**/*cert*",
"ops/**/*tls*",
"infra/**/*cert*",
"infra/**/*tls*",
"k8s/**/*tls*"
],
"priority": "P0",
"required_gate": "domain_tls_owner_response_required",
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "k8s_production_gitops",
"control_tier": "C0",
"coverage_percent": 62,
"coverage_status": "owner_response_acceptance_ledger_ready_needs_runtime_evidence",
"current_gap": "已固定 owner response acceptance 只讀帳本；ArgoCD health / sync readback、rollback revision、rendered manifest diff 與 post-deploy validation 仍全部為 0。",
"evidence_refs": [
"docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md",
"docs/security/K8S-ARGOCD-OWNER-RESPONSE-ACCEPTANCE.md",
"docs/security/k8s-argocd-owner-response-acceptance.snapshot.json",
"k8s/awoooi-prod",
"k8s/argocd"
],
"label": "K8s / ArgoCD / production manifests",
"next_owner_action": "補 GitOps owner 回覆、rollback revision、health readback、rendered manifest diff 與 post-deploy validation plan。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"k8s/awoooi-prod/**",
"k8s/argocd/**",
"k8s/velero/**",
"k8s/monitoring/**"
],
"priority": "P0",
"required_gate": "gitops_owner_response_required",
"required_validation": [
"gitops_diff",
"argocd_health_readback",
"sync_authorization_check",
"rollback_revision",
"post_deploy_health_if_executed"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "secret_metadata",
"control_tier": "C0",
"coverage_percent": 66,
"coverage_status": "metadata_policy_ready",
"current_gap": "只允許 secret name / metadata；仍缺 owner response 與 parity acceptance。",
"evidence_refs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/SECRETS_REFERENCE.md"
],
"label": "Secret metadata / injection / redaction",
"next_owner_action": "只回覆 secret name owner、rotation owner、injection owner 與 redacted evidence refs。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"k8s/**/*secret*",
"k8s/**/*Secret*",
".gitea/workflows/*.yml",
".gitea/workflows/*.yaml",
".github/workflows/*.yml",
".github/workflows/*.yaml",
"docs/runbooks/SECRETS-MANAGEMENT.md",
"docs/security/SECRETS_REFERENCE.md"
],
"priority": "P0",
"required_gate": "secret_metadata_owner_response_required",
"required_validation": [
"secret_name_parity",
"metadata_only_check",
"no_secret_value_check",
"rotation_owner",
"injection_readback_if_deployed"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "gitea_workflow_runner_source_control",
"control_tier": "C0",
"coverage_percent": 70,
"coverage_status": "metadata_inventory_ready",
"current_gap": "workflow / runner / deploy key / webhook / branch protection 仍待 owner response；不得改 workflow。",
"evidence_refs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"
],
"label": "Gitea workflow / runner / deploy key / webhook / branch protection",
"next_owner_action": "補 runner label、webhook、deploy key、branch protection 與 workflow parity owner metadata。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
".gitea/workflows/**",
".github/workflows/**",
"ops/runner/**",
"scripts/setup-runner*.sh",
"scripts/**/*runner*",
"docs/security/SOURCE-CONTROL-*",
"docs/security/GITEA-*",
"docs/security/GITHUB-*"
],
"priority": "P0",
"required_gate": "workflow_source_control_owner_response_required",
"required_validation": [
"workflow_diff",
"runner_label_owner",
"deploy_key_metadata_only",
"webhook_metadata_only",
"branch_protection_metadata",
"no_token_value_check"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "public_admin_api_runtime_config",
"control_tier": "C0",
"coverage_percent": 62,
"coverage_status": "policy_ready_needs_change_scoped_smoke",
"current_gap": "每次產品 route / admin / API / frontend config 變更仍需逐次 smoke 與 owner gate。",
"evidence_refs": [
"docs/HARD_RULES.md",
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md"
],
"label": "Public / admin / API / frontend runtime config",
"next_owner_action": "補 affected route、admin/auth boundary、CORS/public URL 與 desktop/mobile smoke plan。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"apps/web/next.config.*",
"apps/web/src/lib/config.*",
"apps/api/src/core/config.py",
"apps/api/src/api/v1/monitoring.py",
"apps/api/src/middleware/**",
"apps/web/src/middleware.*"
],
"priority": "P0",
"required_gate": "public_runtime_config_owner_response_required",
"required_validation": [
"public_url_check",
"frontend_internal_ip_ban",
"cors_boundary_check",
"admin_auth_boundary_check",
"desktop_mobile_smoke_if_frontend"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "backup_restore_credential",
"control_tier": "C0",
"coverage_percent": 62,
"coverage_status": "owner_response_acceptance_ledger_ready_needs_restore_drill_owner",
"current_gap": "已固定 owner response acceptance 只讀帳本；restore drill、offsite sync、credential escrow、retention change、live evidence 與 owner response 仍全部為 0。",
"evidence_refs": [
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
"docs/security/BACKUP-RESTORE-ESCROW-INVENTORY.md",
"docs/security/backup-restore-escrow-inventory.snapshot.json",
"docs/security/BACKUP-RESTORE-OWNER-RESPONSE-ACCEPTANCE.md",
"docs/security/backup-restore-owner-response-acceptance.snapshot.json",
"docs/schemas/backup_restore_escrow_inventory_v1.schema.json"
],
"label": "Backup / restore / escrow / retention",
"next_owner_action": "補 restore drill approval package、offsite owner、escrow owner、retention owner、rollback owner、validation plan 與 no-secret-value evidence。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"scripts/backup/**",
"k8s/velero/**",
"docs/runbooks/disaster-recovery/**",
"docs/runbooks/**/*RESTORE*.md",
"docs/runbooks/**/*BACKUP*.md"
],
"priority": "P0",
"required_gate": "backup_restore_owner_response_required",
"required_validation": [
"credential_absence_check",
"restore_drill_gate",
"retention_policy",
"escrow_owner",
"rollback_ref"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "agent_bounty_protocol_runtime",
"control_tier": "C0",
"coverage_percent": 68,
"coverage_status": "owner_request_draft_ready_needs_runtime_owner",
"current_gap": "owner request draft 已固定 11 份草稿;尚未收到 runtime / MCP / A2A / treasury / payout owner response；runtime gate 必須維持 0。",
"evidence_refs": [
"docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json",
"docs/security/AGENT-BOUNTY-OWNER-REQUEST-DRAFT.md",
"docs/security/agent-bounty-owner-request-draft.snapshot.json",
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
],
"label": "agent-bounty-protocol runtime / MCP / A2A / treasury boundary",
"next_owner_action": "補 repo owner、external agent owner、treasury owner、runtime gate owner、maintenance window、rollback owner 與 validation plan。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json",
"docs/schemas/agent_bounty_iwooos_onboarding_handoff_v1.schema.json",
"agent-bounty-protocol/**"
],
"priority": "P0",
"required_gate": "agent_bounty_owner_response_required",
"required_validation": [
"repo_owner_scope",
"runtime_gate_false",
"no_payout_or_treasury_execution",
"no_mcp_a2a_runtime_execution",
"redacted_evidence_refs_only"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "monitoring_alerting_observability",
"control_tier": "C1",
"coverage_percent": 62,
"coverage_status": "repo_only_inventory_ready_needs_live_route_evidence",
"current_gap": "repo-only 清冊已納入 60 個 monitoring / alerting / observability surface；仍缺 live config hash、rule diff、receiver diff、reload owner、route smoke、receipt proof 與 owner response。",
"evidence_refs": [
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
"docs/security/MONITORING-ALERTING-OBSERVABILITY-INVENTORY.md",
"docs/security/monitoring-alerting-observability-inventory.snapshot.json",
"docs/schemas/monitoring_alerting_observability_inventory_v1.schema.json"
],
"label": "Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse",
"next_owner_action": "補 Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse / Telegram owner、live drift evidence、reload window、receiver owner、rollback owner 與 no-secret-value evidence。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"ops/monitoring/**",
"ops/alertmanager/**",
"ops/grafana/**",
"ops/signoz/**",
"ops/sentry-self-hosted/**",
"infra/langfuse/**",
"k8s/monitoring/**"
],
"priority": "P1",
"required_gate": "monitoring_observability_owner_response_required",
"required_validation": [
"rule_diff",
"receiver_diff",
"reload_gate",
"failure_notification_policy",
"public_route_smoke_if_affected"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "docker_compose_systemd_host_config",
"control_tier": "C1",
"coverage_percent": 50,
"coverage_status": "repo_only_inventory_ready_needs_live_owner_evidence",
"current_gap": "repo-only 清冊已納入 9 個 surface；仍缺 110 / 188 live hash、restart window、rollback owner 與 post-check 指標。",
"evidence_refs": [
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
"docs/security/HOST-SERVICE-CONFIG-INVENTORY.md",
"docs/security/host-service-config-inventory.snapshot.json",
"docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md"
],
"label": "Docker Compose / systemd / host service config",
"next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、restart window、rollback owner 與 post-check 指標。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"docker-compose*.yml",
"docker-compose*.yaml",
"ops/**/docker-compose*.yml",
"ops/**/docker-compose*.yaml",
"scripts/reboot-recovery/**",
"scripts/**/*.service",
"ops/**/*.service"
],
"priority": "P1",
"required_gate": "host_service_owner_response_required",
"required_validation": [
"port_conflict_check",
"volume_diff",
"env_name_diff",
"restart_window",
"rollback_owner"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "ssh_firewall_network_access",
"control_tier": "C1",
"coverage_percent": 58,
"coverage_status": "owner_response_acceptance_ledger_ready_needs_network_owner",
"current_gap": "owner response acceptance 帳本已固定 16 個 SSH / network acceptance candidate；仍缺 owner response、live access state、allowed source CIDR、host key pinning、port impact、firewall owner、NetworkPolicy / NodePort owner、WireGuard owner、maintenance window、rollback owner 與 validation plan。",
"evidence_refs": [
"docs/HARD_RULES.md",
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
"docs/security/SSH-NETWORK-ACCESS-INVENTORY.md",
"docs/security/ssh-network-access-inventory.snapshot.json",
"docs/security/SSH-NETWORK-OWNER-REQUEST-DRAFT.md",
"docs/security/ssh-network-owner-request-draft.snapshot.json",
"docs/security/SSH-NETWORK-OWNER-RESPONSE-ACCEPTANCE.md",
"docs/security/ssh-network-owner-response-acceptance.snapshot.json"
],
"label": "SSH / sudoers / known_hosts / firewall / WireGuard / NodePort",
"next_owner_action": "補 owner-provided live hash / disposition、host key pinning、firewall owner、NetworkPolicy / NodePort owner、WireGuard owner、maintenance window、rollback owner 與 post-check 指標。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"infra/ansible/inventory/**",
"infra/ansible/**/*known_hosts*",
"infra/ansible/**/*ssh*",
"scripts/**/*ssh*",
"scripts/**/*known_hosts*",
"ops/**/*wireguard*",
"ops/**/*firewall*",
"k8s/**/*network*",
"k8s/**/*Network*"
],
"priority": "P1",
"required_gate": "network_access_owner_response_required",
"required_validation": [
"target_whitelist",
"host_key_policy",
"ingress_egress_matrix",
"rollback_owner",
"maintenance_window"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "ai_provider_model_routing",
"control_tier": "C1",
"coverage_percent": 60,
"coverage_status": "policy_ready_needs_dry_run_pack",
"current_gap": "模型 / provider / Ollama proxy 切換需 dry-run、benchmark、成本與 privacy review；目前不切 production。",
"evidence_refs": [
"docs/HARD_RULES.md",
"docs/ai"
],
"label": "AI provider / model routing / Ollama proxy / cost and privacy",
"next_owner_action": "補 provider owner、fallback order、cost review、privacy review、benchmark 與 rollback owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"apps/api/src/services/ai_providers/**",
"apps/api/src/services/**/*model*",
"apps/api/src/services/**/*provider*",
"infra/ansible/roles/nginx/templates/110-ollama-proxy.conf.j2",
"docs/ai/**",
"docs/**/*Ollama*"
],
"priority": "P1",
"required_gate": "ai_provider_owner_response_required",
"required_validation": [
"dry_run",
"benchmark",
"cost_review",
"privacy_review",
"fallback_order_check"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "product_surface_runtime_routes",
"control_tier": "C2",
"coverage_percent": 72,
"coverage_status": "scope_inventory_ready",
"current_gap": "跨產品 owner response 尚未 accepted；產品 route / admin / webhook 仍需逐產品補證。",
"evidence_refs": [
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
"docs/security/VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/AGENT-BOUNTY-OWNER-REQUEST-DRAFT.md"
],
"label": "AWOOOI / AwoooP / IwoooS / VibeWork / other product runtime routes",
"next_owner_action": "補 AWOOOI、AwoooP、IwoooS、VibeWork、agent-bounty-protocol 與公開網站 owner response。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"apps/web/src/app/**",
"apps/web/messages/*.json",
"docs/security/VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/vibework-iwooos-onboarding-handoff.snapshot.json"
],
"priority": "P2",
"required_gate": "product_surface_owner_response_required",
"required_validation": [
"product_boundary_check",
"i18n_traditional_chinese_check",
"no_internal_transcript_check",
"desktop_mobile_smoke_if_frontend"
],
"runtime_gate_open": false
},
{
"action_buttons_allowed": false,
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"coverage_percent": 86,
"coverage_status": "guard_ready",
"current_gap": "guard 已可重跑,但尚未接 blocking CI；本階段刻意維持低摩擦。",
"evidence_refs": [
"scripts/security/security-mirror-progress-guard.py",
"scripts/security/high-value-config-change-gate.py",
"scripts/security/high-value-config-owner-packet.py",
"docs/security/high-value-config-change-gate.snapshot.json"
],
"label": "Security evidence / snapshot / guard tooling",
"next_owner_action": "維持 guard / doc secret sanity；若要 CI blocking 需另開人工批准與 rollout plan。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
"patterns": [
"docs/security/**",
"docs/schemas/**",
"scripts/security/**",
"docs/LOGBOOK.md"
],
"priority": "P3",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
],
"runtime_gate_open": false
}
],
"execution_boundaries": {
"acme_challenge_change_authorized": false,
"action_buttons_allowed": false,
"active_scan_authorized": false,
"admin_route_change_authorized": false,
"agent_bounty_runtime_authorized": false,
"alert_chain_smoke_authorized": false,
"alertmanager_reload_authorized": false,
"argocd_sync_authorized": false,
"backup_run_authorized": false,
"certbot_renew_authorized": false,
"credential_escrow_marker_write_authorized": false,
"dns_tls_change_authorized": false,
"exporter_deploy_authorized": false,
"force_push_authorized": false,
"grafana_dashboard_apply_authorized": false,
"host_live_conf_read_authorized": false,
"host_write_authorized": false,
"kubectl_action_authorized": false,
"langfuse_config_change_authorized": false,
"live_alert_fire_authorized": false,
"nginx_reload_authorized": false,
"nginx_test_authorized": false,
"notification_route_change_authorized": false,
"offsite_remote_delete_authorized": false,
"offsite_sync_authorized": false,
"otel_collector_reload_authorized": false,
"payout_or_withdrawal_authorized": false,
"prometheus_reload_authorized": false,
"public_gateway_reload_authorized": false,
"public_route_change_authorized": false,
"rclone_config_authorized": false,
"receiver_route_change_authorized": false,
"refs_sync_authorized": false,
"remote_write_change_authorized": false,
"restic_prune_authorized": false,
"restore_drill_authorized": false,
"restore_run_authorized": false,
"retention_change_authorized": false,
"rollback_executed": false,
"route_smoke_authorized": false,
"runner_change_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"sentry_deploy_authorized": false,
"signoz_rule_apply_authorized": false,
"silence_policy_change_authorized": false,
"telegram_send_authorized": false,
"velero_restore_authorized": false,
"webhook_receiver_change_authorized": false,
"websocket_route_change_authorized": false,
"workflow_modification_authorized": false
},
"generated_at": "2026-06-14T23:05:00+08:00",
"git_commit": "d26f3bef",
"lowest_coverage_categories": [
{
"category_id": "docker_compose_systemd_host_config",
"coverage_percent": 50,
"current_gap": "repo-only 清冊已納入 9 個 surface；仍缺 110 / 188 live hash、restart window、rollback owner 與 post-check 指標。",
"label": "Docker Compose / systemd / host service config",
"next_owner_action": "補 owner-provided live hash / disposition、compose / systemd owner、restart window、rollback owner 與 post-check 指標。"
},
{
"category_id": "ssh_firewall_network_access",
"coverage_percent": 58,
"current_gap": "owner response acceptance 帳本已固定 16 個 SSH / network acceptance candidate；仍缺 owner response、live access state、allowed source CIDR、host key pinning、port impact、firewall owner、NetworkPolicy / NodePort owner、WireGuard owner、maintenance window、rollback owner 與 validation plan。",
"label": "SSH / sudoers / known_hosts / firewall / WireGuard / NodePort",
"next_owner_action": "補 owner-provided live hash / disposition、host key pinning、firewall owner、NetworkPolicy / NodePort owner、WireGuard owner、maintenance window、rollback owner 與 post-check 指標。"
},
{
"category_id": "ai_provider_model_routing",
"coverage_percent": 60,
"current_gap": "模型 / provider / Ollama proxy 切換需 dry-run、benchmark、成本與 privacy review；目前不切 production。",
"label": "AI provider / model routing / Ollama proxy / cost and privacy",
"next_owner_action": "補 provider owner、fallback order、cost review、privacy review、benchmark 與 rollback owner。"
},
{
"category_id": "k8s_production_gitops",
"coverage_percent": 62,
"current_gap": "已固定 owner response acceptance 只讀帳本；ArgoCD health / sync readback、rollback revision、rendered manifest diff 與 post-deploy validation 仍全部為 0。",
"label": "K8s / ArgoCD / production manifests",
"next_owner_action": "補 GitOps owner 回覆、rollback revision、health readback、rendered manifest diff 與 post-deploy validation plan。"
}
],
"next_collection_order": [
"nginx_public_gateway",
"dns_tls_certbot",
"secret_metadata",
"gitea_workflow_runner_source_control",
"agent_bounty_protocol_runtime",
"docker_compose_systemd_host_config",
"monitoring_alerting_observability",
"ssh_firewall_network_access",
"backup_restore_credential"
],
"operator_interpretation": [
"這是全域配置控管覆蓋矩陣,不是單次 git diff 變更分類。",
"所有 category 都已有高價值配置 Gate 註冊與 owner response 欄位,但 owner response received / accepted 仍為 0。",
"C0 / C1 coverage percent 只代表只讀框架成熟度,不代表 runtime 可執行。",
"缺 live evidence 的項目只能收 owner-provided redacted evidence；不得主動 SSH、reload、scan 或讀 secret value。owner-provided evidence 納入帳本前仍須通過各 category 的 no-secret-value / credential-absence / redacted-refs-only 檢查。"
],
"schema_version": "high_value_config_control_coverage_v1",
"source_category_definition": "scripts/security/high-value-config-change-gate.py",
"status": "coverage_matrix_ready",
"summary": {
"action_button_count": 0,
"average_coverage_percent": 67,
"c0_category_count": 8,
"c1_category_count": 4,
"c2_category_count": 1,
"c3_category_count": 1,
"category_count": 14,
"lowest_coverage_category_count": 4,
"needs_live_evidence_count": 7,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"owner_response_required_count": 14,
"registered_control_count": 14,
"runtime_gate_count": 0
}
}