awoooi/docs/security/SSH-NETWORK-POST-INCIDENT-READBACK-PLAN.md

IwoooS SSH / network / firewall post-incident readback plan

項目	內容
日期	2026-06-15
狀態	post_incident_readback_plan_ready_no_runtime_action
工具	scripts/security/ssh-network-post-incident-readback-plan.py
Snapshot	docs/security/ssh-network-post-incident-readback-plan.snapshot.json
Source acceptance	docs/security/port-firewall-change-evidence-acceptance.snapshot.json
runtime gate	0

1. 目的

本文件承接端口 / 防火牆變更證據驗收帳本，補上事故後回讀計畫。未來若再次發生端口被關、firewall / NetworkPolicy / NodePort / WireGuard policy 被改動、deploy SSH 斷線、AI provider route 異常、public route 或 monitoring 路徑受影響，IwoooS 必須先收齊「誰改、何時改、改前改後狀態、影響哪些服務、是否同步相關產品、怎麼恢復、怎麼防再發」的脫敏證據。

這不是 SSH 授權、不是 live firewall read、不是 firewall / port change、不是 route smoke、不是 host restart，也不是 runtime gate。它只建立 post-incident readback 的欄位、reviewer checks、分流與拒收條件，避免把「服務後來恢復」誤判成「事故原因、責任、影響與防再發都已驗收」。

2. 摘要

指標	目前值	說明
readback candidate	14	承接端口 / 防火牆 / NodePort / NetworkPolicy / WireGuard / deploy SSH / sudo / alert action surface
write-capable readback candidate	6	可能影響 deploy SSH、monitoring deploy、sudoers 或 alert action catalog 的 surface
policy / exposure readback candidate	5	NetworkPolicy、NodePort、WireGuard 與 exposure 相關 surface
health impact review required	14	全部都必須交代 service / AI provider / monitoring / product impact
cross-project sync required	14	全部都必須交代跨產品 / owner / Session 同步 ref
recurrence guard required	14	全部都必須提出防再發 guard 或 change freeze rule
readback field	30	readback 欄位總數
required readback field	24	owner / reviewer 必填欄位
reviewer check	24	actor、before / after、health impact、通知、同步、恢復、防再發與 no-false-green 檢查
outcome lane	10	waiting、補 actor、補 before-after、補 health impact、隔離、拒收、review、ledger-only、防再發回補、runtime gate
blocked action	34	SSH、firewall、port、route smoke、reload、restart、secret、active scan、provider switch、prompt send、production write 等
post-incident readback received / accepted	0 / 0	尚未收到或驗收
no-false-green accepted	0	不把 route 200、service up 或 UI 可見當事故驗收
runtime gate / action button	0 / 0	不提供操作入口

3. Readback Candidate 範圍

Candidate	驗收焦點
ssh_network_post_incident_readback:ansible_inventory_ssh_targets	主機存取異動、端口影響、維護窗口、rollback 與 post-check
ssh_network_post_incident_readback:gitea_cd_deploy_ssh	deploy SSH 可達性、回復證據、rollback owner 與跨專案通知
ssh_network_post_incident_readback:gitea_cd_dev_ssh	dev / prod 邊界、端口 policy、owner decision 與防再發
ssh_network_post_incident_readback:deploy_alerts_ssh_path	alert deploy path、通知鏈路、受影響產品與恢復 readback
ssh_network_post_incident_readback:monitoring_discover_docker_ssh	monitoring discovery 可達性、read-only window 與 false-green 風險
ssh_network_post_incident_readback:monitoring_exporter_deploy_ssh	exporter deploy access、firewall owner、post-check 與 rollback
ssh_network_post_incident_readback:backup_config_ssh_capture	backup access、restore validation、service dependency 與 notification
ssh_network_post_incident_readback:host_ops_sudoers_wrapper	sudo 授權邊界、break-glass、回復責任與 forbidden command proof
ssh_network_post_incident_readback:k8s_prod_network_policy	ingress / egress policy、route impact、metrics / alert 與回滾
ssh_network_post_incident_readback:argocd_metrics_network_policy	metrics scrape、NodePort exposure、source whitelist 與 monitoring impact
ssh_network_post_incident_readback:argocd_metrics_nodeport	NodePort exposure、firewall owner、rollback 與 public/admin route 影響
ssh_network_post_incident_readback:velero_metrics_nodeport	backup metrics exposure、access policy 與 restore readiness 影響
ssh_network_post_incident_readback:wireguard_mesh_runbook	mesh cutover、firewall rule owner、canary / rollback 與 maintenance window
ssh_network_post_incident_readback:alert_rules_ssh_actions	alert action catalog、read/write/admin 分級、cooldown 與 post-check

4. 必填 Readback 欄位

1. change_or_incident_ref
2. actor_attribution_ref
3. incident_detected_at_ref
4. change_window_ref
5. affected_port_or_policy_ref
6. before_state_ref
7. after_state_ref
8. service_dependency_ref
9. public_route_impact_ref
10. ai_provider_impact_ref
11. monitoring_alert_impact_ref
12. customer_or_product_impact_ref
13. operator_notification_ref
14. cross_project_sync_ref
15. restoration_evidence_ref
16. postcheck_readback_ref
17. recurrence_guard_ref
18. maintenance_window
19. rollback_owner
20. followup_owner
21. redacted_evidence_refs
22. no_secret_value_attestation
23. no_raw_firewall_dump_attestation
24. no_false_green_attestation

5. Reviewer Checks

1. source_change_evidence_current
2. incident_ref_present
3. actor_not_anonymous
4. before_after_state_present
5. port_policy_redacted
6. service_dependency_present
7. public_route_impact_present
8. ai_provider_impact_present
9. monitoring_alert_impact_present
10. customer_product_impact_present
11. operator_notification_present
12. cross_project_sync_present
13. restoration_evidence_present
14. postcheck_independent
15. recurrence_guard_present
16. emergency_classification_present
17. maintenance_window_present
18. rollback_owner_present
19. no_false_green_route_200
20. raw_firewall_dump_absent
21. secret_or_key_value_absent
22. hidden_impact_absent
23. counts_transition_safe
24. runtime_stays_zero

6. Outcome Lanes

Lane	說明
waiting_post_incident_readback	尚未收到事故回讀包；所有 accepted / runtime count 維持 0
request_actor_supplement	缺 actor / owner / decision 時要求補件
request_before_after_supplement	缺 before / after 或 restoration evidence 時要求補件
request_health_impact_supplement	缺 service / AI provider / monitoring / product impact 時要求補件
quarantine_raw_payload	收到 raw firewall dump、secret 或 key material 時只能隔離
reject_unattributed_incident	無 actor、無 affected scope、無 rollback 或無 notification 的事故回讀不得驗收
ready_for_post_incident_review	metadata 合格後，只能進 reviewer review
incident_readback_only_update	只允許更新只讀 ledger，不得反向視為已批准操作
recurrence_guard_backfill_required	需補防再發 guard、owner review 與 change freeze
waiting_runtime_gate	即使 readback accepted，runtime gate 仍需獨立人工批准

7. 禁止動作

1. ssh_read
2. ssh_write
3. live_firewall_read
4. firewall_change
5. port_change
6. port_close
7. port_open
8. network_policy_apply
9. nodeport_change
10. wireguard_change
11. sudo_action
12. deploy_ssh_action
13. route_smoke
14. public_gateway_reload
15. nginx_reload
16. host_restart
17. docker_restart
18. systemd_restart
19. secret_value_collection
20. ssh_key_collection
21. raw_firewall_dump_storage
22. raw_key_material_storage
23. mark_readback_accepted_without_reviewer_record
24. mark_incident_resolved_without_postcheck
25. hide_cross_project_impact
26. treat_route_200_as_all_green
27. treat_break_glass_as_approval
28. close_management_port_without_owner
29. open_runtime_gate
30. add_action_button
31. production_write
32. active_scan
33. provider_switch
34. prompt_send

8. 指令

產生 committed snapshot：

python3 scripts/security/ssh-network-post-incident-readback-plan.py \
  --root . \
  --source-change-evidence-report docs/security/port-firewall-change-evidence-acceptance.snapshot.json \
  --output docs/security/ssh-network-post-incident-readback-plan.snapshot.json \
  --generated-at 2026-06-15T19:16:00+08:00

驗證 guard：

python3 scripts/security/security-mirror-progress-guard.py --root .

9. 完成度

工作	完成度	說明
post-incident readback plan artifact	100%	14 份候選、snapshot、文件與 guard 已固定
post-incident readback received / accepted	0%	尚未收到，尚未驗收
actor / before-after / impact evidence	0%	尚未收到 owner-provided evidence
service / AI provider / monitoring impact	0%	尚未收到脫敏 impact refs
cross-project sync / notification evidence	0%	尚未收到同步與通知證據
recurrence guard / no-false-green accepted	0%	尚未驗收防再發或 no-false-green
SSH / firewall / port / route / restart action	0%	未授權且未執行
runtime gate / production write	0%	未授權且未執行