docs(iwooos): 記錄端口防火牆驗證 [skip ci]
This commit is contained in:
@@ -1,3 +1,45 @@
|
||||
## 2026-06-15|端口 / 防火牆變更證據驗收正式部署與 production 驗證完成
|
||||
|
||||
**背景**:110 端口關閉事件已造成 Ollama、ArgoCD、drift-scanner 與相關 route 異常,且使用者明確要求「所有重要配置都要被管控」。既有 SSH / network owner response acceptance 只能描述存取路徑與 owner response gate,仍缺少專門針對端口開關、防火牆規則、服務影響、跨專案同步、維護窗口、rollback owner 與 post-check evidence 的只讀驗收帳本;若缺少此層,未來很容易把「看得到端口異常」誤判成「已授權關閉 / 開啟 / 修復」。
|
||||
|
||||
**完成項目**:
|
||||
- 新增 `scripts/security/port-firewall-change-evidence-acceptance.py`,從 SSH / network owner response acceptance snapshot 產生 metadata-only port / firewall change evidence acceptance ledger。
|
||||
- 新增 `docs/security/port-firewall-change-evidence-acceptance.snapshot.json`,固定 `change_evidence_candidate_count=14`、`write_capable_candidate_count=6`、`policy_or_exposure_candidate_count=5`、`required_evidence_field_count=16`、`reviewer_check_count=16`、`outcome_lane_count=8`、`blocked_action_count=24`。
|
||||
- 新增 `docs/security/PORT-FIREWALL-CHANGE-EVIDENCE-ACCEPTANCE.md`,明確要求 change / incident ref、actor、before / after state、service impact、cross-project sync、maintenance window、rollback owner 與 post-check evidence。
|
||||
- `high-value-config-control-coverage.snapshot.json` 已同步 SSH / network / firewall 類別成熟度 `58% -> 60%`;高價值配置平均只讀成熟度維持 `68%`,IwoooS headline 維持 `64%`。
|
||||
- `/zh-TW/iwooos` 前端 evidence marker 已同步 `port_firewall_change_evidence_acceptance_candidate_count=14`、`port_change_authorized=false`、`port_close_authorized=false`、`port_open_authorized=false` 與 SSH / network coverage `60%`。
|
||||
- `security-mirror-progress-guard.py` 已鎖住新 snapshot schema、summary、candidate ids、false flags、coverage 60%、posture source paths 與前端 marker。
|
||||
|
||||
**本地驗證**:
|
||||
- 產生器 smoke:`PORT_FIREWALL_CHANGE_EVIDENCE_ACCEPTANCE_OK candidates=14 write_capable=6 policy_or_exposure=5 checks=16 lanes=8 accepted=0 runtime_gate=0`。
|
||||
- high-value config coverage 重產:`HIGH_VALUE_CONFIG_CONTROL_COVERAGE_OK categories=14 c0=8 avg=68 runtime_gate=0`。
|
||||
- `python3 -m py_compile scripts/security/port-firewall-change-evidence-acceptance.py scripts/security/high-value-config-control-coverage.py scripts/security/security-mirror-progress-guard.py` 通過。
|
||||
- JSON parse:port / firewall acceptance snapshot、high-value coverage snapshot、IwoooS posture projection snapshot、`apps/web/messages/zh-TW.json`、`apps/web/messages/en.json` 通過。
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。
|
||||
- `python3 scripts/security/source-control-owner-response-guard.py --root .` → `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。
|
||||
- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea` → `DOC_SECRET_SANITY_OK scanned_files=852`。
|
||||
- `pnpm --dir apps/web typecheck` 通過。
|
||||
- `NEXT_PUBLIC_API_URL=https://awoooi.wooo.work SENTRY_SUPPRESS_GLOBAL_ERROR_HANDLER_FILE_WARNING=1 pnpm --dir apps/web build` 通過,92/92 static pages generated。
|
||||
- local build artifact scan:`/iwooos` bundle 可見 `port_firewall_change_evidence_acceptance_candidate_count=14`、SSH / network `60%`、`runtime_execution_authorized=false`;raw owner namespace、外部 raw namespace、內部工作片語與本輪截圖抱怨文字均未命中。
|
||||
|
||||
**Gitea / CD**:
|
||||
- Code commit:`471054b8 fix(iwooos): 新增端口防火牆變更證據驗收`,已正常 push 到 `gitea/main`,無 force push。
|
||||
- Code Review:Gitea Actions run `2992` / `ai-code-review` Success。
|
||||
- CD:Gitea Actions run `2991`,`tests`、`build-and-deploy`、`post-deploy-checks` 全部 Success;deploy marker `67396d93 chore(cd): deploy 471054b [skip ci]`。
|
||||
|
||||
**Production 只讀驗證(deploy marker `67396d93`)**:
|
||||
- In-app browser desktop `1440x900`:`/zh-TW/iwooos?_v=471054b8-port-firewall-prod-desktop` 可見 port / firewall evidence acceptance marker、SSH / network `60%`、runtime gate `0` 與 `port_change_authorized=false`;`innerWidth=1440`、`scrollWidth=1434`、`horizontalOverflow=false`;raw owner namespace 與工作視窗片語均為 `false`。
|
||||
- In-app browser mobile `390x844`:`/zh-TW/iwooos?_v=471054b8-port-firewall-prod-mobile` 可見 port / firewall evidence acceptance marker、SSH / network `60%`、runtime gate `0` 與 `port_change_authorized=false`;`innerWidth=390`、`scrollWidth=384`、`horizontalOverflow=false`;raw owner namespace 與工作視窗片語均為 `false`。
|
||||
- In-app browser mobile `390x844`:`/zh-TW/awooop/tenants?_v=471054b8-port-firewall-tenants-mobile` 可見脫敏範圍代號與 redaction boundary;`innerWidth=390`、`scrollWidth=384`、`horizontalOverflow=false`;raw owner namespace 與工作視窗片語均為 `false`。
|
||||
|
||||
**完成度與邊界**:
|
||||
- Port / firewall change evidence acceptance artifact:`100%`。
|
||||
- SSH / network / firewall 只讀治理成熟度:`58% -> 60%`。
|
||||
- 高價值配置平均只讀成熟度:維持 `68%`。
|
||||
- IwoooS headline:維持 `64%`;active runtime gate:維持 `0`。
|
||||
- change evidence received / accepted、actor identified、before / after state accepted、cross-project sync accepted、maintenance window accepted、rollback owner accepted、postcheck evidence accepted 全部維持 `0 / false`。
|
||||
- 本輪沒有 SSH 修改主機、沒有開關端口、沒有 firewall / iptables / ufw 變更、沒有 Nginx reload、沒有 Docker restart、沒有 active scan、沒有 secret 明文收集、沒有 production 寫操作授權,也沒有把 AwoooP approval 當資安批准。
|
||||
|
||||
## 2026-06-15|Nginx Public Gateway rendered diff evidence acceptance 正式部署與 production 驗證完成
|
||||
|
||||
**背景**:使用者要求「所有重要配置都要被管控」,並特別指出 Nginx 常被亂變動。既有 Public Gateway live conf export request、redacted export intake、rendered diff gate draft 與 owner response acceptance 已完成,但仍缺少一層專門驗收 rendered diff、owner-provided `nginx -t` readback、route smoke evidence、TLS / ACME impact、maintenance window、rollback owner 與 post-check evidence 的只讀帳本。若缺少此層,未來很容易把 diff evidence 誤判成 `nginx -t`、reload 或 route change 授權。
|
||||
|
||||
Reference in New Issue
Block a user