docs(security): add Kali maintenance window draft [skip ci]

This commit is contained in:
Your Name
2026-06-04 19:56:23 +08:00
parent c046b9c81e
commit 291ff92534
8 changed files with 592 additions and 8 deletions

View File

@@ -1,3 +1,45 @@
## 2026-06-04IwoooS P1-7 Kali 112 Maintenance Window Draft
**背景**P1-5 rollback owner handoff 已推送;本段接續 P1-7針對 Kali `192.168.0.112` 已知缺口建立維護窗口草案。既有只讀證據顯示待更新套件 `1994``networking.service` failed、scanner service hardening `0 / 4`、reboot required `false`。本段只整理 owner / reviewer 可審的維護 handoff不登入主機、不更新、不重啟、不 restart、不套 hardening、不 active scan、不呼叫 `/execute`
**本輪完成**
- 新增 `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md`:整理 owner response 必填欄位、禁止輸入、四條維護 lane、維護前檢查、rollback 草案、post-check 與驗收規則。
- 新增 `docs/security/kali-112-maintenance-window-draft.snapshot.json`:固定 `pending_update_count=1994``failed_systemd_unit_count=1``service_hardening_enabled_count=0``service_hardening_expected_count=4`,並維持所有 host action flag 為 `false`
- 新增 `docs/schemas/kali_maintenance_window_draft_v1.schema.json`讓維護窗口草案、owner response handoff、rollback plan 與 post-check 有可驗契約。
- 更新 `KALI-INTEGRATION-STATUS.md``kali-integration-status.snapshot.json`:連到 P1-7 維護窗口草案,並把下一個 gate 改成先收 owner response / rollback owner / validation owner。
- 更新 `DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md`112 維護準備欄位連到 P1-7 草案。
- 更新 IwoooS P0/P1 主控總帳Kali 112 維護準備標記為 P1-7 maintenance window draft `100%`;維護執行仍未開始。
**完成度更新**
- P1-7 Kali 112 maintenance window draft`100%`
- Kali 112 維護執行:`0%`
- host update authorized`false`
- service restart authorized`false`
- hardening authorized`false`
- reboot authorized`false`
- active scan authorized`false`
- `/execute` authorized`false`
- active runtime gate`0`
- IwoooS headline維持 `64%`,不因文件草案假性調高。
**驗證**
- `python3 -m json.tool docs/security/kali-112-maintenance-window-draft.snapshot.json`:通過。
- `python3 -m json.tool docs/schemas/kali_maintenance_window_draft_v1.schema.json`:通過。
- `python3 -m json.tool docs/security/kali-integration-status.snapshot.json`:通過。
- 本段自訂結構檢查:`KALI_MAINTENANCE_WINDOW_DRAFT_STRUCTURE_OK`
- `git diff --check`:通過。
- `python3 scripts/security/source-control-owner-response-guard.py --root .``SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`
- `python3 scripts/security/security-mirror-progress-guard.py --root .``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- 新增 diff 行 credential pattern 檢查:`NO_ADDED_URL_CREDENTIAL_PATTERNS`
- Schema validator 限制:本地沒有 Python `jsonschema` 與 Node AJV未跑完整 JSON Schema validator本段以 JSON parse、自訂結構檢查與既有 guard 補位。
- Production 頁面檢查:本段只改 docs / snapshot / schema / LOGBOOK未改 IwoooS 前端與 production 文案,不宣稱新的 production 狀態;沿用 P0 `/zh-TW/iwooos` desktop / mobile live sanity 基準。
**目前邊界**
- 本草案完成不代表 maintenance window 已批准。
- owner response received / accepted 前,不得執行 `apt upgrade`、full-upgrade、autoremove、restart、hardening、reboot。
- active scan、credentialed scan 與 `/execute` 仍需獨立 approval gate不可包進維護窗口。
- 未來 post-check 失敗只能建立人工 follow-up不得自動補救。
## 2026-06-04IwoooS P1-5 Primary Rollback Owner Handoff
**背景**P1-4 已補 workflow / secret owner response handoff本段接著補 P1-5 / S4.4 GitHub primary rollback ADR 的 owner handoff。目標是讓 7 個 in-scope repo 能用同一個只讀封套回覆 rollback owner、fallback role、trigger、pre-cutover / 1h / 24h validation window 與 follow-up owner這不是 owner approval、不是 dry-run、不是 GitHub primary cutover也不是 rollback execution。
@@ -32,7 +74,7 @@
- `python3 scripts/security/security-mirror-progress-guard.py --root .``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- URL credential pattern 檢查:本段新增 diff 行無命中;檔案級掃描命中 LOGBOOK 歷史舊行的外洩檢查旗標,非本段新增 credential payload。
- Schema validator 限制:本地沒有 Python `jsonschema` 與 Node AJV未跑完整 JSON Schema validator本段以 JSON parse、自訂結構檢查與既有 guard 補位。
- Production 頁面檢查:本段 P1-5 主要是 docs / snapshot / schema / LOGBOOK另含 5 個 i18n 鏡像字串修正,未改 layout 或資料鏈路。正式站頁面檢查若後續 CD 部署,需補 `/zh-TW/awooop/runs` desktop / mobile smoke本段不宣稱新的 production 狀態,IwoooS `/zh-TW/iwooos` 沿用 P0 desktop / mobile live sanity 基準。
- Production 頁面檢查:`8a326338` 已由 deploy marker `c046b9c8 chore(cd): deploy 8a32633 [skip ci]` 上線Browser smoke `/zh-TW/awooop/runs?project_id=awoooi` desktop 1440x1100 與 mobile 390x844 皆載入 50 列、`horizontalOverflow=0`,繁中狀態 / fallback 文案 `需人工``執行失敗``已驗證``已執行``待判讀``狀態鏈批次回補中` 可見,英文殘留 `Needs human``Execution failed``Verified``Executed``Pending``Status chain batch is catching up``Wait for status-chain batch` 皆為 0。截圖`/tmp/awoooi-runs-i18n-desktop-20260604.png``/tmp/awoooi-runs-i18n-mobile-20260604.png`IwoooS `/zh-TW/iwooos` 沿用 P0 desktop / mobile live sanity 基準。
**目前邊界**
- P1-5 handoff 只代表 rollback owner request package 可交接,不代表 request 已送出、owner 已回覆或 owner 已批准。

View File

@@ -0,0 +1,193 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "urn:awoooi:kali-maintenance-window-draft-v1",
"title": "Kali 112 Maintenance Window Draft v1",
"description": "定義 Kali 192.168.0.112 維護窗口草案、owner 回覆欄位、rollback、post-check 與禁止動作。此契約不授權 apt upgrade、restart、hardening、reboot、active scan 或 /execute。",
"type": "object",
"required": [
"schema_version",
"status",
"date",
"mode",
"source_evidence_refs",
"summary",
"observed_gaps",
"owner_response_handoff",
"maintenance_window_draft",
"rollback_plan_draft",
"post_check_plan",
"acceptance_rules",
"forbidden_actions"
],
"properties": {
"schema_version": {
"const": "kali_maintenance_window_draft_v1"
},
"status": {
"type": "string",
"enum": ["draft_waiting_owner_review"]
},
"date": {
"type": "string"
},
"mode": {
"type": "string",
"enum": ["maintenance_window_draft_only"]
},
"source_evidence_refs": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"summary": {
"type": "object",
"required": [
"host",
"asset_key",
"pending_update_count",
"failed_systemd_unit_count",
"service_hardening_enabled_count",
"service_hardening_expected_count",
"reboot_required",
"maintenance_window_package_ready",
"maintenance_window_completion_percent",
"maintenance_window_approved",
"host_update_authorized",
"service_restart_authorized",
"hardening_authorized",
"reboot_authorized",
"active_scan_authorized",
"execute_endpoint_authorized"
],
"properties": {
"host": {"type": "string"},
"asset_key": {"type": "string"},
"pending_update_count": {"type": "integer", "minimum": 0},
"failed_systemd_unit_count": {"type": "integer", "minimum": 0},
"service_hardening_enabled_count": {"type": "integer", "minimum": 0},
"service_hardening_expected_count": {"type": "integer", "minimum": 0},
"reboot_required": {"type": "boolean"},
"maintenance_window_package_ready": {"type": "boolean"},
"maintenance_window_completion_percent": {"type": "integer", "minimum": 0, "maximum": 100},
"maintenance_window_approved": {"type": "boolean", "const": false},
"host_update_authorized": {"type": "boolean", "const": false},
"service_restart_authorized": {"type": "boolean", "const": false},
"hardening_authorized": {"type": "boolean", "const": false},
"reboot_authorized": {"type": "boolean", "const": false},
"active_scan_authorized": {"type": "boolean", "const": false},
"execute_endpoint_authorized": {"type": "boolean", "const": false}
},
"additionalProperties": false
},
"observed_gaps": {
"type": "array",
"items": {
"type": "object",
"required": ["gap_id", "current_evidence", "risk", "required_before_action"],
"properties": {
"gap_id": {"type": "string"},
"current_evidence": {"type": "string"},
"risk": {"type": "string", "enum": ["LOW", "MEDIUM", "HIGH"]},
"required_before_action": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
}
},
"additionalProperties": false
},
"minItems": 1
},
"owner_response_handoff": {
"type": "object",
"required": [
"status",
"request_dispatch_authorized",
"required_response_fields",
"forbidden_inputs",
"response_received",
"response_accepted"
],
"properties": {
"status": {"type": "string", "enum": ["ready_not_dispatched"]},
"request_dispatch_authorized": {"type": "boolean", "const": false},
"required_response_fields": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"forbidden_inputs": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"response_received": {"type": "boolean", "const": false},
"response_accepted": {"type": "boolean", "const": false}
},
"additionalProperties": false
},
"maintenance_window_draft": {
"type": "object",
"required": ["window_status", "candidate_window", "change_lanes", "pre_window_checks"],
"properties": {
"window_status": {"type": "string", "enum": ["waiting_owner_selection"]},
"candidate_window": {"type": "string"},
"change_lanes": {
"type": "array",
"items": {
"type": "object",
"required": ["lane_id", "description", "authorization_required", "current_authorized"],
"properties": {
"lane_id": {"type": "string"},
"description": {"type": "string"},
"authorization_required": {"type": "string"},
"current_authorized": {"type": "boolean", "const": false}
},
"additionalProperties": false
},
"minItems": 1
},
"pre_window_checks": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
}
},
"additionalProperties": false
},
"rollback_plan_draft": {
"type": "array",
"items": {
"type": "object",
"required": ["rollback_item", "required_evidence", "owner_status"],
"properties": {
"rollback_item": {"type": "string"},
"required_evidence": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"owner_status": {"type": "string", "enum": ["waiting_owner_assignment"]}
},
"additionalProperties": false
},
"minItems": 1
},
"post_check_plan": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"acceptance_rules": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
},
"forbidden_actions": {
"type": "array",
"items": {"type": "string"},
"minItems": 1
}
},
"additionalProperties": false
}

View File

@@ -36,7 +36,7 @@
| Host | scope | maintenance window | credential handling | rollback owner | validation 指標 |
|------|-------|--------------------|---------------------|----------------|-----------------|
| `192.168.0.112` | Kali scanner health、tool version、package posture、`networking.service`、service hardening readiness | 待人工指定目前不得更新、重啟、hardening 或 active scan | SSH key / token 狀態只可記錄 present / absent不得保存密碼、token value、private key | Security Supply Chain 指派後才可動作 | scanner health、node exporter、wg-easy、pending updates、failed services、reboot required、post-check screenshot / log ref |
| `192.168.0.112` | Kali scanner health、tool version、package posture、`networking.service`、service hardening readinessP1-7 草案見 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md` | 待人工指定目前不得更新、重啟、hardening 或 active scan | SSH key / token 狀態只可記錄 present / absent不得保存密碼、token value、private key | Security Supply Chain 指派後才可動作 | scanner health、node exporter、wg-easy、pending updates、failed services、reboot required、post-check screenshot / log ref |
| `192.168.0.111` | Ollama fallback、model inventory、host reachability、SSH policy posture、fallback readiness | 待人工指定;目前不得停止模型、重啟服務或改 fallback route | 不收模型 API key、SSH 密碼或 private key只保存脫敏 evidence ref | Dev Host Steward 指派後才可動作 | Ollama route truth、fallback availability、model list hash、service status、AI route smoke |
| `192.168.0.168` | local development origin、repo hygiene、dev-only CORS、local service exposure | 待人工指定;目前不得 credentialed scan 或讀取未授權目錄 | 不收個人憑證、不讀私有目錄、不保存 secrets value | Dev Host Steward 指派後才可動作 | repo secret scan summary、local service list summary、CORS origin review、rollback / disable note |

View File

@@ -0,0 +1,123 @@
# Kali 112 維護窗口草案
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-04 |
| 狀態 | 草案,等待 owner review |
| Host | `192.168.0.112` |
| Asset key | `host:kali-112` |
| Schema | `docs/schemas/kali_maintenance_window_draft_v1.schema.json` |
| Snapshot | `docs/security/kali-112-maintenance-window-draft.snapshot.json` |
| 上游證據 | `docs/security/KALI-INTEGRATION-STATUS.md``docs/security/kali-integration-status.snapshot.json` |
| 模式 | `maintenance_window_draft_only` |
| 執行面授權 | `false` |
## 0. 核心結論
P1-7 補的是 Kali `192.168.0.112` 的維護窗口草案,不是維護批准,也不是主機操作計畫。
目前只讀證據顯示:
| 證據 | 目前值 |
|------|--------|
| 待更新套件 | `1994` |
| failed systemd units | `1`,為 `networking.service` |
| scanner service hardening | `0 / 4` |
| reboot required | `false` |
| scanner API health | `127.0.0.1:8080/health``healthy` |
| Docker services | `node-exporter``wg-easy` 運作中 |
這些值代表「需要人工安排維護窗口與 rollback」不代表可以直接 `apt upgrade`、restart、套 hardening、reboot、active scan 或呼叫 `/execute`
## 1. 摘要
| 指標 | 值 |
|------|----|
| maintenance window package | `ready` |
| package completion | `100%` |
| maintenance window approved | `false` |
| host update authorized | `false` |
| service restart authorized | `false` |
| hardening authorized | `false` |
| reboot authorized | `false` |
| active scan authorized | `false` |
| `/execute` authorized | `false` |
| owner response received / accepted | `false / false` |
## 2. Owner Response Handoff
此 handoff 只讓 AwoooP 或 reviewer 請 owner 補維護窗口 metadata。它不是 request sent也不是 approval queue更不是可執行動作。
### 2.1 必填欄位
| 欄位 | 說明 |
|------|------|
| `owner_role_or_team` | 維護 owner 的角色或團隊 |
| `maintenance_window_start_end_taipei` | 台北時間維護窗口起訖;未填前不安排 |
| `change_scope` | 本次允許討論的範圍,例如 package planning、networking.service review、hardening dry-run design |
| `rollback_owner` | rollback / stop decision owner |
| `validation_owner` | 維護後健康檢查 owner |
| `communication_owner` | 對 AwoooP / Telegram / LOGBOOK / operator 同步的 owner |
| `reboot_decision` | 是否允許未來 reboot目前預設 `false` |
| `redacted_evidence_refs` | 只填文件、snapshot、ticket 或脫敏 metadata pointer |
| `followup_owner` | 補件、拒收或下一階段 owner |
### 2.2 禁止輸入
| 類型 | 規則 |
|------|------|
| credential | 不貼密碼、token value、API key value、private key 或 runner token |
| host command | 不貼 `apt upgrade`、restart、hardening apply、reboot 或 shell command |
| scan request | 不把 active scan、credentialed scan 或 `/execute` 包進維護窗口 |
| runtime action | 不新增 AwoooP action button不開 runtime blocking control |
## 3. 維護 Lane 草案
| Lane | 目的 | 目前授權 |
|------|------|----------|
| package update planning | 整理 full-upgrade / autoremove / reboot 前置條件 | `false` |
| networking.service review | 釐清 failed unit 是否 expected / legacy / real failure | `false` |
| scanner systemd hardening dry-run design | 設計 override 與工具相容檢查 | `false` |
| post-maintenance validation | 定義維護後 health / service / update / evidence readback | `false` |
## 4. 維護前檢查
1. owner response 已收到且 accepted。
2. package、service、hardening、reboot scope 不混在同一個未批准動作中。
3. 不保存任何 credential value。
4. rollback owner 與 validation owner 已指定。
5. out-of-band access 與停止條件已定義。
6. active scan、credentialed scan 與 `/execute` 仍未授權。
## 5. Rollback 草案
| 項目 | 需要證據 | owner 狀態 |
|------|----------|------------|
| package update rollback | pre-window package list snapshot、apt history / dpkg log redacted ref、rollback owner、reboot decision | waiting owner assignment |
| networking.service restart rollback | current network service model、out-of-band access、previous service state snapshot、rollback owner | waiting owner assignment |
| systemd hardening override rollback | override file path、scanner tool compatibility result、scanner health before / after refs、rollback owner | waiting owner assignment |
## 6. 維護後 Post-check
1. scanner API `/health` 回 healthy。
2. `kali-scanner.service` active / enabled。
3. `node-exporter` container up。
4. `wg-easy` container healthy。
5. failed systemd units 已 review。
6. pending update count 已記錄。
7. reboot required flag 已記錄。
8. service hardening state 已記錄。
9. AwoooP / IwoooS evidence refs 已更新。
10. 沒有 active scan 或 `/execute`,除非另有獨立批准。
## 7. 驗收規則
1. 本草案完成不代表 maintenance window 已批准。
2. owner response received / accepted 前,不得執行 `apt upgrade`、restart、hardening 或 reboot。
3. active scan、credentialed scan 或 `/execute` 必須走獨立 approval gate不可包進維護窗口。
4. 所有 evidence refs 必須脫敏,不保存 credential value。
5. 維護後若任何 post-check 失敗,只能建立人工 follow-up不得自動補救。
## 8. 階段定位
P1-7 只把 Kali 112 的維護準備從「缺口已知」推到「owner / reviewer 可照表審維護窗口」。它不改變主機、不開 runtime gate、不啟動掃描也不提高 IwoooS headline 64%。

View File

@@ -9,6 +9,7 @@
| 模式 | `observe_only` |
| Snapshot | `docs/security/kali-integration-status.snapshot.json` |
| Schema | `docs/schemas/kali_integration_status_v1.schema.json` |
| Maintenance window draft | `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md` |
## 0. 核心結論
@@ -48,6 +49,12 @@ Kali 主機不是只有文件預留;`192.168.0.112` 目前已經有 live runti
結論Kali `192.168.0.112` 今天仍可被 IwoooS 以只讀方式納入證據鏈scanner runtime 健康也有實機證據;但 `networking.service` failed、`upgradable_package_count=1994` 與服務硬化缺口代表後續仍需要維護窗口、rollback / reboot gate、hardening dry-run 與人工批准,不能直接把「可連線」解讀為主機更新、掃描或調校已完成。
## 0.1.1 2026-06-04 P1-7 維護窗口草案
已新增 `docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md``docs/security/kali-112-maintenance-window-draft.snapshot.json`,把 1994 個待更新套件、`networking.service` failed、scanner service hardening `0 / 4`、rollback owner、post-check owner 與維護後驗證指標整理成 owner / reviewer 可審的 handoff package。
這是 maintenance window readiness不是 maintenance approval。`host_update_authorized=false``service_restart_authorized=false``hardening_authorized=false``reboot_authorized=false``active_scan_authorized=false``execute_endpoint_authorized=false` 全部維持不變。
## 0.2 2026-05-31 只讀實機快照
本輪用既有 SSH key 完成 read-only 連線檢查,沒有輸入或保存密碼,沒有啟動 scan、沒有呼叫 `/execute`、沒有執行 package update、沒有調整設定、沒有重啟。
@@ -163,4 +170,4 @@ AwoooP 現階段只能 mirror `kali_integration_status_v1`
2. 未來批准後,再建立 `security_finding_v1` ingestion endpoint 或 adapter先只接 redacted finding。
3.`/execute` endpoint 降級為預設停用或單獨 high-risk approval path。
4. 修正 Harbor image scan 的 target / project / auth / certificate chain。
5. 排 Kali rolling full-upgrade 維護窗口;先 snapshot再 upgrade最後 reboot 健康複驗。
5. `KALI-112-MAINTENANCE-WINDOW-DRAFT.md` 收 owner response、rollback owner、validation owner 與維護窗口;未驗收前不做 full-upgrade、restart、hardening、autoremove、reboot 健康複驗。

View File

@@ -0,0 +1,217 @@
{
"schema_version": "kali_maintenance_window_draft_v1",
"status": "draft_waiting_owner_review",
"date": "2026-06-04",
"mode": "maintenance_window_draft_only",
"source_evidence_refs": [
"docs/security/KALI-INTEGRATION-STATUS.md",
"docs/security/kali-integration-status.snapshot.json",
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md",
"docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md",
"docs/workplans/2026-06-04-iwooos-security-governance-p0.md"
],
"summary": {
"host": "192.168.0.112",
"asset_key": "host:kali-112",
"pending_update_count": 1994,
"failed_systemd_unit_count": 1,
"service_hardening_enabled_count": 0,
"service_hardening_expected_count": 4,
"reboot_required": false,
"maintenance_window_package_ready": true,
"maintenance_window_completion_percent": 100,
"maintenance_window_approved": false,
"host_update_authorized": false,
"service_restart_authorized": false,
"hardening_authorized": false,
"reboot_authorized": false,
"active_scan_authorized": false,
"execute_endpoint_authorized": false
},
"observed_gaps": [
{
"gap_id": "pending-updates-1994",
"current_evidence": "2026-06-04 只讀快照顯示 upgradable_package_count=1994。",
"risk": "MEDIUM",
"required_before_action": [
"maintenance window owner response",
"package change scope",
"rollback owner",
"post-check owner",
"reboot decision"
]
},
{
"gap_id": "networking-service-failed",
"current_evidence": "2026-06-04 只讀快照顯示 failed_systemd_unit_names=[networking.service]。",
"risk": "MEDIUM",
"required_before_action": [
"service owner confirmation",
"expected network manager / interface model",
"restart impact review",
"rollback path",
"out-of-band access confirmation"
]
},
{
"gap_id": "scanner-service-hardening-0-of-4",
"current_evidence": "2026-06-04 只讀快照顯示 NoNewPrivileges、PrivateTmp、ProtectSystem、ProtectHome 尚未啟用。",
"risk": "MEDIUM",
"required_before_action": [
"dry-run hardening design",
"scanner tool compatibility review",
"override rollback file plan",
"health check plan",
"manual approval"
]
},
{
"gap_id": "execute-endpoint-present",
"current_evidence": "Kali Scanner API 文件化存在 /execute path仍是 block candidate。",
"risk": "HIGH",
"required_before_action": [
"separate high-risk approval",
"allowlist / disable gate design",
"audit event design",
"runtime gate",
"manual exception record"
]
}
],
"owner_response_handoff": {
"status": "ready_not_dispatched",
"request_dispatch_authorized": false,
"required_response_fields": [
"owner_role_or_team",
"maintenance_window_start_end_taipei",
"change_scope",
"rollback_owner",
"validation_owner",
"communication_owner",
"reboot_decision",
"redacted_evidence_refs",
"followup_owner"
],
"forbidden_inputs": [
"password value",
"token value",
"private key",
"API key value",
"runner token",
"raw secret",
"command to execute",
"apt upgrade request",
"service restart request",
"hardening apply request",
"active scan request",
"execute endpoint request"
],
"response_received": false,
"response_accepted": false
},
"maintenance_window_draft": {
"window_status": "waiting_owner_selection",
"candidate_window": "建議由 owner 指定台北時間低流量 2 小時窗口;本草案不自動指定日期或開始維護。",
"change_lanes": [
{
"lane_id": "package-update-planning",
"description": "整理 full-upgrade / autoremove / reboot 的人工批准前檢查,不執行 apt upgrade。",
"authorization_required": "kali-full-upgrade-reboot approval + rollback owner + post-check owner",
"current_authorized": false
},
{
"lane_id": "networking-service-review",
"description": "釐清 networking.service failed 是否為 expected / legacy / real failure不直接 restart。",
"authorization_required": "service owner decision + out-of-band access + rollback path",
"current_authorized": false
},
{
"lane_id": "scanner-systemd-hardening-dry-run-design",
"description": "設計 kali-scanner.service hardening override 的 dry-run / compatibility review不套用 hardening。",
"authorization_required": "scanner owner decision + health compatibility review + rollback file plan",
"current_authorized": false
},
{
"lane_id": "post-maintenance-validation",
"description": "定義維護後 scanner health、Docker service、failed units、pending updates、reboot required 與 AwoooP / IwoooS evidence readback。",
"authorization_required": "validation owner + evidence refs + reviewer acceptance",
"current_authorized": false
}
],
"pre_window_checks": [
"確認 maintenance window owner response 已收到且 accepted。",
"確認 package / service / hardening / reboot scope 沒有混在同一個未批准動作中。",
"確認不保存任何 credential value。",
"確認 rollback owner 與 validation owner 已指定。",
"確認 out-of-band access 與停止條件已定義。",
"確認 active scan、credentialed scan 與 /execute 仍未授權。"
]
},
"rollback_plan_draft": [
{
"rollback_item": "package update rollback",
"required_evidence": [
"pre-window package list snapshot ref",
"apt history / dpkg log redacted ref",
"rollback owner",
"reboot decision"
],
"owner_status": "waiting_owner_assignment"
},
{
"rollback_item": "networking.service restart rollback",
"required_evidence": [
"current network service model",
"out-of-band access confirmation",
"previous service state snapshot ref",
"rollback owner"
],
"owner_status": "waiting_owner_assignment"
},
{
"rollback_item": "systemd hardening override rollback",
"required_evidence": [
"override file path",
"scanner tool compatibility result",
"scanner health before / after refs",
"rollback owner"
],
"owner_status": "waiting_owner_assignment"
}
],
"post_check_plan": [
"scanner API /health returns healthy",
"kali-scanner.service active / enabled",
"node-exporter container up",
"wg-easy container healthy",
"failed systemd units reviewed",
"pending update count recorded",
"reboot required flag recorded",
"service hardening state recorded",
"AwoooP / IwoooS evidence refs updated",
"no active scan or /execute call occurred during maintenance unless separately approved"
],
"acceptance_rules": [
"本草案完成不代表 maintenance window 已批准。",
"maintenance owner response received / accepted 前,不得執行 apt upgrade、restart、hardening 或 reboot。",
"任何 active scan、credentialed scan 或 /execute 都必須走獨立 approval gate不可包進維護窗口。",
"所有 evidence refs 必須脫敏,不保存 credential value。",
"維護後若任何 post-check 失敗,只能建立人工 follow-up不得自動補救。"
],
"forbidden_actions": [
"apt_upgrade",
"apt_full_upgrade",
"apt_autoremove",
"restart_networking_service",
"apply_systemd_hardening",
"reboot_host",
"active_scan",
"credentialed_scan",
"call_execute_endpoint",
"store_credential_value",
"change_firewall",
"change_networkpolicy",
"change_rbac",
"enable_runtime_blocking_control"
]
}

View File

@@ -150,7 +150,7 @@
"未來批准後建立 Kali scan result ingestion adapter先只接收 redacted findings",
"把 /execute endpoint 改成預設停用或單獨 high-risk approval path",
"把 Harbor scan failure 轉成 security finding / ops finding不直接自動修復",
"安排 Kali rolling full-upgrade 維護窗口與 reboot gate"
"依 docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md 收 owner response、rollback owner、validation owner 與維護窗口;未驗收前不做 full-upgrade、restart、hardening、autoremove、reboot 或健康複驗"
],
"still_forbidden": [
"run_active_scan_without_scope_approval",

View File

@@ -9,7 +9,7 @@
| 工作視窗 | IwoooS / AWOOOI 資安治理 P0 |
| 本次乾淨 worktree | `/private/tmp/awoooi-iwooos-governance-p0-20260604` |
| 本次分支 | `codex/iwooos-governance-p0-20260604` |
| 最新觀察到的 `gitea/main` | `8ad8bf48 fix(web): keep run status readable without chain batch` |
| 最新觀察到的 `gitea/main` | `c046b9c8 chore(cd): deploy 8a32633 [skip ci]` |
| 前一個正式 IwoooS 候選基準 | code `7b8fc093`、deploy marker `45c63488`、LOGBOOK `02cadee6` |
| 最新導航 IA 基準 | code `973fc7a4`、LOGBOOK `2555c811`、deploy marker `0260ec89` |
| 禁止事項 | 不 force push、不 destructive git、不 SSH 修改主機、不 active scan、不收 secrets 明文、不把 AwoooP approval 當資安批准、不把 UI 可見當 runtime 授權 |
@@ -24,7 +24,7 @@
| active runtime gate | 0 | 否 | 必須維持 0直到獨立人工批准、rollback、post-check 與 guard 成立 |
| S4.9 owner response gate | 0% | 可在收到合格回覆後調整 | 目前只定義欄位、預檢、收件與驗收,不標記 received / accepted |
| GitHub primary readiness | 0 | 否 | primary gate 仍為 0P1 只讀重盤工作本身目前約 70%,不代表可切 primary |
| Kali 112 維護準備 | 只讀證據已納管,維護尚未開始 | 否 | 不更新套件、不重啟、不 hardening、不 active scan |
| Kali 112 維護準備 | P1-7 maintenance window draft `100%`維護尚未開始 | 否 | 不更新套件、不重啟、不 hardening、不 active scan |
| 111 / 168 開發主機納管 | observe-only mapping 已有,維護包需補強 | 可補文件,不調 runtime | 仍不 credentialed scan、不讀未授權資料、不自動修復 |
| VibeWork 納入 IwoooS | 前端態勢已有 onboarding 欄位,產品邊界需補規範 | 可補文件 | 保留 VibeWork 獨立產品邊界 |
@@ -129,7 +129,7 @@ S4.9 是目前 IwoooS 64% 能往前的第一優先 gate。驗收前所有 count
| 優先 | 工作 | 細項 | 驗證 |
|------|------|------|------|
| P1 | GitHub primary readiness 只讀重盤 | repo visibility、refs、tags、workflow、secret name、runner、rollback ADR | 只讀 inventory不建立 repo、不同步 refs |
| P1 | Kali 112 維護窗口草案 | 1994 pending updates、`networking.service` failed、服務硬化 0/4、rollback、post-check | 文件與人工批准;不 `apt upgrade`、不 restart |
| P1 | Kali 112 維護窗口草案 | 1994 pending updates、`networking.service` failed、服務硬化 0/4、rollback、post-check | P1-7 草案已完成;不 `apt upgrade`、不 restart |
| P1 | 111 / 168 主機 scope 補強 | scope、maintenance window、credential handling、rollback owner、validation 指標 | observe-only不 credentialed scan |
| P1 | VibeWork 納入 IwoooS | repo、product、surface、owner、evidence refs、獨立產品邊界 | 繁中 docs/specs不合併產品責任 |
| P1 | Code Review 候選分類 | 前端體驗、測試補洞、文件同步、低風險重構;人工批准後才 Codex | 候選不自動改 code、不自動 deploy |
@@ -186,7 +186,7 @@ P1 只讀重盤階段整體完成度:`70%`。它代表 freshness / inventory /
| P1-4 | Workflow / runner / secret parity evidence | 已補 2026-06-04 owner response handoff packagewebhook、runner owner、deploy key、branch protection、CODEOWNERS、secret name parity 只收 redacted metadata | secret value、hash、masked token、partial token 仍拒收received / accepted 前全部 0 |
| P1-5 | Primary rollback ADR 補強 | 已補 2026-06-04 rollback owner handoff package逐 repo rollback owner、trigger、validation window、fallback role 進入可交接模板 | ADR approved 前不切 primaryreceived / accepted / approved 仍 0 |
| P1-6 | AwoooP Session 同步 | 同步 commits、runs、production sanity、P1 refresh counts、gate 0 / false | 另一 Session 不再使用舊 refs count |
| P1-7 | Kali 112 maintenance window 草案 | packages、`networking.service` failed、hardening 0/4、rollback、post-check | 文件草案,不執行 `apt upgrade` / restart / scan |
| P1-7 | Kali 112 maintenance window 草案 | 已補 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md`、snapshot 與 schemapackages、`networking.service` failed、hardening 0/4、rollback、post-check 已進 owner handoff | 文件草案,不執行 `apt upgrade` / restart / hardening / scan |
| P1-8 | 111 / 168 開發主機 scope | scope、credential handling、rollback owner、validation 指標 | observe-only不做 credentialed scan |
| P1-9 | VibeWork 納入 IwoooS | repo / product / surface / owner / evidence refs / 獨立產品邊界 | docs/specs 繁中,產品責任不合併 |
@@ -216,6 +216,8 @@ P1 只讀重盤階段整體完成度:`70%`。它代表 freshness / inventory /
| P1-4 JSON parse / structure check | `source-control-workflow-secret-name-owner-response.snapshot.json` 與 schema JSON parse 通過;本段自訂結構檢查 `WORKFLOW_SECRET_OWNER_HANDOFF_STRUCTURE_OK`;本地無 `jsonschema` / AJV未跑完整 schema validator |
| P1-5 Primary rollback owner handoff | S4.4 日期更新為 2026-06-04補 6 項 rollback owner handoff preflight、11 欄 handoff packet、7 個 repo owner response templates 與送後不變條件received / accepted / rejected、owner approved、dry-run、active cutover 仍 0 |
| P1-5 JSON parse / structure check | `source-control-primary-rollback-adr.snapshot.json` 與 schema JSON parse 通過;本段自訂結構檢查 `PRIMARY_ROLLBACK_OWNER_HANDOFF_STRUCTURE_OK`;本地無 `jsonschema` / AJV 時以 JSON parse、自訂結構檢查與既有 guard 補位 |
| AwoooP Runs i18n production smoke | deploy marker `c046b9c8` 已上線 `8a326338`desktop 1440x1100 / mobile 390x844 皆載入 50 列、`horizontalOverflow=0`;繁中狀態與 fallback 文案可見,英文殘留 0 | 截圖 `/tmp/awoooi-runs-i18n-desktop-20260604.png``/tmp/awoooi-runs-i18n-mobile-20260604.png` |
| P1-7 Kali 112 maintenance window draft | 新增 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md``kali-112-maintenance-window-draft.snapshot.json``kali_maintenance_window_draft_v1.schema.json`1994 pending updates、`networking.service` failed、hardening `0 / 4`、rollback owner、post-check owner 已整理成 handoff | `host_update_authorized=false``service_restart_authorized=false``hardening_authorized=false``reboot_authorized=false``active_scan_authorized=false``execute_endpoint_authorized=false` |
| P1 JSON parse | `gitea-github-awoooi-inventory``github-target-probe``source-control-primary-readiness-gate``source-control-workflow-secret-name-local-evidence`、Gitea repo / search / org blocked snapshots 皆通過 |
| P1 production 頁面檢查 | 本輪未改前端、未改 production 文案、未新增 deploy不宣稱新的 production 狀態,沿用 P0 live sanity 作為基準 |