From 52272a942ddcc3273d67003abcdd9e294ec4f948 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 18 Jun 2026 09:38:43 +0800 Subject: [PATCH] =?UTF-8?q?docs(iwooos):=20=E8=A8=98=E9=8C=84=20backup=20r?= =?UTF-8?q?estore=20=E5=9B=9E=E8=AE=80=E6=AD=A3=E5=BC=8F=E9=A9=97=E8=AD=89?= =?UTF-8?q?=20[skip=20ci]?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/LOGBOOK.md | 17 ++++++++++++++++- docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md | 4 ++-- ...26-04-15-MASTER-ai-autonomous-flywheel-v2.md | 4 ++-- .../2026-06-04-iwooos-security-governance-p0.md | 6 +++--- 4 files changed, 23 insertions(+), 8 deletions(-) diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 33cd744d2..ccbc6c3bb 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -33,7 +33,7 @@ **邊界**:本段不送 Telegram、不寫 Gateway queue、不呼叫 Bot API、不寫讀報回執、不啟動排程、不啟動 AI analysis runtime、不啟動中低風險自動處理、不讀 secret、不新增批准或發送按鈕;不得把 dry-run rehearsal 解讀成 runtime gate 已開啟。 -## 2026-06-18|Backup / Restore / Escrow 事故後回讀 Gate 本地收斂 +## 2026-06-18|Backup / Restore / Escrow 事故後回讀 Gate 本地收斂與正式站驗證 **背景**:Backup / Restore / Escrow 不能只看「最新備份成功」、route `200`、dashboard up、alert quiet、textfile present 或 UI 可見。前一階段已把 owner response acceptance 補到 restore recovery / freshness / remote delete / retention / credential recovery / no-false-green,但仍缺事故後「誰動、何時動、改前改後 freshness、restore/offsite/escrow/retention 狀態、rollback、post-change monitoring 與防再發」的回讀欄位。 @@ -48,6 +48,21 @@ - post-incident readback received / accepted、backup status readback accepted、restore drill accepted、offsite sync accepted、credential escrow non-secret proof accepted、retention runway accepted、backup health no-false-green accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、secret collection、host write、production write、runtime gate 與 action button 全部仍為 `0 / false`。 - 本階段未 SSH、未讀 live backup store、未跑 backup / restore / offsite sync、未 remote delete、未 restic prune、未寫 escrow marker、未改 retention、未跑 Velero、未 kubectl、未收 secret 明文、未 force push。 +**Gitea / Production 驗證**: +- Code commit:`1b9d44cf feat(iwooos): 新增備份復原事故回讀 gate`。 +- Deploy marker:`f5be4cb8 chore(cd): deploy 1b9d44c [skip ci]`。 +- Gitea Actions:code-review run `3084` 成功;CD run `3083` 成功,`tests` / `build-and-deploy` / `post-deploy-checks` 皆成功;post-deploy E2E smoke `5 passed`。 +- 平行 Wazuh / 主機入侵接入後續部署 marker:`7cb3fd32 chore(cd): deploy ac9ee65 [skip ci]`;CD run `3085` 成功,曾在 deploy 中觀察 transient ArgoCD `Progressing` rollout risk,但 rollout、API health、post-deploy smoke 皆成功。 +- Production health:`https://awoooi.wooo.work/api/v1/health` 回 `healthy`、`environment=prod`、`mock_mode=false`;postgres、redis、openclaw、signoz、ollama route、ollama_gcp_a、ollama_gcp_b、ollama_local 均為 up。 +- Production HTML readback:`/zh-TW/iwooos?_v=7cb3fd32-backup-restore-readback-prod` 回 200,`backup_restore_post_incident_readback_plan_candidate_count=38`、`backup_restore_post_incident_readback_plan_blocked_action_count=51`、`backup_restore_credential_coverage_percent=66`、`backup_restore_post_incident_readback_plan_runtime_gate_count=0` 全部命中;敏感 / 內部協作片語命中 `0`。 +- Browser smoke:desktop `1440x1100` 與 mobile `390x844` 皆 missing marker `0`、console error `0`、forbidden hit `0`、page horizontal overflow `false`;以 `window.innerWidth` 重測 overflowing element `0`。 + +**完成度同步**: +- Backup / Restore / Escrow post-incident readback plan:repo artifact / guard / 前台 marker `100%`,production deploy / marker readback `100%`。 +- Backup / Restore / Escrow 只讀治理成熟度:`64% -> 66%`。 +- 高價值配置平均成熟度:因後續 Wazuh 接入目前為 `72%`;IwoooS headline 仍維持 `64%`;active runtime gate 仍維持 `0`。 +- 不能把 CD success、deploy marker、route `200`、UI 可見、smoke pass 或 AwoooP approval 解讀成 backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、secret collection、host write、production write 或 runtime 授權。 + ## 2026-06-18|IwoooS Wazuh / 主機入侵 Readback 接入與本地驗證 **背景**:110 / 188 主機入侵與外部 Agent 高風險修復宣稱暴露 IwoooS 的重大缺口:既有資安工作偏向只讀治理、owner gate、前台可視化與低摩擦流程,無法把 Wazuh 事件、主機鑑識、runner / gateway / secret 連動與 containment / recovery proof 變成可驗收的 source-of-truth。Wazuh 已建置完成,但 IwoooS 不得把「平台存在」、「route 200」、「dashboard up」、「CD success」、「UI 可見」或外部 Agent 口頭宣稱誤判成木馬已清除、RCE 已修補、主機已乾淨或 active response 已授權。 diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 69e349941..ef03b6ad2 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -3,7 +3,7 @@ | 項目 | 內容 | |------|------| | 日期 | 2026-06-18 | -| 狀態 | IwoooS 64% 只讀治理推進中;高價值配置集中 guard、Package / Docker 供應鏈 repo-only baseline 與 Package / Docker 供應鏈 owner policy gate 已完成;Frontend public sensitive surface guard、Backup / Restore / Escrow owner response acceptance backfill、Monitoring / Alerting / Observability no-false-green owner response acceptance、Host Service change evidence acceptance、Host Service post-incident readback plan、AI provider / model routing owner response acceptance、CD / Runner / Secret 注入變更證據驗收、CD / Runner / Secret 注入事故後回讀計畫、Public / Admin / API runtime config 變更證據驗收、K8s / ArgoCD post-incident readback plan、Monitoring / Alerting / Observability post-incident readback plan 與 Public Gateway / Nginx post-incident readback plan 已本地完成;端口 / 防火牆變更證據驗收、主機服務事故回補與 K8s / ArgoCD GitOps 變更證據驗收已正式部署驗證;S4.9 owner response gate 仍是第一優先 | +| 狀態 | IwoooS 64% 只讀治理推進中;高價值配置集中 guard、Package / Docker 供應鏈 repo-only baseline 與 Package / Docker 供應鏈 owner policy gate 已完成;Frontend public sensitive surface guard、Backup / Restore / Escrow owner response acceptance backfill、Backup / Restore / Escrow post-incident readback plan production verification、Monitoring / Alerting / Observability no-false-green owner response acceptance、Host Service change evidence acceptance、Host Service post-incident readback plan、AI provider / model routing owner response acceptance、CD / Runner / Secret 注入變更證據驗收、CD / Runner / Secret 注入事故後回讀計畫、Public / Admin / API runtime config 變更證據驗收、K8s / ArgoCD post-incident readback plan、Monitoring / Alerting / Observability post-incident readback plan 與 Public Gateway / Nginx post-incident readback plan 已完成;端口 / 防火牆變更證據驗收、主機服務事故回補與 K8s / ArgoCD GitOps 變更證據驗收已正式部署驗證;S4.9 owner response gate 仍是第一優先 | | 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 | | 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP 執行監控 IwoooS 執行狀態只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub 主要來源就緒度只讀狀態板 + AwoooP 工作鏈路 GitHub 主要來源就緒度只讀工作項 + AwoooP 合約儀表板 GitHub 主要來源就緒度合約只讀候選 + AwoooP 審批佇列 GitHub 主要來源就緒度審批邊界 + AwoooP 首頁 GitHub 主要來源就緒度只讀摘要 + AwoooP 租戶管理 GitHub 主要來源就緒度租戶範圍 + AwoooP 執行監控 GitHub 主要來源就緒度執行邊界 + IwoooS / AwoooP 資安可視區塊繁體中文呈現防護檢查 + AwoooP 執行詳情 / 審批詳情繁體中文呈現防護檢查 + AwoooP 首頁負責人回覆驗收總覽 + AwoooP 工作鏈路負責人回覆驗收只讀工作項 + AwoooP 合約儀表板負責人回覆驗收契約只讀候選 + AwoooP 審批佇列負責人回覆驗收只讀審查邊界 + AwoooP 租戶管理負責人回覆驗收租戶範圍 + AwoooP 執行監控負責人回覆驗收執行邊界 + AwoooP 執行詳情負責人回覆驗收詳情邊界 + AwoooP 審批決策負責人回覆驗收審批邊界 + IwoooS AwoooP 資安入口覆蓋狀態板 + IwoooS 階段式資安收斂節奏圖 + IwoooS 下一步人工收件作戰板 + IwoooS 人工回覆安全驗收閘道 + IwoooS 人工回覆審查結果分流 + IwoooS 人工決策準備佇列 + IwoooS 人工決策紀錄草稿防誤用 + IwoooS 人工決策正式紀錄負責人指派確認準備包 + IwoooS 人工決策正式紀錄負責人指派確認清單 + IwoooS 人工決策正式紀錄負責人指派確認結果分流 + IwoooS 人工決策正式紀錄負責人指派決策準備包 + IwoooS 人工決策正式紀錄負責人指派決策檢查清單 + IwoooS S4.9 負責人回覆封套欄位 + IwoooS S4.9 負責人回覆封套送件前檢查 + IwoooS S4.9 負責人回覆封套送件前結果分流 + IwoooS S4.9 負責人回覆送件請求草稿 + IwoooS S4.9 負責人回覆送件鏈路摘要 + IwoooS 低摩擦分階段收斂主控 + IwoooS 低摩擦下一步行動邊界 + IwoooS 64% 進度移動訊號驗收條 + IwoooS 第一個進度解鎖路徑 + IwoooS 第一解鎖證據包 + IwoooS 第一解鎖證據包預檢分流 + IwoooS 第一解鎖證據包補件路徑 + IwoooS 第一解鎖證據包補件送審前檢查 + IwoooS 第一解鎖證據包補件送審結果分流 + IwoooS 第一解鎖證據包 reviewer 指派準備包 + IwoooS 第一解鎖證據包 reviewer 指派前檢查 + IwoooS 第一解鎖證據包 reviewer 指派前檢查結果分流 + IwoooS 正式只讀 landing 與 Kali 112 只讀證據進度重估 | | 本階段追加補充 | IwoooS 目前具體工作地圖 + IwoooS 目前具體交付清單 + IwoooS 目前阻塞與解除條件 + IwoooS 三軸進度與全產品套用範圍 + IwoooS 全產品分階段套用台帳 + IwoooS 全產品 rollout 波次驗收門檻 + IwoooS 全產品 rollout 驗收結果分流 + IwoooS 全產品證據接線地圖 + IwoooS 全產品證據接線預檢 + IwoooS 全產品證據接線預檢結果分流 + IwoooS 全產品預檢補件回收台帳 + IwoooS 全產品補件重試門檻 + IwoooS 全產品重試結果分流 + IwoooS 全產品人工審查候選準備 + IwoooS 全產品人工審查候選預檢 + IwoooS 全產品人工審查候選預檢結果分流 + IwoooS 全產品人工審查候選預檢補件回收台帳 + IwoooS 全產品人工審查候選預檢補件重試門檻 + IwoooS 全產品只讀套用快照 + P2-145 owner response acceptance gate 正式驗證完成 | @@ -504,7 +504,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | SSH / Firewall / Network Access Owner Request Draft | 本地完成 | `ssh-network-owner-request-draft.snapshot.json` 已固定 `request_draft_count=16`、`write_capable_request_draft_count=6`、`live_evidence_required_request_count=16`、`request_field_count=23`、`required_owner_field_count=13`、`blocked_action_count=16`、`request_sent_count=0`、`owner_response_received_count=0`、`runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 request ids、blocked actions 與 false flags | 這是 SSH target、known_hosts、CI deploy SSH、monitoring SSH、backup SSH、sudoers、NetworkPolicy、NodePort、WireGuard 與 alert SSH action 的人工送件前 request draft,不是 request sent、owner response received / accepted、live host read、host keyscan、known_hosts patch、firewall / port change、NetworkPolicy apply、NodePort change、WireGuard change、secret collection、host write、production write 或 runtime gate;不需要 production browser smoke | | Backup / Restore / Escrow Owner Request Draft | 本地完成 | `backup-restore-owner-request-draft.snapshot.json` 已固定 `request_draft_count=38`、`write_capable_request_draft_count=27`、`live_evidence_required_request_count=38`、`request_field_count=24`、`required_owner_field_count=14`、`blocked_action_count=18`、`request_sent_count=0`、`owner_response_received_count=0`、`runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 request ids、blocked actions 與 false flags | 這是 backup、restore、offsite、credential escrow、retention、Velero、alert / health 與 DR runbook 的人工送件前 request draft,不是 request sent、owner response received / accepted、live backup evidence、backup run、restore run、offsite sync、remote delete、escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、secret collection、host write、production write 或 runtime gate;不需要 production browser smoke | | Backup / Restore / Escrow Owner Response Acceptance | 本地完成 | `backup-restore-owner-response-acceptance.snapshot.json` 已固定 `acceptance_candidate_count=38`、`write_capable_acceptance_candidate_count=27`、`live_evidence_required_candidate_count=38`、`acceptance_field_count=33`、`required_owner_field_count=23`、`reviewer_check_count=22`、`outcome_lane_count=9`、`blocked_action_count=31`、`owner_response_received_count=0`、`owner_response_accepted_count=0`、`runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 candidate ids、reviewer checks、outcome lanes、blocked actions 與 false flags | 這是 backup、restore、offsite、credential escrow、retention、Velero、alert / health、freshness SLO、隔離還原目標、遠端刪除保護、保留期 runway、金庫非明文復原證明與 DR runbook 的 owner response 收件驗收帳本,不是 owner response received / accepted、live backup evidence、backup run、restore run、offsite sync、remote delete、escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、secret collection、host write、production write 或 runtime gate;前端數字會隨本輪 commit / deploy 另行 smoke | -| Backup / Restore / Escrow Post-incident Readback Plan | 本地完成 | `backup-restore-post-incident-readback-plan.snapshot.json` 已固定 `readback_candidate_count=38`、`write_capable_readback_candidate_count=27`、`live_evidence_required_readback_candidate_count=38`、`restore_drill_readback_required_candidate_count=38`、`offsite_or_escrow_readback_required_candidate_count=20`、`retention_or_remote_delete_readback_required_candidate_count=17`、`required_readback_field_count=34`、`reviewer_check_count=32`、`outcome_lane_count=11`、`blocked_action_count=51`、`post_incident_readback_received_count=0`、`post_incident_readback_accepted_count=0`、`runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 readback ids、reviewer checks、outcome lanes、blocked actions 與 false flags | 這是 backup / restore / escrow / retention 事故後回讀計畫,不是 owner response received / accepted、backup status accepted、restore drill accepted、offsite sync accepted、credential escrow proof accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、kubectl、SSH、secret collection、host write、production write 或 runtime gate;前端數字會隨本輪 commit / deploy 另行 smoke | +| Backup / Restore / Escrow Post-incident Readback Plan | 正式站驗證完成 | `backup-restore-post-incident-readback-plan.snapshot.json` 已固定 `readback_candidate_count=38`、`write_capable_readback_candidate_count=27`、`live_evidence_required_readback_candidate_count=38`、`restore_drill_readback_required_candidate_count=38`、`offsite_or_escrow_readback_required_candidate_count=20`、`retention_or_remote_delete_readback_required_candidate_count=17`、`required_readback_field_count=34`、`reviewer_check_count=32`、`outcome_lane_count=11`、`blocked_action_count=51`、`post_incident_readback_received_count=0`、`post_incident_readback_accepted_count=0`、`runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 readback ids、reviewer checks、outcome lanes、blocked actions 與 false flags;code `1b9d44cf`、deploy marker `f5be4cb8`、code-review `3084`、CD `3083` 成功,後續 `7cb3fd32` production readback 仍命中 4 個 marker,desktop / mobile console error `0`、forbidden hit `0`、horizontal overflow `false` | 這是 backup / restore / escrow / retention 事故後回讀計畫,不是 owner response received / accepted、backup status accepted、restore drill accepted、offsite sync accepted、credential escrow proof accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、kubectl、SSH、secret collection、host write、production write 或 runtime gate;production verification 不提高任何 runtime / action count | | Monitoring / Alerting / Observability Owner Request Draft | 本地完成 | `monitoring-owner-request-draft.snapshot.json` 已固定 `request_draft_count=60`、`write_capable_request_draft_count=11`、`live_evidence_required_request_count=60`、`request_field_count=24`、`required_owner_field_count=14`、`blocked_action_count=24`、`request_sent_count=0`、`owner_response_received_count=0`、`runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 request ids、blocked actions 與 false flags | 這是 Prometheus、Alertmanager、Grafana、SigNoz、Sentry、Langfuse、OTEL、Telegram / notification policy、deploy / reload scripts 與 alert chain smoke 的人工送件前 request draft,不是 request sent、owner response received / accepted、live evidence、Prometheus reload、Alertmanager reload、Grafana import、SigNoz apply、Sentry deploy、Langfuse change、OTEL reload、receiver route change、silence change、Telegram send、live alert fire、alert chain smoke、secret collection、host write、production write 或 runtime gate;不需要 production browser smoke | | Monitoring / Alerting / Observability Post-incident Readback Plan | 本地完成 | `monitoring-post-incident-readback-plan.snapshot.json` 已固定 `readback_candidate_count=60`、`write_capable_readback_candidate_count=11`、`live_evidence_required_readback_candidate_count=60`、`alert_rule_readback_candidate_count=13`、`deploy_or_reload_readback_candidate_count=6`、`required_readback_field_count=30`、`reviewer_check_count=28`、`outcome_lane_count=11`、`blocked_action_count=53`、`post_incident_readback_received_count=0`、`post_incident_readback_accepted_count=0`、`runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 readback ids、reviewer checks、outcome lanes、blocked actions 與 false flags | 這是監控 / 告警事故後回讀計畫,不是 owner response received / accepted、live evidence、Prometheus reload、Alertmanager reload、Grafana import、SigNoz apply、Sentry deploy、Langfuse change、OTEL reload、receiver route change、silence change、Telegram send、live alert fire、alert chain smoke、secret collection、host write、production write 或 runtime gate;前端數字會隨本輪 commit / deploy 另行 smoke | | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate | diff --git a/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md b/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md index b02353bba..2c77c0af2 100644 --- a/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md +++ b/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md @@ -704,7 +704,7 @@ Alert / Sentry / SigNoz / Gitea / Market Watch / Operator | `docs/security/ssh-network-owner-response-acceptance.snapshot.json` + `scripts/security/ssh-network-owner-response-acceptance.py` | SSH / Firewall / Network Access Owner Response Acceptance 已本地完成;承接 SSH / network repo-only 清冊與 owner request draft,固定 16 份 acceptance candidate、6 份 write-capable candidate、16 份需 live evidence candidate、29 欄 acceptance field、13 欄 required owner fields、15 個 reviewer check、7 條 outcome lane 與 22 類 blocked action;SSH / network 類別只讀成熟度 `54% -> 58%`,高價值配置平均只讀成熟度仍為 `67%`;request sent、recipient confirmed、owner response received / accepted、live access state、host key pinning、port policy、firewall owner、NetworkPolicy / NodePort、WireGuard cutover、SSH、keyscan、known_hosts patch、firewall / port change、host write、runtime gate、action buttons 仍全部為 `0` | 這是 owner response acceptance 只讀帳本,不是 owner response received / accepted、live host read、host keyscan、known_hosts patch、firewall / port change、NetworkPolicy apply、NodePort change、WireGuard cutover、secret collection、host write、production write 或 runtime gate | | `docs/security/backup-restore-owner-request-draft.snapshot.json` + `scripts/security/backup-restore-owner-request-draft.py` | Backup / Restore / Escrow Owner Request Draft 已本地完成;承接 backup / restore repo-only 清冊,固定 38 份 request draft、27 份 write-capable request draft、38 份需 live evidence request、24 欄 request fields、14 欄 required owner fields 與 18 類 blocked action;request sent、recipient confirmed、owner response received / accepted、live backup evidence、backup run、restore run、offsite sync、escrow marker write、retention change、runtime gate、action buttons 仍全部為 `0` | 這是人工送件前 request draft,不是 request sent、owner response received / accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、secret collection、host write、production write 或 runtime gate | | `docs/security/backup-restore-owner-response-acceptance.snapshot.json` + `scripts/security/backup-restore-owner-response-acceptance.py` | Backup / Restore / Escrow Owner Response Acceptance 只讀帳本已本地完成;承接 backup / restore owner request draft,固定 38 份 acceptance candidate、27 份 write-capable acceptance candidate、24 欄 acceptance field、14 欄 required owner field、13 個 reviewer check、7 條 outcome lane 與 22 類 blocked action;owner response received / accepted、live backup evidence、backup run、restore run、offsite sync、credential escrow marker write、retention change、runtime gate、action buttons 仍全部為 `0` | 這是 owner response 收件驗收帳本,不是 owner response received / accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、secret collection、host write、production write 或 runtime gate | -| `docs/security/backup-restore-post-incident-readback-plan.snapshot.json` + `scripts/security/backup-restore-post-incident-readback-plan.py` | Backup / Restore / Escrow Post-incident Readback Plan 已本地完成;承接 owner response acceptance 與 restore recovery 回補,固定 38 份事故後回讀 candidate、27 份 write-capable、38 份需 live evidence、38 份 restore drill required、20 份 offsite / escrow required、17 份 retention / remote delete required、34 欄 required readback field、32 個 reviewer check、11 條 outcome lane 與 51 類 blocked action;backup / restore / credential 類別只讀成熟度 `64% -> 66%`,高價值配置平均維持 `71%`;post-incident readback received / accepted、backup status accepted、restore drill accepted、offsite sync accepted、credential escrow non-secret proof accepted、retention runway accepted、backup health no-false-green accepted、runtime gate、action buttons 仍全部為 `0` | 這是事故後回讀計畫,不是 owner response received / accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、kubectl、SSH、secret collection、host write、production write 或 runtime gate | +| `docs/security/backup-restore-post-incident-readback-plan.snapshot.json` + `scripts/security/backup-restore-post-incident-readback-plan.py` | Backup / Restore / Escrow Post-incident Readback Plan 已正式站驗證完成;承接 owner response acceptance 與 restore recovery 回補,固定 38 份事故後回讀 candidate、27 份 write-capable、38 份需 live evidence、38 份 restore drill required、20 份 offsite / escrow required、17 份 retention / remote delete required、34 欄 required readback field、32 個 reviewer check、11 條 outcome lane 與 51 類 blocked action;backup / restore / credential 類別只讀成熟度 `64% -> 66%`,高價值配置平均維持 `71%`,後續 Wazuh 接入後程式化平均為 `72%`;code `1b9d44cf`、deploy marker `f5be4cb8`、CD `3083` 與後續 `7cb3fd32` production marker readback 已通過;post-incident readback received / accepted、backup status accepted、restore drill accepted、offsite sync accepted、credential escrow non-secret proof accepted、retention runway accepted、backup health no-false-green accepted、runtime gate、action buttons 仍全部為 `0` | 這是事故後回讀計畫,不是 owner response received / accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、kubectl、SSH、secret collection、host write、production write 或 runtime gate | | `docs/security/monitoring-owner-request-draft.snapshot.json` + `scripts/security/monitoring-owner-request-draft.py` | Monitoring / Alerting / Observability Owner Request Draft 已本地完成;承接 monitoring repo-only 清冊,固定 60 份 request draft、11 份 write-capable request draft、60 份需 live evidence request、24 欄 request fields、14 欄 required owner fields 與 24 類 blocked action;request sent、recipient confirmed、owner response received / accepted、live evidence、reload、receiver route change、silence change、Telegram send、alert chain smoke、runtime gate、action buttons 仍全部為 `0` | 這是人工送件前 request draft,不是 request sent、owner response received / accepted、Prometheus reload、Alertmanager reload、Grafana import、SigNoz apply、Sentry deploy、Langfuse change、OTEL reload、receiver route change、silence change、Telegram send、live alert fire、alert chain smoke、secret collection、host write、production write 或 runtime gate | | `docs/security/monitoring-owner-response-acceptance.snapshot.json` + `scripts/security/monitoring-owner-response-acceptance.py` | Monitoring / Alerting / Observability Owner Response Acceptance 只讀帳本已本地完成;承接 monitoring owner request draft,固定 60 份 acceptance candidate、11 份 write-capable acceptance candidate、60 份需 live evidence candidate、30 欄 acceptance field、14 欄 required owner field、15 個 reviewer check、7 條 outcome lane 與 28 類 blocked action;monitoring 類別成熟度 `62% -> 66%`,高價值配置平均成熟度 `68% -> 69%`;owner response received / accepted / rejected、live evidence、reload、receiver route change、silence change、Telegram send、live alert fire、alert chain smoke、runtime gate、action buttons 仍全部為 `0` | 這是 owner response 收件驗收帳本,不是 owner response received / accepted、Prometheus reload、Alertmanager reload、Grafana import、SigNoz apply、Sentry deploy、Langfuse change、OTEL reload、receiver route change、silence change、Telegram send、live alert fire、alert chain smoke、secret collection、host write、production write 或 runtime gate | | `docs/security/agent-bounty-owner-request-draft.snapshot.json` + `scripts/security/agent-bounty-owner-request-draft.py` | agent-bounty-protocol Owner Request Draft 已本地完成;承接 onboarding handoff,固定 11 份 request draft、4 份 control boundary、7 份 product surface、8 份 write-capable request draft、4 份 treasury-related request draft、5 份 MCP / A2A-related request draft、22 欄 required owner fields、25 類 forbidden input 與 28 類 blocked action;request sent、recipient confirmed、owner response received / accepted、repo refs truth、deployment boundary、data classification、external agent boundary、treasury boundary、runtime gate、action buttons 仍全部為 `0` | 這是人工送件前 request draft,不是 request sent、owner response received / accepted、repo push、refs sync、workflow 修改、secret collection、deploy、compose restart、DB migration、claim / submit、payout / withdrawal、cron / daemon、external send、host write、production write 或 runtime gate | @@ -864,7 +864,7 @@ Repo / registry / release notes / K8s / host / observability / backup evidence 85. 建立 K8s / ArgoCD Owner Response Acceptance 只讀帳本。✅ 本地完成;新增 `k8s-argocd-owner-response-acceptance.py`、snapshot 與說明文件,將 manifest inventory 與 owner request draft 串成 `acceptance_candidate_count=4`、`c0_acceptance_candidate_count=3`、`required_owner_field_count=11`、`reviewer_check_count=12`、`outcome_lane_count=7`、`blocked_action_count=18` 的 owner response acceptance ledger;owner response received / accepted、rendered manifest diff、ArgoCD API read、ArgoCD sync、kubectl action、live cluster read、secret collection、runtime gate、action buttons 仍全部為 `0`。這不是 owner response received / accepted、ArgoCD API read、ArgoCD sync、kubectl action、live cluster read、secret collection、production write 或 runtime gate。 85a. 建立 K8s / ArgoCD GitOps 變更證據驗收只讀帳本。✅ 本地完成;新增 `k8s-argocd-change-evidence-acceptance.py`、snapshot 與說明文件,將四個 scan group 串成 `change_evidence_candidate_count=4`、`c0_change_evidence_candidate_count=3`、`write_capable_candidate_count=4`、`required_evidence_field_count=18`、`reviewer_check_count=18`、`outcome_lane_count=8`、`blocked_action_count=28` 的 GitOps change evidence acceptance ledger;change evidence received / accepted、runtime approval package、ArgoCD API read、ArgoCD sync、kubectl action、Helm upgrade、NetworkPolicy / NodePort / RBAC change、live cluster read、secret collection、runtime gate、action buttons 仍全部為 `0`。這不是 change evidence received / accepted、runtime approval、ArgoCD API read、ArgoCD sync、kubectl action、Helm upgrade、production write 或 runtime gate。 86. 建立 Backup / Restore / Escrow Owner Response Acceptance 只讀帳本。✅ 本地完成;新增 `backup-restore-owner-response-acceptance.py`、snapshot 與說明文件,將 38 份 backup / restore / escrow owner request draft 串成 `acceptance_candidate_count=38`、`write_capable_acceptance_candidate_count=27`、`live_evidence_required_candidate_count=38`、`required_owner_field_count=14`、`reviewer_check_count=13`、`outcome_lane_count=7`、`blocked_action_count=22` 的 owner response acceptance ledger;backup / restore 類別只讀成熟度 `58% -> 62%`,高價值配置平均只讀成熟度 `66% -> 67%`;owner response received / accepted、live backup evidence、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、secret collection、host write、runtime gate、action buttons 仍全部為 `0`。這不是 owner response received / accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、secret collection、host write、production write 或 runtime gate。 -86a. 建立 Backup / Restore / Escrow 事故後回讀計畫。✅ 本地完成;新增 `backup-restore-post-incident-readback-plan.py`、snapshot 與說明文件,將 38 份 backup / restore / escrow / retention surface 串成 `readback_candidate_count=38`、`write_capable_readback_candidate_count=27`、`live_evidence_required_readback_candidate_count=38`、`restore_drill_readback_required_candidate_count=38`、`offsite_or_escrow_readback_required_candidate_count=20`、`retention_or_remote_delete_readback_required_candidate_count=17`、`required_readback_field_count=34`、`reviewer_check_count=32`、`outcome_lane_count=11`、`blocked_action_count=51` 的 post-incident readback plan;backup / restore / credential 類別只讀成熟度 `64% -> 66%`,高價值配置平均維持 `71%`;post-incident readback received / accepted、backup status accepted、restore drill accepted、offsite sync accepted、credential escrow non-secret proof accepted、retention runway accepted、backup health no-false-green accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、secret collection、host write、runtime gate、action buttons 仍全部為 `0`。這不是 owner response received / accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、kubectl、SSH、secret collection、host write、production write 或 runtime gate。 +86a. 建立 Backup / Restore / Escrow 事故後回讀計畫。✅ 正式站驗證完成;新增 `backup-restore-post-incident-readback-plan.py`、snapshot 與說明文件,將 38 份 backup / restore / escrow / retention surface 串成 `readback_candidate_count=38`、`write_capable_readback_candidate_count=27`、`live_evidence_required_readback_candidate_count=38`、`restore_drill_readback_required_candidate_count=38`、`offsite_or_escrow_readback_required_candidate_count=20`、`retention_or_remote_delete_readback_required_candidate_count=17`、`required_readback_field_count=34`、`reviewer_check_count=32`、`outcome_lane_count=11`、`blocked_action_count=51` 的 post-incident readback plan;backup / restore / credential 類別只讀成熟度 `64% -> 66%`,高價值配置平均維持 `71%`;code `1b9d44cf`、deploy marker `f5be4cb8`、Gitea code-review `3084`、CD `3083` 與後續 `7cb3fd32` production marker readback 已驗證;post-incident readback received / accepted、backup status accepted、restore drill accepted、offsite sync accepted、credential escrow non-secret proof accepted、retention runway accepted、backup health no-false-green accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、secret collection、host write、runtime gate、action buttons 仍全部為 `0`。這不是 owner response received / accepted、backup run、restore run、offsite sync、remote delete、credential escrow marker write、retention change、restic prune、rclone config、Velero restore / backup、kubectl、SSH、secret collection、host write、production write 或 runtime gate。 87. 建立 SSH / Firewall / Network Access Owner Response Acceptance 只讀帳本。✅ 本地完成;新增 `ssh-network-owner-response-acceptance.py`、snapshot 與說明文件,將 16 份 SSH / network owner request draft 串成 `acceptance_candidate_count=16`、`write_capable_acceptance_candidate_count=6`、`live_evidence_required_candidate_count=16`、`required_owner_field_count=13`、`reviewer_check_count=15`、`outcome_lane_count=7`、`blocked_action_count=22` 的 owner response acceptance ledger;SSH / network 類別只讀成熟度 `54% -> 58%`,高價值配置平均只讀成熟度仍為 `67%`;owner response received / accepted、live access state、host key pinning、port policy、firewall owner、NetworkPolicy / NodePort、WireGuard cutover、SSH、keyscan、known_hosts patch、firewall / port change、secret collection、host write、runtime gate、action buttons 仍全部為 `0`。這不是 owner response received / accepted、live host read、host keyscan、known_hosts patch、firewall / port change、NetworkPolicy apply、NodePort change、WireGuard cutover、secret collection、host write、production write 或 runtime gate。 88. 建立 Monitoring / Alerting / Observability Owner Response Acceptance 只讀帳本。✅ 本地完成;新增 `monitoring-owner-response-acceptance.py`、snapshot 與說明文件,將 60 份 monitoring owner request draft 串成 `acceptance_candidate_count=60`、`write_capable_acceptance_candidate_count=11`、`live_evidence_required_candidate_count=60`、`acceptance_field_count=30`、`required_owner_field_count=14`、`reviewer_check_count=15`、`outcome_lane_count=7`、`blocked_action_count=28` 的 owner response acceptance ledger;monitoring / alerting / observability 類別只讀成熟度 `62% -> 66%`,高價值配置平均只讀成熟度 `68% -> 69%`;owner response received / accepted / rejected、live evidence、Prometheus reload、Alertmanager reload、Grafana import、SigNoz apply、Sentry deploy、Langfuse change、OTEL reload、receiver route change、silence change、Telegram send、live alert fire、alert chain smoke、secret collection、host write、runtime gate、action buttons 仍全部為 `0`。這不是 owner response received / accepted、reload、deploy、receiver route change、silence change、Telegram send、alert chain smoke、host write、production write 或 runtime gate。 diff --git a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md index 580d6c2c1..53f5c7dae 100644 --- a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md +++ b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md @@ -9,7 +9,7 @@ | 工作視窗 | IwoooS / AWOOOI 資安治理 P0 | | 本次乾淨 worktree | `/tmp/awoooi-cd-runner-secret-verify-20260618` | | 本次分支 | detached at `gitea/main`;推送時使用 `HEAD:main`,不 force push | -| 最新觀察到的 `gitea/main` | `3e30807c docs(iwooos): 補記 CD runner secret 正式驗證 [skip ci]` | +| 最新觀察到的 `gitea/main` | `d1374257 docs(iwooos): 記錄 Wazuh 回讀正式驗證 [skip ci]`;最新 production deploy marker 仍是 `7cb3fd32 chore(cd): deploy ac9ee65 [skip ci]`;本輪 backup / restore / escrow readback code `1b9d44cf`、deploy marker `f5be4cb8`、code-review `3084`、CD `3083` 已正式驗證,後續 Wazuh deploy `7cb3fd32` 後 production marker 仍命中 | | 最新 P0 Telegram 告警 / 批准執行真相鏈基準 | code `32e4beca`、deploy marker `717b5870`、code-review `2658`、CD `2657`;no-action approval 不再觸發 executor,可執行修復 approval 會寫入 `auto_repair_executions`、KM 與 verifier | | 最新 P0 Telegram no-action 人工處置包基準 | code `cd928852`、deploy marker `9181cc0e`、code-review `2666`;正式部署 tree 已包含 no-action 人工處置包、`處置包 / 重診 / 歷史 / 靜默 / 真相鏈 / Runs` 鍵盤、production pod render / keyboard smoke | | 最新 P0 MCP evidence / PlayBook 修復候選基準 | code `cc614023`、D1 blocker clarity `47d677ac`、D2 manual draft package `febe9ecf`、D3 draft work item `e8d5eafb`、D4 work item detail panel `e8a5bac5`、D5 coverage gap contract 本地完成;目前 production deploy marker 仍為 `985a2cfe` 的 D4 Work Items detail panel,D5 尚待推送 / 部署驗證。正式部署 tree 經 production pod smoke 與 Work Items browser smoke 確認可由 MCP evidence + approved PlayBook trust 產生 medium approval candidate、綁定預配置 approval id、不外露 preallocated metadata,且通用兜底 / 診斷型 PlayBook 不會被誤當修復命令;若缺安全修復候選,Telegram 人工處置包會顯示阻擋原因、下一步、PlayBook 草案欄位與 AwoooP 修復候選草案工作項,工作項頁會顯示 PlayBook 草案處置板、必填欄位、阻擋原因、下一步與 Runs / 審批連結;D5 讓 blocked result 進一步輸出服務 coverage gap、blocking stage、必收 MCP evidence refs 與 PlayBook template fields | @@ -25,7 +25,7 @@ | 最新 P0 agent-bounty-protocol 配置控管基準 | onboarding handoff 已固定 `product_scope_handoff_only`、owner response / runtime gate 全部 `false`;本輪新增 owner request draft,固定 `drafts=11`、`control=4`、`surface=7`、`write_capable=8`、`treasury=4`、`mcp_a2a=5`、`owner_fields=22`、`forbidden_inputs=25`、`blocked_actions=28`、request sent / received / accepted / repo push / refs sync / deploy / claim / submit / payout / daemon / cron / runtime gate 全部 `0` | | 最新 P1 Docker / systemd / Host Service 配置控管基準 | repo-only inventory 已固定 `surface=9`、`write_capable=3`、`live_evidence_required=8`、成熟度 `42% -> 50%`;owner request draft 固定 `drafts=9`、`owner_fields=12`、`blocked_actions=14`;本輪新增 owner response acceptance 只讀帳本,固定 `candidates=9`、`write_capable=3`、`live_evidence_required=8`、`reviewer_checks=14`、`outcome_lanes=7`、`blocked_actions=20`,成熟度 `50% -> 54%`;request sent / received / accepted / live evidence / host read / restart window / rollback owner / host write / runtime gate 全部 `0` | | 最新 P1 SSH / Firewall / Network Access 配置控管基準 | repo-only inventory 已固定 `surface=16`、`write_capable=6`、`live_evidence_required=16`、成熟度 `48% -> 54%`;本輪新增 owner request draft,固定 `drafts=16`、`owner_fields=13`、`blocked_actions=16`、request sent / received / accepted / live access state / firewall / port change / NetworkPolicy / NodePort / WireGuard / host write / runtime gate 全部 `0` | -| 最新 P1 Backup / Restore / Escrow 配置控管基準 | repo-only inventory 已固定 `surface=38`、`write_capable=27`、`live_evidence_required=38`,owner request draft、owner response acceptance 與 restore recovery 回補已完成;本輪新增 post-incident readback plan,固定 `candidates=38`、`write_capable=27`、`live_evidence_required=38`、`restore_drill_required=38`、`offsite_or_escrow_required=20`、`retention_or_remote_delete_required=17`、`required_fields=34`、`reviewer_checks=32`、`outcome_lanes=11`、`blocked_actions=51`,成熟度 `52% -> 66%`;request sent / received / accepted / backup run / restore run / offsite sync / remote delete / escrow marker / retention change / runtime gate 全部 `0` | +| 最新 P1 Backup / Restore / Escrow 配置控管基準 | repo-only inventory 已固定 `surface=38`、`write_capable=27`、`live_evidence_required=38`,owner request draft、owner response acceptance 與 restore recovery 回補已完成;本輪新增 post-incident readback plan,固定 `candidates=38`、`write_capable=27`、`live_evidence_required=38`、`restore_drill_required=38`、`offsite_or_escrow_required=20`、`retention_or_remote_delete_required=17`、`required_fields=34`、`reviewer_checks=32`、`outcome_lanes=11`、`blocked_actions=51`,成熟度 `52% -> 66%`;code `1b9d44cf`、deploy marker `f5be4cb8`、code-review `3084`、CD `3083` 與後續 `7cb3fd32` production marker readback 已驗證;request sent / received / accepted / backup run / restore run / offsite sync / remote delete / escrow marker / retention change / runtime gate 全部 `0` | | 最新 P1 Monitoring / Alerting / Observability 配置控管基準 | repo-only inventory 已固定 `surface=60`、`write_capable=11`、`live_evidence_required=60`、成熟度 `56% -> 62%`;owner request draft 固定 `drafts=60`、`owner_fields=14`、`blocked_actions=24`;本輪新增 owner response acceptance 只讀帳本,固定 `candidates=60`、`write_capable=11`、`live_evidence_required=60`、`reviewer_checks=15`、`outcome_lanes=7`、`blocked_actions=28`,成熟度 `62% -> 66%`;request sent / received / accepted / rejected / live evidence / reload / receiver route change / Telegram send / alert chain smoke / runtime gate 全部 `0` | | 最新 P0 CD / Runner / Secret 注入變更證據驗收基準 | 已新增 `CD-RUNNER-SECRET-INJECTION-CHANGE-EVIDENCE-ACCEPTANCE.md`、snapshot 與產生器;固定 `candidates=5`、`c0=4`、`c1=1`、`write_capable=5`、`workflow_files=33`、`referenced_secret_names=42`、`runner_labels=5`、`evidence_fields=19`、`reviewer_checks=19`、`outcome_lanes=8`、`blocked_actions=32`;secret metadata 成熟度 `66% -> 68%`,workflow / runner 成熟度 `70% -> 72%`;workflow diff / runner attestation / secret name parity / secret injection route / deploy marker readback / guard result / postcheck evidence accepted、workflow modification、runner change、repo secret change、secret rotation、Gitea action dispatch、production deploy、runtime gate 全部 `0` | | 最新 P0 Public / Admin / API runtime config 變更證據驗收基準 | 已新增 `PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md`、snapshot 與產生器;固定 `candidates=6`、`c0=5`、`c1=1`、`write_capable=6`、`source_refs=20`、`evidence_fields=21`、`reviewer_checks=21`、`outcome_lanes=8`、`blocked_actions=32`;public/admin/API runtime config 成熟度 `62% -> 64%`;affected route / admin auth / API readback / CORS diff / frontend env diff / i18n redaction / desktop-mobile smoke / sensitive scan / postcheck accepted、route / CORS / env / auth / webhook 變更、production deploy、runtime gate 全部 `0`;raw namespace、repo slug、內部狀態碼、內部協作內容外洩列為拒收或隔離 | @@ -321,7 +321,7 @@ P1 只讀重盤階段整體完成度:`70%`。它代表 freshness / inventory / | P0-26 | Backup / Restore / Escrow owner response acceptance 只讀帳本 | 已新增 `BACKUP-RESTORE-OWNER-RESPONSE-ACCEPTANCE.md`、`backup-restore-owner-response-acceptance.snapshot.json` 與產生器;38 份 acceptance candidate、27 份 write-capable、14 個 owner 必填欄位、13 個 reviewer checks、7 條 outcome lanes、22 類 blocked action | 帳本 artifact `100%`;owner response received / accepted、live backup evidence、backup run、restore run、offsite sync、remote delete、escrow marker write、retention change、secret collection、host write、runtime gate 仍全部 `0 / false`;backup / restore 類別成熟度 `58% -> 62%` | | P0-27 | DNS / TLS / certbot owner response acceptance 只讀帳本 | 已新增 `DOMAIN-TLS-CERTBOT-OWNER-RESPONSE-ACCEPTANCE.md`、`domain-tls-certbot-owner-response-acceptance.snapshot.json` 與產生器;4 份 acceptance candidate、4 份 C0、13 個 owner 必填欄位、13 個 reviewer checks、7 條 outcome lanes、20 類 blocked action | 帳本 artifact `100%`;owner response received / accepted、certificate coverage confirmed、DNS query、live TLS probe、certbot renew、Nginx reload、route smoke、DNS record / certificate path / ACME route 變更、host write、runtime gate 仍全部 `0 / false`;DNS / TLS 類別成熟度 `74% -> 78%` | | P0-29 | Public / Admin / API runtime config 變更證據驗收只讀帳本 | 已新增 `PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md`、`public-runtime-config-change-evidence-acceptance.snapshot.json` 與產生器;6 份 change evidence candidate、5 份 C0、6 份 write-capable、20 個 source refs、21 個 reviewer checks、8 條 outcome lanes、32 類 blocked action | 帳本 artifact `100%`;affected route、admin/auth boundary、API readback、CORS diff、frontend env diff、i18n redaction、webhook owner、desktop / mobile smoke、sensitive scan、postcheck、runtime approval package、route / CORS / env / auth / webhook 變更、frontend / API deploy、runtime gate 仍全部 `0 / false`;raw namespace / repo slug / 內部狀態碼 / 內部協作內容外洩列為拒收或隔離;完成後需 production desktop / mobile smoke | -| P1-15 | Backup / Restore / Escrow 事故後回讀計畫 | 已新增 `BACKUP-RESTORE-POST-INCIDENT-READBACK-PLAN.md`、`backup-restore-post-incident-readback-plan.snapshot.json` 與產生器;38 個 readback candidate、27 個 write-capable、38 個需 live evidence、38 個 restore drill required、20 個 offsite / escrow required、17 個 retention / remote delete required、34 個必填回讀欄位、32 個 reviewer checks、11 條 outcome lanes、51 類 blocked action | 事故後回讀 artifact `100%`;post-incident readback received / accepted、backup status accepted、restore drill accepted、offsite sync accepted、credential escrow non-secret proof accepted、retention runway accepted、backup health no-false-green accepted、backup run、restore run、offsite sync、remote delete、escrow marker write、retention change、secret collection、host write、runtime gate 仍全部 `0 / false`;backup / restore 類別成熟度 `64% -> 66%` | +| P1-15 | Backup / Restore / Escrow 事故後回讀計畫 | 已新增 `BACKUP-RESTORE-POST-INCIDENT-READBACK-PLAN.md`、`backup-restore-post-incident-readback-plan.snapshot.json` 與產生器;38 個 readback candidate、27 個 write-capable、38 個需 live evidence、38 個 restore drill required、20 個 offsite / escrow required、17 個 retention / remote delete required、34 個必填回讀欄位、32 個 reviewer checks、11 條 outcome lanes、51 類 blocked action;code `1b9d44cf`、deploy marker `f5be4cb8`、Gitea code-review `3084` / CD `3083` 已完成,後續 `7cb3fd32` production readback 仍命中 marker | 事故後回讀 artifact `100%`,production deploy / marker readback `100%`;post-incident readback received / accepted、backup status accepted、restore drill accepted、offsite sync accepted、credential escrow non-secret proof accepted、retention runway accepted、backup health no-false-green accepted、backup run、restore run、offsite sync、remote delete、escrow marker write、retention change、secret collection、host write、runtime gate 仍全部 `0 / false`;backup / restore 類別成熟度 `64% -> 66%` | ## 7. 2026-06-04 本輪驗證紀錄