fix(iwooos): 新增 public runtime config 驗收與 tenants 防洩漏
This commit is contained in:
@@ -101,14 +101,16 @@ CONTROL_STATUS_BY_CATEGORY = {
|
||||
"next_owner_action": "補 workflow diff ref、runner owner attestation、secret name parity ref、Gitea run readback、guard result、maintenance window、rollback owner 與 post-check evidence。",
|
||||
},
|
||||
"public_admin_api_runtime_config": {
|
||||
"coverage_status": "policy_ready_needs_change_scoped_smoke",
|
||||
"coverage_percent": 62,
|
||||
"coverage_status": "change_evidence_acceptance_ready_needs_runtime_config_owner_evidence",
|
||||
"coverage_percent": 64,
|
||||
"evidence_refs": [
|
||||
"docs/HARD_RULES.md",
|
||||
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
|
||||
"docs/security/PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md",
|
||||
"docs/security/public-runtime-config-change-evidence-acceptance.snapshot.json",
|
||||
],
|
||||
"current_gap": "每次產品 route / admin / API / frontend config 變更仍需逐次 smoke 與 owner gate。",
|
||||
"next_owner_action": "補 affected route、admin/auth boundary、CORS/public URL 與 desktop/mobile smoke plan。",
|
||||
"current_gap": "已固定 Public / Admin / API runtime config 變更證據驗收只讀帳本;affected route、admin/auth boundary、API readback、CORS diff、frontend env diff、i18n redaction、webhook owner、desktop/mobile smoke、sensitive string scan、rollback 與 post-check evidence 仍全部為 0。",
|
||||
"next_owner_action": "補 affected route refs、admin/auth boundary、API contract readback、CORS origin diff、frontend env diff、i18n redaction review、webhook/callback owner、desktop/mobile smoke、sensitive string scan、rollback owner 與 post-check evidence。",
|
||||
},
|
||||
"backup_restore_credential": {
|
||||
"coverage_status": "owner_response_acceptance_ledger_ready_needs_restore_drill_owner",
|
||||
@@ -271,6 +273,27 @@ FALSE_BOUNDARIES = {
|
||||
"exporter_deploy_authorized": False,
|
||||
"live_alert_fire_authorized": False,
|
||||
"alert_chain_smoke_authorized": False,
|
||||
"runtime_config_change_authorized": False,
|
||||
"api_route_change_authorized": False,
|
||||
"cors_change_authorized": False,
|
||||
"frontend_env_change_authorized": False,
|
||||
"middleware_auth_change_authorized": False,
|
||||
"callback_url_change_authorized": False,
|
||||
"webhook_secret_change_authorized": False,
|
||||
"security_header_change_authorized": False,
|
||||
"cookie_policy_change_authorized": False,
|
||||
"csrf_disable_authorized": False,
|
||||
"rate_limit_disable_authorized": False,
|
||||
"api_contract_change_authorized": False,
|
||||
"i18n_public_text_internal_identity_allowed": False,
|
||||
"internal_ip_exposure_allowed": False,
|
||||
"repo_namespace_exposure_allowed": False,
|
||||
"owner_namespace_exposure_allowed": False,
|
||||
"internal_status_code_exposure_allowed": False,
|
||||
"internal_transcript_exposure_allowed": False,
|
||||
"raw_payload_storage_allowed": False,
|
||||
"desktop_mobile_smoke_authorized": False,
|
||||
"database_migration_authorized": False,
|
||||
"secret_value_collection_allowed": False,
|
||||
"active_scan_authorized": False,
|
||||
"agent_bounty_runtime_authorized": False,
|
||||
@@ -347,6 +370,7 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]:
|
||||
"change_evidence_acceptance_ready_needs_gitops_owner_evidence",
|
||||
"secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
"cd_runner_secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
|
||||
"change_evidence_acceptance_ready_needs_runtime_config_owner_evidence",
|
||||
"owner_response_acceptance_ledger_ready_needs_restore_drill_owner",
|
||||
"owner_response_acceptance_ledger_ready_needs_network_owner",
|
||||
"change_evidence_acceptance_ready_needs_network_owner_evidence",
|
||||
@@ -400,6 +424,7 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]:
|
||||
"k8s_production_gitops",
|
||||
"secret_metadata",
|
||||
"gitea_workflow_runner_source_control",
|
||||
"public_admin_api_runtime_config",
|
||||
"agent_bounty_protocol_runtime",
|
||||
"docker_compose_systemd_host_config",
|
||||
"monitoring_alerting_observability",
|
||||
|
||||
Reference in New Issue
Block a user