feat(iwooos): 強化前台敏感資訊防洩漏 guard
All checks were successful
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m38s
CD Pipeline / build-and-deploy (push) Successful in 3m44s
CD Pipeline / post-deploy-checks (push) Successful in 1m28s

This commit is contained in:
Your Name
2026-06-15 15:46:29 +08:00
parent b16f4c7332
commit 65f2d50d69
14 changed files with 395 additions and 71 deletions

View File

@@ -101,16 +101,17 @@ CONTROL_STATUS_BY_CATEGORY = {
"next_owner_action": "補 workflow diff ref、runner owner attestation、secret name parity ref、Gitea run readback、guard result、maintenance window、rollback owner 與 post-check evidence。",
},
"public_admin_api_runtime_config": {
"coverage_status": "change_evidence_acceptance_ready_needs_runtime_config_owner_evidence",
"coverage_percent": 64,
"coverage_status": "frontend_sensitive_surface_guard_ready_needs_runtime_config_owner_evidence",
"coverage_percent": 66,
"evidence_refs": [
"docs/HARD_RULES.md",
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
"docs/security/PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md",
"docs/security/public-runtime-config-change-evidence-acceptance.snapshot.json",
"docs/security/public-frontend-sensitive-surface-guard.snapshot.json",
],
"current_gap": "已固定 Public / Admin / API runtime config 變更證據驗收只讀帳本affected route、admin/auth boundary、API readback、CORS diff、frontend env diff、i18n redaction、webhook owner、desktop/mobile smoke、sensitive string scan、rollback 與 post-check evidence 仍全部為 0。",
"next_owner_action": "補 affected route refs、admin/auth boundary、API contract readback、CORS origin diff、frontend env diff、i18n redaction review、webhook/callback owner、desktop/mobile smoke、sensitive string scan、rollback owner 與 post-check evidence。",
"current_gap": "已固定 Public / Admin / API runtime config 變更證據驗收只讀帳本,並新增前台 source / messages 敏感資訊防洩漏 guardaffected route、admin/auth boundary、API readback、CORS diff、frontend env diff、i18n redaction、webhook owner、desktop/mobile production smoke、bundle scan、rollback 與 post-check evidence 仍全部為 0。",
"next_owner_action": "補 affected route refs、admin/auth boundary、API contract readback、CORS origin diff、frontend env diff、i18n redaction review、webhook/callback owner、desktop/mobile production smoke、bundle sensitive scan、rollback owner 與 post-check evidence。",
},
"backup_restore_credential": {
"coverage_status": "restore_recovery_backfill_ready_needs_owner_live_evidence",
@@ -376,6 +377,7 @@ def build_report(root: Path, generated_at: str | None) -> dict[str, Any]:
"secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
"cd_runner_secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
"change_evidence_acceptance_ready_needs_runtime_config_owner_evidence",
"frontend_sensitive_surface_guard_ready_needs_runtime_config_owner_evidence",
"owner_response_acceptance_ledger_ready_needs_restore_drill_owner",
"restore_recovery_backfill_ready_needs_owner_live_evidence",
"owner_response_acceptance_ledger_ready_needs_network_owner",