feat(iwooos): 新增資安資產控制總帳
Some checks failed
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m45s
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
Some checks failed
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m45s
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
This commit is contained in:
@@ -1,3 +1,40 @@
|
||||
## 2026-06-18|P0-A 資安資產控制總帳本地收斂
|
||||
|
||||
**背景**:使用者要求 IwoooS 必須完整盤點所有主機、服務、套件、工具、網站前後台、Nginx、網路、Wazuh、Kali、告警監控、備份復原、供應鏈、AI provider 與跨專案 runtime,並優先處理會造成即時資安危害的配置控管。此段先把範圍收成 repo-side 只讀總帳與前台可視卡,避免再用零散長文或單一事故卡追蹤。
|
||||
|
||||
**完成內容**:
|
||||
- 新增 `scripts/security/security-asset-control-ledger.py`,輸出 `security_asset_control_ledger_v1` snapshot。
|
||||
- 新增 `docs/security/SECURITY-ASSET-CONTROL-LEDGER.md` 與 `docs/security/security-asset-control-ledger.snapshot.json`,固定 16 個資安資產群組、14 個 P0 群組、2 個 P1 群組、64 個 committed evidence refs、24 個 owner 必填欄位、24 個 reviewer checks、10 條 outcome lanes、44 個 blocked actions。
|
||||
- `/zh-TW/iwooos` 新增「P0-A 資安資產控制總帳」卡片,放在 SOC / SIEM / Kali / Wazuh 整合卡之後、外部入侵防堵矩陣之前。
|
||||
- `apps/web/messages/zh-TW.json` 與 `apps/web/messages/en.json` 都補上繁體中文文案;前台只顯示脫敏群組、缺口與 0 / false 邊界,不放工作視窗內容、個人 namespace、內部對話或內網拓樸。
|
||||
- `iwooos-config-control-guard.py` 與 `security-mirror-progress-guard.py` 已鎖住新文件、snapshot、前端 testid、卡片順序、i18n key 與所有 0 / false marker。
|
||||
|
||||
**完成度同步**:
|
||||
- P0-A repo-side 資安資產控制總帳:`100%`。
|
||||
- P0-A 前端本地可視化:`100%`。
|
||||
- owner packet 回覆:`0%`,`owner_response_received_count=0`、`owner_response_accepted_count=0`。
|
||||
- live evidence 驗收:`0%`,`live_evidence_accepted_count=0`。
|
||||
- runtime / response / containment:`0%`,`runtime_gate_count=0`、`action_button_count=0`、host write / active scan / Wazuh active response / Kali execute / SOAR / auto block / production write 全部維持 false。
|
||||
- IwoooS headline progress 仍維持 `64%`,不可因 repo-side 總帳完成而假性拉高。
|
||||
|
||||
**本地驗證**:
|
||||
- `python3 scripts/security/security-asset-control-ledger.py --root . --generated-at 2026-06-18T13:44:00+08:00 --output docs/security/security-asset-control-ledger.snapshot.json`:`SECURITY_ASSET_CONTROL_LEDGER_OK groups=16 p0=14 evidence_refs=64 runtime_gate=0`。
|
||||
- `python3 -m json.tool docs/security/security-asset-control-ledger.snapshot.json`、`apps/web/messages/zh-TW.json`、`apps/web/messages/en.json`:通過。
|
||||
- `python3 -m py_compile scripts/security/security-asset-control-ledger.py scripts/security/iwooos-config-control-guard.py scripts/security/security-mirror-progress-guard.py`:通過。
|
||||
- `python3 scripts/security/iwooos-config-control-guard.py --root .`:通過。
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .`:通過。
|
||||
- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea apps/web/messages/zh-TW.json apps/web/messages/en.json 'apps/web/src/app/[locale]/iwooos/page.tsx'`:通過,`scanned_files=907`。
|
||||
- `python3 scripts/security/public-frontend-env-guard.py --root .`:通過,`violations=0 runtime_gate=0`。
|
||||
- 針對本段前端與總帳文件掃描工作視窗、外部對話標記、個人 namespace、內網片語:命中 `0`。
|
||||
- `pnpm --filter @awoooi/web typecheck`:通過。
|
||||
- `git diff --check`:通過。
|
||||
|
||||
**尚未完成**:
|
||||
- 本段尚未 push、尚未取得 Gitea run、尚未部署、尚未做正式站 desktop / mobile smoke。
|
||||
- 磁碟剩餘空間低於 1GiB,因此本地未執行 Next production build;正式部署後必須以 production route 補做 desktop / mobile、水平溢出、必要文字可見與外洩字串檢查。
|
||||
|
||||
**邊界**:本段沒有 SSH、沒有主機寫入、沒有 Nginx reload、沒有 firewall / K8s / workflow 變更、沒有 Wazuh active response、沒有 Kali active scan 或 `/execute`、沒有 Telegram 實發、沒有 SOAR case、沒有收 secret 明文、沒有新增任何正式操作按鈕。
|
||||
|
||||
## 2026-06-18|全 0 週報改為資料鏈異常而非正常報表
|
||||
|
||||
**背景**:使用者提供 AWOOOI 週報截圖,指出告警、AI 效能、開發活動、成本全部為 0,這種報表沒有用途,應該診斷資料鏈與 AI Agent 自動化,而不是只發出空報表。盤點後確認舊 `WeeklyReportService` 會在 Stats / K3s / Git 等資料來源失敗時 fallback 成 0,且 Git 統計依賴容器內 `/app`,成本 / token 也仍是缺資料路徑,導致「查不到資料」被偽裝成「沒有事件」。
|
||||
|
||||
101
docs/security/SECURITY-ASSET-CONTROL-LEDGER.md
Normal file
101
docs/security/SECURITY-ASSET-CONTROL-LEDGER.md
Normal file
@@ -0,0 +1,101 @@
|
||||
# IwoooS 資安資產控制總帳
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-18 |
|
||||
| 狀態 | `security_asset_control_ledger_ready_no_runtime_action` |
|
||||
| 工具 | `scripts/security/security-asset-control-ledger.py` |
|
||||
| Snapshot | `docs/security/security-asset-control-ledger.snapshot.json` |
|
||||
| 對應優先序 | P0-A 資產 / 配置總清冊 |
|
||||
| runtime gate | `0` |
|
||||
|
||||
## 1. 目的
|
||||
|
||||
此總帳把 IwoooS 既有的資安清冊、snapshot、owner gate、事故後回讀計畫與前台防洩漏 guard,彙整成一份可重跑的「資安資產控制總帳」。它回答的是:
|
||||
|
||||
1. 哪些主機、公開入口、版本來源、workflow、監控、Wazuh、Kali、備份、供應鏈、AI agent 與產品 runtime 已進入資安控管視野。
|
||||
2. 每一類資產目前缺哪一種 owner packet 與脫敏 evidence refs。
|
||||
3. 哪些動作仍必須維持 `0 / false`,不能因 UI 可見、snapshot 存在或 CD 成功而自動升級。
|
||||
|
||||
本文件不是 live host truth,也不是主機修復、掃描、封鎖、reload、restart、secret rotation、workflow dispatch、SOAR action 或 production write 授權。
|
||||
|
||||
## 2. 固定摘要
|
||||
|
||||
| 指標 | 值 |
|
||||
|------|----|
|
||||
| 資安資產群組 | `16` |
|
||||
| P0 資產群組 | `14` |
|
||||
| P1 資產群組 | `2` |
|
||||
| C0 群組 | `14` |
|
||||
| C1 群組 | `2` |
|
||||
| evidence refs | `64` |
|
||||
| 已存在 evidence refs | `64` |
|
||||
| 缺失 evidence refs | `0` |
|
||||
| owner 必填欄位 | `24` |
|
||||
| reviewer checks | `24` |
|
||||
| outcome lanes | `10` |
|
||||
| blocked actions | `44` |
|
||||
| owner packet required | `16` |
|
||||
| owner response received / accepted | `0 / 0` |
|
||||
| live evidence accepted | `0` |
|
||||
| runtime gate / action button | `0 / 0` |
|
||||
| P0-A repo 總帳完成度 | `100%` |
|
||||
| IwoooS headline | 仍維持 `64%` |
|
||||
|
||||
## 3. 資產群組與優先序
|
||||
|
||||
| 優先 | 群組 | 控制範圍 | 下一步 |
|
||||
|------|------|----------|--------|
|
||||
| P0 | Nginx / Public Gateway / Route | 公開入口、API、WebSocket、ACME、admin route、Ollama proxy | 補 live conf、rendered diff、`nginx -t`、route smoke、rollback owner |
|
||||
| P0 | DNS / TLS / Certbot | domain、certificate path、ACME、renewal owner、TLS route | 補憑證覆蓋依據、到期 metadata、renewal owner、ACME route owner |
|
||||
| P0 | Docker / systemd / Host Service | compose、systemd、repair-bot、port binding、process / persistence baseline | 補 live hash、incident readback、restart window、rollback owner、post-check |
|
||||
| P0 | SSH / Firewall / WireGuard / NodePort | SSH、known_hosts、sudoers、firewall、WireGuard、NetworkPolicy、NodePort | 補 actor、before / after、impact、operator notification、restoration evidence |
|
||||
| P0 | K8s / ArgoCD / GitOps | manifests、ArgoCD、RBAC、NetworkPolicy、CronJob、Velero | 補 ArgoCD revision、health / sync、rendered diff、rollback revision、postcheck owner |
|
||||
| P0 | Gitea Workflow / Runner / Secret Metadata | workflow、runner、deploy key、webhook、secret name parity、redaction guard | 補 runner attestation、secret injection route、log redaction、Gitea run readback |
|
||||
| P0 | Gitea / GitHub / Source Control | repo visibility、canonical refs、GitHub primary readiness、branch / tag / workflow boundary | 補 owner response;不得自動建 repo、改 visibility、sync refs 或切 primary |
|
||||
| P0 | Wazuh / Endpoint / SIEM | Wazuh manager、agent、FIM、rule / decoder、event ref、active response dry-run 邊界 | 補 Wazuh health refs、agent refs、event refs 與 no-raw-payload attestation |
|
||||
| P0 | Kali 112 / Assessment Tooling | Kali health、tool version、scope、finding envelope、maintenance window | 補 scope ref、health ref、normalized finding envelope;active scan 與 `/execute` 另批 |
|
||||
| P0 | Monitoring / Alerting / Observability | Prometheus、Alertmanager、Telegram route、SigNoz、Sentry、Langfuse、no-false-green | 補 route owner、receiver diff、receipt evidence、noise budget、reload owner |
|
||||
| P0 | Backup / Restore / DR / Escrow | backup、restic、offsite、escrow、Velero、restore drill、retention | 補 restore drill、offsite ref、escrow non-secret proof、retention runway、DR scorecard |
|
||||
| P0 | Harbor / Registry / SBOM / Supply Chain | Harbor、registry、image tag、SBOM、Cosign、SLSA、dependency drift、CVE / KEV | 補 SBOM / VEX / provenance intake、image signing、KEV / EPSS / exposure SLA |
|
||||
| P0 | Public / Admin / API / Frontend Runtime | public URL、CORS、auth boundary、middleware、webhook、frontend env、i18n redaction | 補 route owner、API readback、CORS diff、desktop / mobile smoke、bundle scan |
|
||||
| P0 | AI Provider / Model Router / Agent Runtime | OpenClaw、Ollama、NemoTron、Hermes、Gemini、MCP / A2A、tool allowlist、cost / privacy | 補 dry-run、benchmark、cost review、privacy review、fallback order、rollback owner |
|
||||
| P1 | Product Surface / Runtime Route | AWOOOI、AwoooP、IwoooS、VibeWork、agent-bounty-protocol、StockPlatform、Tsenyang、Bitan | 補逐產品 owner、route、admin、API、backup、webhook、rollback 與 validation 指標 |
|
||||
| P1 | KM / PlayBook / Script / Schedule / Verifier | incident、approval、repair candidate、manual handoff 的自動化資產沉澱 | 補 incident / approval / manual handoff writeback contract |
|
||||
|
||||
## 4. Owner Packet 必填欄位
|
||||
|
||||
每個資產群組要從候選進到 reviewer review,至少必須具備:
|
||||
|
||||
`asset_group_id`、`asset_alias`、`owner_role`、`owner_team`、`business_impact`、`technical_scope`、`affected_routes_or_services`、`data_classification`、`redacted_evidence_refs`、`source_of_truth_ref`、`live_state_ref`、`config_diff_ref`、`monitoring_signal_ref`、`wazuh_or_siem_ref`、`kali_scope_ref`、`backup_restore_ref`、`supply_chain_ref`、`secret_absence_attestation`、`raw_payload_absence_attestation`、`maintenance_window`、`rollback_owner`、`postcheck_owner`、`followup_owner`、`decision_reason`。
|
||||
|
||||
## 5. 固定停止線
|
||||
|
||||
以下項目仍維持 `0 / false`:
|
||||
|
||||
- owner response received / accepted。
|
||||
- live evidence accepted。
|
||||
- runtime gate / action button。
|
||||
- host write、SSH read、Nginx reload、firewall change、ArgoCD sync、workflow modification。
|
||||
- secret value collection。
|
||||
- Wazuh active response。
|
||||
- Kali active scan / Kali `/execute`。
|
||||
- Telegram send、SOAR action、auto block、production write。
|
||||
|
||||
## 6. 驗證指令
|
||||
|
||||
```bash
|
||||
python3 scripts/security/security-asset-control-ledger.py \
|
||||
--root . \
|
||||
--generated-at 2026-06-18T13:44:00+08:00 \
|
||||
--output docs/security/security-asset-control-ledger.snapshot.json
|
||||
```
|
||||
|
||||
## 7. 完成度
|
||||
|
||||
| 工作 | 完成度 | 說明 |
|
||||
|------|--------|------|
|
||||
| P0-A repo-side 資安資產控制總帳 | `100%` | 16 個群組、64 個 evidence refs 全部對上 |
|
||||
| owner packet 收件 | `0%` | 尚未收到或接受 owner response |
|
||||
| live evidence 驗收 | `0%` | 未 SSH、未讀 live host、未呼叫 Wazuh / Kali |
|
||||
| runtime / response / containment | `0%` | 未開掃描、封鎖、reload、restart、SOAR、auto block |
|
||||
823
docs/security/security-asset-control-ledger.snapshot.json
Normal file
823
docs/security/security-asset-control-ledger.snapshot.json
Normal file
@@ -0,0 +1,823 @@
|
||||
{
|
||||
"asset_groups": [
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/PUBLIC-GATEWAY-PREFLIGHT-INVENTORY.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/public-gateway-preflight-inventory.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/PUBLIC-GATEWAY-POST-INCIDENT-READBACK-PLAN.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/public-gateway-post-incident-readback-plan.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/PUBLIC-GATEWAY-PREFLIGHT-INVENTORY.md",
|
||||
"docs/security/public-gateway-preflight-inventory.snapshot.json",
|
||||
"docs/security/PUBLIC-GATEWAY-POST-INCIDENT-READBACK-PLAN.md",
|
||||
"docs/security/public-gateway-post-incident-readback-plan.snapshot.json"
|
||||
],
|
||||
"group_id": "public_gateway_nginx",
|
||||
"label": "Nginx / Public Gateway / Route",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 owner-provided live conf、rendered diff、nginx -t、route smoke、rollback owner。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "公開入口、API、WebSocket、ACME、admin route、Ollama proxy",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/DOMAIN-TLS-CERTBOT-INVENTORY.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/domain-tls-certbot-inventory.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/DOMAIN-TLS-CERTBOT-OWNER-RESPONSE-ACCEPTANCE.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/domain-tls-certbot-owner-response-acceptance.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/DOMAIN-TLS-CERTBOT-INVENTORY.md",
|
||||
"docs/security/domain-tls-certbot-inventory.snapshot.json",
|
||||
"docs/security/DOMAIN-TLS-CERTBOT-OWNER-RESPONSE-ACCEPTANCE.md",
|
||||
"docs/security/domain-tls-certbot-owner-response-acceptance.snapshot.json"
|
||||
],
|
||||
"group_id": "dns_tls_certbot",
|
||||
"label": "DNS / TLS / Certbot",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 SAN / wildcard 覆蓋依據、expiry metadata、renewal owner、ACME route owner。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "domain、certificate path、ACME、renewal owner、TLS route",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/HOST-SERVICE-CONFIG-INVENTORY.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/host-service-config-inventory.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/HOST-SERVICE-POST-INCIDENT-READBACK-PLAN.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/host-service-post-incident-readback-plan.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/HOST-SERVICE-CONFIG-INVENTORY.md",
|
||||
"docs/security/host-service-config-inventory.snapshot.json",
|
||||
"docs/security/HOST-SERVICE-POST-INCIDENT-READBACK-PLAN.md",
|
||||
"docs/security/host-service-post-incident-readback-plan.snapshot.json"
|
||||
],
|
||||
"group_id": "host_service_runtime",
|
||||
"label": "Docker / systemd / Host Service",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 live hash metadata、incident readback、restart window、rollback owner、post-check。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "Docker Compose、systemd、repair-bot、port binding、process / persistence baseline",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/SSH-NETWORK-ACCESS-INVENTORY.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/ssh-network-access-inventory.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/SSH-NETWORK-POST-INCIDENT-READBACK-PLAN.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/ssh-network-post-incident-readback-plan.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/SSH-NETWORK-ACCESS-INVENTORY.md",
|
||||
"docs/security/ssh-network-access-inventory.snapshot.json",
|
||||
"docs/security/SSH-NETWORK-POST-INCIDENT-READBACK-PLAN.md",
|
||||
"docs/security/ssh-network-post-incident-readback-plan.snapshot.json"
|
||||
],
|
||||
"group_id": "ssh_firewall_network",
|
||||
"label": "SSH / Firewall / WireGuard / NodePort",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 actor、before / after state、impact、operator notification、restoration evidence。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "SSH target、known_hosts、sudoers、firewall、WireGuard、NetworkPolicy、NodePort",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/k8s-argocd-manifest-inventory.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/K8S-ARGOCD-POST-INCIDENT-READBACK-PLAN.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/k8s-argocd-post-incident-readback-plan.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md",
|
||||
"docs/security/k8s-argocd-manifest-inventory.snapshot.json",
|
||||
"docs/security/K8S-ARGOCD-POST-INCIDENT-READBACK-PLAN.md",
|
||||
"docs/security/k8s-argocd-post-incident-readback-plan.snapshot.json"
|
||||
],
|
||||
"group_id": "k8s_argocd_gitops",
|
||||
"label": "K8s / ArgoCD / GitOps",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 ArgoCD revision、health / sync、rendered manifest diff、rollback revision、postcheck owner。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "K8s manifests、ArgoCD app、RBAC、NetworkPolicy、CronJob、Velero",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/source-control-workflow-secret-name-inventory.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
|
||||
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
|
||||
"docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md",
|
||||
"docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json"
|
||||
],
|
||||
"group_id": "workflow_runner_secret",
|
||||
"label": "Gitea Workflow / Runner / Secret Metadata",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 runner attestation、workspace cleanup、secret injection route、log redaction、Gitea run readback。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "workflow、runner label、deploy key、webhook、secret name parity、redaction guard",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/source-control-primary-readiness-gate.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md",
|
||||
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md",
|
||||
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md",
|
||||
"docs/security/source-control-primary-readiness-gate.snapshot.json"
|
||||
],
|
||||
"group_id": "source_control_repo_visibility",
|
||||
"label": "Gitea / GitHub / Source Control",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 owner response;不得建立 repo、改 visibility、sync refs 或切 primary。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "repo visibility、canonical refs、GitHub primary readiness、branch / tag / workflow boundary",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/WAZUH-IWOOOS-INTRUSION-READBACK-PLAN.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/WAZUH-IWOOOS-INTRUSION-READBACK-PLAN.md",
|
||||
"docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json",
|
||||
"docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md",
|
||||
"docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json"
|
||||
],
|
||||
"group_id": "wazuh_endpoint_siem",
|
||||
"label": "Wazuh / Endpoint / SIEM",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 Wazuh health refs、agent refs、event refs、rule / decoder readback 與 no-raw-payload attestation。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "Wazuh manager、agent、FIM、rule / decoder、event ref、active response dry-run boundary",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/KALI-INTEGRATION-STATUS.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/kali-integration-status.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/kali-112-maintenance-window-draft.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/KALI-INTEGRATION-STATUS.md",
|
||||
"docs/security/kali-integration-status.snapshot.json",
|
||||
"docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md",
|
||||
"docs/security/kali-112-maintenance-window-draft.snapshot.json"
|
||||
],
|
||||
"group_id": "kali_112_assessment",
|
||||
"label": "Kali 112 / Assessment Tooling",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 scope ref、health ref、normalized finding envelope;active scan 與 /execute 仍獨立批准。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "Kali health、tool version、scope、finding envelope、maintenance window",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/MONITORING-ALERTING-OBSERVABILITY-INVENTORY.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/monitoring-alerting-observability-inventory.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/MONITORING-POST-INCIDENT-READBACK-PLAN.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/monitoring-post-incident-readback-plan.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/MONITORING-ALERTING-OBSERVABILITY-INVENTORY.md",
|
||||
"docs/security/monitoring-alerting-observability-inventory.snapshot.json",
|
||||
"docs/security/MONITORING-POST-INCIDENT-READBACK-PLAN.md",
|
||||
"docs/security/monitoring-post-incident-readback-plan.snapshot.json"
|
||||
],
|
||||
"group_id": "monitoring_alerting_observability",
|
||||
"label": "Monitoring / Alerting / Observability",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 route owner、receiver diff、receipt evidence、noise budget、reload owner 與 no-false-green。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "Prometheus、Alertmanager、Telegram route、SigNoz、Sentry、Langfuse、no-false-green",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/BACKUP-RESTORE-ESCROW-INVENTORY.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/backup-restore-escrow-inventory.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/BACKUP-RESTORE-POST-INCIDENT-READBACK-PLAN.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/backup-restore-post-incident-readback-plan.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/BACKUP-RESTORE-ESCROW-INVENTORY.md",
|
||||
"docs/security/backup-restore-escrow-inventory.snapshot.json",
|
||||
"docs/security/BACKUP-RESTORE-POST-INCIDENT-READBACK-PLAN.md",
|
||||
"docs/security/backup-restore-post-incident-readback-plan.snapshot.json"
|
||||
],
|
||||
"group_id": "backup_restore_dr",
|
||||
"label": "Backup / Restore / DR / Escrow",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 restore drill、offsite sync ref、escrow non-secret proof、retention runway、DR scorecard。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "backup scripts、restic、offsite、credential escrow、Velero、restore drill、retention",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/security-supply-chain-contract-manifest.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/evaluations/dependency_supply_chain_drift_monitor_2026-06-18.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md",
|
||||
"docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md",
|
||||
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
|
||||
"docs/evaluations/dependency_supply_chain_drift_monitor_2026-06-18.json"
|
||||
],
|
||||
"group_id": "container_registry_supply_chain",
|
||||
"label": "Harbor / Registry / SBOM / Supply Chain",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 SBOM / VEX / provenance intake、image signing、KEV / EPSS / exposure SLA。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "Harbor、registry、image tag、SBOM、Cosign、SLSA、dependency drift、CVE / KEV",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/public-runtime-config-change-evidence-acceptance.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/public-frontend-sensitive-surface-guard.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/HARD_RULES.md"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md",
|
||||
"docs/security/public-runtime-config-change-evidence-acceptance.snapshot.json",
|
||||
"docs/security/public-frontend-sensitive-surface-guard.snapshot.json",
|
||||
"docs/HARD_RULES.md"
|
||||
],
|
||||
"group_id": "public_admin_api_runtime",
|
||||
"label": "Public / Admin / API / Frontend Runtime",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 route owner、API contract readback、CORS diff、desktop / mobile smoke、bundle sensitive scan。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "public URL、CORS、auth boundary、middleware、webhook、frontend env、i18n redaction",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/AI-PROVIDER-OWNER-RESPONSE-ACCEPTANCE.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/ai-provider-owner-response-acceptance.snapshot.json"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/ai"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/AI-PROVIDER-OWNER-RESPONSE-ACCEPTANCE.md",
|
||||
"docs/security/ai-provider-owner-response-acceptance.snapshot.json",
|
||||
"docs/ai",
|
||||
"docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md"
|
||||
],
|
||||
"group_id": "ai_provider_agent_runtime",
|
||||
"label": "AI Provider / Model Router / Agent Runtime",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 dry-run、benchmark、cost review、privacy review、fallback order 與 rollback owner。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P0",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "OpenClaw、Ollama、NemoTron、Hermes、Gemini、MCP / A2A、tool allowlist、cost / privacy",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C0"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
|
||||
"docs/security/VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md",
|
||||
"docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md",
|
||||
"docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json"
|
||||
],
|
||||
"group_id": "product_surface_runtime_routes",
|
||||
"label": "Product Surface / Runtime Route",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補逐產品 owner、route、admin、API、backup、webhook、rollback 與 validation 指標。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P1",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "AWOOOI、AwoooP、IwoooS、VibeWork、agent-bounty-protocol、StockPlatform、Tsenyang、Bitan",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C1"
|
||||
},
|
||||
{
|
||||
"action_button": 0,
|
||||
"evidence_ref_states": [
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "docs/LOGBOOK.md"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "apps/api/src/services/repair_candidate_service.py"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "apps/api/src/services/telegram_gateway.py"
|
||||
},
|
||||
{
|
||||
"exists": true,
|
||||
"ref": "apps/web/src/app/[locale]/awooop/work-items/page.tsx"
|
||||
}
|
||||
],
|
||||
"evidence_refs": [
|
||||
"docs/LOGBOOK.md",
|
||||
"apps/api/src/services/repair_candidate_service.py",
|
||||
"apps/api/src/services/telegram_gateway.py",
|
||||
"apps/web/src/app/[locale]/awooop/work-items/page.tsx"
|
||||
],
|
||||
"group_id": "automation_asset_sedimentation",
|
||||
"label": "KM / PlayBook / Script / Schedule / Verifier",
|
||||
"live_evidence_accepted": 0,
|
||||
"next_owner_action": "補 incident / approval / manual handoff writeback contract,讓資產總帳從可視化進入可追蹤閉環。",
|
||||
"owner_packet_status": "waiting_asset_owner_packet",
|
||||
"owner_response_accepted": 0,
|
||||
"owner_response_received": 0,
|
||||
"priority": "P1",
|
||||
"raw_payload_allowed": false,
|
||||
"redacted_evidence_refs_required": true,
|
||||
"runtime_gate": 0,
|
||||
"scope": "incident、approval、repair candidate、manual handoff 的自動化資產沉澱",
|
||||
"secret_value_collection_allowed": false,
|
||||
"tier": "C1"
|
||||
}
|
||||
],
|
||||
"blocked_actions": [
|
||||
"ssh_to_host",
|
||||
"read_live_host_log",
|
||||
"write_host_file",
|
||||
"nginx_reload",
|
||||
"certbot_renew",
|
||||
"dns_change",
|
||||
"firewall_change",
|
||||
"wireguard_change",
|
||||
"nodeport_change",
|
||||
"networkpolicy_apply",
|
||||
"kubectl_action",
|
||||
"argocd_sync",
|
||||
"helm_upgrade",
|
||||
"docker_restart",
|
||||
"docker_compose_up",
|
||||
"systemctl_restart",
|
||||
"repair_bot_execute",
|
||||
"ansible_apply",
|
||||
"wazuh_active_response",
|
||||
"wazuh_rule_change",
|
||||
"kali_active_scan",
|
||||
"kali_execute",
|
||||
"nmap_scan",
|
||||
"nuclei_scan",
|
||||
"trivy_live_scan",
|
||||
"package_upgrade",
|
||||
"workflow_modify",
|
||||
"workflow_dispatch",
|
||||
"runner_restart",
|
||||
"secret_read",
|
||||
"secret_rotate",
|
||||
"webhook_modify",
|
||||
"deploy_key_modify",
|
||||
"refs_sync",
|
||||
"force_push",
|
||||
"github_primary_switch",
|
||||
"backup_run",
|
||||
"restore_run",
|
||||
"offsite_sync",
|
||||
"remote_delete",
|
||||
"telegram_send",
|
||||
"soar_case_create",
|
||||
"auto_block",
|
||||
"production_write"
|
||||
],
|
||||
"execution_boundaries": {
|
||||
"action_buttons_allowed": false,
|
||||
"argocd_sync_authorized": false,
|
||||
"auto_block_authorized": false,
|
||||
"firewall_change_authorized": false,
|
||||
"host_write_authorized": false,
|
||||
"kali_active_scan_authorized": false,
|
||||
"kali_execute_authorized": false,
|
||||
"nginx_reload_authorized": false,
|
||||
"not_authorization": true,
|
||||
"production_write_authorized": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"secret_value_collection_allowed": false,
|
||||
"soar_action_authorized": false,
|
||||
"ssh_read_authorized": false,
|
||||
"telegram_send_authorized": false,
|
||||
"wazuh_active_response_authorized": false,
|
||||
"workflow_modification_authorized": false
|
||||
},
|
||||
"generated_at": "2026-06-18T13:44:00+08:00",
|
||||
"git_commit": "c7597df2",
|
||||
"outcome_lanes": [
|
||||
"waiting_asset_owner_packet",
|
||||
"request_gateway_supplement",
|
||||
"request_host_service_supplement",
|
||||
"request_network_supplement",
|
||||
"request_wazuh_kali_supplement",
|
||||
"request_backup_restore_supplement",
|
||||
"request_supply_chain_supplement",
|
||||
"request_product_surface_supplement",
|
||||
"quarantine_secret_or_raw_payload",
|
||||
"ready_for_security_reviewer_review"
|
||||
],
|
||||
"required_owner_fields": [
|
||||
"asset_group_id",
|
||||
"asset_alias",
|
||||
"owner_role",
|
||||
"owner_team",
|
||||
"business_impact",
|
||||
"technical_scope",
|
||||
"affected_routes_or_services",
|
||||
"data_classification",
|
||||
"redacted_evidence_refs",
|
||||
"source_of_truth_ref",
|
||||
"live_state_ref",
|
||||
"config_diff_ref",
|
||||
"monitoring_signal_ref",
|
||||
"wazuh_or_siem_ref",
|
||||
"kali_scope_ref",
|
||||
"backup_restore_ref",
|
||||
"supply_chain_ref",
|
||||
"secret_absence_attestation",
|
||||
"raw_payload_absence_attestation",
|
||||
"maintenance_window",
|
||||
"rollback_owner",
|
||||
"postcheck_owner",
|
||||
"followup_owner",
|
||||
"decision_reason"
|
||||
],
|
||||
"reviewer_checks": [
|
||||
"asset alias 不得暴露個人 namespace",
|
||||
"owner role / team 必填",
|
||||
"source-of-truth 必須可追溯",
|
||||
"live evidence 只能收脫敏 ref",
|
||||
"secret value / hash / partial token 一律拒收",
|
||||
"raw Wazuh / raw Kali output 一律拒收",
|
||||
"Nginx / firewall / K8s / workflow 變更需獨立 runtime approval",
|
||||
"route 200 不得當資安完成",
|
||||
"dashboard 可見不得當 remediation 完成",
|
||||
"backup 存在不得當 restore drill 完成",
|
||||
"Kali 納入範圍不得當 active scan 授權",
|
||||
"Wazuh event 可見不得當 active response 授權",
|
||||
"repo snapshot 不得當 live host truth",
|
||||
"事故後回讀需含 actor、before / after、impact、postcheck",
|
||||
"no-false-green 必須明確標示",
|
||||
"owner response received / accepted 必須維持 0,除非有實際收件",
|
||||
"runtime gate 必須維持 0",
|
||||
"action button 必須維持 0",
|
||||
"Gitea / GitHub refs 不得自動同步",
|
||||
"GitHub primary 不得自動切換",
|
||||
"Telegram 不得實發",
|
||||
"SOAR 不得 auto block",
|
||||
"AI agent 不得讀 secret 或 host write",
|
||||
"LOGBOOK 不得包含內部對話逐字稿"
|
||||
],
|
||||
"schema_version": "security_asset_control_ledger_v1",
|
||||
"status": "security_asset_control_ledger_ready_no_runtime_action",
|
||||
"summary": {
|
||||
"action_button_count": 0,
|
||||
"active_scan_authorized_count": 0,
|
||||
"asset_group_count": 16,
|
||||
"auto_block_authorized_count": 0,
|
||||
"blocked_action_count": 44,
|
||||
"c0_asset_group_count": 14,
|
||||
"c1_asset_group_count": 2,
|
||||
"evidence_ref_count": 64,
|
||||
"existing_evidence_ref_count": 64,
|
||||
"host_write_authorized_count": 0,
|
||||
"iwooos_headline_progress_percent": 64,
|
||||
"kali_execute_authorized_count": 0,
|
||||
"live_evidence_accepted_count": 0,
|
||||
"missing_evidence_ref_count": 0,
|
||||
"outcome_lane_count": 10,
|
||||
"owner_packet_required_count": 16,
|
||||
"owner_response_accepted_count": 0,
|
||||
"owner_response_received_count": 0,
|
||||
"p0_asset_group_count": 14,
|
||||
"p1_asset_group_count": 2,
|
||||
"raw_payload_stored_count": 0,
|
||||
"required_owner_field_count": 24,
|
||||
"reviewer_check_count": 24,
|
||||
"runtime_gate_count": 0,
|
||||
"secret_value_collected_count": 0,
|
||||
"security_asset_control_ledger_completion_percent": 100,
|
||||
"soar_action_authorized_count": 0,
|
||||
"wazuh_active_response_authorized_count": 0
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user