docs(security): 補開發主機 scope handoff [skip ci]

This commit is contained in:
Your Name
2026-06-04 20:40:37 +08:00
parent 65bdfd1de3
commit 920c9a2d41
6 changed files with 761 additions and 9 deletions

View File

@@ -0,0 +1,130 @@
# 111 / 168 開發主機 Scope Handoff
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-04 |
| 狀態 | 草案,等待 owner review |
| Hosts | `192.168.0.111``192.168.0.168` |
| Asset keys | `host:dev-ai-111``host:dev-workstation-168` |
| Schema | `docs/schemas/dev_host_scope_handoff_v1.schema.json` |
| Snapshot | `docs/security/dev-hosts-111-168-scope-handoff.snapshot.json` |
| 上游證據 | `docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md``docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md` |
| 模式 | `scope_handoff_only` |
| 執行面授權 | `false` |
## 0. 核心結論
P1-8 補的是 `192.168.0.111``192.168.0.168` 的開發主機 scope / credential / rollback / validation handoff。這不是主機維護批准、不是 credentialed scan、不是 active scan也不是 Ollama fallback route 變更。
本階段只把 owner / reviewer 未來需要看的資料整理成只讀封套:
| 主機 | 角色 | 本階段輸出 | 仍未授權 |
|------|------|------------|----------|
| `192.168.0.111` | Local AI / Ollama fallback / 開發輔助主機 | fallback route truth、model inventory、service posture、SSH policy posture、AI route smoke 指標 | 停止模型、重啟服務、改 fallback route、credentialed scan、active scan |
| `192.168.0.168` | 開發工作站 / local development origin | repo hygiene、dev-only CORS、local service exposure、credential refusal、rollback / disable note | 讀取未授權目錄、掃描個人資料、credentialed scan、CORS / firewall / service 變更 |
## 1. 摘要
| 指標 | 值 |
|------|----|
| dev host scope handoff package | `ready` |
| package completion | `100%` |
| host change authorized | `false` |
| fallback route change authorized | `false` |
| credentialed scan authorized | `false` |
| active scan authorized | `false` |
| secret value collection authorized | `false` |
| owner response received / accepted | `false / false` |
| host execution completion | `0%` |
## 2. Owner Response Handoff
此 handoff 只讓 AwoooP 或 reviewer 請 owner 補開發主機 scope metadata。它不是 request sent、不是 approval queue也不是可執行動作。
### 2.1 必填欄位
| 欄位 | 說明 |
|------|------|
| `owner_role_or_team` | Dev Host Steward 或實際維護角色 / 團隊 |
| `host_scope_boundary` | 允許觀察的路徑、服務、repo、port 類型與排除範圍 |
| `decision` | 允許值:`confirm_observe_only``defer``reject``request_more_evidence` |
| `decision_reason` | 為何接受 / 延後 / 拒絕此只讀 scope |
| `affected_scope` | 影響主機、服務、repo、Ollama route、CORS 或 local origin |
| `maintenance_window_expectation` | 若未來要維護owner 需指定台北時間窗口;目前不得自動指定 |
| `credential_handling_confirmation` | 確認只收 present / absent、脫敏 metadata pointer不收 secret value |
| `rollback_owner` | 未來停用、回復 route、回復 CORS、停止觀察或撤回 evidence 的 owner |
| `validation_metrics_owner` | post-check / smoke / evidence readback 的 owner |
| `redacted_evidence_refs` | 只填文件、snapshot、ticket、hash 或脫敏 metadata pointer |
| `followup_owner` | 補件、拒收或下一階段 owner |
### 2.2 禁止輸入
| 類型 | 規則 |
|------|------|
| credential | 不貼模型 API key、SSH 密碼、private key、token value、cookie、session、authorization header、personal credential |
| secret derivative | 不貼可還原 secret 的 hash、masked token、partial token 或截圖 |
| host command | 不貼 SSH command、service restart、firewall change、model stop / pull / delete、CORS apply command |
| scan request | 不把 active scan、credentialed scan、個人資料掃描或未授權目錄讀取包進 scope |
| runtime action | 不新增 AwoooP action button不開 runtime blocking control不改 fallback route |
## 3. Host Scope 草案
| Host | Scope lane | 目的 | 目前授權 |
|------|------------|------|----------|
| `192.168.0.111` | Ollama fallback truth | 對齊 ADR-110 三層路由與 local fallback 事實來源,確認 evidence ref 與 owner | `false` |
| `192.168.0.111` | model inventory posture | 只收模型清單摘要、模型數量、版本 / tag metadata 與 list hash不收 prompt、token 或私有資料 | `false` |
| `192.168.0.111` | service / SSH policy posture | 只收服務狀態摘要與 SSH policy posture不登入、不改 service | `false` |
| `192.168.0.168` | local development origin | 確認 168 作為本機開發來源、preview origin、dev-only CORS 候選,不改 runtime | `false` |
| `192.168.0.168` | repo hygiene | 只收 repo 層級 hygiene 摘要、secret scan summary、dirty worktree policy不讀未授權目錄 | `false` |
| `192.168.0.168` | local service exposure | 只收服務清單摘要、port 類型、owner 與 disable note不做 port scan 或 firewall 變更 | `false` |
## 4. Credential Handling
1. 只能記錄 `present` / `absent`、owner role、scope、來源文件或脫敏 evidence ref。
2. 不保存、回顯或轉貼任何 secret value、private key、token、cookie、session、authorization header、model API key、SSH password 或個人憑證。
3. 若 evidence 夾帶 raw credential必須隔離為 `quarantine_required`,不得納入 snapshot。
4. 若需要 credentialed scan必須另開獨立人工批准、credential handling plan、audit trail、rollback 與 post-check本 handoff 不授權。
5. 168 的個人目錄、私有資料夾、瀏覽器 profile、通訊軟體資料與未授權 repo 預設排除。
## 5. 維護窗口草案
| Host | 維護窗口狀態 | 本階段允許 | 本階段禁止 |
|------|--------------|------------|------------|
| `192.168.0.111` | `waiting_owner_selection` | owner 指定未來低流量窗口、停止條件、rollback owner、route validation 指標 | 停止模型、重啟 Ollama、pull / delete model、改 `OLLAMA_*` route、改 firewall |
| `192.168.0.168` | `waiting_owner_selection` | owner 指定未來 repo hygiene / local service review 窗口、排除範圍、disable note | credentialed scan、讀私有目錄、改 CORS、關閉服務、改本機防火牆 |
## 6. Rollback / Disable 草案
| Host | rollback / disable item | 需要證據 | owner 狀態 |
|------|-------------------------|----------|------------|
| `192.168.0.111` | fallback route rollback | route before / after refs、fallback owner、AI route smoke、stop condition | waiting owner assignment |
| `192.168.0.111` | model service rollback | service state ref、model inventory hash before / after、operator notice owner | waiting owner assignment |
| `192.168.0.168` | dev CORS rollback | current allowed origins ref、candidate change note、disable owner、browser smoke plan | waiting owner assignment |
| `192.168.0.168` | local service disable / restore | service list summary、owner、restore note、post-check ref | waiting owner assignment |
## 7. Validation Metrics
| Host | 指標 | 說明 |
|------|------|------|
| `192.168.0.111` | Ollama route truth | GCP-A、GCP-B、local 111 fallback 的設定與 health evidence ref 是否一致 |
| `192.168.0.111` | fallback availability | local fallback 可用性摘要,不等於可改路由或重啟服務 |
| `192.168.0.111` | model list hash | 模型清單摘要 / hash用於漂移判讀不保存 prompt 或資料內容 |
| `192.168.0.111` | service status | Ollama / proxy / AI route 相關服務狀態摘要 |
| `192.168.0.111` | AI route smoke | 只讀 smoke evidence ref若要實際改 route 必須另行批准 |
| `192.168.0.168` | repo secret scan summary | repo 層級摘要;不得收 secret value、partial token 或私人目錄內容 |
| `192.168.0.168` | local service list summary | owner 提供或授權的 local service summary不做未批准 port scan |
| `192.168.0.168` | CORS origin review | dev-only origin 是否與 production public domain 邊界一致 |
| `192.168.0.168` | rollback / disable note | 若未來需關閉 dev exposure 或回復設定owner 與步驟是否已指定 |
## 8. 驗收規則
1. 本 handoff 完成不代表 owner response 已收到、已接受或已批准。
2. `192.168.0.111` 的 fallback route truth 只能作為 observe-only evidence不得改 `OLLAMA_URL``OLLAMA_SECONDARY_URL``OLLAMA_FALLBACK_URL` 或任何 proxy route。
3. `192.168.0.168` 的 repo / CORS / service exposure 只能作為 scope review不得讀取未授權目錄或個人資料。
4. 所有 credential / secret 類資料只能記錄脫敏 metadataraw value 一律拒收或隔離。
5. 維護窗口、rollback owner、validation owner 到齊前,不得做 host change、service restart、active scan、credentialed scan 或 runtime gate。
6. 未來 post-check 失敗只能建立人工 follow-up不得自動修復。
## 9. 階段定位
P1-8 只把 111 / 168 從「observe-only mapping 已宣告」推到「owner / reviewer 可照表審 scope、credential、rollback 與 validation」。它不改主機、不改 AI route、不開 runtime gate、不啟動掃描也不提高 IwoooS headline 64%。

View File

@@ -3,7 +3,7 @@
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-04 |
| 狀態 | observe-only mapping + 維護準備規範;尚未寫入 DB / inventory seed |
| 狀態 | observe-only mapping + 維護準備 / scope handoff 規範;尚未寫入 DB / inventory seed |
| 範圍 | Kali 資安主機與兩台開發主機 |
| 上游 | `docs/security/KALI-SECURITY-MESH-BLUEPRINT.md` |
@@ -37,10 +37,21 @@
| Host | scope | maintenance window | credential handling | rollback owner | validation 指標 |
|------|-------|--------------------|---------------------|----------------|-----------------|
| `192.168.0.112` | Kali scanner health、tool version、package posture、`networking.service`、service hardening readinessP1-7 草案見 `KALI-112-MAINTENANCE-WINDOW-DRAFT.md` | 待人工指定目前不得更新、重啟、hardening 或 active scan | SSH key / token 狀態只可記錄 present / absent不得保存密碼、token value、private key | Security Supply Chain 指派後才可動作 | scanner health、node exporter、wg-easy、pending updates、failed services、reboot required、post-check screenshot / log ref |
| `192.168.0.111` | Ollama fallback、model inventory、host reachability、SSH policy posture、fallback readiness | 待人工指定;目前不得停止模型、重啟服務或改 fallback route | 不收模型 API key、SSH 密碼private key只保存脫敏 evidence ref | Dev Host Steward 指派後才可動作 | Ollama route truth、fallback availability、model list hash、service status、AI route smoke |
| `192.168.0.168` | local development origin、repo hygiene、dev-only CORS、local service exposure | 待人工指定;目前不得 credentialed scan讀取未授權目錄 | 不收個人憑證、不讀私有目錄、不保存 secrets value | Dev Host Steward 指派後才可動作 | repo secret scan summary、local service list summary、CORS origin review、rollback / disable note |
| `192.168.0.111` | Ollama fallback、model inventory、host reachability、SSH policy posture、fallback readinessP1-8 草案見 `DEV-HOSTS-111-168-SCOPE-HANDOFF.md` | 待人工指定;目前不得停止模型、重啟服務或改 fallback route | 不收模型 API key、SSH 密碼private key、token、cookie、authorization header 或任何可還原 secret derivative;只保存脫敏 evidence ref | Dev Host Steward 指派後才可動作 | Ollama route truth、fallback availability、model list hash、service status、AI route smoke |
| `192.168.0.168` | local development origin、repo hygiene、dev-only CORS、local service exposureP1-8 草案見 `DEV-HOSTS-111-168-SCOPE-HANDOFF.md` | 待人工指定;目前不得 credentialed scan讀取未授權目錄、讀個人資料或改 CORS / firewall / service | 不收個人憑證、不讀私有目錄、不保存 secrets value、secret hash、masked token 或 partial token | Dev Host Steward 指派後才可動作 | repo secret scan summary、local service list summary、CORS origin review、rollback / disable note |
## 1.2 目前已知 112 缺口
## 1.2 目前已知 111 / 168 缺口
| 缺口 | 狀態 | 邊界 |
|------|------|------|
| `192.168.0.111` Ollama fallback route truth | P1-8 scope handoff 已建立owner response 未收 | 不改 `OLLAMA_URL``OLLAMA_SECONDARY_URL``OLLAMA_FALLBACK_URL`、proxy route 或 model runtime |
| `192.168.0.111` model inventory posture | 只允許收模型清單摘要 / hash 與 owner evidence ref | 不收 prompt、token、API key、私有資料或模型操作命令 |
| `192.168.0.111` service / SSH policy posture | 只允許收服務狀態摘要與 policy posture | 不 SSH、不 restart、不改 firewall、不停止模型 |
| `192.168.0.168` local development origin | P1-8 scope handoff 已建立owner response 未收 | 不改 dev-only CORS、不改 production route、不把 local origin 當 production 授權 |
| `192.168.0.168` repo hygiene / secret summary | 只允許 repo 層級摘要與脫敏 evidence ref | 不讀未授權目錄、不收 secret value / hash / partial token、不掃描個人資料 |
| `192.168.0.168` local service exposure | 只允許 owner 提供或授權的 service summary | 不 port scan、不改 firewall、不停止服務 |
## 1.3 目前已知 112 缺口
| 缺口 | 狀態 | 邊界 |
|------|------|------|
@@ -104,4 +115,4 @@ AwoooP 初期不做:
## 6. IwoooS 顯示邊界
IwoooS 可以顯示 112 / 111 / 168 的 observe-only 狀態、維護準備欄位、缺口與下一步但不得顯示或提供任何會直接觸發主機命令、掃描、更新、重啟、hardening、credentialed scan、firewall/RBAC/NetworkPolicy 修改或 `/execute` 的 action button。
IwoooS 可以顯示 112 / 111 / 168 的 observe-only 狀態、維護準備欄位、scope handoff、缺口與下一步但不得顯示或提供任何會直接觸發主機命令、掃描、更新、重啟、hardening、credentialed scan、fallback route change、CORS / firewall / service 修改、firewall/RBAC/NetworkPolicy 修改或 `/execute` 的 action button。

View File

@@ -0,0 +1,311 @@
{
"schema_version": "dev_host_scope_handoff_v1",
"status": "draft_waiting_owner_review",
"date": "2026-06-04",
"mode": "scope_handoff_only",
"source_evidence_refs": [
"docs/security/DEV-HOSTS-112-111-168-OBSERVE-ONLY-MAPPING.md",
"docs/security/KALI-SCAN-SCOPE-APPROVAL-PACKAGE.md",
"docs/security/IWOOOS-POSTURE-PROJECTION.md",
"docs/workplans/2026-06-04-iwooos-security-governance-p0.md",
"/Users/ogt/.claude/projects/-Users-ogt-awoooi/memory/feedback_ollama_111_only.md",
"/Users/ogt/.claude/projects/-Users-ogt-awoooi/memory/feedback_secret_debug_output_ban.md",
"/Users/ogt/.claude/projects/-Users-ogt-awoooi/memory/feedback_ssh_command_security.md"
],
"summary": {
"hosts": [
"192.168.0.111",
"192.168.0.168"
],
"asset_keys": [
"host:dev-ai-111",
"host:dev-workstation-168"
],
"scope_handoff_package_ready": true,
"scope_handoff_completion_percent": 100,
"host_execution_completion_percent": 0,
"owner_response_received": false,
"owner_response_accepted": false,
"host_change_authorized": false,
"fallback_route_change_authorized": false,
"credentialed_scan_authorized": false,
"active_scan_authorized": false,
"secret_value_collection_authorized": false,
"runtime_execution_authorized": false,
"action_buttons_allowed": false
},
"hosts": [
{
"host": "192.168.0.111",
"asset_key": "host:dev-ai-111",
"role": "Local AI / Ollama fallback / 開發輔助主機",
"mode": "observe_only",
"scope_lanes": [
{
"lane_id": "ollama-fallback-truth",
"description": "對齊 ADR-110 三層路由與 local fallback 事實來源,確認 evidence ref 與 owner。",
"validation_metrics": [
"Ollama route truth",
"fallback availability",
"AI route smoke"
],
"current_authorized": false
},
{
"lane_id": "model-inventory-posture",
"description": "只收模型清單摘要、模型數量、版本 / tag metadata 與 list hash不收 prompt、token 或私有資料。",
"validation_metrics": [
"model list hash",
"model tag summary",
"inventory owner ref"
],
"current_authorized": false
},
{
"lane_id": "service-ssh-policy-posture",
"description": "只收服務狀態摘要與 SSH policy posture不登入、不改 service。",
"validation_metrics": [
"service status summary",
"SSH policy posture",
"rollback owner ref"
],
"current_authorized": false
}
],
"maintenance_window": {
"window_status": "waiting_owner_selection",
"allowed_metadata": [
"future low-traffic window",
"stop condition",
"rollback owner",
"route validation metrics"
],
"forbidden_actions": [
"stop_model",
"restart_ollama",
"pull_model",
"delete_model",
"change_ollama_route",
"change_firewall"
]
},
"rollback_plan_draft": [
{
"rollback_item": "fallback route rollback",
"required_evidence": [
"route before / after refs",
"fallback owner",
"AI route smoke",
"stop condition"
],
"owner_status": "waiting_owner_assignment"
},
{
"rollback_item": "model service rollback",
"required_evidence": [
"service state ref",
"model inventory hash before / after",
"operator notice owner"
],
"owner_status": "waiting_owner_assignment"
}
]
},
{
"host": "192.168.0.168",
"asset_key": "host:dev-workstation-168",
"role": "開發工作站 / local development origin",
"mode": "observe_only",
"scope_lanes": [
{
"lane_id": "local-development-origin",
"description": "確認 168 作為本機開發來源、preview origin、dev-only CORS 候選,不改 runtime。",
"validation_metrics": [
"CORS origin review",
"local origin owner ref",
"production boundary note"
],
"current_authorized": false
},
{
"lane_id": "repo-hygiene",
"description": "只收 repo 層級 hygiene 摘要、secret scan summary、dirty worktree policy不讀未授權目錄。",
"validation_metrics": [
"repo secret scan summary",
"repo owner ref",
"dirty worktree policy"
],
"current_authorized": false
},
{
"lane_id": "local-service-exposure",
"description": "只收服務清單摘要、port 類型、owner 與 disable note不做 port scan 或 firewall 變更。",
"validation_metrics": [
"local service list summary",
"service owner ref",
"rollback / disable note"
],
"current_authorized": false
}
],
"maintenance_window": {
"window_status": "waiting_owner_selection",
"allowed_metadata": [
"future repo hygiene review window",
"future local service review window",
"excluded directories",
"disable note owner"
],
"forbidden_actions": [
"credentialed_scan",
"read_private_directory",
"change_cors",
"stop_service",
"change_local_firewall"
]
},
"rollback_plan_draft": [
{
"rollback_item": "dev CORS rollback",
"required_evidence": [
"current allowed origins ref",
"candidate change note",
"disable owner",
"browser smoke plan"
],
"owner_status": "waiting_owner_assignment"
},
{
"rollback_item": "local service disable / restore",
"required_evidence": [
"service list summary",
"owner",
"restore note",
"post-check ref"
],
"owner_status": "waiting_owner_assignment"
}
]
}
],
"owner_response_handoff": {
"status": "ready_not_dispatched",
"request_dispatch_authorized": false,
"required_response_fields": [
"owner_role_or_team",
"host_scope_boundary",
"decision",
"decision_reason",
"affected_scope",
"maintenance_window_expectation",
"credential_handling_confirmation",
"rollback_owner",
"validation_metrics_owner",
"redacted_evidence_refs",
"followup_owner"
],
"allowed_decisions": [
"confirm_observe_only",
"defer",
"reject",
"request_more_evidence"
],
"forbidden_inputs": [
"model API key value",
"SSH password",
"private key",
"token value",
"cookie",
"session",
"authorization header",
"personal credential",
"secret hash",
"masked token",
"partial token",
"command to execute",
"service restart request",
"firewall change request",
"model stop request",
"CORS apply request",
"active scan request",
"credentialed scan request",
"private directory content"
],
"response_received": false,
"response_accepted": false
},
"credential_handling": {
"policy": "metadata_only_no_secret_value",
"allowed_evidence": [
"present / absent",
"owner role",
"scope",
"document ref",
"ticket ref",
"redacted metadata pointer"
],
"forbidden_evidence": [
"secret value",
"private key",
"token",
"cookie",
"session",
"authorization header",
"model API key",
"SSH password",
"personal credential",
"reversible secret hash",
"partial token",
"raw screenshot containing credential"
],
"quarantine_required_on_plaintext_credential": true,
"secret_value_collection_authorized": false
},
"validation_metrics": [
{
"host": "192.168.0.111",
"metrics": [
"Ollama route truth",
"fallback availability",
"model list hash",
"service status",
"AI route smoke"
]
},
{
"host": "192.168.0.168",
"metrics": [
"repo secret scan summary",
"local service list summary",
"CORS origin review",
"rollback / disable note"
]
}
],
"acceptance_rules": [
"本 handoff 完成不代表 owner response 已收到、已接受或已批准。",
"192.168.0.111 的 fallback route truth 只能作為 observe-only evidence不得改 OLLAMA_URL、OLLAMA_SECONDARY_URL、OLLAMA_FALLBACK_URL 或 proxy route。",
"192.168.0.168 的 repo / CORS / service exposure 只能作為 scope review不得讀取未授權目錄或個人資料。",
"所有 credential / secret 類資料只能記錄脫敏 metadataraw value 一律拒收或隔離。",
"維護窗口、rollback owner、validation owner 到齊前,不得做 host change、service restart、active scan、credentialed scan 或 runtime gate。",
"未來 post-check 失敗只能建立人工 follow-up不得自動修復。"
],
"forbidden_actions": [
"ssh_to_host",
"read_private_directory",
"credentialed_scan",
"active_scan",
"port_scan",
"stop_model",
"pull_model",
"delete_model",
"restart_ollama",
"change_ollama_route",
"change_cors",
"change_firewall",
"change_service",
"store_credential_value",
"enable_runtime_blocking_control",
"add_awooop_action_button"
]
}