feat(iwooos): 新增 CD runner secret 事故回讀 gate
Some checks failed
Code Review / ai-code-review (push) Successful in 15s
CD Pipeline / tests (push) Successful in 1m43s
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled

This commit is contained in:
Your Name
2026-06-16 11:42:38 +08:00
parent 7db05e0089
commit bb459d59f9
15 changed files with 3044 additions and 41 deletions

View File

@@ -0,0 +1,122 @@
# CD / Runner / Secret injection 事故後回讀只讀計畫
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-16 |
| 狀態 | `post_incident_readback_plan_ready_no_runtime_action` |
| 工具 | `scripts/security/cd-runner-secret-injection-post-incident-readback-plan.py` |
| Snapshot | `docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json` |
| Source evidence | `docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
此計畫補在 CD / runner / secret injection change evidence acceptance 之後專門處理事故後回讀workflow / runner / secret injection 相關異常或變更後owner 必須回讀 actor、時間窗、workflow diff state、runner attestation、secret name parity、secret injection route、step-env secret guard、log redaction、deploy marker、Gitea run、webhook / notification receipt、before / after deploy state、rollback、post-check 與防再發。
它只處理 metadata-only evidence ref不呼叫 Gitea / GitHub API、不讀 secret store、不讀 secret value、不修改 workflow、不啟用 runner、不 rotate secret、不 dispatch workflow、不觸發部署也不把 CD success、deploy marker、workflow success、route `200`、runner online、AwoooP approval 或 UI 可見狀態當成 runtime 授權。
## 2. 固定範圍
| 指標 | 數值 | 解讀 |
|------|------|------|
| `readback_candidate_count` | `5` | CD pipeline、Code Review、Deploy alerts、Runner attestation、Secret parity / injection owner 五類候選 |
| `c0_readback_candidate_count` | `4` | CD、Code Review、Runner、Secret parity 為 C0 |
| `c1_readback_candidate_count` | `1` | Deploy alerts / monitoring route 為 C1 |
| `write_capable_readback_candidate_count` | `5` | 五類都可能影響 workflow、runner、secret injection、通知或部署路徑 |
| `secret_sensitive_readback_candidate_count` | `5` | 五類都必須檢查 secret value / hash / partial token / runner token 不可出現 |
| `runner_or_workflow_readback_candidate_count` | `5` | 五類都必須回讀 workflow / runner 邊界 |
| `deploy_or_run_readback_required_candidate_count` | `5` | 五類都需要 deploy marker 或 Gitea run readback / 不適用理由 |
| `required_readback_field_count` | `33` | 事故後回讀必填欄位 |
| `reviewer_check_count` | `30` | reviewer 必檢規則 |
| `outcome_lane_count` | `11` | 收件結果分流 |
| `blocked_action_count` | `52` | 明確禁止動作 |
## 3. 必填事故後回讀欄位
每筆事故後回讀至少需要:
1. `incident_or_change_ref`
2. `actor_attribution_ref`
3. `change_time_window_ref`
4. `change_intent_or_break_glass_ref`
5. `workflow_diff_state_ref`
6. `runner_attestation_state_ref`
7. `runner_executor_host_readback_ref`
8. `runner_workspace_cleanup_readback_ref`
9. `runner_permission_scope_ref`
10. `secret_name_parity_state_ref`
11. `secret_injection_route_state_ref`
12. `step_env_secret_guard_result_ref`
13. `log_redaction_readback_ref`
14. `deploy_marker_readback_ref`
15. `gitea_action_run_readback_ref`
16. `webhook_delivery_state_ref`
17. `deploy_key_branch_protection_codeowners_ref`
18. `notification_delivery_receipt_ref`
19. `before_after_deploy_state_ref`
20. `affected_route_or_service_state_ref`
21. `cross_project_sync_ref`
22. `rollback_validation_ref`
23. `postcheck_evidence_ref`
24. `post_change_monitoring_ref`
25. `recurrence_guard_ref`
26. `maintenance_window`
27. `rollback_owner`
28. `followup_owner`
29. `redacted_evidence_refs`
30. `no_secret_value_attestation`
31. `no_raw_workflow_payload_attestation`
32. `no_unredacted_log_attestation`
33. `no_false_green_attestation`
以上欄位都只能保存脫敏 ref、commit、artifact pointer、run id、job id、ticket 或 hash。不得貼 secret value、secret hash、masked token、partial token、runner token、webhook secret、private key、deploy key private material、cookie、authorization header、完整 credential URL、未脫敏 action log 或未脫敏截圖。
## 4. Reviewer checks
Reviewer 必須確認:
- 來源 change evidence acceptance snapshot 是目前版本。
- incident / change ref、actor、時間窗、intent / break-glass reason 都存在。
- workflow diff state 只以 ref 呈現,不保存 raw workflow payload。
- runner label、executor、host alias、workspace cleanup、permission scope 與 hosted runner 風險可追溯。
- secret name parity、secret injection route、step-env secret guard 與 log redaction readback 完整。
- deploy marker 與 Gitea run readback 只能作證據,不代表 runtime approval。
- webhook delivery、deploy key、branch protection、CODEOWNERS、notification receipt 與跨專案同步影響已標示。
- rollback validation、post-check、post-change monitoring 與 recurrence guard 已明確列出。
- 不把 CD success、deploy marker、workflow success、route `200`、runner online、UI 可見或 AwoooP approval 當驗收。
## 5. Outcome lanes
| Lane | 說明 |
|------|------|
| `waiting_post_incident_readback` | 尚未收到事故後回讀包 |
| `request_actor_or_time_supplement` | 缺 actor、時間窗、intent 或 break-glass reason |
| `request_workflow_runner_supplement` | 缺 workflow diff、runner attestation、executor / host、workspace cleanup 或 permission scope |
| `request_secret_injection_supplement` | 缺 secret name parity、injection route、step-env guard 或 log redaction readback |
| `request_deploy_run_supplement` | 缺 deploy marker、Gitea run readback、before / after deploy state 或 post-check |
| `request_webhook_notification_supplement` | 缺 webhook delivery、notification receipt、SRE route owner 或 cross-project sync |
| `quarantine_sensitive_payload` | 收到敏感值、runner token、webhook secret、private key、未脫敏 log 或截圖時隔離 |
| `reject_false_green_claim` | 把 CD success、deploy marker、workflow success、route `200`、runner online、UI 可見或 AwoooP approval 當驗收時拒收 |
| `ready_for_cd_runner_secret_post_incident_review` | metadata 合格後進 reviewer review |
| `recurrence_guard_backfill_required` | 需補防再發 guard、owner review、change freeze、automation block 或 runner isolation plan |
| `waiting_runtime_gate` | 即使 readback acceptedruntime gate 仍需獨立人工批准 |
## 6. 禁止動作
此計畫明確禁止修改 workflow、未批准 dispatch workflow、啟用 / 安裝 / 重啟 runner、修改 runner label、使用 runner admin token、啟用 GitHub hosted runner、收集 secret value / hash / partial token / runner token / webhook secret / deploy key private material、保存 raw workflow payload / 未脫敏 action log、建立 / 更新 / rotate / 刪除 repo secret、讀 secret store、修改 secret injection path、修改 webhook、修改 deploy key、修改 branch protection、修改 CODEOWNERS、sync refs、force push、切 GitHub primary、停用 Gitea、把 CD pipeline 當 action 執行、注入 K8s secret、ArgoCD sync、production deploy、新增 action button 或開 runtime gate。
## 7. 完成度與邊界
| 工作 | 完成度 | 邊界 |
|------|--------|------|
| CD / Runner / Secret injection post-incident readback plan | `100%` | 只讀計畫與 snapshot 已建立 |
| Secret metadata 只讀治理成熟度 | `68% -> 70%` | 只代表事故後回讀欄位補齊,不代表可讀或可改 secret |
| Gitea workflow / runner source-control 只讀治理成熟度 | `72% -> 74%` | 只代表 workflow / runner 事故後回讀欄位補齊,不代表 workflow / runner 可修改 |
| post-incident readback received / accepted | `0%` | 尚未收到或接受任何事故後回讀 |
| runtime gate | `0` | 不開 workflow、runner、secret、deploy、ArgoCD 或 production action |
## 8. 下一步
1. 要求 owner 只提供事故後 readback refworkflow diff state、runner attestation、secret name parity、secret injection route、Gitea run readback、guard result、deploy marker、notification receipt、rollback owner 與 post-check evidence。
2. reviewer 只檢查 metadata 完整性、no-secret-value、log redaction 與 no-false-green不保存 raw workflow payload、raw action log 或 credential material。
3. 若未來要進 runtime approval package必須另開維護窗口、rollback owner、跨專案同步與 production post-check gate。

View File

@@ -46,6 +46,8 @@
固定數字為 `change_evidence_candidate_count=5``c0_change_evidence_candidate_count=4``c1_change_evidence_candidate_count=1``write_capable_candidate_count=5``local_workflow_file_count=33``local_referenced_secret_name_count=42``runner_label_count=5``required_evidence_field_count=19``reviewer_check_count=19``outcome_lane_count=8``blocked_action_count=32`。此更新讓 `secret_metadata``66%` 推進到 `68%`,讓 `gitea_workflow_runner_source_control``70%` 推進到 `72%`workflow diff、runner attestation、secret name parity、secret injection route、deploy marker readback、guard result、post-check evidence、runtime approval package、workflow 修改、runner 啟用、secret rotation、repo secret change、Gitea action dispatch、production deploy 與 runtime gate 仍全部為 `0 / false`
2026-06-16 再新增 `docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md``docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json`,將同一批 CD pipeline、Code Review、Deploy alerts、Runner attestation 與 Secret parity / injection owner 轉成事故後回讀計畫。固定 `readback_candidate_count=5``c0_readback_candidate_count=4``c1_readback_candidate_count=1``write_capable_readback_candidate_count=5``required_readback_field_count=33``reviewer_check_count=30``outcome_lane_count=11``blocked_action_count=52`,讓 `secret_metadata``68%` 推進到 `70%`,讓 `gitea_workflow_runner_source_control``72%` 推進到 `74%`,高價值配置平均維持 `71%`,需 live evidence 類別仍為 `9`。此更新只補上 actor、時間窗、workflow diff state、runner executor / host、workspace cleanup、permission scope、secret name parity、secret injection route、step-env secret guard、log redaction、deploy marker / Gitea run、webhook / notification receipt、before / after deploy state、跨專案同步、rollback、post-check、防再發與 no-false-green 的脫敏回讀欄位post-incident readback received / accepted、workflow 修改、dispatch、runner 變更、repo secret 變更、secret value collection、secret injection change、webhook / deploy key / branch protection / CODEOWNERS 變更、Gitea action dispatch、K8s secret injection、ArgoCD sync、production deploy、runtime gate 與 action button 仍全部為 `0 / false`
## 1.2b 2026-06-15 Public / Admin / API runtime config 變更證據驗收
已新增 `docs/security/PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md``docs/security/public-runtime-config-change-evidence-acceptance.snapshot.json`將公開產品頁、AwoooP 後台、API / CORS、frontend env、Sentry tunnel、webhook / callback 與跨產品 runtime route 轉成 metadata-only 變更證據驗收帳本。

View File

@@ -77,6 +77,12 @@
此更新讓 `secret_metadata` 類別成熟度從 `66%` 推進到 `68%`,讓 `gitea_workflow_runner_source_control` 類別成熟度從 `70%` 推進到 `72%`。它只表示 workflow diff、runner owner attestation、secret name parity、secret injection route、Gitea run readback、guard result、rollback owner 與 post-check evidence 已有收件驗收規則workflow 修改、workflow dispatch、runner 啟用 / 重啟、GitHub hosted runner、secret value / hash / partial token 收集、secret store read、secret 建立 / 更新 / rotate / 刪除、webhook 修改、deploy key 修改、branch protection / CODEOWNERS 修改、refs sync、force push、GitHub primary switch、Gitea 停用、production deploy、runtime gate 仍全部為 `0 / false`
### 0.3c-1 2026-06-16 CD / Runner / Secret 注入事故後回讀計畫
`cd_runner_secret_injection_post_incident_readback_plan_v1` 已把同一批 CD pipeline、Code Review、Deploy alerts、Runner attestation 與 Repository secret name parity / injection owner 轉成事故後回讀計畫。固定 `candidates=5``c0=4``c1=1``write_capable=5``readback_fields=44``required_readback_fields=33``reviewer_checks=30``outcome_lanes=11``blocked_actions=52`
此更新讓 `secret_metadata` 類別成熟度從 `68%` 推進到 `70%`,讓 `gitea_workflow_runner_source_control` 類別成熟度從 `72%` 推進到 `74%`。它只表示 workflow diff state、runner attestation、executor / host、workspace cleanup、permission scope、secret name parity、secret injection route、step-env secret guard、log redaction、deploy marker / Gitea run、webhook / notification receipt、before / after deploy state、cross-project sync、rollback、post-check、post-change monitoring、recurrence guard 與 no-false-green 已有事故後脫敏回讀欄位post-incident readback received / accepted、workflow 修改、workflow dispatch、runner 變更、GitHub hosted runner、repo secret 變更、secret value collection、secret injection change、webhook / deploy key / branch protection / CODEOWNERS 變更、Gitea action dispatch、K8s secret injection、ArgoCD sync、production deploy、runtime gate 仍全部為 `0 / false`
### 0.3d 2026-06-15 Public / Admin / API runtime config 變更證據驗收
`public_runtime_config_change_evidence_acceptance_v1` 已把公開產品頁、AwoooP 後台、API / CORS、frontend env、Sentry tunnel、webhook / callback 與跨產品 runtime route 轉成 metadata-only 變更證據驗收只讀帳本。固定 `candidates=6``c0=5``c1=1``write_capable=6``source_refs=20``required_evidence_fields=21``reviewer_checks=21``outcome_lanes=8``blocked_actions=32`

View File

@@ -3,7 +3,7 @@
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-15 |
| 狀態 | 草案P0 governance 總帳已建立;高價值配置 Owner Packet count sync、K8s / ArgoCDPublic Gateway / Nginx 事故後回讀投影已完成 |
| 狀態 | 草案P0 governance 總帳已建立;高價值配置 Owner Packet count sync、K8s / ArgoCDPublic Gateway / Nginx、Monitoring 與 CD / Runner / Secret 事故後回讀投影已完成 |
| Schema | `docs/schemas/iwooos_posture_projection_v1.schema.json` |
| Snapshot | `docs/security/iwooos-posture-projection.snapshot.json` |
| 模式 | `mirror_only` |
@@ -41,6 +41,12 @@
此同步只代表前端可以顯示監控 / 告警 / 可觀測性事故後回讀計畫與邊界;`post_incident_readback_received_count``post_incident_readback_accepted_count``receiver_receipt_readback_accepted_count``stale_pending_resolved_review_accepted_count``silence_mute_dedup_inhibit_review_accepted_count``alert_chain_health_readback_accepted_count``runtime_gate_count``action_button_count` 仍全部維持 `0`。不得把 route `200`、dashboard up、container up、receiver reachable、CD success 或 UI 可見視為告警鏈路驗收。
## 1.5 2026-06-16 CD / Runner / Secret injection 事故後回讀投影
`cd_runner_secret_injection_post_incident_readback_plan_v1` 已投影到 `iwooos-posture-projection.snapshot.json` 與前台 marker。固定 `candidate_count=5``c0_candidate_count=4``write_capable_candidate_count=5``required_readback_field_count=33``reviewer_check_count=30``outcome_lane_count=11``blocked_action_count=52`,並讓 `secret_metadata_coverage_percent=70``gitea_workflow_runner_source_control_coverage_percent=74`
此同步只代表前端可以顯示 CD / Runner / Secret injection 事故後回讀計畫與邊界;`post_incident_readback_received_count``post_incident_readback_accepted_count``workflow_diff_state_accepted_count``runner_attestation_accepted_count``secret_name_parity_accepted_count``secret_injection_route_accepted_count``deploy_marker_readback_accepted_count``gitea_action_run_readback_accepted_count``log_redaction_readback_accepted_count``runtime_gate_count``action_button_count` 仍全部維持 `0`。不得把 CD success、deploy marker、workflow success、route `200`、runner online、AwoooP approval 或 UI 可見視為資安驗收。
## 2. 來源
IwoooS 首版只讀取或對齊以下已提交 evidence
@@ -54,6 +60,7 @@ IwoooS 首版只讀取或對齊以下已提交 evidence
| `public_gateway_post_incident_readback_plan_v1` | Public Gateway / Nginx 事故後回讀計畫、92% 子項成熟度、30 個必填欄位、41 類 blocked action、runtime gate 0 |
| `k8s_argocd_post_incident_readback_plan_v1` | K8s / ArgoCD 事故後回讀計畫、66% 子項成熟度、31 個必填欄位、41 類 blocked action、runtime gate 0 |
| `monitoring_post_incident_readback_plan_v1` | Monitoring / Alerting / Observability 事故後回讀計畫、70% 子項成熟度、30 個必填欄位、53 類 blocked action、runtime gate 0 |
| `cd_runner_secret_injection_post_incident_readback_plan_v1` | CD / Runner / Secret injection 事故後回讀計畫、secret metadata 70%、workflow / runner 74%、33 個必填欄位、52 類 blocked action、runtime gate 0 |
| `kali_integration_status_v1` | Kali 112 observe-only 整合態勢 |
| `vibework_iwooos_onboarding_handoff_v1` | VibeWork repo / product / surface / owner / evidence refs / 獨立產品邊界只讀 handoff |
| `docs/LOGBOOK.md` | 部署 marker、Gitea run 與 rollout risk 邊界紀錄 |

View File

@@ -3,7 +3,7 @@
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-15 |
| 狀態 | IwoooS 64% 只讀治理推進中;高價值配置集中 guard、Package / Docker 供應鏈 repo-only baseline 與 Package / Docker 供應鏈 owner policy gate 已完成Frontend public sensitive surface guard、Backup / Restore / Escrow owner response acceptance backfill、Monitoring / Alerting / Observability no-false-green owner response acceptance、Host Service change evidence acceptance、Host Service post-incident readback plan、AI provider / model routing owner response acceptance、CD / Runner / Secret 注入變更證據驗收、Public / Admin / API runtime config 變更證據驗收、K8s / ArgoCD post-incident readback plan 與 Public Gateway / Nginx post-incident readback plan 已本地完成;端口 / 防火牆變更證據驗收、主機服務事故回補與 K8s / ArgoCD GitOps 變更證據驗收已正式部署驗證S4.9 owner response gate 仍是第一優先 |
| 狀態 | IwoooS 64% 只讀治理推進中;高價值配置集中 guard、Package / Docker 供應鏈 repo-only baseline 與 Package / Docker 供應鏈 owner policy gate 已完成Frontend public sensitive surface guard、Backup / Restore / Escrow owner response acceptance backfill、Monitoring / Alerting / Observability no-false-green owner response acceptance、Host Service change evidence acceptance、Host Service post-incident readback plan、AI provider / model routing owner response acceptance、CD / Runner / Secret 注入變更證據驗收、CD / Runner / Secret 注入事故後回讀計畫、Public / Admin / API runtime config 變更證據驗收、K8s / ArgoCD post-incident readback plan、Monitoring / Alerting / Observability post-incident readback plan 與 Public Gateway / Nginx post-incident readback plan 已本地完成;端口 / 防火牆變更證據驗收、主機服務事故回補與 K8s / ArgoCD GitOps 變更證據驗收已正式部署驗證S4.9 owner response gate 仍是第一優先 |
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 |
| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP 執行監控 IwoooS 執行狀態只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub 主要來源就緒度只讀狀態板 + AwoooP 工作鏈路 GitHub 主要來源就緒度只讀工作項 + AwoooP 合約儀表板 GitHub 主要來源就緒度合約只讀候選 + AwoooP 審批佇列 GitHub 主要來源就緒度審批邊界 + AwoooP 首頁 GitHub 主要來源就緒度只讀摘要 + AwoooP 租戶管理 GitHub 主要來源就緒度租戶範圍 + AwoooP 執行監控 GitHub 主要來源就緒度執行邊界 + IwoooS / AwoooP 資安可視區塊繁體中文呈現防護檢查 + AwoooP 執行詳情 / 審批詳情繁體中文呈現防護檢查 + AwoooP 首頁負責人回覆驗收總覽 + AwoooP 工作鏈路負責人回覆驗收只讀工作項 + AwoooP 合約儀表板負責人回覆驗收契約只讀候選 + AwoooP 審批佇列負責人回覆驗收只讀審查邊界 + AwoooP 租戶管理負責人回覆驗收租戶範圍 + AwoooP 執行監控負責人回覆驗收執行邊界 + AwoooP 執行詳情負責人回覆驗收詳情邊界 + AwoooP 審批決策負責人回覆驗收審批邊界 + IwoooS AwoooP 資安入口覆蓋狀態板 + IwoooS 階段式資安收斂節奏圖 + IwoooS 下一步人工收件作戰板 + IwoooS 人工回覆安全驗收閘道 + IwoooS 人工回覆審查結果分流 + IwoooS 人工決策準備佇列 + IwoooS 人工決策紀錄草稿防誤用 + IwoooS 人工決策正式紀錄負責人指派確認準備包 + IwoooS 人工決策正式紀錄負責人指派確認清單 + IwoooS 人工決策正式紀錄負責人指派確認結果分流 + IwoooS 人工決策正式紀錄負責人指派決策準備包 + IwoooS 人工決策正式紀錄負責人指派決策檢查清單 + IwoooS S4.9 負責人回覆封套欄位 + IwoooS S4.9 負責人回覆封套送件前檢查 + IwoooS S4.9 負責人回覆封套送件前結果分流 + IwoooS S4.9 負責人回覆送件請求草稿 + IwoooS S4.9 負責人回覆送件鏈路摘要 + IwoooS 低摩擦分階段收斂主控 + IwoooS 低摩擦下一步行動邊界 + IwoooS 64% 進度移動訊號驗收條 + IwoooS 第一個進度解鎖路徑 + IwoooS 第一解鎖證據包 + IwoooS 第一解鎖證據包預檢分流 + IwoooS 第一解鎖證據包補件路徑 + IwoooS 第一解鎖證據包補件送審前檢查 + IwoooS 第一解鎖證據包補件送審結果分流 + IwoooS 第一解鎖證據包 reviewer 指派準備包 + IwoooS 第一解鎖證據包 reviewer 指派前檢查 + IwoooS 第一解鎖證據包 reviewer 指派前檢查結果分流 + IwoooS 正式只讀 landing 與 Kali 112 只讀證據進度重估 |
| 本階段追加補充 | IwoooS 目前具體工作地圖 + IwoooS 目前具體交付清單 + IwoooS 目前阻塞與解除條件 + IwoooS 三軸進度與全產品套用範圍 + IwoooS 全產品分階段套用台帳 + IwoooS 全產品 rollout 波次驗收門檻 + IwoooS 全產品 rollout 驗收結果分流 + IwoooS 全產品證據接線地圖 + IwoooS 全產品證據接線預檢 + IwoooS 全產品證據接線預檢結果分流 + IwoooS 全產品預檢補件回收台帳 + IwoooS 全產品補件重試門檻 + IwoooS 全產品重試結果分流 + IwoooS 全產品人工審查候選準備 + IwoooS 全產品人工審查候選預檢 + IwoooS 全產品人工審查候選預檢結果分流 + IwoooS 全產品人工審查候選預檢補件回收台帳 + IwoooS 全產品人工審查候選預檢補件重試門檻 + IwoooS 全產品只讀套用快照 + P2-145 owner response acceptance gate 正式驗證完成 |
@@ -76,6 +76,12 @@
同步邊界IwoooS headline 維持 `64%`active runtime gate 維持 `0`workflow diff、runner attestation、secret name parity、secret injection route、deploy marker readback、guard result、postcheck evidence、runtime approval package、runtime gate 與 action buttons 全部仍為 `0 / false`。本段只更新文件、snapshot、guard、覆蓋矩陣與前端 marker不呼叫 Gitea / GitHub API、不讀 secret store、不讀 secret value、不修改 workflow、不啟用 runner、不 rotate secret、不 dispatch workflow、不觸發部署。
## 0.00aaaa0 2026-06-16 CD / Runner / Secret 注入事故後回讀計畫
本輪把 CD pipeline、程式碼審查、部署通知、執行器證明與 repository secret name parity / injection owner 從 change evidence acceptance 再補一層事故後回讀計畫:`cd_runner_secret_injection_post_incident_readback_plan_v1` 固定 `candidates=5``c0=4``c1=1``write_capable=5``readback_fields=44``required_readback_fields=33``reviewer_checks=30``outcome_lanes=11``blocked_actions=52`,並讓 `secret_metadata` 只讀治理成熟度 `68% -> 70%``gitea_workflow_runner_source_control` 只讀治理成熟度 `72% -> 74%`,高價值配置平均只讀成熟度仍維持 `71%`。新增要求包含 actor、change time window、workflow diff state、runner attestation、executor / host、workspace cleanup、permission scope、secret name parity、secret injection route、step-env secret guard、log redaction、deploy marker / Gitea run、webhook / notification receipt、before / after deploy state、cross-project sync、rollback validation、post-check、post-change monitoring、recurrence guard 與 no-false-green attestation。
同步邊界IwoooS headline 維持 `64%`active runtime gate 維持 `0`post-incident readback received / accepted、workflow diff state accepted、runner attestation accepted、secret name parity accepted、secret injection route accepted、deploy marker readback accepted、Gitea run readback accepted、log redaction readback accepted、workflow modification、workflow dispatch、runner change、repo secret change、secret injection change、webhook / deploy key / branch protection / CODEOWNERS change、K8s secret injection、ArgoCD sync、production deploy、runtime gate 與 action buttons 全部仍為 `0 / false`。本段只更新文件、snapshot、guard、覆蓋矩陣、投影契約與前端 marker不呼叫 Gitea / GitHub API、不讀 secret store、不讀 secret value、不修改 workflow、不啟用 runner、不 rotate secret、不 dispatch workflow、不觸發部署。
## 0.00aaa 2026-06-15 K8s / ArgoCD GitOps 變更證據驗收
本輪把 K8s / ArgoCD 從 owner response acceptance 推進到 GitOps 變更證據驗收只讀帳本:`k8s_argocd_change_evidence_acceptance_v1` 固定 `candidates=4``c0=3``write_capable=4``required_evidence_fields=18``reviewer_checks=18``outcome_lanes=8``blocked_actions=28`,並讓 `k8s_production_gitops` 只讀治理成熟度 `62% -> 64%`,高價值配置平均只讀成熟度仍維持 `68%`。這是 metadata-only 收件驗收,不是 change evidence received / accepted、runtime approval package、ArgoCD API read、ArgoCD sync、kubectl action、Helm upgrade、NetworkPolicy apply、NodePort change、RBAC change、live cluster read、production write 或 runtime gate。

View File

@@ -135,9 +135,9 @@
"action_buttons_allowed": false,
"category_id": "secret_metadata",
"control_tier": "C0",
"coverage_percent": 68,
"coverage_status": "secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
"current_gap": "已固定 secret name / injection owner 變更證據驗收帳本secret value、hash、partial token、secret store read、secret rotation、repo secret change 與 injection path change 仍全部為 0。",
"coverage_percent": 70,
"coverage_status": "post_incident_readback_plan_ready_needs_secret_injection_owner_evidence",
"current_gap": "已固定 secret name / injection owner 變更證據驗收帳本並新增事故後回讀計畫secret name parity state、secret injection route、step-env secret guard、log redaction、deploy marker / Gitea run readback、rollback、post-check、防再發與 no-false-green 已納入secret value、hash、partial token、runner token、secret store read、secret rotation、repo secret change 與 injection path change 仍全部為 0。",
"evidence_refs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
@@ -145,10 +145,12 @@
"docs/security/source-control-workflow-secret-name-owner-response.snapshot.json",
"docs/security/CD-RUNNER-SECRET-INJECTION-CHANGE-EVIDENCE-ACCEPTANCE.md",
"docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json",
"docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md",
"docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json",
"docs/security/SECRETS_REFERENCE.md"
],
"label": "Secret metadata / injection / redaction",
"next_owner_action": "補 secret name parity ref、injection route owner、rotation owner、guard result ref、rollback owner、post-check evidence 與 redacted evidence refs。",
"next_owner_action": "補 secret name parity state ref、secret injection route state ref、step-env secret guard result、log redaction readback、deploy marker / Gitea run readback、notification receipt、rollback owner、post-check evidence、recurrence guard 與 no-secret-value evidence。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
@@ -177,18 +179,20 @@
"action_buttons_allowed": false,
"category_id": "gitea_workflow_runner_source_control",
"control_tier": "C0",
"coverage_percent": 72,
"coverage_status": "cd_runner_secret_injection_change_evidence_acceptance_ready_needs_owner_evidence",
"current_gap": "已固定 CD / runner / secret injection 變更證據驗收帳本workflow diff、runner attestation、secret parity、guard result、deploy marker readback、rollback owner 與 post-check evidence 仍全部為 0。",
"coverage_percent": 74,
"coverage_status": "post_incident_readback_plan_ready_needs_workflow_runner_owner_evidence",
"current_gap": "已固定 CD / runner / secret injection 變更證據驗收帳本,並新增事故後回讀計畫workflow diff state、runner attestation、executor / host、workspace cleanup、permission scope、webhook / notification、deploy key / branch protection / CODEOWNERS、deploy marker / Gitea run、rollback、post-change monitoring、防再發與 no-false-green 已納入workflow 修改、dispatch、runner 啟用 / 重啟、GitHub hosted runner、webhook / deploy key / branch protection / CODEOWNERS 修改仍全部為 0。",
"evidence_refs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-OWNER-RESPONSE.md",
"docs/security/CD-RUNNER-SECRET-INJECTION-CHANGE-EVIDENCE-ACCEPTANCE.md",
"docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json",
"docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md",
"docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json",
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"
],
"label": "Gitea workflow / runner / deploy key / webhook / branch protection",
"next_owner_action": "補 workflow diff ref、runner owner attestation、secret name parity ref、Gitea run readback、guard result、maintenance window、rollback ownerpost-check evidence。",
"next_owner_action": "補 workflow diff state ref、runner owner attestation、executor / host readback、workspace cleanup、permission scope、Gitea run readback、deploy marker readback、webhook / notification receipt、maintenance window、rollback ownerpost-change monitoring 與 recurrence guard evidence。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
@@ -649,8 +653,8 @@
"websocket_route_change_authorized": false,
"workflow_modification_authorized": false
},
"generated_at": "2026-06-15T23:45:00+08:00",
"git_commit": "dfee85c0",
"generated_at": "2026-06-16T00:30:00+08:00",
"git_commit": "7db05e00",
"lowest_coverage_categories": [
{
"category_id": "backup_restore_credential",

View File

@@ -351,7 +351,7 @@
"target_surface": "execution_boundary"
}
],
"date": "2026-06-14",
"date": "2026-06-16",
"decision_runway_boundary_signals": [
{
"authorized": false,
@@ -8555,6 +8555,63 @@
"cd_runner_secret_injection_change_evidence_acceptance_secret_name_parity_accepted_count": 0,
"cd_runner_secret_injection_change_evidence_acceptance_workflow_diff_accepted_count": 0,
"cd_runner_secret_injection_change_evidence_acceptance_write_capable_candidate_count": 5,
"cd_runner_secret_injection_post_incident_readback_plan_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_action_button_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_actor_attribution_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_affected_route_or_service_state_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_argocd_sync_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_before_after_deploy_state_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_blocked_action_count": 52,
"cd_runner_secret_injection_post_incident_readback_plan_branch_protection_change_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_c0_candidate_count": 4,
"cd_runner_secret_injection_post_incident_readback_plan_c1_candidate_count": 1,
"cd_runner_secret_injection_post_incident_readback_plan_candidate_count": 5,
"cd_runner_secret_injection_post_incident_readback_plan_cd_pipeline_run_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_codeowners_change_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_cross_project_sync_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_deploy_key_branch_protection_codeowners_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_deploy_key_change_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_deploy_marker_readback_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_deploy_or_run_readback_required_candidate_count": 5,
"cd_runner_secret_injection_post_incident_readback_plan_first_layer": true,
"cd_runner_secret_injection_post_incident_readback_plan_gitea_action_dispatch_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_gitea_action_run_readback_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_gitea_workflow_runner_coverage_percent_after_readback_plan": 74,
"cd_runner_secret_injection_post_incident_readback_plan_github_hosted_runner_enable_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_k8s_secret_injection_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_log_redaction_readback_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_no_false_green_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_notification_delivery_receipt_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_outcome_lane_count": 11,
"cd_runner_secret_injection_post_incident_readback_plan_post_change_monitoring_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_postcheck_evidence_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_production_deploy_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_received_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_recurrence_guard_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_repo_secret_change_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_required_readback_field_count": 33,
"cd_runner_secret_injection_post_incident_readback_plan_reviewer_check_count": 30,
"cd_runner_secret_injection_post_incident_readback_plan_rollback_validation_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_runner_attestation_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_runner_change_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_runner_executor_host_readback_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_runner_or_workflow_candidate_count": 5,
"cd_runner_secret_injection_post_incident_readback_plan_runner_permission_scope_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_runner_workspace_cleanup_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_runtime_gate_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_secret_injection_change_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_secret_injection_route_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_secret_metadata_coverage_percent_after_readback_plan": 70,
"cd_runner_secret_injection_post_incident_readback_plan_secret_name_parity_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_secret_sensitive_candidate_count": 5,
"cd_runner_secret_injection_post_incident_readback_plan_secret_value_collection_allowed_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_step_env_secret_guard_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_webhook_delivery_state_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_webhook_modification_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_workflow_diff_state_accepted_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_workflow_dispatch_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_workflow_modification_authorized_count": 0,
"cd_runner_secret_injection_post_incident_readback_plan_write_capable_candidate_count": 5,
"command_map_above_first_progress_unlock_path": true,
"command_map_default_mode": "unlock",
"command_map_default_visible": false,
@@ -8652,6 +8709,7 @@
"gate_radar_interactive_lens_allowed": true,
"gate_radar_lane_count": 4,
"gate_radar_runtime_gate_count": 0,
"gitea_workflow_runner_source_control_coverage_percent": 74,
"github_primary_ready_count": 0,
"global_security_mesh_matrix_asset_count": 9,
"global_security_mesh_matrix_default_visible": false,
@@ -9152,6 +9210,7 @@
"s4_9_request_draft_package_request_sent_count": 0,
"s4_9_request_draft_package_runtime_gate_count": 0,
"s4_9_request_draft_package_template_ready_count": 5,
"secret_metadata_coverage_percent": 70,
"source_control_primary_readiness_item_count": 6,
"ssh_firewall_network_access_coverage_percent": 64,
"ssh_network_access_inventory_action_button_count": 0,