feat(security): 新增 SSH network access 只讀清冊
All checks were successful
CD Pipeline / tests (push) Successful in 1m31s
Code Review / ai-code-review (push) Successful in 14s
CD Pipeline / build-and-deploy (push) Successful in 4m25s
CD Pipeline / post-deploy-checks (push) Successful in 1m45s

This commit is contained in:
Your Name
2026-06-11 22:18:02 +08:00
parent 472d0cf968
commit bc7e5e05ce
16 changed files with 1733 additions and 36 deletions

View File

@@ -24,7 +24,7 @@
| C1 類別 | `4` | 監控、Docker / systemd、SSH / network、AI provider |
| C2 類別 | `1` | 產品 runtime route 與跨產品邊界 |
| C3 類別 | `1` | security evidence / snapshot / guard tooling |
| 平均只讀控管成熟度 | `64%` | 僅代表框架 / evidence / owner packet 準備度,不代表 runtime 可執行 |
| 平均只讀控管成熟度 | `65%` | 僅代表框架 / evidence / owner packet 準備度,不代表 runtime 可執行 |
| 需要 live evidence 的類別 | `6` | 只能等 owner-provided redacted evidence 或維護窗口,不主動修改主機 |
| owner response required | `14` | 每類都需要 owner response 才能往 accepted 前進 |
| owner response received / accepted | `0 / 0` | 不得假性提高 |
@@ -35,7 +35,7 @@
| 優先 | 類別 | 目前成熟度 | 下一步 |
|------|------|------------|--------|
| P1-1 | Docker Compose / systemd / host service config | `50%` | repo-only 清冊已納入 9 個 surface仍缺 110 / 188 live hash、restart window、rollback owner 與 post-check 指標 |
| P1-2 | SSH / sudoers / known_hosts / firewall / WireGuard / NodePort | `48%` | 補 target whitelist、host key policy、ingress / egress matrix、network owner 與 rollback owner |
| P1-2 | SSH / sudoers / known_hosts / firewall / WireGuard / NodePort | `54%` | repo-only 清冊已納入 16 個 SSH / network access surface仍缺 live evidence、owner 與 rollback |
| P1-3 | Backup / restore / escrow / retention | `52%` | 補 restore drill approval package、offsite escrow owner、retention owner 與 no-secret-value evidence |
| P1-4 | Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse | `56%` | 補 rule diff、receiver diff、reload owner、failure-only notification policy 與 route smoke |
@@ -100,3 +100,7 @@ python3 scripts/security/high-value-config-control-coverage.py \
## 8. P1-1 Docker / systemd 清冊更新
`host_service_config_inventory_v1` 已把 Docker Compose、systemd / repair-bot、Ansible service role 與 host config backup capture 納入 repo-only 清冊,共 `9` 個 surface、`3` 個 write-capable surface、`2` 個 repair-bot whitelist、`1` 個 systemd restart surface。此更新只讓 `docker_compose_systemd_host_config``42%` 推進到 `50%`owner response、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 `0`
## 9. P1-2 SSH / network access 清冊更新
`ssh_network_access_inventory_v1` 已把 SSH target、known_hosts workflow、CI deploy SSH、monitoring SSH、backup SSH capture、sudoers wrapper、NetworkPolicy、NodePort、WireGuard runbook 與 alert SSH action catalog 納入 repo-only 清冊,共 `16` 個 surface、`6` 個 write-capable surface、`2` 個 NetworkPolicy、`2` 個 NodePort、`1` 個 sudoers surface 與 `1` 個 WireGuard surface。此更新只讓 `ssh_firewall_network_access``48%` 推進到 `54%`owner response、live evidence、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 `0`

View File

@@ -32,7 +32,7 @@
| 註冊配置類別 | `14` | 代表已進 Gate 分類,不代表已批准 |
| C0 類別 | `8` | Nginx、DNS / TLS、K8s、secret、workflow / runner、runtime config、backup、agent-bounty runtime |
| C1 類別 | `4` | 監控、Docker / systemd、SSH / network、AI provider |
| 平均只讀控管成熟度 | `64%` | 只代表框架 / evidence / owner packet 準備度 |
| 平均只讀控管成熟度 | `65%` | 只代表框架 / evidence / owner packet 準備度 |
| 需要 live evidence 類別 | `6` | 只能等 owner-provided redacted evidence 或維護窗口,不主動 SSH |
| owner response required | `14` | owner response received / accepted 仍 `0 / 0` |
| runtime gate | `0` | 不提供執行按鈕 |
@@ -45,6 +45,12 @@
此更新仍不是 live host truth110 / 188 live hash、restart window、rollback owner、post-check 指標與 owner response received / accepted 全部仍為 `0`,也不得執行 `docker compose``systemctl`、repair-bot、Ansible apply 或任何 SSH 讀寫。
### 0.3 2026-06-11 SSH / network access repo-only 清冊
`ssh_network_access_inventory_v1` 已把 SSH target、known_hosts workflow、CI deploy SSH、monitoring SSH、backup SSH capture、sudoers wrapper、NetworkPolicy、NodePort、WireGuard runbook 與 alert SSH action catalog 納入只讀 snapshot。清冊目前共有 `16` 個 surface、`11` 個 SSH source surface、`6` 個 write-capable surface、`2` 個 NetworkPolicy、`2` 個 NodePort、`1` 個 sudoers surface 與 `1` 個 WireGuard surface讓 SSH / network 類別成熟度從 `48%` 推進到 `54%`
此更新仍不是 live network truthlive firewall、sudoers、known_hosts、NetworkPolicy、NodePort、WireGuard evidence、network owner、maintenance window、rollback owner 與 owner response received / accepted 全部仍為 `0`,也不得執行 SSH、keyscan、sudo、firewall change、NetworkPolicy apply、NodePort change 或 WireGuard cutover。
## 1. 目前已不符合新要求的項目
| 優先 | 項目 | 現況 | 風險 | 本階段處置 |

View File

@@ -89,8 +89,9 @@ IwoooS 首版只讀取或對齊以下已提交 evidence
51. 10 個 frontend surface reverse bridge statuses顯示既有資安入口目前是 embedded bridge、direct bridge 或 AwoooP read-only candidate這只是連接狀態不代表 owner response、runtime authorization、Code Review blocker、Gitea/GitHub action 或任何執行控制。
52. 6 個 source control primary readiness items顯示 GitHub primary 前置缺口candidate repo inventory、primary ready counter、owner response validation、refs truth、workflow / secret name inventory、rollback ADR這只是 readiness不代表 repo 建立、visibility 變更、refs mutation、secret value collection、primary switch 或 Gitea 停用。
53. 4 個 rollout risk read-only items顯示風險來源部署 marker、`AWOOOI_ROLLOUT_RISK=1`、ArgoCD `Degraded` / `OutOfSync`、API health / smoke 已通過與執行期閘門仍為 0這只是部署風險可見性不代表 ArgoCD sync、kubectl、主機重啟、修復、部署或 runtime gate 已授權。
54. 14 類 high-value config control coverage statuses顯示 Nginx、DNS / TLS、K8s、secret、workflow、backup、agent-bounty runtime、monitoring、Docker / systemd、SSH / network、AI provider、產品 route 與 security evidence 的全域配置控管覆蓋矩陣;平均只讀成熟度 `64%`、C0 類別 `8`、需 live evidence 類別 `6`、owner response received / accepted 與 runtime gate 仍為 `0`,不代表 reload、sync、scan、secret rotation、payout 或主機操作授權。
54. 14 類 high-value config control coverage statuses顯示 Nginx、DNS / TLS、K8s、secret、workflow、backup、agent-bounty runtime、monitoring、Docker / systemd、SSH / network、AI provider、產品 route 與 security evidence 的全域配置控管覆蓋矩陣;平均只讀成熟度 `65%`、C0 類別 `8`、需 live evidence 類別 `6`、owner response received / accepted 與 runtime gate 仍為 `0`,不代表 reload、sync、scan、secret rotation、payout 或主機操作授權。
55. 9 個 host-service config repo-only inventory surfaces顯示 Docker Compose、systemd / repair-bot、Ansible service role 與 host config backup capture 的第一層清冊write-capable surface `3`、repair-bot whitelist `2`、systemd restart surface `1`owner response、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 `0`,不代表 `docker compose``systemctl`、repair-bot 或 Ansible apply 已授權。
56. 16 個 SSH / network access repo-only inventory surfaces顯示 SSH target、known_hosts workflow、CI deploy SSH、monitoring SSH、backup SSH capture、sudoers wrapper、NetworkPolicy、NodePort、WireGuard runbook 與 alert SSH action catalog 的第一層清冊write-capable surface `6`、NetworkPolicy `2`、NodePort `2`、sudoers `1`、WireGuard `1`owner response、live evidence、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 `0`,不代表 SSH、sudo、firewall、NetworkPolicy、NodePort、WireGuard 或 known_hosts patch 已授權。
## 3.1 既有前端資安頁面整合

View File

@@ -0,0 +1,111 @@
# IwoooS SSH / network access 只讀清冊
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-11 |
| 狀態 | `repo_only_inventory_ready` |
| 工具 | `scripts/security/ssh-network-access-inventory.py` |
| Snapshot | `docs/security/ssh-network-access-inventory.snapshot.json` |
| Schema | `docs/schemas/ssh_network_access_inventory_v1.schema.json` |
| runtime gate | `0` |
## 1. 目的
這份清冊補齊高價值配置覆蓋矩陣中的 `ssh_firewall_network_access` 類別,把 repo 內會影響 SSH、sudoers、known_hosts、firewall / NetworkPolicy、NodePort 與 WireGuard 的配置來源先集中成可重跑 snapshot。
本階段仍是 repo-only 只讀清冊。它不是 live host truth不是 firewall approval不是 known_hosts patch approval不是 NetworkPolicy apply approval也不是 WireGuard cutover approval。
## 2. 覆蓋摘要
| 指標 | 目前值 | 說明 |
|------|--------|------|
| repo surface | `16` | 已納入 SSH / network access 相關 committed source |
| source exists / hash | `16` | 每個 source path 皆存在並有 SHA-256 |
| expected scope | `16` | 已整理每個 surface 的預期影響範圍 |
| SSH source surface | `11` | 包含 inventory、CI deploy、monitoring、backup、alert action |
| NetworkPolicy surface | `2` | production 與 ArgoCD metrics policy |
| NodePort surface | `2` | ArgoCD metrics 與 Velero metrics |
| sudoers surface | `1` | `awoooi-wrapper.sudoers` |
| WireGuard surface | `1` | GCP Ollama WireGuard mesh runbook |
| write-capable surface | `6` | CI deploy、monitoring deploy、sudoers、alert action catalog |
| owner response received / accepted | `0 / 0` | 尚未收到或接受 owner response |
| live evidence received | `0` | 尚未取得 owner-provided live evidence |
| runtime / action | `0 / 0` | 未開 runtime gate未提供操作按鈕 |
| SSH / network 類別成熟度 | `48% -> 54%` | 只代表 repo-only 清冊完成,不代表 live 授權 |
## 3. 已納入 surface
| Surface | 類型 | 範圍 | 寫入能力 |
|---------|------|------|----------|
| `ansible_inventory_ssh_targets` | SSH target inventory | `110_111_112_120_121_188` | 否 |
| `ansible_common_ssh_args` | SSH client policy | `multi_host` | 否 |
| `gitea_cd_known_hosts_secret` | known_hosts workflow | `110_120_121_188_known_hosts` | 否 |
| `gitea_cd_deploy_ssh` | CI deploy SSH | `k8s_ssh_host` | 是 |
| `gitea_cd_dev_ssh` | CI deploy SSH | `192.168.0.120` | 是 |
| `deploy_alerts_ssh_path` | CI deploy SSH | `192.168.0.110` | 是 |
| `monitoring_discover_docker_ssh` | SSH discovery script | `110_188_docker_hosts` | 否 |
| `monitoring_exporter_deploy_ssh` | monitoring SSH deploy script | `192.168.0.188` | 是 |
| `backup_config_ssh_capture` | SSH backup capture | `110_188_120_121_cluster` | 否 |
| `host_ops_sudoers_wrapper` | sudoers policy | `host_ops_minimal_sudo` | 是 |
| `k8s_prod_network_policy` | K8s NetworkPolicy | `awoooi_prod_namespace` | 否 |
| `argocd_metrics_network_policy` | K8s NetworkPolicy | `argocd_namespace` | 否 |
| `argocd_metrics_nodeport` | K8s NodePort service | `argocd_nodeport_30882_30883` | 否 |
| `velero_metrics_nodeport` | K8s NodePort service | `velero_nodeport_30885` | 否 |
| `wireguard_mesh_runbook` | WireGuard runbook | `110_111_120_121_gcp_a_gcp_b` | 否 |
| `alert_rules_ssh_actions` | alert SSH action rules | `ssh_mcp_action_catalog` | 是 |
## 4. 固定 0 / false 邊界
```text
runtime_execution_authorized=false
host_write_authorized=false
ssh_read_authorized=false
ssh_write_authorized=false
sudo_action_authorized=false
firewall_change_authorized=false
network_policy_apply_authorized=false
nodeport_change_authorized=false
wireguard_change_authorized=false
known_hosts_patch_authorized=false
host_keyscan_authorized=false
live_host_read_authorized=false
secret_value_collection_allowed=false
ssh_key_collection_allowed=false
active_scan_authorized=false
action_buttons_allowed=false
```
## 5. 判讀規則
1. `source_exists=true` 只代表 repo 檔案存在,不代表 live host 與 repo 一致。
2. `sha256` 是 committed source 的 hash不是 live `/etc/ssh`、firewall、sudoers、NetworkPolicy 或 WireGuard hash。
3. `write_capable_surface_count=6` 代表需要 owner review 的高風險入口,不代表可執行。
4. `accept-new`、known_hosts、NodePort、NetworkPolicy 與 WireGuard 只能先形成 owner 問題,不得自動 patch、keyscan、apply 或 cutover。
5. 後續若要取得 live evidence只能走 owner-provided redacted evidence、維護窗口與 rollback owner不得在本階段主動 SSH、sudo、掃描或讀 secret。
## 6. 指令
```bash
python3 scripts/security/ssh-network-access-inventory.py \
--root . \
--output docs/security/ssh-network-access-inventory.snapshot.json
```
固定 committed snapshot 時間:
```bash
python3 scripts/security/ssh-network-access-inventory.py \
--root . \
--generated-at 2026-06-11T23:55:00+08:00 \
--output docs/security/ssh-network-access-inventory.snapshot.json
```
## 7. 完成度
| 工作 | 完成度 | 說明 |
|------|--------|------|
| repo-only surface 註冊 | `100%` | 已納入 16 個 SSH / network access surface |
| source existence / hash | `100%` | 16 個 source path 皆已驗證存在並產生 hash |
| owner response 收件 | `0%` | 尚未收到或接受 owner response |
| live evidence collection | `0%` | 未 SSH、未 keyscan、未讀 live firewall、未讀 live sudoers |
| SSH / sudo / firewall / NetworkPolicy / NodePort / WireGuard gate | `0%` | 全部維持未授權 |

View File

@@ -365,15 +365,17 @@
"action_buttons_allowed": false,
"category_id": "ssh_firewall_network_access",
"control_tier": "C1",
"coverage_percent": 48,
"coverage_status": "policy_ready_needs_network_matrix",
"current_gap": "尚未集中 ingress / egress、WireGuard、NodePort、firewall 與 known_hosts 矩陣。",
"coverage_percent": 54,
"coverage_status": "repo_only_inventory_ready_needs_live_owner_evidence",
"current_gap": "repo-only 清冊已納入 16 個 SSH / network access surface仍缺 live firewall / sudoers / known_hosts / NetworkPolicy / NodePort / WireGuard evidence、network owner 與 rollback owner。",
"evidence_refs": [
"docs/HARD_RULES.md",
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md"
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
"docs/security/SSH-NETWORK-ACCESS-INVENTORY.md",
"docs/security/ssh-network-access-inventory.snapshot.json"
],
"label": "SSH / sudoers / known_hosts / firewall / WireGuard / NodePort",
"next_owner_action": "補 target whitelist、host key policy、network owner、maintenance windowrollback owner。",
"next_owner_action": "補 owner-provided live hash / disposition、host key pinning、firewall owner、NetworkPolicy / NodePort owner、WireGuard owner、maintenance windowrollback owner 與 post-check 指標。",
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_required": true,
@@ -520,16 +522,9 @@
"secret_value_collection_allowed": false,
"workflow_modification_authorized": false
},
"generated_at": "2026-06-11T23:21:00+08:00",
"git_commit": "0a82648e",
"generated_at": "2026-06-12T00:05:00+08:00",
"git_commit": "7cd47558",
"lowest_coverage_categories": [
{
"category_id": "ssh_firewall_network_access",
"coverage_percent": 48,
"current_gap": "尚未集中 ingress / egress、WireGuard、NodePort、firewall 與 known_hosts 矩陣。",
"label": "SSH / sudoers / known_hosts / firewall / WireGuard / NodePort",
"next_owner_action": "補 target whitelist、host key policy、network owner、maintenance window 與 rollback owner。"
},
{
"category_id": "docker_compose_systemd_host_config",
"coverage_percent": 50,
@@ -544,6 +539,13 @@
"label": "Backup / restore / escrow / retention",
"next_owner_action": "補 restore drill approval package、escrow owner、retention owner 與 no-secret-value evidence。"
},
{
"category_id": "ssh_firewall_network_access",
"coverage_percent": 54,
"current_gap": "repo-only 清冊已納入 16 個 SSH / network access surface仍缺 live firewall / sudoers / known_hosts / NetworkPolicy / NodePort / WireGuard evidence、network owner 與 rollback owner。",
"label": "SSH / sudoers / known_hosts / firewall / WireGuard / NodePort",
"next_owner_action": "補 owner-provided live hash / disposition、host key pinning、firewall owner、NetworkPolicy / NodePort owner、WireGuard owner、maintenance window、rollback owner 與 post-check 指標。"
},
{
"category_id": "monitoring_alerting_observability",
"coverage_percent": 56,
@@ -573,7 +575,7 @@
"status": "coverage_matrix_ready",
"summary": {
"action_button_count": 0,
"average_coverage_percent": 64,
"average_coverage_percent": 65,
"c0_category_count": 8,
"c1_category_count": 4,
"c2_category_count": 1,

View File

@@ -28,6 +28,9 @@
"docs/security/host-service-config-inventory.snapshot.json",
"docs/security/HOST-SERVICE-CONFIG-INVENTORY.md",
"docs/schemas/host_service_config_inventory_v1.schema.json",
"docs/security/ssh-network-access-inventory.snapshot.json",
"docs/security/SSH-NETWORK-ACCESS-INVENTORY.md",
"docs/schemas/ssh_network_access_inventory_v1.schema.json",
"docs/LOGBOOK.md",
"docs/workplans/2026-06-04-iwooos-security-governance-p0.md",
"apps/web/src/app/[locale]/iwooos/page.tsx",
@@ -236,7 +239,7 @@
"high_value_config_control_coverage_category_count": 14,
"high_value_config_control_coverage_c0_category_count": 8,
"high_value_config_control_coverage_c1_category_count": 4,
"high_value_config_control_coverage_average_percent": 64,
"high_value_config_control_coverage_average_percent": 65,
"high_value_config_control_coverage_needs_live_evidence_count": 6,
"high_value_config_control_coverage_owner_response_required_count": 14,
"high_value_config_control_coverage_owner_response_received_count": 0,
@@ -263,6 +266,27 @@
"host_service_config_inventory_action_button_count": 0,
"host_service_config_inventory_coverage_percent_before_inventory": 42,
"host_service_config_inventory_coverage_percent_after_inventory": 50,
"ssh_network_access_inventory_first_layer": true,
"ssh_network_access_inventory_surface_count": 16,
"ssh_network_access_inventory_source_exists_count": 16,
"ssh_network_access_inventory_expected_scope_count": 16,
"ssh_network_access_inventory_ssh_source_surface_count": 11,
"ssh_network_access_inventory_network_policy_surface_count": 2,
"ssh_network_access_inventory_nodeport_surface_count": 2,
"ssh_network_access_inventory_sudoers_surface_count": 1,
"ssh_network_access_inventory_wireguard_surface_count": 1,
"ssh_network_access_inventory_write_capable_surface_count": 6,
"ssh_network_access_inventory_owner_response_required_count": 16,
"ssh_network_access_inventory_owner_response_received_count": 0,
"ssh_network_access_inventory_owner_response_accepted_count": 0,
"ssh_network_access_inventory_live_evidence_required_count": 16,
"ssh_network_access_inventory_live_evidence_received_count": 0,
"ssh_network_access_inventory_maintenance_window_accepted_count": 0,
"ssh_network_access_inventory_rollback_owner_accepted_count": 0,
"ssh_network_access_inventory_runtime_gate_count": 0,
"ssh_network_access_inventory_action_button_count": 0,
"ssh_network_access_inventory_coverage_percent_before_inventory": 48,
"ssh_network_access_inventory_coverage_percent_after_inventory": 54,
"high_value_config_owner_packet_first_layer": true,
"high_value_config_owner_packet_summary_count": 4,
"high_value_config_owner_packet_item_count": 6,

View File

@@ -0,0 +1,571 @@
{
"access_surfaces": [
{
"access_scope": [
"192.168.0.110",
"192.168.0.111",
"192.168.0.112",
"192.168.0.120",
"192.168.0.121",
"192.168.0.188"
],
"action_buttons_allowed": false,
"config_kind": "ssh_target_inventory",
"control_tier": "C1",
"current_state": "repo_source_visible_needs_pinned_host_key_policy",
"expected_scope": "110_111_112_120_121_188",
"label": "Ansible inventory SSH targets",
"line_count": 48,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 host owner、pinned known_hosts disposition、ProxyJump policy、key owner 與 rollback owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "86108dce9174b5c0a794d240dd40518966d9c340950fc6306845b704f12e6536",
"source_exists": true,
"source_path": "infra/ansible/inventory/hosts.yml",
"surface_id": "ansible_inventory_ssh_targets"
},
{
"access_scope": [
"StrictHostKeyChecking=accept-new",
"ConnectTimeout=10"
],
"action_buttons_allowed": false,
"config_kind": "ssh_client_policy",
"control_tier": "C1",
"current_state": "accept_new_policy_visible_needs_owner_disposition",
"expected_scope": "multi_host",
"label": "Ansible common SSH host key policy",
"line_count": 20,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "確認 accept-new 是否只限 bootstrap補升級 pinned known_hosts 的 owner 與時間窗。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "c3d5cb63cf84dea98195aa075e69ca90be7422b5805c0cfc50c1d97b832ad86e",
"source_exists": true,
"source_path": "infra/ansible/inventory/group_vars/all.yml",
"surface_id": "ansible_common_ssh_args"
},
{
"access_scope": [
"192.168.0.110",
"192.168.0.120",
"192.168.0.121",
"192.168.0.188"
],
"action_buttons_allowed": false,
"config_kind": "known_hosts_secret_workflow",
"control_tier": "C1",
"current_state": "repo_guard_visible_live_secret_not_verified",
"expected_scope": "110_120_121_188_known_hosts",
"label": "Gitea CD repair known_hosts secret",
"line_count": 1562,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 owner-provided known_hosts secret metadata、缺 120 時的處置、key rotation owner 與失敗通知 owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "5b41cdc34c954a383ebea9e4109d10165ceb40589d55df9ee6e808d4092bf593",
"source_exists": true,
"source_path": ".gitea/workflows/cd.yaml",
"surface_id": "gitea_cd_known_hosts_secret"
},
{
"access_scope": [
"K8S_SSH_HOST",
"deploy_key",
"kubectl apply",
"ArgoCD sync"
],
"action_buttons_allowed": false,
"config_kind": "ci_deploy_ssh",
"control_tier": "C1",
"current_state": "write_capable_deploy_path_visible_gate_closed",
"expected_scope": "k8s_ssh_host",
"label": "Gitea CD K8s deploy SSH path",
"line_count": 1562,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 deploy SSH host owner、maintenance window、rollback owner、post-check 指標與 break-glass policy。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "5b41cdc34c954a383ebea9e4109d10165ceb40589d55df9ee6e808d4092bf593",
"source_exists": true,
"source_path": ".gitea/workflows/cd.yaml",
"surface_id": "gitea_cd_deploy_ssh"
},
{
"access_scope": [
"192.168.0.120",
"deploy_key",
"kubectl apply"
],
"action_buttons_allowed": false,
"config_kind": "ci_deploy_ssh",
"control_tier": "C1",
"current_state": "dev_write_capable_deploy_path_visible_gate_closed",
"expected_scope": "192.168.0.120",
"label": "Gitea CD dev deploy SSH path",
"line_count": 262,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "確認 dev deploy key scope、host key policy、rollback owner 與 dev/prod 邊界。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "e344a4672cb543979c3bb8ea67967c103332587b4a52a939c837457aaeae686d",
"source_exists": true,
"source_path": ".gitea/workflows/cd-dev.yaml",
"surface_id": "gitea_cd_dev_ssh"
},
{
"access_scope": [
"192.168.0.110",
"deploy alert scripts"
],
"action_buttons_allowed": false,
"config_kind": "ci_deploy_ssh",
"control_tier": "C1",
"current_state": "write_capable_alert_deploy_path_visible_gate_closed",
"expected_scope": "192.168.0.110",
"label": "Deploy alerts SSH path",
"line_count": 72,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 alert deploy owner、known_hosts pinning、rollback owner、post-check 與通知路徑。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "b0389fa65da643d411f6961928a276d555ad6a416366bf87f3f5c2c06ee45d13",
"source_exists": true,
"source_path": ".gitea/workflows/deploy-alerts.yaml",
"surface_id": "deploy_alerts_ssh_path"
},
{
"access_scope": [
"192.168.0.110",
"192.168.0.188",
"docker ps"
],
"action_buttons_allowed": false,
"config_kind": "ssh_discovery_script",
"control_tier": "C1",
"current_state": "accept_new_scanner_visible_needs_read_only_gate",
"expected_scope": "110_188_docker_hosts",
"label": "Monitoring Docker discovery SSH scanner",
"line_count": 314,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 scanner 執行 owner、read-only window、pinned known_hosts、輸出脫敏與失敗處置。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "563faf8efcfdbd5a79cc87e0d43c2ba11bebf755a773c97b9c0778f1f0634a15",
"source_exists": true,
"source_path": "ops/monitoring/discover_docker.py",
"surface_id": "monitoring_discover_docker_ssh"
},
{
"access_scope": [
"192.168.0.188",
"scp",
"docker compose up -d"
],
"action_buttons_allowed": false,
"config_kind": "monitoring_ssh_deploy_script",
"control_tier": "C1",
"current_state": "write_capable_script_visible_gate_closed",
"expected_scope": "192.168.0.188",
"label": "Monitoring exporter deploy SSH script",
"line_count": 76,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 exporter deploy owner、maintenance window、rollback owner、host key policy 與 post-check 指標。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "dbcbca21cf6fd5083177cb8a12c008c1aefed8e6ed05b70d738b3db37699cef3",
"source_exists": true,
"source_path": "ops/monitoring/deploy-exporters.sh",
"surface_id": "monitoring_exporter_deploy_ssh"
},
{
"access_scope": [
"/etc/ssh",
"/etc/nginx",
"systemd",
"docker",
"k8s"
],
"action_buttons_allowed": false,
"config_kind": "ssh_backup_capture",
"control_tier": "C1",
"current_state": "read_capable_capture_visible_not_executed",
"expected_scope": "110_188_120_121_cluster",
"label": "Backup config SSH capture",
"line_count": 359,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 backup execution owner、secret redaction proof、retention owner 與 restore validation。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "d24301cff44e464bd19ce0792362be16916ccde8c92f92351a19ef4ee988f15e",
"source_exists": true,
"source_path": "scripts/backup/backup-configs.sh",
"surface_id": "backup_config_ssh_capture"
},
{
"access_scope": [
"awoooi-hosts-add",
"docker kill SIGHUP",
"promtool",
"amtool"
],
"action_buttons_allowed": false,
"config_kind": "sudoers_policy",
"control_tier": "C1",
"current_state": "sudoers_source_visible_needs_live_owner_evidence",
"expected_scope": "host_ops_minimal_sudo",
"label": "Host ops sudoers wrapper",
"line_count": 27,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 live sudoers hash、visudo validation、command owner、rollback owner 與 forbidden command proof。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "eff02c67402d2f5b2ac8d112dca26a15dc34f03593ca490a0682a6dfa9b0394d",
"source_exists": true,
"source_path": "scripts/host-ops/awoooi-wrapper.sudoers",
"surface_id": "host_ops_sudoers_wrapper"
},
{
"access_scope": [
"default deny",
"ingress",
"egress",
"SSH egress",
"Ollama",
"monitoring"
],
"action_buttons_allowed": false,
"config_kind": "k8s_network_policy",
"control_tier": "C1",
"current_state": "repo_policy_visible_needs_live_cluster_diff",
"expected_scope": "awoooi_prod_namespace",
"label": "K8s production NetworkPolicy",
"line_count": 306,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 live NetworkPolicy diff、ingress / egress owner、rollback owner 與 route smoke。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "f5ea6a9f5fb0cc44664d97a3ed639fa4b43ffd9bcfd70a1f6b44640791b7859f",
"source_exists": true,
"source_path": "k8s/awoooi-prod/02-network-policy.yaml",
"surface_id": "k8s_prod_network_policy"
},
{
"access_scope": [
"192.168.0.188",
"argocd metrics",
"192.168.0.0/24 UI"
],
"action_buttons_allowed": false,
"config_kind": "k8s_network_policy",
"control_tier": "C1",
"current_state": "repo_policy_visible_needs_prometheus_owner_confirmation",
"expected_scope": "argocd_namespace",
"label": "ArgoCD metrics NetworkPolicy",
"line_count": 80,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 Prometheus scrape owner、NodePort exposure owner、live policy diff 與 rollback owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "41ccd0bb22410c48adc84eae74391106c3f28fe181786cfe4128a07f99d2942c",
"source_exists": true,
"source_path": "k8s/argocd/argocd-metrics-network-policy.yaml",
"surface_id": "argocd_metrics_network_policy"
},
{
"access_scope": [
"nodePort 30882",
"nodePort 30883"
],
"action_buttons_allowed": false,
"config_kind": "k8s_nodeport_service",
"control_tier": "C1",
"current_state": "nodeport_source_visible_needs_exposure_review",
"expected_scope": "argocd_nodeport_30882_30883",
"label": "ArgoCD metrics NodePort",
"line_count": 47,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 NodePort exposure owner、firewall owner、Prometheus source whitelist 與 rollback owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "7f4a8f09206ce0afc185fe11d5e55265bb553b671471724cdcd83c259ec7d266",
"source_exists": true,
"source_path": "k8s/argocd/argocd-metrics-nodeport.yaml",
"surface_id": "argocd_metrics_nodeport"
},
{
"access_scope": [
"nodePort 30885",
"backup metrics"
],
"action_buttons_allowed": false,
"config_kind": "k8s_nodeport_service",
"control_tier": "C1",
"current_state": "nodeport_source_visible_needs_exposure_review",
"expected_scope": "velero_nodeport_30885",
"label": "Velero metrics NodePort",
"line_count": 26,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 Velero metrics exposure owner、firewall owner、Prometheus source whitelist 與 rollback owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "684959def32b792e2bca34b477afcdfe2b0c6dfd0cb90f4b681a514922d62b75",
"source_exists": true,
"source_path": "k8s/velero/velero-metrics-service.yaml",
"surface_id": "velero_metrics_nodeport"
},
{
"access_scope": [
"10.77.114.0/24",
"51820/udp",
"GCP-A",
"GCP-B"
],
"action_buttons_allowed": false,
"config_kind": "wireguard_runbook",
"control_tier": "C1",
"current_state": "target_architecture_documented_not_applied",
"expected_scope": "110_111_120_121_gcp_a_gcp_b",
"label": "GCP Ollama WireGuard mesh runbook",
"line_count": 280,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 WireGuard owner、public-key metadata、firewall rule owner、canary plan、rollback owner 與 cutover gate。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "0af082698c727176ca82c79f95f3950f4c32ed6aabc91c88aff41831fbf0c044",
"source_exists": true,
"source_path": "docs/runbooks/GCP-OLLAMA-WIREGUARD-MESH.md",
"surface_id": "wireguard_mesh_runbook"
},
{
"access_scope": [
"ssh_diagnose",
"docker restart",
"systemctl restart",
"docker compose",
"docker prune"
],
"action_buttons_allowed": false,
"config_kind": "alert_ssh_action_rules",
"control_tier": "C1",
"current_state": "ssh_action_catalog_visible_gate_closed",
"expected_scope": "ssh_mcp_action_catalog",
"label": "Alert rules SSH action surface",
"line_count": 889,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 action owner、read/write/admin 分級、approval gate、cooldown、rollback owner 與 post-check 指標。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "5786505aa05073bbb2069203a443a75c8337a289dc015630792d0c201c85cafb",
"source_exists": true,
"source_path": "apps/api/alert_rules.yaml",
"surface_id": "alert_rules_ssh_actions"
}
],
"execution_boundaries": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"firewall_change_authorized": false,
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"live_host_read_authorized": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"sudo_action_authorized": false,
"wireguard_change_authorized": false
},
"expected_scopes": [
"110_111_112_120_121_188",
"110_111_120_121_gcp_a_gcp_b",
"110_120_121_188_known_hosts",
"110_188_120_121_cluster",
"110_188_docker_hosts",
"192.168.0.110",
"192.168.0.120",
"192.168.0.188",
"argocd_namespace",
"argocd_nodeport_30882_30883",
"awoooi_prod_namespace",
"host_ops_minimal_sudo",
"k8s_ssh_host",
"multi_host",
"ssh_mcp_action_catalog",
"velero_nodeport_30885"
],
"generated_at": "2026-06-11T23:55:00+08:00",
"git_commit": "7cd47558",
"next_collection_order": [
"gitea_cd_known_hosts_secret",
"ansible_inventory_ssh_targets",
"host_ops_sudoers_wrapper",
"k8s_prod_network_policy",
"alert_rules_ssh_actions",
"argocd_metrics_nodeport",
"velero_metrics_nodeport",
"wireguard_mesh_runbook",
"monitoring_discover_docker_ssh",
"backup_config_ssh_capture"
],
"operator_interpretation": [
"這是 repo-only SSH / network access 清冊,不是 live host、firewall 或 cluster truth。",
"source_exists=true 只代表 repo 檔案存在;不代表 known_hosts、sudoers、NetworkPolicy、NodePort 或 WireGuard 已套用。",
"write-capable SSH / sudoers / alert action surface 可見代表需被管控,不代表 SSH、sudo、docker、systemctl 或 kubectl 已授權。",
"所有 live hash、pinned host key、maintenance window、rollback owner、firewall owner 與 post-check 指標都仍需 owner response。"
],
"schema_version": "ssh_network_access_inventory_v1",
"source_scope": "committed_repo_files_only",
"status": "repo_only_inventory_ready",
"summary": {
"action_button_count": 0,
"coverage_percent_after_inventory": 54,
"coverage_percent_before_inventory": 48,
"expected_scope_count": 16,
"live_evidence_received_count": 0,
"maintenance_window_accepted_count": 0,
"network_policy_surface_count": 2,
"nodeport_surface_count": 2,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"rollback_owner_accepted_count": 0,
"runtime_gate_count": 0,
"source_exists_count": 16,
"ssh_source_surface_count": 11,
"sudoers_surface_count": 1,
"surface_count": 16,
"surfaces_requiring_live_evidence_count": 16,
"surfaces_requiring_owner_response_count": 16,
"wireguard_surface_count": 1,
"write_capable_surface_count": 6
},
"write_capable_surfaces": [
{
"config_kind": "ci_deploy_ssh",
"expected_scope": "k8s_ssh_host",
"label": "Gitea CD K8s deploy SSH path",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "gitea_cd_deploy_ssh"
},
{
"config_kind": "ci_deploy_ssh",
"expected_scope": "192.168.0.120",
"label": "Gitea CD dev deploy SSH path",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "gitea_cd_dev_ssh"
},
{
"config_kind": "ci_deploy_ssh",
"expected_scope": "192.168.0.110",
"label": "Deploy alerts SSH path",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "deploy_alerts_ssh_path"
},
{
"config_kind": "monitoring_ssh_deploy_script",
"expected_scope": "192.168.0.188",
"label": "Monitoring exporter deploy SSH script",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "monitoring_exporter_deploy_ssh"
},
{
"config_kind": "sudoers_policy",
"expected_scope": "host_ops_minimal_sudo",
"label": "Host ops sudoers wrapper",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "host_ops_sudoers_wrapper"
},
{
"config_kind": "alert_ssh_action_rules",
"expected_scope": "ssh_mcp_action_catalog",
"label": "Alert rules SSH action surface",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "alert_rules_ssh_actions"
}
]
}