feat(iwooos): add security control coverage board
Some checks failed
Code Review / ai-code-review (push) Successful in 14s
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled

This commit is contained in:
Your Name
2026-06-26 18:18:45 +08:00
parent f8c6dd7284
commit c8912204ce
8 changed files with 1021 additions and 1 deletions

View File

@@ -1,3 +1,34 @@
## 2026-06-26IwoooS 資安納管覆蓋總表主機、產品、服務、工具、Wazuh、AI Agent 統一讀回
**背景**使用者要求不要再只靠散落文件判斷「所有主機、產品、網站、套件、服務、工具、AI Agent 是否納入資安機制」。本段把現有 committed snapshot 收斂成單一只讀 API 與 IwoooS 前台總表,明確顯示可見納管範圍、控制域、待補缺口與仍為 `0 / false` 的 runtime 邊界。
**完成**
- 新增 `iwooos_security_control_coverage_v1` 後端 aggregator彙整 8 份 committed snapshotsecurity asset ledger、host service config、monitoring / alerting / observability、SSH / network access、Wazuh managed host coverage、agent-bounty onboarding、runtime surface inventory、AI Agent automation inventory。
- 新增 `GET /api/v1/iwooos/security-control-coverage`;端點只讀 repo snapshot不查 live host、不讀 secret、不連 Wazuh / Kali、不 SSH、不啟動掃描、不送 Telegram、不開 runtime gate。
- 前台 `/zh-TW/iwooos` 新增 `IwoooS 資安納管覆蓋總表`,顯示 `visible_scope_unit_count=160``control_domain_count=8`、控制面可視 `71%`、runtime acceptance `0%`、owner accepted `0`、Wazuh manager registry accepted `0`
- 納管域包含:高價值資產與配置總帳、主機服務 / Docker / systemd、監控 / 告警 / 可觀測性、SSH / Firewall / WireGuard / NodePort / NetworkPolicy、AWOOOI runtime surfaces、Wazuh 主機納管、agent-bounty-protocol、AI Agent / Provider / 自動化資產。
**只讀驗證結果**
- `pytest apps/api/tests/test_iwooos_security_control_coverage.py apps/api/tests/test_iwooos_runtime_security_readback.py apps/api/tests/test_iwooos_wazuh_api.py -q``12 passed`
- `pnpm --dir apps/web typecheck`:通過。
- `python3 -m json.tool apps/web/messages/zh-TW.json` / `apps/web/messages/en.json`:通過。
- `python3.11 -m py_compile apps/api/src/api/v1/iwooos.py apps/api/src/services/iwooos_security_control_coverage.py apps/api/src/services/iwooos_runtime_security_readback.py apps/api/src/services/snapshot_paths.py`:通過。
- `python3 scripts/security/security-mirror-progress-guard.py --root .``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- `python3 scripts/security/source-control-owner-response-guard.py --root .``SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`
- `python3 scripts/ops/doc-secrets-sanity-check.py docs/security docs/templates apps/web/messages docs/LOGBOOK.md 'apps/web/src/app/[locale]/iwooos/page.tsx' apps/web/src/lib/api-client.ts apps/api/src/api/v1/iwooos.py apps/api/src/services/iwooos_security_control_coverage.py apps/api/src/services/iwooos_runtime_security_readback.py``DOC_SECRET_SANITY_OK scanned_files=274`
- `git diff --check`:通過。
**完成度同步**
- 後端納管覆蓋 aggregator / API source`100%`
- 前台 IwoooS 納管覆蓋總表 source`100%`
- 本地驗證:`95%`production deploy / desktop / mobile 驗證待補。
- 資安 runtime acceptance`0%`
- Owner response received / accepted`0 / 0`
- Wazuh manager registry accepted`0`
- Active scan / active response / host write / secret collection / Telegram send`0 / false`
**邊界**:本段只做只讀 API、前台讀回與測試沒有宣稱所有資產已完成 runtime 控管,沒有修 Wazuh agent沒有改 Nginx / Firewall / Docker / systemd / K8s / workflow / secret沒有 active scan、active response 或任何主機寫入。
## 2026-06-26IwoooS Runtime 資安讀回總板Wazuh / Kali / 告警 / owner dispatch 六條 P0 線接上只讀 API 與前台
**背景**IwoooS 資安工作不能停在文件、靜態卡片或截圖Wazuh、資安觀測節點、告警可讀性、owner dispatch、外部入侵防護與 runtime gate 必須能被前台讀回,同時不得把 UI 可見、route 200、transport count 或一般操作批准誤判成 runtime 授權。