feat(iwooos): add security control coverage board
Some checks failed
Code Review / ai-code-review (push) Successful in 14s
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled
Some checks failed
Code Review / ai-code-review (push) Successful in 14s
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / tests (push) Has been cancelled
This commit is contained in:
@@ -1,3 +1,34 @@
|
||||
## 2026-06-26|IwoooS 資安納管覆蓋總表:主機、產品、服務、工具、Wazuh、AI Agent 統一讀回
|
||||
|
||||
**背景**:使用者要求不要再只靠散落文件判斷「所有主機、產品、網站、套件、服務、工具、AI Agent 是否納入資安機制」。本段把現有 committed snapshot 收斂成單一只讀 API 與 IwoooS 前台總表,明確顯示可見納管範圍、控制域、待補缺口與仍為 `0 / false` 的 runtime 邊界。
|
||||
|
||||
**完成**:
|
||||
- 新增 `iwooos_security_control_coverage_v1` 後端 aggregator,彙整 8 份 committed snapshot:security asset ledger、host service config、monitoring / alerting / observability、SSH / network access、Wazuh managed host coverage、agent-bounty onboarding、runtime surface inventory、AI Agent automation inventory。
|
||||
- 新增 `GET /api/v1/iwooos/security-control-coverage`;端點只讀 repo snapshot,不查 live host、不讀 secret、不連 Wazuh / Kali、不 SSH、不啟動掃描、不送 Telegram、不開 runtime gate。
|
||||
- 前台 `/zh-TW/iwooos` 新增 `IwoooS 資安納管覆蓋總表`,顯示 `visible_scope_unit_count=160`、`control_domain_count=8`、控制面可視 `71%`、runtime acceptance `0%`、owner accepted `0`、Wazuh manager registry accepted `0`。
|
||||
- 納管域包含:高價值資產與配置總帳、主機服務 / Docker / systemd、監控 / 告警 / 可觀測性、SSH / Firewall / WireGuard / NodePort / NetworkPolicy、AWOOOI runtime surfaces、Wazuh 主機納管、agent-bounty-protocol、AI Agent / Provider / 自動化資產。
|
||||
|
||||
**只讀驗證結果**:
|
||||
- `pytest apps/api/tests/test_iwooos_security_control_coverage.py apps/api/tests/test_iwooos_runtime_security_readback.py apps/api/tests/test_iwooos_wazuh_api.py -q`:`12 passed`。
|
||||
- `pnpm --dir apps/web typecheck`:通過。
|
||||
- `python3 -m json.tool apps/web/messages/zh-TW.json` / `apps/web/messages/en.json`:通過。
|
||||
- `python3.11 -m py_compile apps/api/src/api/v1/iwooos.py apps/api/src/services/iwooos_security_control_coverage.py apps/api/src/services/iwooos_runtime_security_readback.py apps/api/src/services/snapshot_paths.py`:通過。
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。
|
||||
- `python3 scripts/security/source-control-owner-response-guard.py --root .`:`SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。
|
||||
- `python3 scripts/ops/doc-secrets-sanity-check.py docs/security docs/templates apps/web/messages docs/LOGBOOK.md 'apps/web/src/app/[locale]/iwooos/page.tsx' apps/web/src/lib/api-client.ts apps/api/src/api/v1/iwooos.py apps/api/src/services/iwooos_security_control_coverage.py apps/api/src/services/iwooos_runtime_security_readback.py`:`DOC_SECRET_SANITY_OK scanned_files=274`。
|
||||
- `git diff --check`:通過。
|
||||
|
||||
**完成度同步**:
|
||||
- 後端納管覆蓋 aggregator / API source:`100%`。
|
||||
- 前台 IwoooS 納管覆蓋總表 source:`100%`。
|
||||
- 本地驗證:`95%`;production deploy / desktop / mobile 驗證待補。
|
||||
- 資安 runtime acceptance:仍 `0%`。
|
||||
- Owner response received / accepted:仍 `0 / 0`。
|
||||
- Wazuh manager registry accepted:仍 `0`。
|
||||
- Active scan / active response / host write / secret collection / Telegram send:仍 `0 / false`。
|
||||
|
||||
**邊界**:本段只做只讀 API、前台讀回與測試;沒有宣稱所有資產已完成 runtime 控管,沒有修 Wazuh agent,沒有改 Nginx / Firewall / Docker / systemd / K8s / workflow / secret,沒有 active scan、active response 或任何主機寫入。
|
||||
|
||||
## 2026-06-26|IwoooS Runtime 資安讀回總板:Wazuh / Kali / 告警 / owner dispatch 六條 P0 線接上只讀 API 與前台
|
||||
|
||||
**背景**:IwoooS 資安工作不能停在文件、靜態卡片或截圖;Wazuh、資安觀測節點、告警可讀性、owner dispatch、外部入侵防護與 runtime gate 必須能被前台讀回,同時不得把 UI 可見、route 200、transport count 或一般操作批准誤判成 runtime 授權。
|
||||
|
||||
Reference in New Issue
Block a user