diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index a34b12379..1e7d1097b 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,31 @@ +## 2026-06-14|高價值配置 Owner Packet 收件預檢本地完成 + +**背景**:高價值配置 Owner Packet、前台摘要與 posture projection 已同步為 `packet=3 / c0=2`;下一步需建立 request dispatch 前的低摩擦收件預檢與 reviewer intake lanes,避免 C0 補件在真正送 owner request 前被誤讀成已送件、已收件或已授權。 + +**完成項目**: +- 新增 `scripts/security/high-value-config-owner-packet-intake-preflight.py`,從 committed owner packet snapshot 產生 metadata-only 收件預檢。 +- 新增 `docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json`,固定 `packet_count=3`、`c0_packet_count=2`、`dispatch_preflight_check_count=9`、`reviewer_intake_lane_count=5`、`required_owner_field_total=27`、`blocked_request_count=16`。 +- 新增 `docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET-INTAKE-PREFLIGHT.md`,說明送件前預檢、reviewer intake lanes、絕對邊界與完成度。 +- `security-mirror-progress-guard.py` 已鎖住新 snapshot 的 schema、summary、execution false flags、packet ids、check ids、lane ids 與每包 false flags。 +- P0 總帳、供應鏈進度、Owner Packet 主文件與 MASTER 已同步 P0-13。 + +**本地驗證**: +- `python3 -m json.tool docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json` 通過。 +- `python3 -m json.tool docs/security/high-value-config-owner-packet.snapshot.json` 通過。 +- `python3 -m py_compile scripts/security/high-value-config-owner-packet-intake-preflight.py scripts/security/security-mirror-progress-guard.py` 通過。 +- 產生器 smoke:`HIGH_VALUE_CONFIG_OWNER_PACKET_INTAKE_PREFLIGHT_OK packets=3 c0=2 checks=9 lanes=5 runtime_gate=0`。 +- `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。 +- `python3 scripts/security/source-control-owner-response-guard.py --root .` → `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。 +- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea` → `DOC_SECRET_SANITY_OK scanned_files=810`。 +- `git diff --check` 通過。 +- diff-only 工作溝通片語掃描通過;未加入工作溝通原文、委派 XML 或內部抱怨內容。 +- Snapshot assertion 通過:`OWNER_PACKET_INTAKE_ASSERTIONS_OK packets=3 c0=2 checks=9 lanes=5 runtime_gate=0`。 + +**完成度與邊界**: +- P0-13 高價值配置 Owner Packet 收件預檢:`100%`。 +- Production browser verification:不適用;本輪只改 repo 內文件、snapshot、guard 與產生器,不變更前端 bundle 或 runtime。 +- request sent、owner response received / accepted / rejected、reviewer queue write、live evidence、runtime gate、action buttons、Nginx live config、`nginx -t`、reload、DNS / TLS live probe、certbot renew、ArgoCD sync、kubectl action、workflow / secret 修改、public route change、agent-bounty runtime、host write、active scan、production write 全部維持 `0 / false`。 + ## 2026-06-14|IwoooS posture projection Owner Packet 數字漂移收斂 **背景**:高價值配置 owner packet snapshot 與正式前台已同步為 `packet=3 / c0=2`,但 `iwooos-posture-projection.snapshot.json` 與 `iwooos_posture_projection_v1.schema.json` 仍維持舊口徑 `packet=1 / c0=0`,會讓只讀 evidence 與前台 projection 分叉。 diff --git a/docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET-INTAKE-PREFLIGHT.md b/docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET-INTAKE-PREFLIGHT.md new file mode 100644 index 000000000..de38a569d --- /dev/null +++ b/docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET-INTAKE-PREFLIGHT.md @@ -0,0 +1,92 @@ +# IwoooS 高價值配置 Owner Packet 收件預檢 + +| 項目 | 內容 | +|------|------| +| 日期 | 2026-06-14 | +| 狀態 | `request_dispatch_preflight_ready` | +| 工具 | `scripts/security/high-value-config-owner-packet-intake-preflight.py` | +| 輸入 | `docs/security/high-value-config-owner-packet.snapshot.json` | +| Snapshot | `docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json` | +| runtime gate | `0` | + +## 1. 目的 + +本文件承接高價值配置 Owner Packet 草案,建立送件前的只讀預檢與 reviewer 收件分流。它的目標是讓 Nginx public gateway、DNS / TLS / certbot 與 security evidence tooling 三包在送 owner request 前先完成欄位、脫敏、拒收執行要求與 reviewer lane 的一致框架。 + +本階段仍不是 request sent、不是 owner response received、不是 accepted record、不是 reviewer queue write,也不是 Nginx reload、DNS / TLS 變更、workflow 修改、host write、active scan、agent-bounty runtime、payout / withdrawal 或 production write 授權。 + +## 2. 目前摘要 + +| 指標 | 值 | 說明 | +|------|----|------| +| packet count | `3` | `dns_tls_certbot`、`nginx_public_gateway`、`security_evidence_tooling` | +| C0 packet count | `2` | DNS / TLS / certbot 與 Nginx public gateway | +| canonical owner fields | `9` | 對齊 Owner Packet 的九欄補件要求 | +| required owner field total | `27` | 三包各九欄 | +| dispatch preflight checks | `9` | 送件前必查項 | +| reviewer intake lanes | `5` | waiting、補件、隔離、拒收、進 reviewer validation | +| blocked request count | `16` | repo / refs / workflow / runner / host / scan / runtime / payout 等要求全部拒收 | +| request sent | `0` | 尚未送 request | +| received / accepted / rejected | `0 / 0 / 0` | 尚未收到或驗收任何 owner response | +| runtime gate | `0` | 未開啟 | + +## 3. 送件前預檢 + +| Check | 說明 | +|-------|------| +| `baseline_commit_synced` | 使用最新 `gitea/main` 與 committed snapshot,不用過期 packet 送件 | +| `source_snapshot_current` | 來源必須是 repo 內 committed owner packet snapshot,不讀 live 主機 | +| `packet_scope_mapped` | 每包都有 category、priority、control tier、required gate 與 affected files | +| `canonical_fields_present` | 每包都要求九個 canonical owner 欄位 | +| `redacted_evidence_refs_only` | Evidence 只允許脫敏參照 | +| `no_sensitive_payload` | 禁止 token、secret、private key、cookie、session、authorization header、runner token、webhook secret | +| `no_execution_request` | 拒收 reload、deploy、sync、host write、active scan、payout 或 withdrawal | +| `maintenance_and_rollback_fields_present` | C0 / P0 仍需維護窗口與 rollback owner,不由 packet 自動授權 | +| `validation_plan_present` | 必須有 preflight、post-check、rollback check 或文件 guard 驗證計畫 | + +## 4. Reviewer 收件分流 + +| Lane | 使用時機 | Gate 影響 | +|------|----------|-----------| +| `keep_waiting_owner_response` | 尚未收到 owner response、只有空白或口頭資訊 | request / received / accepted / rejected 維持 `0` | +| `request_more_evidence` | 欄位缺漏、scope 不清、evidence refs 不足 | 不增加 accepted | +| `quarantine_sensitive_payload` | 疑似含敏感 payload、raw log、未脫敏截圖或 private credential URL | 不保存 raw payload,不渲染到前端或 LOGBOOK | +| `reject_execution_request` | 夾帶 git、workflow、runner、host、scan、runtime、payout 等執行要求 | 不建立 action button、不進 runtime gate | +| `ready_for_reviewer_validation` | 欄位完整、證據脫敏、無敏感 payload 且無執行要求 | 只進 reviewer checklist,仍非 accepted | + +## 5. 指令 + +產生 committed snapshot: + +```bash +python3 scripts/security/high-value-config-owner-packet-intake-preflight.py \ + --root . \ + --owner-packet-report docs/security/high-value-config-owner-packet.snapshot.json \ + --output docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json \ + --generated-at 2026-06-14T18:25:00+08:00 +``` + +驗證 guard: + +```bash +python3 scripts/security/security-mirror-progress-guard.py --root . +``` + +## 6. 絕對邊界 + +1. 預檢完成不代表 request sent。 +2. Packet 完整不代表 owner response received。 +3. Reviewer lane 存在不代表 reviewer accepted。 +4. `confirm` 不代表 runtime reload、deploy、sync、scan、payout 或 host write。 +5. 任何敏感 payload 都只能隔離 metadata,不得保存 raw value。 +6. 任何執行要求都必須切獨立人工批准與維護窗口。 + +## 7. 完成度 + +| 工作 | 完成度 | 說明 | +|------|--------|------| +| 收件預檢 artifact | `100%` | 產生器、snapshot 與 guard 已固定 | +| request dispatch | `0%` | 尚未送 owner request | +| owner response received | `0%` | 尚未收到正式回覆 | +| reviewer accepted | `0%` | 尚未建立 security acceptance record | +| runtime gate | `0%` | 未授權且未開啟 | diff --git a/docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET.md b/docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET.md index bf7facfa8..aef7da474 100644 --- a/docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET.md +++ b/docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET.md @@ -27,6 +27,12 @@ P0.2 已能將變更分類成 C0 / C1 / C2 / C3。本文件與工具負責下一 重產結果為 `packet_count=3`、`c0_packet_count=2`、`c1_packet_count=0`、`runtime_gate_count=0`;request / received / accepted 仍全部維持 `0`。 +## 1.2 2026-06-14 收件預檢 + +已新增 `docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET-INTAKE-PREFLIGHT.md` 與 `docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json`,將三包草案轉成送件前預檢與 reviewer intake lanes。 + +目前固定為 `dispatch_preflight_check_count=9`、`reviewer_intake_lane_count=5`、`required_owner_field_total=27`、`blocked_request_count=16`。此 artifact 只表示收件框架已準備,不代表 request sent、owner response received、reviewer accepted、queue write、runtime execution、Nginx reload、DNS / TLS 變更、workflow 修改、host write、active scan 或 production write。 + ## 2. Canonical 欄位 高價值配置 packet 對齊 S4.9 canonical owner response envelope,使用以下欄位: diff --git a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md index 7c17ea002..f08e9517a 100644 --- a/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md +++ b/docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md @@ -7,7 +7,7 @@ | 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 | | 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP 執行監控 IwoooS 執行狀態只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub 主要來源就緒度只讀狀態板 + AwoooP 工作鏈路 GitHub 主要來源就緒度只讀工作項 + AwoooP 合約儀表板 GitHub 主要來源就緒度合約只讀候選 + AwoooP 審批佇列 GitHub 主要來源就緒度審批邊界 + AwoooP 首頁 GitHub 主要來源就緒度只讀摘要 + AwoooP 租戶管理 GitHub 主要來源就緒度租戶範圍 + AwoooP 執行監控 GitHub 主要來源就緒度執行邊界 + IwoooS / AwoooP 資安可視區塊繁體中文呈現防護檢查 + AwoooP 執行詳情 / 審批詳情繁體中文呈現防護檢查 + AwoooP 首頁負責人回覆驗收總覽 + AwoooP 工作鏈路負責人回覆驗收只讀工作項 + AwoooP 合約儀表板負責人回覆驗收契約只讀候選 + AwoooP 審批佇列負責人回覆驗收只讀審查邊界 + AwoooP 租戶管理負責人回覆驗收租戶範圍 + AwoooP 執行監控負責人回覆驗收執行邊界 + AwoooP 執行詳情負責人回覆驗收詳情邊界 + AwoooP 審批決策負責人回覆驗收審批邊界 + IwoooS AwoooP 資安入口覆蓋狀態板 + IwoooS 階段式資安收斂節奏圖 + IwoooS 下一步人工收件作戰板 + IwoooS 人工回覆安全驗收閘道 + IwoooS 人工回覆審查結果分流 + IwoooS 人工決策準備佇列 + IwoooS 人工決策紀錄草稿防誤用 + IwoooS 人工決策正式紀錄負責人指派確認準備包 + IwoooS 人工決策正式紀錄負責人指派確認清單 + IwoooS 人工決策正式紀錄負責人指派確認結果分流 + IwoooS 人工決策正式紀錄負責人指派決策準備包 + IwoooS 人工決策正式紀錄負責人指派決策檢查清單 + IwoooS S4.9 負責人回覆封套欄位 + IwoooS S4.9 負責人回覆封套送件前檢查 + IwoooS S4.9 負責人回覆封套送件前結果分流 + IwoooS S4.9 負責人回覆送件請求草稿 + IwoooS S4.9 負責人回覆送件鏈路摘要 + IwoooS 低摩擦分階段收斂主控 + IwoooS 低摩擦下一步行動邊界 + IwoooS 64% 進度移動訊號驗收條 + IwoooS 第一個進度解鎖路徑 + IwoooS 第一解鎖證據包 + IwoooS 第一解鎖證據包預檢分流 + IwoooS 第一解鎖證據包補件路徑 + IwoooS 第一解鎖證據包補件送審前檢查 + IwoooS 第一解鎖證據包補件送審結果分流 + IwoooS 第一解鎖證據包 reviewer 指派準備包 + IwoooS 第一解鎖證據包 reviewer 指派前檢查 + IwoooS 第一解鎖證據包 reviewer 指派前檢查結果分流 + IwoooS 正式只讀 landing 與 Kali 112 只讀證據進度重估 | | 本階段追加補充 | IwoooS 目前具體工作地圖 + IwoooS 目前具體交付清單 + IwoooS 目前阻塞與解除條件 + IwoooS 三軸進度與全產品套用範圍 + IwoooS 全產品分階段套用台帳 + IwoooS 全產品 rollout 波次驗收門檻 + IwoooS 全產品 rollout 驗收結果分流 + IwoooS 全產品證據接線地圖 + IwoooS 全產品證據接線預檢 + IwoooS 全產品證據接線預檢結果分流 + IwoooS 全產品預檢補件回收台帳 + IwoooS 全產品補件重試門檻 + IwoooS 全產品重試結果分流 + IwoooS 全產品人工審查候選準備 + IwoooS 全產品人工審查候選預檢 + IwoooS 全產品人工審查候選預檢結果分流 + IwoooS 全產品人工審查候選預檢補件回收台帳 + IwoooS 全產品人工審查候選預檢補件重試門檻 + IwoooS 全產品只讀套用快照 + P2-145 owner response acceptance gate 正式驗證完成 | -| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成;Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*`,sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`;Gate 預設工作樹 preflight 已可讀取 staged / unstaged / untracked,本地 smoke 對臨時 `k8s/nginx/*` 檔命中 C0;Owner Packet snapshot 已同步為 `packets=3 / c0=2`,Coverage snapshot 已同步最新 patterns;IwoooS / AwoooP 前台 Owner Packet 摘要已正式驗證 `packet=3 / c0=2`,feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;IwoooS posture projection snapshot / schema / guard 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;owner response / live evidence / runtime gate / action buttons 仍全部為 0 | +| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成;Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*`,sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`;Gate 預設工作樹 preflight 已可讀取 staged / unstaged / untracked,本地 smoke 對臨時 `k8s/nginx/*` 檔命中 C0;Owner Packet snapshot 已同步為 `packets=3 / c0=2`,Coverage snapshot 已同步最新 patterns;IwoooS / AwoooP 前台 Owner Packet 摘要已正式驗證 `packet=3 / c0=2`,feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;IwoooS posture projection snapshot / schema / guard 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;高價值配置 Owner Packet 收件預檢已新增 `checks=9 / lanes=5 / required_fields=27 / blocked_requests=16`;owner response / live evidence / runtime gate / action buttons 仍全部為 0 | | 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary | | P0 主控板 | `docs/workplans/2026-06-04-iwooos-security-governance-p0.md` | @@ -387,6 +387,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons | P0 配置控管優先序前台 | 正式驗證完成 | `/iwooos` 新增 P0 配置控管優先序看板,集中顯示 Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類即時風險配置;feature commit `e992af89`、deploy marker `ed651a98`、Gitea code-review `2971` / CD `2970` success;本地與正式 in-app browser、desktop `1440x1100`、mobile `390x844` 檢查通過,新增看板操作控制 `0`、水平溢位 `0`、工作視窗片語命中 `0` | 使用者與另一個 AwoooP Session 能先看到哪些重要配置要優先被資安控管;這不是 Nginx live conf 讀取、`nginx -t`、reload、DNS / TLS probe、certbot renew、ArgoCD sync、kubectl、workflow / secret 修改、public route change、agent-bounty runtime、payout / withdrawal、production write 或 runtime gate | | 高價值配置 Owner Packet 前台同步 | 正式驗證完成 | `/iwooos` 與 `/awooop` 已同步 owner packet snapshot,顯示 `packet=3 / c0=2`、Nginx public gateway、DNS / TLS / certbot 與 security tooling 影響範圍;feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;本地與正式 desktop / mobile / in-app browser smoke 已確認必要文字與 boundary keys 可見、水平溢位 `0`、卡片內操作控制 `0`、危險連結 `0`、工作溝通片語命中 `0` | 這是前台 read-only projection 對齊,不是 owner request sent、owner response received / accepted、Nginx reload、certbot renew、DNS / TLS probe、workflow 修改、secret rotation、agent-bounty runtime、host write、active scan、production write 或 runtime gate;headline 仍不提高 | | IwoooS posture projection Owner Packet 數字同步 | 本地完成 | `iwooos-posture-projection.snapshot.json`、`iwooos_posture_projection_v1.schema.json` 與 `security-mirror-progress-guard.py` 已同步 `high_value_config_owner_packet_count=3`、`high_value_config_owner_packet_c0_packet_count=2` | 這是 committed evidence / schema / guard drift closure,不是前端 bundle、CD、runtime gate、owner request sent、owner response received / accepted 或 production write;不需要 production browser smoke | +| 高價值配置 Owner Packet 收件預檢 | 本地完成 | `high-value-config-owner-packet-intake-preflight.snapshot.json` 已固定 `packet_count=3`、`c0_packet_count=2`、`dispatch_preflight_check_count=9`、`reviewer_intake_lane_count=5`、`required_owner_field_total=27`、`blocked_request_count=16`,並由 `security-mirror-progress-guard.py` 鎖住 packet ids、check ids、lane ids 與 false flags | 這是 request dispatch 前的只讀預檢與 reviewer intake lanes,不是 request sent、owner response received / accepted、reviewer queue write、Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate;不需要 production browser smoke | | S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate | | S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item | | S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 | diff --git a/docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json b/docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json new file mode 100644 index 000000000..e6a3e5e3d --- /dev/null +++ b/docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json @@ -0,0 +1,339 @@ +{ + "allowed_decisions": [ + "confirm", + "defer", + "reject", + "request_more_evidence" + ], + "blocked_requests": [ + "repo_create", + "visibility_change", + "refs_sync", + "refs_delete", + "force_push", + "workflow_modify", + "runner_enable", + "secret_value_submit", + "ssh_host_modify", + "nginx_reload", + "dns_tls_modify", + "argocd_sync", + "kubectl_apply", + "active_scan", + "agent_bounty_runtime_execute", + "payout_or_withdrawal" + ], + "canonical_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan" + ], + "completion": { + "owner_request_sent_percent": 0, + "owner_response_received_percent": 0, + "request_dispatch_preflight_artifact_percent": 100, + "reviewer_accepted_percent": 0, + "runtime_gate_percent": 0 + }, + "dispatch_preflight_checks": [ + { + "check_id": "baseline_commit_synced", + "gate_effect": "不增加 request_sent / received / accepted / runtime gate。", + "instruction": "使用最新 gitea/main 與 owner packet snapshot;不得用過期 packet 送件。", + "label": "基線 commit 已同步", + "required": true, + "status": "preflight_required_before_request_dispatch" + }, + { + "check_id": "source_snapshot_current", + "gate_effect": "不增加 request_sent / received / accepted / runtime gate。", + "instruction": "來源必須是 committed high-value-config-owner-packet snapshot,不讀 live 主機。", + "label": "來源 snapshot 目前有效", + "required": true, + "status": "preflight_required_before_request_dispatch" + }, + { + "check_id": "packet_scope_mapped", + "gate_effect": "不增加 request_sent / received / accepted / runtime gate。", + "instruction": "每包需有 category、priority、control tier、required gate 與 affected files。", + "label": "Packet scope 已映射", + "required": true, + "status": "preflight_required_before_request_dispatch" + }, + { + "check_id": "canonical_fields_present", + "gate_effect": "不增加 request_sent / received / accepted / runtime gate。", + "instruction": "每包需要求 owner role、decision、reason、scope、evidence refs、followup、rollback、window、validation。", + "label": "Canonical 欄位已固定", + "required": true, + "status": "preflight_required_before_request_dispatch" + }, + { + "check_id": "redacted_evidence_refs_only", + "gate_effect": "不增加 request_sent / received / accepted / runtime gate。", + "instruction": "只收文件路徑、snapshot id、ticket id、commit、hash 或 metadata pointer。", + "label": "Evidence refs 只允許脫敏參照", + "required": true, + "status": "preflight_required_before_request_dispatch" + }, + { + "check_id": "no_sensitive_payload", + "gate_effect": "不增加 request_sent / received / accepted / runtime gate。", + "instruction": "不得收 token、secret、private key、cookie、session、authorization header、runner token 或 webhook secret。", + "label": "禁止敏感 payload", + "required": true, + "status": "preflight_required_before_request_dispatch" + }, + { + "check_id": "no_execution_request", + "gate_effect": "不增加 request_sent / received / accepted / runtime gate。", + "instruction": "不得夾帶 reload、deploy、sync、host write、active scan、payout 或 withdrawal。", + "label": "拒收執行要求", + "required": true, + "status": "preflight_required_before_request_dispatch" + }, + { + "check_id": "maintenance_and_rollback_fields_present", + "gate_effect": "不增加 request_sent / received / accepted / runtime gate。", + "instruction": "C0 / P0 仍需獨立人工批准、維護窗口與 rollback owner,不能由 packet 自動授權。", + "label": "維護窗口與回滾 owner 欄位存在", + "required": true, + "status": "preflight_required_before_request_dispatch" + }, + { + "check_id": "validation_plan_present", + "gate_effect": "不增加 request_sent / received / accepted / runtime gate。", + "instruction": "必須能說明 preflight、post-check、rollback check;只讀文件變更則對應 guard / JSON / doc sanity。", + "label": "驗證計畫欄位存在", + "required": true, + "status": "preflight_required_before_request_dispatch" + } + ], + "execution_boundaries": { + "action_buttons_allowed": false, + "active_scan_authorized": false, + "dispatch_authorized": false, + "dns_tls_change_authorized": false, + "host_write_authorized": false, + "nginx_reload_authorized": false, + "not_authorization": true, + "production_write_authorized": false, + "request_sent": false, + "reviewer_queue_write": false, + "runtime_execution_authorized": false, + "secret_value_collection_allowed": false, + "workflow_modification_authorized": false + }, + "generated_at": "2026-06-14T18:25:00+08:00", + "git_commit": "3de776f4", + "intake_packets": [ + { + "accepted_response": false, + "action_buttons_allowed": false, + "affected_file_count": 2, + "affected_files": [ + "scripts/ops/188-registry-certbot-fix.sh", + "scripts/ops/fix-188-registry-certbot-renewal.sh" + ], + "category_id": "dns_tls_certbot", + "control_tier": "C0", + "label": "DNS / TLS / certbot / certificate path", + "not_authorization": true, + "packet_id": "high_value_config_owner_packet:dns_tls_certbot", + "priority": "P0", + "production_write_authorized": false, + "received_response": false, + "rejected_response": false, + "request_sent": false, + "required_gate": "domain_tls_owner_response_required", + "required_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan" + ], + "required_validation": [ + "domain_inventory", + "certificate_path_check", + "renewal_window", + "acme_path_smoke", + "public_https_smoke", + "rollback_ref" + ], + "reviewer_queue_write": false, + "runtime_gate": false, + "secret_value_collection_allowed": false, + "status": "waiting_request_dispatch_preflight" + }, + { + "accepted_response": false, + "action_buttons_allowed": false, + "affected_file_count": 1, + "affected_files": [ + "k8s/nginx/awoooi-prod.conf" + ], + "category_id": "nginx_public_gateway", + "control_tier": "C0", + "label": "Nginx / reverse proxy / public route", + "not_authorization": true, + "packet_id": "high_value_config_owner_packet:nginx_public_gateway", + "priority": "P0", + "production_write_authorized": false, + "received_response": false, + "rejected_response": false, + "request_sent": false, + "required_gate": "public_gateway_owner_response_required", + "required_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan" + ], + "required_validation": [ + "rendered_diff", + "nginx_t", + "affected_route_smoke", + "admin_route_smoke_if_affected", + "acme_path_smoke_if_affected", + "rollback_ref" + ], + "reviewer_queue_write": false, + "runtime_gate": false, + "secret_value_collection_allowed": false, + "status": "waiting_request_dispatch_preflight" + }, + { + "accepted_response": false, + "action_buttons_allowed": false, + "affected_file_count": 3, + "affected_files": [ + "docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md", + "docs/security/high-value-config-change-gate.snapshot.json", + "scripts/security/high-value-config-change-gate.py" + ], + "category_id": "security_evidence_tooling", + "control_tier": "C3", + "label": "Security evidence / snapshot / guard tooling", + "not_authorization": true, + "packet_id": "high_value_config_owner_packet:security_evidence_tooling", + "priority": "P3", + "production_write_authorized": false, + "received_response": false, + "rejected_response": false, + "request_sent": false, + "required_gate": "security_evidence_owner_review_required", + "required_owner_fields": [ + "owner_role_or_team", + "decision", + "decision_reason", + "affected_scope", + "redacted_evidence_refs", + "followup_owner", + "rollback_owner", + "maintenance_window", + "validation_plan" + ], + "required_validation": [ + "snapshot_parse", + "guard_smoke", + "doc_secret_sanity", + "no_runtime_gate_increase" + ], + "reviewer_queue_write": false, + "runtime_gate": false, + "secret_value_collection_allowed": false, + "status": "waiting_request_dispatch_preflight" + } + ], + "next_steps": [ + "先由 reviewer 確認預檢 snapshot 與 owner packet snapshot 皆為最新 committed evidence。", + "送件前只準備脫敏欄位與禁止條款,不送 secret value、不附 raw payload。", + "收到回覆後先依 intake lanes 分流;通過 reviewer validation 之前 received / accepted 不得增加。", + "任何 runtime、Nginx reload、DNS / TLS、workflow、runner、host 或 payout 動作都必須切獨立人工批准。" + ], + "reviewer_intake_lanes": [ + { + "gate_effect": "request / received / accepted / rejected 維持 0。", + "instruction": "尚未收到 owner response 或只有空白 / 口頭同意時維持等待。", + "lane_id": "keep_waiting_owner_response", + "status": "reviewer_intake_lane_defined" + }, + { + "gate_effect": "不得增加 accepted 或 runtime gate。", + "instruction": "欄位缺漏、scope 不清或 redacted evidence refs 不足時補件。", + "lane_id": "request_more_evidence", + "status": "reviewer_intake_lane_defined" + }, + { + "gate_effect": "不得保存 raw payload、不得渲染到前端或 LOGBOOK。", + "instruction": "疑似含敏感 payload、raw log、未脫敏截圖或 private credential URL 時隔離。", + "lane_id": "quarantine_sensitive_payload", + "status": "reviewer_intake_lane_defined" + }, + { + "gate_effect": "不得建立 action button、不得轉成執行批准。", + "instruction": "夾帶 repo / refs / workflow / runner / host / scan / runtime 執行要求時拒收。", + "lane_id": "reject_execution_request", + "status": "reviewer_intake_lane_defined" + }, + { + "gate_effect": "仍不是 accepted,也不是 runtime authorization。", + "instruction": "欄位完整、證據脫敏、無敏感 payload 且無執行要求時才可進 reviewer checklist。", + "lane_id": "ready_for_reviewer_validation", + "status": "reviewer_intake_lane_defined" + } + ], + "schema_version": "high_value_config_owner_packet_intake_preflight_v1", + "source_false_flags": { + "action_buttons_allowed": false, + "active_scan_authorized": false, + "dns_tls_change_authorized": false, + "force_push_authorized": false, + "host_write_authorized": false, + "nginx_reload_authorized": false, + "refs_sync_authorized": false, + "request_sent": false, + "response_accepted": false, + "response_received": false, + "runner_change_authorized": false, + "runtime_execution_authorized": false, + "secret_value_collection_allowed": false, + "workflow_modification_authorized": false + }, + "source_owner_packet_schema_version": "high_value_config_owner_packet_v1", + "source_owner_packet_status": "draft_waiting_owner_response", + "status": "request_dispatch_preflight_ready", + "summary": { + "accepted_response_count": 0, + "action_button_count": 0, + "blocked_request_count": 16, + "c0_packet_count": 2, + "c1_packet_count": 0, + "canonical_owner_field_count": 9, + "dispatch_preflight_check_count": 9, + "packet_count": 3, + "received_response_count": 0, + "rejected_response_count": 0, + "request_sent_count": 0, + "required_owner_field_total": 27, + "reviewer_intake_lane_count": 5, + "reviewer_queue_write_count": 0, + "runtime_gate_count": 0 + } +} diff --git a/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md b/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md index eda45327a..c40ba9268 100644 --- a/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md +++ b/docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md @@ -687,6 +687,7 @@ Alert / Sentry / SigNoz / Gitea / Market Watch / Operator | `scripts/security/high-value-config-change-gate.py` + `docs/security/high-value-config-change-gate.snapshot.json` + owner packet / coverage snapshots | P0 高價值配置 Gate pattern、工作樹 preflight、owner packet 與 coverage snapshot 同步本地完成;新增 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*`,讓 `k8s/nginx/awoooi-prod.conf` 命中 `nginx_public_gateway` P0 / C0,讓 `scripts/ops/188-registry-certbot-fix.sh` 與 `scripts/ops/fix-188-registry-certbot-renewal.sh` 命中 `dns_tls_certbot` P0 / C0;補強前 sample `matched=0 / C0=0`,補強後 sample `matched=3 / C0=2`;committed snapshot sample `changed_files=6`、`matched=6`、`categories=3`、`c0=2`、`c1=0`、strongest tier `C0`、strongest priority `P0`;預設模式已可讀取 staged / unstaged / untracked,臨時 `k8s/nginx/*` smoke 命中 C0;owner packet snapshot `packets=3 / c0=2 / runtime_gate=0`;coverage snapshot `categories=14 / c0=8 / avg=66 / runtime_gate=0`;owner evidence `provided=false / complete=false`,runtime execution `false` | 這是 repo 內分類工具與快照補強,不是 Nginx live conf 讀取、`nginx -t`、reload、DNS / TLS live probe、certbot renew、主機寫入、workflow 修改、secret 收集、active scan、production write 或 runtime gate | | `/zh-TW/iwooos` + `/zh-TW/awooop` 高價值配置 Owner Packet 前台同步 | 最新 owner packet snapshot 已投影到 IwoooS 與 AwoooP 前台,正式顯示 `packet=3 / c0=2`、最高命中 `C0 / P0`,並列出 Nginx public gateway、DNS / TLS / certbot 與 security tooling 影響範圍;request sent、received、accepted、runtime gate、action buttons 仍全部為 `0`;feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;本地與正式 desktop / mobile / in-app browser smoke 已確認必要文字、boundary keys、水平溢位 `0`、卡片內操作控制 `0`、危險連結 `0`、工作溝通片語命中 `0` | 這是前台 read-only projection 對齊,不是 owner request sent、owner response received / accepted、Nginx reload、certbot renew、DNS / TLS probe、workflow 修改、secret rotation、agent-bounty runtime、host write、active scan、production write 或 runtime gate | | `docs/security/iwooos-posture-projection.snapshot.json` + schema + guard | IwoooS posture projection Owner Packet 數字漂移已收斂;`high_value_config_owner_packet_count` 從 `1` 同步為 `3`,`high_value_config_owner_packet_c0_packet_count` 從 `0` 同步為 `2`,schema const 與 `security-mirror-progress-guard.py` expectation 已同步;request / received / accepted / runtime gate 仍全部為 `0` | 這是 committed evidence / schema / guard drift closure,不是前端 bundle、CD、owner request sent、owner response received / accepted、production write 或 runtime gate | +| `docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json` + `scripts/security/high-value-config-owner-packet-intake-preflight.py` | 高價值配置 Owner Packet 收件預檢已本地完成;承接 `packet=3 / c0=2` owner packet snapshot,固定 9 項 request dispatch preflight、5 條 reviewer intake lane、27 個 required owner fields 與 16 類 blocked request;`security-mirror-progress-guard.py` 已鎖住 schema、summary、false flags、packet ids、check ids 與 lane ids;request sent、received、accepted、rejected、reviewer queue write、runtime gate、action buttons 仍全部為 `0` | 這是 request dispatch 前只讀 artifact,不是 owner request sent、owner response received / accepted、reviewer queue write、Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate | | `docs/evaluations/ai_agent_live_read_model_gate_2026-06-11.json` + `GET /api/v1/agents/agent-live-read-model-gate` | P2-403B AgentSession / Redis Streams live read model gate;定義 safe fields、Redis envelope、worker gate、rollback plan 與 no-write smoke,不連 DB、不讀寫 Redis、不啟動 worker | #### 3.2.1c 2026-06-11 AI Agent 主動營運委派與版本生命週期契約 @@ -825,6 +826,7 @@ Repo / registry / release notes / K8s / host / observability / backup evidence 68. 補強 P0 高價值配置 Gate path pattern、工作樹 preflight、owner packet 與 coverage snapshot。✅ 本地完成;`k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*` 已納入 high-value config classification,Nginx public gateway 與 DNS / TLS / certbot sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`;gate snapshot 顯示 `changed_files=6`、`matched=6`、`categories=3`、`c0=2`、`c1=0`;預設模式已可讀取 staged / unstaged / untracked,臨時 `k8s/nginx/*` smoke 命中 C0;owner packet snapshot `packets=3 / c0=2 / runtime_gate=0`;coverage snapshot `categories=14 / c0=8 / avg=66 / runtime_gate=0`;owner evidence 仍 `provided=false / complete=false`,runtime execution 仍 `false`。這不是 live config read、`nginx -t`、reload、certbot renew、DNS / TLS probe、host write、active scan、workflow 修改、secret 收集、production write 或 runtime gate。 69. 同步高價值配置 Owner Packet 前台 projection。✅ 已完成並正式驗證;`/zh-TW/iwooos` 與 `/zh-TW/awooop` 已顯示 owner packet snapshot `packet=3 / c0=2`、最高命中 `C0 / P0`、Nginx public gateway、DNS / TLS / certbot 與 security tooling 影響範圍;feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;request sent、received、accepted、runtime gate 與 action buttons 仍為 `0`;本地與正式 desktop / mobile / in-app browser smoke 已通過,水平溢位 `0`、卡片內操作控制 `0`、危險連結 `0`、工作溝通片語命中 `0`。不得因此調高 IwoooS headline。 70. 收斂 IwoooS posture projection Owner Packet 數字漂移。✅ 本地完成;`iwooos-posture-projection.snapshot.json`、`iwooos_posture_projection_v1.schema.json` 與 `security-mirror-progress-guard.py` 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;request sent、received、accepted 與 runtime gate 仍全部為 `0`。這不是前端 bundle、CD、owner response accepted、production write 或 runtime gate,下一步回到高價值配置 owner response request dispatch / reviewer intake。 +71. 建立高價值配置 Owner Packet 收件預檢與 reviewer intake。✅ 本地完成;新增 `high-value-config-owner-packet-intake-preflight.py`、snapshot 與說明文件,將三包 owner packet 轉成 `dispatch_preflight_check_count=9`、`reviewer_intake_lane_count=5`、`required_owner_field_total=27`、`blocked_request_count=16` 的只讀預檢;`security-mirror-progress-guard.py` 已固定 schema、summary、false flags、packet ids、check ids 與 lane ids;request sent、received、accepted、rejected、reviewer queue write、runtime gate、action buttons 仍全部為 `0`。這不是 owner request sent、owner response received / accepted、Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate。 #### 3.2.1d 2026-06-11 Agent 互動、學習與成長證據面 @@ -4684,3 +4686,16 @@ Trigger commit `f5cd37b7` 與 deploy marker `0ba92357` 已把 governance UI 的 - in-app browser 與 Playwright desktop / mobile production smoke 均確認 D4 面板、必填欄位、阻擋原因、下一步、Runs / 審批連結可見;水平溢出 `0`,危險執行入口 `0`。 **裁決:** D4 只把 blocked repair candidate 變成 operator 可讀、可追蹤、可補件的 Work Items 處置板;仍不是 AI 全自動修復完成。下一步必須補服務專屬 PlayBook coverage、MCP tool call / result 證據面,並用真實中低風險告警完成 approval -> execution -> verifier -> KM / PlayBook trust live-fire。active runtime gate 仍 `0`。 + +### 2026-06-14 18:25 (台北) — §3.2 / §5 — 新增高價值配置 Owner Packet 收件預檢 — 把三包草案轉成送件前 reviewer intake + +**觸發**:高價值配置 Owner Packet 已同步為 `packet=3 / c0=2`,且 posture projection / 前台已對齊;下一步需要把三包草案送件前的欄位、脫敏、拒收執行要求與 reviewer intake lane 固定成 committed evidence。 + +**已推進:** +- 新增 `scripts/security/high-value-config-owner-packet-intake-preflight.py`,讀取 `docs/security/high-value-config-owner-packet.snapshot.json`,產生 metadata-only 收件預檢。 +- 新增 `docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json`,固定 `packet_count=3`、`c0_packet_count=2`、`dispatch_preflight_check_count=9`、`reviewer_intake_lane_count=5`、`required_owner_field_total=27`、`blocked_request_count=16`。 +- 新增 `docs/security/HIGH-VALUE-CONFIG-OWNER-PACKET-INTAKE-PREFLIGHT.md`,說明送件前預檢、reviewer intake lanes、絕對邊界與完成度。 +- `security-mirror-progress-guard.py` 已鎖住新 snapshot 的 schema、summary、execution false flags、packet ids、check ids 與 lane ids。 +- P0 總帳、供應鏈進度與 MASTER artifact 表已同步 P0-13。 + +**裁決:** 這是 request dispatch 前的只讀預檢與 reviewer intake artifact,不是 request sent、owner response received / accepted、reviewer queue write、Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate;IwoooS headline 仍維持 `64%`,active runtime gate 仍 `0`。 diff --git a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md index 218039c58..80f42b1ae 100644 --- a/docs/workplans/2026-06-04-iwooos-security-governance-p0.md +++ b/docs/workplans/2026-06-04-iwooos-security-governance-p0.md @@ -77,6 +77,7 @@ | P0-10 | 高價值配置 Gate path coverage、工作樹 preflight、owner packet / coverage snapshot 補強 | 100% | 已將 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*` 納入 `high-value-config-change-gate.py`,讓 Nginx public gateway 與 DNS / TLS / certbot 既有路徑命中 P0 / C0;預設模式可讀取 staged / unstaged / untracked,避免本地 preflight 漏掉未提交配置;owner packet 與 coverage snapshot 已同步最新 pattern;owner evidence 仍未提供,runtime execution 仍 false | Gate sample:`changed_files=6 matched=6 categories=3 c0=2 c1=0`;工作樹 smoke:臨時 `k8s/nginx/*` 檔命中 C0;owner packet:`packets=3 c0=2 runtime_gate=0`;coverage:`categories=14 c0=8 avg=66 runtime_gate=0`;`py_compile`、snapshot JSON parse、progress guard、owner response guard、doc secret sanity、diff check | | P0-11 | 高價值配置 Owner Packet 前台同步 | local 100%;production 100% | `/zh-TW/iwooos` 與 `/zh-TW/awooop` 已同步 latest owner packet snapshot,顯示 `packet=3 / c0=2`、Nginx public gateway、DNS / TLS / certbot 與 security tooling 影響範圍;request sent、received、accepted、runtime gate 與 action buttons 仍全部為 `0` | Feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;本地與正式 desktop / mobile / in-app browser smoke:IwoooS 與 AwoooP 均 HTTP `200`、必要文字與 boundary keys 可見、水平溢位 `0`、卡片內操作控制 `0`、危險連結 `0`、工作溝通片語命中 `0`;headline 不提高 | | P0-12 | IwoooS posture projection Owner Packet count sync | 100% | `iwooos-posture-projection.snapshot.json` 與 schema 已從舊 `packet=1 / c0=0` 同步為 `packet=3 / c0=2`,避免 committed projection 與前台 / owner packet snapshot 分叉;request / received / accepted / runtime gate 仍為 `0` | `security-mirror-progress-guard.py` expectation 已同步;後續驗證以 JSON parse、schema parse、progress guard、owner response guard、doc secret sanity、diff check 為準;不需要 production browser smoke | +| P0-13 | 高價值配置 Owner Packet 收件預檢 / reviewer intake | 100% | 已新增 `high-value-config-owner-packet-intake-preflight.py`、snapshot 與文件,把三包 owner packet 轉成送件前 9 項預檢、5 條 reviewer intake lane、27 個 required owner fields 與 16 類 blocked request;request sent、received、accepted、rejected、reviewer queue write、runtime gate、action button 仍全部為 `0` | `HIGH_VALUE_CONFIG_OWNER_PACKET_INTAKE_PREFLIGHT_OK packets=3 c0=2 checks=9 lanes=5 runtime_gate=0`;progress guard 已固定 snapshot schema、summary、false flags、packet ids、check ids 與 lane ids;純 repo 內文件 / snapshot / guard,不需要 production browser smoke | ## 3. S4.9 Owner Response Gate 規範 diff --git a/scripts/security/high-value-config-owner-packet-intake-preflight.py b/scripts/security/high-value-config-owner-packet-intake-preflight.py new file mode 100644 index 000000000..f2b68585f --- /dev/null +++ b/scripts/security/high-value-config-owner-packet-intake-preflight.py @@ -0,0 +1,287 @@ +#!/usr/bin/env python3 +""" +IwoooS 高價值配置 owner packet 收件預檢產生器。 + +本工具讀取 committed owner packet snapshot,產生 request dispatch 前的 +只讀預檢與 reviewer intake lanes。它不送 request、不收回覆、不寫入 +reviewer queue、不建立 action button,也不開啟 runtime gate。 +""" + +from __future__ import annotations + +import argparse +import json +import subprocess +import sys +from datetime import datetime, timedelta, timezone +from pathlib import Path +from typing import Any + + +TAIPEI = timezone(timedelta(hours=8)) + +DISPATCH_PREFLIGHT_CHECKS = [ + ( + "baseline_commit_synced", + "基線 commit 已同步", + "使用最新 gitea/main 與 owner packet snapshot;不得用過期 packet 送件。", + ), + ( + "source_snapshot_current", + "來源 snapshot 目前有效", + "來源必須是 committed high-value-config-owner-packet snapshot,不讀 live 主機。", + ), + ( + "packet_scope_mapped", + "Packet scope 已映射", + "每包需有 category、priority、control tier、required gate 與 affected files。", + ), + ( + "canonical_fields_present", + "Canonical 欄位已固定", + "每包需要求 owner role、decision、reason、scope、evidence refs、followup、rollback、window、validation。", + ), + ( + "redacted_evidence_refs_only", + "Evidence refs 只允許脫敏參照", + "只收文件路徑、snapshot id、ticket id、commit、hash 或 metadata pointer。", + ), + ( + "no_sensitive_payload", + "禁止敏感 payload", + "不得收 token、secret、private key、cookie、session、authorization header、runner token 或 webhook secret。", + ), + ( + "no_execution_request", + "拒收執行要求", + "不得夾帶 reload、deploy、sync、host write、active scan、payout 或 withdrawal。", + ), + ( + "maintenance_and_rollback_fields_present", + "維護窗口與回滾 owner 欄位存在", + "C0 / P0 仍需獨立人工批准、維護窗口與 rollback owner,不能由 packet 自動授權。", + ), + ( + "validation_plan_present", + "驗證計畫欄位存在", + "必須能說明 preflight、post-check、rollback check;只讀文件變更則對應 guard / JSON / doc sanity。", + ), +] + +REVIEWER_INTAKE_LANES = [ + ( + "keep_waiting_owner_response", + "尚未收到 owner response 或只有空白 / 口頭同意時維持等待。", + "request / received / accepted / rejected 維持 0。", + ), + ( + "request_more_evidence", + "欄位缺漏、scope 不清或 redacted evidence refs 不足時補件。", + "不得增加 accepted 或 runtime gate。", + ), + ( + "quarantine_sensitive_payload", + "疑似含敏感 payload、raw log、未脫敏截圖或 private credential URL 時隔離。", + "不得保存 raw payload、不得渲染到前端或 LOGBOOK。", + ), + ( + "reject_execution_request", + "夾帶 repo / refs / workflow / runner / host / scan / runtime 執行要求時拒收。", + "不得建立 action button、不得轉成執行批准。", + ), + ( + "ready_for_reviewer_validation", + "欄位完整、證據脫敏、無敏感 payload 且無執行要求時才可進 reviewer checklist。", + "仍不是 accepted,也不是 runtime authorization。", + ), +] + +NEXT_STEPS = [ + "先由 reviewer 確認預檢 snapshot 與 owner packet snapshot 皆為最新 committed evidence。", + "送件前只準備脫敏欄位與禁止條款,不送 secret value、不附 raw payload。", + "收到回覆後先依 intake lanes 分流;通過 reviewer validation 之前 received / accepted 不得增加。", + "任何 runtime、Nginx reload、DNS / TLS、workflow、runner、host 或 payout 動作都必須切獨立人工批准。", +] + + +def git_short_sha(root: Path) -> str: + try: + result = subprocess.run( + ["git", "rev-parse", "--short", "HEAD"], + cwd=root, + check=True, + capture_output=True, + text=True, + ) + return result.stdout.strip() + except Exception: + return "unknown" + + +def load_json(path: Path) -> dict[str, Any]: + return json.loads(path.read_text(encoding="utf-8")) + + +def dispatch_preflight_checks() -> list[dict[str, Any]]: + return [ + { + "check_id": check_id, + "label": label, + "status": "preflight_required_before_request_dispatch", + "required": True, + "instruction": instruction, + "gate_effect": "不增加 request_sent / received / accepted / runtime gate。", + } + for check_id, label, instruction in DISPATCH_PREFLIGHT_CHECKS + ] + + +def reviewer_intake_lanes() -> list[dict[str, Any]]: + return [ + { + "lane_id": lane_id, + "status": "reviewer_intake_lane_defined", + "instruction": instruction, + "gate_effect": gate_effect, + } + for lane_id, instruction, gate_effect in REVIEWER_INTAKE_LANES + ] + + +def intake_packet(packet: dict[str, Any]) -> dict[str, Any]: + required_owner_fields = [ + field["field"] + for field in packet.get("field_templates", []) + if field.get("required") is True + ] + return { + "packet_id": packet["packet_id"], + "status": "waiting_request_dispatch_preflight", + "category_id": packet["category_id"], + "label": packet["label"], + "priority": packet["priority"], + "control_tier": packet["control_tier"], + "required_gate": packet["required_gate"], + "affected_file_count": len(packet.get("affected_files", [])), + "affected_files": packet.get("affected_files", []), + "required_owner_fields": required_owner_fields, + "required_validation": packet.get("required_validation", []), + "request_sent": False, + "received_response": False, + "accepted_response": False, + "rejected_response": False, + "reviewer_queue_write": False, + "runtime_gate": False, + "action_buttons_allowed": False, + "secret_value_collection_allowed": False, + "production_write_authorized": False, + "not_authorization": True, + } + + +def build_report(root: Path, owner_packet_report: dict[str, Any], generated_at: str | None) -> dict[str, Any]: + report_time = generated_at or datetime.now(TAIPEI).isoformat(timespec="seconds") + packets = owner_packet_report.get("packets", []) + c0_packets = [packet for packet in packets if packet.get("control_tier") == "C0"] + c1_packets = [packet for packet in packets if packet.get("control_tier") == "C1"] + canonical_owner_fields = owner_packet_report.get("canonical_owner_fields", []) + required_owner_field_total = len(canonical_owner_fields) * len(packets) + blocked_requests = packets[0].get("blocked_requests", []) if packets else [] + false_flags = owner_packet_report.get("universal_owner_response_template", {}).get("false_flags", {}) + + return { + "schema_version": "high_value_config_owner_packet_intake_preflight_v1", + "generated_at": report_time, + "git_commit": git_short_sha(root), + "source_owner_packet_schema_version": owner_packet_report.get("schema_version"), + "source_owner_packet_status": owner_packet_report.get("status"), + "status": "request_dispatch_preflight_ready", + "summary": { + "packet_count": len(packets), + "c0_packet_count": len(c0_packets), + "c1_packet_count": len(c1_packets), + "canonical_owner_field_count": len(canonical_owner_fields), + "required_owner_field_total": required_owner_field_total, + "dispatch_preflight_check_count": len(DISPATCH_PREFLIGHT_CHECKS), + "reviewer_intake_lane_count": len(REVIEWER_INTAKE_LANES), + "blocked_request_count": len(blocked_requests), + "request_sent_count": 0, + "received_response_count": 0, + "accepted_response_count": 0, + "rejected_response_count": 0, + "reviewer_queue_write_count": 0, + "runtime_gate_count": 0, + "action_button_count": 0, + }, + "execution_boundaries": { + "dispatch_authorized": False, + "request_sent": False, + "reviewer_queue_write": False, + "runtime_execution_authorized": False, + "secret_value_collection_allowed": False, + "production_write_authorized": False, + "host_write_authorized": False, + "nginx_reload_authorized": False, + "dns_tls_change_authorized": False, + "workflow_modification_authorized": False, + "active_scan_authorized": False, + "action_buttons_allowed": False, + "not_authorization": True, + }, + "canonical_owner_fields": canonical_owner_fields, + "allowed_decisions": owner_packet_report.get("allowed_decisions", []), + "dispatch_preflight_checks": dispatch_preflight_checks(), + "reviewer_intake_lanes": reviewer_intake_lanes(), + "blocked_requests": blocked_requests, + "source_false_flags": false_flags, + "intake_packets": [intake_packet(packet) for packet in packets], + "completion": { + "request_dispatch_preflight_artifact_percent": 100, + "owner_request_sent_percent": 0, + "owner_response_received_percent": 0, + "reviewer_accepted_percent": 0, + "runtime_gate_percent": 0, + }, + "next_steps": NEXT_STEPS, + } + + +def main() -> int: + parser = argparse.ArgumentParser(description="IwoooS 高價值配置 owner packet 收件預檢產生器") + parser.add_argument("--root", default=".", help="repo root") + parser.add_argument( + "--owner-packet-report", + default="docs/security/high-value-config-owner-packet.snapshot.json", + help="high-value-config-owner-packet.py 輸出的 JSON", + ) + parser.add_argument("--output", help="寫出 JSON 報告") + parser.add_argument("--generated-at", help="固定報告時間,供 committed snapshot 使用") + args = parser.parse_args() + + root = Path(args.root).resolve() + owner_packet_report = load_json(root / args.owner_packet_report) + report = build_report(root, owner_packet_report, args.generated_at) + payload = json.dumps(report, ensure_ascii=False, indent=2, sort_keys=True) + + if args.output: + output = Path(args.output) + output.parent.mkdir(parents=True, exist_ok=True) + output.write_text(payload + "\n", encoding="utf-8") + else: + print(payload) + + summary = report["summary"] + print( + "HIGH_VALUE_CONFIG_OWNER_PACKET_INTAKE_PREFLIGHT_OK " + f"packets={summary['packet_count']} " + f"c0={summary['c0_packet_count']} " + f"checks={summary['dispatch_preflight_check_count']} " + f"lanes={summary['reviewer_intake_lane_count']} " + f"runtime_gate={summary['runtime_gate_count']}", + file=sys.stderr, + ) + return 0 + + +if __name__ == "__main__": + sys.exit(main()) diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py index 9c6b31f72..68b12a3ac 100755 --- a/scripts/security/security-mirror-progress-guard.py +++ b/scripts/security/security-mirror-progress-guard.py @@ -88,6 +88,9 @@ def validate(root: Path) -> None: rollout_policy = load_json(security_dir / "security-rollout-policy.snapshot.json") iwooos_projection = load_json(security_dir / "iwooos-posture-projection.snapshot.json") high_value_config_coverage = load_json(security_dir / "high-value-config-control-coverage.snapshot.json") + high_value_config_owner_packet_intake = load_json( + security_dir / "high-value-config-owner-packet-intake-preflight.snapshot.json" + ) host_service_config_inventory = load_json(security_dir / "host-service-config-inventory.snapshot.json") ssh_network_access_inventory = load_json(security_dir / "ssh-network-access-inventory.snapshot.json") backup_restore_escrow_inventory = load_json(security_dir / "backup-restore-escrow-inventory.snapshot.json") @@ -3459,6 +3462,132 @@ def validate(root: Path) -> None: iwooos_projection["summary"][key], 0, ) + assert_equal( + "high_value_config_owner_packet_intake.schema_version", + high_value_config_owner_packet_intake["schema_version"], + "high_value_config_owner_packet_intake_preflight_v1", + ) + assert_equal( + "high_value_config_owner_packet_intake.source_owner_packet_schema_version", + high_value_config_owner_packet_intake["source_owner_packet_schema_version"], + "high_value_config_owner_packet_v1", + ) + assert_equal( + "high_value_config_owner_packet_intake.status", + high_value_config_owner_packet_intake["status"], + "request_dispatch_preflight_ready", + ) + expected_high_value_config_owner_packet_intake_summary = { + "packet_count": 3, + "c0_packet_count": 2, + "c1_packet_count": 0, + "canonical_owner_field_count": 9, + "required_owner_field_total": 27, + "dispatch_preflight_check_count": 9, + "reviewer_intake_lane_count": 5, + "blocked_request_count": 16, + "request_sent_count": 0, + "received_response_count": 0, + "accepted_response_count": 0, + "rejected_response_count": 0, + "reviewer_queue_write_count": 0, + "runtime_gate_count": 0, + "action_button_count": 0, + } + for key, expected in expected_high_value_config_owner_packet_intake_summary.items(): + assert_equal( + f"high_value_config_owner_packet_intake.summary.{key}", + high_value_config_owner_packet_intake["summary"][key], + expected, + ) + for false_key in [ + "dispatch_authorized", + "request_sent", + "reviewer_queue_write", + "runtime_execution_authorized", + "secret_value_collection_allowed", + "production_write_authorized", + "host_write_authorized", + "nginx_reload_authorized", + "dns_tls_change_authorized", + "workflow_modification_authorized", + "active_scan_authorized", + "action_buttons_allowed", + ]: + assert_false( + f"high_value_config_owner_packet_intake.execution_boundaries.{false_key}", + high_value_config_owner_packet_intake["execution_boundaries"][false_key], + ) + assert_true( + "high_value_config_owner_packet_intake.execution_boundaries.not_authorization", + high_value_config_owner_packet_intake["execution_boundaries"]["not_authorization"], + ) + expected_high_value_config_owner_packet_intake_ids = [ + "high_value_config_owner_packet:dns_tls_certbot", + "high_value_config_owner_packet:nginx_public_gateway", + "high_value_config_owner_packet:security_evidence_tooling", + ] + assert_equal( + "high_value_config_owner_packet_intake.packet_ids", + [item["packet_id"] for item in high_value_config_owner_packet_intake["intake_packets"]], + expected_high_value_config_owner_packet_intake_ids, + ) + expected_high_value_config_owner_packet_intake_check_ids = [ + "baseline_commit_synced", + "source_snapshot_current", + "packet_scope_mapped", + "canonical_fields_present", + "redacted_evidence_refs_only", + "no_sensitive_payload", + "no_execution_request", + "maintenance_and_rollback_fields_present", + "validation_plan_present", + ] + assert_equal( + "high_value_config_owner_packet_intake.dispatch_preflight_check_ids", + [ + item["check_id"] + for item in high_value_config_owner_packet_intake["dispatch_preflight_checks"] + ], + expected_high_value_config_owner_packet_intake_check_ids, + ) + expected_high_value_config_owner_packet_intake_lane_ids = [ + "keep_waiting_owner_response", + "request_more_evidence", + "quarantine_sensitive_payload", + "reject_execution_request", + "ready_for_reviewer_validation", + ] + assert_equal( + "high_value_config_owner_packet_intake.reviewer_intake_lane_ids", + [item["lane_id"] for item in high_value_config_owner_packet_intake["reviewer_intake_lanes"]], + expected_high_value_config_owner_packet_intake_lane_ids, + ) + for packet in high_value_config_owner_packet_intake["intake_packets"]: + assert_equal( + f"high_value_config_owner_packet_intake.{packet['packet_id']}.required_owner_field_count", + len(packet["required_owner_fields"]), + 9, + ) + assert_true( + f"high_value_config_owner_packet_intake.{packet['packet_id']}.not_authorization", + packet["not_authorization"], + ) + for false_key in [ + "request_sent", + "received_response", + "accepted_response", + "rejected_response", + "reviewer_queue_write", + "runtime_gate", + "action_buttons_allowed", + "secret_value_collection_allowed", + "production_write_authorized", + ]: + assert_false( + f"high_value_config_owner_packet_intake.{packet['packet_id']}.{false_key}", + packet[false_key], + ) expected_iwooos_surface_ids = [ "security_compliance", "legacy_security",