fix(iwooos): redact public security wording
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 1m20s
CD Pipeline / build-and-deploy (push) Failing after 52s
CD Pipeline / post-deploy-checks (push) Has been skipped
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 1m20s
CD Pipeline / build-and-deploy (push) Failing after 52s
CD Pipeline / post-deploy-checks (push) Has been skipped
This commit is contained in:
@@ -21911,7 +21911,7 @@
|
||||
},
|
||||
"intrusion_prevention": {
|
||||
"title": "外部入侵防護",
|
||||
"body": "候選已按公開入口、SSH、firewall、主機 runtime、runner、secret、Wazuh 等域分類;圍堵仍只能是候選。"
|
||||
"body": "候選已按公開入口、SSH、firewall、主機 runtime、runner、敏感設定、Wazuh 等域分類;圍堵仍只能是候選。"
|
||||
}
|
||||
}
|
||||
},
|
||||
@@ -22005,11 +22005,11 @@
|
||||
"read_only_inventory_runtime_write_gate_closed": "只讀盤點完成,AI runtime write gate 仍關閉"
|
||||
},
|
||||
"domainBody": {
|
||||
"high_value_asset_control": "Nginx、DNS / TLS、K8s、secret、workflow、runner、runtime config、backup 與 agent-bounty runtime 都先放進高價值配置總帳。",
|
||||
"high_value_asset_control": "Nginx、DNS / TLS、K8s、敏感設定、workflow、runner、runtime config、backup 與 agent-bounty runtime 都先放進高價值配置總帳。",
|
||||
"host_service_runtime": "Docker Compose、systemd、repair bot、port binding、process / persistence baseline 需要 live hash 與維護窗口。",
|
||||
"monitoring_alerting_observability": "Prometheus、Alertmanager、Grafana、SigNoz、Sentry、Langfuse、OTEL 與通知路由都需要 receipt 與 owner acceptance。",
|
||||
"ssh_firewall_network_access": "SSH target、known_hosts、deploy SSH、sudoers、NodePort、NetworkPolicy、WireGuard 與 firewall 需要 before / after 證據。",
|
||||
"awoooi_runtime_surfaces": "API、Web、Worker、Ingress、Secret、CronJob 與 K8s runtime surface 只做 manifest 讀回,不代表可 rollout。",
|
||||
"awoooi_runtime_surfaces": "API、Web、Worker、Ingress、敏感設定、CronJob 與 K8s runtime surface 只做 manifest 讀回,不代表可 rollout。",
|
||||
"wazuh_managed_host_coverage": "受管主機必須由 manager registry 交叉驗收;transport observed 不能當完成。",
|
||||
"agent_bounty_protocol": "agent-bounty-protocol 已納入產品邊界,但 MCP、A2A、claim、submit、payout 與 cron 仍鎖住。",
|
||||
"ai_agent_automation": "OpenClaw、Hermes、Nemotron、provider 與自動化資產維持只讀;replay / shadow / canary 前不可切 production。"
|
||||
@@ -22435,7 +22435,7 @@
|
||||
"items": {
|
||||
"assetGraph": {
|
||||
"title": "資產與暴露面要先成圖",
|
||||
"body": "主機、domain、route、service、port、package、repo、runner、secret metadata、backup 與 AI agent 都要進同一張資安作戰圖。"
|
||||
"body": "主機、domain、route、service、port、package、repo、runner、敏感設定 metadata、backup 與 AI agent 都要進同一張資安作戰圖。"
|
||||
},
|
||||
"wazuhRegistry": {
|
||||
"title": "Wazuh registry 還是第一個硬 Gate",
|
||||
@@ -22451,7 +22451,7 @@
|
||||
},
|
||||
"configControl": {
|
||||
"title": "高價值配置納入作戰線",
|
||||
"body": "Nginx、DNS / TLS、firewall、K8s、workflow、runner、secret metadata、backup 與 AI provider 不能再被零散手改。"
|
||||
"body": "Nginx、DNS / TLS、firewall、K8s、workflow、runner、敏感設定 metadata、backup 與 AI provider 不能再被零散手改。"
|
||||
},
|
||||
"kevExposure": {
|
||||
"title": "已遭利用弱點優先於一般 CVSS",
|
||||
@@ -22650,7 +22650,7 @@
|
||||
},
|
||||
"k8sWorkflow": {
|
||||
"title": "GitOps 與 workflow 待回讀",
|
||||
"body": "K8s、ArgoCD、workflow、runner、deploy key 與 secret metadata 需補 revision、diff 與 redaction readback。"
|
||||
"body": "K8s、ArgoCD、workflow、runner、deploy key 與敏感設定 metadata 需補 revision、diff 與 redaction readback。"
|
||||
},
|
||||
"wazuhKali": {
|
||||
"title": "Wazuh / Kali 維持證據收件",
|
||||
@@ -22677,7 +22677,7 @@
|
||||
"externalHostIntrusionPreventionControl": {
|
||||
"eyebrow": "外部入侵主機防堵控制",
|
||||
"title": "把主機、入口、網路與供應鏈先收成 P0 防堵矩陣",
|
||||
"subtitle": "這張卡把公開入口、SSH、端口、防火牆、Nginx、runner、secret、Docker / systemd、K8s、Wazuh、套件更新、backup / restore 與跨專案同步放進同一條防堵線;目前只顯示主機別名、候選數、必填 owner 欄位與 0/false 邊界。",
|
||||
"subtitle": "這張卡把公開入口、SSH、端口、防火牆、Nginx、runner、敏感設定、Docker / systemd、K8s、Wazuh、套件更新、backup / restore 與跨專案同步放進同一條防堵線;目前只顯示主機別名、候選數、必填 owner 欄位與 0/false 邊界。",
|
||||
"checkLabel": "優先",
|
||||
"stateLabel": "狀態",
|
||||
"boundaryTitle": "外部入侵防堵邊界",
|
||||
@@ -22715,7 +22715,7 @@
|
||||
},
|
||||
"runnerSecret": {
|
||||
"title": "Runner / workflow / secret freeze",
|
||||
"body": "runner、workflow、deploy key、webhook 與 secret metadata 變更必須串回高價值配置 gate。"
|
||||
"body": "runner、workflow、deploy key、webhook 與敏感設定 metadata 變更必須串回高價值配置 gate。"
|
||||
},
|
||||
"wazuhResponse": {
|
||||
"title": "Wazuh response 先 乾跑",
|
||||
@@ -22770,7 +22770,7 @@
|
||||
},
|
||||
"k8sArgocd": {
|
||||
"title": "K8s / ArgoCD / production manifests",
|
||||
"body": "production manifests、ConfigMap / Secret metadata、NetworkPolicy、CronJob 與 rollback revision 需被納管;GitOps 變更證據驗收後已新增事故後回讀計畫,固定 4 個範圍、31 個必填欄位、28 個審查檢查項、10 條結果分流與 41 類禁止動作。目前 post-incident readback received / accepted、ArgoCD app health、sync status、Pending / image pull / scheduling、drift、route / AI / monitoring impact、cross-project sync、no-false-green 與 runtime gate 仍全部為 0;不執行 ArgoCD sync、kubectl、Helm upgrade、NetworkPolicy / NodePort / RBAC 變更或 live patch。"
|
||||
"body": "production manifests、ConfigMap / 敏感設定 metadata、NetworkPolicy、CronJob 與 rollback revision 需被納管;GitOps 變更證據驗收後已新增事故後回讀計畫,固定 4 個範圍、31 個必填欄位、28 個審查檢查項、10 條結果分流與 41 類禁止動作。目前 post-incident readback received / accepted、ArgoCD app health、sync status、Pending / image pull / scheduling、drift、route / AI / monitoring impact、cross-project sync、no-false-green 與 runtime gate 仍全部為 0;不執行 ArgoCD sync、kubectl、Helm upgrade、NetworkPolicy / NodePort / RBAC 變更或 live patch。"
|
||||
},
|
||||
"workflowSecret": {
|
||||
"title": "工作流程 / 執行器 / 機密中繼資料",
|
||||
@@ -22924,7 +22924,7 @@
|
||||
},
|
||||
"k8sGitops": {
|
||||
"title": "K8s / ArgoCD GitOps",
|
||||
"body": "manifest 清冊、負責人回覆驗收、GitOps 變更證據驗收與事故後回讀計畫已固定;目前成熟度 66%。新回讀計畫涵蓋 4 個範圍、31 個必填欄位、28 個審查檢查項、10 條結果分流與 41 類禁止動作;仍缺 actor、ArgoCD app / sync、Degraded / Pending、image pull / scheduling、rollout 前後、event / metrics / alert、drift scanner、CronJob、NetworkPolicy / RBAC / Secret metadata、route / AI / monitoring impact、跨專案同步與 no-false-green 脫敏證據。readback accepted 與 runtime gate 仍全部為 0。"
|
||||
"body": "manifest 清冊、負責人回覆驗收、GitOps 變更證據驗收與事故後回讀計畫已固定;目前成熟度 66%。新回讀計畫涵蓋 4 個範圍、31 個必填欄位、28 個審查檢查項、10 條結果分流與 41 類禁止動作;仍缺 actor、ArgoCD app / sync、Degraded / Pending、image pull / scheduling、rollout 前後、event / metrics / alert、drift scanner、CronJob、NetworkPolicy / RBAC / 敏感設定 metadata、route / AI / monitoring impact、跨專案同步與 no-false-green 脫敏證據。readback accepted 與 runtime gate 仍全部為 0。"
|
||||
},
|
||||
"backupRestore": {
|
||||
"title": "備份 / 還原 / 金庫",
|
||||
|
||||
@@ -21911,7 +21911,7 @@
|
||||
},
|
||||
"intrusion_prevention": {
|
||||
"title": "外部入侵防護",
|
||||
"body": "候選已按公開入口、SSH、firewall、主機 runtime、runner、secret、Wazuh 等域分類;圍堵仍只能是候選。"
|
||||
"body": "候選已按公開入口、SSH、firewall、主機 runtime、runner、敏感設定、Wazuh 等域分類;圍堵仍只能是候選。"
|
||||
}
|
||||
}
|
||||
},
|
||||
@@ -22005,11 +22005,11 @@
|
||||
"read_only_inventory_runtime_write_gate_closed": "只讀盤點完成,AI runtime write gate 仍關閉"
|
||||
},
|
||||
"domainBody": {
|
||||
"high_value_asset_control": "Nginx、DNS / TLS、K8s、secret、workflow、runner、runtime config、backup 與 agent-bounty runtime 都先放進高價值配置總帳。",
|
||||
"high_value_asset_control": "Nginx、DNS / TLS、K8s、敏感設定、workflow、runner、runtime config、backup 與 agent-bounty runtime 都先放進高價值配置總帳。",
|
||||
"host_service_runtime": "Docker Compose、systemd、repair bot、port binding、process / persistence baseline 需要 live hash 與維護窗口。",
|
||||
"monitoring_alerting_observability": "Prometheus、Alertmanager、Grafana、SigNoz、Sentry、Langfuse、OTEL 與通知路由都需要 receipt 與 owner acceptance。",
|
||||
"ssh_firewall_network_access": "SSH target、known_hosts、deploy SSH、sudoers、NodePort、NetworkPolicy、WireGuard 與 firewall 需要 before / after 證據。",
|
||||
"awoooi_runtime_surfaces": "API、Web、Worker、Ingress、Secret、CronJob 與 K8s runtime surface 只做 manifest 讀回,不代表可 rollout。",
|
||||
"awoooi_runtime_surfaces": "API、Web、Worker、Ingress、敏感設定、CronJob 與 K8s runtime surface 只做 manifest 讀回,不代表可 rollout。",
|
||||
"wazuh_managed_host_coverage": "受管主機必須由 manager registry 交叉驗收;transport observed 不能當完成。",
|
||||
"agent_bounty_protocol": "agent-bounty-protocol 已納入產品邊界,但 MCP、A2A、claim、submit、payout 與 cron 仍鎖住。",
|
||||
"ai_agent_automation": "OpenClaw、Hermes、Nemotron、provider 與自動化資產維持只讀;replay / shadow / canary 前不可切 production。"
|
||||
@@ -22435,7 +22435,7 @@
|
||||
"items": {
|
||||
"assetGraph": {
|
||||
"title": "資產與暴露面要先成圖",
|
||||
"body": "主機、domain、route、service、port、package、repo、runner、secret metadata、backup 與 AI agent 都要進同一張資安作戰圖。"
|
||||
"body": "主機、domain、route、service、port、package、repo、runner、敏感設定 metadata、backup 與 AI agent 都要進同一張資安作戰圖。"
|
||||
},
|
||||
"wazuhRegistry": {
|
||||
"title": "Wazuh registry 還是第一個硬 Gate",
|
||||
@@ -22451,7 +22451,7 @@
|
||||
},
|
||||
"configControl": {
|
||||
"title": "高價值配置納入作戰線",
|
||||
"body": "Nginx、DNS / TLS、firewall、K8s、workflow、runner、secret metadata、backup 與 AI provider 不能再被零散手改。"
|
||||
"body": "Nginx、DNS / TLS、firewall、K8s、workflow、runner、敏感設定 metadata、backup 與 AI provider 不能再被零散手改。"
|
||||
},
|
||||
"kevExposure": {
|
||||
"title": "已遭利用弱點優先於一般 CVSS",
|
||||
@@ -22650,7 +22650,7 @@
|
||||
},
|
||||
"k8sWorkflow": {
|
||||
"title": "GitOps 與 workflow 待回讀",
|
||||
"body": "K8s、ArgoCD、workflow、runner、deploy key 與 secret metadata 需補 revision、diff 與 redaction readback。"
|
||||
"body": "K8s、ArgoCD、workflow、runner、deploy key 與敏感設定 metadata 需補 revision、diff 與 redaction readback。"
|
||||
},
|
||||
"wazuhKali": {
|
||||
"title": "Wazuh / Kali 維持證據收件",
|
||||
@@ -22677,7 +22677,7 @@
|
||||
"externalHostIntrusionPreventionControl": {
|
||||
"eyebrow": "外部入侵主機防堵控制",
|
||||
"title": "把主機、入口、網路與供應鏈先收成 P0 防堵矩陣",
|
||||
"subtitle": "這張卡把公開入口、SSH、端口、防火牆、Nginx、runner、secret、Docker / systemd、K8s、Wazuh、套件更新、backup / restore 與跨專案同步放進同一條防堵線;目前只顯示主機別名、候選數、必填 owner 欄位與 0/false 邊界。",
|
||||
"subtitle": "這張卡把公開入口、SSH、端口、防火牆、Nginx、runner、敏感設定、Docker / systemd、K8s、Wazuh、套件更新、backup / restore 與跨專案同步放進同一條防堵線;目前只顯示主機別名、候選數、必填 owner 欄位與 0/false 邊界。",
|
||||
"checkLabel": "優先",
|
||||
"stateLabel": "狀態",
|
||||
"boundaryTitle": "外部入侵防堵邊界",
|
||||
@@ -22715,7 +22715,7 @@
|
||||
},
|
||||
"runnerSecret": {
|
||||
"title": "Runner / workflow / secret freeze",
|
||||
"body": "runner、workflow、deploy key、webhook 與 secret metadata 變更必須串回高價值配置 gate。"
|
||||
"body": "runner、workflow、deploy key、webhook 與敏感設定 metadata 變更必須串回高價值配置 gate。"
|
||||
},
|
||||
"wazuhResponse": {
|
||||
"title": "Wazuh response 先 乾跑",
|
||||
@@ -22770,7 +22770,7 @@
|
||||
},
|
||||
"k8sArgocd": {
|
||||
"title": "K8s / ArgoCD / production manifests",
|
||||
"body": "production manifests、ConfigMap / Secret metadata、NetworkPolicy、CronJob 與 rollback revision 需被納管;GitOps 變更證據驗收後已新增事故後回讀計畫,固定 4 個範圍、31 個必填欄位、28 個審查檢查項、10 條結果分流與 41 類禁止動作。目前 post-incident readback received / accepted、ArgoCD app health、sync status、Pending / image pull / scheduling、drift、route / AI / monitoring impact、cross-project sync、no-false-green 與 runtime gate 仍全部為 0;不執行 ArgoCD sync、kubectl、Helm upgrade、NetworkPolicy / NodePort / RBAC 變更或 live patch。"
|
||||
"body": "production manifests、ConfigMap / 敏感設定 metadata、NetworkPolicy、CronJob 與 rollback revision 需被納管;GitOps 變更證據驗收後已新增事故後回讀計畫,固定 4 個範圍、31 個必填欄位、28 個審查檢查項、10 條結果分流與 41 類禁止動作。目前 post-incident readback received / accepted、ArgoCD app health、sync status、Pending / image pull / scheduling、drift、route / AI / monitoring impact、cross-project sync、no-false-green 與 runtime gate 仍全部為 0;不執行 ArgoCD sync、kubectl、Helm upgrade、NetworkPolicy / NodePort / RBAC 變更或 live patch。"
|
||||
},
|
||||
"workflowSecret": {
|
||||
"title": "工作流程 / 執行器 / 機密中繼資料",
|
||||
@@ -22924,7 +22924,7 @@
|
||||
},
|
||||
"k8sGitops": {
|
||||
"title": "K8s / ArgoCD GitOps",
|
||||
"body": "manifest 清冊、負責人回覆驗收、GitOps 變更證據驗收與事故後回讀計畫已固定;目前成熟度 66%。新回讀計畫涵蓋 4 個範圍、31 個必填欄位、28 個審查檢查項、10 條結果分流與 41 類禁止動作;仍缺 actor、ArgoCD app / sync、Degraded / Pending、image pull / scheduling、rollout 前後、event / metrics / alert、drift scanner、CronJob、NetworkPolicy / RBAC / Secret metadata、route / AI / monitoring impact、跨專案同步與 no-false-green 脫敏證據。readback accepted 與 runtime gate 仍全部為 0。"
|
||||
"body": "manifest 清冊、負責人回覆驗收、GitOps 變更證據驗收與事故後回讀計畫已固定;目前成熟度 66%。新回讀計畫涵蓋 4 個範圍、31 個必填欄位、28 個審查檢查項、10 條結果分流與 41 類禁止動作;仍缺 actor、ArgoCD app / sync、Degraded / Pending、image pull / scheduling、rollout 前後、event / metrics / alert、drift scanner、CronJob、NetworkPolicy / RBAC / 敏感設定 metadata、route / AI / monitoring impact、跨專案同步與 no-false-green 脫敏證據。readback accepted 與 runtime gate 仍全部為 0。"
|
||||
},
|
||||
"backupRestore": {
|
||||
"title": "備份 / 還原 / 金庫",
|
||||
|
||||
Reference in New Issue
Block a user