# IwoooS SSH / Firewall / Network Access Owner Response Acceptance | 項目 | 內容 | |------|------| | 日期 | 2026-06-15 | | 狀態 | `owner_response_acceptance_ledger_ready_no_runtime_action` | | 工具 | `scripts/security/ssh-network-owner-response-acceptance.py` | | Snapshot | `docs/security/ssh-network-owner-response-acceptance.snapshot.json` | | Source inventory | `docs/security/ssh-network-access-inventory.snapshot.json` | | Source owner request | `docs/security/ssh-network-owner-request-draft.snapshot.json` | | runtime gate | `0` | ## 1. 目的 本文件承接 SSH / network access repo-only 清冊與 owner request draft,把 16 個 surface 轉成 owner response acceptance 只讀帳本。它定義收到 owner 回覆後,必須如何做欄位完整性、脫敏證據、live access state、allowed source CIDR、host key pinning、port impact、firewall owner、NetworkPolicy / NodePort、WireGuard cutover、維護窗口、rollback 與 validation plan 檢查。 這不是 SSH 授權、不是 host keyscan、不是 known_hosts patch、不是 firewall / port change、不是 NetworkPolicy apply、不是 NodePort change、不是 WireGuard cutover,也不是 runtime gate。 ## 2. 摘要 | 指標 | 目前值 | 說明 | |------|--------|------| | acceptance candidate | `16` | 每個 SSH / network request draft 一份 acceptance candidate | | write-capable acceptance candidate | `6` | CI deploy SSH、monitoring deploy、sudoers、alert action catalog | | live evidence required candidate | `16` | 全部都需 owner 提供脫敏 live access evidence | | acceptance field | `29` | acceptance 欄位總數 | | required owner field | `13` | owner 必填欄位,沿用 request draft | | reviewer check | `15` | owner、scope、secret、CIDR、host key、port impact、firewall、NetworkPolicy、WireGuard、rollback 檢查 | | outcome lane | `7` | waiting、quarantine、reject、supplement、review、ledger-only、runtime gate | | blocked action | `22` | SSH、keyscan、known_hosts、firewall、port、NetworkPolicy、NodePort、WireGuard、sudo、secret、active scan、runtime gate 等 | | request sent / recipient confirmed | `0 / 0` | 尚未送件 | | owner response received / accepted | `0 / 0` | 尚未收到或驗收 | | live evidence received | `0` | 不 SSH、不 keyscan、不讀 live firewall | | runtime gate / action button | `0 / 0` | 不提供操作入口 | ## 3. Acceptance Candidate 範圍 | Candidate | 類型 | 範圍 | 驗收焦點 | |-----------|------|------|----------| | `ssh_network_owner_response_acceptance:ansible_inventory_ssh_targets` | SSH target inventory | `110_111_112_120_121_188` | host owner、pinned known_hosts、ProxyJump、key owner | | `ssh_network_owner_response_acceptance:ansible_common_ssh_args` | SSH client policy | `multi_host` | `accept-new` 是否只限 bootstrap | | `ssh_network_owner_response_acceptance:gitea_cd_known_hosts_secret` | known_hosts workflow | `110_120_121_188_known_hosts` | known_hosts secret metadata、缺 120 處置、key rotation owner | | `ssh_network_owner_response_acceptance:gitea_cd_deploy_ssh` | CI deploy SSH | `k8s_ssh_host` | deploy SSH host owner、rollback、break-glass | | `ssh_network_owner_response_acceptance:gitea_cd_dev_ssh` | CI deploy SSH | `192.168.0.120` | dev/prod 邊界、deploy key scope、host key policy | | `ssh_network_owner_response_acceptance:deploy_alerts_ssh_path` | CI deploy SSH | `192.168.0.110` | alert deploy owner、known_hosts pinning、通知路徑 | | `ssh_network_owner_response_acceptance:monitoring_discover_docker_ssh` | SSH discovery script | `110_188_docker_hosts` | read-only window、輸出脫敏、失敗處置 | | `ssh_network_owner_response_acceptance:monitoring_exporter_deploy_ssh` | monitoring SSH deploy | `192.168.0.188` | exporter deploy owner、maintenance window、post-check | | `ssh_network_owner_response_acceptance:backup_config_ssh_capture` | SSH backup capture | `110_188_120_121_cluster` | backup execution owner、secret redaction、restore validation | | `ssh_network_owner_response_acceptance:host_ops_sudoers_wrapper` | sudoers policy | `host_ops_minimal_sudo` | live sudoers hash、visudo validation、forbidden command proof | | `ssh_network_owner_response_acceptance:k8s_prod_network_policy` | K8s NetworkPolicy | `awoooi_prod_namespace` | ingress / egress owner、live policy diff、route smoke | | `ssh_network_owner_response_acceptance:argocd_metrics_network_policy` | K8s NetworkPolicy | `argocd_namespace` | Prometheus scrape owner、NodePort exposure owner | | `ssh_network_owner_response_acceptance:argocd_metrics_nodeport` | K8s NodePort | `argocd_nodeport_30882_30883` | NodePort exposure owner、firewall owner、source whitelist | | `ssh_network_owner_response_acceptance:velero_metrics_nodeport` | K8s NodePort | `velero_nodeport_30885` | backup metrics exposure、firewall owner | | `ssh_network_owner_response_acceptance:wireguard_mesh_runbook` | WireGuard runbook | `110_111_120_121_gcp_a_gcp_b` | WireGuard owner、firewall rule owner、canary / rollback | | `ssh_network_owner_response_acceptance:alert_rules_ssh_actions` | alert SSH action rules | `ssh_mcp_action_catalog` | action owner、read/write/admin 分級、cooldown、post-check | ## 4. Reviewer Checks 1. `owner_identity_present` 2. `decision_reason_present` 3. `affected_scope_matches_surface` 4. `redacted_refs_only` 5. `secret_or_key_value_absent` 6. `live_access_state_metadata_only` 7. `allowed_source_cidr_metadata_only` 8. `host_key_pinning_shape` 9. `port_impact_review` 10. `firewall_owner_present` 11. `network_policy_nodeport_review` 12. `wireguard_cutover_separate_gate` 13. `maintenance_window_present` 14. `rollback_validation_present` 15. `counts_transition_safe` ## 5. Outcome Lanes | Lane | 說明 | |------|------| | `waiting_owner_response` | 尚未收到 owner response;所有 accepted / runtime count 維持 0 | | `quarantine_raw_payload` | 收到 raw firewall dump、SSH key、private key、token 或不可保存內容時只能隔離 | | `reject_secret_or_key_value` | 出現 secret value、key material、credential derivative 或未脫敏 payload 時直接拒收 | | `request_supplement` | 欄位不足、scope 不清、CIDR / owner / rollback / validation 缺失時要求補件 | | `ready_for_network_review` | metadata 合格後,只能進 network / firewall reviewer review | | `owner_review_only_update` | 只允許更新只讀 owner review ledger,不得改 port、firewall、known_hosts 或 policy | | `waiting_runtime_gate` | 即使 owner response accepted,runtime gate 仍等待獨立人工批准 | ## 6. 禁止動作 1. `ssh_read` 2. `ssh_write` 3. `host_keyscan` 4. `known_hosts_patch` 5. `firewall_change` 6. `port_close` 7. `port_open` 8. `network_policy_apply` 9. `nodeport_change` 10. `wireguard_change` 11. `sudo_action` 12. `deploy_ssh_action` 13. `secret_value_collection` 14. `ssh_key_collection` 15. `active_scan` 16. `runtime_gate_open` 17. `live_firewall_read` 18. `live_sudoers_read` 19. `raw_key_material_storage` 20. `raw_firewall_dump_storage` 21. `mark_owner_response_accepted_without_reviewer_record` 22. `add_action_button` ## 7. 指令 產生 committed snapshot: ```bash python3 scripts/security/ssh-network-owner-response-acceptance.py \ --root . \ --inventory-report docs/security/ssh-network-access-inventory.snapshot.json \ --owner-request-report docs/security/ssh-network-owner-request-draft.snapshot.json \ --output docs/security/ssh-network-owner-response-acceptance.snapshot.json \ --generated-at 2026-06-15T01:18:00+08:00 ``` 驗證 guard: ```bash python3 scripts/security/security-mirror-progress-guard.py --root . ``` ## 8. 完成度 | 工作 | 完成度 | 說明 | |------|--------|------| | owner response acceptance ledger artifact | `100%` | 16 份 acceptance candidate、snapshot、文件與 guard 已固定 | | request dispatch | `0%` | 尚未送件 | | owner response received / accepted | `0%` | 尚未收到,尚未驗收 | | live evidence collection | `0%` | 未 SSH、未 keyscan、未讀 live firewall | | SSH / firewall / NetworkPolicy / NodePort / WireGuard gate | `0%` | 未授權且未執行 | | runtime gate / production write | `0%` | 未授權且未執行 |