Files
awoooi/docs/security/security-asset-control-ledger.snapshot.json
Your Name 81a60226bb
Some checks failed
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m45s
Ansible / Reboot Recovery Contract / validate (push) Has been cancelled
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled
feat(iwooos): 新增資安資產控制總帳
2026-06-18 13:56:38 +08:00

824 lines
30 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"asset_groups": [
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/PUBLIC-GATEWAY-PREFLIGHT-INVENTORY.md"
},
{
"exists": true,
"ref": "docs/security/public-gateway-preflight-inventory.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/PUBLIC-GATEWAY-POST-INCIDENT-READBACK-PLAN.md"
},
{
"exists": true,
"ref": "docs/security/public-gateway-post-incident-readback-plan.snapshot.json"
}
],
"evidence_refs": [
"docs/security/PUBLIC-GATEWAY-PREFLIGHT-INVENTORY.md",
"docs/security/public-gateway-preflight-inventory.snapshot.json",
"docs/security/PUBLIC-GATEWAY-POST-INCIDENT-READBACK-PLAN.md",
"docs/security/public-gateway-post-incident-readback-plan.snapshot.json"
],
"group_id": "public_gateway_nginx",
"label": "Nginx / Public Gateway / Route",
"live_evidence_accepted": 0,
"next_owner_action": "補 owner-provided live conf、rendered diff、nginx -t、route smoke、rollback owner。",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "公開入口、API、WebSocket、ACME、admin route、Ollama proxy",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/DOMAIN-TLS-CERTBOT-INVENTORY.md"
},
{
"exists": true,
"ref": "docs/security/domain-tls-certbot-inventory.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/DOMAIN-TLS-CERTBOT-OWNER-RESPONSE-ACCEPTANCE.md"
},
{
"exists": true,
"ref": "docs/security/domain-tls-certbot-owner-response-acceptance.snapshot.json"
}
],
"evidence_refs": [
"docs/security/DOMAIN-TLS-CERTBOT-INVENTORY.md",
"docs/security/domain-tls-certbot-inventory.snapshot.json",
"docs/security/DOMAIN-TLS-CERTBOT-OWNER-RESPONSE-ACCEPTANCE.md",
"docs/security/domain-tls-certbot-owner-response-acceptance.snapshot.json"
],
"group_id": "dns_tls_certbot",
"label": "DNS / TLS / Certbot",
"live_evidence_accepted": 0,
"next_owner_action": "補 SAN / wildcard 覆蓋依據、expiry metadata、renewal owner、ACME route owner。",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "domain、certificate path、ACME、renewal owner、TLS route",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/HOST-SERVICE-CONFIG-INVENTORY.md"
},
{
"exists": true,
"ref": "docs/security/host-service-config-inventory.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/HOST-SERVICE-POST-INCIDENT-READBACK-PLAN.md"
},
{
"exists": true,
"ref": "docs/security/host-service-post-incident-readback-plan.snapshot.json"
}
],
"evidence_refs": [
"docs/security/HOST-SERVICE-CONFIG-INVENTORY.md",
"docs/security/host-service-config-inventory.snapshot.json",
"docs/security/HOST-SERVICE-POST-INCIDENT-READBACK-PLAN.md",
"docs/security/host-service-post-incident-readback-plan.snapshot.json"
],
"group_id": "host_service_runtime",
"label": "Docker / systemd / Host Service",
"live_evidence_accepted": 0,
"next_owner_action": "補 live hash metadata、incident readback、restart window、rollback owner、post-check。",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "Docker Compose、systemd、repair-bot、port binding、process / persistence baseline",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/SSH-NETWORK-ACCESS-INVENTORY.md"
},
{
"exists": true,
"ref": "docs/security/ssh-network-access-inventory.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/SSH-NETWORK-POST-INCIDENT-READBACK-PLAN.md"
},
{
"exists": true,
"ref": "docs/security/ssh-network-post-incident-readback-plan.snapshot.json"
}
],
"evidence_refs": [
"docs/security/SSH-NETWORK-ACCESS-INVENTORY.md",
"docs/security/ssh-network-access-inventory.snapshot.json",
"docs/security/SSH-NETWORK-POST-INCIDENT-READBACK-PLAN.md",
"docs/security/ssh-network-post-incident-readback-plan.snapshot.json"
],
"group_id": "ssh_firewall_network",
"label": "SSH / Firewall / WireGuard / NodePort",
"live_evidence_accepted": 0,
"next_owner_action": "補 actor、before / after state、impact、operator notification、restoration evidence。",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "SSH target、known_hosts、sudoers、firewall、WireGuard、NetworkPolicy、NodePort",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md"
},
{
"exists": true,
"ref": "docs/security/k8s-argocd-manifest-inventory.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/K8S-ARGOCD-POST-INCIDENT-READBACK-PLAN.md"
},
{
"exists": true,
"ref": "docs/security/k8s-argocd-post-incident-readback-plan.snapshot.json"
}
],
"evidence_refs": [
"docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md",
"docs/security/k8s-argocd-manifest-inventory.snapshot.json",
"docs/security/K8S-ARGOCD-POST-INCIDENT-READBACK-PLAN.md",
"docs/security/k8s-argocd-post-incident-readback-plan.snapshot.json"
],
"group_id": "k8s_argocd_gitops",
"label": "K8s / ArgoCD / GitOps",
"live_evidence_accepted": 0,
"next_owner_action": " ArgoCD revisionhealth / syncrendered manifest diffrollback revisionpostcheck owner",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "K8s manifestsArgoCD appRBACNetworkPolicyCronJobVelero",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md"
},
{
"exists": true,
"ref": "docs/security/source-control-workflow-secret-name-inventory.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md"
},
{
"exists": true,
"ref": "docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json"
}
],
"evidence_refs": [
"docs/security/SOURCE-CONTROL-WORKFLOW-SECRET-NAME-INVENTORY.md",
"docs/security/source-control-workflow-secret-name-inventory.snapshot.json",
"docs/security/CD-RUNNER-SECRET-INJECTION-POST-INCIDENT-READBACK-PLAN.md",
"docs/security/cd-runner-secret-injection-post-incident-readback-plan.snapshot.json"
],
"group_id": "workflow_runner_secret",
"label": "Gitea Workflow / Runner / Secret Metadata",
"live_evidence_accepted": 0,
"next_owner_action": " runner attestationworkspace cleanupsecret injection routelog redactionGitea run readback",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "workflowrunner labeldeploy keywebhooksecret name parityredaction guard",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md"
},
{
"exists": true,
"ref": "docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md"
},
{
"exists": true,
"ref": "docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md"
},
{
"exists": true,
"ref": "docs/security/source-control-primary-readiness-gate.snapshot.json"
}
],
"evidence_refs": [
"docs/security/GITEA-GITHUB-MIGRATION-INVENTORY.md",
"docs/security/SOURCE-CONTROL-PRIMARY-READINESS-GATE.md",
"docs/security/GITHUB-TARGET-OWNER-DECISION-RESPONSE.md",
"docs/security/source-control-primary-readiness-gate.snapshot.json"
],
"group_id": "source_control_repo_visibility",
"label": "Gitea / GitHub / Source Control",
"live_evidence_accepted": 0,
"next_owner_action": " owner response repo visibilitysync refs primary",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "repo visibilitycanonical refsGitHub primary readinessbranch / tag / workflow boundary",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/WAZUH-IWOOOS-INTRUSION-READBACK-PLAN.md"
},
{
"exists": true,
"ref": "docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md"
},
{
"exists": true,
"ref": "docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json"
}
],
"evidence_refs": [
"docs/security/WAZUH-IWOOOS-INTRUSION-READBACK-PLAN.md",
"docs/security/wazuh-iwooos-intrusion-readback-plan.snapshot.json",
"docs/security/SOC-SIEM-KALI-WAZUH-INTEGRATION-CONTROL.md",
"docs/security/soc-siem-kali-wazuh-integration-control.snapshot.json"
],
"group_id": "wazuh_endpoint_siem",
"label": "Wazuh / Endpoint / SIEM",
"live_evidence_accepted": 0,
"next_owner_action": " Wazuh health refsagent refsevent refsrule / decoder readback no-raw-payload attestation",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "Wazuh manageragentFIMrule / decoderevent refactive response dry-run boundary",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/KALI-INTEGRATION-STATUS.md"
},
{
"exists": true,
"ref": "docs/security/kali-integration-status.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md"
},
{
"exists": true,
"ref": "docs/security/kali-112-maintenance-window-draft.snapshot.json"
}
],
"evidence_refs": [
"docs/security/KALI-INTEGRATION-STATUS.md",
"docs/security/kali-integration-status.snapshot.json",
"docs/security/KALI-112-MAINTENANCE-WINDOW-DRAFT.md",
"docs/security/kali-112-maintenance-window-draft.snapshot.json"
],
"group_id": "kali_112_assessment",
"label": "Kali 112 / Assessment Tooling",
"live_evidence_accepted": 0,
"next_owner_action": " scope refhealth refnormalized finding envelopeactive scan /execute ",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "Kali healthtool versionscopefinding envelopemaintenance window",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/MONITORING-ALERTING-OBSERVABILITY-INVENTORY.md"
},
{
"exists": true,
"ref": "docs/security/monitoring-alerting-observability-inventory.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/MONITORING-POST-INCIDENT-READBACK-PLAN.md"
},
{
"exists": true,
"ref": "docs/security/monitoring-post-incident-readback-plan.snapshot.json"
}
],
"evidence_refs": [
"docs/security/MONITORING-ALERTING-OBSERVABILITY-INVENTORY.md",
"docs/security/monitoring-alerting-observability-inventory.snapshot.json",
"docs/security/MONITORING-POST-INCIDENT-READBACK-PLAN.md",
"docs/security/monitoring-post-incident-readback-plan.snapshot.json"
],
"group_id": "monitoring_alerting_observability",
"label": "Monitoring / Alerting / Observability",
"live_evidence_accepted": 0,
"next_owner_action": " route ownerreceiver diffreceipt evidencenoise budgetreload owner no-false-green",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "PrometheusAlertmanagerTelegram routeSigNozSentryLangfuseno-false-green",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/BACKUP-RESTORE-ESCROW-INVENTORY.md"
},
{
"exists": true,
"ref": "docs/security/backup-restore-escrow-inventory.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/BACKUP-RESTORE-POST-INCIDENT-READBACK-PLAN.md"
},
{
"exists": true,
"ref": "docs/security/backup-restore-post-incident-readback-plan.snapshot.json"
}
],
"evidence_refs": [
"docs/security/BACKUP-RESTORE-ESCROW-INVENTORY.md",
"docs/security/backup-restore-escrow-inventory.snapshot.json",
"docs/security/BACKUP-RESTORE-POST-INCIDENT-READBACK-PLAN.md",
"docs/security/backup-restore-post-incident-readback-plan.snapshot.json"
],
"group_id": "backup_restore_dr",
"label": "Backup / Restore / DR / Escrow",
"live_evidence_accepted": 0,
"next_owner_action": " restore drilloffsite sync refescrow non-secret proofretention runwayDR scorecard",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "backup scriptsresticoffsitecredential escrowVelerorestore drillretention",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md"
},
{
"exists": true,
"ref": "docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md"
},
{
"exists": true,
"ref": "docs/security/security-supply-chain-contract-manifest.snapshot.json"
},
{
"exists": true,
"ref": "docs/evaluations/dependency_supply_chain_drift_monitor_2026-06-18.json"
}
],
"evidence_refs": [
"docs/security/SECURITY-SUPPLY-CHAIN-PROGRESS.md",
"docs/security/SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST.md",
"docs/security/security-supply-chain-contract-manifest.snapshot.json",
"docs/evaluations/dependency_supply_chain_drift_monitor_2026-06-18.json"
],
"group_id": "container_registry_supply_chain",
"label": "Harbor / Registry / SBOM / Supply Chain",
"live_evidence_accepted": 0,
"next_owner_action": " SBOM / VEX / provenance intakeimage signingKEV / EPSS / exposure SLA",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "Harborregistryimage tagSBOMCosignSLSAdependency driftCVE / KEV",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md"
},
{
"exists": true,
"ref": "docs/security/public-runtime-config-change-evidence-acceptance.snapshot.json"
},
{
"exists": true,
"ref": "docs/security/public-frontend-sensitive-surface-guard.snapshot.json"
},
{
"exists": true,
"ref": "docs/HARD_RULES.md"
}
],
"evidence_refs": [
"docs/security/PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md",
"docs/security/public-runtime-config-change-evidence-acceptance.snapshot.json",
"docs/security/public-frontend-sensitive-surface-guard.snapshot.json",
"docs/HARD_RULES.md"
],
"group_id": "public_admin_api_runtime",
"label": "Public / Admin / API / Frontend Runtime",
"live_evidence_accepted": 0,
"next_owner_action": " route ownerAPI contract readbackCORS diffdesktop / mobile smokebundle sensitive scan",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "public URLCORSauth boundarymiddlewarewebhookfrontend envi18n redaction",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/AI-PROVIDER-OWNER-RESPONSE-ACCEPTANCE.md"
},
{
"exists": true,
"ref": "docs/security/ai-provider-owner-response-acceptance.snapshot.json"
},
{
"exists": true,
"ref": "docs/ai"
},
{
"exists": true,
"ref": "docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md"
}
],
"evidence_refs": [
"docs/security/AI-PROVIDER-OWNER-RESPONSE-ACCEPTANCE.md",
"docs/security/ai-provider-owner-response-acceptance.snapshot.json",
"docs/ai",
"docs/superpowers/specs/2026-04-15-MASTER-ai-autonomous-flywheel-v2.md"
],
"group_id": "ai_provider_agent_runtime",
"label": "AI Provider / Model Router / Agent Runtime",
"live_evidence_accepted": 0,
"next_owner_action": " dry-runbenchmarkcost reviewprivacy reviewfallback order rollback owner",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P0",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "OpenClawOllamaNemoTronHermesGeminiMCP / A2Atool allowlistcost / privacy",
"secret_value_collection_allowed": false,
"tier": "C0"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md"
},
{
"exists": true,
"ref": "docs/security/VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md"
},
{
"exists": true,
"ref": "docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md"
},
{
"exists": true,
"ref": "docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json"
}
],
"evidence_refs": [
"docs/security/IWOOOS-CONFIG-CONTROL-INVENTORY.md",
"docs/security/VIBEWORK-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/AGENT-BOUNTY-IWOOOS-ONBOARDING-HANDOFF.md",
"docs/security/agent-bounty-iwooos-onboarding-handoff.snapshot.json"
],
"group_id": "product_surface_runtime_routes",
"label": "Product Surface / Runtime Route",
"live_evidence_accepted": 0,
"next_owner_action": " ownerrouteadminAPIbackupwebhookrollback validation ",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P1",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "AWOOOIAwoooPIwoooSVibeWorkagent-bounty-protocolStockPlatformTsenyangBitan",
"secret_value_collection_allowed": false,
"tier": "C1"
},
{
"action_button": 0,
"evidence_ref_states": [
{
"exists": true,
"ref": "docs/LOGBOOK.md"
},
{
"exists": true,
"ref": "apps/api/src/services/repair_candidate_service.py"
},
{
"exists": true,
"ref": "apps/api/src/services/telegram_gateway.py"
},
{
"exists": true,
"ref": "apps/web/src/app/[locale]/awooop/work-items/page.tsx"
}
],
"evidence_refs": [
"docs/LOGBOOK.md",
"apps/api/src/services/repair_candidate_service.py",
"apps/api/src/services/telegram_gateway.py",
"apps/web/src/app/[locale]/awooop/work-items/page.tsx"
],
"group_id": "automation_asset_sedimentation",
"label": "KM / PlayBook / Script / Schedule / Verifier",
"live_evidence_accepted": 0,
"next_owner_action": " incident / approval / manual handoff writeback contract",
"owner_packet_status": "waiting_asset_owner_packet",
"owner_response_accepted": 0,
"owner_response_received": 0,
"priority": "P1",
"raw_payload_allowed": false,
"redacted_evidence_refs_required": true,
"runtime_gate": 0,
"scope": "incidentapprovalrepair candidatemanual handoff ",
"secret_value_collection_allowed": false,
"tier": "C1"
}
],
"blocked_actions": [
"ssh_to_host",
"read_live_host_log",
"write_host_file",
"nginx_reload",
"certbot_renew",
"dns_change",
"firewall_change",
"wireguard_change",
"nodeport_change",
"networkpolicy_apply",
"kubectl_action",
"argocd_sync",
"helm_upgrade",
"docker_restart",
"docker_compose_up",
"systemctl_restart",
"repair_bot_execute",
"ansible_apply",
"wazuh_active_response",
"wazuh_rule_change",
"kali_active_scan",
"kali_execute",
"nmap_scan",
"nuclei_scan",
"trivy_live_scan",
"package_upgrade",
"workflow_modify",
"workflow_dispatch",
"runner_restart",
"secret_read",
"secret_rotate",
"webhook_modify",
"deploy_key_modify",
"refs_sync",
"force_push",
"github_primary_switch",
"backup_run",
"restore_run",
"offsite_sync",
"remote_delete",
"telegram_send",
"soar_case_create",
"auto_block",
"production_write"
],
"execution_boundaries": {
"action_buttons_allowed": false,
"argocd_sync_authorized": false,
"auto_block_authorized": false,
"firewall_change_authorized": false,
"host_write_authorized": false,
"kali_active_scan_authorized": false,
"kali_execute_authorized": false,
"nginx_reload_authorized": false,
"not_authorization": true,
"production_write_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"soar_action_authorized": false,
"ssh_read_authorized": false,
"telegram_send_authorized": false,
"wazuh_active_response_authorized": false,
"workflow_modification_authorized": false
},
"generated_at": "2026-06-18T13:44:00+08:00",
"git_commit": "c7597df2",
"outcome_lanes": [
"waiting_asset_owner_packet",
"request_gateway_supplement",
"request_host_service_supplement",
"request_network_supplement",
"request_wazuh_kali_supplement",
"request_backup_restore_supplement",
"request_supply_chain_supplement",
"request_product_surface_supplement",
"quarantine_secret_or_raw_payload",
"ready_for_security_reviewer_review"
],
"required_owner_fields": [
"asset_group_id",
"asset_alias",
"owner_role",
"owner_team",
"business_impact",
"technical_scope",
"affected_routes_or_services",
"data_classification",
"redacted_evidence_refs",
"source_of_truth_ref",
"live_state_ref",
"config_diff_ref",
"monitoring_signal_ref",
"wazuh_or_siem_ref",
"kali_scope_ref",
"backup_restore_ref",
"supply_chain_ref",
"secret_absence_attestation",
"raw_payload_absence_attestation",
"maintenance_window",
"rollback_owner",
"postcheck_owner",
"followup_owner",
"decision_reason"
],
"reviewer_checks": [
"asset alias namespace",
"owner role / team ",
"source-of-truth ",
"live evidence ref",
"secret value / hash / partial token ",
"raw Wazuh / raw Kali output ",
"Nginx / firewall / K8s / workflow runtime approval",
"route 200 ",
"dashboard remediation ",
"backup restore drill ",
"Kali active scan ",
"Wazuh event active response ",
"repo snapshot live host truth",
" actorbefore / afterimpactpostcheck",
"no-false-green ",
"owner response received / accepted 0",
"runtime gate 0",
"action button 0",
"Gitea / GitHub refs ",
"GitHub primary ",
"Telegram ",
"SOAR auto block",
"AI agent secret host write",
"LOGBOOK 稿"
],
"schema_version": "security_asset_control_ledger_v1",
"status": "security_asset_control_ledger_ready_no_runtime_action",
"summary": {
"action_button_count": 0,
"active_scan_authorized_count": 0,
"asset_group_count": 16,
"auto_block_authorized_count": 0,
"blocked_action_count": 44,
"c0_asset_group_count": 14,
"c1_asset_group_count": 2,
"evidence_ref_count": 64,
"existing_evidence_ref_count": 64,
"host_write_authorized_count": 0,
"iwooos_headline_progress_percent": 64,
"kali_execute_authorized_count": 0,
"live_evidence_accepted_count": 0,
"missing_evidence_ref_count": 0,
"outcome_lane_count": 10,
"owner_packet_required_count": 16,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"p0_asset_group_count": 14,
"p1_asset_group_count": 2,
"raw_payload_stored_count": 0,
"required_owner_field_count": 24,
"reviewer_check_count": 24,
"runtime_gate_count": 0,
"secret_value_collected_count": 0,
"security_asset_control_ledger_completion_percent": 100,
"soar_action_authorized_count": 0,
"wazuh_active_response_authorized_count": 0
}
}