## Phase 0(文件層,全部 Accepted) - ADR-106/107:AwoooP 平台架構 + 儲存策略 - ADR-111~118:Bootstrap → RLS 七項核心 ADR - ADR-119~124:SAGA → Singleton Decomposition 六項 ADR - ADR-UI-01~04:Operator Console 四個 UI ADR ## Phase 1(DB schema + migration) - awooop_phase1_control_plane_2026-05-04.sql:7 張新表 + trigger + RLS - Step 1:三角色(platform_admin/migration BYPASSRLS,awooop_app 受 RLS) - Step 13:GRANT awooop_app 最小權限(7 條) - Step 14:RLS fail-closed,移除 __platform__ 後門 - awooop_phase1_batch1_rls_2026-05-04.sql:高流量四表三步式 ADD COLUMN - awooop_phase1_batch1_backfill.py:SKIP LOCKED 分批回填腳本 - awooop_models.py:7 個 SQLAlchemy 2.x models ## Critic 修正(4 Critical + 3 Major) - C-1:ADD CONSTRAINT IF NOT EXISTS → DO 塊 + pg_constraint 查詢 - C-2:__mapper_args__ 字串 list → primary_key=True on mapped_column - C-3:__platform__ RLS 後門 → 全移除,改用 BYPASSRLS role - C-4:awooop_app role 從未建立 → Step 1 + 7 條 GRANT - M-1:active_pointer_guard SECURITY DEFINER(FORCE RLS 跨租戶保護) - M-2:pg_partman create_parent 加冪等防護 - M-3:immutability trigger 新增身份欄位保護(project_id/family/contract_id) ## Task 1.2 修補 - agent_loader.py:硬編碼 Mac 路徑 → AGENTS_DIR 環境變數 - Dockerfile:補 COPY .claude/agents/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
206 lines
7.3 KiB
Markdown
206 lines
7.3 KiB
Markdown
# ADR-122: OWASP Agentic AI Top 10 & ISO 42001 Alignment
|
||
|
||
**狀態**:Accepted
|
||
**日期**:2026-05-03(台北)
|
||
**決策者**:統帥
|
||
**範圍**:行業標準映射到 AwoooP 控制項、合規差距識別
|
||
**關聯**:ADR-116(security hardening)、ADR-117(Confused Deputy)、ADR-120(budget)
|
||
|
||
---
|
||
|
||
## 背景
|
||
|
||
2025 年起,OWASP 發布了 **Agentic AI Top 10**(OAI-01 到 OAI-10),定義了 AI Agent 系統的十大安全風險。同期 ISO/IEC 42001(AI Management System Standard)也開始被企業採納。
|
||
|
||
AwoooP 作為 AI Agent 平台,需要對應這兩個標準,確保架構設計符合行業期望。本 ADR 記錄每個風險點的控制狀態。
|
||
|
||
---
|
||
|
||
## OWASP Agentic AI Top 10 映射
|
||
|
||
### OAI-01:Prompt Injection(提示注入)
|
||
|
||
**風險**:攻擊者透過惡意 prompt 操控 Agent 行為。
|
||
|
||
| 控制項 | 狀態 | 實作位置 |
|
||
|--------|------|---------|
|
||
| Input sanitization | ⚠️ Partial | `decision_manager.py`(需加強)|
|
||
| System prompt isolation | ⚠️ Partial | Agent contract `system_prompt` 欄位(Phase 3)|
|
||
| Output validation | ✅ | `requires_approval` 改 policy-derived(ADR-116 D3)|
|
||
| Injection detection pattern | ❌ TODO | Phase 5:injection pattern 規則庫 |
|
||
|
||
**差距**:需要在 LLM input 加 injection pattern 偵測層。
|
||
|
||
---
|
||
|
||
### OAI-02:Insecure Output Handling(不安全輸出處理)
|
||
|
||
**風險**:Agent 輸出被用於執行命令而不驗證。
|
||
|
||
| 控制項 | 狀態 | 實作位置 |
|
||
|--------|------|---------|
|
||
| Tool call parameter validation | ⚠️ Partial | `mcp_bridge.py`(需加 schema 驗證)|
|
||
| Output schema enforcement | ❌ TODO | Phase 3:Agent contract output_schema |
|
||
| Structured output only(no free-form exec)| ✅ | MCP Gateway 強制 tool_id + params 結構 |
|
||
|
||
---
|
||
|
||
### OAI-03:Excessive Agency(過度授權)
|
||
|
||
**風險**:Agent 被賦予超出必要的工具和資源存取權限。
|
||
|
||
| 控制項 | 狀態 | 實作位置 |
|
||
|--------|------|---------|
|
||
| Per-run allowed_tools allowlist | ✅ | ADR-117 D2 |
|
||
| Agent contract tool restriction | ✅ | ADR-106(allowed_tools 欄位)|
|
||
| HIGH risk tool requires approval | ✅ | ADR-116 D4 + ADR-117 |
|
||
| Namespace restriction in K8s ops | ✅ | ADR-117 D2(contract-derived)|
|
||
|
||
**狀態:COMPLIANT**(Phase 3 實作後)
|
||
|
||
---
|
||
|
||
### OAI-04:Resource Exhaustion(資源耗盡)
|
||
|
||
**風險**:Agent 呼叫無限 LLM 或工具,耗盡計算/費用資源。
|
||
|
||
| 控制項 | 狀態 | 實作位置 |
|
||
|--------|------|---------|
|
||
| Token budget hard kill | ✅ | ADR-120 D2 |
|
||
| LLM call count limit per run | ✅ | ADR-120 D6(llm_call_limit_per_run)|
|
||
| Tenant budget isolation | ✅ | ADR-120 D1 |
|
||
| Emergency kill switch | ✅ | ADR-120 D2 防線 3 |
|
||
|
||
**狀態:COMPLIANT**(Phase 2 實作後)
|
||
|
||
---
|
||
|
||
### OAI-05:Supply Chain Vulnerabilities(供應鏈漏洞)
|
||
|
||
**風險**:使用的 AI 模型、工具或 SDK 有未修補的漏洞。
|
||
|
||
| 控制項 | 狀態 | 實作位置 |
|
||
|--------|------|---------|
|
||
| Model version tracking | ✅ | `ai_provider_version_history` 表 |
|
||
| Dependency scanning(pip-audit)| ⚠️ Partial | CI/CD 需要加入 pip-audit |
|
||
| Container image scanning | ⚠️ Partial | Harbor 有 Trivy,但未開啟 |
|
||
| SBOM generation | ❌ TODO | Phase 5 |
|
||
|
||
**差距**:CI/CD 需要加入 pip-audit + Harbor Trivy 掃描啟用。
|
||
|
||
---
|
||
|
||
### OAI-06:Data Privacy Violation(資料隱私違規)
|
||
|
||
**風險**:Agent 處理或洩漏敏感使用者資料。
|
||
|
||
| 控制項 | 狀態 | 實作位置 |
|
||
|--------|------|---------|
|
||
| Tenant data isolation(RLS)| ✅ | ADR-118 |
|
||
| PII detection before LLM | ❌ TODO | Phase 5:PII filter middleware |
|
||
| Audit log for sensitive operations | ✅ | ADR-112 D7 |
|
||
| K8s Secret 不進 DB | ✅ | INV-4 已確認 |
|
||
|
||
**差距**:PII filter 在 Phase 5 實作,Phase 1~4 期間靠 RLS 隔離。
|
||
|
||
---
|
||
|
||
### OAI-07:Memory Poisoning(記憶體污染)
|
||
|
||
**風險**:攻擊者透過操控 Agent 記憶(KM)影響未來決策。
|
||
|
||
| 控制項 | 狀態 | 實作位置 |
|
||
|--------|------|---------|
|
||
| KM write requires approval (HIGH risk) | ⚠️ Partial | `knowledge_write` 已在 approval gate(ADR-116 D3)|
|
||
| KM entry source tracking | ✅ | `knowledge_entries.source` 欄位 |
|
||
| KM poisoning detection | ❌ TODO | Phase 5:KM 異常寫入頻率監控 |
|
||
| Human review for critical KM | ⚠️ Partial | 目前只有 approval,沒有 review UI |
|
||
|
||
---
|
||
|
||
### OAI-08:Unauthorized Actions(未授權操作)
|
||
|
||
**風險**:Agent 在沒有授權的情況下執行影響系統的操作。
|
||
|
||
| 控制項 | 狀態 | 實作位置 |
|
||
|--------|------|---------|
|
||
| Principal mapping(who sent this run?)| ✅ | ADR-115(platform_subjects 表)|
|
||
| Approval workflow | ✅ | ADR-114 + ADR-116 |
|
||
| requires_approval not from LLM | ✅ | ADR-116 D3(P0-04 修補)|
|
||
| SAGA compensation on rejection | ✅ | ADR-119 |
|
||
|
||
**狀態:COMPLIANT**(Phase 2 實作後)
|
||
|
||
---
|
||
|
||
### OAI-09:Access Control Bypass(存取控制繞過)
|
||
|
||
**風險**:攻擊者繞過 Agent 的存取控制機制。
|
||
|
||
| 控制項 | 狀態 | 實作位置 |
|
||
|--------|------|---------|
|
||
| Callback nonce HMAC(防偽造)| ✅ | ADR-116 D1(P0-05 修補)|
|
||
| Webhook replay 防護 | ✅ | ADR-116 D2(P0-06 修補)|
|
||
| JWT / approval_token HS256 | ✅ | ADR-116 D4 |
|
||
| RLS 防 cross-tenant | ✅ | ADR-118 |
|
||
| Confused Deputy prevention | ✅ | ADR-117 D2 |
|
||
|
||
**狀態:COMPLIANT**(Phase 2 實作後)
|
||
|
||
---
|
||
|
||
### OAI-10:Observability Deficiency(可觀測性不足)
|
||
|
||
**風險**:AI Agent 的行為無法被審計和追蹤。
|
||
|
||
| 控制項 | 狀態 | 實作位置 |
|
||
|--------|------|---------|
|
||
| OTel GenAI spans | ✅ | ADR-121 |
|
||
| run_id / trace_id 全鏈路 | ✅ | ADR-111(contextvars)|
|
||
| Audit log for all contract ops | ✅ | ADR-112 D7 |
|
||
| Token usage telemetry | ✅ | ADR-120 D2 + ADR-121 D2 |
|
||
| Background loop 31 個 tagging | ⚠️ Partial | PR-10(Phase 2)|
|
||
|
||
---
|
||
|
||
## ISO 42001 映射
|
||
|
||
| 條款 | 要求 | AwoooP 控制項 |
|
||
|------|------|-------------|
|
||
| 6.1 風險評估 | AI 系統風險識別 | ADR 系列(111~124)= 正式風險評估文件 |
|
||
| 6.2 目標與計畫 | AI 目標量化 | DETAILED-IMPLEMENTATION-PLAN Phase DoD |
|
||
| 8.4 AI 系統生命週期 | 版本管理、審批流程 | ADR-112(contract governance)|
|
||
| 9.1 監控與量測 | 效能指標追蹤 | ADR-121(OTel)+ SignOz dashboard |
|
||
| 10.1 不符合項與矯正 | 問題追蹤與改善 | ADR + INV 系統 |
|
||
|
||
---
|
||
|
||
## 差距摘要(需後續 Phase 解決)
|
||
|
||
| OWASP Item | 差距項目 | 目標 Phase |
|
||
|-----------|---------|-----------|
|
||
| OAI-01 | Injection detection pattern 規則庫 | Phase 5 |
|
||
| OAI-02 | Agent contract output_schema 驗證 | Phase 3 |
|
||
| OAI-05 | pip-audit CI + Harbor Trivy | Phase 4 |
|
||
| OAI-06 | PII filter middleware | Phase 5 |
|
||
| OAI-07 | KM 異常寫入頻率監控 | Phase 5 |
|
||
| OAI-10 | 31 個 background loop tagging(PR-10)| Phase 2 |
|
||
|
||
---
|
||
|
||
## 驗收標準
|
||
|
||
- [ ] OWASP OAI-03/04/08/09:Phase 2 實作後 vuln-verifier PoC 全過
|
||
- [ ] OWASP OAI-10:31 個 background loop 全部 tagged(PR-10 完成)
|
||
- [ ] ISO 42001 映射表展示給統帥確認(Phase 2 收尾)
|
||
- [ ] 差距清單進入 Phase 4/5 backlog
|
||
|
||
## 關聯
|
||
|
||
- ADR-116(security hardening,P0-04/05/06)
|
||
- ADR-117(Confused Deputy,OAI-03/09)
|
||
- ADR-118(RLS,OAI-06/09)
|
||
- ADR-119(SAGA,OAI-08)
|
||
- ADR-120(budget hard kill,OAI-04)
|
||
- ADR-121(OTel,OAI-10)
|