35 KiB
IwoooS 高價值配置控管覆蓋矩陣
| 項目 | 內容 |
|---|---|
| 日期 | 2026-06-15 |
| 狀態 | coverage_matrix_ready |
| 工具 | scripts/security/high-value-config-control-coverage.py |
| Snapshot | docs/security/high-value-config-control-coverage.snapshot.json |
| Schema | docs/schemas/high_value_config_control_coverage_v1.schema.json |
| runtime gate | 0 |
1. 目的
此矩陣把「所有重要配置都要被資安控管」從人讀清冊推進成可重跑 snapshot。它直接讀取 high-value-config-change-gate.py 的配置分類,避免變更 Gate 與長期覆蓋清冊各自漂移。
本階段仍是只讀覆蓋矩陣,不接 blocking CI、不 SSH、不讀 live host、不執行 nginx -t、不 reload Nginx、不做 DNS / TLS probe、不 renew cert、不同步 refs、不修改 workflow、不收 secret value、不啟動 agent-bounty runtime。
1.1 2026-06-14 P0 pattern 覆蓋同步
本輪 snapshot 已從最新 high-value-config-change-gate.py 讀回 P0 pattern 補強:
| 類別 | 新增覆蓋 | 目前解讀 |
|---|---|---|
nginx_public_gateway |
k8s/nginx/** |
K8s 內 Nginx 公開入口設定納入 P0 / C0 owner response 與 rollback 管控 |
dns_tls_certbot |
scripts/ops/**/*cert*、scripts/ops/**/*tls* |
憑證修復、renewal 與 TLS 腳本納入 P0 / C0 owner response 與維護窗口管控 |
此同步只修正長期覆蓋矩陣與變更 Gate 的一致性,不代表 live evidence 已收到,也不代表可執行 nginx -t、reload、certbot renew 或 DNS / TLS 變更。
1.2 2026-06-14 K8s / ArgoCD manifest repo-only 清冊
已新增 docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md 與 docs/security/k8s-argocd-manifest-inventory.snapshot.json,將 k8s/awoooi-prod、k8s/argocd、k8s/velero、k8s/monitoring 轉成 repo-only manifest inventory。
目前固定為 file_count=49、c0_file_count=36、yaml_manifest_file_count=45、unique_kind_count=20、top_level_kind_marker_count=56、blocked_action_count=13、runtime_gate_count=0。此 artifact 只補上 K8s / ArgoCD source inventory 的可重跑基線;owner request、rendered manifest diff、ArgoCD health readback、ArgoCD sync、kubectl action、live cluster read 與 production write 仍全部未授權。
2026-06-14 P0-21 再新增 docs/security/K8S-ARGOCD-OWNER-REQUEST-DRAFT.md 與 docs/security/k8s-argocd-owner-request-draft.snapshot.json,將四個 scan group 轉成 request_draft_count=4、c0_request_draft_count=3、required_owner_field_count=11、evidence_gap_count=8、blocked_action_count=13 的 request draft。此更新仍不是 request sent、owner response received / accepted、ArgoCD readback、sync、kubectl action 或 runtime gate。
2026-06-15 P0-25 再新增 docs/security/K8S-ARGOCD-OWNER-RESPONSE-ACCEPTANCE.md 與 docs/security/k8s-argocd-owner-response-acceptance.snapshot.json,將 manifest inventory 與 owner request draft 轉成 acceptance_candidate_count=4、c0_acceptance_candidate_count=3、required_owner_field_count=11、reviewer_check_count=12、outcome_lane_count=7、blocked_action_count=18 的 owner response acceptance 只讀帳本。此更新讓 k8s_production_gitops 從 58% 推進到 62%;owner response received / accepted、rendered manifest diff、ArgoCD API read、ArgoCD sync、kubectl action、live cluster read、secret collection、runtime gate 與 action button 仍全部為 0 / false。
2026-06-15 再新增 docs/security/K8S-ARGOCD-CHANGE-EVIDENCE-ACCEPTANCE.md 與 docs/security/k8s-argocd-change-evidence-acceptance.snapshot.json,將四個 K8s / ArgoCD scan group 轉成 GitOps 變更證據驗收只讀帳本。固定 change_evidence_candidate_count=4、c0_change_evidence_candidate_count=3、write_capable_candidate_count=4、required_evidence_field_count=18、reviewer_check_count=18、outcome_lane_count=8、blocked_action_count=28,讓 k8s_production_gitops 從 62% 推進到 64%;proposed commit、rendered manifest diff、ArgoCD app / sync revision、health before / after、rollout status、route smoke、metrics / alert、secret metadata parity、blast radius、maintenance window、rollback revision、postcheck owner、runtime approval package、ArgoCD sync、kubectl action、Helm upgrade、NetworkPolicy / NodePort / RBAC 變更、production write 與 runtime gate 仍全部為 0 / false。
1.2a 2026-06-15 CD / Runner / Secret 注入變更證據驗收
已新增 docs/security/CD-RUNNER-SECRET-INJECTION-CHANGE-EVIDENCE-ACCEPTANCE.md 與 docs/security/cd-runner-secret-injection-change-evidence-acceptance.snapshot.json,將 CD pipeline、Code Review、Deploy alerts、Runner attestation 與 Secret parity / injection owner 轉成 metadata-only 變更證據驗收帳本。
固定數字為 change_evidence_candidate_count=5、c0_change_evidence_candidate_count=4、c1_change_evidence_candidate_count=1、write_capable_candidate_count=5、local_workflow_file_count=33、local_referenced_secret_name_count=42、runner_label_count=5、required_evidence_field_count=19、reviewer_check_count=19、outcome_lane_count=8、blocked_action_count=32。此更新讓 secret_metadata 從 66% 推進到 68%,讓 gitea_workflow_runner_source_control 從 70% 推進到 72%;workflow diff、runner attestation、secret name parity、secret injection route、deploy marker readback、guard result、post-check evidence、runtime approval package、workflow 修改、runner 啟用、secret rotation、repo secret change、Gitea action dispatch、production deploy 與 runtime gate 仍全部為 0 / false。
1.2b 2026-06-15 Public / Admin / API runtime config 變更證據驗收
已新增 docs/security/PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md 與 docs/security/public-runtime-config-change-evidence-acceptance.snapshot.json,將公開產品頁、AwoooP 後台、API / CORS、frontend env、Sentry tunnel、webhook / callback 與跨產品 runtime route 轉成 metadata-only 變更證據驗收帳本。
固定數字為 change_evidence_candidate_count=6、c0_change_evidence_candidate_count=5、c1_change_evidence_candidate_count=1、write_capable_candidate_count=6、source_ref_count=20、required_evidence_field_count=21、reviewer_check_count=21、outcome_lane_count=8、blocked_action_count=32。此更新讓 public_admin_api_runtime_config 從 62% 推進到 64%,但 affected route、admin/auth boundary、API contract readback、CORS diff、frontend env diff、i18n redaction review、webhook / callback owner、desktop / mobile smoke、sensitive string scan、post-check evidence、runtime approval package、route / CORS / env / auth / webhook 變更、production deploy 與 runtime gate 仍全部為 0 / false。
此帳本明確把 raw owner namespace、repo slug、內部狀態碼、內部協作文字、cookie、token、secret value、DSN value、raw payload 與未脫敏截圖列為拒收或隔離條件。前台可以顯示產品 / 專案脫敏名稱與控管狀態,但不得顯示個人 namespace、內部狀態碼、內部協作內容或抱怨語句。
1.3 2026-06-14 agent-bounty-protocol owner request draft
已新增 docs/security/AGENT-BOUNTY-OWNER-REQUEST-DRAFT.md 與 docs/security/agent-bounty-owner-request-draft.snapshot.json,將 agent-bounty-protocol onboarding handoff 轉成 11 份 owner request draft。
固定數字為 request_draft_count=11、control_boundary_request_count=4、product_surface_request_count=7、write_capable_request_draft_count=8、treasury_related_request_draft_count=4、mcp_a2a_related_request_draft_count=5、required_owner_field_count=22、forbidden_input_count=25、blocked_action_count=28、runtime_gate_count=0。此更新不提高 agent_bounty_protocol_runtime 成熟度,仍維持 68%;owner response、repo / refs truth、deployment boundary、MCP / A2A boundary、treasury boundary、claim / submit、payout / withdrawal、cron / daemon、runtime gate 與 action button 仍全部為 0 / false。
1.4 2026-06-14 Public Gateway owner response acceptance 只讀帳本
已新增 docs/security/PUBLIC-GATEWAY-OWNER-RESPONSE-ACCEPTANCE.md 與 docs/security/public-gateway-owner-response-acceptance.snapshot.json,將 Public Gateway live conf 匯出請求、redacted export 收件預檢與 rendered diff / nginx -t gate 草稿串成 owner response acceptance 只讀帳本。
固定數字為 acceptance_candidate_count=3、c0_acceptance_candidate_count=2、c1_acceptance_candidate_count=1、acceptance_field_count=27、required_owner_response_field_count=16、reviewer_check_count=16、outcome_lane_count=7、blocked_action_count=22、owner_response_received_count=0、owner_response_accepted_count=0、runtime_gate_count=0。2026-06-15 已補手動 / 緊急 gateway 變更 metadata gate,要求 change actor/source、change time window、cross-project impact 與 communication sync 四欄脫敏 ref;此更新維持 nginx_public_gateway=88%,因為 live conf、rendered diff、nginx -t、reload、route smoke、DNS / TLS probe、certbot renew、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 0 / false。
2026-06-14 再新增 docs/security/PUBLIC-GATEWAY-RENDERED-DIFF-ACCEPTANCE.md 與 docs/security/public-gateway-rendered-diff-acceptance.snapshot.json,把 owner response acceptance 後的 rendered diff evidence、owner-provided nginx -t readback、route smoke evidence、TLS / ACME impact、maintenance window、rollback owner 與 post-check evidence 轉成只讀驗收帳本。
固定數字為 diff_acceptance_candidate_count=3、c0_diff_acceptance_candidate_count=2、c1_diff_acceptance_candidate_count=1、diff_acceptance_field_count=25、required_evidence_field_count=14、reviewer_check_count=15、outcome_lane_count=8、blocked_action_count=22、rendered_diff_accepted_count=0、nginx_test_evidence_accepted_count=0、route_smoke_result_accepted_count=0、runtime_gate_count=0。此更新只讓 nginx_public_gateway 從 86% 推進到 88%;owner response accepted、redacted live conf accepted、rendered diff accepted、nginx -t、reload、route smoke、DNS / TLS probe、certbot renew、production write、runtime gate 與 action button 仍全部為 0 / false。
1.5 2026-06-14 DNS / TLS / certbot owner response acceptance 只讀帳本
已新增 docs/security/DOMAIN-TLS-CERTBOT-OWNER-RESPONSE-ACCEPTANCE.md 與 docs/security/domain-tls-certbot-owner-response-acceptance.snapshot.json,將 4 份 DNS / TLS / certbot owner confirmation request 轉成 metadata-only owner response acceptance 只讀帳本。
固定數字為 acceptance_candidate_count=4、c0_acceptance_candidate_count=4、acceptance_field_count=23、required_owner_response_field_count=13、reviewer_check_count=13、outcome_lane_count=7、blocked_action_count=20、owner_response_received_count=0、owner_response_accepted_count=0、certificate_coverage_confirmed_count=0、dns_query_authorized_count=0、live_tls_probe_authorized_count=0、certbot_renew_authorized_count=0、nginx_reload_authorized_count=0、route_smoke_authorized_count=0、runtime_gate_count=0。此更新讓 dns_tls_certbot 從 74% 推進到 78%,代表未來 owner 回覆可被補件、隔離、拒收或送 reviewer review;它不代表 DNS query、TLS probe、certbot renew、Nginx reload、route smoke、host write 或 runtime gate 已授權。
1.6 2026-06-14 Docker / systemd / host service owner response acceptance 只讀帳本
已新增 docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md 與 docs/security/host-service-owner-response-acceptance.snapshot.json,將 9 份 Docker / systemd / host service owner request draft 轉成 metadata-only owner response acceptance 只讀帳本。
固定數字為 acceptance_candidate_count=9、write_capable_acceptance_candidate_count=3、live_evidence_required_candidate_count=8、acceptance_field_count=28、required_owner_field_count=12、reviewer_check_count=14、outcome_lane_count=7、blocked_action_count=20、owner_response_received_count=0、owner_response_accepted_count=0、live_host_read_authorized_count=0、docker_compose_action_authorized_count=0、systemctl_action_authorized_count=0、repair_bot_execution_authorized_count=0、ansible_apply_authorized_count=0、runtime_gate_count=0。此更新讓 docker_compose_systemd_host_config 從 50% 推進到 54%,也讓高價值配置平均只讀成熟度從 67% 推進到 68%;它不代表 live host read、restart、repair-bot、Ansible、sudo、host write 或 runtime gate 已授權。
1.7 2026-06-15 端口 / 防火牆變更證據驗收只讀帳本
已新增 docs/security/PORT-FIREWALL-CHANGE-EVIDENCE-ACCEPTANCE.md 與 docs/security/port-firewall-change-evidence-acceptance.snapshot.json,將 SSH / Firewall / Network Access owner response acceptance 裡的端口、防火牆、NodePort、NetworkPolicy、WireGuard、deploy SSH、sudo 與 alert action surface 轉成 change evidence acceptance 只讀帳本。
固定數字為 change_evidence_candidate_count=14、write_capable_change_evidence_candidate_count=6、policy_or_exposure_candidate_count=5、change_evidence_field_count=40、required_evidence_field_count=21、reviewer_check_count=21、outcome_lane_count=9、blocked_action_count=28、change_evidence_received_count=0、change_evidence_accepted_count=0、service_health_impact_accepted_count=0、operator_notification_accepted_count=0、firewall_change_authorized_count=0、port_close_authorized_count=0、port_open_authorized_count=0、runtime_gate_count=0。此更新讓 ssh_firewall_network_access 從 58% 推進到 62%;它補齊端口 / 防火牆變更與事故回補的 actor、before / after state、service dependency、customer impact、service health impact、operator notification、cross-project sync、rollback 與 post-check evidence 驗收規則,不代表 SSH、live firewall read、firewall change、port close / open、route smoke、host restart、production write 或 runtime gate 已授權。
1.8 2026-06-15 高價值配置集中 Guard
已新增 docs/security/IWOOOS-CONFIG-CONTROL-GUARD.md 與 scripts/security/iwooos-config-control-guard.py,把 14 類高價值配置、C0 類別、evidence refs、owner response / change evidence 帳本、supply-chain contract manifest 與 0 / false 邊界串成集中驗證。
此 guard 已由 security-mirror-progress-guard.py 呼叫。後續只要跑主進度 guard,就會同步檢查 Nginx、DNS / TLS、K8s / ArgoCD、Secrets / runner、Public runtime、SSH / firewall、Backup / DR、Monitoring、agent-bounty-protocol 與 supply-chain contract 的 repo snapshot 基線。
此更新只讓「配置控管集中驗證」從 0% 推進到 100%;owner response 收件、live evidence、Nginx reload、firewall change、workflow / runner / secret 變更、backup / restore、active scan、agent-bounty runtime 與 production deploy 仍全部維持 0 / false。
2. 覆蓋摘要
| 指標 | 目前值 | 說明 |
|---|---|---|
| 註冊配置類別 | 14 |
全部來自高價值配置 Gate 的 CATEGORIES |
| C0 類別 | 8 |
Nginx、DNS / TLS、K8s、secret、workflow / runner、runtime config、backup、agent-bounty runtime |
| C1 類別 | 4 |
監控、Docker / systemd、SSH / network、AI provider |
| C2 類別 | 1 |
產品 runtime route 與跨產品邊界 |
| C3 類別 | 1 |
security evidence / snapshot / guard tooling |
| 平均只讀控管成熟度 | 69% |
僅代表框架 / evidence / owner packet / acceptance ledger 準備度,不代表 runtime 可執行 |
| 需要 live / owner evidence 的類別 | 9 |
只能等 owner-provided redacted evidence 或維護窗口,不主動修改 workflow、secret、runner、route、CORS、env 或主機 |
| owner response required | 14 |
每類都需要 owner response 才能往 accepted 前進 |
| owner response received / accepted | 0 / 0 |
不得假性提高 |
| runtime gate | 0 |
不得產生執行按鈕 |
3. 低成熟與高風險追蹤優先順序
| 優先 | 類別 | 目前成熟度 | 下一步 |
|---|---|---|---|
| P1-1 | Docker Compose / systemd / host service config | 54% |
repo-only 清冊已納入 9 個 surface,owner request draft 與 owner response acceptance ledger 已完成;仍缺 owner response、110 / 188 live hash、maintenance / restart window、rollback owner、post-check plan、disable switch 與 no-secret-value evidence |
| P1-2 | SSH / sudoers / known_hosts / firewall / WireGuard / NodePort | 62% |
repo-only 清冊已納入 16 個 SSH / network access surface,owner request draft、owner response acceptance 與事故型端口 / 防火牆變更證據驗收 ledger 已完成;仍缺 owner-provided change / incident ref、actor、before / after state、health impact、notification、cross-project sync、maintenance window、rollback owner 與 post-check evidence |
| P1-3 | Backup / restore / escrow / retention | 62% |
repo-only 清冊已納入 38 個 surface,owner request draft 與 owner response acceptance ledger 已完成;仍缺 owner response、restore drill approval package、offsite / escrow owner、retention owner、rollback owner、validation plan 與 no-secret-value evidence |
| P1-4 | Prometheus / Alertmanager / Grafana / SigNoz / Sentry / Langfuse | 62% |
repo-only 清冊已納入 60 個 monitoring / alerting / observability surface,owner request draft 已轉成 60 份草稿;仍缺 owner response、live drift evidence、reload owner、receiver owner、route smoke 與 receipt proof |
4. 固定 0 / false 邊界
以下旗標必須維持 false:
runtime_execution_authorized=false
host_write_authorized=false
host_live_conf_read_authorized=false
nginx_test_authorized=false
public_gateway_reload_authorized=false
public_route_change_authorized=false
admin_route_change_authorized=false
websocket_route_change_authorized=false
acme_challenge_change_authorized=false
route_smoke_authorized=false
rollback_executed=false
nginx_reload_authorized=false
dns_tls_change_authorized=false
certbot_renew_authorized=false
argocd_sync_authorized=false
kubectl_action_authorized=false
backup_run_authorized=false
restore_run_authorized=false
restore_drill_authorized=false
offsite_sync_authorized=false
offsite_remote_delete_authorized=false
credential_escrow_marker_write_authorized=false
retention_change_authorized=false
restic_prune_authorized=false
rclone_config_authorized=false
velero_restore_authorized=false
workflow_modification_authorized=false
runner_change_authorized=false
refs_sync_authorized=false
force_push_authorized=false
gitea_action_dispatch_authorized=false
cd_pipeline_run_authorized=false
github_hosted_runner_enable_authorized=false
repo_secret_change_authorized=false
secret_store_read_authorized=false
secret_injection_change_authorized=false
secret_value_collection_allowed=false
secret_hash_collection_allowed=false
partial_token_collection_allowed=false
secret_rotation_authorized=false
runtime_config_change_authorized=false
api_route_change_authorized=false
cors_change_authorized=false
frontend_env_change_authorized=false
middleware_auth_change_authorized=false
callback_url_change_authorized=false
webhook_secret_change_authorized=false
security_header_change_authorized=false
cookie_policy_change_authorized=false
csrf_disable_authorized=false
rate_limit_disable_authorized=false
api_contract_change_authorized=false
i18n_public_text_internal_identity_allowed=false
internal_ip_exposure_allowed=false
repo_namespace_exposure_allowed=false
owner_namespace_exposure_allowed=false
internal_status_code_exposure_allowed=false
internal_transcript_exposure_allowed=false
raw_payload_storage_allowed=false
desktop_mobile_smoke_authorized=false
database_migration_authorized=false
active_scan_authorized=false
agent_bounty_runtime_authorized=false
payout_or_withdrawal_authorized=false
action_buttons_allowed=false
prometheus_reload_authorized=false
alertmanager_reload_authorized=false
grafana_dashboard_apply_authorized=false
signoz_rule_apply_authorized=false
sentry_deploy_authorized=false
langfuse_config_change_authorized=false
otel_collector_reload_authorized=false
receiver_route_change_authorized=false
silence_policy_change_authorized=false
telegram_send_authorized=false
notification_route_change_authorized=false
webhook_receiver_change_authorized=false
remote_write_change_authorized=false
exporter_deploy_authorized=false
live_alert_fire_authorized=false
alert_chain_smoke_authorized=false
5. 判讀規則
coverage_percent只代表只讀框架成熟度,不代表已收到 owner response。coverage_status是下一步分流用語,不是 runtime approval state。- C0 / C1 類別若缺 live evidence,只能等待 owner-provided redacted evidence、維護窗口與 rollback owner。
agent-bounty-protocol已是 C0 runtime / MCP / A2A / treasury boundary,且 owner request draft 已完成;目前仍不得 claim / submit / payout / daemon / webhook / runtime execution。- IwoooS 前端可顯示覆蓋矩陣,但不得提供可執行按鈕,也不得把可見狀態解讀成資安批准。
6. 指令
python3 scripts/security/high-value-config-control-coverage.py \
--root . \
--output docs/security/high-value-config-control-coverage.snapshot.json
固定 committed snapshot 時間:
python3 scripts/security/high-value-config-control-coverage.py \
--root . \
--generated-at 2026-06-11T21:30:00+08:00 \
--output docs/security/high-value-config-control-coverage.snapshot.json
集中驗證 guard:
python3 scripts/security/iwooos-config-control-guard.py --root .
7. 完成度
| 工作 | 完成度 | 說明 |
|---|---|---|
| 全高價值配置類別註冊 | 100% |
14 類全部來自既有 Gate 定義 |
| 覆蓋 snapshot / schema | 100% |
已新增可重跑 snapshot 與 JSON schema |
| 高價值配置集中 guard | 100% |
已新增 scripts/security/iwooos-config-control-guard.py,並串接 security-mirror-progress-guard.py;14 類配置、主要 owner / change evidence 帳本、supply-chain manifest 與 0 / false 邊界可集中驗證 |
| DNS / TLS / certbot owner response acceptance | 100% |
已新增 domain_tls_certbot_owner_response_acceptance_v1,4 個 C0 candidate、13 個 owner 必填欄位、13 個 reviewer checks、7 條 outcome lanes、20 類 blocked action;成熟度 74% -> 78% |
| Docker / systemd / host service owner response acceptance | 100% |
已新增 host_service_owner_response_acceptance_v1,9 個 candidate、3 個 write-capable、14 個 reviewer checks、7 條 outcome lanes、20 類 blocked action;成熟度 50% -> 54% |
| CD / Runner / Secret injection change evidence acceptance | 100% |
已新增 cd_runner_secret_injection_change_evidence_acceptance_v1,5 個 candidate、4 個 C0、19 個 reviewer checks、8 條 outcome lanes、32 類 blocked action;secret metadata 成熟度 66% -> 68%,workflow / runner 成熟度 70% -> 72% |
| Public / Admin / API runtime config 變更證據驗收 | 100% |
已新增 public_runtime_config_change_evidence_acceptance_v1,6 個 candidate、5 個 C0、21 個 reviewer checks、8 條 outcome lanes、32 類 blocked action;public/admin/API runtime config 成熟度 62% -> 64%,raw namespace / repo slug / 內部狀態碼 / 內部協作內容外洩列為拒收或隔離條件 |
| owner response 收件 | 0% |
尚未收到或接受任何 owner response |
| live evidence collection | 0% |
未 SSH、未 live probe、未 active scan |
| runtime gate | 0% |
未開啟任何執行期閘門 |
8. P1-1 Docker / systemd 清冊更新
host_service_config_inventory_v1 已把 Docker Compose、systemd / repair-bot、Ansible service role 與 host config backup capture 納入 repo-only 清冊,共 9 個 surface、3 個 write-capable surface、2 個 repair-bot whitelist、1 個 systemd restart surface。此更新只讓 docker_compose_systemd_host_config 從 42% 推進到 50%;owner response、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 0。
2026-06-14 再新增 host_service_owner_request_draft_v1,把 9 個 surface 轉成 request_draft_count=9、write_capable_request_draft_count=3、live_evidence_required_request_count=8、required_owner_field_count=12、blocked_action_count=14 的人工送件前草稿。此更新仍不調高類別成熟度,因為 request sent、owner response received / accepted、live evidence、restart window、rollback owner、runtime gate 與 action button 仍全部為 0。
2026-06-14 再新增 host_service_owner_response_acceptance_v1,把 9 份 request draft 轉成 acceptance_candidate_count=9、write_capable_acceptance_candidate_count=3、live_evidence_required_candidate_count=8、required_owner_field_count=12、reviewer_check_count=14、outcome_lane_count=7、blocked_action_count=20 的 owner response acceptance 只讀帳本。此更新讓 docker_compose_systemd_host_config 從 50% 推進到 54%,但 owner response received / accepted、live hash、maintenance / restart window、rollback owner、post-check plan、disable switch、live host read、SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、runtime gate 與 action button 仍全部為 0。
9. P1-2 SSH / network access 清冊更新
ssh_network_access_inventory_v1 已把 SSH target、known_hosts workflow、CI deploy SSH、monitoring SSH、backup SSH capture、sudoers wrapper、NetworkPolicy、NodePort、WireGuard runbook 與 alert SSH action catalog 納入 repo-only 清冊,共 16 個 surface、6 個 write-capable surface、2 個 NetworkPolicy、2 個 NodePort、1 個 sudoers surface 與 1 個 WireGuard surface。此更新只讓 ssh_firewall_network_access 從 48% 推進到 54%;owner response、live evidence、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 0。
2026-06-14 再新增 ssh_network_owner_request_draft_v1,把 16 個 surface 轉成 request_draft_count=16、write_capable_request_draft_count=6、live_evidence_required_request_count=16、required_owner_field_count=13、blocked_action_count=16 的人工送件前草稿。此更新仍不調高類別成熟度,因為 request sent、owner response received / accepted、live access state、firewall / port / NetworkPolicy / NodePort / WireGuard 變更、runtime gate 與 action button 仍全部為 0。
2026-06-15 再新增 ssh_network_owner_response_acceptance_v1,把 16 份 request draft 轉成 acceptance_candidate_count=16、write_capable_acceptance_candidate_count=6、live_evidence_required_candidate_count=16、required_owner_field_count=13、reviewer_check_count=15、outcome_lane_count=7、blocked_action_count=22 的 owner response acceptance 只讀帳本。此更新讓 ssh_firewall_network_access 從 54% 推進到 58%,但 owner response received / accepted、live access state、host key pinning、port policy、firewall owner、NetworkPolicy / NodePort、WireGuard cutover、SSH、keyscan、known_hosts patch、firewall / port 變更、runtime gate 與 action button 仍全部為 0。
2026-06-15 再新增 port_firewall_change_evidence_acceptance_v1,把 14 個端口、防火牆、NodePort、NetworkPolicy、WireGuard、deploy SSH、sudo 與 alert action surface 轉成 change_evidence_candidate_count=14、write_capable_change_evidence_candidate_count=6、policy_or_exposure_candidate_count=5、required_evidence_field_count=21、reviewer_check_count=21、outcome_lane_count=9、blocked_action_count=28 的 change evidence acceptance 只讀帳本;同日再補事故型欄位,要求 severity、service health impact、operator notification、restoration time 與 break-glass backfill。此更新讓 ssh_firewall_network_access 從 58% 推進到 62%,但 change evidence received / accepted、actor identified、before / after state、service health impact accepted、operator notification accepted、cross-project sync、post-check evidence、firewall change、port close / open、NetworkPolicy apply、NodePort change、WireGuard change、route smoke、host restart、runtime gate 與 action button 仍全部為 0。
10. P1-3 Backup / restore / escrow / retention 清冊更新
backup_restore_escrow_inventory_v1 已把 backup orchestration、service backup scripts、restic retention、offsite sync、credential escrow、Velero restore drill、backup health alert 與 cold-start / DR runbook 納入 repo-only 清冊,共 38 個 surface、15 個 backup script surface、8 個 offsite / escrow surface、5 個 Velero surface 與 27 個 write-capable surface。此更新只讓 backup_restore_credential 從 52% 推進到 58%;owner response、live evidence、restore drill acceptance、offsite sync acceptance、credential escrow acceptance、retention change acceptance、runtime gate 與 action button 仍全部為 0。
2026-06-14 再新增 backup_restore_owner_request_draft_v1,把 38 個 surface 轉成 request_draft_count=38、write_capable_request_draft_count=27、live_evidence_required_request_count=38、required_owner_field_count=14、blocked_action_count=18 的人工送件前草稿。此更新仍不調高類別成熟度,因為 request sent、owner response received / accepted、live backup evidence、backup run、restore run、offsite sync、escrow marker write、retention change、runtime gate 與 action button 仍全部為 0。
2026-06-15 再新增 backup_restore_owner_response_acceptance_v1,把 38 份 request draft 轉成 acceptance_candidate_count=38、write_capable_acceptance_candidate_count=27、live_evidence_required_candidate_count=38、required_owner_field_count=14、reviewer_check_count=13、outcome_lane_count=7、blocked_action_count=22 的 owner response acceptance 只讀帳本。此更新讓 backup_restore_credential 從 58% 推進到 62%,但 owner response received / accepted、live backup evidence、restore drill acceptance、offsite sync acceptance、credential escrow acceptance、retention change acceptance、backup run、restore run、runtime gate 與 action button 仍全部為 0。
11. P1-4 Monitoring / alerting / observability 清冊更新
monitoring_alerting_observability_inventory_v1 已把 Prometheus、Alertmanager、Grafana、SigNoz、Sentry、Langfuse、OTEL、Telegram / notification policy、deploy / reload scripts 與 alert chain smoke scripts 納入 repo-only 清冊,共 60 個 surface、13 個 alert rule surface、6 個 deploy / reload surface、11 個 write-capable surface 與 1 個 drift guard surface。此更新只讓 monitoring_alerting_observability 從 56% 推進到 62%;owner response、live evidence、reload owner、receiver owner、route smoke、runtime gate 與 action button 仍全部為 0。
2026-06-14 再新增 monitoring_owner_request_draft_v1,把 60 個 surface 轉成 request_draft_count=60、write_capable_request_draft_count=11、live_evidence_required_request_count=60、required_owner_field_count=14、blocked_action_count=24 的人工送件前草稿。此更新仍不調高類別成熟度,因為 request sent、owner response received / accepted、live evidence、reload、receiver route change、silence change、Telegram send、alert chain smoke、runtime gate 與 action button 仍全部為 0。
2026-06-15 再新增 monitoring_owner_response_acceptance_v1,把 60 份 request draft 轉成 acceptance_candidate_count=60、write_capable_acceptance_candidate_count=11、live_evidence_required_candidate_count=60、required_owner_field_count=14、reviewer_check_count=15、outcome_lane_count=7、blocked_action_count=28 的 owner response acceptance 只讀帳本。此更新讓 monitoring_alerting_observability 從 62% 推進到 66%,高價值配置平均成熟度從 68% 推進到 69%;但 owner response received / accepted / rejected、live evidence、reload、receiver route change、silence change、Telegram send、alert chain smoke、runtime gate 與 action button 仍全部為 0。
12. P0 Public Gateway Preflight 清冊更新
public_gateway_preflight_inventory_v1 已把 Nginx public gateway reload / route change 前置 Gate 固定成只讀清冊,共 3 份 source config、14 個 route impact、14 個 unique upstream、12 個 preflight gate,其中 2 個 gate 只代表 repo-only ready,10 個 gate 仍需 owner acceptance。此更新讓 nginx_public_gateway 從 78% 推進到 84%;owner response、owner-provided live conf、rendered diff、nginx -t evidence、route smoke、maintenance window、rollback owner、runtime gate 與 action button 仍全部為 0。
2026-06-14 再新增 public_gateway_owner_response_acceptance_v1,把 3 份 public gateway config 轉成 owner response acceptance 只讀帳本;2026-06-15 已強化手動 / 緊急 gateway 變更 metadata gate,固定 acceptance_candidate_count=3、c0_acceptance_candidate_count=2、required_owner_response_field_count=16、reviewer_check_count=16、outcome_lane_count=7、blocked_action_count=22。此更新要求 change actor/source、change time window、cross-project impact 與 communication sync 四欄脫敏 ref;nginx_public_gateway 仍維持 88%,因為 owner response received / accepted、redacted export received / accepted、rendered diff ready、nginx -t、reload、route smoke、DNS / TLS probe、certbot renew、runtime gate 與 action button 仍全部為 0。
2026-06-14 再新增 public_gateway_rendered_diff_acceptance_v1,把 3 份 public gateway config 轉成 diff_acceptance_candidate_count=3、c0_diff_acceptance_candidate_count=2、required_evidence_field_count=14、reviewer_check_count=15、outcome_lane_count=8、blocked_action_count=22 的 rendered diff evidence acceptance 只讀帳本。此更新只讓 nginx_public_gateway 從 86% 推進到 88%;owner response accepted、rendered diff accepted、owner-provided nginx -t evidence accepted、route smoke evidence accepted、reload、DNS / TLS probe、certbot renew、runtime gate 與 action button 仍全部為 0。
13. P0 DNS / TLS / certbot owner response acceptance 更新
domain_tls_certbot_owner_response_acceptance_v1 已把 4 份 DNS / TLS / certbot owner confirmation request 轉成 owner response acceptance 只讀帳本。四份候選全部為 C0,固定 acceptance_candidate_count=4、required_owner_response_field_count=13、reviewer_check_count=13、outcome_lane_count=7、blocked_action_count=20,讓 dns_tls_certbot 從 74% 推進到 78%。
此更新只補齊 SAN / wildcard / 共用憑證覆蓋關係、certificate expiry metadata ref、renewal owner、ACME route owner、maintenance window、rollback owner 與 validation plan 的收件驗收規則;owner response received / accepted、certificate coverage confirmed、DNS query、live TLS probe、certbot renew、Nginx reload、route smoke、DNS record 修改、certificate path 修改、ACME challenge route 修改、host write、runtime gate 與 action button 仍全部為 0 / false。