Files
wehub-resource-sync 426e9eeabd
Voice Workbench / headless workbench (mocked backends) (push) Has been cancelled
Voice Workbench / real acoustic lane (nightly, provisioned only) (push) Has been cancelled
ci / test (push) Has been cancelled
ci / lint-and-format (push) Has been cancelled
ci / build (push) Has been cancelled
ci / dev-startup (push) Has been cancelled
gitleaks / gitleaks (push) Has been cancelled
Markdown Links / Relative Markdown Links (push) Has been cancelled
Quality (Extended) / Homepage Build (PR smoke) (push) Has been cancelled
Quality (Extended) / Comment-only diff guard (push) Has been cancelled
Quality (Extended) / Format + Type Safety Ratchet (push) Has been cancelled
Quality (Extended) / Develop Gate (secret scan + UI determinism) (push) Has been cancelled
Quality (Extended) / Develop Gate (lint) (push) Has been cancelled
Chat shell gestures / Chat shell gesture + parity e2e (push) Has been cancelled
Cloud Gateway Discord / Test (push) Has been cancelled
Benchmark Bridge Tests / benchmark (bunx @biomejs/biome check packages/lifeops-bench/src, benchmark-lint) (push) Has been cancelled
Benchmark Bridge Tests / benchmark (bunx vitest run --config packages/lifeops-bench/vitest.config.ts --root packages/lifeops-bench --passWithNoTests, benchmark-tests) (push) Has been cancelled
Build Agent Image / build-and-push (push) Has been cancelled
Dev Smoke / bun run dev onboarding chat (push) Has been cancelled
Dev Smoke / Vite HMR dependency-level smoke (push) Has been cancelled
Electrobun Submodule Guard / electrobun gitlink is fetchable (push) Has been cancelled
Publish @elizaos/example-code / check_npm (push) Has been cancelled
Publish @elizaos/example-code / publish_npm (push) Has been cancelled
Publish @elizaos/plugin-elizacloud / verify_version (push) Has been cancelled
Publish @elizaos/plugin-elizacloud / publish_npm (push) Has been cancelled
Sandbox Live Smoke / Sandbox live smoke (push) Has been cancelled
Snap Build & Test / Build Snap (amd64) (push) Has been cancelled
Snap Build & Test / Build Snap (arm64) (push) Has been cancelled
Test Packaging / elizaos CLI global-install smoke (node + bun) (push) Has been cancelled
Cloud Gateway Webhook / Test (push) Has been cancelled
Cloud Tests / lint-and-types (push) Has been cancelled
Cloud Tests / unit-tests (push) Has been cancelled
Cloud Tests / integration-tests (push) Has been cancelled
Cloud Tests / e2e-tests (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Deploy Apps Worker (Product 2) / Determine environment (push) Has been cancelled
Deploy Apps Worker (Product 2) / Deploy apps worker to apps-control host (${{ needs.determine-env.outputs.environment }}) (push) Has been cancelled
Deploy Eliza Provisioning Worker / Determine environment (push) Has been cancelled
Deploy Eliza Provisioning Worker / Deploy worker to Hetzner host (${{ needs.determine-env.outputs.environment }} @ ${{ needs.determine-env.outputs.deployment_sha }}) (push) Has been cancelled
Dev Smoke / Classify changed paths (push) Has been cancelled
supply-chain / sbom (push) Has been cancelled
supply-chain / vulnerability-scan (push) Has been cancelled
Build, Push & Deploy to Phala Cloud / build-and-push (push) Has been cancelled
Test Packaging / Validate Packaging Configs (push) Has been cancelled
Test Packaging / Build & Test PyPI Package (push) Has been cancelled
Test Packaging / PyPI on Python ${{ matrix.python }} (push) Has been cancelled
Test Packaging / Pack & Test JS Tarballs (push) Has been cancelled
UI Fixture E2E / ui-fixture-e2e (push) Has been cancelled
UI Fixture E2E / fixture-e2e (push) Has been cancelled
UI Story Gate / story-gate (push) Has been cancelled
vault-ci / test (macos-latest) (push) Has been cancelled
vault-ci / test (ubuntu-latest) (push) Has been cancelled
vault-ci / test (windows-latest) (push) Has been cancelled
vault-ci / app-core wiring tests (push) Has been cancelled
verify-patches / verify patches/CHECKSUMS.sha256 (push) Has been cancelled
Voice Benchmark Smoke / voice-emotion fixture smoke (push) Has been cancelled
Voice Benchmark Smoke / voiceagentbench fixture smoke (push) Has been cancelled
Voice Benchmark Smoke / voicebench-quality unit smoke (push) Has been cancelled
Voice Benchmark Smoke / voicebench TypeScript unit (no audio) (push) Has been cancelled
Voice Benchmark Smoke / voice bench smoke summary (push) Has been cancelled
Windows CI / windows ([bun run --cwd packages/app-core test bun run --cwd packages/elizaos test bun run --cwd packages/cloud/shared test], app-and-cli) (push) Has been cancelled
Windows CI / windows ([bun run --cwd packages/scenario-runner test bun run --cwd packages/vault test bun run --cwd packages/security test bun run --cwd plugins/plugin-coding-tools test], framework-packages) (push) Has been cancelled
Windows CI / windows ([bun run --cwd plugins/plugin-elizacloud test bun run --cwd plugins/plugin-discord test bun run --cwd plugins/plugin-anthropic test bun run --cwd plugins/plugin-openai test bun run --cwd plugins/plugin-app-control test bun run --cwd plugins/pl… (push) Has been cancelled
Windows CI / windows ([node packages/scripts/run-turbo.mjs run build --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/agent --concurrency=4 node packages/scripts/run-bash-linux-only.mjs scripts/verify-riscv64-buildpaths.sh node packages/scripts/run… (push) Has been cancelled
Windows CI / windows ([node packages/scripts/run-turbo.mjs run typecheck --filter=@elizaos/core --filter=@elizaos/shared --filter=@elizaos/cloud-shared --concurrency=4 bun run --cwd packages/core test bun run --cwd packages/shared test], core-runtime, 75) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:43:05 +08:00

137 lines
5.3 KiB
Markdown

> **Mirror.** Authoritative copy lives in the outer monorepo at `../docs/security/INCIDENT-RUNBOOK.md`. Relative links below (`../../POLICIES/...`) resolve in the outer monorepo, not inside this submodule.
# Incident Response Runbook
Operational playbook for the policy in `../../POLICIES/08-incident-response.md` (POLICIES/08-incident-response.md).
## On-call contacts (placeholders — fill in)
- **Primary on-call pager:** `<PagerDuty / Opsgenie URL>`
- **Incident channel:** `#incident-active` on `<chat platform>`
- **Status page:** `https://status.<eliza-domain>`
- **Security Lead:** `security-lead@elizaos.ai` (placeholder)
- **Legal:** `legal@elizaos.ai` (placeholder)
- **Communications:** `comms@elizaos.ai` (placeholder)
## Phases (apply to every incident)
### 1. Detection
- Source: alert from Prometheus rules (`deploy/observability/prometheus/alerts/security.yml`), customer report, internal report, automated scanner.
- First responder acknowledges within the SLA in `../../POLICIES/08-incident-response.md` (POLICIES/08-incident-response.md).
### 2. Triage
- Open `#incident-active`; designate Incident Commander (IC).
- Assign severity (SEV-0…3).
- Open a timeline document (linked in the channel topic).
- Page additional responders as needed (DB, networking, KMS, legal).
### 3. Contain
- Goal: stop spread before fixing.
- Common containment moves:
- Disable compromised account at the IdP.
- Rotate suspected credential (KMS, GitHub token, deploy key).
- Cordon affected service (route 100% traffic away).
- Quarantine affected host / pod (snapshot for forensics first).
### 4. Eradicate
- Remove malicious artifact (deploy clean image, revoke malicious plugin, patch vuln).
- Validate via the same detection signal that originally fired.
### 5. Recover
- Restore service; confirm normal metrics for at least one steady-state cycle.
- Update status page; customer comms per breach-notification rules.
### 6. Lessons learned
- Within 5 business days, blameless post-incident review.
- File remediation tickets; update risk register.
- Update this runbook with new playbook entries.
---
## Playbooks by scenario
### Playbook A — Suspected KMS / Steward master-key compromise (SEV-0)
1. **Page:** Security Lead + Engineering Lead + Legal.
2. **Contain:**
- Suspend issuance of new wrapped DEKs.
- Begin emergency rotation: generate new KEK; re-wrap all DEKs under new KEK.
- Invalidate any plaintext copies (audit Steward access log).
3. **Eradicate:**
- Identify how the key was exposed (audit Steward + host logs).
- Patch the exposure path.
4. **Recover:**
- Confirm all DEKs re-wrapped; archive old KEK for one dual-accept window then destroy.
5. **Notify:**
- Customers per DPA (likely required even if no data was actually decrypted).
- Regulators per applicable law (GDPR 72h).
### Playbook B — Plugin compromise (SEV-0/1)
1. **Page:** Security Lead + agent-runtime engineer.
2. **Contain:**
- Add the plugin (or publisher key) to the revocation list and publish.
- Runtime emergency-revoke check fires on next poll; manual broadcast notification to active customers.
3. **Eradicate:**
- Pull plugin from registry.
- Coordinate with plugin author if account compromise; rotate publisher key.
4. **Recover:**
- Customer comms with what to expect; assist affected customers with rotation of any connector tokens the plugin touched.
### Playbook C — Connector token theft (SEV-1)
1. **Page:** Security Lead.
2. **Contain:**
- Revoke affected grants in Cloud (DEK-destroy + provider-side revoke).
- If breadth uncertain, broadcast connector-class revoke for the affected provider.
3. **Eradicate:**
- Identify leak path (DB exposure, log leak, in-transit MITM).
4. **Recover:**
- Affected users re-grant; audit-event review for any unauthorized use during window.
### Playbook D — Cloud API auth bypass (SEV-0)
1. **Page:** Security Lead + cloud-api owner.
2. **Contain:**
- Roll JWT signing key (`auth.jwt`); all existing sessions invalidated.
- Deploy patch closing the bypass.
3. **Eradicate / Recover:**
- Verify via integration test fixture for the bypass.
- Customer notification per breach-notification rules.
### Playbook E — Supply chain (compromised npm dep) (SEV-1)
1. **Page:** Security Lead + the package owner.
2. **Contain:**
- Pin lockfile to last known-good; rebuild + redeploy.
3. **Eradicate:**
- Audit for runtime indicators of compromise (network destinations, suspicious processes).
4. **Recover:**
- File CVE / coordinate with upstream.
### Playbook F — Backup / DR failure (SEV-2 routine; SEV-1 if blocking)
1. Re-run backup job; investigate root cause.
2. If repeated failure, escalate; manual snapshot of affected datastore.
3. Document in monthly capacity / availability review.
### Playbook G — Anomalous data-export volume alert (SEV-2/1 by magnitude)
1. **Contain:** rate-limit / disable export endpoint for the affected account.
2. **Triage:** validate vs known automation; review audit events for the user; check for credential compromise indicators.
3. **Escalate** if credential compromise confirmed.
---
## After every incident
- Update `../../POLICIES/08-incident-response.md` (POLICIES/08-incident-response.md) if procedure changed.
- File risk-register entry if the incident reveals a new risk.
- Update [`THREAT-MODEL.md`](/security/THREAT-MODEL) if a new threat class emerged.