# AIPhone No・where Logicnoid Project — Incident Response Runbook

## 1. Purpose

This runbook defines incident response procedures for the AIPhone No・where Logicnoid production-near engine.

The objective is to detect, classify, preserve evidence, contain, recover, and verify the system after security or operational incidents.

## 2. Product Scope

AIPhone No・where Logicnoid Project provides:

- Phone-number non-exposure tokenization
- Text identifier claim and resolve
- Display Ready Proof
- One-time Tunnel Ticket
- One-time Session Authorization
- Reuse block
- Audit receipt retrieval
- Signed Admin Challenge
- Protected Admin Readiness
- HTTPS public surface
- OpenAPI and security documentation

## 3. Incident Severity Levels

| Severity | Definition | Examples |
|---|---|---|
| SEV-1 | Critical compromise or active abuse | Secret exposure, raw MSISDN exposure, admin bypass, unauthorized session authorization |
| SEV-2 | Security-impacting degradation | TLS failure, admin challenge failure, audit receipt failure, repeated reuse block failure |
| SEV-3 | Operational degradation | Nginx failure, engine restart loop, health check failure |
| SEV-4 | Low-risk anomaly | Suspicious scans, malformed requests, isolated 4xx spikes |

## 4. Incident Classes

| Class | Description |
|---|---|
| RAW_MSISDN_EXPOSURE | Raw phone number found in runtime, audit, logs, or public surface |
| ADMIN_BYPASS | Protected admin endpoint accessible without verified admin session |
| SESSION_INTERLOCK_BYPASS | Session authorized without Display Ready Proof or Tunnel Ticket |
| HANDLE_REUSE_FAILURE | Display proof, tunnel ticket, or session authorization reused successfully |
| AUDIT_FAILURE | Audit receipt not generated or not retrievable |
| TLS_FAILURE | HTTPS certificate invalid, expired, or misconfigured |
| ENGINE_FAILURE | gnx-aiphone service down or unhealthy |
| NGINX_FAILURE | Nginx reverse proxy down or misconfigured |
| SECRET_EXPOSURE | .env.production or secrets exposed |
| ABUSE_TRAFFIC | Suspicious request volume, scans, or endpoint abuse |

## 5. First Response Rule

Do not overwrite evidence.

Before modifying service, configuration, runtime state, or code, collect an incident snapshot unless the system is actively leaking secrets or sensitive data.

Incident snapshot command:

```sh
/opt/gnx/aiphone-nowhere/engine/tools/collect-incident-snapshot.sh
```

## 6. Evidence Collection

Run:

```sh
/opt/gnx/aiphone-nowhere/engine/tools/collect-incident-snapshot.sh
```

Evidence location:

```
/opt/gnx/aiphone-nowhere/docs/incident-snapshots
```

The snapshot includes:

- systemd status
- Nginx status and config test
- local and public health checks
- TLS certificate status
- recent engine logs
- recent Nginx logs
- runtime file hashes
- engine file hash
- OpenAPI hash
- readiness hash
- redacted environment file

The snapshot archive and manifest must remain chmod 600.
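As an added example, not the project's collect-incident-snapshot.sh (whose internals this runbook does not show), the shell functions below implement the evidence-preservation core that section 6 describes: a sorted SHA-256 manifest of the runtime tree, a redacted copy of the environment file that keeps key names but drops every value, and an owner-only (0600) archive. All paths and file names are assumptions, and the runtime files written by `demo_snapshot` are constructed.

```shell
#!/bin/sh
# Added example: minimal incident-snapshot collector in the spirit of section 6.
# Not the project's collect-incident-snapshot.sh; paths are assumptions.
set -eu

# Hash one file with whatever SHA-256 tool is available.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Write "hash  path" lines for every regular file under $1, sorted so that
# two manifests of the same tree are byte-for-byte comparable.
hash_tree() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s  %s\n' "$(hash_file "$f")" "$f"
  done
}

# Copy KEY=VALUE lines with every value replaced; key names survive so the
# snapshot still shows which settings were present without leaking secrets.
redact_env() {
  sed -E 's/^([A-Za-z_][A-Za-z0-9_]*)=.*$/\1=<redacted>/' "$1"
}

# collect_snapshot RUNTIME_DIR ENV_FILE OUT_DIR -> prints the archive path.
collect_snapshot() {
  runtime=$1 envfile=$2 outdir=$3
  ts=$(date -u +%Y%m%dT%H%M%SZ)
  umask 077                       # everything created here is owner-only
  snap="$outdir/snapshot-$ts"
  mkdir -p "$snap"
  hash_tree "$runtime" >"$snap/runtime-hashes.txt"
  redact_env "$envfile" >"$snap/env.redacted"
  {
    printf 'collected_utc=%s\n' "$ts"
    printf 'runtime_dir=%s\n' "$runtime"
    printf 'runtime_hashes_sha256=%s\n' "$(hash_file "$snap/runtime-hashes.txt")"
  } >"$snap/manifest.txt"
  archive="$snap.tar.gz"
  tar -czf "$archive" -C "$outdir" "snapshot-$ts"
  chmod 600 "$archive" "$snap"/*
  printf '%s\n' "$archive"
}

# Constructed demo: a fake runtime tree and env file under a temp dir.
demo_snapshot() {
  base=$(mktemp -d)
  mkdir -p "$base/runtime" "$base/snapshots"
  printf '{"adminSessions":{}}\n' >"$base/runtime/state.json"
  printf '{"event":"claim","handle":"h_4f1c"}\n' >"$base/runtime/audit.jsonl"
  printf 'AIPHONE_ADMIN_SECRET=demo-admin-secret\nAIPHONE_SECRET_PEPPER=demo-pepper\n' >"$base/.env.production"
  collect_snapshot "$base/runtime" "$base/.env.production" "$base/snapshots"
}
```

The manifest records the hash of the hash list itself, so a reviewer can later confirm that neither the runtime files nor the evidence list was altered after collection; `umask 077` is set before any file is created rather than fixing permissions afterwards, which closes the window in which a world-readable snapshot could exist.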

## 7. Immediate Triage Commands

Check service:

```sh
systemctl status gnx-aiphone --no-pager
```

Check logs:

```sh
journalctl -u gnx-aiphone -n 240 --no-pager
```

Check Nginx:

```sh
sudo nginx -t
systemctl status nginx --no-pager
```

Check health:

```sh
curl -sS http://127.0.0.1:3400/health/ready | jq
curl -sS https://logicnoid.kr/health/ready | jq
```

Check public headers:

```sh
curl -I https://logicnoid.kr
```

Check certificates:

```sh
sudo certbot certificates
```

Check PASS/PENDING gate:

```sh
grep -n "PASS\|PENDING" /opt/gnx/aiphone-nowhere/docs/production-readiness-gate.md
```

## 8. Containment Procedures

### 8.1 Engine Failure

If the engine is unhealthy:

1. Collect incident snapshot.
2. Check journal logs.
3. Restart engine.
4. Verify health.
5. Run HTTPS evidence-chain check.

Commands:

```sh
/opt/gnx/aiphone-nowhere/engine/tools/collect-incident-snapshot.sh

journalctl -u gnx-aiphone -n 240 --no-pager

sudo systemctl restart gnx-aiphone

curl -sS https://logicnoid.kr/health/ready | jq

/tmp/aiphone-pass-check-https.sh
```

### 8.2 Nginx Failure

If Nginx is unhealthy:

1. Collect incident snapshot.
2. Validate config.
3. Check error log.
4. Reload or restart Nginx.
5. Verify public health.

Commands:

```sh
/opt/gnx/aiphone-nowhere/engine/tools/collect-incident-snapshot.sh

sudo nginx -t

sudo tail -n 240 /var/log/nginx/error.log

sudo systemctl reload nginx

curl -sS https://logicnoid.kr/health/ready | jq
```

### 8.3 TLS Failure

If HTTPS fails:

1. Collect incident snapshot.
2. Check certificates.
3. Run renewal dry-run.
4. Reload Nginx.
5. Verify HTTPS.

Commands:

```sh
/opt/gnx/aiphone-nowhere/engine/tools/collect-incident-snapshot.sh

sudo certbot certificates

sudo certbot renew --dry-run

sudo nginx -t

sudo systemctl reload nginx

curl -I https://logicnoid.kr
```

### 8.4 Admin Bypass Suspicion

If protected admin readiness appears accessible without a valid admin session:

1. Collect incident snapshot.
2. Test unauthenticated admin readiness.
3. Stop public exposure if bypass is confirmed.
4. Restart from last known good engine backup.
5. Verify Admin Signed Challenge.

Commands:

```sh
/opt/gnx/aiphone-nowhere/engine/tools/collect-incident-snapshot.sh

curl -sS https://logicnoid.kr/v1/admin/readiness | jq

sudo systemctl stop gnx-aiphone

LATEST_BACKUP="$(ls -t /opt/gnx/aiphone-nowhere/backups/runtime/aiphone-backup-*.tar.gz | head -1)"
/opt/gnx/aiphone-nowhere/engine/tools/restore-dry-run.sh "$LATEST_BACKUP"

/tmp/aiphone-admin-challenge-check.sh
```

### 8.5 Session Interlock Bypass Suspicion

If a session is authorized without Display Ready Proof or Tunnel Ticket:

1. Collect incident snapshot.
2. Stop the engine.
3. Preserve runtime state and audit log.
4. Run restore dry-run on latest backup.
5. Restore last known good engine if needed.
6. Re-run full HTTPS evidence chain.

Commands:

```sh
/opt/gnx/aiphone-nowhere/engine/tools/collect-incident-snapshot.sh

sudo systemctl stop gnx-aiphone

cp /opt/gnx/aiphone-nowhere/runtime/state.json /opt/gnx/aiphone-nowhere/docs/incident-snapshots/state-preserve-$(date +%Y%m%d-%H%M%S).json

cp /opt/gnx/aiphone-nowhere/runtime/audit.jsonl /opt/gnx/aiphone-nowhere/docs/incident-snapshots/audit-preserve-$(date +%Y%m%d-%H%M%S).jsonl

sudo systemctl start gnx-aiphone

/tmp/aiphone-pass-check-https.sh
```

### 8.6 Raw MSISDN Exposure Suspicion

If raw MSISDN is suspected in runtime files:

1. Collect incident snapshot.
2. Stop engine if exposure is confirmed.
3. Preserve runtime and logs.
4. Search runtime and public surface.
5. Rotate affected test data.
6. Patch source if raw storage path is found.
7. Re-run no-raw-MSISDN verification.

Commands:

```sh
/opt/gnx/aiphone-nowhere/engine/tools/collect-incident-snapshot.sh

sudo grep -R "+82\|010\|8210" /opt/gnx/aiphone-nowhere/runtime /opt/gnx/aiphone-nowhere/surface/public || true

/tmp/aiphone-pass-check-https.sh
```
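The grep in step 4 fires on any `010` or `8210` substring, so hex digests, ISO timestamps and token ids in the runtime files will produce noise that hides a real hit. As an added example, not the project's no-raw-MSISDN verification script, the function below scans a runtime directory with a pattern anchored on Korean mobile-number shape and on non-alphanumeric boundaries, prints file:line hits, and returns non-zero only when a raw number is actually present. The regex and the two sample runtime trees are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: bounded raw-MSISDN scan for the no-raw-MSISDN check (section 8.6).
# Not the project's own verification script; sample files below are constructed.
set -eu

# Korean mobile number in raw form: optional +82 / 82 prefix or leading 0,
# then 1X, then 3-4 and 4 digits with optional -, . or space separators.
# The surrounding (^|[^alnum]) ... ($|[^alnum]) groups stop the pattern from
# firing inside hex digests, token ids and ISO timestamps.
RAW_MSISDN_RE='(^|[^0-9A-Za-z])(\+?82[-. ]?|0)1[0-9][-. ]?[0-9]{3,4}[-. ]?[0-9]{4}($|[^0-9A-Za-z])'

# scan_raw_msisdn DIR -> prints file:line:text for each hit; returns 1 on any
# hit, 0 when the tree is clean (grep's own "no match" status is not an error).
scan_raw_msisdn() {
  hits=$(grep -rnE -- "$RAW_MSISDN_RE" "$1" 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# count_raw_msisdn_hits DIR -> number of matching lines across the tree.
count_raw_msisdn_hits() {
  grep -rcE -- "$RAW_MSISDN_RE" "$1" 2>/dev/null | awk -F: '{ n += $NF } END { print n + 0 }'
}

# Constructed fixture: a clean tree holding only tokenized forms, digests,
# timestamps and ids that the naive "010|8210" grep would flag.
make_clean_runtime() {
  d=$(mktemp -d)
  printf '{"handle":"h_4f1c","msisdn_fp":"sha256:9a0b1c2d3e4f5061728394a5b6c7d8e9","ts":"2026-01-01T01:02:03Z"}\n' >"$d/state.json"
  printf '{"event":"tunnel_ticket","ticket":"tt_010fa3","ts":"20260101010203"}\n' >"$d/audit.jsonl"
  printf '%s\n' "$d"
}

# Constructed fixture: the clean tree plus two raw numbers in different formats.
make_dirty_runtime() {
  d=$(make_clean_runtime)
  printf '{"event":"claim","handle":"h_4f1c","msisdn":"010-1234-5678"}\n' >>"$d/audit.jsonl"
  printf 'caller=+82 10 9876 5432\n' >"$d/debug.log"
  printf '%s\n' "$d"
}
```

Run `scan_raw_msisdn /opt/gnx/aiphone-nowhere/runtime` (assumed path) as a gate step: a zero exit means no raw number matched, a non-zero exit lists exactly which file and line to preserve before anything is rotated or patched.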

### 8.7 Secret Exposure Suspicion

If .env.production or secrets may be exposed:

1. Collect incident snapshot if safe.
2. Remove public exposure immediately.
3. Rotate AIPHONE_ADMIN_SECRET.
4. Rotate AIPHONE_SECRET_PEPPER only with migration plan.
5. Restart engine.
6. Invalidate active admin sessions by clearing adminSessions from runtime state if required.
7. Re-run Admin Signed Challenge.

Do not rotate AIPHONE_SECRET_PEPPER casually. Existing token fingerprints and handle hashes depend on it.
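Steps 3 and 4 separate the two secrets: AIPHONE_ADMIN_SECRET can be rotated on demand, AIPHONE_SECRET_PEPPER only under a migration plan. As an added example, not project code, the function below rotates only the admin secret in a KEY=VALUE env file: it takes an owner-only backup first, writes the new file atomically, and refuses to replace the original if the pepper line would differ afterwards. The env file layout and the sample file from `make_demo_env` are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: rotate AIPHONE_ADMIN_SECRET in a KEY=VALUE env file (section 8.7)
# while guaranteeing AIPHONE_SECRET_PEPPER is untouched. Not project code; the
# file layout is an assumption.
set -eu

# 32 random bytes as 64 lowercase hex characters, without depending on openssl.
gen_secret() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# env_get FILE KEY -> value of KEY (everything after the first '='), or empty.
env_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# rotate_admin_secret ENV_FILE -> prints the backup path.
# The new content goes to a temp file and is moved into place, so a crash
# never leaves a half-written .env.production behind.
rotate_admin_secret() {
  envfile=$1
  umask 077
  pepper_before=$(env_get "$envfile" AIPHONE_SECRET_PEPPER)
  backup="$envfile.bak-$(date -u +%Y%m%dT%H%M%SZ)"
  cp "$envfile" "$backup"
  chmod 600 "$backup"
  new=$(gen_secret)
  tmp=$(mktemp "$envfile.XXXXXX")
  awk -v k=AIPHONE_ADMIN_SECRET -v v="$new" '
    index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$envfile" >"$tmp"
  # Safety interlock: the pepper must be byte-identical before and after.
  pepper_after=$(env_get "$tmp" AIPHONE_SECRET_PEPPER)
  if [ "$pepper_before" != "$pepper_after" ]; then
    rm -f "$tmp"
    echo "refusing: AIPHONE_SECRET_PEPPER would change" >&2
    return 1
  fi
  mv "$tmp" "$envfile"
  chmod 600 "$envfile"
  printf '%s\n' "$backup"
}

# Constructed demo env file in a temp dir; prints its path.
make_demo_env() {
  d=$(mktemp -d)
  printf 'AIPHONE_ADMIN_SECRET=old-admin-secret\nAIPHONE_SECRET_PEPPER=pepper-do-not-rotate\nAIPHONE_PORT=3400\n' >"$d/.env.production"
  printf '%s\n' "$d/.env.production"
}
```

After the rotation the engine still has to be restarted (step 5) and any admin sessions minted under the old secret handled as step 6 describes; the backup file holds the old secret and must be treated with the same care as the snapshot archives.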

## 9. Recovery Verification

After containment and recovery, all applicable checks must pass:

| Check | Required Result |
|---|---|
| systemd gnx-aiphone active | PASS |
| Nginx config valid | PASS |
| HTTPS health READY | PASS |
| Full evidence chain | PASS |
| No raw MSISDN runtime check | PASS |
| Admin Signed Challenge | PASS |
| Audit receipt retrieval | PASS |
| OpenAPI public retrieval | PASS |
| Threat Model public retrieval | PASS |
| Deployment Guide public retrieval | PASS |
| Backup/Restore Runbook public retrieval | PASS |

## 10. Required Verification Commands

Run:

```sh
/tmp/aiphone-pass-check-https.sh
```

Run:

```sh
/tmp/aiphone-admin-challenge-check.sh
```

Check public documents:

```sh
curl -fsS https://logicnoid.kr/openapi.yaml | head
curl -fsS https://logicnoid.kr/threat-model.md | head
curl -fsS https://logicnoid.kr/deployment-guide.md | head
curl -fsS https://logicnoid.kr/backup-restore-runbook.md | head
```

## 11. Post-incident Report Template

Record:

- Incident id
- Date and time
- Severity
- Incident class
- Detection source
- Affected components
- Evidence snapshot path
- Timeline
- Root cause
- Containment action
- Recovery action
- Verification results
- Preventive actions
- Remaining risks
- Owner
- Close date

## 12. Security Rules

- Do not delete audit logs during an incident.
- Do not overwrite runtime state before preserving evidence.
- Do not publish incident snapshots.
- Do not send backup archives or snapshots through chat or email.
- Do not expose .env.production.
- Do not add admin fallback tokens.
- Do not add public vault endpoints.
- Do not bypass Display Ready Proof.
- Do not disable reuse blocking.
- Do not claim external security audit completion unless completed.

## 13. Escalation

Escalate as SEV-1 if any of the following is confirmed:

- Raw MSISDN exposure
- AIPHONE_SECRET_PEPPER exposure
- AIPHONE_ADMIN_SECRET exposure
- Admin bypass
- Session authorization without required evidence chain
- Audit receipt failure for security-relevant decisions

## 14. Non-claims

This runbook does not claim that external incident response retainer coverage is active.

This runbook does not claim that a third-party forensic audit has been completed.

This runbook does not claim carrier production integration is complete.

This runbook documents the current production-near incident response procedure for the deployed AIPhone engine.

## 15. Current Status

Incident snapshot tool: PASS

Incident Response Runbook: PASS
