docs(iwooos): 記錄主機服務事故回讀 gate [skip ci]

This commit is contained in:
Your Name
2026-06-15 20:17:44 +08:00
parent d547dc5f5a
commit 18cf52631c

View File

@@ -1,3 +1,59 @@
## 2026-06-15Docker / systemd / Host Service 事故後回讀 Gate
**背景**110 / 188 類主機服務事故證明Docker daemon、compose、systemd、repair-bot、Ansible、host config backup、port binding、public / admin route、AI provider 與 monitoring 可能互相影響。IwoooS 不能把「容器起來」、「route 200」、「服務健康」或「頁面可見」誤判成主機服務事故已驗收本階段補上 host service post-incident readback plan只建立事故後回讀候選、必填欄位、reviewer checks、outcome lanes、blocked actions 與前台 marker不 SSH、不讀 live host、不碰 Docker / systemd / repair-bot / Ansible / Nginx / firewall、不做 route smoke、不收 secrets 明文。
**完成項目**
- 新增 `scripts/security/host-service-post-incident-readback-plan.py``docs/security/host-service-post-incident-readback-plan.snapshot.json`
- 新增 `docs/security/HOST-SERVICE-POST-INCIDENT-READBACK-PLAN.md`,把 9 個 Docker / systemd / host service surface 轉成事故後回讀計畫。
- Post-incident readback plan 固定為 candidates `9`、write-capable candidates `3`、live-evidence required `8`、readback fields `36`、required readback fields `28`、reviewer checks `28`、outcome lanes `10`、blocked actions `41`
- 必填回讀欄位包含 actor、boot time、restart / recovery window、before / after、Docker daemon、compose、systemd、failed unit、port binding、dependency impact、public / admin route recovery、AI provider health、monitoring alert、operator notification、cross-project sync、restoration evidence、post-check、recurrence guard 與 no-false-green attestation。
- 所有 post-incident readback received / accepted、Docker daemon accepted、compose accepted、systemd accepted、failed unit accepted、port binding accepted、route recovery accepted、AI provider accepted、monitoring accepted、cross-project sync accepted、recurrence guard accepted、runtime gate 與 action button 仍為 `0 / false`
- `docker_compose_systemd_host_config` 只讀成熟度從 `62%` 推進到 `64%`,狀態為 `post_incident_readback_plan_ready_needs_host_service_owner_evidence`
- 高價值配置平均成熟度從 `70%` 推進到 `71%`needs-live-evidence 類別從 `10` 降為 `9`
- `/zh-TW/iwooos` 前台高價值配置卡片更新為Docker / systemd 主機服務 `64%`、SSH / network / firewall `64%`、AI provider / model routing `64%`、K8s / ArgoCD GitOps `64%``en.json` 維持繁中鏡像。
- `/zh-TW/awooop/tenants` 正式站與 API 已確認不顯示 raw repo namespace、個人 namespace、raw blocker 狀態或內部協作語句;前台只顯示產品 / 專案代號、脫敏來源代號與控管狀態。
**本地驗證**
- JSON parse 驗證 `docs/security/host-service-post-incident-readback-plan.snapshot.json``docs/security/high-value-config-control-coverage.snapshot.json``docs/security/iwooos-posture-projection.snapshot.json``docs/schemas/iwooos_posture_projection_v1.schema.json``apps/web/messages/zh-TW.json``apps/web/messages/en.json` 通過。
- `python3 -m py_compile scripts/security/host-service-post-incident-readback-plan.py scripts/security/high-value-config-control-coverage.py scripts/security/iwooos-config-control-guard.py scripts/security/security-mirror-progress-guard.py` 通過。
- `python3 scripts/security/iwooos-config-control-guard.py --root .``IWOOOS_CONFIG_CONTROL_GUARD_OK`
- `python3 scripts/security/security-mirror-progress-guard.py --root .``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- `python3 scripts/security/public-frontend-env-guard.py --root .``OK public frontend sensitive surface guard files=225 patterns=12 allowlisted=2 violations=0 runtime_gate=0`
- `python3 scripts/security/source-control-owner-response-guard.py --root .``SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`
- `python3 scripts/security/package-supply-chain-owner-policy-guard.py --root .``PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK`
- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea``DOC_SECRET_SANITY_OK scanned_files=880`
- `pnpm --filter @awoooi/web typecheck` 通過;`apps/web/tsconfig.tsbuildinfo` 只屬 typecheck 快取副作用,未納入提交。
- `git diff --check` 通過。
**Gitea / CD**
- Code commit`abda0ef6 feat(iwooos): 新增主機服務事故回讀 gate`
- Code-review run`3057`,公開 Actions 頁顯示成功。
- CD run`3056`tests job `3182 passed / 23 skipped`B5 integration `5 passed`build-and-deploy job 成功。
- Deploy marker`d547dc5f chore(cd): deploy abda0ef [skip ci]`
- CD log 顯示 ArgoCD `Synced / Healthy``awoooi-api` / `awoooi-web` / `awoooi-worker` rollout 成功、API health 通過、`AWOOOI_ROLLOUT_RISK=0`、CI/CD notification 已送出。
**Production 驗證**
- 內建瀏覽器 attach 逾時,改用本機 Google Chrome headless 對相同 production URL 做只讀 smoke未使用登入 token、未讀 secrets、未進行寫操作。
- Chrome desktop `1440x1100``/zh-TW/iwooos?_v=d547dc5f-host-service-readback-prod-desktop``200`,必要 marker 缺漏 `0`,敏感 / 內部協作片語命中 `0``horizontalOverflow=false``scrollWidth=1440``clientWidth=1440`
- Chrome mobile `390x844``/zh-TW/iwooos?_v=d547dc5f-host-service-readback-prod-mobile``200`,必要 marker 缺漏 `0`,敏感 / 內部協作片語命中 `0``horizontalOverflow=false``scrollWidth=390``clientWidth=390`
- Chrome desktop `1440x1000``/zh-TW/awooop/tenants?_v=d547dc5f-tenant-redaction-prod-desktop``200`,必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0``horizontalOverflow=false``scrollWidth=1440``clientWidth=1440`
- Chrome mobile `390x844``/zh-TW/awooop/tenants?_v=d547dc5f-tenant-redaction-prod-mobile``200`,必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0``horizontalOverflow=false``scrollWidth=390``clientWidth=390`
- API readback`/api/v1/platform/tenants``200`raw repo namespace、個人 namespace、raw blocker 狀態與內部協作語句命中 `0`response 目前為 `tenants=2``asset_inventory.products=16``public_route_count=31``source_candidate_repo_count=10``runtime_gate_count=0`
- Chrome 截圖:
- `/tmp/iwooos-desktop-d547dc5f.png`
- `/tmp/iwooos-mobile-d547dc5f.png`
- `/tmp/tenants-desktop-d547dc5f.png`
- `/tmp/tenants-mobile-d547dc5f.png`
**完成度與邊界**
- Docker / systemd / Host Service post-incident readback plan`0% -> 100%`
- Docker / systemd / Host Service 只讀成熟度:`62% -> 64%`
- 高價值配置平均成熟度:`70% -> 71%`needs-live-evidence 類別:`10 -> 9`
- IwoooS headline 維持 `64%`active runtime gate 維持 `0`
- post-incident readback received / accepted、actor attribution、before / after、Docker daemon、compose、systemd、failed unit、port binding、route recovery、AI provider、monitoring、operator notification、cross-project sync、restoration evidence、post-check、recurrence guard、no-false-green accepted、runtime gate 與 action button 全部維持 `0 / false`
- 本輪未 SSH、未讀 live host / raw compose / raw systemd / raw docker logs / raw journal / raw env、未重啟 Docker / systemd / host、未執行 repair-bot / Ansible、未 reload Nginx、未改 firewall / port、未做 active scan、未收 secrets 明文、未 force push。
- 下一優先:收 Host Service 事故後回讀包與 owner evidence同時推進 K8s / ArgoCD、Backup / Restore / Escrow、Monitoring / Alerting / Observability 的 owner evidence不得用 route 200、container up、UI 可見或 CD success 當成資安 runtime 授權。
## 2026-06-15SSH / network / firewall 事故後回讀 Gate
**背景**端口、防火牆、NetworkPolicy、NodePort、WireGuard、deploy SSH、sudo 或 alert action 異動可能同時影響 public route、AI provider、monitoring 與跨產品部署。IwoooS 不能把「服務後來恢復」或「頁面可見」誤判成事故已驗收;本階段補上 post-incident readback plan只建立只讀事故後回讀候選、必填欄位、reviewer checks、outcome lanes、blocked actions 與前台可視化;不 SSH、不讀 live firewall、不改 port / route / Nginx / Docker / systemd、不重啟、不做 active scan、不打 provider endpoint。