docs(iwooos): 補記 CD runner secret 正式驗證 [skip ci]

This commit is contained in:
Your Name
2026-06-16 12:37:45 +08:00
parent 1ce36cb26c
commit 3e30807ce3

View File

@@ -1,3 +1,39 @@
## 2026-06-16IwoooS CD / Runner / Secret 回讀 Gate 正式部署驗證
**背景**:上一段 CD / Runner / Secret 注入事故後回讀 gate 已完成 repo 內 artifact / guard / 前台 marker但一度被 CD run `3071` 的 Docker build lock timeout 擋住,不能宣告 production 完成。後續另一個 Session 記錄 empty lock cleanup evidence並以 `97b66a0e` 前端 locale commit 觸發正式 CD本視窗只做只讀 Actions / production 回讀與 LOGBOOK 同步,未 SSH、未 Docker / host live write、未 workflow dispatch、未改 runner 或 repository secret。
**Gitea / CD**
- Feature commit`bb459d59 feat(iwooos): 新增 CD runner secret 事故回讀 gate`
- LOGBOOK blocker commit`c9b4363b docs(iwooos): 記錄 CD runner lock 阻塞 [skip ci]`
- Recovery trigger commit`97b66a0e fix(governance): 強化日週月報主看板前段提示`
- Code-review run`3074` 成功。
- CD run`3073` 成功build-and-deploy job 確認 Docker build lock acquired / released、image pushed、ArgoCD `Synced / Healthy``awoooi-api` / `awoooi-web` / `awoooi-worker` rollout 成功、API health 通過、post-deploy smoke `5 passed`
- Deploy marker`bd66e264 chore(cd): deploy 97b66a0 [skip ci]`
- 後續 LOGBOOK commit`1ce36cb2 docs(governance): 補記日週月報正式驗證 [skip ci]`
**Production 驗證**
- HTML readback`https://awoooi.wooo.work/zh-TW/iwooos?_v=bd66e264-iwooos-cd-runner-secret-prod``200`CD / runner / secret post-incident readback 必要 marker 缺漏 `0`
- 命中的 IwoooS marker`cd_runner_secret_injection_post_incident_readback_plan_candidate_count=5``cd_runner_secret_injection_post_incident_readback_plan_blocked_action_count=52``secret_metadata_coverage_percent=70``gitea_workflow_runner_source_control_coverage_percent=74``cd_runner_secret_injection_post_incident_readback_plan_runtime_gate_count=0`
- Chrome desktop `1440x1100``/zh-TW/iwooos?_v=bd66e264-iwooos-cd-runner-secret-prod-cdp` marker 全部命中,敏感 / 內部協作片語命中 `0``horizontalOverflow=false``scrollWidth=1434``clientWidth=1434`
- Chrome mobile `390x844``/zh-TW/iwooos?_v=bd66e264-iwooos-cd-runner-secret-prod-cdp` marker 全部命中,敏感 / 內部協作片語命中 `0``horizontalOverflow=false``scrollWidth=390``clientWidth=390`
- Governance automation inventory`/zh-TW/governance?tab=automation-inventory&_v=bd66e264-governance-reports-prod-cdp` 在 desktop / mobile 均命中 `日報 / 週報 / 月報``報告可見``AI Agent``Telegram``live`,敏感 / 內部協作片語命中 `0``horizontalOverflow=false`
- AwoooP tenants`/zh-TW/awooop/tenants?_v=bd66e264-tenants-redaction-prod-cdp` 在 desktop / mobile 均命中 `脫敏範圍``runtime gate`,敏感 / 內部協作片語命中 `0``horizontalOverflow=false`;現行頁面不顯示 `agent-bounty-protocol` raw repo 字串,符合脫敏要求。
- Chrome 截圖:
- `/tmp/iwooos-desktop-bd66e264.png`
- `/tmp/iwooos-mobile-bd66e264.png`
- `/tmp/governance-desktop-bd66e264.png`
- `/tmp/governance-mobile-bd66e264.png`
- `/tmp/tenants-desktop-bd66e264.png`
- `/tmp/tenants-mobile-bd66e264.png`
**完成度與邊界**
- CD / Runner / Secret injection post-incident readback planrepo 內 artifact / guard / 前台 marker `100%`production deploy / marker readback `100%`
- Secret metadata 只讀成熟度:`68% -> 70%`Gitea workflow / runner source control 只讀成熟度:`72% -> 74%`
- 高價值配置平均成熟度:維持 `71%`IwoooS headline 維持 `64%`active runtime gate 維持 `0`
- readback received / accepted、runtime execution authorized、action buttons allowed、workflow modification authorized、runner change authorized、repo secret change authorized、secret rotation authorized、Gitea action dispatch authorized、host write、production write、active scan 與 runtime gate 全部仍為 `0 / false`
- 本視窗未 SSH、未 Docker / systemd / Nginx / firewall / ArgoCD / K8s live action、未 workflow dispatch、未改 runner、未改 repository secret、未讀 secret value / hash / partial token、未 active scan、未 force push。
- 下一優先CD runner Docker build lock owner readback 仍需補正式 owner evidence另需回到 S4.9 owner response、Backup / Restore / Escrow、Monitoring receiver receipt 與 Public Gateway / Nginx owner evidence不得用 CD success、deploy marker、route `200`、UI 可見或 AwoooP approval 當 runtime 授權。
## 2026-06-16CD / Runner / Secret 注入事故後回讀 Gate 與 CD Lock 阻塞
**背景**CD / Runner / repository secret injection 屬於高價值配置面,不能因 code-review 成功、CD 開始、UI marker 預期存在或 deploy 通知預覽就視為 runtime 已授權。近期 110 冷啟動、端口異動、Harbor / registry / StockPlatform / monitoring 類事故也證明,部署通道本身必須有事故後回讀欄位與 no-false-green 邊界。本階段已完成 repo 內只讀 gate、snapshot、guard 與前台 marker但 production deploy 被後續 `9f4ed285` 觸發的 CD run `3071` 擋在 Docker build lock timeout正式站尚未出現新 marker。