feat(delivery): expose production deploy readback blocker

This commit is contained in:
Your Name
2026-06-28 19:32:36 +08:00
parent b1da5cc7d3
commit 40dc4315f2
5 changed files with 323 additions and 3 deletions

View File

@@ -48726,6 +48726,35 @@ production browser smoke:
**本段驗證目標**
- JSON parse、`py_compile`、focused GitHub gate API tests、Delivery Workbench test、`git diff --check`
- 此段只關閉內部 MCP / RAG / KM / PlayBook / LOG governance gapGitHub executable channel 仍維持 freeze / external unblock。
## 2026-06-28 — 19:28 Production deploy readback blocker 機器可讀化
**背景**
- GitHub operator unblock governance closure 已在 Gitea `main` 歷史內,最新 source control main 為 `b1da5cc7d324`
- Production 仍讀回舊 image tag `af45811e876fda322ee63c036fbc39c9f07ffd76``/api/v1/agents/github-target-controlled-execution-preflight``/api/v1/agents/delivery-closure-workbench` 尚未出現 `internal_governance_writeback` / KM / PlayBook 新欄位。
- Gitea actions 公開頁僅見舊 CD run `#3848` 指向 `af45811e87`;未登入狀態沒有 Run workflow 按鈕,未帶 token 的 workflow dispatch 回 `401 token is required`
**完成內容**
- 新增 `docs/operations/awoooi-production-deploy-readback-blocker.snapshot.json`,把 source main、production tag、CD run 與 dispatch blocker 收斂為 P0 read-only snapshot。
- 新增 `awoooi_production_deploy_readback_blocker` loader強制 `deploy_trigger_allowed=false``workflow_modification_allowed=false``gitea_api_write_allowed=false``host_write_allowed=false``k8s_write_allowed=false``secret_read_allowed=false`
- `delivery_closure_workbench` 新增 `production_deploy` lane 與 summary counters`production_deploy_image_tag_matches_main=false``production_deploy_authorized_dispatch_channel_ready=false``production_deploy_hard_blocker_count=1`
**驗證結果**
- JSON parse通過。
- `py_compile`:通過。
- `ruff check`:通過。
- focused pytest`20 passed`
- `git diff --check`:通過。
**仍維持**
- Production 尚未部署最新 `main`,不能宣稱 runtime closure 完成。
- 沒有使用 GitHub app / connector / MCP、`gh`、GitHub API、GitHub Actions、PR / issue / search。
- 沒有讀 raw sessions / SQLite / auth / `.env` / token / cookie沒有 host / Docker / K8s / firewall / Wazuh runtime 操作。
- 沒有修改 Gitea workflow trigger、沒有 workflow_dispatch、沒有手改 K8s image tag、沒有重開 110 runner。
**下一個 P0**
- 取得合法的 Gitea manual workflow_dispatch channel 後觸發 `cd.yaml ref=main`
- CD 完成後重跑 production readback目標是 Workbench 與 GitHub preflight production payload 出現 `internal_governance_writeback` 與 KM / PlayBook / LOG counters。
## 2026-06-28 — 19:09 Wazuh allowlisted check-mode dry-run 本地完成
**時間與來源**

View File

@@ -0,0 +1,64 @@
{
"schema_version": "awoooi_production_deploy_readback_blocker_v1",
"generated_at": "2026-06-28T19:28:54+08:00",
"status": "blocked_waiting_authorized_gitea_workflow_dispatch",
"priority": "P0",
"scope": "awoooi_production_truth",
"readback": {
"source_control_main_sha": "b1da5cc7d32415667a1a74288874f817bb97f639",
"source_control_main_short_sha": "b1da5cc7d324",
"governance_closure_merge_sha": "27b96f0450d0e3ca6651d6b5f274a341dd727ef2",
"governance_closure_commit_sha": "9e3e7fbb6ba3ffd324b45abf3ad1e7b6ec826b22",
"production_image_tag_sha": "af45811e876fda322ee63c036fbc39c9f07ffd76",
"production_image_tag_short_sha": "af45811e87",
"production_image_tag_matches_main": false,
"production_preflight_http_status": 200,
"production_workbench_http_status": 200,
"production_internal_governance_writeback_present": false,
"production_workbench_governance_ready_present": false,
"latest_visible_cd_run_id": "3848",
"latest_visible_cd_run_commit_short_sha": "af45811e87",
"current_main_cd_run_visible": false,
"manual_run_button_visible": false,
"gitea_sign_in_required": true,
"dispatch_without_token_http_status": 401,
"dispatch_without_token_message": "token is required",
"authorized_dispatch_channel_ready": false
},
"blockers": [
{
"id": "authorized_gitea_workflow_dispatch_channel_missing",
"kind": "external_authorized_control_channel",
"severity": "P0",
"description": "Source 已進 Gitea main但 production image tag 仍停在舊 SHA目前沒有可用的已授權 Gitea workflow_dispatch channel 觸發 CD。",
"blocked_action": "deploy_current_gitea_main_to_production",
"safe_boundary": "不得讀 token/cookie/session不得改 workflow 為 push trigger不得手改 K8s tag不得重開 110 runner 或 host/K8s runtime。"
}
],
"next_actions": [
"使用已授權的 Gitea manual workflow_dispatch channel 觸發 cd.yaml ref=main。",
"CD 完成後讀回 production image tag確認不再是 af45811e87。",
"重新讀回 /api/v1/agents/github-target-controlled-execution-preflight 與 /api/v1/agents/delivery-closure-workbench確認 internal_governance_writeback 與 KM / PlayBook counters 出現。"
],
"rollups": {
"hard_blocker_count": 1,
"next_action_count": 3,
"source_control_main_ready": true,
"production_image_tag_matches_main": false,
"production_governance_fields_present": false,
"authorized_dispatch_channel_ready": false,
"runtime_write_performed": false,
"secret_values_collected": false
},
"operation_boundaries": {
"read_only_api_allowed": true,
"deploy_trigger_allowed": false,
"workflow_modification_allowed": false,
"gitea_api_write_allowed": false,
"host_write_allowed": false,
"k8s_write_allowed": false,
"secret_read_allowed": false,
"github_api_allowed": false,
"raw_session_or_sqlite_read_allowed": false
}
}