diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index df448011..94c4fb6b 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md 
@@ -47890,3 +47890,52 @@ production browser smoke: **下一個 P0**: - commit feature,正常 push 到 Gitea;確認 CD idle/success 後 normal push `HEAD:main`,再做 production readback,目標為 `safe_credential_evidence_intake_ready=true`、required refs `9`、rules `5`、redaction examples `5`、forbidden payloads `15`、quarantine lanes `1`,同時 create/private ready `0`、refs sync ready `0`、execution ready `0` 維持不變。 + +## 2026-06-27 — 22:35 GitHub safe credential evidence intake readiness production 讀回完成 + +**時間與來源**: +- 2026-06-27 22:18-22:35 Asia/Taipei。 +- 來源:feature branch `codex/github-safe-credential-intake-20260627`、main release `30af0fb420`、deploy marker `257544d09`、Gitea Actions 與 production API readback。 + +**完成內容**: +- GitHub private backup evidence gate 已正式暴露 `safe_credential_evidence_intake_readiness`,可讀出脫敏 evidence ref 收件狀態、redaction examples、forbidden payloads 與 quarantine lanes。 +- 本段只建立 safe credential evidence 的 read-only intake contract;不代表 safe credential evidence 已 accepted,也不代表 repo creation、visibility change、refs sync 或 GitHub primary switch 已授權。 + +**runs 與驗證**: +- feature latest:`30af0fb420 Merge remote-tracking branch 'gitea/main' into codex/github-safe-credential-intake-20260627`。 +- deploy marker:`257544d09 chore(cd): deploy 30af0fb [skip ci]`。 +- Gitea CD run `3707`:Success。 +- Gitea code-review run `3708`:Success。 +- 本地驗證:`python3.11 -m ruff check ...` 通過、`python3 -m py_compile apps/api/src/services/github_target_private_backup_evidence_gate.py` 通過、focused pytest `12 passed`、`pnpm --dir apps/web typecheck` 通過、`git diff --check` 通過。 + +**production API readback**: +- `GET https://awoooi.wooo.work/api/v1/health`:`200`,`status=healthy`、`environment=prod`、`mock_mode=false`。 +- `GET https://awoooi.wooo.work/api/v1/agents/github-target-private-backup-evidence-gate`:`200`。 +- `safe_credential_evidence_intake_ready=True`。 +- 
`safe_credential_required_redacted_evidence_ref_count=9`、`safe_credential_evidence_ref_rule_count=5`、`safe_credential_redaction_example_count=5`、`safe_credential_forbidden_payload_count=15`、`safe_credential_quarantine_lane_count=1`。 +- `safe_credential_raw_payload_storage_allowed=False`、`private_clone_url_collection_allowed=False`、`secret_value_collection_allowed=False`。 +- top-level status:`ready_to_collect_redacted_evidence_refs_not_credentials`、`intake_ready=True`、`execution_authorized=False`、`not_approval=True`。 +- first target `owenhytsai/awoooi`:`safe_credential_evidence_submission_status=waiting_redacted_evidence_ref`、`safe_credential_raw_payload_storage_allowed=False`。 + +**production delivery readback**: +- `GET https://awoooi.wooo.work/api/v1/agents/delivery-closure-workbench`:`200`,`schema_version=delivery_closure_workbench_v1`。 +- GitHub lane:`lane_id=github`、`status=blocked_private_visibility_and_safe_credential_evidence_required`、`completion_percent=44`、`blocker_count=9`。 + +**完成度與同步狀態**: +- 本段「GitHub safe credential evidence intake readiness API / production 讀回」:`85% -> 100%`。 +- GitHub backup mirror governance:仍為 blocked;本段只把安全收件契約正式上線,不代表 private backup gate 已開。 + +**仍維持 0 / false**: +- `safe_credential_accepted_evidence_count=0`、`owner_response_received_count=0`、`owner_response_accepted_count=0`。 +- `github_missing_target_create_private_repo_ready_count=0`、`github_missing_target_refs_sync_ready_count=0`、`execution_ready_count=0`、`blocked_target_count=9`、`private_backup_verified_count=4`。 +- `repo_creation_authorized=false`、`visibility_change_authorized=false`、`refs_sync_authorized=false`、`workflow_trigger_authorized=false`、`secret_value_collection_allowed=false`、`private_clone_url_collection_allowed=false`、`stored_raw_payload_allowed=false`。 + +**做過的命令類型**: +- 寫入:repo service / test / LOGBOOK,以及正常 Gitea feature / main push。 +- 只讀:Gitea Actions UI readback、production health、production GitHub gate API、Delivery Workbench API。 +- 未做:沒有 GitHub repo 
creation、visibility change、refs sync、workflow trigger、private clone URL collection、secret value collection;沒有 host / Docker / systemd / Nginx / firewall / K8s / DB / Wazuh runtime 寫操作;沒有 force push。 + +**下一個 P0**: +- `P0-01` GitHub private backup evidence acceptance:逐 target 收 owner-provided redacted evidence refs,讓 `safe_credential_accepted_evidence_count` 從 `0/9` 往上推;仍不得收 private clone URL、secret value、repo archive 或 git object pack。 +- `P0-02` missing target canonical source owner decision:釐清 `ewoooc`、`bitan-pharmacy`、`tsenyang-website`、`VibeWork`、`agent-bounty-protocol` 的 canonical source before repo creation。 +- `P0-03` refs sync readiness:canonical source 與 owner decision 未成立前,`refs_sync_ready_count` 必須維持 `0`。
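Review bot: In the "仍維持 0 / false" section, the second bullet lists `blocked_target_count=9` and `private_backup_verified_count=4`, which are neither 0 nor false, so a reader auditing that section for unchanged zero-state guards gets mixed signals. Move those two counters to their own "unchanged, non-zero" bullet or into the 完成度與同步狀態 section. The production API readback bullets record booleans as `True`/`False`, while the preceding P0 target (`safe_credential_evidence_intake_ready=true`) and the 0/false list use `true`/`false`. Recording the values in one casing, preferably as the API returns them, would let the readback be matched against the stated target. The raw-payload guard also appears under two names, `safe_credential_raw_payload_storage_allowed` in the readback and `stored_raw_payload_allowed` in the 0/false list. If these are distinct fields, the entry should say so, otherwise use one name. In 本地驗證, the ruff target is elided as `...` while the `py_compile` path is spelled out, so the lint scope cannot be reproduced from the log.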