chore(security): sync with gitea main before ref detail diff [skip ci]
# Conflicts: # docs/LOGBOOK.md
This commit is contained in:
347
docs/LOGBOOK.md
347
docs/LOGBOOK.md
@@ -1,98 +1,251 @@
|
||||
## 2026-05-12 | Source Control Draft Reconcile Plan 草案
|
||||
## 2026-05-13 | T4 Config Drift fingerprint repeat-state 已推版
|
||||
|
||||
**背景**:統帥批准繼續推進後,本輪先同步最新 `gitea/main`,納入另一個 AwoooP Session 的 `legacy mcp audit -> gateway timeline` 進度,避免雙 Session 分歧。同步後繼續沿用低摩擦原則,只針對 refs-blocked repo 產生草案,不執行同步。
|
||||
**背景**:Config Drift Telegram 卡片只顯示單次 `report_id` 與 HIGH/MEDIUM/INFO 計數,Operator 無法判斷是否同一漂移一直重複、已跑到哪個流程階段、是否需要人工。舊 truth-chain repeat 只用 namespace/status/counts 分組,會把「剛好同計數但 items 不同」誤認為同一漂移。
|
||||
|
||||
**本次交付**:
|
||||
- 新增 `scripts/security/source-control-reconcile-plan.py`,只讀既有 redacted snapshot,不呼叫遠端 Git,不 fetch、不 push、不改 remote。
|
||||
- 新增 `docs/schemas/source_control_reconcile_plan_v1.schema.json`。
|
||||
- 產出 `docs/security/source-control-reconcile-plan.snapshot.json` 與 `docs/security/SOURCE-CONTROL-RECONCILE-PLAN.md`。
|
||||
- Draft plan 涵蓋 3 個 refs-blocked mapped repos:`wooo/awoooi`、`wooo/clawbot-v5`、`wooo/wooo-aiops`。
|
||||
- 更新 `SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST`,contract count 從 13 增至 14,新增 `source_control_reconcile_plan_v1`。
|
||||
- 更新 `SECURITY-SUPPLY-CHAIN-PROGRESS` 與 `AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST`,讓 AwoooP 可 mirror draft plan 但不得執行 refs sync。
|
||||
**修正**:
|
||||
- 新增 `drift_repeat_state.py`:
|
||||
- 以 namespace + sorted drift items 建立 stable fingerprint。
|
||||
- fingerprint 只看 drift 的實際 identity,不看 report_id / 掃描時間。
|
||||
- repeat-state schema:`drift_repeat_state_v1`。
|
||||
- `awooop_truth_chain_service`:
|
||||
- drift report 查詢納入 `items`。
|
||||
- repeat-state 改用 stable fingerprint,比對 24h 內候選並回傳 12h repeat window。
|
||||
- 回傳 `fingerprint`、`matching_strategy=namespace_and_stable_items_v1`、`operator_stage`、matching reports。
|
||||
- `drift_narrator_service`:
|
||||
- Telegram drift card body 會追加:
|
||||
- `流程: drift_scanned → ai_analyzed → pending_human`
|
||||
- `重複: 12h 內第 N 次同指紋`
|
||||
- `指紋: dfp_xxxxx`
|
||||
- 這仍只揭露真相鏈狀態,不自動採納 / 回滾 / 忽略。
|
||||
|
||||
**邊界**:
|
||||
- Plan 狀態為 `draft_blocked`;authenticated / admin_export server-side inventory 尚未完成前,不可執行。
|
||||
- 未 push refs、未 force push、未刪 refs、未建立 GitHub repo、未改 visibility、未切 GitHub primary、未部署。
|
||||
- 人工批准未來也必須單一 repo 生效,不得批次套用到所有 repo。
|
||||
**驗證與推版**:
|
||||
- Local:
|
||||
- `py_compile`:pass。
|
||||
- `ruff --select F,E9`:pass。
|
||||
- `pytest tests/test_awooop_truth_chain_service.py tests/test_phase25_drift_detection.py tests/test_drift_interpreter_ollama_first.py tests/test_platform_router_order.py tests/test_awooop_operator_auth.py -q`:37 passed。
|
||||
- `git diff --check`:pass。
|
||||
- Gitea:
|
||||
- `5b348774 feat(awooop): expose drift repeat fingerprint` 已推 `gitea main`。
|
||||
- Code Review run `1938`:success。
|
||||
- CD run `1937`:success。
|
||||
- Deploy marker:`3d38039b chore(cd): deploy 5b34877 [skip ci]`。
|
||||
- Production:
|
||||
- API/Web/Worker image 均為 `5b34877429c16c42f0f894eb4d7f0484711fde9b`。
|
||||
- K3s rollout status:API/Web/Worker success。
|
||||
- `/api/v1/health`:healthy,mock_mode=false。
|
||||
- Truth-chain smoke `7f858956`:
|
||||
- `source_type=drift_report`
|
||||
- `current_stage=dedup_or_repeat_updated`
|
||||
- `stage_status=pending`
|
||||
- `needs_human=true`
|
||||
- `repeat_schema=drift_repeat_state_v1`
|
||||
- `fingerprint=dfp_02dc625b64784b24`
|
||||
- `matching_strategy=namespace_and_stable_items_v1`
|
||||
- `operator_stage=pending_human`
|
||||
- `repeat_12h=2`
|
||||
- `outbound_visible=2`
|
||||
- Production narrator render smoke:
|
||||
- `流程: drift_scanned → ai_analyzed → pending_human | 重複: 12h 內第 2 次同指紋 | 指紋: dfp_smoke1234`
|
||||
|
||||
**驗證**:
|
||||
- `source-control-reconcile-plan.py` 產生 3 plans。
|
||||
- JSON / schema / snapshot parse 通過。
|
||||
- `scripts/security/*.py` 可編譯。
|
||||
- `git diff --check` 通過。
|
||||
- PR diff added lines 未命中本輪敏感 token / credential pattern。
|
||||
**重要校正**:
|
||||
- 舊 count-based repeat 會把 `7f858956` 算成 12 次。
|
||||
- 新 stable fingerprint 顯示同一 items fingerprint 12h 內是 2 次;這代表之前的 12 次是「同計數重複候選」,不是已證明同一漂移。
|
||||
|
||||
## 2026-05-12 | Source Control Approval Board 低摩擦決策隊列
|
||||
**整體進度**:
|
||||
- Wave 0:MOMO PostgreSQL backup → AwoooP 失敗通知接線完成並已推版。
|
||||
- T0:Truth-chain read-only API 完成、部署、production smoke 完成。
|
||||
- T1:Channel Event hardening 完成、部署、production smoke 完成。
|
||||
- T2:legacy MCP audit bridge / backfill / truth-chain visibility 完成、部署、production smoke 完成;first-class Gateway enforced path 仍待後續 wave。
|
||||
- T3:Ansible audit contract + decision candidate dry-run audit 完成、部署、production smoke 完成。
|
||||
- T4:Config Drift stable fingerprint / repeat-state / Telegram stage visibility 完成、部署、production smoke 完成。
|
||||
- 仍未完成:T5 incident / approval / execution reconciliation、Ansible 真正 check-mode executor / diff / apply / rollback、first-class MCP Gateway enforcement。
|
||||
|
||||
**背景**:統帥批准繼續推進後,下一步原本是 Gitea authenticated read-only inventory;但目前 `GITEA_READONLY_TOKEN` 未提供。本輪因此不使用可 push 的既有 Gitea remote credential 代替 read-only token,避免把 inventory 與寫入權限憑證混在一起。
|
||||
## 2026-05-13 | T3 Ansible decision candidate audit 已推版
|
||||
|
||||
**本次交付**:
|
||||
- 新增 `scripts/security/source-control-approval-board.py`,只讀既有 redacted snapshot,不呼叫 Gitea/GitHub API,不需要 token。
|
||||
- 新增 `docs/schemas/source_control_approval_board_v1.schema.json`。
|
||||
- 產出 `docs/security/source-control-approval-board.snapshot.json` 與 `docs/security/SOURCE-CONTROL-APPROVAL-BOARD.md`。
|
||||
- Board 彙整 8 個 target,其中 7 個為 pending approval:`awoooi`、`clawbot-v5`、`wooo-aiops`、`wooo-infra-config`、`ewoooc`、`bitan-pharmacy`、`tsenyang-website`;`nexu-io/open-design` 維持 scope review。
|
||||
- 更新 `SECURITY-SUPPLY-CHAIN-CONTRACT-MANIFEST`,contract count 從 12 增至 13,新增 `source_control_approval_board_v1`。
|
||||
- 更新 `SECURITY-SUPPLY-CHAIN-PROGRESS` 與 `AWOOOP-MIRROR-ONLY-CONSUMPTION-CHECKLIST`,讓 AwoooP 可 mirror board 但不得執行 board item。
|
||||
**背景**:T3 第一段只讓 truth-chain 看得到 Ansible audit contract 與 repo playbook catalog;但 AI decision path 還不會留下「曾考慮 Ansible、但尚未進 check-mode/apply」的 first-class record。這會讓 Telegram / Operator Console 仍看不出 Ansible 是否真的被 AI 修復鏈評估過。
|
||||
|
||||
**修正**:
|
||||
- `awooop_ansible_audit_service.py` 新增 decision candidate audit payload / writer。
|
||||
- `decision_manager` 在 auto-execute / manual-approval 分支排程 best-effort `ansible_candidate_matched` audit write。
|
||||
- Audit row 明確是 dry-run / audit-only:
|
||||
- `status=dry_run`
|
||||
- `input.executor=ansible`
|
||||
- `input.check_mode=true`
|
||||
- `input.apply_enabled=false`
|
||||
- `input.approval_required=true`
|
||||
- `output.decision_effect=audit_only`
|
||||
- Docker/container 類 incident 也會命中 188 / 110 Ansible catalog hints;未來新 decision 可在 truth-chain 顯示「有候選、尚未執行 check-mode」。
|
||||
|
||||
**驗證與推版**:
|
||||
- Local:
|
||||
- `py_compile`:pass。
|
||||
- `ruff --select F,E9`:pass。
|
||||
- `pytest apps/api/tests/test_awooop_truth_chain_service.py apps/api/tests/test_platform_router_order.py apps/api/tests/test_awooop_operator_auth.py -q`:14 passed。
|
||||
- Tier 3 adjacent tests:133 passed, 1 existing RuntimeWarning。
|
||||
- `git diff --check`:pass。
|
||||
- Gitea:
|
||||
- `3799e0db feat(awooop): audit ansible decision candidates` 已推 `gitea main`。
|
||||
- Code Review run `1936`:success。
|
||||
- CD run `1935`:success。
|
||||
- Deploy marker:`90b9ddb7 chore(cd): deploy 3799e0d [skip ci]`。
|
||||
- Production:
|
||||
- API/Web/Worker image 均為 `192.168.0.110:5000/awoooi/*:3799e0db0d30f29fdc251197634d2fca4c2c67fd`。
|
||||
- K3s rollout status:API/Web/Worker success。
|
||||
- `/api/v1/health`:healthy,mock_mode=false。
|
||||
- Pure function smoke(API pod):DockerContainerUnhealthy 事件可產生 `ansible_candidate_matched` payload,`candidate_count=2`,`check_mode_executed=false`。
|
||||
- Truth-chain smoke `INC-20260512-B6C589`:
|
||||
- `source_type=incident`
|
||||
- `current_stage=manual_required`
|
||||
- `stage_status=blocked`
|
||||
- `needs_human=true`
|
||||
- `execution.ansible.audit_contract.schema_version=ansible_executor_audit_v1`
|
||||
- `ansible_candidates=2`
|
||||
- `mcp_gateway_total=8`
|
||||
- Truth-chain smoke `7f858956`:
|
||||
- `source_type=drift_report`
|
||||
- `current_stage=dedup_or_repeat_updated`
|
||||
- `stage_status=pending`
|
||||
- `needs_human=true`
|
||||
- `repeat_12h=12`
|
||||
- `outbound_visible=2`
|
||||
|
||||
**整體進度**:
|
||||
- Wave 0:MOMO PostgreSQL backup → AwoooP 失敗通知接線完成並已推版。
|
||||
- T0:Truth-chain read-only API 完成、部署、production smoke 完成。
|
||||
- T1:Channel Event hardening 完成、部署、production smoke 完成。
|
||||
- T2:legacy MCP audit bridge / backfill / truth-chain visibility 完成、部署、production smoke 完成;first-class Gateway enforced path 仍待後續 wave。
|
||||
- T3:Ansible audit contract + decision candidate dry-run audit 完成、部署、production smoke 完成。
|
||||
- 仍未完成:Ansible 真正 check-mode executor、diff artifact、apply / rollback audit、T4 drift fingerprint FSM、T5 incident / approval / execution reconciliation、first-class MCP Gateway enforcement。
|
||||
|
||||
## 2026-05-12 | Security Supply Chain PR #117 累積紀錄
|
||||
|
||||
**背景**:統帥批准 Kali `192.168.0.112`、開發主機 `192.168.0.111` / `192.168.0.168`、Code Review -> Codex、Gitea -> GitHub 長期遷移納入同一個資安工作項目;同時要求初期不要把資安等級一次拉太高,避免產品、架構與流程變得過度複雜。本支線以乾淨 worktree 建立 PR `#117`,並持續與另一個 AwoooP Session 的 `gitea/main` 同步。
|
||||
|
||||
**累積交付**:
|
||||
- 建立 docs-only / contracts-first Security Supply Chain scaffold,涵蓋 Kali、Code Review、Codex、Gitea、GitHub 與 AwoooP mirror-only handoff。
|
||||
- 產出 Gitea/GitHub refs diff、Gitea public-only inventory、local remote inventory、GitHub target probe、canonical lineage、110 refs probe、repo-by-repo approval package 與 contract manifest snapshot。
|
||||
- 建立 `SOURCE-CONTROL-APPROVAL-BOARD.md`,彙整 8 個 target,其中 7 個為 pending approval;authenticated inventory gate 仍為 `blocked`。
|
||||
- 建立 `SOURCE-CONTROL-RECONCILE-PLAN.md`,涵蓋 `awoooi`、`clawbot-v5`、`wooo-aiops` 三個 refs-blocked mapped repos;狀態仍為 `draft_blocked`。
|
||||
- Contract manifest 已收斂到 14 個主要 contract,可供 AwoooP mirror / read-only policy / approval candidate 消費,但不得作 execution router。
|
||||
|
||||
**邊界**:
|
||||
- 未使用 Gitea write-capable remote credential 做 authenticated inventory。
|
||||
- 未建立 GitHub repo、未改 visibility、未同步 refs、未切 GitHub primary、未部署。
|
||||
- authenticated inventory gate 仍為 `blocked`,等待 read-only token 或 redacted admin export。
|
||||
- AwoooP 可 mirror board / plan / policy,但不得執行 board item 或新增高風險 action button。
|
||||
|
||||
**驗證**:
|
||||
- `source-control-approval-board.py` 產生 8 items,pending approval 7。
|
||||
- JSON / schema / snapshot parse 通過。
|
||||
- `scripts/security/*.py` 可編譯。
|
||||
- `git diff --check` 通過。
|
||||
- PR diff added lines 未命中本輪敏感 token / credential pattern。
|
||||
|
||||
## 2026-05-12 | Security Supply Chain PR #117 與 AwoooP 主線同步
|
||||
## 2026-05-12 | T3 Ansible audit surface 第一段
|
||||
|
||||
**背景**:Security Supply Chain docs-only 分支完成首次推版後,另一個 AwoooP Session 已將 `feat(awooop): harden outbound truth chain mirror` 與 deploy marker 推入 `gitea/main`。為避免雙 Session 推進互相衝突,本輪先把最新 `gitea/main` 合入資安分支,再建立 review-only PR。
|
||||
**背景**:Telegram / truth-chain live audit 顯示 Ansible 目前仍只是 repo/主機部署工具,沒有出現在 AI 自動化修復鏈路的 first-class audit record;Operator 無法知道「是否被考慮、是否 dry-run、為何沒用」。
|
||||
|
||||
**本次同步**:
|
||||
- 資安分支 `codex/security-supply-chain-contracts-20260512` 已合入最新 `gitea/main`,merge commit 為 `dc540cba`。
|
||||
- 已建立 Gitea PR `#117`:`http://192.168.0.110:3001/wooo/awoooi/pulls/117`。
|
||||
- PR 維持 review-only / docs-first / contracts-first;未合併、未部署、未切 GitHub primary。
|
||||
- AwoooP 主線 runtime / migration / k8s 變更由 `gitea/main` 保留,本資安分支的 PR diff 仍只呈現資安文件、schema、snapshot 與 read-only tooling。
|
||||
**修正**:
|
||||
- 新增 migration `adr090d_ansible_operation_types.sql`,擴充 `automation_operation_log.operation_type`:
|
||||
- `ansible_candidate_matched`
|
||||
- `ansible_check_mode_executed`
|
||||
- `ansible_apply_executed`
|
||||
- `ansible_rollback_executed`
|
||||
- `ansible_execution_skipped`
|
||||
- 新增 rollback migration `adr090d_ansible_operation_types_down.sql`;`run-migration.yml` 會跳過 `_down.sql`。
|
||||
- 新增 `awooop_ansible_audit_service.py`:
|
||||
- 讀取 automation ops 中的 Ansible operation type/tag/backend。
|
||||
- 暴露 repo 既有 playbook catalog hint。
|
||||
- 明確標示 `decision_effect=none`,避免把候選 playbook 當成已執行。
|
||||
- truth-chain `execution.ansible` 現在會顯示:
|
||||
- `considered` 是否有真實 Ansible audit record。
|
||||
- `records`、`audit_contract`、`candidate_catalog`、`not_used_reason`。
|
||||
- `incident_timeline_service` 補 Ansible operation type → stage mapping。
|
||||
|
||||
**驗證**:
|
||||
- `gitea/main` 已是資安分支祖先。
|
||||
- `python3 -m py_compile scripts/security/*.py` 通過。
|
||||
- `git diff --check gitea/main...HEAD` 通過。
|
||||
- JSON / schema / snapshot parse 通過,`security_supply_chain_contract_manifest_v1` 12 個 contracts path check 通過。
|
||||
- PR diff added lines 未命中本輪敏感 token / credential pattern。
|
||||
- `py_compile`:Ansible audit service / truth-chain / incident timeline / truth-chain tests 通過。
|
||||
- `ruff --select F,E9`:All checks passed。
|
||||
- `pytest apps/api/tests/test_awooop_truth_chain_service.py apps/api/tests/test_platform_router_order.py apps/api/tests/test_awooop_operator_auth.py -q`:13 passed。
|
||||
- `ruby YAML.load_file(".gitea/workflows/run-migration.yml")`:ok。
|
||||
- `git diff --check`:ok。
|
||||
|
||||
**下一步**:
|
||||
- 等 PR review 後再決定是否合併;不得直接切 GitHub primary 或啟動 refs sync。
|
||||
- Gitea read-only inventory approval 未批准前,private/internal server-side repo list 保持 blocked。
|
||||
- 下一階段仍維持低摩擦 observe-first,不做 runtime blocking。
|
||||
**整體進度**:
|
||||
- Wave 0:MOMO PostgreSQL backup → AwoooP 失敗通知接線完成並已推版。
|
||||
- T0:Truth-chain read-only API 完成、部署、production smoke 完成。
|
||||
- T1:Channel Event hardening 完成、部署、production smoke 完成。
|
||||
- T2:legacy MCP audit bridge / backfill / truth-chain visibility 完成、部署、production smoke 完成;first-class Gateway enforced path 仍待後續 wave。
|
||||
- T3:Ansible first-class audit contract / truth-chain 可見性完成、已部署;尚未把 approval execution path 寫入 Ansible dry-run/check-mode。
|
||||
- 下一步:T3 第二段接 decision / approval execution 的 Ansible check-mode audit row,仍不直接 apply。
|
||||
|
||||
## 2026-05-12 | Security Supply Chain docs-only contract manifest
|
||||
**production push 追加**:
|
||||
- Gitea `run-migration` run `1933` 顯示 migration 本體已成功:
|
||||
- `adr090d_ansible_operation_types.sql` 以 owner fallback 套用成功。
|
||||
- 但 audit seed 仍失敗,這次不是 `:'commit_sha'`,而是 tools JSON literal 在 unquoted heredoc 下仍保留反斜線:
|
||||
- `'{\"psql\": 1, \"gitea_ci\": 1}'::jsonb`
|
||||
- PostgreSQL 回 `invalid input syntax for type json`。
|
||||
- 已修 `.gitea/workflows/run-migration.yml`:tools JSON 改為 `'{"psql": 1, "gitea_ci": 1}'::jsonb`。
|
||||
- 已補 production `asset_discovery_run` repair audit row:
|
||||
- `triggered_by=codex:gitea-migration-audit-repair`
|
||||
- `summary.type=ci_migration_manual_repair`
|
||||
- `summary.commit_sha=ca80972dc73cb647f8fab3bf9439784c4b8eef7b`
|
||||
- Production DB constraint 驗證:`automation_operation_log_type_valid` 已包含全部 `ansible_*` operation types。
|
||||
- CD 部署:
|
||||
- `07000dae chore(cd): deploy ca80972 [skip ci]`
|
||||
- API/Web/Worker image 均為 `ca80972dc73cb647f8fab3bf9439784c4b8eef7b`
|
||||
- rollout success。
|
||||
- Truth-chain smoke(B6C589):
|
||||
- `truth_status=manual_required/blocked`
|
||||
- `mcp_gateway_total=8`
|
||||
- `execution.ansible.considered=false`
|
||||
- `execution.ansible.records=0`
|
||||
- `not_used_reason=no automation_operation_log row with Ansible operation type, tag, or executor backend for this source`
|
||||
- `audit_contract.schema_version=ansible_executor_audit_v1`
|
||||
- Caveat:下一個 migration push 仍需 live 驗證 `run-migration` audit seed 是否完全通過;本輪 workflow 修正後沒有新的 migration 觸發可重跑。
|
||||
|
||||
**背景**:統帥批准 Kali `192.168.0.112`、開發主機 `192.168.0.111` / `192.168.0.168`、Code Review -> Codex、Gitea -> GitHub 長期遷移納入同一個資安工作項目;同時要求初期不要把資安等級一次拉太高,避免產品、架構與流程變得過度複雜。
|
||||
**T3 第二段本地實作**:
|
||||
- `awooop_ansible_audit_service.py` 新增 decision audit payload/writer:
|
||||
- 只有 static catalog 有候選 playbook 時才寫 `automation_operation_log`。
|
||||
- operation_type=`ansible_candidate_matched`。
|
||||
- status=`dry_run`。
|
||||
- `input.executor=ansible`、`check_mode=true`、`apply_enabled=false`、`approval_required=true`。
|
||||
- `output.decision_effect=audit_only`。
|
||||
- `decision_manager` 在 auto-execute / manual-approval 分支都排程 best-effort audit write:
|
||||
- 不改 executor。
|
||||
- 不跑 Ansible。
|
||||
- 不阻塞決策和 Telegram。
|
||||
- Docker/container 類 incident 也會命中 Ansible catalog hint,讓 B6C589 這類事件後續新 decision 能留下 Ansible candidate audit row。
|
||||
- 本地驗證:
|
||||
- `py_compile`:pass。
|
||||
- `ruff --select F,E9`:pass。
|
||||
- `pytest test_awooop_truth_chain_service.py test_platform_router_order.py test_awooop_operator_auth.py -q`:14 passed。
|
||||
- `git diff --check`:pass。
|
||||
- 待推版與 production smoke。
|
||||
|
||||
**本次交付**:
|
||||
- 建立 Kali / Code Review / GitHub / Gitea / Codex / AwoooP 的 docs-only security supply chain scaffold。
|
||||
- 建立 `security_finding_v1`、`coding_task_v1`、`source_control_migration_event_v1`、`gitea_repo_inventory_v1`、`local_git_remote_inventory_v1`、`github_target_probe_v1`、`github_target_decision_v1`、`github_target_repo_approval_package_v1`、`local_repo_canonical_probe_v1`、`git_remote_refs_probe_v1`、`approval_required_event_v1`、`security_rollout_policy_v1`、`security_supply_chain_contract_manifest_v1` schema 草案。
|
||||
- 產出 Gitea/GitHub refs diff、Gitea public-only inventory、local remote inventory、GitHub target probe、canonical lineage、110 refs probe、repo-by-repo approval package 與 contract manifest snapshot。
|
||||
- 明確採低摩擦 `observe-first` / `mirror_only`:LOW / MEDIUM observation 先 observe / warn;只有 read-only token、repo creation、visibility change、refs sync、secret、deploy、primary switch 等高風險動作才進 approval。
|
||||
## 2026-05-12 | run-migration audit seed 再修正
|
||||
|
||||
**邊界**:
|
||||
- 本輪只做文件、schema、read-only scripts 與 redacted snapshots。
|
||||
- 未建立 repo、未修改 visibility、未同步 refs、未切 GitHub primary、未部署、未碰 runtime enforcement。
|
||||
- AwoooP 只可 mirror / read-only policy / approval candidate,不可把 manifest 當 execution router。
|
||||
**背景**:Gitea `run-migration` 在 `Seed asset_discovery_run (audit)` 再次失敗:
|
||||
|
||||
```text
|
||||
ERROR: syntax error at or near ":"
|
||||
LINE 16: 'commit_sha', :'commit_sha',
|
||||
```
|
||||
|
||||
**修正**:
|
||||
- `.gitea/workflows/run-migration.yml` 不再依賴 `psql` 的 `:'commit_sha'` / `:'files_json'` 變數展開。
|
||||
- 改由 `jq` 先產生完整 `summary` JSON,再以 shell-safe SQL literal 寫入 `asset_discovery_run.summary`。
|
||||
- 保留 owner connection fallback,只修 audit seed,不改 migration apply 流程。
|
||||
|
||||
**驗證**:
|
||||
- JSON / schema parse 通過。
|
||||
- `scripts/security/*.py` 可編譯。
|
||||
- `git diff --check` 通過。
|
||||
- 新增 / 修改內容未命中本輪敏感 token / credential pattern。
|
||||
- `ruby -e 'require "yaml"; YAML.load_file(".gitea/workflows/run-migration.yml")'`:yaml ok。
|
||||
- 抽出 `Seed asset_discovery_run (audit)` step 後 `bash -n`:通過。
|
||||
- mock `psql` 實跑該 step:rendered SQL 已無 `:'...'` psql 變數,並包含 `commit_sha` / `files` JSON。
|
||||
- `git diff --check`:通過。
|
||||
|
||||
**下一步**:
|
||||
- 等 Gitea read-only inventory approval 被批准後,補 private/internal server-side repo list。
|
||||
- 逐 repo 取得 owner / visibility / canonical 決策。
|
||||
- 對 refs blocked repos 產生 reconcile plan;GitHub primary 仍保持 blocked。
|
||||
**整體進度**:
|
||||
- Wave 0:MOMO PostgreSQL backup → AwoooP 失敗通知接線完成並已推版。
|
||||
- Truth-chain T0:read-only truth-chain API 完成、部署、production smoke 完成。
|
||||
- T1:Channel Event hardening 完成、部署、production smoke 完成。
|
||||
- T2:legacy MCP audit bridge / backfill / truth-chain visibility 完成、部署、production smoke 完成;first-class MCP Gateway enforced path 仍待後續 wave。
|
||||
- 本次:CI migration audit seed 紅燈修正完成,待推 Gitea main 觀察下一次 `run-migration`。
|
||||
- 下一步:回到 T3 Ansible declarative executor 盤點與 first-class audit surface。
|
||||
|
||||
## 2026-05-12 | Truth-chain T0 read-only API 第一版
|
||||
|
||||
@@ -6601,3 +6754,67 @@ gateway_audit_total=0 last_15m=0 bridge_total=0
|
||||
|
||||
- 因此目前只能宣稱「T2 bridge 寫入能力已部署並經 rollback smoke 驗證」。
|
||||
- 尚不能宣稱「所有 MCP / 自建 MCP 都已完全經 AwoooP Gateway 強制治理」;下一段要讓下一個真實 incident / MCP 呼叫自然產生 durable bridge row,或把高頻 caller 改成 first-class `McpGateway`。
|
||||
|
||||
**T2 backfill / truth-chain visibility 追加**:
|
||||
|
||||
- 新增 `scripts/ops/awooop-mcp-gateway-bridge-backfill-24h.sql`:
|
||||
- 將最近 24h 真實 `mcp_audit_log` 鏡像到 `awooop_mcp_gateway_audit`。
|
||||
- 以 `gate_result.legacy_audit_id` 做 idempotency key。
|
||||
- bridge row 保留 `policy_enforced=false` 與 `not_used_reason`,避免誤判為五閘門已 enforcement。
|
||||
- production 已執行 backfill:
|
||||
|
||||
```text
|
||||
inserted_bridge_rows=1160
|
||||
gateway_total=1310 bridge_total=1310 last_24h=1276
|
||||
B6C589_gateway_rows=8 failed=8 success=0
|
||||
```
|
||||
|
||||
- truth-chain API 追加 `gate_result` 欄位,並把 JSONB text 解析回物件,讓 UI 能顯示 bridge reason。
|
||||
|
||||
```text
|
||||
py_compile:
|
||||
apps/api/src/services/awooop_truth_chain_service.py
|
||||
apps/api/tests/test_awooop_truth_chain_service.py
|
||||
# OK
|
||||
|
||||
ruff F,E9:
|
||||
# All checks passed
|
||||
|
||||
pytest:
|
||||
apps/api/tests/test_awooop_truth_chain_service.py
|
||||
apps/api/tests/test_platform_router_order.py
|
||||
apps/api/tests/test_awooop_operator_auth.py
|
||||
# 11 passed
|
||||
```
|
||||
|
||||
**效果**:
|
||||
|
||||
- `INC-20260512-B6C589` truth-chain 現在不再是 `awooop_mcp_gateway_audit_empty`。
|
||||
- 仍顯示 `manual_required/blocked`,因為 8 個 SSH MCP 都失敗,approval/incident 狀態仍矛盾;這是 T5 要處理,不能用 T2 粉飾成自動修復完成。
|
||||
|
||||
**production deploy / endpoint smoke 追加(完成)**:
|
||||
|
||||
```text
|
||||
Gitea:
|
||||
1928 CD Pipeline b4d367ee -> success
|
||||
1929 Code Review b4d367ee -> success
|
||||
|
||||
K8s image:
|
||||
awoooi-api 192.168.0.110:5000/awoooi/api:b4d367eeb463eccda5aec8aa9c90f19897dbd634
|
||||
awoooi-worker 192.168.0.110:5000/awoooi/api:b4d367eeb463eccda5aec8aa9c90f19897dbd634
|
||||
awoooi-web 192.168.0.110:5000/awoooi/web:b4d367eeb463eccda5aec8aa9c90f19897dbd634
|
||||
|
||||
health:
|
||||
http://192.168.0.125:32334/api/v1/health -> 200 healthy
|
||||
|
||||
Truth-chain:
|
||||
GET /api/v1/platform/truth-chain/INC-20260512-B6C589?project_id=awoooi -> 200
|
||||
stage=manual_required status=blocked needs_human=True
|
||||
blockers=all_evidence_sensors_failed,
|
||||
approval_resolved_no_action_without_execution,
|
||||
incident_still_investigating_after_approval
|
||||
gateway_total=8 legacy_total=8
|
||||
first_gateway_tool=legacy:ssh_host:ssh_get_nginx_error_log result=failed
|
||||
gate_schema=legacy_mcp_bridge_v1 policy_enforced=False
|
||||
not_used_reason=legacy direct provider path; bridge audit only
|
||||
```
|
||||
|
||||
@@ -1883,12 +1883,83 @@ Phase 6 完成後
|
||||
- T2 bridge image `94d006ea` 已部署,CD run `1921` success,health 200。
|
||||
- rollback smoke 證明 `record_mcp_call()` 在同一 transaction 內會同時寫 legacy `mcp_audit_log` 與 `awooop_mcp_gateway_audit` bridge row,且 bridge row 標示 `policy_enforced=false` / `not_used_reason=legacy direct provider path; bridge audit only`;rollback 後兩邊皆未污染 production。
|
||||
- 部署後短觀察窗內沒有自然新 legacy MCP call(`legacy_mcp_15m=0`),所以 live `awooop_mcp_gateway_audit` total 仍是 0。T2 bridge capability 已上線,但 T2 全退出條件仍需下一個真實 MCP 呼叫產生 durable row,或把高頻 caller 改成 first-class Gateway path。
|
||||
- 已執行最近 24h 真實 legacy MCP backfill:`inserted_bridge_rows=1160`,目前 `awooop_mcp_gateway_audit gateway_total=1310 / bridge_total=1310 / last_24h=1276`。`INC-20260512-B6C589` 現在 gateway side 可見 8 筆 MCP,8 failed / 0 success;truth-chain blocker 移除 `awooop_mcp_gateway_audit_empty`,但仍是 `manual_required/blocked`,因為 evidence sensors 全失敗、NO_ACTION approval 無 execution、incident 仍 investigating。
|
||||
- truth-chain API 追加回傳 `gate_result`,讓 Operator Console 可直接顯示 `policy_enforced=false` 與 `not_used_reason`,避免把 bridge row 誤認為 first-class Gateway enforcement。
|
||||
- `b4d367ee` 已部署,CD run `1928` success。B6C589 endpoint smoke:`gateway_total=8 / legacy_total=8`,第一筆 gateway row 顯示 `gate_schema=legacy_mcp_bridge_v1`、`policy_enforced=False`、`not_used_reason=legacy direct provider path; bridge audit only`;truth status 仍是 `manual_required/blocked`。
|
||||
|
||||
**仍未宣稱完成**:
|
||||
- 這只是 legacy bridge,不是把所有呼叫強制改經 AwoooP Gateway;T2 後續仍要把新 MCP caller 收斂到 first-class Gateway path。
|
||||
|
||||
---
|
||||
|
||||
### 2026-05-12 晚 (台北) — T3 Ansible declarative executor audit surface 第一段
|
||||
|
||||
**範圍**:
|
||||
- `automation_operation_log.operation_type` CHECK 追加 Ansible executor audit states:
|
||||
`ansible_candidate_matched` / `ansible_check_mode_executed` /
|
||||
`ansible_apply_executed` / `ansible_rollback_executed` /
|
||||
`ansible_execution_skipped`。
|
||||
- 新增 `awooop_ansible_audit_service.py`,把 repo 既有 Ansible playbook catalog 以
|
||||
read-only 方式暴露給 truth-chain。
|
||||
- truth-chain `execution.ansible` 改為顯示:
|
||||
- 是否真的有 `automation_operation_log` Ansible audit record。
|
||||
- audit contract / required fields。
|
||||
- static catalog keyword hints,且 `decision_effect=none`,避免把候選 playbook 誤判成已自動修復。
|
||||
- `incident_timeline_service` 加入 Ansible operation type stage mapping。
|
||||
|
||||
**已驗證**:
|
||||
- 本地 `py_compile` / `ruff F,E9` / `git diff --check` 通過。
|
||||
- `test_awooop_truth_chain_service.py`、router order、operator auth 共 13 passed。
|
||||
- `run-migration.yml` YAML parse 通過;新增 `_down.sql` 會被既有 workflow skip 規則排除。
|
||||
|
||||
**仍未宣稱完成**:
|
||||
- 這不是 Ansible 自動修復執行器接線;目前只建立 first-class audit contract 與 truth-chain 可見性。
|
||||
- 下一段需把 decision / approval execution path 在「只 dry-run/check-mode」下寫入上述 operation types,再談 apply。
|
||||
|
||||
**production 追加**:
|
||||
- Gitea `run-migration` run `1933`:`adr090d_ansible_operation_types.sql` 已成功套用,含 owner fallback。
|
||||
- 同 run 的 `Seed asset_discovery_run (audit)` 仍失敗;新根因是 unquoted heredoc 下 tools JSON literal 還寫成 `'{\"psql\": 1, \"gitea_ci\": 1}'::jsonb`,PostgreSQL 視為非法 JSON。
|
||||
- 後續修正:workflow tools JSON literal 改成 `'{"psql": 1, "gitea_ci": 1}'::jsonb`。
|
||||
- 已補 production `asset_discovery_run` repair audit row(`ci_migration_manual_repair` / `commit_sha=ca80972dc73cb647f8fab3bf9439784c4b8eef7b`)。
|
||||
- Production DB constraint 已確認包含全部 `ansible_*` operation types。
|
||||
- CD 已部署 `ca80972d` image,deploy marker `07000dae`;API/Web/Worker rollout success。
|
||||
- B6C589 truth-chain smoke:`manual_required/blocked`、`mcp_gateway_total=8`、`execution.ansible.considered=false`、`records=0`、not_used_reason 清楚顯示沒有 Ansible audit record。
|
||||
- 下一個 migration push 仍需驗證 `run-migration` audit seed live gate,因本輪 workflow 修正後未再新增 migration 觸發重跑。
|
||||
|
||||
**T3 第二段本地追加**:
|
||||
- `decision_manager` 在 auto-execute / manual-approval 分支新增 best-effort Ansible candidate audit write。
|
||||
- 僅在 catalog 有候選 playbook 時寫 `automation_operation_log`:
|
||||
`operation_type=ansible_candidate_matched`、`status=dry_run`、
|
||||
`input.check_mode=true`、`input.apply_enabled=false`、
|
||||
`output.decision_effect=audit_only`。
|
||||
- 這仍不是 Ansible 執行器;它只讓 truth-chain 能看到 AI decision path 曾考慮 Ansible candidate,以及為何未進入 check-mode/apply。
|
||||
- 本地 `py_compile` / `ruff F,E9` / 14 個 truth-chain/operator/router tests 通過;待推版和 production smoke。
|
||||
|
||||
**T3 第二段 production verified(2026-05-13 台北)**:
|
||||
- `3799e0db feat(awooop): audit ansible decision candidates` 已推 Gitea main,Code Review run `1936` success,CD run `1935` success。
|
||||
- Deploy marker:`90b9ddb7 chore(cd): deploy 3799e0d [skip ci]`。
|
||||
- Production API/Web/Worker image 均為 `3799e0db0d30f29fdc251197634d2fca4c2c67fd`,K3s rollout success,health 200 / `mock_mode=false`。
|
||||
- API pod pure smoke:DockerContainerUnhealthy 事件可產生 `ansible_candidate_matched` audit payload,`candidate_count=2`,`check_mode_executed=false`。
|
||||
- Truth-chain smoke:
|
||||
- `INC-20260512-B6C589` → `manual_required/blocked`,`mcp_gateway_total=8`,`execution.ansible.audit_contract=ansible_executor_audit_v1`,`ansible_candidates=2`。
|
||||
- `7f858956` → `dedup_or_repeat_updated/pending`,`repeat_12h=12`,`outbound_visible=2`。
|
||||
- 邊界:仍未執行 Ansible check-mode / apply / rollback;T3 目前完成的是 first-class candidate audit,而不是修復執行器。
|
||||
|
||||
**T4 Config Drift fingerprint repeat-state production verified(2026-05-13 台北)**:
|
||||
- `5b348774 feat(awooop): expose drift repeat fingerprint` 已推 Gitea main,Code Review run `1938` success,CD run `1937` success。
|
||||
- Deploy marker:`3d38039b chore(cd): deploy 5b34877 [skip ci]`。
|
||||
- 新增 `drift_repeat_state_v1`:以 namespace + sorted drift items 建 stable fingerprint,不再只靠 HIGH/MEDIUM/INFO counts。
|
||||
- Truth-chain drift repeat-state 現在回傳 `fingerprint`、`matching_strategy=namespace_and_stable_items_v1`、`operator_stage`、matching reports。
|
||||
- Telegram drift narrator 會在 card body 補:
|
||||
- `流程: drift_scanned → ai_analyzed → pending_human`
|
||||
- `重複: 12h 內第 N 次同指紋`
|
||||
- `指紋: dfp_xxxxx`
|
||||
- Production `7f858956` smoke:`repeat_schema=drift_repeat_state_v1`、`fingerprint=dfp_02dc625b64784b24`、`operator_stage=pending_human`、`repeat_12h=2`、`outbound_visible=2`。
|
||||
- 重要校正:舊 count-based repeat 看到 12 次,新 stable item fingerprint 證實同一漂移 fingerprint 只有 2 次;12 次只能稱為同計數候選,不能稱為同一漂移。
|
||||
- 邊界:T4 只補可觀測與重複判定,不做 auto-adopt / rollback / ignore。
|
||||
|
||||
---
|
||||
|
||||
### 2026-04-20 晚 (台北) — C1-C4 全流程串接 — Playbook 鏈路保護(commit de2d34d)
|
||||
|
||||
**觸發**:統帥全景盤查 AI 自動化節點後,發現 Playbook 自動修復鏈路有 3 個結構性斷點。
|
||||
|
||||
Reference in New Issue
Block a user