docs(iwooos): 記錄 SSH network 事故回讀 gate [skip ci]
This commit is contained in:
@@ -1,3 +1,54 @@
|
||||
## 2026-06-15|SSH / network / firewall 事故後回讀 Gate
|
||||
|
||||
**背景**:端口、防火牆、NetworkPolicy、NodePort、WireGuard、deploy SSH、sudo 或 alert action 異動可能同時影響 public route、AI provider、monitoring 與跨產品部署。IwoooS 不能把「服務後來恢復」或「頁面可見」誤判成事故已驗收;本階段補上 post-incident readback plan,只建立只讀事故後回讀候選、必填欄位、reviewer checks、outcome lanes、blocked actions 與前台可視化;不 SSH、不讀 live firewall、不改 port / route / Nginx / Docker / systemd、不重啟、不做 active scan、不打 provider endpoint。
|
||||
|
||||
**完成項目**:
|
||||
- 新增 `scripts/security/ssh-network-post-incident-readback-plan.py` 與 `docs/security/ssh-network-post-incident-readback-plan.snapshot.json`。
|
||||
- 新增 `docs/security/SSH-NETWORK-POST-INCIDENT-READBACK-PLAN.md`,把 14 個端口 / 防火牆事故 surface 轉成事故後回讀計畫。
|
||||
- Post-incident readback plan 固定為 candidates `14`、write-capable candidates `6`、policy / exposure candidates `5`、readback fields `30`、required readback fields `24`、reviewer checks `24`、outcome lanes `10`、blocked actions `34`。
|
||||
- 必填回讀欄位包含 actor attribution、before / after state、service dependency、public route impact、AI provider impact、monitoring alert impact、operator notification、cross-project sync、restoration evidence、post-check、recurrence guard 與 no-false-green attestation。
|
||||
- 所有 post-incident readback received / accepted、actor accepted、before / after accepted、service / public route / AI provider / monitoring impact accepted、notification accepted、cross-project sync accepted、restoration accepted、recurrence guard accepted、no-false-green accepted、runtime gate 與 action button 仍為 `0 / false`。
|
||||
- `ssh_firewall_network_access` 只讀成熟度從 `62%` 推進到 `64%`,狀態為 `post_incident_readback_plan_ready_needs_network_owner_evidence`。
|
||||
- 高價值配置平均成熟度維持 `70%`;needs-live-evidence 類別維持 `10`。
|
||||
- `/zh-TW/iwooos` 前台高價值配置卡片更新為:Docker / systemd 主機服務 `62%`、SSH / network / firewall `64%`、AI provider / model routing `64%`、K8s / ArgoCD GitOps `64%`;`en.json` 維持繁中鏡像。
|
||||
|
||||
**本地驗證**:
|
||||
- JSON parse 驗證 `docs/security/ssh-network-post-incident-readback-plan.snapshot.json`、`docs/security/high-value-config-control-coverage.snapshot.json`、`docs/security/iwooos-posture-projection.snapshot.json`、`docs/schemas/iwooos_posture_projection_v1.schema.json`、`apps/web/messages/zh-TW.json`、`apps/web/messages/en.json` 通過。
|
||||
- `python3 -m py_compile scripts/security/ssh-network-post-incident-readback-plan.py scripts/security/high-value-config-control-coverage.py scripts/security/iwooos-config-control-guard.py scripts/security/security-mirror-progress-guard.py` 通過。
|
||||
- `python3 scripts/security/iwooos-config-control-guard.py --root .` → `IWOOOS_CONFIG_CONTROL_GUARD_OK`。
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。
|
||||
- `python3 scripts/security/public-frontend-env-guard.py --root .` → `OK public frontend sensitive surface guard files=225 patterns=12 allowlisted=2 violations=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/source-control-owner-response-guard.py --root .` → `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。
|
||||
- `python3 scripts/security/package-supply-chain-owner-policy-guard.py --root .` → `PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK`。
|
||||
- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea` → `DOC_SECRET_SANITY_OK scanned_files=878`。
|
||||
- `pnpm --filter @awoooi/web typecheck` 通過;`apps/web/tsconfig.tsbuildinfo` 只屬 typecheck 快取副作用,未納入提交。
|
||||
- `git diff --check` 通過。
|
||||
|
||||
**Gitea / CD**:
|
||||
- Code commit:`09aeebb7 feat(iwooos): 新增 SSH network 事故回讀 gate`。
|
||||
- Code-review run:`3055`,公開 Actions 頁顯示成功。
|
||||
- CD run:`3054`,已回寫 deploy marker;公開 Actions 頁在 marker 回寫後仍短暫顯示 Running,因此本次以 deploy marker 與 production smoke 作為部署真相。
|
||||
- Deploy marker:`ebe6b9fe chore(cd): deploy 09aeebb [skip ci]`。
|
||||
|
||||
**Production 驗證**:
|
||||
- 內建瀏覽器 attach 逾時,改用本機 Google Chrome headless DevTools protocol 對相同 production URL 做只讀 smoke;未使用登入 token、未讀 secrets、未進行寫操作。
|
||||
- HTTP HTML smoke:`/zh-TW/iwooos?_v=ebe6b9fe-ssh-network-prod-html` 回 `200`,必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0`。
|
||||
- Chrome desktop `1280x720`:`/zh-TW/iwooos?_v=ebe6b9fe-ssh-network-prod-desktop` 必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0`,`horizontalOverflow=false`,`scrollWidth=1274`,`clientWidth=1274`。
|
||||
- Chrome mobile `390x844`:`/zh-TW/iwooos?_v=ebe6b9fe-ssh-network-prod-mobile` 必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0`,`horizontalOverflow=false`,`scrollWidth=390`,`clientWidth=390`。
|
||||
- Chrome mobile `390x844` 補充 route smoke:`/zh-TW/governance?tab=automation-inventory`、`/zh-TW/awooop/tenants`、`/zh-TW/code-review` 皆為敏感 / 內部協作片語命中 `0`、頁面級水平溢出 `false`。
|
||||
- Chrome 截圖:
|
||||
- `/tmp/awoooi-iwooos-desktop-1280x720-ebe6b9fe.png`
|
||||
- `/tmp/awoooi-iwooos-mobile-390x844-ebe6b9fe.png`
|
||||
|
||||
**完成度與邊界**:
|
||||
- SSH / network / firewall post-incident readback plan:`0% -> 100%`。
|
||||
- SSH / network / firewall 只讀成熟度:`62% -> 64%`。
|
||||
- 高價值配置平均成熟度:維持 `70%`;needs-live-evidence 類別維持 `10`。
|
||||
- IwoooS headline 維持 `64%`;active runtime gate 維持 `0`。
|
||||
- post-incident readback received / accepted、actor attribution、before / after、service / public route / AI provider / monitoring impact、operator notification、cross-project sync、restoration evidence、post-check、recurrence guard、no-false-green accepted、runtime gate 與 action button 全部維持 `0 / false`。
|
||||
- 本輪未 SSH、未讀 live firewall / live host / raw ACL、未改 firewall / port / route / NetworkPolicy / NodePort / WireGuard、未 reload Nginx、未重啟 Docker / systemd / host、未打 provider endpoint、未執行 active scan、未收 secrets 明文、未 force push。
|
||||
- 下一優先:Docker / systemd 主機服務仍為 `62%`,應補 owner-provided live hash / change evidence / rollback / maintenance window;SSH / network 下一步需收事故後回讀包,不得用 route 200 或 UI 可見當成驗收。
|
||||
|
||||
## 2026-06-15|AI provider / model routing owner response 驗收 Gate
|
||||
|
||||
**背景**:AI provider、Ollama proxy、fallback 順序、成本預算、隱私資料外送與 Agent replacement 都屬高價值配置;不能因為模型卡、前台健康卡或供應商名稱可見,就誤判為 provider 切換、外部呼叫、付費呼叫、prompt 送出或 runtime gate 已授權。本階段補上 AI provider owner response acceptance,只建立只讀候選、必填欄位、reviewer checks、outcome lanes、blocked actions、模型卡脫敏與前台可視化;不切 provider、不打外部模型、不送 prompt、不做 benchmark live call、不安裝 SDK、不下載模型、不改 Nginx / env / deploy、不碰 host。
|
||||
|
||||
Reference in New Issue
Block a user