docs(iwooos): 記錄 SSH network 事故回讀 gate [skip ci]

This commit is contained in:
Your Name
2026-06-15 19:40:03 +08:00
parent ebe6b9fe32
commit c641d1b2a0

View File

@@ -1,3 +1,54 @@
## 2026-06-15SSH / network / firewall 事故後回讀 Gate
**背景**端口、防火牆、NetworkPolicy、NodePort、WireGuard、deploy SSH、sudo 或 alert action 異動可能同時影響 public route、AI provider、monitoring 與跨產品部署。IwoooS 不能把「服務後來恢復」或「頁面可見」誤判成事故已驗收;本階段補上 post-incident readback plan只建立只讀事故後回讀候選、必填欄位、reviewer checks、outcome lanes、blocked actions 與前台可視化;不 SSH、不讀 live firewall、不改 port / route / Nginx / Docker / systemd、不重啟、不做 active scan、不打 provider endpoint。
**完成項目**
- 新增 `scripts/security/ssh-network-post-incident-readback-plan.py``docs/security/ssh-network-post-incident-readback-plan.snapshot.json`
- 新增 `docs/security/SSH-NETWORK-POST-INCIDENT-READBACK-PLAN.md`,把 14 個端口 / 防火牆事故 surface 轉成事故後回讀計畫。
- Post-incident readback plan 固定為 candidates `14`、write-capable candidates `6`、policy / exposure candidates `5`、readback fields `30`、required readback fields `24`、reviewer checks `24`、outcome lanes `10`、blocked actions `34`
- 必填回讀欄位包含 actor attribution、before / after state、service dependency、public route impact、AI provider impact、monitoring alert impact、operator notification、cross-project sync、restoration evidence、post-check、recurrence guard 與 no-false-green attestation。
- 所有 post-incident readback received / accepted、actor accepted、before / after accepted、service / public route / AI provider / monitoring impact accepted、notification accepted、cross-project sync accepted、restoration accepted、recurrence guard accepted、no-false-green accepted、runtime gate 與 action button 仍為 `0 / false`
- `ssh_firewall_network_access` 只讀成熟度從 `62%` 推進到 `64%`,狀態為 `post_incident_readback_plan_ready_needs_network_owner_evidence`
- 高價值配置平均成熟度維持 `70%`needs-live-evidence 類別維持 `10`
- `/zh-TW/iwooos` 前台高價值配置卡片更新為Docker / systemd 主機服務 `62%`、SSH / network / firewall `64%`、AI provider / model routing `64%`、K8s / ArgoCD GitOps `64%``en.json` 維持繁中鏡像。
**本地驗證**
- JSON parse 驗證 `docs/security/ssh-network-post-incident-readback-plan.snapshot.json``docs/security/high-value-config-control-coverage.snapshot.json``docs/security/iwooos-posture-projection.snapshot.json``docs/schemas/iwooos_posture_projection_v1.schema.json``apps/web/messages/zh-TW.json``apps/web/messages/en.json` 通過。
- `python3 -m py_compile scripts/security/ssh-network-post-incident-readback-plan.py scripts/security/high-value-config-control-coverage.py scripts/security/iwooos-config-control-guard.py scripts/security/security-mirror-progress-guard.py` 通過。
- `python3 scripts/security/iwooos-config-control-guard.py --root .``IWOOOS_CONFIG_CONTROL_GUARD_OK`
- `python3 scripts/security/security-mirror-progress-guard.py --root .``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- `python3 scripts/security/public-frontend-env-guard.py --root .``OK public frontend sensitive surface guard files=225 patterns=12 allowlisted=2 violations=0 runtime_gate=0`
- `python3 scripts/security/source-control-owner-response-guard.py --root .``SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`
- `python3 scripts/security/package-supply-chain-owner-policy-guard.py --root .``PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK`
- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea``DOC_SECRET_SANITY_OK scanned_files=878`
- `pnpm --filter @awoooi/web typecheck` 通過;`apps/web/tsconfig.tsbuildinfo` 只屬 typecheck 快取副作用,未納入提交。
- `git diff --check` 通過。
**Gitea / CD**
- Code commit`09aeebb7 feat(iwooos): 新增 SSH network 事故回讀 gate`
- Code-review run`3055`,公開 Actions 頁顯示成功。
- CD run`3054`,已回寫 deploy marker公開 Actions 頁在 marker 回寫後仍短暫顯示 Running因此本次以 deploy marker 與 production smoke 作為部署真相。
- Deploy marker`ebe6b9fe chore(cd): deploy 09aeebb [skip ci]`
**Production 驗證**
- 內建瀏覽器 attach 逾時,改用本機 Google Chrome headless DevTools protocol 對相同 production URL 做只讀 smoke未使用登入 token、未讀 secrets、未進行寫操作。
- HTTP HTML smoke`/zh-TW/iwooos?_v=ebe6b9fe-ssh-network-prod-html``200`,必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0`
- Chrome desktop `1280x720``/zh-TW/iwooos?_v=ebe6b9fe-ssh-network-prod-desktop` 必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0``horizontalOverflow=false``scrollWidth=1274``clientWidth=1274`
- Chrome mobile `390x844``/zh-TW/iwooos?_v=ebe6b9fe-ssh-network-prod-mobile` 必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0``horizontalOverflow=false``scrollWidth=390``clientWidth=390`
- Chrome mobile `390x844` 補充 route smoke`/zh-TW/governance?tab=automation-inventory``/zh-TW/awooop/tenants``/zh-TW/code-review` 皆為敏感 / 內部協作片語命中 `0`、頁面級水平溢出 `false`
- Chrome 截圖:
- `/tmp/awoooi-iwooos-desktop-1280x720-ebe6b9fe.png`
- `/tmp/awoooi-iwooos-mobile-390x844-ebe6b9fe.png`
**完成度與邊界**
- SSH / network / firewall post-incident readback plan`0% -> 100%`
- SSH / network / firewall 只讀成熟度:`62% -> 64%`
- 高價值配置平均成熟度:維持 `70%`needs-live-evidence 類別維持 `10`
- IwoooS headline 維持 `64%`active runtime gate 維持 `0`
- post-incident readback received / accepted、actor attribution、before / after、service / public route / AI provider / monitoring impact、operator notification、cross-project sync、restoration evidence、post-check、recurrence guard、no-false-green accepted、runtime gate 與 action button 全部維持 `0 / false`
- 本輪未 SSH、未讀 live firewall / live host / raw ACL、未改 firewall / port / route / NetworkPolicy / NodePort / WireGuard、未 reload Nginx、未重啟 Docker / systemd / host、未打 provider endpoint、未執行 active scan、未收 secrets 明文、未 force push。
- 下一優先Docker / systemd 主機服務仍為 `62%`,應補 owner-provided live hash / change evidence / rollback / maintenance windowSSH / network 下一步需收事故後回讀包,不得用 route 200 或 UI 可見當成驗收。
## 2026-06-15AI provider / model routing owner response 驗收 Gate
**背景**AI provider、Ollama proxy、fallback 順序、成本預算、隱私資料外送與 Agent replacement 都屬高價值配置;不能因為模型卡、前台健康卡或供應商名稱可見,就誤判為 provider 切換、外部呼叫、付費呼叫、prompt 送出或 runtime gate 已授權。本階段補上 AI provider owner response acceptance只建立只讀候選、必填欄位、reviewer checks、outcome lanes、blocked actions、模型卡脫敏與前台可視化不切 provider、不打外部模型、不送 prompt、不做 benchmark live call、不安裝 SDK、不下載模型、不改 Nginx / env / deploy、不碰 host。