diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 2be71cf19..f48940b5e 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md @@ -1,3 +1,54 @@ +## 2026-06-15|SSH / network / firewall 事故後回讀 Gate + +**背景**:端口、防火牆、NetworkPolicy、NodePort、WireGuard、deploy SSH、sudo 或 alert action 異動可能同時影響 public route、AI provider、monitoring 與跨產品部署。IwoooS 不能把「服務後來恢復」或「頁面可見」誤判成事故已驗收;本階段補上 post-incident readback plan,只建立只讀事故後回讀候選、必填欄位、reviewer checks、outcome lanes、blocked actions 與前台可視化;不 SSH、不讀 live firewall、不改 port / route / Nginx / Docker / systemd、不重啟、不做 active scan、不打 provider endpoint。 + +**完成項目**: +- 新增 `scripts/security/ssh-network-post-incident-readback-plan.py` 與 `docs/security/ssh-network-post-incident-readback-plan.snapshot.json`。 +- 新增 `docs/security/SSH-NETWORK-POST-INCIDENT-READBACK-PLAN.md`,把 14 個端口 / 防火牆事故 surface 轉成事故後回讀計畫。 +- Post-incident readback plan 固定為 candidates `14`、write-capable candidates `6`、policy / exposure candidates `5`、readback fields `30`、required readback fields `24`、reviewer checks `24`、outcome lanes `10`、blocked actions `34`。 +- 必填回讀欄位包含 actor attribution、before / after state、service dependency、public route impact、AI provider impact、monitoring alert impact、operator notification、cross-project sync、restoration evidence、post-check、recurrence guard 與 no-false-green attestation。 +- 所有 post-incident readback received / accepted、actor accepted、before / after accepted、service / public route / AI provider / monitoring impact accepted、notification accepted、cross-project sync accepted、restoration accepted、recurrence guard accepted、no-false-green accepted、runtime gate 與 action button 仍為 `0 / false`。 +- `ssh_firewall_network_access` 只讀成熟度從 `62%` 推進到 `64%`,狀態為 `post_incident_readback_plan_ready_needs_network_owner_evidence`。 +- 高價值配置平均成熟度維持 `70%`;needs-live-evidence 類別維持 `10`。 +- `/zh-TW/iwooos` 前台高價值配置卡片更新為:Docker / systemd 主機服務 `62%`、SSH / network / firewall `64%`、AI provider / model routing `64%`、K8s / ArgoCD GitOps `64%`;`en.json` 維持繁中鏡像。 + +**本地驗證**: +- JSON parse 驗證 `docs/security/ssh-network-post-incident-readback-plan.snapshot.json`、`docs/security/high-value-config-control-coverage.snapshot.json`、`docs/security/iwooos-posture-projection.snapshot.json`、`docs/schemas/iwooos_posture_projection_v1.schema.json`、`apps/web/messages/zh-TW.json`、`apps/web/messages/en.json` 通過。 +- `python3 -m py_compile scripts/security/ssh-network-post-incident-readback-plan.py scripts/security/high-value-config-control-coverage.py scripts/security/iwooos-config-control-guard.py scripts/security/security-mirror-progress-guard.py` 通過。 +- `python3 scripts/security/iwooos-config-control-guard.py --root .` → `IWOOOS_CONFIG_CONTROL_GUARD_OK`。 +- `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。 +- `python3 scripts/security/public-frontend-env-guard.py --root .` → `OK public frontend sensitive surface guard files=225 patterns=12 allowlisted=2 violations=0 runtime_gate=0`。 +- `python3 scripts/security/source-control-owner-response-guard.py --root .` → `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。 +- `python3 scripts/security/package-supply-chain-owner-policy-guard.py --root .` → `PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK`。 +- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea` → `DOC_SECRET_SANITY_OK scanned_files=878`。 +- `pnpm --filter @awoooi/web typecheck` 通過;`apps/web/tsconfig.tsbuildinfo` 只屬 typecheck 快取副作用,未納入提交。 +- `git diff --check` 通過。 + +**Gitea / CD**: +- Code commit:`09aeebb7 feat(iwooos): 新增 SSH network 事故回讀 gate`。 +- Code-review run:`3055`,公開 Actions 頁顯示成功。 +- CD run:`3054`,已回寫 deploy marker;公開 Actions 頁在 marker 回寫後仍短暫顯示 Running,因此本次以 deploy marker 與 production smoke 作為部署真相。 +- Deploy marker:`ebe6b9fe chore(cd): deploy 09aeebb [skip ci]`。 + +**Production 驗證**: +- 內建瀏覽器 attach 逾時,改用本機 Google Chrome headless DevTools protocol 對相同 production URL 做只讀 smoke;未使用登入 token、未讀 secrets、未進行寫操作。 +- HTTP HTML smoke:`/zh-TW/iwooos?_v=ebe6b9fe-ssh-network-prod-html` 回 `200`,必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0`。 +- Chrome desktop `1280x720`:`/zh-TW/iwooos?_v=ebe6b9fe-ssh-network-prod-desktop` 必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0`,`horizontalOverflow=false`,`scrollWidth=1274`,`clientWidth=1274`。 +- Chrome mobile `390x844`:`/zh-TW/iwooos?_v=ebe6b9fe-ssh-network-prod-mobile` 必要文案缺漏 `0`,敏感 / 內部協作片語命中 `0`,`horizontalOverflow=false`,`scrollWidth=390`,`clientWidth=390`。 +- Chrome mobile `390x844` 補充 route smoke:`/zh-TW/governance?tab=automation-inventory`、`/zh-TW/awooop/tenants`、`/zh-TW/code-review` 皆為敏感 / 內部協作片語命中 `0`、頁面級水平溢出 `false`。 +- Chrome 截圖: + - `/tmp/awoooi-iwooos-desktop-1280x720-ebe6b9fe.png` + - `/tmp/awoooi-iwooos-mobile-390x844-ebe6b9fe.png` + +**完成度與邊界**: +- SSH / network / firewall post-incident readback plan:`0% -> 100%`。 +- SSH / network / firewall 只讀成熟度:`62% -> 64%`。 +- 高價值配置平均成熟度:維持 `70%`;needs-live-evidence 類別維持 `10`。 +- IwoooS headline 維持 `64%`;active runtime gate 維持 `0`。 +- post-incident readback received / accepted、actor attribution、before / after、service / public route / AI provider / monitoring impact、operator notification、cross-project sync、restoration evidence、post-check、recurrence guard、no-false-green accepted、runtime gate 與 action button 全部維持 `0 / false`。 +- 本輪未 SSH、未讀 live firewall / live host / raw ACL、未改 firewall / port / route / NetworkPolicy / NodePort / WireGuard、未 reload Nginx、未重啟 Docker / systemd / host、未打 provider endpoint、未執行 active scan、未收 secrets 明文、未 force push。 +- 下一優先:Docker / systemd 主機服務仍為 `62%`,應補 owner-provided live hash / change evidence / rollback / maintenance window;SSH / network 下一步需收事故後回讀包,不得用 route 200 或 UI 可見當成驗收。 + ## 2026-06-15|AI provider / model routing owner response 驗收 Gate **背景**:AI provider、Ollama proxy、fallback 順序、成本預算、隱私資料外送與 Agent replacement 都屬高價值配置;不能因為模型卡、前台健康卡或供應商名稱可見,就誤判為 provider 切換、外部呼叫、付費呼叫、prompt 送出或 runtime gate 已授權。本階段補上 AI provider owner response acceptance,只建立只讀候選、必填欄位、reviewer checks、outcome lanes、blocked actions、模型卡脫敏與前台可視化;不切 provider、不打外部模型、不送 prompt、不做 benchmark live call、不安裝 SDK、不下載模型、不改 Nginx / env / deploy、不碰 host。