# IwoooS Docker / systemd / 主機服務 Owner Response Acceptance | 項目 | 內容 | |------|------| | 日期 | 2026-06-14 | | 狀態 | `owner_response_acceptance_ledger_ready_no_runtime_action` | | 工具 | `scripts/security/host-service-owner-response-acceptance.py` | | 輸入 | `docs/security/host-service-config-inventory.snapshot.json`、`docs/security/host-service-owner-request-draft.snapshot.json` | | Snapshot | `docs/security/host-service-owner-response-acceptance.snapshot.json` | | runtime gate | `0` | ## 1. 目的 Docker / systemd / host service config 會直接影響 110 / 188 的 Compose stack、repair-bot、Ansible service role、host config backup 與服務 restart 邊界。既有 repo-only 清冊與 owner request draft 已完成,但若缺少 owner response acceptance 帳本,後續容易把未驗收回覆誤判成 live host read、`docker compose`、`systemctl`、repair-bot、Ansible、sudo 或 host write 授權。 本文件只定義 owner response 如何收件、補證、隔離、拒收與進 reviewer review。它不是 request sent、不是 owner response received、不是 accepted response、不是 live host read、不是 Docker / systemd 操作,也不是 repair-bot、Ansible、SSH、host write、production write 或 runtime gate 授權。 ## 2. 摘要 | 指標 | 值 | 說明 | |------|----|------| | acceptance candidate count | `9` | 9 個 host service surface | | write-capable candidate count | `3` | Ansible role、110 repair-bot、188 repair-bot | | live evidence required candidate count | `8` | local dev compose 之外都需 owner-provided live hash / disposition | | acceptance field count | `34` | 每份 candidate 的 metadata-only 欄位 | | required owner field count | `18` | owner / decision / scope / redacted refs / live hash / windows / rollback / post-check / disable switch / source-of-truth / 依賴 / port / cold-start / incident / contention | | reviewer check count | `21` | owner、scope、redaction、secret、live hash、restart window、rollback、post-check、事故回補、runtime request 檢查 | | outcome lane count | `8` | waiting、quarantine、reject、supplement、incident backfill、host service review、read-only update、waiting runtime gate | | blocked action count | `27` | SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、silent restart、active scan 等 | | owner response received / accepted | `0 / 0` | 尚未收到,尚未驗收 | | live host read / Docker / systemctl / repair-bot / Ansible | `0 / 0 / 0 / 0 / 0` | 尚未批准且未執行 | | runtime gate / action button | `0 / 0` | 未開啟 | ## 3. 九份驗收候選 | Acceptance candidate | Host scope | 類型 | 驗收焦點 | |----------------------|------------|------|----------| | `host_service_owner_response_acceptance:local_dev_compose` | `local_dev_only` | Docker Compose | dev-only disposition、不得誤用 production、secret placeholder policy | | `host_service_owner_response_acceptance:monitoring_110_compose` | `192.168.0.110` | Docker Compose | live hash ref、restart window、rollback owner、post-check 指標 | | `host_service_owner_response_acceptance:monitoring_exporters_188_compose` | `192.168.0.188` | Docker Compose | exporter env source、live hash ref、rollback owner | | `host_service_owner_response_acceptance:sentry_110_reference_compose` | `192.168.0.110` | reference compose | actual source-of-truth、official revision、backup path、rollback owner | | `host_service_owner_response_acceptance:langfuse_110_compose` | `192.168.0.110` | Docker Compose | live hash ref、secret placeholder disposition、restart window、rollback owner | | `host_service_owner_response_acceptance:ansible_docker_compose_service_role` | `multi_host` | Ansible executor role | allowed service_dir、check-mode、人工 gate、rollback owner | | `host_service_owner_response_acceptance:repair_bot_110_whitelist` | `192.168.0.110` | repair whitelist | authorized_keys binding、disable switch、audit log、post-check | | `host_service_owner_response_acceptance:repair_bot_188_whitelist` | `192.168.0.188` | repair whitelist | systemd restart approval gate、sudoers boundary、disable switch、route smoke | | `host_service_owner_response_acceptance:config_backup_host_capture` | `110_188_120_121_cluster` | config backup capture | latest backup status、restore drill owner、secret handling proof | ## 4. Owner response 必填欄位 | 欄位 | 規則 | |------|------| | `owner_role_or_team` | 只填角色或團隊,不填私人聯絡資料或 credential | | `decision` | 允許 `confirm`、`defer`、`reject`、`request_more_evidence` | | `decision_reason` | 摘要說明,不貼 raw compose、env dump、systemd unit、secret 或 log payload | | `affected_scope` | 明確列出 host scope、service scope、repo source、runtime 影響範圍 | | `redacted_evidence_refs` | 只接受脫敏 ref、ticket id、文件路徑、hash 或摘要 | | `live_config_hash_ref` | 只能是 owner-provided metadata ref,不得貼 raw live config | | `maintenance_window` | 未來 live read、restart、repair-bot 或 Ansible 動作的窗口;本 response 不開執行權 | | `restart_window` | restart / reload window 必須與 action 分離,不得自動執行 | | `rollback_owner` | 未來若進變更的 rollback owner | | `post_check_plan` | 服務健康、route、queue、log、error budget 與 rollback 停止條件 | | `disable_switch` | repair-bot、Ansible role 或 service config 的停用方式 / freeze rule | | `config_source_of_truth_ref` | repo source、live source、runner source 與 backup source 的脫敏真相來源 ref | | `service_dependency_map_ref` | 上游、下游、資料庫、queue、registry、AI provider 與 public route 依賴 ref | | `port_binding_inventory_ref` | host port、container port、proxy 與 firewall exposure inventory ref | | `cold_start_sequence_ref` | Docker daemon、compose stack、systemd unit、runner 與 post-check 的冷啟動 / recovery 順序 ref | | `incident_recovery_evidence_ref` | 服務異常、重啟或端口事故的恢復時間、服務健康、route health 與 operator notice ref | | `daemon_runner_contention_ref` | Docker daemon、iptables / xtables、runner、repair-bot、backup job 或 compose action 的競爭風險 ref | | `followup_owner` | 後續補證、reviewer 或 runtime gate 負責角色 | ## 5. Reviewer checks | Check | 說明 | |-------|------| | `owner_identity_present` | owner role / team 必須可追溯 | | `decision_reason_present` | decision 與 reason 必須同時存在 | | `affected_scope_matches_surface` | affected scope 必須能對回 committed surface_id | | `redacted_refs_only` | evidence 只能是脫敏 ref、ticket、hash、文件路徑或摘要 | | `secret_value_absent` | 不得出現 token、password、cookie、private key、env dump 或 partial secret | | `live_config_hash_metadata_only` | live config hash 只能是 metadata ref,不得貼 raw live config | | `maintenance_window_present` | 未來 host read、restart、repair-bot 或 Ansible 動作需獨立維護窗口 | | `restart_window_separate_from_action` | restart window 與 docker / systemctl action 必須分離 | | `rollback_owner_present` | rollback owner、rollback ref 或 disable path 必須存在 | | `post_check_plan_present` | post-check 必須列服務健康、route、queue、log 與 rollback 停止條件 | | `disable_switch_present` | repair-bot、Ansible role 或 service config 需有 disable switch 或 freeze rule | | `config_source_of_truth_present` | 必須提供 repo / live / runner / backup source-of-truth ref | | `service_dependency_map_present` | 必須提供服務依賴圖 ref | | `port_binding_inventory_present` | 必須提供 host / container / proxy / firewall port binding inventory ref | | `cold_start_sequence_present` | 必須提供 cold-start / recovery sequence ref | | `incident_recovery_evidence_present` | 涉及服務異常、重啟或端口事故時必須提供恢復與健康證據 ref | | `daemon_runner_contention_reviewed` | 必須說明 Docker daemon、iptables、runner、repair-bot、backup job 或 compose action 是否競爭 | | `silent_restart_not_accepted` | 沒有 actor、原因、依賴圖、port inventory、回滾與 post-check 的 restart / reload 不可接受 | | `write_capable_requires_extra_review` | write-capable surface 必須進額外 reviewer review | | `no_runtime_request` | 夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收 | | `counts_transition_safe` | 只有 reviewer record 可更新 received / accepted / rejected,且不得開 runtime gate | ## 6. Outcome lanes | Lane | 意義 | |------|------| | `waiting_owner_response` | 尚未收到 owner response | | `quarantine_secret_or_raw_payload` | 收到 secret、env dump、raw compose、raw systemd unit 或未脫敏 host config 時隔離 | | `reject_execution_request` | 夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收 | | `request_supplement` | 欄位不足、scope 不清、live hash ref / rollback / post-check 缺失時要求補件 | | `incident_recovery_backfill_required` | 涉及服務異常、靜默重啟、端口事故或 cold-start recovery 時,必須進事故回補 | | `ready_for_host_service_review` | metadata 合格後,只能進 host service reviewer review | | `owner_review_only_update` | 只允許更新只讀 owner review ledger | | `waiting_runtime_gate` | 即使 owner response accepted,runtime gate 仍等待獨立人工批准 | ## 7. 禁止事項 1. 不 SSH read / write。 2. 不執行 `docker compose up/down/pull`。 3. 不執行 `systemctl restart/reload`。 4. 不呼叫 repair-bot。 5. 不跑 Ansible apply。 6. 不做 sudo action、host file write 或 firewall change。 7. 不保存 raw live config、env dump、secret value、未脫敏 log 或 shell history。 8. 不把 restart window、maintenance window 或 owner response 當成 runtime approval。 9. 不開 runtime gate,不建立 action button。 10. 不接受靜默 restart / reload。 11. 不把服務目前 healthy 當成 config 已驗收。 12. 不跳過 source-of-truth、服務依賴圖、port binding、cold-start sequence 或 daemon / runner contention review。 ## 8. 指令 產生 committed snapshot: ```bash python3 scripts/security/host-service-owner-response-acceptance.py \ --root . \ --inventory-report docs/security/host-service-config-inventory.snapshot.json \ --owner-request-report docs/security/host-service-owner-request-draft.snapshot.json \ --output docs/security/host-service-owner-response-acceptance.snapshot.json \ --generated-at 2026-06-15T14:45:00+08:00 ``` 驗證 guard: ```bash python3 scripts/security/security-mirror-progress-guard.py --root . ``` ## 9. 完成度 | 工作 | 完成度 | 說明 | |------|--------|------| | owner response acceptance ledger artifact | `100%` | 產生器、snapshot 與文件已固定 | | Docker / systemd / host service 只讀治理成熟度 | `54% -> 58%` | 事故恢復、依賴圖、port binding、cold-start、source-of-truth 與 daemon / runner 競爭回補已納入;不代表 live evidence 或 runtime action | | owner response received / accepted | `0%` | 尚未收到,尚未驗收 | | live config hash accepted | `0%` | 尚未收到 owner-provided metadata ref | | live host read / SSH | `0%` | 尚未批准且未執行 | | Docker / systemd / repair-bot / Ansible | `0%` | 尚未批准且未執行 | | runtime gate / host write | `0%` | 未授權且未執行 |