Files
awoooi/docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md
Your Name 41f5ff1a38
All checks were successful
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m40s
CD Pipeline / build-and-deploy (push) Successful in 6m17s
CD Pipeline / post-deploy-checks (push) Successful in 1m35s
feat(iwooos): 強化主機服務事故回補 gate
2026-06-15 14:51:25 +08:00

11 KiB
Raw Permalink Blame History

IwoooS Docker / systemd / 主機服務 Owner Response Acceptance

項目 內容
日期 2026-06-14
狀態 owner_response_acceptance_ledger_ready_no_runtime_action
工具 scripts/security/host-service-owner-response-acceptance.py
輸入 docs/security/host-service-config-inventory.snapshot.jsondocs/security/host-service-owner-request-draft.snapshot.json
Snapshot docs/security/host-service-owner-response-acceptance.snapshot.json
runtime gate 0

1. 目的

Docker / systemd / host service config 會直接影響 110 / 188 的 Compose stack、repair-bot、Ansible service role、host config backup 與服務 restart 邊界。既有 repo-only 清冊與 owner request draft 已完成,但若缺少 owner response acceptance 帳本,後續容易把未驗收回覆誤判成 live host read、docker composesystemctl、repair-bot、Ansible、sudo 或 host write 授權。

本文件只定義 owner response 如何收件、補證、隔離、拒收與進 reviewer review。它不是 request sent、不是 owner response received、不是 accepted response、不是 live host read、不是 Docker / systemd 操作,也不是 repair-bot、Ansible、SSH、host write、production write 或 runtime gate 授權。

2. 摘要

指標 說明
acceptance candidate count 9 9 個 host service surface
write-capable candidate count 3 Ansible role、110 repair-bot、188 repair-bot
live evidence required candidate count 8 local dev compose 之外都需 owner-provided live hash / disposition
acceptance field count 34 每份 candidate 的 metadata-only 欄位
required owner field count 18 owner / decision / scope / redacted refs / live hash / windows / rollback / post-check / disable switch / source-of-truth / 依賴 / port / cold-start / incident / contention
reviewer check count 21 owner、scope、redaction、secret、live hash、restart window、rollback、post-check、事故回補、runtime request 檢查
outcome lane count 8 waiting、quarantine、reject、supplement、incident backfill、host service review、read-only update、waiting runtime gate
blocked action count 27 SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、silent restart、active scan 等
owner response received / accepted 0 / 0 尚未收到,尚未驗收
live host read / Docker / systemctl / repair-bot / Ansible 0 / 0 / 0 / 0 / 0 尚未批准且未執行
runtime gate / action button 0 / 0 未開啟

3. 九份驗收候選

Acceptance candidate Host scope 類型 驗收焦點
host_service_owner_response_acceptance:local_dev_compose local_dev_only Docker Compose dev-only disposition、不得誤用 production、secret placeholder policy
host_service_owner_response_acceptance:monitoring_110_compose 192.168.0.110 Docker Compose live hash ref、restart window、rollback owner、post-check 指標
host_service_owner_response_acceptance:monitoring_exporters_188_compose 192.168.0.188 Docker Compose exporter env source、live hash ref、rollback owner
host_service_owner_response_acceptance:sentry_110_reference_compose 192.168.0.110 reference compose actual source-of-truth、official revision、backup path、rollback owner
host_service_owner_response_acceptance:langfuse_110_compose 192.168.0.110 Docker Compose live hash ref、secret placeholder disposition、restart window、rollback owner
host_service_owner_response_acceptance:ansible_docker_compose_service_role multi_host Ansible executor role allowed service_dir、check-mode、人工 gate、rollback owner
host_service_owner_response_acceptance:repair_bot_110_whitelist 192.168.0.110 repair whitelist authorized_keys binding、disable switch、audit log、post-check
host_service_owner_response_acceptance:repair_bot_188_whitelist 192.168.0.188 repair whitelist systemd restart approval gate、sudoers boundary、disable switch、route smoke
host_service_owner_response_acceptance:config_backup_host_capture 110_188_120_121_cluster config backup capture latest backup status、restore drill owner、secret handling proof

4. Owner response 必填欄位

欄位 規則
owner_role_or_team 只填角色或團隊,不填私人聯絡資料或 credential
decision 允許 confirmdeferrejectrequest_more_evidence
decision_reason 摘要說明,不貼 raw compose、env dump、systemd unit、secret 或 log payload
affected_scope 明確列出 host scope、service scope、repo source、runtime 影響範圍
redacted_evidence_refs 只接受脫敏 ref、ticket id、文件路徑、hash 或摘要
live_config_hash_ref 只能是 owner-provided metadata ref不得貼 raw live config
maintenance_window 未來 live read、restart、repair-bot 或 Ansible 動作的窗口;本 response 不開執行權
restart_window restart / reload window 必須與 action 分離,不得自動執行
rollback_owner 未來若進變更的 rollback owner
post_check_plan 服務健康、route、queue、log、error budget 與 rollback 停止條件
disable_switch repair-bot、Ansible role 或 service config 的停用方式 / freeze rule
config_source_of_truth_ref repo source、live source、runner source 與 backup source 的脫敏真相來源 ref
service_dependency_map_ref 上游、下游、資料庫、queue、registry、AI provider 與 public route 依賴 ref
port_binding_inventory_ref host port、container port、proxy 與 firewall exposure inventory ref
cold_start_sequence_ref Docker daemon、compose stack、systemd unit、runner 與 post-check 的冷啟動 / recovery 順序 ref
incident_recovery_evidence_ref 服務異常、重啟或端口事故的恢復時間、服務健康、route health 與 operator notice ref
daemon_runner_contention_ref Docker daemon、iptables / xtables、runner、repair-bot、backup job 或 compose action 的競爭風險 ref
followup_owner 後續補證、reviewer 或 runtime gate 負責角色

5. Reviewer checks

Check 說明
owner_identity_present owner role / team 必須可追溯
decision_reason_present decision 與 reason 必須同時存在
affected_scope_matches_surface affected scope 必須能對回 committed surface_id
redacted_refs_only evidence 只能是脫敏 ref、ticket、hash、文件路徑或摘要
secret_value_absent 不得出現 token、password、cookie、private key、env dump 或 partial secret
live_config_hash_metadata_only live config hash 只能是 metadata ref不得貼 raw live config
maintenance_window_present 未來 host read、restart、repair-bot 或 Ansible 動作需獨立維護窗口
restart_window_separate_from_action restart window 與 docker / systemctl action 必須分離
rollback_owner_present rollback owner、rollback ref 或 disable path 必須存在
post_check_plan_present post-check 必須列服務健康、route、queue、log 與 rollback 停止條件
disable_switch_present repair-bot、Ansible role 或 service config 需有 disable switch 或 freeze rule
config_source_of_truth_present 必須提供 repo / live / runner / backup source-of-truth ref
service_dependency_map_present 必須提供服務依賴圖 ref
port_binding_inventory_present 必須提供 host / container / proxy / firewall port binding inventory ref
cold_start_sequence_present 必須提供 cold-start / recovery sequence ref
incident_recovery_evidence_present 涉及服務異常、重啟或端口事故時必須提供恢復與健康證據 ref
daemon_runner_contention_reviewed 必須說明 Docker daemon、iptables、runner、repair-bot、backup job 或 compose action 是否競爭
silent_restart_not_accepted 沒有 actor、原因、依賴圖、port inventory、回滾與 post-check 的 restart / reload 不可接受
write_capable_requires_extra_review write-capable surface 必須進額外 reviewer review
no_runtime_request 夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收
counts_transition_safe 只有 reviewer record 可更新 received / accepted / rejected且不得開 runtime gate

6. Outcome lanes

Lane 意義
waiting_owner_response 尚未收到 owner response
quarantine_secret_or_raw_payload 收到 secret、env dump、raw compose、raw systemd unit 或未脫敏 host config 時隔離
reject_execution_request 夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收
request_supplement 欄位不足、scope 不清、live hash ref / rollback / post-check 缺失時要求補件
incident_recovery_backfill_required 涉及服務異常、靜默重啟、端口事故或 cold-start recovery 時,必須進事故回補
ready_for_host_service_review metadata 合格後,只能進 host service reviewer review
owner_review_only_update 只允許更新只讀 owner review ledger
waiting_runtime_gate 即使 owner response acceptedruntime gate 仍等待獨立人工批准

7. 禁止事項

  1. 不 SSH read / write。
  2. 不執行 docker compose up/down/pull
  3. 不執行 systemctl restart/reload
  4. 不呼叫 repair-bot。
  5. 不跑 Ansible apply。
  6. 不做 sudo action、host file write 或 firewall change。
  7. 不保存 raw live config、env dump、secret value、未脫敏 log 或 shell history。
  8. 不把 restart window、maintenance window 或 owner response 當成 runtime approval。
  9. 不開 runtime gate不建立 action button。
  10. 不接受靜默 restart / reload。
  11. 不把服務目前 healthy 當成 config 已驗收。
  12. 不跳過 source-of-truth、服務依賴圖、port binding、cold-start sequence 或 daemon / runner contention review。

8. 指令

產生 committed snapshot

python3 scripts/security/host-service-owner-response-acceptance.py \
  --root . \
  --inventory-report docs/security/host-service-config-inventory.snapshot.json \
  --owner-request-report docs/security/host-service-owner-request-draft.snapshot.json \
  --output docs/security/host-service-owner-response-acceptance.snapshot.json \
  --generated-at 2026-06-15T14:45:00+08:00

驗證 guard

python3 scripts/security/security-mirror-progress-guard.py --root .

9. 完成度

工作 完成度 說明
owner response acceptance ledger artifact 100% 產生器、snapshot 與文件已固定
Docker / systemd / host service 只讀治理成熟度 54% -> 58% 事故恢復、依賴圖、port binding、cold-start、source-of-truth 與 daemon / runner 競爭回補已納入;不代表 live evidence 或 runtime action
owner response received / accepted 0% 尚未收到,尚未驗收
live config hash accepted 0% 尚未收到 owner-provided metadata ref
live host read / SSH 0% 尚未批准且未執行
Docker / systemd / repair-bot / Ansible 0% 尚未批准且未執行
runtime gate / host write 0% 未授權且未執行