awoooi/docs/evaluations/backup_dr_readiness_matrix_2026-06-04.json
Your Name 750e269ffb
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Failing after 31s
CD Pipeline / build-and-deploy (push) Has been skipped
CD Pipeline / post-deploy-checks (push) Has been skipped
AI 技術雷達監控 / ai-technology-watch (push) Successful in 41s
fix(api): close stale backup config blocker
2026-06-30 01:58:08 +08:00

334 lines
16 KiB
JSON

{
"schema_version": "backup_dr_readiness_matrix_v1",
"generated_at": "2026-06-04T15:46:59+08:00",
"source_target_inventory_ref": "docs/evaluations/backup_dr_target_inventory_2026-06-04.json",
"source_refs": [
"docs/runbooks/BACKUP-STATUS.md",
"docs/evaluations/backup_dr_target_inventory_2026-06-04.json",
"scripts/backup/backup-status.sh",
"scripts/backup/verify-offsite-full-sync.sh",
"scripts/reboot-recovery/post-reboot-credential-escrow-intake-scorecard.py"
],
"program_status": {
"overall_completion_percent": 97,
"current_priority": "P1",
"current_task_id": "P1-102",
"next_task_id": "P1-201",
"read_only_mode": true
},
"rollups": {
"total_rows": 17,
"by_overall_readiness": {
"ready": 13,
"action_required": 2,
"blocked": 1,
"deferred": 1
},
"by_restore_drill_status": {
"approval_required": 14,
"blocked": 1,
"deferred": 1,
"not_applicable": 1
},
"by_offsite_status": {
"verified": 14,
"needs_metric_binding": 1,
"deferred": 1,
"not_applicable": 1
},
"blocked_row_ids": [
"credential_escrow_markers"
],
"action_required_row_ids": [
"signoz",
"velero_k8s_resources"
],
"credential_escrow_intake_scorecard_schema_version": "awoooi_post_reboot_credential_escrow_intake_scorecard_v1",
"credential_escrow_intake_scorecard_verifier": "scripts/reboot-recovery/post-reboot-credential-escrow-intake-scorecard.py --summary-file <summary.txt> --owner-packet-file <owner-packets.json> --response-file <owner-response.json> --offsite-report-file <offsite-report.txt> --escrow-status-file <escrow-status.txt> --json",
"credential_escrow_intake_status": "blocked_waiting_non_secret_credential_escrow_evidence",
"credential_escrow_active_gate_present": true,
"credential_escrow_preflight_status": "blocked_waiting_owner_response_content",
"credential_escrow_required_item_count": 5,
"credential_escrow_effective_missing_count": 5,
"credential_escrow_owner_response_received_count": 0,
"credential_escrow_owner_response_accepted_count": 0,
"credential_escrow_runtime_gate_count": 0,
"credential_escrow_secret_value_collection_allowed": false,
"credential_marker_write_authorized_count": 0,
"credential_escrow_forbidden_true_field_count": 0
},
"readiness_rows": [
{
"target_id": "gitea",
"display_name": "Gitea DB + repository dump",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "success 不即時洗版failure / action-required 才通知。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-gitea.sh"],
"blocker_summary": "無 target-level blockerrestore 仍需人工批准。",
"next_action": "P1-104 顯示 freshness / offsite ready 證據卡。"
},
{
"target_id": "momo_postgresql",
"display_name": "MOMO PostgreSQL",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "failure-only escalationsuccess 由每日摘要承載。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-momo.sh"],
"blocker_summary": "無 target-level blockerrestore 仍需人工批准。",
"next_action": "P1-104 顯示 188 pull freshness 與 SSH reachability。"
},
{
"target_id": "harbor",
"display_name": "Harbor registry + DB",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "failure-only escalationsuccess 由每日摘要承載。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-harbor.sh"],
"blocker_summary": "無 target-level blockerrestore 仍需人工批准。",
"next_action": "P1-104 顯示 registry readiness。"
},
{
"target_id": "awoooi_postgresql_daily",
"display_name": "AWOOOI PostgreSQL daily full",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "critical failure must alertsuccess 不即時洗版。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-awoooi.sh"],
"blocker_summary": "無 target-level blockerrestore 仍需人工批准。",
"next_action": "P1-104 顯示 24h full backup 與 6h frequent backup。"
},
{
"target_id": "awoooi_postgresql_frequent",
"display_name": "AWOOOI PostgreSQL frequent core",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "critical failure must alertsuccess 不即時洗版。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-awoooi-frequent.sh"],
"blocker_summary": "無 target-level blockerrestore 仍需人工批准。",
"next_action": "P1-104 顯示 6h RPO。"
},
{
"target_id": "langfuse",
"display_name": "Langfuse AI trace DB",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "failure-only escalationsuccess 由每日摘要承載。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-langfuse.sh"],
"blocker_summary": "無 target-level blockerrestore 仍需人工批准。",
"next_action": "P1-104 顯示 AI trace backup freshness。"
},
{
"target_id": "monitoring",
"display_name": "Prometheus / Grafana / Alertmanager",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "failure-only escalationsuccess 由每日摘要承載。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-monitoring.sh"],
"blocker_summary": "無 target-level blockerrestore 仍需人工批准。",
"next_action": "P1-104 顯示 monitoring backup 與 alert-rule coverage。"
},
{
"target_id": "signoz",
"display_name": "SignOz ClickHouse + SQLite",
"overall_readiness": "action_required",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "failure-only escalationsuccess 由每日摘要承載。",
"gate_status": "restore_approval_required",
"evidence_level": "committed_script",
"evidence_refs": ["scripts/backup/backup-signoz.sh", "docs/runbooks/BACKUP-STATUS.md"],
"blocker_summary": "備份腳本會短暫停止 collectorAgent 不得任意觸發UI 需標示 disruptive backup guard。",
"next_action": "P1-104 顯示 disruptive backup guard。"
},
{
"target_id": "open_webui",
"display_name": "Open-WebUI volume",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "failure-only escalationsuccess 由每日摘要承載。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-open-webui.sh"],
"blocker_summary": "無 target-level blockerrestore 仍需人工批准。",
"next_action": "P1-104 顯示 Open-WebUI readiness。"
},
{
"target_id": "clawbot_redis",
"display_name": "ClawBot Redis volume",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "failure-only escalationsuccess 由每日摘要承載。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-clawbot.sh"],
"blocker_summary": "無 target-level blockerrestore 仍需人工批准。",
"next_action": "P1-104 顯示 Redis backup readiness。"
},
{
"target_id": "configs_capture",
"display_name": "Host / service / K8s configuration capture",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "action-required 必須告警;成功不即時洗版。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-configs.sh", "docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md"],
"blocker_summary": "2026-06-12 post-120 recovery and later backup status readbacks show config capture recovered; full DR remains gated by independent restore / escrow controls.",
"next_action": "Keep config capture on normal backup cadence; restore drill still requires approval."
},
{
"target_id": "ai_artifacts",
"display_name": "AI artifacts / Ollama manifests",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "failure-only escalationsuccess 由每日摘要承載。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-ai-artifacts.sh"],
"blocker_summary": "manifest-only policy大型 model blobs 不預設備份。",
"next_action": "P1-104 顯示 manifest-only backup policy。"
},
{
"target_id": "public_routes",
"display_name": "Public routes / DNS / TLS evidence",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "approval_required",
"offsite_status": "verified",
"notification_policy": "failure-only escalationsuccess 由每日摘要承載。",
"gate_status": "restore_approval_required",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-public-routes.sh"],
"blocker_summary": "provider token / TLS private key 不在此目標輸出。",
"next_action": "P1-104 顯示 public route reconstruction evidence。"
},
{
"target_id": "sentry",
"display_name": "Sentry backup repo",
"overall_readiness": "deferred",
"freshness_status": "deferred",
"integrity_status": "deferred",
"restore_drill_status": "deferred",
"offsite_status": "deferred",
"notification_policy": "deferred until service active。",
"gate_status": "deferred_until_service_active",
"evidence_level": "deferred",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/backup-sentry.sh"],
"blocker_summary": "Sentry 目前未 active重新部署後再評估。",
"next_action": "服務 active 後重新納入 P1-102 readiness。"
},
{
"target_id": "offsite_rclone_full_sync",
"display_name": "Google Drive / rclone offsite mirror",
"overall_readiness": "ready",
"freshness_status": "verified",
"integrity_status": "verified",
"restore_drill_status": "not_applicable",
"offsite_status": "verified",
"notification_policy": "offsite success 不即時洗版verify failure 必須 action-required。",
"gate_status": "read_only_allowed",
"evidence_level": "runbook_live_refresh",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/sync-offsite-backups.sh", "scripts/backup/verify-offsite-full-sync.sh"],
"blocker_summary": "無 target-level blockersync execution 仍不可由 Agent 自動觸發。",
"next_action": "P1-104 顯示 latest-only remote verify。"
},
{
"target_id": "credential_escrow_markers",
"display_name": "Credential escrow evidence markers",
"overall_readiness": "blocked",
"freshness_status": "blocked",
"integrity_status": "not_applicable",
"restore_drill_status": "blocked",
"offsite_status": "not_applicable",
"notification_policy": "missing markers must stay action-required不得成功洗版。",
"gate_status": "credential_approval_required",
"evidence_level": "blocked_live_evidence",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "scripts/backup/mark-credential-escrow-verified.sh", "scripts/backup/offsite-escrow-evidence-report.sh", "scripts/reboot-recovery/post-reboot-credential-escrow-intake-scorecard.py"],
"blocker_summary": "Five evidence markers missing不得自動寫 marker、不得讀或暴露 credential value可收斂 redacted non-secret evidence refs。",
"next_action": "用 credential escrow intake scorecard 收斂 no-secret evidence refspreflight 通過前維持 marker write/runtime gate 為 0。"
},
{
"target_id": "velero_k8s_resources",
"display_name": "Velero K8s resource snapshots",
"overall_readiness": "action_required",
"freshness_status": "needs_metric_binding",
"integrity_status": "needs_metric_binding",
"restore_drill_status": "approval_required",
"offsite_status": "needs_metric_binding",
"notification_policy": "restore drill / Velero failure 必須 action-required。",
"gate_status": "restore_approval_required",
"evidence_level": "committed_script",
"evidence_refs": ["docs/runbooks/BACKUP-STATUS.md", "k8s/awoooi-prod/16-cronjob-backup-restore-test.yaml"],
"blocker_summary": "Velero / MinIO freshness 與 independent offsite 仍需 metric bindingrestore drill 需人工批准。",
"next_action": "P1-104 顯示 Velero metric gapP1-105 產生 restore drill 批准包。"
}
],
"operation_boundaries": {
"read_only_api_allowed": true,
"backup_execution_allowed": false,
"restore_execution_allowed": false,
"offsite_sync_execution_allowed": false,
"credential_marker_write_allowed": false,
"schedule_change_allowed": false,
"destructive_prune_allowed": false
},
"approval_boundaries": {
"sdk_installation_allowed": false,
"paid_api_call_allowed": false,
"shadow_or_canary_allowed": false,
"production_routing_allowed": false,
"destructive_operation_allowed": false
}
}