Files
awoooi/docs/security/HOST-SERVICE-OWNER-RESPONSE-ACCEPTANCE.md
Your Name 41f5ff1a38
All checks were successful
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m40s
CD Pipeline / build-and-deploy (push) Successful in 6m17s
CD Pipeline / post-deploy-checks (push) Successful in 1m35s
feat(iwooos): 強化主機服務事故回補 gate
2026-06-15 14:51:25 +08:00

155 lines
11 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS Docker / systemd / 主機服務 Owner Response Acceptance
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-14 |
| 狀態 | `owner_response_acceptance_ledger_ready_no_runtime_action` |
| 工具 | `scripts/security/host-service-owner-response-acceptance.py` |
| 輸入 | `docs/security/host-service-config-inventory.snapshot.json``docs/security/host-service-owner-request-draft.snapshot.json` |
| Snapshot | `docs/security/host-service-owner-response-acceptance.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
Docker / systemd / host service config 會直接影響 110 / 188 的 Compose stack、repair-bot、Ansible service role、host config backup 與服務 restart 邊界。既有 repo-only 清冊與 owner request draft 已完成,但若缺少 owner response acceptance 帳本,後續容易把未驗收回覆誤判成 live host read、`docker compose``systemctl`、repair-bot、Ansible、sudo 或 host write 授權。
本文件只定義 owner response 如何收件、補證、隔離、拒收與進 reviewer review。它不是 request sent、不是 owner response received、不是 accepted response、不是 live host read、不是 Docker / systemd 操作,也不是 repair-bot、Ansible、SSH、host write、production write 或 runtime gate 授權。
## 2. 摘要
| 指標 | 值 | 說明 |
|------|----|------|
| acceptance candidate count | `9` | 9 個 host service surface |
| write-capable candidate count | `3` | Ansible role、110 repair-bot、188 repair-bot |
| live evidence required candidate count | `8` | local dev compose 之外都需 owner-provided live hash / disposition |
| acceptance field count | `34` | 每份 candidate 的 metadata-only 欄位 |
| required owner field count | `18` | owner / decision / scope / redacted refs / live hash / windows / rollback / post-check / disable switch / source-of-truth / 依賴 / port / cold-start / incident / contention |
| reviewer check count | `21` | owner、scope、redaction、secret、live hash、restart window、rollback、post-check、事故回補、runtime request 檢查 |
| outcome lane count | `8` | waiting、quarantine、reject、supplement、incident backfill、host service review、read-only update、waiting runtime gate |
| blocked action count | `27` | SSH、Docker Compose、systemctl、repair-bot、Ansible、sudo、host write、silent restart、active scan 等 |
| owner response received / accepted | `0 / 0` | 尚未收到,尚未驗收 |
| live host read / Docker / systemctl / repair-bot / Ansible | `0 / 0 / 0 / 0 / 0` | 尚未批准且未執行 |
| runtime gate / action button | `0 / 0` | 未開啟 |
## 3. 九份驗收候選
| Acceptance candidate | Host scope | 類型 | 驗收焦點 |
|----------------------|------------|------|----------|
| `host_service_owner_response_acceptance:local_dev_compose` | `local_dev_only` | Docker Compose | dev-only disposition、不得誤用 production、secret placeholder policy |
| `host_service_owner_response_acceptance:monitoring_110_compose` | `192.168.0.110` | Docker Compose | live hash ref、restart window、rollback owner、post-check 指標 |
| `host_service_owner_response_acceptance:monitoring_exporters_188_compose` | `192.168.0.188` | Docker Compose | exporter env source、live hash ref、rollback owner |
| `host_service_owner_response_acceptance:sentry_110_reference_compose` | `192.168.0.110` | reference compose | actual source-of-truth、official revision、backup path、rollback owner |
| `host_service_owner_response_acceptance:langfuse_110_compose` | `192.168.0.110` | Docker Compose | live hash ref、secret placeholder disposition、restart window、rollback owner |
| `host_service_owner_response_acceptance:ansible_docker_compose_service_role` | `multi_host` | Ansible executor role | allowed service_dir、check-mode、人工 gate、rollback owner |
| `host_service_owner_response_acceptance:repair_bot_110_whitelist` | `192.168.0.110` | repair whitelist | authorized_keys binding、disable switch、audit log、post-check |
| `host_service_owner_response_acceptance:repair_bot_188_whitelist` | `192.168.0.188` | repair whitelist | systemd restart approval gate、sudoers boundary、disable switch、route smoke |
| `host_service_owner_response_acceptance:config_backup_host_capture` | `110_188_120_121_cluster` | config backup capture | latest backup status、restore drill owner、secret handling proof |
## 4. Owner response 必填欄位
| 欄位 | 規則 |
|------|------|
| `owner_role_or_team` | 只填角色或團隊,不填私人聯絡資料或 credential |
| `decision` | 允許 `confirm``defer``reject``request_more_evidence` |
| `decision_reason` | 摘要說明,不貼 raw compose、env dump、systemd unit、secret 或 log payload |
| `affected_scope` | 明確列出 host scope、service scope、repo source、runtime 影響範圍 |
| `redacted_evidence_refs` | 只接受脫敏 ref、ticket id、文件路徑、hash 或摘要 |
| `live_config_hash_ref` | 只能是 owner-provided metadata ref不得貼 raw live config |
| `maintenance_window` | 未來 live read、restart、repair-bot 或 Ansible 動作的窗口;本 response 不開執行權 |
| `restart_window` | restart / reload window 必須與 action 分離,不得自動執行 |
| `rollback_owner` | 未來若進變更的 rollback owner |
| `post_check_plan` | 服務健康、route、queue、log、error budget 與 rollback 停止條件 |
| `disable_switch` | repair-bot、Ansible role 或 service config 的停用方式 / freeze rule |
| `config_source_of_truth_ref` | repo source、live source、runner source 與 backup source 的脫敏真相來源 ref |
| `service_dependency_map_ref` | 上游、下游、資料庫、queue、registry、AI provider 與 public route 依賴 ref |
| `port_binding_inventory_ref` | host port、container port、proxy 與 firewall exposure inventory ref |
| `cold_start_sequence_ref` | Docker daemon、compose stack、systemd unit、runner 與 post-check 的冷啟動 / recovery 順序 ref |
| `incident_recovery_evidence_ref` | 服務異常、重啟或端口事故的恢復時間、服務健康、route health 與 operator notice ref |
| `daemon_runner_contention_ref` | Docker daemon、iptables / xtables、runner、repair-bot、backup job 或 compose action 的競爭風險 ref |
| `followup_owner` | 後續補證、reviewer 或 runtime gate 負責角色 |
## 5. Reviewer checks
| Check | 說明 |
|-------|------|
| `owner_identity_present` | owner role / team 必須可追溯 |
| `decision_reason_present` | decision 與 reason 必須同時存在 |
| `affected_scope_matches_surface` | affected scope 必須能對回 committed surface_id |
| `redacted_refs_only` | evidence 只能是脫敏 ref、ticket、hash、文件路徑或摘要 |
| `secret_value_absent` | 不得出現 token、password、cookie、private key、env dump 或 partial secret |
| `live_config_hash_metadata_only` | live config hash 只能是 metadata ref不得貼 raw live config |
| `maintenance_window_present` | 未來 host read、restart、repair-bot 或 Ansible 動作需獨立維護窗口 |
| `restart_window_separate_from_action` | restart window 與 docker / systemctl action 必須分離 |
| `rollback_owner_present` | rollback owner、rollback ref 或 disable path 必須存在 |
| `post_check_plan_present` | post-check 必須列服務健康、route、queue、log 與 rollback 停止條件 |
| `disable_switch_present` | repair-bot、Ansible role 或 service config 需有 disable switch 或 freeze rule |
| `config_source_of_truth_present` | 必須提供 repo / live / runner / backup source-of-truth ref |
| `service_dependency_map_present` | 必須提供服務依賴圖 ref |
| `port_binding_inventory_present` | 必須提供 host / container / proxy / firewall port binding inventory ref |
| `cold_start_sequence_present` | 必須提供 cold-start / recovery sequence ref |
| `incident_recovery_evidence_present` | 涉及服務異常、重啟或端口事故時必須提供恢復與健康證據 ref |
| `daemon_runner_contention_reviewed` | 必須說明 Docker daemon、iptables、runner、repair-bot、backup job 或 compose action 是否競爭 |
| `silent_restart_not_accepted` | 沒有 actor、原因、依賴圖、port inventory、回滾與 post-check 的 restart / reload 不可接受 |
| `write_capable_requires_extra_review` | write-capable surface 必須進額外 reviewer review |
| `no_runtime_request` | 夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收 |
| `counts_transition_safe` | 只有 reviewer record 可更新 received / accepted / rejected且不得開 runtime gate |
## 6. Outcome lanes
| Lane | 意義 |
|------|------|
| `waiting_owner_response` | 尚未收到 owner response |
| `quarantine_secret_or_raw_payload` | 收到 secret、env dump、raw compose、raw systemd unit 或未脫敏 host config 時隔離 |
| `reject_execution_request` | 夾帶 SSH、Docker、systemctl、repair-bot、Ansible、sudo 或 host write 要求時拒收 |
| `request_supplement` | 欄位不足、scope 不清、live hash ref / rollback / post-check 缺失時要求補件 |
| `incident_recovery_backfill_required` | 涉及服務異常、靜默重啟、端口事故或 cold-start recovery 時,必須進事故回補 |
| `ready_for_host_service_review` | metadata 合格後,只能進 host service reviewer review |
| `owner_review_only_update` | 只允許更新只讀 owner review ledger |
| `waiting_runtime_gate` | 即使 owner response acceptedruntime gate 仍等待獨立人工批准 |
## 7. 禁止事項
1. 不 SSH read / write。
2. 不執行 `docker compose up/down/pull`
3. 不執行 `systemctl restart/reload`
4. 不呼叫 repair-bot。
5. 不跑 Ansible apply。
6. 不做 sudo action、host file write 或 firewall change。
7. 不保存 raw live config、env dump、secret value、未脫敏 log 或 shell history。
8. 不把 restart window、maintenance window 或 owner response 當成 runtime approval。
9. 不開 runtime gate不建立 action button。
10. 不接受靜默 restart / reload。
11. 不把服務目前 healthy 當成 config 已驗收。
12. 不跳過 source-of-truth、服務依賴圖、port binding、cold-start sequence 或 daemon / runner contention review。
## 8. 指令
產生 committed snapshot
```bash
python3 scripts/security/host-service-owner-response-acceptance.py \
--root . \
--inventory-report docs/security/host-service-config-inventory.snapshot.json \
--owner-request-report docs/security/host-service-owner-request-draft.snapshot.json \
--output docs/security/host-service-owner-response-acceptance.snapshot.json \
--generated-at 2026-06-15T14:45:00+08:00
```
驗證 guard
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 9. 完成度
| 工作 | 完成度 | 說明 |
|------|--------|------|
| owner response acceptance ledger artifact | `100%` | 產生器、snapshot 與文件已固定 |
| Docker / systemd / host service 只讀治理成熟度 | `54% -> 58%` | 事故恢復、依賴圖、port binding、cold-start、source-of-truth 與 daemon / runner 競爭回補已納入;不代表 live evidence 或 runtime action |
| owner response received / accepted | `0%` | 尚未收到,尚未驗收 |
| live config hash accepted | `0%` | 尚未收到 owner-provided metadata ref |
| live host read / SSH | `0%` | 尚未批准且未執行 |
| Docker / systemd / repair-bot / Ansible | `0%` | 尚未批准且未執行 |
| runtime gate / host write | `0%` | 未授權且未執行 |