Files
awoooi/docs/security/HOST-SERVICE-CHANGE-EVIDENCE-ACCEPTANCE.md
Your Name 8294a05456
All checks were successful
Code Review / ai-code-review (push) Successful in 22s
CD Pipeline / tests (push) Successful in 1m35s
CD Pipeline / build-and-deploy (push) Successful in 3m53s
CD Pipeline / post-deploy-checks (push) Successful in 1m26s
feat(iwooos): 新增主機服務變更證據驗收 gate
2026-06-15 18:16:34 +08:00

10 KiB
Raw Blame History

IwoooS Docker / systemd / 主機服務變更證據驗收

項目 內容
日期 2026-06-15
狀態 change_evidence_acceptance_ready_no_runtime_action
工具 scripts/security/host-service-change-evidence-acceptance.py
輸入 docs/security/host-service-owner-response-acceptance.snapshot.json
Snapshot docs/security/host-service-change-evidence-acceptance.snapshot.json
runtime gate 0

1. 目的

Docker / systemd / host service 事故不能只看「服務又起來了」。主機重啟、Docker daemon starting、compose stack 退出、systemd failed unit、repair-bot / runner 競爭、cold-start recovery 或 port binding 漂移,都可能讓公開 route 短暫恢復但根因仍未驗收。

本文件只定義變更 / 事故證據如何收件、補證、隔離、拒收與進 reviewer review。它不是 live host read、不是 SSH、不是 Docker / systemd 操作、不是 repair-bot、不是 Ansible、不是 route smoke也不是 production write 或 runtime gate 授權。

2. 摘要

指標 說明
change evidence candidate count 9 對應 9 個 host service surface
write-capable candidate count 3 Ansible role、110 repair-bot、188 repair-bot
live evidence required candidate count 8 local dev compose 之外都需 owner-provided live metadata
change evidence field count 45 每份 candidate 的 metadata-only 欄位
required evidence field count 25 actor、before / after、daemon、compose、systemd、port、dependency、route、post-check 等
reviewer check count 26 actor、service state、daemon、compose、systemd、dependency、route recovery、no-false-green 等
outcome lane count 10 waiting、quarantine、reject、supplement、incident backfill、no-false-green supplement、review、maintenance、runtime gate
blocked action count 39 SSH、Docker、systemctl、repair-bot、Ansible、route smoke、raw log storage、runtime gate 等
change evidence received / accepted 0 / 0 尚未收到,尚未驗收
runtime gate / action button 0 / 0 未開啟

3. 驗收候選

Candidate Host scope 類型 變更證據焦點
host_service_change_evidence:local_dev_compose local_dev_only Docker Compose dev-only disposition、不得誤用 production、secret placeholder policy
host_service_change_evidence:monitoring_110_compose host_110 Docker Compose Docker daemon、compose stack、route recovery、Alertmanager / Prometheus 影響
host_service_change_evidence:monitoring_exporters_188_compose host_188 Docker Compose exporter state、DB / Redis dependency、compose recovery 與 post-check
host_service_change_evidence:sentry_110_reference_compose host_110 reference compose source-of-truth、official revision、backup / rollback path
host_service_change_evidence:langfuse_110_compose host_110 Docker Compose compose state、secret placeholder disposition、route recovery
host_service_change_evidence:ansible_docker_compose_service_role multi_host Ansible executor role check-mode、allowed service_dir、人工 gate、rollback owner
host_service_change_evidence:repair_bot_110_whitelist host_110 repair whitelist actor、disable switch、audit log ref、post-check、runner contention
host_service_change_evidence:repair_bot_188_whitelist host_188 repair whitelist systemd restart approval gate、sudoers boundary、route smoke plan
host_service_change_evidence:config_backup_host_capture host_cluster config backup capture latest backup status、restore drill owner、secret handling proof

上表使用 host alias不把內網位址放進前台產品文案。Snapshot 內若保留既有 repo-only scope仍不得把它當成可公開文案或 live host 授權。

4. 必填證據欄位

欄位 規則
change_or_incident_ref 可追溯 change / incident / ticket ref
actor_role_or_team 只填角色或團隊,不填私人聯絡資料或 credential
decision / decision_reason 說明 confirm、defer、reject 或 request_more_evidence 的理由
affected_scope 明確列出 host alias、service scope、route / agent / monitoring 影響
boot_or_restart_window_ref boot、restart、kill、cold-start 或 recovery 時間 ref
before_service_state_ref / after_service_state_ref 變更前後服務狀態 ref不能只寫「已恢復」
docker_daemon_state_ref Docker daemon active / starting / failed / socket / contention metadata ref
compose_stack_state_ref compose stack / container state 摘要 ref不保存 raw docker ps dump
systemd_unit_state_ref systemd unit、failed unit 或 degraded state 摘要 ref
failed_unit_review_ref failed unit 是否與事故或恢復相關的 review ref
port_binding_state_ref host port、container port、proxy、gateway / firewall exposure 摘要 ref
dependency_impact_ref 上游、下游、資料庫、queue、registry、AI provider 與 public route 依賴 ref
cold_start_sequence_ref Docker daemon、compose stack、systemd unit、runner 與 post-check 順序 ref
runner_or_repair_bot_contention_ref runner、repair-bot、backup job、iptables / xtables 或 compose action 競爭 ref
public_route_recovery_refs / admin_route_recovery_refs route 恢復 ref無影響需說明不適用
agent_provider_health_refs AI provider、agent、webhook 或 proxy 健康 ref
monitoring_alert_refs alert / incident / monitoring ref避免人工觀察 false green
operator_notification_refs / cross_project_sync_ref 跨產品 / Session / owner 同步 ref
restoration_time_ref 已恢復事故的恢復時間;未恢復則提供 still-degraded ref
rollback_owner / rollback_plan_ref 回復責任與 plan
postcheck_evidence_refs service、route、agent、queue、monitoring 與 rollback stop condition

5. Reviewer checks

Check 說明
change_ref_present 必須有可追溯 change / incident ref
actor_role_traceable 不接受匿名 restart、kill、compose action 或 daemon 操作
decision_reason_present decision 與 reason 必須同時存在
affected_scope_matches_surface affected scope 必須能對回 host service surface
boot_or_restart_window_present 重啟、cold-start 或恢復需有時間 ref
before_after_service_state_present 需有 before / after service state ref
docker_daemon_state_present Docker daemon state 必須有脫敏 metadata ref
compose_stack_state_present compose / container state 不保存 raw dump
systemd_unit_state_present systemd unit / failed unit / degraded state 必須可追溯
failed_unit_review_present failed unit 是否相關必須 review
port_binding_state_present port / proxy / gateway / firewall exposure 必須一致性 review
dependency_impact_present 必須列上游、下游、queue、registry、AI provider、public route 與 monitoring 影響
cold_start_sequence_present 必須提供 cold-start / recovery sequence ref
runner_repair_bot_contention_present 必須確認 runner、repair-bot、backup job 或 xtables 競爭
route_recovery_evidence_present route 受影響時需有恢復 ref
agent_provider_health_present AI provider、agent 或 webhook 受影響時需有健康 ref
monitoring_alert_ref_present 需列 monitoring / alert / incident ref
operator_notification_present 需提供已通知受影響 owner / Session 的脫敏 ref
cross_project_sync_present 跨專案影響需有同步 ref
restoration_time_present 已恢復事故需提供恢復時間或 still-degraded ref
rollback_owner_present rollback owner 與 rollback plan 必須存在
postcheck_evidence_present post-check 必須覆蓋 service、route、agent、queue、monitoring 與 stop condition
secret_or_raw_payload_absent 不得包含 secret、env dump、raw docker logs、raw journal、private key 或 cookie
no_false_green_service_health 不得把 healthy、route 200、container up 或 dashboard up 當成驗收完成
no_runtime_authorization 證據驗收不授權 SSH、Docker、systemctl、repair-bot、Ansible 或 host write
counts_transition_safe 只有 reviewer record 可更新 accepted count且不得開 runtime gate

6. 禁止事項

  1. 不 SSH read / write。
  2. 不讀 live host、live Docker、live systemd 或 live journal。
  3. 不執行 docker compose up/down/pulldocker restartdocker kill
  4. 不執行 systemctl restart/reload/kill
  5. 不呼叫 repair-bot不跑 Ansible apply。
  6. 不做 sudo action、host file write、firewall / port change 或 route smoke。
  7. 不保存 raw live config、raw docker log、raw journal、raw env dump、secret value 或 private key。
  8. 不把服務 healthy、route 200、container up 或 dashboard up 當成 recovery / config 已驗收。
  9. 不跳過 source-of-truth、依賴圖、port binding、cold-start sequence 或 daemon / runner contention review。
  10. 不開 runtime gate不建立 action button。

7. 指令

產生 committed snapshot

python3 scripts/security/host-service-change-evidence-acceptance.py \
  --root . \
  --owner-response-report docs/security/host-service-owner-response-acceptance.snapshot.json \
  --output docs/security/host-service-change-evidence-acceptance.snapshot.json \
  --generated-at 2026-06-15T18:50:00+08:00

驗證 guard

python3 scripts/security/security-mirror-progress-guard.py --root .

8. 完成度

工作 完成度 說明
host service change evidence acceptance artifact 100% 產生器、snapshot 與文件已固定
Docker / systemd / host service 只讀治理成熟度 58% -> 62% 事故 / 變更證據、重啟 actor、before / after、daemon、compose、systemd、port、dependency、route recovery、operator notice 與 no-false-green 已納入
change evidence received / accepted 0% 尚未收到,尚未驗收
live host read / SSH 0% 尚未批准且未執行
Docker / systemd / repair-bot / Ansible 0% 尚未批准且未執行
runtime gate / host write 0% 未授權且未執行