chore(delivery): refresh production deploy readback blocker

apps/api/tests/test_delivery_closure_workbench_api.py

@@ -25,7 +25,7 @@ def test_delivery_closure_workbench_endpoint_returns_product_summary():
     assert data["summary"]["refs_sync_authorized"] is True
     assert data["summary"]["workflow_trigger_authorized"] is True
     assert data["summary"]["production_deploy_status"] == (
-        "blocked_waiting_authorized_gitea_workflow_dispatch"
+        "blocked_waiting_authorized_gitea_workflow_dispatch_and_runner_queue"
     )
     assert data["summary"]["production_deploy_source_control_main_ready"] is True
     assert data["summary"]["production_deploy_image_tag_matches_main"] is False
@@ -34,8 +34,8 @@ def test_delivery_closure_workbench_endpoint_returns_product_summary():
         data["summary"]["production_deploy_authorized_dispatch_channel_ready"]
         is False
     )
-    assert data["summary"]["production_deploy_hard_blocker_count"] == 1
-    assert data["summary"]["production_deploy_latest_visible_cd_run_id"] == "3848"
+    assert data["summary"]["production_deploy_hard_blocker_count"] == 2
+    assert data["summary"]["production_deploy_latest_visible_cd_run_id"] == "3853"
     assert data["summary"]["github_write_channel_ready"] is False
     assert data["summary"]["github_account_status"] == "suspended"
     assert data["summary"]["github_account_suspended"] is True
@@ -74,12 +74,12 @@ def test_delivery_closure_workbench_endpoint_returns_product_summary():
     assert lanes["release"]["metric"]["total"] == 5
     assert lanes["production_deploy"]["metric"]["kind"] == "deploy_readback"
     assert lanes["production_deploy"]["status"] == (
-        "blocked_waiting_authorized_gitea_workflow_dispatch"
+        "blocked_waiting_authorized_gitea_workflow_dispatch_and_runner_queue"
     )
-    assert lanes["production_deploy"]["blocker_count"] == 1
+    assert lanes["production_deploy"]["blocker_count"] == 2
     assert lanes["production_deploy"]["metric"][
         "observed_source_control_main_short_sha"
-    ] == "718a5d04ad4f"
+    ] == "3900b0b7a779"
     assert lanes["production_deploy"]["metric"][
         "production_image_tag_short_sha"
     ] == "af45811e87"
@@ -92,7 +92,7 @@ def test_delivery_closure_workbench_endpoint_returns_product_summary():
         lanes["production_deploy"]["metric"]["authorized_dispatch_channel_ready"]
         is False
     )
-    assert lanes["production_deploy"]["metric"]["latest_visible_cd_run_id"] == "3848"
+    assert lanes["production_deploy"]["metric"]["latest_visible_cd_run_id"] == "3853"
     assert lanes["github"]["metric"]["kind"] == "private_backup_verified"
     assert lanes["gitea"]["metric"]["kind"] == "workflow_count"
     assert lanes["runtime"]["metric"]["kind"] == "surface_count"

docs/LOGBOOK.md

@@ -1,3 +1,15 @@
+## 2026-06-28 — 20:28 production deploy readback snapshot refresh
+
+**完成內容**：
+- 刷新 `docs/operations/awoooi-production-deploy-readback-blocker.snapshot.json`，將 Gitea main 觀測 SHA 更新為 `3900b0b7a779`，並記錄 public Gitea CD `#3853` 仍停在 `Waiting`、jobs API `total_count=0`。
+- 保留 production truth：public API 仍為舊版 `source_count=5`，Delivery Workbench production 欄位與 GitHub internal governance 欄位尚未出現在 production response，production image tag 仍為 `af45811e87`。
+- 將 blocker 收斂為兩項：已授權 Gitea `workflow_dispatch` channel 缺席、runner queue runtime 尚未接走可見 run；仍不得讀 token/cookie/session，不得碰 host / Docker / K8s / runner service，不得使用 GitHub。
+
+**驗證結果**：
+- `python3.11 ops/runner/guard-gitea-runner-pressure.py --root .`：通過。
+- `python3.11 -m pytest ops/runner/test_guard_gitea_runner_pressure.py -q`：4 passed。
+- `DATABASE_URL=sqlite:///test.db PYTHONPATH=apps/api python3.11 -m pytest apps/api/tests/test_delivery_closure_workbench_api.py apps/api/tests/test_github_target_private_backup_evidence_gate.py apps/api/tests/test_github_target_private_backup_evidence_gate_api.py -q`：20 passed。
+
 ## 2026-06-28 — 20:02 110 fail-closed regression 再封堵與 non-110 runner readiness gate
 
 **背景**：最新 `gitea-ssh/main` 出現 `09a0ee209 Revert "fix(recovery): restore failclosed authority source [skip ci]"` 與 `ba92daa92 fix(ci): allow controlled cd push trigger`，再次移除 fail-closed authority source 並允許 controlled CD push trigger。20:00 live 110 讀回 `awoooi-cd-lane-drain.service` 已變成 `activating/enabled`，`awoooi-runner-failclosed-authority.timer` 反而 `masked/inactive`。

docs/operations/awoooi-production-deploy-readback-blocker.snapshot.json

@@ -1,12 +1,12 @@
 {
   "schema_version": "awoooi_production_deploy_readback_blocker_v1",
-  "generated_at": "2026-06-28T19:28:54+08:00",
-  "status": "blocked_waiting_authorized_gitea_workflow_dispatch",
+  "generated_at": "2026-06-28T20:27:56+08:00",
+  "status": "blocked_waiting_authorized_gitea_workflow_dispatch_and_runner_queue",
   "priority": "P0",
   "scope": "awoooi_production_truth",
   "readback": {
-    "observed_source_control_main_sha": "718a5d04ad4f594ab28e15c528413cbf2714f3ed",
-    "observed_source_control_main_short_sha": "718a5d04ad4f",
+    "observed_source_control_main_sha": "3900b0b7a779bcca533ee625f3e8b301fc47764a",
+    "observed_source_control_main_short_sha": "3900b0b7a779",
     "governance_closure_merge_sha": "27b96f0450d0e3ca6651d6b5f274a341dd727ef2",
     "governance_closure_commit_sha": "9e3e7fbb6ba3ffd324b45abf3ad1e7b6ec826b22",
     "production_image_tag_sha": "af45811e876fda322ee63c036fbc39c9f07ffd76",
@@ -16,8 +16,10 @@
     "production_workbench_http_status": 200,
     "production_internal_governance_writeback_present": false,
     "production_workbench_governance_ready_present": false,
-    "latest_visible_cd_run_id": "3848",
-    "latest_visible_cd_run_commit_short_sha": "af45811e87",
+    "latest_visible_cd_run_id": "3853",
+    "latest_visible_cd_run_status": "Waiting",
+    "latest_visible_cd_run_jobs_total_count": 0,
+    "latest_visible_cd_run_commit_short_sha": "1e68f9ff27",
     "current_main_cd_run_visible": false,
     "manual_run_button_visible": false,
     "gitea_sign_in_required": true,
@@ -30,19 +32,28 @@
       "id": "authorized_gitea_workflow_dispatch_channel_missing",
       "kind": "external_authorized_control_channel",
       "severity": "P0",
-      "description": "Source 已進 Gitea main，但 production image tag 仍停在舊 SHA；目前沒有可用的已授權 Gitea workflow_dispatch channel 觸發 CD。",
+      "description": "Source 已進 Gitea main，但 production image tag 仍停在舊 SHA；目前沒有可用的已授權 Gitea workflow_dispatch channel 觸發最新 cd.yaml。",
       "blocked_action": "deploy_current_gitea_main_to_production",
       "safe_boundary": "不得讀 token/cookie/session，不得改 workflow 為 push trigger，不得手改 K8s tag，不得重開 110 runner 或 host/K8s runtime。"
+    },
+    {
+      "id": "gitea_cd_runner_queue_not_accepting_visible_run",
+      "kind": "runner_queue_runtime_readback",
+      "severity": "P0",
+      "description": "Public Gitea readback 顯示 CD run #3853 仍為 Waiting，jobs API 回 total_count=0；尚未有 runner 接走可見 run。",
+      "blocked_action": "complete_cd_run_and_update_production_image_tag",
+      "safe_boundary": "只允許讀 public Gitea/status 與 source verifier；不得登入、讀 token、操作 host、Docker、K8s 或 runner service。"
     }
   ],
   "next_actions": [
-    "使用已授權的 Gitea manual workflow_dispatch channel 觸發 cd.yaml ref=main。",
+    "等 non-110 或硬限制 runner readiness channel 成立後，使用已授權的 Gitea workflow_dispatch channel 觸發 cd.yaml ref=main。",
+    "若 #3853 仍 Waiting 且 jobs_total_count=0，先不要重推或手改 K8s tag；改以 runner readiness verifier 的非 secret readback 建立可用 runner channel。",
     "CD 完成後讀回 production image tag，確認不再是 af45811e87。",
     "重新讀回 /api/v1/agents/github-target-controlled-execution-preflight 與 /api/v1/agents/delivery-closure-workbench，確認 internal_governance_writeback 與 KM / PlayBook counters 出現。"
   ],
   "rollups": {
-    "hard_blocker_count": 1,
-    "next_action_count": 3,
+    "hard_blocker_count": 2,
+    "next_action_count": 4,
     "source_control_main_ready": true,
     "production_image_tag_matches_main": false,
     "production_governance_fields_present": false,