docs(logbook): record public gateway preflight production verification [skip ci]

Your Name
2026-06-12 03:24:00 +08:00
parent b13af6b815
commit 2e9ba6f48e


@@ -1,3 +1,57 @@
## 2026-06-12IwoooS P0 Public Gateway / Nginx Preflight 只讀清冊
**背景**:統帥要求所有重要配置都要納入資安控管,尤其 Nginx / public gateway / reverse proxy / TLS / route 常被變動,必須先有資安機制管住變更前置條件。本段延續「先建立框架、只讀證據、低摩擦流程,再階段性收攏」原則,只做 repo-only preflight 清冊與前台可視化,不讀 live 主機、不執行 `nginx -t`、不 reload、不改 DNS / TLS / ACME。
**完成**
- 新增 `public_gateway_preflight_inventory_v1` 產生器、schema、snapshot 與人讀文件,從既有 Nginx drift snapshot 與 DNS / TLS / certbot inventory snapshot 彙整 reload / route change 前置 Gate。
- 清冊固定 `3` 份 source config、`2` 份 C0 source config、`14` 個 managed domain、`14` 個 route impact、`14` 個 unique upstream、`10` 條 TLS certificate path、`7` 個 ACME challenge domain、`6` 個 WebSocket route domain、`1` 個 admin route domain。
- 固定 `12` 個 preflight gate其中 `2` 個只代表 repo-only ready`10` 個仍需 owner acceptanceowner response、owner-provided live conf、rendered diff、`nginx -t` evidence、route smoke、maintenance window、rollback owner、runtime gate 與 action button 全部仍為 `0`
- 高價值配置覆蓋矩陣的 `nginx_public_gateway``78%` 推進到 `84%`;全域高價值配置平均維持 `66%`needs-live-evidence 類別從 `6` 增為 `7`。這只代表 preflight 契約補齊,不代表 live config、reload 或 route change 已授權。
- IwoooS posture projection、schema、`security-mirror-progress-guard.py`、高價值配置文件、配置控管總清冊、Nginx drift 文件、DNS / TLS / certbot 文件與 `/zh-TW/iwooos` 前台卡已同步。
- `/zh-TW/iwooos` 新增 Public Gateway Preflight 卡,顯示 source config `3`、route impact `14`、preflight gate `12`、runtime gate `0`,並固定 `host_live_conf_read_authorized=false``nginx_test_authorized=false``nginx_reload_authorized=false``public_gateway_reload_authorized=false``public_route_change_authorized=false``admin_route_change_authorized=false``websocket_route_change_authorized=false``acme_challenge_change_authorized=false``route_smoke_authorized=false``rollback_executed=false``secret_value_collection_allowed=false``action_buttons_allowed=false` 等邊界;卡片內操作按鈕 `0`
**本地驗證**
- `python3 scripts/security/public-gateway-preflight-inventory.py --root . --generated-at 2026-06-12T10:30:00+08:00 --output docs/security/public-gateway-preflight-inventory.snapshot.json``PUBLIC_GATEWAY_PREFLIGHT_INVENTORY_OK configs=3 routes=14 gates=12 runtime_gate=0`
- `python3 scripts/security/high-value-config-control-coverage.py --root . --generated-at 2026-06-12T10:35:00+08:00 --output docs/security/high-value-config-control-coverage.snapshot.json``HIGH_VALUE_CONFIG_CONTROL_COVERAGE_OK categories=14 c0=8 avg=66 runtime_gate=0`
- JSON parsePublic Gateway preflight snapshot / schema、高價值覆蓋 snapshot、IwoooS posture projection snapshot / schema、`zh-TW.json``en.json` 通過。
- `cmp -s apps/web/messages/zh-TW.json apps/web/messages/en.json`:通過。
- `python3 -m py_compile scripts/security/public-gateway-preflight-inventory.py scripts/security/high-value-config-control-coverage.py scripts/security/security-mirror-progress-guard.py`:通過。
- `python3 scripts/security/security-mirror-progress-guard.py --root .``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- `python3 scripts/security/source-control-owner-response-guard.py --root .``SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`
- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea``DOC_SECRET_SANITY_OK scanned_files=703`
- `pnpm --filter @awoooi/web typecheck`:通過;驗證產生的 `apps/web/tsconfig.tsbuildinfo` 暫態變更已排除。
- `git diff --check` / `git diff --cached --check`:通過。
- 前台目標檔與語系檔針對內部溝通片語掃描:命中 `0`
**Gitea / deploy**
- Code commit`62397125 feat(security): 新增 public gateway preflight 只讀清冊`
- 後續同步另一個 Session`bcb7328b fix(governance): 修正 post-write verifier package 標籤``4a9f8d94 fix(web): 補齊 P2-403H 治理頁翻譯``c3858b9e docs(logbook): 記錄 P2-403H 正式驗證 [skip ci]`
- 本段原始 runs 因後續 main push 被取代code-review `#2754` 已取消、CD `#2753` 已取消,未見紅燈。
- 收斂後成功 runsCD `#2755` 部署 `bcb7328b` 成功並產生 deploy marker `a794714d chore(cd): deploy bcb7328 [skip ci]`;最新 CD `#2757` 部署 `4a9f8d94` 成功並產生 deploy marker `1ffabb50 chore(cd): deploy 4a9f8d9 [skip ci]`;最新 code-review `#2758` 成功。
**正式站驗證**
- Curl`https://awoooi.wooo.work/zh-TW/iwooos?_v=4a9f8d94-public-gateway-prod-curl-after-cd` 可讀到 `publicGatewayPreflight``Nginx 入口變更前置 Gate``public_gateway_preflight_gate_count=12``public_gateway_reload_authorized=false`
- Desktop `1440x1000``https://awoooi.wooo.work/zh-TW/iwooos?_v=1ffabb50-public-gateway-prod-desktop``data-testid="iwooos-public-gateway-preflight-board"``data-testid="iwooos-public-gateway-preflight-boundaries"` 存在且可見。
- Desktop DOM標題、source config `3`、route impact `14`、preflight gate `12`、runtime gate `0``public_gateway_preflight_gate_count=12``public_gateway_preflight_runtime_gate_count=0``public_gateway_reload_authorized=false` 均可見;卡內 button `0``scrollWidth - clientWidth = 0`;前台內部溝通片語命中 `0`
- Mobile `390x844``https://awoooi.wooo.work/zh-TW/iwooos?_v=1ffabb50-public-gateway-prod-mobile`,同樣可見 Public Gateway 卡、邊界、`12` 個 gate、runtime gate `0` 與 reload false boundary卡內 button `0``scrollWidth - clientWidth = 0`;前台內部溝通片語命中 `0`
- 截圖:`/tmp/awoooi-iwooos-public-gateway-prod-desktop-1ffabb50.png``/tmp/awoooi-iwooos-public-gateway-prod-mobile-1ffabb50.png`
- 驗證後已還原 in-app browser viewport 至預設。
**完成度同步**
- Public Gateway preflight repo-only 清冊:`100%`
- Nginx public gateway 高價值配置成熟度:`78% -> 84%`
- 全域高價值配置平均只讀成熟度:維持 `66%`
- needs-live-evidence 類別:`6 -> 7`
- owner response / live conf / rendered diff / `nginx -t` / route smoke / maintenance window / rollback owner / runtime gate / action button全部仍為 `0%`
- IwoooS 整體仍維持 `64%`active runtime gate 仍 `0`
**邊界**:本段未 SSH、未讀 live Nginx conf、未執行 `nginx -t`、未 reload Nginx、未改 reverse proxy、未改 DNS、未做 TLS probe、未執行 certbot renew、未改 ACME challenge、未跑 route smoke、未改主機、未收 secret value、未新增任何前端執行按鈕。
## 2026-06-12P2-403H Governance UI / i18n 顯示修補
**背景**P2-403H Post-write Verifier Package API 已在正式站回傳新快照後,治理頁正式 DOM / console 驗證發現兩個顯示層缺口:`postWriteVerifierPackage.verifier_package.owner_agent` 不存在但前端仍嘗試渲染,造成 `redisDryRunGate.agents.undefined`P2-402 proactive approval gate 新增多個 gate id但訊息檔尚未補齊造成 `MISSING_MESSAGE`
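Review bot: the screenshot evidence listed under the production verification (正式站驗證) section points at `/tmp/awoooi-iwooos-public-gateway-prod-desktop-1ffabb50.png` and its mobile counterpart, which are ephemeral paths, so the only durable artifact of the DOM check is this logbook line; copy the screenshots into a retained evidence location or record their digests next to the paths so the entry can be re-verified later. Separately, the `--generated-at` values in the local verification (本地驗證) list (`2026-06-12T10:30:00+08:00` and `2026-06-12T10:35:00+08:00`) are later than the commit timestamp shown above (`2026-06-12 03:24:00 +08:00`); if `--generated-at` is a pinned, hand-supplied value rather than wall-clock time, a short note saying so would stop readers from taking the snapshots as newer than the commit.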