docs(ops): record MacBook AwoooGo workspace readback [skip ci]

docs/LOGBOOK.md

@@ -1,3 +1,30 @@
+## 2026-06-24｜MacBook Pro AwoooGo Gitea SSH 與 dev workspace readback
+
+**背景**：上一輪 MacBook safe artifact sync 已清除 handoff artifact blocker，但 AwoooGo 在 MacBook 端仍因 Gitea auth / visibility gate 無法 clone。本輪只處理 MacBook 自己的 Gitea SSH public key 授權與 AwoooGo dev workspace，不複製 Mac Mini private key，不使用或保存密碼 / token，不同步 raw Codex App DB / auth / conversations / sessions、`.env`、runtime volume 或 raw `.git`。
+
+**Readback**：
+- 110 Gitea SQLite 已先備份為 `/data/gitea/gitea.db.pre-macbook-key-20260624`。
+- MacBook public key fingerprint `SHA256:tjOo7yMW427ge01WWohw+CulNsssU/GpCjHogm/aubo` 已授權到 Gitea user `wooo`，key name `MacBook Pro Codex 20260624`；`gitea admin regenerate keys` 已完成。
+- MacBook SSH to Gitea readback：Gitea 回應 `Hi there, wooo!` 並指出 key name `MacBook Pro Codex 20260624`。
+- MacBook `git ls-remote ssh://git@192.168.0.110:2222/wooo/AwoooGo.git` 回讀：`dev=8471b376d97c1436d4612ece17f51ba0950f114d`、`main=18be716e8578eaeefb1e31f9a2a2f467ca33b12a`。
+- MacBook AwoooGo workspace 已建立：`/Users/ooo/codex-workspaces/awooogo-dev`，branch `dev`，upstream `gitea/dev`，commit `8471b376d97c1436d4612ece17f51ba0950f114d`，dirty `0`。
+- MacBook project-window sync：projects `6`，ready `3`（AWOOOI、MOMO Pro、AwoooGo），blocked `3`（2026FIFA main-review、Agent Bounty main-review、AWOOOI main）。
+- Safe handoff artifacts `9/9` SHA-256 match；global registry remains products `11`，ready `3`，blocked `8`，latest dev on Gitea `3`，production on Gitea `8`。
+
+**新增文件 / snapshot**：
+- `docs/operations/codex-macbook-awooogo-access-readback.snapshot.json`
+- `docs/operations/CODEX-MACBOOK-AWOOOGO-ACCESS-READBACK-2026-06-24.md`
+
+**階段性進度建議**：
+- P0-009 Gitea / Codex 雙工作站版本一致性可由 `86%` 推進到 `88%`，因 MacBook 端第三個 dev workspace（AwoooGo）已 confirmed。
+- P1-006 Codex workstation bootstrap automation 可由 `80%` 推進到 `82%`，因 MacBook project-window scanner 與 Gitea SSH key path 已實際驗證。
+- P2-002 Mac Mini / MacBook Pro Codex 同步機制可由 `70%` 推進到 `72%`，但 formal scorecard 尚未更新，且 all-products ready 仍為 false。
+
+**邊界**：
+- 仍不能宣稱所有產品已完成雙機 Codex 開發環境；目前全產品 Gitea registry 仍 `ready=3`、`blocked=8`。
+- 仍不能同步 raw Codex App DB / auth / conversations / sessions、`.env`、runtime volumes 或 raw `.git`。
+- 2026FIFA / Agent Bounty 等產品仍需 owner response / dev branch gate，不能硬建 `dev` 或把 main-review 當正式 dev workspace。
+
 ## 2026-06-24｜MacBook Pro Codex safe artifact sync readback
 
 **背景**：MacBook Pro `192.168.0.111` 已在外部環境開機且可 SSH，接續雙工作站 Codex / Gitea dev workflow，將共同開工入口與治理 snapshot 以白名單方式同步到 MacBook。這不是 raw Codex / ChatGPT 歷史聊天同步，也不是 product repo、`.env`、runtime volume 或 raw `.git` 複製。

docs/operations/CODEX-MACBOOK-AWOOOGO-ACCESS-READBACK-2026-06-24.md

@@ -0,0 +1,62 @@
+# Codex MacBook AwoooGo Access Readback
+
+- generated_at: `2026-06-24T05:33:31Z`
+- timezone: `Asia/Taipei`
+- macbook_host: `192.168.0.111`
+- gitea_host: `192.168.0.110`
+- status: `AwoooGo MacBook dev workspace ready`
+
+## 結論
+
+MacBook Pro 已可用自己的 SSH public key 存取 Gitea 上的 AwoooGo，並已建立乾淨的 Codex dev workspace：
+
+```text
+/Users/ooo/codex-workspaces/awooogo-dev
+branch=dev
+upstream=gitea/dev
+commit=8471b376d97c1436d4612ece17f51ba0950f114d
+dirty=0
+```
+
+這不是 Mac Mini 私鑰複製，不是密碼寫入，不是 raw Codex App 對話同步，也不是 raw `.git`、`.env` 或 runtime volume 複製。
+
+## Readback
+
+| Gate | Result |
+|------|--------|
+| MacBook Gitea SSH auth | `Hi there, wooo! ... key named MacBook Pro Codex 20260624` |
+| AwoooGo `dev` ref from MacBook | `8471b376d97c1436d4612ece17f51ba0950f114d` |
+| AwoooGo `main` ref from MacBook | `18be716e8578eaeefb1e31f9a2a2f467ca33b12a` |
+| MacBook workspace | `/Users/ooo/codex-workspaces/awooogo-dev` |
+| Workspace branch / upstream | `dev` / `gitea/dev` |
+| Dirty files | `0` |
+| Handoff artifact SHA match | `9/9` |
+
+## MacBook Project Window Sync
+
+| Metric | Count |
+|--------|------:|
+| projects | `6` |
+| ready | `3` |
+| blocked | `3` |
+| protected legacy | `0` |
+
+Ready projects:
+
+- `/Users/ooo/codex-workspaces/awoooi-dev`
+- `/Users/ooo/codex-workspaces/momo-pro-dev`
+- `/Users/ooo/codex-workspaces/awooogo-dev`
+
+Still blocked:
+
+- `/Users/ooo/codex-workspaces/2026fifa-main-review`: remote `dev` ref still missing.
+- `/Users/ooo/codex-workspaces/agent-bounty-protocol-main-review`: remote `dev` ref still missing.
+- `/Users/ooo/codex-workspaces/awoooi-main`: production branch checked out; not a Codex dev workspace.
+
+## 安全邊界
+
+- 未複製 Mac Mini private key。
+- 未使用、未保存、未寫入任何密碼或 token。
+- 未同步 `~/.codex/auth.json`、`~/.codex/*.sqlite`、`~/.codex/sessions` 或 raw Codex / ChatGPT conversations。
+- 未同步 `.env`、runtime volumes 或 raw `.git` directories。
+- 不能宣稱所有產品都已雙機 ready：workspace registry 仍是 ready `3`、blocked `8`。

docs/operations/codex-macbook-awooogo-access-readback.snapshot.json

@@ -0,0 +1,70 @@
+{
+  "schema_version": "codex_macbook_awooogo_access_readback_v1",
+  "generated_at": "2026-06-24T05:33:31Z",
+  "timezone": "Asia/Taipei",
+  "purpose": "Verify MacBook Pro can use its own SSH key to access AwoooGo on Gitea and open a Codex-ready dev workspace without copying raw Codex history, secrets, raw .git directories, or Mac Mini private keys.",
+  "gitea_host": "192.168.0.110",
+  "macbook_host": "192.168.0.111",
+  "ssh_key_authorization": {
+    "target_user": "wooo",
+    "key_name": "MacBook Pro Codex 20260624",
+    "public_key_fingerprint": "SHA256:tjOo7yMW427ge01WWohw+CulNsssU/GpCjHogm/aubo",
+    "private_key_copied": false,
+    "password_used_or_stored": false,
+    "secret_value_collected": false,
+    "gitea_sqlite_backup_path": "/data/gitea/gitea.db.pre-macbook-key-20260624",
+    "authorized_keys_regenerated": true,
+    "gitea_ssh_readback": "Hi there, wooo! You've successfully authenticated with the key named MacBook Pro Codex 20260624, but Gitea does not provide shell access."
+  },
+  "repo_readback": {
+    "repo": "wooo/AwoooGo",
+    "url": "ssh://git@192.168.0.110:2222/wooo/AwoooGo.git",
+    "dev_ref": "8471b376d97c1436d4612ece17f51ba0950f114d",
+    "main_ref": "18be716e8578eaeefb1e31f9a2a2f467ca33b12a",
+    "ls_remote_from_macbook": true
+  },
+  "macbook_workspace": {
+    "path": "/Users/ooo/codex-workspaces/awooogo-dev",
+    "branch": "dev",
+    "upstream": "gitea/dev",
+    "commit": "8471b376d97c1436d4612ece17f51ba0950f114d",
+    "dirty_file_count": 0,
+    "status": "ready_or_development_base"
+  },
+  "macbook_project_window_sync": {
+    "project_count": 6,
+    "ready_project_count": 3,
+    "blocked_project_count": 3,
+    "protected_legacy_project_count": 0,
+    "ready_projects": [
+      "/Users/ooo/codex-workspaces/awoooi-dev",
+      "/Users/ooo/codex-workspaces/momo-pro-dev",
+      "/Users/ooo/codex-workspaces/awooogo-dev"
+    ],
+    "blocked_projects": [
+      "/Users/ooo/codex-workspaces/2026fifa-main-review",
+      "/Users/ooo/codex-workspaces/agent-bounty-protocol-main-review",
+      "/Users/ooo/codex-workspaces/awoooi-main"
+    ]
+  },
+  "handoff_artifact_sync": {
+    "sha256_match_count": 9,
+    "sha256_total_count": 9,
+    "raw_codex_app_synced": false,
+    "raw_conversation_synced": false,
+    "auth_json_synced": false,
+    "sqlite_synced": false,
+    "env_synced": false,
+    "runtime_volume_synced": false,
+    "raw_git_directory_copied": false
+  },
+  "overall_boundary": {
+    "workspace_registry_ready_count": 3,
+    "workspace_registry_blocked_count": 8,
+    "latest_dev_on_gitea_count": 3,
+    "production_on_gitea_count": 8,
+    "owner_preflight_ready_count": 0,
+    "owner_preflight_blocked_count": 2,
+    "all_products_ready": false
+  }
+}

docs/runbooks/FULL-STACK-COLD-START-SOP.md

@@ -25,6 +25,16 @@ Allowed declaration: core hosts, routes, K3s, backup/exporter surfaces are recov
 Forbidden declaration: full-stack green, MOMO data current, DR complete, or runtime/security acceptance. Credential escrow evidence is still missing and must not be forged.
 ```
 
+2026-06-24 13:33 Codex workstation continuity readback:
+
+```text
+MacBook Pro 192.168.0.111 can now authenticate to Gitea over SSH with its own public key named MacBook Pro Codex 20260624.
+AwoooGo MacBook dev workspace is ready at /Users/ooo/codex-workspaces/awooogo-dev, branch dev, upstream gitea/dev, commit 8471b376d97c1436d4612ece17f51ba0950f114d, dirty=0.
+MacBook project-window sync now reports projects=6, ready=3, blocked=3. Ready projects are AWOOOI, MOMO Pro, and AwoooGo.
+Safe handoff artifacts still match 9/9 by SHA-256. Raw Codex App DB, auth, sessions, raw conversations, .env, runtime volumes, raw .git directories, passwords, tokens, and Mac Mini private keys were not copied.
+This improves workstation continuity after host reboot / operator relocation, but does not change service cold-start status: full-stack green remains blocked by MOMO data freshness and DR remains blocked by credential escrow evidence.
+```
+
 2026-06-18 12:17 live readback supersedes older service-availability wording:
 
 ```text

docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md

@@ -15,7 +15,7 @@
 | P0 host / K3s recovery | DONE | 100% | 120 booted after console fsck at `2026-06-12 15:13`; latest 2026-06-14 18:15 readback shows 120 is reachable, K3s is active, `mon` and `mon1` are both `Ready control-plane`, and cold-start P0/P1 checks are green. |
 | P1 backup / alert / escrow | BLOCKED_DR_ESCROW | 96% | 2026-06-24 11:20 backup / alert readback shows 110 `13/13 fresh failed=0`, 188 `2/2 fresh failed=0`, `core_blockers=0`, `integrity_stale=0`, `offsite_fresh=1`, `rclone_gdrive_fresh=1`, `escrow_missing=5`。188 `node-exporter` textfile scrape、PostgreSQL exporter、Redis exporter、MinIO endpoint、Velero BSL and latest completed backup freshness are restored; `BackupHealthMonitorMissing188`、`PostgreSQLDown`、`RedisDown`、`VeleroBackupNotRun` and 110 disk-pressure alerts resolved. DR remains blocked on real non-secret credential escrow evidence IDs. |
 | P2 service / data truth | BLOCKED_MOMO_DATA_FRESHNESS | 96% | Public route/TLS, API/Web route, momo health `V10.639`, current-month parity `10936|10936|2026-06-01|2026-06-17|2026-06-01|2026-06-17`, backup exporters, schedules, K3s node readiness/storage conditions, VIP, and 110 / 188 runtime health are green. However MOMO latest business date is `2026-06-17`; stale age is `7` days as of 11:35. Drive pending folder has `0` matching files and archive latest `2026-06-18T01:30:39Z` is already imported by job `56`, so there is no safe newer source to import. |
-| P3 docs / automation contracts | DONE_WITH_MOMO_SOURCE_ABSENCE_GATE | 100% | Workplan, SOP v1.32, BACKUP-STATUS, LOGBOOK, 120 console/fsck recovery, Gitea backup stale-dump hardening, reboot ledger/version-comparison SOP, escrow evidence audit, 188 nginx Ansible baseline, 110 cold-start detector script, startup judgment layers, GO/NO-GO tree, host recovery cards, explicit Plan B degraded-operation path, machine-readable `plan_b` baseline, readiness-audit Plan B guard, B0-B5 service levels, T+0/T+120 fallback timeline checks, host role / load-balancing assessment, CD `known_hosts` guardrail, `fwupd-refresh.timer` rollback note, K3s filesystem event blocker, AWOOOI backup no-direct-offsite-sync contract, 110/188 Ansible source-of-truth, Gitea self-hosted readiness validation workflow, post-CD no-regression readbacks, stale-vs-active K8s failed Job classification, 110 runaway browser / CI load AIOps exporter + alert + gated remediation PlayBook, Telegram / AI event packet mapping, healthy heartbeat Telegram suppression, MOMO scheduler / current-month detector fix, 188 node-exporter restore helper, 188 DB/Redis exporter restore helper, 188 MinIO/Velero restore helper, 110 Docker disk pressure cleanup boundary, MOMO Google Drive token userns readback, MOMO daily freshness blocker, MOMO Pro false-noise health monitor source-of-truth, docker-health direct Telegram fallback cooldown, Bitan public-content same-fingerprint cooldown, notification-noise readback, MOMO source-file absence GO/NO-GO gate, and MacBook Pro Codex safe artifact sync readback are updated. Production image `a84a5a0b` remains live with API `2/2`, Web `2/2`, Worker `1/1`; `7db7800e` is docs-only and does not require runtime image rebuild. |
+| P3 docs / automation contracts | DONE_WITH_MOMO_SOURCE_ABSENCE_GATE | 100% | Workplan, SOP v1.32, BACKUP-STATUS, LOGBOOK, 120 console/fsck recovery, Gitea backup stale-dump hardening, reboot ledger/version-comparison SOP, escrow evidence audit, 188 nginx Ansible baseline, 110 cold-start detector script, startup judgment layers, GO/NO-GO tree, host recovery cards, explicit Plan B degraded-operation path, machine-readable `plan_b` baseline, readiness-audit Plan B guard, B0-B5 service levels, T+0/T+120 fallback timeline checks, host role / load-balancing assessment, CD `known_hosts` guardrail, `fwupd-refresh.timer` rollback note, K3s filesystem event blocker, AWOOOI backup no-direct-offsite-sync contract, 110/188 Ansible source-of-truth, Gitea self-hosted readiness validation workflow, post-CD no-regression readbacks, stale-vs-active K8s failed Job classification, 110 runaway browser / CI load AIOps exporter + alert + gated remediation PlayBook, Telegram / AI event packet mapping, healthy heartbeat Telegram suppression, MOMO scheduler / current-month detector fix, 188 node-exporter restore helper, 188 DB/Redis exporter restore helper, 188 MinIO/Velero restore helper, 110 Docker disk pressure cleanup boundary, MOMO Google Drive token userns readback, MOMO daily freshness blocker, MOMO Pro false-noise health monitor source-of-truth, docker-health direct Telegram fallback cooldown, Bitan public-content same-fingerprint cooldown, notification-noise readback, MOMO source-file absence GO/NO-GO gate, MacBook Pro Codex safe artifact sync readback, and MacBook Pro AwoooGo Gitea SSH / dev workspace readback are updated. Production image `a84a5a0b` remains live with API `2/2`, Web `2/2`, Worker `1/1`; `7db7800e` is docs-only and does not require runtime image rebuild. |
 
 Full cold-start service readiness may not be declared green for the latest verified evidence set. As of 2026-06-24 11:35, routes/hosts/K3s/backups/exporters/Velero are available, but the scorecard is `PASS=86 WARN=0 BLOCKED=1` because MOMO business data freshness is stale beyond 3 days and no newer legitimate source file is available. Do not declare DR scorecard complete while credential escrow evidence remains blocked.