From 30af7e4db5b1f91b62b293af222d76d45abbc4a4 Mon Sep 17 00:00:00 2001 From: Your Name Date: Wed, 24 Jun 2026 13:37:08 +0800 Subject: [PATCH] docs(ops): record MacBook AwoooGo workspace readback [skip ci] --- docs/LOGBOOK.md | 27 +++++++ ...BOOK-AWOOOGO-ACCESS-READBACK-2026-06-24.md | 62 ++++++++++++++++ ...book-awooogo-access-readback.snapshot.json | 70 +++++++++++++++++++ docs/runbooks/FULL-STACK-COLD-START-SOP.md | 10 +++ ...oot-cold-start-backup-recovery-workplan.md | 2 +- 5 files changed, 170 insertions(+), 1 deletion(-) create mode 100644 docs/operations/CODEX-MACBOOK-AWOOOGO-ACCESS-READBACK-2026-06-24.md create mode 100644 docs/operations/codex-macbook-awooogo-access-readback.snapshot.json diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index 62351381..f502874f 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md 
@@ -1,3 +1,30 @@ +## 2026-06-24|MacBook Pro AwoooGo Gitea SSH 與 dev workspace readback + +**背景**:上一輪 MacBook safe artifact sync 已清除 handoff artifact blocker,但 AwoooGo 在 MacBook 端仍因 Gitea auth / visibility gate 無法 clone。本輪只處理 MacBook 自己的 Gitea SSH public key 授權與 AwoooGo dev workspace,不複製 Mac Mini private key,不使用或保存密碼 / token,不同步 raw Codex App DB / auth / conversations / sessions、`.env`、runtime volume 或 raw `.git`。 + +**Readback**: +- 110 Gitea SQLite 已先備份為 `/data/gitea/gitea.db.pre-macbook-key-20260624`。 +- MacBook public key fingerprint `SHA256:tjOo7yMW427ge01WWohw+CulNsssU/GpCjHogm/aubo` 已授權到 Gitea user `wooo`,key name `MacBook Pro Codex 20260624`;`gitea admin regenerate keys` 已完成。 +- MacBook SSH to Gitea readback:Gitea 回應 `Hi there, wooo!` 並指出 key name `MacBook Pro Codex 20260624`。 +- MacBook `git ls-remote ssh://git@192.168.0.110:2222/wooo/AwoooGo.git` 回讀:`dev=8471b376d97c1436d4612ece17f51ba0950f114d`、`main=18be716e8578eaeefb1e31f9a2a2f467ca33b12a`。 +- MacBook AwoooGo workspace 已建立:`/Users/ooo/codex-workspaces/awooogo-dev`,branch `dev`,upstream `gitea/dev`,commit `8471b376d97c1436d4612ece17f51ba0950f114d`,dirty `0`。 +- MacBook project-window sync:projects `6`,ready `3`(AWOOOI、MOMO Pro、AwoooGo),blocked `3`(2026FIFA main-review、Agent Bounty main-review、AWOOOI main)。 +- Safe handoff artifacts `9/9` SHA-256 match;global registry remains products `11`,ready `3`,blocked `8`,latest dev on Gitea `3`,production on Gitea `8`。 + +**新增文件 / snapshot**: +- `docs/operations/codex-macbook-awooogo-access-readback.snapshot.json` +- `docs/operations/CODEX-MACBOOK-AWOOOGO-ACCESS-READBACK-2026-06-24.md` + +**階段性進度建議**: +- P0-009 Gitea / Codex 雙工作站版本一致性可由 `86%` 推進到 `88%`,因 MacBook 端第三個 dev workspace(AwoooGo)已 confirmed。 +- P1-006 Codex workstation bootstrap automation 可由 `80%` 推進到 `82%`,因 MacBook project-window scanner 與 Gitea SSH key path 已實際驗證。 +- P2-002 Mac Mini / MacBook Pro Codex 同步機制可由 `70%` 推進到 `72%`,但 formal scorecard 尚未更新,且 all-products ready 仍為 false。 + +**邊界**: +- 
仍不能宣稱所有產品已完成雙機 Codex 開發環境;目前全產品 Gitea registry 仍 `ready=3`、`blocked=8`。 +- 仍不能同步 raw Codex App DB / auth / conversations / sessions、`.env`、runtime volumes 或 raw `.git`。 +- 2026FIFA / Agent Bounty 等產品仍需 owner response / dev branch gate,不能硬建 `dev` 或把 main-review 當正式 dev workspace。 + ## 2026-06-24|MacBook Pro Codex safe artifact sync readback **背景**:MacBook Pro `192.168.0.111` 已在外部環境開機且可 SSH,接續雙工作站 Codex / Gitea dev workflow,將共同開工入口與治理 snapshot 以白名單方式同步到 MacBook。這不是 raw Codex / ChatGPT 歷史聊天同步,也不是 product repo、`.env`、runtime volume 或 raw `.git` 複製。 diff --git a/docs/operations/CODEX-MACBOOK-AWOOOGO-ACCESS-READBACK-2026-06-24.md b/docs/operations/CODEX-MACBOOK-AWOOOGO-ACCESS-READBACK-2026-06-24.md new file mode 100644 index 00000000..73aaf871 --- /dev/null +++ b/docs/operations/CODEX-MACBOOK-AWOOOGO-ACCESS-READBACK-2026-06-24.md 
@@ -0,0 +1,62 @@ +# Codex MacBook AwoooGo Access Readback + +- generated_at: `2026-06-24T05:33:31Z` +- timezone: `Asia/Taipei` +- macbook_host: `192.168.0.111` +- gitea_host: `192.168.0.110` +- status: `AwoooGo MacBook dev workspace ready` + +## 結論 + +MacBook Pro 已可用自己的 SSH public key 存取 Gitea 上的 AwoooGo,並已建立乾淨的 Codex dev workspace: + +```text +/Users/ooo/codex-workspaces/awooogo-dev +branch=dev +upstream=gitea/dev +commit=8471b376d97c1436d4612ece17f51ba0950f114d +dirty=0 +``` + +這不是 Mac Mini 私鑰複製,不是密碼寫入,不是 raw Codex App 對話同步,也不是 raw `.git`、`.env` 或 runtime volume 複製。 + +## Readback + +| Gate | Result | +|------|--------| +| MacBook Gitea SSH auth | `Hi there, wooo! ... key named MacBook Pro Codex 20260624` | +| AwoooGo `dev` ref from MacBook | `8471b376d97c1436d4612ece17f51ba0950f114d` | +| AwoooGo `main` ref from MacBook | `18be716e8578eaeefb1e31f9a2a2f467ca33b12a` | +| MacBook workspace | `/Users/ooo/codex-workspaces/awooogo-dev` | +| Workspace branch / upstream | `dev` / `gitea/dev` | +| Dirty files | `0` | +| Handoff artifact SHA match | `9/9` | + +## MacBook Project Window Sync + +| Metric | Count | +|--------|------:| +| projects | `6` | +| ready | `3` | +| blocked | `3` | +| protected legacy | `0` | + +Ready projects: + +- `/Users/ooo/codex-workspaces/awoooi-dev` +- `/Users/ooo/codex-workspaces/momo-pro-dev` +- `/Users/ooo/codex-workspaces/awooogo-dev` + +Still blocked: + +- `/Users/ooo/codex-workspaces/2026fifa-main-review`: remote `dev` ref still missing. +- `/Users/ooo/codex-workspaces/agent-bounty-protocol-main-review`: remote `dev` ref still missing. +- `/Users/ooo/codex-workspaces/awoooi-main`: production branch checked out; not a Codex dev workspace. + +## 安全邊界 + +- 未複製 Mac Mini private key。 +- 未使用、未保存、未寫入任何密碼或 token。 +- 未同步 `~/.codex/auth.json`、`~/.codex/*.sqlite`、`~/.codex/sessions` 或 raw Codex / ChatGPT conversations。 +- 未同步 `.env`、runtime volumes 或 raw `.git` directories。 +- 不能宣稱所有產品都已雙機 ready:workspace registry 仍是 ready `3`、blocked `8`。 
diff --git a/docs/operations/codex-macbook-awooogo-access-readback.snapshot.json b/docs/operations/codex-macbook-awooogo-access-readback.snapshot.json new file mode 100644 index 00000000..bb2f2764 --- /dev/null +++ b/docs/operations/codex-macbook-awooogo-access-readback.snapshot.json 
@@ -0,0 +1,70 @@ +{ + "schema_version": "codex_macbook_awooogo_access_readback_v1", + "generated_at": "2026-06-24T05:33:31Z", + "timezone": "Asia/Taipei", + "purpose": "Verify MacBook Pro can use its own SSH key to access AwoooGo on Gitea and open a Codex-ready dev workspace without copying raw Codex history, secrets, raw .git directories, or Mac Mini private keys.", + "gitea_host": "192.168.0.110", + "macbook_host": "192.168.0.111", + "ssh_key_authorization": { + "target_user": "wooo", + "key_name": "MacBook Pro Codex 20260624", + "public_key_fingerprint": "SHA256:tjOo7yMW427ge01WWohw+CulNsssU/GpCjHogm/aubo", + "private_key_copied": false, + "password_used_or_stored": false, + "secret_value_collected": false, + "gitea_sqlite_backup_path": "/data/gitea/gitea.db.pre-macbook-key-20260624", + "authorized_keys_regenerated": true, + "gitea_ssh_readback": "Hi there, wooo! You've successfully authenticated with the key named MacBook Pro Codex 20260624, but Gitea does not provide shell access." + }, + "repo_readback": { + "repo": "wooo/AwoooGo", + "url": "ssh://git@192.168.0.110:2222/wooo/AwoooGo.git", + "dev_ref": "8471b376d97c1436d4612ece17f51ba0950f114d", + "main_ref": "18be716e8578eaeefb1e31f9a2a2f467ca33b12a", + "ls_remote_from_macbook": true + }, + "macbook_workspace": { + "path": "/Users/ooo/codex-workspaces/awooogo-dev", + "branch": "dev", + "upstream": "gitea/dev", + "commit": "8471b376d97c1436d4612ece17f51ba0950f114d", + "dirty_file_count": 0, + "status": "ready_or_development_base" + }, + "macbook_project_window_sync": { + "project_count": 6, + "ready_project_count": 3, + "blocked_project_count": 3, + "protected_legacy_project_count": 0, + "ready_projects": [ + "/Users/ooo/codex-workspaces/awoooi-dev", + "/Users/ooo/codex-workspaces/momo-pro-dev", + "/Users/ooo/codex-workspaces/awooogo-dev" + ], + "blocked_projects": [ + "/Users/ooo/codex-workspaces/2026fifa-main-review", + "/Users/ooo/codex-workspaces/agent-bounty-protocol-main-review", + 
"/Users/ooo/codex-workspaces/awoooi-main" + ] + }, + "handoff_artifact_sync": { + "sha256_match_count": 9, + "sha256_total_count": 9, + "raw_codex_app_synced": false, + "raw_conversation_synced": false, + "auth_json_synced": false, + "sqlite_synced": false, + "env_synced": false, + "runtime_volume_synced": false, + "raw_git_directory_copied": false + }, + "overall_boundary": { + "workspace_registry_ready_count": 3, + "workspace_registry_blocked_count": 8, + "latest_dev_on_gitea_count": 3, + "production_on_gitea_count": 8, + "owner_preflight_ready_count": 0, + "owner_preflight_blocked_count": 2, + "all_products_ready": false + } +} diff --git a/docs/runbooks/FULL-STACK-COLD-START-SOP.md b/docs/runbooks/FULL-STACK-COLD-START-SOP.md index befefceb..1cba1e62 100644 --- a/docs/runbooks/FULL-STACK-COLD-START-SOP.md +++ b/docs/runbooks/FULL-STACK-COLD-START-SOP.md 
@@ -25,6 +25,16 @@ Allowed declaration: core hosts, routes, K3s, backup/exporter surfaces are recov Forbidden declaration: full-stack green, MOMO data current, DR complete, or runtime/security acceptance. Credential escrow evidence is still missing and must not be forged. ``` +2026-06-24 13:33 Codex workstation continuity readback: + +```text +MacBook Pro 192.168.0.111 can now authenticate to Gitea over SSH with its own public key named MacBook Pro Codex 20260624. +AwoooGo MacBook dev workspace is ready at /Users/ooo/codex-workspaces/awooogo-dev, branch dev, upstream gitea/dev, commit 8471b376d97c1436d4612ece17f51ba0950f114d, dirty=0. +MacBook project-window sync now reports projects=6, ready=3, blocked=3. Ready projects are AWOOOI, MOMO Pro, and AwoooGo. +Safe handoff artifacts still match 9/9 by SHA-256. Raw Codex App DB, auth, sessions, raw conversations, .env, runtime volumes, raw .git directories, passwords, tokens, and Mac Mini private keys were not copied. +This improves workstation continuity after host reboot / operator relocation, but does not change service cold-start status: full-stack green remains blocked by MOMO data freshness and DR remains blocked by credential escrow evidence. +``` + 2026-06-18 12:17 live readback supersedes older service-availability wording: ```text diff --git a/docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md b/docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md index 37d2a2d7..c91f722f 100644 --- a/docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md +++ b/docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md 
@@ -15,7 +15,7 @@ | P0 host / K3s recovery | DONE | 100% | 120 booted after console fsck at `2026-06-12 15:13`; latest 2026-06-14 18:15 readback shows 120 is reachable, K3s is active, `mon` and `mon1` are both `Ready control-plane`, and cold-start P0/P1 checks are green. | | P1 backup / alert / escrow | BLOCKED_DR_ESCROW | 96% | 2026-06-24 11:20 backup / alert readback shows 110 `13/13 fresh failed=0`, 188 `2/2 fresh failed=0`, `core_blockers=0`, `integrity_stale=0`, `offsite_fresh=1`, `rclone_gdrive_fresh=1`, `escrow_missing=5`。188 `node-exporter` textfile scrape、PostgreSQL exporter、Redis exporter、MinIO endpoint、Velero BSL and latest completed backup freshness are restored; `BackupHealthMonitorMissing188`、`PostgreSQLDown`、`RedisDown`、`VeleroBackupNotRun` and 110 disk-pressure alerts resolved. DR remains blocked on real non-secret credential escrow evidence IDs. | | P2 service / data truth | BLOCKED_MOMO_DATA_FRESHNESS | 96% | Public route/TLS, API/Web route, momo health `V10.639`, current-month parity `10936|10936|2026-06-01|2026-06-17|2026-06-01|2026-06-17`, backup exporters, schedules, K3s node readiness/storage conditions, VIP, and 110 / 188 runtime health are green. However MOMO latest business date is `2026-06-17`; stale age is `7` days as of 11:35. Drive pending folder has `0` matching files and archive latest `2026-06-18T01:30:39Z` is already imported by job `56`, so there is no safe newer source to import. 
| -| P3 docs / automation contracts | DONE_WITH_MOMO_SOURCE_ABSENCE_GATE | 100% | Workplan, SOP v1.32, BACKUP-STATUS, LOGBOOK, 120 console/fsck recovery, Gitea backup stale-dump hardening, reboot ledger/version-comparison SOP, escrow evidence audit, 188 nginx Ansible baseline, 110 cold-start detector script, startup judgment layers, GO/NO-GO tree, host recovery cards, explicit Plan B degraded-operation path, machine-readable `plan_b` baseline, readiness-audit Plan B guard, B0-B5 service levels, T+0/T+120 fallback timeline checks, host role / load-balancing assessment, CD `known_hosts` guardrail, `fwupd-refresh.timer` rollback note, K3s filesystem event blocker, AWOOOI backup no-direct-offsite-sync contract, 110/188 Ansible source-of-truth, Gitea self-hosted readiness validation workflow, post-CD no-regression readbacks, stale-vs-active K8s failed Job classification, 110 runaway browser / CI load AIOps exporter + alert + gated remediation PlayBook, Telegram / AI event packet mapping, healthy heartbeat Telegram suppression, MOMO scheduler / current-month detector fix, 188 node-exporter restore helper, 188 DB/Redis exporter restore helper, 188 MinIO/Velero restore helper, 110 Docker disk pressure cleanup boundary, MOMO Google Drive token userns readback, MOMO daily freshness blocker, MOMO Pro false-noise health monitor source-of-truth, docker-health direct Telegram fallback cooldown, Bitan public-content same-fingerprint cooldown, notification-noise readback, MOMO source-file absence GO/NO-GO gate, and MacBook Pro Codex safe artifact sync readback are updated. Production image `a84a5a0b` remains live with API `2/2`, Web `2/2`, Worker `1/1`; `7db7800e` is docs-only and does not require runtime image rebuild. 
| +| P3 docs / automation contracts | DONE_WITH_MOMO_SOURCE_ABSENCE_GATE | 100% | Workplan, SOP v1.32, BACKUP-STATUS, LOGBOOK, 120 console/fsck recovery, Gitea backup stale-dump hardening, reboot ledger/version-comparison SOP, escrow evidence audit, 188 nginx Ansible baseline, 110 cold-start detector script, startup judgment layers, GO/NO-GO tree, host recovery cards, explicit Plan B degraded-operation path, machine-readable `plan_b` baseline, readiness-audit Plan B guard, B0-B5 service levels, T+0/T+120 fallback timeline checks, host role / load-balancing assessment, CD `known_hosts` guardrail, `fwupd-refresh.timer` rollback note, K3s filesystem event blocker, AWOOOI backup no-direct-offsite-sync contract, 110/188 Ansible source-of-truth, Gitea self-hosted readiness validation workflow, post-CD no-regression readbacks, stale-vs-active K8s failed Job classification, 110 runaway browser / CI load AIOps exporter + alert + gated remediation PlayBook, Telegram / AI event packet mapping, healthy heartbeat Telegram suppression, MOMO scheduler / current-month detector fix, 188 node-exporter restore helper, 188 DB/Redis exporter restore helper, 188 MinIO/Velero restore helper, 110 Docker disk pressure cleanup boundary, MOMO Google Drive token userns readback, MOMO daily freshness blocker, MOMO Pro false-noise health monitor source-of-truth, docker-health direct Telegram fallback cooldown, Bitan public-content same-fingerprint cooldown, notification-noise readback, MOMO source-file absence GO/NO-GO gate, MacBook Pro Codex safe artifact sync readback, and MacBook Pro AwoooGo Gitea SSH / dev workspace readback are updated. Production image `a84a5a0b` remains live with API `2/2`, Web `2/2`, Worker `1/1`; `7db7800e` is docs-only and does not require runtime image rebuild. | Full cold-start service readiness may not be declared green for the latest verified evidence set. 
As of 2026-06-24 11:35, routes/hosts/K3s/backups/exporters/Velero are available, but the scorecard is `PASS=86 WARN=0 BLOCKED=1` because MOMO business data freshness is stale beyond 3 days and no newer legitimate source file is available. Do not declare DR scorecard complete while credential escrow evidence remains blocked.
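Review bot: In the docs/LOGBOOK.md hunk, the Readback bullet naming `/data/gitea/gitea.db.pre-macbook-key-20260624` records that a full copy of the Gitea SQLite database was left on host 110, but not its owner, file mode, or removal date. That copy holds everything the live database holds, including account credential hashes, so it deserves the same boundary treatment the entry gives `.env` and raw `.git`: add a line stating who can read it and when it is deleted. The same list does not say how the public key was attached to user `wooo` (web UI, API, or a direct database write); the SQLite backup followed by `gitea admin regenerate keys` suggests the last of these, and naming the method would make the step repeatable and auditable.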
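Review bot: In docs/operations/CODEX-MACBOOK-AWOOOGO-ACCESS-READBACK-2026-06-24.md, the Readback table covers only the client side of the SSH exchange (the `Hi there, wooo!` greeting and the key name) and has no row for the server side: the host key fingerprint the MacBook accepted for `192.168.0.110:2222` is not recorded. Add a gate row with the Gitea SSH host key fingerprint and how it was checked, so the readback shows the MacBook is pinned to the intended server rather than to whatever key was offered on first connect. The first table row also shortens the greeting with `...` while the snapshot JSON carries it in full; quoting it identically in both files avoids drift.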
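Review bot: In docs/operations/codex-macbook-awooogo-access-readback.snapshot.json, the negative attestations (`private_key_copied`, `password_used_or_stored`, `secret_value_collected`, and the `*_synced` / `raw_git_directory_copied` flags under `handoff_artifact_sync`) are bare booleans with no pointer to the check that produced them, so a consumer of the snapshot cannot tell a verified `false` from a hand-typed one. Add a field per group that names the evidence, for example the allowlist or manifest compared for the 9/9 SHA-256 match. Separately, `ssh_key_authorization.target_user` is `wooo`, which makes this a key on the user account, while `purpose` describes access to AwoooGo only; state the intended scope explicitly so the snapshot does not understate what the key can reach. `macbook_workspace.status` set to `ready_or_development_base` is also ambiguous next to the plain `ready` wording in the Markdown readback.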
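Review bot: In the docs/runbooks/FULL-STACK-COLD-START-SOP.md hunk, the added text block restates the commit hash, workspace path and project counts that the snapshot JSON in this same patch already stores, without referencing that file. A runbook copy of these values goes stale as soon as the `dev` ref moves, so cite `docs/operations/codex-macbook-awooogo-access-readback.snapshot.json` as the source of the numbers. The last sentence (full-stack green and DR remain blocked) is the part that belongs in the SOP and should stay as written.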
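Review bot: In the docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md hunk, the P3 row gains one clause (`and MacBook Pro AwoooGo Gitea SSH / dev workspace readback`), but the diff replaces a single table cell holding dozens of comma-separated items, which makes a one-clause change hard to verify in review. Moving the enumeration to a list below the table, one item per line, would turn future additions into one-line diffs. The row also still cites `7db7800e` as the docs-only commit and `SOP v1.32` although this patch edits the SOP; confirm whether either reference needs updating.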