docs(iwooos): record host service change evidence acceptance [skip ci]
@@ -1,3 +1,51 @@
## 2026-06-15|Docker / systemd 主機服務變更證據驗收 Gate

**背景**:主控節點事故後,IwoooS 需要能回答「誰改了主機服務、何時改、改前改後狀態、是否影響 Docker / compose / systemd / port binding / public route / AI provider、是否通知相關專案」。本階段補上 Host Service Change Evidence Acceptance,只建立只讀證據收件、reviewer checks、outcome lanes、blocked actions 與前台可視化;不碰 live host、不 SSH、不讀 raw journal / raw config / raw env、不執行 Docker / systemctl / repair bot / Ansible、不做 route smoke 寫入、不 reload Nginx、不改 firewall、不 active scan。

**完成項目**:
- 新增 `scripts/security/host-service-change-evidence-acceptance.py` 與 `docs/security/host-service-change-evidence-acceptance.snapshot.json`。
- 新增 `docs/security/HOST-SERVICE-CHANGE-EVIDENCE-ACCEPTANCE.md`,把主機服務變更候選、證據欄位、人工驗收分流與禁止動作整理為繁中只讀規範。
- Host service change evidence acceptance 固定為 change evidence candidates `9`、write-capable candidates `3`、change evidence fields `45`、required evidence fields `25`、reviewer checks `26`、outcome lanes `10`、blocked actions `39`。
- 所有 owner evidence received / accepted、Docker daemon accepted、compose accepted、systemd accepted、failed unit accepted、port binding accepted、public route accepted、operator notification accepted、runtime gate 仍為 `0`。
- `docker_compose_systemd_host_config` 只讀成熟度從 `58%` 推進到 `62%`,狀態為 `change_evidence_acceptance_ready_needs_host_service_owner_evidence`。
- 高價值配置平均成熟度維持 `70%`;needs-live-evidence 類別維持 `10`。
- `/zh-TW/iwooos` 前台高價值配置卡片更新為:AI provider / model routing `60%`、Docker / systemd 主機服務 `62%`、SSH / firewall / network access `62%`、K8s / ArgoCD GitOps `64%`;`en.json` 維持繁中鏡像。

**本地驗證**:
- JSON parse 驗證 `docs/security/host-service-change-evidence-acceptance.snapshot.json`、`docs/security/high-value-config-control-coverage.snapshot.json`、`docs/security/iwooos-posture-projection.snapshot.json`、`apps/web/messages/zh-TW.json`、`apps/web/messages/en.json` 通過。
- `python3 scripts/security/iwooos-config-control-guard.py --root .` → `IWOOOS_CONFIG_CONTROL_GUARD_OK`。
- `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。
- `python3 scripts/security/public-frontend-env-guard.py --root .` → `OK public frontend sensitive surface guard files=225 patterns=12 allowlisted=2 violations=0 runtime_gate=0`。
- `python3 scripts/security/source-control-owner-response-guard.py --root .` → `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。
- `python3 scripts/security/package-supply-chain-owner-policy-guard.py --root .` → `PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK`。
- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea` → `DOC_SECRET_SANITY_OK scanned_files=874`。
- `python3 -m py_compile scripts/security/host-service-change-evidence-acceptance.py scripts/security/high-value-config-control-coverage.py scripts/security/iwooos-config-control-guard.py scripts/security/security-mirror-progress-guard.py` 通過。
- `pnpm --filter @awoooi/web typecheck` 通過;`apps/web/tsconfig.tsbuildinfo` 只屬 typecheck 快取副作用,未納入提交。
- `git diff --check` 通過。

**Gitea / CD**:
- Code commit:`8294a054 feat(iwooos): 新增主機服務變更證據驗收 gate`。
- Code-review run:`3051`,輪詢結果為成功。
- CD run:`3050`,已回寫 deploy marker;run detail 在只讀環境回 `404`,不讀 token、不收 secrets。
- Deploy marker:`8d31202b chore(cd): deploy 8294a05 [skip ci]`。

**Production 驗證**:
- Browser desktop `1280x720`:`/zh-TW/iwooos?_v=8d31202b-host-service-prod-desktop` 回 `200`,console error `0`,page error `0`,`horizontalOverflow=false`,必填文案缺漏 `0`,敏感字串命中 `0`。
- Browser mobile `390x844`:`/zh-TW/iwooos?_v=8d31202b-host-service-prod-mobile` 回 `200`,console error `0`,page error `0`,`horizontalOverflow=false`,必填文案缺漏 `0`,敏感字串命中 `0`。
- Browser mobile `390x844` 補充 route smoke:`/zh-TW/governance?tab=automation-inventory`、`/zh-TW/awooop/tenants`、`/zh-TW/code-review` 皆回 `200`、console error `0`、page error `0`、敏感字串命中 `0`、頁面級水平溢出 `false`。
- Browser 截圖:
- `/tmp/awoooi-iwooos-desktop-1280x720-8d31202b.png`
- `/tmp/awoooi-iwooos-mobile-390x844-8d31202b.png`

**完成度與邊界**:
- Host Service change evidence acceptance backfill:`0% -> 100%`。
- Docker / systemd / host service config 只讀成熟度:`58% -> 62%`。
- 高價值配置平均成熟度:維持 `70%`;needs-live-evidence 類別維持 `10`。
- IwoooS headline 維持 `64%`;active runtime gate 維持 `0`。
- owner evidence received / accepted、Docker daemon accepted、compose accepted、systemd accepted、failed unit accepted、port binding accepted、public route accepted、operator notification accepted、runtime gate 全部為 `0`。
- 本輪未 SSH、未讀 live host / raw journal / raw config / raw env、未執行 Docker / systemctl / repair bot / Ansible、未 reload Nginx、未改 firewall / iptables、未執行 active scan、未收 secrets 明文、未 force push。
- 同步狀態:等待本筆 LOGBOOK commit 完成後同步另一個 AwoooP Session;下一優先為 AI provider / model routing / Ollama proxy / cost privacy owner evidence gate(目前 `60%`)。

## 2026-06-15|Monitoring / Alerting / Observability no-false-green 回補 Gate

**背景**:事故後不能把 public route `200`、container up、dashboard 可見或前台 UI 可見誤判成告警鏈路健康。本階段補強 Monitoring / Alerting / Observability owner response acceptance,只建立只讀收件欄位、reviewer checks、outcome lanes、blocked actions 與前台可視化;不 reload Prometheus / Alertmanager、不送 Telegram / webhook 測試、不 fire alert、不讀 raw alert payload、不 SSH、不 kubectl、不改主機。

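Review bot: in the 完成度與邊界 section, the line `Host Service change evidence acceptance backfill:`0% -> 100%`` sits directly above the line stating that every accepted count (owner evidence, Docker daemon, compose, systemd, failed unit, port binding, public route, operator notification) and the runtime gate are all `0`; say in the 100% line that it measures the read-only acceptance scaffold (candidates, evidence fields, reviewer checks, outcome lanes, blocked actions), not accepted host change evidence, otherwise the logbook reads as a false green for the exact surface it is gating, which is the failure mode the next entry's 背景 paragraph warns against. Two smaller points: the `70%` / needs-live-evidence `10` figures and the all-zero accepted counts appear word for word in both 完成項目 and 完成度與邊界, so keep one copy or turn the second into a delta; and the only Production 驗證 artifacts are two `/tmp/...png` screenshot paths that will not outlive the session, so record a content hash for each or archive them in the repository's evidence location next to the `_v=8d31202b-...` URLs they were taken from.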