fix(k8s): Bug #11+#12 — SSH egress 白名單 + repair-ssh-key 讀取權限

Bug #11 (NetworkPolicy): allow-required-egress 缺少 192.168.0.110:22
  - K8s Pod 到 110 的 SSH port 22 被 default-deny-all 封鎖
  - 自動修復的 SSH_COMMAND Playbook 必然 Connection refused
  - 修正: 加入 port 22 到 110 的 egress 白名單

Bug #12 (Deployment): repair-ssh-key Secret defaultMode=0400 (root-only)
  - Pod 以 appuser(UID 1000) 跑，無法讀取 root-owned 的 SSH key
  - ssh 報錯: "Load key: Permission denied"
  - 修正: 加入 securityContext.fsGroup=1000，讓 appuser 透過 group read 存取
  - 已驗證: Pod 內 ssh → repair-bot-110 → REPAIR_OK:sentry ✅

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

k8s/awoooi-prod/02-network-policy.yaml

@@ -121,9 +121,10 @@ spec:
         - protocol: TCP
           port: 11434
 
-    # 允許訪問 192.168.0.110 DevOps 金庫 (Harbor + Sentry + Langfuse)
+    # 允許訪問 192.168.0.110 DevOps 金庫 (Harbor + Sentry + Langfuse + SSH Repair)
     # 2026-03-24 新增: Sentry Self-Hosted
     # 2026-03-26 新增: Langfuse LLMOps (Phase 15.1)
+    # 2026-04-09 新增: SSH port 22 — repair-bot-110.sh 自動修復 (Bug #11 修正)
     - to:
         - ipBlock:
             cidr: 192.168.0.110/32
@@ -137,6 +138,10 @@ spec:
         # Langfuse LLMOps (Phase 15.1)
         - protocol: TCP
           port: 3100
+        # SSH — repair-bot-110.sh 自動修復執行路徑
+        # ADR-062: SSH_COMMAND Playbook 需要 K8s Pod → 110:22 的 egress
+        - protocol: TCP
+          port: 22
 
     # 允許訪問 192.168.0.112 安全掃描服務
     - to:

k8s/awoooi-prod/06-deployment-api.yaml

@@ -36,6 +36,11 @@ spec:
       # Phase 7: 使用 RBAC ServiceAccount (最小權限)
       serviceAccountName: awoooi-executor
       automountServiceAccountToken: true
+      # 2026-04-09 Claude Sonnet 4.6 Asia/Taipei: Bug #12 修正
+      # fsGroup=1000 讓 appuser(1000) 可讀取 defaultMode=0400 的 repair-ssh-key Secret
+      # SSH 要求 key 必須是 owner-only (0400/0600)，0444 會被拒絕
+      securityContext:
+        fsGroup: 1000
       containers:
         - name: api
           # 映像標籤由 CI/CD 動態注入 (格式: {sha}-{run_id})