docs(iwooos): 記錄告警鏈路 no-false-green 驗證 [skip ci]
This commit is contained in:
Your Name
@@ -1,3 +1,52 @@
|
||||
## 2026-06-15|Monitoring / Alerting / Observability no-false-green 回補 Gate
|
||||
|
||||
**背景**:事故後不能把 public route `200`、container up、dashboard 可見或前台 UI 可見誤判成告警鏈路健康。本階段補強 Monitoring / Alerting / Observability owner response acceptance,只建立只讀收件欄位、reviewer checks、outcome lanes、blocked actions 與前台可視化;不 reload Prometheus / Alertmanager、不送 Telegram / webhook 測試、不 fire alert、不讀 raw alert payload、不 SSH、不 kubectl、不改主機。
|
||||
|
||||
**完成項目**:
|
||||
- `scripts/security/monitoring-owner-response-acceptance.py` 追加 incident context、alert chain health、receiver receipt proof、stale alert review、silence / dedup review、false-green risk review、post-reload readback plan 與 cross-project notification ref 欄位。
|
||||
- Monitoring owner response acceptance 固定為 acceptance fields `38`、required owner response fields `14`、reviewer checks `23`、outcome lanes `12`、blocked actions `34`。
|
||||
- 新增 no-false-green reviewer checks,明確阻擋「只用 route `200`、container up、dashboard up 或 UI 可見代表告警鏈路 up」。
|
||||
- 所有 incident context、alert chain health、receiver receipt、stale alert、silence / dedup、false-green risk、post-reload readback 與 cross-project notification accepted count 仍為 `0`;runtime gate 仍為 `0`。
|
||||
- `high-value-config-control-coverage` 將 `monitoring_alerting_observability` 只讀成熟度從 `66%` 推進到 `68%`,狀態為 `alert_chain_no_false_green_backfill_ready_needs_live_evidence_receipt`。
|
||||
- 高價值配置平均成熟度維持 `70%`;needs-live-evidence 類別維持 `10`。
|
||||
- `/zh-TW/iwooos` 前台顯示 `監控與告警設定`、`68%`、`no-false-green`、`23 個 reviewer checks`、`12 條 outcome lanes`、`34 類 blocked action`,並保持 `false-green accepted`、receiver receipt、stale alert、silence / dedup、post-reload readback accepted 全部為 `0`;`en.json` 維持繁中鏡像。
|
||||
|
||||
**本地驗證**:
|
||||
- `python3 scripts/security/iwooos-config-control-guard.py --root .` → `IWOOOS_CONFIG_CONTROL_GUARD_OK`。
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。
|
||||
- `python3 scripts/security/public-frontend-env-guard.py --root .` → `OK public frontend sensitive surface guard files=225 patterns=12 allowlisted=2 violations=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/source-control-owner-response-guard.py --root .` → `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。
|
||||
- `python3 scripts/security/package-supply-chain-owner-policy-guard.py --root .` → `PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK`。
|
||||
- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea` → `DOC_SECRET_SANITY_OK scanned_files=872`。
|
||||
- `python3 -m py_compile scripts/security/monitoring-owner-response-acceptance.py scripts/security/high-value-config-control-coverage.py scripts/security/iwooos-config-control-guard.py scripts/security/security-mirror-progress-guard.py` 通過。
|
||||
- `python3 -m json.tool docs/security/iwooos-posture-projection.snapshot.json > /dev/null` 通過。
|
||||
- `pnpm --filter @awoooi/web typecheck` 通過;`apps/web/tsconfig.tsbuildinfo` 只屬 typecheck 快取副作用,未納入提交。
|
||||
- `git diff --check` 通過。
|
||||
|
||||
**Gitea / CD**:
|
||||
- Code commit:`8c1f9dca feat(iwooos): 強化告警鏈路 no-false-green gate`。
|
||||
- Code-review run:`3049`,成功。
|
||||
- CD run:`3048`,成功。
|
||||
- Deploy marker:`28f34c60 chore(cd): deploy 8c1f9dc [skip ci]`。
|
||||
|
||||
**Production 驗證**:
|
||||
- HTML readback:`/zh-TW/iwooos?_v=28f34c60-monitoring-nfg-readback` 顯示 IwoooS、`70%`、`監控與告警設定`、`68%`、`no-false-green`、receiver receipt 與 false-green 相關文字;工作視窗文字、內部協作片段、raw blocker、原始 owner / repo namespace 與內網位址禁字命中 `0`。
|
||||
- Browser desktop `1280x720`:`/zh-TW/iwooos?_v=28f34c60-monitoring-nfg-fixed-desktop` 回 `200`,console error `0`,page error `0`,`horizontalOverflow=false`,必填文案缺漏 `0`,敏感字串命中 `0`。
|
||||
- Browser mobile `390x844`:`/zh-TW/iwooos?_v=28f34c60-monitoring-nfg-fixed-mobile` 回 `200`,console error `0`,page error `0`,`horizontalOverflow=false`,必填文案缺漏 `0`,敏感字串命中 `0`。
|
||||
- Browser mobile `390x844` 補充 route smoke:`/zh-TW/governance?tab=automation-inventory`、`/zh-TW/awooop/tenants`、`/zh-TW/code-review` 皆回 `200`、console error `0`、page error `0`、敏感字串命中 `0`;Tenants 手機版表格使用內部捲動容器,整頁 `scrollWidth=390`,無頁面級水平溢出。
|
||||
- Browser 截圖:
|
||||
- `/tmp/awoooi-iwooos-desktop-1280x720-28f34c60.png`
|
||||
- `/tmp/awoooi-iwooos-mobile-390x844-28f34c60.png`
|
||||
|
||||
**完成度與邊界**:
|
||||
- Monitoring / Alerting / Observability no-false-green owner response acceptance backfill:`0% -> 100%`。
|
||||
- Monitoring / alerting / observability 只讀成熟度:`66% -> 68%`。
|
||||
- 高價值配置平均成熟度:維持 `70%`;needs-live-evidence 類別維持 `10`。
|
||||
- IwoooS headline 維持 `64%`;active runtime gate 維持 `0`。
|
||||
- route `200` alert chain health accepted、receiver health without receipt accepted、false-green acceptance authorized、raw alert payload storage allowed 全部為 `false`。
|
||||
- incident context、alert chain health、receiver receipt、stale alert、silence / dedup、false-green risk、post-reload readback、cross-project notification accepted count 全部為 `0`。
|
||||
- 本輪未 SSH、未讀 live conf raw payload、未改 Nginx、未 reload Prometheus / Alertmanager、未送 Telegram / webhook 測試、未 fire alert、未改 Docker / service、未修改 firewall / iptables、未執行 active scan、未收 secrets 明文、未 force push。
|
||||
|
||||
## 2026-06-15|前台敏感資訊防洩漏 Guard 與 public runtime config 可視化
|
||||
|
||||
**背景**:AwoooP / IwoooS 前台不可暴露原始 owner / repo namespace、內部 blocked 狀態、工作視窗溝通內容、內網 IP 或可識別個人資訊。本階段把前台敏感資訊檢查從人工掃描提升為可重跑 guard 與 snapshot,並將 public / admin / API runtime config 的防洩漏成熟度放到 IwoooS 前台;仍只做只讀驗證,不授權 route / CORS / env / deploy / runtime 變更。
|
||||
|
||||
Reference in New Issue
Block a user