From 7c415e5eaaaf45c356dcdd8dc8d48092aca5e845 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Mon, 15 Jun 2026 17:57:18 +0800
Subject: [PATCH] docs(iwooos): record alert-chain no-false-green verification [skip ci]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docs/LOGBOOK.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 09ddbe02..0143a232 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,52 @@ +## 2026-06-15|Monitoring / Alerting / Observability no-false-green 回補 Gate + +**背景**:事故後不能把 public route `200`、container up、dashboard 可見或前台 UI 可見誤判成告警鏈路健康。本階段補強 Monitoring / Alerting / Observability owner response acceptance,只建立只讀收件欄位、reviewer checks、outcome lanes、blocked actions 與前台可視化;不 reload Prometheus / Alertmanager、不送 Telegram / webhook 測試、不 fire alert、不讀 raw alert payload、不 SSH、不 kubectl、不改主機。 + +**完成項目**: +- `scripts/security/monitoring-owner-response-acceptance.py` 追加 incident context、alert chain health、receiver receipt proof、stale alert review、silence / dedup review、false-green risk review、post-reload readback plan 與 cross-project notification ref 欄位。 +- Monitoring owner response acceptance 固定為 acceptance fields `38`、required owner response fields `14`、reviewer checks `23`、outcome lanes `12`、blocked actions `34`。 +- 新增 no-false-green reviewer checks,明確阻擋「只用 route `200`、container up、dashboard up 或 UI 可見代表告警鏈路 up」。 +- 所有 incident context、alert chain health、receiver receipt、stale alert、silence / dedup、false-green risk、post-reload readback 與 cross-project notification accepted count 仍為 `0`;runtime gate 仍為 `0`。 +- `high-value-config-control-coverage` 將 `monitoring_alerting_observability` 只讀成熟度從 `66%` 推進到 `68%`,狀態為 `alert_chain_no_false_green_backfill_ready_needs_live_evidence_receipt`。 +- 高價值配置平均成熟度維持 `70%`;needs-live-evidence 類別維持 `10`。 +- `/zh-TW/iwooos` 前台顯示 `監控與告警設定`、`68%`、`no-false-green`、`23 個 reviewer checks`、`12 條 outcome lanes`、`34 類 blocked action`,並保持 `false-green accepted`、receiver receipt、stale alert、silence / dedup、post-reload readback accepted 全部為 `0`;`en.json` 維持繁中鏡像。 + +**本地驗證**: +- `python3 scripts/security/iwooos-config-control-guard.py --root .` → `IWOOOS_CONFIG_CONTROL_GUARD_OK`。 +- `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。 +- `python3 scripts/security/public-frontend-env-guard.py --root .` → `OK public frontend sensitive surface guard files=225 
patterns=12 allowlisted=2 violations=0 runtime_gate=0`。 +- `python3 scripts/security/source-control-owner-response-guard.py --root .` → `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。 +- `python3 scripts/security/package-supply-chain-owner-policy-guard.py --root .` → `PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK`。 +- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea` → `DOC_SECRET_SANITY_OK scanned_files=872`。 +- `python3 -m py_compile scripts/security/monitoring-owner-response-acceptance.py scripts/security/high-value-config-control-coverage.py scripts/security/iwooos-config-control-guard.py scripts/security/security-mirror-progress-guard.py` 通過。 +- `python3 -m json.tool docs/security/iwooos-posture-projection.snapshot.json > /dev/null` 通過。 +- `pnpm --filter @awoooi/web typecheck` 通過;`apps/web/tsconfig.tsbuildinfo` 只屬 typecheck 快取副作用,未納入提交。 +- `git diff --check` 通過。 + +**Gitea / CD**: +- Code commit:`8c1f9dca feat(iwooos): 強化告警鏈路 no-false-green gate`。 +- Code-review run:`3049`,成功。 +- CD run:`3048`,成功。 +- Deploy marker:`28f34c60 chore(cd): deploy 8c1f9dc [skip ci]`。 + +**Production 驗證**: +- HTML readback:`/zh-TW/iwooos?_v=28f34c60-monitoring-nfg-readback` 顯示 IwoooS、`70%`、`監控與告警設定`、`68%`、`no-false-green`、receiver receipt 與 false-green 相關文字;工作視窗文字、內部協作片段、raw blocker、原始 owner / repo namespace 與內網位址禁字命中 `0`。 +- Browser desktop `1280x720`:`/zh-TW/iwooos?_v=28f34c60-monitoring-nfg-fixed-desktop` 回 `200`,console error `0`,page error `0`,`horizontalOverflow=false`,必填文案缺漏 `0`,敏感字串命中 `0`。 +- Browser mobile `390x844`:`/zh-TW/iwooos?_v=28f34c60-monitoring-nfg-fixed-mobile` 回 `200`,console error `0`,page error `0`,`horizontalOverflow=false`,必填文案缺漏 `0`,敏感字串命中 `0`。 +- Browser mobile `390x844` 補充 route smoke:`/zh-TW/governance?tab=automation-inventory`、`/zh-TW/awooop/tenants`、`/zh-TW/code-review` 皆回 `200`、console error `0`、page error `0`、敏感字串命中 `0`;Tenants 手機版表格使用內部捲動容器,整頁 `scrollWidth=390`,無頁面級水平溢出。 +- Browser 截圖: + - `/tmp/awoooi-iwooos-desktop-1280x720-28f34c60.png` + - 
`/tmp/awoooi-iwooos-mobile-390x844-28f34c60.png` + +**完成度與邊界**: +- Monitoring / Alerting / Observability no-false-green owner response acceptance backfill:`0% -> 100%`。 +- Monitoring / alerting / observability 只讀成熟度:`66% -> 68%`。 +- 高價值配置平均成熟度:維持 `70%`;needs-live-evidence 類別維持 `10`。 +- IwoooS headline 維持 `64%`;active runtime gate 維持 `0`。 +- route `200` alert chain health accepted、receiver health without receipt accepted、false-green acceptance authorized、raw alert payload storage allowed 全部為 `false`。 +- incident context、alert chain health、receiver receipt、stale alert、silence / dedup、false-green risk、post-reload readback、cross-project notification accepted count 全部為 `0`。 +- 本輪未 SSH、未讀 live conf raw payload、未改 Nginx、未 reload Prometheus / Alertmanager、未送 Telegram / webhook 測試、未 fire alert、未改 Docker / service、未修改 firewall / iptables、未執行 active scan、未收 secrets 明文、未 force push。 + ## 2026-06-15|前台敏感資訊防洩漏 Guard 與 public runtime config 可視化 **背景**:AwoooP / IwoooS 前台不可暴露原始 owner / repo namespace、內部 blocked 狀態、工作視窗溝通內容、內網 IP 或可識別個人資訊。本階段把前台敏感資訊檢查從人工掃描提升為可重跑 guard 與 snapshot,並將 public / admin / API runtime config 的防洩漏成熟度放到 IwoooS 前台;仍只做只讀驗證,不授權 route / CORS / env / deploy / runtime 變更。
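Review bot: the commit subject carries `[skip ci]`, so none of the guards listed under 本地驗證 in this hunk, in particular `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea`, run in CI against the 49 logbook lines added here, and the entry does not say whether the recorded `DOC_SECRET_SANITY_OK scanned_files=872` run already covered this text or only the tree at feature commit `8c1f9dca`. Either drop `[skip ci]` or add one line to 本地驗證 recording a fresh local run of that check against this entry, since an entry whose thesis is that a `200` without a receipt is not evidence should not ship its own prose unscanned. Two smaller points in the same hunk: the HTML readback uses `_v=28f34c60-monitoring-nfg-readback` while the browser passes use `_v=28f34c60-monitoring-nfg-fixed-desktop` and `_v=28f34c60-monitoring-nfg-fixed-mobile`, which implies a fix landed between the two passes that the entry never describes, so state what changed or drop the `fixed` suffix; and the only screenshot evidence is `/tmp/awoooi-iwooos-desktop-1280x720-28f34c60.png` and `/tmp/awoooi-iwooos-mobile-390x844-28f34c60.png`, paths that will not outlive the runner, so attach them to CD run `3048` or record their hashes beside the paths.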