fix(governance): 避免狀態清理儀表板曝光本機路徑

2026-06-24 23:48:18 +08:00
parent e4c13530fd
commit 9f3a5cdcdd
5 changed files with 33 additions and 13 deletions
--- a/apps/api/tests/test_awoooi_status_cleanup_dashboard.py
+++ b/apps/api/tests/test_awoooi_status_cleanup_dashboard.py
@@ -54,6 +54,9 @@ def test_load_latest_awoooi_status_cleanup_dashboard_reads_committed_snapshot():
    assert "live_metadata_env_gate=owner0_secret_metadata0_push0_deploy0_readback0_runtime0" in data["wazuh_handoff"]["boundary"]
    assert "wazuh_live_agent_registry_readback=0" in data["wazuh_handoff"]["boundary"]
    assert "manager_agent_registry_readback_passed=false" in data["wazuh_handoff"]["boundary"]
+    serialized = json.dumps(data, ensure_ascii=False)
+    assert "/Users/ogt" not in serialized
+    assert ".claude/projects" not in serialized
    assert {item["gate_id"] for item in data["gate_cards"]} >= {
        "status_cleanup_preflight",
        "owner_review_package",
--- a/docs/operations/AWOOOI-STATUS-CLEANUP-DASHBOARD-2026-06-24.md
+++ b/docs/operations/AWOOOI-STATUS-CLEANUP-DASHBOARD-2026-06-24.md
@@ -85,7 +85,7 @@
 - `owner_response_preflight:update_section_not_approved:iwooos_wazuh_boundary`
 - `owner_response_preflight:update_section_not_approved:latest_logbook_heading`
 - `owner_response_preflight:update_section_not_approved:operation_boundaries`
- `owner_response_preflight:target_path_not_approved:/Users/ogt/.claude/projects/-Users-ogt-awoooi/memory/project_current_status.md`
+- `owner_response_preflight:target_path_not_approved:awoooi_memory/project_current_status.md`
 - `owner_response_preflight:boundary_not_acknowledged:memory_write_authorized=false`
 - `owner_response_preflight:boundary_not_acknowledged:refs_sync_authorized=false`
 - `owner_response_preflight:boundary_not_acknowledged:repo_creation_authorized=false`
@@ -105,7 +105,7 @@
 - `apply_gate:final_flag_not_accepted:confirm_post_apply_validation`
 - `apply_gate:final_flag_not_accepted:confirm_no_runtime_or_wazuh_deploy`
 - `apply_gate:command_preview_not_confirmed`
- `apply_gate:target_path_not_confirmed:/Users/ogt/.claude/projects/-Users-ogt-awoooi/memory/project_current_status.md`
+- `apply_gate:target_path_not_confirmed:awoooi_memory/project_current_status.md`
 - `wazuh_boundary:Wazuh route / production 404 由另一受控 branch 處理；branch=codex/iwooos-wazuh-boundary-guard-20260624 base=b540fc0c commits=38dc3c2f,9a53d3e1,e9972d47,758d419e,04db4b8a,8eec298e,325f262a patch_sha_1=08f8b36d7261b0dde6bfb0c47597bd0727d578dec3335c5ff7ded2bcaa2b7eb4 patch_sha_2=e6ec8f8d10e8a2bd711c399fa14ba0ab2dfb22f8ab6a733402944302eec7da7c patch_sha_3=7e99bd5284a25519313aea05bb314d3386454b91ce86241424385752d358900d patch_sha_4=f4ffbaecd94d3696660766cc6f4a6bd195762bc533d9502f8edfed2bb8379fab patch_sha_5=9035d6c411bf86d0857970b69dd33631f052aa90de27e52d82d448d4b8e4cec5 patch_sha_6=d3bb98711a3ebf91b9936b41bc232b689befc68a4a7cec38bf9cab4c8d015827 patch_sha_7=5aa3e69fee9624d0ff3f2bfad90595a81eb9306ad6387d640690a85a2f8038d7 apply_proof=release_apply_check_20260624_2248 release_gate=source1_push0_deploy0_readback0_runtime0 release_lane_preflight=ready0_acks0of6_evidence0of6_push0_deploy0_readback0_runtime0 owner_gate=request_sent0_response_accepted0_acks0of6_evidence0of6_push0_deploy0_readback0_runtime0 live_metadata_env_gate=owner0_secret_metadata0_push0_deploy0_readback0_runtime0；wazuh_live_agent_registry_readback=0 manager_agent_registry_readback_passed=false iwooos_live_route_readback_passed=false dashboard_agent_list_recovered=false iwooos_wazuh_runtime_gate=0 active_response=0；push_blocked=missing_noninteractive_gitea_https_credential；本視窗不改 runtime / Nginx / Docker / K8s / firewall / Wazuh secret。 agent_visibility_status=blocked_waiting_manager_agent_registry_readback agent_visibility_runtime_gate_count=0`

 ## 強制閘門
--- a/docs/operations/AWOOOI-STATUS-CLEANUP-DASHBOARD.md
+++ b/docs/operations/AWOOOI-STATUS-CLEANUP-DASHBOARD.md
@@ -85,7 +85,7 @@
 - `owner_response_preflight:update_section_not_approved:iwooos_wazuh_boundary`
 - `owner_response_preflight:update_section_not_approved:latest_logbook_heading`
 - `owner_response_preflight:update_section_not_approved:operation_boundaries`
- `owner_response_preflight:target_path_not_approved:/Users/ogt/.claude/projects/-Users-ogt-awoooi/memory/project_current_status.md`
+- `owner_response_preflight:target_path_not_approved:awoooi_memory/project_current_status.md`
 - `owner_response_preflight:boundary_not_acknowledged:memory_write_authorized=false`
 - `owner_response_preflight:boundary_not_acknowledged:refs_sync_authorized=false`
 - `owner_response_preflight:boundary_not_acknowledged:repo_creation_authorized=false`
@@ -105,7 +105,7 @@
 - `apply_gate:final_flag_not_accepted:confirm_post_apply_validation`
 - `apply_gate:final_flag_not_accepted:confirm_no_runtime_or_wazuh_deploy`
 - `apply_gate:command_preview_not_confirmed`
- `apply_gate:target_path_not_confirmed:/Users/ogt/.claude/projects/-Users-ogt-awoooi/memory/project_current_status.md`
+- `apply_gate:target_path_not_confirmed:awoooi_memory/project_current_status.md`
 - `wazuh_boundary:Wazuh route / production 404 由另一受控 branch 處理；branch=codex/iwooos-wazuh-boundary-guard-20260624 base=b540fc0c commits=38dc3c2f,9a53d3e1,e9972d47,758d419e,04db4b8a,8eec298e,325f262a patch_sha_1=08f8b36d7261b0dde6bfb0c47597bd0727d578dec3335c5ff7ded2bcaa2b7eb4 patch_sha_2=e6ec8f8d10e8a2bd711c399fa14ba0ab2dfb22f8ab6a733402944302eec7da7c patch_sha_3=7e99bd5284a25519313aea05bb314d3386454b91ce86241424385752d358900d patch_sha_4=f4ffbaecd94d3696660766cc6f4a6bd195762bc533d9502f8edfed2bb8379fab patch_sha_5=9035d6c411bf86d0857970b69dd33631f052aa90de27e52d82d448d4b8e4cec5 patch_sha_6=d3bb98711a3ebf91b9936b41bc232b689befc68a4a7cec38bf9cab4c8d015827 patch_sha_7=5aa3e69fee9624d0ff3f2bfad90595a81eb9306ad6387d640690a85a2f8038d7 apply_proof=release_apply_check_20260624_2248 release_gate=source1_push0_deploy0_readback0_runtime0 release_lane_preflight=ready0_acks0of6_evidence0of6_push0_deploy0_readback0_runtime0 owner_gate=request_sent0_response_accepted0_acks0of6_evidence0of6_push0_deploy0_readback0_runtime0 live_metadata_env_gate=owner0_secret_metadata0_push0_deploy0_readback0_runtime0；wazuh_live_agent_registry_readback=0 manager_agent_registry_readback_passed=false iwooos_live_route_readback_passed=false dashboard_agent_list_recovered=false iwooos_wazuh_runtime_gate=0 active_response=0；push_blocked=missing_noninteractive_gitea_https_credential；本視窗不改 runtime / Nginx / Docker / K8s / firewall / Wazuh secret。 agent_visibility_status=blocked_waiting_manager_agent_registry_readback agent_visibility_runtime_gate_count=0`

 ## 強制閘門
--- a/docs/operations/awoooi-status-cleanup-dashboard.snapshot.json
+++ b/docs/operations/awoooi-status-cleanup-dashboard.snapshot.json
@@ -297,7 +297,7 @@
    "owner_response_preflight:update_section_not_approved:iwooos_wazuh_boundary",
    "owner_response_preflight:update_section_not_approved:latest_logbook_heading",
    "owner_response_preflight:update_section_not_approved:operation_boundaries",
-    "owner_response_preflight:target_path_not_approved:/Users/ogt/.claude/projects/-Users-ogt-awoooi/memory/project_current_status.md",
+    "owner_response_preflight:target_path_not_approved:awoooi_memory/project_current_status.md",
    "owner_response_preflight:boundary_not_acknowledged:memory_write_authorized=false",
    "owner_response_preflight:boundary_not_acknowledged:refs_sync_authorized=false",
    "owner_response_preflight:boundary_not_acknowledged:repo_creation_authorized=false",
@@ -317,7 +317,7 @@
    "apply_gate:final_flag_not_accepted:confirm_post_apply_validation",
    "apply_gate:final_flag_not_accepted:confirm_no_runtime_or_wazuh_deploy",
    "apply_gate:command_preview_not_confirmed",
-    "apply_gate:target_path_not_confirmed:/Users/ogt/.claude/projects/-Users-ogt-awoooi/memory/project_current_status.md",
+    "apply_gate:target_path_not_confirmed:awoooi_memory/project_current_status.md",
    "wazuh_boundary:Wazuh route / production 404 由另一受控 branch 處理；branch=codex/iwooos-wazuh-boundary-guard-20260624 base=b540fc0c commits=38dc3c2f,9a53d3e1,e9972d47,758d419e,04db4b8a,8eec298e,325f262a patch_sha_1=08f8b36d7261b0dde6bfb0c47597bd0727d578dec3335c5ff7ded2bcaa2b7eb4 patch_sha_2=e6ec8f8d10e8a2bd711c399fa14ba0ab2dfb22f8ab6a733402944302eec7da7c patch_sha_3=7e99bd5284a25519313aea05bb314d3386454b91ce86241424385752d358900d patch_sha_4=f4ffbaecd94d3696660766cc6f4a6bd195762bc533d9502f8edfed2bb8379fab patch_sha_5=9035d6c411bf86d0857970b69dd33631f052aa90de27e52d82d448d4b8e4cec5 patch_sha_6=d3bb98711a3ebf91b9936b41bc232b689befc68a4a7cec38bf9cab4c8d015827 patch_sha_7=5aa3e69fee9624d0ff3f2bfad90595a81eb9306ad6387d640690a85a2f8038d7 apply_proof=release_apply_check_20260624_2248 release_gate=source1_push0_deploy0_readback0_runtime0 release_lane_preflight=ready0_acks0of6_evidence0of6_push0_deploy0_readback0_runtime0 owner_gate=request_sent0_response_accepted0_acks0of6_evidence0of6_push0_deploy0_readback0_runtime0 live_metadata_env_gate=owner0_secret_metadata0_push0_deploy0_readback0_runtime0；wazuh_live_agent_registry_readback=0 manager_agent_registry_readback_passed=false iwooos_live_route_readback_passed=false dashboard_agent_list_recovered=false iwooos_wazuh_runtime_gate=0 active_response=0；push_blocked=missing_noninteractive_gitea_https_credential；本視窗不改 runtime / Nginx / Docker / K8s / firewall / Wazuh secret。 agent_visibility_status=blocked_waiting_manager_agent_registry_readback agent_visibility_runtime_gate_count=0"
  ],
  "next_actions": [
--- a/scripts/dev/awoooi-status-cleanup-dashboard.py
+++ b/scripts/dev/awoooi-status-cleanup-dashboard.py
@@ -20,6 +20,10 @@ from typing import Any


 TARGET_ROUTE = "/workspace/status-cleanup"
+PRIVATE_PROJECT_STATUS_PATH = (
+    "/Users/ogt/.claude/projects/-Users-ogt-awoooi/memory/project_current_status.md"
+)
+PUBLIC_PROJECT_STATUS_REF = "awoooi_memory/project_current_status.md"


 def utc_now_iso() -> str:
@@ -63,6 +67,10 @@ def append_boundary_tokens(boundary: str, tokens: list[str]) -> str:
    return " ".join(parts)


+def public_blocker_text(value: str) -> str:
+    return value.replace(PRIVATE_PROJECT_STATUS_PATH, PUBLIC_PROJECT_STATUS_REF)
+
+
 def section_value(owner_package: dict[str, Any], section_id: str) -> str:
    for item in owner_package.get("required_update_sections", []):
        if item.get("section_id") == section_id:
@@ -345,13 +353,22 @@ def build_payload(
            + str(wazuh_visibility.get("runtime_gate_count", 0)),
        ],
    )
-    blockers = unique_strings(
-        preflight.get("hard_gates", []),
-        [f"owner_response_preflight:{item}" for item in owner_response_preflight.get("blocking_reasons", [])],
-        [f"execution_plan_blocked_until:{item}" for item in execution_plan.get("blocked_until", [])],
-        [f"apply_gate:{item}" for item in apply_gate.get("blocking_reasons", [])],
-        [f"wazuh_boundary:{wazuh_boundary}"] if wazuh_boundary else [],
-    )
+    blockers = [
+        public_blocker_text(item)
+        for item in unique_strings(
+            preflight.get("hard_gates", []),
+            [
+                f"owner_response_preflight:{item}"
+                for item in owner_response_preflight.get("blocking_reasons", [])
+            ],
+            [
+                f"execution_plan_blocked_until:{item}"
+                for item in execution_plan.get("blocked_until", [])
+            ],
+            [f"apply_gate:{item}" for item in apply_gate.get("blocking_reasons", [])],
+            [f"wazuh_boundary:{wazuh_boundary}"] if wazuh_boundary else [],
+        )
+    ]
    actions = next_actions(owner_response_preflight, apply_gate)
    metrics = metric_cards(
        preflight,