From a192e5f56b2e99f87b46ff0f88b6022ada46c14f Mon Sep 17 00:00:00 2001
From: Your Name
Date: Sun, 31 May 2026 12:26:07 +0800
Subject: [PATCH] fix(web): avoid stale iwooos deploy evidence
---
 apps/web/messages/en.json | 2 +-
 apps/web/messages/zh-TW.json | 2 +-
 apps/web/src/app/[locale]/iwooos/page.tsx | 2 +-
 docs/LOGBOOK.md | 25 +++++++++++++
 .../IWOOOS-PRODUCTION-LANDING-EVIDENCE.md | 13 ++++++-
 .../security-mirror-progress-guard.py | 35 +++++++++++++++++++
 6 files changed, 75 insertions(+), 4 deletions(-)
diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json
index 986474e5..58e1ea29 100644
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -4905,7 +4905,7 @@
 },
 "productionEvidence": {
 "title": "正式部署證據",
- "body": "最新主線包含 IwoooS 任務板 commit;Gitea CD run 3261 的 tests、build-and-deploy、post-deploy-checks 皆完成。"
+ "body": "正式證據改以最新 Gitea main deploy marker 與 post-deploy success 為準,不再綁死單一舊 CD run。"
 },
 "progressBoundary": {
 "title": "整體進度邊界",
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json
index 7d43fc8a..c90bebc5 100644
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -4906,7 +4906,7 @@
 },
 "productionEvidence": {
 "title": "正式部署證據",
- "body": "最新主線包含 IwoooS 任務板 commit;Gitea CD run 3261 的 tests、build-and-deploy、post-deploy-checks 皆完成。"
+ "body": "正式證據改以最新 Gitea main deploy marker 與 post-deploy success 為準,不再綁死單一舊 CD run。"
 },
 "progressBoundary": {
 "title": "整體進度邊界",
diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx
index d62ff088..f1c7a47e 100644
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -628,7 +628,7 @@ const operatorNextTasks: IwoooSOperatorNextTask[] = [

 const stageCompletionReportItems: IwoooSStageCompletionReportItem[] = [
 { key: 'stageClosed', value: '完成', icon: CheckCircle2, tone: 'steady' },
- { key: 'productionEvidence', value: 'CD 3261', icon: Radar, tone: 'steady' },
+ { key: 'productionEvidence', value: 'deploy marker', icon: Radar, tone: 'steady' },
 { key: 'progressBoundary', value: '61%', icon: Activity, tone: 'warn' },
 { key: 'runtimeBoundary', value: 'Gate 0', icon: Lock, tone: 'locked' },
 ]
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 6dc12aa3..091a8baf 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,28 @@
+## 2026-05-31|IwoooS 部署證據去固定化
+
+**背景**:
+
+- IwoooS「階段完成回報」原本把正式部署證據寫成固定 `CD 3261`,但 Gitea main 會由多個 Session 持續推進,固定舊 run id 很快會變成過期資訊。
+- 本段只修正證據語意與 guard;不啟用 Kali、SSH、runtime gate、repo / refs / workflow / GitHub primary 或 Gitea 停用。
+
+**本次調整**:
+
+- `/zh-TW/iwooos` 階段完成回報的正式證據改為 `deploy marker`。
+- 文案改成以「最新 Gitea main deploy marker + post-deploy success」作為正式部署證據,而不是綁死單一舊 CD run。
+- `security-mirror-progress-guard.py` 新增防退化檢查,若 IwoooS stage report 頁面或 message 再出現 `CD 3261`,guard 會阻擋。
+
+**目前邊界**:
+
+```text
+headline_percent=61
+framework=86-88%
+runtime_landing=40-45%
+active_runtime_gate_count=0
+runtime_execution_authorized=false
+repo_creation_authorized=false
+deployment_evidence_rule=latest_gitea_main_deploy_marker_plus_post_deploy_success
+```
+
 ## 2026-05-29|NoAlertsReceived2Hours 誤報與 Prometheus canonical drift 修復

 **背景**:
diff --git a/docs/security/IWOOOS-PRODUCTION-LANDING-EVIDENCE.md b/docs/security/IWOOOS-PRODUCTION-LANDING-EVIDENCE.md
index 290b2dfe..c03c6d4f 100644
--- a/docs/security/IWOOOS-PRODUCTION-LANDING-EVIDENCE.md
+++ b/docs/security/IWOOOS-PRODUCTION-LANDING-EVIDENCE.md
@@ -94,7 +94,7 @@ gitea_disablement_authorized=false
 | 回報項目 | 目前值 | 說明 |
 |----------|--------|------|
 | 本階段已收斂 | `完成` | IwoooS 已完成摘要收斂與下一步任務板,使用者可在預設展開區直接看到目前資安工作狀態。 |
-| 正式部署證據 | `CD 3261` | 最新主線包含 IwoooS 任務板 commit;Gitea CD run `3261` 的 tests、build-and-deploy、post-deploy-checks 皆完成。 |
+| 正式部署證據 | `deploy marker` | 正式證據以最新 Gitea main deploy marker 與 post-deploy success 為準,不再綁死單一舊 CD run。 |
 | 整體進度邊界 | `61%` | 目前整體 `61%`、框架 `86-88%`、落地 `40-45%`。 |
 | 執行期仍關閉 | `Gate 0` | Kali、主機、repo、workflow 與 GitHub primary 仍停在 observe / readiness。 |

@@ -106,3 +106,14 @@ active_runtime_gate_count=0
 runtime_execution_authorized=false
 repo_creation_authorized=false
 ```
+
+## 9. 部署證據去固定化
+
+2026-05-31 追加防退化規則:IwoooS 階段完成回報不得再固定舊 CD run id。正式部署證據應以最新 `gitea/main` deploy marker 與 `post-deploy-checks` success 為準,避免多 Session 連續推進時頁面顯示過期證據。
+
+```text
+deployment_evidence_rule=latest_gitea_main_deploy_marker_plus_post_deploy_success
+stale_cd_run_literal_forbidden=CD 3261
+runtime_execution_authorized=false
+repo_creation_authorized=false
+```
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index d3d63c48..e9e3f8c8 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -7680,6 +7680,41 @@ def validate(root: Path) -> None:
 iwooos_projection_page,
 'data-testid="iwooos-stage-completion-report-board"',
 )
+ assert_text_not_contains(
+ "iwooos_page.stage_completion_report_stale_cd_run",
+ iwooos_projection_page,
+ "CD 3261",
+ )
+ stage_report_messages_zh = json.dumps(
+ web_messages_zh["iwooos"]["stageCompletionReport"],
+ ensure_ascii=False,
+ sort_keys=True,
+ )
+ stage_report_messages_en = json.dumps(
+ web_messages_en["iwooos"]["stageCompletionReport"],
+ ensure_ascii=False,
+ sort_keys=True,
+ )
+ assert_text_not_contains(
+ "iwooos_messages.stage_completion_report_stale_cd_run_zh",
+ stage_report_messages_zh,
+ "CD 3261",
+ )
+ assert_text_not_contains(
+ "iwooos_messages.stage_completion_report_stale_cd_run_en",
+ stage_report_messages_en,
+ "CD 3261",
+ )
+ assert_text_contains(
+ "iwooos_messages.stage_completion_report_deploy_marker_zh",
+ stage_report_messages_zh,
+ "deploy marker",
+ )
+ assert_text_contains(
+ "iwooos_messages.stage_completion_report_deploy_marker_en",
+ stage_report_messages_en,
+ "deploy marker",
+ )
 for text in [
 "headline_percent_after_this_stage=61",
 "headline_movement_signal_count=1",
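Review bot: The two message-side `assert_text_not_contains` calls search for the literal `CD 3261`, but the body this commit removes from en.json and zh-TW.json read `Gitea CD run 3261`, which does not contain that substring. Those checks would therefore have passed on the very text they are meant to keep out; only the page check matches the old value `'CD 3261'`. Cover both spellings as sketched below; the label suffix there is an assumption, because `assert_text_not_contains` is defined outside the hunk and may expect fixed check ids. The guard also pins a single run number, so any other hard-coded run id would still pass, and a pattern-based check would close that gap if the file already has a regex helper. `validate` starts before and continues after this hunk.

```python
    # … unchanged: page check and the two json.dumps(...) assignments …
    # The removed message body said "CD run 3261", so match that spelling too.
    for stale_literal in ("CD 3261", "CD run 3261"):
        assert_text_not_contains(
            f"iwooos_messages.stage_completion_report_stale_cd_run_zh:{stale_literal}",
            stage_report_messages_zh,
            stale_literal,
        )
        assert_text_not_contains(
            f"iwooos_messages.stage_completion_report_stale_cd_run_en:{stale_literal}",
            stage_report_messages_en,
            stale_literal,
        )
    # … unchanged: the two "deploy marker" assert_text_contains calls …
```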