From bae6423d72c2d430296c19cb624586273a65a5c1 Mon Sep 17 00:00:00 2001
From: ogt
Date: Fri, 26 Jun 2026 06:36:51 +0800
Subject: [PATCH] docs(ops): show escrow gaps in reboot quick check [skip ci]

---
 docs/LOGBOOK.md | 2 ++
 docs/runbooks/REBOOT-POST-START-QUICK-CHECK.md | 2 ++
 scripts/reboot-recovery/post-start-quick-check.sh | 8 ++++++++
 3 files changed, 12 insertions(+)

diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 1aed803e..59cf7855 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -15,11 +15,13 @@
 **完成**:
 - `scripts/reboot-recovery/post-start-quick-check.sh` public route gate 新增 retry:預設 `ROUTE_RETRY_ATTEMPTS=3`、`ROUTE_RETRY_DELAY_SECONDS=2`。
 - Retry 後恢復的 route 會列為 `evidence_warn recovered_after_attempt=`;只有連續失敗才算 `BLOCKED`。
+- Escrow 缺口存在時,wrapper 會只讀呼叫 `/backup/scripts/mark-credential-escrow-verified.sh --status` 並列出缺項;不寫 marker、不讀 secret。
 - 更新 `FULL-STACK-COLD-START-SOP.md` v1.61、`REBOOT-POST-START-QUICK-CHECK.md` v1.6、recovery workplan 與 `BACKUP-STATUS.md`。
 
 **驗證**:
 - `bash -n scripts/reboot-recovery/post-start-quick-check.sh` 通過。
 - Route-only wrapper:`PASS=31 WARN=0 BLOCKED=0`,`RESULT=GREEN`。
+- Backup-only wrapper:`PASS=10 WARN=2 BLOCKED=0`,列出缺 `restic_repository_password`、`offsite_provider_credentials`、`break_glass_admin_credentials`、`dns_registrar_recovery`、`oauth_ai_provider_recovery`。
 - Core wrapper with routes skipped:`PASS=15 WARN=2 BLOCKED=0`,warning split `SERVICE=0 BOUNDARY=1 EVIDENCE=1`,`RESULT=FULL_STACK_GREEN_DR_ESCROW_BLOCKED`。
 
 **做過的命令類型**:
diff --git a/docs/runbooks/REBOOT-POST-START-QUICK-CHECK.md b/docs/runbooks/REBOOT-POST-START-QUICK-CHECK.md
index 6e74672e..be7653ed 100644
--- a/docs/runbooks/REBOOT-POST-START-QUICK-CHECK.md
+++ b/docs/runbooks/REBOOT-POST-START-QUICK-CHECK.md
@@ -53,6 +53,8 @@ scripts/reboot-recovery/post-start-quick-check.sh --no-color
 
 Public route gate 自 v1.6 起會使用 `ROUTE_RETRY_ATTEMPTS`(預設 `3`)與 `ROUTE_RETRY_DELAY_SECONDS`(預設 `2`)重試。單次 `000` / timeout 若 retry 後恢復,應列為 evidence warning 或 transient route evidence,不可直接當成網站仍壞;只有連續失敗才是 service blocker。
 
+Credential escrow gate 自 v1.6 起在 `escrow_missing>0` 時,會只讀呼叫 `/backup/scripts/mark-credential-escrow-verified.sh --status` 並列出缺項。這只是 evidence readback,不會寫 marker、不會讀密碼、不會降低 DR blocker;用途是讓 operator 立即知道缺的是哪幾個非 secret evidence marker。
+
 Wrapper 必須先解析 cold-start summary,不可只看 cold-start exit code:
 - cold-start `BLOCKED>0`:wrapper 才可判定 `BLOCKED`。
diff --git a/scripts/reboot-recovery/post-start-quick-check.sh b/scripts/reboot-recovery/post-start-quick-check.sh
index 889ca025..4109fb3d 100755
--- a/scripts/reboot-recovery/post-start-quick-check.sh
+++ b/scripts/reboot-recovery/post-start-quick-check.sh
@@ -345,6 +345,14 @@ if [[ "$RUN_BACKUP" -eq 1 ]]; then
     ok "credential escrow missing is 0"
   elif grep -Eq 'escrow_missing=[1-9]|ESCROW_MISSING_COUNT[ =][1-9]' "$backup_tmp"; then
     boundary_warn "credential escrow still missing; DR_COMPLETE is forbidden"
+    escrow_status_tmp="$(mktemp -t post-start-escrow-status.XXXXXX)"
+    if ssh_read "wooo@192.168.0.110" '/backup/scripts/mark-credential-escrow-verified.sh --status' >"$escrow_status_tmp" 2>&1; then
+      evidence_warn "credential escrow missing items follow"
+    else
+      evidence_warn "credential escrow missing item readback failed"
+    fi
+    cat "$escrow_status_tmp"
+    rm -f "$escrow_status_tmp"
   else
     evidence_warn "credential escrow count not found"
   fi
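Review bot: The `mktemp` on the first added line is unchecked and the temp file is only deleted on the normal path, so a failed `mktemp` turns the redirect into `>""` and the readback is then reported as failed for the wrong reason, while an interrupt between creation and the `rm -f` leaves the file behind. Wrap the readback in `if escrow_status_tmp="$(mktemp -t post-start-escrow-status.XXXXXX)"; then …` with an `else` that emits an `evidence_warn`, and register the path with whatever cleanup the script already uses for `$backup_tmp` (that trap, if any, is outside the hunk). The `cat "$escrow_status_tmp"` line also replays the remote command's stdout and stderr verbatim; indenting it (`sed 's/^/    /' "$escrow_status_tmp"`) keeps remote text from being read as one of the wrapper's own `ok`/`warn` verdict lines. The literal `wooo@192.168.0.110` is presumably the same host the earlier backup check above this hunk contacts; if that check already holds it in a variable, reuse it here. The enclosing `if [[ "$RUN_BACKUP" -eq 1 ]]` block starts and ends outside the hunk.
```shell
    boundary_warn "credential escrow still missing; DR_COMPLETE is forbidden"
    if escrow_status_tmp="$(mktemp -t post-start-escrow-status.XXXXXX)"; then
      # … unchanged: ssh_read --status readback and its evidence_warn branches …
      # Indent remote output so it cannot be mistaken for one of this wrapper's own verdict lines.
      sed 's/^/    /' "$escrow_status_tmp"
      rm -f -- "$escrow_status_tmp"
    else
      evidence_warn "credential escrow missing item readback skipped: mktemp failed"
    fi
```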