fix(security): add high-value config Gate P0 path coverage [skip ci]

Your Name
2026-06-14 17:11:44 +08:00
parent 14be52ca77
commit dd8c2c0924
7 changed files with 141 additions and 106 deletions


@@ -74,6 +74,7 @@
| P0-7 | Telegram 批准後執行真相鏈止血 | 100% | no-action approval 不再顯示批准 / 執行中;可執行修復 approval 會寫入 `auto_repair_executions`、KM 與 verifier下一步補 MCP evidence / PlayBook trust 產生真正修復候選 | 目標 pytest `125 passed`、py_compile、guard、production health、API / worker rollout、production pod classifier readback |
| P0-8 | Telegram no-action 人工處置包與操作入口 | 100% | no-action 卡片已新增人工處置包、證據補齊清單、AwoooP 修復候選建立步驟、verifier / KM / PlayBook 回寫提醒,並改成 `處置包``重診``歷史``靜默``真相鏈``Runs` 鍵盤;舊訊息不 retroactive 改寫 | 目標 pytest `64 passed + 44 passed`、py_compile、guard、production health、API / worker rollout、production pod render / keyboard smoke |
| P0-9 | MCP evidence -> PlayBook 修復候選產生 | D5 `88%` | 已補 webhook fallback 先建立 incident再收 MCP evidence、查 approved PlayBook、檢查 trust / command safety、產生 medium approval candidate 與 verifier planD1 追加通用兜底 PlayBook / 診斷型命令不可誤當修復、阻擋理由繁中化D2 在缺候選時產生 `repair_candidate_draft_package_v1``playbook_draft_required`、下一步與必填欄位D3 新增 `awooop_repair_candidate_draft_work_item_v1` read-only projection 與 Telegram `工作項目` deeplinkD4 讓 AwoooP Work Items 詳細呈現 PlayBook 草案處置板、必填欄位、阻擋原因、下一步、Runs / 審批連結D5 新增 `repair_candidate_coverage_gap_v1`,讓 blocked result 帶出 coverage key、target kind、blocking stage、必收 MCP evidence refs、PlayBook template fields 與 runtime 0 / false 邊界;下一步要補 MCP tool call/result 詳細證據面與真實告警 approval -> execution -> verifier -> KM / PlayBook 回寫 | 目標 pytest `7 passed`、py_compile、guard、diff check後續部署後需補 production health、API / worker rollout 與 production pod metadata render smokestatus-chain 後續仍必須看到 tool call、PlayBook id、risk gate、repair candidate、verifier plan |
| P0-10 | 高價值配置 Gate path coverage 補強 | 100% | 已將 `k8s/nginx/**``scripts/ops/**/*cert*``scripts/ops/**/*tls*` 納入 `high-value-config-change-gate.py`,讓 Nginx public gateway 與 DNS / TLS / certbot 既有路徑命中 P0 / C0owner evidence 仍未提供runtime execution 仍 false | `high-value-config-change-gate.py` sample補強後 `changed_files=6 matched=6 categories=3 c0=2 c1=0``py_compile`、snapshot JSON parse、progress guard、owner response guard、doc secret sanity、diff check |
## 3. S4.9 Owner Response Gate 規範
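Review bot: the verification column of the new P0-10 row only records a sample run in which every changed file matched (`changed_files=6 matched=6 categories=3 c0=2 c1=0`), so it does not show that the three new patterns (`k8s/nginx/**`, `scripts/ops/**/*cert*`, `scripts/ops/**/*tls*`) leave unrelated paths unmatched, nor how `**` is interpreted by the matcher in `high-value-config-change-gate.py` (glob libraries differ on whether `**` crosses directory separators). Suggest adding a fixture-based regression test with both positive paths (a nested TLS or cert script under `scripts/ops/`, a file under `k8s/nginx/`) and negative paths (an unrelated file under `scripts/ops/`) so the coverage claim is pinned rather than smoke-tested. Separately, the row is marked 100% while the same row states that owner evidence is still not provided and runtime execution is still false; either scope the 100% explicitly to path coverage or keep the status below 100% until those items are closed.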