docs(iwooos): 記錄 Nginx 事故回讀 gate [skip ci]

2026-06-16 10:46:22 +08:00
parent 21d502441a
commit dfee85c034
1 changed files with 62 additions and 0 deletions
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,65 @@
+## 2026-06-16｜Public Gateway / Nginx 事故後回讀 Gate
+
+**背景**：Nginx / Public Gateway 控制公開網站、API、管理路由、Webhook、WebSocket、TLS / ACME 與 Ollama / AI provider proxy；近期端口與 gateway 類事故證明，route `200`、Nginx active、dashboard up、CD success 或 UI 可見都不能當成事故已驗收。本階段補上 Public Gateway / Nginx post-incident readback plan，只建立事故後回讀候選、必填欄位、reviewer checks、outcome lanes、blocked actions 與前台 marker；不 SSH、不讀 live Nginx conf、不執行 `nginx -t`、不 reload、不做 route smoke、不改 DNS / TLS、不 renew cert、不寫主機。
+
+**完成項目**：
+- 新增 `scripts/security/public-gateway-post-incident-readback-plan.py` 與 `docs/security/public-gateway-post-incident-readback-plan.snapshot.json`。
+- 新增 `docs/security/PUBLIC-GATEWAY-POST-INCIDENT-READBACK-PLAN.md`，把 `host188_all_sites`、`host188_internal_tools_https`、`host110_ollama_proxy` 三個 gateway surface 轉成事故後回讀計畫。
+- Post-incident readback plan 固定為 candidates `3`、C0 candidates `2`、C1 candidates `1`、write-capable candidates `3`、readback fields `36`、required readback fields `30`、reviewer checks `28`、outcome lanes `10`、blocked actions `41`。
+- 必填回讀欄位包含 incident / change ref、actor attribution、change time window、change intent / break-glass、before / after route state、source-to-live diff、owner-provided `nginx -t` readback、reload / no-reload、route smoke、TLS / ACME、WebSocket、upstream、AI provider、monitoring、operator notification、cross-project sync、rollback validation、post-change monitoring、postcheck、recurrence guard 與 no-false-green attestation。
+- 所有 post-incident readback received / accepted、actor accepted、before / after route state accepted、source-live diff accepted、`nginx -t` accepted、reload / no-reload accepted、route smoke accepted、TLS / ACME accepted、WebSocket accepted、upstream accepted、AI provider accepted、monitoring accepted、cross-project sync accepted、runtime gate 與 action button 仍為 `0 / false`。
+- `nginx_public_gateway` 只讀成熟度從 `90%` 推進到 `92%`，狀態為 `post_incident_readback_plan_ready_needs_public_gateway_owner_evidence`。
+- 高價值配置平均成熟度維持 `71%`；needs-live-evidence 類別維持 `9`；IwoooS headline 維持 `64%`；active runtime gate 維持 `0`。
+- `/zh-TW/iwooos` 前台高價值配置卡片更新為 Nginx / Public Gateway `92% / readback 0`，並在展開邊界中保留 `public_gateway_post_incident_readback_plan_candidate_count=3`、`blocked_action_count=41`、`runtime_gate_count=0` 等 marker。
+- `/zh-TW/awooop/tenants` 維持脫敏資產台帳：前台只顯示產品 / 專案代號、脫敏範圍代號、控管狀態與閘門數，不顯示原始個人 namespace、原始 repo namespace、raw blocker 狀態或內部協作語句。
+
+**本地驗證**：
+- `python3 scripts/security/public-gateway-post-incident-readback-plan.py --root . --source-report docs/security/public-gateway-rendered-diff-acceptance.snapshot.json --output docs/security/public-gateway-post-incident-readback-plan.snapshot.json --generated-at 2026-06-15T22:10:00+08:00` → `PUBLIC_GATEWAY_POST_INCIDENT_READBACK_PLAN_OK candidates=3 c0=2 checks=28 lanes=10 accepted=0 runtime_gate=0`。
+- JSON parse 驗證 `docs/security/public-gateway-post-incident-readback-plan.snapshot.json`、`docs/security/high-value-config-control-coverage.snapshot.json`、`docs/security/iwooos-posture-projection.snapshot.json`、`docs/schemas/iwooos_posture_projection_v1.schema.json`、`apps/web/messages/zh-TW.json`、`apps/web/messages/en.json` 通過。
+- `python3 -m py_compile scripts/security/public-gateway-post-incident-readback-plan.py scripts/security/high-value-config-control-coverage.py scripts/security/iwooos-config-control-guard.py scripts/security/security-mirror-progress-guard.py` 通過。
+- `python3 scripts/security/iwooos-config-control-guard.py --root .` → `IWOOOS_CONFIG_CONTROL_GUARD_OK`。
+- `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。
+- `python3 scripts/security/public-frontend-env-guard.py --root .` → `OK public frontend sensitive surface guard files=225 patterns=12 allowlisted=2 violations=0 runtime_gate=0`。
+- `python3 scripts/security/source-control-owner-response-guard.py --root .` → `SOURCE_CONTROL_OWNER_RESPONSE_GUARD_OK`。
+- `python3 scripts/security/package-supply-chain-owner-policy-guard.py --root .` → `PACKAGE_SUPPLY_CHAIN_OWNER_POLICY_GUARD_OK`。
+- `python3 scripts/ops/doc-secrets-sanity-check.py docs .gitea` → `DOC_SECRET_SANITY_OK scanned_files=885`。
+- `pnpm --filter @awoooi/web typecheck` 通過；`apps/web/tsconfig.tsbuildinfo` 只屬 typecheck 快取副作用，未納入提交。
+- `git diff --check` 通過；前端敏感顯示面掃描 raw namespace、raw blocker、工作視窗片語與內部協作字串命中 `0`。
+
+**Gitea / CD**：
+- Code commit：`5254a0c8 feat(iwooos): 新增 Nginx 事故回讀 gate`。
+- Code-review run：`3064`，公開 Actions 頁顯示成功。
+- CD run：`3063`，公開 Actions 頁顯示成功。
+- Deploy marker：`21d50244 chore(cd): deploy 5254a0c [skip ci]`。
+- API health：`https://awoooi.wooo.work/api/v1/health` healthy；postgres、redis、openclaw、signoz、ollama route、`ollama_gcp_a`、`ollama_gcp_b`、`ollama_local` 均回報 up。
+
+**Production 驗證**：
+- 內建瀏覽器自動化通道 attach 逾時兩次，改用本機 Google Chrome headless 對相同 production URL 做只讀 smoke；未使用登入 token、未讀 secrets、未進行寫操作。
+- HTML readback：`/zh-TW/iwooos?_v=21d50244-nginx-readback-prod-probe` 回 `200`，Nginx readback 必要字串缺漏 `0`，敏感 / 內部協作片語命中 `0`。
+- HTML readback：`/zh-TW/awooop/tenants?_v=21d50244-nginx-readback-prod-probe` 回 `200`，租戶 / IwoooS / AWOOOI 可見，敏感 / 內部協作片語命中 `0`。
+- Chrome desktop `1440x1100`：`/zh-TW/iwooos?_v=21d50244-nginx-readback-prod-desktop` 回 `200`，`Nginx 公開入口` 與 `92% / readback 0` 可見，敏感 / 內部協作片語命中 `0`，`horizontalOverflow=false`，`scrollWidth=1440`，`clientWidth=1440`。
+- Chrome mobile `390x844`：`/zh-TW/iwooos?_v=21d50244-nginx-readback-prod-mobile` 回 `200`，`Nginx 公開入口` 與 `92% / readback 0` 可見，敏感 / 內部協作片語命中 `0`，`horizontalOverflow=false`，`scrollWidth=390`，`clientWidth=390`。
+- Chrome desktop expanded `1440x1100`：`/zh-TW/iwooos?_v=21d50244-nginx-readback-expanded` 展開所有 `details` 後，三個 Public Gateway post-incident marker 缺漏 `0`，敏感 / 內部協作片語命中 `0`，`horizontalOverflow=false`。
+- Chrome mobile expanded `390x844`：`/zh-TW/iwooos?_v=21d50244-nginx-readback-expanded-mobile` 展開所有 `details` 後，三個 Public Gateway post-incident marker 缺漏 `0`，敏感 / 內部協作片語命中 `0`，`horizontalOverflow=false`，`scrollWidth=390`，`clientWidth=390`。
+- Chrome desktop `1440x1100`：`/zh-TW/awooop/tenants?_v=21d50244-nginx-readback-prod-desktop` 回 `200`，必要文案缺漏 `0`，敏感 / 內部協作片語命中 `0`，`horizontalOverflow=false`，`scrollWidth=1440`。
+- Chrome mobile `390x844`：`/zh-TW/awooop/tenants?_v=21d50244-nginx-readback-prod-mobile` 回 `200`，必要文案缺漏 `0`，敏感 / 內部協作片語命中 `0`，`horizontalOverflow=false`，`scrollWidth=390`。
+- Chrome 截圖：
+  - `/tmp/iwooos-desktop-21d50244.png`
+  - `/tmp/iwooos-mobile-21d50244.png`
+  - `/tmp/iwooos-desktop-expanded-21d50244.png`
+  - `/tmp/iwooos-mobile-expanded-21d50244.png`
+  - `/tmp/tenants-desktop-21d50244.png`
+  - `/tmp/tenants-mobile-21d50244.png`
+
+**完成度與邊界**：
+- Public Gateway / Nginx post-incident readback plan：`0% -> 100%`。
+- Nginx / Public Gateway 只讀成熟度：`90% -> 92%`。
+- 高價值配置平均成熟度：維持 `71%`；needs-live-evidence 類別：維持 `9`。
+- IwoooS headline 維持 `64%`；active runtime gate 維持 `0`。
+- post-incident readback received / accepted、actor accepted、before / after route state accepted、source-live diff accepted、`nginx -t` readback accepted、reload / no-reload accepted、route smoke accepted、TLS / ACME accepted、WebSocket accepted、upstream accepted、AI provider accepted、monitoring accepted、cross-project sync accepted、no-false-green accepted、live conf read、`nginx -t`、reload、route smoke、DNS / TLS probe、certbot renew、host write、runtime gate 與 action buttons 全部維持 `0 / false`。
+- 本輪未 SSH、未讀 live Nginx conf、未執行 `nginx -t`、未 reload、未改 route、未做 route smoke、未 DNS / TLS probe、未 certbot renew、未 host write、未 Docker / systemd / firewall / ArgoCD / K8s live action、未 active scan、未收 secrets 明文、未 force push。
+- 下一優先：收 Public Gateway / Nginx owner evidence 與事故後回讀包；同時持續推進 S4.9 owner response、Backup / Restore / Escrow、Monitoring / Alerting / Observability、Workflow / runner / deploy secret injection 的 owner evidence gate，且不得用 route 200、Nginx active、CD success、UI 可見或 smoke pass 當成資安 runtime 授權。
+
 ## 2026-06-15｜K8s / ArgoCD 事故後回讀 Gate

 **背景**：110 端口異動、ArgoCD degraded、workload pending、image pull / scheduling 類事故證明，K8s manifest、ArgoCD Application、Secret、NetworkPolicy、RBAC、CronJob、PrometheusRule 與 public route 之間會互相影響。IwoooS 不能把 `Synced`、route `200`、pod 起來、CD success 或 UI 可見誤判成 GitOps / runtime 已授權；本階段補上 K8s / ArgoCD post-incident readback plan，只建立事故後回讀候選、必填欄位、reviewer checks、outcome lanes、blocked actions 與前台 marker；不連 ArgoCD、不 `kubectl`、不 `helm`、不 live patch、不改 NetworkPolicy / RBAC / NodePort / Secret、不做 route smoke 授權。