docs(logbook): record 188 readonly ansible proof [skip ci]

Your Name
2026-05-31 15:18:49 +08:00
parent 05e87fa91f
commit eedc69909e


@@ -91,6 +91,94 @@ production /zh-TW/iwooos:
- runtime ingestion / GitHub primary / AwoooP production landing 約 `40-45%`
- active runtime gate 仍為 `0`;本輪沒有 Kali scan、SSH、主機更新、repo/refs/workflow/secret 變更、GitHub primary 切換或 Gitea 停用。
## 2026-05-31188 read-only Ansible check-mode 路徑接通
**背景**
- 上一階段已把 Ansible check-mode transport 從 repair-bot forced-command 改為 `ssh_mcp`,但 188 `ansible:188-ai-web` 仍使用 root 收斂 playbook `188-ai-web.yml`,在 Gathering Facts 即卡 `Incorrect sudo password`
- 直接給 `ollama` 無限制 NOPASSWD 不符合最小權限,也會把 read-only 診斷與 root apply 混在一起。
**本次調整**
- 新增 `infra/ansible/playbooks/188-ai-web-readonly.yml`
- `become: false`
- `gather_facts: false`
- 全部任務為 read-only command/stat/debug
- 可收集 Docker container、restarting container、MOMO backup script/helper/backup dir、ollama crontab。
- `ansible:188-ai-web` catalog 保留正式 `playbook_path=infra/ansible/playbooks/188-ai-web.yml`,新增 `check_mode_playbook_path=infra/ansible/playbooks/188-ai-web-readonly.yml`
- `build_ansible_check_mode_claim_input()` 現在把舊候選的正式 playbook 轉成 read-only check-mode playbook並保留
- `catalog_playbook_path`
- `source_candidate_playbook_path`
- `check_mode_playbook_path`
- apply 仍鎖住:`auto_apply_enabled=false``apply_enabled=false``approval_required_before_apply=true`
**Verification**
```text
Local:
YAML.load_file(188-ai-web-readonly.yml) -> yaml ok
py_compile ansible services/tests -> pass
ruff E9/F401/F821 ansible services/tests -> pass
pytest test_awooop_truth_chain_service.py -> 42 passed
pytest test_telegram_message_templates.py test_awooop_operator_timeline_labels.py -> 102 passed
git diff --check -> pass
Production pre-deploy probe from API pod:
ansible-playbook --syntax-check /tmp/188-ai-web-readonly.yml -> pass
ansible-playbook --check --diff --limit host_188 /tmp/188-ai-web-readonly.yml -> rc=0
recap -> ok=9 changed=0 failed=0
Gitea / deploy:
commit -> f615ac50 fix(awooop): add read-only 188 ansible check-mode
included in deployed main -> 50c9d51 feat(web): 整合 IwoooS 安全合規菜單
run 3339 -> success
api/worker/web image -> 192.168.0.110:5000/awoooi/*:50c9d51...
rollout api/worker/web -> success
/api/v1/health -> healthy, prod, mock_mode=false
ollama_route_order -> GCP-A, GCP-B, local
Production canary:
inserted explicit ansible_candidate_matched canary for INC-20260531-D6A3C4
worker_result -> claimed=1 completed=1 failed=0 blockers=[]
check row -> 1cee309e-b6d1-4d5d-97d8-1c3c7ad414da
catalog_id -> ansible:188-ai-web
playbook_path -> infra/ansible/playbooks/188-ai-web-readonly.yml
catalog_playbook_path -> infra/ansible/playbooks/188-ai-web.yml
source_candidate_playbook_path -> infra/ansible/playbooks/188-ai-web.yml
check_mode_playbook_path -> infra/ansible/playbooks/188-ai-web-readonly.yml
returncode -> 0
apply_executed -> false
```
**Production read-only evidence**
```text
remote_user=ollama
restarting_containers=
missing_expected_containers=
pg_backup_exists=True
pg_backup_executable=False
notify_helper_exists=True
notify_helper_executable=True
backup_dir_exists=True
cron_has_pg_backup=False
```
**判讀 / 下一步**
- 188 的低風險 Ansible check-mode 已接通;未來 `ansible:188-ai-web` 的 check-mode 不再因 `sudo` 卡死。
- 這仍不是自動修復完成:`ansible_apply_total=0``verified_auto_repair_total=0``production_claim.can_claim_full_auto_repair=false`
- 新揭露的 188 技術債:
- `/home/ollama/momo-pro/scripts/pg_backup.sh` 存在但不可執行。
- ollama crontab 未看到 `/home/ollama/momo-pro/scripts/pg_backup.sh`
- 下一階段應優先做「MOMO backup 非 root 修復」:若檔案 owner/權限允許,由 `ollama` 帳號以受控 Ansible apply 或 explicit approval 修 `chmod +x` 與 user crontabroot-owned 變更仍留在人工審批 / 最小 sudoers 設計。
- 進度:
- AwoooP truth-chain 可見性96%
- Ansible check-mode 接線82%110 成功188 read-only 成功root apply 還未開)
- Telegram / 前台真相語意90%
- 自動 apply / 自動修復閉環0%
- 整體 AI 自動化飛輪63%
## 2026-05-31AwoooP Ansible check-mode truth-chain 接通188 sudo 邊界成為新紅燈
**背景**
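Review bot: the "all tasks are read-only command/stat/debug" bullet under 本次調整 does not say that the `command` tasks set `check_mode: false` (and `changed_when: false`), yet the Verification block runs the playbook with `ansible-playbook --check --diff --limit host_188` and reports `recap -> ok=9 changed=0 failed=0`. Ansible skips `command` tasks in `--check` mode unless the task (or play) declares `check_mode: false`, so either the playbook already carries that setting and the bullet should state it, or the read-only evidence (`restarting_containers`, `pg_backup_executable`, `cron_has_pg_backup`) came from a run other than the `--check` invocation shown; please make the playbook description and the recorded command agree. Related: the `build_ansible_check_mode_claim_input()` bullet swaps the formal `188-ai-web.yml` for `188-ai-web-readonly.yml` at check time, so a passing check row no longer says anything about whether `188-ai-web.yml` itself would get past `Incorrect sudo password`; the 判讀 line "check-mode 不再因 `sudo` 卡死" should note that this holds for the read-only playbook only, consistent with the `root apply 還未開` progress line.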