diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index cfae56bd..cf256e95 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md 
@@ -91,6 +91,94 @@ production /zh-TW/iwooos: - runtime ingestion / GitHub primary / AwoooP production landing 約 `40-45%`。 - active runtime gate 仍為 `0`;本輪沒有 Kali scan、SSH、主機更新、repo/refs/workflow/secret 變更、GitHub primary 切換或 Gitea 停用。 +## 2026-05-31|188 read-only Ansible check-mode 路徑接通 + +**背景**: + +- 上一階段已把 Ansible check-mode transport 從 repair-bot forced-command 改為 `ssh_mcp`,但 188 `ansible:188-ai-web` 仍使用 root 收斂 playbook `188-ai-web.yml`,在 Gathering Facts 即卡 `Incorrect sudo password`。 +- 直接給 `ollama` 無限制 NOPASSWD 不符合最小權限,也會把 read-only 診斷與 root apply 混在一起。 + +**本次調整**: + +- 新增 `infra/ansible/playbooks/188-ai-web-readonly.yml`: + - `become: false` + - `gather_facts: false` + - 全部任務為 read-only command/stat/debug + - 可收集 Docker container、restarting container、MOMO backup script/helper/backup dir、ollama crontab。 +- `ansible:188-ai-web` catalog 保留正式 `playbook_path=infra/ansible/playbooks/188-ai-web.yml`,新增 `check_mode_playbook_path=infra/ansible/playbooks/188-ai-web-readonly.yml`。 +- `build_ansible_check_mode_claim_input()` 現在把舊候選的正式 playbook 轉成 read-only check-mode playbook,並保留: + - `catalog_playbook_path` + - `source_candidate_playbook_path` + - `check_mode_playbook_path` +- apply 仍鎖住:`auto_apply_enabled=false`、`apply_enabled=false`、`approval_required_before_apply=true`。 + +**Verification**: + +```text +Local: + YAML.load_file(188-ai-web-readonly.yml) -> yaml ok + py_compile ansible services/tests -> pass + ruff E9/F401/F821 ansible services/tests -> pass + pytest test_awooop_truth_chain_service.py -> 42 passed + pytest test_telegram_message_templates.py test_awooop_operator_timeline_labels.py -> 102 passed + git diff --check -> pass + +Production pre-deploy probe from API pod: + ansible-playbook --syntax-check /tmp/188-ai-web-readonly.yml -> pass + ansible-playbook --check --diff --limit host_188 /tmp/188-ai-web-readonly.yml -> rc=0 + recap -> ok=9 changed=0 failed=0 + +Gitea / deploy: + commit -> f615ac50 fix(awooop): add read-only 188 ansible check-mode + included 
in deployed main -> 50c9d51 feat(web): 整合 IwoooS 安全合規菜單 + run 3339 -> success + api/worker/web image -> 192.168.0.110:5000/awoooi/*:50c9d51... + rollout api/worker/web -> success + /api/v1/health -> healthy, prod, mock_mode=false + ollama_route_order -> GCP-A, GCP-B, local + +Production canary: + inserted explicit ansible_candidate_matched canary for INC-20260531-D6A3C4 + worker_result -> claimed=1 completed=1 failed=0 blockers=[] + check row -> 1cee309e-b6d1-4d5d-97d8-1c3c7ad414da + catalog_id -> ansible:188-ai-web + playbook_path -> infra/ansible/playbooks/188-ai-web-readonly.yml + catalog_playbook_path -> infra/ansible/playbooks/188-ai-web.yml + source_candidate_playbook_path -> infra/ansible/playbooks/188-ai-web.yml + check_mode_playbook_path -> infra/ansible/playbooks/188-ai-web-readonly.yml + returncode -> 0 + apply_executed -> false +``` + +**Production read-only evidence**: + +```text +remote_user=ollama +restarting_containers= +missing_expected_containers= +pg_backup_exists=True +pg_backup_executable=False +notify_helper_exists=True +notify_helper_executable=True +backup_dir_exists=True +cron_has_pg_backup=False +``` + +**判讀 / 下一步**: + +- 188 的低風險 Ansible check-mode 已接通;未來 `ansible:188-ai-web` 的 check-mode 不再因 `sudo` 卡死。 +- 這仍不是自動修復完成:`ansible_apply_total=0`、`verified_auto_repair_total=0`、`production_claim.can_claim_full_auto_repair=false`。 +- 新揭露的 188 技術債: + - `/home/ollama/momo-pro/scripts/pg_backup.sh` 存在但不可執行。 + - ollama crontab 未看到 `/home/ollama/momo-pro/scripts/pg_backup.sh`。 +- 下一階段應優先做「MOMO backup 非 root 修復」:若檔案 owner/權限允許,由 `ollama` 帳號以受控 Ansible apply 或 explicit approval 修 `chmod +x` 與 user crontab;root-owned 變更仍留在人工審批 / 最小 sudoers 設計。 +- 進度: + - AwoooP truth-chain 可見性:96% + - Ansible check-mode 接線:82%(110 成功;188 read-only 成功;root apply 還未開) + - Telegram / 前台真相語意:90% + - 自動 apply / 自動修復閉環:0% + - 整體 AI 自動化飛輪:63% + ## 2026-05-31|AwoooP Ansible check-mode truth-chain 接通,188 sudo 邊界成為新紅燈 **背景**:
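Review bot: the "本次調整" bullets for `188-ai-web-readonly.yml` state that every task is a read-only command/stat/debug, but the "Production pre-deploy probe" runs it with `ansible-playbook --check`, and the "Production read-only evidence" block then shows values that can only come from those commands actually executing (`restarting_containers=`, `cron_has_pg_backup=False`); under `--check` the `command` module is skipped unless the task opts out of check mode, so the entry should record how these tasks are allowed to run during a check run (per-task `check_mode: false` is the standard mechanism) and note that this opt-out must stay confined to the diagnostic commands listed here, since it is the one setting that lets a task touch the host while the run is labelled "check". Two smaller points: the recap `ok=9 changed=0 failed=0` omits the skipped count, which is the figure that would confirm no task was silently skipped; and since the playbook runs with `become: false` as `remote_user=ollama`, the "判讀 / 下一步" section could state explicitly that the `sudo` blocker was bypassed rather than resolved, so that the later "MOMO backup 非 root 修復" item is not read as already covered by this change.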