fix(ci): record p0 priority readback
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 15s
CD Pipeline / post-deploy-checks (push) Has been cancelled
CD Pipeline / build-and-deploy (push) Has been cancelled

Your Name
2026-06-29 12:11:53 +08:00
parent 7b9bb9442b
commit f4ec19a545
3 changed files with 191 additions and 5 deletions


@@ -767,9 +767,9 @@ class HMACVerificationError(Exception):
async def verify_webhook_signature(
request: Request,
x_signature_256: str | None = Header(None, alias="X-Signature-256"),
x_webhook_timestamp: str | None = Header(None, alias="X-Webhook-Timestamp"),
x_webhook_nonce: str | None = Header(None, alias="X-Webhook-Nonce"),
x_signature_256: str | None = None,
x_webhook_timestamp: str | None = None,
x_webhook_nonce: str | None = None,
) -> bool:
"""
驗證 Webhook 請求的 HMAC-SHA256 簽章
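Review bot: with the `Header(...)` defaults replaced by plain `None`, the helper can no longer tell "the route forgot to forward the header" apart from "the client did not send it", so any caller still using the old two-argument form `verify_webhook_signature(request, x_signature_256)` now passes `None` for both timestamp and nonce. Make sure the body treats a missing timestamp or nonce as a verification failure (fail closed, since those two carry the replay protection) rather than skipping those checks, and consider dropping the defaults on `x_webhook_timestamp` and `x_webhook_nonce` entirely so an incomplete call fails at the call site instead of at runtime under an attacker's request. The docstring should also say that the route is now responsible for extracting the headers and forwarding them explicitly.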
@@ -1033,6 +1033,8 @@ async def receive_signal(
request: Request,
signal: SignalPayload,
x_signature_256: str | None = Header(None, alias="X-Signature-256"),
x_webhook_timestamp: str | None = Header(None, alias="X-Webhook-Timestamp"),
x_webhook_nonce: str | None = Header(None, alias="X-Webhook-Nonce"),
) -> SignalResponse:
"""
Phase 6.1: Event Bus Producer
@@ -1047,7 +1049,12 @@ async def receive_signal(
"""
# HMAC 驗證 (與 /alerts 相同邏輯)
try:
await verify_webhook_signature(request, x_signature_256)
await verify_webhook_signature(
request,
x_signature_256,
x_webhook_timestamp,
x_webhook_nonce,
)
except HMACVerificationError as e:
logger.warning("signal_hmac_rejected", error=str(e))
raise HTTPException(
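Review bot: the three header values are forwarded positionally; given that the bug this commit fixes was the helper misreading a default object as a timestamp/nonce, pass them as keywords (`x_signature_256=x_signature_256, x_webhook_timestamp=x_webhook_timestamp, x_webhook_nonce=x_webhook_nonce`) so a future reordering of the helper's parameters cannot silently swap signature, timestamp and nonce. The comment `HMAC 驗證 (與 /alerts 相同邏輯)` also records that this try/except is duplicated in `receive_alert`; a single FastAPI dependency shared by both routes would keep the two from drifting.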
@@ -1091,6 +1098,8 @@ async def receive_alert(
alert: AlertPayload,
background_tasks: BackgroundTasks,
x_signature_256: str | None = Header(None, alias="X-Signature-256"),
x_webhook_timestamp: str | None = Header(None, alias="X-Webhook-Timestamp"),
x_webhook_nonce: str | None = Header(None, alias="X-Webhook-Nonce"),
) -> AlertResponse:
"""
接收外部告警並觸發 OpenClaw AI 大腦分析
@@ -1107,7 +1116,12 @@ async def receive_alert(
# Phase 5 Step 0: HMAC 簽章驗證 (CISO 要求)
# ==========================================================================
try:
await verify_webhook_signature(request, x_signature_256)
await verify_webhook_signature(
request,
x_signature_256,
x_webhook_timestamp,
x_webhook_nonce,
)
except HMACVerificationError as e:
logger.warning("webhook_hmac_rejected", error=str(e))
raise HTTPException(
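Review bot: this is the same forwarding block as in `receive_signal`, so the two routes now carry identical copies of the HMAC check; factor it into one dependency so a later change (for example tightening the nonce window) cannot land on `/alerts` but not `/signals`, and use keyword arguments here for the same reason as above.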


@@ -14,6 +14,28 @@
**邊界**:未讀 token / `.runner` 內容 / cookie / session / secret / auth / `.env`;未使用 GitHub未操作 host / Docker / K8s未修改 workflow未 force push。
## 2026-06-29 — 12:06 P0 priority work order readback / cold-start truth
**完成內容**
- 依全域 scorecard 與 live readback 重排目前工作順序,不再以單一 CD run 當主線P0-001 full-host runtime / cold-start truth → P0-005 product data / backup DR evidence → P0-004 CI/CD baseline source readiness → P0-003 Gitea private inventory → P0-006 source-to-runtime drift。
- P0-001 live full-stack cold-start`scripts/reboot-recovery/full-stack-cold-start-check.sh --monitor-read-only --no-color` 讀回 110 / 120 / 121 / 188 ping + SSH 全通188 PostgreSQL / Redis / MOMO / SigNoz 通110 legacy runner fail-closedK3s 120 / 121 Readypublic routes / TLS 通summary `PASS=91 WARN=2 BLOCKED=0`,結果為 warning-only `DEGRADED`,不是 hard block。
- P0-001 machine-readable summary artifact `/tmp/awoooi-post-reboot-readiness-20260629-115730/summary.txt``SERVICE_GREEN=1``PRODUCT_DATA_GREEN=1``STOCK_FRESHNESS_STATUS=ok``STOCK_LATEST_TRADING_DATE=2026-06-26``BACKUP_CORE_GREEN=1``HOST_188_HYGIENE_BLOCKED=0``WAZUH_MANAGER_REGISTRY_ACCEPTED=6``RUNTIME_ACTION_AUTHORIZED=0``OVERALL_DECLARATION=FULL_STACK_GREEN_DR_ESCROW_BLOCKED``NEXT_REQUIRED_GATES=credential_escrow_evidence`
- P0-005 no-secret credential escrow chain 已刷新owner packet / placeholder response / preflight / offsite report / marker status / scorecard 皆產出;`status=blocked_waiting_non_secret_credential_escrow_evidence``effective_escrow_missing_count=5``owner_response_received_count=0``owner_response_accepted_count=0``runtime_gate_count=0``secret_value_collection_allowed=0``credential_marker_write_authorized_count=0`。五項 missing`restic_repository_password``offsite_provider_credentials``break_glass_admin_credentials``dns_registrar_recovery``oauth_ai_provider_recovery`
- P0-004 CI/CD production closureGitea public queue 讀回 `cd.yaml #3868` / commit `2a50505ee3c55ae99d37eaa52f6c96072f7ca715` / `Success`deploy marker `96d1f1403 chore(cd): deploy 2a50505 [skip ci]`production Delivery Workbench 讀回 `production_deploy_status=closure_verified``production_deploy_image_tag_matches_main=true``production_deploy_governance_fields_present=true`
- P0-004 source-readiness 只讀投影已進 Gitea main `f06bc0b49 feat(delivery): expose p0 cicd baseline readiness``p0_cicd_baseline_source_readiness_v1` 目前 `blocked_required_sources_missing`、required `11`、present `3`、missing `8`、readiness `27%`;下一步是補回 warning-step / onboarding source files 與測試,不得直接啟用 workflow。
- `cd.yaml #3869``f06bc0b49` 讀回 `Failure`,但 public queue 顯示 `no_matching_runner_visible=false`;本輪補上 P0-004 priority snapshot / HMAC focused test 的 controlled-runtime profile並修正 `verify_webhook_signature()` 在手動 helper 呼叫時把 FastAPI `Header(...)` default 當成 timestamp/nonce 的 CI baseline bug。
- 新增 `docs/operations/awoooi-priority-work-order-readback.snapshot.json`,固定目前完成 / blocked / stopped / 下一步順序,避免後續被舊 scorecard 或單點 CD 狀態帶偏。
**驗證結果**
- `PYTHONPATH=apps/api python3.11 -m pytest apps/api/tests/test_p0_cicd_baseline_source_readiness_api.py apps/api/tests/test_delivery_closure_workbench_api.py -q``4 passed`
- `PYTHONPATH=apps/api python3.11 -m pytest apps/api/tests/e2e_network_test.py::TestHMACVerification::test_valid_hmac_signature -q -v --tb=short -p no:cacheprovider``1 passed`
- `python3.11 -m pytest scripts/reboot-recovery/tests/test_post_reboot_credential_escrow_intake_scorecard.py scripts/reboot-recovery/tests/test_post_reboot_owner_response_template.py scripts/reboot-recovery/tests/test_post_start_smoke_process_classifier.py scripts/reboot-recovery/tests/test_momo_source_arrival_gate.py -q``12 passed`
- `python3 -m py_compile apps/api/src/services/p0_cicd_baseline_source_readiness.py apps/api/src/services/delivery_closure_workbench.py apps/api/src/api/v1/agents.py scripts/reboot-recovery/post-reboot-credential-escrow-intake-scorecard.py scripts/reboot-recovery/post-reboot-next-gate-owner-packets.py scripts/reboot-recovery/post-reboot-owner-response-template.py scripts/reboot-recovery/post-reboot-owner-response-preflight.py`:通過。
- `python3 ops/runner/guard-gitea-runner-pressure.py --root .``GITEA_RUNNER_PRESSURE_GUARD_OK workflow_files=10 scheduled_workflows=3 auto_branch_events_on_110=0 generic_runner_labels=0`
- `jq empty docs/operations/p0-cicd-baseline-source-readiness.snapshot.json docs/operations/awoooi-priority-work-order-readback.snapshot.json``bash -n scripts/reboot-recovery/post-reboot-next-gate-dispatch.sh scripts/reboot-recovery/full-stack-cold-start-check.sh scripts/reboot-recovery/post-reboot-readiness-summary.sh``git diff --check`:通過。
**邊界**:未使用 GitHub / `gh` / GitHub API未 workflow_dispatch未讀 token / `.runner` 內容 / cookie / session / secret / auth / `.env`;未寫 credential marker未操作 host / Docker / Nginx / firewall / K3s / DB未重啟任何服務。
## 2026-06-29 — 11:35 non-110 CD closure production readback verified
**完成內容**
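Review bot: the verification list only exercises the happy path for the HMAC fix (`pytest ... e2e_network_test.py::TestHMACVerification::test_valid_hmac_signature`, `1 passed`). Since the change alters how an absent timestamp/nonce reaches `verify_webhook_signature()`, the negative cases (missing or stale `X-Webhook-Timestamp`, reused `X-Webhook-Nonce`, wrong signature) should be run and recorded in this entry too; otherwise a regression that makes the helper skip replay checks when the defaults are `None` would still report `1 passed`.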


@@ -0,0 +1,150 @@
{
"schema_version": "awoooi_priority_work_order_readback_v1",
"generated_at": "2026-06-29T12:12:00+08:00",
"status": "p0_order_reestablished_ci_baseline_fix_in_progress",
"source_refs": {
"global_scorecard": "~/.codex/product-runtime-governance-completion-scorecard.snapshot.json",
"workstation_dashboard": "~/.codex/codex-workstation-sync-dashboard.snapshot.json",
"post_reboot_summary": "/tmp/awoooi-post-reboot-readiness-20260629-115730/summary.txt",
"full_stack_cold_start_check": "scripts/reboot-recovery/full-stack-cold-start-check.sh --monitor-read-only --no-color",
"delivery_closure_workbench": "https://awoooi.wooo.work/api/v1/agents/delivery-closure-workbench",
"public_gitea_queue_readback": "ops/runner/read-public-gitea-actions-queue.py --json",
"credential_escrow_scorecard": "/tmp/awoooi-credential-escrow-intake-scorecard-20260629-1200-priority.json"
},
"current_head": {
"gitea_main_sha": "f06bc0b49149e3be4d83ae752bffcf2741f4ab63",
"latest_successful_deploy_marker": "96d1f1403 chore(cd): deploy 2a50505 [skip ci]",
"latest_successful_deployed_source_sha": "2a50505ee3c55ae99d37eaa52f6c96072f7ca715",
"latest_source_readiness_commit_sha": "f06bc0b49149e3be4d83ae752bffcf2741f4ab63",
"latest_source_readiness_cd_run_id": "3869",
"latest_source_readiness_cd_run_status": "Failure",
"source_readiness_ci_fix_required": true,
"no_matching_runner_visible": false
},
"completed_in_priority_order": [
{
"workplan_id": "P0-001",
"title": "建立主機 runtime inventory 權威資料",
"status": "core_green_with_warnings",
"evidence": {
"hosts_checked": [
"192.168.0.110",
"192.168.0.120",
"192.168.0.121",
"192.168.0.188"
],
"full_stack_pass": 91,
"full_stack_warn": 2,
"full_stack_blocked": 0,
"post_start_pass": 43,
"post_start_warn": 5,
"post_start_blocked": 0,
"service_green": true,
"host_188_hygiene_blocked": false,
"wazuh_manager_registry_accepted": 6,
"runtime_action_authorized": false
},
"warnings_kept_visible": [
"110 systemd failed units remain",
"188 momo daily sales stale but source preflight has no hard blocker"
]
},
{
"workplan_id": "P0-004",
"title": "補 dev / prod CI/CD baseline",
"status": "production_deploy_closure_verified",
"evidence": {
"non110_runner_ready": true,
"latest_cd_run_id": "3868",
"latest_cd_run_status": "Success",
"production_deploy_status": "closure_verified",
"production_image_tag_matches_main": true,
"production_governance_fields_present": true,
"runner_pressure_guard_ok": true
}
}
],
"in_progress_or_blocked_in_priority_order": [
{
"workplan_id": "P0-005",
"title": "產品資料與備份 contract",
"status": "blocked_waiting_non_secret_credential_escrow_evidence",
"reason": "Backup core and product freshness are green, but DR completion still requires five non-secret credential escrow evidence markers.",
"evidence": {
"product_data_green": true,
"stock_freshness_status": "ok",
"stock_latest_trading_date": "2026-06-26",
"backup_core_green": true,
"dr_escrow_blocked": true,
"summary_escrow_missing_count": 5,
"offsite_configured": true,
"rclone_configured": true,
"script_missing_count": 0,
"credential_marker_write_authorized_count": 0,
"secret_value_collection_allowed": false
},
"missing_items": [
"restic_repository_password",
"offsite_provider_credentials",
"break_glass_admin_credentials",
"dns_registrar_recovery",
"oauth_ai_provider_recovery"
],
"safe_next_step": "collect_redacted_non_secret_evidence_refs_then_rerun_preflight"
},
{
"workplan_id": "P0-004-source-readiness",
"title": "P0-004 CI/CD baseline source readiness",
"status": "blocked_required_sources_missing",
"reason": "Committed source readiness snapshot is now exposed, but warning-step/onboarding source files are still missing.",
"evidence": {
"required_source_count": 11,
"present_required_source_count": 3,
"missing_required_source_count": 8,
"source_readiness_percent": 27
},
"safe_next_step": "restore_or_recreate_tracked_warning_step_source_before_workflow_enablement"
},
{
"workplan_id": "P0-003",
"title": "取得 Gitea private inventory 權限",
"status": "blocked_external_or_authenticated_inventory_required",
"reason": "Global scorecard still reports private/internal inventory incomplete; GitHub remains stopped and must not be used as a fallback."
},
{
"workplan_id": "P0-006",
"title": "清理 source-to-runtime drift 與 stale routes",
"status": "pending_after_p0_005_and_p0_004_source_readiness",
"reason": "Do not expand into route/source drift until the active P0 escrow and CI/CD source-readiness gates are recorded."
}
],
"stopped_or_do_not_use": [
{
"workplan_id": "P0-003A",
"title": "GitHub 全產品備援鏡像",
"status": "removed_deleted_do_not_use",
"allowed_actions": 0
}
],
"operation_boundaries": {
"github_api_used": false,
"github_cli_used": false,
"workflow_dispatch_performed": false,
"runner_registration_performed": false,
"secret_or_runner_token_read": false,
"credential_secret_value_read": false,
"credential_marker_written": false,
"host_write_performed": false,
"docker_restart_performed": false,
"nginx_restart_performed": false,
"firewall_change_performed": false,
"k3s_restart_or_node_drain_performed": false,
"database_write_or_restore_performed": false
},
"next_execution_order": [
"P0-005: keep credential_escrow_evidence blocked until real redacted non-secret evidence refs exist; do not read or write secrets.",
"P0-004-source-readiness: restore or recreate missing warning-step/onboarding source files with tests, without enabling workflows.",
"P0-003: continue Gitea-only private/internal inventory readback when authorized source exists; do not use GitHub.",
"P0-006: source-to-runtime drift cleanup after the active P0 gates above are stable."
]
}
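Review bot: several `source_refs` are machine-local, ephemeral paths (`/tmp/awoooi-post-reboot-readiness-20260629-115730/summary.txt`, `/tmp/awoooi-credential-escrow-intake-scorecard-20260629-1200-priority.json`, and the two `~/.codex/...` snapshots), so once the workstation reboots the committed readback can no longer be re-verified against its own evidence. Either copy the redacted artifacts next to this snapshot under `docs/operations/` or record a content hash beside each ref so the numbers in `completed_in_priority_order` and `in_progress_or_blocked_in_priority_order` remain checkable.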