# IwoooS Backup / Restore / Escrow Owner Response Acceptance Read-Only Ledger

| Item | Content |
|------|---------|
| Date | 2026-06-15 |
| Status | `owner_response_acceptance_ledger_ready_no_runtime_action` |
| Tool | `scripts/security/backup-restore-owner-response-acceptance.py` |
| Snapshot | `docs/security/backup-restore-owner-response-acceptance.snapshot.json` |
| Sources | `backup-restore-escrow-inventory.snapshot.json`, `backup-restore-owner-request-draft.snapshot.json` |
| runtime gate | `0` |

## 1. Purpose

This document links the Backup / Restore / Escrow repo-only inventory and the owner request draft into a read-only owner response acceptance ledger. Its purpose is not to run backups, restores, offsite sync or retention changes, but to fix in advance how future owner responses are received, supplemented, quarantined, rejected or moved into restore / retention review by the reviewer.

This phase does not run a backup, does not restore, does not run a restore drill, does not rclone sync, does not remote delete, does not write a credential escrow marker, does not change retention, does not restic prune, does not change rclone config, does not run Velero restore / backup, does not kubectl, does not SSH, does not collect secret values, does not write to hosts, does not active scan, and does not open any action button.

## 2. Summary

| Metric | Current value | Note |
|--------|---------------|------|
| source surface | `38` | from the backup / restore / escrow inventory |
| source request draft | `38` | carried over from the owner request draft |
| acceptance candidate | `38` | one candidate per surface |
| write-capable acceptance candidate | `27` | involves backup, restore, offsite, escrow, retention, Velero, health exporter, etc. |
| live evidence required candidate | `38` | all require owner-provided redacted evidence |
| acceptance field | `33` | fixed number of fields per acceptance candidate |
| required owner field | `23` | carried over from the owner request draft, plus restore recovery / freshness / remote delete / retention / no-false-green fields |
| reviewer check | `22` | items the reviewer must check before accepting a response |
| outcome lane | `9` | waiting, quarantine, reject, supplement, review, read-only update, restore backfill, remote delete / retention review, waiting for runtime gate |
| blocked action | `31` | all forbidden before acceptance |
| owner response received / accepted | `0 / 0` | must not be inflated artificially |
| backup / restore / offsite / retention | `0` | not authorized and not executed |
| runtime gate / action button | `0 / 0` | no execution entry point is opened |

## 3. Owner Required Fields
| Field | Description |
|-------|-------------|
| `owner_role_or_team` | Backup / restore / offsite / escrow / retention owner role or team |
| `decision` | the response verdict for this surface |
| `decision_reason` | reason for the decision; must not contain sensitive values |
| `affected_scope` | affected services, data scope, backup set, restore target or offsite scope |
| `redacted_evidence_refs` | document, hash, ticket, commit or redacted artifact pointer |
| `latest_backup_status_ref` | ref to the latest backup status; the live backup store must not be read |
| `restore_drill_plan` | restore drill plan or approval package; does not mean the drill is authorized |
| `offsite_sync_evidence_ref` | offsite sync evidence ref; must not contain a raw listing or secret path |
| `credential_escrow_evidence_ref` | credential escrow metadata / marker ref; must not contain a value |
| `freshness_slo_ref` | backup freshness SLO / RPO ref; the word "latest" alone is not a substitute |
| `restore_target_isolation_ref` | restore drill isolated target or no-production-write boundary |
| `backup_dependency_map_ref` | recovery dependency map for databases, object storage, repos, configuration, credentials and alerting |
| `data_classification_ref` | data classification of the backup set; must not request raw customer data, payloads or unredacted listings |
| `remote_delete_guard_ref` | remote delete guard and owner ref for the offsite sync / latest-only policy |
| `retention_runway_ref` | recoverable window, runway and rollback conditions for retention / prune |
| `restore_observer_stop_condition_ref` | restore drill observer, stop condition and rollback owner |
| `credential_recovery_drill_ref` | credential recovery non-secret proof / evidence id; must not contain a value, hash, seed or recovery code |
| `backup_health_no_false_green_ref` | backup health / textfile / alert no-false-green review ref |
| `maintenance_window` | maintenance window or blackout window |
| `rollback_owner` | rollback / stop owner and rollback conditions |
| `validation_plan` | restore, freshness, checksum, alert and post-check plan |
| `retention_owner` | retention / prune owner |
| `followup_owner` | owner for supplement, quarantine, rejection or the next review step |

## 4. Reviewer Checks
| Check | Rule |
|-------|------|
| `owner_identity_present` | owner role / team must be traceable |
| `decision_reason_present` | decision and decision reason must both be present |
| `affected_scope_matches_surface` | affected scope must map back to the committed surface_id |
| `redacted_refs_only` | evidence may only be redacted refs, hashes, tickets, commits or artifact pointers |
| `secret_value_absent` | no token, private key, seed, rclone config, kubeconfig or credential derivative may appear |
| `backup_status_ref_shape` | latest backup status may only be an owner-provided redacted ref |
| `restore_drill_plan_present` | restore drill must be a plan / approval package, not an execution request |
| `offsite_sync_ref_not_payload` | offsite sync evidence may only be a ref |
| `credential_escrow_metadata_only` | credential escrow may only be a metadata / marker ref |
| `retention_owner_present` | retention owner and retention decision must be traceable |
| `maintenance_window_present` | any future backup / restore / prune / sync must have its own maintenance window |
| `rollback_owner_present` | rollback owner and rollback ref must exist |
| `counts_transition_safe` | only a reviewer record may update received / accepted / rejected; the runtime gate must not be opened at the same time |
| `freshness_slo_present` | a backup freshness SLO / RPO ref must exist |
| `restore_target_isolation_present` | restore drill must have an isolated target or no-production-write boundary |
| `backup_dependency_map_present` | must list the recovery dependency map for DB, object storage, repos, configuration, credentials and alerting |
| `data_classification_present` | must state the backup set's data classification; must not request raw payloads |
| `remote_delete_guard_present` | offsite sync / latest-only policy must have a remote delete guard |
| `retention_runway_present` | retention / prune must have a recoverable window, runway and rollback conditions |
| `restore_observer_stop_condition_present` | restore drill must have an observer, stop condition and rollback owner |
| `credential_recovery_drill_metadata_only` | credential recovery may only accept non-secret proof / evidence ids |
| `backup_health_no_false_green_reviewed` | backup health / textfile / alert evidence must guard against false-green |

## 5. Outcome Lanes
| Lane | Meaning |
|------|---------|
| `waiting_owner_response` | no owner response received yet; all accepted / runtime counts stay at 0 |
| `quarantine_raw_payload` | when a raw backup listing, secret, rclone config or other non-storable content is received, it may only be quarantined |
| `reject_secret_or_credential_value` | reject outright when a secret value, credential derivative or unredacted payload appears |
| `request_supplement` | request supplementary material when fields are missing, scope is unclear, or the restore / retention owner is missing |
| `ready_for_restore_review` | once the metadata passes, the response may only proceed to restore / retention reviewer review |
| `owner_review_only_update` | only the read-only owner review ledger may be updated |
| `restore_recovery_backfill_required` | when restore / cold-start / incident recovery data is insufficient, only supplementary material is requested |
| `remote_delete_retention_review_required` | offsite remote delete, latest-only and restic prune must go to retention reviewer review |
| `waiting_runtime_gate` | even after an owner response is accepted, the runtime gate still waits for independent manual approval |

## 6. Blocked Actions

```text
backup_run
restore_run
restore_drill
offsite_sync
offsite_remote_delete
credential_escrow_marker_write
retention_change
restic_prune
rclone_config
velero_restore
velero_backup
kubectl_action
ssh_read
ssh_write
secret_value_collection
host_write
active_scan
runtime_gate_open
raw_backup_payload_storage
accept_secret_value_evidence
mark_owner_response_accepted_without_reviewer_record
accept_backup_without_freshness_slo
accept_restore_without_isolated_target
accept_offsite_without_remote_delete_guard
accept_retention_without_runway
accept_credential_recovery_without_non_secret_proof
accept_backup_health_false_green
skip_dependency_map_review
skip_data_classification_review
store_raw_restore_payload
add_action_button
```

## 7. Commands

Fixed committed snapshot:

```bash
python3 scripts/security/backup-restore-owner-response-acceptance.py \
  --root . \
  --output docs/security/backup-restore-owner-response-acceptance.snapshot.json \
  --generated-at 2026-06-15T15:35:00+08:00
```

Read-only guards:

```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/source-control-owner-response-guard.py --root .
```

## 8. Completion

| Task | Completion | Note |
|------|------------|------|
| owner response acceptance ledger artifact | `100%` | all 38 surfaces have a read-only acceptance verdict ledger |
| owner response received / accepted | `0%` | no owner response received or accepted yet |
| live backup / offsite / escrow evidence | `0%` | no live backup, offsite or credential escrow has been read |
| backup / restore / offsite / retention | `0%` | not authorized and not executed |
| secret / host / production write | `0%` | no secrets collected, no host written |
| runtime gate / production write | `0%` | no action button, no production write |

## 9. Boundaries

This ledger is not live backup truth, not a restore drill approval, not an offsite sync approval, not a credential escrow marker approval, not a retention approval, and not an authorization for backup / restore / Velero / rclone / SSH / kubectl / host write. The owner response acceptance ledger, the snapshot, the LOGBOOK, the IwoooS UI or an AwoooP approval must not be read as permission to execute backup, restore, offsite sync, remote delete, retention change, secret collection, active scan, production write or runtime gate.
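As an added example (not the ledger tool's own code), the following Python applies a subset of the section 4 reviewer checks to one owner response and routes it into a section 5 outcome lane, keeping the runtime gate at 0 regardless of the verdict. The ref prefixes, secret markers, surface id and sample response are constructed assumptions, not the project's formats.

```python
import re

# Accepted redacted-evidence shapes (constructed prefixes, not the project's format).
REF_SHAPE = re.compile(r"^(ticket|commit|sha256|artifact):[A-Za-z0-9_./-]+$")
# Markers of a secret value or credential derivative (constructed, deliberately small).
SECRET_MARKERS = re.compile(r"PRIVATE KEY|kubeconfig|\[remote\]|seed:|token=")
# Owner *_ref fields whose absence fails the matching *_present reviewer check.
REQUIRED_REFS = ("freshness_slo_ref", "restore_target_isolation_ref", "backup_dependency_map_ref",
                 "data_classification_ref", "remote_delete_guard_ref", "retention_runway_ref")
REQUIRED_OWNERS = {"retention_owner": "retention_owner_present", "rollback_owner": "rollback_owner_present",
                   "maintenance_window": "maintenance_window_present"}

def run_checks(resp, surface_id):
    """Return the section 4 check names this owner response fails (subset of the ledger's 22)."""
    failed = []
    if not resp.get("owner_role_or_team"):
        failed.append("owner_identity_present")
    if not (resp.get("decision") and resp.get("decision_reason")):
        failed.append("decision_reason_present")
    if surface_id not in resp.get("affected_scope", ""):
        failed.append("affected_scope_matches_surface")
    if not all(REF_SHAPE.match(r) for r in (resp.get("redacted_evidence_refs") or [])):
        failed.append("redacted_refs_only")
    if SECRET_MARKERS.search(" ".join(map(str, resp.values()))):
        failed.append("secret_value_absent")   # scanned over every field, not only evidence refs
    failed += [f.replace("_ref", "_present") for f in REQUIRED_REFS if not resp.get(f)]
    failed += [c for f, c in REQUIRED_OWNERS.items() if not resp.get(f)]
    return failed

def outcome_lane(resp, surface_id):
    """Route one response into a section 5 lane; the runtime gate never leaves 0 here."""
    failed = run_checks(resp, surface_id)
    if "secret_value_absent" in failed:
        lane = "reject_secret_or_credential_value"
    elif "redacted_refs_only" in failed:
        lane = "quarantine_raw_payload"       # non-ref evidence is held, never stored as-is
    elif failed:
        lane = "request_supplement"
    else:
        lane = "ready_for_restore_review"
    return {"surface_id": surface_id, "lane": lane, "failed_checks": failed, "runtime_gate": 0}

# Constructed sample: a compliant response for a constructed surface id.
GOOD = {"owner_role_or_team": "platform-backup-owners", "decision": "proceed_to_review",
        "decision_reason": "drill plan ready", "affected_scope": "surface:backup-pg-01",
        "redacted_evidence_refs": ["ticket:OPS-1234", "sha256:ab12cd34"],
        "freshness_slo_ref": "ticket:OPS-1235", "restore_target_isolation_ref": "ticket:OPS-1236",
        "backup_dependency_map_ref": "artifact:depmap/v3", "data_classification_ref": "artifact:dc/v1",
        "remote_delete_guard_ref": "commit:0a1b2c3", "retention_runway_ref": "ticket:OPS-1237",
        "retention_owner": "dba-oncall", "rollback_owner": "sre-lead", "maintenance_window": "2026-07-01"}
```

Lane precedence follows the ledger's order: a secret value is rejected before anything else is considered, non-ref evidence is quarantined, and only a response with no failed check reaches `ready_for_restore_review`.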