IwoooS Backup / Restore / Escrow Owner Response Acceptance Read-Only Ledger
| Item | Content |
|---|---|
| Date | 2026-06-15 |
| Status | owner_response_acceptance_ledger_ready_no_runtime_action |
| Tool | scripts/security/backup-restore-owner-response-acceptance.py |
| Snapshot | docs/security/backup-restore-owner-response-acceptance.snapshot.json |
| Sources | backup-restore-escrow-inventory.snapshot.json, backup-restore-owner-request-draft.snapshot.json |
| runtime gate | 0 |
1. Purpose
This document links the Backup / Restore / Escrow repo-only inventory and the owner request draft into a read-only owner response acceptance ledger. Its purpose is not to run backups, restores, offsite sync or retention changes, but to fix in advance how a future owner response is received by a reviewer, supplemented, quarantined, rejected, or advanced into restore / retention review.
This phase runs no backup, no restore, no restore drill, no rclone sync, no remote delete, no credential escrow marker write, no retention change, no restic prune, no rclone config change, no Velero restore / backup, no kubectl, no SSH, no collection of secret values, no host write, no active scan, and opens no action button.
2. Summary
| Metric | Current value | Notes |
|---|---|---|
| source surface | 38 | From the backup / restore / escrow inventory |
| source request draft | 38 | Carried over from the owner request draft |
| acceptance candidate | 38 | One candidate per surface |
| write-capable acceptance candidate | 27 | Touches backup, restore, offsite, escrow, retention, Velero, health exporter, etc. |
| live evidence required candidate | 38 | All require owner-provided redacted evidence |
| acceptance field | 33 | Fixed number of fields per acceptance candidate |
| required owner field | 23 | Carried over from the owner request draft, plus restore recovery / freshness / remote delete / retention / no-false-green fields |
| reviewer check | 22 | Items a reviewer must check before accepting a response |
| outcome lane | 9 | Waiting, quarantine, reject, supplement, review, read-only update, restore backfill, remote delete / retention review, waiting for runtime gate |
| blocked action | 31 | All prohibited before acceptance |
| owner response received / accepted | 0 / 0 | Must not be artificially inflated |
| backup / restore / offsite / retention | 0 | Not authorized and not executed |
| runtime gate / action button | 0 / 0 | No execution entry point is opened |
3. Required Owner Fields
| Field | Description |
|---|---|
| owner_role_or_team | Backup / restore / offsite / escrow / retention owner role or team |
| decision | The response decision for this surface |
| decision_reason | Reason for the decision; must not contain sensitive values |
| affected_scope | Affected services, data scope, backup set, restore target or offsite scope |
| redacted_evidence_refs | Document, hash, ticket, commit or redacted artifact pointer |
| latest_backup_status_ref | Latest backup status ref; the live backup store must not be read |
| restore_drill_plan | Restore drill plan or approval package; does not imply authorization |
| offsite_sync_evidence_ref | Offsite sync evidence ref; must not contain raw listings or secret paths |
| credential_escrow_evidence_ref | Credential escrow metadata / marker ref; must not contain values |
| freshness_slo_ref | Backup freshness SLO / RPO ref; the word "latest" alone is not a substitute |
| restore_target_isolation_ref | Isolated target or no-production-write boundary for the restore drill |
| backup_dependency_map_ref | Recovery dependency map covering databases, object storage, repos, configuration, credentials and alerting |
| data_classification_ref | Data classification of the backup set; raw customer data, payloads or unredacted listings must not be requested |
| remote_delete_guard_ref | Remote delete guard and owner ref for the offsite sync / latest-only policy |
| retention_runway_ref | Recoverable window, runway and rollback conditions for retention / prune |
| restore_observer_stop_condition_ref | Restore drill observer, stop condition and rollback owner |
| credential_recovery_drill_ref | Credential recovery non-secret proof / evidence id; must not contain values, hashes, seeds or recovery codes |
| backup_health_no_false_green_ref | Backup health / textfile / alert no-false-green review ref |
| maintenance_window | Maintenance window or blackout window |
| rollback_owner | Rollback / stop owner and rollback conditions |
| validation_plan | Restore, freshness, checksum, alert and post-check plan |
| retention_owner | Retention / prune owner |
| followup_owner | Owner of the supplement, quarantine, rejection or next review step |
4. Reviewer Checks
| Check | Rule |
|---|---|
| owner_identity_present | Owner role / team must be traceable |
| decision_reason_present | decision and decision reason must both be present |
| affected_scope_matches_surface | Affected scope must map back to a committed surface_id |
| redacted_refs_only | Evidence may only be redacted refs, hashes, tickets, commits or artifact pointers |
| secret_value_absent | No token, private key, seed, rclone config, kubeconfig or credential derivative may appear |
| backup_status_ref_shape | Latest backup status may only be an owner-provided redacted ref |
| restore_drill_plan_present | A restore drill must be a plan / approval package, not an execution request |
| offsite_sync_ref_not_payload | Offsite sync evidence may only be a ref |
| credential_escrow_metadata_only | Credential escrow may only be a metadata / marker ref |
| retention_owner_present | Retention owner and retention decision must be traceable |
| maintenance_window_present | Any future backup / restore / prune / sync must have its own maintenance window |
| rollback_owner_present | Rollback owner and rollback ref must exist |
| counts_transition_safe | Only a reviewer record may update received / accepted / rejected; the runtime gate must not be opened at the same time |
| freshness_slo_present | A backup freshness SLO / RPO ref is required |
| restore_target_isolation_present | A restore drill must have an isolated target or a no-production-write boundary |
| backup_dependency_map_present | The recovery dependency map for DB, object storage, repos, configuration, credentials and alerting must be listed |
| data_classification_present | The backup set's data classification must be stated; raw payloads must not be requested |
| remote_delete_guard_present | The offsite sync / latest-only policy must have a remote delete guard |
| retention_runway_present | Retention / prune must have a recoverable window, runway and rollback conditions |
| restore_observer_stop_condition_present | A restore drill must have an observer, stop condition and rollback owner |
| credential_recovery_drill_metadata_only | Credential recovery may only accept non-secret proof / evidence ids |
| backup_health_no_false_green_reviewed | Backup health / textfile / alert evidence must guard against false-green |
5. Outcome Lanes
| Lane | Meaning |
|---|---|
| waiting_owner_response | No owner response received yet; all accepted / runtime counts stay at 0 |
| quarantine_raw_payload | A raw backup listing, secret, rclone config or other content that must not be stored can only be quarantined |
| reject_secret_or_credential_value | Rejected outright when a secret value, credential derivative or unredacted payload appears |
| request_supplement | Supplement requested when fields are insufficient, scope is unclear, or the restore / retention owner is missing |
| ready_for_restore_review | Once the metadata passes, it may only proceed to restore / retention reviewer review |
| owner_review_only_update | Only the read-only owner review ledger may be updated |
| restore_recovery_backfill_required | When restore / cold-start / incident recovery data is insufficient, only a supplement is requested |
| remote_delete_retention_review_required | Offsite remote delete, latest-only and restic prune must go to retention reviewer review |
| waiting_runtime_gate | Even after an owner response is accepted, the runtime gate still waits for independent manual approval |
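The reviewer checks of section 4 and the lane routing of section 5 applied to one owner response, as an added example that is not the project's `backup-restore-owner-response-acceptance.py`. It assumes a ref convention (sha256:, ticket-, commit:, artifact://), constructed secret and raw-listing patterns, a `surface_id` field and a `requested_change` list, none of which the ledger specifies; it covers a subset of the 22 checks.

```python
import re

# Added example, not the project's acceptance script. Field, check and lane names are the
# ledger's; the ref convention, the secret/raw-listing patterns and SAMPLE are constructed.
REQUIRED = {  # owner field -> reviewer check it satisfies
    "owner_role_or_team": "owner_identity_present", "decision": "decision_reason_present",
    "decision_reason": "decision_reason_present", "freshness_slo_ref": "freshness_slo_present",
    "restore_target_isolation_ref": "restore_target_isolation_present",
    "retention_owner": "retention_owner_present", "rollback_owner": "rollback_owner_present",
    "maintenance_window": "maintenance_window_present",
}
REF_FIELDS = ("redacted_evidence_refs", "latest_backup_status_ref", "offsite_sync_evidence_ref")
# Assumed shapes of a redacted ref: hash, ticket, commit or artifact pointer, nothing else.
REF_RE = re.compile(r"^(sha256:[0-9a-f]{64}|ticket-[A-Z]+-\d+|commit:[0-9a-f]{7,40}|artifact://\S+)$")
# Content the ledger never stores: secret-like values, and raw rclone / restic output.
SECRET_RE = re.compile(r"BEGIN [A-Z ]*PRIVATE KEY|AKIA[0-9A-Z]{16}|\b(token|seed|password)\s*[=:]", re.I)
RAW_RE = re.compile(r"^\s*\[[\w-]+\]\s*$|^\s*ID\s+Time\s+Host|^\s*type\s*=\s*s3", re.I | re.M)

def review(resp: dict, committed_surface_id: str) -> tuple[str, list[str]]:
    """Route one owner response to an outcome lane; returns (lane, failed_checks)."""
    text = "\n".join(str(v) for v in resp.values())
    if SECRET_RE.search(text):            # secret_value_absent: reject, never store
        return "reject_secret_or_credential_value", ["secret_value_absent"]
    if RAW_RE.search(text):               # a listing or config is a payload, not a ref
        return "quarantine_raw_payload", ["offsite_sync_ref_not_payload"]
    failed = list(dict.fromkeys(chk for field, chk in REQUIRED.items()
                                if not str(resp.get(field, "")).strip()))
    if resp.get("surface_id") != committed_surface_id:
        failed.append("affected_scope_matches_surface")
    for field in REF_FIELDS:              # redacted_refs_only: every evidence item is a ref
        refs = resp.get(field, [])
        refs = refs if isinstance(refs, list) else [refs]
        if not refs or not all(REF_RE.match(str(r)) for r in refs):
            failed.append("redacted_refs_only")
            break
    if failed:
        return "request_supplement", failed
    if {"remote_delete", "latest_only", "restic_prune"} & set(resp.get("requested_change", [])):
        return "remote_delete_retention_review_required", []
    return "ready_for_restore_review", []  # metadata passed; runtime gate stays closed

SAMPLE = {  # constructed, fully redacted owner response for one surface
    "surface_id": "brs-017", "owner_role_or_team": "platform-sre", "decision": "accept",
    "decision_reason": "drill plan reviewed", "freshness_slo_ref": "ticket-BKP-42",
    "restore_target_isolation_ref": "ticket-BKP-43", "retention_owner": "data-gov",
    "rollback_owner": "platform-sre", "maintenance_window": "2026-06-20T02:00+08:00/2h",
    "redacted_evidence_refs": ["sha256:" + "ab" * 32, "commit:0123abc"],
    "latest_backup_status_ref": "artifact://ledger/brs-017/status",
    "offsite_sync_evidence_ref": "ticket-BKP-44",
}
```

Note that a passing response still lands only in restore / retention review; nothing here touches the runtime gate or any count.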
6. Blocked Actions
- backup_run
- restore_run
- restore_drill
- offsite_sync
- offsite_remote_delete
- credential_escrow_marker_write
- retention_change
- restic_prune
- rclone_config
- velero_restore
- velero_backup
- kubectl_action
- ssh_read
- ssh_write
- secret_value_collection
- host_write
- active_scan
- runtime_gate_open
- raw_backup_payload_storage
- accept_secret_value_evidence
- mark_owner_response_accepted_without_reviewer_record
- accept_backup_without_freshness_slo
- accept_restore_without_isolated_target
- accept_offsite_without_remote_delete_guard
- accept_retention_without_runway
- accept_credential_recovery_without_non_secret_proof
- accept_backup_health_false_green
- skip_dependency_map_review
- skip_data_classification_review
- store_raw_restore_payload
- add_action_button
7. Commands
Regenerate the committed snapshot:
```bash
python3 scripts/security/backup-restore-owner-response-acceptance.py \
  --root . \
  --output docs/security/backup-restore-owner-response-acceptance.snapshot.json \
  --generated-at 2026-06-15T15:35:00+08:00
```
Read-only guards:
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/source-control-owner-response-guard.py --root .
```
8. Completion
| Task | Completion | Notes |
|---|---|---|
| owner response acceptance ledger artifact | 100% | All 38 surfaces have a read-only acceptance decision ledger |
| owner response received / accepted | 0% | No owner response received or accepted yet |
| live backup / offsite / escrow evidence | 0% | No live backup, offsite or credential escrow has been read |
| backup / restore / offsite / retention | 0% | Not authorized and not executed |
| secret / host / production write | 0% | No secrets collected, no host written |
| runtime gate / production write | 0% | No action button, no production write |
9. Boundaries
This ledger is not live backup truth, not a restore drill approval, not an offsite sync approval, not a credential escrow marker approval, not a retention approval, and not an authorization for backup / restore / Velero / rclone / SSH / kubectl / host write. The owner response acceptance ledger, the snapshot, the LOGBOOK, the IwoooS UI and any AwoooP approval must not be read as permission to run backup, restore, offsite sync, remote delete, retention change, secret collection, active scan, production write or the runtime gate.