awoooi/scripts/security/public-gateway-post-incident-readback-plan.py

#!/usr/bin/env python3
"""
IwoooS Public Gateway / Nginx post-incident readback 只讀計畫產生器。

本工具讀取 Public Gateway rendered diff acceptance snapshot，建立事故後回讀
計畫：誰改了 Nginx / public gateway、變更或事故時間窗、route / upstream /
WebSocket / ACME / AI provider / monitoring 影響、回滾與防再發。它不讀 live
conf、不執行 nginx -t、不 reload、不做 route smoke、不連 DNS / TLS、不
renew cert、不 SSH、不保存 raw conf / full diff / secret value。
"""

from __future__ import annotations

import argparse
import json
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Any


TAIPEI = timezone(timedelta(hours=8))

READBACK_FIELDS = [
    "post_incident_readback_candidate_id",
    "source_diff_acceptance_id",
    "owner_response_acceptance_id",
    "diff_gate_id",
    "config_id",
    "control_tier",
    "host",
    "live_path",
    "gateway_incident_or_change_ref",
    "actor_attribution_ref",
    "change_time_window_ref",
    "change_intent_or_break_glass_ref",
    "before_route_state_ref",
    "after_route_state_ref",
    "source_live_diff_state_ref",
    "nginx_test_readback_ref",
    "nginx_reload_or_no_reload_ref",
    "route_smoke_readback_ref",
    "tls_acme_readback_ref",
    "websocket_readback_ref",
    "upstream_health_ref",
    "public_admin_api_route_impact_ref",
    "ai_provider_impact_ref",
    "monitoring_alert_ref",
    "operator_notification_ref",
    "cross_project_sync_ref",
    "rollback_validation_ref",
    "post_change_monitoring_ref",
    "recovery_or_still_degraded_ref",
    "postcheck_readback_ref",
    "recurrence_guard_ref",
    "maintenance_window",
    "rollback_owner",
    "reviewer_outcome",
    "followup_owner",
    "not_approval",
]

REQUIRED_READBACK_FIELDS = [
    "gateway_incident_or_change_ref",
    "actor_attribution_ref",
    "change_time_window_ref",
    "change_intent_or_break_glass_ref",
    "before_route_state_ref",
    "after_route_state_ref",
    "source_live_diff_state_ref",
    "nginx_test_readback_ref",
    "nginx_reload_or_no_reload_ref",
    "route_smoke_readback_ref",
    "tls_acme_readback_ref",
    "websocket_readback_ref",
    "upstream_health_ref",
    "public_admin_api_route_impact_ref",
    "ai_provider_impact_ref",
    "monitoring_alert_ref",
    "operator_notification_ref",
    "cross_project_sync_ref",
    "rollback_validation_ref",
    "post_change_monitoring_ref",
    "recovery_or_still_degraded_ref",
    "postcheck_readback_ref",
    "recurrence_guard_ref",
    "maintenance_window",
    "rollback_owner",
    "followup_owner",
    "redacted_evidence_refs",
    "no_secret_value_attestation",
    "no_raw_live_conf_or_diff_attestation",
    "no_false_green_attestation",
]

REVIEWER_CHECKS = [
    {"check_id": "source_diff_acceptance_current", "instruction": "來源 rendered diff acceptance snapshot 必須是目前版本。"},
    {"check_id": "incident_or_change_ref_present", "instruction": "必須有 incident、change、ticket 或 maintenance ref，不能只寫路由恢復。"},
    {"check_id": "actor_attribution_present", "instruction": "必須標示 actor role / team，不接受匿名 Nginx reload、shell 操作或未追蹤自動化。"},
    {"check_id": "change_time_window_present", "instruction": "必須有變更 / 事故時間窗，供 route、alert 與跨專案回讀對齊。"},
    {"check_id": "intent_or_break_glass_present", "instruction": "正常變更需有 change intent；緊急變更需有 break-glass reason，但 break-glass 不等於事前批准。"},
    {"check_id": "before_after_route_state_present", "instruction": "必須有 before / after route state ref，不得只看現在 200。"},
    {"check_id": "source_live_diff_state_present", "instruction": "必須說明 source-to-live diff 狀態；不得保存 raw live conf 或完整 diff payload。"},
    {"check_id": "nginx_test_readback_is_owner_provided", "instruction": "`nginx -t` 只能是 owner-provided readback ref，本工具不得執行。"},
    {"check_id": "reload_or_no_reload_called_out", "instruction": "需明確標示是否曾 reload；若未 reload 也需列原因與風險。"},
    {"check_id": "route_smoke_readback_present", "instruction": "route smoke readback 必須列 affected routes、status、TLS、WebSocket、ACME 或不適用原因。"},
    {"check_id": "tls_acme_readback_present", "instruction": "TLS / ACME impact 不可被 route 200 取代。"},
    {"check_id": "websocket_readback_present", "instruction": "WebSocket / streaming route 需獨立回讀，不得只用首頁 200。"},
    {"check_id": "upstream_health_present", "instruction": "upstream health / port / dependency 影響必須列 ref。"},
    {"check_id": "public_admin_api_route_impact_present", "instruction": "public、admin、API、callback 或 webhook route 受影響時需列 impact ref。"},
    {"check_id": "ai_provider_impact_present", "instruction": "Ollama、AI provider、model route 或 proxy 受影響時需列 impact ref。"},
    {"check_id": "monitoring_alert_present", "instruction": "需有 monitoring / alert / incident ref，不能只靠人工看頁面。"},
    {"check_id": "operator_notification_present", "instruction": "需提供已通知受影響產品、owner 或 Session 的脫敏 ref。"},
    {"check_id": "cross_project_sync_present", "instruction": "若影響 AwoooP、IwoooS、agent-bounty、StockPlatform、公開網站或監控，需有跨專案同步 ref。"},
    {"check_id": "rollback_validation_present", "instruction": "必須提供 rollback validation ref，包含 rollback owner 與回滾後驗證方式。"},
    {"check_id": "post_change_monitoring_present", "instruction": "必須有 post-change monitoring window，觀察 route、error、alert 與 upstream。"},
    {"check_id": "recovery_or_still_degraded_present", "instruction": "已恢復需提供恢復時間與證據；未恢復需提供 still-degraded ref。"},
    {"check_id": "postcheck_independent", "instruction": "post-check 必須獨立於原操作人與 UI 卡片。"},
    {"check_id": "recurrence_guard_present", "instruction": "必須提出防再發 guard、change freeze、owner review 或 automation block。"},
    {"check_id": "maintenance_window_present", "instruction": "後續任何 nginx -t、reload、route smoke 或 DNS / TLS 動作都需維護窗口。"},
    {"check_id": "no_false_green", "instruction": "不得只用 route 200、Nginx active、dashboard up、CD success 或 UI 可見當成事故已驗收。"},
    {"check_id": "raw_payload_absent", "instruction": "不得保存 raw live conf、完整 diff payload、private key、憑證內容、cookie、token 或未脫敏 screenshot。"},
    {"check_id": "runtime_stays_zero", "instruction": "readback plan 不得觸發 nginx -t、reload、route smoke、DNS / TLS probe、certbot renew 或 host write。"},
    {"check_id": "counts_transition_safe", "instruction": "只有 reviewer record 能更新 accepted count，且不得同時開 runtime gate。"},
]

OUTCOME_LANES = [
    {"lane_id": "waiting_post_incident_readback", "meaning": "尚未收到 Public Gateway / Nginx 事故回讀包；所有 accepted / runtime count 維持 0。"},
    {"lane_id": "request_actor_or_time_supplement", "meaning": "缺 actor、change time window、intent 或 break-glass reason 時要求補件。"},
    {"lane_id": "request_route_state_supplement", "meaning": "缺 before / after route、upstream、WebSocket、TLS / ACME 或 route smoke readback 時要求補件。"},
    {"lane_id": "request_diff_test_supplement", "meaning": "缺 source-live diff、nginx test readback、reload / no-reload 判定或 rollback validation 時要求補件。"},
    {"lane_id": "request_dependency_supplement", "meaning": "缺 AI provider、monitoring、public/admin/API route 或跨專案影響時要求補件。"},
    {"lane_id": "quarantine_raw_payload", "meaning": "收到 raw conf、完整 diff、secret、憑證、cookie、token 或未脫敏截圖時只能隔離。"},
    {"lane_id": "reject_false_green_claim", "meaning": "把 route 200、Nginx active、dashboard up、CD success 或 UI 可見當驗收時拒收。"},
    {"lane_id": "ready_for_gateway_post_incident_review", "meaning": "metadata 合格後，只能進 reviewer review。"},
    {"lane_id": "recurrence_guard_backfill_required", "meaning": "需補防再發 guard、owner review、change freeze 或 automation block。"},
    {"lane_id": "waiting_runtime_gate", "meaning": "即使 readback accepted，runtime gate 仍需獨立人工批准。"},
]

BLOCKED_ACTIONS = [
    "ssh_read_live_nginx_conf",
    "store_raw_live_conf",
    "store_full_rendered_diff_payload",
    "collect_secret_value",
    "collect_private_key",
    "collect_certificate_body",
    "collect_cookie_or_token",
    "run_nginx_test",
    "reload_nginx",
    "restart_nginx",
    "change_nginx_site_enabled",
    "change_public_route",
    "change_admin_route",
    "change_api_route",
    "change_websocket_route",
    "change_acme_challenge_route",
    "change_upstream",
    "change_dns_record",
    "tls_probe",
    "dns_probe",
    "certbot_renew",
    "certbot_reconfigure",
    "route_smoke",
    "websocket_smoke",
    "host_write",
    "firewall_change",
    "docker_restart",
    "systemd_restart",
    "argocd_sync",
    "kubectl_apply",
    "accept_route_200_as_all_green",
    "accept_nginx_active_as_all_green",
    "accept_dashboard_up_as_security_acceptance",
    "accept_cd_success_as_security_acceptance",
    "skip_cross_project_sync",
    "skip_operator_notification",
    "skip_rollback_validation",
    "skip_post_change_monitoring",
    "mark_readback_accepted_without_reviewer_record",
    "open_runtime_gate",
    "add_action_button",
]


def git_short_sha(root: Path) -> str:
    try:
        result = subprocess.run(
            ["git", "rev-parse", "--short", "HEAD"],
            cwd=root,
            check=True,
            capture_output=True,
            text=True,
        )
        return result.stdout.strip()
    except Exception:
        return "unknown"


def load_json(path: Path) -> dict[str, Any]:
    return json.loads(path.read_text(encoding="utf-8"))


def build_candidate(source: dict[str, Any]) -> dict[str, Any]:
    config_id = source["config_id"]
    return {
        "post_incident_readback_candidate_id": f"public_gateway_post_incident_readback:{config_id}",
        "status": "waiting_post_incident_readback",
        "source_diff_acceptance_id": source["diff_acceptance_id"],
        "owner_response_acceptance_id": source["owner_response_acceptance_id"],
        "diff_gate_id": source["diff_gate_id"],
        "config_id": config_id,
        "control_tier": source["control_tier"],
        "host": source["host"],
        "live_path": source["live_path"],
        "write_capable": True,
        "gateway_incident_or_change_ref": None,
        "actor_attribution_ref": None,
        "change_time_window_ref": None,
        "change_intent_or_break_glass_ref": None,
        "before_route_state_ref": None,
        "after_route_state_ref": None,
        "source_live_diff_state_ref": None,
        "nginx_test_readback_ref": None,
        "nginx_reload_or_no_reload_ref": None,
        "route_smoke_readback_ref": None,
        "tls_acme_readback_ref": None,
        "websocket_readback_ref": None,
        "upstream_health_ref": None,
        "public_admin_api_route_impact_ref": None,
        "ai_provider_impact_ref": None,
        "monitoring_alert_ref": None,
        "operator_notification_ref": None,
        "cross_project_sync_ref": None,
        "rollback_validation_ref": None,
        "post_change_monitoring_ref": None,
        "recovery_or_still_degraded_ref": None,
        "postcheck_readback_ref": None,
        "recurrence_guard_ref": None,
        "maintenance_window": "pending_post_incident_readback",
        "rollback_owner": "pending_post_incident_readback",
        "reviewer_outcome": "waiting_post_incident_readback",
        "followup_owner": "pending_post_incident_readback",
        "readback_fields": READBACK_FIELDS,
        "required_readback_fields": REQUIRED_READBACK_FIELDS,
        "reviewer_checks": [item["check_id"] for item in REVIEWER_CHECKS],
        "outcome_lanes": [item["lane_id"] for item in OUTCOME_LANES],
        "blocked_actions": BLOCKED_ACTIONS,
        "not_approval": True,
        "post_incident_readback_received": False,
        "post_incident_readback_accepted": False,
        "actor_attribution_accepted": False,
        "change_time_window_accepted": False,
        "intent_or_break_glass_accepted": False,
        "before_after_route_state_accepted": False,
        "source_live_diff_state_accepted": False,
        "nginx_test_readback_accepted": False,
        "nginx_reload_or_no_reload_accepted": False,
        "route_smoke_readback_accepted": False,
        "tls_acme_readback_accepted": False,
        "websocket_readback_accepted": False,
        "upstream_health_accepted": False,
        "public_admin_api_route_impact_accepted": False,
        "ai_provider_impact_accepted": False,
        "monitoring_alert_accepted": False,
        "operator_notification_accepted": False,
        "cross_project_sync_accepted": False,
        "rollback_validation_accepted": False,
        "post_change_monitoring_accepted": False,
        "recovery_or_still_degraded_accepted": False,
        "postcheck_readback_accepted": False,
        "recurrence_guard_accepted": False,
        "no_false_green_accepted": False,
        "host_live_conf_read_authorized": False,
        "nginx_test_authorized": False,
        "nginx_test_executed": False,
        "nginx_reload_authorized": False,
        "nginx_reload_executed": False,
        "public_gateway_reload_authorized": False,
        "route_smoke_authorized": False,
        "route_smoke_executed": False,
        "dns_tls_probe_authorized": False,
        "certbot_renew_authorized": False,
        "public_route_change_authorized": False,
        "admin_route_change_authorized": False,
        "websocket_route_change_authorized": False,
        "acme_challenge_change_authorized": False,
        "production_write_authorized": False,
        "runtime_gate": False,
        "action_buttons_allowed": False,
    }


def build_report(root: Path, source_report: dict[str, Any], generated_at: str | None) -> dict[str, Any]:
    report_time = generated_at or datetime.now(TAIPEI).isoformat(timespec="seconds")
    candidates = [build_candidate(item) for item in source_report.get("diff_acceptance_candidates", [])]
    c0_candidates = [item for item in candidates if item["control_tier"] == "C0"]
    c1_candidates = [item for item in candidates if item["control_tier"] == "C1"]
    source_summary = source_report.get("summary", {})

    return {
        "schema_version": "public_gateway_post_incident_readback_plan_v1",
        "generated_at": report_time,
        "git_commit": git_short_sha(root),
        "source_schema_version": source_report.get("schema_version"),
        "source_status": source_report.get("status"),
        "status": "post_incident_readback_plan_ready_no_runtime_action",
        "summary": {
            "source_diff_acceptance_candidate_count": source_summary.get("diff_acceptance_candidate_count", 0),
            "source_c0_diff_acceptance_candidate_count": source_summary.get(
                "c0_diff_acceptance_candidate_count", 0
            ),
            "source_c1_diff_acceptance_candidate_count": source_summary.get(
                "c1_diff_acceptance_candidate_count", 0
            ),
            "source_required_evidence_field_count": source_summary.get("required_evidence_field_count", 0),
            "source_reviewer_check_count": source_summary.get("reviewer_check_count", 0),
            "source_blocked_action_count": source_summary.get("blocked_action_count", 0),
            "source_rendered_diff_accepted_count": source_summary.get("rendered_diff_accepted_count", 0),
            "source_nginx_test_evidence_accepted_count": source_summary.get(
                "nginx_test_evidence_accepted_count", 0
            ),
            "source_route_smoke_result_accepted_count": source_summary.get(
                "route_smoke_result_accepted_count", 0
            ),
            "source_runtime_gate_count": source_summary.get("runtime_gate_count", 0),
            "readback_candidate_count": len(candidates),
            "c0_readback_candidate_count": len(c0_candidates),
            "c1_readback_candidate_count": len(c1_candidates),
            "write_capable_readback_candidate_count": len(candidates),
            "route_health_review_required_candidate_count": len(candidates),
            "upstream_websocket_tls_review_required_candidate_count": len(candidates),
            "ai_monitoring_cross_project_review_required_candidate_count": len(candidates),
            "no_false_green_required_candidate_count": len(candidates),
            "readback_field_count": len(READBACK_FIELDS),
            "required_readback_field_count": len(REQUIRED_READBACK_FIELDS),
            "reviewer_check_count": len(REVIEWER_CHECKS),
            "outcome_lane_count": len(OUTCOME_LANES),
            "blocked_action_count": len(BLOCKED_ACTIONS),
            "post_incident_readback_received_count": 0,
            "post_incident_readback_accepted_count": 0,
            "actor_attribution_accepted_count": 0,
            "change_time_window_accepted_count": 0,
            "intent_or_break_glass_accepted_count": 0,
            "before_after_route_state_accepted_count": 0,
            "source_live_diff_state_accepted_count": 0,
            "nginx_test_readback_accepted_count": 0,
            "nginx_reload_or_no_reload_accepted_count": 0,
            "route_smoke_readback_accepted_count": 0,
            "tls_acme_readback_accepted_count": 0,
            "websocket_readback_accepted_count": 0,
            "upstream_health_accepted_count": 0,
            "public_admin_api_route_impact_accepted_count": 0,
            "ai_provider_impact_accepted_count": 0,
            "monitoring_alert_accepted_count": 0,
            "operator_notification_accepted_count": 0,
            "cross_project_sync_accepted_count": 0,
            "rollback_validation_accepted_count": 0,
            "post_change_monitoring_accepted_count": 0,
            "recovery_or_still_degraded_accepted_count": 0,
            "postcheck_readback_accepted_count": 0,
            "recurrence_guard_accepted_count": 0,
            "no_false_green_accepted_count": 0,
            "host_live_conf_read_authorized_count": 0,
            "nginx_test_authorized_count": 0,
            "nginx_test_executed_count": 0,
            "nginx_reload_authorized_count": 0,
            "nginx_reload_executed_count": 0,
            "public_gateway_reload_authorized_count": 0,
            "route_smoke_authorized_count": 0,
            "route_smoke_executed_count": 0,
            "dns_tls_probe_authorized_count": 0,
            "certbot_renew_authorized_count": 0,
            "public_route_change_authorized_count": 0,
            "admin_route_change_authorized_count": 0,
            "websocket_route_change_authorized_count": 0,
            "acme_challenge_change_authorized_count": 0,
            "runtime_gate_count": 0,
            "action_button_count": 0,
            "coverage_percent_after_readback_plan": 92,
        },
        "readback_candidates": candidates,
        "required_readback_fields": REQUIRED_READBACK_FIELDS,
        "reviewer_checks": REVIEWER_CHECKS,
        "outcome_lanes": OUTCOME_LANES,
        "blocked_actions": BLOCKED_ACTIONS,
        "execution_boundaries": {
            "not_authorization": True,
            "host_live_conf_read_authorized": False,
            "nginx_test_authorized": False,
            "nginx_test_executed": False,
            "nginx_reload_authorized": False,
            "nginx_reload_executed": False,
            "public_gateway_reload_authorized": False,
            "route_smoke_authorized": False,
            "route_smoke_executed": False,
            "dns_tls_probe_authorized": False,
            "certbot_renew_authorized": False,
            "public_route_change_authorized": False,
            "admin_route_change_authorized": False,
            "websocket_route_change_authorized": False,
            "acme_challenge_change_authorized": False,
            "production_write_authorized": False,
            "runtime_gate": False,
            "action_buttons_allowed": False,
        },
        "source_paths": [
            "docs/security/PUBLIC-GATEWAY-RENDERED-DIFF-ACCEPTANCE.md",
            "docs/security/public-gateway-rendered-diff-acceptance.snapshot.json",
            "docs/security/PUBLIC-GATEWAY-OWNER-RESPONSE-ACCEPTANCE.md",
            "docs/security/public-gateway-owner-response-acceptance.snapshot.json",
            "docs/security/PUBLIC-GATEWAY-PREFLIGHT-INVENTORY.md",
            "docs/security/public-gateway-preflight-inventory.snapshot.json",
        ],
        "mode": "metadata_only_no_live_conf_no_nginx_reload",
        "operator_interpretation": [
            "此計畫只定義 Public Gateway / Nginx 事故後回讀欄位，不代表 live conf 已讀取或可讀取。",
            "route 200、Nginx active、dashboard up、CD success、UI 可見都不能單獨當成 gateway 事故驗收。",
            "未來若要 nginx -t、reload、route smoke、DNS / TLS probe、certbot renew 或 host write，必須另有維護窗口、rollback owner 與人工批准。",
        ],
    }


def main() -> int:
    parser = argparse.ArgumentParser(description="IwoooS Public Gateway / Nginx 事故後回讀只讀計畫產生器")
    parser.add_argument("--root", default=".", help="repo root")
    parser.add_argument(
        "--source-report",
        default="docs/security/public-gateway-rendered-diff-acceptance.snapshot.json",
        help="public-gateway-rendered-diff-acceptance.py 輸出的 JSON",
    )
    parser.add_argument("--output", help="寫出 JSON 報告")
    parser.add_argument("--generated-at", help="固定報告時間，供 committed snapshot 使用")
    args = parser.parse_args()

    root = Path(args.root).resolve()
    source_report = load_json(root / args.source_report)
    report = build_report(root, source_report, args.generated_at)
    payload = json.dumps(report, ensure_ascii=False, indent=2, sort_keys=True)

    if args.output:
        output = Path(args.output)
        output.parent.mkdir(parents=True, exist_ok=True)
        output.write_text(payload + "\n", encoding="utf-8")
    else:
        print(payload)

    summary = report["summary"]
    print(
        "PUBLIC_GATEWAY_POST_INCIDENT_READBACK_PLAN_OK "
        f"candidates={summary['readback_candidate_count']} "
        f"c0={summary['c0_readback_candidate_count']} "
        f"checks={summary['reviewer_check_count']} "
        f"lanes={summary['outcome_lane_count']} "
        f"accepted={summary['post_incident_readback_accepted_count']} "
        f"runtime_gate={summary['runtime_gate_count']}",
        file=sys.stderr,
    )
    return 0


if __name__ == "__main__":
    sys.exit(main())