wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 4 Packages Projects Releases Wiki Activity
Files
2a2cb16c135fd7e5b159d94de9b5ff04f6cf31f5
awoooi/docs/runbooks/AWOOOP-RLS-CANARY-WAVE1.md
Your Name 1617b73a9d docs(rls): 記錄 canary wave1 production apply
2026-05-12 20:55:40 +08:00

104 lines
2.7 KiB
Markdown
Raw Blame History

# AwoooP RLS Canary Wave 1
This wave enables fail-closed RLS on tables that were empty in the production
preflight.
Status: applied to production on 2026-05-12.
Apply script:
```bash
scripts/ops/awooop-rls-canary-wave1-empty-tables.sql
```
Rollback script:
```bash
scripts/ops/awooop-rls-canary-wave1-empty-tables-rollback.sql
```
## Scope
Wave 1 targets only tables that had `total_rows=0` and
`null_project_id_rows=0` on 2026-05-12:
- `awooop_contract_revisions`
- `awooop_conversation_event`
- `awooop_mcp_credential_refs`
- `awooop_mcp_gateway_audit`
- `awooop_mcp_grants`
- `budget_ledger`
The SQL aborts if any target now has rows, is missing, lacks `project_id`, or
contains NULL `project_id`.
## Pre-Apply Gate
Run these before any production apply:
```bash
python3 scripts/ops/awooop-rls-access-audit.py
python3 scripts/ops/awooop-rls-manual-script-audit.py
bash scripts/ops/awooop-rls-preflight.sh --exact-counts
```
Expected before wave1 apply:
- Runtime access audit: `BLOCKED=0`.
- Manual script audit: `BLOCKED=0`; review items acknowledged.
- RLS preflight: still blocked only because policies are not enabled.
- Exact counts for the six wave1 target tables remain `total_rows=0`.
## Apply
Run with a migration/operator role in a reviewed maintenance window:
```bash
psql "$DATABASE_URL" -v ON_ERROR_STOP=1 \
-f scripts/ops/awooop-rls-canary-wave1-empty-tables.sql
```
Then rerun:
```bash
bash scripts/ops/awooop-rls-preflight.sh --exact-counts
curl -fsS https://awoooi.wooo.work/api/v1/health
```
The global preflight will still be blocked until later waves cover the remaining
tables. The six wave1 tables should show `rls=true`, `force=true`, and
`policies=1`, with no fail-open policy expression.
## 2026-05-12 Production Evidence
Apply completed with `COMMIT` through the 188 postgres/operator socket path.
Post-apply preflight:
- `awooop_contract_revisions`: `rls=true`, `force=true`, `policies=1`
- `awooop_conversation_event`: `rls=true`, `force=true`, `policies=1`
- `awooop_mcp_credential_refs`: `rls=true`, `force=true`, `policies=1`
- `awooop_mcp_gateway_audit`: `rls=true`, `force=true`, `policies=1`
- `awooop_mcp_grants`: `rls=true`, `force=true`, `policies=1`
- `budget_ledger`: `rls=true`, `force=true`, `policies=1`
All six showed `fail_open_null=false` and `fail_open_empty=false`.
Rollback-only behavior test from the API pod:
```text
budget_ledger_no_context=InsufficientPrivilegeError
budget_ledger_with_context=allowed_and_rolled_back
budget_ledger_count_after=0
```
## Rollback
```bash
psql "$DATABASE_URL" -v ON_ERROR_STOP=1 \
-f scripts/ops/awooop-rls-canary-wave1-empty-tables-rollback.sql
```
Rollback disables RLS and removes only the wave1 policies on the six canary
tables. It does not modify data.
Reference in New Issue View Git Blame Copy Permalink