IwoooS Backup / Restore / Escrow Owner Response Acceptance Read-Only Ledger

| Item | Content |
|---|---|
| Date | 2026-06-15 |
| Status | owner_response_acceptance_ledger_ready_no_runtime_action |
| Tool | scripts/security/backup-restore-owner-response-acceptance.py |
| Snapshot | docs/security/backup-restore-owner-response-acceptance.snapshot.json |
| Sources | backup-restore-escrow-inventory.snapshot.json, backup-restore-owner-request-draft.snapshot.json |
| runtime gate | 0 |
1. Purpose

This document chains the Backup / Restore / Escrow repo-only inventory and the owner request draft into a read-only owner response acceptance ledger. Its purpose is not to run a backup, a restore, an offsite sync or a retention change, but to fix in advance how a future owner response is received by a reviewer, sent back for supplement, quarantined, rejected, or moved into restore / retention review.

This stage performs no backup, no restore, no restore drill, no rclone sync and no remote delete; writes no credential escrow marker; changes no retention; runs no restic prune; changes no rclone config; runs no Velero restore / backup; uses no kubectl and no SSH; collects no secret values; writes to no host; performs no active scan; and opens no action button.
2. Summary

| Metric | Current value | Notes |
|---|---|---|
| source surface | 38 | from the backup / restore / escrow inventory |
| source request draft | 38 | carried over from the owner request draft |
| acceptance candidate | 38 | one candidate per surface |
| write-capable acceptance candidate | 27 | involves backup, restore, offsite, escrow, retention, Velero, health exporter, etc. |
| live evidence required candidate | 38 | all require owner-provided redacted evidence |
| acceptance field | 24 | fixed number of fields per acceptance candidate |
| required owner field | 14 | required fields carried over from the owner request draft |
| reviewer check | 13 | items a reviewer must check before accepting a response |
| outcome lane | 7 | waiting, quarantine, reject, supplement, review, read-only update, waiting for runtime gate |
| blocked action | 22 | all forbidden before acceptance |
| owner response received / accepted | 0 / 0 | must not be inflated artificially |
| backup / restore / offsite / retention | 0 | not authorised and not executed |
| runtime gate / action button | 0 / 0 | no execution entry point is opened |
3. Required Owner Fields

| Field | Description |
|---|---|
| owner_role_or_team | Backup / restore / offsite / escrow / retention owner role or team |
| decision | the response verdict for this surface |
| decision_reason | reason for the decision; must not contain sensitive values |
| affected_scope | affected services, data scope, backup set, restore target or offsite scope |
| redacted_evidence_refs | document, hash, ticket, commit or redacted artifact pointers |
| latest_backup_status_ref | ref to the latest backup status; the live backup store must not be read |
| restore_drill_plan | restore drill plan or approval package; does not mean the drill has been authorised |
| offsite_sync_evidence_ref | offsite sync evidence ref; must not contain a raw listing or a secret path |
| credential_escrow_evidence_ref | credential escrow metadata / marker ref; must not contain a value |
| maintenance_window | maintenance window or blackout window |
| rollback_owner | rollback / stop owner and withdrawal conditions |
| validation_plan | restore, freshness, checksum, alert and post-check plan |
| retention_owner | retention / prune owner |
| followup_owner | owner for supplement, quarantine, rejection or the next-step review |
4. Reviewer Checks

| Check | Rule |
|---|---|
| owner_identity_present | the owner role / team must be traceable |
| decision_reason_present | decision and decision reason must both be present |
| affected_scope_matches_surface | the affected scope must map back to the committed surface_id |
| redacted_refs_only | evidence may only be a redacted ref, hash, ticket, commit or artifact pointer |
| secret_value_absent | no token, private key, seed, rclone config, kubeconfig or credential derivative may appear |
| backup_status_ref_shape | the latest backup status may only be an owner-provided redacted ref |
| restore_drill_plan_present | the restore drill must be a plan / approval package, not an execution request |
| offsite_sync_ref_not_payload | offsite sync evidence may only be a ref |
| credential_escrow_metadata_only | credential escrow may only be a metadata / marker ref |
| retention_owner_present | the retention owner and the retention decision must be traceable |
| maintenance_window_present | any future backup / restore / prune / sync must have its own maintenance window |
| rollback_owner_present | a rollback owner and a rollback ref must exist |
| counts_transition_safe | only a reviewer record may update received / accepted / rejected; the runtime gate must not be opened at the same time |
5. Outcome Lanes

| Lane | Meaning |
|---|---|
| waiting_owner_response | no owner response received yet; all accepted / runtime counts stay at 0 |
| quarantine_raw_payload | when a raw backup listing, a secret, an rclone config or other content that must not be stored is received, the only option is quarantine |
| reject_secret_or_credential_value | rejected outright when a secret value, a credential derivative or an unredacted payload appears |
| request_supplement | supplement is requested when fields are missing, the scope is unclear, or the restore / retention owner is absent |
| ready_for_restore_review | once the metadata passes, the response may only proceed to restore / retention reviewer review |
| owner_review_only_update | only the read-only owner review ledger may be updated |
| waiting_runtime_gate | even after an owner response is accepted, the runtime gate still waits for independent manual approval |
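How a reviewer could mechanise the required fields, reviewer checks and outcome lanes above against a single owner response, as an added example. It is written in Python because the repository's tool is a Python script, but it is not that script and reads none of its snapshots: it runs the field-presence, scope, redacted-ref and secret-value checks, picks the most severe outcome lane, and updates only the reviewer counters while refusing to run when the runtime gate is not 0. The field, check and lane names are the ledger's; the secret-detection regexes, the accepted ref shapes, the surface identifier and the four sample records are constructed assumptions for this example.

```python
"""Reviewer-check evaluator for one owner response (added example, not the
repository's script). Field, check and lane names follow the ledger; the secret
heuristics, accepted ref shapes, surface_id and sample records are assumptions."""
import re

# The 14 required owner fields listed in the ledger.
REQUIRED_OWNER_FIELDS = (
    "owner_role_or_team", "decision", "decision_reason", "affected_scope",
    "redacted_evidence_refs", "latest_backup_status_ref", "restore_drill_plan",
    "offsite_sync_evidence_ref", "credential_escrow_evidence_ref",
    "maintenance_window", "rollback_owner", "validation_plan",
    "retention_owner", "followup_owner",
)
# Fields that must hold a pointer, never a payload (backup_status_ref_shape,
# offsite_sync_ref_not_payload, credential_escrow_metadata_only).
SINGLE_REF_FIELDS = ("latest_backup_status_ref", "offsite_sync_evidence_ref",
                     "credential_escrow_evidence_ref")
# Illustrative heuristics (assumption) for secret_value_absent: key material,
# a cloud access-key id shape, key=value credentials, a pasted kubeconfig.
SECRET_PATTERNS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    re.compile(r"(?i)\b(token|password|passwd|secret[_a-z]*|seed)\s*[:=]\s*\S+"),
    re.compile(r"(?i)\bkind:\s*Config\b"),
]
# Accepted ref shapes (assumption) for redacted_refs_only: ticket id, commit or
# content hash, sha256 digest, artifact pointer, or an in-repo docs path.
REF_PATTERN = re.compile(r"^(?:[A-Z]+-\d+|[0-9a-f]{7,64}|sha256:[0-9a-f]{64}"
                         r"|artifact://[\w./-]+|docs/[\w./-]+)$")


def find_secret_values(response):
    """secret_value_absent: names of fields whose value looks like a credential."""
    text = {f: v if isinstance(v, str) else " ".join(map(str, v)) for f, v in response.items()}
    return [f for f, t in text.items() if any(p.search(t) for p in SECRET_PATTERNS)]


def find_raw_payload_refs(response):
    """redacted_refs_only: ref fields holding something that is not a pointer."""
    refs = [(f, response.get(f, "")) for f in SINGLE_REF_FIELDS]
    listed = response.get("redacted_evidence_refs", [])
    refs += [("redacted_evidence_refs", r)
             for r in ([listed] if isinstance(listed, str) else listed)]
    return sorted({f for f, v in refs if v and not REF_PATTERN.match(str(v).strip())})


def assign_lane(response, surface_id):
    """Most severe finding decides the lane (ordering is an assumption: reject,
    then quarantine, then supplement); returns (lane, findings)."""
    hits = find_secret_values(response)
    if hits:
        return "reject_secret_or_credential_value", hits
    raw = find_raw_payload_refs(response)
    if raw:
        return "quarantine_raw_payload", raw
    findings = [f for f in REQUIRED_OWNER_FIELDS if not response.get(f)]
    # affected_scope_matches_surface: the scope must name the committed surface_id.
    if surface_id not in str(response.get("affected_scope", "")):
        findings.append("affected_scope_matches_surface")
    if findings:
        return "request_supplement", findings
    return "ready_for_restore_review", []


def apply_outcome(counts, lane):
    """counts_transition_safe: only reviewer counters move; the gate stays 0."""
    if counts.get("runtime_gate", 0) != 0:
        raise ValueError("runtime gate must remain 0 during owner response review")
    updated = dict(counts)
    updated["received"] += 1
    if lane == "ready_for_restore_review":
        updated["accepted"] += 1      # accepted into review, nothing is executed
    elif lane == "reject_secret_or_credential_value":
        updated["rejected"] += 1
    return updated


# Constructed sample records (assumption); every ref below is a pointer, not data.
SURFACE_ID = "backup-restore-surface-007"
GOOD_RESPONSE = {
    "owner_role_or_team": "platform-backup-owners", "decision": "accept_for_restore_review",
    "decision_reason": "nightly backup verified by the checksum job, see ticket",
    "affected_scope": "backup-restore-surface-007 / postgres-main backup set",
    "redacted_evidence_refs": ["OPS-4312", "sha256:" + "a" * 64],
    "latest_backup_status_ref": "OPS-4312",
    "restore_drill_plan": "plan only, approval package OPS-4320, not authorised",
    "offsite_sync_evidence_ref": "artifact://evidence/offsite-2026-06-14.redacted",
    "credential_escrow_evidence_ref": "docs/security/escrow-marker-metadata.md",
    "maintenance_window": "Sat 02:00-04:00 UTC", "rollback_owner": "platform-sre-oncall",
    "validation_plan": "restore to staging, freshness < 24h, checksum compare",
    "retention_owner": "data-governance", "followup_owner": "security-review",
}
LEAKED = {**GOOD_RESPONSE, "credential_escrow_evidence_ref":
          "-----BEGIN OPENSSH PRIVATE KEY-----\n(pasted key body)"}
RAW_LISTING = {**GOOD_RESPONSE, "latest_backup_status_ref":
               "snapshot 3f2a1c9 2026-06-14 02:00 /srv/backups/pg 1.2 TiB"}
INCOMPLETE = {**GOOD_RESPONSE, "retention_owner": "",
              "affected_scope": "postgres-main backup set"}
```

Calling `assign_lane` on the four constructed records gives ready_for_restore_review, reject_secret_or_credential_value, quarantine_raw_payload and request_supplement respectively. The ordering is the design point: a response that both leaks a value and lacks a field must be rejected, not bounced for supplement, so the leaked value is never kept on file while the reviewer waits for the missing field, and `apply_outcome` refuses to move any counter while the runtime gate is anything but 0.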
6. Blocked Actions

7. Commands

Pinned committed snapshot:

Read-only guard:
8. Completion

| Task | Completion | Notes |
|---|---|---|
| owner response acceptance ledger artifact | 100% | a read-only acceptance verdict ledger exists for all 38 surfaces |
| owner response received / accepted | 0% | no owner response received or accepted yet |
| live backup / offsite / escrow evidence | 0% | live backup, offsite or credential escrow not read |
| backup / restore / offsite / retention | 0% | not authorised and not executed |
| secret / host / production write | 0% | no secrets collected, no host written |
| runtime gate / production write | 0% | no action button, no production write |
9. Boundaries

This ledger is not live backup truth, not a restore drill approval, not an offsite sync approval, not a credential escrow marker approval, not a retention approval, and not an authorisation for backup / restore / Velero / rclone / SSH / kubectl / host writes. The owner response acceptance ledger, the snapshot, the LOGBOOK, the IwoooS UI or an AwoooP approval must not be read as permission to run a backup, a restore, an offsite sync, a remote delete, a retention change, secret collection, an active scan, a production write or a runtime gate.