# IwoooS Backup / Restore / Escrow Owner Response Acceptance Read-Only Ledger

| Item | Content |
|------|---------|
| Date | 2026-06-15 |
| Status | `owner_response_acceptance_ledger_ready_no_runtime_action` |
| Tool | `scripts/security/backup-restore-owner-response-acceptance.py` |
| Snapshot | `docs/security/backup-restore-owner-response-acceptance.snapshot.json` |
| Sources | `backup-restore-escrow-inventory.snapshot.json`, `backup-restore-owner-request-draft.snapshot.json` |
| runtime gate | `0` |

## 1. Purpose

This document chains the Backup / Restore / Escrow repo-only inventory and the owner request draft into a read-only owner response acceptance ledger. Its purpose is not to run backups, restores, offsite sync or retention changes, but to fix in advance how future owner responses are received, supplemented, quarantined, rejected, or advanced into restore / retention review by reviewers.

This phase runs no backup, no restore, no restore drill, no rclone sync and no remote delete; writes no credential escrow marker; changes no retention; runs no restic prune; changes no rclone config; runs no Velero restore / backup; uses no kubectl and no SSH; collects no secret values; writes to no host; performs no active scan; and opens no action button.

## 2. Summary

| Metric | Current value | Notes |
|--------|---------------|-------|
| source surface | `38` | From the backup / restore / escrow inventory |
| source request draft | `38` | Carried over from the owner request draft |
| acceptance candidate | `38` | One candidate per surface |
| write-capable acceptance candidate | `27` | Involves backup, restore, offsite, escrow, retention, Velero, health exporter, etc. |
| live evidence required candidate | `38` | All require owner-provided redacted evidence |
| acceptance field | `24` | Fixed number of fields per acceptance candidate |
| required owner field | `14` | Required fields carried over from the owner request draft |
| reviewer check | `13` | Items the reviewer must check before accepting a submission |
| outcome lane | `7` | Waiting, quarantine, reject, supplement, review, read-only update, waiting for runtime gate |
| blocked action | `22` | All prohibited before acceptance |
| owner response received / accepted | `0 / 0` | Must not be artificially inflated |
| backup / restore / offsite / retention | `0` | Neither authorized nor executed |
| runtime gate / action button | `0 / 0` | No execution entry point is opened |

## 3. Required Owner Fields

| Field | Description |
|-------|-------------|
| `owner_role_or_team` | Backup / restore / offsite / escrow / retention owner role or team |
| `decision` | The owner's decision for this surface |
| `decision_reason` | Reason for the decision; must not contain sensitive values |
| `affected_scope` | Affected services, data scope, backup set, restore target or offsite scope |
| `redacted_evidence_refs` | Document, hash, ticket, commit or redacted artifact pointer |
| `latest_backup_status_ref` | Reference to the latest backup status; the live backup store must not be read |
| `restore_drill_plan` | Restore drill plan or approval package; does not mean execution has been authorized |
| `offsite_sync_evidence_ref` | Offsite sync evidence ref; must not contain a raw listing or secret path |
| `credential_escrow_evidence_ref` | Credential escrow metadata / marker ref; must not contain the value |
| `maintenance_window` | Maintenance window or blackout window |
| `rollback_owner` | Rollback / stop owner and withdrawal conditions |
| `validation_plan` | Restore, freshness, checksum, alert and post-check plan |
| `retention_owner` | Retention / prune owner |
| `followup_owner` | Owner for supplement, quarantine, rejection or next-step review |

## 4. Reviewer Checks

| Check | Rule |
|-------|------|
| `owner_identity_present` | Owner role / team must be traceable |
| `decision_reason_present` | decision and decision reason must both be present |
| `affected_scope_matches_surface` | affected scope must map back to the committed surface_id |
| `redacted_refs_only` | Evidence may only be redacted refs, hashes, tickets, commits or artifact pointers |
| `secret_value_absent` | No token, private key, seed, rclone config, kubeconfig or credential derivative may appear |
| `backup_status_ref_shape` | latest backup status may only be an owner-provided redacted ref |
| `restore_drill_plan_present` | restore drill must be a plan / approval package, not an execution request |
| `offsite_sync_ref_not_payload` | offsite sync evidence may only be a ref |
| `credential_escrow_metadata_only` | credential escrow may only be a metadata / marker ref |
| `retention_owner_present` | retention owner and retention decision must be traceable |
| `maintenance_window_present` | Any future backup / restore / prune / sync must have its own maintenance window |
| `rollback_owner_present` | rollback owner and rollback ref must exist |
| `counts_transition_safe` | Only a reviewer record may update received / accepted / rejected; the runtime gate must not be opened at the same time |

## 5. Outcome Lanes

| Lane | Meaning |
|------|---------|
| `waiting_owner_response` | No owner response received yet; all accepted / runtime counts stay at 0 |
| `quarantine_raw_payload` | When a raw backup listing, secret, rclone config or other unstorable content is received, it can only be quarantined |
| `reject_secret_or_credential_value` | When a secret value, credential derivative or unredacted payload appears, reject outright |
| `request_supplement` | When fields are insufficient, scope is unclear, or the restore / retention owner is missing, request a supplement |
| `ready_for_restore_review` | Once the metadata passes, it may only proceed to restore / retention reviewer review |
| `owner_review_only_update` | Only updates to the read-only owner review ledger are allowed |
| `waiting_runtime_gate` | Even when an owner response is accepted, the runtime gate still waits for independent manual approval |
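As an added example (not the project's `backup-restore-owner-response-acceptance.py` script), the following Python applies the subset of section 4 reviewer checks that can be decided from a response alone to an owner response shaped like the section 3 fields, and routes it to a section 5 lane. The dict layout, the accepted ref patterns, the secret-value patterns, the lane precedence and the sample surface id are all assumptions.

```python
import re

# Assumed shape of a redacted reference: hash, ticket, commit or artifact pointer.
REF_RE = re.compile(
    r"^(sha256:[0-9a-f]{64}|TICKET-\d+|commit:[0-9a-f]{7,40}|artifact://\S+)$")
# Constructed markers for the secret / credential categories the page names.
SECRET_RE = re.compile(
    r"BEGIN [A-Z ]*PRIVATE KEY|\btoken\s*[:=]|\[remote\]|type\s*=\s*s3|kubeconfig", re.I)


def reviewer_checks(resp, surface_id):
    """Evaluate the section 4 checks decidable from the response alone.

    `resp` is assumed to be a dict keyed by the section 3 field names."""
    refs = resp.get("redacted_evidence_refs", [])
    flat = " ".join(str(v) for v in resp.values())
    return {
        "owner_identity_present": bool(resp.get("owner_role_or_team")),
        "decision_reason_present": bool(resp.get("decision")) and bool(resp.get("decision_reason")),
        "affected_scope_matches_surface": surface_id in str(resp.get("affected_scope", "")),
        "redacted_refs_only": bool(refs) and all(REF_RE.match(r) for r in refs),
        "secret_value_absent": SECRET_RE.search(flat) is None,
        "restore_drill_plan_present": bool(resp.get("restore_drill_plan")),
        "retention_owner_present": bool(resp.get("retention_owner")),
        "maintenance_window_present": bool(resp.get("maintenance_window")),
        "rollback_owner_present": bool(resp.get("rollback_owner")),
    }


def outcome_lane(resp, surface_id):
    """Route to a section 5 lane. Precedence (assumed): reject, quarantine, supplement, review.

    The runtime gate is never touched here; even "ready_for_restore_review" stays read-only."""
    if not resp:
        return "waiting_owner_response"
    checks = reviewer_checks(resp, surface_id)
    if not checks["secret_value_absent"]:
        return "reject_secret_or_credential_value"
    if not checks["redacted_refs_only"]:  # raw listing / path instead of a redacted ref
        return "quarantine_raw_payload"
    if not all(checks.values()):
        return "request_supplement"
    return "ready_for_restore_review"


# Constructed sample response for the hypothetical surface id "surface-017".
SAMPLE = {
    "owner_role_or_team": "backup-platform-team", "decision": "proceed_to_review",
    "decision_reason": "drill plan attached as ticket", "affected_scope": "surface-017 restic set",
    "redacted_evidence_refs": ["TICKET-4242", "sha256:" + "a" * 64],
    "restore_drill_plan": "TICKET-4242", "maintenance_window": "2026-06-20 02:00-04:00 +08:00",
    "rollback_owner": "sre-oncall", "retention_owner": "backup-platform-team",
}

if __name__ == "__main__":
    print(outcome_lane(SAMPLE, "surface-017"))  # ready_for_restore_review
```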

## 6. Blocked Actions

```text
backup_run
restore_run
restore_drill
offsite_sync
offsite_remote_delete
credential_escrow_marker_write
retention_change
restic_prune
rclone_config
velero_restore
velero_backup
kubectl_action
ssh_read
ssh_write
secret_value_collection
host_write
active_scan
runtime_gate_open
raw_backup_payload_storage
accept_secret_value_evidence
mark_owner_response_accepted_without_reviewer_record
add_action_button
```

## 7. Commands

Generate the pinned committed snapshot:

```bash
python3 scripts/security/backup-restore-owner-response-acceptance.py \
  --root . \
  --output docs/security/backup-restore-owner-response-acceptance.snapshot.json \
  --generated-at 2026-06-15T00:18:00+08:00
```

Read-only guards:

```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/source-control-owner-response-guard.py --root .
```

## 8. Completion

| Task | Completion | Notes |
|------|------------|-------|
| owner response acceptance ledger artifact | `100%` | 38 surfaces have a read-only acceptance decision ledger |
| owner response received / accepted | `0%` | No owner response received or accepted yet |
| live backup / offsite / escrow evidence | `0%` | Live backup, offsite and credential escrow not read |
| backup / restore / offsite / retention | `0%` | Neither authorized nor executed |
| secret / host / production write | `0%` | No secrets collected, no host written |
| runtime gate / production write | `0%` | No action button, no production write |

## 9. Boundaries

This ledger is not live backup truth, not a restore drill approval, not an offsite sync approval, not a credential escrow marker approval, not a retention approval, and not an authorization for backup / restore / Velero / rclone / SSH / kubectl / host writes. The owner response acceptance ledger, snapshot, LOGBOOK, IwoooS UI or AwoooP approval must not be interpreted as permission to run backup, restore, offsite sync, remote delete, retention change, secret collection, active scan, production write or runtime gate.