awoooi/docs/security/BACKUP-RESTORE-POST-INCIDENT-READBACK-PLAN.md
Commit 1b9d44cfa7 by Your Name
feat(iwooos): add backup/restore incident readback gate
2026-06-18 09:11:39 +08:00
# IwoooS Backup / Restore / Escrow Post-Incident Readback Plan
| Item | Content |
|------|------|
| Date | 2026-06-18 |
| Status | `post_incident_readback_plan_ready_no_runtime_action` |
| Tool | `scripts/security/backup-restore-post-incident-readback-plan.py` |
| Snapshot | `docs/security/backup-restore-post-incident-readback-plan.snapshot.json` |
| Source | `docs/security/backup-restore-owner-response-acceptance.snapshot.json` |
| runtime gate | `0` |
## 1. Purpose
This plan moves the post-incident readback for Backup / Restore / Escrow from "a backup state exists" to a read-only ledger that can be re-run, supplemented, quarantined and rejected.
The risk it addresses is not that of issuing commands to the production backup system. It first defines which redacted refs a future owner must provide in order to show who touched backup / restore / offsite / escrow / retention, when the anomaly occurred, what the before / after freshness and the restore / offsite / retention states were, and whether there was an isolated restore target, credential escrow non-secret proof, rollback, post-change monitoring, a recurrence guard and no-false-green checks.
This artifact does not run backups, does not restore, does not run offsite sync, does not remote delete, does not write credential escrow markers, does not change retention, does not run restic prune, does not read rclone config, does not run Velero, does not run kubectl, does not SSH, does not read secret values, does not store raw backup listings, does not store raw restore payloads and does not write to production.
## 2. Fixed Numbers
| Metric | Value |
|------|------|
| readback candidate | `38` |
| write-capable candidate | `27` |
| live evidence required candidate | `38` |
| restore drill readback required candidate | `38` |
| offsite / escrow readback required candidate | `20` |
| retention / remote delete readback required candidate | `17` |
| required readback fields | `34` |
| reviewer checks | `32` |
| outcome lanes | `11` |
| blocked actions | `51` |
| post-incident readback received / accepted | `0 / 0` |
| runtime gate | `0` |
## 3. Required Readback Fields
Every candidate must supply all of the following metadata-only refs before it can enter reviewer review:
1. incident / change / outage ref.
2. actor role / team attribution ref.
3. change / outage time window ref.
4. change intent or break-glass reason ref.
5. before / after backup freshness state refs.
6. backup status readback ref.
7. restore drill readback ref.
8. restore target isolation readback ref.
9. offsite sync readback ref.
10. offsite remote delete guard readback ref.
11. credential escrow non-secret readback ref.
12. credential recovery drill metadata ref.
13. retention runway readback ref.
14. retention or prune decision ref.
15. backup dependency map ref.
16. data classification ref.
17. restore observer / stop condition ref.
18. backup health no-false-green readback ref.
19. alert textfile readback ref.
20. cold-start / DR scorecard ref.
21. cross-project sync ref.
22. rollback validation ref.
23. post-change monitoring ref.
24. independent postcheck readback ref.
25. recurrence guard ref.
26. maintenance window, rollback owner and followup owner.
27. redacted evidence refs.
28. no-secret-value, no-raw-backup-payload, no-production-restore and no-false-green attestations.
## 4. Reviewer Checks
The reviewer must confirm that the source snapshot is the current version, then check item by item: actor, time window, change intent, before / after freshness, backup status, restore drill, restore target isolation, offsite sync, remote delete guard, credential escrow non-secret proof, credential recovery metadata, retention runway, retention / prune decision, dependency map, data classification, restore observer, backup health no-false-green, alert textfile, cold-start scorecard, cross-project sync, rollback, post-change monitoring, independent postcheck, recurrence guard, maintenance window, redacted refs, secret absence, raw payload absence, runtime stays zero and count transition safe.
Backup success, route `200`, dashboard up, alert quiet, textfile present, UI visible, CD success or the word "latest" must not be treated as DR / backup acceptance.
## 5. Lanes
| lane | Purpose |
|------|------|
| `waiting_post_incident_readback` | No readback package received yet; all accepted / runtime counts stay at `0` |
| `request_actor_or_time_supplement` | Missing actor, time window, intent or break-glass reason |
| `request_backup_freshness_supplement` | Missing before / after freshness, backup status, alert textfile or scorecard |
| `request_restore_isolation_supplement` | Missing restore drill, isolated target, observer, stop condition or rollback validation |
| `request_offsite_retention_supplement` | Missing offsite sync, remote delete guard, retention runway or prune decision |
| `request_escrow_non_secret_supplement` | Missing credential escrow non-secret proof or recovery drill metadata |
| `quarantine_raw_payload` | Quarantine on receipt of a secret, raw backup listing, raw restore payload, raw DB dump, rclone config or unredacted screenshot |
| `reject_false_green_claim` | Reject when backup success, route 200, dashboard up, alert quiet, textfile present or UI visible is offered as acceptance |
| `ready_for_backup_restore_post_incident_review` | Once the metadata qualifies, the only next step is reviewer review |
| `recurrence_guard_backfill_required` | A recurrence guard, retention freeze, remote-delete block, owner review or automation block still has to be added |
| `waiting_runtime_gate` | Even after the readback is accepted, the runtime gate still needs independent manual approval |
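The required fields of section 3, the no-false-green rule of section 4 and the lanes of section 5 together describe a triage function over a metadata-only readback package. The block below is an added illustration of that triage and is not the project's `scripts/security/backup-restore-post-incident-readback-plan.py`. The lane names are the ones in the table above; the snake_case package keys, the raw-payload detection patterns, the `ledger()` helper and the sample packages at the bottom are assumptions made for this example. Quarantine is checked first, the false-green claim second, and missing refs are reported by the first supplement lane with a gap; the returned detail names keys only, so a quarantined payload is never copied into the ledger, and the authorised / runtime counters are fixed at zero regardless of lane.

```python
"""Lane triage for a Backup / Restore / Escrow post-incident readback package.

Added example for sections 3-5 of this plan, not the project's own tool.
Package field names, raw-payload patterns and sample packages are assumed.
"""
import re
from collections import Counter

# Required refs grouped by the supplement lane requested when one is missing.
# Order matters: the first group with a gap decides the lane. (assumed keys)
SUPPLEMENT_GROUPS = (
    ("request_actor_or_time_supplement",
     ("incident_ref", "actor_role_ref", "time_window_ref", "change_intent_ref")),
    ("request_backup_freshness_supplement",
     ("before_freshness_ref", "after_freshness_ref", "backup_status_ref",
      "alert_textfile_ref", "cold_start_scorecard_ref")),
    ("request_restore_isolation_supplement",
     ("restore_drill_ref", "restore_target_isolation_ref",
      "restore_observer_ref", "rollback_validation_ref")),
    ("request_offsite_retention_supplement",
     ("offsite_sync_ref", "offsite_remote_delete_guard_ref",
      "retention_runway_ref", "retention_decision_ref")),
    ("request_escrow_non_secret_supplement",
     ("credential_escrow_non_secret_ref", "credential_recovery_drill_ref")),
)

# Material that must be quarantined, never stored as a ref: credential
# derivatives, an rclone config section, a DB dump header, a raw snapshot
# listing row. Illustrative patterns, not the project's.
RAW_PAYLOAD_PATTERNS = (
    re.compile(r"(?i)\b(restic_password|rclone_token|kubeconfig|aws_secret_access_key)\b"),
    re.compile(r"(?im)^\s*type\s*=\s*(s3|b2|sftp|local)\s*$"),
    re.compile(r"(?im)^-- PostgreSQL database dump"),
    re.compile(r"(?m)^[0-9a-f]{8}\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s"),
)

# Signals section 4 says must not count as DR / backup acceptance.
FALSE_GREEN = re.compile(
    r"(?i)\b(backup success|route 200|dashboard up|alert quiet|"
    r"textfile present|ui visible|cd success|latest)\b")

# Counters the plan keeps at zero whatever the triage outcome is.
ZERO_COUNTERS = ("backup_run_authorized_count", "restore_run_authorized_count",
                 "offsite_sync_authorized_count", "runtime_gate_count",
                 "action_button_count")


def triage(package):
    """Return (lane, detail) for one readback package.

    detail names the offending key or the missing refs only; it never carries
    a field value, so a quarantined payload is not copied into the ledger.
    """
    if not package:
        return "waiting_post_incident_readback", None
    for key, value in package.items():
        if isinstance(value, str) and any(p.search(value) for p in RAW_PAYLOAD_PATTERNS):
            return "quarantine_raw_payload", key
    m = FALSE_GREEN.search(str(package.get("acceptance_basis", "")))
    if m:
        return "reject_false_green_claim", m.group(1).lower()
    for lane, fields in SUPPLEMENT_GROUPS:
        missing = [f for f in fields if not package.get(f)]
        if missing:
            return lane, missing
    if not package.get("recurrence_guard_ref"):
        return "recurrence_guard_backfill_required", ["recurrence_guard_ref"]
    return "ready_for_backup_restore_post_incident_review", None


def ledger(packages):
    """Count lanes across packages; "ready" is not "accepted", and the
    authorised / runtime counters stay 0 (acceptance needs a reviewer record)."""
    summary = dict(Counter(triage(p)[0] for p in packages))
    summary.update((c, 0) for c in ZERO_COUNTERS)
    summary["post_incident_readback_accepted_count"] = 0
    return summary


# Constructed sample packages; every value is a placeholder ref, not real data.
COMPLETE = {f: f"ref://{f}" for _, fields in SUPPLEMENT_GROUPS for f in fields}
COMPLETE.update(recurrence_guard_ref="ref://guard",
                acceptance_basis="independent postcheck ref://postcheck-41")
SAMPLES = {
    "empty": {},
    "complete": COMPLETE,
    "missing_escrow": {k: v for k, v in COMPLETE.items()
                       if k != "credential_recovery_drill_ref"},
    "false_green": dict(COMPLETE, acceptance_basis="backup success, dashboard up"),
    "rclone_conf": dict(COMPLETE, offsite_sync_ref="[offsite]\ntype = s3\n"),
    "no_guard": {k: v for k, v in COMPLETE.items() if k != "recurrence_guard_ref"},
}

if __name__ == "__main__":
    for name, pkg in SAMPLES.items():
        print(f"{name:15} -> {triage(pkg)}")
    print(ledger(SAMPLES.values()))
```

Quarantine deliberately wins over every other lane: a package that pastes an rclone section into `offsite_sync_ref` is quarantined by key name even if all other refs are complete, and the summary it feeds never gains an accepted or runtime count.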
## 6. Fixed Blocked Actions
This stage explicitly blocks `backup_run`, `restore_run`, `restore_drill`, `production_restore`, `offsite_sync`, `offsite_remote_delete`, `credential_escrow_marker_write`, `credential_recovery_execution`, `retention_change`, `retention_prune`, `restic_prune`, `rclone_config_read`, `rclone_config_change`, `velero_restore`, `velero_backup`, `kubectl_action`, `ssh_read`, `ssh_write`, `secret_value_collection`, `secret_hash_collection`, `partial_token_collection`, `restic_password_collection`, `rclone_token_collection`, `kubeconfig_collection`, `host_write`, `active_scan`, `production_write` and `runtime_gate_open`, as well as storing raw backup / restore / object listings or DB dumps, accepting secret or credential-derivative evidence, marking anything accepted without a reviewer record, accepting a false green, skipping dependency / data classification / observer / cross-project / rollback / post-change monitoring review, forging credential escrow evidence, and any action button.
## 7. Current Boundary
This artifact only means that the post-incident readback plan has been established. `post_incident_readback_received_count`, `post_incident_readback_accepted_count`, `backup_status_readback_accepted_count`, `restore_drill_readback_accepted_count`, `offsite_sync_readback_accepted_count`, `credential_escrow_non_secret_readback_accepted_count`, `retention_runway_readback_accepted_count`, `backup_health_no_false_green_readback_accepted_count`, `backup_run_authorized_count`, `restore_run_authorized_count`, `offsite_sync_authorized_count`, `credential_escrow_marker_write_authorized_count`, `retention_change_authorized_count`, `runtime_gate_count` and `action_button_count` all remain at `0`.
## 8. Commands
Generate the committed snapshot:
```bash
python3 scripts/security/backup-restore-post-incident-readback-plan.py \
--root . \
--generated-at 2026-06-18T10:30:00+08:00 \
--output docs/security/backup-restore-post-incident-readback-plan.snapshot.json
```
Read-only guards:
```bash
python3 scripts/security/iwooos-config-control-guard.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 9. Completion
| Task | Completion | Note |
|------|--------|------|
| post-incident readback plan artifact | `100%` | read-only readback plan established for 38 candidates |
| post-incident readback received / accepted | `0%` | no post-incident readback package received or accepted yet |
| live backup / offsite / escrow evidence | `0%` | no live backup, offsite, credential escrow or secret read |
| backup / restore / offsite / retention | `0%` | not authorised and not executed |
| secret / host / production write | `0%` | no secret received, no SSH, no host write |
| runtime gate / action button | `0%` | no action button, no production write |