wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 3 Packages Projects Releases Wiki Activity
Files
9c33f4b0ac7ff35e8282fc105affcae9dc02b87c
awoooi/docs/security/BACKUP-RESTORE-POST-INCIDENT-READBACK-PLAN.md
Your Name 1b9d44cfa7
All checks were successful
Code Review / ai-code-review (push) Successful in 12s
Details
CD Pipeline / tests (push) Successful in 1m39s
Details
CD Pipeline / build-and-deploy (push) Successful in 4m8s
Details
CD Pipeline / post-deploy-checks (push) Successful in 3m59s
Details
feat(iwooos): 新增備份復原事故回讀 gate
2026-06-18 09:11:39 +08:00

8.0 KiB
Raw Blame History

IwoooS Backup / Restore / Escrow 事故後回讀計畫

項目 內容
日期 2026-06-18
狀態 post_incident_readback_plan_ready_no_runtime_action
工具 scripts/security/backup-restore-post-incident-readback-plan.py
Snapshot docs/security/backup-restore-post-incident-readback-plan.snapshot.json
來源 docs/security/backup-restore-owner-response-acceptance.snapshot.json
runtime gate 0

1. 目的

此計畫把 Backup / Restore / Escrow 的事故後回讀從「有備份狀態」推進成可重跑、可補件、可隔離、可拒收的只讀帳本。

它處理的風險不是替正式備份系統下指令,而是先定義未來 owner 必須提供哪些脫敏 ref才能說明誰動了 backup / restore / offsite / escrow / retention何時異常改前改後 freshness 與 restore / offsite / retention 狀態如何,是否有隔離 restore target、credential escrow non-secret proof、rollback、post-change monitoring、recurrence guard 與 no-false-green 檢查。

本 artifact 不執行 backup、不 restore、不跑 offsite sync、不 remote delete、不寫 credential escrow marker、不改 retention、不 restic prune、不讀 rclone config、不跑 Velero、不 kubectl、不 SSH、不讀 secret value、不保存 raw backup listing、不保存 raw restore payload、不寫 production。

2. 固定數字

指標 數值
readback candidate 38
write-capable candidate 27
live evidence required candidate 38
restore drill readback required candidate 38
offsite / escrow readback required candidate 20
retention / remote delete readback required candidate 17
required readback fields 34
reviewer checks 32
outcome lanes 11
blocked actions 51
post-incident readback received / accepted 0 / 0
runtime gate 0

3. 必填回讀欄位

每一個候選都必須補齊以下 metadata-only refs才能進入 reviewer review

  1. incident / change / outage ref。
  2. actor role / team attribution ref。
  3. change / outage time window ref。
  4. change intent 或 break-glass reason ref。
  5. before / after backup freshness state refs。
  6. backup status readback ref。
  7. restore drill readback ref。
  8. restore target isolation readback ref。
  9. offsite sync readback ref。
  10. offsite remote delete guard readback ref。
  11. credential escrow non-secret readback ref。
  12. credential recovery drill metadata ref。
  13. retention runway readback ref。
  14. retention 或 prune decision ref。
  15. backup dependency map ref。
  16. data classification ref。
  17. restore observer / stop condition ref。
  18. backup health no-false-green readback ref。
  19. alert textfile readback ref。
  20. cold-start / DR scorecard ref。
  21. cross-project sync ref。
  22. rollback validation ref。
  23. post-change monitoring ref。
  24. independent postcheck readback ref。
  25. recurrence guard ref。
  26. maintenance window、rollback owner、followup owner。
  27. redacted evidence refs。
  28. no-secret-value、no-raw-backup-payload、no-production-restore 與 no-false-green attestation。

4. Reviewer 檢查

Reviewer 必須確認來源 snapshot 是目前版本,並逐項檢查 actor、時間窗、變更意圖、before / after freshness、backup status、restore drill、restore target isolation、offsite sync、remote delete guard、credential escrow non-secret proof、credential recovery metadata、retention runway、retention / prune decision、dependency map、data classification、restore observer、backup health no-false-green、alert textfile、cold-start scorecard、cross-project sync、rollback、post-change monitoring、independent postcheck、recurrence guard、maintenance window、脫敏 ref、secret absence、raw payload absence、runtime stays zero 與 count transition safe。

不能把 backup success、route 200、dashboard up、alert quiet、textfile present、UI 可見、CD success 或 latest 字樣視為 DR / backup 驗收。

5. 分流

lane 用途
waiting_post_incident_readback 尚未收到回讀包;所有 accepted / runtime count 維持 0
request_actor_or_time_supplement 缺 actor、時間窗、intent 或 break-glass reason
request_backup_freshness_supplement 缺 before / after freshness、backup status、alert textfile 或 scorecard
request_restore_isolation_supplement 缺 restore drill、隔離目標、observer、stop condition 或 rollback validation
request_offsite_retention_supplement 缺 offsite sync、remote delete guard、retention runway 或 prune decision
request_escrow_non_secret_supplement 缺 credential escrow non-secret proof 或 recovery drill metadata
quarantine_raw_payload 收到 secret、raw backup listing、raw restore payload、raw DB dump、rclone config 或未脫敏截圖時隔離
reject_false_green_claim 把 backup success、route 200、dashboard up、alert quiet、textfile present 或 UI 可見當驗收時拒收
ready_for_backup_restore_post_incident_review metadata 合格後只能進 reviewer review
recurrence_guard_backfill_required 需補防再發 guard、retention freeze、remote-delete block、owner review 或 automation block
waiting_runtime_gate 即使 readback acceptedruntime gate 仍需獨立人工批准

6. 固定禁止動作

本階段明確阻擋 backup_runrestore_runrestore_drillproduction_restoreoffsite_syncoffsite_remote_deletecredential_escrow_marker_writecredential_recovery_executionretention_changeretention_prunerestic_prunerclone_config_readrclone_config_changevelero_restorevelero_backupkubectl_actionssh_readssh_writesecret_value_collectionsecret_hash_collectionpartial_token_collectionrestic_password_collectionrclone_token_collectionkubeconfig_collectionhost_writeactive_scanproduction_writeruntime_gate_open、raw backup / restore / object listing / DB dump storage、接受 secret 或 credential derivative evidence、無 reviewer record 標記 accepted、接受 false green、跳過 dependency / data classification / observer / cross-project / rollback / post-change monitoring review、偽造 credential escrow evidence 與任何 action button。

7. 目前邊界

此 artifact 只代表事故後回讀計畫已建立。post_incident_readback_received_countpost_incident_readback_accepted_countbackup_status_readback_accepted_countrestore_drill_readback_accepted_countoffsite_sync_readback_accepted_countcredential_escrow_non_secret_readback_accepted_countretention_runway_readback_accepted_countbackup_health_no_false_green_readback_accepted_countbackup_run_authorized_countrestore_run_authorized_countoffsite_sync_authorized_countcredential_escrow_marker_write_authorized_countretention_change_authorized_countruntime_gate_countaction_button_count 仍全部維持 0

8. 指令

產生 committed snapshot

python3 scripts/security/backup-restore-post-incident-readback-plan.py \
  --root . \
  --generated-at 2026-06-18T10:30:00+08:00 \
  --output docs/security/backup-restore-post-incident-readback-plan.snapshot.json

只讀 guard

python3 scripts/security/iwooos-config-control-guard.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .

9. 完成度

工作 完成度 說明
post-incident readback plan artifact 100% 38 個候選已建立只讀回讀計畫
post-incident readback received / accepted 0% 尚未收到或驗收任何事故後回讀包
live backup / offsite / escrow evidence 0% 未讀 live backup、offsite、credential escrow 或 secret
backup / restore / offsite / retention 0% 未授權且未執行
secret / host / production write 0% 未收 secret、未 SSH、未寫 host
runtime gate / action button 0% 無 action button無 production write
Reference in New Issue View Git Blame Copy Permalink