awoooi/docs/security/BACKUP-RESTORE-OWNER-RESPONSE-ACCEPTANCE.md
Your Name 0359020212
feat(iwooos): strengthen backup / restore vault backfill gate
2026-06-15 15:22:30 +08:00
# IwoooS Backup / Restore / Escrow Owner Response Acceptance Read-Only Ledger

| Item | Content |
|------|------|
| Date | `2026-06-15` |
| Status | `owner_response_acceptance_ledger_ready_no_runtime_action` |
| Tool | `scripts/security/backup-restore-owner-response-acceptance.py` |
| Snapshot | `docs/security/backup-restore-owner-response-acceptance.snapshot.json` |
| Sources | `backup-restore-escrow-inventory.snapshot.json`, `backup-restore-owner-request-draft.snapshot.json` |
| runtime gate | `0` |

## 1. Purpose

This document chains the Backup / Restore / Escrow repo-only inventory and the owner request draft into a read-only owner response acceptance ledger. Its purpose is not to perform backups, restores, offsite sync or retention changes, but to fix in advance how future owner responses are received, supplemented, quarantined, rejected, or passed into restore / retention review by reviewers.

This phase performs no backup, no restore, no restore drill, no rclone sync, no remote delete, no credential escrow marker write, no retention change, no restic prune, no rclone config change, no Velero restore / backup, no kubectl, no SSH, no collection of secret values, no host write, no active scan, and opens no action button.

## 2. Summary

| Metric | Current value | Notes |
|------|--------|------|
| source surface | `38` | From the backup / restore / escrow inventory |
| source request draft | `38` | Carried over from the owner request draft |
| acceptance candidate | `38` | One candidate per surface |
| write-capable acceptance candidate | `27` | Involves backup, restore, offsite, escrow, retention, Velero, health exporter, etc. |
| live evidence required candidate | `38` | All require owner-provided redacted evidence |
| acceptance field | `33` | Fixed number of fields per acceptance candidate |
| required owner field | `23` | Carried over from the owner request draft, plus restore recovery / freshness / remote delete / retention / no-false-green fields |
| reviewer check | `22` | Mandatory checks before a reviewer accepts a submission |
| outcome lane | `9` | Waiting, quarantine, reject, supplement, review, read-only update, restore backfill, remote delete / retention review, waiting for runtime gate |
| blocked action | `31` | All prohibited before acceptance |
| owner response received / accepted | `0 / 0` | Must not be artificially inflated |
| backup / restore / offsite / retention | `0` | Not authorized and not executed |
| runtime gate / action button | `0 / 0` | No execution entry point is opened |

## 3. Required Owner Fields

| Field | Description |
|------|------|
| `owner_role_or_team` | Backup / restore / offsite / escrow / retention owner role or team |
| `decision` | The response decision for this surface |
| `decision_reason` | Reason for the decision; must not contain sensitive values |
| `affected_scope` | Affected services, data scope, backup set, restore target or offsite scope |
| `redacted_evidence_refs` | Document, hash, ticket, commit or redacted artifact pointer |
| `latest_backup_status_ref` | Ref to the latest backup status; must not read the live backup store |
| `restore_drill_plan` | Restore drill plan or approval package; does not imply authorization |
| `offsite_sync_evidence_ref` | Offsite sync evidence ref; must not contain raw listings or secret paths |
| `credential_escrow_evidence_ref` | Credential escrow metadata / marker ref; must not contain values |
| `freshness_slo_ref` | Backup freshness SLO / RPO ref; the word "latest" alone is not a substitute |
| `restore_target_isolation_ref` | Restore drill isolated target or no-production-write boundary |
| `backup_dependency_map_ref` | Recovery dependency map for databases, object storage, repos, configuration, credentials and alerting |
| `data_classification_ref` | Data classification of the backup set; must not request raw customer data, payloads or unredacted listings |
| `remote_delete_guard_ref` | Remote delete guard and owner ref for the offsite sync / latest-only policy |
| `retention_runway_ref` | Recoverable window, runway and rollback conditions for retention / prune |
| `restore_observer_stop_condition_ref` | Restore drill observer, stop condition and rollback owner |
| `credential_recovery_drill_ref` | Credential recovery non-secret proof / evidence id; must not contain values, hashes, seeds or recovery codes |
| `backup_health_no_false_green_ref` | Backup health / textfile / alert no-false-green review ref |
| `maintenance_window` | Maintenance window or blackout window |
| `rollback_owner` | Rollback / stop owner and rollback conditions |
| `validation_plan` | Restore, freshness, checksum, alert and post-check plan |
| `retention_owner` | Retention / prune owner |
| `followup_owner` | Owner for supplement, quarantine, rejection or the next review step |

## 4. Reviewer Checks

| Check | Rule |
|-------|------|
| `owner_identity_present` | Owner role / team must be traceable |
| `decision_reason_present` | Decision and decision reason must both be present |
| `affected_scope_matches_surface` | Affected scope must map back to the committed surface_id |
| `redacted_refs_only` | Evidence may only be a redacted ref, hash, ticket, commit or artifact pointer |
| `secret_value_absent` | No token, private key, seed, rclone config, kubeconfig or credential derivative may appear |
| `backup_status_ref_shape` | Latest backup status may only be an owner-provided redacted ref |
| `restore_drill_plan_present` | Restore drill must be a plan / approval package, not an execution request |
| `offsite_sync_ref_not_payload` | Offsite sync evidence may only be a ref |
| `credential_escrow_metadata_only` | Credential escrow may only be a metadata / marker ref |
| `retention_owner_present` | Retention owner and retention decision must be traceable |
| `maintenance_window_present` | Any future backup / restore / prune / sync must have a separate maintenance window |
| `rollback_owner_present` | Rollback owner and rollback ref must exist |
| `counts_transition_safe` | Only a reviewer record may update received / accepted / rejected; the runtime gate must not be opened at the same time |
| `freshness_slo_present` | A backup freshness SLO / RPO ref is required |
| `restore_target_isolation_present` | Restore drill must have an isolated target or a no-production-write boundary |
| `backup_dependency_map_present` | Recovery dependency map for DB, object storage, repos, configuration, credentials and alerting must be listed |
| `data_classification_present` | Data classification of the backup set must be stated; raw payloads must not be requested |
| `remote_delete_guard_present` | Offsite sync / latest-only policy must have a remote delete guard |
| `retention_runway_present` | Retention / prune must have a recoverable window, runway and rollback conditions |
| `restore_observer_stop_condition_present` | Restore drill must have an observer, stop condition and rollback owner |
| `credential_recovery_drill_metadata_only` | Credential recovery may only submit non-secret proof / evidence id |
| `backup_health_no_false_green_reviewed` | Backup health / textfile / alert evidence must guard against false-green |

## 5. Outcome Lanes

| Lane | Meaning |
|------|------|
| `waiting_owner_response` | No owner response received yet; all accepted / runtime counts stay 0 |
| `quarantine_raw_payload` | When a raw backup listing, secret, rclone config or other unstorable content is received, it may only be quarantined |
| `reject_secret_or_credential_value` | Reject outright when a secret value, credential derivative or unredacted payload appears |
| `request_supplement` | Request supplementary material when fields are insufficient, scope is unclear, or the restore / retention owner is missing |
| `ready_for_restore_review` | Once metadata passes, may only proceed to restore / retention reviewer review |
| `owner_review_only_update` | Only the read-only owner review ledger may be updated |
| `restore_recovery_backfill_required` | When restore / cold-start / incident recovery data is insufficient, only supplementary material is requested |
| `remote_delete_retention_review_required` | Offsite remote delete, latest-only and restic prune must go to retention reviewer review |
| `waiting_runtime_gate` | Even after the owner response is accepted, the runtime gate still waits for independent manual approval |
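The following is an added example, not the repository's `scripts/security/backup-restore-owner-response-acceptance.py`, showing how a reviewer-side script could evaluate a subset of the section 4 checks on one owner response and route it to one of the section 5 lanes. The check ids and lane names are taken from this ledger; the typed-ref convention (`ticket:`, `commit:`, `doc:`, `sha256:`, `artifact:`), the secret indicators, the rule that a multi-line value is a pasted listing, the order in which failures are mapped to lanes, the `surface-placeholder-001` id and all sample responses are this example's own assumptions and constructed data.

```python
"""Reviewer-side triage of one owner response against the acceptance ledger.

Added example; not the repository's backup-restore-owner-response-acceptance.py.
Check ids and lane names are the ledger's; the ref convention, secret indicators
and the failure-to-lane order are this example's own assumptions.
"""
import re

# Ledger checks that reduce to "this owner field is present" (check id -> field).
PRESENCE_CHECKS = {
    "owner_identity_present": "owner_role_or_team",
    "backup_status_ref_shape": "latest_backup_status_ref",
    "restore_drill_plan_present": "restore_drill_plan",
    "retention_owner_present": "retention_owner",
    "maintenance_window_present": "maintenance_window",
    "rollback_owner_present": "rollback_owner",
    "freshness_slo_present": "freshness_slo_ref",
    "restore_target_isolation_present": "restore_target_isolation_ref",
    "remote_delete_guard_present": "remote_delete_guard_ref",
    "retention_runway_present": "retention_runway_ref",
}

# Assumed convention for a redacted ref: a typed pointer, never a path or payload.
REF_SHAPE = re.compile(r"^(ticket|commit|doc|sha256|artifact):[A-Za-z0-9._/-]+$")

# Constructed indicators of secret material or credential derivatives.
SECRET_INDICATORS = [
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"\b(?:token|password|secret|seed)\s*[:=]\s*\S{8,}", re.IGNORECASE),
    re.compile(r"^\[[\w-]+\]\s*$\n\s*type\s*=", re.MULTILINE),  # rclone config stanza
]


def _values(response):
    """Yield every scalar value, flattening list fields such as redacted_evidence_refs."""
    for value in response.values():
        for item in (value if isinstance(value, list) else [value]):
            yield str(item)


def run_checks(surface_id, response):
    """Return the ids of the reviewer checks that the response fails."""
    failed = [c for c, f in PRESENCE_CHECKS.items() if not str(response.get(f, "")).strip()]
    if not (response.get("decision") and response.get("decision_reason")):
        failed.append("decision_reason_present")
    if surface_id not in str(response.get("affected_scope", "")):
        failed.append("affected_scope_matches_surface")
    refs = [str(i) for k, v in response.items() if k.endswith(("_ref", "_refs")) and v
            for i in (v if isinstance(v, list) else [v])]
    if any(not REF_SHAPE.match(r) for r in refs):
        failed.append("redacted_refs_only")
    blob = "\n".join(_values(response))
    if any(p.search(blob) for p in SECRET_INDICATORS):
        failed.append("secret_value_absent")
    return failed


def triage(surface_id, response):
    """Map a response to one outcome lane; returns (lane, failed_check_ids)."""
    if not response:
        return "waiting_owner_response", []
    failed = run_checks(surface_id, response)
    if "secret_value_absent" in failed:
        return "reject_secret_or_credential_value", failed
    # Assumption: a pasted multi-line value is a raw listing and is only quarantined.
    if any("\n" in v for v in _values(response)):
        return "quarantine_raw_payload", failed
    if failed:
        return "request_supplement", failed
    return "ready_for_restore_review", failed


SURFACE_ID = "surface-placeholder-001"  # constructed; real ids come from the inventory snapshot

# Constructed sample owner response: every value is a redacted ref or plain metadata.
COMPLETE_RESPONSE = {
    "owner_role_or_team": "platform-backup-owners",
    "decision": "approve_restore_drill_plan",
    "decision_reason": "drill limited to an isolated target, no production write",
    "affected_scope": f"{SURFACE_ID}: nightly database backup set",
    "redacted_evidence_refs": ["ticket:OPS-0000", "sha256:0123abcd"],
    "latest_backup_status_ref": "artifact:backup-status/2026-06-14",
    "restore_drill_plan": "doc:restore-drill-plan-v1",
    "freshness_slo_ref": "doc:rpo-24h",
    "restore_target_isolation_ref": "doc:restore-target-isolated-namespace",
    "remote_delete_guard_ref": "doc:offsite-no-remote-delete",
    "retention_runway_ref": "doc:retention-runway-30d",
    "maintenance_window": "Sat 02:00-04:00 +08:00",
    "rollback_owner": "platform-backup-oncall",
    "retention_owner": "data-governance",
}
INCOMPLETE_RESPONSE = {**COMPLETE_RESPONSE, "freshness_slo_ref": "", "rollback_owner": ""}
LISTING_RESPONSE = {**COMPLETE_RESPONSE,
                    "latest_backup_status_ref": "2026-06-14 db.dump\n2026-06-13 db.dump"}
LEAKED_RESPONSE = {**COMPLETE_RESPONSE,  # constructed rclone stanza with a placeholder key
                   "offsite_sync_evidence_ref": "[offsite]\ntype = s3\nsecret_access_key = PLACEHOLDER"}

if __name__ == "__main__":
    for name, resp in [("none", {}), ("complete", COMPLETE_RESPONSE), ("incomplete", INCOMPLETE_RESPONSE),
                       ("listing", LISTING_RESPONSE), ("leaked", LEAKED_RESPONSE)]:
        print(name, *triage(SURFACE_ID, resp))
```

Rejection is decided before quarantine so that a pasted config block containing credential material is never stored, not even in the quarantine area; a listing without secrets is quarantined, and any other failure only produces a supplement request. Checks that the example does not model (dependency map, data classification, observer / stop condition, no-false-green review) would slot into `run_checks` the same way.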

## 6. Blocked Actions

```text
backup_run
restore_run
restore_drill
offsite_sync
offsite_remote_delete
credential_escrow_marker_write
retention_change
restic_prune
rclone_config
velero_restore
velero_backup
kubectl_action
ssh_read
ssh_write
secret_value_collection
host_write
active_scan
runtime_gate_open
raw_backup_payload_storage
accept_secret_value_evidence
mark_owner_response_accepted_without_reviewer_record
accept_backup_without_freshness_slo
accept_restore_without_isolated_target
accept_offsite_without_remote_delete_guard
accept_retention_without_runway
accept_credential_recovery_without_non_secret_proof
accept_backup_health_false_green
skip_dependency_map_review
skip_data_classification_review
store_raw_restore_payload
add_action_button
```

## 7. Commands

Pin the committed snapshot:

```bash
python3 scripts/security/backup-restore-owner-response-acceptance.py \
--root . \
--output docs/security/backup-restore-owner-response-acceptance.snapshot.json \
--generated-at 2026-06-15T15:35:00+08:00
```

Read-only guards:

```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/source-control-owner-response-guard.py --root .
```

## 8. Completion

| Task | Completion | Notes |
|------|--------|------|
| owner response acceptance ledger artifact | `100%` | 38 surfaces have a read-only acceptance decision ledger |
| owner response received / accepted | `0%` | No owner response received or accepted yet |
| live backup / offsite / escrow evidence | `0%` | Live backup, offsite or credential escrow not read |
| backup / restore / offsite / retention | `0%` | Not authorized and not executed |
| secret / host / production write | `0%` | No secrets collected, no host writes |
| runtime gate / production write | `0%` | No action button, no production write |

## 9. Boundaries

This ledger is not live backup truth, not a restore drill approval, not an offsite sync approval, not a credential escrow marker approval, not a retention approval, and not an authorization for backup / restore / Velero / rclone / SSH / kubectl / host write. The owner response acceptance ledger, snapshot, LOGBOOK, IwoooS UI or AwoooP approval must not be interpreted as permission to perform backup, restore, offsite sync, remote delete, retention change, secret collection, active scan, production write or runtime gate.