Files
Nexus/docs/archive/audits/2026-06-04-delta-merged.md
T

184 lines
6.7 KiB
Markdown
Raw Normal View History

# Delta D1D8 合并卷
> 生成日期: 2026-06-04 · 源文件 8 篇 · 原文 `docs/archive/audits/2026-06-04-delta/`
## 批次索引
### `audit-delta-2026-06-04-waveD1.md`
# Phase 1 Delta 审计 — Wave D1(同步/后台)
## 登记
## Step 3 — 规则扫描 H(摘要)
## 入口表(sync_v2.py API
## Closure 表
**len(H)=19, Closure=19**
## FINDING(本波)
无 P0/P1 新 FINDING。RISK 项与既有运维/单人决策一致,不阻塞。
## DoD
- [x] len(H) == Closure
- [x] FINDING 含行号
## 验证
### `audit-delta-2026-06-04-waveD2.md`
# Phase 1 Delta 审计 — Wave D2(认证 / 安装 / WS / Agent
## 登记
## 入口表
### install.py
### auth.py
### websocket.py
### agent.py
## Closure 表
**len(H)=22, Closure=22**
## FINDING
无 P0/P1 新 FINDING。RISKWS query JWT、Agent global key — 见 `docs/project/risk-acceptance-single-operator.md`
## DoD
### `audit-delta-2026-06-04-waveD3.md`
# Phase 1 Delta 审计 — Wave D3(服务器 / 设置 / 脚本 / WebSSH
## 登记
## 入口表(摘要)
### webssh.py
### servers.py(主要写操作)
### settings.py
### scripts.py
## Closure 表
**len(H)=24, Closure=24**
## FINDING
无 P0/P1 新 FINDING。
## DoD
### `audit-delta-2026-06-04-waveD4.md`
# Phase 1 Delta 审计 — Wave D4(前端 Push
## 登记
## Step 3 — 规则扫描 H(摘要)
## 入口表(前端 → API
## Closure 表
**len(H)=17, Closure=17**
## FINDING
无 P0/P1 新 FINDING。
## DoD
- [x] len(H) == Closure
## 验证
### `audit-delta-2026-06-04-waveD5.md`
# Phase 1 Delta 审计 — Wave D5(前端 Files / Terminal
## 登记
## Step 3 — 规则扫描 H(摘要)
## 入口表(前端 → API / WS
## Closure 表
**len(H)=18, Closure=18**
## FINDING
无 P0/P1 新 FINDING。
## DoD
- [x] len(H) == Closure
## 验证
### `audit-delta-2026-06-04-waveD6.md`
# Phase 1 Delta 审计 — Wave D6(认证链 / Login
## 登记
## Step 3 — 规则扫描 H(摘要)
## 入口表
## Closure 表
**len(H)=19, Closure=19**
## FINDING
无 P0/P1 新 FINDING。
## DoD
- [x] len(H) == Closure
## 验证
### `audit-delta-2026-06-04-waveD7.md`
# Phase 1 Delta 审计 — Wave D7Deploy / 本地验证脚本)
**标准**: 变更审查(运维/门控;非业务 API 8 步,沿用 Closure 表格式)
## 登记
## Step 3 — 规则扫描 H(摘要)
## 入口表(脚本调用链)
## Closure 表
**len(H)=16, Closure=16**
## FINDING
无 P0/P1 新 FINDING。
## DoD
- [x] len(H) == Closure
## 验证
### `audit-delta-2026-06-04-waveD8-closure.md`
# Phase 1 Delta 审计 — Wave D8(汇总 Closure
**标准**: Phase 1 收尾 DoD
## 汇总表
| 波次 | 主题 | 文件数 | H | P0/P1 | 报告 |
## 已接受 RISK(跨波重复,不重复开 FINDING)
## Registry 更新
## Step 3 / Closure / DoD
- **len(H) 汇总** = 135,各波 Closure 均已 100% 对齐
- **无 P0/P1** 待修项进入 Phase 2
## 下一步(计划 Phase 2 / L3
## 验证
## Closure 摘录(合并)
| 1 | `server/api/sync_v2.py` | Python | 1656 | 1200, 6801080, 12801657 + 全文件 `@router`/grep H |
| 2 | `server/application/services/sync_engine_v2.py` | Python | 552 | 1552 全文 |
| 3 | `server/background/schedule_runner.py` | Python | 262 | 1262 全文 |
| 4 | `server/background/retry_runner.py` | Python | 169 | 1169 全文 |
| 5 | `server/background/heartbeat_flush.py` | Python | 101 | 1101 全文 |
| H | 文件:行号 | 判定 | 理由 |
| H-Install-lock | install.py:344-350 | SAFE | `_reject_if_locked` 阻断突变 |
| H-Install-token | install.py:314-327 | SAFE | `secrets.compare_digest` 一次性 token |
| H-Install-token | install.py:601 | SAFE | create-admin 必须 token |
| H-Install-SQL | install.py:540-544 | SAFE | 参数化 INSERT settings |
| H-Install-DDL | install.py:489-503 | SAFE | DDL 幂等 except pass |
| H-Install-subprocess | install.py:273-293 | SAFE | crontab/supervisor 固定 argv |
| H-Auth-brute | auth.py:125-138 | SAFE | 429/202 由 AuthService |
| H-Auth-cookie | auth.py:38-54 | SAFE | HttpOnly + Secure(HTTPS) + SameSite=Lax |
| H-Auth-TOTP-IDOR | auth.py:223-259 | SAFE | admin_id 必须等于 JWT sub |
| H-Auth-password | auth.py:288-305 | SAFE | bcrypt + token_version 失效 |
| H-Auth-webssh | auth.py:330-349 | SAFE | 短效 server-bound token |
| H-JWT-middleware | auth_jwt.py:78-146 | SAFE | ASGI 层拦截 /api/* |
| H-JWT-public | auth_jwt.py:38-50 | SAFE | 公开前缀含 agent/install/ws |
| H-JWT-tv | auth_jwt.py:222-226 | SAFE | token_version 精确匹配 |
| H-WS-auth | websocket.py:303-311 | SAFE | 无 token → 4001;无效 → 4401 |
| H-WS-auth | websocket.py:366-407 | SAFE | tv + updated_at 双检 |
| H-WS-ADR011 | websocket.py:9,300 | RISK | JWT 在 query;单人运维已接受 ADR-011 |
| H-Agent-key | agent.py:40-57 | SAFE | compare_digesthandler 二次验 per-server |
| H-Agent-unknown | agent.py:193-199 | SAFE | 未知 server 200 discard,不写入 |
| H-Agent-global | agent.py:84-92 | RISK | legacy global API_KEYrisk-acceptance 文档 |
| H-Agent-callback | agent.py:324-347 | SAFE | rate limit + job secret |
| H-Agent-no-exec | agent.py:378 | SAFE | 控制面无 shell exec |
| POST | `/{id}/install-agent` 等 | JWT + SSH |
| 文件 | H 命中 |
| usePushForm.ts | H-Auth, H-Upload, H-Path |
| usePushPreview.ts | H-Auth, H-Path |
| usePushProgress.ts | H-Auth, H-WS, H-Batch |
| PushZipUpload.vue | H-Upload, H-XSS |
| PushServerGrid.vue | H-XSS |
| useFilesActions.ts | H-Auth, H-Path, H-Delete, H-Upload |
| useFilesEditor.ts | H-Auth, H-Size |
| useFilesPermissions.ts | H-Auth, H-Sudo |
| useTerminalSessions.ts | H-Auth, H-WS, H-Path, H-Cmd |
| useTerminalCmdBar.ts | H-Storage, H-Cmd |
| LoginPage.vue | H-Secret, H-Redirect, H-Lockout, H-XSS |
| auth.ts | H-Token, H-Refresh, H-Profile |
| api/index.ts | H-Auth, H-Refresh, H-401 |
| router/index.ts | H-Guard, H-Redirect |
| wsUrl.ts | H-WS |
| pre_deploy_check.sh | H-Gate, H-Secret, H-Git |
| local_verify.sh | H-Chain |
| local_integration_smoke.sh | H-Health, H-Auth |
| start-dev.sh | H-DevBind, H-Env |
| docker-compose.yml | H-Port, H-DefaultCreds |
| 波次 | 主题 | 文件数 | H | P0/P1 | 报告 |
| D1 | sync/后台 | 5 | 19 | 0 | [waveD1](audit-delta-2026-06-04-waveD1.md) |
| D2 | auth/agent/ws | 5 | 22 | 0 | [waveD2](audit-delta-2026-06-04-waveD2.md) |
| D3 | servers/settings/scripts/webssh | 5 | 24 | 0 | [waveD3](audit-delta-2026-06-04-waveD3.md) |
| D4 | 前端 Push | 5 | 17 | 0 | [waveD4](audit-delta-2026-06-04-waveD4.md) |
| D5 | 前端 Files/Terminal | 5 | 18 | 0 | [waveD5](audit-delta-2026-06-04-waveD5.md) |
| D6 | 认证链 Login | 5 | 19 | 0 | [waveD6](audit-delta-2026-06-04-waveD6.md) |
| D7 | Deploy/本地脚本 | 5 | 16 | 0 | [waveD7](audit-delta-2026-06-04-waveD7.md) |
| **合计** | | **35** | **135** | **0** | |