Files
Nexus/docs/project/production-verification-checklist.md
T
Your Name aa65f10c52 docs: Phase 2 audit records, project memory, WSL guide
Audit docs:
- docs/reports/audit-phase-2{a-j}-line-walk.md: per-file line walk findings
- docs/reports/audit-phase-2-findings-matrix.md: 63 findings (52 fixed, 3 partial, 7 accepted)
- docs/reports/2026-05-23-full-audit-report.md: full audit consolidation
- docs/reports/audit-full-vs-phase2-reconciliation.md: cross-reference
- docs/reports/audit-phase-2-walk-closure.md: closure sign-off

Project docs:
- docs/project/phase-2-audit-remediation.md: SSOT for all fixes
- docs/project/alert-push-policy.md: dashboard alert design decisions
- docs/project/production-verification-checklist.md: first-deploy checklist
- docs/project/script-execution.md: script platform design
- docs/project/wsl-integration-test.md: WSL code-only verification guide
- docs/project/line-walk-audit-standard.md: audit methodology
- docs/project/mysql-mcp-setup.md: MCP config guide

Changelogs: 18 entries (2026-05-22 to 2026-05-23)
Project memory: CLAUDE.md, AGENTS.md updated to reflect current state
Deploy: nginx_https.conf template updated

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-23 15:27:40 +08:00

99 lines
3.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Nexus 6.0 — 首次部署验证清单
**用途****首次部署到 staging / 生产** 时逐项勾选(非日常开发阻塞)。
**环境**:目标域名(如 `api.synaglobal.vip`)或本地 WSL 全链路联调。
> **2026-05-23**:项目仍在开发、**尚未部署**,无 API Key 轮换包袱。清单在 **first deploy** 时使用;开发阶段以 `pytest tests/test_security_unit.py` 为主。
---
## 0. 首次部署前
- [ ] 通过 **install 向导** 生成全新 `API_KEY` / `SECRET_KEY`(勿用压测脚本或文档示例)
- [ ] 确认 `web/app/vendor/` 已随仓库部署(或运行 `python scripts/sync_frontend_vendor.py`
- [ ] `supervisorctl restart nexus` + `nginx -s reload`(含 `deploy/nginx_https.conf``/ws/` 专用 access_log
- [ ] 确认 `web/app/vendor/*.js` 可被 Nginx/`/app/` 静态访问(返回 200
---
## 1. 认证与会话
| # | 步骤 | 预期 |
|---|------|------|
| 1.1 | 未登录访问 `GET /api/servers/` | **401**(全局 JWT 中间件) |
| 1.2 | `POST /api/auth/login` 正确密码 | 200 + `access_token` |
| 1.3 | 带 Bearer 访问 `GET /api/auth/me` | 200 + 用户名 |
| 1.4 | 修改密码后旧 access_token | **401** |
| 1.5 | 安装完成后 `POST /api/install/init-db` | **403**`GET /api/install/status` 仍可用 |
---
## 2. 前端静态资源(F2e-06
| # | 步骤 | 预期 |
|---|------|------|
| 2.1 | 浏览器打开 `/app/index.html`Network 无 `cdn.jsdelivr.net` | 仅 `/app/vendor/*` |
| 2.2 | 仪表盘样式、Alpine 交互正常 | 侧栏、统计卡片可点 |
| 2.3 | `/app/settings.html` TOTP 二维码 | qrious 本地脚本加载成功 |
| 2.4 | `/app/terminal.html` WebSSH | xterm 本地脚本 + 终端可连 |
---
## 3. 告警与 Telegram(见 `alert-push-policy.md`
| # | 步骤 | 预期 |
|---|------|------|
| 3.1 | 子机 CPU 超阈值 | Telegram 收到告警;**浏览器无声音** |
| 3.2 | 指标恢复 | Telegram 恢复通知 |
| 3.3 | 仪表盘 WS 连接 | 仅刷新运行状态/统计,无告警列表弹窗 |
| 3.4 | 人为断开 MySQL 30s+ | Telegram 固定文案「MySQL 连接异常」;**不含**连接串 |
---
## 4. Agent 与子机
| # | 步骤 | 预期 |
|---|------|------|
| 4.1 | 错误 API Key 心跳 | 401 |
| 4.2 | 子机 `alert_thresholds` 与中心 settings 一致 | 加急心跳与中心告警同步 |
| 4.3 | 子机 `/exec/kill` 非本进程 pid | **404** |
---
## 5. WebSSH
| # | 步骤 | 预期 |
|---|------|------|
| 5.1 | `POST /api/auth/webssh-token` + `server_id` | 200 + 短票 |
| 5.2 | 用该票连 `/ws/terminal/{server_id}` | 终端正常 |
| 5.3 | 同一票连其他 `server_id` | 关闭码 **4003** |
---
## 6. 脚本执行
| # | 步骤 | 预期 |
|---|------|------|
| 6.1 | 执行含 `rm -rf` 的脚本 | **400** 危险命令拦截 |
| 6.2 | 长任务进度 | HTTP 轮询(非 WS 换票) |
| 6.3 | 重试任务 | 新 execution id + 响应含 `parent_execution_id` |
---
## 7. 守护与健康
| # | 步骤 | 预期 |
|---|------|------|
| 7.1 | `GET /health` | 200 |
| 7.2 | `kill` Python 进程 | Supervisor 自动拉起 |
| 7.3 | cron `health_monitor.sh` | 连续失败后重启 + Telegram(文案无敏感信息) |
---
## 签署
| 角色 | 姓名 | 日期 | 备注 |
|------|------|------|------|
| 运维 | | | |
| 开发 | | | |