6.7 KiB
Delta D1–D8 合并卷
生成日期: 2026-06-04 · 源文件 8 篇 · 原文
docs/archive/audits/2026-06-04-delta/
批次索引
audit-delta-2026-06-04-waveD1.md
Phase 1 Delta 审计 — Wave D1(同步/后台)
登记
Step 3 — 规则扫描 H(摘要)
入口表(sync_v2.py API)
Closure 表
len(H)=19, Closure=19
FINDING(本波)
无 P0/P1 新 FINDING。RISK 项与既有运维/单人决策一致,不阻塞。
DoD
- len(H) == Closure
- FINDING 含行号
验证
audit-delta-2026-06-04-waveD2.md
Phase 1 Delta 审计 — Wave D2(认证 / 安装 / WS / Agent)
登记
入口表
install.py
auth.py
websocket.py
agent.py
Closure 表
len(H)=22, Closure=22
FINDING
无 P0/P1 新 FINDING。RISK:WS query JWT、Agent global key — 见 docs/project/risk-acceptance-single-operator.md。
DoD
audit-delta-2026-06-04-waveD3.md
Phase 1 Delta 审计 — Wave D3(服务器 / 设置 / 脚本 / WebSSH)
登记
入口表(摘要)
webssh.py
servers.py(主要写操作)
settings.py
scripts.py
Closure 表
len(H)=24, Closure=24
FINDING
无 P0/P1 新 FINDING。
DoD
audit-delta-2026-06-04-waveD4.md
Phase 1 Delta 审计 — Wave D4(前端 Push)
登记
Step 3 — 规则扫描 H(摘要)
入口表(前端 → API)
Closure 表
len(H)=17, Closure=17
FINDING
无 P0/P1 新 FINDING。
DoD
- len(H) == Closure
验证
audit-delta-2026-06-04-waveD5.md
Phase 1 Delta 审计 — Wave D5(前端 Files / Terminal)
登记
Step 3 — 规则扫描 H(摘要)
入口表(前端 → API / WS)
Closure 表
len(H)=18, Closure=18
FINDING
无 P0/P1 新 FINDING。
DoD
- len(H) == Closure
验证
audit-delta-2026-06-04-waveD6.md
Phase 1 Delta 审计 — Wave D6(认证链 / Login)
登记
Step 3 — 规则扫描 H(摘要)
入口表
Closure 表
len(H)=19, Closure=19
FINDING
无 P0/P1 新 FINDING。
DoD
- len(H) == Closure
验证
audit-delta-2026-06-04-waveD7.md
Phase 1 Delta 审计 — Wave D7(Deploy / 本地验证脚本)
标准: 变更审查(运维/门控;非业务 API 8 步,沿用 Closure 表格式)
登记
Step 3 — 规则扫描 H(摘要)
入口表(脚本调用链)
Closure 表
len(H)=16, Closure=16
FINDING
无 P0/P1 新 FINDING。
DoD
- len(H) == Closure
验证
audit-delta-2026-06-04-waveD8-closure.md
Phase 1 Delta 审计 — Wave D8(汇总 Closure)
标准: Phase 1 收尾 DoD
汇总表
| 波次 | 主题 | 文件数 | H | P0/P1 | 报告 |
已接受 RISK(跨波重复,不重复开 FINDING)
Registry 更新
Step 3 / Closure / DoD
- len(H) 汇总 = 135,各波 Closure 均已 100% 对齐
- 无 P0/P1 待修项进入 Phase 2
下一步(计划 Phase 2 / L3)
验证
Closure 摘录(合并)
| 1 | server/api/sync_v2.py | Python | 1656 | 1–200, 680–1080, 1280–1657 + 全文件 @router/grep H |
| 2 | server/application/services/sync_engine_v2.py | Python | 552 | 1–552 全文 |
| 3 | server/background/schedule_runner.py | Python | 262 | 1–262 全文 |
| 4 | server/background/retry_runner.py | Python | 169 | 1–169 全文 |
| 5 | server/background/heartbeat_flush.py | Python | 101 | 1–101 全文 |
| H | 文件:行号 | 判定 | 理由 |
| H-Install-lock | install.py:344-350 | SAFE | _reject_if_locked 阻断突变 |
| H-Install-token | install.py:314-327 | SAFE | secrets.compare_digest 一次性 token |
| H-Install-token | install.py:601 | SAFE | create-admin 必须 token |
| H-Install-SQL | install.py:540-544 | SAFE | 参数化 INSERT settings |
| H-Install-DDL | install.py:489-503 | SAFE | DDL 幂等 except pass |
| H-Install-subprocess | install.py:273-293 | SAFE | crontab/supervisor 固定 argv |
| H-Auth-brute | auth.py:125-138 | SAFE | 429/202 由 AuthService |
| H-Auth-cookie | auth.py:38-54 | SAFE | HttpOnly + Secure(HTTPS) + SameSite=Lax |
| H-Auth-TOTP-IDOR | auth.py:223-259 | SAFE | admin_id 必须等于 JWT sub |
| H-Auth-password | auth.py:288-305 | SAFE | bcrypt + token_version 失效 |
| H-Auth-webssh | auth.py:330-349 | SAFE | 短效 server-bound token |
| H-JWT-middleware | auth_jwt.py:78-146 | SAFE | ASGI 层拦截 /api/* |
| H-JWT-public | auth_jwt.py:38-50 | SAFE | 公开前缀含 agent/install/ws |
| H-JWT-tv | auth_jwt.py:222-226 | SAFE | token_version 精确匹配 |
| H-WS-auth | websocket.py:303-311 | SAFE | 无 token → 4001;无效 → 4401 |
| H-WS-auth | websocket.py:366-407 | SAFE | tv + updated_at 双检 |
| H-WS-ADR011 | websocket.py:9,300 | RISK | JWT 在 query;单人运维已接受 ADR-011 |
| H-Agent-key | agent.py:40-57 | SAFE | compare_digest;handler 二次验 per-server |
| H-Agent-unknown | agent.py:193-199 | SAFE | 未知 server 200 discard,不写入 |
| H-Agent-global | agent.py:84-92 | RISK | legacy global API_KEY;risk-acceptance 文档 |
| H-Agent-callback | agent.py:324-347 | SAFE | rate limit + job secret |
| H-Agent-no-exec | agent.py:378 | SAFE | 控制面无 shell exec |
| POST | /{id}/install-agent 等 | JWT + SSH |
| 文件 | H 命中 |
| usePushForm.ts | H-Auth, H-Upload, H-Path |
| usePushPreview.ts | H-Auth, H-Path |
| usePushProgress.ts | H-Auth, H-WS, H-Batch |
| PushZipUpload.vue | H-Upload, H-XSS |
| PushServerGrid.vue | H-XSS |
| useFilesActions.ts | H-Auth, H-Path, H-Delete, H-Upload |
| useFilesEditor.ts | H-Auth, H-Size |
| useFilesPermissions.ts | H-Auth, H-Sudo |
| useTerminalSessions.ts | H-Auth, H-WS, H-Path, H-Cmd |
| useTerminalCmdBar.ts | H-Storage, H-Cmd |
| LoginPage.vue | H-Secret, H-Redirect, H-Lockout, H-XSS |
| auth.ts | H-Token, H-Refresh, H-Profile |
| api/index.ts | H-Auth, H-Refresh, H-401 |
| router/index.ts | H-Guard, H-Redirect |
| wsUrl.ts | H-WS |
| pre_deploy_check.sh | H-Gate, H-Secret, H-Git |
| local_verify.sh | H-Chain |
| local_integration_smoke.sh | H-Health, H-Auth |
| start-dev.sh | H-DevBind, H-Env |
| docker-compose.yml | H-Port, H-DefaultCreds |
| 波次 | 主题 | 文件数 | H | P0/P1 | 报告 |
| D1 | sync/后台 | 5 | 19 | 0 | waveD1 |
| D2 | auth/agent/ws | 5 | 22 | 0 | waveD2 |
| D3 | servers/settings/scripts/webssh | 5 | 24 | 0 | waveD3 |
| D4 | 前端 Push | 5 | 17 | 0 | waveD4 |
| D5 | 前端 Files/Terminal | 5 | 18 | 0 | waveD5 |
| D6 | 认证链 Login | 5 | 19 | 0 | waveD6 |
| D7 | Deploy/本地脚本 | 5 | 16 | 0 | waveD7 |
| 合计 | | 35 | 135 | 0 | |