Update T-028 task card - baa-conductor@a95557b

commit: a95557b
parent: 353854b
author: im_wower
date: 2026-03-22 03:30:00 +0800 CST

Update T-028 task card

1 files changed, +3, -1

M coordination/tasks/T-028-real-rollout.md

+3, -1

 1@@ -22,7 +22,7 @@ write_scope:
 2   - apps/control-api-worker/**
 3   - scripts/ops/**
 4   - scripts/runtime/**
 5-updated_at: 2026-03-22T03:27:00+0800
 6+updated_at: 2026-03-22T03:29:42+0800
 7 ---
 8 
 9 # T-028 真实 Cloudflare / VPS 上线执行
10@@ -121,6 +121,7 @@ updated_at: 2026-03-22T03:27:00+0800
11 - Cloudflare DNS 改为 DNS-only：`scripts/ops/cloudflare-dns-plan.sh --env /Users/george/.config/baa-conductor/ops.env --fetch-current --emit-shell .tmp/ops/cloudflare-dns-proxy-off.sh --output .tmp/ops/cloudflare-dns-plan-proxy-off.json`、`bash /Users/george/code/baa-conductor-T028-v2/.tmp/ops/cloudflare-dns-proxy-off.sh`
12 - 验收：`curl -H "Authorization: Bearer $CONTROL_API_OPS_ADMIN_TOKEN" https://control-api.makefile.so/v1/system/state`、`curl --resolve conductor.makefile.so:443:192.210.137.113 https://conductor.makefile.so/healthz`、`curl --resolve conductor.makefile.so:443:192.210.137.113 https://conductor.makefile.so/rolez`、`curl -u conductor-ops:... --resolve mini-conductor.makefile.so:443:192.210.137.113 https://mini-conductor.makefile.so/rolez`、`curl -u conductor-ops:... --resolve mac-conductor.makefile.so:443:192.210.137.113 https://mac-conductor.makefile.so/rolez`
13 - 收尾校验：`bash -n scripts/ops/*.sh scripts/runtime/*.sh`、`git diff --check`
14+- 提交与推送：`git commit -m "Complete T-028 real rollout"`、`git push -u origin feat/T-028-real-rollout-v2`
15 
16 ## result
17 
18@@ -131,6 +132,7 @@ updated_at: 2026-03-22T03:27:00+0800
19 - Cloudflare DNS 已真实切换。三条 conductor 记录最终状态为 `A -> 192.210.137.113 proxied=false`；Cloudflare API 回读计划为 `noop`，权威 NS `giancarlo.ns.cloudflare.com` 对三个 host 都返回 `192.210.137.113`。
20 - 公网验收闭环完成：`https://control-api.makefile.so/v1/system/state` 返回 `ok=true` 且 `holder_id=mini-main`；`conductor.makefile.so` 入口返回 `healthz=ok`、`rolez=leader`；`mini-conductor.makefile.so` / `mac-conductor.makefile.so` 未认证为 `401`，带 Basic Auth 后分别返回 `leader` / `standby`。
21 - 为了让 Tailscale rollout 的静态校验真实可用，本分支顺手修复了 `scripts/runtime/check-node.sh`，让它把 `--local-api-allowed-hosts` 和 `--status-api-host` 正确传给 `check-launchd.sh`。
22+- 分支已推送：`origin/feat/T-028-real-rollout-v2`
23 
24 ## risks
25