docs(security): 新增 public gateway rendered diff gate 草稿 [skip ci]
This commit is contained in:
@@ -27,6 +27,12 @@ Public gateway 是所有產品、後台、API、callback、Webhook、ACME 與 We
|
||||
|
||||
目前固定為 `intake_candidate_count=3`、`c0_intake_candidate_count=2`、`validation_check_count=10`、`rejection_guard_count=12`、`reviewer_intake_lane_count=5`、`redacted_export_received_count=0`、`accepted_redacted_export_count=0`。此 artifact 只表示未來收到 ref 時的補件、隔離、拒收與 rendered diff preflight 分流,不代表 request sent、recipient confirmed、live conf received / accepted、raw live conf stored、rendered diff ready、`nginx -t`、reload、route smoke、DNS / TLS probe、certbot renew、host write 或 production write。
|
||||
|
||||
## 1.3 2026-06-14 Rendered Diff Gate Draft
|
||||
|
||||
已新增 `docs/security/PUBLIC-GATEWAY-RENDERED-DIFF-GATE-DRAFT.md` 與 `docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json`,將三份 redacted export intake candidate 轉成 rendered diff、`nginx -t`、reload、route smoke 與 rollback / post-check 的分階段 gate 草稿。
|
||||
|
||||
目前固定為 `diff_gate_candidate_count=3`、`c0_diff_gate_candidate_count=2`、`preflight_stage_count=7`、`blocked_action_count=14`、`redacted_export_accepted_count=0`、`rendered_diff_ready_count=0`、`nginx_test_executed_count=0`、`runtime_gate_count=0`。此 artifact 只表示下一層 gate 的 required shape,不代表 live conf accepted、rendered diff produced、`nginx -t`、reload、route smoke、DNS / TLS probe、certbot renew、host write 或 production write。
|
||||
|
||||
## 2. repo-only 摘要
|
||||
|
||||
| 指標 | 值 |
|
||||
|
||||
@@ -91,6 +91,12 @@ P0-15 已建立 Public Gateway live conf 脫敏匯出請求包,但尚未送件
|
||||
| `reject_execution_request` | 夾帶執行要求時拒收 |
|
||||
| `ready_for_rendered_diff_preflight` | 欄位完整且只有脫敏 ref 時,才可進 rendered diff preflight |
|
||||
|
||||
## 6.1 2026-06-14 Rendered Diff Gate Draft
|
||||
|
||||
已新增 `docs/security/PUBLIC-GATEWAY-RENDERED-DIFF-GATE-DRAFT.md` 與 `docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json`,將三份 redacted export intake candidate 轉成 rendered diff / `nginx -t` / reload / route smoke 分階段 gate 草稿。
|
||||
|
||||
目前固定為 `diff_gate_candidate_count=3`、`c0_diff_gate_candidate_count=2`、`preflight_stage_count=7`、`blocked_action_count=14`、`rendered_diff_ready_count=0`、`nginx_test_executed_count=0`、`runtime_gate_count=0`。此 artifact 只表示未來收件 accepted 後的下一層 gate 形狀,不代表 redacted export accepted、rendered diff ready、`nginx -t`、reload、route smoke、DNS / TLS probe、certbot renew、host write 或 production write。
|
||||
|
||||
## 7. 指令
|
||||
|
||||
產生 committed snapshot:
|
||||
|
||||
111
docs/security/PUBLIC-GATEWAY-RENDERED-DIFF-GATE-DRAFT.md
Normal file
111
docs/security/PUBLIC-GATEWAY-RENDERED-DIFF-GATE-DRAFT.md
Normal file
@@ -0,0 +1,111 @@
|
||||
# IwoooS Public Gateway Rendered Diff Gate 草稿
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-14 |
|
||||
| 狀態 | `rendered_diff_gate_draft_ready_no_runtime_action` |
|
||||
| 工具 | `scripts/security/public-gateway-rendered-diff-gate-draft.py` |
|
||||
| 輸入 | `docs/security/public-gateway-redacted-export-intake-preflight.snapshot.json` |
|
||||
| Snapshot | `docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json` |
|
||||
| runtime gate | `0` |
|
||||
|
||||
## 1. 目的
|
||||
|
||||
P0-16 已建立 redacted export 收件預檢,但即使未來收到並接受脫敏 ref,也不能直接進 `nginx -t`、reload 或 route smoke。P0-17 的目的,是先把 rendered diff、`nginx -t`、reload、route smoke、DNS / TLS probe、certbot renew、maintenance window、rollback owner 與 post-check 拆成分階段 gate 草稿。
|
||||
|
||||
本文件只定義 future gate draft。它不是 redacted export accepted、不是 rendered diff ready、不是 `nginx -t` 授權、不是 Nginx reload、不是 route smoke、不是 DNS / TLS probe、不是 certbot renew、不是 host write,也不是 production write 或 runtime gate。
|
||||
|
||||
## 2. 摘要
|
||||
|
||||
| 指標 | 值 | 說明 |
|
||||
|------|----|------|
|
||||
| diff gate candidate count | `3` | 對應三份 redacted export intake candidate |
|
||||
| C0 diff gate candidate count | `2` | 188 all sites、188 internal tools HTTPS |
|
||||
| diff gate field count | `12` | 每份 diff gate 草稿欄位 |
|
||||
| preflight stage count | `7` | redacted export accepted 到 rollback / post-check 的分段 gate |
|
||||
| blocked action count | `14` | 不可直接執行或不可誤讀的動作 |
|
||||
| redacted export accepted | `0` | 尚未收到 / 接受 |
|
||||
| rendered diff candidate / ready | `0 / 0` | 尚未產生 |
|
||||
| nginx test authorized / executed | `0 / 0` | 尚未批准且未執行 |
|
||||
| reload authorized / executed | `0 / 0` | 尚未批准且未執行 |
|
||||
| route smoke authorized / executed | `0 / 0` | 尚未批准且未執行 |
|
||||
| DNS / TLS probe、certbot renew | `0 / 0` | 尚未批准且未執行 |
|
||||
| maintenance window / rollback owner | `0 / 0` | 尚未接受 |
|
||||
| runtime gate / action button | `0 / 0` | 未開啟 |
|
||||
|
||||
## 3. Diff Gate 欄位
|
||||
|
||||
| 欄位 | 內容規則 |
|
||||
|------|----------|
|
||||
| `diff_gate_id` | 固定對應 public gateway rendered diff gate,不建立 runtime action |
|
||||
| `intake_id` | 對應 P0-16 redacted export intake candidate |
|
||||
| `export_request_id` | 對應 P0-15 live conf export request |
|
||||
| `config_id` | 對應 public gateway preflight row |
|
||||
| `control_tier` | 保留 C0 / C1 風險分級 |
|
||||
| `source_config_ref` | 指向 repo-only source config snapshot |
|
||||
| `redacted_live_conf_ref` | 未接受前為空 |
|
||||
| `rendered_diff_ref` | 未產生前為空 |
|
||||
| `nginx_test_plan_ref` | 未批准前為空 |
|
||||
| `route_smoke_plan_ref` | 未批准前為空 |
|
||||
| `rollback_owner` | 未指定前為 `pending_rollback_owner` |
|
||||
| `not_approval` | 必須為 `true` |
|
||||
|
||||
## 4. Preflight Stages
|
||||
|
||||
| Stage | 規則 |
|
||||
|-------|------|
|
||||
| `redacted_export_acceptance_required` | 必須先有合格 redacted export accepted metadata |
|
||||
| `normalize_without_raw_conf_storage` | 只可在隔離工作區以脫敏 ref 產生 normalized diff |
|
||||
| `rendered_diff_owner_review_required` | rendered diff 只可成為 owner review candidate |
|
||||
| `nginx_test_approval_package_required` | `nginx -t` 必須另有人工批准包、rollback owner 與維護窗口 |
|
||||
| `reload_approval_separate` | reload 與 public route change 必須獨立批准 |
|
||||
| `route_smoke_matrix_required` | route smoke 需列 affected routes、預期 status、TLS / WebSocket / ACME checks |
|
||||
| `postcheck_and_rollback_required` | 未來執行前需 rollback owner、post-check 與失敗撤回條件 |
|
||||
|
||||
## 5. Blocked Actions
|
||||
|
||||
| Action | 邊界 |
|
||||
|--------|------|
|
||||
| `read_live_conf_over_ssh` | 未授權不得執行 |
|
||||
| `store_raw_live_conf` | 不得寫入 repo、LOGBOOK 或前端 |
|
||||
| `render_diff_from_unredacted_payload` | 必須拒收或隔離 |
|
||||
| `nginx_test_without_approval` | 不得執行 |
|
||||
| `nginx_reload_without_approval` | 不得執行 |
|
||||
| `route_smoke_without_plan` | 不得執行 |
|
||||
| `dns_probe_without_approval` | 不得執行 |
|
||||
| `tls_probe_without_approval` | 不得執行 |
|
||||
| `certbot_renew_without_approval` | 不得執行 |
|
||||
| `modify_nginx_conf` | 不得改 live conf |
|
||||
| `modify_dns_tls_config` | 不得改 DNS / TLS / certbot |
|
||||
| `change_public_route` | 不得變更公開路由 |
|
||||
| `write_production_host` | 不得主機寫入 |
|
||||
| `open_runtime_gate` | 不得開 runtime gate |
|
||||
|
||||
## 6. 指令
|
||||
|
||||
產生 committed snapshot:
|
||||
|
||||
```bash
|
||||
python3 scripts/security/public-gateway-rendered-diff-gate-draft.py \
|
||||
--root . \
|
||||
--intake-preflight-report docs/security/public-gateway-redacted-export-intake-preflight.snapshot.json \
|
||||
--output docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json \
|
||||
--generated-at 2026-06-14T20:05:00+08:00
|
||||
```
|
||||
|
||||
驗證 guard:
|
||||
|
||||
```bash
|
||||
python3 scripts/security/security-mirror-progress-guard.py --root .
|
||||
```
|
||||
|
||||
## 7. 完成度
|
||||
|
||||
| 工作 | 完成度 | 說明 |
|
||||
|------|--------|------|
|
||||
| rendered diff gate draft artifact | `100%` | 產生器、snapshot 與文件已固定 |
|
||||
| redacted export accepted | `0%` | 尚未收到 / 接受 |
|
||||
| rendered diff candidate / ready | `0%` | 尚未產生 |
|
||||
| nginx test / reload / route smoke | `0%` | 尚未批准且未執行 |
|
||||
| DNS / TLS / certbot | `0%` | 尚未批准且未執行 |
|
||||
| runtime reload / host write | `0%` | 未授權且未執行 |
|
||||
@@ -7,7 +7,7 @@
|
||||
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 |
|
||||
| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP 執行監控 IwoooS 執行狀態只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub 主要來源就緒度只讀狀態板 + AwoooP 工作鏈路 GitHub 主要來源就緒度只讀工作項 + AwoooP 合約儀表板 GitHub 主要來源就緒度合約只讀候選 + AwoooP 審批佇列 GitHub 主要來源就緒度審批邊界 + AwoooP 首頁 GitHub 主要來源就緒度只讀摘要 + AwoooP 租戶管理 GitHub 主要來源就緒度租戶範圍 + AwoooP 執行監控 GitHub 主要來源就緒度執行邊界 + IwoooS / AwoooP 資安可視區塊繁體中文呈現防護檢查 + AwoooP 執行詳情 / 審批詳情繁體中文呈現防護檢查 + AwoooP 首頁負責人回覆驗收總覽 + AwoooP 工作鏈路負責人回覆驗收只讀工作項 + AwoooP 合約儀表板負責人回覆驗收契約只讀候選 + AwoooP 審批佇列負責人回覆驗收只讀審查邊界 + AwoooP 租戶管理負責人回覆驗收租戶範圍 + AwoooP 執行監控負責人回覆驗收執行邊界 + AwoooP 執行詳情負責人回覆驗收詳情邊界 + AwoooP 審批決策負責人回覆驗收審批邊界 + IwoooS AwoooP 資安入口覆蓋狀態板 + IwoooS 階段式資安收斂節奏圖 + IwoooS 下一步人工收件作戰板 + IwoooS 人工回覆安全驗收閘道 + IwoooS 人工回覆審查結果分流 + IwoooS 人工決策準備佇列 + IwoooS 人工決策紀錄草稿防誤用 + IwoooS 人工決策正式紀錄負責人指派確認準備包 + IwoooS 人工決策正式紀錄負責人指派確認清單 + IwoooS 人工決策正式紀錄負責人指派確認結果分流 + IwoooS 人工決策正式紀錄負責人指派決策準備包 + IwoooS 人工決策正式紀錄負責人指派決策檢查清單 + IwoooS S4.9 負責人回覆封套欄位 + IwoooS S4.9 負責人回覆封套送件前檢查 + IwoooS S4.9 負責人回覆封套送件前結果分流 + IwoooS S4.9 負責人回覆送件請求草稿 + IwoooS S4.9 負責人回覆送件鏈路摘要 + IwoooS 低摩擦分階段收斂主控 + IwoooS 低摩擦下一步行動邊界 + IwoooS 64% 進度移動訊號驗收條 + IwoooS 第一個進度解鎖路徑 + IwoooS 第一解鎖證據包 + IwoooS 第一解鎖證據包預檢分流 + IwoooS 第一解鎖證據包補件路徑 + IwoooS 第一解鎖證據包補件送審前檢查 + IwoooS 第一解鎖證據包補件送審結果分流 + IwoooS 第一解鎖證據包 reviewer 指派準備包 + IwoooS 第一解鎖證據包 reviewer 指派前檢查 + IwoooS 第一解鎖證據包 reviewer 指派前檢查結果分流 + IwoooS 正式只讀 landing 與 Kali 112 只讀證據進度重估 |
|
||||
| 本階段追加補充 | IwoooS 目前具體工作地圖 + IwoooS 目前具體交付清單 + IwoooS 目前阻塞與解除條件 + IwoooS 三軸進度與全產品套用範圍 + IwoooS 全產品分階段套用台帳 + IwoooS 全產品 rollout 波次驗收門檻 + IwoooS 全產品 rollout 驗收結果分流 + IwoooS 全產品證據接線地圖 + IwoooS 全產品證據接線預檢 + IwoooS 全產品證據接線預檢結果分流 + IwoooS 全產品預檢補件回收台帳 + IwoooS 全產品補件重試門檻 + IwoooS 全產品重試結果分流 + IwoooS 全產品人工審查候選準備 + IwoooS 全產品人工審查候選預檢 + IwoooS 全產品人工審查候選預檢結果分流 + IwoooS 全產品人工審查候選預檢補件回收台帳 + IwoooS 全產品人工審查候選預檢補件重試門檻 + IwoooS 全產品只讀套用快照 + P2-145 owner response acceptance gate 正式驗證完成 |
|
||||
| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成;Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*`,sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`;Gate 預設工作樹 preflight 已可讀取 staged / unstaged / untracked,本地 smoke 對臨時 `k8s/nginx/*` 檔命中 C0;Owner Packet snapshot 已同步為 `packets=3 / c0=2`,Coverage snapshot 已同步最新 patterns;IwoooS / AwoooP 前台 Owner Packet 摘要已正式驗證 `packet=3 / c0=2`,feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;IwoooS posture projection snapshot / schema / guard 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;高價值配置 Owner Packet 收件預檢已新增 `checks=9 / lanes=5 / required_fields=27 / blocked_requests=16`;高價值配置 Owner Request 草稿包已新增 `drafts=3 / handoff_fields=11 / forbidden_payloads=12 / sent=0`;Public Gateway live conf 匯出請求包已新增 `requests=3 / c0=2 / redaction_rules=8 / received=0`;Public Gateway redacted export 收件預檢已新增 `candidates=3 / c0=2 / checks=10 / rejection_guards=12 / received=0 / accepted=0`;owner response / live evidence / runtime gate / action buttons 仍全部為 0 |
|
||||
| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成;Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*`,sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`;Gate 預設工作樹 preflight 已可讀取 staged / unstaged / untracked,本地 smoke 對臨時 `k8s/nginx/*` 檔命中 C0;Owner Packet snapshot 已同步為 `packets=3 / c0=2`,Coverage snapshot 已同步最新 patterns;IwoooS / AwoooP 前台 Owner Packet 摘要已正式驗證 `packet=3 / c0=2`,feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;IwoooS posture projection snapshot / schema / guard 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;高價值配置 Owner Packet 收件預檢已新增 `checks=9 / lanes=5 / required_fields=27 / blocked_requests=16`;高價值配置 Owner Request 草稿包已新增 `drafts=3 / handoff_fields=11 / forbidden_payloads=12 / sent=0`;Public Gateway live conf 匯出請求包已新增 `requests=3 / c0=2 / redaction_rules=8 / received=0`;Public Gateway redacted export 收件預檢已新增 `candidates=3 / c0=2 / checks=10 / rejection_guards=12 / received=0 / accepted=0`;Public Gateway rendered diff / nginx gate 草稿已新增 `candidates=3 / c0=2 / stages=7 / blocked=14 / rendered_diff=0 / runtime=0`;owner response / live evidence / runtime gate / action buttons 仍全部為 0 |
|
||||
| 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
|
||||
| P0 主控板 | `docs/workplans/2026-06-04-iwooos-security-governance-p0.md` |
|
||||
|
||||
@@ -391,6 +391,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
|
||||
| 高價值配置 Owner Request 草稿包 | 本地完成 | `high-value-config-owner-request-draft.snapshot.json` 已固定 `request_draft_count=3`、`c0_request_draft_count=2`、`handoff_envelope_field_count=11`、`required_owner_field_total=27`、`forbidden_payload_count=12`、`request_sent_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 request ids、handoff fields 與 false flags | 這是人工送件前草稿與 handoff envelope,不是 request sent、recipient confirmed、audit event emitted、owner response received / accepted、reviewer queue write、Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate;不需要 production browser smoke |
|
||||
| Public Gateway live conf 匯出請求包 | 本地完成 | `public-gateway-live-conf-export-request.snapshot.json` 已固定 `export_request_count=3`、`c0_export_request_count=2`、`redaction_rule_count=8`、`redacted_export_received_count=0`、`raw_live_conf_stored_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 export ids、redaction rules 與 false flags | 這是 owner-provided redacted export request draft,不是 request sent、live conf received、rendered diff ready、`nginx -t`、Nginx reload、route smoke、DNS / TLS probe、certbot renew、host write、production write 或 runtime gate;不需要 production browser smoke |
|
||||
| Public Gateway redacted export 收件預檢 | 本地完成 | `public-gateway-redacted-export-intake-preflight.snapshot.json` 已固定 `intake_candidate_count=3`、`c0_intake_candidate_count=2`、`validation_check_count=10`、`rejection_guard_count=12`、`reviewer_intake_lane_count=5`、`redacted_export_received_count=0`、`accepted_redacted_export_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 intake ids、validation checks、rejection guards、reviewer lanes 與 false flags | 這是 redacted export 收件前預檢,不是 request sent、recipient confirmed、redacted export received / accepted、raw live conf stored、rendered diff ready、`nginx -t`、Nginx reload、route smoke、DNS / TLS probe、certbot renew、host write、production write 或 runtime gate;不需要 production browser smoke |
|
||||
| Public Gateway rendered diff / nginx gate 草稿 | 本地完成 | `public-gateway-rendered-diff-gate-draft.snapshot.json` 已固定 `diff_gate_candidate_count=3`、`c0_diff_gate_candidate_count=2`、`preflight_stage_count=7`、`blocked_action_count=14`、`redacted_export_accepted_count=0`、`rendered_diff_ready_count=0`、`nginx_test_executed_count=0`、`runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 diff gate ids、preflight stages、blocked actions 與 false flags | 這是 rendered diff / nginx / route smoke 分階段 gate 草稿,不是 redacted export accepted、rendered diff ready、`nginx -t`、Nginx reload、route smoke、DNS / TLS probe、certbot renew、host write、production write 或 runtime gate;不需要 production browser smoke |
|
||||
| S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate |
|
||||
| S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item |
|
||||
| S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 |
|
||||
|
||||
@@ -0,0 +1,348 @@
|
||||
{
|
||||
"blocked_actions": [
|
||||
"read_live_conf_over_ssh",
|
||||
"store_raw_live_conf",
|
||||
"render_diff_from_unredacted_payload",
|
||||
"nginx_test_without_approval",
|
||||
"nginx_reload_without_approval",
|
||||
"route_smoke_without_plan",
|
||||
"dns_probe_without_approval",
|
||||
"tls_probe_without_approval",
|
||||
"certbot_renew_without_approval",
|
||||
"modify_nginx_conf",
|
||||
"modify_dns_tls_config",
|
||||
"change_public_route",
|
||||
"write_production_host",
|
||||
"open_runtime_gate"
|
||||
],
|
||||
"diff_gate_candidates": [
|
||||
{
|
||||
"action_buttons_allowed": false,
|
||||
"blocked_actions": [
|
||||
"read_live_conf_over_ssh",
|
||||
"store_raw_live_conf",
|
||||
"render_diff_from_unredacted_payload",
|
||||
"nginx_test_without_approval",
|
||||
"nginx_reload_without_approval",
|
||||
"route_smoke_without_plan",
|
||||
"dns_probe_without_approval",
|
||||
"tls_probe_without_approval",
|
||||
"certbot_renew_without_approval",
|
||||
"modify_nginx_conf",
|
||||
"modify_dns_tls_config",
|
||||
"change_public_route",
|
||||
"write_production_host",
|
||||
"open_runtime_gate"
|
||||
],
|
||||
"certbot_renew_authorized": false,
|
||||
"config_id": "host188_all_sites",
|
||||
"control_tier": "C0",
|
||||
"diff_gate_fields": [
|
||||
"diff_gate_id",
|
||||
"intake_id",
|
||||
"export_request_id",
|
||||
"config_id",
|
||||
"control_tier",
|
||||
"source_config_ref",
|
||||
"redacted_live_conf_ref",
|
||||
"rendered_diff_ref",
|
||||
"nginx_test_plan_ref",
|
||||
"route_smoke_plan_ref",
|
||||
"rollback_owner",
|
||||
"not_approval"
|
||||
],
|
||||
"diff_gate_id": "public_gateway_rendered_diff_gate:host188_all_sites",
|
||||
"dns_tls_probe_authorized": false,
|
||||
"export_request_id": "public_gateway_live_conf_export:host188_all_sites",
|
||||
"host": "192.168.0.188",
|
||||
"intake_id": "public_gateway_redacted_export_intake:host188_all_sites",
|
||||
"live_path": "/etc/nginx/sites-enabled/all-sites.conf",
|
||||
"maintenance_window_accepted": false,
|
||||
"nginx_reload_authorized": false,
|
||||
"nginx_reload_executed": false,
|
||||
"nginx_test_authorized": false,
|
||||
"nginx_test_executed": false,
|
||||
"nginx_test_plan_ref": null,
|
||||
"not_approval": true,
|
||||
"owner_gate": "public_gateway_owner_response_required",
|
||||
"preflight_stages": [
|
||||
"redacted_export_acceptance_required",
|
||||
"normalize_without_raw_conf_storage",
|
||||
"rendered_diff_owner_review_required",
|
||||
"nginx_test_approval_package_required",
|
||||
"reload_approval_separate",
|
||||
"route_smoke_matrix_required",
|
||||
"postcheck_and_rollback_required"
|
||||
],
|
||||
"production_write_authorized": false,
|
||||
"redacted_export_accepted": false,
|
||||
"redacted_live_conf_ref": null,
|
||||
"rendered_diff_candidate": false,
|
||||
"rendered_diff_ready": false,
|
||||
"rendered_diff_ref": null,
|
||||
"rollback_owner": "pending_rollback_owner",
|
||||
"rollback_owner_accepted": false,
|
||||
"route_smoke_authorized": false,
|
||||
"route_smoke_executed": false,
|
||||
"route_smoke_plan_ref": null,
|
||||
"runtime_gate": false,
|
||||
"source_config_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
|
||||
"status": "draft_waiting_redacted_export_acceptance"
|
||||
},
|
||||
{
|
||||
"action_buttons_allowed": false,
|
||||
"blocked_actions": [
|
||||
"read_live_conf_over_ssh",
|
||||
"store_raw_live_conf",
|
||||
"render_diff_from_unredacted_payload",
|
||||
"nginx_test_without_approval",
|
||||
"nginx_reload_without_approval",
|
||||
"route_smoke_without_plan",
|
||||
"dns_probe_without_approval",
|
||||
"tls_probe_without_approval",
|
||||
"certbot_renew_without_approval",
|
||||
"modify_nginx_conf",
|
||||
"modify_dns_tls_config",
|
||||
"change_public_route",
|
||||
"write_production_host",
|
||||
"open_runtime_gate"
|
||||
],
|
||||
"certbot_renew_authorized": false,
|
||||
"config_id": "host188_internal_tools_https",
|
||||
"control_tier": "C0",
|
||||
"diff_gate_fields": [
|
||||
"diff_gate_id",
|
||||
"intake_id",
|
||||
"export_request_id",
|
||||
"config_id",
|
||||
"control_tier",
|
||||
"source_config_ref",
|
||||
"redacted_live_conf_ref",
|
||||
"rendered_diff_ref",
|
||||
"nginx_test_plan_ref",
|
||||
"route_smoke_plan_ref",
|
||||
"rollback_owner",
|
||||
"not_approval"
|
||||
],
|
||||
"diff_gate_id": "public_gateway_rendered_diff_gate:host188_internal_tools_https",
|
||||
"dns_tls_probe_authorized": false,
|
||||
"export_request_id": "public_gateway_live_conf_export:host188_internal_tools_https",
|
||||
"host": "192.168.0.188",
|
||||
"intake_id": "public_gateway_redacted_export_intake:host188_internal_tools_https",
|
||||
"live_path": "owner_confirmation_required",
|
||||
"maintenance_window_accepted": false,
|
||||
"nginx_reload_authorized": false,
|
||||
"nginx_reload_executed": false,
|
||||
"nginx_test_authorized": false,
|
||||
"nginx_test_executed": false,
|
||||
"nginx_test_plan_ref": null,
|
||||
"not_approval": true,
|
||||
"owner_gate": "public_tools_owner_response_required",
|
||||
"preflight_stages": [
|
||||
"redacted_export_acceptance_required",
|
||||
"normalize_without_raw_conf_storage",
|
||||
"rendered_diff_owner_review_required",
|
||||
"nginx_test_approval_package_required",
|
||||
"reload_approval_separate",
|
||||
"route_smoke_matrix_required",
|
||||
"postcheck_and_rollback_required"
|
||||
],
|
||||
"production_write_authorized": false,
|
||||
"redacted_export_accepted": false,
|
||||
"redacted_live_conf_ref": null,
|
||||
"rendered_diff_candidate": false,
|
||||
"rendered_diff_ready": false,
|
||||
"rendered_diff_ref": null,
|
||||
"rollback_owner": "pending_rollback_owner",
|
||||
"rollback_owner_accepted": false,
|
||||
"route_smoke_authorized": false,
|
||||
"route_smoke_executed": false,
|
||||
"route_smoke_plan_ref": null,
|
||||
"runtime_gate": false,
|
||||
"source_config_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
|
||||
"status": "draft_waiting_redacted_export_acceptance"
|
||||
},
|
||||
{
|
||||
"action_buttons_allowed": false,
|
||||
"blocked_actions": [
|
||||
"read_live_conf_over_ssh",
|
||||
"store_raw_live_conf",
|
||||
"render_diff_from_unredacted_payload",
|
||||
"nginx_test_without_approval",
|
||||
"nginx_reload_without_approval",
|
||||
"route_smoke_without_plan",
|
||||
"dns_probe_without_approval",
|
||||
"tls_probe_without_approval",
|
||||
"certbot_renew_without_approval",
|
||||
"modify_nginx_conf",
|
||||
"modify_dns_tls_config",
|
||||
"change_public_route",
|
||||
"write_production_host",
|
||||
"open_runtime_gate"
|
||||
],
|
||||
"certbot_renew_authorized": false,
|
||||
"config_id": "host110_ollama_proxy",
|
||||
"control_tier": "C1",
|
||||
"diff_gate_fields": [
|
||||
"diff_gate_id",
|
||||
"intake_id",
|
||||
"export_request_id",
|
||||
"config_id",
|
||||
"control_tier",
|
||||
"source_config_ref",
|
||||
"redacted_live_conf_ref",
|
||||
"rendered_diff_ref",
|
||||
"nginx_test_plan_ref",
|
||||
"route_smoke_plan_ref",
|
||||
"rollback_owner",
|
||||
"not_approval"
|
||||
],
|
||||
"diff_gate_id": "public_gateway_rendered_diff_gate:host110_ollama_proxy",
|
||||
"dns_tls_probe_authorized": false,
|
||||
"export_request_id": "public_gateway_live_conf_export:host110_ollama_proxy",
|
||||
"host": "192.168.0.110",
|
||||
"intake_id": "public_gateway_redacted_export_intake:host110_ollama_proxy",
|
||||
"live_path": "/etc/nginx/sites-enabled/110-ollama-proxy.conf",
|
||||
"maintenance_window_accepted": false,
|
||||
"nginx_reload_authorized": false,
|
||||
"nginx_reload_executed": false,
|
||||
"nginx_test_authorized": false,
|
||||
"nginx_test_executed": false,
|
||||
"nginx_test_plan_ref": null,
|
||||
"not_approval": true,
|
||||
"owner_gate": "ai_provider_proxy_owner_response_required",
|
||||
"preflight_stages": [
|
||||
"redacted_export_acceptance_required",
|
||||
"normalize_without_raw_conf_storage",
|
||||
"rendered_diff_owner_review_required",
|
||||
"nginx_test_approval_package_required",
|
||||
"reload_approval_separate",
|
||||
"route_smoke_matrix_required",
|
||||
"postcheck_and_rollback_required"
|
||||
],
|
||||
"production_write_authorized": false,
|
||||
"redacted_export_accepted": false,
|
||||
"redacted_live_conf_ref": null,
|
||||
"rendered_diff_candidate": false,
|
||||
"rendered_diff_ready": false,
|
||||
"rendered_diff_ref": null,
|
||||
"rollback_owner": "pending_rollback_owner",
|
||||
"rollback_owner_accepted": false,
|
||||
"route_smoke_authorized": false,
|
||||
"route_smoke_executed": false,
|
||||
"route_smoke_plan_ref": null,
|
||||
"runtime_gate": false,
|
||||
"source_config_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
|
||||
"status": "draft_waiting_redacted_export_acceptance"
|
||||
}
|
||||
],
|
||||
"diff_gate_fields": [
|
||||
"diff_gate_id",
|
||||
"intake_id",
|
||||
"export_request_id",
|
||||
"config_id",
|
||||
"control_tier",
|
||||
"source_config_ref",
|
||||
"redacted_live_conf_ref",
|
||||
"rendered_diff_ref",
|
||||
"nginx_test_plan_ref",
|
||||
"route_smoke_plan_ref",
|
||||
"rollback_owner",
|
||||
"not_approval"
|
||||
],
|
||||
"execution_boundaries": {
|
||||
"action_buttons_allowed": false,
|
||||
"certbot_renew_authorized": false,
|
||||
"dns_tls_probe_authorized": false,
|
||||
"nginx_reload_authorized": false,
|
||||
"nginx_reload_executed": false,
|
||||
"nginx_test_authorized": false,
|
||||
"nginx_test_executed": false,
|
||||
"not_authorization": true,
|
||||
"production_write_authorized": false,
|
||||
"read_live_conf_over_ssh": false,
|
||||
"rendered_diff_authorized": false,
|
||||
"route_smoke_authorized": false,
|
||||
"route_smoke_executed": false,
|
||||
"runtime_execution_authorized": false,
|
||||
"store_raw_live_conf": false
|
||||
},
|
||||
"generated_at": "2026-06-14T20:05:00+08:00",
|
||||
"git_commit": "f856df1c",
|
||||
"next_steps": [
|
||||
"等待 redacted export accepted metadata;沒有 accepted metadata 前不得產生 rendered diff。",
|
||||
"rendered diff candidate 必須另走 reviewer / owner review,不得自動進 nginx -t。",
|
||||
"`nginx -t`、reload、route smoke、DNS / TLS probe、certbot renew 與 production write 都必須另行人工批准。"
|
||||
],
|
||||
"preflight_stages": [
|
||||
{
|
||||
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
|
||||
"instruction": "必須先有合格 redacted export accepted metadata,否則不得產生 rendered diff。",
|
||||
"stage_id": "redacted_export_acceptance_required",
|
||||
"status": "required_before_runtime_action"
|
||||
},
|
||||
{
|
||||
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
|
||||
"instruction": "只可在隔離工作區以脫敏 ref 產生 normalized diff,不得把 raw live conf 寫入 repo。",
|
||||
"stage_id": "normalize_without_raw_conf_storage",
|
||||
"status": "required_before_runtime_action"
|
||||
},
|
||||
{
|
||||
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
|
||||
"instruction": "rendered diff 只可成為 owner review candidate,不自動批准。",
|
||||
"stage_id": "rendered_diff_owner_review_required",
|
||||
"status": "required_before_runtime_action"
|
||||
},
|
||||
{
|
||||
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
|
||||
"instruction": "`nginx -t` 必須另有人工批准包、rollback owner 與維護窗口。",
|
||||
"stage_id": "nginx_test_approval_package_required",
|
||||
"status": "required_before_runtime_action"
|
||||
},
|
||||
{
|
||||
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
|
||||
"instruction": "reload 與 public route change 必須獨立於 rendered diff 與 nginx -t。",
|
||||
"stage_id": "reload_approval_separate",
|
||||
"status": "required_before_runtime_action"
|
||||
},
|
||||
{
|
||||
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
|
||||
"instruction": "route smoke 需列出 affected routes、預期 status、TLS / WebSocket / ACME checks。",
|
||||
"stage_id": "route_smoke_matrix_required",
|
||||
"status": "required_before_runtime_action"
|
||||
},
|
||||
{
|
||||
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
|
||||
"instruction": "任何未來執行前都需 rollback owner、post-check 與失敗撤回條件。",
|
||||
"stage_id": "postcheck_and_rollback_required",
|
||||
"status": "required_before_runtime_action"
|
||||
}
|
||||
],
|
||||
"schema_version": "public_gateway_rendered_diff_gate_draft_v1",
|
||||
"source_intake_preflight_schema_version": "public_gateway_redacted_export_intake_preflight_v1",
|
||||
"source_intake_preflight_status": "redacted_export_intake_preflight_ready_no_payload_received",
|
||||
"status": "rendered_diff_gate_draft_ready_no_runtime_action",
|
||||
"summary": {
|
||||
"action_button_count": 0,
|
||||
"blocked_action_count": 14,
|
||||
"c0_diff_gate_candidate_count": 2,
|
||||
"c1_diff_gate_candidate_count": 1,
|
||||
"certbot_renew_authorized_count": 0,
|
||||
"diff_gate_candidate_count": 3,
|
||||
"diff_gate_field_count": 12,
|
||||
"dns_tls_probe_authorized_count": 0,
|
||||
"maintenance_window_accepted_count": 0,
|
||||
"nginx_reload_authorized_count": 0,
|
||||
"nginx_reload_executed_count": 0,
|
||||
"nginx_test_authorized_count": 0,
|
||||
"nginx_test_executed_count": 0,
|
||||
"preflight_stage_count": 7,
|
||||
"redacted_export_accepted_count": 0,
|
||||
"rendered_diff_candidate_count": 0,
|
||||
"rendered_diff_ready_count": 0,
|
||||
"rollback_owner_accepted_count": 0,
|
||||
"route_smoke_authorized_count": 0,
|
||||
"route_smoke_executed_count": 0,
|
||||
"runtime_gate_count": 0
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user