{ "execution_boundaries": { "action_buttons_allowed": false, "certbot_renew_authorized": false, "dns_query_executed": false, "host_live_conf_read_authorized": false, "live_tls_probe_executed": false, "nginx_reload_authorized": false, "nginx_reload_executed": false, "nginx_test_authorized": false, "nginx_test_executed": false, "not_authorization": true, "production_write_authorized": false, "raw_live_conf_storage_allowed": false, "route_smoke_authorized": false, "route_smoke_executed": false, "runtime_execution_authorized": false, "secret_value_collection_allowed": false, "ssh_read_authorized": false }, "export_request_fields": [ "export_request_id", "config_id", "host", "live_path", "export_owner_role_or_team", "export_method", "redaction_policy_ref", "redacted_live_conf_ref", "source_snapshot_ref", "intended_use", "followup_owner", "not_approval" ], "export_requests": [ { "action_buttons_allowed": false, "config_id": "host188_all_sites", "control_tier": "C0", "export_method": "owner_provided_redacted_export_only", "export_owner_role_or_team": "pending_owner_role_or_team", "export_request_fields": [ "export_request_id", "config_id", "host", "live_path", "export_owner_role_or_team", "export_method", "redaction_policy_ref", "redacted_live_conf_ref", "source_snapshot_ref", "intended_use", "followup_owner", "not_approval" ], "export_request_id": "public_gateway_live_conf_export:host188_all_sites", "followup_owner": "pending_followup_owner", "host": "192.168.0.188", "intended_use": "rendered_diff_and_route_change_preflight_only", "live_path": "/etc/nginx/sites-enabled/all-sites.conf", "nginx_reload_authorized": false, "nginx_test_authorized": false, "nginx_test_executed": false, "not_approval": true, "owner_gate": "public_gateway_owner_response_required", "production_write_authorized": false, "raw_live_conf_stored": false, "recipient_confirmed": false, "redacted_export_received": false, "redacted_live_conf_ref": null, "redaction_policy_ref": "docs/security/PUBLIC-GATEWAY-LIVE-CONF-EXPORT-REQUEST.md#3-redaction-policy", "redaction_rules": [ "只收 owner 提供的脫敏 live conf export ref,不收 raw live conf。", "不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。", "若 upstream URL 含 credential,必須整段遮罩為 redacted_upstream_credential。", "若路徑含 private credential、query token 或 webhook secret,必須整段遮罩。", "允許保留 server_name、listen、location、proxy_pass host / port、ACME path、TLS certificate path metadata。", "不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。", "疑似敏感 payload 只能記 quarantine metadata,不得寫入 repo、LOGBOOK 或前端。", "匯出請求不等於 nginx -t、reload、route smoke、DNS / TLS probe 或 production write 授權。" ], "rendered_diff_ready": false, "repo_source_path": "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2", "request_sent": false, "role": "public_gateway_all_sites", "route_impact_summary": { "acme_route_count": 2, "admin_route_count": 2, "server_name_count": 9, "tls_certificate_path_count": 7, "upstream_count": 10, "websocket_route_count": 5 }, "route_smoke_authorized": false, "route_smoke_executed": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_snapshot_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json", "status": "draft_not_dispatched" }, { "action_buttons_allowed": false, "config_id": "host188_internal_tools_https", "control_tier": "C0", "export_method": "owner_provided_redacted_export_only", "export_owner_role_or_team": "pending_owner_role_or_team", "export_request_fields": [ "export_request_id", "config_id", "host", "live_path", "export_owner_role_or_team", "export_method", "redaction_policy_ref", "redacted_live_conf_ref", "source_snapshot_ref", "intended_use", "followup_owner", "not_approval" ], "export_request_id": "public_gateway_live_conf_export:host188_internal_tools_https", "followup_owner": "pending_followup_owner", "host": "192.168.0.188", "intended_use": "rendered_diff_and_route_change_preflight_only", "live_path": "owner_confirmation_required", "nginx_reload_authorized": false, "nginx_test_authorized": false, "nginx_test_executed": false, "not_approval": true, "owner_gate": "public_tools_owner_response_required", "production_write_authorized": false, "raw_live_conf_stored": false, "recipient_confirmed": false, "redacted_export_received": false, "redacted_live_conf_ref": null, "redaction_policy_ref": "docs/security/PUBLIC-GATEWAY-LIVE-CONF-EXPORT-REQUEST.md#3-redaction-policy", "redaction_rules": [ "只收 owner 提供的脫敏 live conf export ref,不收 raw live conf。", "不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。", "若 upstream URL 含 credential,必須整段遮罩為 redacted_upstream_credential。", "若路徑含 private credential、query token 或 webhook secret,必須整段遮罩。", "允許保留 server_name、listen、location、proxy_pass host / port、ACME path、TLS certificate path metadata。", "不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。", "疑似敏感 payload 只能記 quarantine metadata,不得寫入 repo、LOGBOOK 或前端。", "匯出請求不等於 nginx -t、reload、route smoke、DNS / TLS probe 或 production write 授權。" ], "rendered_diff_ready": false, "repo_source_path": "infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2", "request_sent": false, "role": "public_internal_tools_https", "route_impact_summary": { "acme_route_count": 1, "admin_route_count": 0, "server_name_count": 7, "tls_certificate_path_count": 4, "upstream_count": 6, "websocket_route_count": 2 }, "route_smoke_authorized": false, "route_smoke_executed": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_snapshot_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json", "status": "draft_not_dispatched" }, { "action_buttons_allowed": false, "config_id": "host110_ollama_proxy", "control_tier": "C1", "export_method": "owner_provided_redacted_export_only", "export_owner_role_or_team": "pending_owner_role_or_team", "export_request_fields": [ "export_request_id", "config_id", "host", "live_path", "export_owner_role_or_team", "export_method", "redaction_policy_ref", "redacted_live_conf_ref", "source_snapshot_ref", "intended_use", "followup_owner", "not_approval" ], "export_request_id": "public_gateway_live_conf_export:host110_ollama_proxy", "followup_owner": "pending_followup_owner", "host": "192.168.0.110", "intended_use": "rendered_diff_and_route_change_preflight_only", "live_path": "/etc/nginx/sites-enabled/110-ollama-proxy.conf", "nginx_reload_authorized": false, "nginx_test_authorized": false, "nginx_test_executed": false, "not_approval": true, "owner_gate": "ai_provider_proxy_owner_response_required", "production_write_authorized": false, "raw_live_conf_stored": false, "recipient_confirmed": false, "redacted_export_received": false, "redacted_live_conf_ref": null, "redaction_policy_ref": "docs/security/PUBLIC-GATEWAY-LIVE-CONF-EXPORT-REQUEST.md#3-redaction-policy", "redaction_rules": [ "只收 owner 提供的脫敏 live conf export ref,不收 raw live conf。", "不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。", "若 upstream URL 含 credential,必須整段遮罩為 redacted_upstream_credential。", "若路徑含 private credential、query token 或 webhook secret,必須整段遮罩。", "允許保留 server_name、listen、location、proxy_pass host / port、ACME path、TLS certificate path metadata。", "不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。", "疑似敏感 payload 只能記 quarantine metadata,不得寫入 repo、LOGBOOK 或前端。", "匯出請求不等於 nginx -t、reload、route smoke、DNS / TLS probe 或 production write 授權。" ], "rendered_diff_ready": false, "repo_source_path": "infra/ansible/roles/nginx/templates/110-ollama-proxy.conf.j2", "request_sent": false, "role": "ollama_proxy_gateway", "route_impact_summary": { "acme_route_count": 0, "admin_route_count": 0, "server_name_count": 0, "tls_certificate_path_count": 0, "upstream_count": 3, "websocket_route_count": 0 }, "route_smoke_authorized": false, "route_smoke_executed": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_snapshot_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json", "status": "draft_not_dispatched" } ], "generated_at": "2026-06-14T19:05:00+08:00", "git_commit": "0a4766dd", "next_steps": [ "若 owner 願意提供,只能提供脫敏 live conf export ref,不得提供 raw conf。", "收到 export ref 後先做敏感 payload 隔離檢查,再進 rendered diff。", "rendered diff 成立仍不代表 nginx -t、reload 或 route smoke 已授權。" ], "redaction_rules": [ "只收 owner 提供的脫敏 live conf export ref,不收 raw live conf。", "不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。", "若 upstream URL 含 credential,必須整段遮罩為 redacted_upstream_credential。", "若路徑含 private credential、query token 或 webhook secret,必須整段遮罩。", "允許保留 server_name、listen、location、proxy_pass host / port、ACME path、TLS certificate path metadata。", "不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。", "疑似敏感 payload 只能記 quarantine metadata,不得寫入 repo、LOGBOOK 或前端。", "匯出請求不等於 nginx -t、reload、route smoke、DNS / TLS probe 或 production write 授權。" ], "schema_version": "public_gateway_live_conf_export_request_v1", "source_preflight_schema_version": "public_gateway_preflight_inventory_v1", "source_preflight_status": "repo_only_preflight_contract_ready", "status": "live_conf_export_request_ready_not_dispatched", "summary": { "action_button_count": 0, "c0_export_request_count": 2, "c1_export_request_count": 1, "export_request_count": 3, "export_request_field_count": 12, "nginx_reload_authorized_count": 0, "nginx_test_authorized_count": 0, "nginx_test_executed_count": 0, "raw_live_conf_stored_count": 0, "recipient_confirmed_count": 0, "redacted_export_received_count": 0, "redaction_rule_count": 8, "rendered_diff_ready_count": 0, "request_sent_count": 0, "route_smoke_authorized_count": 0, "route_smoke_executed_count": 0, "runtime_gate_count": 0 } }