# IwoooS Public Gateway Owner Response Acceptance 只讀帳本 | 項目 | 內容 | |------|------| | 日期 | 2026-06-15 | | 狀態 | `owner_response_acceptance_ledger_ready_no_runtime_action` | | 工具 | `scripts/security/public-gateway-owner-response-acceptance.py` | | Snapshot | `docs/security/public-gateway-owner-response-acceptance.snapshot.json` | | 來源 | `public-gateway-live-conf-export-request.snapshot.json`、`public-gateway-redacted-export-intake-preflight.snapshot.json`、`public-gateway-rendered-diff-gate-draft.snapshot.json` | | runtime gate | `0` | ## 1. 目的 本文件把 Public Gateway live conf 匯出請求、redacted export 收件預檢、rendered diff / `nginx -t` gate 草稿串成 owner response acceptance 只讀帳本。目的不是執行 Nginx,而是固定未來 owner 回覆要如何被 reviewer 收件、補件、隔離、拒收或進入 rendered diff review。 本階段不讀 live Nginx conf、不 SSH、不執行 `nginx -t`、不 reload Nginx、不做 route smoke、不做 DNS / TLS probe、不 renew certbot、不改 Nginx / DNS / TLS 設定、不寫 production host、不開 action button。 2026-06-15 起,本帳本也負責處理手動或緊急 Public Gateway 變更的最小可追溯 metadata。任何疑似未授權 Nginx / route / upstream / port / proxy 變更,都必須先補脫敏 change actor/source ref、change time window、cross-project impact ref、communication sync ref、change intent / ticket ref、pre-change approval 或 break-glass reason ref、route health impact ref、rollback validation ref 與 post-change monitoring window;這些欄位只用於責任、影響與回復追蹤,不代表允許讀 live conf、reload 或改 route。 ## 2. 摘要 | 指標 | 目前值 | 說明 | |------|--------|------| | source export request | `3` | 來自 live conf 匯出請求包 | | source intake candidate | `3` | 來自 redacted export 收件預檢 | | source diff gate candidate | `3` | 來自 rendered diff gate 草稿 | | acceptance candidate | `3` | 對應三份 public gateway config | | C0 / C1 acceptance candidate | `2 / 1` | 188 公開入口兩份為 C0,110 Ollama proxy 為 C1 | | acceptance field | `33` | 每份 acceptance candidate 固定欄位數 | | required owner response field | `22` | owner 必須提供的最小欄位 | | reviewer check | `22` | reviewer 收件前必檢項 | | outcome lane | `8` | 等待、隔離、拒收、補件、review、只讀更新、緊急變更補件、等待 runtime gate | | blocked action | `28` | 驗收前全部禁止 | | owner response received / accepted | `0 / 0` | 不得假性拉高 | | rendered diff / `nginx -t` / reload / route smoke | `0` | 未授權且未執行 | | runtime gate / action button | `0 / 0` | 不開任何執行入口 | ## 3. Owner 必填欄位 | 欄位 | 說明 | |------|------| | `owner_role_or_team` | Public Gateway / Nginx owner role 或 team | | `decision` | 對本 config scope 的回覆判定 | | `decision_reason` | 決策理由,不得包含機敏值 | | `affected_routes` | 受影響 domain / route / upstream scope | | `redacted_live_conf_ref` | 脫敏 live conf evidence ref;不得貼 raw conf | | `source_to_live_rendered_diff_ref` | source-to-live rendered diff ref;不得貼 raw diff payload | | `nginx_test_plan_ref` | 後續 `nginx -t` 計畫或 evidence ref;不代表已授權 | | `route_smoke_plan_ref` | route smoke matrix ref | | `maintenance_window` | 維護窗口或禁止窗口 | | `rollback_owner` | rollback 負責人與 rollback ref | | `postcheck_plan` | reload / route smoke 後的 post-check plan | | `change_actor_or_source_ref` | 若有手動或緊急變更,提供脫敏 actor / source ref,不得貼帳密或 raw shell history | | `change_time_window` | 變更或事故時間窗,讓 route smoke、告警與跨專案影響能對齊 | | `cross_project_impact_ref` | 跨產品 / 跨專案影響 ref,避免只修單一路由卻造成其他服務中斷 | | `communication_sync_ref` | 通知或協調 ref,證明相關專案 owner 已收到影響與回復狀態 | | `change_intent_or_ticket_ref` | 變更意圖、維護單、事故單或 ticket ref;不得只用聊天口頭同意 | | `pre_change_approval_ref` | 正常變更的事前批准 ref;緊急變更不得用此欄偽造批准 | | `break_glass_reason_ref` | 緊急變更的 break-glass 事由 ref;只代表事後補件,不代表已批准 | | `route_health_impact_ref` | route health / service health impact ref,需能對齊 affected routes | | `rollback_validation_ref` | rollback validation ref,需能追溯 rollback owner 與回滾後驗證方式 | | `post_change_monitoring_window` | 事後觀察窗口,讓告警、route smoke 與跨專案回復狀態能對齊 | | `followup_owner` | 補件、隔離、拒收或下一步 review owner | ## 4. Reviewer Checks | Check | 規則 | |-------|------| | `owner_identity_present` | owner role / team 必須可追溯 | | `decision_reason_present` | decision 與 decision reason 必須同時存在 | | `redacted_refs_only` | evidence 只能是脫敏 ref、hash、ticket、commit 或 artifact pointer | | `raw_conf_absent` | 不得出現 raw live Nginx conf、完整 upstream payload 或未遮蔽 host secret | | `secret_value_absent` | 不得出現 token、cookie、private key、完整憑證內容或 secret derivative | | `route_scope_matches_snapshot` | affected routes 必須能對回 committed public gateway snapshot | | `rendered_diff_ref_not_payload` | rendered diff 只能是 ref,不得把 payload 直接貼進 owner response | | `nginx_test_separate_approval` | `nginx -t` 必須另走人工批准,不得自動觸發 | | `route_smoke_plan_present` | route smoke plan 必須列 affected routes、預期 status、TLS / WebSocket / ACME checks | | `maintenance_window_present` | 必須有維護窗口或明確禁止窗口 | | `rollback_owner_present` | rollback owner 與 rollback ref 必須存在 | | `change_actor_or_source_ref_present` | 手動或緊急變更必須有脫敏 actor / source ref | | `change_time_window_present` | 必須提供變更或事故時間窗 | | `cross_project_impact_review_present` | 必須提供跨產品 / 跨專案影響 ref | | `communication_sync_ref_present` | 必須提供通知或協調 ref | | `change_intent_or_ticket_ref_present` | 每次 Public Gateway / Nginx 變更都必須有 change intent、ticket、incident 或 maintenance ref | | `pre_change_approval_or_break_glass_present` | 正常變更需有 pre-change approval ref;緊急變更需有 break-glass reason ref,且不得把 break-glass 當成事前批准 | | `route_health_impact_present` | 必須提供 route health / service health impact ref,確認受影響 domain、upstream、WebSocket、ACME 與 API 是否恢復 | | `rollback_validation_present` | 必須提供 rollback validation ref,證明回滾路徑、回滾 owner 與回滾後驗證方式可追溯 | | `post_change_monitoring_window_present` | 必須提供 post-change monitoring window | | `manual_change_not_silent` | 任何手動或緊急 gateway 變更不得靜默收件;缺 actor、意圖、影響、通知或回滾驗證就必須補件或拒收 | | `counts_transition_safe` | 只有 reviewer record 可更新 received / accepted / rejected;不得同時開 runtime gate | ## 5. Outcome Lanes | Lane | 意義 | |------|------| | `waiting_owner_response` | 尚未收到 owner response;所有 accepted / runtime count 維持 0 | | `quarantine_raw_payload` | 收到 raw conf、payload 或不可保存內容時只能隔離 | | `reject_secret_or_unredacted_conf` | 出現 secret value、未脫敏 live conf 或 credential derivative 時直接拒收 | | `request_supplement` | 欄位不足、scope 不清或 evidence ref 不可追溯時要求補件 | | `ready_for_rendered_diff_review` | metadata 合格後,只能進 rendered diff reviewer review | | `owner_review_only_update` | 只允許更新只讀 owner review ledger | | `emergency_change_backfill_required` | 手動或緊急 gateway 變更只能進事後補件,不得因 break-glass 而自動接受或開 runtime gate | | `waiting_runtime_gate` | 即使 owner response accepted,runtime gate 仍等待獨立人工批准 | ## 6. Blocked Actions ```text read_live_conf_over_ssh store_raw_live_conf accept_unredacted_live_conf collect_secret_value render_diff_from_unredacted_payload mark_owner_response_accepted_without_reviewer_record nginx_test_without_separate_approval nginx_reload_without_separate_approval route_smoke_without_matrix dns_probe_without_approval tls_probe_without_approval certbot_renew_without_approval modify_nginx_conf modify_dns_tls_config change_public_route write_production_host accept_unknown_change_actor accept_missing_change_time_window skip_cross_project_impact_review skip_incident_communication_sync accept_silent_manual_nginx_change treat_break_glass_as_approval mark_gateway_change_resolved_without_route_health skip_rollback_validation skip_post_change_monitoring hide_cross_project_route_impact open_runtime_gate add_action_button ``` ## 7. 指令 固定 committed snapshot: ```bash python3 scripts/security/public-gateway-owner-response-acceptance.py \ --root . \ --output docs/security/public-gateway-owner-response-acceptance.snapshot.json \ --generated-at 2026-06-15T14:10:00+08:00 ``` 只讀 guard: ```bash python3 scripts/security/security-mirror-progress-guard.py --root . python3 scripts/security/source-control-owner-response-guard.py --root . ``` ## 8. 完成度 | 工作 | 完成度 | 說明 | |------|--------|------| | owner response acceptance ledger artifact | `100%` | 3 份 public gateway config 已有只讀收件判定帳本 | | 手動 / 緊急 gateway 變更 metadata gate | `100%` | 已要求 actor/source、time window、cross-project impact、communication sync、change intent、approval / break-glass、route health impact、rollback validation 與 post-change monitoring;不收 raw payload | | owner response received / accepted | `0%` | 尚未收到或接受任何 owner response | | rendered diff / `nginx -t` / reload / route smoke | `0%` | 未授權且未執行 | | DNS / TLS / certbot | `0%` | 未授權且未執行 | | runtime gate / production write | `0%` | 無 action button,無 host write | ## 9. 邊界 這份帳本不是 live gateway truth、不是 Nginx 變更批准、不是 `nginx -t` 授權、不是 reload 授權、不是 DNS / TLS / certbot 授權,也不是 route smoke 或 runtime gate。不得把 owner response acceptance ledger、snapshot、LOGBOOK、IwoooS UI 或 AwoooP approval 解讀成可以讀 live conf、改 Nginx、改公開路由、收 secret、寫 production host、開 action button 或執行任何 gateway 操作。