{
"execution_boundaries": {
"action_buttons_allowed": false,
"certbot_renew_authorized": false,
"dns_query_executed": false,
"host_live_conf_read_authorized": false,
"live_tls_probe_executed": false,
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"not_authorization": true,
"production_write_authorized": false,
"raw_live_conf_storage_allowed": false,
"route_smoke_authorized": false,
"route_smoke_executed": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"ssh_read_authorized": false
},
"export_request_fields": [
"export_request_id",
"config_id",
"host",
"live_path",
"export_owner_role_or_team",
"export_method",
"redaction_policy_ref",
"redacted_live_conf_ref",
"source_snapshot_ref",
"intended_use",
"followup_owner",
"not_approval"
],
"export_requests": [
{
"action_buttons_allowed": false,
"config_id": "host188_all_sites",
"control_tier": "C0",
"export_method": "owner_provided_redacted_export_only",
"export_owner_role_or_team": "pending_owner_role_or_team",
"export_request_fields": [
"export_request_id",
"config_id",
"host",
"live_path",
"export_owner_role_or_team",
"export_method",
"redaction_policy_ref",
"redacted_live_conf_ref",
"source_snapshot_ref",
"intended_use",
"followup_owner",
"not_approval"
],
"export_request_id": "public_gateway_live_conf_export:host188_all_sites",
"followup_owner": "pending_followup_owner",
"host": "192.168.0.188",
"intended_use": "rendered_diff_and_route_change_preflight_only",
"live_path": "/etc/nginx/sites-enabled/all-sites.conf",
"nginx_reload_authorized": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"not_approval": true,
"owner_gate": "public_gateway_owner_response_required",
"production_write_authorized": false,
"raw_live_conf_stored": false,
"recipient_confirmed": false,
"redacted_export_received": false,
"redacted_live_conf_ref": null,
"redaction_policy_ref": "docs/security/PUBLIC-GATEWAY-LIVE-CONF-EXPORT-REQUEST.md#3-redaction-policy",
"redaction_rules": [
"只收 owner 提供的脫敏 live conf export ref,不收 raw live conf。",
"不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。",
"若 upstream URL 含 credential,必須整段遮罩為 redacted_upstream_credential。",
"若路徑含 private credential、query token 或 webhook secret,必須整段遮罩。",
"允許保留 server_name、listen、location、proxy_pass host / port、ACME path、TLS certificate path metadata。",
"不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。",
"疑似敏感 payload 只能記 quarantine metadata,不得寫入 repo、LOGBOOK 或前端。",
"匯出請求不等於 nginx -t、reload、route smoke、DNS / TLS probe 或 production write 授權。"
],
"rendered_diff_ready": false,
"repo_source_path": "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2",
"request_sent": false,
"role": "public_gateway_all_sites",
"route_impact_summary": {
"acme_route_count": 2,
"admin_route_count": 2,
"server_name_count": 9,
"tls_certificate_path_count": 7,
"upstream_count": 10,
"websocket_route_count": 5
},
"route_smoke_authorized": false,
"route_smoke_executed": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_snapshot_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
"status": "draft_not_dispatched"
},
{
"action_buttons_allowed": false,
"config_id": "host188_internal_tools_https",
"control_tier": "C0",
"export_method": "owner_provided_redacted_export_only",
"export_owner_role_or_team": "pending_owner_role_or_team",
"export_request_fields": [
"export_request_id",
"config_id",
"host",
"live_path",
"export_owner_role_or_team",
"export_method",
"redaction_policy_ref",
"redacted_live_conf_ref",
"source_snapshot_ref",
"intended_use",
"followup_owner",
"not_approval"
],
"export_request_id": "public_gateway_live_conf_export:host188_internal_tools_https",
"followup_owner": "pending_followup_owner",
"host": "192.168.0.188",
"intended_use": "rendered_diff_and_route_change_preflight_only",
"live_path": "owner_confirmation_required",
"nginx_reload_authorized": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"not_approval": true,
"owner_gate": "public_tools_owner_response_required",
"production_write_authorized": false,
"raw_live_conf_stored": false,
"recipient_confirmed": false,
"redacted_export_received": false,
"redacted_live_conf_ref": null,
"redaction_policy_ref": "docs/security/PUBLIC-GATEWAY-LIVE-CONF-EXPORT-REQUEST.md#3-redaction-policy",
"redaction_rules": [
"只收 owner 提供的脫敏 live conf export ref,不收 raw live conf。",
"不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。",
"若 upstream URL 含 credential,必須整段遮罩為 redacted_upstream_credential。",
"若路徑含 private credential、query token 或 webhook secret,必須整段遮罩。",
"允許保留 server_name、listen、location、proxy_pass host / port、ACME path、TLS certificate path metadata。",
"不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。",
"疑似敏感 payload 只能記 quarantine metadata,不得寫入 repo、LOGBOOK 或前端。",
"匯出請求不等於 nginx -t、reload、route smoke、DNS / TLS probe 或 production write 授權。"
],
"rendered_diff_ready": false,
"repo_source_path": "infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2",
"request_sent": false,
"role": "public_internal_tools_https",
"route_impact_summary": {
"acme_route_count": 1,
"admin_route_count": 0,
"server_name_count": 7,
"tls_certificate_path_count": 4,
"upstream_count": 6,
"websocket_route_count": 2
},
"route_smoke_authorized": false,
"route_smoke_executed": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_snapshot_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
"status": "draft_not_dispatched"
},
{
"action_buttons_allowed": false,
"config_id": "host110_ollama_proxy",
"control_tier": "C1",
"export_method": "owner_provided_redacted_export_only",
"export_owner_role_or_team": "pending_owner_role_or_team",
"export_request_fields": [
"export_request_id",
"config_id",
"host",
"live_path",
"export_owner_role_or_team",
"export_method",
"redaction_policy_ref",
"redacted_live_conf_ref",
"source_snapshot_ref",
"intended_use",
"followup_owner",
"not_approval"
],
"export_request_id": "public_gateway_live_conf_export:host110_ollama_proxy",
"followup_owner": "pending_followup_owner",
"host": "192.168.0.110",
"intended_use": "rendered_diff_and_route_change_preflight_only",
"live_path": "/etc/nginx/sites-enabled/110-ollama-proxy.conf",
"nginx_reload_authorized": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"not_approval": true,
"owner_gate": "ai_provider_proxy_owner_response_required",
"production_write_authorized": false,
"raw_live_conf_stored": false,
"recipient_confirmed": false,
"redacted_export_received": false,
"redacted_live_conf_ref": null,
"redaction_policy_ref": "docs/security/PUBLIC-GATEWAY-LIVE-CONF-EXPORT-REQUEST.md#3-redaction-policy",
"redaction_rules": [
"只收 owner 提供的脫敏 live conf export ref,不收 raw live conf。",
"不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。",
"若 upstream URL 含 credential,必須整段遮罩為 redacted_upstream_credential。",
"若路徑含 private credential、query token 或 webhook secret,必須整段遮罩。",
"允許保留 server_name、listen、location、proxy_pass host / port、ACME path、TLS certificate path metadata。",
"不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。",
"疑似敏感 payload 只能記 quarantine metadata,不得寫入 repo、LOGBOOK 或前端。",
"匯出請求不等於 nginx -t、reload、route smoke、DNS / TLS probe 或 production write 授權。"
],
"rendered_diff_ready": false,
"repo_source_path": "infra/ansible/roles/nginx/templates/110-ollama-proxy.conf.j2",
"request_sent": false,
"role": "ollama_proxy_gateway",
"route_impact_summary": {
"acme_route_count": 0,
"admin_route_count": 0,
"server_name_count": 0,
"tls_certificate_path_count": 0,
"upstream_count": 3,
"websocket_route_count": 0
},
"route_smoke_authorized": false,
"route_smoke_executed": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_snapshot_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
"status": "draft_not_dispatched"
}
],
"generated_at": "2026-06-14T19:05:00+08:00",
"git_commit": "0a4766dd",
"next_steps": [
"若 owner 願意提供,只能提供脫敏 live conf export ref,不得提供 raw conf。",
"收到 export ref 後先做敏感 payload 隔離檢查,再進 rendered diff。",
"rendered diff 成立仍不代表 nginx -t、reload 或 route smoke 已授權。"
],
"redaction_rules": [
"只收 owner 提供的脫敏 live conf export ref,不收 raw live conf。",
"不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。",
"若 upstream URL 含 credential,必須整段遮罩為 redacted_upstream_credential。",
"若路徑含 private credential、query token 或 webhook secret,必須整段遮罩。",
"允許保留 server_name、listen、location、proxy_pass host / port、ACME path、TLS certificate path metadata。",
"不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。",
"疑似敏感 payload 只能記 quarantine metadata,不得寫入 repo、LOGBOOK 或前端。",
"匯出請求不等於 nginx -t、reload、route smoke、DNS / TLS probe 或 production write 授權。"
],
"schema_version": "public_gateway_live_conf_export_request_v1",
"source_preflight_schema_version": "public_gateway_preflight_inventory_v1",
"source_preflight_status": "repo_only_preflight_contract_ready",
"status": "live_conf_export_request_ready_not_dispatched",
"summary": {
"action_button_count": 0,
"c0_export_request_count": 2,
"c1_export_request_count": 1,
"export_request_count": 3,
"export_request_field_count": 12,
"nginx_reload_authorized_count": 0,
"nginx_test_authorized_count": 0,
"nginx_test_executed_count": 0,
"raw_live_conf_stored_count": 0,
"recipient_confirmed_count": 0,
"redacted_export_received_count": 0,
"redaction_rule_count": 8,
"rendered_diff_ready_count": 0,
"request_sent_count": 0,
"route_smoke_authorized_count": 0,
"route_smoke_executed_count": 0,
"runtime_gate_count": 0
}
}