804 lines
28 KiB
JSON
804 lines
28 KiB
JSON
{
|
||
"acceptance_candidates": [
|
||
{
|
||
"acceptance_candidate_id": "domain_tls_certbot_owner_response_acceptance:gitea.wooo.work",
|
||
"acceptance_fields": [
|
||
"acceptance_candidate_id",
|
||
"request_id",
|
||
"domain",
|
||
"control_tier",
|
||
"hosts",
|
||
"certificate_path_domains",
|
||
"certificate_paths",
|
||
"owner_response_ref",
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"certificate_coverage_basis_ref",
|
||
"certificate_expiry_metadata_ref",
|
||
"renewal_owner",
|
||
"acme_challenge_route_owner",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"validation_plan",
|
||
"reviewer_outcome",
|
||
"followup_owner",
|
||
"not_approval"
|
||
],
|
||
"acme_challenge_route_owner": "pending_owner_response",
|
||
"acme_route_owner_accepted": false,
|
||
"action_buttons_allowed": false,
|
||
"affected_scope": "pending_owner_response",
|
||
"blocked_actions": [
|
||
"perform_dns_query",
|
||
"perform_live_tls_probe",
|
||
"run_certbot_renew",
|
||
"run_nginx_reload",
|
||
"run_route_smoke",
|
||
"read_tls_private_key",
|
||
"store_raw_certificate_payload",
|
||
"store_dns_provider_credential",
|
||
"store_certbot_account_key",
|
||
"collect_secret_value",
|
||
"accept_unredacted_certbot_log",
|
||
"accept_shell_history_or_env_dump",
|
||
"mark_owner_response_accepted_without_reviewer_record",
|
||
"mark_certificate_coverage_confirmed_without_ref",
|
||
"modify_dns_record",
|
||
"modify_tls_certificate_path",
|
||
"modify_acme_challenge_route",
|
||
"write_production_host",
|
||
"open_runtime_gate",
|
||
"add_action_button"
|
||
],
|
||
"certbot_renew_authorized": false,
|
||
"certbot_renew_executed": false,
|
||
"certificate_coverage_basis_ref": null,
|
||
"certificate_coverage_confirmed": false,
|
||
"certificate_expiry_metadata_accepted": false,
|
||
"certificate_expiry_metadata_ref": null,
|
||
"certificate_path_domains": [
|
||
"sentry.wooo.work"
|
||
],
|
||
"certificate_paths": [
|
||
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem"
|
||
],
|
||
"control_tier": "C0",
|
||
"decision": "pending_owner_response",
|
||
"decision_reason": "pending_owner_response",
|
||
"dns_query_authorized": false,
|
||
"dns_query_executed": false,
|
||
"domain": "gitea.wooo.work",
|
||
"followup_owner": "pending_owner_response",
|
||
"host_write_authorized": false,
|
||
"hosts": [
|
||
"192.168.0.188"
|
||
],
|
||
"live_tls_probe_authorized": false,
|
||
"live_tls_probe_executed": false,
|
||
"maintenance_window": "pending_owner_response",
|
||
"maintenance_window_accepted": false,
|
||
"nginx_reload_authorized": false,
|
||
"nginx_reload_executed": false,
|
||
"not_approval": true,
|
||
"outcome_lanes": [
|
||
"waiting_owner_response",
|
||
"quarantine_raw_certificate_or_secret",
|
||
"reject_execution_request",
|
||
"request_supplement",
|
||
"ready_for_certificate_coverage_review",
|
||
"owner_review_only_update",
|
||
"waiting_runtime_gate"
|
||
],
|
||
"owner_response_accepted": false,
|
||
"owner_response_quarantined": false,
|
||
"owner_response_received": false,
|
||
"owner_response_ref": null,
|
||
"owner_response_rejected": false,
|
||
"owner_role_or_team": "pending_owner_response",
|
||
"production_write_authorized": false,
|
||
"recipient_confirmed": false,
|
||
"redacted_evidence_refs": [],
|
||
"renewal_owner": "pending_owner_response",
|
||
"renewal_owner_accepted": false,
|
||
"request_id": "domain_tls_certbot_owner_confirmation:gitea.wooo.work",
|
||
"request_sent": false,
|
||
"required_owner_response_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"certificate_coverage_basis_ref",
|
||
"certificate_expiry_metadata_ref",
|
||
"renewal_owner",
|
||
"acme_challenge_route_owner",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"validation_plan",
|
||
"followup_owner"
|
||
],
|
||
"reviewer_checks": [
|
||
"owner_identity_present",
|
||
"decision_and_reason_present",
|
||
"redacted_refs_only",
|
||
"raw_certificate_absent",
|
||
"secret_value_absent",
|
||
"coverage_basis_ref_present",
|
||
"expiry_metadata_ref_not_probe",
|
||
"renewal_owner_separate_from_action",
|
||
"acme_route_owner_present",
|
||
"maintenance_window_present",
|
||
"rollback_owner_present",
|
||
"validation_plan_present",
|
||
"counts_transition_safe"
|
||
],
|
||
"reviewer_outcome": "waiting_owner_response",
|
||
"rollback_owner": "pending_owner_response",
|
||
"rollback_owner_accepted": false,
|
||
"route_smoke_authorized": false,
|
||
"route_smoke_executed": false,
|
||
"runtime_gate": false,
|
||
"secret_value_collection_allowed": false,
|
||
"status": "waiting_owner_response",
|
||
"supplement_requested": false,
|
||
"validation_plan": "pending_owner_response"
|
||
},
|
||
{
|
||
"acceptance_candidate_id": "domain_tls_certbot_owner_response_acceptance:langfuse.wooo.work",
|
||
"acceptance_fields": [
|
||
"acceptance_candidate_id",
|
||
"request_id",
|
||
"domain",
|
||
"control_tier",
|
||
"hosts",
|
||
"certificate_path_domains",
|
||
"certificate_paths",
|
||
"owner_response_ref",
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"certificate_coverage_basis_ref",
|
||
"certificate_expiry_metadata_ref",
|
||
"renewal_owner",
|
||
"acme_challenge_route_owner",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"validation_plan",
|
||
"reviewer_outcome",
|
||
"followup_owner",
|
||
"not_approval"
|
||
],
|
||
"acme_challenge_route_owner": "pending_owner_response",
|
||
"acme_route_owner_accepted": false,
|
||
"action_buttons_allowed": false,
|
||
"affected_scope": "pending_owner_response",
|
||
"blocked_actions": [
|
||
"perform_dns_query",
|
||
"perform_live_tls_probe",
|
||
"run_certbot_renew",
|
||
"run_nginx_reload",
|
||
"run_route_smoke",
|
||
"read_tls_private_key",
|
||
"store_raw_certificate_payload",
|
||
"store_dns_provider_credential",
|
||
"store_certbot_account_key",
|
||
"collect_secret_value",
|
||
"accept_unredacted_certbot_log",
|
||
"accept_shell_history_or_env_dump",
|
||
"mark_owner_response_accepted_without_reviewer_record",
|
||
"mark_certificate_coverage_confirmed_without_ref",
|
||
"modify_dns_record",
|
||
"modify_tls_certificate_path",
|
||
"modify_acme_challenge_route",
|
||
"write_production_host",
|
||
"open_runtime_gate",
|
||
"add_action_button"
|
||
],
|
||
"certbot_renew_authorized": false,
|
||
"certbot_renew_executed": false,
|
||
"certificate_coverage_basis_ref": null,
|
||
"certificate_coverage_confirmed": false,
|
||
"certificate_expiry_metadata_accepted": false,
|
||
"certificate_expiry_metadata_ref": null,
|
||
"certificate_path_domains": [
|
||
"sentry.wooo.work"
|
||
],
|
||
"certificate_paths": [
|
||
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem"
|
||
],
|
||
"control_tier": "C0",
|
||
"decision": "pending_owner_response",
|
||
"decision_reason": "pending_owner_response",
|
||
"dns_query_authorized": false,
|
||
"dns_query_executed": false,
|
||
"domain": "langfuse.wooo.work",
|
||
"followup_owner": "pending_owner_response",
|
||
"host_write_authorized": false,
|
||
"hosts": [
|
||
"192.168.0.188"
|
||
],
|
||
"live_tls_probe_authorized": false,
|
||
"live_tls_probe_executed": false,
|
||
"maintenance_window": "pending_owner_response",
|
||
"maintenance_window_accepted": false,
|
||
"nginx_reload_authorized": false,
|
||
"nginx_reload_executed": false,
|
||
"not_approval": true,
|
||
"outcome_lanes": [
|
||
"waiting_owner_response",
|
||
"quarantine_raw_certificate_or_secret",
|
||
"reject_execution_request",
|
||
"request_supplement",
|
||
"ready_for_certificate_coverage_review",
|
||
"owner_review_only_update",
|
||
"waiting_runtime_gate"
|
||
],
|
||
"owner_response_accepted": false,
|
||
"owner_response_quarantined": false,
|
||
"owner_response_received": false,
|
||
"owner_response_ref": null,
|
||
"owner_response_rejected": false,
|
||
"owner_role_or_team": "pending_owner_response",
|
||
"production_write_authorized": false,
|
||
"recipient_confirmed": false,
|
||
"redacted_evidence_refs": [],
|
||
"renewal_owner": "pending_owner_response",
|
||
"renewal_owner_accepted": false,
|
||
"request_id": "domain_tls_certbot_owner_confirmation:langfuse.wooo.work",
|
||
"request_sent": false,
|
||
"required_owner_response_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"certificate_coverage_basis_ref",
|
||
"certificate_expiry_metadata_ref",
|
||
"renewal_owner",
|
||
"acme_challenge_route_owner",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"validation_plan",
|
||
"followup_owner"
|
||
],
|
||
"reviewer_checks": [
|
||
"owner_identity_present",
|
||
"decision_and_reason_present",
|
||
"redacted_refs_only",
|
||
"raw_certificate_absent",
|
||
"secret_value_absent",
|
||
"coverage_basis_ref_present",
|
||
"expiry_metadata_ref_not_probe",
|
||
"renewal_owner_separate_from_action",
|
||
"acme_route_owner_present",
|
||
"maintenance_window_present",
|
||
"rollback_owner_present",
|
||
"validation_plan_present",
|
||
"counts_transition_safe"
|
||
],
|
||
"reviewer_outcome": "waiting_owner_response",
|
||
"rollback_owner": "pending_owner_response",
|
||
"rollback_owner_accepted": false,
|
||
"route_smoke_authorized": false,
|
||
"route_smoke_executed": false,
|
||
"runtime_gate": false,
|
||
"secret_value_collection_allowed": false,
|
||
"status": "waiting_owner_response",
|
||
"supplement_requested": false,
|
||
"validation_plan": "pending_owner_response"
|
||
},
|
||
{
|
||
"acceptance_candidate_id": "domain_tls_certbot_owner_response_acceptance:signoz.wooo.work",
|
||
"acceptance_fields": [
|
||
"acceptance_candidate_id",
|
||
"request_id",
|
||
"domain",
|
||
"control_tier",
|
||
"hosts",
|
||
"certificate_path_domains",
|
||
"certificate_paths",
|
||
"owner_response_ref",
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"certificate_coverage_basis_ref",
|
||
"certificate_expiry_metadata_ref",
|
||
"renewal_owner",
|
||
"acme_challenge_route_owner",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"validation_plan",
|
||
"reviewer_outcome",
|
||
"followup_owner",
|
||
"not_approval"
|
||
],
|
||
"acme_challenge_route_owner": "pending_owner_response",
|
||
"acme_route_owner_accepted": false,
|
||
"action_buttons_allowed": false,
|
||
"affected_scope": "pending_owner_response",
|
||
"blocked_actions": [
|
||
"perform_dns_query",
|
||
"perform_live_tls_probe",
|
||
"run_certbot_renew",
|
||
"run_nginx_reload",
|
||
"run_route_smoke",
|
||
"read_tls_private_key",
|
||
"store_raw_certificate_payload",
|
||
"store_dns_provider_credential",
|
||
"store_certbot_account_key",
|
||
"collect_secret_value",
|
||
"accept_unredacted_certbot_log",
|
||
"accept_shell_history_or_env_dump",
|
||
"mark_owner_response_accepted_without_reviewer_record",
|
||
"mark_certificate_coverage_confirmed_without_ref",
|
||
"modify_dns_record",
|
||
"modify_tls_certificate_path",
|
||
"modify_acme_challenge_route",
|
||
"write_production_host",
|
||
"open_runtime_gate",
|
||
"add_action_button"
|
||
],
|
||
"certbot_renew_authorized": false,
|
||
"certbot_renew_executed": false,
|
||
"certificate_coverage_basis_ref": null,
|
||
"certificate_coverage_confirmed": false,
|
||
"certificate_expiry_metadata_accepted": false,
|
||
"certificate_expiry_metadata_ref": null,
|
||
"certificate_path_domains": [
|
||
"sentry.wooo.work"
|
||
],
|
||
"certificate_paths": [
|
||
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem"
|
||
],
|
||
"control_tier": "C0",
|
||
"decision": "pending_owner_response",
|
||
"decision_reason": "pending_owner_response",
|
||
"dns_query_authorized": false,
|
||
"dns_query_executed": false,
|
||
"domain": "signoz.wooo.work",
|
||
"followup_owner": "pending_owner_response",
|
||
"host_write_authorized": false,
|
||
"hosts": [
|
||
"192.168.0.188"
|
||
],
|
||
"live_tls_probe_authorized": false,
|
||
"live_tls_probe_executed": false,
|
||
"maintenance_window": "pending_owner_response",
|
||
"maintenance_window_accepted": false,
|
||
"nginx_reload_authorized": false,
|
||
"nginx_reload_executed": false,
|
||
"not_approval": true,
|
||
"outcome_lanes": [
|
||
"waiting_owner_response",
|
||
"quarantine_raw_certificate_or_secret",
|
||
"reject_execution_request",
|
||
"request_supplement",
|
||
"ready_for_certificate_coverage_review",
|
||
"owner_review_only_update",
|
||
"waiting_runtime_gate"
|
||
],
|
||
"owner_response_accepted": false,
|
||
"owner_response_quarantined": false,
|
||
"owner_response_received": false,
|
||
"owner_response_ref": null,
|
||
"owner_response_rejected": false,
|
||
"owner_role_or_team": "pending_owner_response",
|
||
"production_write_authorized": false,
|
||
"recipient_confirmed": false,
|
||
"redacted_evidence_refs": [],
|
||
"renewal_owner": "pending_owner_response",
|
||
"renewal_owner_accepted": false,
|
||
"request_id": "domain_tls_certbot_owner_confirmation:signoz.wooo.work",
|
||
"request_sent": false,
|
||
"required_owner_response_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"certificate_coverage_basis_ref",
|
||
"certificate_expiry_metadata_ref",
|
||
"renewal_owner",
|
||
"acme_challenge_route_owner",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"validation_plan",
|
||
"followup_owner"
|
||
],
|
||
"reviewer_checks": [
|
||
"owner_identity_present",
|
||
"decision_and_reason_present",
|
||
"redacted_refs_only",
|
||
"raw_certificate_absent",
|
||
"secret_value_absent",
|
||
"coverage_basis_ref_present",
|
||
"expiry_metadata_ref_not_probe",
|
||
"renewal_owner_separate_from_action",
|
||
"acme_route_owner_present",
|
||
"maintenance_window_present",
|
||
"rollback_owner_present",
|
||
"validation_plan_present",
|
||
"counts_transition_safe"
|
||
],
|
||
"reviewer_outcome": "waiting_owner_response",
|
||
"rollback_owner": "pending_owner_response",
|
||
"rollback_owner_accepted": false,
|
||
"route_smoke_authorized": false,
|
||
"route_smoke_executed": false,
|
||
"runtime_gate": false,
|
||
"secret_value_collection_allowed": false,
|
||
"status": "waiting_owner_response",
|
||
"supplement_requested": false,
|
||
"validation_plan": "pending_owner_response"
|
||
},
|
||
{
|
||
"acceptance_candidate_id": "domain_tls_certbot_owner_response_acceptance:tsenyang.com",
|
||
"acceptance_fields": [
|
||
"acceptance_candidate_id",
|
||
"request_id",
|
||
"domain",
|
||
"control_tier",
|
||
"hosts",
|
||
"certificate_path_domains",
|
||
"certificate_paths",
|
||
"owner_response_ref",
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"certificate_coverage_basis_ref",
|
||
"certificate_expiry_metadata_ref",
|
||
"renewal_owner",
|
||
"acme_challenge_route_owner",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"validation_plan",
|
||
"reviewer_outcome",
|
||
"followup_owner",
|
||
"not_approval"
|
||
],
|
||
"acme_challenge_route_owner": "pending_owner_response",
|
||
"acme_route_owner_accepted": false,
|
||
"action_buttons_allowed": false,
|
||
"affected_scope": "pending_owner_response",
|
||
"blocked_actions": [
|
||
"perform_dns_query",
|
||
"perform_live_tls_probe",
|
||
"run_certbot_renew",
|
||
"run_nginx_reload",
|
||
"run_route_smoke",
|
||
"read_tls_private_key",
|
||
"store_raw_certificate_payload",
|
||
"store_dns_provider_credential",
|
||
"store_certbot_account_key",
|
||
"collect_secret_value",
|
||
"accept_unredacted_certbot_log",
|
||
"accept_shell_history_or_env_dump",
|
||
"mark_owner_response_accepted_without_reviewer_record",
|
||
"mark_certificate_coverage_confirmed_without_ref",
|
||
"modify_dns_record",
|
||
"modify_tls_certificate_path",
|
||
"modify_acme_challenge_route",
|
||
"write_production_host",
|
||
"open_runtime_gate",
|
||
"add_action_button"
|
||
],
|
||
"certbot_renew_authorized": false,
|
||
"certbot_renew_executed": false,
|
||
"certificate_coverage_basis_ref": null,
|
||
"certificate_coverage_confirmed": false,
|
||
"certificate_expiry_metadata_accepted": false,
|
||
"certificate_expiry_metadata_ref": null,
|
||
"certificate_path_domains": [
|
||
"www.tsenyang.com"
|
||
],
|
||
"certificate_paths": [
|
||
"/etc/letsencrypt/live/www.tsenyang.com/fullchain.pem"
|
||
],
|
||
"control_tier": "C0",
|
||
"decision": "pending_owner_response",
|
||
"decision_reason": "pending_owner_response",
|
||
"dns_query_authorized": false,
|
||
"dns_query_executed": false,
|
||
"domain": "tsenyang.com",
|
||
"followup_owner": "pending_owner_response",
|
||
"host_write_authorized": false,
|
||
"hosts": [
|
||
"192.168.0.188"
|
||
],
|
||
"live_tls_probe_authorized": false,
|
||
"live_tls_probe_executed": false,
|
||
"maintenance_window": "pending_owner_response",
|
||
"maintenance_window_accepted": false,
|
||
"nginx_reload_authorized": false,
|
||
"nginx_reload_executed": false,
|
||
"not_approval": true,
|
||
"outcome_lanes": [
|
||
"waiting_owner_response",
|
||
"quarantine_raw_certificate_or_secret",
|
||
"reject_execution_request",
|
||
"request_supplement",
|
||
"ready_for_certificate_coverage_review",
|
||
"owner_review_only_update",
|
||
"waiting_runtime_gate"
|
||
],
|
||
"owner_response_accepted": false,
|
||
"owner_response_quarantined": false,
|
||
"owner_response_received": false,
|
||
"owner_response_ref": null,
|
||
"owner_response_rejected": false,
|
||
"owner_role_or_team": "pending_owner_response",
|
||
"production_write_authorized": false,
|
||
"recipient_confirmed": false,
|
||
"redacted_evidence_refs": [],
|
||
"renewal_owner": "pending_owner_response",
|
||
"renewal_owner_accepted": false,
|
||
"request_id": "domain_tls_certbot_owner_confirmation:tsenyang.com",
|
||
"request_sent": false,
|
||
"required_owner_response_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"certificate_coverage_basis_ref",
|
||
"certificate_expiry_metadata_ref",
|
||
"renewal_owner",
|
||
"acme_challenge_route_owner",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"validation_plan",
|
||
"followup_owner"
|
||
],
|
||
"reviewer_checks": [
|
||
"owner_identity_present",
|
||
"decision_and_reason_present",
|
||
"redacted_refs_only",
|
||
"raw_certificate_absent",
|
||
"secret_value_absent",
|
||
"coverage_basis_ref_present",
|
||
"expiry_metadata_ref_not_probe",
|
||
"renewal_owner_separate_from_action",
|
||
"acme_route_owner_present",
|
||
"maintenance_window_present",
|
||
"rollback_owner_present",
|
||
"validation_plan_present",
|
||
"counts_transition_safe"
|
||
],
|
||
"reviewer_outcome": "waiting_owner_response",
|
||
"rollback_owner": "pending_owner_response",
|
||
"rollback_owner_accepted": false,
|
||
"route_smoke_authorized": false,
|
||
"route_smoke_executed": false,
|
||
"runtime_gate": false,
|
||
"secret_value_collection_allowed": false,
|
||
"status": "waiting_owner_response",
|
||
"supplement_requested": false,
|
||
"validation_plan": "pending_owner_response"
|
||
}
|
||
],
|
||
"acceptance_fields": [
|
||
"acceptance_candidate_id",
|
||
"request_id",
|
||
"domain",
|
||
"control_tier",
|
||
"hosts",
|
||
"certificate_path_domains",
|
||
"certificate_paths",
|
||
"owner_response_ref",
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"certificate_coverage_basis_ref",
|
||
"certificate_expiry_metadata_ref",
|
||
"renewal_owner",
|
||
"acme_challenge_route_owner",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"validation_plan",
|
||
"reviewer_outcome",
|
||
"followup_owner",
|
||
"not_approval"
|
||
],
|
||
"blocked_actions": [
|
||
"perform_dns_query",
|
||
"perform_live_tls_probe",
|
||
"run_certbot_renew",
|
||
"run_nginx_reload",
|
||
"run_route_smoke",
|
||
"read_tls_private_key",
|
||
"store_raw_certificate_payload",
|
||
"store_dns_provider_credential",
|
||
"store_certbot_account_key",
|
||
"collect_secret_value",
|
||
"accept_unredacted_certbot_log",
|
||
"accept_shell_history_or_env_dump",
|
||
"mark_owner_response_accepted_without_reviewer_record",
|
||
"mark_certificate_coverage_confirmed_without_ref",
|
||
"modify_dns_record",
|
||
"modify_tls_certificate_path",
|
||
"modify_acme_challenge_route",
|
||
"write_production_host",
|
||
"open_runtime_gate",
|
||
"add_action_button"
|
||
],
|
||
"execution_boundaries": {
|
||
"action_buttons_allowed": false,
|
||
"certbot_renew_authorized": false,
|
||
"certbot_renew_executed": false,
|
||
"dns_query_authorized": false,
|
||
"dns_query_executed": false,
|
||
"host_write_authorized": false,
|
||
"live_tls_probe_authorized": false,
|
||
"live_tls_probe_executed": false,
|
||
"nginx_reload_authorized": false,
|
||
"nginx_reload_executed": false,
|
||
"not_authorization": true,
|
||
"owner_response_accepted": false,
|
||
"production_write_authorized": false,
|
||
"raw_certificate_storage_allowed": false,
|
||
"request_dispatch_authorized": false,
|
||
"route_smoke_authorized": false,
|
||
"route_smoke_executed": false,
|
||
"runtime_execution_authorized": false,
|
||
"secret_value_collection_allowed": false,
|
||
"tls_private_key_read_authorized": false
|
||
},
|
||
"generated_at": "2026-06-14T23:05:00+08:00",
|
||
"git_commit": "d26f3bef",
|
||
"next_steps": [
|
||
"等待 owner response;未收到前不得更新 accepted count。",
|
||
"收到回覆後先走 raw cert / private key / credential / execution request 檢查,不合格即隔離、拒收或補件。",
|
||
"metadata 合格也只能進 certificate coverage reviewer review;DNS query、TLS probe、certbot renew、Nginx reload 與 route smoke 仍需獨立人工批准。"
|
||
],
|
||
"outcome_lanes": [
|
||
{
|
||
"lane_id": "waiting_owner_response",
|
||
"meaning": "尚未收到 owner response;所有 accepted / runtime count 維持 0。"
|
||
},
|
||
{
|
||
"lane_id": "quarantine_raw_certificate_or_secret",
|
||
"meaning": "收到 raw cert、private key、DNS credential 或 certbot account 內容時,只能隔離。"
|
||
},
|
||
{
|
||
"lane_id": "reject_execution_request",
|
||
"meaning": "夾帶 DNS query、TLS probe、certbot renew、Nginx reload 或 host write 要求時拒收。"
|
||
},
|
||
{
|
||
"lane_id": "request_supplement",
|
||
"meaning": "欄位不足、scope 不清或 evidence ref 不可追溯時要求補件。"
|
||
},
|
||
{
|
||
"lane_id": "ready_for_certificate_coverage_review",
|
||
"meaning": "metadata 合格後,只能進憑證覆蓋關係 reviewer review,不自動 probe。"
|
||
},
|
||
{
|
||
"lane_id": "owner_review_only_update",
|
||
"meaning": "只允許更新只讀 owner review ledger,不得修改 DNS、TLS、certbot 或 Nginx。"
|
||
},
|
||
{
|
||
"lane_id": "waiting_runtime_gate",
|
||
"meaning": "即使 owner response accepted,DNS / TLS / certbot runtime gate 仍等待獨立人工批准。"
|
||
}
|
||
],
|
||
"required_owner_response_fields": [
|
||
"owner_role_or_team",
|
||
"decision",
|
||
"decision_reason",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"certificate_coverage_basis_ref",
|
||
"certificate_expiry_metadata_ref",
|
||
"renewal_owner",
|
||
"acme_challenge_route_owner",
|
||
"maintenance_window",
|
||
"rollback_owner",
|
||
"validation_plan",
|
||
"followup_owner"
|
||
],
|
||
"reviewer_checks": [
|
||
{
|
||
"check_id": "owner_identity_present",
|
||
"instruction": "owner role / team 必須可追溯,不能只寫個人暱稱或聊天同意。"
|
||
},
|
||
{
|
||
"check_id": "decision_and_reason_present",
|
||
"instruction": "decision 與 decision reason 必須同時存在,且不得包含機敏值。"
|
||
},
|
||
{
|
||
"check_id": "redacted_refs_only",
|
||
"instruction": "evidence 只能是脫敏 ref、ticket、hash、文件路徑或摘要。"
|
||
},
|
||
{
|
||
"check_id": "raw_certificate_absent",
|
||
"instruction": "不得出現 raw certificate payload、完整 SAN dump、private key 或 ACME account key。"
|
||
},
|
||
{
|
||
"check_id": "secret_value_absent",
|
||
"instruction": "不得出現 DNS credential、registrar credential、token、cookie、authorization header 或 Basic Auth。"
|
||
},
|
||
{
|
||
"check_id": "coverage_basis_ref_present",
|
||
"instruction": "SAN、wildcard 或共用憑證覆蓋依據必須是 metadata ref,不得貼 raw cert。"
|
||
},
|
||
{
|
||
"check_id": "expiry_metadata_ref_not_probe",
|
||
"instruction": "憑證到期資訊只能是 owner-provided metadata ref;不得由本帳本觸發 live probe。"
|
||
},
|
||
{
|
||
"check_id": "renewal_owner_separate_from_action",
|
||
"instruction": "renewal owner 可以被記錄,但 certbot renew 需另開人工批准包。"
|
||
},
|
||
{
|
||
"check_id": "acme_route_owner_present",
|
||
"instruction": "HTTP-01 ACME path 與 route smoke owner 必須清楚,且不得自動 route smoke。"
|
||
},
|
||
{
|
||
"check_id": "maintenance_window_present",
|
||
"instruction": "任何未來 probe、renew、reload 都必須有維護窗口或明確禁止窗口。"
|
||
},
|
||
{
|
||
"check_id": "rollback_owner_present",
|
||
"instruction": "rollback owner 與 rollback ref 必須存在,且不可指向 raw secret。"
|
||
},
|
||
{
|
||
"check_id": "validation_plan_present",
|
||
"instruction": "validation plan 必須列 DNS / TLS / ACME / route post-check 指標,但不授權執行。"
|
||
},
|
||
{
|
||
"check_id": "counts_transition_safe",
|
||
"instruction": "只有 reviewer record 可更新 received / accepted / rejected;不得同時開 runtime gate。"
|
||
}
|
||
],
|
||
"schema_version": "domain_tls_certbot_owner_response_acceptance_v1",
|
||
"source_owner_confirmation_request_schema_version": "domain_tls_certbot_owner_confirmation_request_v1",
|
||
"source_owner_confirmation_request_status": "owner_confirmation_request_ready_not_dispatched",
|
||
"status": "owner_response_acceptance_ledger_ready_no_runtime_action",
|
||
"summary": {
|
||
"acceptance_candidate_count": 4,
|
||
"acceptance_field_count": 23,
|
||
"acme_route_owner_accepted_count": 0,
|
||
"action_button_count": 0,
|
||
"blocked_action_count": 20,
|
||
"c0_acceptance_candidate_count": 4,
|
||
"certbot_renew_authorized_count": 0,
|
||
"certbot_renew_executed_count": 0,
|
||
"certificate_coverage_confirmed_count": 0,
|
||
"certificate_expiry_metadata_accepted_count": 0,
|
||
"dns_query_authorized_count": 0,
|
||
"dns_query_executed_count": 0,
|
||
"host_write_authorized_count": 0,
|
||
"live_tls_probe_authorized_count": 0,
|
||
"live_tls_probe_executed_count": 0,
|
||
"maintenance_window_accepted_count": 0,
|
||
"nginx_reload_authorized_count": 0,
|
||
"nginx_reload_executed_count": 0,
|
||
"outcome_lane_count": 7,
|
||
"owner_response_accepted_count": 0,
|
||
"owner_response_quarantined_count": 0,
|
||
"owner_response_received_count": 0,
|
||
"owner_response_rejected_count": 0,
|
||
"recipient_confirmed_count": 0,
|
||
"renewal_owner_accepted_count": 0,
|
||
"request_sent_count": 0,
|
||
"required_owner_response_field_count": 13,
|
||
"reviewer_check_count": 13,
|
||
"rollback_owner_accepted_count": 0,
|
||
"route_smoke_authorized_count": 0,
|
||
"route_smoke_executed_count": 0,
|
||
"runtime_gate_count": 0,
|
||
"source_owner_confirmation_request_count": 4,
|
||
"supplement_requested_count": 0
|
||
}
|
||
}
|