Files
awoooi/docs/security/public-gateway-live-conf-export-request.snapshot.json

273 lines
12 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"execution_boundaries": {
"action_buttons_allowed": false,
"certbot_renew_authorized": false,
"dns_query_executed": false,
"host_live_conf_read_authorized": false,
"live_tls_probe_executed": false,
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"not_authorization": true,
"production_write_authorized": false,
"raw_live_conf_storage_allowed": false,
"route_smoke_authorized": false,
"route_smoke_executed": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"ssh_read_authorized": false
},
"export_request_fields": [
"export_request_id",
"config_id",
"host",
"live_path",
"export_owner_role_or_team",
"export_method",
"redaction_policy_ref",
"redacted_live_conf_ref",
"source_snapshot_ref",
"intended_use",
"followup_owner",
"not_approval"
],
"export_requests": [
{
"action_buttons_allowed": false,
"config_id": "host188_all_sites",
"control_tier": "C0",
"export_method": "owner_provided_redacted_export_only",
"export_owner_role_or_team": "pending_owner_role_or_team",
"export_request_fields": [
"export_request_id",
"config_id",
"host",
"live_path",
"export_owner_role_or_team",
"export_method",
"redaction_policy_ref",
"redacted_live_conf_ref",
"source_snapshot_ref",
"intended_use",
"followup_owner",
"not_approval"
],
"export_request_id": "public_gateway_live_conf_export:host188_all_sites",
"followup_owner": "pending_followup_owner",
"host": "192.168.0.188",
"intended_use": "rendered_diff_and_route_change_preflight_only",
"live_path": "/etc/nginx/sites-enabled/all-sites.conf",
"nginx_reload_authorized": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"not_approval": true,
"owner_gate": "public_gateway_owner_response_required",
"production_write_authorized": false,
"raw_live_conf_stored": false,
"recipient_confirmed": false,
"redacted_export_received": false,
"redacted_live_conf_ref": null,
"redaction_policy_ref": "docs/security/PUBLIC-GATEWAY-LIVE-CONF-EXPORT-REQUEST.md#3-redaction-policy",
"redaction_rules": [
"只收 owner 提供的脫敏 live conf export ref不收 raw live conf。",
"不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。",
"若 upstream URL 含 credential必須整段遮罩為 redacted_upstream_credential。",
"若路徑含 private credential、query token 或 webhook secret必須整段遮罩。",
"允許保留 server_name、listen、location、proxy_pass host / port、ACME path、TLS certificate path metadata。",
"不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。",
"疑似敏感 payload 只能記 quarantine metadata不得寫入 repo、LOGBOOK 或前端。",
"匯出請求不等於 nginx -t、reload、route smoke、DNS / TLS probe 或 production write 授權。"
],
"rendered_diff_ready": false,
"repo_source_path": "infra/ansible/roles/nginx/templates/188-all-sites.conf.j2",
"request_sent": false,
"role": "public_gateway_all_sites",
"route_impact_summary": {
"acme_route_count": 2,
"admin_route_count": 2,
"server_name_count": 9,
"tls_certificate_path_count": 7,
"upstream_count": 10,
"websocket_route_count": 5
},
"route_smoke_authorized": false,
"route_smoke_executed": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_snapshot_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
"status": "draft_not_dispatched"
},
{
"action_buttons_allowed": false,
"config_id": "host188_internal_tools_https",
"control_tier": "C0",
"export_method": "owner_provided_redacted_export_only",
"export_owner_role_or_team": "pending_owner_role_or_team",
"export_request_fields": [
"export_request_id",
"config_id",
"host",
"live_path",
"export_owner_role_or_team",
"export_method",
"redaction_policy_ref",
"redacted_live_conf_ref",
"source_snapshot_ref",
"intended_use",
"followup_owner",
"not_approval"
],
"export_request_id": "public_gateway_live_conf_export:host188_internal_tools_https",
"followup_owner": "pending_followup_owner",
"host": "192.168.0.188",
"intended_use": "rendered_diff_and_route_change_preflight_only",
"live_path": "owner_confirmation_required",
"nginx_reload_authorized": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"not_approval": true,
"owner_gate": "public_tools_owner_response_required",
"production_write_authorized": false,
"raw_live_conf_stored": false,
"recipient_confirmed": false,
"redacted_export_received": false,
"redacted_live_conf_ref": null,
"redaction_policy_ref": "docs/security/PUBLIC-GATEWAY-LIVE-CONF-EXPORT-REQUEST.md#3-redaction-policy",
"redaction_rules": [
"只收 owner 提供的脫敏 live conf export ref不收 raw live conf。",
"不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。",
" upstream URL credential redacted_upstream_credential",
" private credentialquery token webhook secret",
" server_namelistenlocationproxy_pass host / portACME pathTLS certificate path metadata",
" shell historyDB URL log",
" payload quarantine metadata repoLOGBOOK ",
" nginx -treloadroute smokeDNS / TLS probe production write "
],
"rendered_diff_ready": false,
"repo_source_path": "infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2",
"request_sent": false,
"role": "public_internal_tools_https",
"route_impact_summary": {
"acme_route_count": 1,
"admin_route_count": 0,
"server_name_count": 7,
"tls_certificate_path_count": 4,
"upstream_count": 6,
"websocket_route_count": 2
},
"route_smoke_authorized": false,
"route_smoke_executed": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_snapshot_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
"status": "draft_not_dispatched"
},
{
"action_buttons_allowed": false,
"config_id": "host110_ollama_proxy",
"control_tier": "C1",
"export_method": "owner_provided_redacted_export_only",
"export_owner_role_or_team": "pending_owner_role_or_team",
"export_request_fields": [
"export_request_id",
"config_id",
"host",
"live_path",
"export_owner_role_or_team",
"export_method",
"redaction_policy_ref",
"redacted_live_conf_ref",
"source_snapshot_ref",
"intended_use",
"followup_owner",
"not_approval"
],
"export_request_id": "public_gateway_live_conf_export:host110_ollama_proxy",
"followup_owner": "pending_followup_owner",
"host": "192.168.0.110",
"intended_use": "rendered_diff_and_route_change_preflight_only",
"live_path": "/etc/nginx/sites-enabled/110-ollama-proxy.conf",
"nginx_reload_authorized": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"not_approval": true,
"owner_gate": "ai_provider_proxy_owner_response_required",
"production_write_authorized": false,
"raw_live_conf_stored": false,
"recipient_confirmed": false,
"redacted_export_received": false,
"redacted_live_conf_ref": null,
"redaction_policy_ref": "docs/security/PUBLIC-GATEWAY-LIVE-CONF-EXPORT-REQUEST.md#3-redaction-policy",
"redaction_rules": [
" owner live conf export ref raw live conf",
" TLS private keytokensecretcookiesessionauthorization header Basic Auth credential",
" upstream URL credential redacted_upstream_credential",
" private credentialquery token webhook secret",
" server_namelistenlocationproxy_pass host / portACME pathTLS certificate path metadata",
" shell historyDB URL log",
" payload quarantine metadata repoLOGBOOK ",
" nginx -treloadroute smokeDNS / TLS probe production write "
],
"rendered_diff_ready": false,
"repo_source_path": "infra/ansible/roles/nginx/templates/110-ollama-proxy.conf.j2",
"request_sent": false,
"role": "ollama_proxy_gateway",
"route_impact_summary": {
"acme_route_count": 0,
"admin_route_count": 0,
"server_name_count": 0,
"tls_certificate_path_count": 0,
"upstream_count": 3,
"websocket_route_count": 0
},
"route_smoke_authorized": false,
"route_smoke_executed": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_snapshot_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
"status": "draft_not_dispatched"
}
],
"generated_at": "2026-06-14T19:05:00+08:00",
"git_commit": "0a4766dd",
"next_steps": [
" owner live conf export ref raw conf",
" export ref payload rendered diff",
"rendered diff nginx -treload route smoke "
],
"redaction_rules": [
" owner live conf export ref raw live conf",
" TLS private keytokensecretcookiesessionauthorization header Basic Auth credential",
" upstream URL credential redacted_upstream_credential",
" private credentialquery token webhook secret",
" server_namelistenlocationproxy_pass host / portACME pathTLS certificate path metadata",
" shell historyDB URL log",
" payload quarantine metadata repoLOGBOOK ",
" nginx -treloadroute smokeDNS / TLS probe production write "
],
"schema_version": "public_gateway_live_conf_export_request_v1",
"source_preflight_schema_version": "public_gateway_preflight_inventory_v1",
"source_preflight_status": "repo_only_preflight_contract_ready",
"status": "live_conf_export_request_ready_not_dispatched",
"summary": {
"action_button_count": 0,
"c0_export_request_count": 2,
"c1_export_request_count": 1,
"export_request_count": 3,
"export_request_field_count": 12,
"nginx_reload_authorized_count": 0,
"nginx_test_authorized_count": 0,
"nginx_test_executed_count": 0,
"raw_live_conf_stored_count": 0,
"recipient_confirmed_count": 0,
"redacted_export_received_count": 0,
"redaction_rule_count": 8,
"rendered_diff_ready_count": 0,
"request_sent_count": 0,
"route_smoke_authorized_count": 0,
"route_smoke_executed_count": 0,
"runtime_gate_count": 0
}
}