Files
awoooi/docs/security/PUBLIC-GATEWAY-OWNER-RESPONSE-ACCEPTANCE.md
Your Name 9b8ca2c509
All checks were successful
Code Review / ai-code-review (push) Successful in 24s
CD Pipeline / tests (push) Successful in 1m46s
CD Pipeline / build-and-deploy (push) Successful in 6m27s
CD Pipeline / post-deploy-checks (push) Successful in 2m59s
feat(iwooos): 強化 public gateway 緊急變更回補
2026-06-15 14:06:23 +08:00

170 lines
10 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS Public Gateway Owner Response Acceptance 只讀帳本
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-15 |
| 狀態 | `owner_response_acceptance_ledger_ready_no_runtime_action` |
| 工具 | `scripts/security/public-gateway-owner-response-acceptance.py` |
| Snapshot | `docs/security/public-gateway-owner-response-acceptance.snapshot.json` |
| 來源 | `public-gateway-live-conf-export-request.snapshot.json``public-gateway-redacted-export-intake-preflight.snapshot.json``public-gateway-rendered-diff-gate-draft.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
本文件把 Public Gateway live conf 匯出請求、redacted export 收件預檢、rendered diff / `nginx -t` gate 草稿串成 owner response acceptance 只讀帳本。目的不是執行 Nginx而是固定未來 owner 回覆要如何被 reviewer 收件、補件、隔離、拒收或進入 rendered diff review。
本階段不讀 live Nginx conf、不 SSH、不執行 `nginx -t`、不 reload Nginx、不做 route smoke、不做 DNS / TLS probe、不 renew certbot、不改 Nginx / DNS / TLS 設定、不寫 production host、不開 action button。
2026-06-15 起,本帳本也負責處理手動或緊急 Public Gateway 變更的最小可追溯 metadata。任何疑似未授權 Nginx / route / upstream / port / proxy 變更,都必須先補脫敏 change actor/source ref、change time window、cross-project impact ref、communication sync ref、change intent / ticket ref、pre-change approval 或 break-glass reason ref、route health impact ref、rollback validation ref 與 post-change monitoring window這些欄位只用於責任、影響與回復追蹤不代表允許讀 live conf、reload 或改 route。
## 2. 摘要
| 指標 | 目前值 | 說明 |
|------|--------|------|
| source export request | `3` | 來自 live conf 匯出請求包 |
| source intake candidate | `3` | 來自 redacted export 收件預檢 |
| source diff gate candidate | `3` | 來自 rendered diff gate 草稿 |
| acceptance candidate | `3` | 對應三份 public gateway config |
| C0 / C1 acceptance candidate | `2 / 1` | 188 公開入口兩份為 C0110 Ollama proxy 為 C1 |
| acceptance field | `33` | 每份 acceptance candidate 固定欄位數 |
| required owner response field | `22` | owner 必須提供的最小欄位 |
| reviewer check | `22` | reviewer 收件前必檢項 |
| outcome lane | `8` | 等待、隔離、拒收、補件、review、只讀更新、緊急變更補件、等待 runtime gate |
| blocked action | `28` | 驗收前全部禁止 |
| owner response received / accepted | `0 / 0` | 不得假性拉高 |
| rendered diff / `nginx -t` / reload / route smoke | `0` | 未授權且未執行 |
| runtime gate / action button | `0 / 0` | 不開任何執行入口 |
## 3. Owner 必填欄位
| 欄位 | 說明 |
|------|------|
| `owner_role_or_team` | Public Gateway / Nginx owner role 或 team |
| `decision` | 對本 config scope 的回覆判定 |
| `decision_reason` | 決策理由,不得包含機敏值 |
| `affected_routes` | 受影響 domain / route / upstream scope |
| `redacted_live_conf_ref` | 脫敏 live conf evidence ref不得貼 raw conf |
| `source_to_live_rendered_diff_ref` | source-to-live rendered diff ref不得貼 raw diff payload |
| `nginx_test_plan_ref` | 後續 `nginx -t` 計畫或 evidence ref不代表已授權 |
| `route_smoke_plan_ref` | route smoke matrix ref |
| `maintenance_window` | 維護窗口或禁止窗口 |
| `rollback_owner` | rollback 負責人與 rollback ref |
| `postcheck_plan` | reload / route smoke 後的 post-check plan |
| `change_actor_or_source_ref` | 若有手動或緊急變更,提供脫敏 actor / source ref不得貼帳密或 raw shell history |
| `change_time_window` | 變更或事故時間窗,讓 route smoke、告警與跨專案影響能對齊 |
| `cross_project_impact_ref` | 跨產品 / 跨專案影響 ref避免只修單一路由卻造成其他服務中斷 |
| `communication_sync_ref` | 通知或協調 ref證明相關專案 owner 已收到影響與回復狀態 |
| `change_intent_or_ticket_ref` | 變更意圖、維護單、事故單或 ticket ref不得只用聊天口頭同意 |
| `pre_change_approval_ref` | 正常變更的事前批准 ref緊急變更不得用此欄偽造批准 |
| `break_glass_reason_ref` | 緊急變更的 break-glass 事由 ref只代表事後補件不代表已批准 |
| `route_health_impact_ref` | route health / service health impact ref需能對齊 affected routes |
| `rollback_validation_ref` | rollback validation ref需能追溯 rollback owner 與回滾後驗證方式 |
| `post_change_monitoring_window` | 事後觀察窗口讓告警、route smoke 與跨專案回復狀態能對齊 |
| `followup_owner` | 補件、隔離、拒收或下一步 review owner |
## 4. Reviewer Checks
| Check | 規則 |
|-------|------|
| `owner_identity_present` | owner role / team 必須可追溯 |
| `decision_reason_present` | decision 與 decision reason 必須同時存在 |
| `redacted_refs_only` | evidence 只能是脫敏 ref、hash、ticket、commit 或 artifact pointer |
| `raw_conf_absent` | 不得出現 raw live Nginx conf、完整 upstream payload 或未遮蔽 host secret |
| `secret_value_absent` | 不得出現 token、cookie、private key、完整憑證內容或 secret derivative |
| `route_scope_matches_snapshot` | affected routes 必須能對回 committed public gateway snapshot |
| `rendered_diff_ref_not_payload` | rendered diff 只能是 ref不得把 payload 直接貼進 owner response |
| `nginx_test_separate_approval` | `nginx -t` 必須另走人工批准,不得自動觸發 |
| `route_smoke_plan_present` | route smoke plan 必須列 affected routes、預期 status、TLS / WebSocket / ACME checks |
| `maintenance_window_present` | 必須有維護窗口或明確禁止窗口 |
| `rollback_owner_present` | rollback owner 與 rollback ref 必須存在 |
| `change_actor_or_source_ref_present` | 手動或緊急變更必須有脫敏 actor / source ref |
| `change_time_window_present` | 必須提供變更或事故時間窗 |
| `cross_project_impact_review_present` | 必須提供跨產品 / 跨專案影響 ref |
| `communication_sync_ref_present` | 必須提供通知或協調 ref |
| `change_intent_or_ticket_ref_present` | 每次 Public Gateway / Nginx 變更都必須有 change intent、ticket、incident 或 maintenance ref |
| `pre_change_approval_or_break_glass_present` | 正常變更需有 pre-change approval ref緊急變更需有 break-glass reason ref且不得把 break-glass 當成事前批准 |
| `route_health_impact_present` | 必須提供 route health / service health impact ref確認受影響 domain、upstream、WebSocket、ACME 與 API 是否恢復 |
| `rollback_validation_present` | 必須提供 rollback validation ref證明回滾路徑、回滾 owner 與回滾後驗證方式可追溯 |
| `post_change_monitoring_window_present` | 必須提供 post-change monitoring window |
| `manual_change_not_silent` | 任何手動或緊急 gateway 變更不得靜默收件;缺 actor、意圖、影響、通知或回滾驗證就必須補件或拒收 |
| `counts_transition_safe` | 只有 reviewer record 可更新 received / accepted / rejected不得同時開 runtime gate |
## 5. Outcome Lanes
| Lane | 意義 |
|------|------|
| `waiting_owner_response` | 尚未收到 owner response所有 accepted / runtime count 維持 0 |
| `quarantine_raw_payload` | 收到 raw conf、payload 或不可保存內容時只能隔離 |
| `reject_secret_or_unredacted_conf` | 出現 secret value、未脫敏 live conf 或 credential derivative 時直接拒收 |
| `request_supplement` | 欄位不足、scope 不清或 evidence ref 不可追溯時要求補件 |
| `ready_for_rendered_diff_review` | metadata 合格後,只能進 rendered diff reviewer review |
| `owner_review_only_update` | 只允許更新只讀 owner review ledger |
| `emergency_change_backfill_required` | 手動或緊急 gateway 變更只能進事後補件,不得因 break-glass 而自動接受或開 runtime gate |
| `waiting_runtime_gate` | 即使 owner response acceptedruntime gate 仍等待獨立人工批准 |
## 6. Blocked Actions
```text
read_live_conf_over_ssh
store_raw_live_conf
accept_unredacted_live_conf
collect_secret_value
render_diff_from_unredacted_payload
mark_owner_response_accepted_without_reviewer_record
nginx_test_without_separate_approval
nginx_reload_without_separate_approval
route_smoke_without_matrix
dns_probe_without_approval
tls_probe_without_approval
certbot_renew_without_approval
modify_nginx_conf
modify_dns_tls_config
change_public_route
write_production_host
accept_unknown_change_actor
accept_missing_change_time_window
skip_cross_project_impact_review
skip_incident_communication_sync
accept_silent_manual_nginx_change
treat_break_glass_as_approval
mark_gateway_change_resolved_without_route_health
skip_rollback_validation
skip_post_change_monitoring
hide_cross_project_route_impact
open_runtime_gate
add_action_button
```
## 7. 指令
固定 committed snapshot
```bash
python3 scripts/security/public-gateway-owner-response-acceptance.py \
--root . \
--output docs/security/public-gateway-owner-response-acceptance.snapshot.json \
--generated-at 2026-06-15T14:10:00+08:00
```
只讀 guard
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/source-control-owner-response-guard.py --root .
```
## 8. 完成度
| 工作 | 完成度 | 說明 |
|------|--------|------|
| owner response acceptance ledger artifact | `100%` | 3 份 public gateway config 已有只讀收件判定帳本 |
| 手動 / 緊急 gateway 變更 metadata gate | `100%` | 已要求 actor/source、time window、cross-project impact、communication sync、change intent、approval / break-glass、route health impact、rollback validation 與 post-change monitoring不收 raw payload |
| owner response received / accepted | `0%` | 尚未收到或接受任何 owner response |
| rendered diff / `nginx -t` / reload / route smoke | `0%` | 未授權且未執行 |
| DNS / TLS / certbot | `0%` | 未授權且未執行 |
| runtime gate / production write | `0%` | 無 action button無 host write |
## 9. 邊界
這份帳本不是 live gateway truth、不是 Nginx 變更批准、不是 `nginx -t` 授權、不是 reload 授權、不是 DNS / TLS / certbot 授權,也不是 route smoke 或 runtime gate。不得把 owner response acceptance ledger、snapshot、LOGBOOK、IwoooS UI 或 AwoooP approval 解讀成可以讀 live conf、改 Nginx、改公開路由、收 secret、寫 production host、開 action button 或執行任何 gateway 操作。