Files
awoooi/docs/security/DOMAIN-TLS-CERTBOT-OWNER-RESPONSE-ACCEPTANCE.md
Your Name 066bf5d1be
All checks were successful
Code Review / ai-code-review (push) Successful in 15s
fix(iwooos): 新增 dns tls owner acceptance ledger
2026-06-14 22:46:40 +08:00

131 lines
8.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS DNS / TLS / certbot Owner Response Acceptance
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-14 |
| 狀態 | `owner_response_acceptance_ledger_ready_no_runtime_action` |
| 工具 | `scripts/security/domain-tls-certbot-owner-response-acceptance.py` |
| 輸入 | `docs/security/domain-tls-certbot-owner-confirmation-request.snapshot.json` |
| Snapshot | `docs/security/domain-tls-certbot-owner-response-acceptance.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
DNS / TLS / certbot 屬於 C0 公開入口配置。既有 owner confirmation request 已把 4 個 certificate path 需確認關係列出,但若缺少 owner response acceptance 帳本,後續容易把 SAN / wildcard / 共用憑證覆蓋確認、renewal owner 或 ACME route owner 誤判成 DNS query、TLS probe、certbot renew、Nginx reload 或 route smoke 授權。
本文件只定義 owner response 如何收件、補證、隔離、拒收與進 reviewer review。它不是 request sent、不是 owner response received、不是 accepted response、不是 DNS query、不是 live TLS probe、不是 certbot renew、不是 Nginx reload、不是 route smoke也不是 host write、production write 或 runtime gate 授權。
## 2. 摘要
| 指標 | 值 | 說明 |
|------|----|------|
| acceptance candidate count | `4` | 4 個 domain / certificate path relation candidate |
| C0 acceptance candidate count | `4` | 全部位於 188 public gateway / internal tools HTTPS 範圍 |
| acceptance field count | `23` | 每份 candidate 的 metadata-only 欄位 |
| required owner response field count | `13` | owner / decision / scope / redacted refs / coverage / expiry / renewal / ACME / window / rollback / validation |
| reviewer check count | `13` | raw cert、private key、credential、execution request、coverage ref 與 runtime gate 檢查 |
| outcome lane count | `7` | waiting、quarantine、reject、supplement、coverage review、read-only update、waiting runtime gate |
| blocked action count | `20` | DNS query、TLS probe、certbot renew、Nginx reload、route smoke、secret collection 等 |
| owner response received / accepted | `0 / 0` | 尚未收到,尚未驗收 |
| DNS query / TLS probe / certbot renew / Nginx reload / route smoke | `0 / 0 / 0 / 0 / 0` | 尚未批准且未執行 |
| runtime gate / action button | `0 / 0` | 未開啟 |
## 3. 四份驗收候選
| Acceptance candidate | Control tier | 來源 request | 驗收焦點 |
|----------------------|--------------|--------------|----------|
| `domain_tls_certbot_owner_response_acceptance:gitea.wooo.work` | `C0` | `domain_tls_certbot_owner_confirmation:gitea.wooo.work` | 憑證覆蓋依據 ref、到期 metadata ref、renewal owner、ACME route owner、維護窗口與 rollback owner |
| `domain_tls_certbot_owner_response_acceptance:langfuse.wooo.work` | `C0` | `domain_tls_certbot_owner_confirmation:langfuse.wooo.work` | 憑證覆蓋依據 ref、到期 metadata ref、renewal owner、ACME route owner、維護窗口與 rollback owner |
| `domain_tls_certbot_owner_response_acceptance:signoz.wooo.work` | `C0` | `domain_tls_certbot_owner_confirmation:signoz.wooo.work` | 憑證覆蓋依據 ref、到期 metadata ref、renewal owner、ACME route owner、維護窗口與 rollback owner |
| `domain_tls_certbot_owner_response_acceptance:tsenyang.com` | `C0` | `domain_tls_certbot_owner_confirmation:tsenyang.com` | 憑證覆蓋依據 ref、到期 metadata ref、renewal owner、ACME route owner、維護窗口與 rollback owner |
## 4. Owner response 必填欄位
| 欄位 | 規則 |
|------|------|
| `owner_role_or_team` | 只填角色或團隊,不填私人聯絡資料或 credential |
| `decision` | 允許 `confirm``defer``reject``request_more_evidence` |
| `decision_reason` | 摘要說明,不貼 raw cert、private key、certbot log 或 DNS credential |
| `affected_scope` | 明確列出 domain、certificate path metadata、ACME / route 影響範圍 |
| `redacted_evidence_refs` | 只接受脫敏 ref、ticket id、文件路徑、hash 或摘要 |
| `certificate_coverage_basis_ref` | SAN / wildcard / 共用憑證覆蓋依據的脫敏 ref |
| `certificate_expiry_metadata_ref` | 憑證到期資訊只能是 owner-provided metadata ref不得貼 raw cert |
| `renewal_owner` | 未來 renewal 負責角色;不代表可執行 certbot renew |
| `acme_challenge_route_owner` | HTTP-01 ACME path 與 route smoke owner |
| `maintenance_window` | 未來 probe / renew / reload 的維護窗口;本 response 不開執行權 |
| `rollback_owner` | 未來若進變更的 rollback owner |
| `validation_plan` | DNS / TLS / ACME / route post-check 指標,不授權執行 |
| `followup_owner` | 後續補證、reviewer 或 runtime gate 負責角色 |
## 5. Reviewer checks
| Check | 說明 |
|-------|------|
| `owner_identity_present` | owner role / team 必須可追溯 |
| `decision_and_reason_present` | decision 與 reason 必須同時存在 |
| `redacted_refs_only` | evidence 只能是脫敏 ref、ticket、hash、文件路徑或摘要 |
| `raw_certificate_absent` | 不得出現 raw certificate payload、完整 SAN dump、private key 或 ACME account key |
| `secret_value_absent` | 不得出現 DNS credential、registrar credential、token、cookie、authorization header 或 Basic Auth |
| `coverage_basis_ref_present` | 覆蓋依據必須是 metadata ref |
| `expiry_metadata_ref_not_probe` | 到期資訊不得由本帳本觸發 live probe |
| `renewal_owner_separate_from_action` | renewal owner 與 certbot renew action 必須分離 |
| `acme_route_owner_present` | ACME path 與 route smoke owner 必須清楚 |
| `maintenance_window_present` | 未來執行期操作需維護窗口或明確禁止窗口 |
| `rollback_owner_present` | rollback owner 與 rollback ref 必須存在 |
| `validation_plan_present` | validation plan 只列 post-check不授權執行 |
| `counts_transition_safe` | 只有 reviewer record 可更新 received / accepted / rejected且不得開 runtime gate |
## 6. Outcome lanes
| Lane | 意義 |
|------|------|
| `waiting_owner_response` | 尚未收到 owner response |
| `quarantine_raw_certificate_or_secret` | 收到 raw cert、private key、DNS credential 或 certbot account 內容時隔離 |
| `reject_execution_request` | 夾帶 DNS query、TLS probe、certbot renew、Nginx reload 或 host write 要求時拒收 |
| `request_supplement` | 欄位不足、scope 不清或 evidence ref 不可追溯時要求補件 |
| `ready_for_certificate_coverage_review` | metadata 合格後,只能進憑證覆蓋關係 reviewer review |
| `owner_review_only_update` | 只允許更新只讀 owner review ledger |
| `waiting_runtime_gate` | 即使 owner response acceptedruntime gate 仍等待獨立人工批准 |
## 7. 禁止事項
1. 不做 DNS query。
2. 不做 live TLS probe。
3. 不執行 certbot renew。
4. 不 reload Nginx。
5. 不執行 route smoke。
6. 不讀 TLS private key。
7. 不保存 raw certificate payload、DNS credential、certbot account key、secret value、未脫敏 certbot log、shell history 或 env dump。
8. 不修改 DNS record、TLS certificate path、ACME challenge route 或 production host。
9. 不開 runtime gate不建立 action button。
## 8. 指令
產生 committed snapshot
```bash
python3 scripts/security/domain-tls-certbot-owner-response-acceptance.py \
--root . \
--owner-confirmation-request-report docs/security/domain-tls-certbot-owner-confirmation-request.snapshot.json \
--output docs/security/domain-tls-certbot-owner-response-acceptance.snapshot.json \
--generated-at 2026-06-14T23:05:00+08:00
```
驗證 guard
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 9. 完成度
| 工作 | 完成度 | 說明 |
|------|--------|------|
| owner response acceptance ledger artifact | `100%` | 產生器、snapshot 與文件已固定 |
| DNS / TLS / certbot 只讀治理成熟度 | `74% -> 78%` | 收件驗收帳本更完整;不代表 live evidence 或 runtime action |
| owner response received / accepted | `0%` | 尚未收到,尚未驗收 |
| certificate coverage confirmed | `0%` | 尚未收到 owner-provided metadata ref |
| DNS query / TLS probe | `0%` | 尚未批准且未執行 |
| certbot renew / Nginx reload / route smoke | `0%` | 尚未批准且未執行 |
| runtime gate / host write | `0%` | 未授權且未執行 |