Files
awoooi/docs/security/PUBLIC-GATEWAY-LIVE-CONF-EXPORT-REQUEST.md

102 lines
5.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS Public Gateway Live Conf 匯出請求包
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-14 |
| 狀態 | `live_conf_export_request_ready_not_dispatched` |
| 工具 | `scripts/security/public-gateway-live-conf-export-request.py` |
| 輸入 | `docs/security/public-gateway-preflight-inventory.snapshot.json` |
| Snapshot | `docs/security/public-gateway-live-conf-export-request.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
Nginx public gateway 是公開網站、API、Webhook、ACME 與 WebSocket 的共同入口。若 live Nginx conf 常被手動修改IwoooS 不能直接 SSH 去讀或覆寫 live conf第一步應先建立 owner-provided live conf 匯出請求包,明確規定只能收脫敏 export ref且不得保存 raw live conf。
本文件只定義匯出請求草稿、脫敏規則與送後不變條件。它不是 request sent、不是 live conf received、不是 rendered diff ready、不是 `nginx -t`、不是 reload、不是 route smoke也不是 production write 或 runtime gate 授權。
## 2. 摘要
| 指標 | 值 | 說明 |
|------|----|------|
| export request count | `3` | 188 all sites、188 internal tools HTTPS、110 Ollama proxy |
| C0 export request count | `2` | 188 all sites 與 188 internal tools HTTPS |
| export request field count | `12` | 每份匯出請求的 handoff 欄位 |
| redaction rule count | `8` | raw live conf 與敏感資訊拒收規則 |
| request sent | `0` | 尚未送出匯出請求 |
| recipient confirmed | `0` | 尚未確認 owner / recipient |
| redacted export received | `0` | 尚未收到脫敏 export ref |
| raw live conf stored | `0` | 不允許保存 |
| rendered diff / nginx -t / route smoke | `0 / 0 / 0` | 尚未批准且未執行 |
| runtime gate / action button | `0 / 0` | 未開啟 |
## 3. Redaction Policy
1. 只收 owner 提供的脫敏 live conf export ref不收 raw live conf。
2. 不得包含 TLS private key、token、secret、cookie、session、authorization header 或 Basic Auth credential。
3. 若 upstream URL 含 credential必須整段遮罩為 `redacted_upstream_credential`
4. 若路徑含 private credential、query token 或 webhook secret必須整段遮罩。
5. 允許保留 server name、listen、location、proxy pass host / port、ACME path、TLS certificate path metadata。
6. 不得貼主機 shell history、完整環境變數、私鑰內容、DB URL 或未脫敏 log。
7. 疑似敏感 payload 只能記 quarantine metadata不得寫入 repo、LOGBOOK 或前端。
8. 匯出請求不等於 `nginx -t`、reload、route smoke、DNS / TLS probe 或 production write 授權。
## 4. 匯出請求欄位
| 欄位 | 內容規則 |
|------|----------|
| `export_request_id` | 固定對應 public gateway live conf export不建立 runtime action id |
| `config_id` | 對應 public gateway preflight row |
| `host` | 只記 host scope不代表可 SSH |
| `live_path` | 只記 owner 需提供的 live path metadata不代表已讀取 |
| `export_owner_role_or_team` | 只填 role / team不填私人憑證或聯絡資訊 |
| `export_method` | 固定 `owner_provided_redacted_export_only` |
| `redaction_policy_ref` | 指向本文件脫敏規則 |
| `redacted_live_conf_ref` | 未收到前為空;收到後只可填脫敏 ref |
| `source_snapshot_ref` | 指向 repo-only preflight snapshot |
| `intended_use` | 固定 `rendered_diff_and_route_change_preflight_only` |
| `followup_owner` | 後續補證或審查負責 role / team |
| `not_approval` | 必須為 `true` |
## 5. 三份請求
| Request | Control tier | Live path | 邊界 |
|---------|--------------|-----------|------|
| `public_gateway_live_conf_export:host188_all_sites` | `C0` | `/etc/nginx/sites-enabled/all-sites.conf` | 只請 owner 提供脫敏 export ref不代表 SSH 讀取、rendered diff、`nginx -t` 或 reload |
| `public_gateway_live_conf_export:host188_internal_tools_https` | `C0` | `owner_confirmation_required` | 只請 owner 確認 live path 與脫敏 export ref不代表 route change |
| `public_gateway_live_conf_export:host110_ollama_proxy` | `C1` | `/etc/nginx/sites-enabled/110-ollama-proxy.conf` | 只請 owner 提供脫敏 export ref不代表 Ollama proxy 改動或重啟 |
## 6. 送後不變條件
即使未來人工送出請求,也只能在有可稽核送件 metadata 後另行記錄 request sent。收到脫敏 export ref 後,仍需先做敏感 payload 隔離檢查;通過後才可進 rendered diff。Rendered diff 成立仍不代表 `nginx -t`、reload、route smoke 或 public route change 已授權。
2026-06-14 P0-16 已新增 `docs/security/PUBLIC-GATEWAY-REDACTED-EXPORT-INTAKE-PREFLIGHT.md``docs/security/public-gateway-redacted-export-intake-preflight.snapshot.json`,將三份 export request 轉成 redacted export 收件預檢候選。該預檢仍保持 request sent、recipient confirmed、redacted export received、accepted、quarantine、rejected、rendered diff、`nginx -t`、reload、route smoke、runtime gate 全部為 `0`
## 7. 指令
產生 committed snapshot
```bash
python3 scripts/security/public-gateway-live-conf-export-request.py \
--root . \
--preflight-report docs/security/public-gateway-preflight-inventory.snapshot.json \
--output docs/security/public-gateway-live-conf-export-request.snapshot.json \
--generated-at 2026-06-14T19:05:00+08:00
```
驗證 guard
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 8. 完成度
| 工作 | 完成度 | 說明 |
|------|--------|------|
| live conf export request artifact | `100%` | 產生器、snapshot 與文件已固定 |
| request dispatch | `0%` | 尚未送出 |
| redacted export received | `0%` | 尚未收到 |
| rendered diff / nginx -t / route smoke | `0%` | 尚未批准且未執行 |
| runtime reload / host write | `0%` | 未授權且未執行 |