Files
awoooi/docs/security/PUBLIC-GATEWAY-OWNER-RESPONSE-ACCEPTANCE.md
Your Name 9b8ca2c509
All checks were successful
Code Review / ai-code-review (push) Successful in 24s
CD Pipeline / tests (push) Successful in 1m46s
CD Pipeline / build-and-deploy (push) Successful in 6m27s
CD Pipeline / post-deploy-checks (push) Successful in 2m59s
feat(iwooos): 強化 public gateway 緊急變更回補
2026-06-15 14:06:23 +08:00

10 KiB
Raw Blame History

IwoooS Public Gateway Owner Response Acceptance 只讀帳本

項目 內容
日期 2026-06-15
狀態 owner_response_acceptance_ledger_ready_no_runtime_action
工具 scripts/security/public-gateway-owner-response-acceptance.py
Snapshot docs/security/public-gateway-owner-response-acceptance.snapshot.json
來源 public-gateway-live-conf-export-request.snapshot.jsonpublic-gateway-redacted-export-intake-preflight.snapshot.jsonpublic-gateway-rendered-diff-gate-draft.snapshot.json
runtime gate 0

1. 目的

本文件把 Public Gateway live conf 匯出請求、redacted export 收件預檢、rendered diff / nginx -t gate 草稿串成 owner response acceptance 只讀帳本。目的不是執行 Nginx而是固定未來 owner 回覆要如何被 reviewer 收件、補件、隔離、拒收或進入 rendered diff review。

本階段不讀 live Nginx conf、不 SSH、不執行 nginx -t、不 reload Nginx、不做 route smoke、不做 DNS / TLS probe、不 renew certbot、不改 Nginx / DNS / TLS 設定、不寫 production host、不開 action button。

2026-06-15 起,本帳本也負責處理手動或緊急 Public Gateway 變更的最小可追溯 metadata。任何疑似未授權 Nginx / route / upstream / port / proxy 變更,都必須先補脫敏 change actor/source ref、change time window、cross-project impact ref、communication sync ref、change intent / ticket ref、pre-change approval 或 break-glass reason ref、route health impact ref、rollback validation ref 與 post-change monitoring window這些欄位只用於責任、影響與回復追蹤不代表允許讀 live conf、reload 或改 route。

2. 摘要

指標 目前值 說明
source export request 3 來自 live conf 匯出請求包
source intake candidate 3 來自 redacted export 收件預檢
source diff gate candidate 3 來自 rendered diff gate 草稿
acceptance candidate 3 對應三份 public gateway config
C0 / C1 acceptance candidate 2 / 1 188 公開入口兩份為 C0110 Ollama proxy 為 C1
acceptance field 33 每份 acceptance candidate 固定欄位數
required owner response field 22 owner 必須提供的最小欄位
reviewer check 22 reviewer 收件前必檢項
outcome lane 8 等待、隔離、拒收、補件、review、只讀更新、緊急變更補件、等待 runtime gate
blocked action 28 驗收前全部禁止
owner response received / accepted 0 / 0 不得假性拉高
rendered diff / nginx -t / reload / route smoke 0 未授權且未執行
runtime gate / action button 0 / 0 不開任何執行入口

3. Owner 必填欄位

欄位 說明
owner_role_or_team Public Gateway / Nginx owner role 或 team
decision 對本 config scope 的回覆判定
decision_reason 決策理由,不得包含機敏值
affected_routes 受影響 domain / route / upstream scope
redacted_live_conf_ref 脫敏 live conf evidence ref不得貼 raw conf
source_to_live_rendered_diff_ref source-to-live rendered diff ref不得貼 raw diff payload
nginx_test_plan_ref 後續 nginx -t 計畫或 evidence ref不代表已授權
route_smoke_plan_ref route smoke matrix ref
maintenance_window 維護窗口或禁止窗口
rollback_owner rollback 負責人與 rollback ref
postcheck_plan reload / route smoke 後的 post-check plan
change_actor_or_source_ref 若有手動或緊急變更,提供脫敏 actor / source ref不得貼帳密或 raw shell history
change_time_window 變更或事故時間窗,讓 route smoke、告警與跨專案影響能對齊
cross_project_impact_ref 跨產品 / 跨專案影響 ref避免只修單一路由卻造成其他服務中斷
communication_sync_ref 通知或協調 ref證明相關專案 owner 已收到影響與回復狀態
change_intent_or_ticket_ref 變更意圖、維護單、事故單或 ticket ref不得只用聊天口頭同意
pre_change_approval_ref 正常變更的事前批准 ref緊急變更不得用此欄偽造批准
break_glass_reason_ref 緊急變更的 break-glass 事由 ref只代表事後補件不代表已批准
route_health_impact_ref route health / service health impact ref需能對齊 affected routes
rollback_validation_ref rollback validation ref需能追溯 rollback owner 與回滾後驗證方式
post_change_monitoring_window 事後觀察窗口讓告警、route smoke 與跨專案回復狀態能對齊
followup_owner 補件、隔離、拒收或下一步 review owner

4. Reviewer Checks

Check 規則
owner_identity_present owner role / team 必須可追溯
decision_reason_present decision 與 decision reason 必須同時存在
redacted_refs_only evidence 只能是脫敏 ref、hash、ticket、commit 或 artifact pointer
raw_conf_absent 不得出現 raw live Nginx conf、完整 upstream payload 或未遮蔽 host secret
secret_value_absent 不得出現 token、cookie、private key、完整憑證內容或 secret derivative
route_scope_matches_snapshot affected routes 必須能對回 committed public gateway snapshot
rendered_diff_ref_not_payload rendered diff 只能是 ref不得把 payload 直接貼進 owner response
nginx_test_separate_approval nginx -t 必須另走人工批准,不得自動觸發
route_smoke_plan_present route smoke plan 必須列 affected routes、預期 status、TLS / WebSocket / ACME checks
maintenance_window_present 必須有維護窗口或明確禁止窗口
rollback_owner_present rollback owner 與 rollback ref 必須存在
change_actor_or_source_ref_present 手動或緊急變更必須有脫敏 actor / source ref
change_time_window_present 必須提供變更或事故時間窗
cross_project_impact_review_present 必須提供跨產品 / 跨專案影響 ref
communication_sync_ref_present 必須提供通知或協調 ref
change_intent_or_ticket_ref_present 每次 Public Gateway / Nginx 變更都必須有 change intent、ticket、incident 或 maintenance ref
pre_change_approval_or_break_glass_present 正常變更需有 pre-change approval ref緊急變更需有 break-glass reason ref且不得把 break-glass 當成事前批准
route_health_impact_present 必須提供 route health / service health impact ref確認受影響 domain、upstream、WebSocket、ACME 與 API 是否恢復
rollback_validation_present 必須提供 rollback validation ref證明回滾路徑、回滾 owner 與回滾後驗證方式可追溯
post_change_monitoring_window_present 必須提供 post-change monitoring window
manual_change_not_silent 任何手動或緊急 gateway 變更不得靜默收件;缺 actor、意圖、影響、通知或回滾驗證就必須補件或拒收
counts_transition_safe 只有 reviewer record 可更新 received / accepted / rejected不得同時開 runtime gate

5. Outcome Lanes

Lane 意義
waiting_owner_response 尚未收到 owner response所有 accepted / runtime count 維持 0
quarantine_raw_payload 收到 raw conf、payload 或不可保存內容時只能隔離
reject_secret_or_unredacted_conf 出現 secret value、未脫敏 live conf 或 credential derivative 時直接拒收
request_supplement 欄位不足、scope 不清或 evidence ref 不可追溯時要求補件
ready_for_rendered_diff_review metadata 合格後,只能進 rendered diff reviewer review
owner_review_only_update 只允許更新只讀 owner review ledger
emergency_change_backfill_required 手動或緊急 gateway 變更只能進事後補件,不得因 break-glass 而自動接受或開 runtime gate
waiting_runtime_gate 即使 owner response acceptedruntime gate 仍等待獨立人工批准

6. Blocked Actions

read_live_conf_over_ssh
store_raw_live_conf
accept_unredacted_live_conf
collect_secret_value
render_diff_from_unredacted_payload
mark_owner_response_accepted_without_reviewer_record
nginx_test_without_separate_approval
nginx_reload_without_separate_approval
route_smoke_without_matrix
dns_probe_without_approval
tls_probe_without_approval
certbot_renew_without_approval
modify_nginx_conf
modify_dns_tls_config
change_public_route
write_production_host
accept_unknown_change_actor
accept_missing_change_time_window
skip_cross_project_impact_review
skip_incident_communication_sync
accept_silent_manual_nginx_change
treat_break_glass_as_approval
mark_gateway_change_resolved_without_route_health
skip_rollback_validation
skip_post_change_monitoring
hide_cross_project_route_impact
open_runtime_gate
add_action_button

7. 指令

固定 committed snapshot

python3 scripts/security/public-gateway-owner-response-acceptance.py \
  --root . \
  --output docs/security/public-gateway-owner-response-acceptance.snapshot.json \
  --generated-at 2026-06-15T14:10:00+08:00

只讀 guard

python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/source-control-owner-response-guard.py --root .

8. 完成度

工作 完成度 說明
owner response acceptance ledger artifact 100% 3 份 public gateway config 已有只讀收件判定帳本
手動 / 緊急 gateway 變更 metadata gate 100% 已要求 actor/source、time window、cross-project impact、communication sync、change intent、approval / break-glass、route health impact、rollback validation 與 post-change monitoring不收 raw payload
owner response received / accepted 0% 尚未收到或接受任何 owner response
rendered diff / nginx -t / reload / route smoke 0% 未授權且未執行
DNS / TLS / certbot 0% 未授權且未執行
runtime gate / production write 0% 無 action button無 host write

9. 邊界

這份帳本不是 live gateway truth、不是 Nginx 變更批准、不是 nginx -t 授權、不是 reload 授權、不是 DNS / TLS / certbot 授權,也不是 route smoke 或 runtime gate。不得把 owner response acceptance ledger、snapshot、LOGBOOK、IwoooS UI 或 AwoooP approval 解讀成可以讀 live conf、改 Nginx、改公開路由、收 secret、寫 production host、開 action button 或執行任何 gateway 操作。