10 KiB
IwoooS Public Gateway Owner Response Acceptance 只讀帳本
| 項目 | 內容 |
|---|---|
| 日期 | 2026-06-15 |
| 狀態 | owner_response_acceptance_ledger_ready_no_runtime_action |
| 工具 | scripts/security/public-gateway-owner-response-acceptance.py |
| Snapshot | docs/security/public-gateway-owner-response-acceptance.snapshot.json |
| 來源 | public-gateway-live-conf-export-request.snapshot.json、public-gateway-redacted-export-intake-preflight.snapshot.json、public-gateway-rendered-diff-gate-draft.snapshot.json |
| runtime gate | 0 |
1. 目的
本文件把 Public Gateway live conf 匯出請求、redacted export 收件預檢、rendered diff / nginx -t gate 草稿串成 owner response acceptance 只讀帳本。目的不是執行 Nginx,而是固定未來 owner 回覆要如何被 reviewer 收件、補件、隔離、拒收或進入 rendered diff review。
本階段不讀 live Nginx conf、不 SSH、不執行 nginx -t、不 reload Nginx、不做 route smoke、不做 DNS / TLS probe、不 renew certbot、不改 Nginx / DNS / TLS 設定、不寫 production host、不開 action button。
2026-06-15 起,本帳本也負責處理手動或緊急 Public Gateway 變更的最小可追溯 metadata。任何疑似未授權 Nginx / route / upstream / port / proxy 變更,都必須先補脫敏 change actor/source ref、change time window、cross-project impact ref、communication sync ref、change intent / ticket ref、pre-change approval 或 break-glass reason ref、route health impact ref、rollback validation ref 與 post-change monitoring window;這些欄位只用於責任、影響與回復追蹤,不代表允許讀 live conf、reload 或改 route。
2. 摘要
| 指標 | 目前值 | 說明 |
|---|---|---|
| source export request | 3 |
來自 live conf 匯出請求包 |
| source intake candidate | 3 |
來自 redacted export 收件預檢 |
| source diff gate candidate | 3 |
來自 rendered diff gate 草稿 |
| acceptance candidate | 3 |
對應三份 public gateway config |
| C0 / C1 acceptance candidate | 2 / 1 |
188 公開入口兩份為 C0,110 Ollama proxy 為 C1 |
| acceptance field | 33 |
每份 acceptance candidate 固定欄位數 |
| required owner response field | 22 |
owner 必須提供的最小欄位 |
| reviewer check | 22 |
reviewer 收件前必檢項 |
| outcome lane | 8 |
等待、隔離、拒收、補件、review、只讀更新、緊急變更補件、等待 runtime gate |
| blocked action | 28 |
驗收前全部禁止 |
| owner response received / accepted | 0 / 0 |
不得假性拉高 |
rendered diff / nginx -t / reload / route smoke |
0 |
未授權且未執行 |
| runtime gate / action button | 0 / 0 |
不開任何執行入口 |
3. Owner 必填欄位
| 欄位 | 說明 |
|---|---|
owner_role_or_team |
Public Gateway / Nginx owner role 或 team |
decision |
對本 config scope 的回覆判定 |
decision_reason |
決策理由,不得包含機敏值 |
affected_routes |
受影響 domain / route / upstream scope |
redacted_live_conf_ref |
脫敏 live conf evidence ref;不得貼 raw conf |
source_to_live_rendered_diff_ref |
source-to-live rendered diff ref;不得貼 raw diff payload |
nginx_test_plan_ref |
後續 nginx -t 計畫或 evidence ref;不代表已授權 |
route_smoke_plan_ref |
route smoke matrix ref |
maintenance_window |
維護窗口或禁止窗口 |
rollback_owner |
rollback 負責人與 rollback ref |
postcheck_plan |
reload / route smoke 後的 post-check plan |
change_actor_or_source_ref |
若有手動或緊急變更,提供脫敏 actor / source ref,不得貼帳密或 raw shell history |
change_time_window |
變更或事故時間窗,讓 route smoke、告警與跨專案影響能對齊 |
cross_project_impact_ref |
跨產品 / 跨專案影響 ref,避免只修單一路由卻造成其他服務中斷 |
communication_sync_ref |
通知或協調 ref,證明相關專案 owner 已收到影響與回復狀態 |
change_intent_or_ticket_ref |
變更意圖、維護單、事故單或 ticket ref;不得只用聊天口頭同意 |
pre_change_approval_ref |
正常變更的事前批准 ref;緊急變更不得用此欄偽造批准 |
break_glass_reason_ref |
緊急變更的 break-glass 事由 ref;只代表事後補件,不代表已批准 |
route_health_impact_ref |
route health / service health impact ref,需能對齊 affected routes |
rollback_validation_ref |
rollback validation ref,需能追溯 rollback owner 與回滾後驗證方式 |
post_change_monitoring_window |
事後觀察窗口,讓告警、route smoke 與跨專案回復狀態能對齊 |
followup_owner |
補件、隔離、拒收或下一步 review owner |
4. Reviewer Checks
| Check | 規則 |
|---|---|
owner_identity_present |
owner role / team 必須可追溯 |
decision_reason_present |
decision 與 decision reason 必須同時存在 |
redacted_refs_only |
evidence 只能是脫敏 ref、hash、ticket、commit 或 artifact pointer |
raw_conf_absent |
不得出現 raw live Nginx conf、完整 upstream payload 或未遮蔽 host secret |
secret_value_absent |
不得出現 token、cookie、private key、完整憑證內容或 secret derivative |
route_scope_matches_snapshot |
affected routes 必須能對回 committed public gateway snapshot |
rendered_diff_ref_not_payload |
rendered diff 只能是 ref,不得把 payload 直接貼進 owner response |
nginx_test_separate_approval |
nginx -t 必須另走人工批准,不得自動觸發 |
route_smoke_plan_present |
route smoke plan 必須列 affected routes、預期 status、TLS / WebSocket / ACME checks |
maintenance_window_present |
必須有維護窗口或明確禁止窗口 |
rollback_owner_present |
rollback owner 與 rollback ref 必須存在 |
change_actor_or_source_ref_present |
手動或緊急變更必須有脫敏 actor / source ref |
change_time_window_present |
必須提供變更或事故時間窗 |
cross_project_impact_review_present |
必須提供跨產品 / 跨專案影響 ref |
communication_sync_ref_present |
必須提供通知或協調 ref |
change_intent_or_ticket_ref_present |
每次 Public Gateway / Nginx 變更都必須有 change intent、ticket、incident 或 maintenance ref |
pre_change_approval_or_break_glass_present |
正常變更需有 pre-change approval ref;緊急變更需有 break-glass reason ref,且不得把 break-glass 當成事前批准 |
route_health_impact_present |
必須提供 route health / service health impact ref,確認受影響 domain、upstream、WebSocket、ACME 與 API 是否恢復 |
rollback_validation_present |
必須提供 rollback validation ref,證明回滾路徑、回滾 owner 與回滾後驗證方式可追溯 |
post_change_monitoring_window_present |
必須提供 post-change monitoring window |
manual_change_not_silent |
任何手動或緊急 gateway 變更不得靜默收件;缺 actor、意圖、影響、通知或回滾驗證就必須補件或拒收 |
counts_transition_safe |
只有 reviewer record 可更新 received / accepted / rejected;不得同時開 runtime gate |
5. Outcome Lanes
| Lane | 意義 |
|---|---|
waiting_owner_response |
尚未收到 owner response;所有 accepted / runtime count 維持 0 |
quarantine_raw_payload |
收到 raw conf、payload 或不可保存內容時只能隔離 |
reject_secret_or_unredacted_conf |
出現 secret value、未脫敏 live conf 或 credential derivative 時直接拒收 |
request_supplement |
欄位不足、scope 不清或 evidence ref 不可追溯時要求補件 |
ready_for_rendered_diff_review |
metadata 合格後,只能進 rendered diff reviewer review |
owner_review_only_update |
只允許更新只讀 owner review ledger |
emergency_change_backfill_required |
手動或緊急 gateway 變更只能進事後補件,不得因 break-glass 而自動接受或開 runtime gate |
waiting_runtime_gate |
即使 owner response accepted,runtime gate 仍等待獨立人工批准 |
6. Blocked Actions
read_live_conf_over_ssh
store_raw_live_conf
accept_unredacted_live_conf
collect_secret_value
render_diff_from_unredacted_payload
mark_owner_response_accepted_without_reviewer_record
nginx_test_without_separate_approval
nginx_reload_without_separate_approval
route_smoke_without_matrix
dns_probe_without_approval
tls_probe_without_approval
certbot_renew_without_approval
modify_nginx_conf
modify_dns_tls_config
change_public_route
write_production_host
accept_unknown_change_actor
accept_missing_change_time_window
skip_cross_project_impact_review
skip_incident_communication_sync
accept_silent_manual_nginx_change
treat_break_glass_as_approval
mark_gateway_change_resolved_without_route_health
skip_rollback_validation
skip_post_change_monitoring
hide_cross_project_route_impact
open_runtime_gate
add_action_button
7. 指令
固定 committed snapshot:
python3 scripts/security/public-gateway-owner-response-acceptance.py \
--root . \
--output docs/security/public-gateway-owner-response-acceptance.snapshot.json \
--generated-at 2026-06-15T14:10:00+08:00
只讀 guard:
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/source-control-owner-response-guard.py --root .
8. 完成度
| 工作 | 完成度 | 說明 |
|---|---|---|
| owner response acceptance ledger artifact | 100% |
3 份 public gateway config 已有只讀收件判定帳本 |
| 手動 / 緊急 gateway 變更 metadata gate | 100% |
已要求 actor/source、time window、cross-project impact、communication sync、change intent、approval / break-glass、route health impact、rollback validation 與 post-change monitoring;不收 raw payload |
| owner response received / accepted | 0% |
尚未收到或接受任何 owner response |
rendered diff / nginx -t / reload / route smoke |
0% |
未授權且未執行 |
| DNS / TLS / certbot | 0% |
未授權且未執行 |
| runtime gate / production write | 0% |
無 action button,無 host write |
9. 邊界
這份帳本不是 live gateway truth、不是 Nginx 變更批准、不是 nginx -t 授權、不是 reload 授權、不是 DNS / TLS / certbot 授權,也不是 route smoke 或 runtime gate。不得把 owner response acceptance ledger、snapshot、LOGBOOK、IwoooS UI 或 AwoooP approval 解讀成可以讀 live conf、改 Nginx、改公開路由、收 secret、寫 production host、開 action button 或執行任何 gateway 操作。