Files
awoooi/docs/security/high-value-config-owner-request-draft.snapshot.json

407 lines
13 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{
"execution_boundaries": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"audit_event_emitted": false,
"dispatch_authorized": false,
"dns_tls_change_authorized": false,
"host_write_authorized": false,
"nginx_reload_authorized": false,
"not_authorization": true,
"production_write_authorized": false,
"recipient_confirmed": false,
"request_sent": false,
"reviewer_queue_write": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"workflow_modification_authorized": false
},
"forbidden_payloads": [
"token",
"secret",
"private_key",
"cookie",
"session",
"authorization_header",
"runner_token",
"webhook_secret",
"db_dump",
"repo_archive",
"git_object_pack",
"raw_sensitive_live_config"
],
"generated_at": "2026-06-14T18:45:00+08:00",
"git_commit": "ddd9e433",
"handoff_envelope_fields": [
"request_id",
"stage_id",
"packet_id",
"recipient_role_or_team",
"sender_role_or_team",
"requested_response_window",
"allowed_response_format",
"redacted_evidence_refs",
"forbidden_payloads",
"followup_owner",
"not_approval"
],
"not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。",
"request_drafts": [
{
"accepted_response": false,
"action_buttons_allowed": false,
"affected_files": [
"scripts/ops/188-registry-certbot-fix.sh",
"scripts/ops/fix-188-registry-certbot-renewal.sh"
],
"allowed_response_format": {
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"redacted_evidence_refs_only": true
},
"audit_event_emitted": false,
"blocked_requests": [
"repo_create",
"visibility_change",
"refs_sync",
"refs_delete",
"force_push",
"workflow_modify",
"runner_enable",
"secret_value_submit",
"ssh_host_modify",
"nginx_reload",
"dns_tls_modify",
"argocd_sync",
"kubectl_apply",
"active_scan",
"agent_bounty_runtime_execute",
"payout_or_withdrawal"
],
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"followup_owner": "pending_followup_owner",
"forbidden_payloads": [
"token",
"secret",
"private_key",
"cookie",
"session",
"authorization_header",
"runner_token",
"webhook_secret",
"db_dump",
"repo_archive",
"git_object_pack",
"raw_sensitive_live_config"
],
"handoff_envelope_fields": [
"request_id",
"stage_id",
"packet_id",
"recipient_role_or_team",
"sender_role_or_team",
"requested_response_window",
"allowed_response_format",
"redacted_evidence_refs",
"forbidden_payloads",
"followup_owner",
"not_approval"
],
"label": "DNS / TLS / certbot / certificate path",
"not_approval": true,
"not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。",
"packet_id": "high_value_config_owner_packet:dns_tls_certbot",
"priority": "P0",
"production_write_authorized": false,
"received_response": false,
"recipient_confirmed": false,
"recipient_role_or_team": "pending_owner_role_or_team",
"redacted_evidence_refs": [
"docs/security/high-value-config-owner-packet.snapshot.json",
"docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json"
],
"rejected_response": false,
"request_id": "high_value_config_owner_request:dns_tls_certbot",
"request_sent": false,
"requested_response_window": "not_scheduled",
"required_gate": "domain_tls_owner_response_required",
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
],
"reviewer_queue_write": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"sender_role_or_team": "iwooos_security_reviewer",
"stage_id": "P0-14",
"status": "draft_not_dispatched"
},
{
"accepted_response": false,
"action_buttons_allowed": false,
"affected_files": [
"k8s/nginx/awoooi-prod.conf"
],
"allowed_response_format": {
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"redacted_evidence_refs_only": true
},
"audit_event_emitted": false,
"blocked_requests": [
"repo_create",
"visibility_change",
"refs_sync",
"refs_delete",
"force_push",
"workflow_modify",
"runner_enable",
"secret_value_submit",
"ssh_host_modify",
"nginx_reload",
"dns_tls_modify",
"argocd_sync",
"kubectl_apply",
"active_scan",
"agent_bounty_runtime_execute",
"payout_or_withdrawal"
],
"category_id": "nginx_public_gateway",
"control_tier": "C0",
"followup_owner": "pending_followup_owner",
"forbidden_payloads": [
"token",
"secret",
"private_key",
"cookie",
"session",
"authorization_header",
"runner_token",
"webhook_secret",
"db_dump",
"repo_archive",
"git_object_pack",
"raw_sensitive_live_config"
],
"handoff_envelope_fields": [
"request_id",
"stage_id",
"packet_id",
"recipient_role_or_team",
"sender_role_or_team",
"requested_response_window",
"allowed_response_format",
"redacted_evidence_refs",
"forbidden_payloads",
"followup_owner",
"not_approval"
],
"label": "Nginx / reverse proxy / public route",
"not_approval": true,
"not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。",
"packet_id": "high_value_config_owner_packet:nginx_public_gateway",
"priority": "P0",
"production_write_authorized": false,
"received_response": false,
"recipient_confirmed": false,
"recipient_role_or_team": "pending_owner_role_or_team",
"redacted_evidence_refs": [
"docs/security/high-value-config-owner-packet.snapshot.json",
"docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json"
],
"rejected_response": false,
"request_id": "high_value_config_owner_request:nginx_public_gateway",
"request_sent": false,
"requested_response_window": "not_scheduled",
"required_gate": "public_gateway_owner_response_required",
"required_validation": [
"rendered_diff",
"nginx_t",
"affected_route_smoke",
"admin_route_smoke_if_affected",
"acme_path_smoke_if_affected",
"rollback_ref"
],
"reviewer_queue_write": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"sender_role_or_team": "iwooos_security_reviewer",
"stage_id": "P0-14",
"status": "draft_not_dispatched"
},
{
"accepted_response": false,
"action_buttons_allowed": false,
"affected_files": [
"docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md",
"docs/security/high-value-config-change-gate.snapshot.json",
"scripts/security/high-value-config-change-gate.py"
],
"allowed_response_format": {
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"redacted_evidence_refs_only": true
},
"audit_event_emitted": false,
"blocked_requests": [
"repo_create",
"visibility_change",
"refs_sync",
"refs_delete",
"force_push",
"workflow_modify",
"runner_enable",
"secret_value_submit",
"ssh_host_modify",
"nginx_reload",
"dns_tls_modify",
"argocd_sync",
"kubectl_apply",
"active_scan",
"agent_bounty_runtime_execute",
"payout_or_withdrawal"
],
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"followup_owner": "pending_followup_owner",
"forbidden_payloads": [
"token",
"secret",
"private_key",
"cookie",
"session",
"authorization_header",
"runner_token",
"webhook_secret",
"db_dump",
"repo_archive",
"git_object_pack",
"raw_sensitive_live_config"
],
"handoff_envelope_fields": [
"request_id",
"stage_id",
"packet_id",
"recipient_role_or_team",
"sender_role_or_team",
"requested_response_window",
"allowed_response_format",
"redacted_evidence_refs",
"forbidden_payloads",
"followup_owner",
"not_approval"
],
"label": "Security evidence / snapshot / guard tooling",
"not_approval": true,
"not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。",
"packet_id": "high_value_config_owner_packet:security_evidence_tooling",
"priority": "P3",
"production_write_authorized": false,
"received_response": false,
"recipient_confirmed": false,
"recipient_role_or_team": "pending_owner_role_or_team",
"redacted_evidence_refs": [
"docs/security/high-value-config-owner-packet.snapshot.json",
"docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json"
],
"rejected_response": false,
"request_id": "high_value_config_owner_request:security_evidence_tooling",
"request_sent": false,
"requested_response_window": "not_scheduled",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
],
"reviewer_queue_write": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"sender_role_or_team": "iwooos_security_reviewer",
"stage_id": "P0-14",
"status": "draft_not_dispatched"
}
],
"schema_version": "high_value_config_owner_request_draft_v1",
"send_after_conditions": [
" gitea/mainP0 AwoooP Session ",
" secret valueraw payload ",
" metadata request_sent_count",
" received / accepted / rejected / reviewer queue / runtime gate"
],
"source_intake_preflight_schema_version": "high_value_config_owner_packet_intake_preflight_v1",
"source_intake_preflight_status": "request_dispatch_preflight_ready",
"status": "owner_request_draft_ready_not_dispatched",
"summary": {
"accepted_response_count": 0,
"action_button_count": 0,
"audit_event_emitted_count": 0,
"blocked_request_count": 16,
"c0_request_draft_count": 2,
"c1_request_draft_count": 0,
"dispatch_preflight_check_count": 9,
"forbidden_payload_count": 12,
"handoff_envelope_field_count": 11,
"received_response_count": 0,
"recipient_confirmed_count": 0,
"rejected_response_count": 0,
"request_draft_count": 3,
"request_sent_count": 0,
"required_owner_field_total": 27,
"reviewer_intake_lane_count": 5,
"reviewer_queue_write_count": 0,
"runtime_gate_count": 0
}
}