# IwoooS Public Gateway Rendered Diff Acceptance Read-Only Ledger

| Item | Content |
|------|------|
| Date | 2026-06-14 |
| Status | `rendered_diff_acceptance_ledger_ready_no_runtime_action` |
| Tool | `scripts/security/public-gateway-rendered-diff-acceptance.py` |
| Inputs | `docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json`, `docs/security/public-gateway-owner-response-acceptance.snapshot.json` |
| Snapshot | `docs/security/public-gateway-rendered-diff-acceptance.snapshot.json` |
| runtime gate | `0` |

## 1. Purpose

The Nginx public gateway is the shared entry point for the public website, API, webhooks, WebSocket, TLS and ACME. Earlier layers established the live conf export request, the redacted export intake preflight, the rendered diff gate draft and the owner response acceptance. This document adds the next layer: once the owner has accepted, how to accept the `rendered diff`, the owner-provided `nginx -t` readback evidence and the route smoke evidence.

This ledger covers only evidence format, redaction boundaries, traceability and reviewer triage. It is not an owner response accepted record, not a rendered diff accepted record, not authorization to run `nginx -t`, not an Nginx reload, not a route smoke, not a DNS / TLS probe, not a certbot renew, not a host write, and not a production write or runtime gate.

## 2. Summary

| Metric | Value | Notes |
|------|----|------|
| diff acceptance candidate count | `3` | one per public gateway config |
| C0 diff acceptance candidate count | `2` | 188 all sites, 188 internal tools HTTPS |
| C1 diff acceptance candidate count | `1` | 110 Ollama proxy |
| diff acceptance field count | `25` | acceptance fields per evidence record |
| required evidence field count | `14` | fields a future owner evidence record must carry |
| reviewer check count | `15` | intake, quarantine, rejection, supplement and reviewer acceptance checks |
| outcome lane count | `8` | from waiting for owner accepted to waiting for independent runtime approval |
| blocked action count | `22` | actions that must not be executed directly or misread as authorization |
| owner response accepted | `0` | not yet received / accepted |
| rendered diff received / accepted | `0 / 0` | not yet received / accepted |
| nginx test evidence received / accepted | `0 / 0` | not yet received / accepted |
| route smoke evidence received / accepted | `0 / 0` | not yet received / accepted |
| runtime gate / action button | `0 / 0` | not opened |

## 3. Acceptance Fields

| Field | Content rule |
|------|----------|
| `diff_acceptance_id` | Fixed; maps to the public gateway rendered diff acceptance |
| `owner_response_acceptance_id` | Maps to the owner response acceptance candidate of the previous layer |
| `diff_gate_id` | Maps to the rendered diff gate draft |
| `config_id` | Maps to the public gateway config |
| `control_tier` | Keeps the C0 / C1 risk tier |
| `host` | Keeps only the existing host scope; does not imply SSH authorization |
| `live_path` | Keeps only the expected live path; does not imply the live conf was read |
| `redacted_live_conf_ref` | May hold only a redacted ref / hash / artifact pointer |
| `rendered_diff_ref` | May hold only a ref; never the full diff payload |
| `rendered_diff_hash_ref` | Points to hash / checksum evidence |
| `diff_scope_summary` | Summary of the affected routes / upstream / TLS / ACME scope |
| `affected_routes` | Must map back to the preflight inventory |
| `nginx_test_evidence_ref` | May hold only an owner-provided readback ref |
| `nginx_test_operator` | Operator role; must not be an untraceable personal nickname |
| `nginx_test_result` | Result summary; must not contain secrets |
| `route_smoke_matrix_ref` | Ref to the affected route smoke matrix |
| `route_smoke_result_ref` | Ref to the route smoke readback |
| `tls_acme_impact_ref` | Ref to the TLS / ACME impact |
| `maintenance_window` | Maintenance window, or an explicit forbidden window |
| `rollback_owner` | Rollback owner / team |
| `rollback_ref` | Rollback plan / revision / artifact ref |
| `postcheck_evidence_ref` | Ref to the post-check readback |
| `reviewer_outcome` | Reviewer acceptance lane |
| `followup_owner` | Owner of the supplement or of the next stage |
| `not_approval` | Must be `true` |

## 4. Reviewer Checks

| Check | Rule |
|-------|------|
| `owner_response_accepted_first` | An owner response accepted record must exist first |
| `redacted_live_conf_ref_only` | Raw live conf is not accepted |
| `rendered_diff_ref_not_payload` | A full diff payload is not accepted |
| `diff_scope_matches_config_id` | The diff scope must map back to the `config_id` |
| `nginx_test_evidence_is_readback_only` | This tool must not run `nginx -t` |
| `nginx_test_result_has_timestamp` | The test result needs a timestamp, a role and a result summary |
| `route_smoke_matrix_complete` | The smoke matrix must list the affected routes and the expected results |
| `tls_acme_impact_separated` | TLS / ACME impact cannot be substituted by the route smoke |
| `secret_value_absent` | Must not contain a secret value or a derivative of one |
| `maintenance_window_present` | A window must exist before any future runtime action |
| `rollback_owner_and_ref_present` | Rollback owner and ref must exist |
| `postcheck_plan_present` | A post-check evidence ref must exist |
| `no_execution_request_embedded` | Evidence must not carry an execution request |
| `counts_transition_safe` | accepted / rejected counts may only be updated by a reviewer record |
| `action_button_absent` | The front end must not gain an execution button |

## 5. Outcome Lanes

| Lane | Meaning |
|------|------|
| `waiting_owner_response_acceptance` | The owner response is not yet accepted |
| `waiting_rendered_diff_evidence` | Waiting for the rendered diff / nginx test / route smoke evidence refs |
| `quarantine_raw_conf_or_payload` | Raw conf or a full payload can only be quarantined |
| `reject_secret_or_execution_request` | A secret or an execution request is rejected outright |
| `request_evidence_supplement` | Missing fields or an incomplete route matrix require a supplement |
| `ready_for_reviewer_acceptance` | Metadata passes; proceeds to reviewer acceptance |
| `accepted_for_runtime_gate_planning` | May proceed only to the next layer, runtime gate planning |
| `waiting_separate_runtime_approval` | `nginx -t` / reload / smoke still need independent human approval |

## 6. Blocked Actions

| Action | Boundary |
|--------|------|
| `read_live_conf_over_ssh` | Must not be executed without authorization |
| `store_raw_live_conf` | Must not be written to the repo, the LOGBOOK or the front end |
| `store_full_rendered_diff_payload` | The full diff payload must not be stored |
| `accept_unredacted_live_conf` | Must not be accepted |
| `collect_secret_value` | Secret values must not be collected |
| `accept_execution_request_inside_evidence` | Evidence must not carry an execution request |
| `mark_rendered_diff_accepted_without_owner_response` | The owner response accepted step must not be skipped |
| `mark_rendered_diff_accepted_without_reviewer_record` | The reviewer record must not be skipped |
| `run_nginx_test_from_diff_acceptance` | Must not be executed by this ledger |
| `run_route_smoke_from_diff_acceptance` | Must not be executed by this ledger |
| `nginx_reload_from_diff_acceptance` | Must not be executed by this ledger |
| `dns_probe_from_diff_acceptance` | Must not be executed by this ledger |
| `tls_probe_from_diff_acceptance` | Must not be executed by this ledger |
| `certbot_renew_from_diff_acceptance` | Must not be executed by this ledger |
| `modify_nginx_conf` | The live conf must not be changed |
| `modify_dns_tls_config` | DNS / TLS / certbot must not be changed |
| `change_public_route` | Public routes must not be changed |
| `change_admin_route` | Admin routes must not be changed |
| `change_websocket_route` | WebSocket routes must not be changed |
| `write_production_host` | No host writes |
| `open_runtime_gate` | The runtime gate must not be opened |
| `add_action_button` | No action button may be added |

## 7. Commands

Generate the committed snapshot:

```bash
python3 scripts/security/public-gateway-rendered-diff-acceptance.py \
  --root . \
  --rendered-diff-gate-report docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json \
  --owner-response-acceptance-report docs/security/public-gateway-owner-response-acceptance.snapshot.json \
  --output docs/security/public-gateway-rendered-diff-acceptance.snapshot.json \
  --generated-at 2026-06-14T23:58:00+08:00
```

Verify the guard:

```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```

## 8. Completion

| Work item | Completion | Notes |
|------|--------|------|
| rendered diff acceptance artifact | `100%` | Generator, snapshot and document are fixed |
| owner response accepted | `0%` | Not yet received / accepted |
| rendered diff evidence accepted | `0%` | Not yet received / accepted |
| nginx test evidence accepted | `0%` | Not yet received / accepted |
| route smoke evidence accepted | `0%` | Not yet received / accepted |
| runtime reload / host write | `0%` | Not authorized and not executed |
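The acceptance fields (section 3), reviewer checks (section 4) and outcome lanes (section 5) together describe an intake triage: each incoming evidence record is checked for secrets, raw conf, full diff payloads and embedded execution requests before it is allowed near reviewer acceptance. The Python below is an added example written for this page; it is not the repository's `scripts/security/public-gateway-rendered-diff-acceptance.py` and does not reproduce that script's logic. Only the check and lane names come from the tables above. The required-field subset, the regex heuristics for secrets, Nginx directives, diff payloads and execution requests, the lane precedence (reject before quarantine before the owner precondition), the two extra check names `required_evidence_fields_present` and `not_approval_true`, the preflight inventory, the `pg-…` / `ora-…` ids and every `ref:` value are assumptions constructed for the example.

```python
# Evidence-intake triage modelled on the ledger's reviewer checks and outcome lanes.
# Added example for this page, not the repository's own
# scripts/security/public-gateway-rendered-diff-acceptance.py: check and lane names
# follow the tables above; every heuristic, id and sample value is an assumption.
import re

# Assumed subset of the ledger's required evidence fields (section 3).
REQUIRED_FIELDS = (
    "owner_response_acceptance_id", "config_id", "redacted_live_conf_ref", "rendered_diff_ref",
    "rendered_diff_hash_ref", "affected_routes", "nginx_test_evidence_ref", "nginx_test_result",
    "route_smoke_matrix_ref", "route_smoke_result_ref", "tls_acme_impact_ref",
    "maintenance_window", "rollback_owner", "rollback_ref", "postcheck_evidence_ref",
)
# Readback refs whose complete absence means the record is still waiting for evidence.
EVIDENCE_REFS = ("rendered_diff_ref", "nginx_test_evidence_ref", "route_smoke_result_ref")

# Assumed detection heuristics for material the ledger must never store.
SECRET_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----|\bssl_certificate_key\s+\S"
                       r"|\b(?:password|passwd|secret|token)\s*[=:]\s*\S", re.I)
EXEC_REQUEST_RE = re.compile(r"\b(?:please|kindly|now)\s+(?:run|reload|execute|apply|renew)\b"
                             r"|\b(?:run|reload)\s+(?:nginx|certbot)\b", re.I)
NGINX_DIRECTIVE_RE = re.compile(r"\b(?:server|location|upstream)\s*[{/]|\bproxy_pass\b")
DIFF_PAYLOAD_RE = re.compile(r"^(?:diff --git|@@ |\+\+\+ |--- )", re.M)
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}")

def _strings(value):
    # Yield every string nested in a record value (dict, list or scalar).
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        yield from (s for item in value.values() for s in _strings(item))
    elif isinstance(value, (list, tuple)):
        yield from (s for item in value for s in _strings(item))

def run_reviewer_checks(record, accepted_owner_responses, preflight_inventory):
    """Return the names of the section 4 checks this evidence record fails."""
    failed = []
    if record.get("owner_response_acceptance_id") not in accepted_owner_responses:
        failed.append("owner_response_accepted_first")
    if NGINX_DIRECTIVE_RE.search(record.get("redacted_live_conf_ref") or ""):
        failed.append("redacted_live_conf_ref_only")  # looks like raw conf, not a ref
    diff_ref = record.get("rendered_diff_ref") or ""
    if "\n" in diff_ref or DIFF_PAYLOAD_RE.search(diff_ref):
        failed.append("rendered_diff_ref_not_payload")  # a ref is one line, never a hunk
    if any(SECRET_RE.search(s) for s in _strings(record)):
        failed.append("secret_value_absent")
    if any(EXEC_REQUEST_RE.search(s) for s in _strings(record)):
        failed.append("no_execution_request_embedded")
    if not TIMESTAMP_RE.search(record.get("nginx_test_result") or ""):
        failed.append("nginx_test_result_has_timestamp")
    known = set(preflight_inventory.get(record.get("config_id"), ()))
    routes = set(record.get("affected_routes") or ())
    if not routes or not routes <= known:  # routes must map back to the preflight inventory
        failed.append("diff_scope_matches_config_id")
    # The two names below are this example's own, not among the ledger's 15 checks.
    if any(not record.get(field) for field in REQUIRED_FIELDS):
        failed.append("required_evidence_fields_present")
    if record.get("not_approval") is not True:
        failed.append("not_approval_true")
    return failed

def triage(record, accepted_owner_responses, preflight_inventory):
    """Map the failed checks to a section 5 lane; the precedence order is assumed."""
    failed = run_reviewer_checks(record, accepted_owner_responses, preflight_inventory)
    if {"secret_value_absent", "no_execution_request_embedded"} & set(failed):
        lane = "reject_secret_or_execution_request"       # outright rejection
    elif {"redacted_live_conf_ref_only", "rendered_diff_ref_not_payload"} & set(failed):
        lane = "quarantine_raw_conf_or_payload"           # isolate, never store
    elif "owner_response_accepted_first" in failed:
        lane = "waiting_owner_response_acceptance"        # previous layer not done
    elif failed and not any(record.get(ref) for ref in EVIDENCE_REFS):
        lane = "waiting_rendered_diff_evidence"           # nothing to review yet
    elif failed:
        lane = "request_evidence_supplement"              # fixable gaps
    else:
        lane = "ready_for_reviewer_acceptance"            # metadata passes; reviewer record next
    return {"lane": lane, "failed": failed}

# Constructed sample data: not the real preflight inventory, ledger ids or refs.
PREFLIGHT_INVENTORY = {"pg-188-all-sites": ["/", "/api/", "/webhook/", "/ws/"]}
ACCEPTED_OWNER_RESPONSES = {"ora-188-all-sites-01"}
GOOD_RECORD = {
    "owner_response_acceptance_id": "ora-188-all-sites-01", "config_id": "pg-188-all-sites",
    "redacted_live_conf_ref": "ref:redacted-conf/188-all-sites", "rendered_diff_ref": "ref:diff/001",
    "rendered_diff_hash_ref": "ref:hash/001", "affected_routes": ["/api/", "/ws/"],
    "nginx_test_evidence_ref": "ref:readback/nginx-test/001",
    "nginx_test_result": "2026-06-14T22:10+08:00 gateway-operator-role: test successful",
    "route_smoke_matrix_ref": "ref:smoke-matrix/001", "route_smoke_result_ref": "ref:readback/smoke/001",
    "tls_acme_impact_ref": "ref:tls-acme-impact/001", "maintenance_window": "2026-06-20T02:00+08:00/1h",
    "rollback_owner": "gateway-team", "rollback_ref": "ref:rollback/prev",
    "postcheck_evidence_ref": "ref:postcheck/001", "not_approval": True,
}

if __name__ == "__main__":
    samples = {"good": GOOD_RECORD, "payload": dict(GOOD_RECORD, rendered_diff_ref="--- a\n+++ b")}
    for name, rec in samples.items():
        print(name, triage(rec, ACCEPTED_OWNER_RESPONSES, PREFLIGHT_INVENTORY))
```

`triage` never stores or echoes the offending value: a record that trips `secret_value_absent` or `no_execution_request_embedded` reports only the check name and lands in the reject lane, and a raw conf or pasted hunk lands in quarantine before any field is inspected further. Lanes past `ready_for_reviewer_acceptance` are deliberately not produced here, because under `counts_transition_safe` only a reviewer record may move a record into `accepted_for_runtime_gate_planning`.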