{ "blocked_actions": [ "read_live_conf_over_ssh", "store_raw_live_conf", "render_diff_from_unredacted_payload", "nginx_test_without_approval", "nginx_reload_without_approval", "route_smoke_without_plan", "dns_probe_without_approval", "tls_probe_without_approval", "certbot_renew_without_approval", "modify_nginx_conf", "modify_dns_tls_config", "change_public_route", "write_production_host", "open_runtime_gate" ], "diff_gate_candidates": [ { "action_buttons_allowed": false, "blocked_actions": [ "read_live_conf_over_ssh", "store_raw_live_conf", "render_diff_from_unredacted_payload", "nginx_test_without_approval", "nginx_reload_without_approval", "route_smoke_without_plan", "dns_probe_without_approval", "tls_probe_without_approval", "certbot_renew_without_approval", "modify_nginx_conf", "modify_dns_tls_config", "change_public_route", "write_production_host", "open_runtime_gate" ], "certbot_renew_authorized": false, "config_id": "host188_all_sites", "control_tier": "C0", "diff_gate_fields": [ "diff_gate_id", "intake_id", "export_request_id", "config_id", "control_tier", "source_config_ref", "redacted_live_conf_ref", "rendered_diff_ref", "nginx_test_plan_ref", "route_smoke_plan_ref", "rollback_owner", "not_approval" ], "diff_gate_id": "public_gateway_rendered_diff_gate:host188_all_sites", "dns_tls_probe_authorized": false, "export_request_id": "public_gateway_live_conf_export:host188_all_sites", "host": "192.168.0.188", "intake_id": "public_gateway_redacted_export_intake:host188_all_sites", "live_path": "/etc/nginx/sites-enabled/all-sites.conf", "maintenance_window_accepted": false, "nginx_reload_authorized": false, "nginx_reload_executed": false, "nginx_test_authorized": false, "nginx_test_executed": false, "nginx_test_plan_ref": null, "not_approval": true, "owner_gate": "public_gateway_owner_response_required", "preflight_stages": [ "redacted_export_acceptance_required", "normalize_without_raw_conf_storage", "rendered_diff_owner_review_required", "nginx_test_approval_package_required", "reload_approval_separate", "route_smoke_matrix_required", "postcheck_and_rollback_required" ], "production_write_authorized": false, "redacted_export_accepted": false, "redacted_live_conf_ref": null, "rendered_diff_candidate": false, "rendered_diff_ready": false, "rendered_diff_ref": null, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "route_smoke_authorized": false, "route_smoke_executed": false, "route_smoke_plan_ref": null, "runtime_gate": false, "source_config_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json", "status": "draft_waiting_redacted_export_acceptance" }, { "action_buttons_allowed": false, "blocked_actions": [ "read_live_conf_over_ssh", "store_raw_live_conf", "render_diff_from_unredacted_payload", "nginx_test_without_approval", "nginx_reload_without_approval", "route_smoke_without_plan", "dns_probe_without_approval", "tls_probe_without_approval", "certbot_renew_without_approval", "modify_nginx_conf", "modify_dns_tls_config", "change_public_route", "write_production_host", "open_runtime_gate" ], "certbot_renew_authorized": false, "config_id": "host188_internal_tools_https", "control_tier": "C0", "diff_gate_fields": [ "diff_gate_id", "intake_id", "export_request_id", "config_id", "control_tier", "source_config_ref", "redacted_live_conf_ref", "rendered_diff_ref", "nginx_test_plan_ref", "route_smoke_plan_ref", "rollback_owner", "not_approval" ], "diff_gate_id": "public_gateway_rendered_diff_gate:host188_internal_tools_https", "dns_tls_probe_authorized": false, "export_request_id": "public_gateway_live_conf_export:host188_internal_tools_https", "host": "192.168.0.188", "intake_id": "public_gateway_redacted_export_intake:host188_internal_tools_https", "live_path": "owner_confirmation_required", "maintenance_window_accepted": false, "nginx_reload_authorized": false, "nginx_reload_executed": false, "nginx_test_authorized": false, "nginx_test_executed": false, "nginx_test_plan_ref": null, "not_approval": true, "owner_gate": "public_tools_owner_response_required", "preflight_stages": [ "redacted_export_acceptance_required", "normalize_without_raw_conf_storage", "rendered_diff_owner_review_required", "nginx_test_approval_package_required", "reload_approval_separate", "route_smoke_matrix_required", "postcheck_and_rollback_required" ], "production_write_authorized": false, "redacted_export_accepted": false, "redacted_live_conf_ref": null, "rendered_diff_candidate": false, "rendered_diff_ready": false, "rendered_diff_ref": null, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "route_smoke_authorized": false, "route_smoke_executed": false, "route_smoke_plan_ref": null, "runtime_gate": false, "source_config_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json", "status": "draft_waiting_redacted_export_acceptance" }, { "action_buttons_allowed": false, "blocked_actions": [ "read_live_conf_over_ssh", "store_raw_live_conf", "render_diff_from_unredacted_payload", "nginx_test_without_approval", "nginx_reload_without_approval", "route_smoke_without_plan", "dns_probe_without_approval", "tls_probe_without_approval", "certbot_renew_without_approval", "modify_nginx_conf", "modify_dns_tls_config", "change_public_route", "write_production_host", "open_runtime_gate" ], "certbot_renew_authorized": false, "config_id": "host110_ollama_proxy", "control_tier": "C1", "diff_gate_fields": [ "diff_gate_id", "intake_id", "export_request_id", "config_id", "control_tier", "source_config_ref", "redacted_live_conf_ref", "rendered_diff_ref", "nginx_test_plan_ref", "route_smoke_plan_ref", "rollback_owner", "not_approval" ], "diff_gate_id": "public_gateway_rendered_diff_gate:host110_ollama_proxy", "dns_tls_probe_authorized": false, "export_request_id": "public_gateway_live_conf_export:host110_ollama_proxy", "host": "192.168.0.110", "intake_id": "public_gateway_redacted_export_intake:host110_ollama_proxy", "live_path": "/etc/nginx/sites-enabled/110-ollama-proxy.conf", "maintenance_window_accepted": false, "nginx_reload_authorized": false, "nginx_reload_executed": false, "nginx_test_authorized": false, "nginx_test_executed": false, "nginx_test_plan_ref": null, "not_approval": true, "owner_gate": "ai_provider_proxy_owner_response_required", "preflight_stages": [ "redacted_export_acceptance_required", "normalize_without_raw_conf_storage", "rendered_diff_owner_review_required", "nginx_test_approval_package_required", "reload_approval_separate", "route_smoke_matrix_required", "postcheck_and_rollback_required" ], "production_write_authorized": false, "redacted_export_accepted": false, "redacted_live_conf_ref": null, "rendered_diff_candidate": false, "rendered_diff_ready": false, "rendered_diff_ref": null, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "route_smoke_authorized": false, "route_smoke_executed": false, "route_smoke_plan_ref": null, "runtime_gate": false, "source_config_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json", "status": "draft_waiting_redacted_export_acceptance" } ], "diff_gate_fields": [ "diff_gate_id", "intake_id", "export_request_id", "config_id", "control_tier", "source_config_ref", "redacted_live_conf_ref", "rendered_diff_ref", "nginx_test_plan_ref", "route_smoke_plan_ref", "rollback_owner", "not_approval" ], "execution_boundaries": { "action_buttons_allowed": false, "certbot_renew_authorized": false, "dns_tls_probe_authorized": false, "nginx_reload_authorized": false, "nginx_reload_executed": false, "nginx_test_authorized": false, "nginx_test_executed": false, "not_authorization": true, "production_write_authorized": false, "read_live_conf_over_ssh": false, "rendered_diff_authorized": false, "route_smoke_authorized": false, "route_smoke_executed": false, "runtime_execution_authorized": false, "store_raw_live_conf": false }, "generated_at": "2026-06-14T20:05:00+08:00", "git_commit": "f856df1c", "next_steps": [ "等待 redacted export accepted metadata;沒有 accepted metadata 前不得產生 rendered diff。", "rendered diff candidate 必須另走 reviewer / owner review,不得自動進 nginx -t。", "`nginx -t`、reload、route smoke、DNS / TLS probe、certbot renew 與 production write 都必須另行人工批准。" ], "preflight_stages": [ { "gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。", "instruction": "必須先有合格 redacted export accepted metadata,否則不得產生 rendered diff。", "stage_id": "redacted_export_acceptance_required", "status": "required_before_runtime_action" }, { "gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。", "instruction": "只可在隔離工作區以脫敏 ref 產生 normalized diff,不得把 raw live conf 寫入 repo。", "stage_id": "normalize_without_raw_conf_storage", "status": "required_before_runtime_action" }, { "gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。", "instruction": "rendered diff 只可成為 owner review candidate,不自動批准。", "stage_id": "rendered_diff_owner_review_required", "status": "required_before_runtime_action" }, { "gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。", "instruction": "`nginx -t` 必須另有人工批准包、rollback owner 與維護窗口。", "stage_id": "nginx_test_approval_package_required", "status": "required_before_runtime_action" }, { "gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。", "instruction": "reload 與 public route change 必須獨立於 rendered diff 與 nginx -t。", "stage_id": "reload_approval_separate", "status": "required_before_runtime_action" }, { "gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。", "instruction": "route smoke 需列出 affected routes、預期 status、TLS / WebSocket / ACME checks。", "stage_id": "route_smoke_matrix_required", "status": "required_before_runtime_action" }, { "gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。", "instruction": "任何未來執行前都需 rollback owner、post-check 與失敗撤回條件。", "stage_id": "postcheck_and_rollback_required", "status": "required_before_runtime_action" } ], "schema_version": "public_gateway_rendered_diff_gate_draft_v1", "source_intake_preflight_schema_version": "public_gateway_redacted_export_intake_preflight_v1", "source_intake_preflight_status": "redacted_export_intake_preflight_ready_no_payload_received", "status": "rendered_diff_gate_draft_ready_no_runtime_action", "summary": { "action_button_count": 0, "blocked_action_count": 14, "c0_diff_gate_candidate_count": 2, "c1_diff_gate_candidate_count": 1, "certbot_renew_authorized_count": 0, "diff_gate_candidate_count": 3, "diff_gate_field_count": 12, "dns_tls_probe_authorized_count": 0, "maintenance_window_accepted_count": 0, "nginx_reload_authorized_count": 0, "nginx_reload_executed_count": 0, "nginx_test_authorized_count": 0, "nginx_test_executed_count": 0, "preflight_stage_count": 7, "redacted_export_accepted_count": 0, "rendered_diff_candidate_count": 0, "rendered_diff_ready_count": 0, "rollback_owner_accepted_count": 0, "route_smoke_authorized_count": 0, "route_smoke_executed_count": 0, "runtime_gate_count": 0 } }