{ "execution_boundaries": { "action_buttons_allowed": false, "active_scan_authorized": false, "audit_event_emitted": false, "dispatch_authorized": false, "dns_tls_change_authorized": false, "host_write_authorized": false, "nginx_reload_authorized": false, "not_authorization": true, "production_write_authorized": false, "recipient_confirmed": false, "request_sent": false, "reviewer_queue_write": false, "runtime_execution_authorized": false, "secret_value_collection_allowed": false, "workflow_modification_authorized": false }, "forbidden_payloads": [ "token", "secret", "private_key", "cookie", "session", "authorization_header", "runner_token", "webhook_secret", "db_dump", "repo_archive", "git_object_pack", "raw_sensitive_live_config" ], "generated_at": "2026-06-14T18:45:00+08:00", "git_commit": "ddd9e433", "handoff_envelope_fields": [ "request_id", "stage_id", "packet_id", "recipient_role_or_team", "sender_role_or_team", "requested_response_window", "allowed_response_format", "redacted_evidence_refs", "forbidden_payloads", "followup_owner", "not_approval" ], "not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。", "request_drafts": [ { "accepted_response": false, "action_buttons_allowed": false, "affected_files": [ "scripts/ops/188-registry-certbot-fix.sh", "scripts/ops/fix-188-registry-certbot-renewal.sh" ], "allowed_response_format": { "allowed_decisions": [ "confirm", "defer", "reject", "request_more_evidence" ], "fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "followup_owner", "rollback_owner", "maintenance_window", "validation_plan" ], "redacted_evidence_refs_only": true }, "audit_event_emitted": false, "blocked_requests": [ "repo_create", "visibility_change", "refs_sync", "refs_delete", "force_push", "workflow_modify", "runner_enable", "secret_value_submit", "ssh_host_modify", "nginx_reload", "dns_tls_modify", "argocd_sync", "kubectl_apply", "active_scan", "agent_bounty_runtime_execute", "payout_or_withdrawal" ], "category_id": "dns_tls_certbot", "control_tier": "C0", "followup_owner": "pending_followup_owner", "forbidden_payloads": [ "token", "secret", "private_key", "cookie", "session", "authorization_header", "runner_token", "webhook_secret", "db_dump", "repo_archive", "git_object_pack", "raw_sensitive_live_config" ], "handoff_envelope_fields": [ "request_id", "stage_id", "packet_id", "recipient_role_or_team", "sender_role_or_team", "requested_response_window", "allowed_response_format", "redacted_evidence_refs", "forbidden_payloads", "followup_owner", "not_approval" ], "label": "DNS / TLS / certbot / certificate path", "not_approval": true, "not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。", "packet_id": "high_value_config_owner_packet:dns_tls_certbot", "priority": "P0", "production_write_authorized": false, "received_response": false, "recipient_confirmed": false, "recipient_role_or_team": "pending_owner_role_or_team", "redacted_evidence_refs": [ "docs/security/high-value-config-owner-packet.snapshot.json", "docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json" ], "rejected_response": false, "request_id": "high_value_config_owner_request:dns_tls_certbot", "request_sent": false, "requested_response_window": "not_scheduled", "required_gate": "domain_tls_owner_response_required", "required_validation": [ "domain_inventory", "certificate_path_check", "renewal_window", "acme_path_smoke", "public_https_smoke", "rollback_ref" ], "reviewer_queue_write": false, "runtime_gate": false, "secret_value_collection_allowed": false, "sender_role_or_team": "iwooos_security_reviewer", "stage_id": "P0-14", "status": "draft_not_dispatched" }, { "accepted_response": false, "action_buttons_allowed": false, "affected_files": [ "k8s/nginx/awoooi-prod.conf" ], "allowed_response_format": { "allowed_decisions": [ "confirm", "defer", "reject", "request_more_evidence" ], "fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "followup_owner", "rollback_owner", "maintenance_window", "validation_plan" ], "redacted_evidence_refs_only": true }, "audit_event_emitted": false, "blocked_requests": [ "repo_create", "visibility_change", "refs_sync", "refs_delete", "force_push", "workflow_modify", "runner_enable", "secret_value_submit", "ssh_host_modify", "nginx_reload", "dns_tls_modify", "argocd_sync", "kubectl_apply", "active_scan", "agent_bounty_runtime_execute", "payout_or_withdrawal" ], "category_id": "nginx_public_gateway", "control_tier": "C0", "followup_owner": "pending_followup_owner", "forbidden_payloads": [ "token", "secret", "private_key", "cookie", "session", "authorization_header", "runner_token", "webhook_secret", "db_dump", "repo_archive", "git_object_pack", "raw_sensitive_live_config" ], "handoff_envelope_fields": [ "request_id", "stage_id", "packet_id", "recipient_role_or_team", "sender_role_or_team", "requested_response_window", "allowed_response_format", "redacted_evidence_refs", "forbidden_payloads", "followup_owner", "not_approval" ], "label": "Nginx / reverse proxy / public route", "not_approval": true, "not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。", "packet_id": "high_value_config_owner_packet:nginx_public_gateway", "priority": "P0", "production_write_authorized": false, "received_response": false, "recipient_confirmed": false, "recipient_role_or_team": "pending_owner_role_or_team", "redacted_evidence_refs": [ "docs/security/high-value-config-owner-packet.snapshot.json", "docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json" ], "rejected_response": false, "request_id": "high_value_config_owner_request:nginx_public_gateway", "request_sent": false, "requested_response_window": "not_scheduled", "required_gate": "public_gateway_owner_response_required", "required_validation": [ "rendered_diff", "nginx_t", "affected_route_smoke", "admin_route_smoke_if_affected", "acme_path_smoke_if_affected", "rollback_ref" ], "reviewer_queue_write": false, "runtime_gate": false, "secret_value_collection_allowed": false, "sender_role_or_team": "iwooos_security_reviewer", "stage_id": "P0-14", "status": "draft_not_dispatched" }, { "accepted_response": false, "action_buttons_allowed": false, "affected_files": [ "docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md", "docs/security/high-value-config-change-gate.snapshot.json", "scripts/security/high-value-config-change-gate.py" ], "allowed_response_format": { "allowed_decisions": [ "confirm", "defer", "reject", "request_more_evidence" ], "fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "followup_owner", "rollback_owner", "maintenance_window", "validation_plan" ], "redacted_evidence_refs_only": true }, "audit_event_emitted": false, "blocked_requests": [ "repo_create", "visibility_change", "refs_sync", "refs_delete", "force_push", "workflow_modify", "runner_enable", "secret_value_submit", "ssh_host_modify", "nginx_reload", "dns_tls_modify", "argocd_sync", "kubectl_apply", "active_scan", "agent_bounty_runtime_execute", "payout_or_withdrawal" ], "category_id": "security_evidence_tooling", "control_tier": "C3", "followup_owner": "pending_followup_owner", "forbidden_payloads": [ "token", "secret", "private_key", "cookie", "session", "authorization_header", "runner_token", "webhook_secret", "db_dump", "repo_archive", "git_object_pack", "raw_sensitive_live_config" ], "handoff_envelope_fields": [ "request_id", "stage_id", "packet_id", "recipient_role_or_team", "sender_role_or_team", "requested_response_window", "allowed_response_format", "redacted_evidence_refs", "forbidden_payloads", "followup_owner", "not_approval" ], "label": "Security evidence / snapshot / guard tooling", "not_approval": true, "not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。", "packet_id": "high_value_config_owner_packet:security_evidence_tooling", "priority": "P3", "production_write_authorized": false, "received_response": false, "recipient_confirmed": false, "recipient_role_or_team": "pending_owner_role_or_team", "redacted_evidence_refs": [ "docs/security/high-value-config-owner-packet.snapshot.json", "docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json" ], "rejected_response": false, "request_id": "high_value_config_owner_request:security_evidence_tooling", "request_sent": false, "requested_response_window": "not_scheduled", "required_gate": "security_evidence_owner_review_required", "required_validation": [ "snapshot_parse", "guard_smoke", "doc_secret_sanity", "no_runtime_gate_increase" ], "reviewer_queue_write": false, "runtime_gate": false, "secret_value_collection_allowed": false, "sender_role_or_team": "iwooos_security_reviewer", "stage_id": "P0-14", "status": "draft_not_dispatched" } ], "schema_version": "high_value_config_owner_request_draft_v1", "send_after_conditions": [ "必須先重新確認 gitea/main、P0 總帳與另一個 AwoooP Session 基線。", "只能送出脫敏欄位與禁止條款,不得附 secret value、raw payload 或執行命令。", "只有真實人工送件 metadata 存在時,才能另行記錄 request_sent_count。", "送件後不得同步拉高 received / accepted / rejected / reviewer queue / runtime gate。" ], "source_intake_preflight_schema_version": "high_value_config_owner_packet_intake_preflight_v1", "source_intake_preflight_status": "request_dispatch_preflight_ready", "status": "owner_request_draft_ready_not_dispatched", "summary": { "accepted_response_count": 0, "action_button_count": 0, "audit_event_emitted_count": 0, "blocked_request_count": 16, "c0_request_draft_count": 2, "c1_request_draft_count": 0, "dispatch_preflight_check_count": 9, "forbidden_payload_count": 12, "handoff_envelope_field_count": 11, "received_response_count": 0, "recipient_confirmed_count": 0, "rejected_response_count": 0, "request_draft_count": 3, "request_sent_count": 0, "required_owner_field_total": 27, "reviewer_intake_lane_count": 5, "reviewer_queue_write_count": 0, "runtime_gate_count": 0 } }