{ "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "execution_boundaries": { "action_buttons_allowed": false, "active_scan_authorized": false, "deploy_ssh_action_authorized": false, "firewall_change_authorized": false, "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "live_evidence_received": false, "live_host_read_authorized": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_authorization": true, "owner_response_accepted": false, "owner_response_received": false, "port_change_authorized": false, "recipient_confirmed": false, "request_sent": false, "runtime_execution_authorized": false, "secret_value_collection_allowed": false, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "sudo_action_authorized": false, "wireguard_change_authorized": false }, "generated_at": "2026-06-14T22:45:00+08:00", "git_commit": "4c847093", "next_steps": [ "人工送件前確認 network / firewall / deploy owner role 與回覆窗口。", "owner 只能提供脫敏 live access state、allowed source CIDR metadata、maintenance window、rollback owner 與 validation plan。", "收到回覆後先做欄位完整性、敏感 payload 隔離、port close/open 影響範圍與 rollback gate 檢查,不得直接改 firewall 或套用 NetworkPolicy。" ], "request_drafts": [ { "access_scope": [ "192.168.0.110", "192.168.0.111", "192.168.0.112", "192.168.0.120", "192.168.0.121", "192.168.0.188" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "ssh_target_inventory", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "110_111_112_120_121_188", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Ansible inventory SSH targets", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "86108dce9174b5c0a794d240dd40518966d9c340950fc6306845b704f12e6536", "repo_source_path": "infra/ansible/inventory/hosts.yml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:ansible_inventory_ssh_targets", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 48, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "ansible_inventory_ssh_targets", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": false }, { "access_scope": [ "StrictHostKeyChecking=accept-new", "ConnectTimeout=10" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "ssh_client_policy", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "multi_host", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Ansible common SSH host key policy", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "c3d5cb63cf84dea98195aa075e69ca90be7422b5805c0cfc50c1d97b832ad86e", "repo_source_path": "infra/ansible/inventory/group_vars/all.yml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:ansible_common_ssh_args", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 20, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "ansible_common_ssh_args", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": false }, { "access_scope": [ "192.168.0.110", "192.168.0.120", "192.168.0.121", "192.168.0.188" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "known_hosts_secret_workflow", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "110_120_121_188_known_hosts", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Gitea CD repair known_hosts secret", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "5b41cdc34c954a383ebea9e4109d10165ceb40589d55df9ee6e808d4092bf593", "repo_source_path": ".gitea/workflows/cd.yaml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:gitea_cd_known_hosts_secret", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 1562, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "gitea_cd_known_hosts_secret", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": false }, { "access_scope": [ "K8S_SSH_HOST", "deploy_key", "kubectl apply", "ArgoCD sync" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "ci_deploy_ssh", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "k8s_ssh_host", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Gitea CD K8s deploy SSH path", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "5b41cdc34c954a383ebea9e4109d10165ceb40589d55df9ee6e808d4092bf593", "repo_source_path": ".gitea/workflows/cd.yaml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:gitea_cd_deploy_ssh", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 1562, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "gitea_cd_deploy_ssh", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": true }, { "access_scope": [ "192.168.0.120", "deploy_key", "kubectl apply" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "ci_deploy_ssh", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "192.168.0.120", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Gitea CD dev deploy SSH path", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "e344a4672cb543979c3bb8ea67967c103332587b4a52a939c837457aaeae686d", "repo_source_path": ".gitea/workflows/cd-dev.yaml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:gitea_cd_dev_ssh", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 262, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "gitea_cd_dev_ssh", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": true }, { "access_scope": [ "192.168.0.110", "deploy alert scripts" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "ci_deploy_ssh", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "192.168.0.110", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Deploy alerts SSH path", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "b0389fa65da643d411f6961928a276d555ad6a416366bf87f3f5c2c06ee45d13", "repo_source_path": ".gitea/workflows/deploy-alerts.yaml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:deploy_alerts_ssh_path", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 72, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "deploy_alerts_ssh_path", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": true }, { "access_scope": [ "192.168.0.110", "192.168.0.188", "docker ps" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "ssh_discovery_script", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "110_188_docker_hosts", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Monitoring Docker discovery SSH scanner", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "563faf8efcfdbd5a79cc87e0d43c2ba11bebf755a773c97b9c0778f1f0634a15", "repo_source_path": "ops/monitoring/discover_docker.py", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:monitoring_discover_docker_ssh", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 314, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "monitoring_discover_docker_ssh", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": false }, { "access_scope": [ "192.168.0.188", "scp", "docker compose up -d" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "monitoring_ssh_deploy_script", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "192.168.0.188", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Monitoring exporter deploy SSH script", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "dbcbca21cf6fd5083177cb8a12c008c1aefed8e6ed05b70d738b3db37699cef3", "repo_source_path": "ops/monitoring/deploy-exporters.sh", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:monitoring_exporter_deploy_ssh", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 76, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "monitoring_exporter_deploy_ssh", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": true }, { "access_scope": [ "/etc/ssh", "/etc/nginx", "systemd", "docker", "k8s" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "ssh_backup_capture", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "110_188_120_121_cluster", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Backup config SSH capture", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "d24301cff44e464bd19ce0792362be16916ccde8c92f92351a19ef4ee988f15e", "repo_source_path": "scripts/backup/backup-configs.sh", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:backup_config_ssh_capture", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 359, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "backup_config_ssh_capture", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": false }, { "access_scope": [ "awoooi-hosts-add", "docker kill SIGHUP", "promtool", "amtool" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "sudoers_policy", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "host_ops_minimal_sudo", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Host ops sudoers wrapper", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "eff02c67402d2f5b2ac8d112dca26a15dc34f03593ca490a0682a6dfa9b0394d", "repo_source_path": "scripts/host-ops/awoooi-wrapper.sudoers", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:host_ops_sudoers_wrapper", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 27, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "host_ops_sudoers_wrapper", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": true }, { "access_scope": [ "default deny", "ingress", "egress", "SSH egress", "Ollama", "monitoring" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "k8s_network_policy", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "awoooi_prod_namespace", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "K8s production NetworkPolicy", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "f5ea6a9f5fb0cc44664d97a3ed639fa4b43ffd9bcfd70a1f6b44640791b7859f", "repo_source_path": "k8s/awoooi-prod/02-network-policy.yaml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:k8s_prod_network_policy", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 306, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "k8s_prod_network_policy", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": false }, { "access_scope": [ "192.168.0.188", "argocd metrics", "192.168.0.0/24 UI" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "k8s_network_policy", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "argocd_namespace", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "ArgoCD metrics NetworkPolicy", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "41ccd0bb22410c48adc84eae74391106c3f28fe181786cfe4128a07f99d2942c", "repo_source_path": "k8s/argocd/argocd-metrics-network-policy.yaml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:argocd_metrics_network_policy", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 80, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "argocd_metrics_network_policy", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": false }, { "access_scope": [ "nodePort 30882", "nodePort 30883" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "k8s_nodeport_service", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "argocd_nodeport_30882_30883", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "ArgoCD metrics NodePort", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "7f4a8f09206ce0afc185fe11d5e55265bb553b671471724cdcd83c259ec7d266", "repo_source_path": "k8s/argocd/argocd-metrics-nodeport.yaml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:argocd_metrics_nodeport", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 47, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "argocd_metrics_nodeport", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": false }, { "access_scope": [ "nodePort 30885", "backup metrics" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "k8s_nodeport_service", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "velero_nodeport_30885", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Velero metrics NodePort", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "684959def32b792e2bca34b477afcdfe2b0c6dfd0cb90f4b681a514922d62b75", "repo_source_path": "k8s/velero/velero-metrics-service.yaml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:velero_metrics_nodeport", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 26, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "velero_metrics_nodeport", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": false }, { "access_scope": [ "10.77.114.0/24", "51820/udp", "GCP-A", "GCP-B" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "wireguard_runbook", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "110_111_120_121_gcp_a_gcp_b", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "GCP Ollama WireGuard mesh runbook", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "0af082698c727176ca82c79f95f3950f4c32ed6aabc91c88aff41831fbf0c044", "repo_source_path": "docs/runbooks/GCP-OLLAMA-WIREGUARD-MESH.md", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:wireguard_mesh_runbook", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 280, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "wireguard_mesh_runbook", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": false }, { "access_scope": [ "ssh_diagnose", "docker restart", "systemctl restart", "docker compose", "docker prune" ], "action_buttons_allowed": false, "active_scan_authorized": false, "affected_scope": "pending_affected_scope", "allowed_source_cidrs_ref": null, "blocked_actions": [ "ssh_read", "ssh_write", "host_keyscan", "known_hosts_patch", "firewall_change", "port_close", "port_open", "network_policy_apply", "nodeport_change", "wireguard_change", "sudo_action", "deploy_ssh_action", "secret_value_collection", "ssh_key_collection", "active_scan", "runtime_gate_open" ], "break_glass_owner": "pending_break_glass_owner", "change_freeze_rule": "pending_change_freeze_rule", "config_kind": "alert_ssh_action_rules", "control_tier": "C1", "decision": "pending_owner_decision", "decision_reason": "pending_decision_reason", "deploy_ssh_action_authorized": false, "expected_scope": "ssh_mcp_action_catalog", "firewall_change_authorized": false, "followup_owner": "pending_followup_owner", "host_keyscan_authorized": false, "host_write_authorized": false, "known_hosts_patch_authorized": false, "label": "Alert rules SSH action surface", "live_access_state_ref": null, "live_evidence_received": false, "maintenance_window": "pending_maintenance_window", "maintenance_window_accepted": false, "network_policy_apply_authorized": false, "nodeport_change_authorized": false, "not_approval": true, "owner_response_accepted": false, "owner_response_received": false, "owner_role_or_team": "pending_owner_role_or_team", "port_change_authorized": false, "recipient_confirmed": false, "redacted_evidence_refs": [], "repo_sha256": "5786505aa05073bbb2069203a443a75c8337a289dc015630792d0c201c85cafb", "repo_source_path": "apps/api/alert_rules.yaml", "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "request_id": "ssh_network_owner_request:alert_rules_ssh_actions", "request_sent": false, "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "requires_live_evidence": true, "rollback_owner": "pending_rollback_owner", "rollback_owner_accepted": false, "runtime_gate": false, "secret_value_collection_allowed": false, "source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json", "source_line_count": 889, "ssh_key_collection_allowed": false, "ssh_read_authorized": false, "ssh_write_authorized": false, "status": "draft_not_dispatched", "sudo_action_authorized": false, "surface_id": "alert_rules_ssh_actions", "validation_plan": "pending_validation_plan", "validation_plan_accepted": false, "wireguard_change_authorized": false, "write_capable_surface": true } ], "request_fields": [ "request_id", "surface_id", "label", "expected_scope", "config_kind", "access_scope", "control_tier", "repo_source_path", "repo_sha256", "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner", "not_approval" ], "required_owner_fields": [ "owner_role_or_team", "decision", "decision_reason", "affected_scope", "redacted_evidence_refs", "live_access_state_ref", "allowed_source_cidrs_ref", "maintenance_window", "rollback_owner", "validation_plan", "break_glass_owner", "change_freeze_rule", "followup_owner" ], "schema_version": "ssh_network_owner_request_draft_v1", "source_inventory_schema_version": "ssh_network_access_inventory_v1", "source_inventory_status": "repo_only_inventory_ready", "status": "owner_request_draft_ready_not_dispatched", "summary": { "action_button_count": 0, "active_scan_authorized_count": 0, "blocked_action_count": 16, "deploy_ssh_action_authorized_count": 0, "firewall_change_authorized_count": 0, "host_keyscan_authorized_count": 0, "host_write_authorized_count": 0, "known_hosts_patch_authorized_count": 0, "live_evidence_received_count": 0, "live_evidence_required_request_count": 16, "maintenance_window_accepted_count": 0, "network_policy_apply_authorized_count": 0, "nodeport_change_authorized_count": 0, "owner_response_accepted_count": 0, "owner_response_received_count": 0, "port_change_authorized_count": 0, "recipient_confirmed_count": 0, "request_draft_count": 16, "request_field_count": 23, "request_sent_count": 0, "required_owner_field_count": 13, "rollback_owner_accepted_count": 0, "runtime_gate_count": 0, "secret_value_collection_allowed_count": 0, "ssh_key_collection_allowed_count": 0, "ssh_read_authorized_count": 0, "ssh_write_authorized_count": 0, "sudo_action_authorized_count": 0, "validation_plan_accepted_count": 0, "wireguard_change_authorized_count": 0, "write_capable_request_draft_count": 6 } }