awoooi/docs/security/PUBLIC-GATEWAY-RENDERED-DIFF-ACCEPTANCE.md
Your Name a4998f915c
fix(iwooos): add public gateway diff evidence acceptance
2026-06-15 00:12:53 +08:00


# IwoooS Public Gateway Rendered Diff Acceptance Read-Only Ledger

| Item | Content |
| --- | --- |
| Date | 2026-06-14 |
| Status | rendered_diff_acceptance_ledger_ready_no_runtime_action |
| Tool | scripts/security/public-gateway-rendered-diff-acceptance.py |
| Inputs | docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json, docs/security/public-gateway-owner-response-acceptance.snapshot.json |
| Snapshot | docs/security/public-gateway-rendered-diff-acceptance.snapshot.json |
| runtime gate | 0 |

## 1. Purpose

The Nginx public gateway is the shared entry point for the public website, the API, webhooks, WebSocket, TLS and ACME. The earlier layers established the live conf export request, the redacted export intake preflight, the rendered diff gate draft and the owner response acceptance. This document adds the next layer: once the owner has accepted, how the rendered diff, the owner-provided nginx -t readback evidence and the route smoke evidence are accepted into the ledger.

This ledger deals only with evidence format, redaction boundaries, traceability and reviewer triage. It is not an owner response accepted record, not a rendered diff accepted record, not an authorization to run nginx -t, not an Nginx reload, not a route smoke, not a DNS / TLS probe, not a certbot renew, not a host write, and not a production write or a runtime gate.

## 2. Summary

| Metric | Value | Note |
| --- | --- | --- |
| diff acceptance candidate count | 3 | one per public gateway config |
| C0 diff acceptance candidate count | 2 | 188 all sites, 188 internal tools HTTPS |
| C1 diff acceptance candidate count | 1 | 110 Ollama proxy |
| diff acceptance field count | 25 | evidence acceptance fields per record |
| required evidence field count | 14 | mandatory fields in future owner evidence |
| reviewer check count | 15 | intake, quarantine, rejection, supplement and reviewer acceptance checks |
| outcome lane count | 8 | from waiting for owner accepted to waiting for independent runtime approval |
| blocked action count | 22 | actions that must not be executed directly or misread as authorization |
| owner response accepted | 0 | not yet received / accepted |
| rendered diff received / accepted | 0 / 0 | not yet received / accepted |
| nginx test evidence received / accepted | 0 / 0 | not yet received / accepted |
| route smoke evidence received / accepted | 0 / 0 | not yet received / accepted |
| runtime gate / action button | 0 / 0 | not opened |

## 3. Acceptance Fields

| Field | Rule |
| --- | --- |
| diff_acceptance_id | fixed mapping to the public gateway rendered diff acceptance |
| owner_response_acceptance_id | maps to the owner response acceptance candidate of the previous layer |
| diff_gate_id | maps to the rendered diff gate draft |
| config_id | maps to the public gateway config |
| control_tier | keeps the C0 / C1 risk tier |
| host | keeps only the existing host scope; does not imply SSH authorization |
| live_path | keeps only the expected live path; does not imply the live conf was read |
| redacted_live_conf_ref | may only hold a redacted ref / hash / artifact pointer |
| rendered_diff_ref | may only hold a ref; the full diff payload must not be pasted in |
| rendered_diff_hash_ref | points to hash / checksum evidence |
| diff_scope_summary | summarizes the affected routes / upstream / TLS / ACME scope |
| affected_routes | must map back to the preflight inventory |
| nginx_test_evidence_ref | may only hold an owner-provided readback ref |
| nginx_test_operator | operator role; must not be an untraceable personal nickname |
| nginx_test_result | result summary; must not contain secrets |
| route_smoke_matrix_ref | affected route smoke matrix ref |
| route_smoke_result_ref | route smoke readback ref |
| tls_acme_impact_ref | TLS / ACME impact ref |
| maintenance_window | maintenance window or an explicit blackout window |
| rollback_owner | rollback owner / team |
| rollback_ref | rollback plan / revision / artifact ref |
| postcheck_evidence_ref | post-check readback ref |
| reviewer_outcome | reviewer acceptance lane |
| followup_owner | owner for the supplement or the next stage |
| not_approval | must be true |

## 4. Reviewer Checks

| Check | Rule |
| --- | --- |
| owner_response_accepted_first | an owner response accepted record must exist first |
| redacted_live_conf_ref_only | raw live conf is not accepted |
| rendered_diff_ref_not_payload | a full diff payload is not accepted |
| diff_scope_matches_config_id | the diff scope must map back to config_id |
| nginx_test_evidence_is_readback_only | this tool must not run nginx -t |
| nginx_test_result_has_timestamp | the test result needs a timestamp, an operator role and a result summary |
| route_smoke_matrix_complete | the smoke matrix must list the affected routes and their expected results |
| tls_acme_impact_separated | TLS / ACME impact cannot be replaced by route smoke |
| secret_value_absent | must not contain secret values or anything derived from them |
| maintenance_window_present | a window must exist before any future runtime action |
| rollback_owner_and_ref_present | rollback owner and ref must both be present |
| postcheck_plan_present | a post-check evidence ref must be present |
| no_execution_request_embedded | evidence must not carry an execution request |
| counts_transition_safe | accepted / rejected counts may only be updated by a reviewer record |
| action_button_absent | the front end must not gain an execute button |

## 5. Outcome Lanes

| Lane | Meaning |
| --- | --- |
| waiting_owner_response_acceptance | owner response not yet accepted |
| waiting_rendered_diff_evidence | waiting for rendered diff / nginx test / route smoke evidence refs |
| quarantine_raw_conf_or_payload | raw conf or a full payload can only be quarantined |
| reject_secret_or_execution_request | secrets or execution requests are rejected outright |
| request_evidence_supplement | missing fields or an incomplete route matrix require a supplement |
| ready_for_reviewer_acceptance | metadata passes; proceeds to reviewer acceptance |
| accepted_for_runtime_gate_planning | may only proceed to the next layer, runtime gate planning |
| waiting_separate_runtime_approval | nginx -t / reload / smoke still need independent manual approval |
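To show how the section 4 checks decide the section 5 lane, here is an added Python illustration of the metadata-only triage; it is not the project's `public-gateway-rendered-diff-acceptance.py`. The required-field subset, the regex heuristics and the `smoke_matrix` argument (assumed to be the content resolved from `route_smoke_matrix_ref`) are assumptions, and the sample record uses PLACEHOLDER values.

```python
import re

# Assumed subset of the ledger's required evidence fields (the page counts 14
# but does not enumerate them); the names are those of section 3.
REQUIRED_FIELDS = (
    "diff_acceptance_id", "owner_response_acceptance_id", "diff_gate_id", "config_id",
    "redacted_live_conf_ref", "rendered_diff_ref", "rendered_diff_hash_ref",
    "affected_routes", "nginx_test_evidence_ref", "nginx_test_result",
    "route_smoke_matrix_ref", "rollback_owner", "rollback_ref", "postcheck_evidence_ref",
)
# Constructed heuristics for the section 4 checks; a real reviewer tool would tune them.
RAW_CONF_RE = re.compile(r"\b(server|location\s+\S+)\s*\{|\bproxy_pass\b")   # raw nginx conf text
DIFF_PAYLOAD_RE = re.compile(r"^(@@ |\+\+\+ |--- )", re.M)                    # unified diff body
SECRET_RE = re.compile(r"BEGIN [A-Z ]*PRIVATE KEY|\b(password|token|secret)\s*[:=]\s*\S+", re.I)
EXEC_REQUEST_RE = re.compile(r"\b(please|now)\s+(run|execute|reload)\b|\bnginx -s reload\b", re.I)


def triage(record: dict, owner_response_accepted: bool, smoke_matrix: dict) -> str:
    """Map one evidence record to an outcome lane from section 5.
    smoke_matrix is assumed to be the content behind route_smoke_matrix_ref
    (route -> expected result). Only metadata is inspected; nothing is executed."""
    if not owner_response_accepted:                  # owner_response_accepted_first
        return "waiting_owner_response_acceptance"
    blob = "\n".join(" ".join(v) if isinstance(v, list) else str(v) for v in record.values())
    if SECRET_RE.search(blob) or EXEC_REQUEST_RE.search(blob):
        return "reject_secret_or_execution_request"  # secret_value_absent, no_execution_request_embedded
    if (RAW_CONF_RE.search(str(record.get("redacted_live_conf_ref", "")))
            or DIFF_PAYLOAD_RE.search(str(record.get("rendered_diff_ref", "")))):
        return "quarantine_raw_conf_or_payload"      # ref fields must stay pointers, never content
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("not_approval") is not True:       # not_approval must be true
        missing.append("not_approval")
    uncovered = [r for r in record.get("affected_routes", []) if not smoke_matrix.get(r)]
    if missing or uncovered:                         # route_smoke_matrix_complete + required fields
        return "request_evidence_supplement"
    return "ready_for_reviewer_acceptance"           # any later lane needs a reviewer record

# Constructed sample record; PLACEHOLDER values stand in for real refs and hashes.
SAMPLE_RECORD = {
    "diff_acceptance_id": "pg-diff-acc-001", "owner_response_acceptance_id": "pg-owner-acc-001",
    "diff_gate_id": "pg-diff-gate-001", "config_id": "188-all-sites", "not_approval": True,
    "redacted_live_conf_ref": "artifact://redacted/188-all-sites#PLACEHOLDER",
    "rendered_diff_ref": "artifact://diff/188-all-sites.patch", "rendered_diff_hash_ref": "sha256:PLACEHOLDER",
    "affected_routes": ["/api/", "/ws/"], "nginx_test_evidence_ref": "readback://nginx-t/PLACEHOLDER",
    "nginx_test_result": "2026-06-14T22:00+08:00 gateway-operator: syntax ok, test successful",
    "route_smoke_matrix_ref": "readback://smoke/PLACEHOLDER", "rollback_owner": "gateway-team",
    "rollback_ref": "rev:PLACEHOLDER", "postcheck_evidence_ref": "readback://postcheck/PLACEHOLDER",
}
SAMPLE_MATRIX = {"/api/": "200 on /api/health", "/ws/": "101 upgrade on /ws/"}
```

Rejection is checked before quarantine so that a pasted conf containing a secret is rejected rather than kept in quarantine.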

## 6. Blocked Actions

| Action | Boundary |
| --- | --- |
| read_live_conf_over_ssh | must not run without authorization |
| store_raw_live_conf | must not be written to the repo, LOGBOOK or front end |
| store_full_rendered_diff_payload | the full diff payload must not be stored |
| accept_unredacted_live_conf | not accepted |
| collect_secret_value | secret values are not collected |
| accept_execution_request_inside_evidence | evidence must not carry an execution request |
| mark_rendered_diff_accepted_without_owner_response | owner response accepted must not be skipped |
| mark_rendered_diff_accepted_without_reviewer_record | the reviewer record must not be skipped |
| run_nginx_test_from_diff_acceptance | must not be run by this ledger |
| run_route_smoke_from_diff_acceptance | must not be run by this ledger |
| nginx_reload_from_diff_acceptance | must not be run by this ledger |
| dns_probe_from_diff_acceptance | must not be run by this ledger |
| tls_probe_from_diff_acceptance | must not be run by this ledger |
| certbot_renew_from_diff_acceptance | must not be run by this ledger |
| modify_nginx_conf | must not change the live conf |
| modify_dns_tls_config | must not change DNS / TLS / certbot |
| change_public_route | must not change public routes |
| change_admin_route | must not change admin routes |
| change_websocket_route | must not change WebSocket routes |
| write_production_host | no host write |
| open_runtime_gate | must not open the runtime gate |
| add_action_button | must not add an action button |

## 7. Commands

Generate the committed snapshot:

```bash
python3 scripts/security/public-gateway-rendered-diff-acceptance.py \
  --root . \
  --rendered-diff-gate-report docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json \
  --owner-response-acceptance-report docs/security/public-gateway-owner-response-acceptance.snapshot.json \
  --output docs/security/public-gateway-rendered-diff-acceptance.snapshot.json \
  --generated-at 2026-06-14T23:58:00+08:00
```

Verify the guard:

```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```

## 8. Completion

| Task | Completion | Note |
| --- | --- | --- |
| rendered diff acceptance artifact | 100% | generator, snapshot and document are fixed |
| owner response accepted | 0% | not yet received / accepted |
| rendered diff evidence accepted | 0% | not yet received / accepted |
| nginx test evidence accepted | 0% | not yet received / accepted |
| route smoke evidence accepted | 0% | not yet received / accepted |
| runtime reload / host write | 0% | not authorized and not executed |