{
"confirmation_questions": [
{
"gate_effect": "不得增加 request sent / received / accepted / runtime gate。",
"instruction": "請 owner 說明 certificate path domain 與 service domain 不同時,是否由 SAN、wildcard 或共用憑證合法覆蓋。",
"question_id": "certificate_coverage_basis",
"required": true
},
{
"gate_effect": "不得增加 request sent / received / accepted / runtime gate。",
"instruction": "若需提供憑證狀態,只能提供脫敏 metadata ref;不得貼 raw certificate、private key 或 certbot account 內容。",
"question_id": "certificate_expiry_metadata_ref",
"required": true
},
{
"gate_effect": "不得增加 request sent / received / accepted / runtime gate。",
"instruction": "請確認未來 renewal owner、工具路徑與責任邊界;不得在本 request 夾帶 certbot renew 要求。",
"question_id": "renewal_owner_and_method",
"required": true
},
{
"gate_effect": "不得增加 request sent / received / accepted / runtime gate。",
"instruction": "若 domain 依賴 HTTP-01 ACME route,請確認 challenge path owner 與 route smoke 負責人。",
"question_id": "acme_challenge_route_owner",
"required": true
},
{
"gate_effect": "不得增加 request sent / received / accepted / runtime gate。",
"instruction": "請提供後續若要 probe、renew 或 reload 時的 validation plan、rollback owner 與維護窗口。",
"question_id": "postcheck_and_rollback_owner",
"required": true
}
],
"execution_boundaries": {
"action_buttons_allowed": false,
"certbot_renew_authorized": false,
"certbot_renew_executed": false,
"dns_query_authorized": false,
"dns_query_executed": false,
"host_write_authorized": false,
"host_write_executed": false,
"live_tls_probe_authorized": false,
"live_tls_probe_executed": false,
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"production_write_authorized": false,
"recipient_confirmed": false,
"request_sent": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false
},
"generated_at": "2026-06-14T20:35:00+08:00",
"git_commit": "757f6a53",
"next_steps": [
"人工送件前先確認 recipient role / team 與本 snapshot 版本,送件後也只可更新 request metadata。",
"收到 owner 回覆後先做敏感 payload 隔離與欄位完整性檢查,不可直接開 DNS / TLS probe。",
"若未來要 certbot renew、Nginx reload 或 route smoke,必須另開 maintenance window、rollback owner 與 post-check gate。"
],
"owner_confirmation_requests": [
{
"action_buttons_allowed": false,
"affected_scope": "pending_affected_scope",
"certbot_renew_authorized": false,
"certbot_renew_executed": false,
"certificate_path_domains": [
"sentry.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_internal_tools_https"
],
"confirmation_questions": [
"certificate_coverage_basis",
"certificate_expiry_metadata_ref",
"renewal_owner_and_method",
"acme_challenge_route_owner",
"postcheck_and_rollback_owner"
],
"control_tier": "C0",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"dns_query_authorized": false,
"dns_query_executed": false,
"domain": "gitea.wooo.work",
"followup_owner": "pending_followup_owner",
"host_write_authorized": false,
"hosts": [
"192.168.0.188"
],
"live_paths": [
"owner_confirmation_required"
],
"live_tls_probe_authorized": false,
"live_tls_probe_executed": false,
"maintenance_window": "pending_maintenance_window",
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_rejected": false,
"owner_review_status": "repo_only_owner_confirmation_required",
"owner_role_or_team": "pending_owner_role_or_team",
"production_write_authorized": false,
"quarantine_written": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"rejection_guards": [
"tls_private_key_or_raw_cert_payload",
"certbot_account_key_or_credentials",
"dns_provider_or_registrar_credential",
"token_secret_cookie_session",
"authorization_header_or_basic_auth",
"unredacted_certbot_log_or_env_dump",
"shell_history_or_private_key_path_dump",
"dns_query_or_tls_probe_request",
"certbot_renew_execution_request",
"nginx_reload_or_route_change_request",
"ssh_host_write_or_runtime_request",
"production_write_or_action_button_request"
],
"request_fields": [
"request_id",
"domain",
"control_tier",
"hosts",
"certificate_path_domains",
"certificate_paths",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan",
"not_approval"
],
"request_id": "domain_tls_certbot_owner_confirmation:gitea.wooo.work",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"rollback_owner": "pending_rollback_owner",
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_paths": [
"infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2"
],
"source_snapshot_ref": "docs/security/domain-tls-certbot-inventory.snapshot.json",
"status": "draft_not_dispatched",
"tls_certificate_path_present": true,
"validation_plan": "pending_validation_plan"
},
{
"action_buttons_allowed": false,
"affected_scope": "pending_affected_scope",
"certbot_renew_authorized": false,
"certbot_renew_executed": false,
"certificate_path_domains": [
"sentry.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_internal_tools_https"
],
"confirmation_questions": [
"certificate_coverage_basis",
"certificate_expiry_metadata_ref",
"renewal_owner_and_method",
"acme_challenge_route_owner",
"postcheck_and_rollback_owner"
],
"control_tier": "C0",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"dns_query_authorized": false,
"dns_query_executed": false,
"domain": "langfuse.wooo.work",
"followup_owner": "pending_followup_owner",
"host_write_authorized": false,
"hosts": [
"192.168.0.188"
],
"live_paths": [
"owner_confirmation_required"
],
"live_tls_probe_authorized": false,
"live_tls_probe_executed": false,
"maintenance_window": "pending_maintenance_window",
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_rejected": false,
"owner_review_status": "repo_only_owner_confirmation_required",
"owner_role_or_team": "pending_owner_role_or_team",
"production_write_authorized": false,
"quarantine_written": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"rejection_guards": [
"tls_private_key_or_raw_cert_payload",
"certbot_account_key_or_credentials",
"dns_provider_or_registrar_credential",
"token_secret_cookie_session",
"authorization_header_or_basic_auth",
"unredacted_certbot_log_or_env_dump",
"shell_history_or_private_key_path_dump",
"dns_query_or_tls_probe_request",
"certbot_renew_execution_request",
"nginx_reload_or_route_change_request",
"ssh_host_write_or_runtime_request",
"production_write_or_action_button_request"
],
"request_fields": [
"request_id",
"domain",
"control_tier",
"hosts",
"certificate_path_domains",
"certificate_paths",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan",
"not_approval"
],
"request_id": "domain_tls_certbot_owner_confirmation:langfuse.wooo.work",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"rollback_owner": "pending_rollback_owner",
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_paths": [
"infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2"
],
"source_snapshot_ref": "docs/security/domain-tls-certbot-inventory.snapshot.json",
"status": "draft_not_dispatched",
"tls_certificate_path_present": true,
"validation_plan": "pending_validation_plan"
},
{
"action_buttons_allowed": false,
"affected_scope": "pending_affected_scope",
"certbot_renew_authorized": false,
"certbot_renew_executed": false,
"certificate_path_domains": [
"sentry.wooo.work"
],
"certificate_paths": [
"/etc/letsencrypt/live/sentry.wooo.work/fullchain.pem"
],
"config_ids": [
"host188_all_sites",
"host188_internal_tools_https"
],
"confirmation_questions": [
"certificate_coverage_basis",
"certificate_expiry_metadata_ref",
"renewal_owner_and_method",
"acme_challenge_route_owner",
"postcheck_and_rollback_owner"
],
"control_tier": "C0",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"dns_query_authorized": false,
"dns_query_executed": false,
"domain": "signoz.wooo.work",
"followup_owner": "pending_followup_owner",
"host_write_authorized": false,
"hosts": [
"192.168.0.188"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf",
"owner_confirmation_required"
],
"live_tls_probe_authorized": false,
"live_tls_probe_executed": false,
"maintenance_window": "pending_maintenance_window",
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_rejected": false,
"owner_review_status": "repo_only_owner_confirmation_required",
"owner_role_or_team": "pending_owner_role_or_team",
"production_write_authorized": false,
"quarantine_written": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"rejection_guards": [
"tls_private_key_or_raw_cert_payload",
"certbot_account_key_or_credentials",
"dns_provider_or_registrar_credential",
"token_secret_cookie_session",
"authorization_header_or_basic_auth",
"unredacted_certbot_log_or_env_dump",
"shell_history_or_private_key_path_dump",
"dns_query_or_tls_probe_request",
"certbot_renew_execution_request",
"nginx_reload_or_route_change_request",
"ssh_host_write_or_runtime_request",
"production_write_or_action_button_request"
],
"request_fields": [
"request_id",
"domain",
"control_tier",
"hosts",
"certificate_path_domains",
"certificate_paths",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan",
"not_approval"
],
"request_id": "domain_tls_certbot_owner_confirmation:signoz.wooo.work",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"rollback_owner": "pending_rollback_owner",
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2",
"infra/ansible/roles/nginx/templates/188-internal-tools-https.conf.j2"
],
"source_snapshot_ref": "docs/security/domain-tls-certbot-inventory.snapshot.json",
"status": "draft_not_dispatched",
"tls_certificate_path_present": true,
"validation_plan": "pending_validation_plan"
},
{
"action_buttons_allowed": false,
"affected_scope": "pending_affected_scope",
"certbot_renew_authorized": false,
"certbot_renew_executed": false,
"certificate_path_domains": [
"www.tsenyang.com"
],
"certificate_paths": [
"/etc/letsencrypt/live/www.tsenyang.com/fullchain.pem"
],
"config_ids": [
"host188_all_sites"
],
"confirmation_questions": [
"certificate_coverage_basis",
"certificate_expiry_metadata_ref",
"renewal_owner_and_method",
"acme_challenge_route_owner",
"postcheck_and_rollback_owner"
],
"control_tier": "C0",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"dns_query_authorized": false,
"dns_query_executed": false,
"domain": "tsenyang.com",
"followup_owner": "pending_followup_owner",
"host_write_authorized": false,
"hosts": [
"192.168.0.188"
],
"live_paths": [
"/etc/nginx/sites-enabled/all-sites.conf"
],
"live_tls_probe_authorized": false,
"live_tls_probe_executed": false,
"maintenance_window": "pending_maintenance_window",
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_response_rejected": false,
"owner_review_status": "repo_only_owner_confirmation_required",
"owner_role_or_team": "pending_owner_role_or_team",
"production_write_authorized": false,
"quarantine_written": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"rejection_guards": [
"tls_private_key_or_raw_cert_payload",
"certbot_account_key_or_credentials",
"dns_provider_or_registrar_credential",
"token_secret_cookie_session",
"authorization_header_or_basic_auth",
"unredacted_certbot_log_or_env_dump",
"shell_history_or_private_key_path_dump",
"dns_query_or_tls_probe_request",
"certbot_renew_execution_request",
"nginx_reload_or_route_change_request",
"ssh_host_write_or_runtime_request",
"production_write_or_action_button_request"
],
"request_fields": [
"request_id",
"domain",
"control_tier",
"hosts",
"certificate_path_domains",
"certificate_paths",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan",
"not_approval"
],
"request_id": "domain_tls_certbot_owner_confirmation:tsenyang.com",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"rollback_owner": "pending_rollback_owner",
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_paths": [
"infra/ansible/roles/nginx/templates/188-all-sites.conf.j2"
],
"source_snapshot_ref": "docs/security/domain-tls-certbot-inventory.snapshot.json",
"status": "draft_not_dispatched",
"tls_certificate_path_present": true,
"validation_plan": "pending_validation_plan"
}
],
"rejection_guards": [
"tls_private_key_or_raw_cert_payload",
"certbot_account_key_or_credentials",
"dns_provider_or_registrar_credential",
"token_secret_cookie_session",
"authorization_header_or_basic_auth",
"unredacted_certbot_log_or_env_dump",
"shell_history_or_private_key_path_dump",
"dns_query_or_tls_probe_request",
"certbot_renew_execution_request",
"nginx_reload_or_route_change_request",
"ssh_host_write_or_runtime_request",
"production_write_or_action_button_request"
],
"request_fields": [
"request_id",
"domain",
"control_tier",
"hosts",
"certificate_path_domains",
"certificate_paths",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan",
"not_approval"
],
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"schema_version": "domain_tls_certbot_owner_confirmation_request_v1",
"source_inventory_schema_version": "domain_tls_certbot_inventory_v1",
"source_inventory_status": "repo_only_from_nginx_source_of_truth",
"status": "owner_confirmation_request_ready_not_dispatched",
"summary": {
"action_button_count": 0,
"c0_owner_confirmation_request_count": 4,
"c1_owner_confirmation_request_count": 0,
"certbot_renew_authorized_count": 0,
"certbot_renew_executed_count": 0,
"confirmation_question_count": 5,
"dns_query_authorized_count": 0,
"dns_query_executed_count": 0,
"host_write_authorized_count": 0,
"live_tls_probe_authorized_count": 0,
"live_tls_probe_executed_count": 0,
"nginx_reload_authorized_count": 0,
"nginx_reload_executed_count": 0,
"owner_confirmation_request_count": 4,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"owner_response_rejected_count": 0,
"quarantined_payload_count": 0,
"recipient_confirmed_count": 0,
"rejection_guard_count": 12,
"request_field_count": 16,
"request_sent_count": 0,
"required_owner_field_count": 9,
"runtime_gate_count": 0
}
}