{
"execution_boundaries": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"audit_event_emitted": false,
"dispatch_authorized": false,
"dns_tls_change_authorized": false,
"host_write_authorized": false,
"nginx_reload_authorized": false,
"not_authorization": true,
"production_write_authorized": false,
"recipient_confirmed": false,
"request_sent": false,
"reviewer_queue_write": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"workflow_modification_authorized": false
},
"forbidden_payloads": [
"token",
"secret",
"private_key",
"cookie",
"session",
"authorization_header",
"runner_token",
"webhook_secret",
"db_dump",
"repo_archive",
"git_object_pack",
"raw_sensitive_live_config"
],
"generated_at": "2026-06-14T18:45:00+08:00",
"git_commit": "ddd9e433",
"handoff_envelope_fields": [
"request_id",
"stage_id",
"packet_id",
"recipient_role_or_team",
"sender_role_or_team",
"requested_response_window",
"allowed_response_format",
"redacted_evidence_refs",
"forbidden_payloads",
"followup_owner",
"not_approval"
],
"not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。",
"request_drafts": [
{
"accepted_response": false,
"action_buttons_allowed": false,
"affected_files": [
"scripts/ops/188-registry-certbot-fix.sh",
"scripts/ops/fix-188-registry-certbot-renewal.sh"
],
"allowed_response_format": {
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"redacted_evidence_refs_only": true
},
"audit_event_emitted": false,
"blocked_requests": [
"repo_create",
"visibility_change",
"refs_sync",
"refs_delete",
"force_push",
"workflow_modify",
"runner_enable",
"secret_value_submit",
"ssh_host_modify",
"nginx_reload",
"dns_tls_modify",
"argocd_sync",
"kubectl_apply",
"active_scan",
"agent_bounty_runtime_execute",
"payout_or_withdrawal"
],
"category_id": "dns_tls_certbot",
"control_tier": "C0",
"followup_owner": "pending_followup_owner",
"forbidden_payloads": [
"token",
"secret",
"private_key",
"cookie",
"session",
"authorization_header",
"runner_token",
"webhook_secret",
"db_dump",
"repo_archive",
"git_object_pack",
"raw_sensitive_live_config"
],
"handoff_envelope_fields": [
"request_id",
"stage_id",
"packet_id",
"recipient_role_or_team",
"sender_role_or_team",
"requested_response_window",
"allowed_response_format",
"redacted_evidence_refs",
"forbidden_payloads",
"followup_owner",
"not_approval"
],
"label": "DNS / TLS / certbot / certificate path",
"not_approval": true,
"not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。",
"packet_id": "high_value_config_owner_packet:dns_tls_certbot",
"priority": "P0",
"production_write_authorized": false,
"received_response": false,
"recipient_confirmed": false,
"recipient_role_or_team": "pending_owner_role_or_team",
"redacted_evidence_refs": [
"docs/security/high-value-config-owner-packet.snapshot.json",
"docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json"
],
"rejected_response": false,
"request_id": "high_value_config_owner_request:dns_tls_certbot",
"request_sent": false,
"requested_response_window": "not_scheduled",
"required_gate": "domain_tls_owner_response_required",
"required_validation": [
"domain_inventory",
"certificate_path_check",
"renewal_window",
"acme_path_smoke",
"public_https_smoke",
"rollback_ref"
],
"reviewer_queue_write": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"sender_role_or_team": "iwooos_security_reviewer",
"stage_id": "P0-14",
"status": "draft_not_dispatched"
},
{
"accepted_response": false,
"action_buttons_allowed": false,
"affected_files": [
"k8s/nginx/awoooi-prod.conf"
],
"allowed_response_format": {
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"redacted_evidence_refs_only": true
},
"audit_event_emitted": false,
"blocked_requests": [
"repo_create",
"visibility_change",
"refs_sync",
"refs_delete",
"force_push",
"workflow_modify",
"runner_enable",
"secret_value_submit",
"ssh_host_modify",
"nginx_reload",
"dns_tls_modify",
"argocd_sync",
"kubectl_apply",
"active_scan",
"agent_bounty_runtime_execute",
"payout_or_withdrawal"
],
"category_id": "nginx_public_gateway",
"control_tier": "C0",
"followup_owner": "pending_followup_owner",
"forbidden_payloads": [
"token",
"secret",
"private_key",
"cookie",
"session",
"authorization_header",
"runner_token",
"webhook_secret",
"db_dump",
"repo_archive",
"git_object_pack",
"raw_sensitive_live_config"
],
"handoff_envelope_fields": [
"request_id",
"stage_id",
"packet_id",
"recipient_role_or_team",
"sender_role_or_team",
"requested_response_window",
"allowed_response_format",
"redacted_evidence_refs",
"forbidden_payloads",
"followup_owner",
"not_approval"
],
"label": "Nginx / reverse proxy / public route",
"not_approval": true,
"not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。",
"packet_id": "high_value_config_owner_packet:nginx_public_gateway",
"priority": "P0",
"production_write_authorized": false,
"received_response": false,
"recipient_confirmed": false,
"recipient_role_or_team": "pending_owner_role_or_team",
"redacted_evidence_refs": [
"docs/security/high-value-config-owner-packet.snapshot.json",
"docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json"
],
"rejected_response": false,
"request_id": "high_value_config_owner_request:nginx_public_gateway",
"request_sent": false,
"requested_response_window": "not_scheduled",
"required_gate": "public_gateway_owner_response_required",
"required_validation": [
"rendered_diff",
"nginx_t",
"affected_route_smoke",
"admin_route_smoke_if_affected",
"acme_path_smoke_if_affected",
"rollback_ref"
],
"reviewer_queue_write": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"sender_role_or_team": "iwooos_security_reviewer",
"stage_id": "P0-14",
"status": "draft_not_dispatched"
},
{
"accepted_response": false,
"action_buttons_allowed": false,
"affected_files": [
"docs/security/HIGH-VALUE-CONFIG-CHANGE-GATE.md",
"docs/security/high-value-config-change-gate.snapshot.json",
"scripts/security/high-value-config-change-gate.py"
],
"allowed_response_format": {
"allowed_decisions": [
"confirm",
"defer",
"reject",
"request_more_evidence"
],
"fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner",
"maintenance_window",
"validation_plan"
],
"redacted_evidence_refs_only": true
},
"audit_event_emitted": false,
"blocked_requests": [
"repo_create",
"visibility_change",
"refs_sync",
"refs_delete",
"force_push",
"workflow_modify",
"runner_enable",
"secret_value_submit",
"ssh_host_modify",
"nginx_reload",
"dns_tls_modify",
"argocd_sync",
"kubectl_apply",
"active_scan",
"agent_bounty_runtime_execute",
"payout_or_withdrawal"
],
"category_id": "security_evidence_tooling",
"control_tier": "C3",
"followup_owner": "pending_followup_owner",
"forbidden_payloads": [
"token",
"secret",
"private_key",
"cookie",
"session",
"authorization_header",
"runner_token",
"webhook_secret",
"db_dump",
"repo_archive",
"git_object_pack",
"raw_sensitive_live_config"
],
"handoff_envelope_fields": [
"request_id",
"stage_id",
"packet_id",
"recipient_role_or_team",
"sender_role_or_team",
"requested_response_window",
"allowed_response_format",
"redacted_evidence_refs",
"forbidden_payloads",
"followup_owner",
"not_approval"
],
"label": "Security evidence / snapshot / guard tooling",
"not_approval": true,
"not_approval_statement": "本草稿不是 request sent、不是 owner response received、不是 reviewer accepted、不是 Nginx reload、DNS / TLS change、workflow 修改、host write、active scan、production write 或 runtime gate 授權。",
"packet_id": "high_value_config_owner_packet:security_evidence_tooling",
"priority": "P3",
"production_write_authorized": false,
"received_response": false,
"recipient_confirmed": false,
"recipient_role_or_team": "pending_owner_role_or_team",
"redacted_evidence_refs": [
"docs/security/high-value-config-owner-packet.snapshot.json",
"docs/security/high-value-config-owner-packet-intake-preflight.snapshot.json"
],
"rejected_response": false,
"request_id": "high_value_config_owner_request:security_evidence_tooling",
"request_sent": false,
"requested_response_window": "not_scheduled",
"required_gate": "security_evidence_owner_review_required",
"required_validation": [
"snapshot_parse",
"guard_smoke",
"doc_secret_sanity",
"no_runtime_gate_increase"
],
"reviewer_queue_write": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"sender_role_or_team": "iwooos_security_reviewer",
"stage_id": "P0-14",
"status": "draft_not_dispatched"
}
],
"schema_version": "high_value_config_owner_request_draft_v1",
"send_after_conditions": [
"必須先重新確認 gitea/main、P0 總帳與另一個 AwoooP Session 基線。",
"只能送出脫敏欄位與禁止條款，不得附 secret value、raw payload 或執行命令。",
"只有真實人工送件 metadata 存在時，才能另行記錄 request_sent_count。",
"送件後不得同步拉高 received / accepted / rejected / reviewer queue / runtime gate。"
],
"source_intake_preflight_schema_version": "high_value_config_owner_packet_intake_preflight_v1",
"source_intake_preflight_status": "request_dispatch_preflight_ready",
"status": "owner_request_draft_ready_not_dispatched",
"summary": {
"accepted_response_count": 0,
"action_button_count": 0,
"audit_event_emitted_count": 0,
"blocked_request_count": 16,
"c0_request_draft_count": 2,
"c1_request_draft_count": 0,
"dispatch_preflight_check_count": 9,
"forbidden_payload_count": 12,
"handoff_envelope_field_count": 11,
"received_response_count": 0,
"recipient_confirmed_count": 0,
"rejected_response_count": 0,
"request_draft_count": 3,
"request_sent_count": 0,
"required_owner_field_total": 27,
"reviewer_intake_lane_count": 5,
"reviewer_queue_write_count": 0,
"runtime_gate_count": 0
}
}