awoooi/docs/security/PUBLIC-GATEWAY-RENDERED-DIFF-ACCEPTANCE.md
Commit a4998f915c (Your Name), 2026-06-15 00:12:53 +08:00: fix(iwooos): add public gateway diff evidence acceptance
# IwoooS Public Gateway Rendered Diff Acceptance Read-Only Ledger
| Item | Content |
|------|------|
| Date | 2026-06-14 |
| Status | `rendered_diff_acceptance_ledger_ready_no_runtime_action` |
| Tool | `scripts/security/public-gateway-rendered-diff-acceptance.py` |
| Inputs | `docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json`, `docs/security/public-gateway-owner-response-acceptance.snapshot.json` |
| Snapshot | `docs/security/public-gateway-rendered-diff-acceptance.snapshot.json` |
| runtime gate | `0` |
## 1. Purpose
The Nginx public gateway is the shared entry point for the public website, the API, webhooks, WebSocket, TLS and ACME. Earlier layers established the live conf export request, the redacted export intake preflight, the rendered diff gate draft and the owner response acceptance. This document adds the next layer: once the owner response has been accepted, how the `rendered diff`, the owner-provided `nginx -t` readback evidence and the route smoke evidence are checked and accepted.
This ledger deals only with evidence format, redaction boundaries, traceability and reviewer triage. It is not an owner response acceptance, not a rendered diff acceptance, not an authorisation to run `nginx -t`, not an Nginx reload, not a route smoke, not a DNS / TLS probe, not a certbot renew, not a host write, and not a production write or a runtime gate.
## 2. Summary
| Metric | Value | Notes |
|------|----|------|
| diff acceptance candidate count | `3` | one per public gateway config |
| C0 diff acceptance candidate count | `2` | 188 all sites, 188 internal tools HTTPS |
| C1 diff acceptance candidate count | `1` | 110 Ollama proxy |
| diff acceptance field count | `25` | fields per evidence acceptance record |
| required evidence field count | `14` | fields the future owner evidence must fill |
| reviewer check count | `15` | intake, quarantine, rejection, supplement and reviewer acceptance checks |
| outcome lane count | `8` | from waiting for owner accepted to waiting for separate runtime approval |
| blocked action count | `22` | actions that must not be executed directly or misread as authorised |
| owner response accepted | `0` | not yet received / accepted |
| rendered diff received / accepted | `0 / 0` | not yet received / accepted |
| nginx test evidence received / accepted | `0 / 0` | not yet received / accepted |
| route smoke evidence received / accepted | `0 / 0` | not yet received / accepted |
| runtime gate / action button | `0 / 0` | not opened |
## 3. Acceptance Fields
| Field | Content rule |
|------|----------|
| `diff_acceptance_id` | Fixed; identifies the public gateway rendered diff acceptance |
| `owner_response_acceptance_id` | Points to the owner response acceptance candidate of the previous layer |
| `diff_gate_id` | Points to the rendered diff gate draft |
| `config_id` | Points to the public gateway config |
| `control_tier` | Keeps the C0 / C1 risk tier |
| `host` | Keeps only the existing host scope; does not imply SSH authorisation |
| `live_path` | Keeps only the expected live path; does not imply the live conf was read |
| `redacted_live_conf_ref` | May hold only a redacted ref / hash / artifact pointer |
| `rendered_diff_ref` | May hold only a ref; the full diff payload must not be pasted |
| `rendered_diff_hash_ref` | Points to hash / checksum evidence |
| `diff_scope_summary` | Summary of the affected routes / upstream / TLS / ACME scope |
| `affected_routes` | Must map back to the preflight inventory |
| `nginx_test_evidence_ref` | May hold only an owner-provided readback ref |
| `nginx_test_operator` | Operator role; must not be an untraceable personal nickname |
| `nginx_test_result` | Result summary; must not contain secrets |
| `route_smoke_matrix_ref` | Ref to the smoke matrix for the affected routes |
| `route_smoke_result_ref` | Route smoke readback ref |
| `tls_acme_impact_ref` | TLS / ACME impact ref |
| `maintenance_window` | Maintenance window, or an explicit no-go window |
| `rollback_owner` | Rollback owner / team |
| `rollback_ref` | Rollback plan / revision / artifact ref |
| `postcheck_evidence_ref` | Post-check readback ref |
| `reviewer_outcome` | Reviewer acceptance lane |
| `followup_owner` | Owner for supplements or for the next stage |
| `not_approval` | Must be `true` |
## 4. Reviewer Checks
| Check | Rule |
|-------|------|
| `owner_response_accepted_first` | An owner response accepted record must exist first |
| `redacted_live_conf_ref_only` | Raw live conf is not accepted |
| `rendered_diff_ref_not_payload` | A full diff payload is not accepted |
| `diff_scope_matches_config_id` | The diff scope must map back to the config_id |
| `nginx_test_evidence_is_readback_only` | This tool must not run `nginx -t` |
| `nginx_test_result_has_timestamp` | The test result needs a timestamp, a role and a result summary |
| `route_smoke_matrix_complete` | The smoke matrix must list the affected routes and the expected results |
| `tls_acme_impact_separated` | TLS / ACME impact cannot be substituted by route smoke |
| `secret_value_absent` | No secret value or derivative may be included |
| `maintenance_window_present` | A window is required before any future runtime action |
| `rollback_owner_and_ref_present` | Rollback owner and rollback ref must both be present |
| `postcheck_plan_present` | A post-check evidence ref must be present |
| `no_execution_request_embedded` | Evidence may not carry an execution request |
| `counts_transition_safe` | accepted / rejected counts may only be updated by a reviewer record |
| `action_button_absent` | No execution button may be added to the front end |
## 5. Outcome Lanes
| Lane | Meaning |
|------|------|
| `waiting_owner_response_acceptance` | owner response not yet accepted |
| `waiting_rendered_diff_evidence` | waiting for rendered diff / nginx test / route smoke evidence refs |
| `quarantine_raw_conf_or_payload` | raw conf or a full payload can only be quarantined |
| `reject_secret_or_execution_request` | secrets or execution requests are rejected outright |
| `request_evidence_supplement` | fields missing or route matrix incomplete; a supplement is required |
| `ready_for_reviewer_acceptance` | metadata passes; proceeds to reviewer acceptance |
| `accepted_for_runtime_gate_planning` | may only proceed to the next layer, runtime gate planning |
| `waiting_separate_runtime_approval` | `nginx -t` / reload / smoke still require separate manual approval |
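The checks in section 4 and the lanes in section 5 can be applied mechanically to an evidence record before a reviewer reads it. The following is an added example in Python; it is not the project's `scripts/security/public-gateway-rendered-diff-acceptance.py` and does not reproduce its output format. The field names are those of section 3, while the regex heuristics for raw payloads, secrets and embedded execution requests, the particular choice of 14 required fields, and every sample identifier (`ora-188-all-sites`, `pg-188-all-sites`, the `artifact://` refs) are assumptions of the example. It stops at `ready_for_reviewer_acceptance` on purpose: the accepted lanes are reached only through a reviewer record, as `counts_transition_safe` requires.

```python
"""Automated triage of owner-provided rendered diff evidence records.

Added example for this ledger; it is not the project's
scripts/security/public-gateway-rendered-diff-acceptance.py. Field, check and lane
names follow sections 3 to 5; the regex heuristics, the exact 14-field required
list and the sample identifiers are assumptions of this example."""
import json
import re

REQUIRED_FIELDS = (  # assumed to be the ledger's 14 required owner evidence fields
    "owner_response_acceptance_id", "config_id", "redacted_live_conf_ref", "rendered_diff_ref",
    "rendered_diff_hash_ref", "affected_routes", "nginx_test_evidence_ref", "nginx_test_result",
    "route_smoke_matrix_ref", "tls_acme_impact_ref", "maintenance_window", "rollback_owner",
    "rollback_ref", "postcheck_evidence_ref")
EVIDENCE_REFS = ("rendered_diff_ref", "nginx_test_evidence_ref", "route_smoke_matrix_ref")
PAYLOAD_CHECK = {  # pointer-only fields, and the check a pasted body violates
    "redacted_live_conf_ref": "redacted_live_conf_ref_only",
    "rendered_diff_ref": "rendered_diff_ref_not_payload",
    "nginx_test_evidence_ref": "nginx_test_evidence_is_readback_only"}
# Assumed heuristics: a ref is one line and never looks like a diff hunk or an nginx directive.
PAYLOAD_RE = re.compile(r"^(\+\+\+ |--- |@@ |[+-]?\s*(server|location|upstream)\b.*\{|\s*proxy_pass\s)", re.M)
SECRET_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----|\bAKIA[0-9A-Z]{16}\b"
                       r"|(?i:\b(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*\S{8,})")
EXEC_REQUEST_RE = re.compile(r"\bplease\s+(run|execute|apply|reload)\b|\bnginx\s+-s\s+reload\b"
                             r"|\bsystemctl\s+(reload|restart)\s+nginx\b|\bcertbot\s+renew\b", re.I)
TIMESTAMP_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}T\d{2}:\d{2}")


def run_checks(record, accepted_owner_responses, preflight_inventory):
    """Return (failed section 4 check names, missing required fields) for one record."""
    failed = set()
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("owner_response_acceptance_id") not in accepted_owner_responses:
        failed.add("owner_response_accepted_first")
    blob = json.dumps(record, ensure_ascii=False)  # scan every field, nested ones included
    if SECRET_RE.search(blob):
        failed.add("secret_value_absent")
    if EXEC_REQUEST_RE.search(blob):
        failed.add("no_execution_request_embedded")
    for field, check in PAYLOAD_CHECK.items():
        value = str(record.get(field) or "")
        if "\n" in value or PAYLOAD_RE.search(value):
            failed.add(check)
    inventory = preflight_inventory.get(record.get("config_id"), set())
    if not set(record.get("affected_routes") or []) <= inventory:
        failed.add("diff_scope_matches_config_id")
    if not (TIMESTAMP_RE.search(str(record.get("nginx_test_result") or ""))
            and record.get("nginx_test_operator")):
        failed.add("nginx_test_result_has_timestamp")
    if record.get("not_approval") is not True:
        failed.add("not_approval_is_true")  # section 3: not_approval must be true
    return sorted(failed), missing


def lane_for(failed, missing):
    """Map check results to a section 5 lane; the accepted lanes need a reviewer record."""
    if "owner_response_accepted_first" in failed:
        return "waiting_owner_response_acceptance"
    if {"secret_value_absent", "no_execution_request_embedded"} & set(failed):
        return "reject_secret_or_execution_request"
    if set(PAYLOAD_CHECK.values()) & set(failed):
        return "quarantine_raw_conf_or_payload"
    if any(f in EVIDENCE_REFS for f in missing):
        return "waiting_rendered_diff_evidence"
    return "request_evidence_supplement" if (failed or missing) else "ready_for_reviewer_acceptance"


# Constructed sample data with placeholder identifiers, not the ledger's real values.
ACCEPTED = {"ora-188-all-sites"}
INVENTORY = {"pg-188-all-sites": {"/", "/api/", "/ws/"}}
GOOD = {
    "owner_response_acceptance_id": "ora-188-all-sites", "config_id": "pg-188-all-sites",
    "redacted_live_conf_ref": "artifact://live-conf/188.redacted.conf#sha256-1f2e",
    "rendered_diff_ref": "artifact://diffs/188.diff", "rendered_diff_hash_ref": "sha256:" + "ab" * 32,
    "affected_routes": ["/api/", "/ws/"], "nginx_test_evidence_ref": "artifact://readback/188-nginx-t.txt",
    "nginx_test_operator": "gateway-oncall",
    "nginx_test_result": "2026-06-14T22:10:00+08:00 gateway-oncall: syntax ok, test successful",
    "route_smoke_matrix_ref": "artifact://smoke/188-matrix.csv",
    "tls_acme_impact_ref": "artifact://tls/188-acme-impact.md",
    "maintenance_window": "2026-06-20T02:00+08:00/2026-06-20T03:00+08:00",
    "rollback_owner": "gateway-team", "rollback_ref": "artifact://rollback/188-rev-41.md",
    "postcheck_evidence_ref": "artifact://postcheck/188-plan.md", "not_approval": True}
PASTED_DIFF = ("--- a/sites/188.conf\n+++ b/sites/188.conf\n@@ -1,2 +1,2 @@\n location /api/ {\n"
               "-  proxy_pass http://10.0.0.1;\n+  proxy_pass http://10.0.0.2;")
VARIANTS = {
    "good": GOOD,
    "pasted_diff": {**GOOD, "rendered_diff_ref": PASTED_DIFF},
    "exec_request": {**GOOD, "nginx_test_result": "2026-06-14T22:10+08:00 ok, please run nginx -s reload"},
    "leaked_token": {**GOOD, "tls_acme_impact_ref": "acme token=9f8e7d6c5b4a3210"},
    "no_owner_record": {**GOOD, "owner_response_acceptance_id": "ora-unknown"},
    "no_diff_yet": {**GOOD, "rendered_diff_ref": ""},
    "no_timestamp": {**GOOD, "nginx_test_result": "syntax ok"}}


def demo():
    """Return the lane each constructed variant lands in."""
    return {name: lane_for(*run_checks(r, ACCEPTED, INVENTORY)) for name, r in VARIANTS.items()}
```

The lane precedence in `lane_for` is deliberate: a missing owner response record is checked first because nothing else is relevant until it exists, and secret or execution-request findings outrank the quarantine lane because a pasted raw conf may itself carry credentials and must then be rejected rather than merely quarantined. Everything the heuristics cannot decide falls through to `request_evidence_supplement`, never to an accepted lane.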
## 6. Blocked Actions
| Action | Boundary |
|--------|------|
| `read_live_conf_over_ssh` | must not be run without authorisation |
| `store_raw_live_conf` | must not be written to the repo, the LOGBOOK or the front end |
| `store_full_rendered_diff_payload` | the full diff payload must not be stored |
| `accept_unredacted_live_conf` | must not be accepted |
| `collect_secret_value` | secret values must not be collected |
| `accept_execution_request_inside_evidence` | evidence may not carry an execution request |
| `mark_rendered_diff_accepted_without_owner_response` | owner response accepted must not be skipped |
| `mark_rendered_diff_accepted_without_reviewer_record` | the reviewer record must not be skipped |
| `run_nginx_test_from_diff_acceptance` | must not be run by this ledger |
| `run_route_smoke_from_diff_acceptance` | must not be run by this ledger |
| `nginx_reload_from_diff_acceptance` | must not be run by this ledger |
| `dns_probe_from_diff_acceptance` | must not be run by this ledger |
| `tls_probe_from_diff_acceptance` | must not be run by this ledger |
| `certbot_renew_from_diff_acceptance` | must not be run by this ledger |
| `modify_nginx_conf` | the live conf must not be modified |
| `modify_dns_tls_config` | DNS / TLS / certbot must not be modified |
| `change_public_route` | public routes must not be changed |
| `change_admin_route` | admin routes must not be changed |
| `change_websocket_route` | WebSocket routes must not be changed |
| `write_production_host` | no writes to the host |
| `open_runtime_gate` | the runtime gate must not be opened |
| `add_action_button` | no action button may be added |
## 7. Commands
Generate the committed snapshot:
```bash
python3 scripts/security/public-gateway-rendered-diff-acceptance.py \
--root . \
--rendered-diff-gate-report docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json \
--owner-response-acceptance-report docs/security/public-gateway-owner-response-acceptance.snapshot.json \
--output docs/security/public-gateway-rendered-diff-acceptance.snapshot.json \
--generated-at 2026-06-14T23:58:00+08:00
```
Verify the guard:
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 8. Completion
| Work item | Completion | Notes |
|------|--------|------|
| rendered diff acceptance artifact | `100%` | generator, snapshot and document are fixed |
| owner response accepted | `0%` | not yet received / accepted |
| rendered diff evidence accepted | `0%` | not yet received / accepted |
| nginx test evidence accepted | `0%` | not yet received / accepted |
| route smoke evidence accepted | `0%` | not yet received / accepted |
| runtime reload / host write | `0%` | not authorised and not executed |