# IwoooS Public Gateway Rendered Diff Gate Draft
| Item | Content |
|------|------|
| Date | 2026-06-14 |
| Status | `rendered_diff_gate_draft_ready_no_runtime_action` |
| Tool | `scripts/security/public-gateway-rendered-diff-gate-draft.py` |
| Input | `docs/security/public-gateway-redacted-export-intake-preflight.snapshot.json` |
| Snapshot | `docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json` |
| runtime gate | `0` |
## 1. Purpose
P0-16 established the intake preflight for redacted exports, but even once a redacted ref is received and accepted in the future, it must not go straight to `nginx -t`, reload, or route smoke. The purpose of P0-17 is to split rendered diff, `nginx -t`, reload, route smoke, DNS / TLS probe, certbot renew, maintenance window, rollback owner and post-check into separately staged gate drafts first.
This document only defines a future gate draft. It is not a redacted export accepted, not a rendered diff ready, not an `nginx -t` authorization, not an Nginx reload, not a route smoke, not a DNS / TLS probe, not a certbot renew, not a host write, and not a production write or runtime gate.
## 2. Summary
| Metric | Value | Notes |
|------|----|------|
| diff gate candidate count | `3` | One per redacted export intake candidate |
| C0 diff gate candidate count | `2` | 188 all sites, 188 internal tools HTTPS |
| diff gate field count | `12` | Fields in each diff gate draft |
| preflight stage count | `7` | Staged gates from redacted export accepted through rollback / post-check |
| blocked action count | `14` | Actions that must not be executed directly or misread as authorized |
| redacted export accepted | `0` | Not yet received / accepted |
| rendered diff candidate / ready | `0 / 0` | Not yet produced |
| nginx test authorized / executed | `0 / 0` | Not yet approved and not executed |
| reload authorized / executed | `0 / 0` | Not yet approved and not executed |
| route smoke authorized / executed | `0 / 0` | Not yet approved and not executed |
| DNS / TLS probe, certbot renew | `0 / 0` | Not yet approved and not executed |
| maintenance window / rollback owner | `0 / 0` | Not yet accepted |
| runtime gate / action button | `0 / 0` | Not opened |
## 3. Diff Gate Fields
| Field | Content rule |
|------|----------|
| `diff_gate_id` | Fixed mapping to the public gateway rendered diff gate; creates no runtime action |
| `intake_id` | Maps to the P0-16 redacted export intake candidate |
| `export_request_id` | Maps to the P0-15 live conf export request |
| `config_id` | Maps to the public gateway preflight row |
| `control_tier` | Preserves the C0 / C1 risk tier |
| `source_config_ref` | Points at the repo-only source config snapshot |
| `redacted_live_conf_ref` | Empty until accepted |
| `rendered_diff_ref` | Empty until produced |
| `nginx_test_plan_ref` | Empty until approved |
| `route_smoke_plan_ref` | Empty until approved |
| `rollback_owner` | `pending_rollback_owner` until assigned |
| `not_approval` | Must be `true` |
## 4. Preflight Stages
| Stage | Rule |
|-------|------|
| `redacted_export_acceptance_required` | Qualified redacted export accepted metadata must exist first |
| `normalize_without_raw_conf_storage` | A normalized diff may only be produced from the redacted ref inside an isolated workspace |
| `rendered_diff_owner_review_required` | The rendered diff may only become an owner review candidate |
| `nginx_test_approval_package_required` | `nginx -t` requires its own manual approval package, rollback owner and maintenance window |
| `reload_approval_separate` | Reload and public route change must be approved independently |
| `route_smoke_matrix_required` | Route smoke must list the affected routes, expected status codes, and TLS / WebSocket / ACME checks |
| `postcheck_and_rollback_required` | Before any future execution, a rollback owner, post-check and failure rollback conditions are required |
## 5. Blocked Actions
| Action | Boundary |
|--------|------|
| `read_live_conf_over_ssh` | Must not be executed without authorization |
| `store_raw_live_conf` | Must not be written to the repo, LOGBOOK or frontend |
| `render_diff_from_unredacted_payload` | Must be rejected or quarantined |
| `nginx_test_without_approval` | Must not be executed |
| `nginx_reload_without_approval` | Must not be executed |
| `route_smoke_without_plan` | Must not be executed |
| `dns_probe_without_approval` | Must not be executed |
| `tls_probe_without_approval` | Must not be executed |
| `certbot_renew_without_approval` | Must not be executed |
| `modify_nginx_conf` | Must not modify the live conf |
| `modify_dns_tls_config` | Must not modify DNS / TLS / certbot |
| `change_public_route` | Must not change public routes |
| `write_production_host` | Must not write to the host |
| `open_runtime_gate` | Must not open the runtime gate |
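The field rules of section 3, the stage order of section 4 and the blocked-action list of section 5 together describe an invariant a diff gate candidate must satisfy: refs stay empty until the stage that produces them is accepted, stages are accepted in order, and nothing in the list is ever authorized by a draft. The following checker is an added example written for this document; it is not the project's `scripts/security/public-gateway-rendered-diff-gate-draft.py` and does not read the snapshot files named above. Field, stage and action names come from the tables; the record layout, the `accepted_stages` list, the `maintenance_window` field and all sample values are assumptions made for the example.

```python
"""Rule checks for one public gateway rendered diff gate draft record (added example)."""
from __future__ import annotations

PENDING_ROLLBACK_OWNER = "pending_rollback_owner"

# Section 4: stages in order; a later stage may not be accepted before an earlier one.
STAGES = (
    "redacted_export_acceptance_required",
    "normalize_without_raw_conf_storage",
    "rendered_diff_owner_review_required",
    "nginx_test_approval_package_required",
    "reload_approval_separate",
    "route_smoke_matrix_required",
    "postcheck_and_rollback_required",
)

# Section 3: a ref stays empty until the stage that produces it has been accepted.
REF_REQUIRES_STAGE = {
    "redacted_live_conf_ref": "redacted_export_acceptance_required",
    "rendered_diff_ref": "rendered_diff_owner_review_required",
    "nginx_test_plan_ref": "nginx_test_approval_package_required",
    "route_smoke_plan_ref": "route_smoke_matrix_required",
}

# Section 3: the twelve fields every diff gate draft carries.
REQUIRED_FIELDS = (
    "diff_gate_id", "intake_id", "export_request_id", "config_id", "control_tier",
    "source_config_ref", "redacted_live_conf_ref", "rendered_diff_ref",
    "nginx_test_plan_ref", "route_smoke_plan_ref", "rollback_owner", "not_approval",
)

# Section 5: actions a draft never authorizes, whatever stage it has reached.
BLOCKED_ACTIONS = frozenset({
    "read_live_conf_over_ssh", "store_raw_live_conf", "render_diff_from_unredacted_payload",
    "nginx_test_without_approval", "nginx_reload_without_approval", "route_smoke_without_plan",
    "dns_probe_without_approval", "tls_probe_without_approval", "certbot_renew_without_approval",
    "modify_nginx_conf", "modify_dns_tls_config", "change_public_route",
    "write_production_host", "open_runtime_gate",
})


def validate_gate_draft(record: dict[str, object]) -> list[str]:
    """Return every rule violation in one candidate; an empty list means it conforms."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in record]
    if problems:
        return problems  # the remaining rules need the full record

    if record["not_approval"] is not True:
        problems.append("not_approval must be true")
    if record["control_tier"] not in ("C0", "C1"):
        problems.append(f"control_tier must be C0 or C1, got {record['control_tier']!r}")
    if not record["source_config_ref"]:
        problems.append("source_config_ref must point at the repo-only source snapshot")

    # Assumed field: stages the owner has already accepted, in acceptance order.
    # Any unknown or skipped stage breaks the prefix and is reported.
    accepted = tuple(record.get("accepted_stages", ()))
    if accepted != STAGES[: len(accepted)]:
        problems.append("accepted_stages must be a prefix of the stage order (no stage skipped)")

    for ref, stage in REF_REQUIRES_STAGE.items():
        if record[ref] and stage not in accepted:
            problems.append(f"{ref} is set but stage {stage} is not accepted")

    # nginx -t needs its own approval package, a named rollback owner and a window.
    if "nginx_test_approval_package_required" in accepted:
        if record["rollback_owner"] == PENDING_ROLLBACK_OWNER:
            problems.append("nginx -t stage accepted but rollback_owner is still pending")
        if not record.get("maintenance_window"):  # assumed field
            problems.append("nginx -t stage accepted but no maintenance_window recorded")
    return problems


def is_blocked(action: str) -> bool:
    """True when the draft forbids this action outright (section 5)."""
    return action in BLOCKED_ACTIONS


def sample_draft() -> dict[str, object]:
    """Constructed candidate in its initial state: all refs empty, nothing accepted."""
    return {
        "diff_gate_id": "diff-gate-example-01",            # constructed
        "intake_id": "intake-example-01",                  # constructed
        "export_request_id": "export-request-example-01",  # constructed
        "config_id": "public-gateway-example-01",          # constructed
        "control_tier": "C0",
        "source_config_ref": "config/public-gateway/example.conf",  # constructed
        "redacted_live_conf_ref": "",
        "rendered_diff_ref": "",
        "nginx_test_plan_ref": "",
        "route_smoke_plan_ref": "",
        "rollback_owner": PENDING_ROLLBACK_OWNER,
        "not_approval": True,
        "accepted_stages": [],
    }


if __name__ == "__main__":
    draft = sample_draft()
    print("initial draft:", validate_gate_draft(draft) or "ok")
    premature = dict(draft, rendered_diff_ref="diff/example.rendered.diff", not_approval=False)
    print("premature diff ref:", validate_gate_draft(premature))
    print("open_runtime_gate blocked:", is_blocked("open_runtime_gate"))
```

The checker deliberately reports every violation rather than stopping at the first, so an owner reviewing a candidate sees the full list (for instance a rendered diff ref filled in while `not_approval` has been flipped) in one pass. Because `BLOCKED_ACTIONS` is consulted independently of the stage reached, a candidate that has passed every stage still authorizes none of the fourteen listed actions; the runtime gate stays closed as the summary table states.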
## 6. Commands
Generate the committed snapshot
```bash
python3 scripts/security/public-gateway-rendered-diff-gate-draft.py \
--root . \
--intake-preflight-report docs/security/public-gateway-redacted-export-intake-preflight.snapshot.json \
--output docs/security/public-gateway-rendered-diff-gate-draft.snapshot.json \
--generated-at 2026-06-14T20:05:00+08:00
```
Verify the guard
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 7. Completion
| Task | Completion | Notes |
|------|--------|------|
| rendered diff gate draft artifact | `100%` | Generator, snapshot and document are fixed |
| redacted export accepted | `0%` | Not yet received / accepted |
| rendered diff candidate / ready | `0%` | Not yet produced |
| nginx test / reload / route smoke | `0%` | Not yet approved and not executed |
| DNS / TLS / certbot | `0%` | Not yet approved and not executed |
| runtime reload / host write | `0%` | Not authorized and not executed |