Files
awoooi/docs/security/PUBLIC-RUNTIME-CONFIG-CHANGE-EVIDENCE-ACCEPTANCE.md
Your Name 5f9a11e6b2
All checks were successful
Code Review / ai-code-review (push) Successful in 14s
CD Pipeline / tests (push) Successful in 1m29s
CD Pipeline / build-and-deploy (push) Successful in 4m22s
CD Pipeline / post-deploy-checks (push) Successful in 1m40s
fix(iwooos): 新增 public runtime config 驗收與 tenants 防洩漏
2026-06-15 04:29:54 +08:00

137 lines
8.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Public / Admin / API Runtime Config 變更證據驗收
> 本文件是 IwoooS 高價值配置控管的只讀驗收帳本。它定義未來 public route、admin/auth boundary、API / CORS、frontend env、i18n、callback 與 webhook runtime config 變更要如何收件、補件、拒收或進 reviewer acceptance。它不是 route 變更、CORS 變更、env 變更、auth 變更、webhook 變更、部署或 runtime gate 授權。
## 1. Snapshot
| 欄位 | 值 | 說明 |
|---|---:|---|
| `schema_version` | `public_runtime_config_change_evidence_acceptance_v1` | Public runtime config 變更證據驗收 |
| `change_evidence_candidate_count` | `6` | 六類 public / admin / API runtime config 候選 |
| `c0_change_evidence_candidate_count` | `5` | public route、admin/auth、API/CORS、frontend env、webhook/callback 為 C0 |
| `c1_change_evidence_candidate_count` | `1` | cross-product route scope 為 C1 |
| `write_capable_candidate_count` | `6` | 六類未來都可能引發 route、auth、CORS、env 或 callback 寫入 |
| `source_ref_count` | `20` | source refs 全部存在於 repo 內 |
| `required_evidence_field_count` | `21` | reviewer 前必填 evidence 欄位 |
| `reviewer_check_count` | `21` | reviewer 必檢條件 |
| `outcome_lane_count` | `8` | 收件後分流結果 |
| `blocked_action_count` | `32` | 本帳本明確禁止的 runtime / route / secret / deploy 動作 |
| `runtime_gate_count` | `0` | 沒有開啟 runtime gate |
來源 snapshot`docs/security/public-runtime-config-change-evidence-acceptance.snapshot.json`
## 2. 變更候選
| 候選 | Tier | 風險 | 範圍 |
|---|---|---|---|
| `public_runtime_config_change_evidence:public_product_route_and_i18n_redaction` | C0 | HIGH | 公開產品頁、IwoooS / AwoooP / Tenants / Code Review 前台文案、raw identity 與內部協作文字防外洩 |
| `public_runtime_config_change_evidence:admin_auth_and_operator_console_boundary` | C0 | HIGH | AwoooP operator console、approvals、work-items、runs、admin auth / CSRF / owner guard |
| `public_runtime_config_change_evidence:api_cors_and_public_url_runtime_config` | C0 | HIGH | API base URL、CORS origins、NEXT_PUBLIC build-time config、public domain / internal IP boundary |
| `public_runtime_config_change_evidence:frontend_env_and_sentry_tunnel_runtime_config` | C0 | HIGH | Next.js middleware、Sentry tunnel、browser-facing env、health route 與 console error boundary |
| `public_runtime_config_change_evidence:webhook_callback_and_notification_runtime_config` | C0 | HIGH | webhook callback、proposal route、deep link、notification route 與 external send boundary |
| `public_runtime_config_change_evidence:cross_product_runtime_route_scope` | C1 | MEDIUM | VibeWork、agent-bounty-protocol、StockPlatform、官方形象網站、藥局網站與其他產品 runtime route scope |
## 3. 必收 Evidence
每筆候選進 reviewer acceptance 前,至少要有:
| Evidence | 必要性 |
|---|---|
| `proposed_runtime_config_change_ref` | 變更 ref不能只有口頭同意 |
| `affected_route_refs` | public / admin / API / callback / webhook / frontend route 範圍 |
| `public_url_or_domain_ref` | public URL / domain 依據,禁止內網 IP 暴露 |
| `admin_auth_boundary_ref` | admin / operator / approval route 的 auth boundary |
| `api_contract_readback_ref` | API contract / public payload readback |
| `cors_origin_diff_ref` | CORS origin diff 或 owner-provided ref |
| `frontend_env_diff_ref` | NEXT_PUBLIC / browser-facing env diff |
| `i18n_redaction_review_ref` | 全繁中、無 raw identity、無內部對話的文案審查 |
| `webhook_callback_owner_ref` | callback / webhook / notification route owner |
| `desktop_mobile_smoke_ref` | desktop / mobile smoke、overflow 與必要文案 |
| `api_health_readback_ref` | health / API readback |
| `sensitive_string_scan_ref` | raw namespace、internal state code、內部協作語句、secret value 掃描 |
| `console_error_scan_ref` | console / page error 結果 |
| `blast_radius` | 產品、route、API、admin/auth、public domain、callback、webhook 與使用者影響 |
| `maintenance_window` | 未來 runtime config 變更窗口或不適用理由 |
| `rollback_owner` | 回復負責人 |
| `rollback_plan_ref` | 回復方式 |
| `postcheck_evidence_ref` | API readback、browser smoke、bundle scan 或 alert silence review |
| `redacted_evidence_refs` | 只允許脫敏 evidence refs |
| `reviewer_outcome` | reviewer 結果 |
| `not_approval` | 明確標示不是 runtime 授權 |
## 4. Reviewer Checks
Reviewer 必須確認:
1. 有 proposed runtime config change ref。
2. affected route refs 明確。
3. public URL 不使用內網 IP。
4. admin auth boundary 與 owner 明確。
5. public API 不暴露 raw owner namespace、repo slug 或內部狀態碼。
6. CORS 只收 diff / owner ref不直接改白名單。
7. frontend env 有 diff 與 bundle sensitive scan。
8. i18n 文案全繁中,無內部對話、抱怨語句或 raw identity。
9. webhook / callback route 有 owner 與回復方式。
10. desktop / mobile smoke 含 overflow 結果。
11. API / backend runtime config 有 health 或 contract readback。
12. sensitive string scan 至少檢查 raw namespace、internal state code、internal transcript、secret value。
13. console / page error 結果已標明。
14. 沒有 cookie、token、secret value、hash、partial token 或 raw payload。
15. security header、cookie、CSRF、rate limit 或 middleware 影響有說明。
16. blast radius 明確。
17. maintenance window 明確。
18. rollback owner 明確。
19. post-check evidence 明確。
20. 不把本帳本、UI 可見、CD success、AwoooP approval 或 smoke pass 當資安批准。
21. 影響跨專案時有同步 ref。
## 5. Outcome Lanes
| Lane | 意義 |
|---|---|
| `waiting_change_evidence` | 尚未收到 runtime config 變更證據 |
| `quarantine_sensitive_payload` | 收到敏感 payload只能隔離 |
| `reject_unredacted_or_runtime_claim` | 未脫敏或誤稱已批准,直接拒收 |
| `request_supplement` | 缺 route scope、auth、CORS、smoke、rollback 或 post-check要求補件 |
| `ready_for_reviewer_acceptance` | metadata 合格後進 reviewer acceptance |
| `ready_for_runtime_approval_package` | reviewer 接受後形成 runtime approval package |
| `waiting_maintenance_window` | 未來 runtime config 變更仍需維護窗口 |
| `waiting_runtime_gate` | runtime gate 仍等待獨立人工批准 |
## 6. 明確禁止
本帳本不得被解讀為以下動作的授權:
- 改 public route、admin route、API route、CORS、NEXT_PUBLIC env、callback URL 或 webhook secret。
- 改 middleware auth、關閉 CSRF、關閉 rate limit、改 cookie policy 或 security headers。
- 在前台、public API、HTML、bundle 或 messages 放入 raw owner namespace、repo slug、內部狀態碼、內部對話、內部協作語句或 secret value。
- 部署 frontend / API、改 Nginx route、改 OpenAPI contract、跑 migration、發送 webhook、active scan、force push 或切 GitHub primary。
## 7. 目前邊界
| 欄位 | 值 |
|---|---:|
| `change_evidence_received_count` | `0` |
| `change_evidence_accepted_count` | `0` |
| `route_scope_accepted_count` | `0` |
| `admin_auth_boundary_accepted_count` | `0` |
| `api_contract_readback_accepted_count` | `0` |
| `cors_origin_diff_accepted_count` | `0` |
| `frontend_env_diff_accepted_count` | `0` |
| `i18n_redaction_review_accepted_count` | `0` |
| `webhook_callback_owner_accepted_count` | `0` |
| `desktop_mobile_smoke_accepted_count` | `0` |
| `sensitive_string_scan_accepted_count` | `0` |
| `postcheck_evidence_accepted_count` | `0` |
| `runtime_approval_package_ready_count` | `0` |
| `runtime_gate_count` | `0` |
| `action_button_count` | `0` |
## 8. 完成度
- Public / admin / API runtime config 變更證據驗收 artifact`100%`
- `public_admin_api_runtime_config` 只讀治理成熟度:`62% -> 64%`
- Active runtime gate`0`
此完成度只代表規範、snapshot、guard 與前台 marker 可驗證;不代表任何 route、CORS、env、auth、callback、webhook、部署或 runtime 動作已授權。