awoooi/docs/security/ssh-network-owner-request-draft.snapshot.json


{
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"execution_boundaries": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"deploy_ssh_action_authorized": false,
"firewall_change_authorized": false,
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"live_evidence_received": false,
"live_host_read_authorized": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"port_change_authorized": false,
"recipient_confirmed": false,
"request_sent": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"sudo_action_authorized": false,
"wireguard_change_authorized": false
},
"generated_at": "2026-06-14T22:45:00+08:00",
"git_commit": "4c847093",
"next_steps": [
"人工送件前確認 network / firewall / deploy owner role 與回覆窗口。",
"owner 只能提供脫敏 live access state、allowed source CIDR metadata、maintenance window、rollback owner 與 validation plan。",
"收到回覆後先做欄位完整性、敏感 payload 隔離、port close/open 影響範圍與 rollback gate 檢查,不得直接改 firewall 或套用 NetworkPolicy。"
],
"request_drafts": [
{
"access_scope": [
"192.168.0.110",
"192.168.0.111",
"192.168.0.112",
"192.168.0.120",
"192.168.0.121",
"192.168.0.188"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "ssh_target_inventory",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "110_111_112_120_121_188",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Ansible inventory SSH targets",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "86108dce9174b5c0a794d240dd40518966d9c340950fc6306845b704f12e6536",
"repo_source_path": "infra/ansible/inventory/hosts.yml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:ansible_inventory_ssh_targets",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 48,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "ansible_inventory_ssh_targets",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": false
},
{
"access_scope": [
"StrictHostKeyChecking=accept-new",
"ConnectTimeout=10"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "ssh_client_policy",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "multi_host",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Ansible common SSH host key policy",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "c3d5cb63cf84dea98195aa075e69ca90be7422b5805c0cfc50c1d97b832ad86e",
"repo_source_path": "infra/ansible/inventory/group_vars/all.yml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:ansible_common_ssh_args",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 20,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "ansible_common_ssh_args",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": false
},
{
"access_scope": [
"192.168.0.110",
"192.168.0.120",
"192.168.0.121",
"192.168.0.188"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "known_hosts_secret_workflow",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "110_120_121_188_known_hosts",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Gitea CD repair known_hosts secret",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "5b41cdc34c954a383ebea9e4109d10165ceb40589d55df9ee6e808d4092bf593",
"repo_source_path": ".gitea/workflows/cd.yaml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:gitea_cd_known_hosts_secret",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 1562,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "gitea_cd_known_hosts_secret",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": false
},
{
"access_scope": [
"K8S_SSH_HOST",
"deploy_key",
"kubectl apply",
"ArgoCD sync"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "ci_deploy_ssh",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "k8s_ssh_host",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Gitea CD K8s deploy SSH path",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "5b41cdc34c954a383ebea9e4109d10165ceb40589d55df9ee6e808d4092bf593",
"repo_source_path": ".gitea/workflows/cd.yaml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:gitea_cd_deploy_ssh",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 1562,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "gitea_cd_deploy_ssh",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": true
},
{
"access_scope": [
"192.168.0.120",
"deploy_key",
"kubectl apply"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "ci_deploy_ssh",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "192.168.0.120",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Gitea CD dev deploy SSH path",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "e344a4672cb543979c3bb8ea67967c103332587b4a52a939c837457aaeae686d",
"repo_source_path": ".gitea/workflows/cd-dev.yaml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:gitea_cd_dev_ssh",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 262,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "gitea_cd_dev_ssh",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": true
},
{
"access_scope": [
"192.168.0.110",
"deploy alert scripts"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "ci_deploy_ssh",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "192.168.0.110",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Deploy alerts SSH path",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "b0389fa65da643d411f6961928a276d555ad6a416366bf87f3f5c2c06ee45d13",
"repo_source_path": ".gitea/workflows/deploy-alerts.yaml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:deploy_alerts_ssh_path",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 72,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "deploy_alerts_ssh_path",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": true
},
{
"access_scope": [
"192.168.0.110",
"192.168.0.188",
"docker ps"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "ssh_discovery_script",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "110_188_docker_hosts",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Monitoring Docker discovery SSH scanner",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "563faf8efcfdbd5a79cc87e0d43c2ba11bebf755a773c97b9c0778f1f0634a15",
"repo_source_path": "ops/monitoring/discover_docker.py",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:monitoring_discover_docker_ssh",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 314,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "monitoring_discover_docker_ssh",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": false
},
{
"access_scope": [
"192.168.0.188",
"scp",
"docker compose up -d"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "monitoring_ssh_deploy_script",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "192.168.0.188",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Monitoring exporter deploy SSH script",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "dbcbca21cf6fd5083177cb8a12c008c1aefed8e6ed05b70d738b3db37699cef3",
"repo_source_path": "ops/monitoring/deploy-exporters.sh",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:monitoring_exporter_deploy_ssh",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 76,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "monitoring_exporter_deploy_ssh",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": true
},
{
"access_scope": [
"/etc/ssh",
"/etc/nginx",
"systemd",
"docker",
"k8s"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "ssh_backup_capture",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "110_188_120_121_cluster",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Backup config SSH capture",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "d24301cff44e464bd19ce0792362be16916ccde8c92f92351a19ef4ee988f15e",
"repo_source_path": "scripts/backup/backup-configs.sh",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:backup_config_ssh_capture",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 359,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "backup_config_ssh_capture",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": false
},
{
"access_scope": [
"awoooi-hosts-add",
"docker kill SIGHUP",
"promtool",
"amtool"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "sudoers_policy",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "host_ops_minimal_sudo",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Host ops sudoers wrapper",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "eff02c67402d2f5b2ac8d112dca26a15dc34f03593ca490a0682a6dfa9b0394d",
"repo_source_path": "scripts/host-ops/awoooi-wrapper.sudoers",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:host_ops_sudoers_wrapper",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 27,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "host_ops_sudoers_wrapper",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": true
},
{
"access_scope": [
"default deny",
"ingress",
"egress",
"SSH egress",
"Ollama",
"monitoring"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "k8s_network_policy",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "awoooi_prod_namespace",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "K8s production NetworkPolicy",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "f5ea6a9f5fb0cc44664d97a3ed639fa4b43ffd9bcfd70a1f6b44640791b7859f",
"repo_source_path": "k8s/awoooi-prod/02-network-policy.yaml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:k8s_prod_network_policy",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 306,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "k8s_prod_network_policy",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": false
},
{
"access_scope": [
"192.168.0.188",
"argocd metrics",
"192.168.0.0/24 UI"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "k8s_network_policy",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "argocd_namespace",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "ArgoCD metrics NetworkPolicy",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "41ccd0bb22410c48adc84eae74391106c3f28fe181786cfe4128a07f99d2942c",
"repo_source_path": "k8s/argocd/argocd-metrics-network-policy.yaml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:argocd_metrics_network_policy",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 80,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "argocd_metrics_network_policy",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": false
},
{
"access_scope": [
"nodePort 30882",
"nodePort 30883"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "k8s_nodeport_service",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "argocd_nodeport_30882_30883",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "ArgoCD metrics NodePort",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "7f4a8f09206ce0afc185fe11d5e55265bb553b671471724cdcd83c259ec7d266",
"repo_source_path": "k8s/argocd/argocd-metrics-nodeport.yaml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:argocd_metrics_nodeport",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 47,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "argocd_metrics_nodeport",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": false
},
{
"access_scope": [
"nodePort 30885",
"backup metrics"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "k8s_nodeport_service",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "velero_nodeport_30885",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Velero metrics NodePort",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "684959def32b792e2bca34b477afcdfe2b0c6dfd0cb90f4b681a514922d62b75",
"repo_source_path": "k8s/velero/velero-metrics-service.yaml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:velero_metrics_nodeport",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 26,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "velero_metrics_nodeport",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": false
},
{
"access_scope": [
"10.77.114.0/24",
"51820/udp",
"GCP-A",
"GCP-B"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "wireguard_runbook",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "110_111_120_121_gcp_a_gcp_b",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "GCP Ollama WireGuard mesh runbook",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "0af082698c727176ca82c79f95f3950f4c32ed6aabc91c88aff41831fbf0c044",
"repo_source_path": "docs/runbooks/GCP-OLLAMA-WIREGUARD-MESH.md",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:wireguard_mesh_runbook",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 280,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "wireguard_mesh_runbook",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": false
},
{
"access_scope": [
"ssh_diagnose",
"docker restart",
"systemctl restart",
"docker compose",
"docker prune"
],
"action_buttons_allowed": false,
"active_scan_authorized": false,
"affected_scope": "pending_affected_scope",
"allowed_source_cidrs_ref": null,
"blocked_actions": [
"ssh_read",
"ssh_write",
"host_keyscan",
"known_hosts_patch",
"firewall_change",
"port_close",
"port_open",
"network_policy_apply",
"nodeport_change",
"wireguard_change",
"sudo_action",
"deploy_ssh_action",
"secret_value_collection",
"ssh_key_collection",
"active_scan",
"runtime_gate_open"
],
"break_glass_owner": "pending_break_glass_owner",
"change_freeze_rule": "pending_change_freeze_rule",
"config_kind": "alert_ssh_action_rules",
"control_tier": "C1",
"decision": "pending_owner_decision",
"decision_reason": "pending_decision_reason",
"deploy_ssh_action_authorized": false,
"expected_scope": "ssh_mcp_action_catalog",
"firewall_change_authorized": false,
"followup_owner": "pending_followup_owner",
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"label": "Alert rules SSH action surface",
"live_access_state_ref": null,
"live_evidence_received": false,
"maintenance_window": "pending_maintenance_window",
"maintenance_window_accepted": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"owner_role_or_team": "pending_owner_role_or_team",
"port_change_authorized": false,
"recipient_confirmed": false,
"redacted_evidence_refs": [],
"repo_sha256": "5786505aa05073bbb2069203a443a75c8337a289dc015630792d0c201c85cafb",
"repo_source_path": "apps/api/alert_rules.yaml",
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"request_id": "ssh_network_owner_request:alert_rules_ssh_actions",
"request_sent": false,
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"requires_live_evidence": true,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"runtime_gate": false,
"secret_value_collection_allowed": false,
"source_inventory_ref": "docs/security/ssh-network-access-inventory.snapshot.json",
"source_line_count": 889,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"status": "draft_not_dispatched",
"sudo_action_authorized": false,
"surface_id": "alert_rules_ssh_actions",
"validation_plan": "pending_validation_plan",
"validation_plan_accepted": false,
"wireguard_change_authorized": false,
"write_capable_surface": true
}
],
"request_fields": [
"request_id",
"surface_id",
"label",
"expected_scope",
"config_kind",
"access_scope",
"control_tier",
"repo_source_path",
"repo_sha256",
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner",
"not_approval"
],
"required_owner_fields": [
"owner_role_or_team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"live_access_state_ref",
"allowed_source_cidrs_ref",
"maintenance_window",
"rollback_owner",
"validation_plan",
"break_glass_owner",
"change_freeze_rule",
"followup_owner"
],
"schema_version": "ssh_network_owner_request_draft_v1",
"source_inventory_schema_version": "ssh_network_access_inventory_v1",
"source_inventory_status": "repo_only_inventory_ready",
"status": "owner_request_draft_ready_not_dispatched",
"summary": {
"action_button_count": 0,
"active_scan_authorized_count": 0,
"blocked_action_count": 16,
"deploy_ssh_action_authorized_count": 0,
"firewall_change_authorized_count": 0,
"host_keyscan_authorized_count": 0,
"host_write_authorized_count": 0,
"known_hosts_patch_authorized_count": 0,
"live_evidence_received_count": 0,
"live_evidence_required_request_count": 16,
"maintenance_window_accepted_count": 0,
"network_policy_apply_authorized_count": 0,
"nodeport_change_authorized_count": 0,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"port_change_authorized_count": 0,
"recipient_confirmed_count": 0,
"request_draft_count": 16,
"request_field_count": 23,
"request_sent_count": 0,
"required_owner_field_count": 13,
"rollback_owner_accepted_count": 0,
"runtime_gate_count": 0,
"secret_value_collection_allowed_count": 0,
"ssh_key_collection_allowed_count": 0,
"ssh_read_authorized_count": 0,
"ssh_write_authorized_count": 0,
"sudo_action_authorized_count": 0,
"validation_plan_accepted_count": 0,
"wireguard_change_authorized_count": 0,
"write_capable_request_draft_count": 6
}
}