# Public / Admin / API Runtime Config Change Evidence Acceptance

> This document is the read-only acceptance ledger for high-value configuration control in IwoooS. It defines how future public route, admin/auth boundary, API / CORS, frontend env, i18n, callback and webhook runtime config changes are received, supplemented, rejected, or advanced to reviewer acceptance. It is not an authorization for route changes, CORS changes, env changes, auth changes, webhook changes, deployment, or a runtime gate.
## 1. Snapshot

| Field | Value | Description |
|---|---:|---|
| `schema_version` | `public_runtime_config_change_evidence_acceptance_v1` | Public runtime config change evidence acceptance |
| `change_evidence_candidate_count` | `6` | Six classes of public / admin / API runtime config candidates |
| `c0_change_evidence_candidate_count` | `5` | public route, admin/auth, API/CORS, frontend env and webhook/callback are C0 |
| `c1_change_evidence_candidate_count` | `1` | cross-product route scope is C1 |
| `write_capable_candidate_count` | `6` | All six classes may in future trigger route, auth, CORS, env or callback writes |
| `source_ref_count` | `20` | All source refs exist inside the repo |
| `required_evidence_field_count` | `21` | Evidence fields that must be filled before the reviewer |
| `reviewer_check_count` | `21` | Conditions the reviewer must check |
| `outcome_lane_count` | `8` | Post-intake routing outcomes |
| `blocked_action_count` | `32` | runtime / route / secret / deploy actions this ledger explicitly forbids |
| `runtime_gate_count` | `0` | No runtime gate is open |

Source snapshot: `docs/security/public-runtime-config-change-evidence-acceptance.snapshot.json`
## 2. Change Candidates

| Candidate | Tier | Risk | Scope |
|---|---|---|---|
| `public_runtime_config_change_evidence:public_product_route_and_i18n_redaction` | C0 | HIGH | Public product pages, IwoooS / AwoooP / Tenants / Code Review frontend copy, leak prevention for raw identity and internal collaboration text |
| `public_runtime_config_change_evidence:admin_auth_and_operator_console_boundary` | C0 | HIGH | AwoooP operator console, approvals, work-items, runs, admin auth / CSRF / owner guard |
| `public_runtime_config_change_evidence:api_cors_and_public_url_runtime_config` | C0 | HIGH | API base URL, CORS origins, NEXT_PUBLIC build-time config, public domain / internal IP boundary |
| `public_runtime_config_change_evidence:frontend_env_and_sentry_tunnel_runtime_config` | C0 | HIGH | Next.js middleware, Sentry tunnel, browser-facing env, health route and console error boundary |
| `public_runtime_config_change_evidence:webhook_callback_and_notification_runtime_config` | C0 | HIGH | webhook callback, proposal route, deep link, notification route and external send boundary |
| `public_runtime_config_change_evidence:cross_product_runtime_route_scope` | C1 | MEDIUM | VibeWork, agent-bounty-protocol, StockPlatform, the official corporate website, the pharmacy website and other products' runtime route scope |
## 3. Required Evidence

Before any candidate enters reviewer acceptance, it must carry at least:

| Evidence | Requirement |
|---|---|
| `proposed_runtime_config_change_ref` | Change ref; verbal agreement alone is not enough |
| `affected_route_refs` | public / admin / API / callback / webhook / frontend route scope |
| `public_url_or_domain_ref` | Basis for the public URL / domain; exposing internal IPs is forbidden |
| `admin_auth_boundary_ref` | Auth boundary of the admin / operator / approval routes |
| `api_contract_readback_ref` | API contract / public payload readback |
| `cors_origin_diff_ref` | CORS origin diff or owner-provided ref |
| `frontend_env_diff_ref` | NEXT_PUBLIC / browser-facing env diff |
| `i18n_redaction_review_ref` | Copy review: entirely Traditional Chinese, no raw identity, no internal conversation |
| `webhook_callback_owner_ref` | Owner of the callback / webhook / notification route |
| `desktop_mobile_smoke_ref` | desktop / mobile smoke, overflow and required copy |
| `api_health_readback_ref` | health / API readback |
| `sensitive_string_scan_ref` | Scan for raw namespace, internal state code, internal collaboration phrases and secret values |
| `console_error_scan_ref` | console / page error results |
| `blast_radius` | Impact on products, routes, API, admin/auth, public domain, callback, webhook and users |
| `maintenance_window` | Window for the future runtime config change, or the reason it does not apply |
| `rollback_owner` | Person responsible for rollback |
| `rollback_plan_ref` | Rollback method |
| `postcheck_evidence_ref` | API readback, browser smoke, bundle scan or alert silence review |
| `redacted_evidence_refs` | Only redacted evidence refs are allowed |
| `reviewer_outcome` | Reviewer result |
| `not_approval` | Explicitly marked as not a runtime authorization |
## 4. Reviewer Checks

The reviewer must confirm that:

1. A proposed runtime config change ref exists.
2. The affected route refs are explicit.
3. The public URL does not use an internal IP.
4. The admin auth boundary and its owner are explicit.
5. The public API does not expose raw owner namespaces, repo slugs or internal state codes.
6. CORS changes arrive only as a diff / owner ref; the allowlist is never edited directly.
7. The frontend env has a diff and a bundle sensitive scan.
8. The i18n copy is entirely Traditional Chinese, with no internal conversation, complaint phrases or raw identity.
9. webhook / callback routes have an owner and a rollback method.
10. The desktop / mobile smoke includes overflow results.
11. API / backend runtime config has a health or contract readback.
12. The sensitive string scan covers at least raw namespace, internal state code, internal transcript and secret value.
13. console / page error results are recorded.
14. No cookies, tokens, secret values, hashes, partial tokens or raw payloads are present.
15. The impact on security headers, cookies, CSRF, rate limit or middleware is described.
16. The blast radius is explicit.
17. The maintenance window is explicit.
18. The rollback owner is explicit.
19. The post-check evidence is explicit.
20. This ledger, UI visibility, CD success, AwoooP approval or a smoke pass is not treated as security approval.
21. Where other projects are affected, a sync ref exists.
## 5. Outcome Lanes

| Lane | Meaning |
|---|---|
| `waiting_change_evidence` | No runtime config change evidence received yet |
| `quarantine_sensitive_payload` | A sensitive payload was received; it can only be quarantined |
| `reject_unredacted_or_runtime_claim` | Unredacted, or falsely claims approval; rejected outright |
| `request_supplement` | Missing route scope, auth, CORS, smoke, rollback or post-check; supplement requested |
| `ready_for_reviewer_acceptance` | Metadata passes; proceeds to reviewer acceptance |
| `ready_for_runtime_approval_package` | Accepted by the reviewer; forms the runtime approval package |
| `waiting_maintenance_window` | The future runtime config change still needs a maintenance window |
| `waiting_runtime_gate` | The runtime gate still awaits independent human approval |
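The intake logic of sections 3 to 5 can be expressed as a small triage routine. The following is an added Python example written for this page; it is not the IwoooS guard, snapshot tooling or any project code. It assumes an evidence record is a flat dict keyed by the section 3 field names and returns one of the section 5 lanes. The lane precedence (waiting, then quarantine, then reject, then supplement, then ready), the internal-IP test for reviewer check 3, and the regular expression used to spot an inline cookie or token (reviewer check 14) are assumptions made for this example, as are the `evidence://placeholder/...` refs in the constructed sample record.

```python
"""Intake triage for runtime config change evidence records (added example).

Not the IwoooS guard or snapshot tooling: an illustrative sketch that maps
a section 3 evidence record onto a section 5 lane. Lane precedence, the
internal-IP test and the secret-value heuristic are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# All 21 evidence fields from section 3 (names are the page's own).
REQUIRED_FIELDS = (
    "proposed_runtime_config_change_ref", "affected_route_refs",
    "public_url_or_domain_ref", "admin_auth_boundary_ref",
    "api_contract_readback_ref", "cors_origin_diff_ref",
    "frontend_env_diff_ref", "i18n_redaction_review_ref",
    "webhook_callback_owner_ref", "desktop_mobile_smoke_ref",
    "api_health_readback_ref", "sensitive_string_scan_ref",
    "console_error_scan_ref", "blast_radius", "maintenance_window",
    "rollback_owner", "rollback_plan_ref", "postcheck_evidence_ref",
    "redacted_evidence_refs", "reviewer_outcome", "not_approval",
)

# Heuristic for reviewer check 14 (assumption): a value that carries a
# cookie, bearer token or secret inline instead of a redacted ref.
SENSITIVE_VALUE_RE = re.compile(
    r"(?i)\b(set-cookie|cookie|authorization|bearer|token|secret)\b\s*[:=]\s*\S+"
)


def public_ref_uses_internal_ip(ref: str) -> bool:
    """Reviewer check 3: a public URL / domain ref must not be an internal IP.

    Accepts a full URL or a bare host. Only literal IP addresses are tested;
    DNS names are left to the reviewer (assumption).
    """
    host = urlsplit(ref if "//" in ref else f"//{ref}").hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not a literal IP
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def _iter_strings(value):
    """Yield every string nested inside value (str, list, tuple, dict)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _iter_strings(item)
    elif isinstance(value, dict):
        for item in value.values():
            yield from _iter_strings(item)


def triage(record: dict | None) -> tuple[str, list[str]]:
    """Return (lane, reasons) for one evidence record.

    Precedence (assumption): no change ref -> waiting; inline sensitive
    value -> quarantine; not_approval not explicitly true -> reject;
    missing field or internal IP -> request_supplement; otherwise ready.
    """
    if not record or not record.get("proposed_runtime_config_change_ref"):
        return "waiting_change_evidence", ["no proposed_runtime_config_change_ref"]

    hits = [
        field for field, value in record.items()
        if any(SENSITIVE_VALUE_RE.search(s) for s in _iter_strings(value))
    ]
    if hits:
        # Only field names reach the reasons list; the value itself is never echoed.
        return "quarantine_sensitive_payload", [f"sensitive value in {f}" for f in hits]

    if record.get("not_approval") is not True:
        return "reject_unredacted_or_runtime_claim", ["not_approval is not explicitly true"]

    reasons = [f"missing {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if public_ref_uses_internal_ip(str(record.get("public_url_or_domain_ref", ""))):
        reasons.append("public_url_or_domain_ref is an internal IP")
    if reasons:
        return "request_supplement", reasons

    return "ready_for_reviewer_acceptance", []


# Constructed sample record: placeholder refs, not real project artifacts.
SAMPLE_RECORD = {field: f"evidence://placeholder/{field}" for field in REQUIRED_FIELDS}
SAMPLE_RECORD.update({
    "affected_route_refs": ["route://placeholder/public/products"],
    "public_url_or_domain_ref": "https://example.invalid/products",
    "redacted_evidence_refs": ["evidence://placeholder/redacted-1"],
    "reviewer_outcome": "pending",
    "not_approval": True,
})

if __name__ == "__main__":
    print(triage(SAMPLE_RECORD))
```

The quarantine branch deliberately reports only the offending field name: once a cookie or token has been pasted into an evidence record, the triage log must not become a second copy of it.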
## 6. Explicitly Forbidden

This ledger must not be read as authorization for any of the following actions:

- Changing public routes, admin routes, API routes, CORS, NEXT_PUBLIC env, callback URLs or webhook secrets.
- Changing middleware auth, disabling CSRF, disabling rate limiting, changing cookie policy or security headers.
- Placing raw owner namespaces, repo slugs, internal state codes, internal conversations, internal collaboration phrases or secret values into the frontend, public API, HTML, bundles or messages.
- Deploying the frontend / API, changing Nginx routes, changing the OpenAPI contract, running migrations, sending webhooks, active scanning, force pushing or switching the GitHub primary.
## 7. Current Boundary

| Field | Value |
|---|---:|
| `change_evidence_received_count` | `0` |
| `change_evidence_accepted_count` | `0` |
| `route_scope_accepted_count` | `0` |
| `admin_auth_boundary_accepted_count` | `0` |
| `api_contract_readback_accepted_count` | `0` |
| `cors_origin_diff_accepted_count` | `0` |
| `frontend_env_diff_accepted_count` | `0` |
| `i18n_redaction_review_accepted_count` | `0` |
| `webhook_callback_owner_accepted_count` | `0` |
| `desktop_mobile_smoke_accepted_count` | `0` |
| `sensitive_string_scan_accepted_count` | `0` |
| `postcheck_evidence_accepted_count` | `0` |
| `runtime_approval_package_ready_count` | `0` |
| `runtime_gate_count` | `0` |
| `action_button_count` | `0` |
## 8. Completion

- Public / admin / API runtime config change evidence acceptance artifact: `100%`.
- `public_admin_api_runtime_config` read-only governance maturity: `62% -> 64%`.
- Active runtime gate: `0`.

This completion figure only means that the specification, snapshot, guard and frontend marker are verifiable; it does not mean that any route, CORS, env, auth, callback, webhook, deployment or runtime action has been authorized.