{
"blocked_actions": [
"read_live_conf_over_ssh",
"store_raw_live_conf",
"render_diff_from_unredacted_payload",
"nginx_test_without_approval",
"nginx_reload_without_approval",
"route_smoke_without_plan",
"dns_probe_without_approval",
"tls_probe_without_approval",
"certbot_renew_without_approval",
"modify_nginx_conf",
"modify_dns_tls_config",
"change_public_route",
"write_production_host",
"open_runtime_gate"
],
"diff_gate_candidates": [
{
"action_buttons_allowed": false,
"blocked_actions": [
"read_live_conf_over_ssh",
"store_raw_live_conf",
"render_diff_from_unredacted_payload",
"nginx_test_without_approval",
"nginx_reload_without_approval",
"route_smoke_without_plan",
"dns_probe_without_approval",
"tls_probe_without_approval",
"certbot_renew_without_approval",
"modify_nginx_conf",
"modify_dns_tls_config",
"change_public_route",
"write_production_host",
"open_runtime_gate"
],
"certbot_renew_authorized": false,
"config_id": "host188_all_sites",
"control_tier": "C0",
"diff_gate_fields": [
"diff_gate_id",
"intake_id",
"export_request_id",
"config_id",
"control_tier",
"source_config_ref",
"redacted_live_conf_ref",
"rendered_diff_ref",
"nginx_test_plan_ref",
"route_smoke_plan_ref",
"rollback_owner",
"not_approval"
],
"diff_gate_id": "public_gateway_rendered_diff_gate:host188_all_sites",
"dns_tls_probe_authorized": false,
"export_request_id": "public_gateway_live_conf_export:host188_all_sites",
"host": "192.168.0.188",
"intake_id": "public_gateway_redacted_export_intake:host188_all_sites",
"live_path": "/etc/nginx/sites-enabled/all-sites.conf",
"maintenance_window_accepted": false,
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"nginx_test_plan_ref": null,
"not_approval": true,
"owner_gate": "public_gateway_owner_response_required",
"preflight_stages": [
"redacted_export_acceptance_required",
"normalize_without_raw_conf_storage",
"rendered_diff_owner_review_required",
"nginx_test_approval_package_required",
"reload_approval_separate",
"route_smoke_matrix_required",
"postcheck_and_rollback_required"
],
"production_write_authorized": false,
"redacted_export_accepted": false,
"redacted_live_conf_ref": null,
"rendered_diff_candidate": false,
"rendered_diff_ready": false,
"rendered_diff_ref": null,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"route_smoke_authorized": false,
"route_smoke_executed": false,
"route_smoke_plan_ref": null,
"runtime_gate": false,
"source_config_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
"status": "draft_waiting_redacted_export_acceptance"
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"read_live_conf_over_ssh",
"store_raw_live_conf",
"render_diff_from_unredacted_payload",
"nginx_test_without_approval",
"nginx_reload_without_approval",
"route_smoke_without_plan",
"dns_probe_without_approval",
"tls_probe_without_approval",
"certbot_renew_without_approval",
"modify_nginx_conf",
"modify_dns_tls_config",
"change_public_route",
"write_production_host",
"open_runtime_gate"
],
"certbot_renew_authorized": false,
"config_id": "host188_internal_tools_https",
"control_tier": "C0",
"diff_gate_fields": [
"diff_gate_id",
"intake_id",
"export_request_id",
"config_id",
"control_tier",
"source_config_ref",
"redacted_live_conf_ref",
"rendered_diff_ref",
"nginx_test_plan_ref",
"route_smoke_plan_ref",
"rollback_owner",
"not_approval"
],
"diff_gate_id": "public_gateway_rendered_diff_gate:host188_internal_tools_https",
"dns_tls_probe_authorized": false,
"export_request_id": "public_gateway_live_conf_export:host188_internal_tools_https",
"host": "192.168.0.188",
"intake_id": "public_gateway_redacted_export_intake:host188_internal_tools_https",
"live_path": "owner_confirmation_required",
"maintenance_window_accepted": false,
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"nginx_test_plan_ref": null,
"not_approval": true,
"owner_gate": "public_tools_owner_response_required",
"preflight_stages": [
"redacted_export_acceptance_required",
"normalize_without_raw_conf_storage",
"rendered_diff_owner_review_required",
"nginx_test_approval_package_required",
"reload_approval_separate",
"route_smoke_matrix_required",
"postcheck_and_rollback_required"
],
"production_write_authorized": false,
"redacted_export_accepted": false,
"redacted_live_conf_ref": null,
"rendered_diff_candidate": false,
"rendered_diff_ready": false,
"rendered_diff_ref": null,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"route_smoke_authorized": false,
"route_smoke_executed": false,
"route_smoke_plan_ref": null,
"runtime_gate": false,
"source_config_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
"status": "draft_waiting_redacted_export_acceptance"
},
{
"action_buttons_allowed": false,
"blocked_actions": [
"read_live_conf_over_ssh",
"store_raw_live_conf",
"render_diff_from_unredacted_payload",
"nginx_test_without_approval",
"nginx_reload_without_approval",
"route_smoke_without_plan",
"dns_probe_without_approval",
"tls_probe_without_approval",
"certbot_renew_without_approval",
"modify_nginx_conf",
"modify_dns_tls_config",
"change_public_route",
"write_production_host",
"open_runtime_gate"
],
"certbot_renew_authorized": false,
"config_id": "host110_ollama_proxy",
"control_tier": "C1",
"diff_gate_fields": [
"diff_gate_id",
"intake_id",
"export_request_id",
"config_id",
"control_tier",
"source_config_ref",
"redacted_live_conf_ref",
"rendered_diff_ref",
"nginx_test_plan_ref",
"route_smoke_plan_ref",
"rollback_owner",
"not_approval"
],
"diff_gate_id": "public_gateway_rendered_diff_gate:host110_ollama_proxy",
"dns_tls_probe_authorized": false,
"export_request_id": "public_gateway_live_conf_export:host110_ollama_proxy",
"host": "192.168.0.110",
"intake_id": "public_gateway_redacted_export_intake:host110_ollama_proxy",
"live_path": "/etc/nginx/sites-enabled/110-ollama-proxy.conf",
"maintenance_window_accepted": false,
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"nginx_test_plan_ref": null,
"not_approval": true,
"owner_gate": "ai_provider_proxy_owner_response_required",
"preflight_stages": [
"redacted_export_acceptance_required",
"normalize_without_raw_conf_storage",
"rendered_diff_owner_review_required",
"nginx_test_approval_package_required",
"reload_approval_separate",
"route_smoke_matrix_required",
"postcheck_and_rollback_required"
],
"production_write_authorized": false,
"redacted_export_accepted": false,
"redacted_live_conf_ref": null,
"rendered_diff_candidate": false,
"rendered_diff_ready": false,
"rendered_diff_ref": null,
"rollback_owner": "pending_rollback_owner",
"rollback_owner_accepted": false,
"route_smoke_authorized": false,
"route_smoke_executed": false,
"route_smoke_plan_ref": null,
"runtime_gate": false,
"source_config_ref": "docs/security/public-gateway-preflight-inventory.snapshot.json",
"status": "draft_waiting_redacted_export_acceptance"
}
],
"diff_gate_fields": [
"diff_gate_id",
"intake_id",
"export_request_id",
"config_id",
"control_tier",
"source_config_ref",
"redacted_live_conf_ref",
"rendered_diff_ref",
"nginx_test_plan_ref",
"route_smoke_plan_ref",
"rollback_owner",
"not_approval"
],
"execution_boundaries": {
"action_buttons_allowed": false,
"certbot_renew_authorized": false,
"dns_tls_probe_authorized": false,
"nginx_reload_authorized": false,
"nginx_reload_executed": false,
"nginx_test_authorized": false,
"nginx_test_executed": false,
"not_authorization": true,
"production_write_authorized": false,
"read_live_conf_over_ssh": false,
"rendered_diff_authorized": false,
"route_smoke_authorized": false,
"route_smoke_executed": false,
"runtime_execution_authorized": false,
"store_raw_live_conf": false
},
"generated_at": "2026-06-14T20:05:00+08:00",
"git_commit": "f856df1c",
"next_steps": [
"等待 redacted export accepted metadata;沒有 accepted metadata 前不得產生 rendered diff。",
"rendered diff candidate 必須另走 reviewer / owner review,不得自動進 nginx -t。",
"`nginx -t`、reload、route smoke、DNS / TLS probe、certbot renew 與 production write 都必須另行人工批准。"
],
"preflight_stages": [
{
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
"instruction": "必須先有合格 redacted export accepted metadata,否則不得產生 rendered diff。",
"stage_id": "redacted_export_acceptance_required",
"status": "required_before_runtime_action"
},
{
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
"instruction": "只可在隔離工作區以脫敏 ref 產生 normalized diff,不得把 raw live conf 寫入 repo。",
"stage_id": "normalize_without_raw_conf_storage",
"status": "required_before_runtime_action"
},
{
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
"instruction": "rendered diff 只可成為 owner review candidate,不自動批准。",
"stage_id": "rendered_diff_owner_review_required",
"status": "required_before_runtime_action"
},
{
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
"instruction": "`nginx -t` 必須另有人工批准包、rollback owner 與維護窗口。",
"stage_id": "nginx_test_approval_package_required",
"status": "required_before_runtime_action"
},
{
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
"instruction": "reload 與 public route change 必須獨立於 rendered diff 與 nginx -t。",
"stage_id": "reload_approval_separate",
"status": "required_before_runtime_action"
},
{
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
"instruction": "route smoke 需列出 affected routes、預期 status、TLS / WebSocket / ACME checks。",
"stage_id": "route_smoke_matrix_required",
"status": "required_before_runtime_action"
},
{
"gate_effect": "不增加 rendered_diff / nginx_test / reload / route_smoke / runtime gate。",
"instruction": "任何未來執行前都需 rollback owner、post-check 與失敗撤回條件。",
"stage_id": "postcheck_and_rollback_required",
"status": "required_before_runtime_action"
}
],
"schema_version": "public_gateway_rendered_diff_gate_draft_v1",
"source_intake_preflight_schema_version": "public_gateway_redacted_export_intake_preflight_v1",
"source_intake_preflight_status": "redacted_export_intake_preflight_ready_no_payload_received",
"status": "rendered_diff_gate_draft_ready_no_runtime_action",
"summary": {
"action_button_count": 0,
"blocked_action_count": 14,
"c0_diff_gate_candidate_count": 2,
"c1_diff_gate_candidate_count": 1,
"certbot_renew_authorized_count": 0,
"diff_gate_candidate_count": 3,
"diff_gate_field_count": 12,
"dns_tls_probe_authorized_count": 0,
"maintenance_window_accepted_count": 0,
"nginx_reload_authorized_count": 0,
"nginx_reload_executed_count": 0,
"nginx_test_authorized_count": 0,
"nginx_test_executed_count": 0,
"preflight_stage_count": 7,
"redacted_export_accepted_count": 0,
"rendered_diff_candidate_count": 0,
"rendered_diff_ready_count": 0,
"rollback_owner_accepted_count": 0,
"route_smoke_authorized_count": 0,
"route_smoke_executed_count": 0,
"runtime_gate_count": 0
}
}