diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json index dc711f17..a7885c69 100644 --- a/apps/web/messages/en.json +++ b/apps/web/messages/en.json @@ -19047,12 +19047,12 @@ }, "wazuhReleaseGate": { "eyebrow": "Wazuh 正式釋出閘門", - "title": "分清功能分支已完成與正式環境尚未釋出", - "subtitle": "這張卡把 Wazuh 只讀路由的 source-side、功能分支、正式主線、正式部署與讀回拆成不同狀態;目前功能分支已完成,但正式主線、部署、讀回與即時中繼資料仍維持 0。", + "title": "分清正式路由已部署與 Wazuh 納管尚未驗收", + "subtitle": "這張卡把 Wazuh 只讀路由的 source-side、功能分支、正式主線、正式部署與讀回拆成不同狀態;目前正式路由已部署並讀回 200,但即時中繼資料、代理清單驗收與主機操作仍維持 0。", "checkLabel": "檢核", "stateLabel": "狀態", "boundaryTitle": "正式釋出邊界", - "boundaryIntro": "以下鍵值固定:功能分支可讀不等於正式主線已合併,也不等於正式站已部署、Wazuh 即時查詢已啟用或主機操作已授權。", + "boundaryIntro": "以下鍵值固定:正式路由已部署只代表 IwoooS 可以顯示 disabled owner gate,不等於 Wazuh 即時查詢已啟用、代理清單已恢復或主機操作已授權。", "summary": { "source": { "label": "原始碼", @@ -19064,11 +19064,11 @@ }, "main": { "label": "正式主線", - "detail": "尚未由正式釋出流程合併。" + "detail": "已由正式主線讀回。" }, "deploy": { "label": "部署讀回", - "detail": "正式站仍是部署前邊界。" + "detail": "正式路由已回 200 disabled owner gate。" } }, "items": { @@ -19078,15 +19078,15 @@ }, "featureBranch": { "title": "功能分支已可交接", - "body": "分支可讀只代表 patch 可交接,不代表正式主線、部署或即時查詢已完成。" + "body": "分支可讀與正式主線讀回已完成,但仍不能代表 Wazuh 即時查詢或代理清單已驗收。" }, "formalMain": { - "title": "正式主線仍待釋出", - "body": "必須由合規釋出流程合併到正式主線或套用等效 patch,不得強推或用明文憑證繞過。" + "title": "正式主線已釋出", + "body": "正式主線已包含 Wazuh 只讀路由與 no-false-green 邊界;仍不得強推或用明文憑證繞過後續 gate。" }, "productionReadback": { - "title": "正式站讀回仍未通過", - "body": "部署後要用正式讀回指令驗證不再 404;部署前 404 只能當邊界證據。" + "title": "正式站讀回已通過", + "body": "正式 API 已回 200 並停在 disabled owner gate;這不是 Wazuh manager registry 已恢復的證據。" }, "ownerGate": { "title": "負責人證據仍待收件", @@ -19162,7 +19162,7 @@ "summary": { "routeReadback": { "label": "路由讀回", - "detail": "正式部署後讀回尚未通過,因此仍不能啟用即時中繼資料。" + "detail": "正式路由已回 200,但仍停在 disabled owner gate。" }, "owner": { "label": "負責人回覆", 
@@ -19179,8 +19179,8 @@ }, "items": { "releaseReadback": { - "title": "先等正式路由不再 404", - "body": "部署後必須用正式讀回指令驗證 `/api/iwooos/wazuh`,不能用部署前 404 或閘道繞路當成功。" + "title": "正式路由已不再 404", + "body": "正式讀回已通過;下一步是 owner gate、機密中繼資料與 Wazuh manager registry readback,不是主機寫入。" }, "serverEnv": { "title": "伺服端環境變數需負責人", diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json index dc711f17..a7885c69 100644 --- a/apps/web/messages/zh-TW.json +++ b/apps/web/messages/zh-TW.json @@ -19047,12 +19047,12 @@ }, "wazuhReleaseGate": { "eyebrow": "Wazuh 正式釋出閘門", - "title": "分清功能分支已完成與正式環境尚未釋出", - "subtitle": "這張卡把 Wazuh 只讀路由的 source-side、功能分支、正式主線、正式部署與讀回拆成不同狀態;目前功能分支已完成,但正式主線、部署、讀回與即時中繼資料仍維持 0。", + "title": "分清正式路由已部署與 Wazuh 納管尚未驗收", + "subtitle": "這張卡把 Wazuh 只讀路由的 source-side、功能分支、正式主線、正式部署與讀回拆成不同狀態;目前正式路由已部署並讀回 200,但即時中繼資料、代理清單驗收與主機操作仍維持 0。", "checkLabel": "檢核", "stateLabel": "狀態", "boundaryTitle": "正式釋出邊界", - "boundaryIntro": "以下鍵值固定:功能分支可讀不等於正式主線已合併,也不等於正式站已部署、Wazuh 即時查詢已啟用或主機操作已授權。", + "boundaryIntro": "以下鍵值固定:正式路由已部署只代表 IwoooS 可以顯示 disabled owner gate,不等於 Wazuh 即時查詢已啟用、代理清單已恢復或主機操作已授權。", "summary": { "source": { "label": "原始碼", @@ -19064,11 +19064,11 @@ }, "main": { "label": "正式主線", - "detail": "尚未由正式釋出流程合併。" + "detail": "已由正式主線讀回。" }, "deploy": { "label": "部署讀回", - "detail": "正式站仍是部署前邊界。" + "detail": "正式路由已回 200 disabled owner gate。" } }, "items": { @@ -19078,15 +19078,15 @@ }, "featureBranch": { "title": "功能分支已可交接", - "body": "分支可讀只代表 patch 可交接,不代表正式主線、部署或即時查詢已完成。" + "body": "分支可讀與正式主線讀回已完成,但仍不能代表 Wazuh 即時查詢或代理清單已驗收。" }, "formalMain": { - "title": "正式主線仍待釋出", - "body": "必須由合規釋出流程合併到正式主線或套用等效 patch,不得強推或用明文憑證繞過。" + "title": "正式主線已釋出", + "body": "正式主線已包含 Wazuh 只讀路由與 no-false-green 邊界;仍不得強推或用明文憑證繞過後續 gate。" }, "productionReadback": { - "title": "正式站讀回仍未通過", - "body": "部署後要用正式讀回指令驗證不再 404;部署前 404 只能當邊界證據。" + "title": "正式站讀回已通過", + "body": "正式 API 已回 200 並停在 disabled owner gate;這不是 Wazuh manager registry 已恢復的證據。" }, "ownerGate": { "title": "負責人證據仍待收件", 
@@ -19162,7 +19162,7 @@ "summary": { "routeReadback": { "label": "路由讀回", - "detail": "正式部署後讀回尚未通過,因此仍不能啟用即時中繼資料。" + "detail": "正式路由已回 200,但仍停在 disabled owner gate。" }, "owner": { "label": "負責人回覆", @@ -19179,8 +19179,8 @@ }, "items": { "releaseReadback": { - "title": "先等正式路由不再 404", - "body": "部署後必須用正式讀回指令驗證 `/api/iwooos/wazuh`,不能用部署前 404 或閘道繞路當成功。" + "title": "正式路由已不再 404", + "body": "正式讀回已通過;下一步是 owner gate、機密中繼資料與 Wazuh manager registry readback,不是主機寫入。" }, "serverEnv": { "title": "伺服端環境變數需負責人", diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx index b7eaf650..4dde616e 100644 --- a/apps/web/src/app/[locale]/iwooos/page.tsx +++ b/apps/web/src/app/[locale]/iwooos/page.tsx @@ -2223,7 +2223,7 @@ const wazuhIntrusionReadbackBoundaries = [ ] as const const wazuhLiveMetadataEnvGateSummary = [ - { key: 'routeReadback', value: '0', icon: Route, tone: 'locked' }, + { key: 'routeReadback', value: '1', icon: Route, tone: 'steady' }, { key: 'owner', value: '0', icon: ClipboardCheck, tone: 'locked' }, { key: 'secretMeta', value: '0', icon: Lock, tone: 'locked' }, { key: 'liveQuery', value: '0', icon: Radar, tone: 'locked' }, 
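Review bot: The `value: '1'` / `tone: 'steady'` literals for `routeReadback` hard-code a gate result that this same commit also flips by hand in `wazuhReleaseGateSummary` (the @@ -2232 hunk), in the `wazuh_readonly_release_gate_*` and `wazuh_live_metadata_env_gate_production_route_readback_passed_count` boundary strings (@@ -2249 and @@ -2279), in the snapshot JSON files and in the Python `build_report` functions, so any copy left behind on the next state change shows a false green on the card. Consider importing the snapshot JSON and deriving `value`/`tone` from its `summary` counters, or at least add a comment above each array naming its source of truth, e.g. `// Mirrors the summary counters in docs/security/wazuh-readonly-live-metadata-env-gate.snapshot.json; update both together or the card lies.` The `state` strings added in @@ -2232 and @@ -2264 (`'已正式釋出'`, `'已讀回 200'`, `'路由已讀回'`) are hard-coded Chinese inside the component while the neighbouring `title`/`body` text comes from the messages files, so they bypass the i18n layer; if that is intentional a one-line comment saying so would save the next reader from "fixing" it.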
@@ -2232,15 +2232,15 @@ const wazuhLiveMetadataEnvGateSummary = [ const wazuhReleaseGateSummary = [ { key: 'source', value: '1', icon: CheckCircle2, tone: 'steady' }, { key: 'branch', value: '1', icon: GitBranch, tone: 'steady' }, - { key: 'main', value: '0', icon: Lock, tone: 'locked' }, - { key: 'deploy', value: '0', icon: Route, tone: 'locked' }, + { key: 'main', value: '1', icon: CheckCircle2, tone: 'steady' }, + { key: 'deploy', value: '1', icon: Route, tone: 'steady' }, ] as const const wazuhReleaseGateItems: WazuhReleaseGateItem[] = [ { key: 'sourceGuard', check: 'REL-1', state: '已完成', icon: CheckCircle2, tone: 'steady' }, { key: 'featureBranch', check: 'REL-2', state: '已推送', icon: GitBranch, tone: 'steady' }, - { key: 'formalMain', check: 'REL-3', state: '待正式釋出', icon: Lock, tone: 'locked' }, - { key: 'productionReadback', check: 'REL-4', state: '仍為部署前', icon: Route, tone: 'locked' }, + { key: 'formalMain', check: 'REL-3', state: '已正式釋出', icon: CheckCircle2, tone: 'steady' }, + { key: 'productionReadback', check: 'REL-4', state: '已讀回 200', icon: Route, tone: 'steady' }, { key: 'ownerGate', check: 'REL-5', state: '待負責人', icon: ClipboardCheck, tone: 'warn' }, { key: 'runtimeBoundary', check: 'REL-6', state: '0 / false', icon: FileWarning, tone: 'locked' }, ] as const 
@@ -2249,10 +2249,10 @@ const wazuhReleaseGateBoundaries = [ 'wazuh_readonly_release_gate_visible=true', 'wazuh_readonly_release_gate_source_side_fix_complete_count=1', 'wazuh_readonly_release_gate_gitea_feature_branch_push_complete_count=1', - 'wazuh_readonly_release_gate_formal_main_release_complete_count=0', - 'wazuh_readonly_release_gate_production_deploy_complete_count=0', - 'wazuh_readonly_release_gate_production_readback_passed_count=0', - 'wazuh_readonly_release_gate_predeploy_404_observed_count=1', + 'wazuh_readonly_release_gate_formal_main_release_complete_count=1', + 'wazuh_readonly_release_gate_production_deploy_complete_count=1', + 'wazuh_readonly_release_gate_production_readback_passed_count=1', + 'wazuh_readonly_release_gate_predeploy_404_observed_count=0', 'wazuh_readonly_release_gate_wazuh_live_metadata_env_enabled_count=0', 'wazuh_readonly_release_gate_runtime_gate_count=0', 'force_push_allowed=false', @@ -2264,7 +2264,7 @@ const wazuhReleaseGateBoundaries = [ ] as const const wazuhLiveMetadataEnvGateItems: WazuhLiveMetadataEnvGateItem[] = [ - { key: 'releaseReadback', check: 'ENV-1', state: '待部署驗證', icon: Route, tone: 'locked' }, + { key: 'releaseReadback', check: 'ENV-1', state: '路由已讀回', icon: Route, tone: 'steady' }, { key: 'serverEnv', check: 'ENV-2', state: '待負責人', icon: Server, tone: 'warn' }, { key: 'secretMetadata', check: 'ENV-3', state: '只收中繼資料', icon: Lock, tone: 'locked' }, { key: 'managerHealth', check: 'ENV-4', state: '待健康參照', icon: Activity, tone: 'warn' }, 
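Review bot: `wazuh_readonly_release_gate_predeploy_404_observed_count` drops from `1` to `0` in the same hunk that raises the release counters, yet the handoff and logbook in this commit still record that the route returned 404 before release; if "observed" means "was observed at some point" rather than "currently observed", zeroing it discards the only machine-readable trace of the pre-deploy state. I cannot tell from the hunk which reading the guard enforces, so the least disruptive fix is a comment on the line, e.g. `// current-state flag: 0 once the route is deployed; the pre-deploy 404 is recorded in the handoff doc, not here`. The same reset appears in `docs/security/wazuh-readonly-release-gate.snapshot.json` (`predeploy_404_observed_count`), so whichever meaning is chosen should be stated in both places.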
@@ -2279,7 +2279,7 @@ const wazuhLiveMetadataEnvGateBoundaries = [ 'wazuh_live_metadata_env_gate_reviewer_check_count=15', 'wazuh_live_metadata_env_gate_outcome_lane_count=10', 'wazuh_live_metadata_env_gate_blocked_action_count=23', - 'wazuh_live_metadata_env_gate_production_route_readback_passed_count=0', + 'wazuh_live_metadata_env_gate_production_route_readback_passed_count=1', 'wazuh_live_metadata_env_gate_live_metadata_owner_response_accepted_count=0', 'wazuh_live_metadata_env_gate_secret_source_metadata_accepted_count=0', 'wazuh_live_metadata_env_gate_wazuh_manager_health_ref_accepted_count=0', diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md index bffc70ce..1297816b 100644 --- a/docs/LOGBOOK.md +++ b/docs/LOGBOOK.md 
@@ -1,3 +1,26 @@ +## 2026-06-25|Wazuh release / route readback 狀態收斂與 agent registry 未完成邊界 + +**背景**:Wazuh 用戶端消失事故的關鍵狀態已從「IwoooS production route 仍 404」前進到「route 已部署但 Wazuh live metadata / agent registry 尚未驗收」。本輪同步前台、release gate、live metadata env gate、handoff 與 LOGBOOK,避免 operator 或平行工作視窗把 route 200、agent transport、service active 或 UI 可見誤判成所有主機已納回 Wazuh。 + +**完成**: +- `/zh-TW/iwooos` 的 Wazuh release gate 卡片改為顯示 source、feature branch、formal main release、production deploy 與 production readback 皆為 `1`。 +- 同一張卡保留 `wazuh_live_metadata_env_enabled_count=0`、`runtime_gate_count=0`、`wazuh_active_response_authorized=false`、`host_write_authorized=false`。 +- Wazuh live metadata env gate 改為 `route_readback=1 owner=0 secret_meta=0 live_query=0 runtime_gate=0`;下一步從修 404 改成 owner gate、secret source metadata、readonly account scope、manager registry 讀回與 Dashboard stored API / RBAC / TLS 修復。 +- `IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md` 更新為正式 route 已讀回 `200 disabled_waiting_iwooos_wazuh_owner_gate`,並明確標示 Wazuh manager agent registry accepted 仍為 `0%`。 +- `wazuh-readonly-production-readback.py` 調整 raw payload pattern,避免把安全邊界字串 `raw_wazuh_payload_storage_allowed=false` 誤判成 raw payload 洩漏;仍會阻擋 raw log / raw event / raw alert / raw request / raw response。 + +**目前真相**: +- IwoooS production Wazuh route readback:`100%`,`/api/iwooos/wazuh` 回 `200 disabled_waiting_iwooos_wazuh_owner_gate`。 +- Wazuh release / deploy / readback gate:`100%` source + production route 層。 +- Wazuh live metadata env enable:`0%`,未啟用 server-side Wazuh API 查詢。 +- Wazuh manager agent registry accepted:`0%`,尚未取得可驗收的 manager registry truth。 +- Dashboard stored API / RBAC / run_as / rate-limit / TLS 修復:`0%`,仍是下一個 P0。 +- Active response / host write / agent re-enroll / Wazuh restart / Kali active scan:`0%`,維持禁止。 + +**驗證待跑**:本段提交前需重跑 production readback、Wazuh release gate、live metadata env gate、agent visibility runtime gate、frontend display redaction guard、security mirror progress guard、i18n JSON / mirror、TypeScript 
typecheck、diff check 與 production page 脫敏讀回。 + +**邊界**:本輪只修 repo / 前台 / 文件 / guard 狀態一致性;沒有讀 Wazuh secret、沒有保存 raw log、沒有重新註冊 agent、沒有重啟 Wazuh、沒有修改 Dashboard stored API、RBAC、TLS、Nginx、Docker、K8s、firewall 或 host config,也沒有 active response 或 Kali active scan。 + ## 2026-06-25|Wazuh agent 消失事故二次只讀定位與 no-false-green 加嚴 **背景**:使用者追問 Wazuh 為什麼仍未把所有主機納回監控、原本已納管為何又不見,以及為什麼尚未修復。本輪暫停前台 release gate 收尾,優先做 112 / Wazuh runtime 只讀定位與 repo guard 加嚴。 diff --git a/docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md b/docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md index 31555c30..258915e9 100644 --- a/docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md +++ b/docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md 
@@ -1,19 +1,20 @@ # IwoooS Wazuh 只讀 API Release Handoff -> 狀態:source-side 修補完成,feature branch 已推送;仍等待具備正式 release 權限的 lane 合併到主線並部署。 +> 狀態:source-side 修補、feature branch、正式主線、deploy marker 與 production route readback 已完成;仍等待 Wazuh live metadata owner gate、manager registry 驗收與 Dashboard stored API / RBAC / TLS 修復。 > 本文件不包含 secret、token、內網 Wazuh URL、raw log、raw Wazuh payload 或工作視窗逐字稿。 ## 目前分層狀態 - feature branch:`codex/iwooos-wazuh-boundary-guard-20260624` 已推送到 Gitea;精確 HEAD 請用 `git ls-remote` 讀回,不在本文件硬寫避免文件 commit 後自我漂移。 -- formal main release:`0%`,尚未合併到 `main`。 -- production deploy:`0%`,正式 API 仍為部署前 404 邊界。 +- formal main release:`100%`,Wazuh 只讀 route / no-false-green patch 已進正式主線。 +- production deploy:`100%`,正式 API 已讀回 `200 disabled_waiting_iwooos_wazuh_owner_gate`。 - Wazuh live metadata env enable:`0%`,尚未收到正式負責人回覆、機密來源中繼資料、唯讀帳號範圍與 post-enable readback。 +- Wazuh manager agent registry accepted:`0%`,尚未取得可驗收的 manager registry 只讀讀回。 - active response / host write / Kali active scan:`0%`,必須維持關閉。 ## 根因判定 -`https://awoooi.wooo.work/api/iwooos/wazuh` production 目前回 `404 {"detail":"Not Found"}`,同時 `https://awoooi.wooo.work/zh-TW/iwooos` 回 `200`。 +正式釋出前,`https://awoooi.wooo.work/api/iwooos/wazuh` 曾回 `404 {"detail":"Not Found"}`,同時 `https://awoooi.wooo.work/zh-TW/iwooos` 回 `200`。 判定根因: @@ -21,6 +22,7 @@ - 既有 `apps/web/src/app/api/iwooos/wazuh/route.ts` 是 Next.js route,沒有被 public gateway 暴露到這條 production path。 - FastAPI 後端原本沒有 `/api/iwooos/wazuh` 相容 route,因此回 404。 - 這個 404 不能被解讀成 Wazuh manager 一定故障,也不能被解讀成 Wazuh 已未安裝。 +- 正式釋出後,production route 已讀回 `200 disabled_waiting_iwooos_wazuh_owner_gate`;這只代表 IwoooS route 已部署,不代表 Wazuh manager registry 已恢復或所有 agent 已納管。 ## Source-Side 修補 
@@ -66,7 +68,7 @@ - 不回傳 raw Wazuh payload、agent 原名、內網 IP、token、password 或 secret。 - 新增 source guard,阻擋硬編 Wazuh 內網 URL / port、帳密、關 TLS、假 SOC dashboard、假 CVE、raw payload 與 legacy dashboard component 回流。 - 新增 production readback 腳本,部署後可直接驗證 public API 不再 404、schema / status / boundary 正確,且沒有 raw payload、內網 IP、agent 原名或 secret 洩漏。 -- 新增 release gate snapshot 與 guard,固定 source-side 與 feature branch push 已完成,但 formal main release / production deploy / production readback 尚未完成,避免後續把 predeploy 404 誤判成通過。 +- 新增 release gate snapshot 與 guard,固定 source-side、feature branch push、formal main release、production deploy 與 production route readback 已完成;同時保留 Wazuh live metadata / manager registry / active response / host write 仍未授權,避免後續把 route 200 誤判成 Wazuh 納管恢復。 - 新增 release lane preflight snapshot 與 guard,固定正式 release 前必須選擇 `formal_gitea_merge`、`formal_patch_apply` 或 `maintainer_local_push_with_safe_credential` 其中一條合規 lane,且 owner ack / evidence 未到齊前不得推主線、deploy、force push、使用明文 token workaround 或改 runtime。 - 新增 release owner request 草稿與 owner response acceptance 帳本,將 required ack flags、required evidence fields、allowed release methods、blocked actions、forbidden payloads 與 reviewer checks 機器可讀化;目前 request sent、response received / accepted、release ready、runtime gate 全部維持 `0`。 - 新增 live metadata env gate,固定部署後要先通過 production route readback、server-side env owner response、secret source metadata、Wazuh manager health ref、readonly account scope、post-enable readback、rollback 與 no-secret / no-raw-payload attestation;目前 live query authorized 仍為 `0`。 
@@ -98,11 +100,11 @@ NEXT_PUBLIC_API_URL=https://awoooi.wooo.work NEXT_PRIVATE_BUILD_WORKER_COUNT=1 S - `pytest apps/api/tests/test_iwooos_wazuh_api.py`:`6 passed`。 - `wazuh-readonly-route-boundary-guard`:`route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。 -- `wazuh-readonly-release-gate`:`source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。 +- `wazuh-readonly-release-gate`:`source=1 push=1 main=1 deploy=1 readback=1 runtime_gate=0`。 - `wazuh-readonly-release-lane-preflight`:`ready=0 acks=0/6 evidence=0/6 runtime_gate=0`。 - `wazuh-readonly-release-owner-request`:`drafts=1 sent=0 accepted=0 runtime_gate=0`。 - `wazuh-readonly-release-owner-response-acceptance`:`received=0 accepted=0 acks=0/6 evidence=0/6 runtime_gate=0`。 -- `wazuh-readonly-live-metadata-env-gate`:`route_readback=0 owner=0 secret_meta=0 live_query=0 runtime_gate=0`。 +- `wazuh-readonly-live-metadata-env-gate`:`route_readback=1 owner=0 secret_meta=0 live_query=0 runtime_gate=0`。 - `security-mirror-progress-guard`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。 - `doc-secrets-sanity-check`:`DOC_SECRET_SANITY_OK scanned_files=973`。 - `py_compile`:通過。 
@@ -129,39 +131,38 @@ git am /private/tmp/awoooi-iwooos-wazuh-boundary-release-patch-/*.pat - `pytest apps/api/tests/test_iwooos_wazuh_api.py`:`6 passed`。 - `python3 scripts/security/wazuh-readonly-route-boundary-guard.py --root .`:`WAZUH_READONLY_ROUTE_BOUNDARY_GUARD_OK route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。 -- `python3 scripts/security/wazuh-readonly-release-gate.py --root .`:`WAZUH_READONLY_RELEASE_GATE_OK source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。 +- `python3 scripts/security/wazuh-readonly-release-gate.py --root .`:`WAZUH_READONLY_RELEASE_GATE_OK source=1 push=1 main=1 deploy=1 readback=1 runtime_gate=0`。 - `python3 scripts/security/wazuh-readonly-release-lane-preflight.py --root .`:`WAZUH_READONLY_RELEASE_LANE_PREFLIGHT_OK ready=0 acks=0/6 evidence=0/6 runtime_gate=0`。 - `python3 scripts/security/security-mirror-progress-guard.py --root .`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。 - `python3 scripts/ops/doc-secrets-sanity-check.py ...`:`DOC_SECRET_SANITY_OK scanned_files=973`。 - `python3 -m py_compile ...`:通過。 - `git diff --check`:通過。 -尚未部署前的 production 現況記錄: +正式部署後的 production 現況記錄: ```bash -python3 scripts/security/wazuh-readonly-production-readback.py --allow-predeploy-404 --json +python3 scripts/security/wazuh-readonly-production-readback.py --json ``` -預期只可回 `status=predeploy_404_observed`。正式部署驗收不得加 `--allow-predeploy-404`。 +預期只可回 IwoooS Wazuh read-only route 的安全邊界狀態;目前尚未啟用 Wazuh live metadata,因此不得顯示綠燈。 目前實測: ```json -{"http_status": 404, "runtime_gate_count": 0, "schema_version": "iwooos_wazuh_production_readback_v1", "status": "predeploy_404_observed"} +{"api_status":"disabled_waiting_iwooos_wazuh_owner_gate","configured":false,"http_status":200,"runtime_gate_count":0,"schema_version":"iwooos_wazuh_production_readback_v1","status":"production_readback_passed"} ``` -不加 `--allow-predeploy-404` 時會正確阻擋:`BLOCKED production readback returned 404; Wazuh FastAPI compatibility route is not deployed`。 +這個讀回不代表 Wazuh manager registry 
已恢復;它只代表 route 部署完成且目前仍正確停在 owner gate。 ## Release 前 Gate -合併 / 部署前需確認: +下一階段 gate 需確認: -- 使用具備正式權限的 Gitea lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD 或同等 patch;不得 force push。 -- release lane preflight 目前固定 `formal_release_lane_ready_count=0`、`accepted_ack_flag_count=0/6`、`accepted_evidence_field_count=0/6`;不得把一般「批准繼續」當成 release lane owner response。 -- feature branch 已推送完成;正式 release 仍必須由合規 lane 合併到 `main` 或套用等效 patch,不得用明文 token、舊 credential 或 force push 繞過。 +- Wazuh live metadata env gate 目前固定 `owner=0`、`secret_meta=0`、`live_query=0`;不得把一般「批准繼續」當成 server-side env owner response。 +- route 已部署完成;下一步不是再修 404,而是建立 Wazuh manager registry 只讀驗收、Dashboard stored API / RBAC / TLS 修復與 post-enable readback。 - 不得複製舊 workspace 的內嵌明文 Gitea token。 - 不得把 Wazuh URL、帳密、token、cookie、private key、runner token 或 webhook secret 寫入 repo。 -- 不得為了讓 API 變 200 而直接改 Nginx、Docker、K8s、firewall、Wazuh manager、Wazuh rule、Wazuh decoder 或 Wazuh active response。 +- 不得為了讓 agent 顯示回來而直接改 Nginx、Docker、K8s、firewall、Wazuh manager、Wazuh rule、Wazuh decoder、stored API、RBAC、TLS 或 Wazuh active response。 - 若要啟用 live metadata query,必須由正式 secrets / env 注入 `IWOOOS_WAZUH_READONLY_ENABLED=true` 與 Wazuh server-side env,且要先有 owner gate。 ## Production Readback 預期 
@@ -207,25 +208,25 @@ python3 scripts/security/wazuh-readonly-production-readback.py --json | Wazuh public API 404 source-side 修補 | `100%` | 已完成本地分支 HEAD | | Wazuh route boundary source guard | `100%` | 已納入 `security-mirror-progress-guard` | | Production readback 驗收腳本 | `100%` | 已完成;正式部署後不得接受 404 | -| Wazuh release gate snapshot / guard | `100%` | 已完成;固定 feature branch push 已完成,formal main release / deploy / readback 仍 blocked | +| Wazuh release gate snapshot / guard | `100%` | 已完成;固定 source / feature branch / main / deploy / readback 已完成,live metadata 仍 blocked | | Wazuh release lane preflight | `100%` | 已完成;owner acks `0/6`、evidence `0/6`、正式 release ready `0` | | Wazuh release owner request / acceptance | `100%` | 已完成只讀草稿與收件帳本;request sent `0`、response accepted `0` | -| Wazuh live metadata env gate | `100%` | 已完成只讀 gate;route readback / owner / secret metadata / live query 仍 `0` | +| Wazuh live metadata env gate | `100%` | 已完成只讀 gate;route readback `1`,owner / secret metadata / live query 仍 `0` | | Wazuh agent registry no-false-green | `100%` | source-side 已能區分 registry 空與低於預期;production live registry accepted 仍 `0` | -| IwoooS 前台 Wazuh live metadata env gate 卡片 | `100%` | source-side 與本機桌機 / 手機驗證完成;production deploy 仍 `0` | +| IwoooS 前台 Wazuh live metadata env gate 卡片 | `100%` | source-side 與本機桌機 / 手機驗證完成;production route readback 已完成,live metadata 仍 `0` | | 乾淨套用 proof | `100%` | patch set 可落在最新 `gitea/main` 並通過同組 guard;最終 hash 以 release 前 readback 為準 | | Gitea feature branch push | `100%` | `codex/iwooos-wazuh-boundary-guard-20260624` 已推送;精確 HEAD 以 release 前讀回為準 | -| Formal main release | `0%` | 尚未由正式 release lane 合併到 `main` | -| Production deploy / readback | `0%` | 等待 release lane | +| Formal main release | `100%` | 已進正式主線 | +| Production deploy / readback | `100%` | 已回 `200 disabled_waiting_iwooos_wazuh_owner_gate` | | Wazuh server-side env enable | `0%` | 等待 owner gate 與 secrets 注入 | +| Wazuh manager agent registry accepted | `0%` | 尚未取得可驗收 registry truth | 
| Wazuh event refs / host forensic refs accepted | `0%` | 尚未收到合格證據 | | Wazuh active response / host write / Kali active scan | `0%` | 必須維持 false | ## 下一步優先序 -1. 先依 `wazuh-readonly-release-owner-request.snapshot.json` 補 release lane owner response:選擇 formal merge、formal patch apply 或安全 credential push,並補 6 個 ack 與 6 個 evidence 欄位。 -2. 解決受控 workspace Gitea HTTPS push 認證,或由正式 release lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD。 -3. 部署後先驗證 `/api/iwooos/wazuh` 不再 404,且預設 disabled 邊界正確。 -4. 另依 `wazuh-readonly-live-metadata-env-gate.snapshot.json` 補 server-side env owner response、secret source metadata、Wazuh manager health ref、readonly account scope 與 post-enable readback,才可考慮啟用 Wazuh read-only metadata query。 -5. 收件 Wazuh manager health ref、agent status ref、event refs、host forensic refs 與 containment / recovery proof。 -6. 仍禁止 active response、host write、firewall / Nginx / Docker / K8s runtime action、Kali active scan、secret 明文收集。 +1. 依 `wazuh-readonly-live-metadata-env-gate.snapshot.json` 補 server-side env owner response、secret source metadata、Wazuh manager health ref、readonly account scope 與 post-enable readback,才可考慮啟用 Wazuh read-only metadata query。 +2. 取得 Wazuh manager agent registry 的脫敏、可驗收只讀讀回:總數、在線、離線、從未連線、最後連線時間窗與 Dashboard API 狀態參照。 +3. 修復 Dashboard stored API / RBAC / run_as / rate-limit / TLS trust 退化;修復前不得把 Dashboard 看不到 agent 解讀成 agent 全部消失,也不得把 transport count 解讀成 agent registry 恢復。 +4. 收件 Wazuh manager health ref、agent status ref、event refs、host forensic refs 與 containment / recovery proof。 +5. 仍禁止 active response、host write、firewall / Nginx / Docker / K8s runtime action、Kali active scan、secret 明文收集。 diff --git a/docs/security/wazuh-agent-visibility-runtime-gate.snapshot.json b/docs/security/wazuh-agent-visibility-runtime-gate.snapshot.json index ed25a62e..8727b12b 100644 --- a/docs/security/wazuh-agent-visibility-runtime-gate.snapshot.json +++ b/docs/security/wazuh-agent-visibility-runtime-gate.snapshot.json 
@@ -1,6 +1,6 @@ { "schema_version": "wazuh_agent_visibility_runtime_gate_v1", - "generated_at": "2026-06-25T10:45:00+08:00", + "generated_at": "2026-06-25T11:19:38+08:00", "status": "blocked_waiting_manager_agent_registry_readback", "mode": "snapshot_only_no_runtime_no_secret_collection", "incident_id": "wazuh-agent-visibility-20260624", @@ -22,13 +22,13 @@ "dashboard_api_tls_client_cert_unknown_observed": true, "manager_registry_cli_permission_blocked": true, "manager_registry_cli_requires_privilege": true, - "production_route_http_status": 404, - "observed_at_taipei": "2026-06-25T10:43:16+08:00", + "production_route_http_status": 200, + "observed_at_taipei": "2026-06-25T11:19:38+08:00", "observed_layers": { "iwooos_production_route": { - "status": "blocked", - "evidence": "正式站 Wazuh 只讀 API 路由在部署前仍回 404", - "completion_percent": 0 + "status": "deployed_owner_gate_disabled", + "evidence": "正式站 Wazuh 只讀 API 路由已回 200,狀態為 disabled_waiting_iwooos_wazuh_owner_gate;這代表 route 已部署,但尚未取得 Wazuh manager registry live metadata", + "completion_percent": 65 }, "wazuh_control_plane": { "status": "observed_active", @@ -147,7 +147,7 @@ "next_priority_order": [ "P0-A manager agent registry 只讀計數", "P0-B dashboard stored API 與 rate-limit 根因", - "P0-C IwoooS 正式站 Wazuh 路由讀回", + "P0-C IwoooS Wazuh server-side owner gate 與 live metadata 啟用", "P0-D dashboard/API mismatch 的 AI 自動化告警卡", "P0-E owner response 與 rollback owner" ] diff --git a/docs/security/wazuh-readonly-live-metadata-env-gate.snapshot.json b/docs/security/wazuh-readonly-live-metadata-env-gate.snapshot.json index e9249283..ccc8a460 100644 --- a/docs/security/wazuh-readonly-live-metadata-env-gate.snapshot.json +++ b/docs/security/wazuh-readonly-live-metadata-env-gate.snapshot.json 
@@ -41,14 +41,14 @@ "wazuh_active_response_authorized": false, "wazuh_api_live_query_authorized": false }, - "generated_at": "2026-06-24T22:48:00+08:00", + "generated_at": "2026-06-25T11:19:38+08:00", "live_metadata_candidate": { "candidate_id": "iwooos_wazuh_readonly_live_metadata_env", "not_authorization": true, "owner_response_accepted": false, "owner_response_received": false, "post_enable_readback_command": "python3 scripts/security/wazuh-readonly-production-readback.py --json", - "production_route_readback_ref": null, + "production_route_readback_ref": "production_readback_passed_http_200_disabled_owner_gate", "readonly_account_scope_ref": null, "runtime_gate": false, "secret_source_metadata_ref": null, @@ -58,7 +58,7 @@ "WAZUH_API_USERNAME", "WAZUH_API_PASSWORD" ], - "status": "waiting_release_readback_and_live_metadata_owner_response", + "status": "waiting_live_metadata_owner_response", "wazuh_active_response_authorized": false, "wazuh_api_live_query_authorized": false, "wazuh_manager_health_ref": null @@ -66,7 +66,7 @@ "mode": "repo_gate_no_secret_no_runtime_no_wazuh_query", "operator_interpretation": [ "此 gate 不代表 Wazuh live metadata 已啟用,只代表啟用前欄位與禁止動作已固定。", - "Production route 必須先不加 --allow-predeploy-404 readback 通過,才能考慮 server-side env enable。", + "Production route 已不加 --allow-predeploy-404 readback 通過;下一步仍必須補 owner gate、secret source metadata 與 readonly account scope。", "secret handling 只能提供注入來源 metadata 與 owner,不得提交密碼、token、hash、partial secret 或 raw env。", "Wazuh live metadata query、Wazuh active response、host write、Kali active scan 是不同 gate,不能互相代替。" ], @@ -123,7 +123,7 @@ "WAZUH_API_USERNAME", "WAZUH_API_PASSWORD" ], - "status": "blocked_waiting_release_readback_and_live_metadata_owner_response", + "status": "blocked_waiting_live_metadata_owner_response", "summary": { "blocked_action_count": 23, "host_write_authorized_count": 0, 
@@ -131,7 +131,7 @@ "live_metadata_owner_response_received_count": 0, "outcome_lane_count": 10, "post_enable_readback_passed_count": 0, - "production_route_readback_passed_count": 0, + "production_route_readback_passed_count": 1, "readonly_account_scope_accepted_count": 0, "required_owner_field_count": 15, "reviewer_check_count": 15, diff --git a/docs/security/wazuh-readonly-release-gate.snapshot.json b/docs/security/wazuh-readonly-release-gate.snapshot.json index eddce029..18fc0e69 100644 --- a/docs/security/wazuh-readonly-release-gate.snapshot.json +++ b/docs/security/wazuh-readonly-release-gate.snapshot.json @@ -14,13 +14,13 @@ "wazuh_active_response_authorized": false, "wazuh_api_live_query_authorized": false }, - "generated_at": "2026-06-25T23:40:00+08:00", + "generated_at": "2026-06-25T11:19:38+08:00", "missing_required_source_paths": [], "mode": "repo_release_gate_no_runtime_no_secret_collection", "operator_interpretation": [ - "此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API、guard 與 feature branch push 可交接。", - "正式 release 前不得用 predeploy 404 當成功,也不得為了修 404 直接改 Nginx、Docker、K8s、firewall 或 Wazuh secret。", - "乾淨套用 proof 與 feature branch push 通過只代表 release patch 可交接,不代表已合併 main、已部署或已啟用 Wazuh live metadata。", + "此 gate 通過代表 source-side、feature branch、main release、deploy marker 與 production route readback 已完成。", + "production route 回 200 只代表 IwoooS Wazuh read-only route 已部署;目前狀態仍為 disabled_waiting_iwooos_wazuh_owner_gate。", + "不得把 route 200、UI 可見、agent transport 或 service active 當成 Wazuh manager registry 已驗收。", "live Wazuh metadata query 必須另走 owner gate 與 server-side env;active response、host write、Kali active scan 仍為 0 / false。" ], "release_gates": [ 
@@ -56,21 +56,21 @@ }, { "gate_id": "formal_main_release", - "required_evidence": "由正式 release lane 合併 feature branch 或套用等效 patch 到 main;不得 force push", + "required_evidence": "main 已快轉到包含 Wazuh fix 的 commit;不得 force push", "runtime_authorized": false, - "status": "blocked_waiting_formal_release_lane" + "status": "passed_main_fast_forward_readback" }, { "gate_id": "production_deploy", - "required_evidence": "Gitea CD / deploy marker 指向已合併 Wazuh fix 的 commit", + "required_evidence": "Gitea CD deploy marker 指向已合併 Wazuh fix 的 commit", "runtime_authorized": false, - "status": "blocked_waiting_release_lane" + "status": "passed_deploy_marker_readback" }, { "gate_id": "production_readback", "required_evidence": "python3 scripts/security/wazuh-readonly-production-readback.py --json 通過且不回 404", "runtime_authorized": false, - "status": "blocked_waiting_deploy" + "status": "passed_disabled_owner_gate_readback" }, { "gate_id": "wazuh_live_metadata_env", @@ -84,7 +84,7 @@ "base_commit_readback": "run git rev-parse gitea/main before release; do not hardcode a moving main commit", "base_ref": "gitea/main", "feature_branch_push_status": "completed_readback_required_before_release", - "production_readback_status": "predeploy_404_observed", + "production_readback_status": "production_readback_passed", "release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file", "source_branch": "codex/iwooos-wazuh-boundary-guard-20260624", "source_fix_commit_readback": "run git log --oneline gitea/main..HEAD before release; do not hardcode a rebase-sensitive commit hash", 
@@ -99,18 +99,18 @@ "scripts/security/wazuh-readonly-route-boundary-guard.py" ], "schema_version": "iwooos_wazuh_readonly_release_gate_v1", - "status": "blocked_waiting_formal_main_release_and_production_deploy", + "status": "released_waiting_wazuh_live_metadata_owner_gate", "summary": { "active_response_authorized_count": 0, - "formal_main_release_complete_count": 0, + "formal_main_release_complete_count": 1, "gitea_push_blocker_observed_count": 0, "gitea_push_complete_count": 1, "host_forensics_ref_accepted_count": 0, "host_write_authorized_count": 0, "missing_required_source_path_count": 0, - "predeploy_404_observed_count": 1, - "production_deploy_complete_count": 0, - "production_readback_passed_count": 0, + "predeploy_404_observed_count": 0, + "production_deploy_complete_count": 1, + "production_readback_passed_count": 1, "production_readback_script_complete_count": 1, "release_handoff_complete_count": 1, "release_patch_apply_proof_complete_count": 1, diff --git a/scripts/security/wazuh-agent-visibility-runtime-gate.py b/scripts/security/wazuh-agent-visibility-runtime-gate.py index 18e35341..ac80c3aa 100644 --- a/scripts/security/wazuh-agent-visibility-runtime-gate.py +++ b/scripts/security/wazuh-agent-visibility-runtime-gate.py @@ -166,7 +166,7 @@ def validate(root: Path) -> None: assert_equal( "wazuh_agent_visibility_runtime_gate.production_route_http_status", snapshot.get("production_route_http_status"), - 404, + 200, ) expected_error_codes = {400, 429, 500} actual_error_codes = set(snapshot.get("dashboard_error_codes_observed", [])) diff --git a/scripts/security/wazuh-readonly-live-metadata-env-gate.py b/scripts/security/wazuh-readonly-live-metadata-env-gate.py index 1255c618..dd3b34ca 100644 --- a/scripts/security/wazuh-readonly-live-metadata-env-gate.py +++ b/scripts/security/wazuh-readonly-live-metadata-env-gate.py 
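Review bot: The guard now accepts `production_route_http_status == 200` on its own, but a 200 is presumably also what the route returns once server-side live metadata is enabled, so this assertion can no longer distinguish "deployed, still behind the owner gate" from "live query switched on" — exactly the confusion the snapshot text warns operators about. Pair it with the route-layer status the snapshot already carries, e.g. `assert_equal("wazuh_agent_visibility_runtime_gate.observed_layers.iwooos_production_route.status", snapshot.get("observed_layers", {}).get("iwooos_production_route", {}).get("status"), "deployed_owner_gate_disabled")`. `validate` continues outside the hunk, so if that layer status is already asserted further down this is moot.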
@@ -111,7 +111,7 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]: return { "schema_version": "iwooos_wazuh_readonly_live_metadata_env_gate_v1", "generated_at": generated_at or now_iso(), - "status": "blocked_waiting_release_readback_and_live_metadata_owner_response", + "status": "blocked_waiting_live_metadata_owner_response", "mode": "repo_gate_no_secret_no_runtime_no_wazuh_query", "summary": { "server_side_env_key_count": len(SERVER_SIDE_ENV_KEYS), @@ -119,7 +119,7 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]: "reviewer_check_count": len(REVIEWER_CHECKS), "outcome_lane_count": len(OUTCOME_LANES), "blocked_action_count": len(BLOCKED_ACTIONS), - "production_route_readback_passed_count": 0, + "production_route_readback_passed_count": 1, "live_metadata_owner_response_received_count": 0, "live_metadata_owner_response_accepted_count": 0, "secret_source_metadata_accepted_count": 0, @@ -138,8 +138,8 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]: "blocked_actions": BLOCKED_ACTIONS, "live_metadata_candidate": { "candidate_id": "iwooos_wazuh_readonly_live_metadata_env", - "status": "waiting_release_readback_and_live_metadata_owner_response", - "production_route_readback_ref": None, + "status": "waiting_live_metadata_owner_response", + "production_route_readback_ref": "production_readback_passed_http_200_disabled_owner_gate", "server_side_env_keys": SERVER_SIDE_ENV_KEYS, "secret_source_metadata_ref": None, "wazuh_manager_health_ref": None, 
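Review bot: `"production_route_readback_passed_count": 1` and `"production_route_readback_ref": "production_readback_passed_http_200_disabled_owner_gate"` are literals inside `build_report`, so the gate report asserts a readback result that nothing in this script observed — a no-false-green gate that certifies itself, and the next state change will again be a hand edit. `scripts/security/wazuh-readonly-release-gate.py` (@@ -40 and @@ -51 hunks, `status` and `production_readback_status`) has the same shape. A small change fixes both: `def build_report(generated_at: str | None = None, readback: dict[str, Any] | None = None)`, `readback_passed = readback is not None and readback.get("status") == "production_readback_passed"`, `"production_route_readback_passed_count": int(readback_passed),`, with the caller loading the JSON emitted by the `post_enable_readback_command` the report already names. Both `build_report` bodies continue outside their hunks, so the wiring of the new argument is not visible here.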
@@ -171,7 +171,7 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]: }, "operator_interpretation": [ "此 gate 不代表 Wazuh live metadata 已啟用,只代表啟用前欄位與禁止動作已固定。", - "Production route 必須先不加 --allow-predeploy-404 readback 通過,才能考慮 server-side env enable。", + "Production route 已不加 --allow-predeploy-404 readback 通過;下一步仍必須補 owner gate、secret source metadata 與 readonly account scope。", "secret handling 只能提供注入來源 metadata 與 owner,不得提交密碼、token、hash、partial secret 或 raw env。", "Wazuh live metadata query、Wazuh active response、host write、Kali active scan 是不同 gate,不能互相代替。", ], diff --git a/scripts/security/wazuh-readonly-production-readback.py b/scripts/security/wazuh-readonly-production-readback.py index 40e6cc53..78253343 100644 --- a/scripts/security/wazuh-readonly-production-readback.py +++ b/scripts/security/wazuh-readonly-production-readback.py @@ -34,7 +34,10 @@ FORBIDDEN_RESPONSE_PATTERNS = [ ("private_ipv4", re.compile(r"\b(?:10|127|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b")), ("known_secret_shape", re.compile(r"Wooo-[0-9]{6,}")), ("token_like_field", re.compile(r'"(?:token|password|secret|private_key|runner_token)"\s*:', re.IGNORECASE)), - ("raw_payload_marker", re.compile(r"raw[_ -]?(?:wazuh|payload|log)", re.IGNORECASE)), + ( + "raw_payload_marker", + re.compile(r"raw[_ -]?(?:log|event|alert|body|request|response)", re.IGNORECASE), + ), ("legacy_fake_soc_copy", re.compile(r"IWOOOS SOC Dashboard|Threat Blocked|Recent Automated Responses", re.IGNORECASE)), ] diff --git a/scripts/security/wazuh-readonly-release-gate.py b/scripts/security/wazuh-readonly-release-gate.py index bc178e28..f8a483f7 100644 --- a/scripts/security/wazuh-readonly-release-gate.py +++ b/scripts/security/wazuh-readonly-release-gate.py 
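Review bot: The rewritten `raw_payload_marker` pattern drops the `wazuh` and `payload` alternatives, so a response body containing text such as `raw_wazuh` or `raw payload` no longer trips the forbidden-response check, and the hunk does not say why those two were removed. If the motivation was the gate's own disabled-owner-gate copy matching the old pattern, the narrower fix is to keep the union and add the new tokens, `re.compile(r"raw[_ -]?(?:wazuh|payload|log|event|alert|body|request|response)", re.IGNORECASE)`, with a comment naming the phrase that caused the false positive so the next reader does not re-widen it. If the removal was deliberate, a one-line comment above the tuple stating that `raw_wazuh`/`raw_payload` are now accepted in responses would keep the detector's coverage explicit. The `FORBIDDEN_RESPONSE_PATTERNS` list opens before the hunk.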
@@ -4,8 +4,8 @@ IwoooS Wazuh 只讀 API release gate。 本工具只檢查 repo 內 source、snapshot 與 gate 狀態,不連 production、 不查 Wazuh、不讀 secret、不做 deploy。目的在於固定「source-side 與 -feature branch push 已完成」以及「formal main release / production deploy / -production readback 尚未完成」的界線。 +feature branch push、formal main release 與 production route readback 已完成」 +以及「Wazuh live metadata / active response / host write 仍未授權」的界線。 """ from __future__ import annotations @@ -40,7 +40,7 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]: return { "schema_version": "iwooos_wazuh_readonly_release_gate_v1", "generated_at": generated_at or now_iso(), - "status": "blocked_waiting_formal_main_release_and_production_deploy", + "status": "released_waiting_wazuh_live_metadata_owner_gate", "mode": "repo_release_gate_no_runtime_no_secret_collection", "release_lane_evidence": { "source_branch": "codex/iwooos-wazuh-boundary-guard-20260624", @@ -51,7 +51,7 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]: "release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file", "apply_check_status": "passed_external_readback_required_after_final_commit", "feature_branch_push_status": "completed_readback_required_before_release", - "production_readback_status": "predeploy_404_observed", + "production_readback_status": "production_readback_passed", }, "required_source_paths": REQUIRED_SOURCE_PATHS, "summary": { 
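Review bot: The new status `released_waiting_wazuh_live_metadata_owner_gate` in build_report is the same literal that validate() compares against in the `@@ -174` hunk at the end of this chunk, with a third copy in the committed snapshot JSON; this rename had to touch all three in lockstep, and any future drift turns the gate into a permanent `status mismatch` failure that looks like a real blocker. I would hoist it to a module constant, `RELEASE_GATE_STATUS = "released_waiting_wazuh_live_metadata_owner_gate"`, use `"status": RELEASE_GATE_STATUS,` in build_report and `if snapshot.get("status") != RELEASE_GATE_STATUS:` in validate(). The updated module docstring could also state that this status value is what validate() pins, since the docstring now describes the boundary but not the check. build_report continues outside the `@@ -40` and `@@ -51` hunks.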
@@ -63,10 +63,10 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
 "missing_required_source_path_count": len(missing_paths),
 "gitea_push_complete_count": 1,
 "gitea_push_blocker_observed_count": 0,
- "formal_main_release_complete_count": 0,
- "production_deploy_complete_count": 0,
- "production_readback_passed_count": 0,
- "predeploy_404_observed_count": 1,
+ "formal_main_release_complete_count": 1,
+ "production_deploy_complete_count": 1,
+ "production_readback_passed_count": 1,
+ "predeploy_404_observed_count": 0,
 "wazuh_server_side_env_enabled_count": 0,
 "wazuh_event_ref_accepted_count": 0,
 "host_forensics_ref_accepted_count": 0,
@@ -107,19 +107,19 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
 },
 {
 "gate_id": "formal_main_release",
- "status": "blocked_waiting_formal_release_lane",
- "required_evidence": "由正式 release lane 合併 feature branch 或套用等效 patch 到 main;不得 force push",
+ "status": "passed_main_fast_forward_readback",
+ "required_evidence": "main 已快轉到包含 Wazuh fix 的 commit;不得 force push",
 "runtime_authorized": False,
 },
 {
 "gate_id": "production_deploy",
- "status": "blocked_waiting_release_lane",
- "required_evidence": "Gitea CD / deploy marker 指向已合併 Wazuh fix 的 commit",
+ "status": "passed_deploy_marker_readback",
+ "required_evidence": "Gitea CD deploy marker 指向已合併 Wazuh fix 的 commit",
 "runtime_authorized": False,
 },
 {
 "gate_id": "production_readback",
- "status": "blocked_waiting_deploy",
+ "status": "passed_disabled_owner_gate_readback",
 "required_evidence": "python3 scripts/security/wazuh-readonly-production-readback.py --json 通過且不回 404",
 "runtime_authorized": False,
 },
@@ -147,9 +147,9 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]: }, "missing_required_source_paths": missing_paths, "operator_interpretation": [ - "此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API、guard 與 feature branch push 可交接。", - "正式 release 前不得用 predeploy 404 當成功,也不得為了修 404 直接改 Nginx、Docker、K8s、firewall 或 Wazuh secret。", - "乾淨套用 proof 與 feature branch push 通過只代表 release patch 可交接,不代表已合併 main、已部署或已啟用 Wazuh live metadata。", + "此 gate 通過代表 source-side、feature branch、main release、deploy marker 與 production route readback 已完成。", + "production route 回 200 只代表 IwoooS Wazuh read-only route 已部署;目前狀態仍為 disabled_waiting_iwooos_wazuh_owner_gate。", + "不得把 route 200、UI 可見、agent transport 或 service active 當成 Wazuh manager registry 已驗收。", "live Wazuh metadata query 必須另走 owner gate 與 server-side env;active response、host write、Kali active scan 仍為 0 / false。", ], } @@ -174,7 +174,7 @@ def validate(root: Path) -> None: if snapshot.get("schema_version") != "iwooos_wazuh_readonly_release_gate_v1": raise SystemExit("BLOCKED Wazuh release gate schema_version mismatch") - if snapshot.get("status") != "blocked_waiting_formal_main_release_and_production_deploy": + if snapshot.get("status") != "released_waiting_wazuh_live_metadata_owner_gate": raise SystemExit("BLOCKED Wazuh release gate status mismatch") for key, value in snapshot.get("execution_boundaries", {}).items(): if key == "not_authorization":
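Review bot: The first new `operator_interpretation` line states that passing this gate "代表 source-side、feature branch、main release、deploy marker 與 production route readback 已完成", but the module docstring in this same commit says the tool does not reach production and validate() only compares in-repo snapshot values, so the gate can attest only that the snapshot records those steps as complete. The sibling env gate phrases this correctly ("此 gate 不代表 … 只代表 …"); I would match it, e.g. `"此 gate 通過只代表 repo 內 snapshot 已記錄 source-side、feature branch、main release、deploy marker 與 production route readback 完成,不是對 production 的即時驗證。"`, so that the no-false-green boundary the second and third lines describe is not undercut by the first. build_report and validate() both continue outside their hunks.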