fix(iwooos): sync Wazuh route readback gates

scripts/security/wazuh-agent-visibility-runtime-gate.py

@@ -166,7 +166,7 @@ def validate(root: Path) -> None:
     assert_equal(
         "wazuh_agent_visibility_runtime_gate.production_route_http_status",
         snapshot.get("production_route_http_status"),
-        404,
+        200,
     )
     expected_error_codes = {400, 429, 500}
     actual_error_codes = set(snapshot.get("dashboard_error_codes_observed", []))

scripts/security/wazuh-readonly-live-metadata-env-gate.py

@@ -111,7 +111,7 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
     return {
         "schema_version": "iwooos_wazuh_readonly_live_metadata_env_gate_v1",
         "generated_at": generated_at or now_iso(),
-        "status": "blocked_waiting_release_readback_and_live_metadata_owner_response",
+        "status": "blocked_waiting_live_metadata_owner_response",
         "mode": "repo_gate_no_secret_no_runtime_no_wazuh_query",
         "summary": {
             "server_side_env_key_count": len(SERVER_SIDE_ENV_KEYS),
@@ -119,7 +119,7 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
             "reviewer_check_count": len(REVIEWER_CHECKS),
             "outcome_lane_count": len(OUTCOME_LANES),
             "blocked_action_count": len(BLOCKED_ACTIONS),
-            "production_route_readback_passed_count": 0,
+            "production_route_readback_passed_count": 1,
             "live_metadata_owner_response_received_count": 0,
             "live_metadata_owner_response_accepted_count": 0,
             "secret_source_metadata_accepted_count": 0,
@@ -138,8 +138,8 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
         "blocked_actions": BLOCKED_ACTIONS,
         "live_metadata_candidate": {
             "candidate_id": "iwooos_wazuh_readonly_live_metadata_env",
-            "status": "waiting_release_readback_and_live_metadata_owner_response",
-            "production_route_readback_ref": None,
+            "status": "waiting_live_metadata_owner_response",
+            "production_route_readback_ref": "production_readback_passed_http_200_disabled_owner_gate",
             "server_side_env_keys": SERVER_SIDE_ENV_KEYS,
             "secret_source_metadata_ref": None,
             "wazuh_manager_health_ref": None,
@@ -171,7 +171,7 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
         },
         "operator_interpretation": [
             "此 gate 不代表 Wazuh live metadata 已啟用，只代表啟用前欄位與禁止動作已固定。",
-            "Production route 必須先不加 --allow-predeploy-404 readback 通過，才能考慮 server-side env enable。",
+            "Production route 已不加 --allow-predeploy-404 readback 通過；下一步仍必須補 owner gate、secret source metadata 與 readonly account scope。",
             "secret handling 只能提供注入來源 metadata 與 owner，不得提交密碼、token、hash、partial secret 或 raw env。",
             "Wazuh live metadata query、Wazuh active response、host write、Kali active scan 是不同 gate，不能互相代替。",
         ],

scripts/security/wazuh-readonly-production-readback.py

@@ -34,7 +34,10 @@ FORBIDDEN_RESPONSE_PATTERNS = [
     ("private_ipv4", re.compile(r"\b(?:10|127|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b")),
     ("known_secret_shape", re.compile(r"Wooo-[0-9]{6,}")),
     ("token_like_field", re.compile(r'"(?:token|password|secret|private_key|runner_token)"\s*:', re.IGNORECASE)),
-    ("raw_payload_marker", re.compile(r"raw[_ -]?(?:wazuh|payload|log)", re.IGNORECASE)),
+    (
+        "raw_payload_marker",
+        re.compile(r"raw[_ -]?(?:log|event|alert|body|request|response)", re.IGNORECASE),
+    ),
     ("legacy_fake_soc_copy", re.compile(r"IWOOOS SOC Dashboard|Threat Blocked|Recent Automated Responses", re.IGNORECASE)),
 ]
 

scripts/security/wazuh-readonly-release-gate.py

@@ -4,8 +4,8 @@ IwoooS Wazuh 只讀 API release gate。
 
 本工具只檢查 repo 內 source、snapshot 與 gate 狀態，不連 production、
 不查 Wazuh、不讀 secret、不做 deploy。目的在於固定「source-side 與
-feature branch push 已完成」以及「formal main release / production deploy /
-production readback 尚未完成」的界線。
+feature branch push、formal main release 與 production route readback 已完成」
+以及「Wazuh live metadata / active response / host write 仍未授權」的界線。
 """
 
 from __future__ import annotations
@@ -40,7 +40,7 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
     return {
         "schema_version": "iwooos_wazuh_readonly_release_gate_v1",
         "generated_at": generated_at or now_iso(),
-        "status": "blocked_waiting_formal_main_release_and_production_deploy",
+        "status": "released_waiting_wazuh_live_metadata_owner_gate",
         "mode": "repo_release_gate_no_runtime_no_secret_collection",
         "release_lane_evidence": {
             "source_branch": "codex/iwooos-wazuh-boundary-guard-20260624",
@@ -51,7 +51,7 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
             "release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file",
             "apply_check_status": "passed_external_readback_required_after_final_commit",
             "feature_branch_push_status": "completed_readback_required_before_release",
-            "production_readback_status": "predeploy_404_observed",
+            "production_readback_status": "production_readback_passed",
         },
         "required_source_paths": REQUIRED_SOURCE_PATHS,
         "summary": {
@@ -63,10 +63,10 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
             "missing_required_source_path_count": len(missing_paths),
             "gitea_push_complete_count": 1,
             "gitea_push_blocker_observed_count": 0,
-            "formal_main_release_complete_count": 0,
-            "production_deploy_complete_count": 0,
-            "production_readback_passed_count": 0,
-            "predeploy_404_observed_count": 1,
+            "formal_main_release_complete_count": 1,
+            "production_deploy_complete_count": 1,
+            "production_readback_passed_count": 1,
+            "predeploy_404_observed_count": 0,
             "wazuh_server_side_env_enabled_count": 0,
             "wazuh_event_ref_accepted_count": 0,
             "host_forensics_ref_accepted_count": 0,
@@ -107,19 +107,19 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
             },
             {
                 "gate_id": "formal_main_release",
-                "status": "blocked_waiting_formal_release_lane",
-                "required_evidence": "由正式 release lane 合併 feature branch 或套用等效 patch 到 main；不得 force push",
+                "status": "passed_main_fast_forward_readback",
+                "required_evidence": "main 已快轉到包含 Wazuh fix 的 commit；不得 force push",
                 "runtime_authorized": False,
             },
             {
                 "gate_id": "production_deploy",
-                "status": "blocked_waiting_release_lane",
-                "required_evidence": "Gitea CD / deploy marker 指向已合併 Wazuh fix 的 commit",
+                "status": "passed_deploy_marker_readback",
+                "required_evidence": "Gitea CD deploy marker 指向已合併 Wazuh fix 的 commit",
                 "runtime_authorized": False,
             },
             {
                 "gate_id": "production_readback",
-                "status": "blocked_waiting_deploy",
+                "status": "passed_disabled_owner_gate_readback",
                 "required_evidence": "python3 scripts/security/wazuh-readonly-production-readback.py --json 通過且不回 404",
                 "runtime_authorized": False,
             },
@@ -147,9 +147,9 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
         },
         "missing_required_source_paths": missing_paths,
         "operator_interpretation": [
-            "此 gate 通過不代表 production 已部署，只代表 source-side Wazuh read-only API、guard 與 feature branch push 可交接。",
-            "正式 release 前不得用 predeploy 404 當成功，也不得為了修 404 直接改 Nginx、Docker、K8s、firewall 或 Wazuh secret。",
-            "乾淨套用 proof 與 feature branch push 通過只代表 release patch 可交接，不代表已合併 main、已部署或已啟用 Wazuh live metadata。",
+            "此 gate 通過代表 source-side、feature branch、main release、deploy marker 與 production route readback 已完成。",
+            "production route 回 200 只代表 IwoooS Wazuh read-only route 已部署；目前狀態仍為 disabled_waiting_iwooos_wazuh_owner_gate。",
+            "不得把 route 200、UI 可見、agent transport 或 service active 當成 Wazuh manager registry 已驗收。",
             "live Wazuh metadata query 必須另走 owner gate 與 server-side env；active response、host write、Kali active scan 仍為 0 / false。",
         ],
     }
@@ -174,7 +174,7 @@ def validate(root: Path) -> None:
 
     if snapshot.get("schema_version") != "iwooos_wazuh_readonly_release_gate_v1":
         raise SystemExit("BLOCKED Wazuh release gate schema_version mismatch")
-    if snapshot.get("status") != "blocked_waiting_formal_main_release_and_production_deploy":
+    if snapshot.get("status") != "released_waiting_wazuh_live_metadata_owner_gate":
         raise SystemExit("BLOCKED Wazuh release gate status mismatch")
     for key, value in snapshot.get("execution_boundaries", {}).items():
         if key == "not_authorization":