docs(logbook): record wazuh runtime preflight production readback [skip ci]

Your Name
2026-06-28 10:55:29 +08:00
parent 46faf9cb6b
commit 392c1741ca


@@ -48404,3 +48404,41 @@ production browser smoke:
**仍維持**
- regular `awoooi-cd-lane.service` masked/inactivelegacy direct runner units fail-closed。
- 不讀 `.runner`、SQLite、raw session、auth、`.env`;只驗 systemd、capacity/labels 與 binary kind。
## 2026-06-28 — 10:54 Wazuh runtime controlled apply preflight production 完成
**時間與來源**
- 2026-06-28 10:17-10:54 Asia/Taipei。
- 來源feature commit `b010afdbf feat(iwooos): add wazuh controlled apply preflight`、Gitea main deploy trigger `9b9f1cf38`、deploy marker `104546308`、CD `cd.yaml #3792`
- 追加確認時 main 已前進到 `46faf9cb6`;本段 production readback 以已部署 `#3792 / 104546308` 為證據,且 Wazuh API contract 已包含於最新 main。
**完成內容**
- 新增 `GET /api/v1/iwooos/wazuh-runtime-controlled-apply-preflight`,回傳公開安全 target selector、source-of-truth diff、check-mode / dry-run、rollback、post-apply verifier、KM / PlayBook writeback 與 runtime gate 邊界。
- 新增 `POST /api/v1/iwooos/wazuh-runtime-controlled-apply-preflight/validate-controlled-apply-packet`,只做 redacted controlled-apply packet no-persist validation可分流 accepted / quarantine sensitive payload / reject runtime action。
- `GET /api/v1/iwooos/runtime-security-readback` 納入 Wazuh runtime controlled apply preflight lane`source_snapshot_count=11``p0_lane_count=10``wazuh_runtime_apply_preflight_ready_count=1``wazuh_runtime_apply_runtime_gate_count=0`
- `/zh-TW/iwooos` 新增對應前台讀回與 i18n前台仍只顯示公開安全摘要不顯示 raw Wazuh payload、內網位址、secret 或 raw session 文字。
**驗證結果**
- 本地:`py_compile`、ruff format/check、focused API tests、完整 API tests `3477 passed, 23 skipped`、web `tsc --noEmit`、JSON validation、`git diff --check` 均通過。
- Gitea`cd.yaml #3792` build/deploy job `Job succeeded`API / web image build push 完成api / web rollout 成功。
- Production GET preflightHTTP 200schema `iwooos_wazuh_runtime_controlled_apply_preflight_readback_v1`
- Production GET runtime-securityHTTP 200schema `iwooos_runtime_security_readback_v1``source_snapshot_count=11``p0_lane_count=10`
- Production POST valid redacted packetHTTP 200status `accepted_for_controlled_apply_preflight_review_only``payload_persisted=false``runtime_execution_authorized=false``runtime_gate_open=false`
- Production POST sensitive dummy packetHTTP 200status `quarantine_sensitive_payload`,未 echo dummy `10.1.2.3` 或 dummy bearer string。
- Production POST runtime-action packetHTTP 200status `reject_runtime_action_request``runtime_gate_count=0`
- POST 後 GET preflight counters 仍全 `0`received / accepted / quarantined / runtime action rejected / runtime gate / live Wazuh query / active response / host write / secret collection。
- Browser smoke `/zh-TW/iwooos`desktop `1440x1100`、mobile `390x664` 皆 HTTP 200、console error `0`、page error `0`、horizontal overflow `false`、forbidden hits `0`
**仍維持 0 / false**
- `runtime_gate_count=0``wazuh_api_live_query_authorized_count=0``wazuh_active_response_authorized_count=0``host_write_authorized_count=0``secret_value_collection_allowed_count=0`
- `payload_persisted=false``runtime_execution_authorized=false``runtime_gate_open=false`
- 此段是 controlled apply preflight / review readiness不是 live Wazuh query、agent restart、active response、host write 或 runtime gate 開啟。
**未做**
- 沒有 live Wazuh API query、沒有 host / Docker / systemd / Nginx / firewall / K8s node / DB / Wazuh runtime 寫操作。
- 沒有讀 secret 明文、沒有讀 `.env`、沒有讀 raw sessions / SQLite / auth、沒有 force push。
- 沒有繞過 110 runner / direct CD lane 壓力事故例外;沒有把 pressure gate 改成 warn-only。
**下一個 P0**
- 將 Wazuh runtime gate owner review packet 從 no-persist validation 推進為 committed review readback保留 redacted evidence refs、target selector、source diff、check-mode / dry-run、rollback、post-apply verifier 與 KM writeback仍不得查 live Wazuh 或做 host write。
- 若要進一步打開 runtime gate必須逐 target 以 check-mode / dry-run、rollback owner、maintenance window 與 post-apply verifier 收斂,並在 production readback 中證明沒有 secret/raw payload 外洩。
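Review bot: the bullet "POST 後 GET preflight counters 仍全 0" (received / accepted / quarantined / runtime action rejected, …) comes right after three production POSTs that returned `accepted_for_controlled_apply_preflight_review_only`, `quarantine_sensitive_payload` and `reject_runtime_action_request`, so a reader sees `received=0` after three received packets and cannot tell a counter defect from intended behaviour; state on that bullet that the counters stay at 0 by design because the validate endpoint is no-persist (as the "完成內容" bullet says with `payload_persisted=false`), rather than leaving the 0 to speak for itself. Two smaller points in the same entry: the "時間與來源" section says main has moved on to `46faf9cb6` while the evidence is the earlier deploy `#3792 / 104546308`, so add one line saying whether the production readback was re-run after `46faf9cb6` or only asserts that the API contract is unchanged; and for the sensitive dummy packet line ("未 echo dummy `10.1.2.3` 或 dummy bearer string"), record where the non-echo was checked (response body only, or also headers and API logs), since a redacted-payload quarantine that logs the raw packet server-side would still pass the body check as written.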