docs(iwooos): 記錄 Wazuh release apply proof

scripts/security/wazuh-readonly-release-gate.py

@@ -41,14 +41,27 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
         "generated_at": generated_at or now_iso(),
         "status": "blocked_waiting_gitea_push_and_production_deploy",
         "mode": "repo_release_gate_no_runtime_no_secret_collection",
+        "release_lane_evidence": {
+            "source_branch": "codex/iwooos-wazuh-boundary-guard-20260624",
+            "source_fix_commit": "47d36e85",
+            "source_head_readback": "run git rev-parse HEAD after the final docs commit; do not hardcode a self-referential commit hash",
+            "base_ref": "gitea/main",
+            "base_commit": "80604403",
+            "release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file",
+            "apply_check_status": "passed_external_readback_required_after_final_commit",
+            "production_readback_status": "predeploy_404_observed",
+            "gitea_push_blocker": "https_noninteractive_credential_required",
+        },
         "required_source_paths": REQUIRED_SOURCE_PATHS,
         "summary": {
             "source_side_fix_complete_count": 1 if source_ready else 0,
             "route_boundary_guard_complete_count": 1 if (root / "scripts/security/wazuh-readonly-route-boundary-guard.py").exists() else 0,
             "production_readback_script_complete_count": 1 if (root / "scripts/security/wazuh-readonly-production-readback.py").exists() else 0,
             "release_handoff_complete_count": 1 if (root / "docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md").exists() else 0,
+            "release_patch_apply_proof_complete_count": 1,
             "missing_required_source_path_count": len(missing_paths),
             "gitea_push_complete_count": 0,
+            "gitea_push_blocker_observed_count": 1,
             "production_deploy_complete_count": 0,
             "production_readback_passed_count": 0,
             "predeploy_404_observed_count": 1,
@@ -78,6 +91,12 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
                 "required_evidence": "wazuh-readonly-production-readback.py 可在 release 後不接受 404",
                 "runtime_authorized": False,
             },
+            {
+                "gate_id": "release_patch_apply_proof",
+                "status": "passed",
+                "required_evidence": "同等 patch 已可乾淨套用到最新 gitea/main 並通過同組 guard",
+                "runtime_authorized": False,
+            },
             {
                 "gate_id": "gitea_branch_push",
                 "status": "blocked_credential_required",
@@ -122,6 +141,7 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
         "operator_interpretation": [
             "此 gate 通過不代表 production 已部署，只代表 source-side Wazuh read-only API 與 guard 可交接。",
             "正式 release 前不得用 predeploy 404 當成功，也不得為了修 404 直接改 Nginx、Docker、K8s、firewall 或 Wazuh secret。",
+            "乾淨套用 proof 通過只代表 release patch 可落在最新主線，不代表已 push、已部署或已啟用 Wazuh live metadata。",
             "live Wazuh metadata query 必須另走 owner gate 與 server-side env；active response、host write、Kali active scan 仍為 0 / false。",
         ],
     }