ops(reboot): add post-reboot readiness summary [skip ci]

2026-06-26 07:50:36 +08:00
parent 77aaeb7cab
commit 63545353dc
4 changed files with 283 additions and 3 deletions
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -44899,3 +44899,50 @@ production browser smoke:

 **不得宣稱**：
 - 不得宣稱 `DR_COMPLETE`、credential escrow complete、188 host fully green、Wazuh registry recovered、runtime/security acceptance enabled、或所有主機衛生問題已解決。
+
+## 2026-06-26 — 07:47 machine-readable post-reboot readiness summary / SOP v1.67
+
+**時間與來源**：
+- 2026-06-26 07:45-07:47 Asia/Taipei。
+- 來源：新增 `scripts/reboot-recovery/post-reboot-readiness-summary.sh --no-color`，delegated logs 存於 `/tmp/awoooi-post-reboot-readiness-20260626-074702`。
+
+**完成內容**：
+- 新增 post-reboot 機器可讀摘要腳本，串接既有只讀 `post-start-quick-check.sh`、188 host hygiene checklist、Wazuh no-false-green repo gates。
+- 腳本不新增 runtime 修復能力，不會 restart / reload / repair / import / delete / patch / write remote state。
+- 輸出固定 key/value，讓 operator / AI agent 每次重啟後先判斷 `SERVICE_GREEN`、`PRODUCT_DATA_GREEN`、`BACKUP_CORE_GREEN`、`DR_ESCROW_BLOCKED`、`HOST_188_HYGIENE_BLOCKED`、`WAZUH_MANAGER_REGISTRY_ACCEPTED`、`RUNTIME_ACTION_AUTHORIZED` 與 `NEXT_REQUIRED_GATES`。
+
+**只讀驗證結果**：
+- `POST_START_RESULT=FULL_STACK_GREEN_DR_ESCROW_BLOCKED`
+- `POST_START_PASS=38`
+- `POST_START_WARN=3`
+- `POST_START_BLOCKED=0`
+- `SERVICE_GREEN=1`
+- `PRODUCT_DATA_GREEN=1`
+- `BACKUP_CORE_GREEN=1`
+- `DR_ESCROW_BLOCKED=1`
+- `ESCROW_MISSING_COUNT=5`
+- `HOST_188_SERVICE_GREEN=1`
+- `HOST_188_HYGIENE_BLOCKED=1`
+- `WAZUH_ROUTE_CODE=200`
+- `WAZUH_TRANSPORT_COUNT=6`
+- `WAZUH_MANAGER_REGISTRY_ACCEPTED=0`
+- `WAZUH_RUNTIME_GATE=0`
+- `RUNTIME_ACTION_AUTHORIZED=0`
+- `OVERALL_DECLARATION=FULL_STACK_GREEN_DR_ESCROW_BLOCKED`
+- `NEXT_REQUIRED_GATES=credential_escrow_evidence,host_188_hygiene_maintenance_window,wazuh_manager_registry_export`
+
+**做過的命令類型**：
+- 只讀：delegated post-start / cold-start / MOMO / Stock / backup / route / CPU readback、188 host hygiene readback、Wazuh repo-side guard。
+- 寫入：repo script / docs-only。
+- 未做：host / Docker / systemd / Nginx / firewall / K8s / DB / Wazuh runtime 寫操作；未讀 secret 明文；未執行 active response。
+
+**目前判定**：
+- Post-reboot summary automation：`0% -> 100%`。
+- Reboot service/data/backup readiness：`GREEN`。
+- Overall declaration remains `FULL_STACK_GREEN_DR_ESCROW_BLOCKED`。
+
+**仍 blocked / 不得宣稱**：
+- DR credential escrow evidence missing `5`。
+- 188 host hygiene 維護窗口仍未執行。
+- Wazuh manager registry accepted remains `0`。
+- 不得宣稱 `DR_COMPLETE`、188 host fully green、Wazuh registry recovered、runtime/security acceptance enabled。
--- a/docs/runbooks/FULL-STACK-COLD-START-SOP.md
+++ b/docs/runbooks/FULL-STACK-COLD-START-SOP.md
@@ -1,6 +1,6 @@
 # AWOOOI 全棧冷啟動與主機重啟 SOP

-> Version: v1.66
+> Version: v1.67
 > Last updated: 2026-06-26 Asia/Taipei
 > Scope: 110 / 120 / 121 / 188 full-stack reboot recovery. 112 Kali is recorded as P3 optional and is not part of this recovery path.

@@ -10,7 +10,9 @@

 本節是每次接手、開機、關機、重啟後的第一個判定錨點。若日期不是今天，必須先重跑 live check，再更新本節與 `docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md`。

-若只是重啟後要快速判斷能不能宣稱恢復，先跑一頁式總檢查：`scripts/reboot-recovery/post-start-quick-check.sh --no-color`，並以 `docs/runbooks/REBOOT-POST-START-QUICK-CHECK.md` 作為人工 fallback。長 SOP 保留完整背景、例外處理與 Plan B；短版 wrapper / checklist 負責每次 T+10 分鐘內的固定判定。
+若只是重啟後要快速判斷能不能宣稱恢復，先跑機器可讀摘要：`scripts/reboot-recovery/post-reboot-readiness-summary.sh --no-color`。此腳本會呼叫一頁式總檢查、188 host hygiene checklist 與 Wazuh no-false-green repo gates，並把 delegated logs 留在 `/tmp/awoooi-post-reboot-readiness-*`。需要人工展開時，再跑 `scripts/reboot-recovery/post-start-quick-check.sh --no-color` 並以 `docs/runbooks/REBOOT-POST-START-QUICK-CHECK.md` 作為 fallback。長 SOP 保留完整背景、例外處理與 Plan B；短版 wrapper / checklist 負責每次 T+10 分鐘內的固定判定。
+
+2026-06-26 07:47 machine-readable readiness summary：`scripts/reboot-recovery/post-reboot-readiness-summary.sh --no-color` 已驗證可用，artifact dir `/tmp/awoooi-post-reboot-readiness-20260626-074702`。摘要輸出 `POST_START_RESULT=FULL_STACK_GREEN_DR_ESCROW_BLOCKED`、`POST_START_PASS=38`、`POST_START_WARN=3`、`POST_START_BLOCKED=0`、`SERVICE_GREEN=1`、`PRODUCT_DATA_GREEN=1`、`BACKUP_CORE_GREEN=1`、`DR_ESCROW_BLOCKED=1`、`ESCROW_MISSING_COUNT=5`、`HOST_188_SERVICE_GREEN=1`、`HOST_188_HYGIENE_BLOCKED=1`、`WAZUH_ROUTE_CODE=200`、`WAZUH_TRANSPORT_COUNT=6`、`WAZUH_MANAGER_REGISTRY_ACCEPTED=0`、`WAZUH_RUNTIME_GATE=0`、`RUNTIME_ACTION_AUTHORIZED=0`。目前 `OVERALL_DECLARATION=FULL_STACK_GREEN_DR_ESCROW_BLOCKED`，`NEXT_REQUIRED_GATES=credential_escrow_evidence,host_188_hygiene_maintenance_window,wazuh_manager_registry_export`。這是每次重啟後的第一層 operator / AI agent 判定格式。

 2026-06-26 07:39 live quick-check refresh：`scripts/reboot-recovery/post-start-quick-check.sh --no-color` 完整跑完，四主機 ping / SSH 全部 OK，delegated cold-start 為 `PASS=89 WARN=0 BLOCKED=0`，wrapper 總結為 `POST_START_QUICK_CHECK PASS=38 WARN=3 BLOCKED=0`、warning split `SERVICE=0 BOUNDARY=1 EVIDENCE=2`、`RESULT=FULL_STACK_GREEN_DR_ESCROW_BLOCKED`。MOMO health `V10.701`，daily snapshot `109061` rows / `2025-07-01..2026-06-24`，current-month parity `15383|15383|2026-06-01|2026-06-24|2026-06-01|2026-06-24`，latest import job `57 completed`。StockPlatform freshness `status=ok`、latest trading date `2026-06-25`，price / chips / margin / AI recommendations 均為 `2026-06-25`。Backup-status 07:39 顯示 110 `13/13 fresh failed=0`、188 `2/2 fresh failed=0`、`core_blockers=0`、offsite/rclone fresh、`last_backup_all=2026-06-26 02:31:02`、`escrow_missing=5`。Public routes extended list 全部回 expected 2xx/3xx。110 CPU attribution 顯示 load 約 `5.19 / 4.66 / 4.91`，CPU idle 多數樣本 `80%+`，目前負載來自 Gitea / ClickHouse / Docker / Kafka / StockPlatform / AWOOOI API / Sentry 等正常平台工作，不是 orphan Chrome。這一輪 allowed declaration：主機、K3s、服務、網站、產品資料 freshness、備份核心與 offsite freshness 綠；forbidden declaration：DR complete、credential escrow complete、188 host fully green、Wazuh registry recovered。

--- a/docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md
+++ b/docs/workplans/2026-06-04-reboot-cold-start-backup-recovery-workplan.md
@@ -15,7 +15,9 @@
 | P0 host / K3s recovery | DONE | 100% | 120 booted after console fsck at `2026-06-12 15:13`; latest 2026-06-26 07:19 readback shows 120 and 121 reachable, K3s active, `mon` and `mon1` both `Ready control-plane`, AWOOOI API/Web replicas split across both nodes, ArgoCD `awoooi-prod Synced / Healthy` at revision `1fd5e2a8b0f18d24eed16aa2a44286bcbf230603`, and `km-vectorize` official 03:00 台北時間 run succeeded with `lastSuccess=2026-06-25T19:00:14Z`. |
 | P1 backup / alert / escrow | BLOCKED_DR_ESCROW | 97% | 2026-06-26 06:58 backup readback shows 110 `13/13 fresh failed=0`, 188 `2/2 fresh failed=0`, `core_blockers=0`, `integrity_stale=0`, `offsite_fresh=1`, `rclone_gdrive_fresh=1`, `escrow_missing=5`, last aggregate `2026-06-26 02:31:02`。DR remains blocked on real non-secret credential escrow evidence IDs; do not write placeholder markers or paste secret values. |
 | P2 service / data truth | DONE | 100% | Service routes and core runtime are available, 110 current CPU pressure is attributable to active AWOOOI Web `turbo build` / Docker buildx, and previous orphan Chrome groups remain cleared. 2026-06-26 07:19 StockPlatform `/api/v1/system/freshness` returned `200`; 07:01 freshness payload was `status=ok`, `latest_trading_date=2026-06-25`, blockers `[]`; price / chips / margin / AI recommendations are all on `2026-06-25`. `ai.recommendations` row count is `2868`; `core.margin_short_daily` row count is `1976`. MOMO health `V10.699`, current-month parity `15383|15383|2026-06-01|2026-06-24|2026-06-01|2026-06-24`, and `MOMO_DAILY_FRESHNESS 1|2026-06-24` are green; expanded public routes are green. |
-| P3 docs / automation contracts | DONE_WITH_ROUTE_RETRY_V166 | 100% | Workplan, SOP v1.66, one-page post-start quick check v1.6, route retry gate, deploy warmup classification, expanded public route list, StockPlatform freshness gate, StockPlatform cron-source recovery evidence, StockPlatform natural schedule green evidence, 110 orphan Chrome recurrence cleanup evidence, 188 fail-closed startup data recovery gate, 188 host hygiene read-only checklist, baseline `stockplatform_system_freshness_ok`, BACKUP-STATUS, LOGBOOK, 120 console/fsck recovery, Gitea backup stale-dump hardening, reboot ledger/version-comparison SOP, escrow evidence audit, 188 nginx Ansible baseline, 110 cold-start detector script, startup judgment layers, GO/NO-GO tree, host recovery cards, explicit Plan B degraded-operation path, machine-readable `plan_b` baseline, readiness-audit Plan B guard, B0-B5 service levels, T+0/T+120 fallback timeline checks, host role / load-balancing assessment, CD `known_hosts` guardrail, `fwupd-refresh.timer` rollback note, K3s filesystem event blocker, AWOOOI backup no-direct-offsite-sync contract, 110/188 Ansible source-of-truth, Gitea self-hosted readiness validation workflow, post-CD no-regression readbacks, stale-vs-active K8s failed Job classification, 110 runaway browser / CI load AIOps exporter + alert + gated remediation PlayBook, Telegram / AI event packet mapping, healthy heartbeat Telegram suppression, MOMO scheduler / current-month detector fix, exporter restore helpers, 110 Docker disk pressure cleanup boundary, notification-noise readback, MOMO import-boundary / Drive-auth fail-closed deploys, product version/readback matrix, and stricter product-data / route retry gates are updated. Live 110 script sync remains a separate approved live-write gate; do not claim it here. |
+| P3 docs / automation contracts | DONE_WITH_MACHINE_READINESS_V167 | 100% | Workplan, SOP v1.67, machine-readable post-reboot readiness summary, one-page post-start quick check v1.6, route retry gate, deploy warmup classification, expanded public route list, StockPlatform freshness gate, StockPlatform cron-source recovery evidence, StockPlatform natural schedule green evidence, 110 orphan Chrome recurrence cleanup evidence, 188 fail-closed startup data recovery gate, 188 host hygiene read-only checklist, baseline `stockplatform_system_freshness_ok`, BACKUP-STATUS, LOGBOOK, 120 console/fsck recovery, Gitea backup stale-dump hardening, reboot ledger/version-comparison SOP, escrow evidence audit, 188 nginx Ansible baseline, 110 cold-start detector script, startup judgment layers, GO/NO-GO tree, host recovery cards, explicit Plan B degraded-operation path, machine-readable `plan_b` baseline, readiness-audit Plan B guard, B0-B5 service levels, T+0/T+120 fallback timeline checks, host role / load-balancing assessment, CD `known_hosts` guardrail, `fwupd-refresh.timer` rollback note, K3s filesystem event blocker, AWOOOI backup no-direct-offsite-sync contract, 110/188 Ansible source-of-truth, Gitea self-hosted readiness validation workflow, post-CD no-regression readbacks, stale-vs-active K8s failed Job classification, 110 runaway browser / CI load AIOps exporter + alert + gated remediation PlayBook, Telegram / AI event packet mapping, healthy heartbeat Telegram suppression, MOMO scheduler / current-month detector fix, exporter restore helpers, 110 Docker disk pressure cleanup boundary, notification-noise readback, MOMO import-boundary / Drive-auth fail-closed deploys, product version/readback matrix, and stricter product-data / route retry gates are updated. Live 110 script sync remains a separate approved live-write gate; do not claim it here. |
+
+2026-06-26 07:47 machine-readable summary baseline: `scripts/reboot-recovery/post-reboot-readiness-summary.sh --no-color` stores delegated logs under `/tmp/awoooi-post-reboot-readiness-20260626-074702` and returns `SERVICE_GREEN=1`, `PRODUCT_DATA_GREEN=1`, `BACKUP_CORE_GREEN=1`, `DR_ESCROW_BLOCKED=1`, `ESCROW_MISSING_COUNT=5`, `HOST_188_SERVICE_GREEN=1`, `HOST_188_HYGIENE_BLOCKED=1`, `WAZUH_ROUTE_CODE=200`, `WAZUH_TRANSPORT_COUNT=6`, `WAZUH_MANAGER_REGISTRY_ACCEPTED=0`, `WAZUH_RUNTIME_GATE=0`, `RUNTIME_ACTION_AUTHORIZED=0`, `OVERALL_DECLARATION=FULL_STACK_GREEN_DR_ESCROW_BLOCKED`, and `NEXT_REQUIRED_GATES=credential_escrow_evidence,host_188_hygiene_maintenance_window,wazuh_manager_registry_export`. This is now the preferred first operator/AI-agent entrypoint after reboot because it separates service health from DR, host hygiene, and security registry evidence.

 2026-06-26 07:39 live quick-check refresh supersedes the 07:19 row for current operator status. `scripts/reboot-recovery/post-start-quick-check.sh --no-color` returned `POST_START_QUICK_CHECK PASS=38 WARN=3 BLOCKED=0`, warning split `SERVICE=0 BOUNDARY=1 EVIDENCE=2`, result `FULL_STACK_GREEN_DR_ESCROW_BLOCKED`. Delegated cold-start returned `PASS=89 WARN=0 BLOCKED=0`; four reboot-scope hosts ping/SSH were OK; AWOOOI / VibeWork / AwoooGo / 2026FIFA / Agent Bounty / MOMO / Stock / Bitan / TsenYang / VTuber / Gitea / Harbor / Registry / Sentry / SigNoz / Langfuse / AIOps routes returned expected 2xx/3xx. MOMO `V10.701` has job `57 completed`, daily freshness `1|2026-06-24`, and current-month parity `15383|15383|2026-06-01|2026-06-24|2026-06-01|2026-06-24`. StockPlatform freshness is `ok` through `2026-06-25` with price / chips / margin / AI recommendations current. Backup core remains green: 110 `13/13 fresh failed=0`, 188 `2/2 fresh failed=0`, `core_blockers=0`, offsite/rclone fresh, `last_backup_all=2026-06-26 02:31:02`; DR still has `escrow_missing=5`. 110 load around `5.19 / 4.66 / 4.91` is attributable to normal platform processes, not orphan Chrome. 188 host hygiene remains blocked by failed host PostgreSQL / certbot / startup units and must use the dedicated maintenance runbook and read-only checklist.

--- a/scripts/reboot-recovery/post-reboot-readiness-summary.sh
+++ b/scripts/reboot-recovery/post-reboot-readiness-summary.sh
@@ -0,0 +1,229 @@
+#!/usr/bin/env bash
+# AWOOOI post-reboot machine-readable readiness summary.
+# Read-only by design: this script never restarts, reloads, repairs, imports,
+# deletes, patches, or writes remote runtime state.
+
+set -uo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+NO_COLOR_FLAG=0
+SHOW_LOGS=0
+RUN_188_HYGIENE=1
+RUN_WAZUH_GATES=1
+ARTIFACT_DIR="${ARTIFACT_DIR:-/tmp/awoooi-post-reboot-readiness-$(date '+%Y%m%d-%H%M%S')}"
+
+usage() {
+  cat <<'USAGE'
+Usage: post-reboot-readiness-summary.sh [options]
+
+Runs the existing read-only post-reboot checks and prints a stable key/value
+summary for operators and AI agents.
+
+Options:
+  --no-color             Disable color in delegated checks.
+  --show-logs            Print delegated check logs after the summary.
+  --skip-188-hygiene     Skip the 188 host hygiene boundary checklist.
+  --skip-wazuh-gates     Skip repo-side Wazuh no-false-green gates.
+  -h, --help             Show this help.
+
+Exit codes:
+  0 = core services are green. Boundary blockers may still be present.
+  2 = core service blocker observed.
+
+This script stores read-only evidence logs under ARTIFACT_DIR.
+USAGE
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --no-color)
+      NO_COLOR_FLAG=1
+      ;;
+    --show-logs)
+      SHOW_LOGS=1
+      ;;
+    --skip-188-hygiene)
+      RUN_188_HYGIENE=0
+      ;;
+    --skip-wazuh-gates)
+      RUN_WAZUH_GATES=0
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      printf 'Unknown argument: %s\n' "$1" >&2
+      usage >&2
+      exit 2
+      ;;
+  esac
+  shift
+done
+
+mkdir -p "$ARTIFACT_DIR"
+
+extract_key() {
+  local key="$1"
+  local file="$2"
+  awk -F= -v key="$key" '$1 == key {value=$2; found=1} END {if (found) print value; else print ""}' "$file"
+}
+
+extract_summary_number() {
+  local label="$1"
+  local line="$2"
+  sed -nE "s/.*${label}=([0-9]+).*/\\1/p" <<<"$line" | tail -n 1
+}
+
+extract_named_token() {
+  local name="$1"
+  local line="$2"
+  tr ' ' '\n' <<<"$line" | awk -F= -v name="$name" '$1 == name {print $2; found=1} END {if (!found) print ""}'
+}
+
+post_start_log="$ARTIFACT_DIR/post-start-quick-check.log"
+post_start_args=(--no-color)
+if [[ "$NO_COLOR_FLAG" -eq 1 ]]; then
+  post_start_args=(--no-color)
+fi
+
+post_start_rc=0
+bash "$ROOT_DIR/scripts/reboot-recovery/post-start-quick-check.sh" "${post_start_args[@]}" >"$post_start_log" 2>&1 || post_start_rc=$?
+
+post_summary="$(grep -E '^POST_START_QUICK_CHECK PASS=[0-9]+ WARN=[0-9]+ BLOCKED=[0-9]+' "$post_start_log" | tail -n 1 || true)"
+post_warning_summary="$(grep -E '^POST_START_QUICK_CHECK_WARNINGS SERVICE=[0-9]+ BOUNDARY=[0-9]+ EVIDENCE=[0-9]+' "$post_start_log" | tail -n 1 || true)"
+post_result="$(grep -E '^RESULT=' "$post_start_log" | tail -n 1 | cut -d= -f2- || true)"
+
+post_pass="$(extract_summary_number PASS "$post_summary")"
+post_warn="$(extract_summary_number WARN "$post_summary")"
+post_blocked="$(extract_summary_number BLOCKED "$post_summary")"
+service_warn="$(extract_named_token SERVICE "$post_warning_summary")"
+boundary_warn="$(extract_named_token BOUNDARY "$post_warning_summary")"
+evidence_warn="$(extract_named_token EVIDENCE "$post_warning_summary")"
+
+service_green=0
+if [[ "${post_blocked:-999}" == "0" && "${service_warn:-999}" == "0" ]]; then
+  service_green=1
+fi
+
+backup_core_green=0
+grep -q 'OK backup core blockers are 0' "$post_start_log" && backup_core_green=1
+
+product_data_green=0
+if grep -q '^STOCK_FRESHNESS_STATUS ok$' "$post_start_log" \
+  && grep -q '^DB_DAILY_FRESHNESS ' "$post_start_log"; then
+  product_data_green=1
+fi
+
+escrow_missing_count="$(grep -Eo 'escrow_missing=[0-9]+' "$post_start_log" | tail -n 1 | cut -d= -f2 || true)"
+dr_escrow_blocked=0
+if [[ -n "$escrow_missing_count" && "$escrow_missing_count" != "0" ]]; then
+  dr_escrow_blocked=1
+elif [[ "$post_result" == "FULL_STACK_GREEN_DR_ESCROW_BLOCKED" ]]; then
+  dr_escrow_blocked=1
+fi
+
+host_188_hygiene_blocked="unknown"
+host_188_service_green="unknown"
+host_188_runtime_action="0"
+host_188_result="skipped"
+host_188_rc=0
+if [[ "$RUN_188_HYGIENE" -eq 1 ]]; then
+  host_188_log="$ARTIFACT_DIR/188-host-hygiene.log"
+  bash "$ROOT_DIR/scripts/reboot-recovery/188-host-hygiene-maintenance-checklist.sh" --no-color >"$host_188_log" 2>&1 || host_188_rc=$?
+  host_188_hygiene_blocked="$(extract_key HOST_HYGIENE_BLOCKED "$host_188_log")"
+  host_188_service_green="$(extract_key SERVICE_GREEN "$host_188_log")"
+  host_188_runtime_action="$(extract_key RUNTIME_ACTION_AUTHORIZED "$host_188_log")"
+  host_188_result="$(grep -E '^Result:' "$host_188_log" | tail -n 1 | sed 's/^Result: //')"
+fi
+
+wazuh_registry_accepted="unknown"
+wazuh_route_code="unknown"
+wazuh_transport_count="unknown"
+wazuh_dashboard_degraded="unknown"
+wazuh_runtime_gate="0"
+if [[ "$RUN_WAZUH_GATES" -eq 1 ]]; then
+  wazuh_coverage_log="$ARTIFACT_DIR/wazuh-managed-host-coverage.log"
+  wazuh_runtime_log="$ARTIFACT_DIR/wazuh-runtime-gate.log"
+  python3 "$ROOT_DIR/scripts/security/wazuh-managed-host-coverage-gate.py" --root "$ROOT_DIR" >"$wazuh_coverage_log" 2>&1 || true
+  python3 "$ROOT_DIR/scripts/security/wazuh-agent-visibility-runtime-gate.py" --root "$ROOT_DIR" >"$wazuh_runtime_log" 2>&1 || true
+  coverage_line="$(tail -n 1 "$wazuh_coverage_log" || true)"
+  runtime_line="$(tail -n 1 "$wazuh_runtime_log" || true)"
+  wazuh_registry_accepted="$(extract_named_token registry "$coverage_line")"
+  wazuh_route_code="$(extract_named_token route "$runtime_line")"
+  wazuh_transport_count="$(extract_named_token transport "$runtime_line")"
+  wazuh_dashboard_degraded="$(extract_named_token dashboard_degraded "$runtime_line")"
+  wazuh_runtime_gate="$(extract_named_token runtime_gate "$runtime_line")"
+fi
+
+runtime_action_authorized=0
+if [[ "$host_188_runtime_action" =~ ^[1-9][0-9]*$ || "$wazuh_runtime_gate" =~ ^[1-9][0-9]*$ ]]; then
+  runtime_action_authorized=1
+fi
+
+overall_declaration="GREEN"
+if [[ "$service_green" != "1" ]]; then
+  overall_declaration="SERVICE_BLOCKED"
+elif [[ "$dr_escrow_blocked" == "1" ]]; then
+  overall_declaration="FULL_STACK_GREEN_DR_ESCROW_BLOCKED"
+elif [[ "$host_188_hygiene_blocked" == "1" ]]; then
+  overall_declaration="FULL_STACK_GREEN_HOST_HYGIENE_BLOCKED"
+elif [[ "$wazuh_registry_accepted" == "0" ]]; then
+  overall_declaration="FULL_STACK_GREEN_SECURITY_REGISTRY_BLOCKED"
+elif [[ "$evidence_warn" != "0" && -n "$evidence_warn" ]]; then
+  overall_declaration="GREEN_WITH_EVIDENCE_WARNINGS"
+fi
+
+next_required_gates=()
+[[ "$dr_escrow_blocked" == "1" ]] && next_required_gates+=("credential_escrow_evidence")
+[[ "$host_188_hygiene_blocked" == "1" ]] && next_required_gates+=("host_188_hygiene_maintenance_window")
+[[ "$wazuh_registry_accepted" == "0" ]] && next_required_gates+=("wazuh_manager_registry_export")
+if [[ "${#next_required_gates[@]}" -eq 0 ]]; then
+  next_required_gates_csv="none"
+else
+  next_required_gates_csv="$(IFS=,; echo "${next_required_gates[*]}")"
+fi
+
+cat <<SUMMARY
+AWOOOI_POST_REBOOT_READINESS_SUMMARY=1
+TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S %Z')
+ARTIFACT_DIR=$ARTIFACT_DIR
+POST_START_RC=$post_start_rc
+POST_START_RESULT=${post_result:-unknown}
+POST_START_PASS=${post_pass:-unknown}
+POST_START_WARN=${post_warn:-unknown}
+POST_START_BLOCKED=${post_blocked:-unknown}
+POST_START_SERVICE_WARNINGS=${service_warn:-unknown}
+POST_START_BOUNDARY_WARNINGS=${boundary_warn:-unknown}
+POST_START_EVIDENCE_WARNINGS=${evidence_warn:-unknown}
+SERVICE_GREEN=$service_green
+PRODUCT_DATA_GREEN=$product_data_green
+BACKUP_CORE_GREEN=$backup_core_green
+DR_ESCROW_BLOCKED=$dr_escrow_blocked
+ESCROW_MISSING_COUNT=${escrow_missing_count:-unknown}
+HOST_188_SERVICE_GREEN=$host_188_service_green
+HOST_188_HYGIENE_BLOCKED=$host_188_hygiene_blocked
+HOST_188_CHECK_RC=$host_188_rc
+HOST_188_RESULT=$host_188_result
+WAZUH_ROUTE_CODE=$wazuh_route_code
+WAZUH_TRANSPORT_COUNT=$wazuh_transport_count
+WAZUH_DASHBOARD_DEGRADED=$wazuh_dashboard_degraded
+WAZUH_MANAGER_REGISTRY_ACCEPTED=$wazuh_registry_accepted
+WAZUH_RUNTIME_GATE=$wazuh_runtime_gate
+RUNTIME_ACTION_AUTHORIZED=$runtime_action_authorized
+OVERALL_DECLARATION=$overall_declaration
+NEXT_REQUIRED_GATES=$next_required_gates_csv
+SUMMARY
+
+if [[ "$SHOW_LOGS" -eq 1 ]]; then
+  for log_file in "$ARTIFACT_DIR"/*.log; do
+    printf '\n=== %s ===\n' "$log_file"
+    cat "$log_file"
+  done
+fi
+
+if [[ "$service_green" != "1" ]]; then
+  exit 2
+fi
+
+exit 0