feat(iwooos): mark wazuh reviewer post-enable readback
@@ -29577,6 +29577,7 @@ def validate(root: Path) -> None:
|
||||
"wazuh_manager_registry_reviewer_validation_owner_registry_export_received_count=1",
|
||||
"wazuh_manager_registry_reviewer_validation_owner_registry_export_accepted_count=1",
|
||||
"wazuh_manager_registry_reviewer_validation_passed_count=1",
|
||||
"wazuh_manager_registry_reviewer_validation_post_enable_readback_passed_count=1",
|
||||
"wazuh_manager_registry_reviewer_validation_manager_registry_accepted_count=0",
|
||||
"wazuh_manager_registry_reviewer_validation_runtime_gate_count=0",
|
||||
]:
|
||||
@@ -29606,6 +29607,7 @@ def validate(root: Path) -> None:
|
||||
"wazuh_manager_registry_reviewer_validation_owner_registry_export_received_count=1",
|
||||
"wazuh_manager_registry_reviewer_validation_owner_registry_export_accepted_count=1",
|
||||
"wazuh_manager_registry_reviewer_validation_passed_count=1",
|
||||
"wazuh_manager_registry_reviewer_validation_post_enable_readback_passed_count=1",
|
||||
"wazuh_manager_registry_reviewer_validation_manager_registry_accepted_count=0",
|
||||
"wazuh_manager_registry_reviewer_validation_runtime_gate_count=0",
|
||||
]:
|
||||
|
||||
@@ -128,9 +128,9 @@ REVIEWER_VALIDATION_CHECKS = [
|
||||
},
|
||||
{
|
||||
"check_id": "RV-10",
|
||||
"title": "Post-enable IwoooS readback 仍是下一關",
|
||||
"required_evidence": "即使 reviewer 未來接受 evidence,也只能進 read-only posture;必須另有 post-enable readback 才能更新 runtime truth。",
|
||||
"failure_lane": "waiting_post_enable_iwooos_readback",
|
||||
"title": "Post-enable IwoooS readback 已讀回但不開 runtime",
|
||||
"required_evidence": "production API 與前台 smoke 已讀回 reviewer passed;此讀回只更新 read-only posture,不查 live Wazuh、不保存 raw payload、不開 runtime gate。",
|
||||
"failure_lane": "post_enable_iwooos_readback_passed_no_runtime",
|
||||
},
|
||||
]
|
||||
|
||||
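Review bot: The new RV-10 `failure_lane` value `post_enable_iwooos_readback_passed_no_runtime` does not match the lane added to OUTCOME_LANES in the next hunk, `post_enable_iwooos_readback_passed`, whereas the previous pair used the identical string `waiting_post_enable_iwooos_readback` in both places. If failure lanes are expected to be members of OUTCOME_LANES (this cannot be confirmed from the hunk), anything that checks that membership will now reject RV-10, and even if nothing does, the drift makes the lane harder to trace in evidence. Either change the check to `"failure_lane": "post_enable_iwooos_readback_passed",` or add `"post_enable_iwooos_readback_passed_no_runtime",` to OUTCOME_LANES so the two stay aligned. The REVIEWER_VALIDATION_CHECKS list starts before this hunk.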
@@ -147,7 +147,8 @@ OUTCOME_LANES = [
|
||||
"reject_runtime_action_request",
|
||||
"ready_for_reviewer_validation",
|
||||
"accepted_for_readonly_posture_only",
|
||||
"waiting_post_enable_iwooos_readback",
|
||||
"post_enable_iwooos_readback_passed",
|
||||
"manager_registry_acceptance_evidence_review",
|
||||
]
|
||||
|
||||
EVIDENCE_SLOTS = [
|
||||
@@ -292,8 +293,8 @@ def build_snapshot(generated_at: str) -> dict[str, Any]:
|
||||
return {
|
||||
"schema_version": SCHEMA_VERSION,
|
||||
"generated_at": generated_at,
|
||||
"status": "accepted_for_readonly_posture_only",
|
||||
"mode": "committed_validation_passed_readback_no_runtime_no_secret_collection",
|
||||
"status": "post_enable_iwooos_readback_passed_no_runtime_no_secret_collection",
|
||||
"mode": "committed_post_enable_iwooos_readback_passed_no_runtime_no_secret_collection",
|
||||
"scope": "wazuh_manager_registry_owner_export_reviewer_validation",
|
||||
"source_refs": [
|
||||
"docs/security/wazuh-agent-visibility-owner-evidence-preflight.snapshot.json",
|
||||
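Review bot: The new status and mode strings are written out as literals here in build_snapshot and again, character for character, in the validate hunk at line 365; the previous lane transition also required editing both sites, and a future one that updates only one side would make validate fail or, worse, accept a snapshot with a stale posture. Hoisting them to module constants, e.g. `SNAPSHOT_STATUS = "post_enable_iwooos_readback_passed_no_runtime_no_secret_collection"` and `SNAPSHOT_MODE = "committed_post_enable_iwooos_readback_passed_no_runtime_no_secret_collection"`, and using them in both the dict and the `assert_equal` calls removes the duplication. build_snapshot begins before this hunk and continues past it.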
@@ -315,7 +316,7 @@ def build_snapshot(generated_at: str) -> dict[str, Any]:
|
||||
"reviewer_validation_failed_count": 0,
|
||||
"reviewer_validation_quarantined_count": 0,
|
||||
"manager_registry_accepted_count": 0,
|
||||
"post_enable_readback_passed_count": 0,
|
||||
"post_enable_readback_passed_count": 1,
|
||||
"runtime_gate_count": 0,
|
||||
"host_write_authorized_count": 0,
|
||||
"active_response_authorized_count": 0,
|
||||
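Review bot: `post_enable_readback_passed_count` is now set to 1 by construction in build_snapshot, but nothing visible in this hunk or the surrounding ones ties that count to the readback evidence the new no_false_green_rules entry describes (production API and front-end smoke); the only `source_refs` entry shown is the owner-evidence preflight snapshot. If the readback evidence lives in a committed artifact, adding its path to `source_refs` next to the preflight snapshot keeps the count auditable rather than asserted; if it does not, a why-comment such as `# 1 = post-enable readback observed; evidence ref: <path TBD>` would at least mark the gap. The rest of build_snapshot lies outside this hunk, so a reference there may already exist.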
@@ -332,7 +333,7 @@ def build_snapshot(generated_at: str) -> dict[str, Any]:
|
||||
"received": True,
|
||||
"accepted": True,
|
||||
"quarantined": False,
|
||||
"next_gate": "post_enable_iwooos_readback",
|
||||
"next_gate": "manager_registry_acceptance_evidence_review",
|
||||
}
|
||||
for slot in EVIDENCE_SLOTS
|
||||
],
|
||||
@@ -355,6 +356,7 @@ def build_snapshot(generated_at: str) -> dict[str, Any]:
|
||||
},
|
||||
"no_false_green_rules": [
|
||||
"reviewer validation passed 只代表脫敏 owner export refs 通過 no-persist 驗證。",
|
||||
"post-enable IwoooS readback passed 只代表 production API / 前台已讀回 reviewer passed,不代表 live Wazuh 查詢或 runtime action。",
|
||||
"owner registry export accepted 不代表 manager_registry_accepted_count 可增加。",
|
||||
"Dashboard 可見、index pattern 三綠勾、HTTP 200 或 transport observed 不可替代 manager registry counts。",
|
||||
"reviewer accepted 只可更新只讀 posture;active response、agent restart、reenroll、host write、secret rotation 或掃描仍需獨立 runtime gate。",
|
||||
@@ -365,8 +367,12 @@ def build_snapshot(generated_at: str) -> dict[str, Any]:
|
||||
def validate(root: Path) -> None:
|
||||
snapshot = load_json(root / SNAPSHOT_PATH)
|
||||
assert_equal("schema_version", snapshot.get("schema_version"), SCHEMA_VERSION)
|
||||
assert_equal("status", snapshot.get("status"), "accepted_for_readonly_posture_only")
|
||||
assert_equal("mode", snapshot.get("mode"), "committed_validation_passed_readback_no_runtime_no_secret_collection")
|
||||
assert_equal("status", snapshot.get("status"), "post_enable_iwooos_readback_passed_no_runtime_no_secret_collection")
|
||||
assert_equal(
|
||||
"mode",
|
||||
snapshot.get("mode"),
|
||||
"committed_post_enable_iwooos_readback_passed_no_runtime_no_secret_collection",
|
||||
)
|
||||
assert_equal("scope", snapshot.get("scope"), "wazuh_manager_registry_owner_export_reviewer_validation")
|
||||
assert_equal("expected_scope_aliases", snapshot.get("expected_scope_aliases"), EXPECTED_SCOPE_ALIASES)
|
||||
assert_equal("required_owner_fields", snapshot.get("required_owner_fields"), REQUIRED_OWNER_FIELDS)
|
||||
@@ -394,13 +400,13 @@ def validate(root: Path) -> None:
|
||||
"owner_registry_export_accepted_count",
|
||||
"reviewer_validation_ready_count",
|
||||
"reviewer_validation_passed_count",
|
||||
"post_enable_readback_passed_count",
|
||||
]:
|
||||
assert_equal(f"summary.{key}", summary.get(key), 1)
|
||||
for key in [
|
||||
"reviewer_validation_failed_count",
|
||||
"reviewer_validation_quarantined_count",
|
||||
"manager_registry_accepted_count",
|
||||
"post_enable_readback_passed_count",
|
||||
"runtime_gate_count",
|
||||
"host_write_authorized_count",
|
||||
"active_response_authorized_count",
|
||||
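Review bot: `post_enable_readback_passed_count` appears both in the loop asserting `summary.{key} == 1` and in the loop asserting `== 0` within this hunk; the rendering has lost the add/remove markers, so this is presumably the key moving from the second list to the first, but if both occurrences survive on the new side validate will always fail on one of them. Worth confirming the zero-expected list no longer contains the key after this change. A single expected-summary dict iterated with `for key, expected in EXPECTED_SUMMARY.items(): assert_equal(f"summary.{key}", summary.get(key), expected)` would make such a double listing impossible. validate's body starts before and continues after this hunk.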
@@ -415,7 +421,11 @@ def validate(root: Path) -> None:
|
||||
assert_equal(f"evidence_slots.{slot.get('slot_id')}.received", slot.get("received"), True)
|
||||
assert_equal(f"evidence_slots.{slot.get('slot_id')}.accepted", slot.get("accepted"), True)
|
||||
assert_false(f"evidence_slots.{slot.get('slot_id')}.quarantined", slot.get("quarantined"))
|
||||
assert_equal(f"evidence_slots.{slot.get('slot_id')}.next_gate", slot.get("next_gate"), "post_enable_iwooos_readback")
|
||||
assert_equal(
|
||||
f"evidence_slots.{slot.get('slot_id')}.next_gate",
|
||||
slot.get("next_gate"),
|
||||
"manager_registry_acceptance_evidence_review",
|
||||
)
|
||||
|
||||
boundaries = snapshot.get("execution_boundaries", {})
|
||||
for key, value in boundaries.items():
|
||||
@@ -454,6 +464,7 @@ def main() -> None:
|
||||
f"slots={summary['evidence_slot_count']} "
|
||||
f"received={summary['owner_registry_export_received_count']} "
|
||||
f"accepted={summary['owner_registry_export_accepted_count']} "
|
||||
f"post_enable={summary['post_enable_readback_passed_count']} "
|
||||
f"runtime_gate={summary['runtime_gate_count']}"
|
||||
)
|
||||
|
||||
|
||||