fix(iwooos): redact public wazuh reviewer copy [skip ci]

2026-06-28 02:44:50 +08:00
parent 5e37777c87
commit d45a9f9ec3
2 changed files with 45 additions and 37 deletions
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -36,6 +36,7 @@ import Link from 'next/link'
 import { useTranslations } from 'next-intl'
 import { useEffect, useRef, useState, type ReactNode } from 'react'
 import { AppLayout } from '@/components/layout'
+import { publicBoundaryText } from '@/lib/public-security-redaction'
 import {
  apiClient,
  type IwoooSHighValueConfigControlCoverageCategory,
@@ -2936,7 +2937,7 @@ const ownerEvidenceIntakePreflightFallbackItems: OwnerEvidenceIntakePreflightDis
    rank: 'P0',
    title: '機密中繼資料 / 工作流程 / 執行器',
    state: 'coverage-derived candidate',
-    body: '只收 secret name、workflow diff、runner attestation、run readback 與 log redaction；secret value / runner token 拒收。',
+    body: '只收機密名稱、工作流程差異、執行器證明、run 讀回與日誌遮罩證據；機密明文與執行器憑證一律拒收。',
    icon: Lock,
    tone: 'locked',
  },
@@ -9959,11 +9960,11 @@ function IwoooSWazuhManagerRegistryReviewerValidationBoard() {
              }}
            >
              <code style={{ fontSize: 11, color: '#2f6265', fontWeight: 700, overflowWrap: 'anywhere' }}>{slot.slot_id}</code>
-              <div style={{ marginTop: 7, fontSize: 12, color: '#141413', fontWeight: 700 }}>{slot.title}</div>
+              <div style={{ marginTop: 7, fontSize: 12, color: '#141413', fontWeight: 700 }}>{publicBoundaryText(slot.title)}</div>
              <div style={{ marginTop: 7, display: 'grid', gap: 4, fontSize: 11, color: '#45686a' }}>
                <span>{t('slotReceivedLabel')}：{slot.received ? '1' : '0'}</span>
                <span>{t('slotAcceptedLabel')}：{slot.accepted ? '1' : '0'}</span>
-                <span>{t('slotNextGateLabel')}：{slot.next_gate}</span>
+                <span>{t('slotNextGateLabel')}：{publicBoundaryText(slot.next_gate)}</span>
              </div>
            </div>
          )) : (
@@ -9988,12 +9989,12 @@ function IwoooSWazuhManagerRegistryReviewerValidationBoard() {
                <span style={{ color: '#2f6265', fontSize: 12, fontWeight: 700 }}>{check.check_id}</span>
                <ListChecks size={16} color="#2d7478" />
              </div>
-              <div style={{ marginTop: 7, fontSize: 12, color: '#141413', fontWeight: 700 }}>{check.title}</div>
+              <div style={{ marginTop: 7, fontSize: 12, color: '#141413', fontWeight: 700 }}>{publicBoundaryText(check.title)}</div>
              <p style={{ margin: '6px 0 0', fontSize: 11, color: '#45686a', lineHeight: 1.45, ...textWrap }}>
-                {check.required_evidence}
+                {publicBoundaryText(check.required_evidence)}
              </p>
              <code style={{ display: 'block', marginTop: 7, fontSize: 10.5, color: '#2f6265', overflowWrap: 'anywhere' }}>
-                {check.failure_lane}
+                {publicBoundaryText(check.failure_lane)}
              </code>
            </div>
          )) : (
@@ -10034,7 +10035,7 @@ function IwoooSWazuhManagerRegistryReviewerValidationBoard() {
                  overflowWrap: 'anywhere',
                }}
              >
-                {item}
+                {publicBoundaryText(item)}
              </code>
            ))}
          </div>
--- a/apps/web/src/lib/public-security-redaction.ts
+++ b/apps/web/src/lib/public-security-redaction.ts
@@ -1,4 +1,11 @@
 export function publicBoundaryText(value: string): string {
+  const redacted = value
+    .replace(/live Wazuh/gi, "只讀管理端")
+    .replace(/runtime action/gi, "執行期變更")
+    .replace(/host write/gi, "主機變更")
+    .replace(/active response/gi, "主動回應流程")
+    .replace(/secret value/gi, "機密明文")
+    .replace(/raw secret/gi, "原始機密");
  const labels: Record<string, string> = {
    "security_compliance_route_preserved=true": "安全合規路由已保留，並整合到 IwoooS 權威入口。",
    "security_compliance_removed=false": "安全合規頁沒有被移除，但不再作為孤立入口。",
@@ -16,44 +23,44 @@ export function publicBoundaryText(value: string): string {
    "security_compliance_rollout_runtime_phase_enabled=false": "執行期階段尚未開放。",
    "security_compliance_rollout_enforcement_enabled=false": "強制執行尚未開放。",
  };
-  if (labels[value]) return labels[value];
-  if (value.includes("runtime_execution_authorized=false")) return "執行期操作未授權。";
-  if (value.includes("action_buttons_allowed=false")) return "此頁不提供可執行操作按鈕。";
-  if (value.includes("active_runtime_gate_count=0")) return "執行期閘門維持關閉。";
-  if (value.includes("owner_response_validation_received_count=0")) return "負責人回覆尚未收到。";
-  if (value.includes("owner_response_validation_accepted_count=0")) return "負責人回覆尚未接受。";
-  if (value.includes("owner_response_validation_rejected_count=0")) return "目前沒有正式拒收紀錄。";
-  if (value.includes("repo_creation_authorized=false")) return "未核准建立專案庫或修改可見性。";
-  if (value.includes("refs_mutation_authorized=false") || value.includes("refs_sync_authorized=false")) {
+  if (labels[redacted]) return labels[redacted];
+  if (redacted.includes("runtime_execution_authorized=false")) return "執行期操作未授權。";
+  if (redacted.includes("action_buttons_allowed=false")) return "此頁不提供可執行操作按鈕。";
+  if (redacted.includes("active_runtime_gate_count=0")) return "執行期閘門維持關閉。";
+  if (redacted.includes("owner_response_validation_received_count=0")) return "負責人回覆尚未收到。";
+  if (redacted.includes("owner_response_validation_accepted_count=0")) return "負責人回覆尚未接受。";
+  if (redacted.includes("owner_response_validation_rejected_count=0")) return "目前沒有正式拒收紀錄。";
+  if (redacted.includes("repo_creation_authorized=false")) return "未核准建立專案庫或修改可見性。";
+  if (redacted.includes("refs_mutation_authorized=false") || redacted.includes("refs_sync_authorized=false")) {
    return "未核准同步、刪除或強制推送分支 / 標籤。";
  }
-  if (value.includes("workflow_modification_authorized=false") || value.includes("workflow_secret_modification_authorized=false")) {
+  if (redacted.includes("workflow_modification_authorized=false") || redacted.includes("workflow_secret_modification_authorized=false")) {
    return "未核准修改工作流程、runner 或機密設定。";
  }
-  if (value.includes("secret_value_collection_allowed=false")) return "不得收集或顯示任何機密明文值。";
-  if (value.includes("github_primary_switch_authorized=false")) return "GitHub primary 尚未核准切換。";
-  if (value.includes("gitea_disablement_authorized=false")) return "Gitea 不得停用，仍是目前 CI/CD 來源。";
-  if (value.includes("execution_router_linked=false")) return "尚未連接執行路由。";
-  if (value.includes("security_run_created=false") || value.includes("github_primary_run_created=false")) {
+  if (redacted.includes("secret_value_collection_allowed=false")) return "不得收集或顯示任何機密明文值。";
+  if (redacted.includes("github_primary_switch_authorized=false")) return "GitHub primary 尚未核准切換。";
+  if (redacted.includes("gitea_disablement_authorized=false")) return "Gitea 不得停用，仍是目前 CI/CD 來源。";
+  if (redacted.includes("execution_router_linked=false")) return "尚未連接執行路由。";
+  if (redacted.includes("security_run_created=false") || redacted.includes("github_primary_run_created=false")) {
    return "目前沒有建立資安執行 run。";
  }
-  if (value.includes("approval_record_created=false") || value.includes("security_approval_record_created=false")) {
+  if (redacted.includes("approval_record_created=false") || redacted.includes("security_approval_record_created=false")) {
    return "目前沒有建立審批紀錄。";
  }
-  if (value.includes("platform_run_creation_authorized=false")) return "未核准建立平台 run。";
-  if (value.includes("not_authorization=true")) return "此區塊僅為只讀證據，不代表授權。";
-  if (value.includes("contract_publish_authorized=false")) return "未核准發布或改版合約。";
-  if (value.includes("contract_mutation_authorized=false")) return "未核准修改合約內容。";
-  if (value.includes("send_owner_request_allowed=false")) return "未核准送出負責人請求。";
-  if (value.includes("mark_received_allowed=false")) return "未核准標記已收到。";
-  if (value.includes("mark_accepted_allowed=false")) return "未核准標記已接受。";
-  if (value.includes("nginx_reload_authorized=false")) return "未核准 Nginx reload 或公開入口變更。";
-  if (value.includes("agent_bounty_runtime_authorized=false")) return "agent-bounty-protocol 執行期維持關閉。";
-  if (value.includes("github_primary_approval_granted=false")) return "GitHub primary 尚未獲得審批。";
-  if (value.includes("owner_response_accepted_count=0")) return "負責人回覆接受數仍為 0。";
-  if (value.includes("_count=0")) return "目前計數仍為 0，僅供只讀觀測。";
-  if (value.includes("=false")) return "目前狀態為未授權，僅供只讀觀測。";
-  return value;
+  if (redacted.includes("platform_run_creation_authorized=false")) return "未核准建立平台 run。";
+  if (redacted.includes("not_authorization=true")) return "此區塊僅為只讀證據，不代表授權。";
+  if (redacted.includes("contract_publish_authorized=false")) return "未核准發布或改版合約。";
+  if (redacted.includes("contract_mutation_authorized=false")) return "未核准修改合約內容。";
+  if (redacted.includes("send_owner_request_allowed=false")) return "未核准送出負責人請求。";
+  if (redacted.includes("mark_received_allowed=false")) return "未核准標記已收到。";
+  if (redacted.includes("mark_accepted_allowed=false")) return "未核准標記已接受。";
+  if (redacted.includes("nginx_reload_authorized=false")) return "未核准 Nginx reload 或公開入口變更。";
+  if (redacted.includes("agent_bounty_runtime_authorized=false")) return "agent-bounty-protocol 執行期維持關閉。";
+  if (redacted.includes("github_primary_approval_granted=false")) return "GitHub primary 尚未獲得審批。";
+  if (redacted.includes("owner_response_accepted_count=0")) return "負責人回覆接受數仍為 0。";
+  if (redacted.includes("_count=0")) return "目前計數仍為 0，僅供只讀觀測。";
+  if (redacted.includes("=false")) return "目前狀態為未授權，僅供只讀觀測。";
+  return redacted;
 }

 export function publicContractText(value: string): string {