fix(iwooos): split Wazuh release gate layers
This commit is contained in:
ogt
@@ -1,3 +1,27 @@
|
||||
## 2026-06-25|Wazuh release gate feature branch / formal release 分層校正
|
||||
|
||||
**背景**:Wazuh release gate snapshot 仍把 `gitea_push_complete_count` 留在 `0`,但 feature branch 已可由 Gitea 讀回。若不拆層,另一個工作視窗會把「feature branch 已推送」與「formal main release / production deploy 尚未完成」混在一起判讀。
|
||||
|
||||
**完成**:
|
||||
- `scripts/security/wazuh-readonly-release-gate.py` 改為固定 source-side 與 feature branch push 已完成。
|
||||
- `docs/security/wazuh-readonly-release-gate.snapshot.json` 更新為 `source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。
|
||||
- 新增 `formal_main_release_complete_count=0` 與 `formal_main_release` gate,明確等待正式 release lane 合併到 `main` 或套用等效 patch。
|
||||
- `IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md` 同步拆開 feature branch push、formal main release、production deploy、production readback 與 live metadata env enable。
|
||||
- 保留 production predeploy readback `404 / runtime_gate=0`;不得把 feature branch push 當成 production 已部署或 Wazuh live query 已授權。
|
||||
|
||||
**驗證**:
|
||||
- `python3 scripts/security/wazuh-readonly-release-gate.py --root . --output docs/security/wazuh-readonly-release-gate.snapshot.json --generated-at 2026-06-25T23:40:00+08:00`:`source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。
|
||||
- `security-mirror-progress-guard.py`、`doc-secrets-sanity-check.py`、`py_compile`、`git diff --check`、diff 洩漏掃描與 production `predeploy_404_observed` 讀回皆已通過。
|
||||
|
||||
**完成度同步**:
|
||||
- Wazuh release gate 分層正確性:`100%` source-side。
|
||||
- Wazuh feature branch push:`100%`。
|
||||
- Formal main release:`0%`。
|
||||
- Production deploy / readback:`0%`。
|
||||
- Wazuh live metadata env、event refs、host forensic refs accepted、active response、host write、Kali active scan:仍維持 `0%`。
|
||||
|
||||
**邊界**:本輪只校正 repo gate、snapshot 與 handoff 文件;沒有查 Wazuh、沒有 SSH、沒有讀 secret、沒有部署、沒有改 Nginx / Docker / K8s / firewall,也沒有啟用 active response。
|
||||
|
||||
## 2026-06-25|Wazuh agent registry owner evidence 收件預檢
|
||||
|
||||
**背景**:Wazuh 用戶端消失事故的下一個關鍵不是再看 Dashboard,而是讓 owner 能用脫敏、可驗收的格式提供 manager registry truth。若沒有收件 preflight,agent 數字、截圖、raw log 或口頭回覆都容易被誤當成驗收證據。
|
||||
@@ -77,7 +101,7 @@
|
||||
|
||||
## 2026-06-25|Wazuh release handoff 分層狀態校正
|
||||
|
||||
**背景**:Wazuh release handoff 仍把「Gitea push」寫成 `0%`,容易讓另一個工作視窗誤會 feature branch 尚未推送。實際狀態是 feature branch 已推送,但 formal main release、production deploy 與 live metadata env enable 仍為 `0%`。
|
||||
**背景**:Wazuh release handoff 仍把「Gitea push」寫成 `0%`,容易讓另一個工作視窗誤會 feature branch 還卡在等待狀態。實際狀態是 feature branch 已推送,但 formal main release、production deploy 與 live metadata env enable 仍為 `0%`。
|
||||
|
||||
**完成**:
|
||||
- `IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md` 新增目前分層狀態。
|
||||
@@ -351,8 +375,8 @@
|
||||
- 已同步 `盤查 CI/CD 與環境機制`:請維持 `wazuh_live_agent_registry_readback=0`、`iwooos_wazuh_runtime_gate=0`、`active_response=0`,不要把 Wazuh 標成 live agent registry 已閉環。
|
||||
|
||||
**Gitea branch readback**:
|
||||
- HTTPS `gitea` push 仍因非互動式 credential 缺失失敗;本輪沒有要求或保存 secret。
|
||||
- 內網 Gitea branch `codex/iwooos-wazuh-boundary-guard-20260624` 已建立,readback HEAD `3d173712f3b20e21e96f99d2ebdc737f6f84438b`。
|
||||
- 後續已完成 feature branch push;正式 release 仍需由合規 lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 到 `main` 或套用等效 patch。
|
||||
- 內網 Gitea branch `codex/iwooos-wazuh-boundary-guard-20260624` 已建立;精確 HEAD 以最新 `git ls-remote` 讀回為準,避免 LOGBOOK commit 後自我漂移。
|
||||
- `main` 未被本輪更新;production Wazuh readback 仍為 `predeploy_404_observed`,不得視為部署完成。
|
||||
|
||||
**完成度**:
|
||||
@@ -399,7 +423,7 @@
|
||||
- `pytest apps/api/tests/test_iwooos_wazuh_api.py`:`4 passed`。
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。
|
||||
- `python3 scripts/security/wazuh-readonly-route-boundary-guard.py --root .`:`route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/wazuh-readonly-release-gate.py --root .`:`source=1 push=0 deploy=0 readback=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/wazuh-readonly-release-gate.py --root .`:已由 2026-06-25 分層校正更新為 `source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/wazuh-readonly-release-lane-preflight.py --root .`:`ready=0 acks=0/6 evidence=0/6 runtime_gate=0`。
|
||||
- `python3 scripts/security/wazuh-readonly-release-owner-request.py --root .`:`drafts=1 sent=0 accepted=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/wazuh-readonly-release-owner-response-acceptance.py --root .`:`received=0 accepted=0 acks=0/6 evidence=0/6 runtime_gate=0`。
|
||||
@@ -513,7 +537,7 @@
|
||||
|
||||
**Wazuh 分工邊界**:
|
||||
- IwoooS 主控視窗同步的 Wazuh 只讀 API 邊界已改為 release 前 readback 模式;Wazuh API commit、最終分支 HEAD 與 release patch set SHA-256 需在 final docs commit 後以 `git log --oneline gitea/main..HEAD`、`git rev-parse HEAD`、`git format-patch gitea/main..HEAD`、`shasum -a 256` 讀回,避免 rebase 後 hash 漂移。
|
||||
- 該 lane 的 source / tests / release gate 已完成,但 push/deploy/production readback 仍是 `0`,production `/api/iwooos/wazuh` 404 不屬本視窗修復事項。
|
||||
- 該 lane 的 source / tests / release gate 已完成;後續 feature branch push 已完成,但 formal main release / production deploy / production readback 仍是 `0`,production `/api/iwooos/wazuh` 404 不屬本視窗修復事項。
|
||||
- 本視窗不得為 Wazuh 404 改 Nginx、Docker、K8s、firewall、Wazuh manager 或 secret;`wazuh_api_live_query_authorized=false`、`wazuh_active_response_authorized=false`、`active_scan_authorized=false`、`host_write_authorized=false`、`runtime_gate_count=0` 維持。
|
||||
|
||||
**判定**:
|
||||
@@ -560,12 +584,12 @@
|
||||
- 新增 `wazuh-readonly-route-boundary-guard.py`,同時掃 Next.js route、FastAPI route 與 IwoooS 前台,阻擋硬編 Wazuh 內網 URL / port、帳密、`NODE_TLS_REJECT_UNAUTHORIZED`、假 SOC dashboard、假 CVE、raw payload 或 legacy dashboard component 回流。
|
||||
- `security-mirror-progress-guard.py` 已直接呼叫此 guard,讓 Wazuh 接線邊界進入既有 IwoooS security mirror gate。
|
||||
- 新增 `wazuh-readonly-production-readback.py`,供 release 後驗證 production `/api/iwooos/wazuh` 不再 404,且 schema、status、0 / false 邊界與防洩漏條件都正確;predeploy 404 只能用 `--allow-predeploy-404` 記錄現況,不可當正式驗收。
|
||||
- 新增 `wazuh-readonly-release-gate.py` 與 `wazuh-readonly-release-gate.snapshot.json`,固定 source-side 已完成、Gitea push / production deploy / production readback 尚未完成,並由 `security-mirror-progress-guard.py` 驗證。
|
||||
- 新增 `wazuh-readonly-release-gate.py` 與 `wazuh-readonly-release-gate.snapshot.json`,固定 source-side 已完成;最新分層狀態已改為 feature branch push 已完成,formal main release / production deploy / production readback 尚未完成,並由 `security-mirror-progress-guard.py` 驗證。
|
||||
|
||||
**驗證**:
|
||||
- `pytest apps/api/tests/test_iwooos_wazuh_api.py` → `4 passed`。
|
||||
- `python3 scripts/security/wazuh-readonly-route-boundary-guard.py --root .` → `WAZUH_READONLY_ROUTE_BOUNDARY_GUARD_OK route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/wazuh-readonly-release-gate.py --root .` → `WAZUH_READONLY_RELEASE_GATE_OK source=1 push=0 deploy=0 readback=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/wazuh-readonly-release-gate.py --root .` → 最新分層校正後為 `WAZUH_READONLY_RELEASE_GATE_OK source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。
|
||||
- `python3 -m py_compile apps/api/src/api/v1/iwooos.py scripts/security/wazuh-readonly-route-boundary-guard.py scripts/security/security-mirror-progress-guard.py` 通過。
|
||||
- `python3 scripts/security/wazuh-readonly-production-readback.py --allow-predeploy-404 --json` 可記錄尚未部署現況;正式部署後需不加 allow flag,且不得回 404。
|
||||
@@ -576,21 +600,21 @@
|
||||
- Wazuh route boundary source guard:`100%`。
|
||||
- Production readback 驗收腳本:`100%`。
|
||||
- Wazuh release gate snapshot / guard:`100%`。
|
||||
- Production deploy / readback:`0%`,尚未推送與部署。
|
||||
- Formal main release / production deploy / readback:`0%`,feature branch 已推送,但尚未由正式 release lane 合併主線與部署。
|
||||
- Wazuh server-side env enable:`0%`,尚未由 secrets / env gate 啟用。
|
||||
- Wazuh event refs、host forensic refs、containment decision、recovery proof accepted:全部 `0%`。
|
||||
- active response、host write、Kali active scan、firewall / Nginx / Docker / K8s runtime action:全部 `0 / false`。
|
||||
|
||||
**邊界**:本輪只做 source-side API 相容路由、測試與 guard;沒有 SSH、沒有查 live Wazuh API、沒有讀或保存 secret、沒有改 Nginx / firewall / Docker / K8s、沒有 active scan、沒有 Wazuh active response、沒有 Telegram 實發、沒有 production deploy。
|
||||
|
||||
**Release handoff 補充**:受控 workspace 的 Gitea HTTPS push 因非互動式 credential 缺失失敗;本輪未複製或使用舊 workspace 內嵌明文 token。已新增 `docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md`,供具備正式 Gitea / release 權限的 lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD 或同等 patch,並以 production `/api/iwooos/wazuh` readback 驗證不再 404。
|
||||
**Release handoff 補充**:後續已完成 feature branch push;本輪未複製或使用舊 workspace 內嵌明文 token。已新增 `docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md`,供具備正式 Gitea / release 權限的 lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD 或同等 patch,並以 production `/api/iwooos/wazuh` readback 驗證不再 404。
|
||||
|
||||
**Release apply proof 補充,21:58 Asia/Taipei**:
|
||||
- Wazuh API commit、最終分支 HEAD 與 release patch set SHA-256 不硬寫進 committed 文件,需在 final docs commit 後以命令讀回。
|
||||
- 已從當時最新 `gitea/main` 建立獨立 worktree 並套用 patch set 成功;後續若主線或文件 commit 再變動,release 執行者需重新 `git format-patch gitea/main..HEAD` 與 apply-check,避免沿用舊 patch SHA。
|
||||
- 乾淨套用 worktree 通過 `pytest apps/api/tests/test_iwooos_wazuh_api.py`、`wazuh-readonly-route-boundary-guard.py`、`wazuh-readonly-release-gate.py`、`security-mirror-progress-guard.py`、`doc-secrets-sanity-check.py`、`py_compile` 與 `git diff --check`。
|
||||
- `docs/security/wazuh-readonly-release-gate.snapshot.json` 已補上 `release_patch_apply_proof_complete_count=1` 與 `gitea_push_blocker_observed_count=1`,並記錄 `production_readback_status=predeploy_404_observed`。
|
||||
- 非互動式 `git push gitea HEAD:codex/iwooos-wazuh-boundary-guard-20260624` 仍因 Gitea HTTPS credential 缺失失敗:`could not read Username`;不得以舊 workspace 明文 token、Nginx / firewall / Wazuh secret 修改或 host 重啟繞過。
|
||||
- `docs/security/wazuh-readonly-release-gate.snapshot.json` 已由 2026-06-25 分層校正更新為 `release_patch_apply_proof_complete_count=1`、`gitea_push_complete_count=1`、`formal_main_release_complete_count=0`,並記錄 `production_readback_status=predeploy_404_observed`。
|
||||
- feature branch push 後仍不得以舊 workspace 明文 token、Nginx / firewall / Wazuh secret 修改或 host 重啟繞過 formal main release / production deploy gate。
|
||||
- Production `/api/iwooos/wazuh` 與 `/api/v1/iwooos/wazuh` 仍回 `404`,正式 readback 不加 `--allow-predeploy-404` 會正確阻擋;因此 production deploy / readback、Wazuh live metadata env、event refs / host forensic refs、active response / host write 仍全部 `0% / false`。
|
||||
|
||||
**Release lane preflight 補充,22:20 Asia/Taipei**:
|
||||
@@ -598,22 +622,22 @@
|
||||
- 新增 `scripts/security/wazuh-readonly-release-lane-preflight.py` 與 `docs/security/wazuh-readonly-release-lane-preflight.snapshot.json`,並接入 `security-mirror-progress-guard.py`。
|
||||
- Preflight 固定三條合規 release lane:`formal_gitea_merge`、`formal_patch_apply`、`maintainer_local_push_with_safe_credential`;目前 `formal_release_lane_ready_count=0`、ack `0/6`、evidence `0/6`。
|
||||
- 明確阻擋:明文 Gitea token remote、從髒 workspace 複製 token、force push、Nginx / Docker / K8s / firewall workaround、Wazuh secret / manager 變更、未經 owner gate 啟用 live metadata、Wazuh active response、host write、Kali active scan。
|
||||
- 完成度:release lane preflight artifact / guard `100%`;owner acks / evidence `0%`;Gitea push / production deploy / production readback / runtime gate 仍 `0%`。
|
||||
- 完成度:release lane preflight artifact / guard `100%`;feature branch push 現已 `100%`;owner acks / evidence、formal main release、production deploy、production readback、runtime gate 仍 `0%`。
|
||||
- 邊界:本段沒有讀 git credential、沒有推送、沒有部署、沒有 Wazuh live query、沒有 host write、沒有 runtime action;只是把 release blocker 變成可審核 gate。
|
||||
|
||||
**Release lane rebase/readback 補充,22:26 Asia/Taipei**:
|
||||
- `gitea/main` 已再前進到 `ffc167e2 docs(ops): record momo production import boundary readback [skip ci]`;Wazuh 分支已 rebase 到此基底,沒有覆蓋 MOMO production import boundary readback 紀錄。
|
||||
- Rebase 後 Wazuh 分支目前只比 `gitea/main` 多三個提交:`9b40ca89 fix(iwooos): 接上 Wazuh 只讀 API 邊界`、`8435a435 docs(iwooos): 記錄 Wazuh release apply proof`、`59188ca1 feat(iwooos): 新增 Wazuh release lane preflight`。
|
||||
- 已重新產生 `docs/security/wazuh-readonly-release-gate.snapshot.json` 與 `docs/security/wazuh-readonly-release-lane-preflight.snapshot.json`;兩者仍固定 source / guard 已完成,但 push、deploy、production readback、runtime gate 仍為 `0`。
|
||||
- 已重新產生 `docs/security/wazuh-readonly-release-gate.snapshot.json` 與 `docs/security/wazuh-readonly-release-lane-preflight.snapshot.json`;最新分層固定 source / guard / feature branch push 已完成,但 formal main release、deploy、production readback、runtime gate 仍為 `0`。
|
||||
- Rebase 後重跑 `pytest apps/api/tests/test_iwooos_wazuh_api.py`、Wazuh route guard、release gate、release-lane preflight、`security-mirror-progress-guard.py`、`doc-secrets-sanity-check.py`、`py_compile`、`git diff --check` 全部通過;正式 production readback 不加 `--allow-predeploy-404` 仍正確阻擋 `404`。
|
||||
- 完成度:rebase / snapshot refresh `100%`;formal release lane owner acks `0/6`、evidence `0/6`;Gitea push / production deploy / production readback `0%`。
|
||||
- 完成度:rebase / snapshot refresh `100%`;feature branch push 現已 `100%`;formal release lane owner acks `0/6`、evidence `0/6`;formal main release / production deploy / production readback `0%`。
|
||||
- 邊界:本段沒有讀 git credential、沒有推送、沒有部署、沒有 live Wazuh query、沒有 Nginx / Docker / K8s / firewall / host / Wazuh secret 變更。
|
||||
|
||||
**Release owner request / acceptance 補充,22:32 Asia/Taipei**:
|
||||
- 新增 `scripts/security/wazuh-readonly-release-owner-request.py`、`docs/security/wazuh-readonly-release-owner-request.snapshot.json`、`scripts/security/wazuh-readonly-release-owner-response-acceptance.py`、`docs/security/wazuh-readonly-release-owner-response-acceptance.snapshot.json`,並接入 `security-mirror-progress-guard.py`。
|
||||
- Owner request 草稿固定 required ack flags `6`、required evidence fields `6`、allowed release methods `3`、forbidden payloads `12`、blocked actions `11`;目前 request sent `0`、owner response accepted `0`、runtime gate `0`。
|
||||
- Owner response acceptance 帳本固定 reviewer checks `15`、outcome lanes `10`、blocked actions `13`;目前 received `0`、accepted `0`、acks `0/6`、evidence `0/6`、formal release ready `0`。
|
||||
- 完成度:release owner request / acceptance artifact 與 guard `100%`;正式 owner response / release ready / push / deploy / production readback `0%`。
|
||||
- 完成度:release owner request / acceptance artifact 與 guard `100%`;正式 owner response / release ready / formal main release / deploy / production readback `0%`。
|
||||
- 邊界:本段沒有發送 request、沒有收件、沒有讀 credential、沒有推送、沒有部署、沒有 Wazuh live query、沒有 runtime action;一般「批准繼續」仍不可當 release lane owner response。
|
||||
|
||||
**Live metadata env gate 補充,22:42 Asia/Taipei**:
|
||||
@@ -625,8 +649,8 @@
|
||||
**Release lane rebase/readback 補充,22:48 Asia/Taipei**:
|
||||
- `gitea/main` 已再前進到 `b540fc0c docs(ops): record momo source absence readback [skip ci]`;Wazuh 分支已 rebase 到此基底,沒有覆蓋 MOMO source absence / recovery readback 紀錄。
|
||||
- Rebase 後 Wazuh 分支目前只比 `gitea/main` 多六個提交:`38dc3c2f fix(iwooos): 接上 Wazuh 只讀 API 邊界`、`9a53d3e1 docs(iwooos): 記錄 Wazuh release apply proof`、`e9972d47 feat(iwooos): 新增 Wazuh release lane preflight`、`758d419e docs(iwooos): refresh Wazuh release lane readback`、`04db4b8a feat(iwooos): define Wazuh release owner gate`、`8eec298e feat(iwooos): add Wazuh live metadata env gate`。
|
||||
- 已重新產生 Wazuh release gate、release lane preflight、owner request、owner response acceptance 與 live metadata env gate snapshots;全部仍固定 push、deploy、production readback、runtime gate、live query、active response、host write 為 `0`。
|
||||
- 完成度:rebase / snapshot refresh `100%`;formal release lane owner acks `0/6`、evidence `0/6`;live metadata owner accepted `0`;Gitea push / production deploy / production readback `0%`。
|
||||
- 已重新產生 Wazuh release gate、release lane preflight、owner request、owner response acceptance 與 live metadata env gate snapshots;最新分層固定 formal main release、deploy、production readback、runtime gate、live query、active response、host write 為 `0`。
|
||||
- 完成度:rebase / snapshot refresh `100%`;feature branch push 現已 `100%`;formal release lane owner acks `0/6`、evidence `0/6`;live metadata owner accepted `0`;formal main release / production deploy / production readback `0%`。
|
||||
- 邊界:本段沒有讀 git credential、沒有推送、沒有部署、沒有 Wazuh live query、沒有 secret collection、沒有 Nginx / Docker / K8s / firewall / host / Wazuh secret 變更。
|
||||
|
||||
## 2026-06-24|21:04 recovery readback 與 MOMO V10.651 雙機基準收斂
|
||||
|
||||
@@ -66,8 +66,8 @@
|
||||
- 不回傳 raw Wazuh payload、agent 原名、內網 IP、token、password 或 secret。
|
||||
- 新增 source guard,阻擋硬編 Wazuh 內網 URL / port、帳密、關 TLS、假 SOC dashboard、假 CVE、raw payload 與 legacy dashboard component 回流。
|
||||
- 新增 production readback 腳本,部署後可直接驗證 public API 不再 404、schema / status / boundary 正確,且沒有 raw payload、內網 IP、agent 原名或 secret 洩漏。
|
||||
- 新增 release gate snapshot 與 guard,固定 source-side 已完成、Gitea push / production deploy / production readback 尚未完成,避免後續把 predeploy 404 誤判成通過。
|
||||
- 新增 release lane preflight snapshot 與 guard,固定正式 release 前必須選擇 `formal_gitea_merge`、`formal_patch_apply` 或 `maintainer_local_push_with_safe_credential` 其中一條合規 lane,且 owner ack / evidence 未到齊前不得 push、deploy、force push、使用明文 token workaround 或改 runtime。
|
||||
- 新增 release gate snapshot 與 guard,固定 source-side 與 feature branch push 已完成,但 formal main release / production deploy / production readback 尚未完成,避免後續把 predeploy 404 誤判成通過。
|
||||
- 新增 release lane preflight snapshot 與 guard,固定正式 release 前必須選擇 `formal_gitea_merge`、`formal_patch_apply` 或 `maintainer_local_push_with_safe_credential` 其中一條合規 lane,且 owner ack / evidence 未到齊前不得推主線、deploy、force push、使用明文 token workaround 或改 runtime。
|
||||
- 新增 release owner request 草稿與 owner response acceptance 帳本,將 required ack flags、required evidence fields、allowed release methods、blocked actions、forbidden payloads 與 reviewer checks 機器可讀化;目前 request sent、response received / accepted、release ready、runtime gate 全部維持 `0`。
|
||||
- 新增 live metadata env gate,固定部署後要先通過 production route readback、server-side env owner response、secret source metadata、Wazuh manager health ref、readonly account scope、post-enable readback、rollback 與 no-secret / no-raw-payload attestation;目前 live query authorized 仍為 `0`。
|
||||
- 新增 IwoooS 前台「Wazuh 即時中繼資料環境閘門」卡片,公開顯示上述 gate 的 `0 / false` 邊界;文案全部為繁體中文治理語,不放工作視窗逐字稿、委派 XML、聊天內容或個人英文名稱。
|
||||
@@ -98,7 +98,7 @@ NEXT_PUBLIC_API_URL=https://awoooi.wooo.work NEXT_PRIVATE_BUILD_WORKER_COUNT=1 S
|
||||
|
||||
- `pytest apps/api/tests/test_iwooos_wazuh_api.py`:`6 passed`。
|
||||
- `wazuh-readonly-route-boundary-guard`:`route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。
|
||||
- `wazuh-readonly-release-gate`:`source=1 push=0 deploy=0 readback=0 runtime_gate=0`。
|
||||
- `wazuh-readonly-release-gate`:`source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。
|
||||
- `wazuh-readonly-release-lane-preflight`:`ready=0 acks=0/6 evidence=0/6 runtime_gate=0`。
|
||||
- `wazuh-readonly-release-owner-request`:`drafts=1 sent=0 accepted=0 runtime_gate=0`。
|
||||
- `wazuh-readonly-release-owner-response-acceptance`:`received=0 accepted=0 acks=0/6 evidence=0/6 runtime_gate=0`。
|
||||
@@ -123,13 +123,13 @@ git worktree add /private/tmp/awoooi-iwooos-wazuh-release-apply-check-<timestamp
|
||||
git am /private/tmp/awoooi-iwooos-wazuh-boundary-release-patch-<timestamp>/*.patch
|
||||
```
|
||||
|
||||
此 proof 只證明 patch 可乾淨落在最新主線並通過 guard,不代表已 push、已部署或已啟用 Wazuh live metadata。最終 patch SHA 與 apply-check commit 應由 release 執行者在 final docs commit 之後用命令讀回,不寫入會自我漂移的 committed 文件。
|
||||
此 proof 只證明 patch 可乾淨落在最新主線並通過 guard,不代表已合併主線、已部署或已啟用 Wazuh live metadata。最終 patch SHA 與 apply-check commit 應由 release 執行者在 final docs commit 之後用命令讀回,不寫入會自我漂移的 committed 文件。
|
||||
|
||||
乾淨套用 worktree 驗證結果:
|
||||
|
||||
- `pytest apps/api/tests/test_iwooos_wazuh_api.py`:`6 passed`。
|
||||
- `python3 scripts/security/wazuh-readonly-route-boundary-guard.py --root .`:`WAZUH_READONLY_ROUTE_BOUNDARY_GUARD_OK route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/wazuh-readonly-release-gate.py --root .`:`WAZUH_READONLY_RELEASE_GATE_OK source=1 push=0 deploy=0 readback=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/wazuh-readonly-release-gate.py --root .`:`WAZUH_READONLY_RELEASE_GATE_OK source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。
|
||||
- `python3 scripts/security/wazuh-readonly-release-lane-preflight.py --root .`:`WAZUH_READONLY_RELEASE_LANE_PREFLIGHT_OK ready=0 acks=0/6 evidence=0/6 runtime_gate=0`。
|
||||
- `python3 scripts/security/security-mirror-progress-guard.py --root .`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。
|
||||
- `python3 scripts/ops/doc-secrets-sanity-check.py ...`:`DOC_SECRET_SANITY_OK scanned_files=973`。
|
||||
@@ -158,7 +158,7 @@ python3 scripts/security/wazuh-readonly-production-readback.py --allow-predeploy
|
||||
|
||||
- 使用具備正式權限的 Gitea lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD 或同等 patch;不得 force push。
|
||||
- release lane preflight 目前固定 `formal_release_lane_ready_count=0`、`accepted_ack_flag_count=0/6`、`accepted_evidence_field_count=0/6`;不得把一般「批准繼續」當成 release lane owner response。
|
||||
- 目前非互動式 push 實測仍被 Gitea HTTPS credential 擋住:`fatal: could not read Username for 'https://gitea.wooo.work': terminal prompts disabled`。
|
||||
- feature branch 已推送完成;正式 release 仍必須由合規 lane 合併到 `main` 或套用等效 patch,不得用明文 token、舊 credential 或 force push 繞過。
|
||||
- 不得複製舊 workspace 的內嵌明文 Gitea token。
|
||||
- 不得把 Wazuh URL、帳密、token、cookie、private key、runner token 或 webhook secret 寫入 repo。
|
||||
- 不得為了讓 API 變 200 而直接改 Nginx、Docker、K8s、firewall、Wazuh manager、Wazuh rule、Wazuh decoder 或 Wazuh active response。
|
||||
@@ -207,7 +207,7 @@ python3 scripts/security/wazuh-readonly-production-readback.py --json
|
||||
| Wazuh public API 404 source-side 修補 | `100%` | 已完成本地分支 HEAD |
|
||||
| Wazuh route boundary source guard | `100%` | 已納入 `security-mirror-progress-guard` |
|
||||
| Production readback 驗收腳本 | `100%` | 已完成;正式部署後不得接受 404 |
|
||||
| Wazuh release gate snapshot / guard | `100%` | 已完成;固定 push/deploy/readback 仍 blocked |
|
||||
| Wazuh release gate snapshot / guard | `100%` | 已完成;固定 feature branch push 已完成,formal main release / deploy / readback 仍 blocked |
|
||||
| Wazuh release lane preflight | `100%` | 已完成;owner acks `0/6`、evidence `0/6`、正式 release ready `0` |
|
||||
| Wazuh release owner request / acceptance | `100%` | 已完成只讀草稿與收件帳本;request sent `0`、response accepted `0` |
|
||||
| Wazuh live metadata env gate | `100%` | 已完成只讀 gate;route readback / owner / secret metadata / live query 仍 `0` |
|
||||
|
||||
@@ -14,13 +14,13 @@
|
||||
"wazuh_active_response_authorized": false,
|
||||
"wazuh_api_live_query_authorized": false
|
||||
},
|
||||
"generated_at": "2026-06-24T22:48:00+08:00",
|
||||
"generated_at": "2026-06-25T23:40:00+08:00",
|
||||
"missing_required_source_paths": [],
|
||||
"mode": "repo_release_gate_no_runtime_no_secret_collection",
|
||||
"operator_interpretation": [
|
||||
"此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API 與 guard 可交接。",
|
||||
"此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API、guard 與 feature branch push 可交接。",
|
||||
"正式 release 前不得用 predeploy 404 當成功,也不得為了修 404 直接改 Nginx、Docker、K8s、firewall 或 Wazuh secret。",
|
||||
"乾淨套用 proof 通過只代表 release patch 可落在最新主線,不代表已 push、已部署或已啟用 Wazuh live metadata。",
|
||||
"乾淨套用 proof 與 feature branch push 通過只代表 release patch 可交接,不代表已合併 main、已部署或已啟用 Wazuh live metadata。",
|
||||
"live Wazuh metadata query 必須另走 owner gate 與 server-side env;active response、host write、Kali active scan 仍為 0 / false。"
|
||||
],
|
||||
"release_gates": [
|
||||
@@ -50,9 +50,15 @@
|
||||
},
|
||||
{
|
||||
"gate_id": "gitea_branch_push",
|
||||
"required_evidence": "具備正式權限的 lane 推送或合併 codex/iwooos-wazuh-boundary-guard-20260624",
|
||||
"required_evidence": "codex/iwooos-wazuh-boundary-guard-20260624 feature branch 已可由 git ls-remote 讀回",
|
||||
"runtime_authorized": false,
|
||||
"status": "blocked_credential_required"
|
||||
"status": "passed_feature_branch_readback"
|
||||
},
|
||||
{
|
||||
"gate_id": "formal_main_release",
|
||||
"required_evidence": "由正式 release lane 合併 feature branch 或套用等效 patch 到 main;不得 force push",
|
||||
"runtime_authorized": false,
|
||||
"status": "blocked_waiting_formal_release_lane"
|
||||
},
|
||||
{
|
||||
"gate_id": "production_deploy",
|
||||
@@ -77,7 +83,7 @@
|
||||
"apply_check_status": "passed_external_readback_required_after_final_commit",
|
||||
"base_commit_readback": "run git rev-parse gitea/main before release; do not hardcode a moving main commit",
|
||||
"base_ref": "gitea/main",
|
||||
"gitea_push_blocker": "https_noninteractive_credential_required",
|
||||
"feature_branch_push_status": "completed_readback_required_before_release",
|
||||
"production_readback_status": "predeploy_404_observed",
|
||||
"release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file",
|
||||
"source_branch": "codex/iwooos-wazuh-boundary-guard-20260624",
|
||||
@@ -93,11 +99,12 @@
|
||||
"scripts/security/wazuh-readonly-route-boundary-guard.py"
|
||||
],
|
||||
"schema_version": "iwooos_wazuh_readonly_release_gate_v1",
|
||||
"status": "blocked_waiting_gitea_push_and_production_deploy",
|
||||
"status": "blocked_waiting_formal_main_release_and_production_deploy",
|
||||
"summary": {
|
||||
"active_response_authorized_count": 0,
|
||||
"gitea_push_blocker_observed_count": 1,
|
||||
"gitea_push_complete_count": 0,
|
||||
"formal_main_release_complete_count": 0,
|
||||
"gitea_push_blocker_observed_count": 0,
|
||||
"gitea_push_complete_count": 1,
|
||||
"host_forensics_ref_accepted_count": 0,
|
||||
"host_write_authorized_count": 0,
|
||||
"missing_required_source_path_count": 0,
|
||||
|
||||
@@ -3,8 +3,9 @@
|
||||
IwoooS Wazuh 只讀 API release gate。
|
||||
|
||||
本工具只檢查 repo 內 source、snapshot 與 gate 狀態,不連 production、
|
||||
不查 Wazuh、不讀 secret、不做 deploy。目的在於固定「source-side 已完成」
|
||||
與「Gitea push / production deploy / production readback 尚未完成」的界線。
|
||||
不查 Wazuh、不讀 secret、不做 deploy。目的在於固定「source-side 與
|
||||
feature branch push 已完成」以及「formal main release / production deploy /
|
||||
production readback 尚未完成」的界線。
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
@@ -39,7 +40,7 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
|
||||
return {
|
||||
"schema_version": "iwooos_wazuh_readonly_release_gate_v1",
|
||||
"generated_at": generated_at or now_iso(),
|
||||
"status": "blocked_waiting_gitea_push_and_production_deploy",
|
||||
"status": "blocked_waiting_formal_main_release_and_production_deploy",
|
||||
"mode": "repo_release_gate_no_runtime_no_secret_collection",
|
||||
"release_lane_evidence": {
|
||||
"source_branch": "codex/iwooos-wazuh-boundary-guard-20260624",
|
||||
@@ -49,8 +50,8 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
|
||||
"base_commit_readback": "run git rev-parse gitea/main before release; do not hardcode a moving main commit",
|
||||
"release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file",
|
||||
"apply_check_status": "passed_external_readback_required_after_final_commit",
|
||||
"feature_branch_push_status": "completed_readback_required_before_release",
|
||||
"production_readback_status": "predeploy_404_observed",
|
||||
"gitea_push_blocker": "https_noninteractive_credential_required",
|
||||
},
|
||||
"required_source_paths": REQUIRED_SOURCE_PATHS,
|
||||
"summary": {
|
||||
@@ -60,8 +61,9 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
|
||||
"release_handoff_complete_count": 1 if (root / "docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md").exists() else 0,
|
||||
"release_patch_apply_proof_complete_count": 1,
|
||||
"missing_required_source_path_count": len(missing_paths),
|
||||
"gitea_push_complete_count": 0,
|
||||
"gitea_push_blocker_observed_count": 1,
|
||||
"gitea_push_complete_count": 1,
|
||||
"gitea_push_blocker_observed_count": 0,
|
||||
"formal_main_release_complete_count": 0,
|
||||
"production_deploy_complete_count": 0,
|
||||
"production_readback_passed_count": 0,
|
||||
"predeploy_404_observed_count": 1,
|
||||
@@ -99,8 +101,14 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
|
||||
},
|
||||
{
|
||||
"gate_id": "gitea_branch_push",
|
||||
"status": "blocked_credential_required",
|
||||
"required_evidence": "具備正式權限的 lane 推送或合併 codex/iwooos-wazuh-boundary-guard-20260624",
|
||||
"status": "passed_feature_branch_readback",
|
||||
"required_evidence": "codex/iwooos-wazuh-boundary-guard-20260624 feature branch 已可由 git ls-remote 讀回",
|
||||
"runtime_authorized": False,
|
||||
},
|
||||
{
|
||||
"gate_id": "formal_main_release",
|
||||
"status": "blocked_waiting_formal_release_lane",
|
||||
"required_evidence": "由正式 release lane 合併 feature branch 或套用等效 patch 到 main;不得 force push",
|
||||
"runtime_authorized": False,
|
||||
},
|
||||
{
|
||||
@@ -139,9 +147,9 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
|
||||
},
|
||||
"missing_required_source_paths": missing_paths,
|
||||
"operator_interpretation": [
|
||||
"此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API 與 guard 可交接。",
|
||||
"此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API、guard 與 feature branch push 可交接。",
|
||||
"正式 release 前不得用 predeploy 404 當成功,也不得為了修 404 直接改 Nginx、Docker、K8s、firewall 或 Wazuh secret。",
|
||||
"乾淨套用 proof 通過只代表 release patch 可落在最新主線,不代表已 push、已部署或已啟用 Wazuh live metadata。",
|
||||
"乾淨套用 proof 與 feature branch push 通過只代表 release patch 可交接,不代表已合併 main、已部署或已啟用 Wazuh live metadata。",
|
||||
"live Wazuh metadata query 必須另走 owner gate 與 server-side env;active response、host write、Kali active scan 仍為 0 / false。",
|
||||
],
|
||||
}
|
||||
@@ -166,7 +174,7 @@ def validate(root: Path) -> None:
|
||||
|
||||
if snapshot.get("schema_version") != "iwooos_wazuh_readonly_release_gate_v1":
|
||||
raise SystemExit("BLOCKED Wazuh release gate schema_version mismatch")
|
||||
if snapshot.get("status") != "blocked_waiting_gitea_push_and_production_deploy":
|
||||
if snapshot.get("status") != "blocked_waiting_formal_main_release_and_production_deploy":
|
||||
raise SystemExit("BLOCKED Wazuh release gate status mismatch")
|
||||
for key, value in snapshot.get("execution_boundaries", {}).items():
|
||||
if key == "not_authorization":
|
||||
@@ -195,6 +203,7 @@ def main() -> int:
|
||||
"WAZUH_READONLY_RELEASE_GATE_OK "
|
||||
f"source={summary['source_side_fix_complete_count']} "
|
||||
f"push={summary['gitea_push_complete_count']} "
|
||||
f"main={summary['formal_main_release_complete_count']} "
|
||||
f"deploy={summary['production_deploy_complete_count']} "
|
||||
f"readback={summary['production_readback_passed_count']} "
|
||||
f"runtime_gate={summary['runtime_gate_count']}"
|
||||
|
||||
Reference in New Issue
Block a user