From e529bdbae2ea8500addba60d46395f0d9f2ea017 Mon Sep 17 00:00:00 2001
From: ogt
Date: Thu, 25 Jun 2026 10:37:46 +0800
Subject: [PATCH] fix(iwooos): split Wazuh release gate layers

---
 docs/LOGBOOK.md | 58 +++++++++++++------
 ...OOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md | 14 ++---
 .../wazuh-readonly-release-gate.snapshot.json | 25 +++++---
 .../security/wazuh-readonly-release-gate.py | 31 ++++++----
 4 files changed, 84 insertions(+), 44 deletions(-)

diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index 35ea9bfc..0d35a2f2 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
@@ -1,3 +1,27 @@ +## 2026-06-25|Wazuh release gate feature branch / formal release 分層校正 + +**背景**:Wazuh release gate snapshot 仍把 `gitea_push_complete_count` 留在 `0`,但 feature branch 已可由 Gitea 讀回。若不拆層,另一個工作視窗會把「feature branch 已推送」與「formal main release / production deploy 尚未完成」混在一起判讀。 + +**完成**: +- `scripts/security/wazuh-readonly-release-gate.py` 改為固定 source-side 與 feature branch push 已完成。 +- `docs/security/wazuh-readonly-release-gate.snapshot.json` 更新為 `source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。 +- 新增 `formal_main_release_complete_count=0` 與 `formal_main_release` gate,明確等待正式 release lane 合併到 `main` 或套用等效 patch。 +- `IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md` 同步拆開 feature branch push、formal main release、production deploy、production readback 與 live metadata env enable。 +- 保留 production predeploy readback `404 / runtime_gate=0`;不得把 feature branch push 當成 production 已部署或 Wazuh live query 已授權。 + +**驗證**: +- `python3 scripts/security/wazuh-readonly-release-gate.py --root . --output docs/security/wazuh-readonly-release-gate.snapshot.json --generated-at 2026-06-25T23:40:00+08:00`:`source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。 +- `security-mirror-progress-guard.py`、`doc-secrets-sanity-check.py`、`py_compile`、`git diff --check`、diff 洩漏掃描與 production `predeploy_404_observed` 讀回皆已通過。 + +**完成度同步**: +- Wazuh release gate 分層正確性:`100%` source-side。 +- Wazuh feature branch push:`100%`。 +- Formal main release:`0%`。 +- Production deploy / readback:`0%`。 +- Wazuh live metadata env、event refs、host forensic refs accepted、active response、host write、Kali active scan:仍維持 `0%`。 + +**邊界**:本輪只校正 repo gate、snapshot 與 handoff 文件;沒有查 Wazuh、沒有 SSH、沒有讀 secret、沒有部署、沒有改 Nginx / Docker / K8s / firewall,也沒有啟用 active response。 + ## 2026-06-25|Wazuh agent registry owner evidence 收件預檢 **背景**:Wazuh 用戶端消失事故的下一個關鍵不是再看 Dashboard,而是讓 owner 能用脫敏、可驗收的格式提供 manager registry truth。若沒有收件 preflight,agent 數字、截圖、raw log 或口頭回覆都容易被誤當成驗收證據。 
@@ -77,7 +101,7 @@ ## 2026-06-25|Wazuh release handoff 分層狀態校正 -**背景**:Wazuh release handoff 仍把「Gitea push」寫成 `0%`,容易讓另一個工作視窗誤會 feature branch 尚未推送。實際狀態是 feature branch 已推送,但 formal main release、production deploy 與 live metadata env enable 仍為 `0%`。 +**背景**:Wazuh release handoff 仍把「Gitea push」寫成 `0%`,容易讓另一個工作視窗誤會 feature branch 還卡在等待狀態。實際狀態是 feature branch 已推送,但 formal main release、production deploy 與 live metadata env enable 仍為 `0%`。 **完成**: - `IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md` 新增目前分層狀態。 @@ -351,8 +375,8 @@ - 已同步 `盤查 CI/CD 與環境機制`:請維持 `wazuh_live_agent_registry_readback=0`、`iwooos_wazuh_runtime_gate=0`、`active_response=0`,不要把 Wazuh 標成 live agent registry 已閉環。 **Gitea branch readback**: -- HTTPS `gitea` push 仍因非互動式 credential 缺失失敗;本輪沒有要求或保存 secret。 -- 內網 Gitea branch `codex/iwooos-wazuh-boundary-guard-20260624` 已建立,readback HEAD `3d173712f3b20e21e96f99d2ebdc737f6f84438b`。 +- 後續已完成 feature branch push;正式 release 仍需由合規 lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 到 `main` 或套用等效 patch。 +- 內網 Gitea branch `codex/iwooos-wazuh-boundary-guard-20260624` 已建立;精確 HEAD 以最新 `git ls-remote` 讀回為準,避免 LOGBOOK commit 後自我漂移。 - `main` 未被本輪更新;production Wazuh readback 仍為 `predeploy_404_observed`,不得視為部署完成。 **完成度**: 
@@ -399,7 +423,7 @@ - `pytest apps/api/tests/test_iwooos_wazuh_api.py`:`4 passed`。 - `python3 scripts/security/security-mirror-progress-guard.py --root .`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。 - `python3 scripts/security/wazuh-readonly-route-boundary-guard.py --root .`:`route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。 -- `python3 scripts/security/wazuh-readonly-release-gate.py --root .`:`source=1 push=0 deploy=0 readback=0 runtime_gate=0`。 +- `python3 scripts/security/wazuh-readonly-release-gate.py --root .`:已由 2026-06-25 分層校正更新為 `source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。 - `python3 scripts/security/wazuh-readonly-release-lane-preflight.py --root .`:`ready=0 acks=0/6 evidence=0/6 runtime_gate=0`。 - `python3 scripts/security/wazuh-readonly-release-owner-request.py --root .`:`drafts=1 sent=0 accepted=0 runtime_gate=0`。 - `python3 scripts/security/wazuh-readonly-release-owner-response-acceptance.py --root .`:`received=0 accepted=0 acks=0/6 evidence=0/6 runtime_gate=0`。 @@ -513,7 +537,7 @@ **Wazuh 分工邊界**: - IwoooS 主控視窗同步的 Wazuh 只讀 API 邊界已改為 release 前 readback 模式;Wazuh API commit、最終分支 HEAD 與 release patch set SHA-256 需在 final docs commit 後以 `git log --oneline gitea/main..HEAD`、`git rev-parse HEAD`、`git format-patch gitea/main..HEAD`、`shasum -a 256` 讀回,避免 rebase 後 hash 漂移。 -- 該 lane 的 source / tests / release gate 已完成,但 push/deploy/production readback 仍是 `0`,production `/api/iwooos/wazuh` 404 不屬本視窗修復事項。 +- 該 lane 的 source / tests / release gate 已完成;後續 feature branch push 已完成,但 formal main release / production deploy / production readback 仍是 `0`,production `/api/iwooos/wazuh` 404 不屬本視窗修復事項。 - 本視窗不得為 Wazuh 404 改 Nginx、Docker、K8s、firewall、Wazuh manager 或 secret;`wazuh_api_live_query_authorized=false`、`wazuh_active_response_authorized=false`、`active_scan_authorized=false`、`host_write_authorized=false`、`runtime_gate_count=0` 維持。 **判定**: 
@@ -560,12 +584,12 @@ - 新增 `wazuh-readonly-route-boundary-guard.py`,同時掃 Next.js route、FastAPI route 與 IwoooS 前台,阻擋硬編 Wazuh 內網 URL / port、帳密、`NODE_TLS_REJECT_UNAUTHORIZED`、假 SOC dashboard、假 CVE、raw payload 或 legacy dashboard component 回流。 - `security-mirror-progress-guard.py` 已直接呼叫此 guard,讓 Wazuh 接線邊界進入既有 IwoooS security mirror gate。 - 新增 `wazuh-readonly-production-readback.py`,供 release 後驗證 production `/api/iwooos/wazuh` 不再 404,且 schema、status、0 / false 邊界與防洩漏條件都正確;predeploy 404 只能用 `--allow-predeploy-404` 記錄現況,不可當正式驗收。 -- 新增 `wazuh-readonly-release-gate.py` 與 `wazuh-readonly-release-gate.snapshot.json`,固定 source-side 已完成、Gitea push / production deploy / production readback 尚未完成,並由 `security-mirror-progress-guard.py` 驗證。 +- 新增 `wazuh-readonly-release-gate.py` 與 `wazuh-readonly-release-gate.snapshot.json`,固定 source-side 已完成;最新分層狀態已改為 feature branch push 已完成,formal main release / production deploy / production readback 尚未完成,並由 `security-mirror-progress-guard.py` 驗證。 **驗證**: - `pytest apps/api/tests/test_iwooos_wazuh_api.py` → `4 passed`。 - `python3 scripts/security/wazuh-readonly-route-boundary-guard.py --root .` → `WAZUH_READONLY_ROUTE_BOUNDARY_GUARD_OK route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。 -- `python3 scripts/security/wazuh-readonly-release-gate.py --root .` → `WAZUH_READONLY_RELEASE_GATE_OK source=1 push=0 deploy=0 readback=0 runtime_gate=0`。 +- `python3 scripts/security/wazuh-readonly-release-gate.py --root .` → 最新分層校正後為 `WAZUH_READONLY_RELEASE_GATE_OK source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。 - `python3 scripts/security/security-mirror-progress-guard.py --root .` → `SECURITY_MIRROR_PROGRESS_GUARD_OK`。 - `python3 -m py_compile apps/api/src/api/v1/iwooos.py scripts/security/wazuh-readonly-route-boundary-guard.py scripts/security/security-mirror-progress-guard.py` 通過。 - `python3 scripts/security/wazuh-readonly-production-readback.py --allow-predeploy-404 --json` 可記錄尚未部署現況;正式部署後需不加 allow flag,且不得回 404。 
@@ -576,21 +600,21 @@ - Wazuh route boundary source guard:`100%`。 - Production readback 驗收腳本:`100%`。 - Wazuh release gate snapshot / guard:`100%`。 -- Production deploy / readback:`0%`,尚未推送與部署。 +- Formal main release / production deploy / readback:`0%`,feature branch 已推送,但尚未由正式 release lane 合併主線與部署。 - Wazuh server-side env enable:`0%`,尚未由 secrets / env gate 啟用。 - Wazuh event refs、host forensic refs、containment decision、recovery proof accepted:全部 `0%`。 - active response、host write、Kali active scan、firewall / Nginx / Docker / K8s runtime action:全部 `0 / false`。 **邊界**:本輪只做 source-side API 相容路由、測試與 guard;沒有 SSH、沒有查 live Wazuh API、沒有讀或保存 secret、沒有改 Nginx / firewall / Docker / K8s、沒有 active scan、沒有 Wazuh active response、沒有 Telegram 實發、沒有 production deploy。 -**Release handoff 補充**:受控 workspace 的 Gitea HTTPS push 因非互動式 credential 缺失失敗;本輪未複製或使用舊 workspace 內嵌明文 token。已新增 `docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md`,供具備正式 Gitea / release 權限的 lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD 或同等 patch,並以 production `/api/iwooos/wazuh` readback 驗證不再 404。 +**Release handoff 補充**:後續已完成 feature branch push;本輪未複製或使用舊 workspace 內嵌明文 token。已新增 `docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md`,供具備正式 Gitea / release 權限的 lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD 或同等 patch,並以 production `/api/iwooos/wazuh` readback 驗證不再 404。 **Release apply proof 補充,21:58 Asia/Taipei**: - Wazuh API commit、最終分支 HEAD 與 release patch set SHA-256 不硬寫進 committed 文件,需在 final docs commit 後以命令讀回。 - 已從當時最新 `gitea/main` 建立獨立 worktree 並套用 patch set 成功;後續若主線或文件 commit 再變動,release 執行者需重新 `git format-patch gitea/main..HEAD` 與 apply-check,避免沿用舊 patch SHA。 - 乾淨套用 worktree 通過 `pytest apps/api/tests/test_iwooos_wazuh_api.py`、`wazuh-readonly-route-boundary-guard.py`、`wazuh-readonly-release-gate.py`、`security-mirror-progress-guard.py`、`doc-secrets-sanity-check.py`、`py_compile` 與 `git diff --check`。 -- `docs/security/wazuh-readonly-release-gate.snapshot.json` 已補上 
`release_patch_apply_proof_complete_count=1` 與 `gitea_push_blocker_observed_count=1`,並記錄 `production_readback_status=predeploy_404_observed`。 -- 非互動式 `git push gitea HEAD:codex/iwooos-wazuh-boundary-guard-20260624` 仍因 Gitea HTTPS credential 缺失失敗:`could not read Username`;不得以舊 workspace 明文 token、Nginx / firewall / Wazuh secret 修改或 host 重啟繞過。 +- `docs/security/wazuh-readonly-release-gate.snapshot.json` 已由 2026-06-25 分層校正更新為 `release_patch_apply_proof_complete_count=1`、`gitea_push_complete_count=1`、`formal_main_release_complete_count=0`,並記錄 `production_readback_status=predeploy_404_observed`。 +- feature branch push 後仍不得以舊 workspace 明文 token、Nginx / firewall / Wazuh secret 修改或 host 重啟繞過 formal main release / production deploy gate。 - Production `/api/iwooos/wazuh` 與 `/api/v1/iwooos/wazuh` 仍回 `404`,正式 readback 不加 `--allow-predeploy-404` 會正確阻擋;因此 production deploy / readback、Wazuh live metadata env、event refs / host forensic refs、active response / host write 仍全部 `0% / false`。 **Release lane preflight 補充,22:20 Asia/Taipei**: 
@@ -598,22 +622,22 @@ - 新增 `scripts/security/wazuh-readonly-release-lane-preflight.py` 與 `docs/security/wazuh-readonly-release-lane-preflight.snapshot.json`,並接入 `security-mirror-progress-guard.py`。 - Preflight 固定三條合規 release lane:`formal_gitea_merge`、`formal_patch_apply`、`maintainer_local_push_with_safe_credential`;目前 `formal_release_lane_ready_count=0`、ack `0/6`、evidence `0/6`。 - 明確阻擋:明文 Gitea token remote、從髒 workspace 複製 token、force push、Nginx / Docker / K8s / firewall workaround、Wazuh secret / manager 變更、未經 owner gate 啟用 live metadata、Wazuh active response、host write、Kali active scan。 -- 完成度:release lane preflight artifact / guard `100%`;owner acks / evidence `0%`;Gitea push / production deploy / production readback / runtime gate 仍 `0%`。 +- 完成度:release lane preflight artifact / guard `100%`;feature branch push 現已 `100%`;owner acks / evidence、formal main release、production deploy、production readback、runtime gate 仍 `0%`。 - 邊界:本段沒有讀 git credential、沒有推送、沒有部署、沒有 Wazuh live query、沒有 host write、沒有 runtime action;只是把 release blocker 變成可審核 gate。 **Release lane rebase/readback 補充,22:26 Asia/Taipei**: - `gitea/main` 已再前進到 `ffc167e2 docs(ops): record momo production import boundary readback [skip ci]`;Wazuh 分支已 rebase 到此基底,沒有覆蓋 MOMO production import boundary readback 紀錄。 - Rebase 後 Wazuh 分支目前只比 `gitea/main` 多三個提交:`9b40ca89 fix(iwooos): 接上 Wazuh 只讀 API 邊界`、`8435a435 docs(iwooos): 記錄 Wazuh release apply proof`、`59188ca1 feat(iwooos): 新增 Wazuh release lane preflight`。 -- 已重新產生 `docs/security/wazuh-readonly-release-gate.snapshot.json` 與 `docs/security/wazuh-readonly-release-lane-preflight.snapshot.json`;兩者仍固定 source / guard 已完成,但 push、deploy、production readback、runtime gate 仍為 `0`。 +- 已重新產生 `docs/security/wazuh-readonly-release-gate.snapshot.json` 與 `docs/security/wazuh-readonly-release-lane-preflight.snapshot.json`;最新分層固定 source / guard / feature branch push 已完成,但 formal main release、deploy、production readback、runtime gate 仍為 `0`。 - Rebase 後重跑 `pytest 
apps/api/tests/test_iwooos_wazuh_api.py`、Wazuh route guard、release gate、release-lane preflight、`security-mirror-progress-guard.py`、`doc-secrets-sanity-check.py`、`py_compile`、`git diff --check` 全部通過;正式 production readback 不加 `--allow-predeploy-404` 仍正確阻擋 `404`。 -- 完成度:rebase / snapshot refresh `100%`;formal release lane owner acks `0/6`、evidence `0/6`;Gitea push / production deploy / production readback `0%`。 +- 完成度:rebase / snapshot refresh `100%`;feature branch push 現已 `100%`;formal release lane owner acks `0/6`、evidence `0/6`;formal main release / production deploy / production readback `0%`。 - 邊界:本段沒有讀 git credential、沒有推送、沒有部署、沒有 live Wazuh query、沒有 Nginx / Docker / K8s / firewall / host / Wazuh secret 變更。 **Release owner request / acceptance 補充,22:32 Asia/Taipei**: - 新增 `scripts/security/wazuh-readonly-release-owner-request.py`、`docs/security/wazuh-readonly-release-owner-request.snapshot.json`、`scripts/security/wazuh-readonly-release-owner-response-acceptance.py`、`docs/security/wazuh-readonly-release-owner-response-acceptance.snapshot.json`,並接入 `security-mirror-progress-guard.py`。 - Owner request 草稿固定 required ack flags `6`、required evidence fields `6`、allowed release methods `3`、forbidden payloads `12`、blocked actions `11`;目前 request sent `0`、owner response accepted `0`、runtime gate `0`。 - Owner response acceptance 帳本固定 reviewer checks `15`、outcome lanes `10`、blocked actions `13`;目前 received `0`、accepted `0`、acks `0/6`、evidence `0/6`、formal release ready `0`。 -- 完成度:release owner request / acceptance artifact 與 guard `100%`;正式 owner response / release ready / push / deploy / production readback `0%`。 +- 完成度:release owner request / acceptance artifact 與 guard `100%`;正式 owner response / release ready / formal main release / deploy / production readback `0%`。 - 邊界:本段沒有發送 request、沒有收件、沒有讀 credential、沒有推送、沒有部署、沒有 Wazuh live query、沒有 runtime action;一般「批准繼續」仍不可當 release lane owner response。 **Live metadata env gate 補充,22:42 Asia/Taipei**: 
@@ -625,8 +649,8 @@ **Release lane rebase/readback 補充,22:48 Asia/Taipei**: - `gitea/main` 已再前進到 `b540fc0c docs(ops): record momo source absence readback [skip ci]`;Wazuh 分支已 rebase 到此基底,沒有覆蓋 MOMO source absence / recovery readback 紀錄。 - Rebase 後 Wazuh 分支目前只比 `gitea/main` 多六個提交:`38dc3c2f fix(iwooos): 接上 Wazuh 只讀 API 邊界`、`9a53d3e1 docs(iwooos): 記錄 Wazuh release apply proof`、`e9972d47 feat(iwooos): 新增 Wazuh release lane preflight`、`758d419e docs(iwooos): refresh Wazuh release lane readback`、`04db4b8a feat(iwooos): define Wazuh release owner gate`、`8eec298e feat(iwooos): add Wazuh live metadata env gate`。 -- 已重新產生 Wazuh release gate、release lane preflight、owner request、owner response acceptance 與 live metadata env gate snapshots;全部仍固定 push、deploy、production readback、runtime gate、live query、active response、host write 為 `0`。 -- 完成度:rebase / snapshot refresh `100%`;formal release lane owner acks `0/6`、evidence `0/6`;live metadata owner accepted `0`;Gitea push / production deploy / production readback `0%`。 +- 已重新產生 Wazuh release gate、release lane preflight、owner request、owner response acceptance 與 live metadata env gate snapshots;最新分層固定 formal main release、deploy、production readback、runtime gate、live query、active response、host write 為 `0`。 +- 完成度:rebase / snapshot refresh `100%`;feature branch push 現已 `100%`;formal release lane owner acks `0/6`、evidence `0/6`;live metadata owner accepted `0`;formal main release / production deploy / production readback `0%`。 - 邊界:本段沒有讀 git credential、沒有推送、沒有部署、沒有 Wazuh live query、沒有 secret collection、沒有 Nginx / Docker / K8s / firewall / host / Wazuh secret 變更。 ## 2026-06-24|21:04 recovery readback 與 MOMO V10.651 雙機基準收斂 diff --git a/docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md b/docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md index 30b0ce33..31555c30 100644 --- a/docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md +++ b/docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md 
@@ -66,8 +66,8 @@ - 不回傳 raw Wazuh payload、agent 原名、內網 IP、token、password 或 secret。 - 新增 source guard,阻擋硬編 Wazuh 內網 URL / port、帳密、關 TLS、假 SOC dashboard、假 CVE、raw payload 與 legacy dashboard component 回流。 - 新增 production readback 腳本,部署後可直接驗證 public API 不再 404、schema / status / boundary 正確,且沒有 raw payload、內網 IP、agent 原名或 secret 洩漏。 -- 新增 release gate snapshot 與 guard,固定 source-side 已完成、Gitea push / production deploy / production readback 尚未完成,避免後續把 predeploy 404 誤判成通過。 -- 新增 release lane preflight snapshot 與 guard,固定正式 release 前必須選擇 `formal_gitea_merge`、`formal_patch_apply` 或 `maintainer_local_push_with_safe_credential` 其中一條合規 lane,且 owner ack / evidence 未到齊前不得 push、deploy、force push、使用明文 token workaround 或改 runtime。 +- 新增 release gate snapshot 與 guard,固定 source-side 與 feature branch push 已完成,但 formal main release / production deploy / production readback 尚未完成,避免後續把 predeploy 404 誤判成通過。 +- 新增 release lane preflight snapshot 與 guard,固定正式 release 前必須選擇 `formal_gitea_merge`、`formal_patch_apply` 或 `maintainer_local_push_with_safe_credential` 其中一條合規 lane,且 owner ack / evidence 未到齊前不得推主線、deploy、force push、使用明文 token workaround 或改 runtime。 - 新增 release owner request 草稿與 owner response acceptance 帳本,將 required ack flags、required evidence fields、allowed release methods、blocked actions、forbidden payloads 與 reviewer checks 機器可讀化;目前 request sent、response received / accepted、release ready、runtime gate 全部維持 `0`。 - 新增 live metadata env gate,固定部署後要先通過 production route readback、server-side env owner response、secret source metadata、Wazuh manager health ref、readonly account scope、post-enable readback、rollback 與 no-secret / no-raw-payload attestation;目前 live query authorized 仍為 `0`。 - 新增 IwoooS 前台「Wazuh 即時中繼資料環境閘門」卡片,公開顯示上述 gate 的 `0 / false` 邊界;文案全部為繁體中文治理語,不放工作視窗逐字稿、委派 XML、聊天內容或個人英文名稱。 
@@ -98,7 +98,7 @@ NEXT_PUBLIC_API_URL=https://awoooi.wooo.work NEXT_PRIVATE_BUILD_WORKER_COUNT=1 S - `pytest apps/api/tests/test_iwooos_wazuh_api.py`:`6 passed`。 - `wazuh-readonly-route-boundary-guard`:`route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。 -- `wazuh-readonly-release-gate`:`source=1 push=0 deploy=0 readback=0 runtime_gate=0`。 +- `wazuh-readonly-release-gate`:`source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。 - `wazuh-readonly-release-lane-preflight`:`ready=0 acks=0/6 evidence=0/6 runtime_gate=0`。 - `wazuh-readonly-release-owner-request`:`drafts=1 sent=0 accepted=0 runtime_gate=0`。 - `wazuh-readonly-release-owner-response-acceptance`:`received=0 accepted=0 acks=0/6 evidence=0/6 runtime_gate=0`。 
@@ -123,13 +123,13 @@ git worktree add /private/tmp/awoooi-iwooos-wazuh-release-apply-check-/*.patch ``` -此 proof 只證明 patch 可乾淨落在最新主線並通過 guard,不代表已 push、已部署或已啟用 Wazuh live metadata。最終 patch SHA 與 apply-check commit 應由 release 執行者在 final docs commit 之後用命令讀回,不寫入會自我漂移的 committed 文件。 +此 proof 只證明 patch 可乾淨落在最新主線並通過 guard,不代表已合併主線、已部署或已啟用 Wazuh live metadata。最終 patch SHA 與 apply-check commit 應由 release 執行者在 final docs commit 之後用命令讀回,不寫入會自我漂移的 committed 文件。 乾淨套用 worktree 驗證結果: - `pytest apps/api/tests/test_iwooos_wazuh_api.py`:`6 passed`。 - `python3 scripts/security/wazuh-readonly-route-boundary-guard.py --root .`:`WAZUH_READONLY_ROUTE_BOUNDARY_GUARD_OK route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。 -- `python3 scripts/security/wazuh-readonly-release-gate.py --root .`:`WAZUH_READONLY_RELEASE_GATE_OK source=1 push=0 deploy=0 readback=0 runtime_gate=0`。 +- `python3 scripts/security/wazuh-readonly-release-gate.py --root .`:`WAZUH_READONLY_RELEASE_GATE_OK source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`。 - `python3 scripts/security/wazuh-readonly-release-lane-preflight.py --root .`:`WAZUH_READONLY_RELEASE_LANE_PREFLIGHT_OK ready=0 acks=0/6 evidence=0/6 runtime_gate=0`。 - `python3 scripts/security/security-mirror-progress-guard.py --root .`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。 - `python3 scripts/ops/doc-secrets-sanity-check.py ...`:`DOC_SECRET_SANITY_OK scanned_files=973`。 
@@ -158,7 +158,7 @@ python3 scripts/security/wazuh-readonly-production-readback.py --allow-predeploy - 使用具備正式權限的 Gitea lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD 或同等 patch;不得 force push。 - release lane preflight 目前固定 `formal_release_lane_ready_count=0`、`accepted_ack_flag_count=0/6`、`accepted_evidence_field_count=0/6`;不得把一般「批准繼續」當成 release lane owner response。 -- 目前非互動式 push 實測仍被 Gitea HTTPS credential 擋住:`fatal: could not read Username for 'https://gitea.wooo.work': terminal prompts disabled`。 +- feature branch 已推送完成;正式 release 仍必須由合規 lane 合併到 `main` 或套用等效 patch,不得用明文 token、舊 credential 或 force push 繞過。 - 不得複製舊 workspace 的內嵌明文 Gitea token。 - 不得把 Wazuh URL、帳密、token、cookie、private key、runner token 或 webhook secret 寫入 repo。 - 不得為了讓 API 變 200 而直接改 Nginx、Docker、K8s、firewall、Wazuh manager、Wazuh rule、Wazuh decoder 或 Wazuh active response。 @@ -207,7 +207,7 @@ python3 scripts/security/wazuh-readonly-production-readback.py --json | Wazuh public API 404 source-side 修補 | `100%` | 已完成本地分支 HEAD | | Wazuh route boundary source guard | `100%` | 已納入 `security-mirror-progress-guard` | | Production readback 驗收腳本 | `100%` | 已完成;正式部署後不得接受 404 | -| Wazuh release gate snapshot / guard | `100%` | 已完成;固定 push/deploy/readback 仍 blocked | +| Wazuh release gate snapshot / guard | `100%` | 已完成;固定 feature branch push 已完成,formal main release / deploy / readback 仍 blocked | | Wazuh release lane preflight | `100%` | 已完成;owner acks `0/6`、evidence `0/6`、正式 release ready `0` | | Wazuh release owner request / acceptance | `100%` | 已完成只讀草稿與收件帳本;request sent `0`、response accepted `0` | | Wazuh live metadata env gate | `100%` | 已完成只讀 gate;route readback / owner / secret metadata / live query 仍 `0` | diff --git a/docs/security/wazuh-readonly-release-gate.snapshot.json b/docs/security/wazuh-readonly-release-gate.snapshot.json index ec58fd40..eddce029 100644 --- a/docs/security/wazuh-readonly-release-gate.snapshot.json +++ b/docs/security/wazuh-readonly-release-gate.snapshot.json 
@@ -14,13 +14,13 @@
 "wazuh_active_response_authorized": false,
 "wazuh_api_live_query_authorized": false
 },
- "generated_at": "2026-06-24T22:48:00+08:00",
+ "generated_at": "2026-06-25T23:40:00+08:00",
 "missing_required_source_paths": [],
 "mode": "repo_release_gate_no_runtime_no_secret_collection",
 "operator_interpretation": [
- "此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API 與 guard 可交接。",
+ "此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API、guard 與 feature branch push 可交接。",
 "正式 release 前不得用 predeploy 404 當成功,也不得為了修 404 直接改 Nginx、Docker、K8s、firewall 或 Wazuh secret。",
- "乾淨套用 proof 通過只代表 release patch 可落在最新主線,不代表已 push、已部署或已啟用 Wazuh live metadata。",
+ "乾淨套用 proof 與 feature branch push 通過只代表 release patch 可交接,不代表已合併 main、已部署或已啟用 Wazuh live metadata。",
 "live Wazuh metadata query 必須另走 owner gate 與 server-side env;active response、host write、Kali active scan 仍為 0 / false。"
 ],
 "release_gates": [
@@ -50,9 +50,15 @@
 },
 {
 "gate_id": "gitea_branch_push",
- "required_evidence": "具備正式權限的 lane 推送或合併 codex/iwooos-wazuh-boundary-guard-20260624",
+ "required_evidence": "codex/iwooos-wazuh-boundary-guard-20260624 feature branch 已可由 git ls-remote 讀回",
 "runtime_authorized": false,
- "status": "blocked_credential_required"
+ "status": "passed_feature_branch_readback"
+ },
+ {
+ "gate_id": "formal_main_release",
+ "required_evidence": "由正式 release lane 合併 feature branch 或套用等效 patch 到 main;不得 force push",
+ "runtime_authorized": false,
+ "status": "blocked_waiting_formal_release_lane"
 },
 {
 "gate_id": "production_deploy",
@@ -77,7 +83,7 @@
 "apply_check_status": "passed_external_readback_required_after_final_commit",
 "base_commit_readback": "run git rev-parse gitea/main before release; do not hardcode a moving main commit",
 "base_ref": "gitea/main",
- "gitea_push_blocker": "https_noninteractive_credential_required",
+ "feature_branch_push_status": "completed_readback_required_before_release",
 "production_readback_status": "predeploy_404_observed",
 "release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file",
 "source_branch": "codex/iwooos-wazuh-boundary-guard-20260624",
@@ -93,11 +99,12 @@
 "scripts/security/wazuh-readonly-route-boundary-guard.py"
 ],
 "schema_version": "iwooos_wazuh_readonly_release_gate_v1",
- "status": "blocked_waiting_gitea_push_and_production_deploy",
+ "status": "blocked_waiting_formal_main_release_and_production_deploy",
 "summary": {
 "active_response_authorized_count": 0,
- "gitea_push_blocker_observed_count": 1,
- "gitea_push_complete_count": 0,
+ "formal_main_release_complete_count": 0,
+ "gitea_push_blocker_observed_count": 0,
+ "gitea_push_complete_count": 1,
 "host_forensics_ref_accepted_count": 0,
 "host_write_authorized_count": 0,
 "missing_required_source_path_count": 0,
diff --git a/scripts/security/wazuh-readonly-release-gate.py b/scripts/security/wazuh-readonly-release-gate.py
index 262d5361..bc178e28 100644
--- a/scripts/security/wazuh-readonly-release-gate.py
+++ b/scripts/security/wazuh-readonly-release-gate.py
@@ -3,8 +3,9 @@
 IwoooS Wazuh 只讀 API release gate。
 
 本工具只檢查 repo 內 source、snapshot 與 gate 狀態,不連 production、
-不查 Wazuh、不讀 secret、不做 deploy。目的在於固定「source-side 已完成」
-與「Gitea push / production deploy / production readback 尚未完成」的界線。
+不查 Wazuh、不讀 secret、不做 deploy。目的在於固定「source-side 與
+feature branch push 已完成」以及「formal main release / production deploy /
+production readback 尚未完成」的界線。
 """
 
 from __future__ import annotations
@@ -39,7 +40,7 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
 return {
 "schema_version": "iwooos_wazuh_readonly_release_gate_v1",
 "generated_at": generated_at or now_iso(),
- "status": "blocked_waiting_gitea_push_and_production_deploy",
+ "status": "blocked_waiting_formal_main_release_and_production_deploy",
 "mode": "repo_release_gate_no_runtime_no_secret_collection",
 "release_lane_evidence": {
 "source_branch": "codex/iwooos-wazuh-boundary-guard-20260624",
@@ -49,8 +50,8 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
 "base_commit_readback": "run git rev-parse gitea/main before release; do not hardcode a moving main commit",
 "release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file",
 "apply_check_status": "passed_external_readback_required_after_final_commit",
+ "feature_branch_push_status": "completed_readback_required_before_release",
 "production_readback_status": "predeploy_404_observed",
- "gitea_push_blocker": "https_noninteractive_credential_required",
 },
 "required_source_paths": REQUIRED_SOURCE_PATHS,
 "summary": {
@@ -60,8 +61,9 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
 "release_handoff_complete_count": 1 if (root / "docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md").exists() else 0,
 "release_patch_apply_proof_complete_count": 1,
 "missing_required_source_path_count": len(missing_paths),
- "gitea_push_complete_count": 0,
- "gitea_push_blocker_observed_count": 1,
+ "gitea_push_complete_count": 1,
+ "gitea_push_blocker_observed_count": 0,
+ "formal_main_release_complete_count": 0,
 "production_deploy_complete_count": 0,
 "production_readback_passed_count": 0,
 "predeploy_404_observed_count": 1,
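Review bot: In the `summary` hunk, `gitea_push_complete_count` becomes the literal `1` and `gitea_push_blocker_observed_count` the literal `0`, so the gate now reports the feature-branch push as complete without the script having observed anything — the only companion evidence is the string `completed_readback_required_before_release`, and nothing in `build_report` runs or records the `git ls-remote` readback that text refers to. Because the module deliberately does no network or git access, this is an operator attestation and the code should say so rather than read like a measured result: `"gitea_push_complete_count": 1,  # operator-attested after a manual git ls-remote readback; not verified by this script` and, for the same reason, `"feature_branch_push_status": "operator_attested_readback_required_before_release"`. As written, every regeneration re-emits `push=1` even if the branch is later deleted or rewritten, so the release lane should treat this count as a claim to re-check against a fresh `git ls-remote`, not as proof. `build_report` starts and ends outside the hunk.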
@@ -99,8 +101,14 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
 },
 {
 "gate_id": "gitea_branch_push",
- "status": "blocked_credential_required",
- "required_evidence": "具備正式權限的 lane 推送或合併 codex/iwooos-wazuh-boundary-guard-20260624",
+ "status": "passed_feature_branch_readback",
+ "required_evidence": "codex/iwooos-wazuh-boundary-guard-20260624 feature branch 已可由 git ls-remote 讀回",
+ "runtime_authorized": False,
+ },
+ {
+ "gate_id": "formal_main_release",
+ "status": "blocked_waiting_formal_release_lane",
+ "required_evidence": "由正式 release lane 合併 feature branch 或套用等效 patch 到 main;不得 force push",
 "runtime_authorized": False,
 },
 {
@@ -139,9 +147,9 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
 },
 "missing_required_source_paths": missing_paths,
 "operator_interpretation": [
- "此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API 與 guard 可交接。",
+ "此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API、guard 與 feature branch push 可交接。",
 "正式 release 前不得用 predeploy 404 當成功,也不得為了修 404 直接改 Nginx、Docker、K8s、firewall 或 Wazuh secret。",
- "乾淨套用 proof 通過只代表 release patch 可落在最新主線,不代表已 push、已部署或已啟用 Wazuh live metadata。",
+ "乾淨套用 proof 與 feature branch push 通過只代表 release patch 可交接,不代表已合併 main、已部署或已啟用 Wazuh live metadata。",
 "live Wazuh metadata query 必須另走 owner gate 與 server-side env;active response、host write、Kali active scan 仍為 0 / false。",
 ],
 }
@@ -166,7 +174,7 @@ def validate(root: Path) -> None:
 if snapshot.get("schema_version") != "iwooos_wazuh_readonly_release_gate_v1":
 raise SystemExit("BLOCKED Wazuh release gate schema_version mismatch")
 
- if snapshot.get("status") != "blocked_waiting_gitea_push_and_production_deploy":
+ if snapshot.get("status") != "blocked_waiting_formal_main_release_and_production_deploy":
 raise SystemExit("BLOCKED Wazuh release gate status mismatch")
 for key, value in snapshot.get("execution_boundaries", {}).items():
 if key == "not_authorization":
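Review bot: The `validate()` hunk pins `status` to the new literal `blocked_waiting_formal_main_release_and_production_deploy`, which now exists as a second copy of the string written by `build_report`; renaming one and not the other would make the guard reject the snapshot it just generated. Hoist it once, e.g. `RELEASE_GATE_STATUS = "blocked_waiting_formal_main_release_and_production_deploy"`, and reference it from both places. I cannot see the rest of `validate()` from this hunk, so if it does not already pin the new summary key, add `if snapshot.get("summary", {}).get("formal_main_release_complete_count") != 0: raise SystemExit("BLOCKED Wazuh release gate formal_main_release_complete_count must stay 0 until the formal lane merges")` beside the status check; otherwise the `formal_main_release` gate introduced in the same change is enforced only by prose in the gate list. `validate()` continues past the end of the hunk.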
@@ -195,6 +203,7 @@ def main() -> int:
 "WAZUH_READONLY_RELEASE_GATE_OK "
 f"source={summary['source_side_fix_complete_count']} "
 f"push={summary['gitea_push_complete_count']} "
+ f"main={summary['formal_main_release_complete_count']} "
 f"deploy={summary['production_deploy_complete_count']} "
 f"readback={summary['production_readback_passed_count']} "
 f"runtime_gate={summary['runtime_gate_count']}"