fix(iwooos): split Wazuh release gate layers
@@ -3,8 +3,9 @@
|
||||
IwoooS Wazuh 只讀 API release gate。
|
||||
|
||||
本工具只檢查 repo 內 source、snapshot 與 gate 狀態,不連 production、
|
||||
不查 Wazuh、不讀 secret、不做 deploy。目的在於固定「source-side 已完成」
|
||||
與「Gitea push / production deploy / production readback 尚未完成」的界線。
|
||||
不查 Wazuh、不讀 secret、不做 deploy。目的在於固定「source-side 與
|
||||
feature branch push 已完成」以及「formal main release / production deploy /
|
||||
production readback 尚未完成」的界線。
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
@@ -39,7 +40,7 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
|
||||
return {
|
||||
"schema_version": "iwooos_wazuh_readonly_release_gate_v1",
|
||||
"generated_at": generated_at or now_iso(),
|
||||
"status": "blocked_waiting_gitea_push_and_production_deploy",
|
||||
"status": "blocked_waiting_formal_main_release_and_production_deploy",
|
||||
"mode": "repo_release_gate_no_runtime_no_secret_collection",
|
||||
"release_lane_evidence": {
|
||||
"source_branch": "codex/iwooos-wazuh-boundary-guard-20260624",
|
||||
@@ -49,8 +50,8 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
|
||||
"base_commit_readback": "run git rev-parse gitea/main before release; do not hardcode a moving main commit",
|
||||
"release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file",
|
||||
"apply_check_status": "passed_external_readback_required_after_final_commit",
|
||||
"feature_branch_push_status": "completed_readback_required_before_release",
|
||||
"production_readback_status": "predeploy_404_observed",
|
||||
"gitea_push_blocker": "https_noninteractive_credential_required",
|
||||
},
|
||||
"required_source_paths": REQUIRED_SOURCE_PATHS,
|
||||
"summary": {
|
||||
@@ -60,8 +61,9 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
|
||||
"release_handoff_complete_count": 1 if (root / "docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md").exists() else 0,
|
||||
"release_patch_apply_proof_complete_count": 1,
|
||||
"missing_required_source_path_count": len(missing_paths),
|
||||
"gitea_push_complete_count": 0,
|
||||
"gitea_push_blocker_observed_count": 1,
|
||||
"gitea_push_complete_count": 1,
|
||||
"gitea_push_blocker_observed_count": 0,
|
||||
"formal_main_release_complete_count": 0,
|
||||
"production_deploy_complete_count": 0,
|
||||
"production_readback_passed_count": 0,
|
||||
"predeploy_404_observed_count": 1,
|
||||
@@ -99,8 +101,14 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
|
||||
},
|
||||
{
|
||||
"gate_id": "gitea_branch_push",
|
||||
"status": "blocked_credential_required",
|
||||
"required_evidence": "具備正式權限的 lane 推送或合併 codex/iwooos-wazuh-boundary-guard-20260624",
|
||||
"status": "passed_feature_branch_readback",
|
||||
"required_evidence": "codex/iwooos-wazuh-boundary-guard-20260624 feature branch 已可由 git ls-remote 讀回",
|
||||
"runtime_authorized": False,
|
||||
},
|
||||
{
|
||||
"gate_id": "formal_main_release",
|
||||
"status": "blocked_waiting_formal_release_lane",
|
||||
"required_evidence": "由正式 release lane 合併 feature branch 或套用等效 patch 到 main;不得 force push",
|
||||
"runtime_authorized": False,
|
||||
},
|
||||
{
|
||||
@@ -139,9 +147,9 @@ def build_report(root: Path, generated_at: str | None = None) -> dict[str, Any]:
|
||||
},
|
||||
"missing_required_source_paths": missing_paths,
|
||||
"operator_interpretation": [
|
||||
"此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API 與 guard 可交接。",
|
||||
"此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API、guard 與 feature branch push 可交接。",
|
||||
"正式 release 前不得用 predeploy 404 當成功,也不得為了修 404 直接改 Nginx、Docker、K8s、firewall 或 Wazuh secret。",
|
||||
"乾淨套用 proof 通過只代表 release patch 可落在最新主線,不代表已 push、已部署或已啟用 Wazuh live metadata。",
|
||||
"乾淨套用 proof 與 feature branch push 通過只代表 release patch 可交接,不代表已合併 main、已部署或已啟用 Wazuh live metadata。",
|
||||
"live Wazuh metadata query 必須另走 owner gate 與 server-side env;active response、host write、Kali active scan 仍為 0 / false。",
|
||||
],
|
||||
}
|
||||
@@ -166,7 +174,7 @@ def validate(root: Path) -> None:
|
||||
|
||||
if snapshot.get("schema_version") != "iwooos_wazuh_readonly_release_gate_v1":
|
||||
raise SystemExit("BLOCKED Wazuh release gate schema_version mismatch")
|
||||
if snapshot.get("status") != "blocked_waiting_gitea_push_and_production_deploy":
|
||||
if snapshot.get("status") != "blocked_waiting_formal_main_release_and_production_deploy":
|
||||
raise SystemExit("BLOCKED Wazuh release gate status mismatch")
|
||||
for key, value in snapshot.get("execution_boundaries", {}).items():
|
||||
if key == "not_authorization":
|
||||
@@ -195,6 +203,7 @@ def main() -> int:
|
||||
"WAZUH_READONLY_RELEASE_GATE_OK "
|
||||
f"source={summary['source_side_fix_complete_count']} "
|
||||
f"push={summary['gitea_push_complete_count']} "
|
||||
f"main={summary['formal_main_release_complete_count']} "
|
||||
f"deploy={summary['production_deploy_complete_count']} "
|
||||
f"readback={summary['production_readback_passed_count']} "
|
||||
f"runtime_gate={summary['runtime_gate_count']}"
|
||||
|
||||
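Review bot: The gate status literal `"blocked_waiting_formal_main_release_and_production_deploy"` now appears twice, in the `build_report` return dict and again in the `validate` comparison, and this commit had to edit both in lockstep; hoist it next to the schema string as a module constant, e.g. `GATE_STATUS = "blocked_waiting_formal_main_release_and_production_deploy"`, and reference it from both functions so the next layer split cannot drift. Separately, `"gitea_push_complete_count": 1` and the `gitea_branch_push` gate's `"passed_feature_branch_readback"` are hardcoded values, while the adjacent required_evidence text describes a `git ls-remote` readback that this tool, by its own module docstring, never performs; `validate()` therefore only confirms that the snapshot reproduces these literals, not that the feature branch is actually readable. A comment on those entries such as `# operator attestation from an external git ls-remote readback; not computed by this tool` would make clear that the gate records a claim rather than a check. Both `build_report` and `validate` start and end outside the visible hunks.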