awoooi/docs/security/wazuh-agent-visibility-runtime-gate.snapshot.json
ogt 6ca53fafc9
feat(iwooos): gate Wazuh dashboard API readiness
2026-06-25 18:04:58 +08:00


{
"schema_version": "wazuh_agent_visibility_runtime_gate_v1",
"generated_at": "2026-06-25T11:19:38+08:00",
"status": "blocked_waiting_manager_agent_registry_readback",
"mode": "snapshot_only_no_runtime_no_secret_collection",
"incident_id": "wazuh-agent-visibility-20260624",
"runtime_gate_count": 0,
"manager_agent_registry_readback_passed": false,
"iwooos_live_route_readback_passed": false,
"dashboard_agent_list_recovered": false,
"active_response_authorized": false,
"host_write_authorized": false,
"secret_value_collection_allowed": false,
"manager_services_active_observed": true,
"agent_transport_connected_observed": true,
"manager_transport_established_connection_count": 6,
"dashboard_api_degraded_observed": true,
"dashboard_startup_check_observed": true,
"dashboard_api_connection_check_status": "pending_or_spinning",
"dashboard_api_version_check_status": "not_verified",
"dashboard_alerts_index_pattern_check_status": "ok",
"dashboard_monitoring_index_pattern_check_status": "ok",
"dashboard_statistics_index_pattern_check_status": "ok",
"dashboard_index_pattern_ok_count": 3,
"dashboard_api_connection_ok_count": 0,
"dashboard_api_version_ok_count": 0,
"dashboard_stored_api_unreachable_observed": true,
"dashboard_api_login_500_observed": true,
"dashboard_api_rate_limited_observed": true,
"dashboard_api_run_as_permission_error_observed": true,
"dashboard_api_tls_client_cert_unknown_observed": true,
"manager_registry_cli_permission_blocked": true,
"manager_registry_cli_requires_privilege": true,
"production_route_http_status": 200,
"observed_at_taipei": "2026-06-25T11:19:38+08:00",
"observed_layers": {
"iwooos_production_route": {
"status": "deployed_owner_gate_disabled",
"evidence": "正式站 Wazuh 只讀 API 路由已回 200,狀態為 disabled_waiting_iwooos_wazuh_owner_gate,這代表 route 已部署,但尚未取得 Wazuh manager registry live metadata",
"completion_percent": 65
},
"wazuh_control_plane": {
"status": "observed_active",
"evidence": "112 上 manager、indexer、dashboard 服務已只讀觀察為 active",
"completion_percent": 70
},
"host_agent_transport": {
"status": "observed_connected",
"evidence": "manager 端只讀觀察到多條 agent transport 已建立;這只代表傳輸層存在,不代表 registry 已驗收",
"completion_percent": 65
},
"direct_agent_host_readback": {
"status": "partial_current_readback",
"evidence": "受管節點 A agent service active 且 transport 已建立;受管節點 B 本輪 SSH 只讀連線未通過,需另補合法讀回",
"completion_percent": 45
},
"manager_agent_registry": {
"status": "blocked_no_readonly_registry_access",
"evidence": "kali 使用者無法以一般權限讀 manager registry,CLI 需要更高權限,Wazuh API 需要正式只讀認證",
"completion_percent": 0
},
"dashboard_api_check": {
"status": "degraded_current_observed",
"evidence": "dashboard plugin 在 stored API、login、API check 與 TLS client trust 路徑觀察到 400、429、500 與權限錯誤",
"completion_percent": 70
},
"dashboard_startup_check": {
"status": "api_connection_pending_index_patterns_ok",
"evidence": "Dashboard 啟動畫面可見且 alerts、monitoring、statistics index pattern 已通過,API connection 仍未完成,API version 尚未驗證",
"completion_percent": 45
}
},
"registry_counts": {
"agent_total": null,
"agent_active": null,
"agent_disconnected": null,
"agent_never_connected": null,
"last_seen_window_verified": false
},
"dashboard_error_codes_observed": [
400,
429,
500
],
"current_root_cause_hypotheses": [
"dashboard_stored_api_target_or_health_check_degraded",
"wazuh_api_run_as_or_internal_user_permission_mismatch",
"dashboard_api_check_rate_limited",
"dashboard_tls_client_trust_mismatch",
"dashboard_frontend_index_patterns_ok_but_manager_api_check_pending",
"manager_registry_read_permission_missing_for_current_readonly_user"
],
"required_evidence_before_green": [
{
"evidence_id": "manager_agent_registry_counts",
"accepted": false,
"required_fields": [
"agent_total",
"agent_active",
"agent_disconnected",
"agent_never_connected",
"last_seen_window"
],
"allowed_source": "Wazuh API 只讀中繼資料或 owner 提供的脫敏證據"
},
{
"evidence_id": "iwooos_live_route_readback",
"accepted": false,
"required_fields": [
"schema_version",
"status",
"aggregate_counts",
"runtime_gate_count"
],
"allowed_source": "正式站 /api/iwooos/wazuh 讀回"
},
{
"evidence_id": "dashboard_api_check_repaired_or_explained",
"accepted": false,
"required_fields": [
"stored_api_status",
"api_check_status",
"api_connection_check_status",
"api_version_check_status",
"index_pattern_check_statuses",
"rate_limit_status",
"tls_trust_status"
],
"allowed_source": "已脫敏 dashboard 讀回或 owner 維修證據"
},
{
"evidence_id": "readonly_account_scope",
"accepted": false,
"required_fields": [
"secret_name_only",
"read_scope",
"rotation_owner",
"rollback_owner"
],
"allowed_source": "不含 secret value 的 server-side secret metadata"
},
{
"evidence_id": "owner_response",
"accepted": false,
"required_fields": [
"owner_role",
"team",
"decision",
"decision_reason",
"affected_scope",
"redacted_evidence_refs",
"followup_owner",
"rollback_owner"
],
"allowed_source": "owner response 封包"
}
],
"forbidden_completion_claims": [
"Wazuh 用戶端已恢復",
"Wazuh agent registry 已驗收",
"IwoooS 已能偵測 agent 消失",
"active response 已授權",
"host write 已授權"
],
"next_priority_order": [
"P0-A manager agent registry 只讀計數",
"P0-B dashboard stored API 與 rate-limit 根因",
"P0-C IwoooS Wazuh server-side owner gate 與 live metadata 啟用",
"P0-D dashboard/API mismatch 的 AI 自動化告警卡",
"P0-E owner response 與 rollback owner"
]
}