feat(iwooos): classify Wazuh dashboard readback degradation

ogt
2026-06-25 09:13:17 +08:00
parent 3a179e7f4a
commit 027ffb73ae
9 changed files with 100 additions and 14 deletions


@@ -26,8 +26,8 @@
|------|--------|
| source formatter markers | `11` |
| 最後出口合約 | `3` |
| 測試合約 | `10` |
| AIOps signal lanes | `6` |
| 測試合約 | `11` |
| AIOps signal lanes | `7` |
| Host resource lanes | `6` |
| raw output 阻擋 marker | `12` |
| required output marker | `6` |
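Review bot: the `source formatter markers` row stays at `11` while `測試合約` and `AIOps signal lanes` each go up by one. If the new `wazuh_dashboard_api_readback_degraded` lane is handled by an existing formatter marker, say so next to the table; if it has its own marker, this row and `source_formatter_marker_count` in the snapshot need the same bump.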
@@ -37,7 +37,8 @@
- `TelegramGateway._send_request()` 必須套用 `normalize_telegram_send_message_payload()`
- `send_alert_notification()``send_text()` 必須先走 `normalize_alert_notification_payload()`
- Host CPU / load / root Node.js / Prisma / Next build 只能轉成 `主機資源壓力` AI 事件卡。
- Wazuh、Kali、Nginx drift、backup / restore、provider freshness、supply-chain 類訊號只能轉成 AIOps 候選事件卡。
- Wazuh Dashboard / API 讀回退化、Wazuh 入侵訊號、Kali、Nginx drift、backup / restore、provider freshness、supply-chain 類訊號只能轉成 AIOps 候選事件卡。
- Wazuh Dashboard 顯示 agent 消失但 manager registry 尚未驗收時,必須轉成 `wazuh_dashboard_api_readback_degraded`,不得把它誤寫為 agent 全部消失或已恢復。
- 外部版本檢查 URL、套件樹路徑、workspace 路徑、runner toolcache 路徑、raw Wazuh path、raw Nginx path、內網 IP、token-like 字串、raw Prisma JSON 不得出現在格式化後訊息。
## 3. 驗收邊界
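Review bot: the new rule on `wazuh_dashboard_api_readback_degraded` only defines the case where the manager registry is not yet verified (`manager registry 尚未驗收時`) and gives no exit condition. Add a sentence stating which classification applies once the registry readback confirms that agents really are disconnected, so a genuine agent outage cannot stay labelled as a Dashboard/API readback problem indefinitely.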


@@ -73,7 +73,7 @@
| P0-A | Wazuh manager agent registry 只讀驗收 | owner 提供脫敏 `agent_total / active / disconnected / last_seen` ref或經 server-side secret metadata 啟用 IwoooS 只讀 API | `40%` |
| P0-B | Dashboard stored API / rate-limit / TLS trust 修復 gate | 查明 `/api/check-stored-api` 429/500 根因;維修前有 owner、rollback、postcheck維修後 Dashboard 與 API count 一致 | `35%` |
| P0-C | IwoooS live metadata route 正式部署 | `/api/iwooos/wazuh` 不再 404回傳 schema `iwooos_wazuh_readonly_status_v1`,不洩漏 agent identity / internal IP / secret | `55%` source-side、`0%` production |
| P0-D | Wazuh agent disappearance alert card | 產出 `ai_automation_alert_card_v1`,包含 agent count delta、Dashboard API status、manager health、next gate、owner | `20%` |
| P0-D | Wazuh agent disappearance alert card | 產出 `ai_automation_alert_card_v1`,包含 agent count delta、Dashboard API status、manager health、next gate、owner;本輪已新增 `wazuh_dashboard_api_readback_degraded` formatter / test / guard | `70%` source-side、`0%` delivery receipt |
| P0-E | 112/Wazuh owner response | 回覆 owner role/team、decision、reason、affected scope、redacted evidence refs、rollback owner、followup owner | `0%` |
| P1-A | 110/188 agent receipt heartbeat | 每台 host 定期只讀確認 service active、manager target、1514 established、last evidence ref | `45%` |
| P1-B | Dashboard no-false-green | Dashboard 429/500 或 Wazuh API check failure 要進 IwoooS incident不可顯示綠燈 | `15%` |
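Review bot: in the P0-D row the progress moves from `20%` to `70%` source-side on the basis of a formatter, test and guard, but the same row still requires `agent count delta` and `manager health` in the card, and those depend on the registry readback that P0-A lists at `40%`. State in the row which of the required fields the formatter can populate today and which wait on P0-A, so the 70% is not read as the card being field-complete.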
@@ -84,7 +84,7 @@
1. 請 Wazuh/112 owner 補脫敏 agent registry evidence`agent_total``active``disconnected``never_connected``last_seen` 時間窗,不提供密碼或 raw payload。
2. 啟用 IwoooS `/api/iwooos/wazuh` 前,先完成 production route readback、server-side env owner、secret source metadata、readonly account scope 與 rollback owner。
3. 若 owner 批准維修 Dashboard stored API必須先做 read-only preflightrate-limit 現況、stored API 指向、TLS trust、API user scope、Dashboard 與 manager 版本、回滾方式。
4. 補 IwoooS AI 事件卡:當 Dashboard 顯示 agents 空白但 110/188 agent 仍 connected 時,分類為 `wazuh_dashboard_api_readback_degraded`,而不是 `all_agents_missing`
4. 補 IwoooS AI 事件卡正式 readbacksource-side formatter 已能把 Dashboard/API mismatch 分類為 `wazuh_dashboard_api_readback_degraded`;下一步需接 delivery receipt、AwoooP timeline 與 IwoooS 前台 readback
## 7. 完成度
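Review bot: the rewritten step 4 drops the concrete trigger from the old text (Dashboard shows agents blank while the 110/188 agents are still connected) and the explicit contrast with `all_agents_missing`, leaving only "Dashboard/API mismatch". Keep the trigger condition in this step or link to where it is defined, since the next-step items (delivery receipt, AwoooP timeline, front-end readback) all depend on reviewers knowing exactly what counts as a mismatch.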
@@ -92,5 +92,5 @@
- 真正 agent registry 驗收:`0%`
- IwoooS live readback production`0%`
- Dashboard stored API 修復:`0%`
- SOC / Wazuh no-false-green 納管:`45%`
- SOC / Wazuh no-false-green 納管:`52%`
- active response / host write / auto block`0%`,保持關閉。


@@ -1,5 +1,6 @@
{
"ai_signal_lanes": [
"wazuh_dashboard_api_readback_degraded",
"wazuh_intrusion_signal",
"kali_assessment_signal",
"nginx_config_drift",
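Review bot: `wazuh_dashboard_api_readback_degraded` is inserted at the head of `ai_signal_lanes`, ahead of `wazuh_intrusion_signal`. If any consumer treats list order as match priority or display order, a readback-degradation lane would now be evaluated before the intrusion lane; confirm order is not significant, or append the new lane after the existing entries.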
@@ -54,8 +55,8 @@
"required_marker": "normalize_alert_notification_payload"
}
],
"generated_at": "2026-06-19T02:01:35+08:00",
"git_commit": "7d032eab",
"generated_at": "2026-06-25T09:07:58+08:00",
"git_commit": "3a179e7f",
"host_resource_lanes": [
"orphan_browser_smoke_runaway_process",
"ci_runner_load_saturation",
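Review bot: `git_commit` is updated to `3a179e7f`, which is this commit's parent, yet the snapshot already lists the lane and test contract that this commit introduces. The snapshot was therefore generated from an uncommitted working tree and cannot be reproduced from the hash it records. Regenerate it after the commit, or add a field that marks the snapshot as built from a modified tree.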
@@ -93,7 +94,7 @@
"status": "telegram_alert_readability_guard_ready_no_runtime_action",
"summary": {
"action_button_count": 0,
"ai_signal_lane_count": 6,
"ai_signal_lane_count": 7,
"blocked_raw_output_marker_count": 12,
"bot_api_call_authorized_count": 0,
"final_exit_contract_count": 3,
@@ -105,11 +106,12 @@
"secret_value_collection_allowed_count": 0,
"source_formatter_marker_count": 11,
"telegram_send_authorized_count": 0,
"test_contract_count": 10
"test_contract_count": 11
},
"test_contracts": [
"test_ci_runner_load_alert_becomes_capacity_event_packet",
"test_wazuh_alert_becomes_aiops_signal_event_packet",
"test_wazuh_dashboard_api_degraded_alert_becomes_readback_gap_event_packet",
"test_nginx_drift_alert_becomes_public_gateway_event_packet",
"test_aiops_signal_formatter_covers_non_host_alert_lanes",
"test_send_alert_notification_normalizes_host_resource_raw_dump",
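Review bot: `test_contracts` gains only the positive case `test_wazuh_dashboard_api_degraded_alert_becomes_readback_gap_event_packet`, while the documented rule also forbids rendering the event as all agents missing or as already recovered. Add a contract that asserts the formatted card for a Dashboard/API mismatch contains neither wording, so the no-false-green and no-false-alarm halves of the rule are both guarded.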