fix(iwooos): sync Wazuh route readback gates

This commit is contained in:
ogt
2026-06-25 11:28:36 +08:00
parent 2a4d13b959
commit 21ecff9528
12 changed files with 145 additions and 118 deletions

View File

@@ -1,3 +1,26 @@
## 2026-06-25Wazuh release / route readback 狀態收斂與 agent registry 未完成邊界
**背景**Wazuh 用戶端消失事故的關鍵狀態已從「IwoooS production route 仍 404」前進到「route 已部署但 Wazuh live metadata / agent registry 尚未驗收」。本輪同步前台、release gate、live metadata env gate、handoff 與 LOGBOOK避免 operator 或平行工作視窗把 route 200、agent transport、service active 或 UI 可見誤判成所有主機已納回 Wazuh。
**完成**
- `/zh-TW/iwooos` 的 Wazuh release gate 卡片改為顯示 source、feature branch、formal main release、production deploy 與 production readback 皆為 `1`
- 同一張卡保留 `wazuh_live_metadata_env_enabled_count=0``runtime_gate_count=0``wazuh_active_response_authorized=false``host_write_authorized=false`
- Wazuh live metadata env gate 改為 `route_readback=1 owner=0 secret_meta=0 live_query=0 runtime_gate=0`;下一步從修 404 改成 owner gate、secret source metadata、readonly account scope、manager registry 讀回與 Dashboard stored API / RBAC / TLS 修復。
- `IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md` 更新為正式 route 已讀回 `200 disabled_waiting_iwooos_wazuh_owner_gate`,並明確標示 Wazuh manager agent registry accepted 仍為 `0%`
- `wazuh-readonly-production-readback.py` 調整 raw payload pattern避免把安全邊界字串 `raw_wazuh_payload_storage_allowed=false` 誤判成 raw payload 洩漏;仍會阻擋 raw log / raw event / raw alert / raw request / raw response。
**目前真相**
- IwoooS production Wazuh route readback`100%``/api/iwooos/wazuh``200 disabled_waiting_iwooos_wazuh_owner_gate`
- Wazuh release / deploy / readback gate`100%` source + production route 層。
- Wazuh live metadata env enable`0%`,未啟用 server-side Wazuh API 查詢。
- Wazuh manager agent registry accepted`0%`,尚未取得可驗收的 manager registry truth。
- Dashboard stored API / RBAC / run_as / rate-limit / TLS 修復:`0%`,仍是下一個 P0。
- Active response / host write / agent re-enroll / Wazuh restart / Kali active scan`0%`,維持禁止。
**驗證待跑**:本段提交前需重跑 production readback、Wazuh release gate、live metadata env gate、agent visibility runtime gate、frontend display redaction guard、security mirror progress guard、i18n JSON / mirror、TypeScript typecheck、diff check 與 production page 脫敏讀回。
**邊界**:本輪只修 repo / 前台 / 文件 / guard 狀態一致性;沒有讀 Wazuh secret、沒有保存 raw log、沒有重新註冊 agent、沒有重啟 Wazuh、沒有修改 Dashboard stored API、RBAC、TLS、Nginx、Docker、K8s、firewall 或 host config也沒有 active response 或 Kali active scan。
## 2026-06-25Wazuh agent 消失事故二次只讀定位與 no-false-green 加嚴
**背景**:使用者追問 Wazuh 為什麼仍未把所有主機納回監控、原本已納管為何又不見,以及為什麼尚未修復。本輪暫停前台 release gate 收尾,優先做 112 / Wazuh runtime 只讀定位與 repo guard 加嚴。

View File

@@ -1,19 +1,20 @@
# IwoooS Wazuh 只讀 API Release Handoff
> 狀態source-side 修補完成,feature branch 已推送;仍等待具備正式 release 權限的 lane 合併到主線並部署
> 狀態source-side 修補feature branch、正式主線、deploy marker 與 production route readback 已完成;仍等待 Wazuh live metadata owner gate、manager registry 驗收與 Dashboard stored API / RBAC / TLS 修復
> 本文件不包含 secret、token、內網 Wazuh URL、raw log、raw Wazuh payload 或工作視窗逐字稿。
## 目前分層狀態
- feature branch`codex/iwooos-wazuh-boundary-guard-20260624` 已推送到 Gitea精確 HEAD 請用 `git ls-remote` 讀回,不在本文件硬寫避免文件 commit 後自我漂移。
- formal main release`0%`尚未合併到 `main`
- production deploy`0%`,正式 API 仍為部署前 404 邊界
- formal main release`100%`Wazuh 只讀 route / no-false-green patch 已進正式主線
- production deploy`100%`,正式 API 已讀回 `200 disabled_waiting_iwooos_wazuh_owner_gate`
- Wazuh live metadata env enable`0%`,尚未收到正式負責人回覆、機密來源中繼資料、唯讀帳號範圍與 post-enable readback。
- Wazuh manager agent registry accepted`0%`,尚未取得可驗收的 manager registry 只讀讀回。
- active response / host write / Kali active scan`0%`,必須維持關閉。
## 根因判定
`https://awoooi.wooo.work/api/iwooos/wazuh` production 目前`404 {"detail":"Not Found"}`,同時 `https://awoooi.wooo.work/zh-TW/iwooos``200`
正式釋出前,`https://awoooi.wooo.work/api/iwooos/wazuh` `404 {"detail":"Not Found"}`,同時 `https://awoooi.wooo.work/zh-TW/iwooos``200`
判定根因:
@@ -21,6 +22,7 @@
- 既有 `apps/web/src/app/api/iwooos/wazuh/route.ts` 是 Next.js route沒有被 public gateway 暴露到這條 production path。
- FastAPI 後端原本沒有 `/api/iwooos/wazuh` 相容 route因此回 404。
- 這個 404 不能被解讀成 Wazuh manager 一定故障,也不能被解讀成 Wazuh 已未安裝。
- 正式釋出後production route 已讀回 `200 disabled_waiting_iwooos_wazuh_owner_gate`;這只代表 IwoooS route 已部署,不代表 Wazuh manager registry 已恢復或所有 agent 已納管。
## Source-Side 修補
@@ -66,7 +68,7 @@
- 不回傳 raw Wazuh payload、agent 原名、內網 IP、token、password 或 secret。
- 新增 source guard阻擋硬編 Wazuh 內網 URL / port、帳密、關 TLS、假 SOC dashboard、假 CVE、raw payload 與 legacy dashboard component 回流。
- 新增 production readback 腳本,部署後可直接驗證 public API 不再 404、schema / status / boundary 正確,且沒有 raw payload、內網 IP、agent 原名或 secret 洩漏。
- 新增 release gate snapshot 與 guard固定 source-sidefeature branch push 已完成,但 formal main release / production deploy / production readback 尚未完成,避免後續把 predeploy 404 誤判成通過
- 新增 release gate snapshot 與 guard固定 source-sidefeature branch pushformal main releaseproduction deploy production route readback 已完成;同時保留 Wazuh live metadata / manager registry / active response / host write 仍未授權,避免後續把 route 200 誤判成 Wazuh 納管恢復
- 新增 release lane preflight snapshot 與 guard固定正式 release 前必須選擇 `formal_gitea_merge``formal_patch_apply``maintainer_local_push_with_safe_credential` 其中一條合規 lane且 owner ack / evidence 未到齊前不得推主線、deploy、force push、使用明文 token workaround 或改 runtime。
- 新增 release owner request 草稿與 owner response acceptance 帳本,將 required ack flags、required evidence fields、allowed release methods、blocked actions、forbidden payloads 與 reviewer checks 機器可讀化;目前 request sent、response received / accepted、release ready、runtime gate 全部維持 `0`
- 新增 live metadata env gate固定部署後要先通過 production route readback、server-side env owner response、secret source metadata、Wazuh manager health ref、readonly account scope、post-enable readback、rollback 與 no-secret / no-raw-payload attestation目前 live query authorized 仍為 `0`
@@ -98,11 +100,11 @@ NEXT_PUBLIC_API_URL=https://awoooi.wooo.work NEXT_PRIVATE_BUILD_WORKER_COUNT=1 S
- `pytest apps/api/tests/test_iwooos_wazuh_api.py``6 passed`
- `wazuh-readonly-route-boundary-guard``route=2 public_ui_files=1 forbidden=0 runtime_gate=0`
- `wazuh-readonly-release-gate``source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`
- `wazuh-readonly-release-gate``source=1 push=1 main=1 deploy=1 readback=1 runtime_gate=0`
- `wazuh-readonly-release-lane-preflight``ready=0 acks=0/6 evidence=0/6 runtime_gate=0`
- `wazuh-readonly-release-owner-request``drafts=1 sent=0 accepted=0 runtime_gate=0`
- `wazuh-readonly-release-owner-response-acceptance``received=0 accepted=0 acks=0/6 evidence=0/6 runtime_gate=0`
- `wazuh-readonly-live-metadata-env-gate``route_readback=0 owner=0 secret_meta=0 live_query=0 runtime_gate=0`
- `wazuh-readonly-live-metadata-env-gate``route_readback=1 owner=0 secret_meta=0 live_query=0 runtime_gate=0`
- `security-mirror-progress-guard``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- `doc-secrets-sanity-check``DOC_SECRET_SANITY_OK scanned_files=973`
- `py_compile`:通過。
@@ -129,39 +131,38 @@ git am /private/tmp/awoooi-iwooos-wazuh-boundary-release-patch-<timestamp>/*.pat
- `pytest apps/api/tests/test_iwooos_wazuh_api.py``6 passed`
- `python3 scripts/security/wazuh-readonly-route-boundary-guard.py --root .``WAZUH_READONLY_ROUTE_BOUNDARY_GUARD_OK route=2 public_ui_files=1 forbidden=0 runtime_gate=0`
- `python3 scripts/security/wazuh-readonly-release-gate.py --root .``WAZUH_READONLY_RELEASE_GATE_OK source=1 push=1 main=0 deploy=0 readback=0 runtime_gate=0`
- `python3 scripts/security/wazuh-readonly-release-gate.py --root .``WAZUH_READONLY_RELEASE_GATE_OK source=1 push=1 main=1 deploy=1 readback=1 runtime_gate=0`
- `python3 scripts/security/wazuh-readonly-release-lane-preflight.py --root .``WAZUH_READONLY_RELEASE_LANE_PREFLIGHT_OK ready=0 acks=0/6 evidence=0/6 runtime_gate=0`
- `python3 scripts/security/security-mirror-progress-guard.py --root .``SECURITY_MIRROR_PROGRESS_GUARD_OK`
- `python3 scripts/ops/doc-secrets-sanity-check.py ...``DOC_SECRET_SANITY_OK scanned_files=973`
- `python3 -m py_compile ...`:通過。
- `git diff --check`:通過。
尚未部署的 production 現況記錄:
正式部署的 production 現況記錄:
```bash
python3 scripts/security/wazuh-readonly-production-readback.py --allow-predeploy-404 --json
python3 scripts/security/wazuh-readonly-production-readback.py --json
```
預期只可回 `status=predeploy_404_observed`。正式部署驗收不得加 `--allow-predeploy-404`
預期只可回 IwoooS Wazuh read-only route 的安全邊界狀態;目前尚未啟用 Wazuh live metadata因此不得顯示綠燈
目前實測:
```json
{"http_status": 404, "runtime_gate_count": 0, "schema_version": "iwooos_wazuh_production_readback_v1", "status": "predeploy_404_observed"}
{"api_status":"disabled_waiting_iwooos_wazuh_owner_gate","configured":false,"http_status":200,"runtime_gate_count":0,"schema_version":"iwooos_wazuh_production_readback_v1","status":"production_readback_passed"}
```
不加 `--allow-predeploy-404` 時會正確阻擋:`BLOCKED production readback returned 404; Wazuh FastAPI compatibility route is not deployed`
這個讀回不代表 Wazuh manager registry 已恢復;它只代表 route 部署完成且目前仍正確停在 owner gate
## Release 前 Gate
合併 / 部署前需確認:
下一階段 gate 需確認:
- 使用具備正式權限的 Gitea lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD 或同等 patch不得 force push
- release lane preflight 目前固定 `formal_release_lane_ready_count=0``accepted_ack_flag_count=0/6``accepted_evidence_field_count=0/6`;不得把一般「批准繼續」當成 release lane owner response
- feature branch 已推送完成;正式 release 仍必須由合規 lane 合併到 `main` 或套用等效 patch不得用明文 token、舊 credential 或 force push 繞過。
- Wazuh live metadata env gate 目前固定 `owner=0``secret_meta=0``live_query=0`;不得把一般「批准繼續」當成 server-side env owner response
- route 已部署完成;下一步不是再修 404而是建立 Wazuh manager registry 只讀驗收、Dashboard stored API / RBAC / TLS 修復與 post-enable readback
- 不得複製舊 workspace 的內嵌明文 Gitea token。
- 不得把 Wazuh URL、帳密、token、cookie、private key、runner token 或 webhook secret 寫入 repo。
- 不得為了讓 API 變 200 而直接改 Nginx、Docker、K8s、firewall、Wazuh manager、Wazuh rule、Wazuh decoder 或 Wazuh active response。
- 不得為了讓 agent 顯示回來而直接改 Nginx、Docker、K8s、firewall、Wazuh manager、Wazuh rule、Wazuh decoder、stored API、RBAC、TLS 或 Wazuh active response。
- 若要啟用 live metadata query必須由正式 secrets / env 注入 `IWOOOS_WAZUH_READONLY_ENABLED=true` 與 Wazuh server-side env且要先有 owner gate。
## Production Readback 預期
@@ -207,25 +208,25 @@ python3 scripts/security/wazuh-readonly-production-readback.py --json
| Wazuh public API 404 source-side 修補 | `100%` | 已完成本地分支 HEAD |
| Wazuh route boundary source guard | `100%` | 已納入 `security-mirror-progress-guard` |
| Production readback 驗收腳本 | `100%` | 已完成;正式部署後不得接受 404 |
| Wazuh release gate snapshot / guard | `100%` | 已完成;固定 feature branch push 已完成formal main release / deploy / readback 仍 blocked |
| Wazuh release gate snapshot / guard | `100%` | 已完成;固定 source / feature branch / main / deploy / readback 已完成live metadata 仍 blocked |
| Wazuh release lane preflight | `100%` | 已完成owner acks `0/6`、evidence `0/6`、正式 release ready `0` |
| Wazuh release owner request / acceptance | `100%` | 已完成只讀草稿與收件帳本request sent `0`、response accepted `0` |
| Wazuh live metadata env gate | `100%` | 已完成只讀 gateroute readback / owner / secret metadata / live query 仍 `0` |
| Wazuh live metadata env gate | `100%` | 已完成只讀 gateroute readback `1`owner / secret metadata / live query 仍 `0` |
| Wazuh agent registry no-false-green | `100%` | source-side 已能區分 registry 空與低於預期production live registry accepted 仍 `0` |
| IwoooS 前台 Wazuh live metadata env gate 卡片 | `100%` | source-side 與本機桌機 / 手機驗證完成production deploy`0` |
| IwoooS 前台 Wazuh live metadata env gate 卡片 | `100%` | source-side 與本機桌機 / 手機驗證完成production route readback 已完成live metadata`0` |
| 乾淨套用 proof | `100%` | patch set 可落在最新 `gitea/main` 並通過同組 guard最終 hash 以 release 前 readback 為準 |
| Gitea feature branch push | `100%` | `codex/iwooos-wazuh-boundary-guard-20260624` 已推送;精確 HEAD 以 release 前讀回為準 |
| Formal main release | `0%` | 尚未由正式 release lane 合併到 `main` |
| Production deploy / readback | `0%` | 等待 release lane |
| Formal main release | `100%` | 已進正式主線 |
| Production deploy / readback | `100%` | 已回 `200 disabled_waiting_iwooos_wazuh_owner_gate` |
| Wazuh server-side env enable | `0%` | 等待 owner gate 與 secrets 注入 |
| Wazuh manager agent registry accepted | `0%` | 尚未取得可驗收 registry truth |
| Wazuh event refs / host forensic refs accepted | `0%` | 尚未收到合格證據 |
| Wazuh active response / host write / Kali active scan | `0%` | 必須維持 false |
## 下一步優先序
1. `wazuh-readonly-release-owner-request.snapshot.json` 補 release lane owner response選擇 formal merge、formal patch apply 或安全 credential push並補 6 個 ack 與 6 個 evidence 欄位
2. 解決受控 workspace Gitea HTTPS push 認證,或由正式 release lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD
3. 部署後先驗證 `/api/iwooos/wazuh` 不再 404且預設 disabled 邊界正確
4. 另依 `wazuh-readonly-live-metadata-env-gate.snapshot.json` 補 server-side env owner response、secret source metadata、Wazuh manager health ref、readonly account scope 與 post-enable readback才可考慮啟用 Wazuh read-only metadata query
5. 收件 Wazuh manager health ref、agent status ref、event refs、host forensic refs 與 containment / recovery proof。
6. 仍禁止 active response、host write、firewall / Nginx / Docker / K8s runtime action、Kali active scan、secret 明文收集。
1.`wazuh-readonly-live-metadata-env-gate.snapshot.json` 補 server-side env owner response、secret source metadata、Wazuh manager health ref、readonly account scope 與 post-enable readback才可考慮啟用 Wazuh read-only metadata query
2. 取得 Wazuh manager agent registry 的脫敏、可驗收只讀讀回:總數、在線、離線、從未連線、最後連線時間窗與 Dashboard API 狀態參照
3. 修復 Dashboard stored API / RBAC / run_as / rate-limit / TLS trust 退化;修復前不得把 Dashboard 看不到 agent 解讀成 agent 全部消失,也不得把 transport count 解讀成 agent registry 恢復
4. 收件 Wazuh manager health ref、agent status ref、event refs、host forensic refs 與 containment / recovery proof
5. 仍禁止 active response、host write、firewall / Nginx / Docker / K8s runtime action、Kali active scan、secret 明文收集。

View File

@@ -1,6 +1,6 @@
{
"schema_version": "wazuh_agent_visibility_runtime_gate_v1",
"generated_at": "2026-06-25T10:45:00+08:00",
"generated_at": "2026-06-25T11:19:38+08:00",
"status": "blocked_waiting_manager_agent_registry_readback",
"mode": "snapshot_only_no_runtime_no_secret_collection",
"incident_id": "wazuh-agent-visibility-20260624",
@@ -22,13 +22,13 @@
"dashboard_api_tls_client_cert_unknown_observed": true,
"manager_registry_cli_permission_blocked": true,
"manager_registry_cli_requires_privilege": true,
"production_route_http_status": 404,
"observed_at_taipei": "2026-06-25T10:43:16+08:00",
"production_route_http_status": 200,
"observed_at_taipei": "2026-06-25T11:19:38+08:00",
"observed_layers": {
"iwooos_production_route": {
"status": "blocked",
"evidence": "正式站 Wazuh 只讀 API 路由在部署前仍回 404",
"completion_percent": 0
"status": "deployed_owner_gate_disabled",
"evidence": "正式站 Wazuh 只讀 API 路由已回 200狀態為 disabled_waiting_iwooos_wazuh_owner_gate這代表 route 已部署,但尚未取得 Wazuh manager registry live metadata",
"completion_percent": 65
},
"wazuh_control_plane": {
"status": "observed_active",
@@ -147,7 +147,7 @@
"next_priority_order": [
"P0-A manager agent registry 只讀計數",
"P0-B dashboard stored API 與 rate-limit 根因",
"P0-C IwoooS 正式站 Wazuh 路由讀回",
"P0-C IwoooS Wazuh server-side owner gate 與 live metadata 啟用",
"P0-D dashboard/API mismatch 的 AI 自動化告警卡",
"P0-E owner response 與 rollback owner"
]

View File

@@ -41,14 +41,14 @@
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false
},
"generated_at": "2026-06-24T22:48:00+08:00",
"generated_at": "2026-06-25T11:19:38+08:00",
"live_metadata_candidate": {
"candidate_id": "iwooos_wazuh_readonly_live_metadata_env",
"not_authorization": true,
"owner_response_accepted": false,
"owner_response_received": false,
"post_enable_readback_command": "python3 scripts/security/wazuh-readonly-production-readback.py --json",
"production_route_readback_ref": null,
"production_route_readback_ref": "production_readback_passed_http_200_disabled_owner_gate",
"readonly_account_scope_ref": null,
"runtime_gate": false,
"secret_source_metadata_ref": null,
@@ -58,7 +58,7 @@
"WAZUH_API_USERNAME",
"WAZUH_API_PASSWORD"
],
"status": "waiting_release_readback_and_live_metadata_owner_response",
"status": "waiting_live_metadata_owner_response",
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false,
"wazuh_manager_health_ref": null
@@ -66,7 +66,7 @@
"mode": "repo_gate_no_secret_no_runtime_no_wazuh_query",
"operator_interpretation": [
"此 gate 不代表 Wazuh live metadata 已啟用,只代表啟用前欄位與禁止動作已固定。",
"Production route 必須先不加 --allow-predeploy-404 readback 通過,才能考慮 server-side env enable。",
"Production route 不加 --allow-predeploy-404 readback 通過;下一步仍必須補 owner gate、secret source metadata 與 readonly account scope。",
"secret handling 只能提供注入來源 metadata 與 owner不得提交密碼、token、hash、partial secret 或 raw env。",
"Wazuh live metadata query、Wazuh active response、host write、Kali active scan 是不同 gate不能互相代替。"
],
@@ -123,7 +123,7 @@
"WAZUH_API_USERNAME",
"WAZUH_API_PASSWORD"
],
"status": "blocked_waiting_release_readback_and_live_metadata_owner_response",
"status": "blocked_waiting_live_metadata_owner_response",
"summary": {
"blocked_action_count": 23,
"host_write_authorized_count": 0,
@@ -131,7 +131,7 @@
"live_metadata_owner_response_received_count": 0,
"outcome_lane_count": 10,
"post_enable_readback_passed_count": 0,
"production_route_readback_passed_count": 0,
"production_route_readback_passed_count": 1,
"readonly_account_scope_accepted_count": 0,
"required_owner_field_count": 15,
"reviewer_check_count": 15,

View File

@@ -14,13 +14,13 @@
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false
},
"generated_at": "2026-06-25T23:40:00+08:00",
"generated_at": "2026-06-25T11:19:38+08:00",
"missing_required_source_paths": [],
"mode": "repo_release_gate_no_runtime_no_secret_collection",
"operator_interpretation": [
"此 gate 通過不代表 production 已部署,只代表 source-side Wazuh read-only API、guard 與 feature branch push 可交接。",
"正式 release 前不得用 predeploy 404 當成功,也不得為了修 404 直接改 Nginx、Docker、K8s、firewall 或 Wazuh secret。",
"乾淨套用 proof 與 feature branch push 通過只代表 release patch 可交接,不代表已合併 main、已部署或已啟用 Wazuh live metadata。",
"此 gate 通過代表 source-side、feature branch、main release、deploy marker 與 production route readback 已完成。",
"production route 回 200 只代表 IwoooS Wazuh read-only route 已部署;目前狀態仍為 disabled_waiting_iwooos_wazuh_owner_gate。",
"不得把 route 200、UI 可見、agent transport 或 service active 當成 Wazuh manager registry 已驗收。",
"live Wazuh metadata query 必須另走 owner gate 與 server-side envactive response、host write、Kali active scan 仍為 0 / false。"
],
"release_gates": [
@@ -56,21 +56,21 @@
},
{
"gate_id": "formal_main_release",
"required_evidence": "由正式 release lane 合併 feature branch 或套用等效 patch 到 main;不得 force push",
"required_evidence": "main 已快轉到包含 Wazuh fix 的 commit;不得 force push",
"runtime_authorized": false,
"status": "blocked_waiting_formal_release_lane"
"status": "passed_main_fast_forward_readback"
},
{
"gate_id": "production_deploy",
"required_evidence": "Gitea CD / deploy marker 指向已合併 Wazuh fix 的 commit",
"required_evidence": "Gitea CD deploy marker 指向已合併 Wazuh fix 的 commit",
"runtime_authorized": false,
"status": "blocked_waiting_release_lane"
"status": "passed_deploy_marker_readback"
},
{
"gate_id": "production_readback",
"required_evidence": "python3 scripts/security/wazuh-readonly-production-readback.py --json 通過且不回 404",
"runtime_authorized": false,
"status": "blocked_waiting_deploy"
"status": "passed_disabled_owner_gate_readback"
},
{
"gate_id": "wazuh_live_metadata_env",
@@ -84,7 +84,7 @@
"base_commit_readback": "run git rev-parse gitea/main before release; do not hardcode a moving main commit",
"base_ref": "gitea/main",
"feature_branch_push_status": "completed_readback_required_before_release",
"production_readback_status": "predeploy_404_observed",
"production_readback_status": "production_readback_passed",
"release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file",
"source_branch": "codex/iwooos-wazuh-boundary-guard-20260624",
"source_fix_commit_readback": "run git log --oneline gitea/main..HEAD before release; do not hardcode a rebase-sensitive commit hash",
@@ -99,18 +99,18 @@
"scripts/security/wazuh-readonly-route-boundary-guard.py"
],
"schema_version": "iwooos_wazuh_readonly_release_gate_v1",
"status": "blocked_waiting_formal_main_release_and_production_deploy",
"status": "released_waiting_wazuh_live_metadata_owner_gate",
"summary": {
"active_response_authorized_count": 0,
"formal_main_release_complete_count": 0,
"formal_main_release_complete_count": 1,
"gitea_push_blocker_observed_count": 0,
"gitea_push_complete_count": 1,
"host_forensics_ref_accepted_count": 0,
"host_write_authorized_count": 0,
"missing_required_source_path_count": 0,
"predeploy_404_observed_count": 1,
"production_deploy_complete_count": 0,
"production_readback_passed_count": 0,
"predeploy_404_observed_count": 0,
"production_deploy_complete_count": 1,
"production_readback_passed_count": 1,
"production_readback_script_complete_count": 1,
"release_handoff_complete_count": 1,
"release_patch_apply_proof_complete_count": 1,