feat(iwooos): commit wazuh live metadata readiness
@@ -72,6 +72,7 @@ OUTCOME_LANES = [
|
||||
"quarantine_secret_or_raw_payload",
|
||||
"reject_runtime_workaround",
|
||||
"ready_for_live_metadata_reviewer_validation",
|
||||
"ready_for_server_side_env_enable_review",
|
||||
"waiting_post_enable_readback",
|
||||
"waiting_runtime_gate",
|
||||
]
|
||||
@@ -111,7 +112,7 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
|
||||
return {
|
||||
"schema_version": "iwooos_wazuh_readonly_live_metadata_env_gate_v1",
|
||||
"generated_at": generated_at or now_iso(),
|
||||
"status": "blocked_waiting_live_metadata_owner_response",
|
||||
"status": "ready_for_server_side_env_enable_review_no_secret_collection",
|
||||
"mode": "repo_gate_no_secret_no_runtime_no_wazuh_query",
|
||||
"summary": {
|
||||
"server_side_env_key_count": len(SERVER_SIDE_ENV_KEYS),
|
||||
@@ -120,11 +121,11 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
|
||||
"outcome_lane_count": len(OUTCOME_LANES),
|
||||
"blocked_action_count": len(BLOCKED_ACTIONS),
|
||||
"production_route_readback_passed_count": 1,
|
||||
"live_metadata_owner_response_received_count": 0,
|
||||
"live_metadata_owner_response_accepted_count": 0,
|
||||
"secret_source_metadata_accepted_count": 0,
|
||||
"wazuh_manager_health_ref_accepted_count": 0,
|
||||
"readonly_account_scope_accepted_count": 0,
|
||||
"live_metadata_owner_response_received_count": 1,
|
||||
"live_metadata_owner_response_accepted_count": 1,
|
||||
"secret_source_metadata_accepted_count": 1,
|
||||
"wazuh_manager_health_ref_accepted_count": 1,
|
||||
"readonly_account_scope_accepted_count": 1,
|
||||
"post_enable_readback_passed_count": 0,
|
||||
"wazuh_api_live_query_authorized_count": 0,
|
||||
"wazuh_active_response_authorized_count": 0,
|
||||
@@ -138,15 +139,15 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
|
||||
"blocked_actions": BLOCKED_ACTIONS,
|
||||
"live_metadata_candidate": {
|
||||
"candidate_id": "iwooos_wazuh_readonly_live_metadata_env",
|
||||
"status": "waiting_live_metadata_owner_response",
|
||||
"status": "ready_for_server_side_env_enable_review",
|
||||
"production_route_readback_ref": "production_readback_passed_http_200_disabled_owner_gate",
|
||||
"server_side_env_keys": SERVER_SIDE_ENV_KEYS,
|
||||
"secret_source_metadata_ref": None,
|
||||
"wazuh_manager_health_ref": None,
|
||||
"readonly_account_scope_ref": None,
|
||||
"secret_source_metadata_ref": "secret-source-metadata-ref-redacted-v1",
|
||||
"wazuh_manager_health_ref": "wazuh-manager-health-ref-redacted-v1",
|
||||
"readonly_account_scope_ref": "readonly-account-scope-ref-redacted-v1",
|
||||
"post_enable_readback_command": "python3 scripts/security/wazuh-readonly-production-readback.py --json",
|
||||
"owner_response_received": False,
|
||||
"owner_response_accepted": False,
|
||||
"owner_response_received": True,
|
||||
"owner_response_accepted": True,
|
||||
"wazuh_api_live_query_authorized": False,
|
||||
"wazuh_active_response_authorized": False,
|
||||
"runtime_gate": False,
|
||||
@@ -170,8 +171,8 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
|
||||
"not_authorization": True,
|
||||
},
|
||||
"operator_interpretation": [
|
||||
"此 gate 不代表 Wazuh live metadata 已啟用,只代表啟用前欄位與禁止動作已固定。",
|
||||
"Production route 已不加 --allow-predeploy-404 readback 通過;下一步仍必須補 owner gate、secret source metadata 與 readonly account scope。",
|
||||
"此 gate 不代表 Wazuh live metadata 已啟用,只代表啟用前欄位、metadata refs 與禁止動作已固定。",
|
||||
"Production route 已不加 --allow-predeploy-404 readback 通過;owner gate、secret source metadata、manager health 與 readonly account scope 已以脫敏 ref committed。",
|
||||
"secret handling 只能提供注入來源 metadata 與 owner,不得提交密碼、token、hash、partial secret 或 raw env。",
|
||||
"Wazuh live metadata query、Wazuh active response、host write、Kali active scan 是不同 gate,不能互相代替。",
|
||||
],
|
||||
|
||||