feat(iwooos): commit wazuh live metadata readiness

This commit is contained in:
Your Name
2026-06-28 15:53:17 +08:00
parent b419634843
commit 27a7190c2c
9 changed files with 213 additions and 86 deletions


@@ -72,6 +72,7 @@ OUTCOME_LANES = [
"quarantine_secret_or_raw_payload",
"reject_runtime_workaround",
"ready_for_live_metadata_reviewer_validation",
"ready_for_server_side_env_enable_review",
"waiting_post_enable_readback",
"waiting_runtime_gate",
]
@@ -111,7 +112,7 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
return {
"schema_version": "iwooos_wazuh_readonly_live_metadata_env_gate_v1",
"generated_at": generated_at or now_iso(),
"status": "blocked_waiting_live_metadata_owner_response",
"status": "ready_for_server_side_env_enable_review_no_secret_collection",
"mode": "repo_gate_no_secret_no_runtime_no_wazuh_query",
"summary": {
"server_side_env_key_count": len(SERVER_SIDE_ENV_KEYS),
@@ -120,11 +121,11 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
"outcome_lane_count": len(OUTCOME_LANES),
"blocked_action_count": len(BLOCKED_ACTIONS),
"production_route_readback_passed_count": 1,
"live_metadata_owner_response_received_count": 0,
"live_metadata_owner_response_accepted_count": 0,
"secret_source_metadata_accepted_count": 0,
"wazuh_manager_health_ref_accepted_count": 0,
"readonly_account_scope_accepted_count": 0,
"live_metadata_owner_response_received_count": 1,
"live_metadata_owner_response_accepted_count": 1,
"secret_source_metadata_accepted_count": 1,
"wazuh_manager_health_ref_accepted_count": 1,
"readonly_account_scope_accepted_count": 1,
"post_enable_readback_passed_count": 0,
"wazuh_api_live_query_authorized_count": 0,
"wazuh_active_response_authorized_count": 0,
@@ -138,15 +139,15 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
"blocked_actions": BLOCKED_ACTIONS,
"live_metadata_candidate": {
"candidate_id": "iwooos_wazuh_readonly_live_metadata_env",
"status": "waiting_live_metadata_owner_response",
"status": "ready_for_server_side_env_enable_review",
"production_route_readback_ref": "production_readback_passed_http_200_disabled_owner_gate",
"server_side_env_keys": SERVER_SIDE_ENV_KEYS,
"secret_source_metadata_ref": None,
"wazuh_manager_health_ref": None,
"readonly_account_scope_ref": None,
"secret_source_metadata_ref": "secret-source-metadata-ref-redacted-v1",
"wazuh_manager_health_ref": "wazuh-manager-health-ref-redacted-v1",
"readonly_account_scope_ref": "readonly-account-scope-ref-redacted-v1",
"post_enable_readback_command": "python3 scripts/security/wazuh-readonly-production-readback.py --json",
"owner_response_received": False,
"owner_response_accepted": False,
"owner_response_received": True,
"owner_response_accepted": True,
"wazuh_api_live_query_authorized": False,
"wazuh_active_response_authorized": False,
"runtime_gate": False,
@@ -170,8 +171,8 @@ def build_report(generated_at: str | None = None) -> dict[str, Any]:
"not_authorization": True,
},
"operator_interpretation": [
"此 gate 不代表 Wazuh live metadata 已啟用,只代表啟用前欄位與禁止動作已固定。",
"Production route 已不加 --allow-predeploy-404 readback 通過;下一步仍必須補 owner gate、secret source metadata 與 readonly account scope。",
"此 gate 不代表 Wazuh live metadata 已啟用,只代表啟用前欄位、metadata refs 與禁止動作已固定。",
"Production route 已不加 --allow-predeploy-404 readback 通過owner gate、secret source metadata、manager health 與 readonly account scope 已以脫敏 ref committed",
"secret handling 只能提供注入來源 metadata 與 owner不得提交密碼、token、hash、partial secret 或 raw env。",
"Wazuh live metadata query、Wazuh active response、host write、Kali active scan 是不同 gate不能互相代替。",
],
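Review bot: In the `live_metadata_candidate` hunk, `owner_response_received`/`owner_response_accepted` flip to `True` and the three `*_ref` fields become fixed strings ending in `-redacted-v1` that carry no locator (ticket, document path, or content digest), so nothing in this report can be checked against a record outside the script — the gate now asserts readiness by constant. The matching summary counts in the preceding hunk (`live_metadata_owner_response_received_count: 1`, `..._accepted_count: 1`, the three `*_accepted_count: 1`) are independent literals that can drift from the candidate booleans on the next edit; build the candidate dict first and derive them, e.g. `"live_metadata_owner_response_accepted_count": int(candidate["owner_response_accepted"])`. If the redacted refs are intentionally opaque, a comment such as `# refs are opaque handles; the underlying records live in the owner-gate ticket, not in this repo — nothing here is verifiable offline` would tell the next reviewer what this report does and does not prove. build_report's body continues outside the hunks shown.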