feat(iwooos): add Wazuh release lane preflight
@@ -18,7 +18,7 @@

本地 commit:

- `codex/iwooos-wazuh-boundary-guard-20260624` Wazuh API commit:`47d36e85 fix(iwooos): 接上 Wazuh 只讀 API 邊界`
- `codex/iwooos-wazuh-boundary-guard-20260624` Wazuh API commit 會在每次 rebase 後改變;請在 release 前用 `git log --oneline gitea/main..HEAD` 讀回,不硬寫在本文件內。
- `codex/iwooos-wazuh-boundary-guard-20260624` 最終分支 HEAD 不硬寫在本文件內;請在 release 前用 `git rev-parse HEAD` 讀回,避免 commit 自我引用造成 hash 漂移。
- Release patch set 需在最終 docs commit 後以 `git format-patch gitea/main..HEAD` 重新產生,再用 `shasum -a 256` 讀回;不得沿用 rebase 前或文件修正前的舊 patch SHA。

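Review bot: the replacement bullet drops the pinned `47d36e85`, but `git log --oneline gitea/main..HEAD` lists every commit on the branch, so a reader following it still has to know which subject line to look for. Suggest naming the subject to match, e.g. `fix(iwooos): 接上 Wazuh 只讀 API 邊界`, so the readback stays unambiguous after a rebase. The same hash also remains pinned in `docs/security/wazuh-readonly-release-gate.snapshot.json` (`"source_fix_commit": "47d36e85"`) in this same commit; that file needs the same treatment or the document and the snapshot will disagree on the next rebase.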
@@ -30,8 +30,10 @@
- `scripts/security/wazuh-readonly-route-boundary-guard.py`
- `scripts/security/wazuh-readonly-production-readback.py`
- `scripts/security/wazuh-readonly-release-gate.py`
- `scripts/security/wazuh-readonly-release-lane-preflight.py`
- `scripts/security/security-mirror-progress-guard.py`
- `docs/security/wazuh-readonly-release-gate.snapshot.json`
- `docs/security/wazuh-readonly-release-lane-preflight.snapshot.json`
- `docs/LOGBOOK.md`

完成內容:
@@ -46,6 +48,7 @@
- 新增 source guard,阻擋硬編 Wazuh 內網 URL / port、帳密、關 TLS、假 SOC dashboard、假 CVE、raw payload 與 legacy dashboard component 回流。
- 新增 production readback 腳本,部署後可直接驗證 public API 不再 404、schema / status / boundary 正確,且沒有 raw payload、內網 IP、agent 原名或 secret 洩漏。
- 新增 release gate snapshot 與 guard,固定 source-side 已完成、Gitea push / production deploy / production readback 尚未完成,避免後續把 predeploy 404 誤判成通過。
- 新增 release lane preflight snapshot 與 guard,固定正式 release 前必須選擇 `formal_gitea_merge`、`formal_patch_apply` 或 `maintainer_local_push_with_safe_credential` 其中一條合規 lane,且 owner ack / evidence 未到齊前不得 push、deploy、force push、使用明文 token workaround 或改 runtime。

## 已完成驗證

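Review bot: the new preflight bullet names `maintainer_local_push_with_safe_credential` as a compliant lane but does not say what counts as a safe credential; the lane entry in the new snapshot defines it as a credential helper, SSH key or formal release token. Suggest repeating that definition here, since this paragraph is what an operator reads before touching the remote, and the bullet otherwise only rules out the plaintext token workaround by name.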
@@ -55,9 +58,10 @@
pytest apps/api/tests/test_iwooos_wazuh_api.py
python3 scripts/security/wazuh-readonly-route-boundary-guard.py --root .
python3 scripts/security/wazuh-readonly-release-gate.py --root .
python3 scripts/security/wazuh-readonly-release-lane-preflight.py --root .
python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/ops/doc-secrets-sanity-check.py docs apps/api/src/api/v1/iwooos.py apps/web/src/app/api/iwooos/wazuh/route.ts scripts/security/wazuh-readonly-route-boundary-guard.py scripts/security/wazuh-readonly-production-readback.py scripts/security/wazuh-readonly-release-gate.py
python3 -m py_compile apps/api/src/api/v1/iwooos.py scripts/security/wazuh-readonly-route-boundary-guard.py scripts/security/wazuh-readonly-production-readback.py scripts/security/wazuh-readonly-release-gate.py scripts/security/security-mirror-progress-guard.py
python3 scripts/ops/doc-secrets-sanity-check.py docs apps/api/src/api/v1/iwooos.py apps/web/src/app/api/iwooos/wazuh/route.ts scripts/security/wazuh-readonly-route-boundary-guard.py scripts/security/wazuh-readonly-production-readback.py scripts/security/wazuh-readonly-release-gate.py scripts/security/wazuh-readonly-release-lane-preflight.py
python3 -m py_compile apps/api/src/api/v1/iwooos.py scripts/security/wazuh-readonly-route-boundary-guard.py scripts/security/wazuh-readonly-production-readback.py scripts/security/wazuh-readonly-release-gate.py scripts/security/wazuh-readonly-release-lane-preflight.py scripts/security/security-mirror-progress-guard.py
git diff --check
```

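Review bot: the updated `doc-secrets-sanity-check` invocation adds `scripts/security/wazuh-readonly-release-lane-preflight.py` but still omits `scripts/security/security-mirror-progress-guard.py`, which the `py_compile` line directly below does include. Suggest passing the same script list to both commands so the secret scan covers every guard shipped in this commit; as written, a hardcoded URL or token in that guard is only caught if the guard itself flags it.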
@@ -66,6 +70,7 @@ git diff --check
- `pytest apps/api/tests/test_iwooos_wazuh_api.py`:`4 passed`。
- `wazuh-readonly-route-boundary-guard`:`route=2 public_ui_files=1 forbidden=0 runtime_gate=0`。
- `wazuh-readonly-release-gate`:`source=1 push=0 deploy=0 readback=0 runtime_gate=0`。
- `wazuh-readonly-release-lane-preflight`:`ready=0 acks=0/6 evidence=0/6 runtime_gate=0`。
- `security-mirror-progress-guard`:`SECURITY_MIRROR_PROGRESS_GUARD_OK`。
- `doc-secrets-sanity-check`:`DOC_SECRET_SANITY_OK scanned_files=969`。
- `py_compile`:通過。
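Review bot: the new result line `ready=0 acks=0/6 evidence=0/6 runtime_gate=0` does not say whether the preflight guard exited 0 in that state, whereas the other guards record an explicit marker (`SECURITY_MIRROR_PROGRESS_GUARD_OK`, `DOC_SECRET_SANITY_OK`). Suggest recording the exit status or OK marker for this guard too; otherwise a reader cannot tell whether `ready=0` is the expected blocked-but-consistent outcome or a guard failure.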
@@ -73,7 +78,7 @@ git diff --check

## 乾淨套用 Proof

乾淨套用 proof 需從最新 `gitea/main=80604403` 或更新的主線建立獨立 worktree:
乾淨套用 proof 需從最新 `gitea/main` 建立獨立 worktree:

```bash
git worktree add /private/tmp/awoooi-iwooos-wazuh-release-apply-check-<timestamp> gitea/main
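Review bot: dropping `=80604403` from the worktree instruction matches the new readback bullets, but it also removes the only record of which main commit the clean-apply proof was run against. Suggest having the proof capture `git rev-parse gitea/main` into the proof log before the `git worktree add`, so that "最新 `gitea/main`" is reproducible later; the snapshot's `base_commit_readback` string already asks for exactly that command.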
@@ -113,6 +118,7 @@ python3 scripts/security/wazuh-readonly-production-readback.py --allow-predeploy
合併 / 部署前需確認:

- 使用具備正式權限的 Gitea lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD 或同等 patch;不得 force push。
- release lane preflight 目前固定 `formal_release_lane_ready_count=0`、`accepted_ack_flag_count=0/6`、`accepted_evidence_field_count=0/6`;不得把一般「批准繼續」當成 release lane owner response。
- 目前非互動式 push 實測仍被 Gitea HTTPS credential 擋住:`fatal: could not read Username for 'https://gitea.wooo.work': terminal prompts disabled`。
- 不得複製舊 workspace 的內嵌明文 Gitea token。
- 不得把 Wazuh URL、帳密、token、cookie、private key、runner token 或 webhook secret 寫入 repo。
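Review bot: the new bullet pins `formal_release_lane_ready_count=0`, `accepted_ack_flag_count=0/6` and `accepted_evidence_field_count=0/6` in prose; those go stale the moment an owner responds, which is the same drift problem this commit removes for commit hashes elsewhere. Suggest stating that the guard output is authoritative and pointing at `wazuh-readonly-release-lane-preflight.py --root .` instead of repeating the counts. The second half, that a generic "批准繼續" is not an owner response, is the part worth keeping verbatim.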
@@ -161,6 +167,7 @@ python3 scripts/security/wazuh-readonly-production-readback.py --json
| Wazuh route boundary source guard | `100%` | 已納入 `security-mirror-progress-guard` |
| Production readback 驗收腳本 | `100%` | 已完成;正式部署後不得接受 404 |
| Wazuh release gate snapshot / guard | `100%` | 已完成;固定 push/deploy/readback 仍 blocked |
| Wazuh release lane preflight | `100%` | 已完成;owner acks `0/6`、evidence `0/6`、正式 release ready `0` |
| 乾淨套用 proof | `100%` | patch set 可落在最新 `gitea/main` 並通過同組 guard;最終 hash 以 release 前 readback 為準 |
| Gitea push | `0%` | 受控 workspace HTTPS credential 缺失 |
| Production deploy / readback | `0%` | 等待 release lane |
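Review bot: the new row marks `Wazuh release lane preflight` as `100%` while the same row reports acks `0/6`, evidence `0/6` and ready `0`; the percentage here measures that the snapshot and guard were written, yet it sits beside `Gitea push 0%`, which measures the release itself. Suggest labelling the column as tooling completion, or splitting it into tooling and release-readiness columns, so the table cannot be skimmed as the preflight having cleared.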
@@ -170,8 +177,9 @@ python3 scripts/security/wazuh-readonly-production-readback.py --json

## 下一步優先序

1. 解決受控 workspace Gitea HTTPS push 認證,或由正式 release lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD。
2. 部署後先驗證 `/api/iwooos/wazuh` 不再 404,且預設 disabled 邊界正確。
3. 另開 owner gate 決定是否啟用 server-side Wazuh read-only metadata query。
4. 收件 Wazuh manager health ref、agent status ref、event refs、host forensic refs 與 containment / recovery proof。
5. 仍禁止 active response、host write、firewall / Nginx / Docker / K8s runtime action、Kali active scan、secret 明文收集。
1. 先補 release lane owner response:選擇 formal merge、formal patch apply 或安全 credential push,並補 6 個 ack 與 6 個 evidence 欄位。
2. 解決受控 workspace Gitea HTTPS push 認證,或由正式 release lane 合併 `codex/iwooos-wazuh-boundary-guard-20260624` 分支 HEAD。
3. 部署後先驗證 `/api/iwooos/wazuh` 不再 404,且預設 disabled 邊界正確。
4. 另開 owner gate 決定是否啟用 server-side Wazuh read-only metadata query。
5. 收件 Wazuh manager health ref、agent status ref、event refs、host forensic refs 與 containment / recovery proof。
6. 仍禁止 active response、host write、firewall / Nginx / Docker / K8s runtime action、Kali active scan、secret 明文收集。

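Review bot: the renumbered step 2 still reads "解決受控 workspace Gitea HTTPS push 認證" with no constraint on how, even though the new step 1 and the preflight snapshot's `blocked_actions` forbid `plain_text_gitea_token_in_remote_url` and `copy_token_from_dirty_workspace`. Suggest qualifying step 2 with the accepted mechanisms (credential helper, SSH key or formal release token) so an operator working from this list alone cannot satisfy it in exactly the way the snapshot rules out.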
@@ -14,7 +14,7 @@
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false
},
"generated_at": "2026-06-24T22:05:00+08:00",
"generated_at": "2026-06-24T22:25:00+08:00",
"missing_required_source_paths": [],
"mode": "repo_release_gate_no_runtime_no_secret_collection",
"operator_interpretation": [
@@ -75,13 +75,13 @@
],
"release_lane_evidence": {
"apply_check_status": "passed_external_readback_required_after_final_commit",
"base_commit": "80604403",
"base_commit_readback": "run git rev-parse gitea/main before release; do not hardcode a moving main commit",
"base_ref": "gitea/main",
"gitea_push_blocker": "https_noninteractive_credential_required",
"production_readback_status": "predeploy_404_observed",
"release_patch_set_readback": "generate with git format-patch gitea/main..HEAD after the final docs commit, then record sha256 outside the committed file",
"source_branch": "codex/iwooos-wazuh-boundary-guard-20260624",
"source_fix_commit": "47d36e85",
"source_fix_commit_readback": "run git log --oneline gitea/main..HEAD before release; do not hardcode a rebase-sensitive commit hash",
"source_head_readback": "run git rev-parse HEAD after the final docs commit; do not hardcode a self-referential commit hash"
},
"required_source_paths": [

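Review bot: `"base_commit": "80604403"` and `"source_fix_commit": "47d36e85"` stay pinned in the same object whose new `base_commit_readback` and `source_fix_commit_readback` strings say not to hardcode them, so the snapshot will contradict itself after the next rebase of `gitea/main`. Suggest either removing the pinned values, or renaming them to something like `base_commit_at_generation` / `source_fix_commit_at_generation` so the guard and readers treat them as historical rather than current. `apply_check_status` now requires an external readback after the final commit while `production_readback_status` still records `predeploy_404_observed`; both are correct today, but the object should say which readback is expected to update which field.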
@@ -0,0 +1,104 @@
{
"allowed_release_methods": [
"formal_gitea_merge",
"formal_patch_apply",
"maintainer_local_push_with_safe_credential"
],
"blocked_actions": [
"plain_text_gitea_token_in_remote_url",
"copy_token_from_dirty_workspace",
"force_push",
"nginx_or_gateway_workaround_for_404",
"docker_restart_for_wazuh_route",
"k8s_or_argocd_manual_apply_for_wazuh_route",
"firewall_change_for_wazuh_route",
"wazuh_secret_or_manager_change_for_api_404",
"enable_wazuh_live_metadata_without_owner_gate",
"enable_wazuh_active_response",
"host_write_or_kali_active_scan"
],
"execution_boundaries": {
"force_push_allowed": false,
"host_write_authorized": false,
"kali_active_scan_authorized": false,
"not_authorization": true,
"plain_text_token_workaround_allowed": false,
"production_deploy_authorized": false,
"repo_write_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false
},
"generated_at": "2026-06-24T22:20:00+08:00",
"mode": "repo_preflight_no_secret_no_runtime_no_push",
"operator_interpretation": [
"此 preflight 通過前,不得把 Gitea credential blocker 視為可繞過。",
"正式 release 可以選 formal merge、formal patch apply 或安全 credential push,但都需要 owner response 與 deploy 後 readback。",
"不得用 Nginx、Docker、K8s、firewall、Wazuh secret 或主機重啟來修 public API 404。",
"Wazuh live metadata 查詢與 active response 是不同 gate;本 preflight 不授權任何 runtime action。"
],
"post_deploy_readback": {
"command": "python3 scripts/security/wazuh-readonly-production-readback.py --json",
"must_not_return_http_404": true,
"required": true,
"runtime_gate_expected": 0
},
"release_lanes": [
{
"lane_id": "formal_gitea_merge",
"meaning": "由具備正式 Gitea 權限者合併 Wazuh 分支;不得 force push。",
"runtime_authorized": false,
"status": "blocked_owner_response_required"
},
{
"lane_id": "formal_patch_apply",
"meaning": "由正式 release lane 套用已驗證 patch set;不得跳過 production readback。",
"runtime_authorized": false,
"status": "blocked_owner_response_required"
},
{
"lane_id": "maintainer_local_push_with_safe_credential",
"meaning": "只接受安全的 credential helper / SSH key / 正式 release token;不得使用明文 token workaround。",
"runtime_authorized": false,
"status": "blocked_safe_credential_required"
}
],
"required_ack_flags": [
"approve_formal_release_lane",
"confirm_no_plaintext_token_workaround",
"confirm_no_force_push",
"confirm_no_runtime_workaround",
"confirm_production_readback_after_deploy",
"confirm_wazuh_live_metadata_requires_separate_owner_gate"
],
"required_evidence_fields": [
"release_lane_owner",
"release_method",
"target_branch_or_patch_set",
"post_deploy_readback_command",
"rollback_owner",
"blocked_runtime_actions_ack"
],
"schema_version": "iwooos_wazuh_readonly_release_lane_preflight_v1",
"status": "blocked_waiting_formal_release_lane_owner_response",
"summary": {
"accepted_ack_flag_count": 0,
"accepted_evidence_field_count": 0,
"allowed_release_method_count": 3,
"force_push_allowed_count": 0,
"formal_release_lane_ready_count": 0,
"gitea_push_authorized_count": 0,
"patch_apply_authorized_count": 0,
"plain_text_token_workaround_allowed_count": 0,
"production_deploy_authorized_count": 0,
"production_readback_passed_count": 0,
"production_readback_required_count": 1,
"required_ack_flag_count": 6,
"required_evidence_field_count": 6,
"runtime_gate_count": 0,
"runtime_workaround_allowed_count": 0,
"safe_credential_available_count": 0,
"wazuh_live_metadata_owner_gate_ready_count": 0
}
}
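Review bot: the lane `maintainer_local_push_with_safe_credential` carries status `blocked_safe_credential_required` while the other two lanes carry `blocked_owner_response_required`, yet the `operator_interpretation` text and the `required_ack_flags` say every lane needs an owner response; as written, obtaining a safe credential can be read as unblocking that lane on its own. Suggest giving it both preconditions (e.g. `blocked_owner_response_and_safe_credential_required`) or adding a per-lane `preconditions` list. Separately, `summary.accepted_ack_flag_count` and `summary.accepted_evidence_field_count` are hand-maintained integers with no place in the file for the acks or evidence values themselves; an `owner_response` object holding the six flags and six fields would let the guard compute those counts rather than trust them.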