{
"execution_boundaries": {
"dispatch_authorized": false,
"force_push_allowed": false,
"gitea_push_authorized": false,
"host_write_authorized": false,
"kali_active_scan_authorized": false,
"not_authorization": true,
"patch_apply_authorized": false,
"plain_text_token_workaround_allowed": false,
"production_deploy_authorized": false,
"recipient_confirmed": false,
"repo_write_authorized": false,
"request_sent": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"wazuh_active_response_authorized": false,
"wazuh_api_live_query_authorized": false
},
"generated_at": "2026-06-24T22:48:00+08:00",
"handoff_envelope_fields": [
"request_id",
"stage_id",
"recipient_role_or_team",
"sender_role_or_team",
"requested_response_window",
"allowed_release_methods",
"required_ack_flags",
"required_evidence_fields",
"target_branch_or_patch_set",
"post_deploy_readback_command",
"forbidden_payloads",
"blocked_runtime_actions",
"followup_owner",
"not_approval"
],
"mode": "repo_request_draft_no_secret_no_runtime_no_push",
"request_draft": {
"action_buttons_allowed": false,
"allowed_release_methods": [
"formal_gitea_merge",
"formal_patch_apply",
"maintainer_local_push_with_safe_credential"
],
"blocked_runtime_actions": [
"plain_text_gitea_token_in_remote_url",
"copy_token_from_dirty_workspace",
"force_push",
"nginx_or_gateway_workaround_for_404",
"docker_restart_for_wazuh_route",
"k8s_or_argocd_manual_apply_for_wazuh_route",
"firewall_change_for_wazuh_route",
"wazuh_secret_or_manager_change_for_api_404",
"enable_wazuh_live_metadata_without_owner_gate",
"enable_wazuh_active_response",
"host_write_or_kali_active_scan"
],
"followup_owner": "pending_followup_owner",
"forbidden_payloads": [
"token",
"secret",
"private_key",
"cookie",
"session",
"authorization_header",
"runner_token",
"webhook_secret",
"wazuh_password",
"wazuh_raw_payload",
"git_credential",
"repo_archive"
],
"not_approval": true,
"owner_response_accepted": false,
"owner_response_received": false,
"post_deploy_readback_command": "python3 scripts/security/wazuh-readonly-production-readback.py --json",
"recipient_confirmed": false,
"recipient_role_or_team": "pending_release_lane_owner",
"redacted_evidence_refs": [
"docs/security/IWOOOS-WAZUH-READONLY-API-RELEASE-HANDOFF.md",
"docs/security/wazuh-readonly-release-gate.snapshot.json",
"docs/security/wazuh-readonly-release-lane-preflight.snapshot.json"
],
"request_id": "iwooos_wazuh_readonly_release_owner_request",
"request_sent": false,
"requested_response_window": "not_scheduled",
"required_ack_flags": [
"approve_formal_release_lane",
"confirm_no_plaintext_token_workaround",
"confirm_no_force_push",
"confirm_no_runtime_workaround",
"confirm_production_readback_after_deploy",
"confirm_wazuh_live_metadata_requires_separate_owner_gate"
],
"required_evidence_fields": [
"release_lane_owner",
"release_method",
"target_branch_or_patch_set",
"post_deploy_readback_command",
"rollback_owner",
"blocked_runtime_actions_ack"
],
"runtime_gate": false,
"sender_role_or_team": "iwooos_security_reviewer",
"stage_id": "P0-IWOOOS-WAZUH-RELEASE",
"target_branch": "codex/iwooos-wazuh-boundary-guard-20260624",
"target_branch_readback": "git log --oneline gitea/main..HEAD",
"target_patch_set_readback": "git format-patch gitea/main..HEAD after final docs commit; record sha256 outside committed docs"
},
"schema_version": "iwooos_wazuh_readonly_release_owner_request_v1",
"send_after_conditions": [
"先確認 gitea/main、Wazuh 分支與另一個 AwoooP Session 基線。",
"只送脫敏欄位與 refs;不得附 secret、raw Wazuh payload、git credential 或 runtime 操作要求。",
"一般批准繼續不是 release owner response。",
"收到 response 後仍需先通過 owner response acceptance ledger,不能直接 push 或 deploy。"
],
"status": "draft_not_dispatched_waiting_release_lane_owner",
"summary": {
"allowed_release_method_count": 3,
"blocked_action_count": 11,
"forbidden_payload_count": 12,
"formal_release_lane_ready_count": 0,
"gitea_push_authorized_count": 0,
"handoff_envelope_field_count": 14,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"patch_apply_authorized_count": 0,
"production_deploy_authorized_count": 0,
"production_readback_passed_count": 0,
"recipient_confirmed_count": 0,
"request_draft_count": 1,
"request_sent_count": 0,
"required_ack_flag_count": 6,
"required_evidence_field_count": 6,
"runtime_gate_count": 0
}
}