History

Ligbox Spec Hub 3a2c64834b Initial import: ligbox-ops-platform + specs + LAPTOP + obsidian merge (CT130) Source: VM122 /opt + obsidian-infra + LAPTOP Hub: CT130 spec-hub 10.10.10.130		2026-06-19 17:26:41 +00:00
..
README.md	Initial import: ligbox-ops-platform + specs + LAPTOP + obsidian merge (CT130)	2026-06-19 17:26:41 +00:00
security_audit.py	Initial import: ligbox-ops-platform + specs + LAPTOP + obsidian merge (CT130)	2026-06-19 17:26:41 +00:00
security_webhook_client.py	Initial import: ligbox-ops-platform + specs + LAPTOP + obsidian merge (CT130)	2026-06-19 17:26:41 +00:00
traefik-csp-headers.example.yml	Initial import: ligbox-ops-platform + specs + LAPTOP + obsidian merge (CT130)	2026-06-19 17:26:41 +00:00

README.md

VM112 — Wizard Cybersecurity (Spec 021)

Pacote de referência para instalar na VM112 (/opt/ligbox-wizard).

Componentes

Ficheiro	Função
`security_audit.py`	Middleware FastAPI — audita inputs (SQLi/XSS/path)
`security_webhook_client.py`	Envia eventos `security.*` para VM122

Variáveis de ambiente (VM112)

DESK_SECURITY_WEBHOOK_URL=https://desk.ligbox.com.br/api/v1/webhooks/security
DESK_WEBHOOK_SECRET=<mesmo WEBHOOK_SECRET do Desk>

Integração no wizard

from security_audit import SecurityAuditMiddleware
from security_webhook_client import emit_security_event

app.add_middleware(SecurityAuditMiddleware, on_block=emit_security_event)

Em rotas de handoff (/onboard-handoff, /consume):

emit_security_event("security.handoff_rejected", session_id=..., domain=..., data={"reason": "expired"})

CSP (Traefik CT114)

Ver traefik-csp-headers.example.yml — aplicar no router do portal/wizard.

Report URI: https://desk.ligbox.com.br/api/v1/security/csp-report

Teste rápido (Desk)

curl -s -X POST "https://desk.ligbox.com.br/api/v1/webhooks/security" \
  -H "Content-Type: application/json" \
  -H "X-Webhook-Secret: $WEBHOOK_SECRET" \
  -d '{"event":"security.input_blocked","session_id":"demo-001","domain":"evil.test","data":{"reason":"xss_pattern","severity":"high"}}'