821675ab4a
Specs stay at repo root (cross-VM). Move deploy and code into logical projects with README per domain, updated manifest.yaml, and symlinks at legacy paths for VM122 backward compatibility. |
||
|---|---|---|
| .. | ||
| README.md | ||
| security_audit.py | ||
| security_webhook_client.py | ||
| traefik-csp-headers.example.yml | ||
VM112 — Wizard Cybersecurity (Spec 021)
Pacote de referência para instalar na VM112 (/opt/ligbox-wizard).
Componentes
| Ficheiro | Função |
|---|---|
security_audit.py |
Middleware FastAPI — audita inputs (SQLi/XSS/path) |
security_webhook_client.py |
Envia eventos security.* para VM122 |
Variáveis de ambiente (VM112)
DESK_SECURITY_WEBHOOK_URL=https://desk.ligbox.com.br/api/v1/webhooks/security
DESK_WEBHOOK_SECRET=<mesmo WEBHOOK_SECRET do Desk>
Integração no wizard
from security_audit import SecurityAuditMiddleware
from security_webhook_client import emit_security_event
app.add_middleware(SecurityAuditMiddleware, on_block=emit_security_event)
Em rotas de handoff (/onboard-handoff, /consume):
emit_security_event("security.handoff_rejected", session_id=..., domain=..., data={"reason": "expired"})
CSP (Traefik CT114)
Ver traefik-csp-headers.example.yml — aplicar no router do portal/wizard.
Report URI: https://desk.ligbox.com.br/api/v1/security/csp-report
Teste rápido (Desk)
curl -s -X POST "https://desk.ligbox.com.br/api/v1/webhooks/security" \
-H "Content-Type: application/json" \
-H "X-Webhook-Secret: $WEBHOOK_SECRET" \
-d '{"event":"security.input_blocked","session_id":"demo-001","domain":"evil.test","data":{"reason":"xss_pattern","severity":"high"}}'