ligbox-ops-platform/projects/wizard/deploy/vm112-wizard-security/README.md
Ligbox Spec Hub 821675ab4a Reorganize monorepo into projects/wizard, ops-desk, finance
Specs stay at repo root (cross-VM). Move deploy and code into logical
projects with README per domain, updated manifest.yaml, and symlinks at
legacy paths for VM122 backward compatibility.
2026-06-19 18:55:03 +00:00

# VM112 — Wizard Cybersecurity (Spec 021)
Reference package to install on VM112 (`/opt/ligbox-wizard`).
## Components
| File | Purpose |
|------|---------|
| `security_audit.py` | FastAPI middleware: audits inputs (SQLi/XSS/path) |
| `security_webhook_client.py` | Sends `security.*` events to VM122 |
## Environment variables (VM112)
```bash
DESK_SECURITY_WEBHOOK_URL=https://desk.ligbox.com.br/api/v1/webhooks/security
DESK_WEBHOOK_SECRET=<same WEBHOOK_SECRET as the Desk>
```
## Wizard integration
```python
from security_audit import SecurityAuditMiddleware
from security_webhook_client import emit_security_event

# `app` is the wizard's existing FastAPI instance; blocked inputs go to on_block.
app.add_middleware(SecurityAuditMiddleware, on_block=emit_security_event)
```
In handoff routes (`/onboard-handoff`, `/consume`):
```python
emit_security_event("security.handoff_rejected", session_id=..., domain=..., data={"reason": "expired"})
```
## CSP (Traefik CT114)
See `traefik-csp-headers.example.yml`; apply it on the portal/wizard router.
Report URI: `https://desk.ligbox.com.br/api/v1/security/csp-report`
## Quick test (Desk)
```bash
curl -s -X POST "https://desk.ligbox.com.br/api/v1/webhooks/security" \
-H "Content-Type: application/json" \
-H "X-Webhook-Secret: $WEBHOOK_SECRET" \
-d '{"event":"security.input_blocked","session_id":"demo-001","domain":"evil.test","data":{"reason":"xss_pattern","severity":"high"}}'
```
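The checks a receiver of this webhook would reasonably apply before accepting an event, as an added example that is not part of this package or of the Desk's code. The function name, the status codes, and the rule that all four payload fields are required are assumptions; the header name and payload shape are taken from the quick test above.

```python
import hmac
import json

# Assumption: every event carries the four fields used in the quick test.
REQUIRED_FIELDS = ("event", "session_id", "domain", "data")

# Constructed sample request, mirroring the curl call in the quick test.
SAMPLE_HEADERS = {"Content-Type": "application/json", "X-Webhook-Secret": "s3cret-demo"}
SAMPLE_BODY = (b'{"event":"security.input_blocked","session_id":"demo-001",'
               b'"domain":"evil.test","data":{"reason":"xss_pattern","severity":"high"}}')


def check_security_webhook(headers, body, expected_secret):
    """Return (http_status, reason) for an incoming security webhook request."""
    # Header names are case-insensitive; normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    presented = normalised.get("x-webhook-secret", "")
    # An unset secret must never authenticate anything, and the comparison
    # is constant-time so response timing does not leak the secret.
    if not expected_secret or not hmac.compare_digest(
        presented.encode(), expected_secret.encode()
    ):
        return 401, "bad_secret"
    if "application/json" not in normalised.get("content-type", "").lower():
        return 415, "bad_content_type"
    try:
        payload = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return 400, "invalid_json"
    if not isinstance(payload, dict):
        return 400, "invalid_json"
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        return 422, "missing_" + missing[0]
    event = payload["event"]
    # Only the security.* namespace belongs on this endpoint.
    if not isinstance(event, str) or not event.startswith("security."):
        return 422, "unexpected_event"
    if not isinstance(payload["data"], dict):
        return 422, "bad_data"
    return 202, "accepted"


if __name__ == "__main__":
    print(check_security_webhook(SAMPLE_HEADERS, SAMPLE_BODY, "s3cret-demo"))
```

The authentication check runs before any parsing, so an unauthenticated caller never reaches the JSON decoder.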