{
  "contract_id": "YEFFAI_TARGET_SIDE_MONITORING_SECURITY_CONTRACT",
  "contract_file": "yeffai_target_side_monitoring_security_contract.json",
  "version": "v1.0",
  "status": "PASS",
  "created_at": "2026-07-08T14:57:35.790591Z",
  "updated_at": "2026-07-08T14:57:35.790591Z",
  "created_by_action": "PATCH_CREATE_YEFFAI_TARGET_SIDE_MONITORING_SECURITY_CONTRACT",
  "run_on": "WARESITES",
  "source_of_truth": "YEFFAI",
  "waresites_runtime_role": "UI_PULL_RUNTIME_ONLY",
  "remote_yeffai_mutation": "NO",
  "remote_mutation_allowed_now": "NO",
  "installation_command_executed": "NO",
  "installation_started": "NO",
  "step002_status": "BLOCKED",
  "step002_blocked_until": "APPROVE_YEFFAI_TARGET_SIDE_MONITORING_SECURITY_CONTRACT",
  "next_required_action": "APPROVE_YEFFAI_TARGET_SIDE_MONITORING_SECURITY_CONTRACT",
  "next_patch_after_user_approval": "CREATE_YEFFAI_TARGET_SIDE_MONITORING_SECURITY_READONLY_AUDIT_AND_HARDENING_PLAN",
  "target": {
    "name": "YEFF AI",
    "ssh_alias": "YEFFAI",
    "ip": "157.173.100.205",
    "primary_evidence_root": "/opt/yeffai/evidence",
    "primary_state_root": "/opt/yeffai/state",
    "primary_logs_root": "/opt/yeffai/logs",
    "remote_mutation_allowed_now": "NO",
    "installation_command_allowed_now": "NO"
  },
  "purpose": "Define the mandatory target-side monitoring and security contract before any Step 002 or additional YEFF AI installation work. The UI must observe real YEFF AI evidence, not local Waresites guesses.",
  "scope": {
    "runner_governance": "MISSING_UNTIL_APPROVED",
    "observer_delta_detection": "MISSING_UNTIL_APPROVED",
    "hardware_monitoring": "MISSING_UNTIL_APPROVED",
    "security_monitoring": "MISSING_UNTIL_APPROVED",
    "filesystem_event_capture": "MISSING_UNTIL_APPROVED",
    "network_exposure_monitoring": "MISSING_UNTIL_APPROVED",
    "log_integrity_monitoring": "MISSING_UNTIL_APPROVED",
    "incident_detection": "MISSING_UNTIL_APPROVED",
    "contract_gap_emission": "REQUIRED_FOR_UNCONTRACTED_FINDINGS"
  },
  "required_capabilities": {
    "max_ui_refresh_seconds": 30,
    "source_priority": [
      "YEFFAI target evidence",
      "YEFFAI target latest state",
      "Waresites read-only pull cache",
      "Waresites UI rendering"
    ],
    "runner_required": "YES",
    "runner_rule": "Official commands must be executed only through an approved governed runner that records intent, command, output, status, evidence_id and rollback metadata.",
    "observer_required": "YES",
    "observer_rule": "Out-of-runner changes must be detected as deltas and emitted as evidence or CONTRACT_GAP.",
    "security_baseline_required": "YES",
    "hardware_baseline_required": "YES",
    "network_baseline_required": "YES",
    "package_change_detection_required": "YES",
    "service_change_detection_required": "YES",
    "file_change_detection_required": "YES",
    "auth_log_detection_required": "YES",
    "ufw_policy_detection_required": "YES",
    "ssh_policy_detection_required": "YES"
  },
  "known_current_blockers": {
    "fail2ban_available": "NO",
    "auditd_available": "NO",
    "inotifywait_available": "NO",
    "ufw_status": "INACTIVE",
    "ssh_root_login": "PERMITTED",
    "step002_contract": "MISSING",
    "target_side_runner": "MISSING",
    "target_side_observer": "MISSING"
  },
  "blocked_before_approval": {
    "step002_execution": "YES",
    "new_package_install": "YES",
    "security_hardening_mutation": "YES",
    "service_enable_or_restart": "YES",
    "firewall_change": "YES",
    "ssh_config_change": "YES",
    "reverse_channel_from_yeffai_to_waresites": "YES",
    "application_start": "YES"
  },
  "allowed_before_approval": {
    "waresites_local_contract_creation": "YES",
    "read_only_runtime_validation": "YES",
    "read_only_ssh_audit": "YES",
    "read_only_ui_validation": "YES"
  },
  "approval_gate": {
    "requires_explicit_user_approval": "YES",
    "approval_phrase": "APROVO O CONTRATO DE MONITORAMENTO E SEGURANÇA TARGET-SIDE DO YEFF AI",
    "approval_action": "APPROVE_YEFFAI_TARGET_SIDE_MONITORING_SECURITY_CONTRACT",
    "approval_effect": "Allows the next patch to create a read-only target-side monitoring/security audit plan. It does not authorize mutation or installation by itself."
  },
  "validation_rule": {
    "pass": "PASS when the contract exists, plan/registry/ledger point to APPROVE_YEFFAI_TARGET_SIDE_MONITORING_SECURITY_CONTRACT, Step 002 remains blocked, and runtime remains clean with YEFF AI as primary source.",
    "fail": "FAIL if Step 002 becomes executable, if Waresites becomes source of truth, if remote mutation is authorized without approval, or if monitoring/security gaps are hidden.",
    "missing": "MISSING if target-side runner, observer, security telemetry, or hardware telemetry are not yet contracted."
  },
  "contract_gap_policy": {
    "status": "PASS",
    "rule": "Any discovered target condition not covered by this contract must create or preserve CONTRACT_GAP instead of being silently ignored."
  },
  "ui_visibility_rule": "Visible in the panel as the next approval gate before Step 002; it must not be rendered as installation progress.",
  "evidence_policy": {
    "remote_evidence_required": "YES_AFTER_APPROVAL",
    "local_runtime_cache_allowed": "YES_READ_ONLY",
    "manual_progress_allowed": "NO",
    "fake_progress_policy": "BLOCKED"
  }
}
