P0: Wazuh DRY helper uses placeholder bearer token #64

@CodeMonkeyCybersecurity

Description

I — Identify

  • Priority: P0
  • Area: pkg/wazuh/provision.go
  • Owner: engineering

S — Situation

Wazuh DRY helper doWazuhAPIRequest currently uses a placeholder bearer token string, so API calls cannot authenticate in real environments.

O — Observations

  • Code evidence: pkg/wazuh/provision.go contains token := "<vaulted-wazuh-token>".
  • Expected behavior: token sourced from secure store (Vault), with controlled fallback.
  • Risk: operational failure + insecure secret handling pattern.

B — Background

Recent DRY refactor consolidated duplicated Wazuh HTTP request logic. During extraction, token retrieval path was not fully wired.

A — Assessment

Root cause hypothesis: helper centralization captured a stub credential path instead of production token retrieval flow.
Impact: all downstream Wazuh API calls using this helper can fail with auth errors and violate security best practice.

R — Recommendation

  1. Implement getWazuhAPIToken(rc) with Vault-first and env fallback.
  2. Update doWazuhAPIRequest to accept runtime context and call token provider.
  3. Add focused tests for token sourcing, header injection, and ID resolver behavior.
  4. Attach command outputs for build/test/vet as evidence.
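One way recommendations 1 to 3 could fit together, as an added example that is not the project's code. It assumes `context.Context` in place of the issue's `rc`; the `secretReader` type, the Vault path, the environment variable name and `newWazuhRequest` are hypothetical names chosen for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// Hypothetical stand-ins (not from the issue): Vault read call, secret path, env var name.
type secretReader func(ctx context.Context, path string) (string, error)

const wazuhTokenPath, wazuhTokenEnv = "secret/wazuh/api-token", "WAZUH_API_TOKEN"

var errNoToken = errors.New("wazuh: no usable API token in Vault or environment")

// usable rejects empty values and unrendered "<...>" template placeholders.
func usable(t string) bool { return t != "" && !strings.HasPrefix(t, "<") }

// getWazuhAPIToken is Vault-first with env fallback; source lets callers log fallback use.
func getWazuhAPIToken(ctx context.Context, vault secretReader) (token, source string, err error) {
	if vault != nil {
		if t, verr := vault(ctx, wazuhTokenPath); verr == nil && usable(strings.TrimSpace(t)) {
			return strings.TrimSpace(t), "vault", nil
		}
	}
	if t := strings.TrimSpace(os.Getenv(wazuhTokenEnv)); usable(t) {
		return t, "env", nil
	}
	return "", "", errNoToken
}

// newWazuhRequest fails closed: no request is built unless a real token resolved.
func newWazuhRequest(ctx context.Context, vault secretReader, method, url string) (*http.Request, error) {
	token, _, err := getWazuhAPIToken(ctx, vault)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, method, url, nil)
	if err == nil {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	return req, err
}

func main() {
	_, source, err := getWazuhAPIToken(context.Background(), nil)
	fmt.Println("source:", source, "err:", err) // prints only the source, never the token
}
```

Returning the source alongside the token lets the caller record when the environment fallback was used, without ever writing the token itself to logs.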


    Labels: P0 (Critical priority), bug (Something isn't working), go (Pull requests that update go code)
