
Auto-PR: Merge pull request #15 from WeOwnNetwork/feature/wp-hardening-shd #25

Closed
weown-bot wants to merge 12 commits into main from feature/wordpress-docker-copier-template

Conversation

@weown-bot
Contributor

🤖 Automated Pull Request — authored by weown-bot (ecosystem service account)

Opened by: @mshahid538
Last pushed by: @ncimino
Branch: feature/wordpress-docker-copier-template → main

Contributors on this branch:


📋 Human Review Checklist — NIST CSF 2.0 Functions

Review per the 6 NIST CSF Functions. Frameworks referenced: NIST CSF 2.0, CIS Controls v8 IG1, CSA CCM v4, ISO/IEC 27001:2022, SOC 2, ISO/IEC 42001:2023. See docs/COMPLIANCE_ROADMAP.md.

🏛️ Govern (GV)

  • CODEOWNERS correct for affected paths (.github/CODEOWNERS)
  • ADR required/updated if an architectural decision is introduced
  • Policy impact considered and documented
  • All Copilot AI review comments addressed or explicitly deferred with rationale

🔍 Identify (ID)

  • New assets inventoried (Helm values, container images, dependencies)
  • SBOM regenerated if dependencies changed
  • Risk register / threat model touched if threat surface changed (.github/SECURITY_ASSESSMENT.md)

🛡️ Protect (PR)

  • Least privilege: RBAC, ServiceAccounts, scoped PATs (NIST PR.AC, CIS 5/6, ISO A.5.15-A.5.18)
  • Secrets managed via Infisical (never --from-literal, never /tmp, always $(mktemp) — ISO A.8.24)
  • NetworkPolicy present for new deployments (NIST PR.AC-5, CIS 12, CSA IVS)
  • TLS 1.3 with strong cipher suites where applicable (NIST PR.DS-1, CIS 3)
  • Container security: non-root UID 1000+, Pod Security restricted (NIST PR.IP, CIS 4)

🕵️ Detect (DE)

  • Logs / metrics added for new components (NIST DE.CM, CIS 8/13)
  • Alert rules updated if thresholds change
  • Health checks (livenessProbe + readinessProbe) configured

🚨 Respond (RS)

  • Runbook updated if operational behavior changes (.github/INCIDENT_RESPONSE.md)
  • Incident response impact considered (escalation paths, on-call)

♻️ Recover (RC)

  • Backup strategy covers new persistent data (NIST RC.RP, CIS 11, ISO A.8.13)
  • Rollback procedure tested or documented
  • DR impact assessed for new critical components

📚 Documentation & Versioning

  • Relevant CHANGELOG.md updated (per-directory or repo-level /CHANGELOG.md)
  • #WeOwnVer version bumped per docs/VERSIONING_WEOWNVER.md
  • READMEs / ADRs / inline comments updated

📝 Recent Commits (full bodies for Copilot context)

543ff8e Merge pull request #15 from WeOwnNetwork/feature/wp-hardening-shd

Author: Nik Cimino
Date: Thu May 14 18:03:14 2026 -0600

Feature/wp hardening shd

8249072 fix(wordpress/helm): address PR #15 review items 10-12

Author: Nik
Date: Wed May 13 23:49:36 2026 -0600

  • ingress.yaml: parameterize spec.tls[0].secretName from
    .Values.ingress.tls[0].secretName so per-site overrides
    (burnedout-tls, ptoken-tls) actually take effect. Falls
    back to "wordpress-tls" when .Values.ingress.tls is a
    map or unset (preserves default and TLS hardening map).
  • php-config-configmap.yaml: gate "auto_prepend_file =
    wordfence-waf.php" behind .Values.wordpress.wordfence.enabled
    (default false) to avoid PHP warnings when the plugin is
    not installed.
  • ingress.yaml: gate the file-blocking server-snippet annotation
    behind .Values.ingress.serverSnippet.enabled (default true)
    so the chart can deploy on hardened controllers that set
    allow-snippet-annotations: false.
  • values.yaml: add wordpress.wordfence.enabled and
    ingress.serverSnippet.enabled.
  • Chart.yaml: bump 3.2.7 -> 3.3.0 (SemVer + WeOwnVer valid).
  • wordpress/CHANGELOG.md: document 3.3.0.

Verified: helm template renders correctly with default,
values-burnedout, and values-ptoken; helm lint clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>


0318268 docs: apply markdownlint autofixes for PR #15 CI

Author: Nik
Date: Wed May 13 23:35:57 2026 -0600

  • ADR-004: add blank line before bulleted list (MD032)
  • workflows/README.md: switch *emphasis* to _emphasis_ for style consistency (MD049)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>


d514af5 Merge remote-tracking branch 'origin/main' into feature/wp-hardening-shd

Author: romandidomizio
Date: Wed May 13 13:07:40 2026 -0600


488ebfb fix: resolve yamllint line endings

Author: m.shahid
Date: Wed May 6 23:03:36 2026 +0500


52bc0a2 fix: resolve yamllint line endings and comment indentation

Author: m.shahid
Date: Wed May 6 22:52:40 2026 +0500


c073eb0 updated version bump

Author: m.shahid
Date: Wed May 6 22:42:50 2026 +0500


994c8be fix: resolve trivy security scan and linting issues

Author: m.shahid
Date: Wed May 6 22:31:06 2026 +0500


30b5355 Merge branch 'feature/wordpress-docker-copier-template' into feature/wp-hardening-shd

Author: Nik
Date: Tue May 5 16:28:43 2026 -0600


b98ac28 chore: bump helm chart version to 3.2.7

Author: m.shahid
Date: Thu Apr 23 14:46:43 2026 +0500


8d44f58 chore(helm): implement multi-site values strategy for burnedout and ptoken

Author: m.shahid
Date: Thu Apr 23 14:43:00 2026 +0500


1ece74f feat: codify PHP limits and block .user.ini per Task D152 & #264

Author: m.shahid
Date: Thu Apr 23 14:38:47 2026 +0500



🔍 Copilot AI Review: Copilot is configured to auto-request review for bot-authored PRs. If an auto-created PR opens without an initial Copilot review, push a follow-up commit to the same open PR (review_on_push: true) to trigger review automatically.

👥 Required Reviewers: 1 human approval enforced by branch protection. Reviewers are requested automatically.

📚 Review Guidelines: .github/copilot-instructions.md (phase-aware compliance directives)

🛠️ Workflow Operations: .github/workflows/README.md

Auto-generated by .github/workflows/auto-pr-to-main.yml
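The gating approach described in commit 8249072 (a TLS secret name that honours a per-site list override and otherwise falls back to "wordpress-tls", a server-snippet annotation that can be switched off for controllers running with allow-snippet-annotations: false, and an auto_prepend_file line emitted only when Wordfence is enabled) rendered as Helm template fragments. This is an added example, not the chart's own ingress.yaml or php-config-configmap.yaml: the value paths come from the commit message, while the "wordpress.fullname" helper, .Values.ingress.host, the nginx deny rule body and the PHP limit values are assumptions for illustration.

```yaml
{{- /*
  Added example (not the chart's own templates). Assumed defaults in
  values.yaml, as named in commit 8249072:
    ingress.serverSnippet.enabled: true
    wordpress.wordfence.enabled: false
    ingress.tls: {}          # map or unset -> fallback secret name
  A per-site file (e.g. values-burnedout) may instead set a list:
    ingress.tls:
      - secretName: burnedout-tls
*/ -}}

{{- /* 1. Resolve the TLS secret name. A list entry wins; a map or an unset
        value keeps the "wordpress-tls" default. */ -}}
{{- $tlsSecret := "wordpress-tls" }}
{{- if kindIs "slice" .Values.ingress.tls }}
{{-   with first .Values.ingress.tls }}
{{-     $tlsSecret = default $tlsSecret .secretName }}
{{-   end }}
{{- end }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ include "wordpress.fullname" . }}   # helper name assumed
  {{- if .Values.ingress.serverSnippet.enabled }}
  # 2. Emitted only when enabled: an ingress-nginx controller started with
  #    allow-snippet-annotations: false rejects Ingresses carrying this key,
  #    so the chart must be able to omit it entirely.
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      # Deny .user.ini so PHP limits cannot be overridden from web paths
      # (rule body assumed for the example).
      location ~* /\.user\.ini$ { deny all; return 403; }
  {{- end }}
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - {{ .Values.ingress.host | quote }}   # value key assumed
      secretName: {{ $tlsSecret | quote }}
  rules:
    - host: {{ .Values.ingress.host | quote }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: {{ include "wordpress.fullname" . }}
                port:
                  number: 80
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "wordpress.fullname" . }}-php-config
data:
  custom.ini: |
    # PHP limits codified in the chart (values assumed for the example).
    memory_limit = 256M
    upload_max_filesize = 64M
    post_max_size = 64M
    {{- if .Values.wordpress.wordfence.enabled }}
    # 3. Only prepend the WAF when the plugin is installed; otherwise PHP
    #    logs a warning on every request for the missing file.
    auto_prepend_file = wordfence-waf.php
    {{- end }}
```

Rendering checks that match the commit's "Verified" line: `helm template . -f values-burnedout.yaml` should show `secretName: "burnedout-tls"`, plain `helm template .` should show `secretName: "wordpress-tls"` with no `auto_prepend_file` line, and `helm template . --set ingress.serverSnippet.enabled=false` should produce an Ingress with no `annotations:` key at all, which is what a controller configured with allow-snippet-annotations: false requires.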

mshahid538 and others added 12 commits April 23, 2026 14:38
@weown-bot weown-bot requested a review from ncimino as a code owner May 15, 2026 00:03
@weown-bot weown-bot requested review from Copilot and removed request for Copilot May 15, 2026 00:03
@ncimino
Contributor

ncimino commented May 16, 2026

Prefer #19; it is identical but has review comments.

@ncimino ncimino closed this May 16, 2026
@ncimino ncimino deleted the feature/wordpress-docker-copier-template branch May 27, 2026 20:22