fix: External Access Lockout uses FAIL not WARN, AND logic for detection

Dobby · claude · Dobby · commit ace1d738f843 · 2026-04-15T05:04:57.000Z
- PASS requires BOTH waagent inactive AND Extensions.Enabled=n
- No WARN state — either locked out (PASS) or not (FAIL)
- Clear messaging for users

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/privateclaw b/privateclaw
@@ -595,27 +595,25 @@ PYEOF
   # Method 2: Check waagent.conf Extensions.Enabled setting
   EXTENSIONS_CONF=$(grep -i "^Extensions.Enabled" /etc/waagent.conf 2>/dev/null | cut -d= -f2 | tr -d ' ' || echo "unknown")
 
-  if [ "$WAAGENT_STATUS" = "inactive" ] || [ "$EXTENSIONS_CONF" = "n" ]; then
+  # PASS requires BOTH: waagent inactive AND config disables extensions.
+  # Anything else is FAIL — no WARN state.
+  if [ "$WAAGENT_STATUS" = "inactive" ] && [ "$EXTENSIONS_CONF" = "n" ]; then
     echo "  VM Extensions: disabled (waagent $WAAGENT_STATUS, config=$EXTENSIONS_CONF)"
     EXTENSIONS_DISABLED="true"
-  elif [ "$WAAGENT_STATUS" = "active" ] && [ "$EXTENSIONS_CONF" != "n" ]; then
-    echo "  VM Extensions: WARN — waagent is running, az vm run-command may work"
-    EXTENSIONS_DISABLED="false"
   else
-    echo "  VM Extensions: waagent=$WAAGENT_STATUS, config=$EXTENSIONS_CONF"
+    echo "  VM Extensions: FAIL — not fully locked out (waagent=$WAAGENT_STATUS, config=$EXTENSIONS_CONF)"
     EXTENSIONS_DISABLED="false"
   fi
 
-  # Overall: PASS requires SSH keys<=1 AND firewall active AND extensions disabled.
-  # Extensions enabled is a WARN (staging intentionally has them on).
+  # Overall: PASS requires SSH keys<=1 AND extensions disabled.
   if [ "$KEY_COUNT" -le 1 ] && [ "$EXTENSIONS_DISABLED" = "true" ]; then
     echo "  Status:        PASS"
     PASS_COUNT=$((PASS_COUNT + 1))
   elif [ "$KEY_COUNT" -le 1 ] && [ "$EXTENSIONS_DISABLED" = "false" ]; then
-    echo "  Status:        WARN (VM extensions not disabled — expected on staging, not on prod)"
+    echo "  Status:        FAIL (VM extensions not disabled)"
     FAIL_COUNT=$((FAIL_COUNT + 1))
   else
-    echo "  Status:        WARN ($KEY_COUNT keys — expected 1)"
+    echo "  Status:        FAIL ($KEY_COUNT SSH keys — expected 1)"
     FAIL_COUNT=$((FAIL_COUNT + 1))
   fi
   echo ""
