@@ -6,6 +6,57 @@ and their provenance lives here + in the commit history.
66
77---
88
9+ ## 2026-06-25 (later) — Opus 4.8 (1M context) — merge 8-PR stack, cut + verify v0.2.0-rc.15 (Eyrie), DOC-3
10+
11+ ** Done** — Landed the prior session's feature/fix stack, cut and fully verified
12+ rc.15, and finished the operator-guide truthfulness audit.
13+ - ** Merged the 8-PR stack** (#673 PKG-3, #675 /#678 AUTH-1, #677 /#679
14+ notifications, #676 avg-compliance parity, #680 docs/STATUS/CHANGELOG) in
15+ dependency order, resolving the branch-protection rebase cascade and BACKLOG
16+ date conflicts. One CI flake en route: ` TestApply_1000Rules_Under2Seconds `
17+ (transactionlog) — a P2 gating flake (hard 2s assert under ` -race ` , missed the
18+ ` perftest.Budgetf() ` migration), filed in BACKLOG; cleared on rerun.
19+ - ** Cut v0.2.0-rc.15 "Eyrie" (#681 ):** ` version.env ` 0.2.0-rc.15, CHANGELOG
20+ ` [0.2.0-rc.15] — 2026-06-25 ` . Annotated tag ` v0.2.0-rc.15 ` → ` 8e468ce6 `
21+ triggered ` release.yml ` .
22+ - ** rc.15 release verified end-to-end** (signed pre-release, 16 assets,
23+ published 14:44 UTC):
24+ 1 . ** Detached GPG** — ` SHA256SUMS.asc ` is a ** Good signature** from "Hanalyx
25+ LLC (release signing) < ops@hanalyx.com > ", RSA subkey
26+ ` C78B8AFF…FF7E515E ` (primary ` 4CB70E1C…E239E50C ` ).
27+ 2 . ** Manifest → bytes** — ` sha256sum -c SHA256SUMS ` : ** 13/13 OK** (6 packages
28+ + 7 CycloneDX SBOMs).
29+ 3 . ** In-header RPM** — ` rpm -Kv ` against an isolated rpmdb with ` KEYS `
30+ imported: ** 3/3** ` V4 RSA/SHA256, key ID ff7e515e: OK ` + all header/payload
31+ digests OK. (` .deb ` files aren't header-signed; covered by the signed
32+ manifest.) Same key signs the manifest and each RPM header.
33+ - ** DOC-3 done (#682 , all code-verified):** SCANNING appendix dead
34+ ` /api/v1/compliance/* ` paths → real endpoints (verified vs ` openapi_embed.yaml ` );
35+ USER_ROLES matrix → 67 rows = full registry (+` token:* ` , ` +system:auth_policy_* ` ),
36+ ` remediation:execute/rollback ` corrected to ** free-core + ops_lead-held** (only
37+ ` audit:export ` is license-gated), 19→20 categories; DATABASE_MIGRATIONS real
38+ ` migrations applied — version N -> N ` + 10-min timeout; HOSTS_AND_REMEDIATION
39+ 5-min ` DefaultProbeInterval ` + ICMP/SSH-banner/privilege layering;
40+ INSTALLATION kensa-rules ` 0.5.0 ` →` 0.6.0 ` + create-admin password-echo caveat;
41+ LINUX_DISTRIBUTION_SUPPORT re-verified Kensa v0.6.0 = ** 538/538 rhel-family** .
42+ BACKLOG DOC-3 → Done (#683 ).
43+
44+ ** Next** — Notifications Slice 2 (transaction-log rule-regression projector:
45+ critical pass→fail, grouped per host/scan) + per-host RBAC recipient scoping.
46+ Deferred guide cleanup: blanket spaced-em-dash close-up across ` docs/guides/ `
47+ (pre-existing, large mechanical diff); MONITORING date left at 2026-06-10 (no
48+ content review). GA gate: Stage 3 fleet-verification per ` docs/runbooks/RELEASING.md ` .
49+
50+ ** Notes** — Two BACKLOG assumptions in the DOC-3 entry were themselves wrong and
51+ corrected during the pass: (1) INSTALLATION's PostgreSQL dependency is ** real**
52+ (` packaging/rpm/openwatch.spec:37 ` ` Requires: postgresql-server ` ), not phantom —
53+ kept; (2) LINUX_DISTRIBUTION_SUPPORT ** did** carry the stale ` v0.4.3 ` /` 539 ` (the
54+ other guides were already 538). The ` ~539 ` approximate lens bounds (DOC-2) and
55+ CLAUDE.md Python-era packaging section (DOC-1) remain open. The git stash still
56+ has 10 pre-existing entries — do not ` git stash pop ` blindly.
57+
58+ ---
59+
960## 2026-06-25 — Opus 4.8 (1M context) — AUTH-1 completion, notifications Slice 1, PKG-3, review
1061
1162** Done** — A large feature + fix session, all on feature branches (7 open PRs;
0 commit comments