Commit 279ae7c

docs(session-log): record rc.15 cut + end-to-end signature verification + DOC-3 (#684)
1 parent d49117f commit 279ae7c

1 file changed

Lines changed: 51 additions & 0 deletions

SESSION_LOG.md

@@ -6,6 +6,57 @@ and their provenance lives here + in the commit history.
66

77
---
88

9+
## 2026-06-25 (later) — Opus 4.8 (1M context) — merge 8-PR stack, cut + verify v0.2.0-rc.15 (Eyrie), DOC-3
10+
11+
**Done** — Landed the prior session's feature/fix stack, cut and fully verified
12+
rc.15, and finished the operator-guide truthfulness audit.
13+
- **Merged the 8-PR stack** (#673 PKG-3, #675/#678 AUTH-1, #677/#679
14+
notifications, #676 avg-compliance parity, #680 docs/STATUS/CHANGELOG) in
15+
dependency order, resolving the branch-protection rebase cascade and BACKLOG
16+
date conflicts. One CI flake en route: `TestApply_1000Rules_Under2Seconds`
17+
(transactionlog) — a P2 gating flake (hard 2s assert under `-race`, missed the
18+
`perftest.Budgetf()` migration), filed in BACKLOG; cleared on rerun.
19+
- **Cut v0.2.0-rc.15 "Eyrie" (#681):** `version.env` 0.2.0-rc.15, CHANGELOG
20+
`[0.2.0-rc.15] — 2026-06-25`. Annotated tag `v0.2.0-rc.15``8e468ce6`
21+
triggered `release.yml`.
22+
- **rc.15 release verified end-to-end** (signed pre-release, 16 assets,
23+
published 14:44 UTC):
24+
1. **Detached GPG**`SHA256SUMS.asc` is a **Good signature** from "Hanalyx
25+
LLC (release signing) <ops@hanalyx.com>", RSA subkey
26+
`C78B8AFF…FF7E515E` (primary `4CB70E1C…E239E50C`).
27+
2. **Manifest → bytes**`sha256sum -c SHA256SUMS`: **13/13 OK** (6 packages
28+
+ 7 CycloneDX SBOMs).
29+
3. **In-header RPM**`rpm -Kv` against an isolated rpmdb with `KEYS`
30+
imported: **3/3** `V4 RSA/SHA256, key ID ff7e515e: OK` + all header/payload
31+
digests OK. (`.deb` files aren't header-signed; covered by the signed
32+
manifest.) Same key signs the manifest and each RPM header.
33+
- **DOC-3 done (#682, all code-verified):** SCANNING appendix dead
34+
`/api/v1/compliance/*` paths → real endpoints (verified vs `openapi_embed.yaml`);
35+
USER_ROLES matrix → 67 rows = full registry (+`token:*`, `+system:auth_policy_*`),
36+
`remediation:execute/rollback` corrected to **free-core + ops_lead-held** (only
37+
`audit:export` is license-gated), 19→20 categories; DATABASE_MIGRATIONS real
38+
`migrations applied — version N -> N` + 10-min timeout; HOSTS_AND_REMEDIATION
39+
5-min `DefaultProbeInterval` + ICMP/SSH-banner/privilege layering;
40+
INSTALLATION kensa-rules `0.5.0``0.6.0` + create-admin password-echo caveat;
41+
LINUX_DISTRIBUTION_SUPPORT re-verified Kensa v0.6.0 = **538/538 rhel-family**.
42+
BACKLOG DOC-3 → Done (#683).
43+
44+
**Next** — Notifications Slice 2 (transaction-log rule-regression projector:
45+
critical pass→fail, grouped per host/scan) + per-host RBAC recipient scoping.
46+
Deferred guide cleanup: blanket spaced-em-dash close-up across `docs/guides/`
47+
(pre-existing, large mechanical diff); MONITORING date left at 2026-06-10 (no
48+
content review). GA gate: Stage 3 fleet-verification per `docs/runbooks/RELEASING.md`.
49+
50+
**Notes** — Two BACKLOG assumptions in the DOC-3 entry were themselves wrong and
51+
corrected during the pass: (1) INSTALLATION's PostgreSQL dependency is **real**
52+
(`packaging/rpm/openwatch.spec:37` `Requires: postgresql-server`), not phantom —
53+
kept; (2) LINUX_DISTRIBUTION_SUPPORT **did** carry the stale `v0.4.3`/`539` (the
54+
other guides were already 538). The `~539` approximate lens bounds (DOC-2) and
55+
CLAUDE.md Python-era packaging section (DOC-1) remain open. The git stash still
56+
has 10 pre-existing entries — do not `git stash pop` blindly.
57+
58+
---
59+
960
## 2026-06-25 — Opus 4.8 (1M context) — AUTH-1 completion, notifications Slice 1, PKG-3, review
1061

1162
**Done** — A large feature + fix session, all on feature branches (7 open PRs;
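
Review bot: In the rc.15 verification list (items 1 and 3), the signing key is recorded only as elided fingerprints (`C78B8AFF…FF7E515E`, primary `4CB70E1C…E239E50C`) and as the 8-hex key ID `ff7e515e` reported by `rpm -Kv`. A short key ID is not a unique identifier, so a later reader cannot use this entry alone to confirm that the key verified here matches the one shipped in `KEYS`. Suggest recording the full subkey and primary fingerprints, and stating where the `KEYS` file that was imported into the isolated rpmdb came from: if it was taken from the same release as the artifacts, the three checks show internal consistency rather than an independently anchored trust path. Item 2 also accounts for 13 of the 16 assets; naming the remaining three and saying how each is covered would make the "verified end-to-end" claim complete.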
