feat(slice-bc): framework-at-query-time + runtime wiring specs (+code corrections) (#429)

Five new specs, two v2 amendments, two API addendums, and the matching
code corrections to make scheduler + kensa-executor materially
implement v2.0.0 in main. The runtime wiring itself (openwatch worker
subcommand, daemon orchestration, live Kensa binding) and findings UI
are spec'd but not implemented in this PR — those land in follow-up
PRs that take these specs as their contract.

Architectural correction
  Kensa's API is Kensa.Scan(ctx, host, rules, opts...) — the caller
  passes the rules; framework identity is per-rule metadata in
  rule.References, not a scan input. OpenWatch's v1 spec wrongly
  modeled scans as framework-scoped:
    - scheduler.JobPayload carried a FrameworkID HMAC-bound field.
    - executor.Run took a framework parameter.
    - Fleet/host APIs had no framework slicing surface.
  v2 corrects this: jobs are per-host (no framework), executor runs
  the full applicable rule corpus, framework is a query-time
  projection on host_rule_state.framework_refs JSONB.

New specs (3)
  system-daemon-orchestration  cmd/openwatch serve / migrate / worker
                              / check-config boot+shutdown ordering;
                              13 ACs; EmitFunc DI invariant;
                              alertrouter MUST subscribe before bus
                              has publishers.
  system-worker-subcommand    SKIP-LOCKED claim, HMAC verify,
                              transient-vs-permanent retry policy,
                              advisory-lock per-host concurrency
                              guard, graceful drain on SIGTERM;
                              13 ACs; references system-job-queue
                              for retry/dead-letter semantics.
  frontend-findings-ui        First frontend spec; route /hosts/{id}
                              with three regions (identity+liveness,
                              compliance, recent transactions),
                              optional ?framework= URL param,
                              role-gated, axe-core clean; 15 ACs;
                              framework-of-implementation agnostic.

Spec amendments (2)
  system-scheduler 1.0.0 -> 2.0.0
    - C-11 HMAC inputs: (host_id, policy_version, enqueued_at).
    - C-12 NEW: NewService has no defaultFramework param; JobPayload
      has no FrameworkID field. Source-inspection enforces.
    - AC-06 reworded; AC-16 NEW (source-inspection).
  system-kensa-executor 1.0.0 -> 2.0.0
    - C-12 Run signature: Run(ctx, hostID, policyVersion).
    - C-13 Production scanFunc binds pkg/kensa.Default;
      unwiredScanFunc remains test-only //nolint:unused.
    - C-14 Result.Outcomes covers every rule Kensa returned;
      RuleOutcome.FrameworkRefs flattened from rule References.
    - AC-01 reworded; AC-06 drops framework_unsupported reason;
      AC-17/18 NEW (source-inspection).

API spec addendums (2)
  api-fleet-observability 1.0.0 -> 1.1.0
    - C-07/08 NEW: optional ?framework= filter on every endpoint;
      exact-key match on framework_refs JSONB; absent / empty value
      is unfiltered (identical to v1.0.0).
    - AC-14/15/16/17 NEW (framework filter); AC-18 = renumbered
      v1.0.0 AC-14 (POST returns 405).
  api-hosts 1.1.0 -> 1.2.0
    - C-07/08 NEW: ?framework= filters compliance_summary; liveness
      unaffected.
    - AC-17/18 NEW (framework filter; CIS-only host returns zeros
      when STIG requested).

Code corrections (signature changes, no behavior drift on
unfiltered paths)
  internal/scheduler
    - JobPayload drops FrameworkID; Encode layout updated.
      v1 payloads now fail Verify (intended migration behavior —
      pre-v2 queued jobs are dead-lettered).
    - NewService drops defaultFramework parameter.
    - Dispatch body map drops framework_id key.
    - source_test.go NEW: AC-16 source-inspection.
  internal/kensa
    - Result drops FrameworkID (per-rule FrameworkRefs stays).
    - ScanFunc, Run, emitStarted/Completed/Failure,
      reportHostKeyUnknown/EvidenceOversize/KensaError all drop
      framework param.
    - unwiredScanFunc annotated //nolint:unused per AC-18 — the
      production binding lands with the worker subcommand PR.
    - source_test.go: AC-17/18 NEW (Run / ScanFunc signature
      inspection).
  internal/fleetrollup
    - options.go NEW: WithFramework functional option.
    - service.go: 4 methods now accept optional opts; SQL uses
      "$N::text IS NULL OR framework_refs ? $N" for unbranched
      filtering. Empty string -> NULL -> unfiltered.
  api/openapi.yaml
    - All 5 fleet endpoints + GET /hosts/{id} accept ?framework=.
    - Re-ran make generate-api to refresh server.gen.go.
  internal/server
    - fleet_handlers.go: 4 handlers thread Framework param into
      fleetrollup via frameworkOpts() helper.
    - fleet_helpers.go: frameworkOpts() converts *string to
      []fleetrollup.Option.
    - hosts_handlers.go: GetHostByID now takes
      GetHostByIDParams; threads framework into
      loadHostComplianceSummary.
    - hosts_enrichment.go: loadHostComplianceSummary takes
      framework; SQL filters via JSONB ?-operator.

Tests
  All affected specs at 100% AC coverage:
    api-fleet-observability    18/18 (was 14/14)
    api-hosts                  18/18 (was 16/16)
    system-scheduler           16/16 (was 15/15)
    system-kensa-executor      18/18 (was 16/16)
    system-fleet-rollup        13/13 (unchanged — already 100%)
  Existing test files updated for the new signatures; 4 new tests
  added for fleet AC-14/15/16/17 + 2 for hosts AC-17/18.

Verification
  go vet ./...            clean
  go test -race -count=1  PASS (full tree, with Postgres, 4 minutes)
  specter parse           PASS (44 specs total — 3 new)
  specter check           PASS
  specter coverage        all touched specs at 100%

Not in this PR (specs deliberately reference but implement nothing):
  - openwatch worker subcommand binary
  - Slice B package wiring into cmd/openwatch serve (scheduler tick,
    liveness loop, alertrouter)
  - Live Kensa binding (pkg/kensa.Default-backed ScanFunc)
  - Frontend code (only the spec is in this PR)

Specs touched
  system-scheduler         v1.0.0 -> v2.0.0
  system-kensa-executor    v1.0.0 -> v2.0.0
  api-fleet-observability  v1.0.0 -> v1.1.0
  api-hosts                v1.1.0 -> v1.2.0
  system-daemon-orchestration  NEW
  system-worker-subcommand     NEW
  frontend-findings-ui         NEW

Author: remyluslosius

.secrets.baseline

@@ -690,6 +690,10 @@ paths:
       x-required-permission: host:read
       parameters:
         - {name: id, in: path, required: true, schema: {type: string, format: uuid}}
+        - name: framework
+          in: query
+          description: Filter compliance_summary to host_rule_state rows whose framework_refs contains this key (v1.2.0). Liveness is unaffected.
+          schema: {type: string}
       responses:
         '200':
           description: Host detail (includes liveness + compliance_summary)
@@ -797,11 +801,16 @@ paths:
         '400':
           $ref: '#/components/responses/BadRequest'
 
-  # Spec: app/specs/api/fleet-observability.spec.yaml
+  # Spec: app/specs/api/fleet-observability.spec.yaml (v1.1.0)
   /api/v1/fleet/score:
     get:
       operationId: getFleetScore
       summary: Fleet-wide compliance score (passing/total)
+      parameters:
+        - name: framework
+          in: query
+          description: Filter to host_rule_state rows whose framework_refs contains this key (v1.1.0).
+          schema: {type: string}
       responses:
         '200':
           description: Fleet score
@@ -845,6 +854,10 @@ paths:
       operationId: getFleetTopFailingRules
       summary: Rules with the most failing hosts (descending)
       parameters:
+        - name: framework
+          in: query
+          description: Filter to host_rule_state rows whose framework_refs contains this key (v1.1.0).
+          schema: {type: string}
         - name: limit
           in: query
           schema: {type: integer, minimum: 1, maximum: 1000, default: 50}
@@ -871,6 +884,10 @@ paths:
       operationId: getFleetTopFailingHosts
       summary: Hosts with the most failing rules (descending)
       parameters:
+        - name: framework
+          in: query
+          description: Filter to host_rule_state rows whose framework_refs contains this key (v1.1.0).
+          schema: {type: string}
         - name: limit
           in: query
           schema: {type: integer, minimum: 1, maximum: 1000, default: 50}
@@ -897,6 +914,10 @@ paths:
       operationId: getFleetRecentChanges
       summary: Recent transactions (state changes), newest first
       parameters:
+        - name: framework
+          in: query
+          description: Filter to transactions whose framework_refs contains this key (v1.1.0).
+          schema: {type: string}
         - name: since
           in: query
           description: Filter to transactions strictly newer than this RFC3339 timestamp

app/api/openapi.yaml

@@ -0,0 +1,34 @@
+package fleetrollup
+
+// Option is a functional option for fleetrollup query methods.
+// Spec api-fleet-observability v1.1.0 C-07/C-08, api-hosts v1.2.0 C-07/C-08.
+type Option func(*queryOpts)
+
+// queryOpts is the internal options bag.
+type queryOpts struct {
+	// framework, when non-empty, filters results to rows whose
+	// framework_refs JSONB contains the given key. Empty string =
+	// unfiltered (legacy v1.0.0 behavior).
+	framework string
+}
+
+// WithFramework filters fleet aggregations and per-host queries to
+// rows whose framework_refs JSONB contains the given key (e.g.,
+// "cis_rhel9_v2.0.0"). Empty string is a no-op (unfiltered).
+//
+// The match is exact-key on the top-level JSONB object — no fuzzy
+// matching, no case folding.
+func WithFramework(framework string) Option {
+	return func(o *queryOpts) {
+		o.framework = framework
+	}
+}
+
+// applyOpts collects opts into a queryOpts bag.
+func applyOpts(opts []Option) queryOpts {
+	var o queryOpts
+	for _, fn := range opts {
+		fn(&o)
+	}
+	return o
+}

app/internal/fleetrollup/options.go

@@ -29,14 +29,23 @@ func NewService(pool *pgxpool.Pool) *Service {
 //
 // On an empty fleet, returns Score{0, 0} with nil error (NOT
 // pgx.ErrNoRows). Spec AC-01 / AC-02 / AC-03.
-func (s *Service) FleetComplianceScore(ctx context.Context) (Score, error) {
+//
+// WithFramework filters to rows whose framework_refs JSONB contains
+// the given key (api-fleet-observability v1.1.0 AC-14).
+func (s *Service) FleetComplianceScore(ctx context.Context, opts ...Option) (Score, error) {
+	o := applyOpts(opts)
+
+	// Single SQL covers both the unfiltered (framework="") and
+	// framework-filtered paths via NULLIF + ? operator. PostgreSQL
+	// short-circuits to TRUE when $1 is NULL (no framework given).
 	const q = `
 		SELECT
 			COUNT(*) FILTER (WHERE current_status = 'pass')                  AS passing,
 			COUNT(*) FILTER (WHERE current_status IN ('pass','fail'))        AS evaluations
-		  FROM host_rule_state`
+		  FROM host_rule_state
+		 WHERE ($1::text IS NULL OR framework_refs ? $1)`
 	var passing, evaluations int64
-	if err := s.pool.QueryRow(ctx, q).Scan(&passing, &evaluations); err != nil {
+	if err := s.pool.QueryRow(ctx, q, nullableFramework(o.framework)).Scan(&passing, &evaluations); err != nil {
 		if errors.Is(err, pgx.ErrNoRows) {
 			// Filtered COUNT never returns NoRows but defend anyway.
 			return Score{}, nil
@@ -52,6 +61,16 @@ func (s *Service) FleetComplianceScore(ctx context.Context) (Score, error) {
 	}, nil
 }
 
+// nullableFramework returns nil for the empty string (so the query's
+// "$1::text IS NULL OR …" short-circuits to TRUE = unfiltered) or the
+// string otherwise. Keeps the SQL constant across both code paths.
+func nullableFramework(framework string) any {
+	if framework == "" {
+		return nil
+	}
+	return framework
+}
+
 // FleetLiveness returns host counts by reachability status. The four
 // buckets sum to the count of active (deleted_at IS NULL) hosts. Hosts
 // that have a row in `hosts` but no row in `host_liveness` are counted
@@ -79,19 +98,24 @@ func (s *Service) FleetLiveness(ctx context.Context) (LivenessRollup, error) {
 // descending order. limit is coerced to [0, MaxLimit]. A coerced
 // limit of 0 returns an empty slice with nil error (no query
 // executed). Spec AC-05 / AC-06 / AC-10.
-func (s *Service) TopFailingRules(ctx context.Context, limit int) ([]RuleFailureRollup, error) {
+//
+// WithFramework filters to rows whose framework_refs JSONB contains
+// the given key (api-fleet-observability v1.1.0 AC-15).
+func (s *Service) TopFailingRules(ctx context.Context, limit int, opts ...Option) ([]RuleFailureRollup, error) {
 	n := clampLimit(limit)
 	if n == 0 {
 		return []RuleFailureRollup{}, nil
 	}
+	o := applyOpts(opts)
 	const q = `
 		SELECT rule_id, COUNT(*)::BIGINT AS failing_host_count
 		  FROM host_rule_state
 		 WHERE current_status = 'fail'
+		   AND ($2::text IS NULL OR framework_refs ? $2)
 		 GROUP BY rule_id
 		 ORDER BY failing_host_count DESC, rule_id ASC
 		 LIMIT $1`
-	rows, err := s.pool.Query(ctx, q, n)
+	rows, err := s.pool.Query(ctx, q, n, nullableFramework(o.framework))
 	if err != nil {
 		return nil, fmt.Errorf("fleetrollup: TopFailingRules: %w", err)
 	}
@@ -113,19 +137,24 @@ func (s *Service) TopFailingRules(ctx context.Context, limit int) ([]RuleFailure
 
 // TopFailingHosts returns the hosts with the most failing rules, in
 // descending order. limit is coerced to [0, MaxLimit]. Spec AC-07 / AC-10.
-func (s *Service) TopFailingHosts(ctx context.Context, limit int) ([]HostFailureRollup, error) {
+//
+// WithFramework filters to rows whose framework_refs JSONB contains
+// the given key (api-fleet-observability v1.1.0).
+func (s *Service) TopFailingHosts(ctx context.Context, limit int, opts ...Option) ([]HostFailureRollup, error) {
 	n := clampLimit(limit)
 	if n == 0 {
 		return []HostFailureRollup{}, nil
 	}
+	o := applyOpts(opts)
 	const q = `
 		SELECT host_id, COUNT(*)::BIGINT AS failing_rule_count
 		  FROM host_rule_state
 		 WHERE current_status = 'fail'
+		   AND ($2::text IS NULL OR framework_refs ? $2)
 		 GROUP BY host_id
 		 ORDER BY failing_rule_count DESC, host_id ASC
 		 LIMIT $1`
-	rows, err := s.pool.Query(ctx, q, n)
+	rows, err := s.pool.Query(ctx, q, n, nullableFramework(o.framework))
 	if err != nil {
 		return nil, fmt.Errorf("fleetrollup: TopFailingHosts: %w", err)
 	}
@@ -149,25 +178,29 @@ func (s *Service) TopFailingHosts(ctx context.Context, limit int) ([]HostFailure
 // occurred_at DESC. since filters to rows strictly newer than the
 // given timestamp. Pass time.Time{} (the zero value) to disable the
 // cursor. limit is coerced to [0, MaxLimit]. Spec AC-08 / AC-10.
-func (s *Service) RecentChanges(ctx context.Context, since time.Time, limit int) ([]TransactionRollup, error) {
+//
+// WithFramework filters to transactions whose framework_refs JSONB
+// contains the given key (api-fleet-observability v1.1.0 AC-16).
+func (s *Service) RecentChanges(ctx context.Context, since time.Time, limit int, opts ...Option) ([]TransactionRollup, error) {
 	n := clampLimit(limit)
 	if n == 0 {
 		return []TransactionRollup{}, nil
 	}
+	o := applyOpts(opts)
 	// The "$2::timestamptz IS NULL" idiom lets us encode "no cursor"
-	// without branching the SQL. Pass NULL for since to skip the
-	// filter, otherwise apply the strict >.
+	// without branching the SQL. Same trick for framework via $3::text.
 	const q = `
 		SELECT id, host_id, rule_id, status, COALESCE(severity, ''), change_kind, occurred_at
 		  FROM transactions
 		 WHERE ($2::timestamptz IS NULL OR occurred_at > $2)
+		   AND ($3::text IS NULL OR framework_refs ? $3)
 		 ORDER BY occurred_at DESC
 		 LIMIT $1`
 	var sinceParam any
 	if !since.IsZero() {
 		sinceParam = since
 	}
-	rows, err := s.pool.Query(ctx, q, n, sinceParam)
+	rows, err := s.pool.Query(ctx, q, n, sinceParam, nullableFramework(o.framework))
 	if err != nil {
 		return nil, fmt.Errorf("fleetrollup: RecentChanges: %w", err)
 	}