Commit d49117f

docs(backlog): mark DOC-3 done (guide truthfulness pass merged in #682) (#683)
1 parent e267613 commit d49117f

1 file changed

Lines changed: 1 addition & 1 deletion

BACKLOG.md

@@ -157,7 +157,7 @@ Gaps identified comparing `docs/KENSA_OPENWATCH_BOUNDARY.md` against current Ope
157157
|----|------|----------|--------|-------|
158158
| DOC-1 | CLAUDE.md "Packaging Infrastructure" describes a Python-era layout that doesn't exist in the Go native package | P2 | Open | The section claims package contents include `/opt/openwatch/backend/` (Python backend + requirements.txt), `/opt/openwatch/frontend/` (built SPA), and `/opt/openwatch/backend/kensa/` (rules, mappings, config, 508 rules), plus systemd units `openwatch-api`/`openwatch-worker@`/`openwatch-beat` and an nginx reverse proxy. None of that matches the rc7 Go RPM/DEB: the payload is a single `openwatch` Go binary (with embedded SPA), `openwatch.toml`, `openwatch.service`, and demo TLS certs (`packaging/rpm/openwatch.spec` + `build-rpm.sh`). The Kensa-rules-bundled claim is the same gap tracked in PKG-2. Fix: rewrite the section to match the Go packaging, or banner it as historical Python-era reference like the other frozen sections |
159159
| DOC-2 | `~539` approximate rule-count bounds not updated to `~538` after Kensa v0.6.0 | P3 | Open | The factual rule counts moved 539->538 with Kensa v0.6.0 (rc.14), but the explicitly-approximate `~539` bounds that justify the unpaginated host-compliance lens were left as-is in `internal/server/host_compliance_lens_handler.go`, `api/openapi.yaml` (+ generated `openapi_embed.yaml` / `frontend/src/api/schema.d.ts`), and specs `host-compliance` / `host-compliance-tab`. Cosmetic only (the `~` already disclaims precision and the bounded->no-pagination claim is unaffected by ±1); updating the openapi source requires `make generate-api` to re-sync the two generated copies |
160-
| DOC-3 | Operator-guide truthfulness + style remediation (2026-06-25 audit) | P2 | Partial | A full audit of `docs/guides/*.md` vs code (~80% truthful) found defects clustering in API-surface sections, RBAC specifics, and stale versions. **Fixed in this pass:** UPGRADE_PROCEDURE `--config`-after-subcommand (commands failed; `--config` is global, must precede the subcommand) x3; COMPLIANCE_CONTROLS invented `analyst` role + "three-tier role model" (real: 5 roles, no analyst) + fabricated rate-limit numbers; API_GUIDE false "not yet in the API" section (scans/remediation/exceptions/rules/OSCAL all ship); `rc.13`->`rc.14` version sweep. **Remaining:** SCANNING_AND_COMPLIANCE API appendix still lists dead `/api/v1/compliance/posture\|drift\|alerts\|audit/*` paths (real: `/hosts/{id}/compliance[/trend]`, `/api/v1/alerts`, `/audit/events/export`) — rewrite vs `api/openapi.yaml`; USER_ROLES permission-matrix license-gating mislabels (`remediation:execute/rollback` are **free-core**, not LG) + ops_lead remediation cells + missing token/auth_policy rows + "19->20 categories"; INSTALLATION phantom PostgreSQL package dependency + masked-password implication (code echoes); DATABASE_MIGRATIONS fabricated `migrate` output + "60s" timeout (real 10min); HOSTS_AND_REMEDIATION "30s" connectivity (real 5min) + "SSH-auth in probe" (probe is ICMP->TCP banner); add missing "Last Updated" to SECURITY_HARDENING + LINUX_DISTRIBUTION_SUPPORT, refresh stale MONITORING date; style sweep (close spaced em-dashes, lowercase Title-Case headings, drop "just" in LINUX:78). **DO NOT** apply the audit's "538->539" rule-count suggestion — it is a FALSE POSITIVE: rc.14 bundles Kensa v0.6.0 = **538** (live-scan confirmed); the guides correctly say 538. (The audit mis-sourced 539, likely the older kensa-rules v0.4.3 package.) |
160+
| DOC-3 | Operator-guide truthfulness + style remediation (2026-06-25 audit) | P2 | **Done** | A full audit of `docs/guides/*.md` vs code found defects clustering in API-surface sections, RBAC specifics, and stale versions. **Pass 1 (#680):** UPGRADE_PROCEDURE `--config`-after-subcommand x3; COMPLIANCE_CONTROLS invented `analyst` role + "three-tier role model" + fabricated rate-limit numbers; API_GUIDE false "not yet in the API" section; `rc.13`->`rc.14` sweep. **Pass 2 (#682, all code-verified):** SCANNING_AND_COMPLIANCE appendix dead `/api/v1/compliance/{posture,drift,alerts,audit/*}` paths replaced with real endpoints (paths + query params checked vs `openapi_embed.yaml`); USER_ROLES matrix now 67 rows = full registry (added token:*/system:auth_policy_*), `remediation:execute/rollback` corrected to free-core+`ops_lead`-held (only `audit:export` is license_gated), 19->20 categories, ops_lead prose; DATABASE_MIGRATIONS real `migrations applied — version N -> N` + 10-min timeout; HOSTS_AND_REMEDIATION 5-min `DefaultProbeInterval` + ICMP/SSH-banner/privilege layering (not 30s/SSH-auth); INSTALLATION kensa-rules `0.5.0`->`0.6.0` + create-admin password-echo caveat; LINUX_DISTRIBUTION_SUPPORT re-verified Kensa v0.6.0 = 538/538 rhel-family; Last Updated headers added to SECURITY_HARDENING + LINUX_DISTRIBUTION_SUPPORT. **Two backlog assumptions were themselves wrong and corrected during the pass:** (1) INSTALLATION's PostgreSQL dependency is **NOT phantom** — `packaging/rpm/openwatch.spec:37` really has `Requires: postgresql-server`, so the claim was kept; (2) LINUX_DISTRIBUTION_SUPPORT **did** carry the stale `v0.4.3`/`539` (the rest of the guides were already 538), now corrected to v0.6.0/538 via direct module count. **Deferred (separate cleanup):** blanket spaced-em-dash close-up across all guides (pre-existing, large mechanical diff); MONITORING date left at 2026-06-10 (no content review this pass — bumping unreviewed dates would be dishonest metadata). |
161161

162162
---
163163

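Review bot: In the added DOC-3 row the Status cell reads **Done** while the Notes cell still ends with a "Deferred (separate cleanup)" list (spaced-em-dash close-up, MONITORING date), and two items from the removed row's "Remaining" style sweep, "lowercase Title-Case headings" and "drop "just" in LINUX:78", appear in neither the Pass 2 list nor the Deferred list. Closing the row this way leaves that work with no open backlog ID. Either give the deferred and unaccounted items their own row so they stay trackable, or state in the Notes cell that the two style items were done or intentionally dropped. The removed row's explicit "DO NOT apply 538->539" warning is also gone; the new text does say 538 was re-verified, but DOC-2 directly above still discusses `~539` bounds, so a short pointer that 538 is the confirmed count would keep a later reader from reopening it. Two smaller points: the status is bolded here where DOC-1 and DOC-2 use plain `Open`, and the `packaging/rpm/openwatch.spec:37` reference pins a line number that will drift, so citing the `Requires: postgresql-server` line by content alone is more durable.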