+| DOC-3 | Operator-guide truthfulness + style remediation (2026-06-25 audit) | P2 | **Done** | A full audit of `docs/guides/*.md` vs code found defects clustering in API-surface sections, RBAC specifics, and stale versions. **Pass 1 (#680):** UPGRADE_PROCEDURE `--config`-after-subcommand x3; COMPLIANCE_CONTROLS invented `analyst` role + "three-tier role model" + fabricated rate-limit numbers; API_GUIDE false "not yet in the API" section; `rc.13`->`rc.14` sweep. **Pass 2 (#682, all code-verified):** SCANNING_AND_COMPLIANCE appendix dead `/api/v1/compliance/{posture,drift,alerts,audit/*}` paths replaced with real endpoints (paths + query params checked vs `openapi_embed.yaml`); USER_ROLES matrix now 67 rows = full registry (added token:*/system:auth_policy_*), `remediation:execute/rollback` corrected to free-core+`ops_lead`-held (only `audit:export` is license_gated), 19->20 categories, ops_lead prose; DATABASE_MIGRATIONS real `migrations applied — version N -> N` + 10-min timeout; HOSTS_AND_REMEDIATION 5-min `DefaultProbeInterval` + ICMP/SSH-banner/privilege layering (not 30s/SSH-auth); INSTALLATION kensa-rules `0.5.0`->`0.6.0` + create-admin password-echo caveat; LINUX_DISTRIBUTION_SUPPORT re-verified Kensa v0.6.0 = 538/538 rhel-family; Last Updated headers added to SECURITY_HARDENING + LINUX_DISTRIBUTION_SUPPORT. **Two backlog assumptions were themselves wrong and corrected during the pass:** (1) INSTALLATION's PostgreSQL dependency is **NOT phantom** — `packaging/rpm/openwatch.spec:37` really has `Requires: postgresql-server`, so the claim was kept; (2) LINUX_DISTRIBUTION_SUPPORT **did** carry the stale `v0.4.3`/`539` (the rest of the guides were already 538), now corrected to v0.6.0/538 via direct module count. **Deferred (separate cleanup):** blanket spaced-em-dash close-up across all guides (pre-existing, large mechanical diff); MONITORING date left at 2026-06-10 (no content review this pass — bumping unreviewed dates would be dishonest metadata). |
0 commit comments