Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 15 additions & 6 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,31 +10,39 @@ Versioning: [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

---

## [0.2.0-rc.10] Eyrie — 2026-06-17

Per-host SSH credentials become directly manageable from the UI, the bundled
Kensa engine moves to v0.5.0, and a packaging fix stops upgrades from
overwriting an operator's TLS certificate.

### Added

- SSH credentials can now be edited in place. The Settings credentials page
updates a credential directly instead of deleting and recreating it, so
changing a name, username, or authentication method no longer forces you to
re-enter the key or password. Leave a secret field blank to keep the stored
one.
one (#595).
- Per-host SSH credential management from the host detail page. A host can be
given its own credential, have that credential edited in place, or be reverted
to the workspace default, all from the host Edit dialog and the Connectivity
card's Edit credentials link.
card's Edit credentials link (#595).
- A Reconnect action on the host Connectivity card runs OS discovery
immediately, ahead of the scan queue, so you can confirm a host is reachable
and its SSH credential works right after changing it.
and its SSH credential works right after changing it (#595).

### Changed

- The host Connectivity card now shows the credential the host actually uses
(its own override or the workspace default) instead of a fixed label.
(its own override or the workspace default) instead of a fixed label (#595).
- Updated the bundled Kensa scan engine and rule corpus to v0.5.0. v0.5.0 adds
native sudo-with-password support for hosts where passwordless sudo is
disallowed (a common CIS/STIG control); the change is backward-compatible and
OpenWatch's existing scan behavior is unchanged. The corpus stays at 539
rules. The `kensa-rules` package version tracks the engine, so it becomes
0.5.0 in the next build.
0.5.0 in the next build (#594).

### Fixed

Expand All @@ -44,7 +52,8 @@ Versioning: [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
certificate with a fresh self-signed demo on every upgrade. The demo
certificate is now generated at install time only when the TLS files are
absent (the same generate-if-absent model already used for the server's
identity keys), so a certificate you put in place survives upgrades untouched.
identity keys), so a certificate you put in place survives upgrades untouched
(#596).

---

Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ OpenWatch is the compliance operating system for teams managing Linux infrastruc
> Python/FastAPI implementation was archived out of the repo on 2026-06-05). The
> Go tree lives at the **repo root**: Go 1.26 backend (`cmd/`, `internal/`),
> React 19 + TanStack frontend (`frontend/`), PostgreSQL-only. The current
> version is `0.2.0-rc.9`, a pre-release — not a GA build.
> version is `0.2.0-rc.10`, a pre-release — not a GA build.

![OpenWatch Compliance Dashboard](docs/images/dashboard-preview.png)

Expand Down
2 changes: 1 addition & 1 deletion packaging/version.env
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,5 @@
#
# The Go binary's ldflags read this file via the Makefile; build scripts
# in packaging/{rpm,deb}/ source it for spec macros.
VERSION="0.2.0-rc.9"
VERSION="0.2.0-rc.10"
CODENAME="Eyrie"
Loading