fix(reports): release hardening for rc.13 (claim, audit, channel validation)#660

Merged
remyluslosius merged 1 commit into main from fix/reports-release-hardening, Jun 22, 2026
@remyluslosius

Contributor

Summary

Pre-release quality + security pass on the Reports surface ahead of
v0.2.0-rc.13, implementing the remediation set chosen from the release
review (Blockers + HIGH + M1 + the quick wins).

Release (B1, B2)

  • Bump packaging/version.env to 0.2.0-rc.13 (Eyrie).
  • Add the 0.2.0-rc.13 CHANGELOG entry: four report kinds, OSCAL SAR,
    scheduled email delivery, async rendering + report.ready notification
    bell, Ed25519 signing, migrations 0043–0046.

Hardening (H1, H2, M2, L1)

  • H1 – atomic claim: the scheduled-report dispatcher now claims due
    schedules with FOR UPDATE SKIP LOCKED. ClaimDue advances next_run_at
    inside the locked transaction; MarkResult records the per-run outcome. Two
    concurrent dispatchers see disjoint sets, so a scheduled report is never
    double-generated or double-emailed (mirrors the scan/remediation job queue).
  • H2 – audit: report generate and schedule create / toggle / delete now
    emit audit events (report.generated, report.schedule.created /
    .toggled / .deleted).
  • L1 – channel validation: a non-email (or unknown) delivery channel is
    rejected at schedule create (400) instead of failing silently at every
    dispatch.
  • M2 – CRLF: report-email subject + attachment filename are CRLF-sanitized
    (header-injection defense, CWE-93).

Test isolation (M1)

  • freshAPIServer truncates report_schedules / report_snapshots /
    notification_channels between API tests (closed isolation gap).

Tests + specs

  • New AC-05 no-double-claim test for ClaimDue; the schedule API test
    asserts the create audit event (async, polled) and the non-email-channel
    400.
  • system-report-schedule → 1.1.0 (C-03 atomic claim, C-04 CRLF, C-05
    channel validation + audit, AC-04 extended, AC-05 added).
  • api-reports → 1.14.0 (C-06 report.generated audit).
  • L4 cleanup: stale "dispatcher not built" / "MVP one kind" comments and
    the dead ReportsPage ComingSoon copy replaced with accurate text.

Validation

  • gofmt / go build ./... / go vet clean
  • reportschedule, notification, report, audit packages pass
  • full internal/server API surface passes (-parallel 2, 229s)
  • specter check 0 errors; structural coverage 100% (--strictness annotation)
  • frontend tsc / eslint / prettier / vitest pass

Deferred (fast-follow, per chosen scope)

M3 (host:write vs a report-specific permission), M4 (remaining AC coverage),
L2 / L3 / L5 from the review were intentionally left out of this PR.

…dation)

Pre-release quality + security pass on the Reports surface ahead of
v0.2.0-rc.13.

Release:
- Bump version.env to 0.2.0-rc.13 (Eyrie).
- Add the 0.2.0-rc.13 CHANGELOG entry (four report kinds, OSCAL SAR,
  scheduled email delivery, async rendering + report.ready bell,
  Ed25519 signing, migrations 0043-0046).

Hardening:
- Dispatcher now claims due schedules atomically with FOR UPDATE SKIP
  LOCKED (ClaimDue advances next_run_at in the locked tx; MarkResult
  records the outcome), so two concurrent dispatchers never double-send
  a scheduled report.
- Emit audit events on report generate and on schedule create / toggle /
  delete (report.generated, report.schedule.created/.toggled/.deleted).
- Reject a non-email (or unknown) delivery channel at schedule create
  (400) instead of failing silently at dispatch.
- CRLF-sanitize report-email subject + attachment filename
  (header-injection defense, CWE-93).

Tests:
- freshAPIServer truncates report_schedules / report_snapshots /
  notification_channels between API tests (isolation gap).
- New AC-05 no-double-claim test for ClaimDue; schedule API test asserts
  the create audit event and the non-email-channel 400.

Specs:
- system-report-schedule -> 1.1.0 (C-03 atomic claim, C-04 CRLF, C-05
  channel validation + audit, AC-04 extended, AC-05 added).
- api-reports -> 1.14.0 (C-06 report.generated audit).
@remyluslosius remyluslosius merged commit dad7967 into main Jun 22, 2026
21 checks passed
@remyluslosius remyluslosius deleted the fix/reports-release-hardening branch June 22, 2026 15:44
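
The CRLF item (M2) in the description above, sketched as an added Go example; this is not the project's code, and the function names, the fallback filename and the sample inputs are assumptions made for illustration:

```go
package main

import (
	"fmt"
	"mime"
	"path"
	"strings"
)

// stripCtl removes CR, LF and every other ASCII control character, so a
// value can never terminate the header line it is written into (CWE-93).
func stripCtl(s string) string {
	return strings.Map(func(r rune) rune {
		if r < 0x20 || r == 0x7f {
			return -1 // drop the rune
		}
		return r
	}, s)
}

// SubjectHeader returns exactly one "Subject:" line. RFC 2047 Q-encoding
// keeps non-ASCII report names intact once control characters are gone.
func SubjectHeader(subject string) string {
	return "Subject: " + mime.QEncoding.Encode("utf-8", stripCtl(subject)) + "\r\n"
}

// AttachmentHeader returns exactly one "Content-Disposition:" line. The
// filename is cut down to its base name, then quoted or RFC 2231-encoded
// by mime.FormatMediaType as needed.
func AttachmentHeader(filename string) string {
	name := path.Base(strings.ReplaceAll(stripCtl(filename), `\`, "/"))
	if name == "." || name == "/" {
		name = "report" // hypothetical fallback for an empty name
	}
	disp := mime.FormatMediaType("attachment", map[string]string{"filename": name})
	return "Content-Disposition: " + disp + "\r\n"
}

func main() {
	// Constructed inputs, not taken from the project.
	fmt.Print(SubjectHeader("Weekly report\r\nX-Injected: 1"))
	fmt.Print(AttachmentHeader("..\\..\\q2\r\nreport.pdf"))
}
```

A regression test for this kind of fix can assert that each built header contains a single CRLF, at the very end, whatever the schedule name or filename contains.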