docs: session meta + guide truthfulness fixes (2026-06-25 review) #680
Merged
…DOC-3 High-impact, verified guide defects fixed:
- UPGRADE/QUICKSTART/ENVIRONMENT/MONITORING: --config is a GLOBAL flag (Go flag parsing stops at the first non-flag arg), so 'openwatch migrate --config X' silently ignored --config. Moved --config before the subcommand everywhere.
- COMPLIANCE_CONTROLS: removed the invented 'analyst' role + 'three-tier role model' (real: 5 roles — viewer/auditor/ops_lead/security_admin/admin) and the fabricated '100/min per user, 1000/min per IP' rate-limit (real: per-IP sliding window on the auth endpoints).
- API_GUIDE: the 'not yet in the API' section was almost entirely false (scans, remediation, exceptions, posture/drift, audit export, rule browser all ship); rewrote it to list the live surface + only the genuinely-absent /metrics and /security-info. Added the missing ops_lead role to the role table.
- Version sweep rc.13 -> rc.14; bumped Last Updated to 2026-06-25 on edited guides.

BACKLOG DOC-3 captures the remaining audit items (SCANNING dead-endpoint appendix, USER_ROLES matrix, INSTALLATION PG-dep, DATABASE_MIGRATIONS fake output, style sweep) and flags the audit's '538->539' suggestion as a FALSE POSITIVE — rc.14 bundles Kensa v0.6.0 = 538 (the guides correctly say 538).
… flake It hard-asserts 2s and gated #676's CI under -race (passed on rerun); it missed the 2026-06-21 perftest.Budgetf() migration the other perf tests got.
Output of the 2026-06-25 quality/security review + docs pass.
Meta-docs
- [Unreleased] — entries for the session's functional PRs:
  - fix(packaging): remediation broken under hardened unit — pin Kensa store to writable tree (PKG-3) #673
  - feat(auth): client-side idle-session timeout (AUTH-1 slice 1) #675
  - fix(hosts): Avg compliance KPI now matches /dashboard (shared fleet/score) #676
  - feat(auth): absolute-timeout ceiling + slide-on-user-activity (AUTH-1 b+c) #678
  - feat(notifications): change-driven in-app feed — Slice 1 (durable bell) #679

Guide truthfulness fixes (verified against code)
- --config is a global flag (Go flag parsing stops at the first non-flag arg) — openwatch migrate --config X silently ignored --config. Moved it before the subcommand in UPGRADE/QUICKSTART/ENVIRONMENT/MONITORING.
- analyst role + "three-tier" (real: 5 roles) and the fabricated rate-limit numbers (real: per-IP sliding window on auth endpoints).
- /metrics / /security-info; added ops_lead to the role table.

Security/quality review (two independent agents, findings verified)
- /api/v1/events) + zero-deadline guard. Backend (b) verified sound (ceiling can't be reset/bypassed, checked before issue, legacy-NULL safe).
- user_id, 401 on nil caller); per-user fan-out batched into one INSERT…SELECT (was N round-trips). Fleet fan-out leaks nothing to built-in roles (all have host:read); per-host RBAC scoping tracked for custom-role GA.

Remaining guide items (SCANNING dead-endpoint appendix, USER_ROLES matrix, INSTALLATION PG-dep, DATABASE_MIGRATIONS fake output, style sweep) are tracked in DOC-3.
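
The flag-ordering behaviour behind the --config fix described above, as an added example that is not part of this PR or the OpenWatch code base. It uses Go's standard flag package to show why a global flag placed after the subcommand is never parsed, plus a check that reports the misplaced flag so a caller can fail instead of running with the default config. The names parseGlobal, misplacedGlobal and the DEFAULT.yaml default are assumptions made for the illustration.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"strings"
)

// newGlobalFlags builds the global flag set. "DEFAULT.yaml" is a placeholder
// default for this example, not the project's real config path.
func newGlobalFlags() (*flag.FlagSet, *string) {
	fs := flag.NewFlagSet("openwatch", flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	return fs, fs.String("config", "DEFAULT.yaml", "config file (global)")
}

// parseGlobal returns the effective config path and the arguments left for
// the subcommand. flag.Parse stops at the first non-flag argument.
func parseGlobal(args []string) (string, []string, error) {
	fs, cfg := newGlobalFlags()
	if err := fs.Parse(args); err != nil {
		return "", nil, err
	}
	return *cfg, fs.Args(), nil
}

// misplacedGlobal reports the first global flag found after the subcommand,
// so the caller can refuse to run rather than silently use the default.
func misplacedGlobal(rest []string) (string, bool) {
	fs, _ := newGlobalFlags()
	for _, a := range rest {
		if a == "--" {
			break // everything after "--" is positional
		}
		name, _, _ := strings.Cut(strings.TrimLeft(a, "-"), "=")
		if strings.HasPrefix(a, "-") && fs.Lookup(name) != nil {
			return a, true
		}
	}
	return "", false
}

func main() {
	cfg, rest, _ := parseGlobal([]string{"migrate", "--config", "X"}) // constructed argv
	seen, bad := misplacedGlobal(rest)
	fmt.Println(cfg, rest, seen, bad)
}
```
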