|
Ledger collapse: close the coverage gap in the carry-forward
The collapse commit's guards (lint, ASCII, ledger-scan, size) validated FORM, not COVERAGE. Two ledger regions had only been keyword-grepped, not read. Read them. Three items surfaced; each was VERIFIED against the repo rather than trusted: - run-tests-all.sh dirtying the tree with 37 spurious mode-change diffs: NOW FIXED (the fakebin stubs are committed 100755 -- 36 of them, measured). Not carried. - `scripts/opnsense-apply-config.sh` (once "wanted"): SUPERSEDED, and dangerous to build -- its snapshot/scp/install/reboot flow IS the config.xml path D-113(a2) deleted. Recorded as "do not build this", so nobody resurrects it from the history. - The tcsh trap it taught is REAL and carried forward: root's shell on the OPNsense edge is tcsh, so `$(...)` in a quoted remote command dies with "Illegal variable name" -- QUIETLY. It already cost a silently no-op'd pre-install snapshot. Always feed remote commands to `sh -s`. Also carried (this one matters and was nowhere in the open lists): DHCP HAS NEVER SERVED A REAL LEASE. kea-dhcp4 is bound to udp/67 with the subnet+pool intact, but office1-local has no client host, so the DAEMON is proven and the SERVICE is not. The first VM on office1-local (the Stage 2 headend VMs) is the real test -- logged as that stage's gate rather than an assumption. Plus a measured doc-accuracy finding: SEC-007 says "D-112(c) makes SSH the only management path", but the edge's web GUI IS listening on the LAN (10.10.0.1:443, HTTPS 200) and is correctly firewalled off on the WAN. Not an exposure -- OPNsense default, and D-113 kept OPNsense *because* the GUI is an operator requirement -- but the wording is imprecise. Logged, not actioned (hard rule 1). Guards: repo-lint 0 fail (1 documented legacy warn), 0 non-ASCII. No live system touched; the edge probes were read-only TCP/HTTP reachability checks. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
|---|
|
|
| docs/session-ledger.md |
|---|