Session ledger -- in-flight work continuity record
Purpose. Long ops sessions on this cloud routinely exceed a single context window and get COMPACTED (sometimes several times). Anything living only in the chat scrollback is lost at compaction. This ledger is the durable, committed record of what is in flight, so any session -- after a compaction, or a fresh one, or the parallel Claude Code stream -- can resume without losing pending work.
How to use it (standing practice).
- At session start: read this ledger AND run bash scripts/ledger-scan.sh. Reconcile.
ledger-scan.sh is the DRIFT CHECK -- it derives the open work it can reliably derive (PROPOSED/OPEN decisions, OPEN security rows, next-free numbers) straight from the repo. This narrative must not claim CLOSED anything the scan shows OPEN, nor omit anything the scan surfaces.
- Update this ledger at every deliverable/commit -- it is a standing deliverable like the changelog. The changelog says what CHANGED; this ledger says what is still OPEN.
- Numbers and the machine-derived section below are seeded from a scan; re-run the scan and re-seed rather than editing those by hand.
Machine-derived (re-seed from scripts/ledger-scan.sh; do not hand-edit)
As of repo HEAD 2026-07-04 (re-run the scan to refresh):
- PROPOSED / OPEN decisions: D-050 (keystone policyd override, no policy zip), D-068 (Vault substrate hardening, Roosevelt), D-071 (routine update cadence + controller patch policy -- filed 2026-07-04 by the jumphost stream, operator to rule). (D-063 is CLOSED as of 2026-07-03.)
- OPEN security rows: SEC-001 (libvirt cred rotate), SEC-003 (Vault unseal custody / second-person rehearsal), SEC-004 (repo public -> private at v1 close).
- Next-free numbers: D = 072, DOCFIX = 088, BUNDLEFIX = 010. The 2026-07-03 D-071 contention is RESOLVED: the jumphost stream filed D-071 + DOCFIX-086 (ops-update-procedure) in changelog addendum 13 (2026-07-04); main stream numbering resumes at the values above. The wrapped-pointer scan artifact was fixed by the main stream (addendum 11) and independently confirmed at merge (addendum 13 FINDING 2); the scan and these numbers now agree.
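The drift check described in "How to use it" and the re-seed of this machine-derived section, as an added worked example. This is not the repo's scripts/ledger-scan.sh; the changelog line shape "<ID> <STATUS> <title>" with the ID at the start of the line, the sample entries, and the function names (open_ids, next_free, narrative_drift) are assumptions made for the illustration. The sample is built so the derived values match the ones above (D-050/D-068/D-071 open, D-063 closed, next-free D=072, DOCFIX=088, BUNDLEFIX=010).

```bash
#!/usr/bin/env bash
# Added illustration of the ledger drift check. NOT the repo's scripts/ledger-scan.sh;
# the "<ID> <STATUS> <title>" line shape with the ID at line start is an assumption.

# Constructed sample changelog. An ID may appear more than once (filed, then closed);
# the LAST status line for an ID wins, which is how a scan reads D-063 as CLOSED even
# though its PROPOSED entry is still in the history. Note the scan keys on the ID at
# the start of the line, so an entry wrapped onto a second line would not be seen.
SAMPLE_CHANGELOG='D-050 PROPOSED keystone policyd override, no policy zip
D-063 PROPOSED identity:list_trusts hardening
SEC-001 OPEN libvirt cred rotate
DOCFIX-086 DONE ops-update-procedure
D-063 CLOSED ruled 2026-07-03
D-068 OPEN Vault substrate hardening
SEC-003 OPEN Vault unseal custody
D-071 PROPOSED routine update cadence + controller patch policy
SEC-004 OPEN repo public -> private at v1 close
BUNDLEFIX-009 DONE wrapped pointer
DOCFIX-087 DONE ledger wording'

# open_ids PREFIX: IDs of that prefix (D, SEC, ...) whose final status is PROPOSED or OPEN.
open_ids() {
  printf '%s\n' "$SAMPLE_CHANGELOG" | awk -v p="$1" '
    $1 ~ ("^" p "-[0-9]+$") { st[$1] = $2 }
    END { for (k in st) if (st[k] == "PROPOSED" || st[k] == "OPEN") print k }' | sort
}

# next_free PREFIX: highest number seen for the prefix plus one, zero-padded to 3 digits.
next_free() {
  printf '%s\n' "$SAMPLE_CHANGELOG" | awk -v p="$1" '
    $1 ~ ("^" p "-[0-9]+$") { n = substr($1, length(p) + 2) + 0; if (n > max) max = n }
    END { printf "%03d\n", max + 1 }'
}

# narrative_drift NARRATIVE: NARRATIVE holds "<ID> <claimed status>" lines lifted from the
# hand-written ledger. Report every ID the narrative calls CLOSED that the scan still shows
# open -- the standing rule that the narrative must not claim CLOSED what the scan shows OPEN.
narrative_drift() {
  scan_open=$(open_ids D; open_ids SEC)
  printf '%s\n' "$1" | while read -r id claimed rest; do
    [ "$claimed" = "CLOSED" ] || continue
    if printf '%s\n' "$scan_open" | grep -qx "$id"; then
      printf 'DRIFT: narrative says %s CLOSED but the scan shows it open\n' "$id"
    fi
  done
}

# Stand-alone run: what a re-seed of the machine-derived section would print.
printf 'open decisions: %s\n' "$(open_ids D | tr '\n' ' ')"
printf 'open security rows: %s\n' "$(open_ids SEC | tr '\n' ' ')"
printf 'next free: D=%s DOCFIX=%s BUNDLEFIX=%s\n' "$(next_free D)" "$(next_free DOCFIX)" "$(next_free BUNDLEFIX)"
narrative_drift 'D-063 CLOSED
D-050 CLOSED'
```

Last-status-wins is the property to preserve in any real scan: a changelog keeps the PROPOSED entry after the decision is ruled, so grepping for PROPOSED alone would re-open closed decisions.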
Active build (this session)
- validate.sh D-011 runner -- modular. Foundation committed: scripts/lib-validate.sh (exit contract 0/1/2/3/4, emit, vr_json stderr-safe, run, env hygiene, disruptive gate) + scripts/validate.sh orchestrator (profiles, verdict, --stop-on-fail, --include-disruptive).
- Batch 1 committed: checks/d011-01-charms, checks/d011-06-vault-unseal (MANUAL until the SEC-003 rehearsal closes).
- Batch 2 committed: checks/d011-02-vip-jumphost (catalog-derive public origins, TLS+HTTP), checks/d011-03-vip-tenant (ephemeral agnhost pod egress -> keystone VIP, D-035 proof). post-restart profile now fully populated.
- Batch 3 DRAFTED (mock-tested only, NEEDS LIVE VALIDATION): d011-04-octavia-lb (RR+member additive; amphora failover --disruptive, N+1 headroom-guarded) + d011-05-magnum-e2e (wraps tenant-acceptance + timing). full-d011 profile now COMPLETE.
- Next: live-validate batch 3 (see the Verify-live queue below), then the script-backlog remainder (item 3, items 5-8).
- D-011 AMENDED bar: 1 charms; 2 VIP jumphost; 3 VIP tenant; 4 octavia RR/failover/recovery; 5 magnum e2e + OCCM; 6 second-person manual unseal (attestation, D-069); 7 DROPPED (D-070 supersedes D-012 snapshots); 8 DROPPED (D-019, no Designate).
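The runner shape the Active build describes (exit contract, stderr-safe JSON records, the disruptive gate, --stop-on-fail, profile verdict), as an added worked example. This is not scripts/lib-validate.sh or scripts/validate.sh from the repo: the function names (vr_run, vr_json, vr_profile), the meaning given to exit codes 0..4, the verdict aggregation rule and the three stand-in checks are all assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added illustration of a modular validate runner. NOT the repo's lib-validate.sh /
# validate.sh; names and the exit-code meanings below are assumptions for the example.

INCLUDE_DISRUPTIVE=${INCLUDE_DISRUPTIVE:-0}   # the --include-disruptive gate
STOP_ON_FAIL=${STOP_ON_FAIL:-0}               # the --stop-on-fail switch

# Assumed exit contract: 0 PASS, 1 FAIL, 2 MANUAL (needs a human attestation),
# 3 SKIP, 4 ERROR (the check itself could not run). Anything else is treated as ERROR.
vr_verdict() {
  case "$1" in
    0) echo PASS ;; 1) echo FAIL ;; 2) echo MANUAL ;; 3) echo SKIP ;; *) echo ERROR ;;
  esac
}

# emit: human-readable progress goes to stderr so stdout stays machine-readable.
emit() { printf '%s\n' "$*" >&2; }

# vr_json NAME VERDICT: one JSON record per check on stdout. Never route stderr into
# this stream -- a warning merged in via 2>&1 corrupts the JSON a consumer parses.
vr_json() { printf '{"check":"%s","verdict":"%s"}\n' "$1" "$2"; }

# vr_run NAME DISRUPTIVE FUNC: run one check through the disruptive gate and map its
# exit status to a verdict. Returns the check's own exit status.
vr_run() {
  run_name=$1 run_disruptive=$2 run_fn=$3
  if [ "$run_disruptive" = 1 ] && [ "$INCLUDE_DISRUPTIVE" != 1 ]; then
    emit "$run_name: skipped (disruptive, gate closed; pass --include-disruptive to run)"
    vr_json "$run_name" SKIP
    return 3
  fi
  if "$run_fn"; then run_rc=0; else run_rc=$?; fi
  vr_json "$run_name" "$(vr_verdict "$run_rc")"
  return "$run_rc"
}

# Constructed stand-in checks (the real ones live under checks/ and read the live cloud).
SAMPLE_JUJU_APPS='keystone active 3
octavia active 3
vault active 1'
check_charms() {            # FAIL if any application in the (constructed) status is not active
  printf '%s\n' "$SAMPLE_JUJU_APPS" | awk '$2 != "active" { bad = 1 } END { exit bad + 0 }'
}
check_vault_unseal() {      # MANUAL until the second-person rehearsal is attested
  emit "vault-unseal: second-person rehearsal not yet attested"; return 2
}
check_amphora_failover() {  # disruptive; simulated failure for the example
  emit "amphora-failover: replacement amphora did not reach ONLINE (simulated)"; return 1
}

# vr_profile NAME: run the profile's checks in order, print the overall verdict record.
# Aggregation (assumed): any FAIL/ERROR => FAIL; else any MANUAL => MANUAL; else PASS.
# SKIP never degrades the verdict. name:disruptive:function triples stand in for the catalog.
vr_profile() {
  prof_name=$1 overall=PASS
  for spec in charms:0:check_charms vault-unseal:0:check_vault_unseal amphora-failover:1:check_amphora_failover; do
    c_name=${spec%%:*}; rest=${spec#*:}; c_disruptive=${rest%%:*}; c_fn=${rest#*:}
    if vr_run "$c_name" "$c_disruptive" "$c_fn"; then c_rc=0; else c_rc=$?; fi
    case $c_rc in
      0|3) ;;
      2) [ "$overall" = FAIL ] || overall=MANUAL ;;
      *) overall=FAIL ;;
    esac
    if [ "$overall" = FAIL ] && [ "$STOP_ON_FAIL" = 1 ]; then
      emit "stop-on-fail: halting after $c_name"; break
    fi
  done
  printf '{"profile":"%s","verdict":"%s"}\n' "$prof_name" "$overall"
}

# Stand-alone run: post-restart with the gate closed, then the full profile with it open.
vr_profile post-restart
INCLUDE_DISRUPTIVE=1
vr_profile full-d011
```

With the gate closed the disruptive check is recorded as SKIP rather than silently dropped, so the profile output still shows it was not exercised; that is the property to keep when wiring the real amphora-failover check in.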
Script backlog (changelog-tracked)
- DONE: tenant-offboard.sh, vault-kv-health.sh, cloud-assert.sh (item 3 largely), validate foundation + batch 1.
- item 3 remainder: fold vault-kv-health.sh into cloud-assert as a section; use the combined gate to regenerate the stale restart-procedure runbook.
- item 5: scripts/tenant-cluster-create.sh -- generalize the t2-02 stage6 + watch + D-066-evidence wrapper. Not started.
- item 6: scripts/keystone-policy-drift.sh -- D-051 base_* alignment (LIVE-READ PENDING). Not started.
- item 7: scripts/cloud-snapshot.sh -- juju-export baseline capture (D-070 retired KVM snapshots but KEPT the export/inventory baseline). Not started.
- item 8: tests/tenant-acceptance/ harness -- pending (tenant-onboard harness landed).
Register / operator-gated (see docs/handoff-20260703-open-items.md)
- R-1 / SEC-003: Vault unseal-key custodian assignment (OPEN). Gates V-2 and closes d011-06-vault-unseal (currently MANUAL). Operator input, recorded off-repo.
- V-2: second-person unseal rehearsal (blocked on R-1).
- R-2 (D-043 caveat): capi-mgmt-v2 auto-resume exclusion -- rule or accept.
- R-3: was D-063 -- now CLOSED. The handoff doc still lists R-3 OPEN; update it.
- D-1: Pattern-A full redeploy (VR0 DC0).
Verify-live queue (batch 3 drafts -- confirm on real cloud before trusting)
- d011-04 amphora_headroom() field parsing (server show .flavor; hypervisor list --long vcpu/ram) -- safe default HOLDs on any parse miss, but confirm the OK path live.
- d011-04 OCCM LB-name-contains-service-name assumption; agnhost /hostname round-robin behavior.
- d011-05 needs a FOIL tenant (2nd tenant) for P3 isolation -- onboard one or set VR_FOIL_APPCRED (acme, the former foil, was offboarded).
- Sequence: run d011-04 non-disruptively first (RR+member), then --include-disruptive once headroom confirmed.
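The headroom guard behaviour the first queue item describes (N+1 capacity check, HOLD on any parse miss), as an added worked example. This is not the repo's d011-04 check: the two input layouts, the sample values and the function name amphora_headroom are assumptions standing in for the flavor vcpu/ram and hypervisor vcpu/ram fields the item names; the real check reads those from the live cloud, which is exactly the part this queue says to confirm.

```bash
#!/usr/bin/env bash
# Added illustration of an N+1 headroom guard for amphora failover. NOT the repo's
# d011-04 check; input layouts and values are constructed for the example.

# Constructed inputs. Flavor: "<field> <value>" lines carrying vcpus and ram (MB).
SAMPLE_AMPHORA_FLAVOR='vcpus 2
ram 2048'
# Hypervisors: "<name> <vcpus> <vcpus_used> <memory_mb> <memory_mb_used>" per line.
SAMPLE_HYPERVISORS='hv0 16 8 65536 40960
hv1 16 14 65536 61440'

# amphora_headroom FLAVOR_TEXT HYPERVISOR_TEXT: prints OK when at least one hypervisor can
# host one more amphora of that flavor (the +1 a failover needs), HOLD otherwise.
# Any parse miss -- missing field, non-numeric value, short row -- is HOLD: the safe default
# is to not trigger the disruptive failover rather than guess at capacity.
amphora_headroom() {
  need_vcpus=$(printf '%s\n' "$1" | awk '$1 == "vcpus" { print $2; exit }')
  need_ram=$(printf '%s\n' "$1" | awk '$1 == "ram" { print $2; exit }')
  case "$need_vcpus:$need_ram" in
    *[!0-9:]*|:*|*:) echo HOLD; return 1 ;;
  esac
  printf '%s\n' "$2" | awk -v nv="$need_vcpus" -v nr="$need_ram" '
    NF == 0 { next }
    NF != 5 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ || $5 !~ /^[0-9]+$/ { miss = 1; next }
    ($2 - $3) >= nv && ($4 - $5) >= nr { fits++ }
    END { if (miss || fits < 1) { print "HOLD"; exit 1 } print "OK" }'
}

# Stand-alone run on the constructed inputs (hv0 has 8 vcpu / 24576 MB free: OK).
amphora_headroom "$SAMPLE_AMPHORA_FLAVOR" "$SAMPLE_HYPERVISORS"
```

One row that fails to parse HOLDs the whole verdict even when another row plainly fits; that is deliberate, since a malformed row means the capacity picture is incomplete.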
Logged-not-actioned (small; would vanish at compaction)
- offboard v2 --sweep-magnum-orphans mode (orphan per-cluster trustee in the magnum domain).
- offboard stage-3 app-cred idempotency re-run guard.
- host_href=None barbican observation (exercised fine in stage 6; probably closeable).
- DOCFIX candidate: sweep repo for other -f json ... 2>&1 stderr-merge hazards (DOCFIX-085 class).
- D-050 (keystone policyd override) and the D-063-adjacent identity:list_trusts="" hardening remain PROPOSED/OPEN, not actioned.
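The stderr-merge hazard behind the DOCFIX candidate above, plus the kind of sweep that would find further instances, as an added worked example. None of this is repo code: fake_cli_json, capture_json, is_json_shaped and sweep_stderr_merge are names made up for the illustration, and the sample script text is constructed.

```bash
#!/usr/bin/env bash
# Added illustration of the "-f json ... 2>&1" stderr-merge hazard and a sweep for it.
# Not code from the repo; all names below are made up for the example.

# Constructed stand-in for a CLI call that writes a warning to stderr and JSON to
# stdout, which is what a deprecation or config warning from a client does.
fake_cli_json() {
  printf 'WARNING: the --foo option is deprecated\n' >&2
  printf '{"id":"amp-1","status":"ACTIVE"}\n'
}

# is_json_shaped TEXT: cheap sanity check a consumer can apply before parsing.
is_json_shaped() { case "$1" in '{'*|'['*) return 0 ;; *) return 1 ;; esac; }

# capture_json CMD...: the stderr-safe form. Only stdout is captured; stderr goes to a
# log (VR_LOG, default /dev/null) instead of being merged into the JSON stream.
capture_json() { "$@" 2>>"${VR_LOG:-/dev/null}"; }

# sweep_stderr_merge SCRIPT_TEXT: flag every line that asks for JSON output and merges
# stderr into the same stream. The pattern is deliberately broad; review hits by hand.
sweep_stderr_merge() {
  printf '%s\n' "$1" | awk '/-f json/ && /2>&1/ { printf "line %d: %s\n", NR, $0 }'
}

# Constructed script text for the sweep: line 2 is the hazard, line 3 the safe form.
SAMPLE_SCRIPT='#!/bin/bash
status=$(openstack server show "$id" -f json 2>&1 | jq -r .status)
lbs=$(openstack loadbalancer list -f json 2>>"$log")
echo done 2>&1'

# Stand-alone run: the merged stream fails the shape check; the safe capture passes.
merged=$(fake_cli_json 2>&1)
is_json_shaped "$merged" || printf 'merged capture is not JSON: %s\n' "$merged"
clean=$(capture_json fake_cli_json)
is_json_shaped "$clean" && printf 'stderr-safe capture: %s\n' "$clean"
sweep_stderr_merge "$SAMPLE_SCRIPT"
```

The failure mode is silent in the common case: while no warning fires the merged form works, and the first deprecation notice after a client upgrade breaks every consumer that pipes it into jq.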
State facts to remember
- beta cluster left at node_count=2 (deliberate; bonus resize acceptance coverage).
- repo is temporarily PUBLIC for Claude web_fetch (SEC-004) -- flip private at v1 close.
- Parallel Claude Code stream on the jumphost: D-071 + DOCFIX-086 FILED (addendum 11, 2026-07-04). Its next step is the LIVE EXECUTION of runbooks/ops-update-procedure.md (controller 3.6.24 -> 3.6.25 + ~20 in-channel charm refreshes), operator-gated, in a run-logged session. Vault stays 1.8/stable (D-068 unruled).
Project-completion (execute after D-011 passes)
- Consolidate 10 per-phase do-documents into docs/v1-deploy-runbook.md.
- Set repo visibility PRIVATE (SEC-004).
- v2-deferred: SSH on GitBucket (port 29418), IPv6 dual-stack, NetBox import bundle.