diff --git a/docs/session-ledger.md b/docs/session-ledger.md index 49464a6..98a1414 100644 --- a/docs/session-ledger.md +++ b/docs/session-ledger.md @@ -21,21 +21,17 @@ ## Machine-derived (re-seed from `scripts/ledger-scan.sh`; do not hand-edit) -_As of repo HEAD 2026-07-04 (re-run the scan to refresh):_ +_As of repo HEAD 968fe6c, 2026-07-05 (re-run the scan to refresh):_ -- **PROPOSED / OPEN decisions:** D-050 (keystone policyd override, no policy zip), - D-068 (Vault substrate hardening, Roosevelt), D-071 (routine update cadence + - controller patch policy -- filed 2026-07-04 by the jumphost stream, operator to rule). - _(D-063 is CLOSED as of 2026-07-03.)_ -- **OPEN security rows:** SEC-001 (libvirt cred rotate), SEC-003 (Vault unseal custody / - second-person rehearsal), SEC-004 (repo public -> private at v1 close). -- **Next-free numbers:** D = 073, DOCFIX = 090, BUNDLEFIX = 012. (D-072 + - DOCFIX-089 + BUNDLEFIX-011 consumed by the jumphost stream, addendum 18.) - The 2026-07-03 D-071 contention is RESOLVED: the jumphost stream filed D-071 + - DOCFIX-086 (ops-update-procedure) in changelog addendum 13 (2026-07-04); main - stream numbering resumes at the values above. The wrapped-pointer scan artifact - was fixed by the main stream (addendum 11) and independently confirmed at merge - (addendum 13 FINDING 2); the scan and these numbers now agree. +- **PROPOSED / OPEN decisions:** D-050 (keystone `use-policyd-override=true` with no + policy zip, FINDING-1), D-068 (Vault substrate hardening, Roosevelt -- 1.16 ruled + out per amendment; off-EOL path OPEN), D-071 (routine update cadence + controller + patch policy -- operator to rule; gated on the pre-DC-DC HA/backup session). +- **OPEN security rows:** SEC-001 (rotate after the current rebuild completes), + SEC-003 (assign custodians + rehearse second-person unseal), SEC-004 (flip repo + to private at v1 close). +- **Next-free numbers:** D = 073, DOCFIX = 091, BUNDLEFIX = 012. + (Scan, handoff-20260705, and the changelog next-free pointer all agree.) --- @@ -168,6 +164,20 @@ 4. juju status --format=line omits workload messages on 3.6 (root cause of the A7 false negative; fixed by DOCFIX-087). +## Jumphost stream -- session 2026-07-05 (post-window resume) + +- Orientation + reconcile DONE: machine-derived block re-seeded from today's scan + (DOCFIX next-free 090 -> 091 was stale); shared-section stale-facts correction + appended per the handoff reconcile item. Fences validate 4/0/0. +- FINDING (logged, not actioned): `repo_lint.py` L5 "next-free identifiers" info + line counts ANY textual mention of D-/DOCFIX-/BUNDLEFIX-NNN across all files, so + it is inflated by the deliberate tests/ledger-scan fixture (DOCFIX-099 / + BUNDLEFIX-050, "must NOT inflate") and by next-free pointer lines themselves + (reports D-074/DOCFIX-100/BUNDLEFIX-051). ledger-scan (heading-based, pointer- + excluding) is the numbering authority and is correct. DOCFIX candidate: make L5 + reuse ledger-scan's exclusion rules or drop the info line. No number consumed. +- Standing by for batch-3 live validation support (verify-live queue). + @@ -177,6 +187,10 @@ - repo is temporarily **PUBLIC** for Claude web_fetch (SEC-004) -- flip private at v1 close. - Jumphost stream: see "Active window" section above (ops-update-20260705 in flight). Vault stays 1.8/stable (D-068 unruled). +- CORRECTION (2026-07-05, jumphost stream, per handoff reconcile item): the two bullets + above are stale -- ops-update-20260705 is CLOSED (fleet fully current, juju 3.6.25); + D-068 is RULED on the 1.16 question (1.16 ruled out; vault stays 1.8/stable rev 714; + the off-EOL-1.8.8 path remains OPEN under D-068). ## Project-completion (execute after D-011 passes)