# Session ledger -- in-flight work continuity record

**Purpose.** Long ops sessions on this cloud routinely exceed a single context window
and get COMPACTED (sometimes several times). Anything living only in the chat scrollback
is lost at compaction. This ledger is the durable, committed record of what is in flight,
so any session -- after a compaction, or a fresh one, or the parallel Claude Code stream --
can resume without losing pending work.

**How to use it (standing practice).**
1. At session start: read this ledger AND run `bash scripts/ledger-scan.sh`. Reconcile.
2. `ledger-scan.sh` is the DRIFT CHECK -- it derives the open work it reliably can
   (PROPOSED/OPEN decisions, OPEN security rows, next-free numbers) straight from the repo.
   This narrative must not claim CLOSED anything the scan shows OPEN, nor omit what it surfaces.
3. Update this ledger at every deliverable/commit -- it is a standing deliverable like the
   changelog. The changelog says what CHANGED; this ledger says what is still OPEN.
4. Numbers and the machine-derived section below are seeded from a scan; re-run the scan and
   re-seed rather than editing those by hand.

---

## Machine-derived (re-seed from `scripts/ledger-scan.sh`; do not hand-edit)

_As of repo HEAD 2026-07-04 (re-run the scan to refresh):_

- **PROPOSED / OPEN decisions:** D-050 (keystone policyd override, no policy zip),
  D-068 (Vault substrate hardening, Roosevelt), D-071 (routine update cadence +
  controller patch policy -- filed 2026-07-04 by the jumphost stream, operator to rule).
  _(D-063 is CLOSED as of 2026-07-03.)_
- **OPEN security rows:** SEC-001 (libvirt cred rotate), SEC-003 (Vault unseal custody /
  second-person rehearsal), SEC-004 (repo public -> private at v1 close).
- **Next-free numbers:** D = 072, DOCFIX = 088, BUNDLEFIX = 010.
  The 2026-07-03 D-071 contention is RESOLVED: the jumphost stream filed D-071 +
  DOCFIX-086 (ops-update-procedure) in changelog addendum 13 (2026-07-04); main
  stream numbering resumes at the values above. The wrapped-pointer scan artifact
  was fixed by the main stream (addendum 11) and independently confirmed at merge
  (addendum 13 FINDING 2); the scan and these numbers now agree.

---

## Active build (this session)

- **validate.sh D-011 runner -- modular.** Foundation committed: `scripts/lib-validate.sh`
  (exit contract 0/1/2/3/4, emit, vr_json stderr-safe, run, env hygiene, disruptive gate) +
  `scripts/validate.sh` orchestrator (profiles, verdict, --stop-on-fail, --include-disruptive).
  - Batch 1 committed: `checks/d011-01-charms`, `checks/d011-06-vault-unseal` (MANUAL until
    the SEC-003 rehearsal closes).
  - Batch 2 committed: `checks/d011-02-vip-jumphost` (catalog-derive public origins, TLS+HTTP),
    `checks/d011-03-vip-tenant` (ephemeral agnhost pod egress -> keystone VIP, D-035 proof).
    `post-restart` profile now fully populated.
  - Batch 3 DRAFTED (mock-tested only, NEEDS LIVE VALIDATION): `d011-04-octavia-lb`
    (RR+member additive; amphora failover --disruptive, N+1 headroom-guarded) +
    `d011-05-magnum-e2e` (wraps tenant-acceptance + timing). full-d011 profile now COMPLETE.
  - **Next:** live-validate batch 3 (see Verify-live queue), then item-3/#5-#8 backlog.
  - D-011 AMENDED bar: 1 charms; 2 VIP jumphost; 3 VIP tenant; 4 octavia RR/failover/recovery;
    5 magnum e2e + OCCM; 6 second-person manual unseal (attestation, D-069); 7 DROPPED
    (D-070 supersedes D-012 snapshots); 8 DROPPED (D-019, no Designate).

## Script backlog (changelog-tracked)

- DONE: tenant-offboard.sh, vault-kv-health.sh, cloud-assert.sh (item 3 largely), validate
  foundation + batch 1.
- **item 3 remainder:** fold `vault-kv-health.sh` into cloud-assert as a section; use the
  combined gate to regenerate the stale restart-procedure runbook.
- **item 5:** `scripts/tenant-cluster-create.sh` -- generalize the t2-02 stage6 + watch +
  D-066-evidence wrapper. Not started.
- **item 6:** `scripts/keystone-policy-drift.sh` -- D-051 base_* alignment (LIVE-READ PENDING).
  Not started.
- **item 7:** `scripts/cloud-snapshot.sh` -- juju-export baseline capture (D-070 retired KVM
  snapshots but KEPT the export/inventory baseline). Not started.
- **item 8:** `tests/tenant-acceptance/` harness -- pending (tenant-onboard harness landed).

## Register / operator-gated (see docs/handoff-20260703-open-items.md)

- **R-1 / SEC-003:** Vault unseal-key custodian assignment (OPEN). Gates V-2 and closes
  `d011-06-vault-unseal` (currently MANUAL). Operator input, recorded off-repo.
- **V-2:** second-person unseal rehearsal (blocked on R-1).
- **R-2 (D-043 caveat):** capi-mgmt-v2 auto-resume exclusion -- rule or accept.
- **R-3:** was D-063 -- now CLOSED. The handoff doc still lists R-3 OPEN; update it.
- **D-1:** Pattern-A full redeploy (VR0 DC0).

## Verify-live queue (batch 3 drafts -- confirm on real cloud before trusting)

- d011-04 amphora_headroom() field parsing (`server show` .flavor; `hypervisor list --long`
  vcpu/ram) -- safe default HOLDs on any parse miss, but confirm the OK path live.
- d011-04 OCCM LB-name-contains-service-name assumption; agnhost /hostname round-robin behavior.
- d011-05 needs a FOIL tenant (2nd tenant) for P3 isolation -- onboard one or set VR_FOIL_APPCRED
  (acme, the former foil, was offboarded).
- Sequence: run d011-04 non-disruptively first (RR+member), then --include-disruptive once
  headroom confirmed.

## Logged-not-actioned (small; would vanish at compaction)

- offboard v2 `--sweep-magnum-orphans` mode (orphan per-cluster trustee in the magnum domain).
- offboard stage-3 app-cred idempotency re-run guard.
- `host_href=None` barbican observation (exercised fine in stage 6; probably closeable).
- DOCFIX candidate: sweep repo for other `-f json ... 2>&1` stderr-merge hazards (DOCFIX-085 class).
- D-050 (keystone policyd override) and the D-063-adjacent `identity:list_trusts=""` hardening
  remain PROPOSED/OPEN, not actioned.
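The stderr-merge hazard flagged in the DOCFIX-085 sweep bullet above (and the reason `lib-validate.sh`'s `vr_json` is described as stderr-safe) shown in a small added shell example; this is not repo code. `fake_cli_json` is a constructed stand-in for any CLI invoked with `-f json` that also writes a warning to stderr.

```shell
#!/bin/sh
# Constructed stand-in for a CLI run with `-f json`: JSON on stdout, a warning
# on stderr. Assumption: this mirrors the real tools' behaviour that makes
# `-f json ... 2>&1` hazardous (DOCFIX-085 class).
fake_cli_json() {
  echo 'WARNING: option is deprecated' >&2
  printf '{"status":"ok","count":3}\n'
}

# HAZARD: merging stderr into the captured stream corrupts the JSON document.
# Anything parsing the result (jq, python -m json.tool) will fail or misread it.
capture_merged() {
  fake_cli_json 2>&1
}

# SAFE: capture only stdout; route stderr to a scratch file, then replay it to
# the operator's stderr so the warning is still visible but never enters the
# JSON stream.
capture_split() {
  err=$(mktemp)
  out=$(fake_cli_json 2>"$err")
  if [ -s "$err" ]; then
    cat "$err" >&2
  fi
  rm -f "$err"
  printf '%s\n' "$out"
}

# Minimal shape check: a JSON object must begin with '{'. Stand-in for piping
# the capture into jq, so the example runs without extra tooling.
is_json_object() {
  case "$1" in
    '{'*) return 0 ;;
    *)    return 1 ;;
  esac
}
```

Usage: `capture_split | jq .` parses cleanly while `capture_merged | jq .` fails on the leading warning line; the same split pattern is what a sweep of `-f json ... 2>&1` call sites should replace them with.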

## Active window (jumphost stream) -- ops-update-20260705, IN FLIGHT

First execution of runbooks/ops-update-procedure.md (DOCFIX-086; addendum 13).
Logged session ops-update-20260705; checkpointed here at each milestone for
cross-stream sync. State as of the Section 2 entry checkpoint:

- **DONE Section 1 (pre-flight):** client 3.6.25 / controller 3.6.24 / all 91 agents
  uniformly 3.6.24 -> target 3.6.25. Worklist = 17 apps. Quiesce clean. Pre-change BOM
  asbuilt/20260705-102951 committed on a TRUE cloud-assert PASS (required the DOCFIX-087
  A7 false-negative fix, addendum 14 -- window was HELD on the operator's Option B
  ruling until it landed).
- **DONE Section 2.1:** controller state backup via `juju create-backup -m
  admin/controller` (902MB, checksummed, ~/openstack-baseline/, jumphost-only).
  NOTE: controller model is admin/controller, NOT <user>/controller.
- **NEXT:** Section 2.2 `juju upgrade-controller --agent-version 3.6.25` (gated),
  then model agents (S3), then 17 charm refreshes in groups (S4), post-verify (S5),
  re-baseline + close-out (S6).
- **Window findings logged for close-out (do not action mid-window):**
  1. magnum can-upgrade-to anomaly REPRODUCED (points at magnum-dashboard-122;
     evidence ~/openstack-baseline/magnum-can-upgrade-anomaly-20260705.json) AND
     Charmhub magnum 2024.1/stable latest release (r101, 2026-07-01) is s390x-ONLY --
     no valid amd64 target; magnum EXCLUDED; report upstream to OpenStack Charmers.
  2. vault NEWLY offers in-channel 372->714 on 1.8/stable -- NOT refreshed (D-068);
     logged only.
  3. `juju create-backup`/`download-backup` EXIST on juju 3.6 -- authoring assumption
     ("removed in 3.0, expected absent") is WRONG; correct ops-update-procedure 2.1
     and the D-071 risk section at window close (DOCFIX candidate).
  4. `juju status --format=line` omits workload messages on 3.6 (root cause of the A7
     false negative; fixed by DOCFIX-087).

## State facts to remember

- beta cluster left at **node_count=2** (deliberate; bonus resize acceptance coverage).
- repo is temporarily **PUBLIC** for Claude web_fetch (SEC-004) -- flip private at v1 close.
- Jumphost stream: see "Active window" section above (ops-update-20260705 in flight).
  Vault stays 1.8/stable (D-068 unruled).

## Project-completion (execute after D-011 passes)

- Consolidate 10 per-phase do-documents into `docs/v1-deploy-runbook.md`.
- Set repo visibility PRIVATE (SEC-004).
- v2-deferred: SSH on GitBucket (port 29418), IPv6 dual-stack, NetBox import bundle.
