# Session ledger -- in-flight work continuity record

**Purpose.** Long ops sessions on this cloud routinely exceed a single context window
and get COMPACTED (sometimes several times). Anything living only in the chat scrollback
is lost at compaction. This ledger is the durable, committed record of what is in flight,
so any session -- after a compaction, or a fresh one, or the parallel Claude Code stream --
can resume without losing pending work.

**How to use it (standing practice).**
1. At session start: read this ledger AND run `bash scripts/ledger-scan.sh`. Reconcile.
2. `ledger-scan.sh` is the DRIFT CHECK -- it derives, straight from the repo, the open work it
   can reliably detect (PROPOSED/OPEN decisions, OPEN security rows, next-free numbers).
   This narrative must not mark CLOSED anything the scan shows OPEN, nor omit anything it surfaces.
3. Update this ledger at every deliverable/commit -- it is a standing deliverable like the
   changelog. The changelog says what CHANGED; this ledger says what is still OPEN.
4. Numbers and the machine-derived section below are seeded from a scan; re-run the scan and
   re-seed rather than editing those by hand.

---

## Machine-derived (re-seed from `scripts/ledger-scan.sh`; do not hand-edit)

_As of repo HEAD 2026-07-04 (re-run the scan to refresh):_

- **PROPOSED / OPEN decisions:** D-050 (keystone policyd override, no policy zip),
  D-068 (Vault substrate hardening, Roosevelt), D-071 (routine update cadence +
  controller patch policy -- filed 2026-07-04 by the jumphost stream, operator to rule).
  _(D-063 is CLOSED as of 2026-07-03.)_
- **OPEN security rows:** SEC-001 (libvirt cred rotate), SEC-003 (Vault unseal custody /
  second-person rehearsal), SEC-004 (repo public -> private at v1 close).
- **Next-free numbers:** D = 072, DOCFIX = 087, BUNDLEFIX = 010.
  The 2026-07-03 D-071 contention is RESOLVED: the jumphost stream filed D-071 +
  DOCFIX-086 (ops-update-procedure) in changelog addendum 13 (2026-07-04); main
  stream numbering resumes at the values above. The wrapped-pointer scan artifact
  was fixed by the main stream (addendum 11) and independently confirmed at merge
  (addendum 13 FINDING 2); the scan and these numbers now agree.

---

## Active build (this session)

- **validate.sh D-011 runner -- modular.** Foundation committed: `scripts/lib-validate.sh`
  (exit contract 0/1/2/3/4, emit, vr_json stderr-safe, run, env hygiene, disruptive gate) +
  `scripts/validate.sh` orchestrator (profiles, verdict, --stop-on-fail, --include-disruptive).
  - Batch 1 committed: `checks/d011-01-charms`, `checks/d011-06-vault-unseal` (MANUAL until
    the SEC-003 rehearsal closes).
  - Batch 2 committed: `checks/d011-02-vip-jumphost` (catalog-derive public origins, TLS+HTTP),
    `checks/d011-03-vip-tenant` (ephemeral agnhost pod egress -> keystone VIP, D-035 proof).
    `post-restart` profile now fully populated.
  - Batch 3 DRAFTED (mock-tested only, NEEDS LIVE VALIDATION): `d011-04-octavia-lb`
    (RR+member additive; amphora failover --disruptive, N+1 headroom-guarded) +
    `d011-05-magnum-e2e` (wraps tenant-acceptance + timing). full-d011 profile now COMPLETE.
  - **Next:** live-validate batch 3 (see Verify-live queue), then the script-backlog items 3
    (remainder) and 5 through 8.
  - D-011 AMENDED bar: 1 charms; 2 VIP jumphost; 3 VIP tenant; 4 octavia RR/failover/recovery;
    5 magnum e2e + OCCM; 6 second-person manual unseal (attestation, D-069); 7 DROPPED
    (D-070 supersedes D-012 snapshots); 8 DROPPED (D-019, no Designate).

## Script backlog (changelog-tracked)

- DONE: tenant-offboard.sh, vault-kv-health.sh, cloud-assert.sh (item 3, largely), validate
  foundation + batch 1.
- **item 3 remainder:** fold `vault-kv-health.sh` into cloud-assert as a section; use the
  combined gate to regenerate the stale restart-procedure runbook.
- **item 5:** `scripts/tenant-cluster-create.sh` -- generalize the t2-02 stage6 + watch +
  D-066-evidence wrapper. Not started.
- **item 6:** `scripts/keystone-policy-drift.sh` -- D-051 base_* alignment (LIVE-READ PENDING).
  Not started.
- **item 7:** `scripts/cloud-snapshot.sh` -- juju-export baseline capture (D-070 retired KVM
  snapshots but KEPT the export/inventory baseline). Not started.
- **item 8:** `tests/tenant-acceptance/` harness -- pending (tenant-onboard harness landed).

## Register / operator-gated (see docs/handoff-20260703-open-items.md)

- **R-1 / SEC-003:** Vault unseal-key custodian assignment (OPEN). Gates V-2 and closes
  `d011-06-vault-unseal` (currently MANUAL). Operator input, recorded off-repo.
- **V-2:** second-person unseal rehearsal (blocked on R-1).
- **R-2 (D-043 caveat):** capi-mgmt-v2 auto-resume exclusion -- rule or accept.
- **R-3:** was D-063 -- now CLOSED. The handoff doc still lists R-3 OPEN; update it.
- **D-1:** Pattern-A full redeploy (VR0 DC0).

## Verify-live queue (batch 3 drafts -- confirm on real cloud before trusting)

- d011-04 amphora_headroom() field parsing (`server show` .flavor; `hypervisor list --long`
  vcpu/ram) -- safe default HOLDs on any parse miss, but confirm the OK path live.
- d011-04 OCCM LB-name-contains-service-name assumption; agnhost /hostname round-robin behavior.
- d011-05 needs a FOIL tenant (2nd tenant) for P3 isolation -- onboard one or set VR_FOIL_APPCRED
  (acme, the former foil, was offboarded).
- Sequence: run d011-04 non-disruptively first (RR+member), then --include-disruptive once
  headroom confirmed.

## Logged-not-actioned (small; would vanish at compaction)

- offboard v2 `--sweep-magnum-orphans` mode (orphan per-cluster trustee in the magnum domain).
- offboard stage-3 app-cred idempotency re-run guard.
- `host_href=None` barbican observation (exercised fine in stage 6; probably closeable).
- DOCFIX candidate: sweep repo for other `-f json ... 2>&1` stderr-merge hazards (DOCFIX-085 class).
- D-050 (keystone policyd override) and the D-063-adjacent `identity:list_trusts=""` hardening
  remain PROPOSED/OPEN, not actioned.
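The `-f json ... 2>&1` stderr-merge hazard noted above (and the stderr-safe `vr_json` requirement in the validate foundation), shown as an added example that is not the repo's own code: `fake_cli` is a constructed stand-in for an `openstack ... -f json` call, and JSON validation via `python3` is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added illustration of the "-f json ... 2>&1" stderr-merge hazard.
# Hypothetical vr_json-style helper; lib-validate.sh itself is not reproduced here.
set -u

# Constructed stand-in for a CLI that prints JSON on stdout and a warning on
# stderr, as "openstack ... -f json" commonly does on deprecated options.
fake_cli() {
  echo 'WARNING: option is deprecated' >&2
  echo '{"name": "beta", "node_count": 2}'
}

# Validate that a string is exactly one JSON document (python3 assumed present).
is_json() {
  printf '%s' "$1" | python3 -c 'import json,sys; json.load(sys.stdin)' 2>/dev/null
}

# Hazard: 2>&1 folds the warning into the data stream, so any JSON parser
# downstream sees "WARNING: ..." before the document and fails (or, worse,
# a lenient caller greps the merged text and reads a stale value).
json_merged() {
  fake_cli 2>&1
}

# Safe form: stderr never enters the data channel; it is kept in a side file
# for diagnostics, and stdout is rejected unless it parses as JSON.
json_safe() {
  local out err
  err=$(mktemp)
  if ! out=$(fake_cli 2>"$err"); then
    echo "command failed; stderr kept in $err" >&2
    return 2
  fi
  if ! is_json "$out"; then
    echo "stdout is not valid JSON; stderr kept in $err" >&2
    return 1
  fi
  rm -f "$err"
  printf '%s\n' "$out"
}
```

A repo sweep for the hazard class is a plain `grep -rn -- '-f json.*2>&1' scripts/`; each hit should move to the separate-capture form above.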

## State facts to remember

- beta cluster left at **node_count=2** (deliberate; bonus resize acceptance coverage).
- repo is temporarily **PUBLIC** for Claude web_fetch (SEC-004) -- flip private at v1 close.
- Parallel Claude Code stream on the jumphost: D-071 + DOCFIX-086 FILED (addendum 11,
  2026-07-04). Its next step is the LIVE EXECUTION of runbooks/ops-update-procedure.md
  (controller 3.6.24 -> 3.6.25 + ~20 in-channel charm refreshes), operator-gated, in a
  run-logged session. Vault stays 1.8/stable (D-068 unruled).

## Project-completion (execute after D-011 passes)

- Consolidate 10 per-phase do-documents into `docs/v1-deploy-runbook.md`.
- Set repo visibility PRIVATE (SEC-004).
- v2-deferred: SSH on GitBucket (port 29418), IPv6 dual-stack, NetBox import bundle.
