chore(release): Kensa v0.5.2 + prepare 0.2.0-rc.11 #608
Closed
remyluslosius wants to merge 1 commit into
Kensa v0.5.2 is a PATCH release with a frozen api/ surface, so OpenWatch's library integration is unchanged. Its notable fix corrects a config_value matching bug ('" "' delimiter now matches any whitespace incl. TAB), which removes a class of false FAILs on TAB-delimited rules (RHEL login.defs) — affected hosts may see their compliance score improve. The jsonl skipped-vs-error fix (kensa#104) is confirmed no-impact for the library path (issue #603).

- go.mod kensa v0.5.1 -> v0.5.2; KensaModuleVersion + kensa-executor spec pin updated to match (version-pin tests pass; corpus stays at 539 rules, the variable-catalog AC still sees exactly 3 placeholders).
- version.env -> 0.2.0-rc.11; README + operator guides + CHANGELOG cut a 0.2.0-rc.11 section.
remyluslosius added a commit that referenced this pull request on Jun 20, 2026:
… + auth fix) (#609)

* fix(auth): return 401 for anonymous callers on protected endpoints

An anonymous request (no credentials, or a session cookie that expired in the browser and is no longer sent) to a protected endpoint now returns 401 auth.required instead of 403. The SPA redirects to login on a 401, so an expired session surfaces as a clean re-login prompt rather than a dead-end 'failed to load'. An authenticated caller whose role lacks the permission still gets 403 authz.permission_denied; the audit event is unchanged for both.

* test+spec: update anonymous-denial contract to 401 across specs/tests

The 12 specs/tests that strictly asserted anonymous -> 403 now assert 401 auth.required (alerts, audit-events-query, fleet-observability, host-system-info, os-intelligence, system-rbac AC-09/AC-15, system/fleet connectivity, discovery/intelligence config). Authenticated-but-unauthorized -> 403 language preserved. Specs that already said '401/403' are unchanged.

* feat(remediation): conditional approval (A-keep) — free-core auto-approves

Implements the A-keep ADR: free-core single-rule remediation no longer requires a separate human approval, so a single operator can request and Fix a finding directly (removing the self-review deadlock). The approve/reject flow with separation of duties is retained for the licensed bulk/auto track.

- Request(...requiresApproval bool): false (free core) inserts an 'approved' row directly (reviewed_at set, reviewed_by NULL, auto-approved review_note) and emits remediation.requested + remediation.approved; true (licensed bulk/auto) inserts 'pending_approval' and goes through Approve/Reject.
- The single-rule request handler passes false.
- Tests: AC-01 covers auto-approve + the approval-required path; the HTTP AC-05/AC-06 approve and pending-execute paths seed a pending_approval request (the free-core POST auto-approves).

Frontend unchanged (the hook already renders approved -> Fix and keeps the pending_approval/approve UI for the licensed track). Note: the ADR + governance docs land in #604; their status flips to 'implemented' once both merge.

* fix(remediation): serialize concurrent fixes on a host instead of failing

Clicking Fix on several findings on the same host enqueued multiple jobs that ran concurrently; the second collided on the per-host SSH guard (ErrHostBusy) and the remediation worker marked it failed. Now the worker treats a busy host as transient: it backs off and requeues (queue.EnqueueAfter) until the host is free, so the fixes apply one at a time.

- queue: add a delayed-visibility column (migration 0039 available_at) + EnqueueAfter(delay); Dequeue skips not-yet-available rows so the requeue does not busy-loop the drain (job-queue AC-13).
- remediation: HostHasExecuting + RevertToApproved primitives (api-remediation AC-08); worker processExecute/processRollback pre-check the host and revert+requeue on an ErrHostBusy race instead of failing the request.

* feat(frontend): live remediation status via remediation.completed SSE

The Remediation tab required a manual refresh to see a fix finish. The worker already publishes remediation.completed on the event bus; useLiveEvents now subscribes to it and invalidates ['host', id, 'remediations'] + ['host', id], so the tab and the compliance score update automatically when a queued fix or rollback reaches its terminal state. frontend-live-events AC-09 + AC-01 (topic set grows to 6).

* chore(release): bump Kensa to v0.5.2 and prepare 0.2.0-rc.11

Kensa v0.5.2 is a PATCH release with a frozen api/ surface, so OpenWatch's library integration is unchanged. Its notable fix corrects a config_value matching bug ('" "' delimiter now matches any whitespace incl. TAB), which removes a class of false FAILs on TAB-delimited rules (RHEL login.defs) — affected hosts may see their compliance score improve. The jsonl skipped-vs-error fix (kensa#104) is confirmed no-impact for the library path (issue #603).

- go.mod kensa v0.5.1 -> v0.5.2; KensaModuleVersion + kensa-executor spec pin updated to match (version-pin tests pass; corpus stays at 539 rules, the variable-catalog AC still sees exactly 3 placeholders).
- version.env -> 0.2.0-rc.11; README + operator guides + CHANGELOG cut a 0.2.0-rc.11 section.

* docs(changelog): reconcile rc.11 section (bundle #604-#608)
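The 401-vs-403 contract from the fix(auth) commit above, as an added Go example that is not OpenWatch's or Kensa's own code: the Principal type, the resolve/audit hooks and the permission names used in it are assumptions standing in for the project's session and audit plumbing.

```go
package main

import "net/http"

// Principal is the resolved caller; nil means anonymous (no credentials, or
// an expired session cookie that the browser no longer sends).
type Principal struct {
	Subject     string
	Permissions map[string]bool
}

// Authorize is the decision the fix changes: an anonymous caller gets
// 401 auth.required (so the SPA redirects to login); an authenticated caller
// whose role lacks the permission keeps 403 authz.permission_denied.
// A zero status means the request is allowed.
func Authorize(p *Principal, perm string) (status int, code string) {
	if p == nil {
		return http.StatusUnauthorized, "auth.required"
	}
	if !p.Permissions[perm] {
		return http.StatusForbidden, "authz.permission_denied"
	}
	return 0, ""
}

// RequirePermission guards a protected endpoint. resolve returns the caller
// (nil when anonymous) and audit receives one event per denial; both are
// hypothetical hooks. The same audit event is emitted for either denial kind,
// so moving anonymous callers to 401 does not change the audit trail.
func RequirePermission(perm string, resolve func(*http.Request) *Principal,
	audit func(subject, perm, code string), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := resolve(r)
		status, code := Authorize(p, perm)
		if status == 0 {
			next.ServeHTTP(w, r)
			return
		}
		subject := "anonymous"
		if p != nil {
			subject = p.Subject
		}
		audit(subject, perm, code)
		http.Error(w, code, status)
	})
}
```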
Contributor / Author (remyluslosius):
Folded into #609 (release: bundle 0.2.0-rc.11) and merged there to avoid the CHANGELOG rebase cascade. Content is on main.
Bump Kensa to v0.5.2 + prepare 0.2.0-rc.11

Kensa v0.5.2 review (done before upgrading)

- PATCH release; frozen api/ surface untouched, so OpenWatch's library integration (pkg/kensa.Default, ScanResult.Outcomes, mapStatus) needs no code changes.
- config_value " " delimiter now matches any whitespace (incl. TAB), fixing a class of false FAILs on TAB-delimited rules (RHEL login.defs). → affected hosts may see their compliance score improve. Called out in the changelog.
- skipped-not-error fix (kensa#104) — confirmed no-impact for OpenWatch (library path consumes Outcomes), matching the reply on issue "Heads-up: Kensa --format jsonl scan wire shape changing — skipped no longer counted as error" #603.

Changes

- go.mod: kensa v0.5.1 → v0.5.2 (+ go mod tidy). KensaModuleVersion and the system-kensa-executor spec pin updated to match — version-pin tests pass; corpus stays at 539 rules and the variable-catalog AC still sees exactly 3 placeholders.
- packaging/version.env → 0.2.0-rc.11; README + 5 operator guides updated; CHANGELOG cut a [0.2.0-rc.11] section (Kensa bump + the GA-readiness CI/release hardening that was already on main).

Verified locally

Full internal/kensa package green on v0.5.2; version-pin + variable-catalog + version-consistency tests pass; Specter 110 specs valid; gofmt clean; build OK; no stray rc.10 refs.
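The config_value delimiter fix described in the PR description and in the commit message above, as an added Go example that is not Kensa's or OpenWatch's code: a hypothetical re-creation of literal-delimiter matching beside the corrected any-whitespace matching, run over a constructed login.defs fragment. The splitKV/checkConfigValue names, the literal flag and the PASS/FAIL strings are assumptions, not Kensa's API.

```go
package main

import (
	"strings"
	"unicode"
)

// Constructed login.defs fragment (not from a real host): PASS_MAX_DAYS is
// TAB-delimited, as RHEL ships it, while the other keys use spaces.
const sampleLoginDefs = "# constructed sample\n" +
	"PASS_MAX_DAYS\t90\n" +
	"PASS_MIN_DAYS   7\n" +
	"PASS_MIN_LEN 12\n"

// splitKV splits a config line at the rule's delimiter. literal=true is a
// hypothetical re-creation of the pre-v0.5.2 behaviour, where " " only matched
// a real space; literal=false is the fix: " " means any run of whitespace.
func splitKV(line, delim string, literal bool) (key, value string, ok bool) {
	if delim == " " && !literal {
		f := strings.FieldsFunc(line, unicode.IsSpace)
		if len(f) < 2 {
			return "", "", false
		}
		return f[0], strings.Join(f[1:], " "), true
	}
	i := strings.Index(line, delim) // every other delimiter stays literal
	if i < 0 {
		return "", "", false
	}
	return strings.TrimSpace(line[:i]), strings.TrimSpace(line[i+len(delim):]), true
}

// checkConfigValue evaluates a config_value rule: PASS when the key's value
// equals want, FAIL when it differs or the key is never matched (the false FAIL).
func checkConfigValue(body, key, delim, want string, literal bool) string {
	for _, raw := range strings.Split(body, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := splitKV(line, delim, literal); ok && k == key {
			if v == want {
				return "PASS"
			}
			return "FAIL"
		}
	}
	return "FAIL"
}
```

With literal matching the TAB-delimited PASS_MAX_DAYS line is never matched and the rule reports FAIL although the host is compliant; the whitespace-aware splitter reports PASS on the same input.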