release: bundle 0.2.0-rc.11 (Kensa v0.5.2 + remediation governance/UX + auth fix)#609
Merged
An anonymous request (no credentials, or a session cookie that expired in the browser and is no longer sent) to a protected endpoint now returns 401 auth.required instead of 403. The SPA redirects to login on a 401, so an expired session surfaces as a clean re-login prompt rather than a dead-end 'failed to load'. An authenticated caller whose role lacks the permission still gets 403 authz.permission_denied; the audit event is unchanged for both.
The 12 specs/tests that strictly asserted anonymous -> 403 now assert 401 auth.required (alerts, audit-events-query, fleet-observability, host-system-info, os-intelligence, system-rbac AC-09/AC-15, system/fleet connectivity, discovery/intelligence config). Authenticated-but-unauthorized -> 403 language preserved. Specs that already said '401/403' are unchanged.
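The 401-vs-403 split described above, as an added Go example that is not OpenWatch's own middleware: the caller is resolved first, and only an authenticated caller is checked against the permission. Principal, Authenticator, CookieAuth, the session-cookie name and the hosts:read permission are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"net/http"
)

// Principal is the resolved caller; Permissions stands in for the role's permission set.
type Principal struct {
	Subject     string
	Permissions map[string]bool
}
// Authenticator is an assumed hook: nil means anonymous (no credentials, or an expired session cookie no longer sent).
type Authenticator func(r *http.Request) *Principal

// Authorize returns (HTTP status, error code), separating the two denials the SPA
// must tell apart: anonymous -> 401 auth.required (client redirects to login);
// authenticated but lacking perm -> 403 authz.permission_denied. Code is "" on grant.
func Authorize(p *Principal, perm string) (int, string) {
	if p == nil {
		return http.StatusUnauthorized, "auth.required"
	}
	if !p.Permissions[perm] {
		return http.StatusForbidden, "authz.permission_denied"
	}
	return http.StatusOK, ""
}
// RequirePermission wraps next with Authorize and emits {"code": ...} on denial.
func RequirePermission(auth Authenticator, perm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		status, code := Authorize(auth(r), perm)
		if code != "" {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(status)
			json.NewEncoder(w).Encode(map[string]string{"code": code})
			return
		}
		next.ServeHTTP(w, r)
	})
}
// CookieAuth builds an Authenticator over a constructed session table (cookie value -> principal);
// a missing, expired or unknown session cookie resolves to anonymous (nil).
func CookieAuth(sessions map[string]*Principal) Authenticator {
	return func(r *http.Request) *Principal {
		if c, err := r.Cookie("session"); err == nil {
			return sessions[c.Value]
		}
		return nil
	}
}
```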
…roves Implements the A-keep ADR: free-core single-rule remediation no longer requires a separate human approval, so a single operator can request and Fix a finding directly (removing the self-review deadlock). The approve/reject flow with separation of duties is retained for the licensed bulk/auto track. - Request(...requiresApproval bool): false (free core) inserts an 'approved' row directly (reviewed_at set, reviewed_by NULL, auto-approved review_note) and emits remediation.requested + remediation.approved; true (licensed bulk/auto) inserts 'pending_approval' and goes through Approve/Reject. - The single-rule request handler passes false. - Tests: AC-01 covers auto-approve + the approval-required path; the HTTP AC-05/AC-06 approve and pending-execute paths seed a pending_approval request (the free-core POST auto-approves). Frontend unchanged (the hook already renders approved -> Fix and keeps the pending_approval/approve UI for the licensed track). Note: the ADR + governance docs land in #604; their status flips to 'implemented' once both merge.
…ling Clicking Fix on several findings on the same host enqueued multiple jobs that ran concurrently; the second collided on the per-host SSH guard (ErrHostBusy) and the remediation worker marked it failed. Now the worker treats a busy host as transient: it backs off and requeues (queue.EnqueueAfter) until the host is free, so the fixes apply one at a time. - queue: add a delayed-visibility column (migration 0039 available_at) + EnqueueAfter(delay); Dequeue skips not-yet-available rows so the requeue does not busy-loop the drain (job-queue AC-13). - remediation: HostHasExecuting + RevertToApproved primitives (api-remediation AC-08); worker processExecute/processRollback pre-check the host and revert + requeue on an ErrHostBusy race instead of failing the request.
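The delayed-visibility queue and busy-host backoff described above, as an added in-memory Go model that is not the project's queue or worker: Queue, Job, Step and its string results are assumptions for the example, the available_at column becomes a field checked by Dequeue, and the HostHasExecuting pre-check and rollback path are folded into an execute callback that returns ErrHostBusy.

```go
package main
import (
	"errors"
	"time"
)

// ErrHostBusy mirrors the per-host SSH guard: one executing job per host at a time.
var ErrHostBusy = errors.New("host busy")
// Job is a queued remediation; AvailableAt models the delayed-visibility column (available_at).
type Job struct {
	ID, Host    string
	AvailableAt time.Time
}
// Queue is a constructed in-memory stand-in for the DB-backed job queue.
type Queue struct {
	Now  func() time.Time // injectable clock so the delay is testable
	rows []Job
}
// EnqueueAfter inserts a job that Dequeue will not hand out before delay has elapsed.
func (q *Queue) EnqueueAfter(j Job, delay time.Duration) {
	j.AvailableAt = q.Now().Add(delay)
	q.rows = append(q.rows, j)
}
// Dequeue removes and returns the first visible job; future-dated rows are skipped, so a requeued job cannot make the drain loop spin on itself.
func (q *Queue) Dequeue() (Job, bool) {
	now := q.Now()
	for i, j := range q.rows {
		if !j.AvailableAt.After(now) {
			q.rows = append(q.rows[:i], q.rows[i+1:]...)
			return j, true
		}
	}
	return Job{}, false
}
// Step runs one job. A busy host is transient: on ErrHostBusy the job is requeued after backoff instead of being failed. Returns "idle", "requeued", "failed" or "done".
func Step(q *Queue, backoff time.Duration, execute func(Job) error) string {
	j, ok := q.Dequeue()
	if !ok {
		return "idle"
	}
	switch err := execute(j); {
	case errors.Is(err, ErrHostBusy):
		q.EnqueueAfter(j, backoff) // revert to approved and retry once the host is free
		return "requeued"
	case err != nil:
		return "failed"
	}
	return "done"
}
```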
The Remediation tab required a manual refresh to see a fix finish. The worker already publishes remediation.completed on the event bus; useLiveEvents now subscribes to it and invalidates ['host', id, 'remediations'] + ['host', id], so the tab and the compliance score update automatically when a queued fix or rollback reaches its terminal state. frontend-live-events AC-09 + AC-01 (topic set grows to 6).
Kensa v0.5.2 is a PATCH release with a frozen api/ surface, so OpenWatch's library integration is unchanged. Its notable fix corrects a config_value matching bug ('" "' delimiter now matches any whitespace incl. TAB), which removes a class of false FAILs on TAB-delimited rules (RHEL login.defs) — affected hosts may see their compliance score improve. The jsonl skipped-vs-error fix (kensa#104) is confirmed no-impact for the library path (issue #603).
- go.mod kensa v0.5.1 -> v0.5.2; KensaModuleVersion + kensa-executor spec pin updated to match (version-pin tests pass; corpus stays at 539 rules, the variable-catalog AC still sees exactly 3 placeholders).
- version.env -> 0.2.0-rc.11; README + operator guides + CHANGELOG cut a 0.2.0-rc.11 section.
This was referenced Jun 20, 2026
Bundles the remaining rc.11 PRs into one branch to avoid the CHANGELOG rebase
cascade under branch protection's require-up-to-date rule (#604 already merged).
Carries:
All four code-merged with --no-ff; the CHANGELOG was reconciled into a single [0.2.0-rc.11] section (Added/Changed/Fixed) and version.env is 0.2.0-rc.11.
Verified live on a dev instance built from this exact tree (kensa v0.5.2 + conditional approval + serialize/live status): login.defs now passes after a re-scan, free-core fix auto-approves, and concurrent fixes queue instead of failing.
Once green, this merges and v0.2.0-rc.11 gets tagged (release workflow signs + publishes; GPG keys are configured).