docs(readme): correct to Go reality + current screenshot; trim redundancy#669
Merged
Conversation
…ancy
The README is the Go rebuild's landing page; this pass makes its claims
truthful against the binary/openapi/code and refreshes the hero image.
- Hero image: replace the stale dashboard preview with the current Host
Management screenshot (10 hosts, per-host compliance vs 539 Kensa rules).
- Fixed verified inaccuracies:
- RBAC: "6 roles (Superadmin/Analyst/Compliance Officer/Guest...)" -> the real
5 built-in roles (viewer, auditor, ops_lead, security_admin, admin) + 67
permissions.
- FIPS: "140-2, enable via OPENWATCH_FIPS_MODE=true" -> 140-3 build via
`make build-fips` (build-time, Go-native; there is no such env var).
- Rate limiting: "100/min per user, 1000/min per IP" -> the real per-IP
sliding window on the auth endpoints (login + MFA verify), 20/min -> 429.
- Adaptive scan cadence: "healthy every 15 min / degraded 5 / critical 2" ->
the real bands (4h critical to 48h compliant, operator-tunable).
- API example `ssh_port` -> `port` (matches HostCreateRequest).
- Monitoring: dropped the "exposes Prometheus metrics" claim (the /metrics
endpoint is roadmap, not shipped); kept the real health endpoint.
- Version 0.2.0-rc.11 -> rc.13; architecture targets add Ubuntu.
- Conciseness: removed the install block duplicated between "Deploy in 10
minutes" and "Production Deployment".
No Python content presented as current; all local links/images resolve.
remyluslosius
added a commit
that referenced
this pull request
Jun 23, 2026
* chore(deps): bump Kensa to v0.6.0 (atomicity engine; 538 rules) Updates the bundled Kensa scan engine + rule corpus from v0.5.2 to v0.6.0, keeping the three version pins in sync (go.mod, internal/kensa.KensaModuleVersion, specs/system/kensa-executor.spec.yaml — TestKensaModuleVersion/TestSpec_VersionPin enforce agreement). What's in v0.6.0: - The remediation "atomicity engine": crash-recovery intent journal + `kensa recover`, mandatory post-apply VALIDATE re-check, post-state recapture into the signed evidence envelope, a footprint pre-commit gate, and agent-mode kernel-IO handlers. Kensa's CHANGELOG marks the consumed `api/` surface as additive (crash-recovery types) with no breaking change; the OpenWatch build and scan-path tests confirm it. - Rule corpus: 539 -> 538. One STIG rule was removed (system/pkg-gdm-absent.yml). No rules added. - Pulls 3 new indirect deps (elastic/go-libaudit, elastic/go-licenser, kballard/go-shellquote) from the agent-mode kernel-IO features. Verified: go build ./... clean, go vet clean, internal/kensa + the server scan-config/variable-catalog/lens tests pass, specter check 113/113 at 100% coverage. Note: docs/README/guides reference "539" rules; those need a 539->538 follow-up (left out here to avoid colliding with the pending README PR #669). * docs(kensa): update rule count 539 -> 538 for v0.6.0 Kensa v0.6.0 removed one rule, so the bundled corpus is now 538 (verified by a live end-to-end scan against a RHEL host: status=completed, total_rules=538, 0 errors). Update the factual rule-count claims in the README and the scanning/controls guides to match. Version-pinned historical statements are intentionally left unchanged (LINUX_DISTRIBUTION_SUPPORT verified against v0.4.3=539; engineering plan past measurements), as are the explicitly-approximate "~539" architectural bounds in the lens handler/openapi (the tilde already disclaims precision and the bounded-no-pagination claim is unaffected).
remyluslosius
added a commit
that referenced
this pull request
Jun 23, 2026
Bump version.env to 0.2.0-rc.14 and cut the CHANGELOG [Unreleased] accumulator into a dated [0.2.0-rc.14] section covering everything landed since rc.13: - Kensa engine v0.6.0 / 538-rule corpus (#670) - known-hosts concurrent first-use fail-closed (#668, Security) - liveness privilege probe via internal/ssh (#664) - settings fixes: group-maintenance stub removed (#665), Users 'Invite member' -> 'Add member' (#666) - operator-guide accuracy pass (#667), README Go-accuracy + screenshot (#669) Also corrects the stale rule-count inside the #667 entry (539 -> 538) now that v0.6.0 is the bundled engine. Local: changelog + version-consistency + fips + package-build tests pass.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The README is the Go rebuild's landing page. This pass makes its claims truthful against the binary /
api/openapi.yaml/ code, refreshes the hero image to the current product, and trims one redundancy — net −7 lines, +1 image.Hero image
Replaced the stale dashboard preview with the current Host Management screenshot (10 hosts online, per-host compliance against 539 Kensa rules — RHEL + Ubuntu).
Verified inaccuracies fixed
internal/auth/roles.gen.goOPENWATCH_FIPS_MODE=true"make build-fips(no such env var exists)Makefile,SECURITY_HARDENING.mdinternal/server/ratelimit.goSCANNING_AND_COMPLIANCE.md"ssh_port":22"port":22HostCreateRequest/metricslabeled roadmapPRODUCTION_DEPLOYMENT.md0.2.0-rc.11rc.13packaging/version.envOther