Skip to content

docs(readme): correct to Go reality + current screenshot; trim redundancy#669

Merged
remyluslosius merged 3 commits into
mainfrom
docs/readme-go-accuracy
Jun 23, 2026
Merged

docs(readme): correct to Go reality + current screenshot; trim redundancy#669
remyluslosius merged 3 commits into
mainfrom
docs/readme-go-accuracy

Conversation

@remyluslosius

Copy link
Copy Markdown
Contributor

The README is the Go rebuild's landing page. This pass makes its claims truthful against the binary / api/openapi.yaml / code, refreshes the hero image to the current product, and trims one redundancy — net −7 lines, +1 image.

Hero image

Replaced the stale dashboard preview with the current Host Management screenshot (10 hosts online, per-host compliance against 539 Kensa rules — RHEL + Ubuntu).

Verified inaccuracies fixed

Claim (was) Now Source
RBAC "6 roles — Superadmin, Analyst, Compliance Officer, Guest…" 5 built-in roles (viewer, auditor, ops_lead, security_admin, admin) + 67 permissions internal/auth/roles.gen.go
FIPS "140-2, enable via OPENWATCH_FIPS_MODE=true" 140-3 build via make build-fips (no such env var exists) Makefile, SECURITY_HARDENING.md
Rate limit "100/min per user, 1000/min per IP" per-IP sliding window on auth endpoints (login + MFA verify), 20/min → 429 internal/server/ratelimit.go
Adaptive cadence "healthy 15 min / degraded 5 / critical 2" real bands: 4h critical → 48h compliant, operator-tunable SCANNING_AND_COMPLIANCE.md
API example "ssh_port":22 "port":22 HostCreateRequest
"exposes Prometheus metrics" health endpoint only; /metrics labeled roadmap PRODUCTION_DEPLOYMENT.md
version 0.2.0-rc.11 rc.13 packaging/version.env

Other

  • Architecture targets now include Ubuntu.
  • Removed the install block duplicated between "Deploy in 10 minutes" and "Production Deployment".
  • No Python content presented as current; all local links/images resolve.

…ancy

The README is the Go rebuild's landing page; this pass makes its claims
truthful against the binary/openapi/code and refreshes the hero image.

- Hero image: replace the stale dashboard preview with the current Host
  Management screenshot (10 hosts, per-host compliance vs 539 Kensa rules).
- Fixed verified inaccuracies:
  - RBAC: "6 roles (Superadmin/Analyst/Compliance Officer/Guest...)" -> the real
    5 built-in roles (viewer, auditor, ops_lead, security_admin, admin) + 67
    permissions.
  - FIPS: "140-2, enable via OPENWATCH_FIPS_MODE=true" -> 140-3 build via
    `make build-fips` (build-time, Go-native; there is no such env var).
  - Rate limiting: "100/min per user, 1000/min per IP" -> the real per-IP
    sliding window on the auth endpoints (login + MFA verify), 20/min -> 429.
  - Adaptive scan cadence: "healthy every 15 min / degraded 5 / critical 2" ->
    the real bands (4h critical to 48h compliant, operator-tunable).
  - API example `ssh_port` -> `port` (matches HostCreateRequest).
  - Monitoring: dropped the "exposes Prometheus metrics" claim (the /metrics
    endpoint is roadmap, not shipped); kept the real health endpoint.
  - Version 0.2.0-rc.11 -> rc.13; architecture targets add Ubuntu.
- Conciseness: removed the install block duplicated between "Deploy in 10
  minutes" and "Production Deployment".

No Python content presented as current; all local links/images resolve.
@github-actions github-actions Bot added documentation Improvements or additions to documentation size/M labels Jun 23, 2026
remyluslosius added a commit that referenced this pull request Jun 23, 2026
* chore(deps): bump Kensa to v0.6.0 (atomicity engine; 538 rules)

Updates the bundled Kensa scan engine + rule corpus from v0.5.2 to v0.6.0,
keeping the three version pins in sync (go.mod, internal/kensa.KensaModuleVersion,
specs/system/kensa-executor.spec.yaml — TestKensaModuleVersion/TestSpec_VersionPin
enforce agreement).

What's in v0.6.0:
- The remediation "atomicity engine": crash-recovery intent journal + `kensa
  recover`, mandatory post-apply VALIDATE re-check, post-state recapture into
  the signed evidence envelope, a footprint pre-commit gate, and agent-mode
  kernel-IO handlers. Kensa's CHANGELOG marks the consumed `api/` surface as
  additive (crash-recovery types) with no breaking change; the OpenWatch build
  and scan-path tests confirm it.
- Rule corpus: 539 -> 538. One STIG rule was removed
  (system/pkg-gdm-absent.yml). No rules added.
- Pulls 3 new indirect deps (elastic/go-libaudit, elastic/go-licenser,
  kballard/go-shellquote) from the agent-mode kernel-IO features.

Verified: go build ./... clean, go vet clean, internal/kensa + the server
scan-config/variable-catalog/lens tests pass, specter check 113/113 at 100%
coverage.

Note: docs/README/guides reference "539" rules; those need a 539->538 follow-up
(left out here to avoid colliding with the pending README PR #669).

* docs(kensa): update rule count 539 -> 538 for v0.6.0

Kensa v0.6.0 removed one rule, so the bundled corpus is now 538 (verified
by a live end-to-end scan against a RHEL host: status=completed,
total_rules=538, 0 errors). Update the factual rule-count claims in the
README and the scanning/controls guides to match.

Version-pinned historical statements are intentionally left unchanged
(LINUX_DISTRIBUTION_SUPPORT verified against v0.4.3=539; engineering
plan past measurements), as are the explicitly-approximate "~539"
architectural bounds in the lens handler/openapi (the tilde already
disclaims precision and the bounded-no-pagination claim is unaffected).
@remyluslosius
remyluslosius merged commit 783523c into main Jun 23, 2026
13 checks passed
@remyluslosius
remyluslosius deleted the docs/readme-go-accuracy branch June 23, 2026 04:46
remyluslosius added a commit that referenced this pull request Jun 23, 2026
Bump version.env to 0.2.0-rc.14 and cut the CHANGELOG [Unreleased]
accumulator into a dated [0.2.0-rc.14] section covering everything landed
since rc.13:
- Kensa engine v0.6.0 / 538-rule corpus (#670)
- known-hosts concurrent first-use fail-closed (#668, Security)
- liveness privilege probe via internal/ssh (#664)
- settings fixes: group-maintenance stub removed (#665), Users
  'Invite member' -> 'Add member' (#666)
- operator-guide accuracy pass (#667), README Go-accuracy + screenshot (#669)

Also corrects the stale rule-count inside the #667 entry (539 -> 538) now
that v0.6.0 is the bundled engine. Local: changelog + version-consistency +
fips + package-build tests pass.
remyluslosius added a commit that referenced this pull request Jun 24, 2026
Prepend the 2026-06-23 SESSION_LOG entry (Kensa v0.6.0, the six landed
fix PRs #664-#669, the rc.14 cut+publish #671, dev-server rebuild + live
re-verification) and bump BACKLOG Last Updated to 2026-06-23 with a new
DOC-2 (P3) row for the deferred ~539->~538 approximate-bound cleanup.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation size/M

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant