Skip to content

tracker: 2026.07 release #320

Description

@PaulDotterer

Aggregator for the 2026.07 release. Two themes:

  1. 2026.06 Phase 2 + Phase 3 carry-over — TerminalAdmin + scoped RBAC paired (the roadmap's "must-ship paired" group that got displaced when Phase 0 grew with the projector/storage-abstraction work), plus the polish items that slipped (doctor cmd, SECURITY.md, ADRs).
  2. Deploy-stack consolidation — drop the redis-stack dependency, fully switch to valkey + valkey-search 1.2+.

Confirmed line items

Issue What
#319 feat(deploy): migrate from redis-stack to valkey + valkey-search 1.2+
#70 feat: TerminalAdmin Limited / Full (carries forward from 2026.06 Phase 2)
#321 docs(adr): TerminalAdmin threat model + mitigation matrix — hard blocker for #70
#7 feat: scoped device-group RBAC (paired with #70 — ship together or not at all)
#322 feat(control): power-manage-control doctor subcommand
#323 docs: SECURITY.md at workspace root
#324 docs(adr): ADR series 0001–0005

Pairing constraint

#70 and #7 are intentionally paired per the original 2026.06 roadmap. TerminalAdmin expands the operator-privilege surface; scoped RBAC is the blast-radius limiter that decides which devices a given operator can reach. Shipping either in isolation creates the wrong incentives ("TerminalAdmin for everyone" or "scoped roles with nothing interesting to scope"). Treat them as one feature.

Group variables (#59) — postponed indefinitely

Postmortem on the 2026.06 first attempt is on the issue itself. Net: implementing variables without a prior secret-taint infrastructure pass is unsafe (rendered secrets can flow into event store, projections, Asynq payloads, audit, search index, logs, debug dumps — every sink needs explicit redaction). Reopening for active development requires that infrastructure, a separate threat-model doc, and an ADR on the rendering boundary. Not on the 2026.07 milestone.

Carry-forward from 2026.06 rc1/rc2 testing (filed individually as they get picked up)

  • install.sh/setup.sh shouldn't default IMAGE_TAG=latest when the operator passed RELEASE_TAG=latest-rc to install.sh — the inner setup prompt should default to whatever the outer install resolved. Caught testing 2026.06-rc2 when an operator typed RELEASE_TAG=latest-rc ./install.sh and ended up with v2026.05 images.
  • Agent SyncActions log message ("synced actions" → standalone_total=0) reads as "nothing received" when the agent did receive an action set but treats it as a group rather than a flat action. Rename to synced_total = standalone + sum(group.actions).
  • v2026.05 agent + v2026.06 server is a silent protocol-version gap (the agent doesn't parse action_sets in the SyncActions response). Worth a server-side gate that refuses or warns on old-agent SyncActions calls.
  • unattended-upgrade exec.LookPath lookup in agent/internal/executor/action_update.go:599 — works under the operator's interactive $PATH but fragile under hardened systemd. Use absolute path or list of known locations.
  • Compliance precondition idea: assignments with securityOnly=true for apt-based actions should require unattended-upgrades installed on the target. Today the runtime guard fails-loud (correct) but a policy-time check would tell the operator before they hit it.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions