Aggregator for the 2026.07 release. Two themes:
- 2026.06 Phase 2 + Phase 3 carry-over — TerminalAdmin + scoped RBAC paired (the roadmap's "must-ship paired" group that got displaced when Phase 0 grew with the projector/storage-abstraction work), plus the polish items that slipped (doctor cmd, SECURITY.md, ADRs).
- Deploy-stack consolidation — drop the redis-stack dependency, fully switch to valkey + valkey-search 1.2+.
Confirmed line items
| Issue |
What |
| #319 |
feat(deploy): migrate from redis-stack to valkey + valkey-search 1.2+ |
| #70 |
feat: TerminalAdmin Limited / Full (carries forward from 2026.06 Phase 2) |
| #321 |
docs(adr): TerminalAdmin threat model + mitigation matrix — hard blocker for #70 |
| #7 |
feat: scoped device-group RBAC (paired with #70 — ship together or not at all) |
| #322 |
feat(control): power-manage-control doctor subcommand |
| #323 |
docs: SECURITY.md at workspace root |
| #324 |
docs(adr): ADR series 0001–0005 |
Pairing constraint
#70 and #7 are intentionally paired per the original 2026.06 roadmap. TerminalAdmin expands the operator-privilege surface; scoped RBAC is the blast-radius limiter that decides which devices a given operator can reach. Shipping either in isolation creates the wrong incentives ("TerminalAdmin for everyone" or "scoped roles with nothing interesting to scope"). Treat them as one feature.
Group variables (#59) — postponed indefinitely
Postmortem on the 2026.06 first attempt is on the issue itself. Net: implementing variables without a prior secret-taint infrastructure pass is unsafe (rendered secrets can flow into event store, projections, Asynq payloads, audit, search index, logs, debug dumps — every sink needs explicit redaction). Reopening for active development requires that infrastructure, a separate threat-model doc, and an ADR on the rendering boundary. Not on the 2026.07 milestone.
Carry-forward from 2026.06 rc1/rc2 testing (filed individually as they get picked up)
install.sh/setup.sh shouldn't default IMAGE_TAG=latest when the operator passed RELEASE_TAG=latest-rc to install.sh — the inner setup prompt should default to whatever the outer install resolved. Caught testing 2026.06-rc2 when an operator typed RELEASE_TAG=latest-rc ./install.sh and ended up with v2026.05 images.
- Agent SyncActions log message ("synced actions" →
standalone_total=0) reads as "nothing received" when the agent did receive an action set but treats it as a group rather than a flat action. Rename to synced_total = standalone + sum(group.actions).
- v2026.05 agent + v2026.06 server is a silent protocol-version gap (the agent doesn't parse
action_sets in the SyncActions response). Worth a server-side gate that refuses or warns on old-agent SyncActions calls.
unattended-upgrade exec.LookPath lookup in agent/internal/executor/action_update.go:599 — works under the operator's interactive $PATH but fragile under hardened systemd. Use absolute path or list of known locations.
- Compliance precondition idea: assignments with
securityOnly=true for apt-based actions should require unattended-upgrades installed on the target. Today the runtime guard fails-loud (correct) but a policy-time check would tell the operator before they hit it.
Aggregator for the 2026.07 release. Two themes:
Confirmed line items
Pairing constraint
#70 and #7 are intentionally paired per the original 2026.06 roadmap. TerminalAdmin expands the operator-privilege surface; scoped RBAC is the blast-radius limiter that decides which devices a given operator can reach. Shipping either in isolation creates the wrong incentives ("TerminalAdmin for everyone" or "scoped roles with nothing interesting to scope"). Treat them as one feature.
Group variables (#59) — postponed indefinitely
Postmortem on the 2026.06 first attempt is on the issue itself. Net: implementing variables without a prior secret-taint infrastructure pass is unsafe (rendered secrets can flow into event store, projections, Asynq payloads, audit, search index, logs, debug dumps — every sink needs explicit redaction). Reopening for active development requires that infrastructure, a separate threat-model doc, and an ADR on the rendering boundary. Not on the 2026.07 milestone.
Carry-forward from 2026.06 rc1/rc2 testing (filed individually as they get picked up)
install.sh/setup.shshouldn't defaultIMAGE_TAG=latestwhen the operator passedRELEASE_TAG=latest-rctoinstall.sh— the inner setup prompt should default to whatever the outer install resolved. Caught testing 2026.06-rc2 when an operator typedRELEASE_TAG=latest-rc ./install.shand ended up with v2026.05 images.standalone_total=0) reads as "nothing received" when the agent did receive an action set but treats it as a group rather than a flat action. Rename tosynced_total = standalone + sum(group.actions).action_setsin the SyncActions response). Worth a server-side gate that refuses or warns on old-agent SyncActions calls.unattended-upgradeexec.LookPathlookup inagent/internal/executor/action_update.go:599— works under the operator's interactive$PATHbut fragile under hardened systemd. Use absolute path or list of known locations.securityOnly=truefor apt-based actions should requireunattended-upgradesinstalled on the target. Today the runtime guard fails-loud (correct) but a policy-time check would tell the operator before they hit it.