Skip to content

2026.08 tracker — stability, auditability & compliance #503

Description

@PaulDotterer

Theme

2026.08 is a stability, auditability & compliance release — no new feature surface. New device-config action types + compliance-on-inventory are deferred to 2026.09 (server#492). This release hardens the product and builds the audit/retention/GDPR controls we'll need for a hosted (SaaS) offering anyway — building them into the OSS product means our own SaaS deployment is just another operator, with nothing bespoke to maintain. Rationale recorded 2026-07-03; also gives the just-merged event-sourcing-integrity rewrite (#498) a production bake cycle before more core churn.

Already merged (this window)

Auditability & compliance (the headline)

Audit-log UX + richer data — server#501

Audit-log retention — server#502 (SPEC-FIRST)

Large, reopens the rebuild core (#498) — design before code.

  • Rolling snapshot + prune: replay to a sequence_num checkpoint, persist projection state as the new "start," archive+prune events ≤ checkpoint. RebuildAll changes from truncate+replay-all to load-snapshot+replay-tail. Snapshot must be a single global sequence_num cut (cross-projection consistency).
  • Tamper-evidence preserved: pruning collides with the append-only trigger (migration 011, a security control). The prune must itself emit an EventLogPruned{up_to_seq, archive_sha256, snapshot_id} event (prune lands IN the tamper-evident chain), and the archived cold-storage export must be integrity-sealed (hash-chained/signed).
  • Tiered retention (industry norm — nobody deletes audit logs; compliance wants 1–7yr): hot (queryable) → cold/archive (compressed SQL on cheap storage). Configurable per tier.
  • Crypto-shred erasure: for PII in domain events (can't DELETE from append-only, can't lose replay), destroy the actor→person linkage by crypto-erasing under the enc:v2/KEK model — event row survives for replay, PII becomes unreadable everywhere (live + cold) at once. High-frequency audit-only events (session-refresh) may hard-prune; domain events crypto-shred.
  • Doctor observability: control doctor REPORTS retention posture (configured window, oldest event, row count) — it does NOT prune (destructive mutation belongs in a scheduled worker, like stale-execution-expiry). Enforcement = background worker; doctor = observation.
  • GDPR framing: OSS vendor ships the capability (operator is controller); a hosted PM makes US processor/controller — these controls are the ones customers will contractually require. Fold in existing Security-Audit + SIEM planning (SIEM egress is the other half of a grown-up audit story). Not legal advice — DPO sets retention periods.

Stability / correctness (extracted from the old 2026.08 umbrella + filed findings)

  • Search-staleness: device online/offline is wrong up to 1h — AffectedSearchOps has no DeviceHeartbeat case, so indexed last_seen_at only refreshes on other device events / hourly reconcile while deviceStatusClause judges a 5-min window. server#499 — fix = O(1) HSET touch on the heartbeat path.
  • Server-side inventory interval: cadence becomes a server-held setting delivered on the sync response (SetDeviceSyncInterval pattern: per-device override, group min, 24h default). server#500. NOT an agent env var — cadence is policy; server must know it to flag "inventory overdue" for offline devices.
  • server#494 — GetDeviceLpsPasswords / GetDeviceLuksKeys return decrypted secrets with NO audit event (compliance gap) + SCIM discovery comment.
  • server#475 — security_only precondition signal.
  • agent#165 — seal LUKS passphrases agent→control (same gateway-cleartext shape LPS fixed; hardening).
  • agent#169 — ENCRYPTION/WIFI/SERVICE backend params accepted-but-ignored → remove unimplemented enum values / fail-closed; USER root-disable-guard decision.
  • sdk#268 — proto contract hygiene: stale default-comments, ServiceParams.enable tri-state, LogQueryResult truncation flag.

Hardening passes (do the sweeps, don't just fix known tickets)

  • Run a security-review sweep across the codebase (not only the filed items).
  • Run a test-coverage sweep on the request/handler boundary.

Not in this release

  • New action types + compliance-on-inventory → 2026.09 (server#492).
  • Own releases, unscheduled: server#490 (authentik), server#491 (reinstall), server#493 (artifact storage).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions