You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
2026.08 is a stability, auditability & compliance release — no new feature surface. New device-config action types + compliance-on-inventory are deferred to 2026.09 (server#492). This release hardens the product and builds the audit/retention/GDPR controls we'll need for a hosted (SaaS) offering anyway — building them into the OSS product means our own SaaS deployment is just another operator, with nothing bespoke to maintain. Rationale recorded 2026-07-03; also gives the just-merged event-sourcing-integrity rewrite (#498) a production bake cycle before more core churn.
Large, reopens the rebuild core (#498) — design before code.
Rolling snapshot + prune: replay to a sequence_num checkpoint, persist projection state as the new "start," archive+prune events ≤ checkpoint. RebuildAll changes from truncate+replay-all to load-snapshot+replay-tail. Snapshot must be a single global sequence_num cut (cross-projection consistency).
Tamper-evidence preserved: pruning collides with the append-only trigger (migration 011, a security control). The prune must itself emit an EventLogPruned{up_to_seq, archive_sha256, snapshot_id} event (prune lands IN the tamper-evident chain), and the archived cold-storage export must be integrity-sealed (hash-chained/signed).
Tiered retention (industry norm — nobody deletes audit logs; compliance wants 1–7yr): hot (queryable) → cold/archive (compressed SQL on cheap storage). Configurable per tier.
Crypto-shred erasure: for PII in domain events (can't DELETE from append-only, can't lose replay), destroy the actor→person linkage by crypto-erasing under the enc:v2/KEK model — event row survives for replay, PII becomes unreadable everywhere (live + cold) at once. High-frequency audit-only events (session-refresh) may hard-prune; domain events crypto-shred.
Doctor observability: control doctor REPORTS retention posture (configured window, oldest event, row count) — it does NOT prune (destructive mutation belongs in a scheduled worker, like stale-execution-expiry). Enforcement = background worker; doctor = observation.
GDPR framing: OSS vendor ships the capability (operator is controller); a hosted PM makes US processor/controller — these controls are the ones customers will contractually require. Fold in existing Security-Audit + SIEM planning (SIEM egress is the other half of a grown-up audit story). Not legal advice — DPO sets retention periods.
Stability / correctness (extracted from the old 2026.08 umbrella + filed findings)
Search-staleness: device online/offline is wrong up to 1h — AffectedSearchOps has no DeviceHeartbeat case, so indexed last_seen_at only refreshes on other device events / hourly reconcile while deviceStatusClause judges a 5-min window. server#499 — fix = O(1) HSET touch on the heartbeat path.
Server-side inventory interval: cadence becomes a server-held setting delivered on the sync response (SetDeviceSyncInterval pattern: per-device override, group min, 24h default). server#500. NOT an agent env var — cadence is policy; server must know it to flag "inventory overdue" for offline devices.
server#494 — GetDeviceLpsPasswords / GetDeviceLuksKeys return decrypted secrets with NO audit event (compliance gap) + SCIM discovery comment.
Theme
2026.08 is a stability, auditability & compliance release — no new feature surface. New device-config action types + compliance-on-inventory are deferred to 2026.09 (server#492). This release hardens the product and builds the audit/retention/GDPR controls we'll need for a hosted (SaaS) offering anyway — building them into the OSS product means our own SaaS deployment is just another operator, with nothing bespoke to maintain. Rationale recorded 2026-07-03; also gives the just-merged event-sourcing-integrity rewrite (#498) a production bake cycle before more core churn.
Already merged (this window)
lps_keypairevent-sourced, 6 silent RPCs now audit-logged, 12 projections given rebuild targets, 3 self-discovering guards, ADR 0029. Closed guard: self-discovering test that every state-changing RPC appends an event (no AppendEvent bypass) #495/audit gaps: six state-changing RPCs append no event (found by the #495 guard) #496/replay gaps: projections without rebuild targets + in-place writes replay loses (found by #495 schema guard) #497.Auditability & compliance (the headline)
Audit-log UX + richer data — server#501
Audit-log retention — server#502 (SPEC-FIRST)
Large, reopens the rebuild core (#498) — design before code.
sequence_numcheckpoint, persist projection state as the new "start," archive+prune events ≤ checkpoint.RebuildAllchanges from truncate+replay-all to load-snapshot+replay-tail. Snapshot must be a single globalsequence_numcut (cross-projection consistency).EventLogPruned{up_to_seq, archive_sha256, snapshot_id}event (prune lands IN the tamper-evident chain), and the archived cold-storage export must be integrity-sealed (hash-chained/signed).control doctorREPORTS retention posture (configured window, oldest event, row count) — it does NOT prune (destructive mutation belongs in a scheduled worker, like stale-execution-expiry). Enforcement = background worker; doctor = observation.Stability / correctness (extracted from the old 2026.08 umbrella + filed findings)
AffectedSearchOpshas noDeviceHeartbeatcase, so indexedlast_seen_atonly refreshes on other device events / hourly reconcile whiledeviceStatusClausejudges a 5-min window. server#499 — fix = O(1)HSETtouch on the heartbeat path.Hardening passes (do the sweeps, don't just fix known tickets)
Not in this release