sync: auto-sync from GURU-5070 at 2026-05-31 18:23:00

Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-05-31 18:23:00
2026-05-31 18:23:05 -07:00
parent 3a3362ba8c
commit 5ee92ad5b1
1 changed files with 49 additions and 0 deletions
--- a/session-logs/2026-05-31-mike-spec004-sprint-deploy.md
+++ b/session-logs/2026-05-31-mike-spec004-sprint-deploy.md
@@ -87,3 +87,52 @@ Production server 172.16.3.30: code reset b3e8f32→96f9c0a; rebuilt dashboard S
 - Specs: specs/v2-stable-identity/plan.md (SPEC-004 Tasks 1-5). docs/specs/SPEC-004-session-lifecycle-and-removal.md.
 - Sprint tasks: #13 A1, #14 A2, #15 A3a, #21 A3b, #20 A4 (all done); #18/#19 B, #3/#4 C, #16 D pending.
 - Memory updated: reference_guru5070_rust_toolchain.md (CI fmt-gate lesson). Deploy procedure: project_guruconnect_deploy.md.
+
+## Update: 18:22 PT — B-track (v0.3.0 release), D1 (publish), C1 (Phase-1 EXIT)
+
+Continued the P1 sprint after the A-track deploy. Discovered that B1 (auto-versioning) and B2
+(code signing) were ALREADY implemented in `.gitea/workflows/release.yml` (24KB; conventional-commit
+version bump + git-cliff changelog + native Windows build on Pluto + jsign Azure Trusted Signing +
+Gitea release) — they had been mislabeled in the sprint plan as "build" tasks. Validated them by
+cutting a real release: reconciled the drifted manifests to a clean v0.2.2 baseline (agent/server
+Cargo.toml were hardcoded 0.2.0 below the workspace/tag; dashboard was on a divergent 2.0.0 scheme;
+synced package-lock; commit 16586c4), then triggered release.yml. Gitea 1.25.2's workflow_dispatch API
+returns 204 but does NOT enqueue a run (known bug) — Mike triggered it from the web UI. Release run #71
+succeeded all three jobs and published **v0.3.0**: tag e967cce, signed guruconnect.exe (Azure Trusted
+Signing) + .sha256 + CHANGELOG.md as Gitea release assets.
+
+D1 (#16): there is NO 0.1.0 fleet (Mike corrected the stale task framing) — the connect_machines rows
+were ghosts (purged) + test boxes + stale Dec-2025 client rows. So D1 reduced to PUBLISHING v0.3.0 as
+the canonical release rather than a fleet push. The `/api/version` endpoint reads `get_latest_stable_release`
+from the empty `releases` table ("No stable release available"). Registered v0.3.0 via direct SQL INSERT
+(no dashboard admin creds available): download_url = the public Gitea release asset, checksum
+bc4767f4...06ef (verified the binary actually hashes to it). `/api/version` now serves v0.3.0 on both
+the local endpoint and the public connect.azcomputerguru.com ingress.
+
+C1 (#3): v2 Phase 1 formally EXITED. Live functional verification of the secure-session-core CRITICAL
+boundaries against the DEPLOYED binary (forged HS256 tokens via curl WS upgrade): login-JWT on
+/ws/viewer -> 401; validly-signed viewer token for session AAAA used on session BBBB -> 403 (session
+bind enforced); login-JWT as agent api_key on /ws/agent -> 401; wrong-sig -> 401. Then ran
+`/gc-audit --pass=security` (Agent E, Opus): PASS, 0 CRITICAL/HIGH/MEDIUM/LOW. The 3 relay CRITICALs
+stay closed, the prior agent-update-TLS HIGH and chat-logging LOW are fixed, and the net-new SPEC-004
+surface (machine_uid dedup gate, reaper/supersede, operator removal API) audits clean — no non-admin
+removal path, no uid-spoof hijack (worst case denial-of-persistence), no auth-plane crossover. Report:
+reports/2026-05-31-gc-audit.md (commit 1601745). Roadmap banner updated to mark Phase 1 exited.
+
+### Commits (this update)
+- 16586c4 chore: reconcile manifest versions to v0.2.2 baseline
+- e967cce chore: release v0.3.0 [skip ci] (release.yml; tag v0.3.0)
+- 1601745 docs: 2026-05-31 security re-audit (Phase-1 EXIT) + roadmap reconcile
+- parent: 8fafd5a..3a3362b (submodule pointer bumps)
+
+### Key facts
+- v0.3.0 release assets (public): https://git.azcomputerguru.com/azcomputerguru/guru-connect/releases/download/v0.3.0/guruconnect.exe (+ .sha256, CHANGELOG.md). sha256 bc4767f4d2088459b984f7b266f45b0678aad8edddbdab716bbf3c1ae8ee06ef
+- /api/version serves: latest_version 0.3.0, that download_url, is_mandatory false.
+- Gitea 1.25.2 workflow_dispatch API = 204 but no-op; use the web UI to trigger releases.
+- release.yml does NOT bump package-lock.json root version (cosmetic; npm ci tolerates the lag).
+- Running server binary self-reports 0.2.0 (built from 96f9c0a pre-bump); functionally == 0.3.0 (version-string only). Optional redeploy at the v0.3.0 tag for self-version consistency.
+
+### P1 sprint status
+A1-A4 done+deployed (ghosts purged 19->8); B1/B2 done (v0.3.0 signed); C1 done (Phase-1 exit); D1 done
+(v0.3.0 published). ONLY C2 (#4) remains: live HW-H.264 cross-GPU validation (beast agent -> 5070 viewer),
+then decide DEFAULT_PREFER_H264 (stays false until validated). Not a Phase-1 blocker.