From 5ee92ad5b1f5c5321a872be634adf59d5e236c44 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Sun, 31 May 2026 18:23:05 -0700 Subject: [PATCH] sync: auto-sync from GURU-5070 at 2026-05-31 18:23:00 Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-05-31 18:23:00 --- .../2026-05-31-mike-spec004-sprint-deploy.md | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/session-logs/2026-05-31-mike-spec004-sprint-deploy.md b/session-logs/2026-05-31-mike-spec004-sprint-deploy.md index 8d0da85..2915c0e 100644 --- a/session-logs/2026-05-31-mike-spec004-sprint-deploy.md +++ b/session-logs/2026-05-31-mike-spec004-sprint-deploy.md @@ -87,3 +87,52 @@ Production server 172.16.3.30: code reset b3e8f32→96f9c0a; rebuilt dashboard S - Specs: specs/v2-stable-identity/plan.md (SPEC-004 Tasks 1-5). docs/specs/SPEC-004-session-lifecycle-and-removal.md. - Sprint tasks: #13 A1, #14 A2, #15 A3a, #21 A3b, #20 A4 (all done); #18/#19 B, #3/#4 C, #16 D pending. - Memory updated: reference_guru5070_rust_toolchain.md (CI fmt-gate lesson). Deploy procedure: project_guruconnect_deploy.md. + +## Update: 18:22 PT — B-track (v0.3.0 release), D1 (publish), C1 (Phase-1 EXIT) + +Continued the P1 sprint after the A-track deploy. Discovered that B1 (auto-versioning) and B2 +(code signing) were ALREADY implemented in `.gitea/workflows/release.yml` (24KB; conventional-commit +version bump + git-cliff changelog + native Windows build on Pluto + jsign Azure Trusted Signing + +Gitea release) — they had been mislabeled in the sprint plan as "build" tasks. Validated them by +cutting a real release: reconciled the drifted manifests to a clean v0.2.2 baseline (agent/server +Cargo.toml were hardcoded 0.2.0 below the workspace/tag; dashboard was on a divergent 2.0.0 scheme; +synced package-lock; commit 16586c4), then triggered release.yml. Gitea 1.25.2's workflow_dispatch API +returns 204 but does NOT enqueue a run (known bug) — Mike triggered it from the web UI. Release run #71 +succeeded all three jobs and published **v0.3.0**: tag e967cce, signed guruconnect.exe (Azure Trusted +Signing) + .sha256 + CHANGELOG.md as Gitea release assets. + +D1 (#16): there is NO 0.1.0 fleet (Mike corrected the stale task framing) — the connect_machines rows +were ghosts (purged) + test boxes + stale Dec-2025 client rows. So D1 reduced to PUBLISHING v0.3.0 as +the canonical release rather than a fleet push. The `/api/version` endpoint reads `get_latest_stable_release` +from the empty `releases` table ("No stable release available"). Registered v0.3.0 via direct SQL INSERT +(no dashboard admin creds available): download_url = the public Gitea release asset, checksum +bc4767f4...06ef (verified the binary actually hashes to it). `/api/version` now serves v0.3.0 on both +the local endpoint and the public connect.azcomputerguru.com ingress. + +C1 (#3): v2 Phase 1 formally EXITED. Live functional verification of the secure-session-core CRITICAL +boundaries against the DEPLOYED binary (forged HS256 tokens via curl WS upgrade): login-JWT on +/ws/viewer -> 401; validly-signed viewer token for session AAAA used on session BBBB -> 403 (session +bind enforced); login-JWT as agent api_key on /ws/agent -> 401; wrong-sig -> 401. Then ran +`/gc-audit --pass=security` (Agent E, Opus): PASS, 0 CRITICAL/HIGH/MEDIUM/LOW. The 3 relay CRITICALs +stay closed, the prior agent-update-TLS HIGH and chat-logging LOW are fixed, and the net-new SPEC-004 +surface (machine_uid dedup gate, reaper/supersede, operator removal API) audits clean — no non-admin +removal path, no uid-spoof hijack (worst case denial-of-persistence), no auth-plane crossover. Report: +reports/2026-05-31-gc-audit.md (commit 1601745). Roadmap banner updated to mark Phase 1 exited. + +### Commits (this update) +- 16586c4 chore: reconcile manifest versions to v0.2.2 baseline +- e967cce chore: release v0.3.0 [skip ci] (release.yml; tag v0.3.0) +- 1601745 docs: 2026-05-31 security re-audit (Phase-1 EXIT) + roadmap reconcile +- parent: 8fafd5a..3a3362b (submodule pointer bumps) + +### Key facts +- v0.3.0 release assets (public): https://git.azcomputerguru.com/azcomputerguru/guru-connect/releases/download/v0.3.0/guruconnect.exe (+ .sha256, CHANGELOG.md). sha256 bc4767f4d2088459b984f7b266f45b0678aad8edddbdab716bbf3c1ae8ee06ef +- /api/version serves: latest_version 0.3.0, that download_url, is_mandatory false. +- Gitea 1.25.2 workflow_dispatch API = 204 but no-op; use the web UI to trigger releases. +- release.yml does NOT bump package-lock.json root version (cosmetic; npm ci tolerates the lag). +- Running server binary self-reports 0.2.0 (built from 96f9c0a pre-bump); functionally == 0.3.0 (version-string only). Optional redeploy at the v0.3.0 tag for self-version consistency. + +### P1 sprint status +A1-A4 done+deployed (ghosts purged 19->8); B1/B2 done (v0.3.0 signed); C1 done (Phase-1 exit); D1 done +(v0.3.0 published). ONLY C2 (#4) remains: live HW-H.264 cross-GPU validation (beast agent -> 5070 viewer), +then decide DEFAULT_PREFER_H264 (stays false until validated). Not a Phase-1 blocker.