From 24b16fe6c540cfa32e0e9644e84a7cb90e67f836 Mon Sep 17 00:00:00 2001 From: rcourtman Date: Sat, 27 Jun 2026 10:24:01 +0100 Subject: [PATCH] Refresh RC7 release packet after install-default fix --- .../HIGH_RISK_RELEASE_VERIFICATION_MATRIX.md | 48 +++++++++++++++++ ...legacy-cleanup-v6-rc7-packet-2026-06-27.md | 51 +++++++++++++++++++ .../subsystems/deployment-installability.md | 4 ++ docs/releases/RELEASE_NOTES_v6_RC7_DRAFT.md | 22 +++++--- docs/releases/V6_CHANGELOG_RC7_DRAFT.md | 16 ++++-- .../V6_RC7_OPERATOR_SUPPORT_PACK_DRAFT.md | 6 +-- 6 files changed, 132 insertions(+), 15 deletions(-) create mode 100644 docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-v6-rc7-packet-2026-06-27.md diff --git a/docs/release-control/v6/internal/HIGH_RISK_RELEASE_VERIFICATION_MATRIX.md b/docs/release-control/v6/internal/HIGH_RISK_RELEASE_VERIFICATION_MATRIX.md index 9c06377d0..20e4874eb 100644 --- a/docs/release-control/v6/internal/HIGH_RISK_RELEASE_VERIFICATION_MATRIX.md +++ b/docs/release-control/v6/internal/HIGH_RISK_RELEASE_VERIFICATION_MATRIX.md @@ -820,6 +820,54 @@ Companion drill: A token can outlive revocation, exceed assigned scope, or detach from the intended user/org identity. +## Gate: `commercial-support-operations-canonical-case` + +- Why this is risky: + Support operations can touch customer identity, invoices, Stripe + subscriptions, local licenses, license transfers, configuration review, and + diagnostics. If operators resolve those records through ad hoc email, + Stripe, or license matching, a support action can disclose customer data, + cancel the wrong subscription, transfer the wrong license, or retain secrets + from diagnostics. +- Primary runtime surfaces: + `pulse-pro/landing-page/manage.html` + `pulse-pro/license-server/admin_support.go` + `pulse-pro/license-server/admin_support_test.go` + `pulse-pro/license-server/main.go` + `pulse-pro/license-server/support_cases.go` + `pulse-pro/license-server/support_cases_test.go` +- Automated proof: + `cd /Volumes/Development/pulse/repos/pulse-pro && go test ./license-server -run 'Test(AdminSupport|SupportCase)' -count=1` +- Manual scenario: + 1. Start from a customer support request that includes an email address and + at least one commercial identifier such as invoice number, subscription + ID, license ID, license-transfer target, configuration detail, or + diagnostics payload. + 2. Resolve the case through the Pulse Pro support/admin surface, not by + manually correlating Gmail, Stripe, and license records. + 3. Confirm exact customer-email matches can expose only the intended support + decision, while same-domain or mismatched requester details require + identity review before invoice, cancellation, or license-transfer action. + 4. Confirm duplicate invoice numbers, mismatched subscription IDs, unknown + support emails, self-transfers, and secret-bearing messages fail closed + without consuming verification codes or mutating customer state. + 5. Confirm diagnostics are redacted before storage and admin review, support + case status changes are audited, and approved license-transfer or + subscription-cancel actions are written through the canonical support case + path. +- Pass when: + Support staff can resolve customer, invoice, subscription, local license, + license-transfer, configuration-review, and diagnostics-review cases through + the canonical Pulse Pro support systems with exact identity decisions, + redacted diagnostics, and audited mutations. +- Latest exercised record: + `docs/release-control/v6/internal/status.json` +- Block release if: + Any data-protection-sensitive support action still depends on ad hoc + Gmail-to-Stripe or Gmail-to-license matching, or if support case resolution + can expose invoice/license data, consume verification, or mutate Stripe or + license state before the canonical case decision allows it. + ## Gate Ownership Rule Update these machine-visible gate states in `docs/release-control/v6/internal/status.json` diff --git a/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-v6-rc7-packet-2026-06-27.md b/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-v6-rc7-packet-2026-06-27.md new file mode 100644 index 000000000..5ad05f976 --- /dev/null +++ b/docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-v6-rc7-packet-2026-06-27.md @@ -0,0 +1,51 @@ +# RC7 Release Packet Currentness Record + +## Scope + +- From tag: `v6.0.0-rc.6` +- From commit: `c25e95cb2b071551df95c8add62773905ba0628b` +- To validation-risk commit: `55204cde9b93004fb04850b638de38ac3abaa27e` +- Git range: `v6.0.0-rc.6..55204cde9b93004fb04850b638de38ac3abaa27e` +- Commit count: `940` +- Date span in the range: `2026-05-27` through `2026-06-27` +- Changed scope: `1966` files, `236770` insertions, `46839` deletions + +The final release workflow dispatch may use a later metadata-only packet +refresh commit. That refresh is not counted as a new validation-risk commit +when it only updates the packet to name the last code-backed release fix. + +## Outcome + +The RC7 packet refresh keeps v6 on the opt-in prerelease channel and preserves +the stable rollback target as `v5.1.35`. + +The branch had accumulated follow-up CI fixes after the initial RC7 packet: +Discovery disabled-state test copy, frontend bundle-size baseline drift, +Patrol-control telemetry disclosure wording, and RC7 Docker install defaults. +`Build and Test` run `28284309278` then exposed the release-installability +blocker: root `docker-compose.yml` and `scripts/install-docker.sh` still +defaulted to the stable `6.0.0` image while `VERSION` was `6.0.0-rc.7`. + +The corrected packet pins the repo-root Docker Compose default and Docker +bootstrap installer fallback to `6.0.0-rc.7`. The installer proof now keeps the +stable-promotion guard version-aware: prerelease defaults are valid only when +the governed `VERSION` is prerelease, and leftover `-rc.` defaults remain a +blocker when the governed `VERSION` is stable. + +No public issue comment, retitle, closure, release publication, or customer +message was made as part of this packet update. + +## Verification + +- `go test ./scripts/installtests -count=1` +- `go test -race -timeout 25m ./...` +- `python3 scripts/release_control/contract_audit.py --check` +- `git diff --check` +- No-attribution preflight for the RC7 Docker install default commit message + and changed files. +- `Build and Test` run `28284309278`: + - `Secret Scan` passed + - `Frontend unit tests`, `Type-check frontend`, frontend bundle build, + bundle-size check, and script smoke tests passed + - `Go unit tests` failed on stale `6.0.0` Docker install defaults before the + RC7 Docker-default correction diff --git a/docs/release-control/v6/internal/subsystems/deployment-installability.md b/docs/release-control/v6/internal/subsystems/deployment-installability.md index 9360853ad..447829f9c 100644 --- a/docs/release-control/v6/internal/subsystems/deployment-installability.md +++ b/docs/release-control/v6/internal/subsystems/deployment-installability.md @@ -800,6 +800,10 @@ For the active `v6.0.0-rc.7` cut, the repo-root compose default and `scripts/install-docker.sh` fallback must both pin `6.0.0-rc.7`; the stable promotion guard remains in force by rejecting leftover `-rc.` defaults only when the governed `VERSION` is a stable release. +The RC7 packet refresh records `55204cde9b93004fb04850b638de38ac3abaa27e` +as the validation-risk commit for that correction; later metadata-only packet +refreshes may be the workflow dispatch head only when they do not change the +code-backed release-risk range. `internal/updates/` is the live deployment and upgrade planner. It owns deployment-type detection, update-plan generation, adapter selection, server diff --git a/docs/releases/RELEASE_NOTES_v6_RC7_DRAFT.md b/docs/releases/RELEASE_NOTES_v6_RC7_DRAFT.md index 756aee3ba..ccf12c180 100644 --- a/docs/releases/RELEASE_NOTES_v6_RC7_DRAFT.md +++ b/docs/releases/RELEASE_NOTES_v6_RC7_DRAFT.md @@ -84,8 +84,8 @@ making those pages denser, calmer, and more consistent: The self-hosted free-first posture carries through: core monitoring is included on current public self-hosted plans, and paid value is explicit through Relay, -mobile handoff, support, history, AI operations, automation, Cloud, MSP, and -account surfaces. +Pulse Mobile pairing for handoff, support, history, AI operations, automation, +Cloud, MSP, and account surfaces. RC7 also carries provider MSP control-plane install, preflight, status, proof, backup, recovery, token-rotation, and isolation work. Cloud and account copy, @@ -120,13 +120,20 @@ health filters. ## Validation This packet is audited against the commit range from the published -`v6.0.0-rc.6` tag through the current candidate head: +`v6.0.0-rc.6` tag through the validation-risk commit. A later packet-only +refresh may be the workflow dispatch head; the validation range below is the +code-backed release-risk range. - `v6.0.0-rc.6`: `c25e95cb2b071551df95c8add62773905ba0628b` -- candidate head: `5c2e465cde2f6202ef76fcdb6874555a8636a583` -- range: `v6.0.0-rc.6..5c2e465cde2f6202ef76fcdb6874555a8636a583` -- commit count: `934` -- changed scope: `1961` files, `236190` insertions, `46825` deletions +- validation-risk commit: `55204cde9b93004fb04850b638de38ac3abaa27e` +- range: `v6.0.0-rc.6..55204cde9b93004fb04850b638de38ac3abaa27e` +- commit count: `940` +- changed scope: `1966` files, `236770` insertions, `46839` deletions + +The final validation-risk correction pins the repo-root Docker Compose default +and `scripts/install-docker.sh` fallback to `6.0.0-rc.7`, and keeps the stable +promotion guard version-aware so future `6.0.0` promotion still rejects stale +prerelease Docker defaults. ## Retest plan @@ -161,6 +168,7 @@ This packet is audited against the commit range from the published - `docs/release-control/v6/internal/subsystems/patrol-intelligence.md` - `docs/release-control/v6/internal/subsystems/ai-runtime.md` - `docs/release-control/v6/internal/subsystems/frontend-primitives.md` +- `docs/release-control/v6/internal/records/documentation-currentness-and-legacy-cleanup-v6-rc7-packet-2026-06-27.md` - `frontend-modern/src/features/platformPage/columnAlignment.ts` - `.github/workflows/create-release.yml` - `.github/workflows/release-dry-run.yml` diff --git a/docs/releases/V6_CHANGELOG_RC7_DRAFT.md b/docs/releases/V6_CHANGELOG_RC7_DRAFT.md index 677be5922..dc1c9f395 100644 --- a/docs/releases/V6_CHANGELOG_RC7_DRAFT.md +++ b/docs/releases/V6_CHANGELOG_RC7_DRAFT.md @@ -19,13 +19,14 @@ prerelease channel for another evaluation pass. ## Commit coverage audit The changelog is audited against every feature/runtime commit in the exact -candidate range: +validation-risk range. A later packet-only refresh may be the workflow dispatch +head; the validation range below is the code-backed release-risk range. - `v6.0.0-rc.6`: `c25e95cb2b071551df95c8add62773905ba0628b` -- candidate head: `5c2e465cde2f6202ef76fcdb6874555a8636a583` -- range: `v6.0.0-rc.6..5c2e465cde2f6202ef76fcdb6874555a8636a583` -- commit count: `934` -- changed scope: `1961` files, `236190` insertions, `46825` deletions +- validation-risk commit: `55204cde9b93004fb04850b638de38ac3abaa27e` +- range: `v6.0.0-rc.6..55204cde9b93004fb04850b638de38ac3abaa27e` +- commit count: `940` +- changed scope: `1966` files, `236770` insertions, `46839` deletions Those commits are grouped here by operator-visible behavior and release risk instead of listed one by one. @@ -87,6 +88,8 @@ instead of listed one by one. - The self-hosted free-first commercial posture remains the default: current public self-hosted plans include core monitoring. +- Relay value remains framed around secure remote access to the Pulse web UI, + Pulse Mobile pairing for handoff, push notifications, and longer history. - Cloud, account, billing, support, migration, and entitlement copy were aligned with the current v6 commercial model. - Provider MSP gained control-plane mode, install artifacts, preflight/status @@ -102,6 +105,9 @@ instead of listed one by one. - Workflow action pins, Go toolchain selection, release dry-run, release asset validation, release promotion policy support, installer smoke tests, Docker and Helm publication paths, and update readiness checks were tightened. +- RC7 Docker install defaults now pin the governed `6.0.0-rc.7` image in both + the repo-root Compose sample and Docker bootstrap installer fallback, while + keeping stable-promotion proof guarded against leftover prerelease defaults. - Installer scripts gained additional update resilience, Windows agent install coverage, root install tests, uninstall sensor-proxy support, and bundled agent installer fail-closed behavior. diff --git a/docs/releases/V6_RC7_OPERATOR_SUPPORT_PACK_DRAFT.md b/docs/releases/V6_RC7_OPERATOR_SUPPORT_PACK_DRAFT.md index b1bd3a325..8223d7cbb 100644 --- a/docs/releases/V6_RC7_OPERATOR_SUPPORT_PACK_DRAFT.md +++ b/docs/releases/V6_RC7_OPERATOR_SUPPORT_PACK_DRAFT.md @@ -61,9 +61,9 @@ return in RC7. ### Does self-hosted v6 still cap monitored systems? No for current public self-hosted plans. Community, Relay, and Pro include core -monitoring. Paid value remains explicit through Relay convenience, Pulse Mobile -handoff, push delivery, longer history, AI operations, automation, support, -Cloud, MSP, and commercial account surfaces. +monitoring. Paid value remains explicit through Relay convenience, +Pulse Mobile pairing for handoff, push delivery, longer history, AI operations, +automation, support, Cloud, MSP, and commercial account surfaces. Current shorthand: Community, Relay, and Pro have core monitoring included; paid value is explicit service, history, support, automation, and hosted