docs: correct stale references + document new mechanisms #7

Merged
zach merged 1 commit from docs/accuracy-pass into main 2026-05-30 06:10:03 +00:00
Owner

A documentation-accuracy pass after the recent CI/pipeline work (cve-watch, repro-check, hardening-drift guard, seed-bump, bot-account migration). Docs-only; the intent-matches-policy gate still passes after the POLICY.md rewrite, and all code fences are balanced.

Accuracy fixes

  • releases/README.md — manifest schema rewritten to the seed-era model (upstream_seed + sbom; dropped the pre-seed config_sha256 / build_scripts_commit / stock_config_sources, none of which exist in real manifests). Fixed the final.config description: the drift baseline is consumed by tools/check-hardening-drift.sh in build-kernel.yml, not a "new-symbol guard in configure-kernel.sh".
  • docs/operators/first-build.md — removed "run publish.yml twice with component=main/debug" (there is no component input; one dispatch auto-splits and publishes both). Replaced the GitHub-only gh release delete with a Forgejo/tea note. Added the post-publish repro-check.yml dispatch step.
  • configs/POLICY.md — container-NAT pins live in intent.config, not a non-existent configs/debian-trixie-amd64.config; rewrote the review process to the real two gates (fidelity assertion + check-hardening-drift.sh), dropped the non-existent hardened-overlay.config, and noted the drift guard now catches the silent-disappearance class.
  • docs/operators/runner-setup.md — dropped the obsolete per-target / sibling-container model (the build runs in one debian:trixie job container); corrected the docker-socket rationale; noted Forgejo 15.0.2 and the absent workflow_run trigger.
  • docs/users/building-from-source.md — cd linux-hardened → linux-hardened-unredacted.
  • README.md — dropped /dev/kmem (removed upstream, not a project pin).

New docs

  • Bot-account (unredacted-bot) custody model in runner-setup.md + SECURITY.md (it's part of the trust surface; can't sign a kernel).
  • archive apt component (installing rotated-out versions) in install.md.
  • Hardening-drift failure runbook + ALLOW_HARDENING_REGRESSION in POLICY.md and config-architecture.md.
  • REQUIRE_NET_ISOLATION knob in runner-setup.md.

Note: OPERATOR_TODO.md and DECISIONS.md are gitignored, so their (also-stale) copies are out of scope for this PR — the tracked operator docs carry the corrected guidance.

🤖 Generated with Claude Code
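The PR text refers to a hardening-drift guard that catches the "silent-disappearance class" (a hardening symbol that was enabled in the baseline but quietly vanishes from a freshly generated config) and to an ALLOW_HARDENING_REGRESSION override. The script below is an added illustration of that check, not the project's tools/check-hardening-drift.sh: the two .config fragments are constructed, the symbol names are ordinary Kconfig symbols chosen for illustration, and the knob semantics (ALLOW_HARDENING_REGRESSION=1 acknowledges a reviewed regression and lets the job continue) are an assumption about how such a guard is typically wired.

```shell
#!/bin/sh
# Added example: a minimal hardening-drift guard. Not the project's own
# tools/check-hardening-drift.sh; symbol names and knob semantics are assumed.

# Constructed baseline (the last reviewed final.config, with hardening on).
BASELINE_CFG=$(cat <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_SLAB_FREELIST_HARDENED=y
# CONFIG_DEVKMEM is not set
# CONFIG_LEGACY_PTYS is not set
EOF
)

# Constructed candidate: one symbol silently gone, one flipped off, one
# demoted to a module, one legacy option switched on, and CONFIG_DEVKMEM
# absent entirely (the "removed upstream" case, which is not drift).
NEW_CFG=$(cat <<'EOF'
CONFIG_STACKPROTECTOR_STRONG=y
# CONFIG_RANDOMIZE_BASE is not set
CONFIG_SLAB_FREELIST_HARDENED=m
CONFIG_LEGACY_PTYS=y
EOF
)

# stdin: kernel .config text; stdout: one "CONFIG_X=value" line per symbol,
# with "# CONFIG_X is not set" rewritten to "CONFIG_X=n" so both forms compare.
normalize_cfg() {
  sed -n \
    -e 's/^# \(CONFIG_[A-Za-z0-9_]*\) is not set$/\1=n/' \
    -e '/^CONFIG_[A-Za-z0-9_]*=/p'
}

# $1 = baseline text, $2 = candidate text. Prints "SYMBOL want -> have" for
# every baseline symbol whose value changed. A symbol that is absent from the
# candidate counts as "n" for comparison (Kconfig semantics), but is reported
# as "missing" so a disappearance is distinguishable from an explicit off.
drift_report() {
  baseline_norm=$(printf '%s\n' "$1" | normalize_cfg)
  new_norm=$(printf '%s\n' "$2" | normalize_cfg)
  printf '%s\n' "$baseline_norm" | while IFS='=' read -r sym want; do
    [ -n "$sym" ] || continue
    have=$(printf '%s\n' "$new_norm" | sed -n "s/^$sym=//p" | head -n 1)
    if [ -z "$have" ]; then have=missing; cmp=n; else cmp=$have; fi
    [ "$cmp" = "$want" ] || printf '%s %s -> %s\n' "$sym" "$want" "$have"
  done
}

# Gate: exit 0 when there is no drift, or when the regression has been
# explicitly acknowledged with ALLOW_HARDENING_REGRESSION=1; exit 1 otherwise.
check_drift() {
  report=$(drift_report "$1" "$2")
  if [ -z "$report" ]; then
    echo "no hardening drift against baseline"
    return 0
  fi
  printf '%s\n' "$report"
  if [ "${ALLOW_HARDENING_REGRESSION:-0}" = "1" ]; then
    echo "hardening drift acknowledged via ALLOW_HARDENING_REGRESSION=1"
    return 0
  fi
  echo "hardening drift detected; refusing to proceed" >&2
  return 1
}

# Stand-alone run: reports four drifted symbols and a non-zero status.
check_drift "$BASELINE_CFG" "$NEW_CFG" || echo "exit status $?: a CI job would stop here" >&2
```

The comparison is driven by the baseline's symbol list, so a symbol the baseline never mentioned cannot trigger the guard; that is deliberate, since the point is to notice things the reviewed baseline had that the new build lacks, not to review every upstream default.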

docs: correct stale references + document new mechanisms
All checks were successful
validate / shellcheck (pull_request) Successful in 13s
validate / yamllint (pull_request) Successful in 12s
validate / pycompile (pull_request) Successful in 4s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
8e887758aa
Audit + fix across user/operator docs after the recent CI/pipeline work
(cve-watch, repro-check, hardening-drift guard, seed-bump, bot account).

Accuracy fixes:
- releases/README.md: rewrite the manifest schema to the seed-era model
  (upstream_seed + sbom; drop the pre-seed config_sha256 /
  build_scripts_commit / stock_config_sources, none of which exist). Fix
  the final.config description: the drift baseline is consumed by
  check-hardening-drift.sh in build-kernel.yml, not a "new-symbol guard in
  configure-kernel.sh".
- first-build.md: remove "run publish.yml twice with component=main/debug"
  — there is no component input; one dispatch auto-splits and publishes
  both. Replace the GitHub-only `gh release delete` with a Forgejo/tea
  note. Add the post-publish repro-check dispatch step.
- configs/POLICY.md: the container-NAT pins live in intent.config, not a
  non-existent configs/debian-trixie-amd64.config; rewrite the review
  process to the real two gates (fidelity assertion + check-hardening-drift),
  drop the non-existent hardened-overlay.config, and note the drift guard
  now catches the silent-disappearance class.
- runner-setup.md: drop the obsolete per-target / sibling-container model
  (the build runs in one debian:trixie job container); correct the
  docker-socket rationale; note Forgejo 15.0.2 and the absent workflow_run.
- building-from-source.md: fix `cd linux-hardened` -> -unredacted.
- README.md: drop /dev/kmem (removed upstream, not a project pin).

New docs:
- Bot-account (unredacted-bot) custody model in runner-setup.md + SECURITY.md.
- archive apt component (installing rotated-out versions) in install.md.
- Hardening-drift failure runbook + ALLOW_HARDENING_REGRESSION in POLICY.md
  and config-architecture.md.
- REQUIRE_NET_ISOLATION knob in runner-setup.md.

Docs-only; intent-matches-policy parity still passes. (OPERATOR_TODO.md and
DECISIONS.md are gitignored, so their stale copies are out of scope.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
zach merged commit ea5c1db81d into main 2026-05-30 06:10:03 +00:00
Reference
unredacted/linux-hardened-unredacted!7