Skip to content

release: doc-accuracy audit fixes + Go toolchain CVE bump#86

Merged
devonartis merged 4 commits into
mainfrom
develop
Jun 29, 2026
Merged

release: doc-accuracy audit fixes + Go toolchain CVE bump#86
devonartis merged 4 commits into
mainfrom
develop

Conversation

@devonartis

Copy link
Copy Markdown
Owner

Release merge `develop → main`. Docs-and-CI only — no broker behavior change.

What's landing (3 commits since `c32fcfc`)

  • `b35a171` docs: WRONG+HIGH tier doc-accuracy fixes — removed stale "coming soon" banners (Python SDK + both demos are live), replaced a fabricated SDK API with the real v0.3.0 surface, sanitized the token-validate error doc, made `iss` config-driven, dropped enterprise-module framing (Decision 022), corrected rate limits / event counts / OpenAPI schema.
  • `aad38cd` fix(ci): Go toolchain go1.25.10 → go1.25.11 — clears two Go stdlib advisories (`GO-2026-5039` net/textproto, `GO-2026-5037` crypto/x509) flagged by govulncheck.
  • `9b8fa84` docs: MED/LOW tier fixes — README endpoint count, KEY=VALUE config format, `evt-NNNNNN` audit IDs, `inactive` deregister status, `go run`→`./bin/`, mutauth "built but not mounted", 25 event types (incl. 2 SVG diagrams), CHANGELOG [Unreleased].

User-facing

  • Docs now match the shipped broker, the live PyPI SDK, and the published demo images.
  • Security: Go stdlib CVEs cleared via toolchain bump.

Notes

devonartis and others added 4 commits June 29, 2026 18:14
Correct nine shipped docs against current code and the live Python SDK
(PyPI agentwrit v0.3.0), per the 2026-06-07 doc-accuracy audit.

WRONG tier:
- demos.md: replace coming-soon banner with live docker-compose run steps
  and the three published image names
- python-sdk.md: drop fabricated register(launch_token=) API, document the
  real AgentWritApp/create_agent surface
- faq.md: remove enterprise-module/open-core framing (Decision 022); mark
  SDK + demos shipped; event count 24 -> 25

HIGH tier:
- common-tasks.md: sanitized validate-invalid response (no detail/codes);
  de-hardcode iss example
- foundations.md: iss is config-driven (AA_ISSUER, empty default skips check),
  not always 'agentwrit'
- SECURITY.md: add GitHub Security Advisory channel; real version table
- design-decisions.md: planned OIDC bridge behind interface seam, not add-on
- api.md: app/auth rate limit 10/min burst 3; event count 23 -> 25; add sid
- openapi.yaml: details->detail + 8 missing event fields; policy fields;
  real SPIFFE shape

Verified every fix against source; corrected two stale audit claims
(event count is 25 not 26; release 403 insufficient_scope is correct).

Co-authored-by: Claude <noreply@anthropic.com>
Clears two Go stdlib advisories flagged by govulncheck:
- GO-2026-5039 (net/textproto), reached via ed25519.GenerateKey
- GO-2026-5037 (crypto/x509)

Both fixed in go1.25.11. CI reads go-version-file: go.mod, so the
toolchain directive bump applies across all jobs. Comment refs in
ci.yml updated to match.

Co-authored-by: Claude <noreply@anthropic.com>
Second pass over the 2026-06-07 audit (MED/LOW + cross-cutting), all
verified against current code:

- README.md: add missing POST /v1/app/launch-tokens row (19 endpoints)
- awrit-reference.md: config file is KEY=VALUE not YAML (MODE=/ADMIN_SECRET=);
  audit IDs are evt-NNNNNN not UUID; app deregister status is 'inactive'
- troubleshooting.md: go run -> ./bin/; /v1/register has no requested_ttl
  (TTL comes from launch-token max_ttl); config path is /etc/broker/config
- concepts.md: hash covers 13 fields; claims include iss/nbf/aud/sid;
  eight components (was 'seven')
- security-topology.md + 2 SVG diagrams: 24 -> 25 event types
- architecture.md: prometheus/client_model marked indirect (5 direct deps)
- implementation-map.md + scenarios.md: mutauth built+tested but NOT mounted
- getting-started-{user,operator}.md: go run -> ./bin/
- CHANGELOG.md: [Unreleased] docs-accuracy + Go toolchain entries

Deferred: RFC 7807-vs-9457 reconciliation (code emits 7807, rules say 9457
— owner decision, out of docs-only scope). AGENTS.md/CONTRIBUTING.md fixes
are local-only (both gitignored, not tracked in this repo).

Co-authored-by: Claude <noreply@anthropic.com>
docs: fix WRONG+HIGH tier doc-accuracy audit findings
@devonartis devonartis merged commit 91fd17b into main Jun 29, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant