From ba429679438b9676c5076aba4b8354d4589b5c16 Mon Sep 17 00:00:00 2001 From: Joseph Doherty Date: Sun, 19 Apr 2026 11:04:30 -0400 Subject: [PATCH] =?UTF-8?q?v2=20release-readiness=20=E2=80=94=20blocker=20?= =?UTF-8?q?#1=20closed;=20doc=20reflects=20state?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #94 closed the Phase 6.2 dispatch wiring blocker. Update the dashboard: - Status line: "two of three release blockers remain". - Release-blocker #1 section struck through + marked CLOSED with PR link. Remaining Stream C surfaces (Browse / Subscribe / Alarm / Call + finer- grained scope resolution) downgraded to hardening follow-ups — not release-blocking. - Change log: new dated entry. Two remaining blockers: Phase 6.1 Stream D config-cache wiring (task #136) + Phase 6.3 Streams A/C/F redundancy runtime (tasks #145, #147, #150). Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/v2/v2-release-readiness.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/v2/v2-release-readiness.md b/docs/v2/v2-release-readiness.md index 7effcd4..aa4d67c 100644 --- a/docs/v2/v2-release-readiness.md +++ b/docs/v2/v2-release-readiness.md @@ -1,7 +1,7 @@ # v2 Release Readiness -> **Last updated**: 2026-04-19 (Phase 6.4 data layer merged) -> **Status**: **NOT YET RELEASE-READY** — four Phase 6 data-layer ships have landed, but several production-path wirings are still deferred. +> **Last updated**: 2026-04-19 (release blocker #1 closed — Phase 6.2 dispatch wiring shipped) +> **Status**: **NOT YET RELEASE-READY** — two of three release blockers remain (Phase 6.1 Stream D config-cache wiring + Phase 6.3 Streams A/C/F redundancy runtime). This doc is the single view of where v2 stands against its release criteria. Update it whenever a deferred follow-up closes or a new release blocker is discovered. @@ -26,19 +26,20 @@ This doc is the single view of where v2 stands against its release criteria. Upd Ordered by severity + impact on production fitness. -### Security — Phase 6.2 dispatch wiring (task #143) +### ~~Security — Phase 6.2 dispatch wiring~~ (task #143 — **CLOSED** 2026-04-19, PR #94) -The `AuthorizationGate` + `IPermissionEvaluator` + `PermissionTrie` stack is fully built and unit-tested, **but no dispatch path in `DriverNodeManager` actually calls it**. Every OPC UA Read / Write / HistoryRead / Browse / Call / CreateMonitoredItems on the live server currently runs through the pre-Phase-6.2 code path (which gates Write via `WriteAuthzPolicy` only — no per-tag ACL). +**Closed**. `AuthorizationGate` + `NodeScopeResolver` now thread through `OpcUaApplicationHost → OtOpcUaServer → DriverNodeManager`. `OnReadValue` + `OnWriteValue` + all four HistoryRead paths call `gate.IsAllowed(identity, operation, scope)` before the invoker. Production deployments activate enforcement by constructing `OpcUaApplicationHost` with an `AuthorizationGate(StrictMode: true)` + populating the `NodeAcl` table. -Closing this requires: +Additional Stream C surfaces (not release-blocking, hardening only): -- Thread `AuthorizationGate` through `OpcUaApplicationHost → OtOpcUaServer → DriverNodeManager` (the same plumbing path Phase 6.1's `DriverResiliencePipelineBuilder` took). -- Build a `NodeScopeResolver` that maps `fullRef → NodeScope` via a live DB lookup of the tag's UnsArea / UnsLine / Equipment path. Cache per generation. -- Call `gate.IsAllowed(identity, operation, scope)` in OnReadValue / OnWriteValue / the four HistoryRead paths / Browse / Call / Acknowledge/Confirm/Shelve / CreateMonitoredItems / TransferSubscriptions. -- Stamp MonitoredItems with `(AuthGenerationId, MembershipVersion)` per decision #153 so revoked grants surface `BadUserAccessDenied` within one publish cycle. -- 3-user integration matrix covering each operation × allow/deny. +- Browse + TranslateBrowsePathsToNodeIds gating with ancestor-visibility logic per `acl-design.md` §Browse. +- CreateMonitoredItems + TransferSubscriptions gating with per-item `(AuthGenerationId, MembershipVersion)` stamp so revoked grants surface `BadUserAccessDenied` within one publish cycle (decision #153). +- Alarm Acknowledge / Confirm / Shelve gating. +- Call (method invocation) gating. +- Finer-grained scope resolution — current `NodeScopeResolver` returns a flat cluster-level scope. Joining against the live Configuration DB to populate UnsArea / UnsLine / Equipment path is tracked as Stream C.12. +- 3-user integration matrix covering every operation × allow/deny. -**Strict mode default**: start lax (`Authorization:StrictMode = false`) during rollout so deployments without populated ACLs keep working. Flip to strict once ACL seeding lands for production clusters. +These are additional hardening — the three highest-value surfaces (Read / Write / HistoryRead) are now gated, which covers the base-security gap for v2 GA. ### Config fallback — Phase 6.1 Stream D wiring (task #136) @@ -96,6 +97,7 @@ v2 GA requires all of the following: ## Change log +- **2026-04-19** — Release blocker #1 **closed** (PR #94). `AuthorizationGate` wired into `DriverNodeManager` Read / Write / HistoryRead dispatch. Remaining Stream C surfaces (Browse / Subscribe / Alarm / Call + finer-grained scope resolution) downgraded to hardening follow-ups — no longer release-blocking. - **2026-04-19** — Phase 6.4 data layer merged (PRs #91–92). Phase 6 core complete. Capstone doc created. - **2026-04-19** — Phase 6.3 core merged (PRs #89–90). `ServiceLevelCalculator` + `RecoveryStateManager` + `ApplyLeaseRegistry` land as pure logic; coordinator / UA-node wiring / Admin UI / interop deferred. - **2026-04-19** — Phase 6.2 core merged (PRs #84–88). `AuthorizationGate` + `TriePermissionEvaluator` + `LdapGroupRoleMapping` land; dispatch wiring + Admin UI deferred. -- 2.49.1