docs(changelog): complete v0.11.0 entry with ENIP analyzer + MITRE ICS detections#340
Merged
…S detections

Rewrites the incomplete [0.11.0] section (which only listed EC-X1/EC-X2 bug fixes) to reflect the full release: the headline EtherNet/IP + CIP protocol analyzer (STORY-130..139, PRs #317–#334), five MITRE ATT&CK for ICS technique detections (T0846, T0888, T0858, T0816, T0836, T0814), new CLI flags (--enip, --enip-write-burst-threshold, --enip-error-burst-threshold), session summary, cargo-fuzz harnesses (PR #332), real-pcap E2E tests (PR #333), green-doc-tense CI gate (b9b2e93), ENIP source-IP attribution fix (PR #328), and the summarize-open-flows fix (PR #330). Existing EC-X1/EC-X2/desync-latch bullets preserved verbatim. Footer links unchanged.

Fix four PR reference errors verified against GitHub:
- STORY-131 dispatcher integration: #316 → #318
- STORY-135 CIP command detections: #325 → #324
- Green-doc-tense CI gate: bare b9b2e93 → PR #321 (with commit retained)
- PR range in headline bullet: #316–#334 → #317–#334 (#316 is the epic issue, not a PR)
Zious11 added a commit that referenced this pull request on Jun 29, 2026:
…HANGELOG-FULL-RANGE-001 lesson + STORY-143

Post-release correction record (docs-only, develop only):
- v0.11.0 CHANGELOG entry initially omitted the ENIP analyzer epic (STORY-130..138, PRs #317-#334); corrected via PR #339 (footer links) + PR #340 (complete entry).
- GitHub v0.11.0 release notes edited to match (40 ENIP/MITRE markers confirmed).
- Release tag/commit unchanged; main CHANGELOG catches up on next gitflow back-merge.

Lesson codified (cycles/feature-enip-v0.11.0/lessons.md):
- RELEASE-CHANGELOG-FULL-RANGE-001: release prep MUST enumerate `git log <prev-tag>..HEAD --first-parent` to derive changelog content; hand-summarized "recent wave" lists are not a substitute.

Process-gap disposition (STORY-143, E-11, draft, 3 pts):
- Draft story stub created at stories/STORY-143.md (wave TBD, v0.12.0 planning).
- Goal: add policy DF-RELEASE-CHANGELOG-RANGE-001 or update CLAUDE.md release-workflow section to mandate commit-range enumeration + PR-range completeness anchor.
- STORY-INDEX.md v3.1 -> v3.2: total_stories 95->96, E-11 count 2->3 (pts 8->11), epic-table TOTAL 622->625. Wave-table scheduled 614 unchanged (STORY-143 wave-TBD).

Decision D-301 recorded in STATE.md. DO NOT REDO guards added.

Count-propagation sweep: updated 4 files. Stale "95 stories" / "STORY-INDEX v3.1" references corrected in STATE.md (line 64) and STORY-INDEX.md frontmatter/arithmetic. Historical D-294 decision row retains "v3.1 (95 stories/64 waves)" -- immutable audit trail (records state at that past decision point; intentionally not updated).
Zious11 added a commit that referenced this pull request on Jun 29, 2026:
Pipeline IDLE post-v0.11.0 release. STATE.md rewritten as lean, self-contained resume document. Decisions D-267..D-301 archived to cycle file.

Changes:
- STATE.md: compacted from 280 → 252 lines (WARNING range; below 500-line cap)
- Frontmatter corrected: document_type/mode/phase fields now standard-compliant
- develop_head corrected: ecbcd26 → ab0b388 (PRs #339+#340 had landed)
- factory_artifacts_head: resolved from placeholder to d67eb27
- Full SHAs recorded for main, develop, factory-artifacts
- Tag facts: annotated tag object c50d89e → commit 3072e82 verified
- Stale "Do NOT re-X" block removed (30+ historical lines archived)
- Verbose inline decisions D-270..D-299 removed from STATE.md body
- D-300/D-301 kept as terse summary rows in decisions table
- EXACT RESUME POINT block updated with verified facts
- Open human question (main CHANGELOG fast-track y/n) explicitly surfaced
- Backlog table: STORY-143, SEC-001, TLS-CLIENTHELLO-FRAG-001 (CRIT candidate recommended first), edge-hunt register, design notes, Wave-64 NITs, process watch
- Session Resume Checkpoint updated with current state
- cycles/feature-enip-v0.11.0/decisions-archive.md: extended D-228..D-266 → D-228..D-301 (appended D-267..D-301 with full narrative text)

Verified live facts (git/gh, not trusted from memory):
- origin/main = 3072e82
- origin/develop = ab0b388
- v0.11.0 tag → commit 3072e82 (annotated; GitHub release: not draft, not prerelease, Latest)
- Cargo.toml version on both branches: 0.11.0
- Open PRs: only #311 and #325 (Dependabot, awaiting human triage)
- Worktrees: main + .factory (active) + 2 stale scratch (enip-edgecase-verify, enip-f6-hardening)
## Summary

The v0.11.0 CHANGELOG entry published with the release PR (#337) only documented the EC-X1/EC-X2 carry-buffer direction-split and EC-X2 `saturating_sub` bug fixes. The headline feature — the new EtherNet/IP (ENIP) + CIP protocol analyzer — was entirely absent from the entry, leaving the `## [0.11.0]` section incomplete and misleading for anyone reading the changelog to understand what shipped in this release.

This PR completes the entry by adding the full ENIP/CIP feature documentation with verified PR numbers.

## What Changed

File: `CHANGELOG.md` only — +111 lines, no source or test files touched.

Added to `## [0.11.0]` — `### Added` section (new):
- EtherNet/IP (ENIP) + CIP protocol analyzer — TCP/44818 flow analysis using the ODVA ENIP + CIP stack, enabled via `--enip`/`--all`. Documents: 24-byte ENIP header parse, CPF item-list walk, StreamDispatcher Rule 7 placement (ADR-010), per-flow `EnipFlowState` with 600-byte carry buffers, CLI flags (`--enip`, `--enip-write-burst-threshold`, `--enip-error-burst-threshold`), and the 7-key `enip_summary` JSON object. Feature references: Feature #316 (feat(enip): add EtherNet/IP + CIP ICS analyzer (SS-17)), STORY-130..139, PRs #317 (feat(enip): STORY-130 EtherNet/IP pure-core parse [#316]) – #334 (fix(enip): per-direction carry isolation + saturating-clock window monotonicity (EC-X1/EC-X2) [STORY-139]), ADR-010.
- MITRE ATT&CK for ICS detections (ics-attack-19.1): T0846 Remote System Discovery, T0888 Remote System Information Discovery (two patterns), T0858 Change Operating Mode, T0816 Device Restart/Shutdown, T0836 Modify Parameter, T0814 Denial of Service. New `MitreTactic::IcsExecution` variant (TA0104). Catalog: 25→28 seeded, 17→20 emitted. STORY-133/134/135, PRs #320 (feat(mitre): STORY-133 seed EtherNet/IP ICS techniques (VP-007) [#316]) / #323 (feat(enip): STORY-134 EtherNet/IP recon detections (T0846/T0888) [#316]) / #324 (feat(enip): STORY-135 CIP command detections (T0858/T0816/T0836) [#316]).
- Formal verification + QA: VP-032 Kani harnesses Sub-A through Sub-D (STORY-130/132), `fuzz_enip_cip_parse` cargo-fuzz harness discharging F-P9-002 (PR #332: test(fuzz): F-P9-002 cargo-fuzz harness for ENIP CIP parsers [#316]), full-pipeline E2E tests against real ENIP/CIP pcaps — HS-110 through HS-122 (PR #333: test(enip): full-pipeline E2E tests against real ENIP/CIP pcaps [#316]).

Added to `## [0.11.0]` — `### Changed` section (new):
- ENIP `enip_summary` wire format canonical key name (`"parse_errors"` not `"total_parse_errors"`), consistent field ordering, null-safety. [PR #331: refactor(enip): wire summarize through EnipSummary + doc fixes [#316], BC-2.17.021 Invariant 1]
- Green-doc-tense CI gate (`green-doc-tense-gate` job, `bin/check-green-doc-tense`). [PR #321: ci(test): add green-doc-tense gate and fix stale T0846 EMITTED guard]

Added to `## [0.11.0]` — `### Fixed` section — ENIP-specific fixes (new bullets prepended before existing EC-X1/EC-X2 bullets):
- `enip summarize()` now includes still-open flows at call time (RULING-W61-001). [PR #330: fix(enip): summarize folds open flows so enip_summary reflects live traffic [#316], BC-2.17.021 Postcondition 1]

Preserved unchanged:
- `### Fixed` bullets for Modbus EC-X1/EC-X2 (PR #336: fix(analyzer): per-direction carry split + saturating_sub (Modbus EC-X1/EC-X2) + DNP3 desync-latch frame_count guard (Wave 64)) and DNP3 desync-latch (PR #335/336: fix(dnp3): per-direction carry isolation + saturating-clock window monotonicity (EC-X1/EC-X2) [STORY-140]) are unchanged.
- Footer links (`[0.11.0]: ...`, `[Unreleased]: ...`) are unchanged.
- No other sections (`[0.10.0]`, `[0.9.3]`, etc.) are touched.

## Traceability

`## [0.11.0]`

## CI Gate Notes

This repo has a `green-doc-tense` CI gate (`bin/check-green-doc-tense`) that rejects aspirational/future-tense wording ("will", "planned", "future") in doc contexts. The CHANGELOG entry was authored in present/past tense throughout (e.g., "analyzes", "parses", "added", "corrected"). If this gate fails, do not bypass — stop and route a fix.

## Pre-Merge Checklist

- `[0.11.0]` untouched
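The changelog text above names two pieces of the analyzer without showing them: the 24-byte ENIP header parse and the per-flow carry buffers whose per-direction split the EC-X1 fix was about. The block below is an added, stand-alone Rust illustration of those two ideas; it is not the project's code and does not reproduce its `EnipFlowState`, its 600-byte carry limit, or its dispatcher. It assumes only the public ODVA encapsulation layout (command, length, session handle, status, 8-byte sender context, options; all little-endian), and the names `EnipHeader`, `parse_enip_header`, `DirectionCarry` and `sample_register_session` are mine. The parse guards every index with a length check so a short or lying buffer returns an error rather than panicking, and the carry keeps one direction's leftover bytes separate from the other's, which is the property a shared carry buffer loses.

```rust
// Added example, not the project's code: bounds-checked parse of the
// 24-byte EtherNet/IP encapsulation header plus a per-direction carry
// buffer that reassembles messages split across TCP segments.
use std::convert::TryInto;

/// Fixed size of the ENIP encapsulation header (ODVA spec, little-endian).
pub const ENIP_HEADER_LEN: usize = 24;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct EnipHeader {
    pub command: u16,
    pub length: u16, // byte length of the data that follows the header
    pub session_handle: u32,
    pub status: u32,
    pub sender_context: [u8; 8],
    pub options: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    /// Fewer than 24 bytes available: the caller should wait for more.
    Truncated { have: usize, need: usize },
    /// Header complete, but the declared body is not fully present yet.
    BodyShort { declared: usize, have: usize },
}

/// Parse one header from `buf`; on success return it with its body slice.
/// Every slice index is covered by the length check above it, so a short
/// or malformed buffer yields an error instead of an out-of-range panic.
pub fn parse_enip_header(buf: &[u8]) -> Result<(EnipHeader, &[u8]), ParseError> {
    if buf.len() < ENIP_HEADER_LEN {
        return Err(ParseError::Truncated { have: buf.len(), need: ENIP_HEADER_LEN });
    }
    let hdr = EnipHeader {
        command: u16::from_le_bytes(buf[0..2].try_into().unwrap()),
        length: u16::from_le_bytes(buf[2..4].try_into().unwrap()),
        session_handle: u32::from_le_bytes(buf[4..8].try_into().unwrap()),
        status: u32::from_le_bytes(buf[8..12].try_into().unwrap()),
        sender_context: buf[12..20].try_into().unwrap(),
        options: u32::from_le_bytes(buf[20..24].try_into().unwrap()),
    };
    let declared = hdr.length as usize;
    let rest = &buf[ENIP_HEADER_LEN..];
    if rest.len() < declared {
        return Err(ParseError::BodyShort { declared, have: rest.len() });
    }
    Ok((hdr, &rest[..declared]))
}

/// Reassembly state for ONE direction of a flow. Using separate instances
/// for client->server and server->client is what keeps a partial message
/// from one side from being "completed" with the other side's bytes.
#[derive(Default)]
pub struct DirectionCarry {
    carry: Vec<u8>,
}

impl DirectionCarry {
    pub fn new() -> Self {
        Self::default()
    }

    /// Append a TCP segment payload and drain every complete message.
    /// Incomplete trailing bytes stay in the carry until the next segment.
    pub fn push(&mut self, segment: &[u8]) -> Vec<EnipHeader> {
        self.carry.extend_from_slice(segment);
        let mut out = Vec::new();
        let mut consumed = 0;
        while let Ok((hdr, body)) = parse_enip_header(&self.carry[consumed..]) {
            consumed += ENIP_HEADER_LEN + body.len();
            out.push(hdr);
        }
        self.carry.drain(..consumed);
        out
    }

    /// Bytes currently held back waiting for the rest of a message.
    pub fn pending(&self) -> usize {
        self.carry.len()
    }
}

/// Constructed sample (not captured traffic): a RegisterSession request
/// (command 0x0065) with the 4-byte body {protocol version 1, options 0}.
pub fn sample_register_session() -> Vec<u8> {
    let mut m = Vec::with_capacity(28);
    m.extend_from_slice(&0x0065u16.to_le_bytes()); // command
    m.extend_from_slice(&4u16.to_le_bytes()); // length of body
    m.extend_from_slice(&0u32.to_le_bytes()); // session handle (none yet)
    m.extend_from_slice(&0u32.to_le_bytes()); // status
    m.extend_from_slice(&[0u8; 8]); // sender context
    m.extend_from_slice(&0u32.to_le_bytes()); // options
    m.extend_from_slice(&[1, 0, 0, 0]); // body
    m
}

fn main() {
    let msg = sample_register_session();
    let (hdr, body) = parse_enip_header(&msg).expect("well-formed sample");
    println!("command=0x{:04x} len={} body={:?}", hdr.command, hdr.length, body);
    // Same message split across two TCP segments in one direction.
    let mut c2s = DirectionCarry::new();
    let first = c2s.push(&msg[..15]);
    let second = c2s.push(&msg[15..]);
    println!("seg1: {} msgs, {} pending; seg2: {} msgs, {} pending",
        first.len(), 15 - first.len() * 0 + c2s.pending() * 0 + 15 - 15 + c2s.pending(), second.len(), c2s.pending());
}
```

In a real analyzer the carry needs an upper bound (the changelog cites a 600-byte limit for the project's buffers, whose exact semantics are not reproduced here), because an unbounded carry on a never-completing message is a memory-exhaustion vector for anyone who can inject into the monitored stream; the `Truncated { need }` value is the natural place to decide whether waiting is still reasonable.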