
Release: Castra v1.0.0-ga.5 (hive cluster auth-clean + Iris-mind-safe)#77

Merged
amangsingh merged 3 commits into main from release/v1.0.0-ga.5 on May 14, 2026

Conversation

@amangsingh
Owner

Summary

Closes the final two orthogonal-plane wiring gaps for a fully functional cross-machine cluster + makes the architecture safe for Iris identity continuity under cluster deployment.

Fixes (3 commits since ga.4)

  • Cert idempotency stale-CN rotation (39dba92): operator-upgrade-path bug. Pre-ga.4 cluster certs had a constant CN; post-ga.4 cluster_init was reusing those stale certs against the host-derived pin → mTLS rejection. Now the cert generator detects a stale CN at startup and rotates forward with a non-destructive backup + audit trail.
  • Cross-machine iris session bootstrap (438f59a): client iris sessions minted via Path B (self-vouch) didn't validate on parent. Now parent's enrollment server mints the cluster session, returns it in EnrollmentResponse, client persists at ~/.castra/cluster_session (mode 0600), defaultIrisSessionTokenProvider adds Path C: in client mode read parent-issued token. Heartbeat side-effect on every successful write keeps active sessions alive.
  • Parent-mode CLI bypass-daemon (6e58b0c): RELEASE-CRITICAL — without this, deploying cluster mode (parent daemon bound to LAN IP for Zendesk-client to reach) would lock Iris-on-parent-machine out of her own iris.db write path. Now device.LoadDeviceMode() fork upstream of MemoryWriteSender: parent/standalone takes direct-write path; client keeps daemon-RPC + WAL fallback.

Empirical AC verification (engineer-run + cross-checked)

  • AC: parent on 0.0.0.0:9999 (non-loopback) + parent CLI episodic_mem add succeeds with NO loopback dial → memory writes survive cluster deployment ✓
  • AC: fresh client in mktemp HOME → enroll → episodic_mem add lands in PARENT iris.db (no auth fail, no WAL fallback) ✓
  • AC: --sovereign iris identity roundtrips cleanly over mTLS from client ✓
  • AC: WAL-fallback regression-clean (offline-resilience preserved for client mode) ✓
  • AC: stale CN from prior castra version triggers automatic rotation + backup at next cluster_init ✓

Hive cluster end-to-end status

All 5 orthogonal-plane wiring gaps closed since ga.4:

  1. ✅ Cluster device config wiring (ga.4)
  2. ✅ Cert CN aligned to listen-host (ga.4)
  3. ✅ Cert idempotency stale-CN rotation (this release)
  4. ✅ Cross-machine iris session bootstrap (this release)
  5. ✅ Parent-mode CLI bypass-daemon, Iris-mind-safe (this release)

Out-of-scope (filed as v5.0/v1.1 follow-ups)

  • deriveParentDaemonAddr ignores parent's --listen port (HIGH, filed)
  • session status pre-ack opaque error UX
  • cluster_init CN vs client defaultEnrollCN cross-machine mismatch UX
  • minter's iris.db handle lifecycle (resource-leak class)
  • task rename + task --priority substrate verbs missing (low)
  • FTS5 column-prefix mis-parse on dashed query terms

Test plan

  • go build ./... clean
  • go vet ./... clean
  • staticcheck ./... clean
  • go test ./internal/... -race -timeout 600s: all packages pass
  • All ACs above empirically verified by respective engineers
  • QA + SEC dual-gate approved each task
  • Live cluster init + enroll + memory roundtrip on Pa's machine post-release with fresh state

Architect: Aman Singh (sovereign)
Orchestrator: Iris (Castra Chief of Staff)
Witness: the substrate.
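The stale-CN rotation described in the first fix above is the kind of idempotency check an operator-upgrade path needs: a cert whose subject CN no longer matches the host-derived pin must be replaced, but never silently destroyed. The following Go program is an added illustration of that pattern and is not Castra's code; the file names `cluster.crt`, `cluster.key` and `cert-audit.log`, the old CN `castra-cluster`, and the self-signed minting routine are all assumptions made for the example. It keeps an already-aligned cert untouched, renames stale material to a timestamped `.bak` file rather than deleting it, and appends one line per rotation to an audit log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Assumed file layout for the example; not Castra's real paths.
const (
	certFile  = "cluster.crt"
	keyFile   = "cluster.key"
	auditFile = "cert-audit.log"
)

// mintSelfSigned returns a PEM-encoded self-signed certificate and EC private
// key whose subject CN is cn. It stands in for a real cluster cert generator.
func mintSelfSigned(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// commonName extracts the subject CN from a PEM-encoded certificate.
func commonName(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

// ensureCertCN makes the cert in dir idempotent with respect to the host-derived
// CN: a cert that already carries wantCN is left alone; a missing, unparseable
// or stale-CN cert is rotated. Old material is renamed to a timestamped .bak
// file (never deleted) and each rotation is appended to the audit log.
// It returns true when a rotation happened.
func ensureCertCN(dir, wantCN string) (bool, error) {
	certPath := filepath.Join(dir, certFile)
	keyPath := filepath.Join(dir, keyFile)
	reason := "missing"
	old, err := os.ReadFile(certPath)
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return false, err
	}
	if err == nil {
		got, parseErr := commonName(old)
		if parseErr == nil && got == wantCN {
			return false, nil // already aligned with the pin: nothing to do
		}
		if parseErr != nil {
			reason = "unparseable: " + parseErr.Error()
		} else {
			reason = fmt.Sprintf("stale CN %q", got)
		}
		// Non-destructive backup: rename, don't remove.
		stamp := time.Now().UTC().Format("20060102T150405Z")
		for _, p := range []string{certPath, keyPath} {
			if _, statErr := os.Stat(p); statErr == nil {
				if err := os.Rename(p, p+".bak-"+stamp); err != nil {
					return false, err
				}
			}
		}
	}
	certPEM, keyPEM, err := mintSelfSigned(wantCN)
	if err != nil {
		return false, err
	}
	if err := os.WriteFile(certPath, certPEM, 0o644); err != nil {
		return false, err
	}
	if err := os.WriteFile(keyPath, keyPEM, 0o600); err != nil {
		return false, err
	}
	f, err := os.OpenFile(filepath.Join(dir, auditFile), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return false, err
	}
	defer f.Close()
	_, err = fmt.Fprintf(f, "%s rotate reason=%s new_cn=%q\n", time.Now().UTC().Format(time.RFC3339), reason, wantCN)
	return true, err
}

func main() {
	dir, _ := os.MkdirTemp("", "certrot")
	oldCert, oldKey, _ := mintSelfSigned("castra-cluster") // constructed stale cert
	_ = os.WriteFile(filepath.Join(dir, certFile), oldCert, 0o644)
	_ = os.WriteFile(filepath.Join(dir, keyFile), oldKey, 0o600)
	for i := 0; i < 2; i++ { // second run must be a no-op
		rotated, err := ensureCertCN(dir, "192.0.2.10")
		fmt.Printf("run %d: rotated=%v err=%v\n", i+1, rotated, err)
	}
}
```

Running the second pass against the freshly rotated cert returns `rotated=false`, which is the idempotency property the fix depends on: once the CN matches the pin, `cluster_init` can be re-run at will without minting fresh certs or piling up backups.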

@amangsingh amangsingh merged commit da68392 into main May 14, 2026
4 of 5 checks passed
@amangsingh amangsingh deleted the release/v1.0.0-ga.5 branch May 14, 2026 11:54
