Documentation · Releases · Cassandra

Cassandra

v0.7.9 — Cassandra

Every audit step is preserved on-disk and replayable.

The Ancient Holdings Hub records every operator-visible action with typed attribution, retention class, and a tamper-evident hash chain across monthly archives. Any signed-in operator can export their own scoped slice as a `.jsonl.gz` with an Ed25519 signature from the hub's audit-signing key, and a public transparency pulse surfaces aggregate activity to unauthenticated visitors so trust does not require sign-in.

What landed

Phase A — admin_audit schema enriched with actor_role, node_id, source, hub_id, severity, and retention_class. Typed action catalog under lib/audit-actions/ with per-namespace files; logAudit becomes generic over the catalog so detail payloads are checked at compile time.
Phase B — operator-facing /hub/audit-log viewer with severity badges, action-kind filters, and tier-aware scoping (Operator / Baron see their own slice; Modern+ see fleet-wide).
Phase C — self-service export as `.jsonl.gz` with manifest + body SHA-256 + Ed25519 signature from the hub audit-signing key. Public verification page at /docs/audit-integrity.
Phase D — retention classes wired through (permanent / rolling_30d / rolling_7d) and a monthly archival worker that emits hash-chained manifests (each month references the previous month's SHA-256).
Phase E — pluggable storage backend. Local disk by default; S3-compatible (AWS, Backblaze B2, Wasabi, MinIO) as an opt-in with libsodium-sealed blobs.
Phase F — historical archive downloads. Operator-tier visitors download their own scoped slice of any archived month; Ancient admins download unfiltered monthlies or yearly seals.
Phase G — public transparency pulse. Aggregate counters visible to unauthenticated visitors (no PII, no row-level data) — a trust signal for prospective operators.

Operator notes

Cassandra is the audit-system expansion release. Before v0.7.9, the hub kept a single `admin_audit` table with a free-form `detail_json` column and no retention policy — rows accumulated forever and the only viewer was a paginated chronological list gated to Modern+. After Cassandra, every audit row carries actor role, node id, source (ui / api / worker / cronoton), hub id, severity, and retention class, and operators see the slice scoped to their own nodes.

The integrity story matters: each Cassandra export is signed with the hub's Ed25519 audit-signing key, and the monthly archives form a hash chain where each manifest references the previous month's SHA-256. Rewriting any past month breaks the chain and is detectable with a single script. Storage is pluggable — local disk by default, S3-compatible with libsodium-sealed blobs as an opt-in — so operators choose their own durability posture without forking the hub.

Cassandra predates the formal audit-grade documentation convention introduced with Pythagoras (v0.7.11), so there is no separate audit reference page for this release. The authoritative spec lives at `plans/v0.7.9-audit-system.md` in the repo, committed alongside the code that produced it.

Patch log

Patch log (13 entries)

v0.7.9p · docs cross-reference correctness — fix mis-numbered chapter
v0.7.9o · StoaChain data migration — move the whole StoaNode/ tree from one
v0.7.9n · three new doc surfaces for prospective Custodians.
v0.7.9m · ops fix-pool catchup — 3 items closed in one patch.
v0.7.9l · hub tunnel tracking + TLS cert vault backup + multi-node
v0.7.9k · CGNAT-friendly operator onboarding via VPS tunnel.
v0.7.9j · docs — three-way distinction between IPv4 types in
v0.7.9i · documentation patch — public IPv4 address made an
v0.7.9h · post-audit fix-pool batch + change-host feature.
v0.7.9g · audit system — Phase G. Public transparency pulse.
v0.7.9f · audit system — Phase F. Historical archive downloads with
v0.7.9e · audit system — Phase E. Pluggable storage backend +
v0.7.9d · audit system — Phase D. Retention + monthly archival +

← back to Releases · stamped against H.1.19