|
2 | 2 |
|
3 | 3 | ## Unreleased |
4 | 4 |
|
| 5 | +- **spectral-mesh (Linux only):** Removed Windows and macOS sensor entrypoints, **`hook/darwin`** / **`hook/windows`**, **`internal/capture/winssl`**, **`internal/capture/esmmap`**, **`internal/capture/platformhint`**, **`cmd/spectral-ssl-wrap`**, **`packaging/macos`**, and **`metrics_other.go`**. **`cli.go`** now holds all mesh flags (including **`-k8s-enrich`**). CI and **`make ci`** no longer cross-compile the root package for **`GOOS=windows`** / **`darwin`**. Optional cleartext bridges (**`-capture-ingest-addr`**, stdin JSONL, hook socket) remain on Linux for tests and auxiliary feeds. |
5 | 6 | - **Repository layout:** **Helm** charts (`helm/spectral-mesh`, `helm/spectral-edge`), **cloud Terraform** (`deploy/aws`, `deploy/gcp`, `deploy/azure`), **OpenShift** manifests (`openshift/`), and Kubernetes-focused docs (**`DEPLOY_*`**, **`ENTERPRISE_SELF_HOSTED`**, **`K8S_ALERT_ENRICHMENT`**, **`MESH_RUNBOOK`**) moved to the companion repository **[Spectral-Cloud](https://github.com/spectral-mesh/Spectral-Cloud)**. This repository remains the **Spectral Mesh** application and BPF source; cross-links in **`README.md`** and **`docs/`** point at **Spectral-Cloud** for installs. |
6 | 7 | - **Observability:** New scripts **`scripts/simulate_mesh_ingest.sh`**, **`simulate_mesh_grafana.sh`**, **`simulate_capture_demo.sh`**, **`simulate_edge_scan.sh`**; fix **`simulate_mesh_ingest.sh`** under **`set -u`** when **`INGEST_TOKEN`** is unset (avoid empty **`extra[@]`** expansion). Grafana dashboards **`monitoring/grafana/dashboards/spectral-mesh.json`** (cleartext/ingest wording + metric semantics row) and **`spectral-edge.json`** (**Job**/**Instance** variables, **HTTP 429** rate on throughput panel, simulation note). **`monitoring/README.md`** documents the script matrix. |
7 | 8 | - **Docs:** Refresh **Windows/macOS** descriptions across **`README.md`**, **`docs/EDGE_VS_MESH.md`**, **`docs/EDGE.md`**, **`docs/POLICY_MESH_AND_EDGE.md`**, **Spectral-Cloud `docs/ENTERPRISE_SELF_HOSTED.md`**, **`docs/SAAS_ARCHITECTURE.md`**, **`docs/INFOSEC_SUMMARY.md`**, **`docs/BACKGROUND_OF_INVENTION.md`**, and **`docs/INVENTION_DISCLOSURE_OUTLINE_US.md`** to match **ingest**, **hookwire**, optional **hooks**, and **edge** vs host rolling-buffer behavior (replacing outdated “capture stub” wording). |
8 | | -- **Windows OpenSSL discovery:** **`-windows-openssl-discovery-interval`** polls module lists via Toolhelp32 and logs **`windows_openssl_module_mapped`** (`internal/capture/winssl`). |
9 | | -- **macOS Endpoint Security (opt-in build):** **`-darwin-es-mmap-watch`** with **`go build -tags spectral_es`** (CGO) subscribes to **`ES_EVENT_TYPE_NOTIFY_MMAP`** and logs **`es_openssl_mmap`** when mapped paths look like OpenSSL (`internal/capture/esmmap`, **`internal/capture/platformhint`**). Default macOS binaries omit ES linkage; use an SDK-equipped toolchain to link **EndpointSecurity.framework**. |
10 | | -- **OpenSSL TLS hook path:** **`-capture-hook-socket unix:…` or `tcp:…`** accepts a binary **`hookwire`** frame stream into **`HandleChunk`**. **macOS:** `hook/darwin/spectral_ssl_hook.dylib` (**`make hook-darwin`**) interposes **`SSL_write`**; **`cmd/spectral-ssl-wrap`** sets **`DYLD_INSERT_LIBRARIES`** and execs a child. **Windows:** **`hook/windows/CMakeLists.txt`** builds **`spectral_openssl_hook.dll`** (MinHook via **FetchContent**) + **`spectral_inject.exe`** (`LoadLibraryW` injection); shared TCP sender in **`hook_send_tcp.c`**. **Packaging:** **`packaging/macos/entitlements/EndpointSecurityClient.plist`** and **`packaging/macos/SYSTEM_EXTENSION_SIGNING.md`** for ES / System Extension signing. |
11 | | -- **Capture ingest bridge:** **`-capture-ingest-addr`** (localhost HTTP **`POST /v1/ingest/chunk`**) and **`-capture-stdin-jsonl`** feed **`sensorcore.HandleChunkWithMeta`** on **Linux, Windows, and macOS**; optional **`subject_*`** identity fields in JSON. **`cmd/spectral-capture-demo`** posts split chunks for cross-platform **`policy_alert`** demos without kernel hooks. |
12 | | -- **Multi-platform `spectral-mesh` source:** **`main_linux.go`**, **`main_windows.go`**, **`main_darwin.go`** with shared **`internal/sensorcore`** (`Processor.HandleChunk`, alert limiter). **Linux** retains full eBPF + uprobes; **Windows/macOS** share the same policy path with **pluggable** cleartext feeds (ingest, stdin JSONL, hook socket, native hooks); kernel enforcement remains **Linux-only** until separate platform integration. **`cli.go`**, **`metrics_other.go`**, **`spectral_bpf_generate.go`**; **`internal/rollbuf`** gains OS-specific PID listing for prune. **CI** / **`make ci`**: cross-compile **windows/amd64** and **darwin/arm64** with **`CGO_ENABLED=0`**. **`policy_alert`** adds **`enforcement_mode`**. |
| 9 | +- **Capture ingest bridge:** **`-capture-ingest-addr`** (localhost HTTP **`POST /v1/ingest/chunk`**) and **`-capture-stdin-jsonl`** feed **`sensorcore.HandleChunkWithMeta`** on **Linux**; optional **`subject_*`** identity fields in JSON. **`cmd/spectral-capture-demo`** posts split chunks for **`policy_alert`** demos without kernel hooks. |
| 10 | +- **OpenSSL TLS hook socket:** **`-capture-hook-socket unix:…` or `tcp:…`** accepts a binary **`hookwire`** frame stream into **`HandleChunk`** (see **`internal/capture/hookwire`**). |
13 | 11 | - **Enterprise self-hosted:** Spectral-Cloud [`docs/ENTERPRISE_SELF_HOSTED.md`](https://github.com/spectral-mesh/Spectral-Cloud/blob/main/docs/ENTERPRISE_SELF_HOSTED.md), [`docs/INFOSEC_SUMMARY.md`](docs/INFOSEC_SUMMARY.md), Spectral-Cloud [`docs/MESH_RUNBOOK.md`](https://github.com/spectral-mesh/Spectral-Cloud/blob/main/docs/MESH_RUNBOOK.md); Helm **[`README.md`](https://github.com/spectral-mesh/Spectral-Cloud/blob/main/helm/spectral-mesh/README.md)** / **[`README.md`](https://github.com/spectral-mesh/Spectral-Cloud/blob/main/helm/spectral-edge/README.md)** and **[`values-enterprise.yaml`](https://github.com/spectral-mesh/Spectral-Cloud/blob/main/helm/spectral-edge/values-enterprise.yaml)**; root **[`SECURITY.md`](SECURITY.md)**; **`spectral-edge` GitHub Releases** ship a **CycloneDX** Go dependency SBOM (`spectral-edge-<tag>-sbom.cdx.json`). Chart **`version`** / **`appVersion`** bumped to **0.2.0**; **`spectral-edge`** default **PodDisruptionBudget** enabled. |
14 | 12 | - **Network edge:** `cmd/spectral-edge` — HTTP server that scans request bodies with the same policy as the host sensor; **`POST /v1/scan`**, optional **`-upstream`** reverse proxy, **`policy_alert`** with **`sensor_kind: edge`**. Shared **`internal/policyengine`** (refactor from in-tree policy state). See **`docs/EDGE.md`**. **`make edge`** / CI builds with **`CGO_ENABLED=0`**. |
15 | 13 | - Build metadata: **`-version`**, **`GET /version`**, **`sensor_active`** fields (`version`, `git_commit`, `build_time` via Makefile `LDFLAGS`). |
|
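Review bot: The re-added **OpenSSL TLS hook socket** bullet (new line 10) still advertises `-capture-hook-socket` with `tcp:…` but does not say what the listener binds to or what is expected to send to it, whereas the ingest bullet just above it says "localhost HTTP". The senders the deleted entry named (the macOS dylib, the Windows DLL and `hook_send_tcp.c`) were described with the `hook/darwin` / `hook/windows` code that the first new bullet removes. Please state the intended bind scope for `tcp:` and what produces `hookwire` frames on Linux, or drop `tcp:` from the bullet if it is no longer supported. Separately, deleting the "Multi-platform `spectral-mesh` source" bullet (old line 12) also deletes the only mention that `policy_alert` adds `enforcement_mode` and that `internal/sensorcore` and `internal/rollbuf` changed; if those survive the Linux-only cut, keep them in a bullet of their own. The unchanged **Docs** bullet still reads "Refresh **Windows/macOS** descriptions … to match **ingest**, **hookwire**, optional **hooks**" and may now be stale next to the removal.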