veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions
veilor-os/docs/research/2026-05-05-agent-wave/README.md
veilor-org 4e9782a18a docs: 9-agent research wave findings — v0.5.32 blocker map 
Logs the full output of the 9-agent deep-dive run on 2026-05-05 to
docs/research/2026-05-05-agent-wave/. Pulls every actionable finding
into one indexed location so v0.5.32 planning has a paper trail.

Files:
  docs/research/2026-05-05-agent-wave/README.md             — index
  docs/research/2026-05-05-agent-wave/01-...real-hardware.md — Plymouth + LUKS edge cases
  docs/research/2026-05-05-agent-wave/02-...firstboot-ux.md  — SDDM + first-boot UX
  docs/research/2026-05-05-agent-wave/03-...spike-plan.md    — bootc-image-builder 1-week spike
  docs/research/2026-05-05-agent-wave/04-...tier-2.md         — AppArmor + nftables + audit + homed
  docs/research/2026-05-05-agent-wave/05-...launch.md         — threat model + v0.7 launch checklist
  docs/research/2026-05-05-agent-wave/06-...log-capture.md    — virtio-9p host-share for anaconda logs
  docs/research/2026-05-05-agent-wave/07-...skel-branding.md  — /etc/skel gap audit
  docs/research/2026-05-05-agent-wave/08-...ci-hardening.md   — SHA-pin actions + SBOM + SLSA L3
  docs/research/2026-05-05-agent-wave/09-...failure-modes.md  — real-hardware pessimistic audit

Plus the prior linter-applied:
  docs/ROADMAP.md      — Lessons learned section, v0.5.32 active block,
                          v0.6 promotion of veilor-postinstall + veilor-doctor,
                          v0.7 bootc spike scheduled
  docs/THREAT-MODEL.md  — drafted by Agent 5; in/out scope, comparison
                          matrix, v0.7 launch checklist

Top blockers identified for v0.5.32 (cross-cited in README):
  1. Suspend/resume wifi death (kernel.modules_disabled=1)
  2. veilor-firstboot.service WantedBy=graphical.target
  3. kernel-upgrade grub drift
  4. USBGuard hash-rules problem (already learned on onyx)
  5. firewalld blocks tailscale0
  6. /etc/skel/ empty
  7. virtio-9p log capture replaces broken virtio-serial path

Wave + verifier pattern (per ROADMAP lessons learned #4) validated:
9 parallel agents on distinct topics produced converging blocker
list. The same pattern landed v0.5.31 four-bug fix from the prior
4-agent verification wave on v0.5.30 outcome.
2026-05-05 14:52:53 +01:00

3.1 KiB
Raw Blame History

9-agent research wave — 2026-05-05

Deep-dive research wave kicked off after v0.5.31 ship to surface every plausible failure mode + future bug class before the v0.7 public flex. Each agent took ~15 min, returned a focused report. Findings indexed here, full reports in this directory.

The findings already inform docs/ROADMAP.md (Lessons learned section

  • v0.5.32 / v0.6 / v0.7 reorder) and docs/THREAT-MODEL.md (drafted by Agent 5).
# Topic File Key finding
1 Plymouth + LUKS real-hardware edge cases 01-plymouth-luks-real-hardware.md Initramfs keymap missing breaks non-US users at LUKS prompt
2 SDDM + first-boot UX failure modes 02-sddm-firstboot-ux.md veilor-firstboot.service WantedBy=multi-user.target only — silently doesn't run on real installs (graphical target)
3 bootc-image-builder spike plan 03-bootc-spike-plan.md Full Containerfile draft + 1-week timebox; v0.7 schedule
4 Hardening tier 2 (AppArmor + nftables + audit + homed) 04-hardening-tier-2.md nftables + audit log shipping = S effort each, ship in v0.5.32
5 Threat model + public launch prep 05-threat-model-launch.md Drafted at docs/THREAT-MODEL.md. Honest in/out scope tables
6 Anaconda log virtio-serial silent fix 06-anaconda-log-capture.md virtio-serial requires rsyslog (not in our live ISO). Switch to virtio-9p host-share with EXIT trap copy
7 KDE theme + DuckSans + /etc/skel branding 07-kde-skel-branding.md /etc/skel/ doesn't exist; branding evaporates the moment user opens System Settings
8 Build-iso CI hardening 08-ci-hardening.md Pin actions to SHA, dependabot, SBOM, SLSA L3 attestation — all S effort
9 Real-hardware failure mode audit 09-realhw-failure-modes.md CRITICAL: kernel.modules_disabled=1 kills wifi on suspend/resume. Top blocker for v0.5.32

Top blockers for next ship (v0.5.32)

Cross-referenced by severity × probability:

  1. Suspend/resume wifi death (Agent 9) — every laptop bricks on lid-close
  2. veilor-firstboot.service WantedBy=graphical.target (Agent 2) — login broken on real installs
  3. kernel-upgrade grub drift (Agent 9) — first dnf upgrade kernel = unbootable
  4. USBGuard hash-rules problem (Agent 9, mirrors feedback_usbguard_dock.md)
  5. firewalld blocks tailscale0 (Agent 9) — user uses tailscale daily
  6. /etc/skel/ empty → no per-user branding (Agent 7)
  7. virtio-9p log capture (Agent 6) — replaces broken virtio-serial path

Research wave protocol

This wave validated the wave + verifier pattern from v0.5.31 fix (per ROADMAP lessons learned #4). Multi-agent debug only produces signal when one agent's findings are checked against another's; 9 parallel agents on distinct topics gave independent angles that converged on the v0.5.32 blocker list above.