49a2e2557e
Logs the full output of the 9-agent deep-dive run on 2026-05-05 to
docs/research/2026-05-05-agent-wave/. Pulls every actionable finding
into one indexed location so v0.5.32 planning has a paper trail.
Files:
docs/research/2026-05-05-agent-wave/README.md — index
docs/research/2026-05-05-agent-wave/01-...real-hardware.md — Plymouth + LUKS edge cases
docs/research/2026-05-05-agent-wave/02-...firstboot-ux.md — SDDM + first-boot UX
docs/research/2026-05-05-agent-wave/03-...spike-plan.md — bootc-image-builder 1-week spike
docs/research/2026-05-05-agent-wave/04-...tier-2.md — AppArmor + nftables + audit + homed
docs/research/2026-05-05-agent-wave/05-...launch.md — threat model + v0.7 launch checklist
docs/research/2026-05-05-agent-wave/06-...log-capture.md — virtio-9p host-share for anaconda logs
docs/research/2026-05-05-agent-wave/07-...skel-branding.md — /etc/skel gap audit
docs/research/2026-05-05-agent-wave/08-...ci-hardening.md — SHA-pin actions + SBOM + SLSA L3
docs/research/2026-05-05-agent-wave/09-...failure-modes.md — real-hardware pessimistic audit
Plus the prior linter-applied:
docs/ROADMAP.md — Lessons learned section, v0.5.32 active block,
v0.6 promotion of veilor-postinstall + veilor-doctor,
v0.7 bootc spike scheduled
docs/THREAT-MODEL.md — drafted by Agent 5; in/out scope, comparison
matrix, v0.7 launch checklist
Top blockers identified for v0.5.32 (cross-cited in README):
1. Suspend/resume wifi death (kernel.modules_disabled=1)
2. veilor-firstboot.service WantedBy=graphical.target
3. kernel-upgrade grub drift
4. USBGuard hash-rules problem (already learned on onyx)
5. firewalld blocks tailscale0
6. /etc/skel/ empty
7. virtio-9p log capture replaces broken virtio-serial path
Wave + verifier pattern (per ROADMAP lessons learned #4) validated:
9 parallel agents on distinct topics produced converging blocker
list. The same pattern landed v0.5.31 four-bug fix from the prior
4-agent verification wave on v0.5.30 outcome.
|
||
|---|---|---|
| .. | ||
| 01-plymouth-luks-real-hardware.md | ||
| 02-sddm-firstboot-ux.md | ||
| 03-bootc-spike-plan.md | ||
| 04-hardening-tier-2.md | ||
| 05-threat-model-launch.md | ||
| 06-anaconda-log-capture.md | ||
| 07-kde-skel-branding.md | ||
| 08-ci-hardening.md | ||
| 09-realhw-failure-modes.md | ||
| README.md | ||
9-agent research wave — 2026-05-05
Deep-dive research wave kicked off after v0.5.31 ship to surface every plausible failure mode + future bug class before the v0.7 public flex. Each agent took ~15 min, returned a focused report. Findings indexed here, full reports in this directory.
The findings already inform docs/ROADMAP.md (Lessons learned section
- v0.5.32 / v0.6 / v0.7 reorder) and
docs/THREAT-MODEL.md(drafted by Agent 5).
| # | Topic | File | Key finding |
|---|---|---|---|
| 1 | Plymouth + LUKS real-hardware edge cases | 01-plymouth-luks-real-hardware.md | Initramfs keymap missing breaks non-US users at LUKS prompt |
| 2 | SDDM + first-boot UX failure modes | 02-sddm-firstboot-ux.md | veilor-firstboot.service WantedBy=multi-user.target only — silently doesn't run on real installs (graphical target) |
| 3 | bootc-image-builder spike plan | 03-bootc-spike-plan.md | Full Containerfile draft + 1-week timebox; v0.7 schedule |
| 4 | Hardening tier 2 (AppArmor + nftables + audit + homed) | 04-hardening-tier-2.md | nftables + audit log shipping = S effort each, ship in v0.5.32 |
| 5 | Threat model + public launch prep | 05-threat-model-launch.md | Drafted at docs/THREAT-MODEL.md. Honest in/out scope tables |
| 6 | Anaconda log virtio-serial silent fix | 06-anaconda-log-capture.md | virtio-serial requires rsyslog (not in our live ISO). Switch to virtio-9p host-share with EXIT trap copy |
| 7 | KDE theme + DuckSans + /etc/skel branding | 07-kde-skel-branding.md | /etc/skel/ doesn't exist; branding evaporates the moment user opens System Settings |
| 8 | Build-iso CI hardening | 08-ci-hardening.md | Pin actions to SHA, dependabot, SBOM, SLSA L3 attestation — all S effort |
| 9 | Real-hardware failure mode audit | 09-realhw-failure-modes.md | CRITICAL: kernel.modules_disabled=1 kills wifi on suspend/resume. Top blocker for v0.5.32 |
Top blockers for next ship (v0.5.32)
Cross-referenced by severity × probability:
- Suspend/resume wifi death (Agent 9) — every laptop bricks on lid-close
- veilor-firstboot.service WantedBy=graphical.target (Agent 2) — login broken on real installs
- kernel-upgrade grub drift (Agent 9) — first
dnf upgrade kernel= unbootable - USBGuard hash-rules problem (Agent 9, mirrors
feedback_usbguard_dock.md) - firewalld blocks tailscale0 (Agent 9) — user uses tailscale daily
- /etc/skel/ empty → no per-user branding (Agent 7)
- virtio-9p log capture (Agent 6) — replaces broken virtio-serial path
Research wave protocol
This wave validated the wave + verifier pattern from v0.5.31 fix
(per ROADMAP lessons learned #4). Multi-agent debug only produces
signal when one agent's findings are checked against another's;
9 parallel agents on distinct topics gave independent angles that
converged on the v0.5.32 blocker list above.