From 7f8e6cb13e7de46381bfc4d0044ba91afa478824 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Fri, 29 May 2026 12:56:26 +0100 Subject: [PATCH] guardrail: abra convergence by default; custom READY_PROBE only when necessary + a real strict test (operator 2026-05-29, re F2-12) Co-Authored-By: Claude Opus 4.8 (1M context) --- cc-ci-plan/plan.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/cc-ci-plan/plan.md b/cc-ci-plan/plan.md index 8500ced..38cfcf6 100644 --- a/cc-ci-plan/plan.md +++ b/cc-ci-plan/plan.md @@ -794,5 +794,15 @@ Each default stands until the Adversary or reality forces a change; record the c persists for the run, and destroys at teardown — a missing app secret is never a blocker, it is something the harness creates. See §4.4. +- **Real abra deploys; abra convergence by default; custom readiness only if it's a real test.** + Deploys/upgrades use the **real abra commands** (`abra app deploy`/`upgrade`) — never bypass abra + with `docker service update`/`scale`. **Prefer abra's own convergence checks.** Only skip abra's + post-deploy convergence monitor (`-c`/`--no-converge-checks`) and substitute a **harness READY_PROBE** + when abra's monitor genuinely doesn't fit (e.g. its window is too short for a heavy app and it FATAs + on a deploy that *does* converge). When you do: the deploy is still real abra (only abra's *waiting* + is replaced), and the probe MUST be a **genuinely strict** readiness test — all services N/N **plus** + a real app-level check — that **RAISES on actual non-readiness**, never a no-op that masks a failed + deploy. **Prove it has teeth** (a negative test that fails on stuck convergence, e.g. F2-12's + P7-negative). The Adversary treats a custom probe as a potential test-weakening until cold-verified. - **Honest reporting.** If a stage is skipped or a check failed, say so in `STATUS.md`/`JOURNAL.md` with the output. The loop's value depends entirely on the ledgers being true.