feat(recipe-report): use approved 2026-06-02 report as the style template; tighter lead for future runs
Save the operator-approved 2026-06-02 spec as example-spec.json (gold standard for voice/structure/specificity). Skill now tells the agent to match it, with one deliberate change: keep the editorial lead TIGHT (~2 short paragraphs, ~120 words). The live 2026-06-02 page stays as the reference.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@ -29,9 +29,11 @@ Helper: `python3 /srv/cc-ci/cc-ci-plan/recipe-report.py {survey|render|publish}`
of the version bumps) for upgrades that fix **CVEs / security issues**. Anything **critical/high**
leads the page → the `security` bulletin (recipe · CVE id(s) + severity · what it fixes · PR link).
This is the most important section; be specific about severity and what's exposed if not merged.
- **Lead / editorial.** Write a short `lead` (2–4 short paragraphs): the **overall state of the recipe
fleet** this week (how healthy, what moved, any worrying trend) and **specific, opinionated
suggestions of what to focus on** — like a newspaper lead. This is opus's voice; be useful, concrete.
- **Lead / editorial.** Write the `lead`: the **overall state of the recipe fleet** this week (how
healthy, what moved, any worrying trend) and **specific, opinionated suggestions of what to focus
on** — opus's voice, useful and concrete. **Keep it TIGHT: 2 short paragraphs, ~120 words total** —
lead with the single most important thing, then security/focus in a sentence or two. (Trim hard;
the rest of the page carries the detail.)
- **Needs attention** — GREEN PRs ready to merge + errors/failures to investigate (RED `!testme`,
recipe bugs). Short, specific prose + links. Flag cross-cutting issues (e.g. two open PRs to reconcile).
- **Routine** — minor/clean bumps, stale-test PRs (need operator `--with-tests`), up-to-date / skipped.
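Review bot: the tightened `lead` bullet gives a length budget (2 short paragraphs, ~120 words) but does not say how paragraphs are delimited inside the `lead` string; since the field is a single JSON string, state the separator the renderer expects next to the word budget so the agent does not emit one run-on paragraph or HTML breaks. It would also help to phrase the budget as a ceiling ("at most ~120 words") rather than a target, since "Trim hard" is the intent and "~120" on its own reads as a midpoint.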
@ -43,6 +45,11 @@ Helper: `python3 /srv/cc-ci/cc-ci-plan/recipe-report.py {survey|render|publish}`
GREEN/STALE/FAILED/SKIPPED/UPTODATE, `ci` as a level/result number+info string e.g. `build 154 ✓`
or `RED · restore` with `ci_url`, `pr`/`pr_url`, `notes`). **CI = link + number/info only; no images.**
**Template — match this.** `.claude/skills/recipe-report/example-spec.json` is the gold-standard
example (the 2026-06-02 report; the operator approved its style/format). **Match its editorial voice,
structure, field shapes, and level of specificity** — the only deliberate change is the **shorter
`lead`** described above. Read it before writing your spec.
5. **Render & publish.**
`python3 .../recipe-report.py render /tmp/report-spec.json /tmp/week-<DATE>.html`
`python3 .../recipe-report.py publish /tmp/week-<DATE>.html <DATE>`
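Review bot: the "Template — match this" paragraph points at an example whose `lead` is four paragraphs and several hundred words, while the bullet above caps it at 2 paragraphs / ~120 words, so an agent told to match the example's "level of specificity" gets two conflicting signals and the example is the more concrete one. Either trim the `lead` in `example-spec.json` to the target shape, or add one explicit sentence here that the example's `lead` is over budget and only its other fields are the template; "the only deliberate change is the shorter `lead` described above" reads as a description of the template rather than an instruction to disregard that field.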
132
.claude/skills/recipe-report/example-spec.json
Normal file
@ -0,0 +1,132 @@
{
"date": "2026-06-02",
"subtitle": "Week of June 2, 2026",
"lead": "The recipe fleet is in good health this week. Of 18 recipes considered, eleven upgrades are !testme GREEN and ready for your merge, two are blocked on genuine failures, and just one waits on a stale-test refresh. Ghost was already cleared by the operator since the run, and discourse flipped green overnight at build 179 — so the open-failure count is lower than the morning summary suggested.\n\nSecurity leads the page, and it is nginx-heavy. The 1.29 → 1.31 jump closes a batch of memory-safety and request-smuggling CVEs (heap overflow in the rewrite module, proxy_set_body data injection, an ssl_ocsp use-after-free, HTTP/3 address spoofing) and rides into two recipes — custom-html and cryptpad — both already green. Merge those two first. Right behind them: mailu rolls up a Roundcube webmail CVE, uptime-kuma patches an authenticated RCE, and the redis 8.8 bump (lasuite-meet, lasuite-docs) carries several redis CVEs. All green, all low-risk.\n\nThe two failures share a single theme worth your attention: Postgres/ClickHouse backup-and-restore plumbing. mattermost-lts can't go green because of a pre-existing restore bug (its 10.11.19 ESR ships medium-severity security fixes that are now hostage to it), and plausible's pg13→16 + ClickHouse 24 migration trips on a deploy-time issue. Both have companion ci/* fix PRs that predate this run — reconcile each upgrade with its sibling rather than chasing the version bump alone.\n\nThe trend to watch is Postgres majors. pgautoupgrade 17→18 and the various pg13→16 jumps are this week's recurring friction: n8n needs a mandatory volume-path move (it's green, but do not merge-and-forget), matrix-synapse's data-preservation test went stale against pg18's new data-dir layout, and the same family of restore tests is what blocks mattermost. A pass over the CI's pg18 data-preservation tests would pay for itself.",
"security": [
{
"title": "nginx 1.31 — memory-safety + request-smuggling CVE batch (high) · custom-html, cryptpad",
"body": "Bumping the nginx sidecar from 1.29 to 1.31.1 closes a cluster of CVEs fixed in 1.31.0/1.31.1: heap buffer overflows in the rewrite module, data injection via proxy_set_body, an HTTP/3 address-spoofing flaw, and a use-after-free in the DNS/ssl_ocsp path. Two recipes ship the sidecar — custom-html (also alpine/git → v2.52.0) and cryptpad — and both are !testme GREEN. These are the highest-value merges of the week; do them first.",
"links": [
{"text": "custom-html PR #1 (build 163)", "url": "https://git.autonomic.zone/recipe-maintainers/custom-html/pulls/1"},
{"text": "cryptpad PR #4 (build 154)", "url": "https://git.autonomic.zone/recipe-maintainers/cryptpad/pulls/4"}
]
},
{
"title": "mailu — Roundcube webmail CVE-2026-49217 (high) · internet-facing",
"body": "mailu 2024.06.37 → 2024.06.52 rolls up the Roundcube security fix CVE-2026-49217 along with certdumper v2.11.2 and a redis 8.8 bump. Webmail is exposed on a mail host, so this one is worth prioritising. No config changes; !testme GREEN.",
"links": [
{"text": "mailu PR #1 (build 157)", "url": "https://git.autonomic.zone/recipe-maintainers/mailu/pulls/1"}
]
},
{
"title": "uptime-kuma — authenticated RCE fix (high) · plus MariaDB 12.3 major bump",
"body": "uptime-kuma 2.2.1 → 2.4.0 patches a remote-code-execution flaw in an upstream dependency (exploitable by authenticated users). It is bundled with a MariaDB 11.8 → 12.3 major-version bump, so take a database backup before deploying if you run the mariadb overlay. !testme GREEN.",
"links": [
{"text": "uptime-kuma PR #2 (build 165)", "url": "https://git.autonomic.zone/recipe-maintainers/uptime-kuma/pulls/2"}
]
},
{
"title": "redis 8.8 — CVE-2026-23479, CVE-2026-25243 (moderate) · lasuite-meet, lasuite-docs",
"body": "The redis 8.6.3 → 8.8.0 bump carries several redis security patches, including CVE-2026-23479 and CVE-2026-25243. It ships in lasuite-meet (alongside the meet v1.16→v1.17 app upgrade) and lasuite-docs. Redis is used purely as cache/session/pub-sub here, so the upgrade is drop-in. Both green.",
"links": [
{"text": "lasuite-meet PR #3 (build 156)", "url": "https://git.autonomic.zone/recipe-maintainers/lasuite-meet/pulls/3"},
{"text": "lasuite-docs PR #4 (build 169)", "url": "https://git.autonomic.zone/recipe-maintainers/lasuite-docs/pulls/4"}
]
},
{
"title": "static-web-server — Basic-Auth timing attack CVE-2026-27480 (low/moderate) · custom-html-tiny",
"body": "static-web-server 2.38 → 2.42 picks up CVE-2026-27480, a timing attack in Basic Auth fixed in v2.41.0. Note v2.41 also flips --ignore-hidden-files and --disable-symlinks on by default; this recipe serves an explicit -d path and is unaffected. !testme GREEN.",
"links": [
{"text": "custom-html-tiny PR #6 (build 164)", "url": "https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/6"}
]
}
],
"needs_attention": [
{
"title": "Eleven green PRs await your merge",
"body": "The merge-ready set: cryptpad, custom-html, custom-html-tiny, discourse, keycloak, lasuite-docs, lasuite-meet, mailu, n8n, and uptime-kuma — plus ghost, which the operator already resolved. discourse #2 is the late arrival: it is now !testme GREEN at build 179, clearing the stale-test RED (the allow_uncategorized_topics default flip) that the morning run had flagged. Full per-recipe detail in the wire below.",
"links": []
},
{
"title": "mattermost-lts — RED on restore; a security patch is held hostage",
"body": "The 10.11.19 ESR bump is correct and carries medium-severity security fixes, but !testme is RED at build 161 on test_restore_returns_state — a pre-existing backup/restore bug (the ci_marker row does not survive backup→restore), not something this upgrade introduced. Three restore strategies were tried without success. A companion fix PR (#1, ci/pg-restore) is open; reconcile the pair. The security patch cannot land until restore is fixed.",
"links": [
{"text": "upgrade PR #2 (build 161 RED)", "url": "https://git.autonomic.zone/recipe-maintainers/mattermost-lts/pulls/2"},
{"text": "companion fix PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/mattermost-lts/pulls/1"}
]
},
{
"title": "plausible — RED on deploy after the pg13→16 + ClickHouse 24 jump",
"body": "plausible 4.0.0+v2.1.5 (image moved Docker Hub → GHCR, postgres 13→16, ClickHouse 23.4→24.3) is RED at build 168. The ClickHouse IPv6-bind crash was fixed with an ipv4-only config, but the deploy still fails: Postgres appears to stay at 13 and the app gets NXDOMAIN for the events DB — most likely abra re-fetching the upstream compose over the PR head. A companion PR (#1, ci/clickhouse-backup-resilient) is also open and RED. Note: the v3.x-only CVE-2026-8467 does not affect this v2.1.5 target.",
"links": [
{"text": "upgrade PR #2 (build 168 RED)", "url": "https://git.autonomic.zone/recipe-maintainers/plausible/pulls/2"},
{"text": "companion PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/plausible/pulls/1"}
]
},
{
"title": "matrix-synapse — green except for one stale test; run --with-tests",
"body": "synapse v1.149.1 → v1.153.0 (with mas 1.17, nginx 1.31.1, pgautoupgrade 17→18) is RED at build 158 only on test_upgrade_preserves_data — the ci_marker table is lost across the pg17→18 in-place upgrade. Everything else passes (reconverge, serving, backup, restore, /_matrix/client/versions 200), so the diagnosis is a stale CI test, not a broken upgrade. Refresh it with /recipe-upgrade matrix-synapse --with-tests.",
"links": [
{"text": "PR #1 (build 158 RED · upgrade-test)", "url": "https://git.autonomic.zone/recipe-maintainers/matrix-synapse/pulls/1"}
]
},
{
"title": "n8n — GREEN, but a mandatory migration rides with it",
"body": "n8n 2.20.6 → 2.23.2 is !testme GREEN at build 162, but the pgautoupgrade 17→18 bump requires the volume mount path to move from /var/lib/postgresql/data to /var/lib/postgresql, and an in-place pg_upgrade --link runs on first start. Back up the database first, and apply the path change on existing deployments — green here does not mean no-op for operators.",
"links": [
{"text": "n8n PR #4 (build 162)", "url": "https://git.autonomic.zone/recipe-maintainers/n8n/pulls/4"}
]
},
{
"title": "ghost — already resolved since the run",
"body": "Ghost now has no open PR. The operator merged the backup-fix PR (#1, which landed Ghost at 6.42.0-alpine and added a proper mysql restore hook) and closed the 6.43.1 PR (#3). Net effect: the data-loss-on-restore bug is fixed, but Ghost sits one patch behind the 6.43.1 the upgrader had proposed — a future run can re-offer that bump.",
"links": [
{"text": "merged PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/ghost/pulls/1"}
]
}
],
"routine": [
{
"title": "Clean dependency bumps",
"body": "keycloak 10.7.1 → 10.8.0 (MariaDB 12.2 → 12.3, app unchanged) and lasuite-docs 0.3.3 → 0.3.4 (redis 8.8) are routine, no-operator-action bumps — both green. lasuite-meet also carries its meet v1.17.0 app upgrade with no required config changes.",
"links": []
},
{
"title": "Skipped — already current",
"body": "bluesky-pds, mumble, and lasuite-drive are up-to-date (drive's collabora/minio/onlyoffice tags are unparseable to abra, but its core images are at latest).",
"links": []
},
{
"title": "immich — blocked by an abra tooling limit",
"body": "immich was skipped: abra cannot parse its tag-plus-digest image references (e.g. ghcr.io/immich-app/postgres:14-vectorchord…@sha256:…), so the survey can't compute an upgrade. An explanatory comment was left on its open PR #1. This is a tooling gap, not a recipe fault.",
"links": [
{"text": "immich PR #1", "url": "https://git.autonomic.zone/recipe-maintainers/immich/pulls/1"}
]
},
{
"title": "Infrastructure footnote",
"body": "Eight recipes initially failed the survey with an abra go-git auth error (credentials must be embedded in the git origin URL, not via .netrc); all were recovered before the run completed. No fleet impact.",
"links": []
}
],
"table": [
{"recipe": "cryptpad", "change": "0.5.4+v2026.2.0 → 0.5.5+v2026.2.0", "status": "GREEN", "ci": "build 154 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/154", "pr": "#4", "pr_url": "https://git.autonomic.zone/recipe-maintainers/cryptpad/pulls/4", "notes": "nginx 1.29 → 1.31 (CVE batch). Ready to merge."},
{"recipe": "custom-html", "change": "1.11.0+1.29.0 → 1.13.0+1.31.1", "status": "GREEN", "ci": "build 163 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/163", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/custom-html/pulls/1", "notes": "nginx 1.31.1 CVEs + alpine/git v2.52.0. Ready to merge."},
{"recipe": "custom-html-tiny", "change": "1.0.1+2.38.0 → 1.1.0+2.42.0", "status": "GREEN", "ci": "build 164 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/164", "pr": "#6", "pr_url": "https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/6", "notes": "static-web-server 2.42 (Basic-Auth timing CVE)."},
{"recipe": "discourse", "change": "0.7.0+3.3.1 → 0.8.0+3.5.0", "status": "GREEN", "ci": "build 179 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/179", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/discourse/pulls/2", "notes": "Now green — stale test cleared. pg13→16, backup fix, bitnami→bitnamilegacy (archived mirror)."},
{"recipe": "ghost", "change": "1.2.0+6.21.2-alpine → 1.3.0+6.42.0-alpine", "status": "UPTODATE", "ci": "merged", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/ghost/pulls/1", "notes": "Resolved by operator: #1 merged (backup fix, 6.42.0); 6.43.1 PR #3 closed."},
{"recipe": "keycloak", "change": "10.7.1+26.6.2 → 10.8.0+26.6.2", "status": "GREEN", "ci": "build 155 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/155", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/keycloak/pulls/2", "notes": "MariaDB 12.2 → 12.3. Clean."},
{"recipe": "lasuite-docs", "change": "0.3.3+v5.1.0 → 0.3.4+v5.1.0", "status": "GREEN", "ci": "build 169 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/169", "pr": "#4", "pr_url": "https://git.autonomic.zone/recipe-maintainers/lasuite-docs/pulls/4", "notes": "redis 8.6.3 → 8.8.0 (CVEs). Clean."},
{"recipe": "lasuite-meet", "change": "0.3.0+v1.16.0 → 0.3.0+v1.17.0", "status": "GREEN", "ci": "build 156 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/156", "pr": "#3", "pr_url": "https://git.autonomic.zone/recipe-maintainers/lasuite-meet/pulls/3", "notes": "meet v1.17.0 + redis 8.8 (CVEs). Swagger routes now /api-prefixed."},
{"recipe": "mailu", "change": "3.0.1+2024.06.37 → 3.0.1+2024.06.52", "status": "GREEN", "ci": "build 157 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/157", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/mailu/pulls/1", "notes": "Roundcube CVE-2026-49217 + certdumper v2.11.2 + redis 8.8."},
{"recipe": "matrix-synapse", "change": "7.1.1+v1.149.1 → 7.2.0+v1.153.0", "status": "STALE", "ci": "RED 158 · upgrade-test", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/158", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/matrix-synapse/pulls/1", "notes": "Stale test_upgrade_preserves_data (pg17→18 ci_marker loss). Run --with-tests."},
{"recipe": "mattermost-lts", "change": "2.1.10+10.11.18 → 2.2.0+10.11.19", "status": "FAILED", "ci": "RED 161 · restore", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/161", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/mattermost-lts/pulls/2", "notes": "Pre-existing restore bug; see companion #1. ESR carries a medium-severity security patch."},
{"recipe": "n8n", "change": "3.2.0+2.20.6 → 3.3.0+2.23.2", "status": "GREEN", "ci": "build 162 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/162", "pr": "#4", "pr_url": "https://git.autonomic.zone/recipe-maintainers/n8n/pulls/4", "notes": "⚠ pg17→18: volume path /var/lib/postgresql/data → /var/lib/postgresql; back up first."},
{"recipe": "plausible", "change": "3.0.1+v2.0.0 → 4.0.0+v2.1.5", "status": "FAILED", "ci": "RED 168 · deploy", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/168", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/plausible/pulls/2", "notes": "GHCR move + pg13→16 + ClickHouse 24. ClickHouse fixed; deploy still fails (pg re-fetch). See #1."},
{"recipe": "uptime-kuma", "change": "3.0.0+2.2.1 → 4.0.0+2.4.0", "status": "GREEN", "ci": "build 165 ✓", "ci_url": "https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/165", "pr": "#2", "pr_url": "https://git.autonomic.zone/recipe-maintainers/uptime-kuma/pulls/2", "notes": "Authenticated RCE fix + MariaDB 11.8 → 12.3 (back up first)."},
{"recipe": "bluesky-pds", "change": "—", "status": "UPTODATE", "ci": "", "pr": "", "notes": "Up-to-date."},
{"recipe": "mumble", "change": "—", "status": "UPTODATE", "ci": "", "pr": "", "notes": "Up-to-date."},
{"recipe": "lasuite-drive", "change": "—", "status": "UPTODATE", "ci": "", "pr": "", "notes": "Up-to-date (some tags unparseable; core images at latest)."},
{"recipe": "immich", "change": "—", "status": "SKIPPED", "ci": "", "pr": "#1", "pr_url": "https://git.autonomic.zone/recipe-maintainers/immich/pulls/1", "notes": "abra cannot parse tag+digest image pins; explanatory comment left on PR."}
]
}
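Review bot: the `lead` says "eleven upgrades are !testme GREEN and ready for your merge" and then notes that ghost was already cleared by the operator; the `table` has ten GREEN rows (ghost is UPTODATE with `"ci": "merged"`), and the needs_attention item only reaches eleven by adding ghost, which no longer needs a merge. Since this file is the gold standard for specificity, make the counts agree (ten green and merge-ready, plus ghost already resolved) so future runs do not copy the pattern of counting resolved items as pending. One field-shape point for the same reason: the ghost row is the only non-empty `ci` value without a `ci_url`, so either give it the merged PR link or document that `ci_url` is optional for merged rows.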