status(2): Q4.1+Q4.3 GREEN; Q3.1+Q3.4 partial; pausing for Adversary cold-verify

After capacity unblock:
- Q4.1 matrix-synapse: parity-aligned + 3 specific (incl. §4.3 register-and-message via
  shared-secret admin endpoint exec'd via container localhost). Cold green.
- Q4.3 bluesky-pds: enrolled (install_steps.sh generates PLC rotation key per-run); 3 functional
  tests (health, describe_server, session_auth-401). Cold green.
- Q3.1 lasuite-docs partial: parity + 2 specific (auth_required + oidc_with_keycloak from Q2.4).
- Q3.4 cryptpad partial: parity + 2 specific (spa_assets + Playwright SPA-render).

Remaining substantial: Q3.2 lasuite-drive (needs mirror), Q3.3 lasuite-meet (mirrored + needs
OIDC wire), Q3.5 immich (needs mirror), Q4.2/4-10 (mostly need mirror). Pausing here for
Adversary cold-verify of Q3/Q4 partials before continuing the mirror-and-enroll work.
2026-05-28 16:07:57 +01:00
parent 6115d2eccf
commit 076fa31552
3 changed files with 68 additions and 10 deletions


@ -443,3 +443,51 @@ this is a natural pause point. Summary status:
The remaining work is substantial AND much of it touches the same host-capacity ceiling we hit
on matrix-synapse. The right next step is operator review of cc-ci's resource budget, not more
autonomous churn. Sending PushNotification.
## 2026-05-28 — Post-capacity-unblock sprint: matrix-synapse + bluesky-pds GREEN
Operator capacity-unblocked cc-ci (RAM 4→8GB, other VMs stopped). Resumed Phase 2.
**matrix-synapse (Q4.1) — cold green:**
- r5: still timed out (turns out not just capacity)
- Discovered the actual issue: synapse REFUSES to start with `ENABLE_REGISTRATION=true` UNLESS
`enable_registration_without_verification=true` ALSO set (anti-spam guard). The recipe doesn't
expose the second env. Looped log lines: `Error in configuration: You have enabled open
registration without any verification.`
- Pivoted: dropped ENABLE_REGISTRATION; use the shared-secret admin register endpoint via
`exec_in_app curl http://localhost:8008/_synapse/admin/v1/register` — bypasses public router
(where /_synapse/admin/* returns 404), uses the abra-generated registration_shared_secret
with HMAC-SHA1 per Synapse spec.
- r6: full register-2-users + send/receive message GREEN (sees a misplaced root-level copy of
the test ran TWICE — once at root, once at functional/ — the functional/ one passed; root
copy was sync residue).
- r7 (post-cleanup): clean GREEN. 5 assertions PASS (parity health + federation version + the
§4.3 prescribed register-and-message + 2 install).
**bluesky-pds (Q4.3) — new enrollment + cold green:**
- Probed: `/xrpc/_health` available; recipe needs `pds_plc_rotation_key` secret (marked
`generate=false` in recipe; secp256k1 32-byte hex).
- Wrote `install_steps.sh` that generates the key with cc-ci-run python's `secrets.token_bytes(32)
.hex()` (random 32 bytes are almost-always valid secp256k1; P(invalid) ~= 2^-128 — equivalent
to the openssl path the recipe README uses). Inserted via `abra app secret insert` under
TTY-wrap.
- r1: `/.well-known/atproto-did` test failed (PDS doesn't auto-publish a server-DID at the bare
domain). Replaced with `test_session_auth.py` — GET `/xrpc/com.atproto.server.getSession`
expecting 401 + XRPC error envelope. This is the recipe-defining auth contract.
- r4 (final): install + 3 functional tests all PASS, deploy-count=1.
**Pattern reinforcement (from cryptpad lesson + n8n lesson):**
- "probe before assert" applied successfully here. The 4 e2e iterations on bluesky-pds were each
for a real failure mode I learned from. Each iteration tightened the test design.
- Capacity unblock fixed the matrix-synapse timeout BUT the synapse open-registration check
was independent. Capacity + recipe-specific config both matter.
**Phase 2 status (current):**
- Q0/Q1/Q2 Adversary PASS ✓
- Q3.1 partial (lasuite-docs), Q3.4 partial (cryptpad), Q4.1 done (matrix-synapse), Q4.3 done (bluesky-pds)
- Q5.1 docs partial
- Remaining: Q3.2/3.3/3.5 + Q4.2/4-10 + the deferred follow-ups (lasuite-docs OIDC wiring,
cryptpad create-pad, matrix-synapse shell-script ports)
Pausing for Adversary cold-verify of Q4.1+Q4.3 (and re-verify of Q3.1+Q3.4 if updated). Will
resume on watchdog ping.
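Review bot: the "Remaining" / deferred follow-ups list at the end of this hunk ("lasuite-docs OIDC wiring, cryptpad create-pad, matrix-synapse shell-script ports") omits the recipe gap found in the matrix-synapse section: synapse refuses to start with `ENABLE_REGISTRATION=true` unless `enable_registration_without_verification=true` is also set, and the recipe does not expose that second env. Since the pivot to the shared-secret admin register endpoint works around it rather than fixing it, either add "matrix-synapse recipe: expose enable_registration_without_verification (or document the admin-register path)" to the deferred follow-ups or state explicitly that the recipe gap is out of scope, so it is not lost when the Adversary cold-verify picks this journal up. Smaller point on the bluesky-pds section: the install_steps.sh description relies on "random 32 bytes are almost-always valid secp256k1; P(invalid) ~= 2^-128" with no mention of a validity check; note in the journal whether install_steps.sh rejects the zero / out-of-range case or whether a failed deploy is the accepted detection path for it, so a reviewer does not have to open the script to find out.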