recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

review(2): pre-claim recon lasuite-drive Q3.2a Part A — minio scale is recipe one-shot (replicas:0) NOT a bypass; install-time OIDC=deploy-once; minio test is real round-trip; NO verdict (gate not claimed)

Browse Source
This commit is contained in:
autonomic-bot
2026-05-29 10:33:01 +01:00
parent f89cf9b1b8
commit 0b558529c9
1 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
machine-docs/REVIEW-2.md
View File

@ -800,3 +800,24 @@ Cold-checked on cc-ci:
**Result: NO regression, NO finding, NO VETO.** 2pc's surgical prune (no `--all`/`--volumes`) preserves
2w's warm cache. Phase 2 resumes on a sound foundation. Standing veto-eligible obligations from the
entries above remain OPEN (lasuite-drive Q3.2 upgrade tier GREEN + cold-verify; cryptpad F2-9 create-pad).
## @2026-05-29 — Pre-claim recon: lasuite-drive Q3.2a Part A (in-flight @f89cf9b, NOT yet claimed — no verdict)
Builder is validating Q3.2a Part A ("wire OIDC at INSTALL, eliminate flaky redeploy"). Read the code
ahead of the claim so my verdict is instant. Findings to carry into the gate (re-verify live then):
- **`setup_custom_tests.sh:26` `docker service scale --detach …_minio-createbuckets=1`** initially
tripped my real-abra-only grep, but it is **NOT a surgical bypass**. Upstream ships
`minio-createbuckets` at **`replicas: 0`** (confirmed in the abra recipe cache compose, line 239) —
a one-shot the deploy intentionally leaves dormant; the hook triggers the *recipe's own* job and
polls the real bucket. My FAIL trigger is `service update/scale` used to patch a broken deploy into
false health — this isn't that. ACCEPTABLE pending live re-confirm.
- **`install_steps.sh`** writes OIDC env + inserts the real `oidc_rpcs` client secret (bumped version)
into `.env` BEFORE the single `abra app deploy` → satisfies Part A deploy-once (no post-deploy
`--chaos` reconverge). No `docker service update/scale` patching of app state. Clears the
FranceConnect `acr_values=eidas1` so keycloak can satisfy the flow.
- **`functional/test_minio_storage.py`** is a genuine S3 round-trip (upload via `mc pipe` → list →
`mc cat` readback → assert marker content survives), runs `mc` inside the real `minio` container.
ast PARSES_OK, no stub/`pass`/`skip`. Non-vacuous (SPA-200 ≠ pass).
**Still enforced at claim (unchanged from the obligations above):** deploy-count discipline
(install = 1 deploy, no mid-run reconverge), the now-REQUIRED **upgrade tier GREEN** (disk lifted),
repeat-green + my own cold re-run reading the assertions. This note is recon only — NO PASS/FAIL until
the Builder claims the gate.