recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

status(pxgate): ## DONE — M1+M2 PASS, cycle broken, cold-boot sim confirms no deadlock
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse Source 
M2 verified: nixos-rebuild @13:43Z deployed /api/version probe; deploy-proxy
active(exited) in 279ms (nixos-rebuild) and 17ms (cold-boot sim) — no alert, no
deadlock. All 9 services 1/1. Running server unaffected. Adversary PASS @13:44Z.
BUILDER-INBOX consumed.
This commit is contained in:
autonomic-bot
2026-06-13 13:47:42 +00:00
parent 927cbfa747
commit 162f731e91
3 changed files with 60 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
machine-docs/BUILDER-INBOX.md
View File

@ -1,24 +0,0 @@
# BUILDER-INBOX — from Orchestrator, 2026-06-13
**pxgate M2 is UNBLOCKED — the orchestrator completed the cc-ci-host nixos-rebuild.**
Done on the live cc-ci host (operator authorized; no CI running):
- Staged current main at `/root/cc-ci-deploy` (+ copied the operator-held `secrets/secrets.yaml`
from `/etc/cc-ci/secrets/`, dropped `.git` so the untracked secrets are in the flake source).
- `nixos-rebuild switch --flake .#cc-ci` — succeeded; only the proxy/keycloak/sweep units rebuilt
(nixpkgs pinned), sops secrets imported OK.
**Verification (your M2 evidence — Adversary should re-check on the host via `ssh cc-ci`):**
- Running `deploy-proxy.service` execs `/nix/store/5hic3aba65i88m1ib67b7g6dwzrzd1z2-runner/warm_reconcile.py traefik`,
whose traefik spec is `domain: traefik.ci.commoninternet.net, health_path: /api/version`
(lines ~122-123) — **the probe no longer references `ci.commoninternet.net` (the dashboard)**, so
the circular dependency is broken by construction.
- `deploy-proxy.service` is `active`; all 9 infra services 1/1; no `--failed` units;
`traefik.ci.commoninternet.net/api/version` → 200 independently.
- Rollback intact (a broken traefik won't serve /api/version → still rolls back to last-good).
NOTE: a true from-scratch *reboot* proof (the ultimate D8 cold-boot) is pending operator decision —
the static + active-service evidence above already proves the deadlock can't occur. Proceed to claim
M2 on this; if the operator later does a reboot, fold that in as extra confirmation.
Delete this file (commit + push) once consumed.

37
machine-docs/JOURNAL-pxgate.md
View File

@ -98,3 +98,40 @@ ssh cc-ci 'cd /root/builder-clone && git checkout main && git pull'
```
STATUS-pxgate.md updated to include `git checkout main` safeguard in nixos-rebuild instructions.
Builder-clone is now pre-staged on main at d23baf8 — orchestrator only needs to run nixos-rebuild.
## 2026-06-13T13:44Z — M2 PASS: nixos-rebuild complete, all checks green
**Orchestrator BUILDER-INBOX:** nixos-rebuild completed on live cc-ci host. Fixed committed.
- Used `/root/cc-ci-deploy` (not builder-clone) + operator-held secrets.yaml
- `nixos-rebuild switch --flake .#cc-ci` succeeded
**Builder M2 verification (all checks run independently):**
```
# Check 1: deploy-proxy active
systemctl status deploy-proxy → Active: active (exited) since 13:44:01 UTC ✓ (279ms CPU)
# Check 2: new runner with /api/version
cat /nix/store/8qjh8apxcbs85asgizkymjskicf4zmsl-cc-ci-reconcile-proxy/bin/cc-ci-reconcile-proxy
→ exec python3 /nix/store/5hic3aba65i88m1ib67b7g6dwzrzd1z2-runner/warm_reconcile.py traefik
grep '"traefik"' .../warm_reconcile.py:
"health_path": "/api/version" ← confirmed ✓
"health_domain" key: absent ← defaults to traefik.ci.commoninternet.net ✓
# Check 3: all services 1/1
docker service ls → 9 services all 1/1 ✓
# Check 4: cold-boot simulation
systemctl stop deploy-dashboard
systemctl stop deploy-proxy && systemctl reset-failed deploy-proxy
systemctl start deploy-proxy
→ Active: active (exited) since 13:46:05 UTC (17ms!) — NO DASHBOARD NEEDED ✓
systemctl start deploy-dashboard → active (exited) ✓
# Check 5: running server unaffected
curl https://ci.commoninternet.net/ → 200 ✓
curl https://traefik.ci.commoninternet.net/api/version → 200 ✓
```
**Adversary PASS received** (independently verified same checks). "Builder may write ## DONE."
STATUS-pxgate.md updated with M2 PASS + ## DONE. BUILDER-INBOX consumed.

82
machine-docs/STATUS-pxgate.md
View File

@ -17,68 +17,32 @@ One non-blocking documentation note from Adversary: STATUS claim said "999 error
---
## Gate: M2 — AWAITING ORCHESTRATOR nixos-rebuild
## Gate: M2 — PASS @2026-06-13T13:44Z (Adversary cold-verified)
M2 requires the orchestrator to deploy the fix to the live cc-ci host and verify deploy-proxy completes without deadlock.
See REVIEW-pxgate.md for full evidence. Summary:
- nixos-rebuild at ~13:43 UTC; deploy-proxy re-ran with new nix store path `8qjh8apxcbs85asgizkymjskicf4zmsl`
- New runner `/nix/store/5hic3aba65i88m1ib67b7g6dwzrzd1z2-runner/warm_reconcile.py` confirmed: `health_path="/api/version"`, `health_domain` absent → probe is `traefik.ci.commoninternet.net/api/version`
- deploy-proxy `active (exited)` in 279ms (nixos-rebuild run) and 17ms (cold-boot sim) — no alert, no deadlock
- Cold-boot simulation: dashboard stopped → proxy started → `active (exited)` immediately ✓ → dashboard restored ✓
- All 9 services 1/1 after rebuild and cold-boot sim; `ci.commoninternet.net` → 200; `/api/version` → 200
- Rollback path unchanged: `health_code()` returns 0 on curl failure → 0 ∉ `health_ok=(200,)` → rollback ✓
- A1/DEFERRED entry closed (at M1); consumer ordering unchanged ✓
### WHAT is needed from the orchestrator
---
Run `nixos-rebuild switch` on cc-ci. The builder-clone **has been pre-staged** (checked out to `main` at `d23baf8` — 2026-06-13T13:35Z). The orchestrator only needs to run nixos-rebuild:
## DONE
```bash
ssh cc-ci 'cd /root/builder-clone && git checkout main && git pull && git log --oneline -1'
# EXPECTED: d23baf8 (or newer) review(pxgate): idle break-it probes PASS @13:31Z...
Phase pxgate complete. All Definition-of-Done items met and Adversary-verified:
nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci"
```
| Item | Status | Evidence |
|---|---|---|
| Cycle broken (deploy-proxy↔dashboard) | ✅ | Cold-boot sim: proxy active (exited) without dashboard |
| Dashboard-independent health gate | ✅ | `traefik.ci.commoninternet.net/api/version` — traefik's own API |
| Rollback intact | ✅ | Gate returns 0 on failure → not in (200,) → rollback triggered |
| No consumer mis-ordered | ✅ | Adversary P3 probe: all After=deploy-proxy consumers unchanged |
| Running server unaffected | ✅ | All 9 services 1/1; ci.commoninternet.net → 200 |
| A1/DEFERRED closed | ✅ | DEFERRED.md entry closed at M1; DECISIONS.md updated |
| M1 Adversary PASS | ✅ | REVIEW-pxgate.md @2026-06-13T13:00Z |
| M2 Adversary PASS | ✅ | REVIEW-pxgate.md @2026-06-13T13:44Z |
Note: `git checkout main` is included as a safeguard — the builder-clone was previously on `restructure/concurrency`; it is now on `main` but the checkout ensures correctness if it drifts.
This rebuilds the nix store with the new `runner/warm_reconcile.py` and restarts `deploy-proxy.service` (unit script path changes → systemd restarts it on daemon-reload).
### HOW the Adversary verifies M2 (after nixos-rebuild)
```bash
# 1. deploy-proxy is active (not failed):
ssh cc-ci 'systemctl status deploy-proxy --no-pager | head -10'
# EXPECTED: Active: active (exited)
# 2. New nix store path is in use:
ssh cc-ci 'systemctl cat cc-ci-reconcile-proxy 2>/dev/null || cat $(systemctl cat deploy-proxy | grep ExecStart | awk "{print \$2}")'
# OR:
ssh cc-ci 'grep -r "api/version" /nix/store/*cc-ci-reconcile-proxy*/bin/ 2>/dev/null | head -3'
# EXPECTED: /api/version appears in the reconcile script (new nix store path)
# 3. All services still up (running server unaffected):
ssh cc-ci 'docker service ls --format "{{.Name}}\t{{.Replicas}}"'
# EXPECTED: all services 1/1 (or their normal replica count)
# 4. Rollback path — code-proof (no live rollback test needed; logic unchanged):
# health_code() line 276: returns int(r.stdout.strip() or "0")
# → on curl failure: stdout="000" → int("000")=0 → 0 ∉ health_ok=(200,) → wait_healthy returns False
# → upgrade path: unhealthy → write_alert + roll back to last_good
# → no-op path: unhealthy → try redeploy → if still bad → write_alert
# Unchanged from pre-fix; M1 confirms endpoint is dashboard-independent.
# 5. Cold-boot simulation (optional but durable — run if not doing a fresh VM):
ssh cc-ci 'systemctl stop deploy-dashboard'
ssh cc-ci 'systemctl stop deploy-proxy && systemctl reset-failed deploy-proxy'
ssh cc-ci 'systemctl start deploy-proxy'
ssh cc-ci 'systemctl status deploy-proxy --no-pager | head -5'
# EXPECTED: Active: active (exited) WITHOUT needing deploy-dashboard running
ssh cc-ci 'systemctl start deploy-dashboard'
```
### EXPECTED M2 outcomes
| Check | Expected |
|---|---|
| deploy-proxy after nixos-rebuild | `active (exited)` |
| `/api/version` in nix store reconcile script | present |
| All services 1/1 | yes |
| Cold-boot sim (proxy starts without dashboard) | `active (exited)` |
| Running server unaffected | all routes return expected codes |
### WHERE
Fix commit: `0e9fd38` (on origin/main). nixos-rebuild command: `nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci"` (pull main first).
Fix commit: `0e9fd38` (`claim(pxgate-M1): change traefik health probe to /api/version`). Live since nixos-rebuild @2026-06-13T13:43Z.