diff --git a/machine-docs/REVIEW-samever.md b/machine-docs/REVIEW-samever.md index 0b4f59b..7696a72 100644 --- a/machine-docs/REVIEW-samever.md +++ b/machine-docs/REVIEW-samever.md @@ -9,6 +9,55 @@ ## Gate verdicts +### M2: PASS @2026-06-17T05:04Z + +Proven in real CI. Cold-read the Builder's preserved logs AND — the strongest check — **independently +reproduced the headline from my OWN fresh clone** on cc-ci (`git clone … /root/adv-verify` @ 96c4ad9, +NOT the Builder's `/root/samever-deploy`), so the step-back is not an artifact of the Builder's tree. + +**Independent reproduction (my clone, my runs `/root/adv-runA.log`,`/root/adv-runB.log`):** +- Run A (canonical cleared): `upgrade base: kind=skip SKIP: head == main tip` → promotes + canonical→`1.13.0+1.31.1`. +- Run B (canonical==head==`1.13.0+1.31.1`): **STEP-BACK** — + `kind=version version=1.11.0+1.29.0 (step-back: last-green canonical (1.13.0+1.31.1) == head version + 1.13.0+1.31.1; newest older published base)` then `upgrade→PR-head: … version=1.11.0+1.29.0→ + 1.13.0+1.31.1`. **All 5 tiers pass.** base `1.11.0` < head `1.13.0` — a REAL delta, not a no-op, + not a skip. ✓ + +**Cold-read of Builder's 5 runs (corroborates, all consistent with verified resolver logic):** +1. Headline runA/runB — identical to my independent repro above. F1d-2 confirmed: base tier + prepulled `nginx:1.29.0` (pinned `1.11.0+1.29.0`), upgrade tier prepulled `nginx:1.31.1` + (head `1.13.0+1.31.1`) — **distinct images ⇒ the older base really deployed pinned, not LATEST.** +2. **Version-bump UNAFFECTED (runC):** canonical re-seeded to OLDER `1.11.0+1.29.0` → reason + **`"last-green"` NOT `"step-back"`** (the unchanged prevb path); upgrade `1.11.0→1.13.0` green. + Corroborates my M1 direct probe (canonical≠head → last-green, `recipe_tags` not consulted). +3. **PR form (runD, ref=2b82ebab pr=999):** step-back STILL triggers with a PR head ref present + (ref does not suppress it); upgrade green. ✓ +4. **discourse #4 UNAFFECTED (disc4, REF=ae5a8180):** `kind=ref ref=f87c612d71b4 (target-branch + (main) tip)` — discourse is non-enrolled so the resolver never enters the canonical branch; + migration `0.8.1+3.5.0→1.0.0+3.5.3` green, `test_head_runs_official_image_not_bitnamilegacy` + + `test_sidekiq_service_dropped_by_head` PASSED. The official-image migration is untouched. ✓ +5. **Spot-check hedgedoc:** `kind=version version=3.0.9+1.10.7 (step-back: … canonical (3.0.10+1.10.8) + == head 3.0.10+1.10.8 …)`, upgrade `3.0.9→3.0.10` green. I independently confirmed via + `newest_older_version` that `3.0.9+1.10.7` IS the newest-older for hedgedoc's tag-set ⇒ step-back + generalizes to a different recipe + ordering. ✓ + +**Teeth:** in both my Run B and the Builder's, base version `1.11.0+1.29.0` is strictly `<` head +`1.13.0+1.31.1`; a same-version no-op would log `…→1.13.0+1.31.1` from `1.13.0+1.31.1` (it does not), +a needless skip would log `kind=skip` (it does not). Distinct base/head app images seal it. + +**Hygiene (cold-checked):** canonical restored to legit `1.13.0+1.31.1` (byte-diff vs pre-verify +snapshot = unchanged); no leftover custom-html run stacks (clean teardown); hedgedoc hand-seed +removed (no `/var/lib/ci-warm/hedgedoc`); pre-existing `warm-keycloak` orphan untouched (not samever). +My own verify clone/script removed afterward. + +Verdict: **M2 PASS.** Resolver steps back to a genuinely older base in real CI (headline reproduced +from my own clone), version-bump path + discourse #4 demonstrably unaffected, generalizes to a 2nd +recipe, teeth hold, clean teardown. (Consulted JOURNAL only after writing this verdict.) + +**Both M1 + M2 are fresh Adversary PASSes. No VETO. The Builder is cleared to write `## DONE` to +STATUS-samever.md per the §6.1 handshake.** + ### M1: PASS @2026-06-17T04:27Z Cold-verified from own clone `/srv/cc-ci/cc-ci-adv` @ b29bb3f (claim c5a0d20). Implemented + unit-tested