From 19c9c3edcfd594970f436e61ef52a918eea375ba Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 17 Jun 2026 01:48:41 +0000 Subject: [PATCH] =?UTF-8?q?review(prevb):=20M2=20cold-verify=20IN=20FLIGHT?= =?UTF-8?q?=20=E2=80=94=20discourse=20#4=20!testme=20GREEN=20confirmed=20v?= =?UTF-8?q?ia=20gitea=20API=20(Drone=20717,=20real=20live-image=20teeth,?= =?UTF-8?q?=20lint=3Dnon-gating=20rung);=203=20spot-checks=20dynamic-base?= =?UTF-8?q?=20confirmed;=20my=20own=20cryptpad=20re-run=20in=20flight?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/REVIEW-prevb.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/machine-docs/REVIEW-prevb.md b/machine-docs/REVIEW-prevb.md index 44bbbe4..201a418 100644 --- a/machine-docs/REVIEW-prevb.md +++ b/machine-docs/REVIEW-prevb.md 
@@ -120,5 +120,39 @@ identically at gtea-DONE 778720c, untouched by prevb (see [F-prevb-A]). prevb's (JOURNAL not consulted before this verdict, per anti-anchoring. M1 stands on the plan, the code/diff, the STATUS verification info, and my own cold re-runs.) +## M2 cold acceptance β€” IN FLIGHT (2026-06-17T01:45Z) +Gate M2 CLAIMED @01:40Z (HEAD 71399f6). Cold-verifying independently (gitea API + host artifacts + own re-run). +CONFIRMED so far: +- **discourse PR#4 !testme GREEN in REAL CI** β€” verified via gitea API (NOT trusting STATUS): `!testme` + comment @01:27:09Z β†’ bridge reply @01:27:25Z `🌻 cc-ci β€” discourse @ ae5a8180 βœ… **passed**` β†’ Drone 717. + (Teeth of the signal: an EARLIER !testme @22:34 β†’ run 700 β†’ `❌ failure` β€” !testme genuinely CAN go RED; + 717's pass is meaningful, not a rubber-stamp. 700 failed pre-mint_admin-fix.) +- **Drone 717 junit cold-read**: all 10 suites errors=0 failures=0 (install/upgrade Γ—2/backup Γ—2/restore + Γ—2/custom create_topic+health_check+site_basic). results.json: level=4, results{install,upgrade,backup, + restore,custom}=all pass; clean_teardown=true; no_secret_leak=true; ref=ae5a8180 (real PR head). +- **Head genuinely ran official 3.5.3 β€” REAL TEETH**: `tests/discourse/test_upgrade.py` asserts via + `lifecycle.deployed_identity` (= `docker service inspect _app …ContainerSpec.Image` β€” the LIVE + running swarm image, not a compose grep) that image startswith `discourse/discourse:3.5.3` & no + bitnamilegacy; + `stack_service_names` (= `docker stack services`) that sidekiq is gone. Both PASS in 717. +- **lint R011 is a level-cap RUNG, NOT a gate** (verified in code): `run_recipe_ci.py:770` `passed = + warm_ok and bool(results) and all(v!='fail' for v in results.values()) and not sso_unverified` β€” covers + only the 5 functional tiers, NOT lint. So R011 caps level at 4/5 but cannot turn !testme RED. 
(R011 = + "all services have images" on the official-image head + "invalid reference format" warns β€” a RECIPE-head + lint nit, not a prevb/cc-ci failure; candidate PR comment, not a blocker.) +- **Secret-leak (independent scan of the PUBLIC surface)**: dashboard index (lists 717), results.json (all + 11 test `message` fields empty on PASS), summary.html, junit, lint.txt β€” NO secret/password/token values. + `no_secret_leak` flag scans results.json vs `/run/secrets/*` (infra secrets). NOTE [F-prevb-C, INFO]: + `mint_admin` prints the minted plaintext discourse ApiKey to stdout β†’ it lands in the Drone RAW build log + (access-controlled, 401 w/o token β€” NOT the public dashboard). Pre-existing behavior (prevb only made the + path image-agnostic, b66abc4; the `.key` print predates prevb). Not a public-surface leak; low severity. +- **Spot-checks (cold-read Builder logs + dynamic-base confirmed)**: cryptpad#5 base=ref 36ee3451 (main tip; + =PR#5's real base sha, gitea-confirmed), keycloak#3 base=ref 12ac6db8 (main tip via master fallback), + hedgedoc#1 base=ref 09bf4d54 (main tip). All install:pass upgrade:pass deploy-count=1; cryptpad + `test_upgrade_preserves_data` PASS, keycloak `test_upgrade_preserves_realm` PASS. No leftover stacks + (only infra + pre-existing warm-keycloak orphan). +- **INDEPENDENT re-run in flight**: re-executing cryptpad#5 (REF=9c18c176) from MY cold clone @71399f6 + (normal fetch, not the Builder's tree) to confirm dynamic-base generality isn't tree/env-specific. +STILL TO CONFIRM: my cryptpad re-run resolves base=main-tip 36ee3451, install+upgrade pass, clean teardown. + ## Open VETOes (none)
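Review bot: In the Secret-leak bullet, the `no_secret_leak` flag is described as scanning results.json against `/run/secrets/*`, so the `no_secret_leak=true` quoted in the Drone 717 bullet does not cover the plaintext discourse ApiKey that [F-prevb-C] says `mint_admin` prints to stdout and that lands in the Drone raw build log. Filing this as INFO is defensible given the log returns 401 without a token, but the entry should state whether the minted key is revoked at teardown or otherwise expires, and it should point to a follow-up for dropping or masking the `.key` print, so the finding is not lost once M2 closes. Separately, the lint bullet cites `run_recipe_ci.py:770` without a commit; pin the citation to the HEAD under review (71399f6) so the quoted `passed = ...` expression stays checkable after the file changes.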