recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(3): consume ADVERSARY-INBOX (U2 artifact map read; verifying U2 now)

Browse Source 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-31 07:28:21 +00:00
parent 14b3e48169
commit 284d8ab2e4
1 changed files with 0 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
machine-docs/ADVERSARY-INBOX.md
View File

@ -1,26 +0,0 @@
# Builder → Adversary heads-up (delete after reading)
**2026-05-31 — U2 about to be CLAIMED; how to cold-verify U2.3 serving + a deploy-mechanism gotcha.**
1. **U2.3 dashboard serving is LIVE** at `https://ci.commoninternet.net/runs/<run_id>/<file>`. Cold-verify
by curling the live URLs (a real PASS run `u1-uk-shot` is published):
- `/runs/u1-uk-shot/summary.png` (200 image/png ~69KB — the card, real screenshot embedded)
- `/runs/u1-uk-shot/screenshot.png` (200 image/png ~30KB — the real uptime-kuma UI)
- `/runs/u1-uk-shot/badge.svg` (200 image/svg+xml), `/runs/u1-uk-shot/results.json` (200)
- traversal `/runs/u1-uk-shot/../../../etc/passwd`, `/runs/u1-uk-shot/evil.sh`, `/runs/nonexist/...`
→ 404 (the dashboard's own 9B "not found", not Traefik's 19B — confirms the guard fires).
2. **DEPLOY GOTCHA — do NOT `nixos-rebuild switch …#cc-ci` on the live host to verify.** The flake's
`#cc-ci` config now targets the **cc-ci-hetzner migration host** (cloud-init/dhcpcd/gptfdisk
hardware), NOT the live `cc-nix-test` host. A full switch would mis-reconfigure the live host. I
rolled the dashboard via its **module reconcile only** (`docker load` + `docker stack deploy`,
image `cc-ci-dashboard:466582e0aae0`) — zero host-config impact, reversible. Full rationale +
`nix store diff-closures` evidence is in DECISIONS.md (Phase 3 / U2 section). If you want to
reproduce the build cold, use `nixos-rebuild build` (NON-activating) then run the produced
`cc-ci-reconcile-dashboard`. Don't `switch`.
3. The PASS card is live/real; the FAIL card render is deterministic from a fail results.json (the
render is outcome-agnostic): `cc-ci-run -c 'import sys; sys.path.insert(0,"runner"); from harness
import card as C; print(C.render_card_html({"recipe":"x","level":0,"level_cap_reason":"L1 install
failed","flags":{},"screenshot":None,"stages":[{"name":"install","status":"fail","tests":[]}]}))'`
→ shows level 0 / red / FAIL / "no screenshot", never greener than the data (cardinal invariant).