status(shot): M2 evidence assembled — P3/P4 ledgers complete, proof table, durations, dashboard checks
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
autonomic-bot
@ -57,21 +57,50 @@ PNG-size note: 4801/4802 B at 1280×800 is a byte-stable blank-frame fingerprint
|
||||
default page at `/` (no content seeded for this recipe's install; only custom-html-tiny seeds via
|
||||
install_steps.sh). Screenshot is an honest representative view of a fresh install. → OK as-is.
|
||||
|
||||
### P3 — Fixes
|
||||
### P3 — Fixes (all merged to main)
|
||||
|
||||
- [ ] Harness default improvement (fixes BLANK+LOADING classes): after domcontentloaded nav, bounded
|
||||
network-idle/paint wait + blank-frame detect (tiny PNG → one retry with stronger wait), all within
|
||||
NAV_DEADLINE_S=45 / step worst-case ≤ ~60s. Unit tests in tests/unit/test_screenshot.py.
|
||||
- [ ] plausible SCREENSHOT hook (tests/plausible/recipe_meta.py) to a rendering, credential-free path.
|
||||
- [ ] Re-audit mattermost-lts / mumble / keycloak / lasuite-* after harness fix; per-recipe hooks only
|
||||
where the default still can't work.
|
||||
- [ ] bluesky-pds: document N/A in matrix (Adversary agreement at M1/M2).
|
||||
- [x] Harness default improvement (ce50f64 + A1 hardening 7ad7d1f): bounded networkidle settle
|
||||
(10s) + 0.5s render grace after domcontentloaded; blank/spinner-frame detect (<10000 B) → ONE
|
||||
retry with 4s settle, larger frame kept (A1). Wait budget 45+10+0.5+4+0.5 = 60s, unit-tested.
|
||||
8 new unit tests; 207 pass; lint PASS.
|
||||
- [x] plausible — NOT a hook in the end: the real root cause was EXTRA_ENV SECRET_KEY_BASE being
|
||||
62 chars (<64-byte Phoenix cookie-store minimum) → every HTML render 500'd. Fixed to 68 chars
|
||||
(b98a471); default capture then lands the genuine registration page. Stale auth_controller
|
||||
comments corrected (no assertion touched).
|
||||
- [x] mattermost-lts SCREENSHOT hook (80e5713 + 3c33129): interstitial appears on ANY first-visit
|
||||
route incl /login (proven byte-identical PNG) → hook navigates /login, clicks "View in Browser"
|
||||
best-effort, settles; lands the real login form. First real hook; public screenshot.settle().
|
||||
- [x] keycloak / lasuite-docs / lasuite-drive / lasuite-meet / immich / cryptpad / n8n: fixed by
|
||||
the harness default alone (no hooks needed — proof PNGs below).
|
||||
- [x] mumble: NOT fixable harness-side — pinned mumble-web:0.5 client never paints UI for an
|
||||
anonymous browser (≥90s DOM/console/network observation: no errors, no failed requests,
|
||||
connect-dialog elements absent, no autoconnect overrides). Loader frame = the genuine anonymous
|
||||
web view; voice (the recipe's function) fully covered by protocol tests. DEFERRED.md entry filed
|
||||
(upstream question for the operator).
|
||||
- [x] bluesky-pds: documented N/A while upstream image broken (rcust DEFERRED; Adversary-agreed at
|
||||
M1, contingent re-check at M2 — latest failing evidence ab-bluesky-pds-oldmain, 2026-06-11).
|
||||
|
||||
### P4 — Proof runs
|
||||
### P4 — Proof runs (fresh, post-fix; every PNG visually Read by Builder)
|
||||
|
||||
- [ ] Fresh real-CI run per fixed recipe (immich, lasuite-meet, n8n, cryptpad, keycloak, lasuite-docs,
|
||||
lasuite-drive, mumble, mattermost-lts, plausible), ≥2 via drone `!testme`; visual check each PNG;
|
||||
card + dashboard render. Healthy class: cite existing artifact + visual check (done in P1).
|
||||
| recipe | proof run (dir on cc-ci) | level (baseline) | PNG B | visual |
|
||||
|---|---|---|---|---|
|
||||
| immich | 370 (drone !testme immich#2) | 4 (=356:4) | 234351 | real "Welcome to Immich" onboarding |
|
||||
| plausible | 371 (drone !testme plausible#3) | 4 (=357:4) | 64132 | real registration form, empty fields |
|
||||
| keycloak | shot-proof-keycloak | 4 | 215587 | real "Sign in to your account" form |
|
||||
| cryptpad | shot-proof-cryptpad | 4 | 57310 | real landing + document-type picker |
|
||||
| lasuite-meet | shot-proof-lasuite-meet | 4 | 225686 | real video-conferencing landing |
|
||||
| lasuite-docs | shot-proof-lasuite-docs | 4 | 284769 | real Docs landing |
|
||||
| lasuite-drive | shot-proof2-lasuite-drive | 4 | 132037 | real Drive landing |
|
||||
| n8n | shot-proof-n8n | 4 | 26433 | real "Set up owner account", empty fields (now deterministic) |
|
||||
| mattermost-lts | shot-proof3-mattermost-lts | 2 (=m2r:2) | 178367 | real "Log in to your account" form (hook v2) |
|
||||
| mumble | shot-proof-mumble | 4 | 7980 | loader frame — best-available (see P3/DEFERRED) |
|
||||
|
||||
Drone durations pre/post (same recipe+PR): immich 199s→198s; plausible 209s→166s (faster — capture
|
||||
no longer burns 45s failing). Healthy class (ghost, hedgedoc, discourse, custom-html,
|
||||
custom-html-tiny, mailu, matrix-synapse, uptime-kuma): existing artifacts cited in P1 matrix, each
|
||||
visually verified real + credential-free; no new runs needed per plan §3 P4.
|
||||
Dashboard/card: grid thumbnails for runs 370/371 served 200, summary.html embeds screenshot.png,
|
||||
/badge/immich.svg 200.
|
||||
|
||||
## Adversary findings
|
||||
|
||||
|
||||
@ -72,3 +72,28 @@ mumble: proof run still spinner after settle+retry (7980B). Probing live what mu
|
||||
because the websocket voice path may not be browser-reachable). Orchestrated probe2 running.
|
||||
Also in flight: n8n + lasuite-docs proofs from the A1-fixed tree. Queue: lasuite-drive, mattermost
|
||||
re-run; then ghost/hedgedoc/etc. healthy-class citations + dashboard/card check + runtime compare.
|
||||
|
||||
## 2026-06-11 ~06:40-07:15Z — mattermost solved via click-through; mumble settled as best-available; M2 assembled
|
||||
|
||||
mattermost: hook v1 (/login) produced a byte-identical interstitial PNG — mattermost shows the
|
||||
desktop-or-browser chooser on ANY first-visit route. Hook v2 clicks "View in Browser" (best-effort,
|
||||
suppress) → shot-proof3 PNG is the genuine "Log in to your account" form at L2=baseline. That's
|
||||
watch-list item 3 satisfied the hard way.
|
||||
|
||||
mumble: three live probes. probe4 (90s DOM+console watch): localization loads, NO errors, NO failed
|
||||
requests, connect-dialog selectors match nothing, page stays at loading-container forever. orch5:
|
||||
websockify serves everything (its own 404s on /ws,/websocket; config.local.js = untouched sample, no
|
||||
autoconnect). Conclusion: the pinned mumble-web:0.5 client never paints for an anonymous visitor —
|
||||
not a capture bug, not fixable harness-side without changing the deploy (guardrail says upstream).
|
||||
Filed DEFERRED (6104a99); claiming the loader frame as documented best-available. Voice = the
|
||||
recipe's function and is protocol-tested; the Adversary may still want a different disposition —
|
||||
their call at the gate.
|
||||
|
||||
Ops lessons this stretch: 3 simultaneous run launches race on abra catalogue fetch (lasuite-drive
|
||||
died "unable to update catalogue"; reran solo green) — stagger launches. Backgrounded one-shot ssh
|
||||
launchers with `cd X && nohup A & nohup B &` only cd for the first — give each its own cd.
|
||||
|
||||
M2 evidence: 10 fixed-class proof runs (table in BACKLOG-shot P4, every PNG Read by me), 2 of them
|
||||
real !testme drone builds (370/371, durations 198s/166s vs 199s/209s baselines — plausible FASTER
|
||||
since capture stops burning its 45s fail window), healthy-class cited from P1, dashboard grid/card/
|
||||
badge all 200. Claiming M2.
|
||||
|
||||
@ -4,34 +4,54 @@ SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-shot-screenshots.md
|
||||
|
||||
## Current section
|
||||
|
||||
Gate: M1 CLAIMED, awaiting Adversary.
|
||||
P1 audit matrix COMPLETE (all 19 enrolled recipes, every PNG visually inspected).
|
||||
P2 diagnoses COMPLETE (see BACKLOG-shot.md P2 — each with evidence).
|
||||
Meanwhile working (unblocked, pre-M2): P3 harness default-wait improvement + unit tests.
|
||||
Gate: M1 PASS (REVIEW-shot.md ae10b55). Finding A1 CLOSED (5fc8699).
|
||||
Gate: M2 CLAIMED, awaiting Adversary.
|
||||
|
||||
## M1 claim — verification map (WHAT/HOW/EXPECTED/WHERE)
|
||||
## M2 claim — verification map (WHAT/HOW/EXPECTED/WHERE)
|
||||
|
||||
WHAT: M1 = full audit matrix (19/19 enrolled recipes, BACKLOG-shot.md "P1 — Audit matrix") +
|
||||
root-cause diagnosis with evidence for every non-OK row (BACKLOG-shot.md "P2") + N/A candidates
|
||||
argued (bluesky-pds: blocked-upstream N/A; mumble: explicitly NOT an N/A — real web UI).
|
||||
Claimed at commit 8978fa6 (matrix+diagnoses) — claim commit follows.
|
||||
WHAT: every enrolled recipe (19) is OK or Adversary-agreed N/A; fixes merged to main; fresh proof
|
||||
runs incl. 2 via drone !testme; verdicts/levels/durations unaffected; screenshot path stays
|
||||
best-effort end-to-end (R7); no PNG shows credentials.
|
||||
|
||||
- Enrolled set (19): `ls tests/*/recipe_meta.py` minus fixtures `_generic, regression, concurrency,
|
||||
custom-html-bkp-bad, custom-html-rst-bad` (those first three have no recipe_meta.py; the two
|
||||
`-bad` ones do but are harness canaries).
|
||||
- Matrix: BACKLOG-shot.md "P1 — Audit matrix". Reproduce any row:
|
||||
`ssh cc-ci 'grep -o "\"screenshot\": *[^,}]*" /var/lib/cc-ci-runs/<run>/results.json; stat -c%s /var/lib/cc-ci-runs/<run>/screenshot.png'`
|
||||
then scp the PNG and Read it. Run ids are in the matrix "latest run" column.
|
||||
- plausible NULL evidence: Drone sqlite, build 357 ci step (step_id 947):
|
||||
`ssh cc-ci 'docker run --rm -v drone_ci_commoninternet_net_data:/data alpine sh -c "apk add -q sqlite; sqlite3 /data/database.sqlite \"select log_data from logs where log_id=947\"" | grep -o "screenshot[^\"]*"'`
|
||||
EXPECTED: `capture failed … last status=500` after 15 attempts/45s.
|
||||
- bluesky-pds NULL evidence: `grep '"install"' /var/lib/cc-ci-runs/m2rr-bluesky-pds/results.json`
|
||||
→ fail, level=0; capture is gated on deploy_ok (runner/run_recipe_ci.py:1024).
|
||||
- Default capture path under audit: runner/harness/screenshot.py:84-93 (domcontentloaded, no paint
|
||||
wait) — the BLANK/LOADING mechanism; accept_statuses excludes 500 — the plausible mechanism.
|
||||
- mumble web UI exists: tests/mumble/recipe_meta.py header (compose.mumbleweb.yml, HEALTH_PATH "/").
|
||||
- custom-html fresh install serves nginx default: no install_steps.sh in tests/custom-html/ (only
|
||||
pre_backup/pre_upgrade seeds in ops.py, which run AFTER the capture moment).
|
||||
Fix commits on main: ce50f64 (harness settle+blank-retry), 7ad7d1f (A1 keep-larger), b98a471
|
||||
(plausible SECRET_KEY_BASE 62→68ch — the real NULL root cause; no hook needed), 80e5713+3c33129
|
||||
(mattermost hook → /login + click "View in Browser"; public settle()). Unit: 207 pass
|
||||
(`cc-ci-run -m pytest tests/unit -q`), lint PASS (`nix develop .#lint --command scripts/lint.sh`).
|
||||
|
||||
HOW to verify per recipe — artifacts on cc-ci `/var/lib/cc-ci-runs/<run>/{results.json,
|
||||
screenshot.png,summary.html}`; scp the PNG and Read it. Full table with run dirs, levels
|
||||
(each = its baseline), exact PNG bytes, and what each image shows: BACKLOG-shot.md "P4 — Proof
|
||||
runs". Fixed-class proofs: immich=370 (drone !testme immich#2, posted 05:56:32Z), plausible=371
|
||||
(drone !testme plausible#3), keycloak, cryptpad, lasuite-meet, lasuite-docs, lasuite-drive, n8n,
|
||||
mattermost-lts (shot-proof3-* = hook v2 → real login form), mumble (best-available loader frame —
|
||||
see N/A-variant below). Healthy-class (ghost 444183B, hedgedoc 131967B, discourse 66121B,
|
||||
custom-html 35707B, custom-html-tiny 12950B, mailu 33800B, matrix-synapse 33296B,
|
||||
uptime-kuma 30858B): cite the P1-matrix artifacts (m2r-*/m2p-* dirs per P1 table) — plan §3 P4 allows
|
||||
existing artifact + visual check for class-3; all Read by Builder, all credential-free.
|
||||
|
||||
EXPECTED on re-run of any fixed recipe: results.json `screenshot: "screenshot.png"`, PNG ≥ ~26KB
|
||||
real app view (mumble excepted), level equal to that recipe's baseline (immich 4, plausible 4,
|
||||
keycloak 4, cryptpad 4, lasuite-* 4, n8n 4, mattermost-lts 2, mumble 4).
|
||||
|
||||
R7 / budget: wait components 45(nav, only-on-failure)+10(settle)+0.5+4(blank retry)+0.5 = 60s,
|
||||
unit-tested (test_wait_budget_within_step_cap); capture() still swallows everything → None →
|
||||
placeholder; double-wrapped at the call site (run_recipe_ci.py:1024-1037, unchanged).
|
||||
|
||||
Durations (drone, same recipe+PR pre/post): immich 199s→198s, plausible 209s→166s. Drone sqlite:
|
||||
`select build_id, build_finished-build_started from builds where build_id in (356,357,370,371)`.
|
||||
|
||||
Dashboard/card: `https://ci.commoninternet.net/` grid references runs/370+371 screenshot.png (both
|
||||
HTTP 200); summary.html embeds screenshot.png; /badge/immich.svg 200.
|
||||
|
||||
N/A + N/A-variant (need Adversary agreement at this gate):
|
||||
- bluesky-pds: unchanged upstream MODULE_NOT_FOUND breakage (DEFERRED.md, evidence
|
||||
ab-bluesky-pds-oldmain 2026-06-11, install=fail level=0) → capture correctly skipped, placeholder
|
||||
correct.
|
||||
- mumble: web client (rankenstein/mumble-web:0.5) never paints UI for an anonymous browser —
|
||||
≥90s observation, no console errors, no failed requests, connect-dialog DOM absent, no
|
||||
autoconnect overrides (probes: /tmp/mumble-probe{3,4}.out, /tmp/mumble-orch{4,5}.log on cc-ci).
|
||||
The 7980B loader frame IS the genuine anonymous web view; voice covered by protocol tests.
|
||||
DEFERRED.md entry filed (upstream question). Claimed as documented best-available, not a defect.
|
||||
|
||||
## Blocked
|
||||
|
||||
|
||||
Reference in New Issue
Block a user