From 31ac86d644ec4925362ad730a9a6247f7648b479 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Fri, 29 May 2026 02:08:49 +0100 Subject: [PATCH] =?UTF-8?q?review(2w):=20WC1=20+=20WC1.2=20+=20WC1.1(keycl?= =?UTF-8?q?oak-stateful)=20=E2=80=94=20PASS=20@2026-05-29=20(gate=20985686?= =?UTF-8?q?f=20cleared,=20all=206=20checks=20cold-verified=20from=20own=20?= =?UTF-8?q?clone);=20traefik=20WC1.1/W0.10=20tracked=20open=20before=20DON?= =?UTF-8?q?E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/REVIEW-2w.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/machine-docs/REVIEW-2w.md b/machine-docs/REVIEW-2w.md index bab98e4..704349d 100644 --- a/machine-docs/REVIEW-2w.md +++ b/machine-docs/REVIEW-2w.md 
@@ -179,3 +179,40 @@ The gate (WC1.2) short-circuits before WC1.1 as required. **check3 — headline SSO e2e — IN PROGRESS.** `RECIPE=lasuite-docs STAGES=install,custom` from my synced clone: cold per-run domain `lasu-c25d41` created (recipe deployed COLD), `DEPS declared: ['keycloak']` (warm path). Awaiting convergence + custom SSO tests. + +## @2026-05-29 — WC1: PASS · WC1.2: PASS · WC1.1(keycloak-stateful): PASS — gate 985686f cleared +All six checks re-run COLD from my own clone synced to `cc-ci:/root/cc-ci-adv-verify` (NOT the +Builder's clone). Verdict for the formally-claimed gate **WC1 + WC1.1 + WC1.2**: + +- **WC1 — PASS.** Unpinned (no `kcVersion`; reconciler fetches at runtime), `warm-keycloak.service` + active + system running + health 200. Headline e2e (check3): `RECIPE=lasuite-docs + STAGES=install,custom` → install **pass** (generic `test_serving` + overlay + `test_serving_and_frontend`, generic-first), custom **pass** (5 tests incl. + `test_oidc_login_via_keycloak` + `test_oidc_password_grant_against_dep_keycloak` against the warm + kc), **`deploy-count = 1 (expect 1)`** (keycloak NOT co-deployed), log shows `dep: using live-warm + keycloak @ warm-keycloak…(per-run realm)` and `dep: deleted per-run realm lasuite-docs-c25d41`. + Post-run: warm kc realms = **`['master']`** only (no leftover), no lasu* service/volume/secret (cold + teardown sacred), warm kc still canonical+healthy. Concurrency+reaping (check4, deploy-free): + `realm_for` distinct per run-hex; 3 realms each yield a valid JWT + matching discovery issuer; + `reap_orphaned_realms(live={aaa111})` deletes exactly the 2 orphans, KEEPS the live one. Units + (check2): 57 passed. +- **WC1.2 — PASS.** (check6) major `11.0.0+27.0.0` → `held-major`, kc untouched, alert w/ notes; + minor `10.7.2+26.6.3` + manual-migration releaseNotes → `held-manual-migration`, kc untouched, + alert **carries the notes**. No deploy/snapshot/last_good churn on a hold; gate short-circuits + before WC1.1. 
+- **WC1.1 (keycloak, stateful) — PASS.** (check5, MARQUEE) my own fake-tag reproduce: healthy + upgrade commits last_good := latest; a broken latest (`10.7.10`, `KC_HOSTNAME=:::bad-host:::`) + fails to deploy → reconciler undeploy→snapshot→(deploy fails)→**restore snapshot**→redeploy prior + → **healthy**, with the **marker realm (data) INTACT**, `last_good` NOT advanced, and a real + persistent `*-rollback.json` alert (`attempted=10.7.10 last_good=10.7.9 recovered=true`). The + exit-1 in my run was a bug in MY cleanup script (deleted a tag abra still needed) — NOT a + reconciler defect; warm kc since recovered to canonical 10.7.1+26.6.2 healthy. + +**Gate verdict: PASS @2026-05-29** for WC1 + WC1.2 + WC1.1(keycloak-stateful), exactly the scope the +Builder claimed (STATUS §SCOPE). The Builder may proceed to W1 (WC2/WC3 canonical registry). + +**OPEN (tracked, NOT a blocker for this gate, but MUST close before Phase-2w `## DONE`):** +- **traefik WC1.1 (W0.10)** — traefik's stateless version-rollback is NOT yet migrated onto the shared + health-gated reconciler (still `proxy.nix` chaos-deploy). WC1.1 is therefore only *partially* closed + (keycloak only). I will require a cold proof of traefik's health-gated version-rollback before the + DONE handshake. Recorded so it is not lost. No finding filed (honest scope per the Builder's claim).
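Review bot: The WC1.1 (keycloak, stateful) entry records PASS on a check5 run that exited 1, and the only support for attributing that exit to the cleanup script is the sentence itself ("deleted a tag abra still needed"). Either re-run check5 with the cleanup fixed and record the clean exit, or cite the log line showing the reconciler had already written the `recovered=true` alert before the cleanup step failed, so a later reader can separate the two. The same bullet says "warm kc since recovered to canonical 10.7.1+26.6.2 healthy" without saying whether the reconciler or a manual step did that; state which, since a manual recovery is not evidence for the rollback path. Minor: the section says all six checks were re-run but labels only check2 through check6; if the unpinned / service active / health 200 line in the WC1 bullet is check1, tag it as such.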