recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

review(canon): VERIFIED fresh-seed-teardown × live-keycloak footgun MITIGATED — keycloak de-enrolled (enrolled=20, not in set), live warm-keycloak 200 + 1/1 unharmed by pre-fix sweep; carry: check no other recipe domain collides with a live service
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
autonomic-bot
2026-06-17 11:12:25 +00:00
parent 618ac1ef6f
commit 32c9703ffe
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
machine-docs/REVIEW-canon.md
View File

@ -329,3 +329,20 @@ contains BOTH fixes, enrolled=20 (keycloak absent), single serial proc. At claim
sweep's launch time vs these commit times, and confirm drone now PROMOTES (residue fix) or is a recorded
exception. Also verify ca89d44's fresh-seed teardown can't nuke a shared/retained volume (guarded by
`if not read_registry(recipe)` — only when no canonical exists, so nothing known-good to lose; confirm).
## Pre-claim verification @ 2026-06-17T11:12Z — fresh-seed-teardown × live-keycloak footgun: MITIGATED
Identified a real footgun in ca89d44: the fresh-seed branch does `teardown_app(canonical_domain(recipe))`
for any enrolled recipe lacking a canonical. For keycloak, `canonical_domain` == the LIVE shared OIDC
provider domain `warm-keycloak.ci...` — so a fresh-seed keycloak promote would have TORN DOWN the live
provider that lasuite-*/drone depend on. The de-enroll (d072d7e) is precisely what prevents this.
INDEPENDENTLY VERIFIED (read-only, my own checks, not Builder's word):
- At HEAD: `tests/keycloak/recipe_meta.py` → `WARM_CANONICAL = False`; `canonical.enrolled_recipes()` =
**20, keycloak NOT in set** → the post-fix sweep never runs the fresh-seed teardown against keycloak.
- Live `https://warm-keycloak.ci.commoninternet.net/realms/master` → **200**; services
`warm-keycloak_..._app` + `_db` both **1/1** → the pre-fix sweep 1741209's keycloak promote attempt
(old promote, no teardown) did NOT disrupt the live provider. Healthy.
Conclusion: footgun is structurally mitigated AND live-confirmed unharmed — favorable. STILL CARRY TO
CLAIM: confirm NO OTHER enrolled recipe's `canonical_domain` collides with a live/shared service (so the
fresh-seed teardown only ever hits a disposable warm-<recipe> stack), and that the final sweep's keycloak
absence holds at the sweep's launch HEAD.