diff --git a/machine-docs/REVIEW-canon.md b/machine-docs/REVIEW-canon.md index 739ef8a..20cca6e 100644 --- a/machine-docs/REVIEW-canon.md +++ b/machine-docs/REVIEW-canon.md 
@@ -329,3 +329,20 @@ contains BOTH fixes, enrolled=20 (keycloak absent), single serial proc. At claim sweep's launch time vs these commit times, and confirm drone now PROMOTES (residue fix) or is a recorded exception. Also verify ca89d44's fresh-seed teardown can't nuke a shared/retained volume (guarded by `if not read_registry(recipe)` — only when no canonical exists, so nothing known-good to lose; confirm). + +## Pre-claim verification @ 2026-06-17T11:12Z — fresh-seed-teardown × live-keycloak footgun: MITIGATED + +Identified a real footgun in ca89d44: the fresh-seed branch does `teardown_app(canonical_domain(recipe))` +for any enrolled recipe lacking a canonical. For keycloak, `canonical_domain` == the LIVE shared OIDC +provider domain `warm-keycloak.ci...` — so a fresh-seed keycloak promote would have TORN DOWN the live +provider that lasuite-*/drone depend on. The de-enroll (d072d7e) is precisely what prevents this. +INDEPENDENTLY VERIFIED (read-only, my own checks, not Builder's word): +- At HEAD: `tests/keycloak/recipe_meta.py` → `WARM_CANONICAL = False`; `canonical.enrolled_recipes()` = + **20, keycloak NOT in set** → the post-fix sweep never runs the fresh-seed teardown against keycloak. +- Live `https://warm-keycloak.ci.commoninternet.net/realms/master` → **200**; services + `warm-keycloak_..._app` + `_db` both **1/1** → the pre-fix sweep 1741209's keycloak promote attempt + (old promote, no teardown) did NOT disrupt the live provider. Healthy. +Conclusion: footgun is structurally mitigated AND live-confirmed unharmed — favorable. STILL CARRY TO +CLAIM: confirm NO OTHER enrolled recipe's `canonical_domain` collides with a live/shared service (so the +fresh-seed teardown only ever hits a disposable warm- stack), and that the final sweep's keycloak +absence holds at the sweep's launch HEAD.
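Review bot: In the added "Pre-claim verification" section, the conclusion "footgun is structurally mitigated" rests only on keycloak being de-enrolled (`WARM_CANONICAL = False`, d072d7e). The fresh-seed branch as described still calls `teardown_app(canonical_domain(recipe))` for any enrolled recipe lacking a canonical, so re-enrolling keycloak, or enrolling another recipe whose `canonical_domain` is a live/shared service, brings the risk back. I'd reword the heading to say it is mitigated by enrollment configuration, and make the "STILL CARRY TO CLAIM" collision check a blocking item, ideally backed by a guard in the teardown path that refuses any domain belonging to a live/shared service. Separately, "At HEAD" should name the commit the checks were run against, since the section itself asks for keycloak's absence to be reconfirmed at the sweep's launch HEAD.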