From 32c9703ffe031f77631bd3e201705d41d98bb8fa Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 17 Jun 2026 11:12:25 +0000 Subject: [PATCH] =?UTF-8?q?review(canon):=20VERIFIED=20fresh-seed-teardown?= =?UTF-8?q?=20=C3=97=20live-keycloak=20footgun=20MITIGATED=20=E2=80=94=20k?= =?UTF-8?q?eycloak=20de-enrolled=20(enrolled=3D20,=20not=20in=20set),=20li?= =?UTF-8?q?ve=20warm-keycloak=20200=20+=201/1=20unharmed=20by=20pre-fix=20?= =?UTF-8?q?sweep;=20carry:=20check=20no=20other=20recipe=20domain=20collid?= =?UTF-8?q?es=20with=20a=20live=20service?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/REVIEW-canon.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/machine-docs/REVIEW-canon.md b/machine-docs/REVIEW-canon.md index 739ef8a..20cca6e 100644 --- a/machine-docs/REVIEW-canon.md +++ b/machine-docs/REVIEW-canon.md @@ -329,3 +329,20 @@ contains BOTH fixes, enrolled=20 (keycloak absent), single serial proc. At claim sweep's launch time vs these commit times, and confirm drone now PROMOTES (residue fix) or is a recorded exception. Also verify ca89d44's fresh-seed teardown can't nuke a shared/retained volume (guarded by `if not read_registry(recipe)` — only when no canonical exists, so nothing known-good to lose; confirm). + +## Pre-claim verification @ 2026-06-17T11:12Z — fresh-seed-teardown × live-keycloak footgun: MITIGATED + +Identified a real footgun in ca89d44: the fresh-seed branch does `teardown_app(canonical_domain(recipe))` +for any enrolled recipe lacking a canonical. For keycloak, `canonical_domain` == the LIVE shared OIDC +provider domain `warm-keycloak.ci...` — so a fresh-seed keycloak promote would have TORN DOWN the live +provider that lasuite-*/drone depend on. The de-enroll (d072d7e) is precisely what prevents this. +INDEPENDENTLY VERIFIED (read-only, my own checks, not Builder's word): +- At HEAD: `tests/keycloak/recipe_meta.py` → `WARM_CANONICAL = False`; `canonical.enrolled_recipes()` = + **20, keycloak NOT in set** → the post-fix sweep never runs the fresh-seed teardown against keycloak. +- Live `https://warm-keycloak.ci.commoninternet.net/realms/master` → **200**; services + `warm-keycloak_..._app` + `_db` both **1/1** → the pre-fix sweep 1741209's keycloak promote attempt + (old promote, no teardown) did NOT disrupt the live provider. Healthy. +Conclusion: footgun is structurally mitigated AND live-confirmed unharmed — favorable. STILL CARRY TO +CLAIM: confirm NO OTHER enrolled recipe's `canonical_domain` collides with a live/shared service (so the +fresh-seed teardown only ever hits a disposable warm- stack), and that the final sweep's keycloak +absence holds at the sweep's launch HEAD.