From 3bdd5d143bdea563d1fa18ca52d160f8c0625664 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 17 Jun 2026 07:11:34 +0000 Subject: [PATCH] =?UTF-8?q?review(M1):=20PASS=20=E2=80=94=20tagged-gate=20?= =?UTF-8?q?+=20trigger=20+=20mirror-sync=20+=20all-21-enrolled=20+=20weekl?= =?UTF-8?q?y=20timer=20cold-verified;=20live=20canonical=20records=20tag?= =?UTF-8?q?=20commit=20df2e273;=20295=20unit=20pass=20from=20fresh=20clone?= =?UTF-8?q?.=20No=20VETO?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/REVIEW-canon.md | 73 ++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/machine-docs/REVIEW-canon.md b/machine-docs/REVIEW-canon.md index 4aff214..8ce959e 100644 --- a/machine-docs/REVIEW-canon.md +++ b/machine-docs/REVIEW-canon.md 
@@ -77,3 +77,76 @@ when claimed: - **Still owed for M1 claim:** M1.2 `sweep_decision(recipe, latest_tag, canon_version)` → run|skip:no-new-version|skip:never-released keyed on `version_key` NOT commit; mirror-sync via `open-recipe-pr.sh --reconcile-only` (faithful, vendored); cold-run ON THE TAG. Unit tests for all. + +--- + +## M1: PASS @ 2026-06-17T07:12Z — machinery cold-verified (claim 626badd, code @ d4cc9e4) + +Verified from a COLD start: my own clone for code/pure-logic, a fresh independent clone on cc-ci +(`/tmp/adv-canon` @ 626badd) for the unit suite, and a cold `ssh cc-ci` for live state. I did NOT +read JOURNAL-canon.md before forming this verdict. Every M1 sub-claim re-derived against the plan, +not the Builder's narrative. + +**M1.1 tagged-promote gate (§2.A) — PASS.** +- Code: `should_promote_canonical` returns `is_enrolled and overall==0 and not quick and not ref and + tagged`; caller computes `tagged = is_released_version(recipe, head_version)`; `promote_canonical` + now records the TESTED `head_version` (commit d4cc9e4), not a re-derived `latest_version`. My prior + PROBE (head_version-vs-latest_version divergence on a manual `RECIPE=` run) is CLOSED by d4cc9e4 + — read the diff, it promotes exactly the tested version. +- Unit: ran `tests/unit/test_promote.py` myself in the fresh cc-ci clone — all 6 pass, each gate + clause individually exercised (`test_no_promote_when_untagged` asserts `tagged=False → False`; + all-conditions asserts `tagged=True → True`). Not hollow. +- Live PROMOTE: re-derived `git rev-list -n1 1.13.0+1.31.1` = `df2e27339f983a25da548fc8b8d56e9af8645f83` + and `/var/lib/ci-warm/custom-html/canonical.json` records EXACTLY that commit + version + `1.13.0+1.31.1`, status idle, retained volume `warm-custom-html_..._content` present. So the promote + recorded the tag's own commit (correcting samever's earlier `2b82eba` merge-commit record) — the + divergence fix is live-proven, not just unit-tested. 
+- Live UNTAGGED → NO PROMOTE: independently confirmed `1.13.1+1.31.1` is `NOT-A-TAG` in the custom-html + clone → `is_released_version` returns False → gate blocks. canonical.json is unchanged (still + df2e273). The full live tagged-vs-untagged e2e is M2.4; at M1 the code + unit + live-not-a-tag + + unchanged-canonical chain is sufficient. + +**M1.2 release-tag trigger + faithful mirror-sync (§2.C/§2.D) — PASS.** +- `sweep_decision` re-derived directly (no pytest) — truth table exactly right and VERSION-keyed, not + commit-keyed: new>canon→run; equal→skip no-new-version; older→skip; no tag→skip never-released; no + canon→run(seed). The function takes only (latest_tag, canon_version) — it CANNOT see commits, so new + untagged commits on `main` can never trigger a run. That IS the operator's refinement. +- `scripts/recipe-mirror-sync.sh` read in full: pins an explicit coopcloud `upstream` remote, force- + syncs mirror `main := upstream/main` + all tags, pushes NOTHING of our own. PR close is gated on + `git merge-tree --write-tree NEW_MAIN_SHA ` == upstream `MAIN_TREE` (i.e. the PR's merge is + a no-op because it's already in upstream) → close; otherwise "left as-is". Faithful, never merges, + never disturbs unrelated PRs. +- `nightly_sweep.sweep()` wiring read: per enrolled recipe `mirror_sync → fetch_recipe → + sweep_decision → run_on_tag` (checkout the release tag + `CCCI_SKIP_FETCH=1` so head IS the tag → + tagged-gate passes; REF popped → cold → promote allowed). Pure script. + +**M1.3 all recipes enrolled (§2.B) — PASS.** My `grep -rl 'WARM_CANONICAL = True'` set is EXACTLY the +21 `used-recipes.md` rows (incl. `uptime-kuma`, the lone `external` row — correctly enrolled for +CI/canonical even though excluded from weekly upgrade). Fixtures (`custom-html-*-bad`, `concurrency`, +`regression`) NOT enrolled. 
+ +**M1.4 hollow-sweep fix — PASS (code; live is M2.1).** `nix/modules/nightly-sweep.nix` exports +`CCCI_REPO=/etc/cc-ci`, `cd`s there, and execs `$CCCI_REPO/runner/nightly_sweep.py` — the checkout WITH +`tests/`, replacing the store copy whose missing `tests/` caused `enrolled_recipes()=[]`. Root cause +correctly addressed in code. ⚠️ CARRIED TO M2: `/etc/cc-ci` is currently STALE — `git -C /etc/cc-ci` +HEAD is `e60415d` (Phase-3 era), canon code NOT yet there. M2.1 deploy MUST `git -C /etc/cc-ci pull` +before `nixos-rebuild`, else the deployed timer stays hollow. I will verify the pull + a real fire at +M2.5. + +**M1.5 weekly timer (§2.F) — PASS (code).** `OnCalendar = "Sun *-*-* 03:00:00"`, `Persistent = true`. +Deployed-timer schedule verified at M2. + +**Guardrail NO-AI-at-runtime — PASS.** grep of `nightly_sweep.py` / `warm_reconcile.py` / +`recipe-mirror-sync.sh` for anthropic|claude|openai|llm|gpt|ai_ → only one code COMMENT match, zero +calls. Pure script + systemd timer. + +**Full unit suite — PASS.** Ran `cc-ci-run -m pytest tests/unit/` in the fresh independent cc-ci clone +@ 626badd → **295 passed in 5.60s**, matching the claim. Enrolling 21 recipes broke nothing. + +**Minor narrative note (not a defect):** the claim cites proof-A ts `065027Z` but live canonical ts is +`065532Z`; promoting the same tag again yields the same version+commit (only ts moves), so this is a +benign re-run, not a divergence — the recorded version/commit are correct either way. + +**Verdict: M1 PASS.** No VETO. All M1 DoD items cold-verified; the deployed-state items (M1.4 live, +M1.5 timer schedule) are honestly scoped by the Builder to M2 and I will hold them there. (Consulted +JOURNAL-canon.md only AFTER writing this verdict: no surprises — confirms the proof-A/C sequence.)
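Review bot: In the M1.2 section, "VERSION-keyed, not commit-keyed" is recorded only as a strength, but together with a mirror-sync that force-syncs "all tags" it leaves a re-pointed upstream tag unexamined. `sweep_decision` takes only `(latest_tag, canon_version)`, so if an already-promoted tag such as `1.13.0+1.31.1` were moved to a different commit upstream, the truth table gives equal → skip no-new-version while `canonical.json` still records `df2e273`. Please state whether that case is in scope for M1 or M2. If it is, the sweep could compare `git rev-list -n1 <tag>` with the commit stored in `canonical.json` and report a mismatch instead of skipping silently. Separately, in M1.4 the carried action "`git -C /etc/cc-ci pull` before `nixos-rebuild`" is unpinned. The M2.5 check would be stronger if it asserted that `/etc/cc-ci` HEAD contains the reviewed code commit `d4cc9e4`, rather than only that a pull happened.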