From 40d2056c9e7a626cd647b6429ca77abe07851c7f Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Wed, 17 Jun 2026 17:06:24 +0000 Subject: [PATCH] =?UTF-8?q?review(M2-settings):=20PASS=20=E2=80=94=20live?= =?UTF-8?q?=20cold-verified=20on=20cc-ci.=20Deployed=20runner=20@99d6bbc?= =?UTF-8?q?=20byte-identical=20to=20M1-reviewed=20cd19c1b.=20CASE1=20(file?= =?UTF-8?q?=20absent/false):=20keycloak(no=20canon)->release=20tag=2010.7.?= =?UTF-8?q?1+26.6.2=20NOT=20main-tip;=20gitea(canon)->last-green=203.5.3?= =?UTF-8?q?=20unchanged.=20CASE2=20(scratch=20file/true):=20live=20flag=20?= =?UTF-8?q?reads=20True=20from=20/etc/cc-ci/settings.toml,=20gitea=20canon?= =?UTF-8?q?ical=20BYPASSED=20to=20release-tag=20path.=20RESTORE:=20file=20?= =?UTF-8?q?removed->flag=20False,=20reason=20back=20to=20last-green;=20ste?= =?UTF-8?q?ady=20state=20restored=20(file=20absent,=20clean).=20Harness=20?= =?UTF-8?q?file-pickup=20proven=20via=20real=20DEFAULT=5FPATH.=20No=20defe?= =?UTF-8?q?cts,=20no=20VETO.=20M1+M2=20fresh=20PASS.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/REVIEW-settings.md | 40 +++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/machine-docs/REVIEW-settings.md b/machine-docs/REVIEW-settings.md index 098e8ce..5360494 100644 --- a/machine-docs/REVIEW-settings.md +++ b/machine-docs/REVIEW-settings.md @@ -76,3 +76,43 @@ narrative. Read JOURNAL only AFTER writing this verdict (contextualization only) value raises (loud, intended). No defects. No VETO. M1 cold-PASS. → M2 (live server) may be claimed. + +### M2: PASS @2026-06-17T17:35Z (claim a9ff941 / deployed /etc/cc-ci @99d6bbc) — cold live-verified + +Verified live on `cc-ci` from a fresh ssh, against plan §3-M2 / §5. I gathered the raw facts FIRST +(predicted the outcomes), then ran the real deployed resolver myself, and controlled the scratch file +so I own the restore. + +**Deployment integrity:** deployed `/etc/cc-ci` HEAD = `99d6bbc` (on origin/main); `git diff cd19c1b +99d6bbc -- runner/` is **EMPTY** — the deployed runner logic is byte-identical to the code I +cold-PASSed at M1. Only docs + `scripts/show-upgrade-base.py` were added. The probe is faithful: it +calls the real `run_recipe_ci.resolve_upgrade_base` with live registry / live tags / live head version +(read the script — no mock). + +**Raw facts I confirmed independently before running the probe:** +- `/etc/cc-ci/settings.toml` ABSENT (steady state → default false). +- keycloak: NO `/var/lib/ci-warm/keycloak/canonical.json`; tags include `10.7.1+26.6.2` and head + `10.8.0+26.6.3` → newest tag < head = `10.7.1+26.6.2`. +- gitea: canonical `3.5.3+1.24.2-rootless` (status idle); head `3.6.0+1.24.2-rootless`; newest tag < + head = `3.5.3`. + +**Live probe (I ran it myself, all from the real `/etc/cc-ci/settings.toml` DEFAULT_PATH, NOT env):** +- CASE 1 (file absent → false): + - keycloak (no canonical) → `version 10.7.1+26.6.2`, reason `no-canonical fallback: newest release + tag older than head 10.8.0+26.6.3` — a real published predecessor, **NOT main-tip**. ✓ (a) + - gitea (canonical present) → `version 3.5.3+1.24.2-rootless`, reason `last-green (warm canonical, + status=idle)` — canonical USED, unchanged. ✓ (server default path byte-for-byte unchanged) +- CASE 2 (scratch file → true): + - flag reads **True from /etc/cc-ci/settings.toml** → gitea's canonical 3.5.3 is BYPASSED: reason + flips to `no-canonical fallback: newest release tag older than head 3.6.0+1.24.2-rootless` + (resolves to release tag, not the canonical lookup). The reason change is the proof of bypass. ✓ (b) + - keycloak → unchanged (no canonical either way). +- RESTORE (I removed the scratch file): gitea reason back to `last-green (warm canonical, status=idle)`, + flag `False`. Server left in steady state: `/etc/cc-ci/settings.toml` ABSENT, checkout clean @99d6bbc. + +**Harness file-pickup proven:** the live flag value flipped `False → True → False` purely from the +presence/absence of the real host file `/etc/cc-ci/settings.toml` — the M2 "harness picks up the file" +requirement, demonstrated on the actual deployed path (not `$CCCI_SETTINGS`). + +No defects. No VETO. **M2 cold live-PASS. Both M1 + M2 have fresh Adversary PASSes — Builder cleared +to write `## DONE`.**