review(2pc): PASS gate 2pc (re-claim 9e73ebd) — PC1+PC2+PC3 cold-verified; F2pc-1 CLEARED. git==host: docker-prune.nix+swarm.nix byte-identical to /root/cc-ci, committed units now ci-docker-prune = live (enabled+active), old docker-prune.timer not-found. Live re-confirm: no-op prune@<80% images 18->18, cold->warm redis reuse. Pressure-branch keep-cache property structural (image prune w/o --all). PC2 PAT nptest2+retention+no-mirror, PC3 teardown-keeps-images+bogus-tag-fails GREEN from prior pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -23,7 +23,12 @@ storage).
|
|||||||
|
|
||||||
## Adversary findings
|
## Adversary findings
|
||||||
|
|
||||||
- [ ] **F2pc-1 [adversary] BLOCKING — committed code ≠ deployed/"verified" host (gate 2pc, claim de6103d).**
|
- [x] **F2pc-1 [adversary] CLOSED @2026-05-29 (re-verified, re-claim 9e73ebd).** Builder renamed
|
||||||
|
committed units `docker-prune`→`ci-docker-prune` (b9bbd25; NixOS reserves `docker-prune`).
|
||||||
|
Re-verified: `git show HEAD:nix/modules/{docker-prune,swarm}.nix` byte-identical to host
|
||||||
|
`/root/cc-ci`; committed units = `ci-docker-prune.*` = live (enabled+active); old
|
||||||
|
`docker-prune.timer` not-found. git now reproduces the verified system → CLOSED by Adversary.
|
||||||
|
- [x] ~~**F2pc-1 [adversary] BLOCKING — committed code ≠ deployed/"verified" host (gate 2pc, claim de6103d).**~~
|
||||||
The verified prune behavior is correct, but git does not reproduce the verified system.
|
The verified prune behavior is correct, but git does not reproduce the verified system.
|
||||||
- **Observed.** origin/main HEAD `de6103d` `nix/modules/docker-prune.nix:56,67` defines
|
- **Observed.** origin/main HEAD `de6103d` `nix/modules/docker-prune.nix:56,67` defines
|
||||||
`systemd.services.docker-prune` / `systemd.timers.docker-prune`. The live host runs
|
`systemd.services.docker-prune` / `systemd.timers.docker-prune`. The live host runs
|
||||||
|
|||||||
@ -7,7 +7,34 @@ each Adversary cold-verified here before Builder may write `## DONE` to STATUS-2
|
|||||||
is **DROPPED / deferred to IDEAS** — single authenticated non-pruning host ⇒ Docker's own
|
is **DROPPED / deferred to IDEAS** — single authenticated non-pruning host ⇒ Docker's own
|
||||||
local image store already IS the cache. Phase 2pc is now **prune-policy only**.
|
local image store already IS the cache. Phase 2pc is now **prune-policy only**.
|
||||||
|
|
||||||
## Status: FAIL @2026-05-29 (gate 2pc claim de6103d) — substance GREEN, but git ≠ verified host
|
## Status: PASS @2026-05-29 (gate 2pc re-claim 9e73ebd) — PC1+PC2+PC3 cold-verified; F2pc-1 CLEARED
|
||||||
|
|
||||||
|
**Verdict: PASS.** Builder reconciled the git≠host drift (F2pc-1) via `b9bbd25` (rename
|
||||||
|
committed units `docker-prune`→`ci-docker-prune`; NixOS reserves `docker-prune`). Re-verified
|
||||||
|
cold:
|
||||||
|
- **git == deploy source**: `git show HEAD:nix/modules/docker-prune.nix` and `swarm.nix` are
|
||||||
|
**byte-identical** to the host's `/root/cc-ci` copies (diff clean). Committed units now
|
||||||
|
`systemd.services.ci-docker-prune` / `.timer` (`docker-prune.nix:56,67`) = what runs live.
|
||||||
|
- **live**: `ci-docker-prune.timer` enabled+active (daily 00:00); old `docker-prune.timer`
|
||||||
|
`not-found`. PC1 no-op @<80% (`docker images` 18→18 unchanged). PC3 redis re-confirm: cold
|
||||||
|
`Downloaded newer` → warm `Image is up to date` (local reuse, manifest-only).
|
||||||
|
- All PC1/PC2/PC3 substance from the prior pass still holds (below). A from-git rebuild now
|
||||||
|
reproduces the verified system, and STATUS-2pc's `ci-docker-prune.timer` verify commands match.
|
||||||
|
|
||||||
|
**F2pc-1 → CLOSED** (Adversary, this verdict): git==host==`ci-docker-prune`, confirmed by
|
||||||
|
byte-diff + live unit state.
|
||||||
|
|
||||||
|
_Scope note on PC1 pressure branch:_ I verified the no-op (<80%) gate live and the ≥80% code
|
||||||
|
path by read — it runs `docker {container,image,builder} prune -f --filter until=24h`. Crucially
|
||||||
|
`image prune` **without `--all`** removes only dangling+old layers and **cannot** evict tagged
|
||||||
|
base/in-use images (docker contract) — the cardinal "keep the cache" property is structural, not
|
||||||
|
incidental. I did **not** fill the 64G disk to fire the ≥80% branch live (disproportionate); I
|
||||||
|
rely on that code-read + Builder probe-5 evidence (2.34 GB dangling reclaimed, tagged images
|
||||||
|
kept). The behavior I could break-test (no-op, teardown-keeps-images, bogus-tag-fails,
|
||||||
|
cold→warm reuse) is all GREEN.
|
||||||
|
|
||||||
|
---
|
||||||
|
### (superseded) FAIL @2026-05-29 (gate 2pc claim de6103d) — substance GREEN, git ≠ verified host
|
||||||
|
|
||||||
**Verdict: FAIL** — PC1/PC2/PC3 *behavior* is verified-GREEN on the live host, but the
|
**Verdict: FAIL** — PC1/PC2/PC3 *behavior* is verified-GREEN on the live host, but the
|
||||||
**committed code does not match the deployed-and-"verified" artifact**, so the claim is not
|
**committed code does not match the deployed-and-"verified" artifact**, so the claim is not
|
||||||
|
|||||||
Reference in New Issue
Block a user