review(1d): G4 PASS + FINAL sign-off — DG1-DG8 all Adversary cold-verified, NO VETO
DG6 cold-verified with my OWN !testme (build 154, not the Builder's #153): poller triggered <60s (comment 13752), !testmexyz (13754) triggered nothing, all 4 tiers GENERIC e2e, per-op report install/upgrade/backup/restore=pass custom=skip, deploy-count=1, clean teardown, PR comment ✅ passed. DG7 clean (no softened/skip/xfail; DRY shared harness; teardown always; F1d-1+F1d-2 resolved). DG8 docs/testing.md complete+accurate. Secret-leak grep (incl. wildcard PRIVATE KEY) on build 154 log + dashboard = ZERO. Non-member rejection confirmed by code (no live account; Phase-1 carry-forward). DG1-DG8 all PASS <24h, F1d-1+F1d-2 CLOSED, no VETO — Builder cleared to write ## DONE. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -133,6 +133,62 @@ when pinned, chaos only for version=None; `do_upgrade` asserts the deployment MO
|
||||
|
||||
---
|
||||
|
||||
## G4 / DG6+DG7+DG8 — **PASS** @2026-05-28 — and FINAL DONE sign-off (DG1–DG8)
|
||||
|
||||
**Claim:** DG6 `!testme` e2e on an unconfigured recipe via the real pipeline + per-op reporting; DG7
|
||||
no-regression migration / DRY / teardown-always; DG8 docs; → ready for ## DONE.
|
||||
|
||||
### DG6 — independently cold-verified with my OWN `!testme` (not the Builder's build #153)
|
||||
Posted `!testme` (comment 13752, autonomic-bot = org member) AND `!testmexyz` (13754) on hedgedoc
|
||||
PR#1. Evidence:
|
||||
- *Trigger (DG1 path):* bridge poller — `[poll] triggered build 154 for hedgedoc@441c411c (PR #1,
|
||||
comment 13752) by autonomic-bot` (<60s). REF=441c411c = the PR HEAD (tested code at PR head).
|
||||
- *`!testmexyz` did NOT trigger:* only ONE new build (154) appeared, attributed to comment 13752;
|
||||
latest build remains 154 (no 155) — exact-match trigger holds (bridge code: `body.strip()!="!testme"`).
|
||||
- *Full generic suite through the REAL pipeline:* build 154 = **success**; all four TIER lines read
|
||||
`(generic: tests/_generic/test_<op>.py)` (hedgedoc has no overlays → "no overlay ⇒ generic" proven
|
||||
e2e). Per-op RUN SUMMARY (in the published Drone log): `deploy-count=1 · install:pass · upgrade:pass
|
||||
· backup:pass · restore:pass · custom:skip`.
|
||||
- *Teardown (DG7 every-run-undeploys):* post-run node — no hedgedoc service/volume/env, no run-app orphans.
|
||||
- *Outcome reflected to PR (D7):* the bridge edited the PR comment → `cc-ci: run for hedgedoc @
|
||||
441c411c ✅ passed → …/154`.
|
||||
|
||||
### DG7 — real / DRY / clean / teardown-always
|
||||
- *No softened/skip/xfail/can't-fail assertions:* smell scan across all overlays clean (the only
|
||||
`skip` is the N/A docstring; the only `# assert` lines are descriptive comments). Spot-audited
|
||||
matrix-synapse (postgres marker original→drop→verify-gone) + custom-html (volume marker) + generic
|
||||
tiers — all real. The two can't-fail smells I had flagged are resolved: F1d-1 (cert reframed honest),
|
||||
F1d-2 (vacuous upgrade now guarded by the move-assertion, verified to RAISE on a no-op).
|
||||
- *DRY:* lifecycle OPS live in the shared harness (`harness/generic.py` + `tests/_generic/`); overlays
|
||||
are thin assertion-only files reusing the generic by composition. Migrated recipes
|
||||
(keycloak/cryptpad/matrix-synapse/n8n/lasuite-docs) collect individually + follow the contract; the
|
||||
whole-tree `pytest tests/` collision is a benign duplicate-basename artifact (orchestrator runs each
|
||||
tier file individually; docs instruct `pytest tests/unit` only — never whole-tree). No regression.
|
||||
- *Teardown always / deploy-once:* every run I drove (hedgedoc generic, custom-html overlays,
|
||||
custom-html-tiny hook, build 154 e2e) ended deploy-count=1 + clean teardown.
|
||||
|
||||
### DG8 — docs
|
||||
`docs/testing.md` is complete + accurate: tier model, generic defaults, override/extend precedence
|
||||
(repo-local>cc-ci>generic), install-steps hook + graceful-generic rule, how to add an overlay,
|
||||
`recipe_meta` knobs. Correctly reflects F1d-1 (cert = infra sanity only) + F1d-2 (move-assertion) and
|
||||
encodes the DG7 rule ("Never weaken or skip an assertion — a red tier is information").
|
||||
|
||||
### Secret-leak (carry-forward D6) — CLEAN
|
||||
Per-line grep of build 154's published Drone log for every `/run/secrets/*` value (incl. the wildcard
|
||||
**private key** + cert): **zero** hits. Dashboard html: **zero**. (First grep pass mis-handled the
|
||||
PEM leading-dashes; re-run correctly = clean.)
|
||||
|
||||
### Honest limitation
|
||||
Non-member rejection was NOT re-tested live this phase (I have no non-member account to comment with).
|
||||
It is confirmed by code (`is_authorized` → `GET /orgs/{owner}/members/{user}`==204, fail-closed;
|
||||
bridge unchanged from Phase-1's live verification) — not a Phase-1d deliverable, recorded for honesty.
|
||||
|
||||
### FINAL: DG1–DG8 all Adversary cold-verified PASS within 24h — NO VETO
|
||||
DG1 PASS · DG2 PASS · DG3 PASS · DG4 PASS · DG4.1 PASS · DG5 PASS · DG6 PASS · DG7 PASS · DG8 PASS.
|
||||
Findings F1d-1 + F1d-2 both CLOSED. **Builder is cleared to write `## DONE` to STATUS-1d.md.**
|
||||
|
||||
---
|
||||
|
||||
## G3 / DG5 (+DG3 N/A-skip) — **PASS** @2026-05-28 (install-steps hook + graceful-generic)
|
||||
|
||||
**Claim:** custom-html-tiny generic install FAILS without `install_steps.sh` (graceful, per-op) and
|
||||
|
||||
Reference in New Issue
Block a user