diff --git a/machine-docs/REVIEW-1d.md b/machine-docs/REVIEW-1d.md index 3eb82fd..5a8c594 100644 --- a/machine-docs/REVIEW-1d.md +++ b/machine-docs/REVIEW-1d.md 
@@ -133,6 +133,62 @@ when pinned, chaos only for version=None; `do_upgrade` asserts the deployment MO --- +## G4 / DG6+DG7+DG8 — **PASS** @2026-05-28 — and FINAL DONE sign-off (DG1–DG8) + +**Claim:** DG6 `!testme` e2e on an unconfigured recipe via the real pipeline + per-op reporting; DG7 +no-regression migration / DRY / teardown-always; DG8 docs; → ready for ## DONE. + +### DG6 — independently cold-verified with my OWN `!testme` (not the Builder's build #153) +Posted `!testme` (comment 13752, autonomic-bot = org member) AND `!testmexyz` (13754) on hedgedoc +PR#1. Evidence: +- *Trigger (DG1 path):* bridge poller — `[poll] triggered build 154 for hedgedoc@441c411c (PR #1, + comment 13752) by autonomic-bot` (<60s). REF=441c411c = the PR HEAD (tested code at PR head). +- *`!testmexyz` did NOT trigger:* only ONE new build (154) appeared, attributed to comment 13752; + latest build remains 154 (no 155) — exact-match trigger holds (bridge code: `body.strip()!="!testme"`). +- *Full generic suite through the REAL pipeline:* build 154 = **success**; all four TIER lines read + `(generic: tests/_generic/test_.py)` (hedgedoc has no overlays → "no overlay ⇒ generic" proven + e2e). Per-op RUN SUMMARY (in the published Drone log): `deploy-count=1 · install:pass · upgrade:pass + · backup:pass · restore:pass · custom:skip`. +- *Teardown (DG7 every-run-undeploys):* post-run node — no hedgedoc service/volume/env, no run-app orphans. +- *Outcome reflected to PR (D7):* the bridge edited the PR comment → `cc-ci: run for hedgedoc @ + 441c411c ✅ passed → …/154`. + +### DG7 — real / DRY / clean / teardown-always +- *No softened/skip/xfail/can't-fail assertions:* smell scan across all overlays clean (the only + `skip` is the N/A docstring; the only `# assert` lines are descriptive comments). Spot-audited + matrix-synapse (postgres marker original→drop→verify-gone) + custom-html (volume marker) + generic + tiers — all real. 
The two can't-fail smells I had flagged are resolved: F1d-1 (cert reframed honest), + F1d-2 (vacuous upgrade now guarded by the move-assertion, verified to RAISE on a no-op). +- *DRY:* lifecycle OPS live in the shared harness (`harness/generic.py` + `tests/_generic/`); overlays + are thin assertion-only files reusing the generic by composition. Migrated recipes + (keycloak/cryptpad/matrix-synapse/n8n/lasuite-docs) collect individually + follow the contract; the + whole-tree `pytest tests/` collision is a benign duplicate-basename artifact (orchestrator runs each + tier file individually; docs instruct `pytest tests/unit` only — never whole-tree). No regression. +- *Teardown always / deploy-once:* every run I drove (hedgedoc generic, custom-html overlays, + custom-html-tiny hook, build 154 e2e) ended deploy-count=1 + clean teardown. + +### DG8 — docs +`docs/testing.md` is complete + accurate: tier model, generic defaults, override/extend precedence +(repo-local>cc-ci>generic), install-steps hook + graceful-generic rule, how to add an overlay, +`recipe_meta` knobs. Correctly reflects F1d-1 (cert = infra sanity only) + F1d-2 (move-assertion) and +encodes the DG7 rule ("Never weaken or skip an assertion — a red tier is information"). + +### Secret-leak (carry-forward D6) — CLEAN +Per-line grep of build 154's published Drone log for every `/run/secrets/*` value (incl. the wildcard +**private key** + cert): **zero** hits. Dashboard html: **zero**. (First grep pass mis-handled the +PEM leading-dashes; re-run correctly = clean.) + +### Honest limitation +Non-member rejection was NOT re-tested live this phase (I have no non-member account to comment with). +It is confirmed by code (`is_authorized` → `GET /orgs/{owner}/members/{user}`==204, fail-closed; +bridge unchanged from Phase-1's live verification) — not a Phase-1d deliverable, recorded for honesty. 
+ +### FINAL: DG1–DG8 all Adversary cold-verified PASS within 24h — NO VETO +DG1 PASS · DG2 PASS · DG3 PASS · DG4 PASS · DG4.1 PASS · DG5 PASS · DG6 PASS · DG7 PASS · DG8 PASS. +Findings F1d-1 + F1d-2 both CLOSED. **Builder is cleared to write `## DONE` to STATUS-1d.md.** + +--- + ## G3 / DG5 (+DG3 N/A-skip) — **PASS** @2026-05-28 (install-steps hook + graceful-generic) **Claim:** custom-html-tiny generic install FAILS without `install_steps.sh` (graceful, per-op) and
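Review bot: In the "Secret-leak (carry-forward D6)" section, the "zero hits" result is recorded without the command that produced it, even though the same paragraph says the first grep pass mis-handled the PEM leading dashes. Please record the corrected invocation (fixed-string matching, with each pattern passed via `-e` or after `--` so a leading `-----` is not parsed as an option) and how many secret values and PEM lines were searched, so a reader can tell a clean log from a pattern that silently matched nothing. Separately, the "Honest limitation" paragraph accepts non-member rejection from code reading alone (`is_authorized`, fail-closed), while the FINAL section reports everything as cold-verified; a short cross-reference next to the FINAL line saying the authorization path was not exercised live in this phase would keep the sign-off from being read as broader than the evidence.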