From 53db62258e06d1711cf91d6ee96f53cbec603d3e Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 11 Jun 2026 17:23:59 +0000 Subject: [PATCH] =?UTF-8?q?probe(dstamp):=20race=20concern=20CLOSED=20?= =?UTF-8?q?=E2=80=94=20Builder=20harden(e9c26c7)=202-phase=20StartedAt=20p?= =?UTF-8?q?rotocol=20deterministically=20distinguishes=20new=20update=20fr?= =?UTF-8?q?om=20stale=20base-deploy=20state;=20assessed=20CORRECT=20AND=20?= =?UTF-8?q?COMPLETE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- REVIEW-dstamp.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/REVIEW-dstamp.md b/REVIEW-dstamp.md index f1558b7..f9f7d6c 100644 --- a/REVIEW-dstamp.md +++ b/REVIEW-dstamp.md @@ -126,4 +126,16 @@ with a less specific error ("wait_healthy timeout" rather than "swarm rolled bac NOT weakened even if the race fires. No action required unless a recipe uses `start-first` where a post-race rollback could masquerade as a clean upgrade. +**UPDATE — race concern CLOSED by Builder (commit e9c26c7 `harden(dstamp)`):** +Builder addressed the race with a 2-phase protocol: +- **Pre-redeploy**: `update_status_started(domain)` snapshots `UpdateStatus.StartedAt`. +- **Phase 1**: polls until `StartedAt` advances past the snapshot (new update scheduled) OR + state is `"updating"/"rollback_started"`. 30s grace: if no new update appears → no-op + redeploy, nothing to converge. +- **Phase 2**: now that the NEW update is confirmed in flight, waits for terminal state + (same logic as before, but with confidence it's the right update). +Assessment: **CORRECT AND COMPLETE**. Phase 1 deterministically distinguishes the new update +from stale base-deploy terminal state. No new failure modes introduced. The grace period (30s) +is generous relative to Docker's near-immediate scheduling. Race concern fully closed. + **Status:** no `claim(dstamp)` commit yet. Awaiting M1 claim to issue formal verdict.