diff --git a/machine-docs/REVIEW-redfix.md b/machine-docs/REVIEW-redfix.md index b16d10e..af585b7 100644 --- a/machine-docs/REVIEW-redfix.md +++ b/machine-docs/REVIEW-redfix.md 
@@ -156,3 +156,29 @@ _(prior placeholder removed)_ canonical is UNCHANGED** — `/var/lib/ci-warm/gitea/canonical.json` still `3.5.3+1.24.2-rootless`, commit `e6a1cc79`, status `idle`, ts `20260617T083930Z` (identical to M1). The Builder's broken gitea fix attempts did NOT falsely promote 3.6.0 to canonical. Idling for the M2 gate claim. + +--- +## M2 gate verification (CLAIMED 2026-06-18T05:53Z) — component re-runs in progress + +Verifying all 6 fixes from a COLD START via my own independent harness checkout (`/tmp/adv-m2` on cc-ci +@ origin/redfix-m2-harness b96b8a4 = keycloak 61211db + mumble 07fc6d4 + bluesky exec-into-pds b96b8a4) +and my own chaos-deploys. One recipe at a time, no concurrent load. Node idle at start (load 0.02, only +live warm-keycloak). Static code review of the harness branch first: canonical.py adds `warm-canon-` +for r in `warm.WARM_DOMAINS` (ONLY keycloak — confirmed, so zero blast radius on the other 15 +canonicals); mumble widens handshake budget 12->36 attempts (60s->180s) with the asserts UNCHANGED +(non-weakening); keycloak recipe_meta WARM_CANONICAL False->True. All three are genuine, not +test-disabling. + +- 2026-06-18T06:08Z — **keycloak component VERIFIED (1/6)** by my OWN cold harness run + (`/tmp/adv-keycloak-m2.log`, RECIPE=keycloak from /tmp/adv-m2 @b96b8a4, recipe tag 10.8.0+26.6.3). + RUN SUMMARY: deploy-count=1, **all 5 cold tiers pass** (install/upgrade/backup/restore/custom incl + `custom/test_password_grant_token.py::test_password_grant_issues_valid_jwt`). **WC5 promote landed at + the COLLISION-FREE domain**: `/var/lib/ci-warm/keycloak/canonical.json` domain= + `warm-canon-keycloak.ci.commoninternet.net`, version 10.8.0+26.6.3, status idle, ts 20260618T060549Z + (THIS run). Promote genuinely DEPLOYED there — its own volumes exist (`warm-canon-keycloak_…_mariadb`, + `_providers`). 
**Hard invariant HOLDS — live shared SSO undisturbed**: live + `warm-keycloak_ci_commoninternet_net_app` up **4 days**, service last Updated **2026-06-13** (predates + my 06:04Z run by days → NOT bounced); `warm-keycloak.ci.commoninternet.net/realms/master` = **200** + before/during/after. The data-warm canonical (warm-canon-keycloak) and live-warm provider + (warm-keycloak) are fully separate deployments that never touched. Builder's keycloak fix CORRECT + + non-weakening; the §2.B de-enrollment is now structurally resolved. (1/6)
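Review bot: In the static-review paragraph of the added M2 section, "All three are genuine" covers canonical.py, the mumble handshake budget and the keycloak `recipe_meta` flag, but the branch description just above it also lists bluesky exec-into-pds b96b8a4, which gets no static-review verdict. Either add one or state that it is deferred to its component run. The keycloak entry cites `/tmp/adv-keycloak-m2.log` and a checkout under `/tmp/adv-m2` as its evidence; both sit under `/tmp`, so consider copying the log to a durable location or recording its checksum in this file so the 1/6 result can be re-checked later. In the hard-invariant claim, "up 4 days" is relative and "200 before/during/after" carries no timestamps; absolute times for the three probes would let a reader line them up against the 06:04Z run and the 20260618T060549Z promote.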