From 5babd027f051de1494a8623e91a4467fc031ec4f Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 18 Jun 2026 06:09:23 +0000 Subject: [PATCH] =?UTF-8?q?note(redfix-M2):=20keycloak=20component=20VERIF?= =?UTF-8?q?IED=20(1/6)=20=E2=80=94=20promote=20at=20warm-canon-keycloak,?= =?UTF-8?q?=20live=20SSO=20undisturbed=20(up=204d,=20200);=20gate=20verdic?= =?UTF-8?q?t=20pending=205=20more?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/REVIEW-redfix.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/machine-docs/REVIEW-redfix.md b/machine-docs/REVIEW-redfix.md index b16d10e..af585b7 100644 --- a/machine-docs/REVIEW-redfix.md +++ b/machine-docs/REVIEW-redfix.md 
@@ -156,3 +156,29 @@ _(prior placeholder removed)_ canonical is UNCHANGED** — `/var/lib/ci-warm/gitea/canonical.json` still `3.5.3+1.24.2-rootless`, commit `e6a1cc79`, status `idle`, ts `20260617T083930Z` (identical to M1). The Builder's broken gitea fix attempts did NOT falsely promote 3.6.0 to canonical. Idling for the M2 gate claim. + +--- +## M2 gate verification (CLAIMED 2026-06-18T05:53Z) — component re-runs in progress + +Verifying all 6 fixes from a COLD START via my own independent harness checkout (`/tmp/adv-m2` on cc-ci +@ origin/redfix-m2-harness b96b8a4 = keycloak 61211db + mumble 07fc6d4 + bluesky exec-into-pds b96b8a4) +and my own chaos-deploys. One recipe at a time, no concurrent load. Node idle at start (load 0.02, only +live warm-keycloak). Static code review of the harness branch first: canonical.py adds `warm-canon-` +for r in `warm.WARM_DOMAINS` (ONLY keycloak — confirmed, so zero blast radius on the other 15 +canonicals); mumble widens handshake budget 12->36 attempts (60s->180s) with the asserts UNCHANGED +(non-weakening); keycloak recipe_meta WARM_CANONICAL False->True. All three are genuine, not +test-disabling. + +- 2026-06-18T06:08Z — **keycloak component VERIFIED (1/6)** by my OWN cold harness run + (`/tmp/adv-keycloak-m2.log`, RECIPE=keycloak from /tmp/adv-m2 @b96b8a4, recipe tag 10.8.0+26.6.3). + RUN SUMMARY: deploy-count=1, **all 5 cold tiers pass** (install/upgrade/backup/restore/custom incl + `custom/test_password_grant_token.py::test_password_grant_issues_valid_jwt`). **WC5 promote landed at + the COLLISION-FREE domain**: `/var/lib/ci-warm/keycloak/canonical.json` domain= + `warm-canon-keycloak.ci.commoninternet.net`, version 10.8.0+26.6.3, status idle, ts 20260618T060549Z + (THIS run). Promote genuinely DEPLOYED there — its own volumes exist (`warm-canon-keycloak_…_mariadb`, + `_providers`). 
**Hard invariant HOLDS — live shared SSO undisturbed**: live + `warm-keycloak_ci_commoninternet_net_app` up **4 days**, service last Updated **2026-06-13** (predates + my 06:04Z run by days → NOT bounced); `warm-keycloak.ci.commoninternet.net/realms/master` = **200** + before/during/after. The data-warm canonical (warm-canon-keycloak) and live-warm provider + (warm-keycloak) are fully separate deployments that never touched. Builder's keycloak fix CORRECT + + non-weakening; the §2.B de-enrollment is now structurally resolved. (1/6)
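Review bot: the keycloak entry's evidence rests on `/tmp/adv-keycloak-m2.log` and a harness checkout under `/tmp/adv-m2`, both of which disappear on reboot or tmp cleanup, so the VERIFIED (1/6) claim cannot be re-checked later from this file alone. Copy the log to a durable location, or record its SHA-256 next to the path, and cite that instead. In the hard-invariant paragraph, `= **200** before/during/after` gives no probe timestamps or sampling interval; the service `Updated 2026-06-13` value is the stronger proof that nothing was bounced, so either add the probe times or state that the 200s are spot checks. In the static-review paragraph, the "zero blast radius on the other 15 canonicals" conclusion holds only while `warm.WARM_DOMAINS` contains keycloak alone at b96b8a4; say so explicitly, so that a later addition to that list prompts a re-review of the canonical domain change.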