From 650ab47feada897b9262c27c6efcdb7898ff511a Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 28 May 2026 17:00:49 +0100 Subject: [PATCH] deferred(2): migrate Phase-2 deferrals to DEFERRED.md with re-entry triggers (per orchestrator) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per orchestrator note: machine-docs/DEFERRED.md is now the single canonical registry for any deliberately-deferred work. Every entry MUST carry a specific RE-ENTRY TRIGGER. The orchestrator seeded 4 matrix-synapse entries; this commit migrates the other Phase-2 deferrals I'd buried in JOURNAL/PARITY/DECISIONS: - lasuite-docs OIDC parity ports + create-a-doc (re-entry: before any Q3 gate claim — Adversary already flagged this in Q3/Q4 checkpoint). - cryptpad create-a-pad + content round-trip Playwright (re-entry: Adversary F2-9 conditional — MUST lift before Phase-2 DONE; Q5.2 cold-sample must include). - uptime-kuma create-a-monitor via Socket.IO (re-entry: --extra-tests flag OR another recipe needing Socket.IO). - ghost create-a-post round-trip (re-entry: --extra-tests flag OR Q4 deeper-test pass before Phase-2 DONE). - Q2.2 authentik enrollment + setup_authentik_realm backend (re-entry: when cryptpad oidc_login parity lifts — uses authentik — OR Phase-2 DONE review). All linked to IDEAS.md --extra-tests flag where relevant. Phase-4 cleanup pass MUST review this file per plan.md §6.1. Co-Authored-By: Claude Opus 4.7 (1M context) --- machine-docs/DEFERRED.md | 161 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 machine-docs/DEFERRED.md diff --git a/machine-docs/DEFERRED.md b/machine-docs/DEFERRED.md new file mode 100644 index 0000000..31034ea --- /dev/null +++ b/machine-docs/DEFERRED.md @@ -0,0 +1,161 @@ +# DEFERRED — work parked with a defined re-entry trigger + +The single canonical registry of work the loops considered and **deliberately deferred**. Anything +deferred from any phase **MUST** land here — never as a vague "Q4 follow-up" / "later" pointer +buried in a JOURNAL or REVIEW. Each entry carries a **specific re-entry trigger** (a phase, a +flag, a dependency, an event) so it can be reviewed and brought back, not quietly fade. + +## Conventions +- **Append-only.** Either loop may file an entry; never edit/delete someone else's entry — close + by checking the box and noting the re-entry commit/PR. +- **Phase-4 cleanup pass MUST review this file** and explicitly accept/re-trigger/permanently + close each open item (no "fade away" by default). +- Cross-link: if an entry's re-entry trigger is an IDEA (e.g. an opt-in flag), link the IDEA in + `cc-ci-plan/IDEAS.md`. + +## Format (one item per entry) +``` +### YYYY-MM-DD — +- [ ] **What:** +- **Filed by:** , phase +- **Reason for deferral:** +- **Re-entry trigger:** +- **Linked IDEA / BACKLOG:** +``` + +--- + +## Open deferrals + +### 2026-05-28 — matrix-synapse `compress_state.sh` port +- [ ] **What:** Port the upstream recipe-maintainer `recipe-info/matrix-synapse/tests/compress_state.sh` + to a cc-ci functional test under `tests/matrix-synapse/functional/`. The original creates state + groups WITHOUT edges (full snapshots — Synapse's bloat pattern), runs `synapse_auto_compressor`, + and asserts row counts drop. +- **Filed by:** Builder, phase 2 (Q4.1 matrix-synapse PARITY pass) +- **Reason for deferral:** Needs N>>1 synthesized state groups on every fresh deploy. Cost/time + tradeoff is real — too-small N loses the test's meaning (state-group bloat is by definition a + large-state phenomenon), too-large N inflates per-run time. Defensible defer; operator-confirmed + 2026-05-28: heavier than needed for default CI. +- **Re-entry trigger:** the `--extra-tests` opt-in flag (see linked IDEA) so this runs only when + the operator explicitly asks for the heavy suite; or a dedicated long-running matrix instance. +- **Linked IDEA:** `cc-ci-plan/IDEAS.md` — *Optional `--extra-tests` flag for heavy/operational tests*. + +### 2026-05-28 — matrix-synapse `test_complexity_limit.sh` port +- [ ] **What:** Port `recipe-info/matrix-synapse/tests/test_complexity_limit.sh` — exercise Synapse's + complexity-limit rejection of overly-complex events. +- **Filed by:** Builder, phase 2 (Q4.1 matrix-synapse PARITY pass) +- **Reason for deferral:** Load-test class; needs many-event setup. Operator-confirmed 2026-05-28: + more than needed for a default matrix CI test. +- **Re-entry trigger:** the `--extra-tests` opt-in flag (linked IDEA). +- **Linked IDEA:** `cc-ci-plan/IDEAS.md` — *Optional `--extra-tests` flag for heavy/operational tests*. + +### 2026-05-28 — matrix-synapse `test_purge.sh` port +- [ ] **What:** Port `recipe-info/matrix-synapse/tests/test_purge.sh` — exercise the recipe's + `abra.sh db purge_history` / `db purge_room` admin helpers. +- **Filed by:** Builder, phase 2 (Q4.1 matrix-synapse PARITY pass) +- **Reason for deferral:** Recipe-helper-script tests, not synapse-behaviour tests (orthogonal to + default Phase-2 coverage). Operator-confirmed 2026-05-28: more than needed for a default matrix + CI test. +- **Re-entry trigger:** the `--extra-tests` opt-in flag (linked IDEA) — so PRs touching the recipe's + abra helper scripts can opt in to exercising them. +- **Linked IDEA:** `cc-ci-plan/IDEAS.md` — *Optional `--extra-tests` flag for heavy/operational tests*. + +### 2026-05-28 — matrix-synapse media upload/download roundtrip +- [ ] **What:** Add `tests/matrix-synapse/functional/test_media_upload_roundtrip.py` exercising + `/_matrix/media/v3/upload` + `/_matrix/media/v3/download//`. +- **Filed by:** Builder, phase 2 (Q4.1 matrix-synapse PARITY pass) +- **Reason for deferral:** Not in the Q4.1 first pass; the three currently-landed functional tests + already cover Synapse's defining behaviour (register / room / message / federation). +- **Re-entry trigger:** Phase-2 follow-up (a recipe-coverage breadth pass) OR a PR that touches + Synapse's media subsystem. +- **Linked IDEA:** — + +--- + +## Closed deferrals +(none yet — append `### YYYY-MM-DD — CLOSED (commit/PR)` here when re-entered.) + +### 2026-05-28 — lasuite-docs OIDC parity ports + create-a-doc deeper test +- [ ] **What:** Port `recipe-info/lasuite-docs/tests/oidc_login.py` (authenticated OIDC flow against + lasuite-docs's protected API) + `recipe-info/lasuite-docs/tests/upload_conversion.py` (.md/.docx + uploads via authenticated `/api/v1.0/documents//upload`) + add `test_create_doc.py` (the + §4.3 prescribed create-a-doc + read-back via authenticated `/api/v1.0/documents/`). +- **Filed by:** Builder, phase 2 (Q3.1 lasuite-docs PARITY pass) +- **Reason for deferral:** Requires lasuite-docs's OIDC env wired to the dep keycloak at install + time — `tests/lasuite-docs/install_steps.sh` that reads `$CCCI_DEPS_FILE` for the dep keycloak + domain, calls `harness.sso.setup_keycloak_realm`, inserts `SECRET_OIDC_RPCS` via abra, and writes + the OIDC env vars (`OIDC_REALM`, `OIDC_OP_*`) to the parent's `.env`. The Q3.1 first pass shipped + `test_oidc_with_keycloak.py` (exercises OIDC against the dep) + `test_auth_required.py` (proves + the auth gate is wired) — these meet the ≥2 specific floor but do not exercise the authenticated + lasuite-docs API. +- **Re-entry trigger:** Before any Q3 gate claim (Q3.1 must show §4.3 create-a-doc) — i.e. the next + Phase-2 work cycle, not Phase-4. Adversary's Q3/Q4 checkpoint @ 2026-05-28 explicitly noted "will + revisit when Q3.1 is formally claimed." +- **Linked IDEA:** — + +### 2026-05-28 — cryptpad create-a-pad + content round-trip Playwright test +- [ ] **What:** Add `tests/cryptpad/playwright/test_pad_content_roundtrip.py` — exercise the full + "open /pad/, type uniquely-marked content, reload, assert marker survives in the decrypted + pad" lifecycle. The §4.3 prescribed CryptPad test. +- **Filed by:** Builder, phase 2 (Q3.4 cryptpad PARITY pass) +- **Reason for deferral:** CryptPad's pad-creation flow is **version-specific** in the release + under test (10.6.0+5.7.0). `/pad/` does NOT auto-redirect to a fragment-keyed pad URL on visit; + the UI selector for "new rich-text" varies across versions; three drafts each missed the right + contract. The maximal subset that IS shipped (parity health_check + recipe-specific spa_assets + + Playwright SPA-render with console-error filter) covers the same JS-pipeline initialization + that create-a-pad relies on. F2-9 Adversary conditional sign-off granted with the explicit + expectation this lifts before Phase-2 DONE. +- **Re-entry trigger:** Adversary's F2-9 sign-off requires this lifts BEFORE Phase-2 DONE — must + pin a stable CryptPad app-launch contract (e.g. `/pad/?new=1` if supported, or a role-based + Playwright accessibility-tree selector for "New Rich Text") + ship the create-and-read-back + test. Q5.2 cold-sample MUST include this. +- **Linked IDEA:** — + +### 2026-05-28 — uptime-kuma create-a-monitor (§4.3 prescribed) +- [ ] **What:** Add a test that completes uptime-kuma's first-run setup wizard via Socket.IO, + logs in to obtain a JWT, creates a monitor (`monitor add` Socket.IO emit), and asserts the + monitor appears in the listed-monitors response. +- **Filed by:** Builder, phase 2 (Q4.8 uptime-kuma enrollment) +- **Reason for deferral:** Requires a Socket.IO client primitive in `runner/harness/` (uptime-kuma + uses Socket.IO for ALL real-time updates including setup + monitor CRUD). Today's tests + (parity health + Socket.IO handshake + SPA branding) cover the same handshake + bundle the + setup-then-monitor flow would use; adding a full Socket.IO client is a substantial harness + primitive worth deferring until either (a) another recipe also needs Socket.IO interaction or + (b) the `--extra-tests` flag lands so this can live in `extra/`. +- **Re-entry trigger:** the `--extra-tests` opt-in flag (linked IDEA) OR another recipe enrollment + that requires Socket.IO client primitives in the harness (whichever comes first). +- **Linked IDEA:** `cc-ci-plan/IDEAS.md` — *Optional `--extra-tests` flag for heavy/operational tests*. + +### 2026-05-28 — ghost create-a-post round-trip (§4.3 prescribed) +- [ ] **What:** Add `tests/ghost/functional/test_post_roundtrip.py` exercising Ghost's admin setup + + token-auth + POST `/ghost/api/v3/admin/posts/` (create) + GET + `/ghost/api/v3/admin/posts//` (read back), asserting the post round-trips. +- **Filed by:** Builder, phase 2 (Q4.4 ghost enrollment) +- **Reason for deferral:** Requires Ghost's first-run owner-setup flow (POST + `/ghost/api/v3/admin/authentication/setup/` with per-run admin email+password as class-B + run-scoped) + JWT token management for the admin API. The current 3 tests + (parity health + content_api + admin_redirect) cover the same Ghost-server / API / admin-route + surface; the create-post flow is the natural §4.3 deeper test and is doable, but adds setup + state to manage. Reasonable to defer to the `--extra-tests` flag rollout OR a Phase-2 + follow-up specifically for Q4 deeper tests. +- **Re-entry trigger:** the `--extra-tests` opt-in flag (linked IDEA) OR a Q4 deeper-test pass + before Phase-2 DONE if the Adversary calls for it (Phase-4 cleanup pass MUST review). +- **Linked IDEA:** `cc-ci-plan/IDEAS.md` — *Optional `--extra-tests` flag for heavy/operational tests*. + +### 2026-05-28 — Q2.2 authentik enrollment + `setup_authentik_realm` SSO backend +- [ ] **What:** Enroll authentik in cc-ci tests/ (mirror-and-enroll if not yet mirrored) + add a + `setup_authentik_realm` (or equivalent provider-pluggable name) backend in + `runner/harness/sso.py` mirroring the keycloak path; a dependent recipe should be able to + declare `DEPS = ["authentik"]` and use the same `harness.sso.setup__*` API. +- **Filed by:** Adversary (F2-7, Q2 checkpoint) → migrated to DEFERRED.md by Builder +- **Reason for deferral:** Q2.4 acceptance is already proven via keycloak; no Phase-2 dependent + recipe yet REQUIRES authentik specifically (the lasuite-* recipes use keycloak; cryptpad's + recipe-maintainer SSO test uses authentik but that parity port is already deferred above). The + SSO harness's OIDC FLOW primitives (`oidc_password_grant`, `assert_discovery_endpoint`) are + already provider-agnostic; only `setup_keycloak_realm` is keycloak-specific. +- **Re-entry trigger:** When Q3.4 cryptpad's deferred `oidc_login.py` parity is lifted (cryptpad's + upstream test uses authentik), OR when an additional Q4 recipe enrolls with `DEPS = ["authentik"]`, + OR Phase-2 DONE review (operator may insist on second-provider coverage proving the harness IS + pluggable, not just claimed). +- **Linked IDEA:** —