status(gtea): Blocker 4 fixed; builds #691/#692 in flight

machine-docs/STATUS-gtea.md

@@ -4,32 +4,46 @@
 
 ## Current state
 
-Phase: **BUILDING M2 — M2 blocker fixes applied; CI runs #681/#682 in flight**
+Phase: **BUILDING M2 — Blocker 4 fixed; CI runs #691/#692 in flight**
 
-Fixed two M2 blockers (commit a121d2c @~2026-06-15T21:00Z):
-  1. LFS upgrade: added UPGRADE_EXTRA_ENV to recipe_meta.py (adds compose.lfs.yml to
-     COMPOSE_FILE after PR-head checkout) + abra.secret_generate in upgrade path in
-     generic.py so lfs_jwt_secret is generated before chaos redeploy.
-  2. REF=main HC1 fail: run_recipe_ci.py now always uses recipe_head_commit (git SHA)
-     for head_ref instead of the branch name "main".
-  3. Stale creds: ops.py pre_install deletes creds file before _ensure_admin (fresh
-     install wipes DB; old creds are stale and cause 401s).
+Fixes applied since last STATUS update (commits d832b35 + 2d865f0 @~2026-06-15T22:00Z):
 
-Unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43)
+**Blocker 4 fix (lfs_jwt_secret wrong format → upgrade rollback):**
+- Root cause: `abra secret generate --all` reads length hints from `.env.sample`. The
+  lfs-plain-gitea PR has `# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43` COMMENTED OUT,
+  so abra uses a wrong default length. gitea requires exactly 43 chars (32-byte base64
+  URL-safe); wrong length → gitea fatals on read-only app.ini → health check fails →
+  Docker swarm rollback_completed.
+- Fix: new `UPGRADE_SECRET_PREP` hook (meta.py) called before `abra secret generate --all`
+  in `generic.py perform_upgrade()`. abra's `--all` is idempotent (skips existing secrets),
+  so the correctly pre-inserted secret survives.
+- gitea recipe_meta.py: `UPGRADE_SECRET_PREP(ctx)` uses `docker secret create` directly
+  to insert `{STACK_NAME}_lfs_jwt_secret_v1` with exactly 43-char base64 URL-safe value.
 
-Adversary M2 blockers (from BUILDER-INBOX @20:50Z):
-  - Blocker 1 (run 676): LFS roundtrip FAIL — gitea deployed without LFS (compose.lfs.yml
-    missing from upgrade chaos redeploy COMPOSE_FILE). Fixed by UPGRADE_EXTRA_ENV + secret gen.
-  - Blocker 2 (run 674): upgrade FAIL — head_ref="main" failed HC1 SHA comparison. Fixed.
-  - Blocker 3 (run 675): stale creds file caused 401s on all API calls. Fixed.
+**Ruff lint fixes:** All cc-ci self-test lint failures cleared:
+- `ruff format`: 9 files reformatted (all gtea test files + test_discovery.py)
+- `ruff check --fix`: bridge.py UP017 + 6 gtea check errors auto-fixed
+- manifest.py B007: unused loop variable `path` → `_path` (manual fix)
+- `scripts/lint.sh` now exits 0 on builder-clone (verified 2026-06-15T22:00Z)
+
+Unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43, including new
+UPGRADE_SECRET_PREP key in registry)
+
+## Fixes applied across all M2 blockers
+
+- Blocker 1 (run 676): LFS not enabled in upgrade → Fixed: UPGRADE_EXTRA_ENV + secret gen
+- Blocker 2 (run 674): REF=main HC1 fail → Fixed: run_recipe_ci uses git SHA for head_ref
+- Blocker 3 (run 675): stale creds 401 → Fixed: pre_install deletes creds before _ensure_admin
+- Blocker 4 (run 685): lfs_jwt_secret wrong length → Fixed: UPGRADE_SECRET_PREP hook
 
 ## Gate status
 
 - Gate M1: **ADVERSARY PASS** @2026-06-15T20:32Z (commit a106036)
 - Gate M2: IN PROGRESS
-  Builds #681/#682 FAILED immediately (trigger API format wrong — no params passed).
-  Build #684 (RECIPE=gitea REF=main PR=0): PENDING @21:04Z
-  Build #685 (RECIPE=gitea REF=357926f2 PR=1): PENDING @21:04Z
+  - Build #684 (RECIPE=gitea REF=main PR=0): PASS level=5 ✓ (Adversary verified)
+  - Build #685 (RECIPE=gitea REF=357926f2 PR=1): FAIL level=1 (Blocker 4, now fixed)
+  - Build #691 (RECIPE=gitea REF=357926f26e69 PR=1): PENDING @~2026-06-15T22:05Z
+  - Build #692 (RECIPE=drone REF=main PR=0): PENDING @~2026-06-15T22:05Z
 
 ## Prerequisites verified