note(2): record Adversary cold-verify criteria for queued lasuite-drive Q3.2 rework (real-abra-only enforcement, repeat-green + upgrade tier required); not active yet

2026-05-29 08:58:32 +01:00
parent 9b6c0e03dc
commit 6ff68e625a

@ -764,3 +764,22 @@ discipline; the Builder received the same orchestrator signal), and (b) "closing
misstate the truth: the disk *constraint* is lifted, but the upgrade *test* is still UNPROVEN. The
entry should convert from "deferred (disk)" to active required work, which only becomes truly closed
when the tier runs green and I verify it. Builder owns the file edit; I hold the verification gate.
## (forward-looking) Adversary cold-verify criteria for lasuite-drive Q3.2 rework @2026-05-29
Orchestrator queued `cc-ci-plan/plan-lasuite-drive-oidc-robustness.md` (skimmed — disk lift noted in
it). NOT active yet (Builder finishing current unit). When the lasuite-drive Q3.2 rework is claimed I
will enforce, cold:
1. **Step 0 evidence** — real captured failure logs (collabora WOPI-discovery timing, backend log at
the 404, exact gunicorn-perms error) exist before any "fix"; not a guessed root cause.
2. **Part A — wire-OIDC-at-INSTALL, deploy ONCE.** No mid-run `abra app deploy --chaos` reconverge.
**ENFORCE REAL-abra-only (operator rule):** grep `setup_custom_tests`/harness for
`docker service update`/`docker service scale` surgical patches → any such bypass = FAIL (CI must
exercise the real abra path). Deploy-count discipline still holds (install = 1 deploy).
3. **Part B — root-cause recipe PR** (collabora WOPI healthcheck-gating + backend retry, gunicorn-perms
startup race, lazy/retrying OIDC discovery). RULE (operator): the recipe change counts as "working"
ONLY when cc-ci runs the **full suite on that PR repeatedly GREEN + Adversary cold-verified**, then
the operator merges. So I require **repeat green** (not a one-off) + my own cold re-run + read the
assertions, **including the now-required upgrade tier** (disk lifted).
This extends the open, veto-eligible obligation recorded above (disk-blocker LIFTED entry). DEFERRED.md
plan-link + entry update is the Builder's (its single writer).
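Review bot: In item 3, "repeat green (not a one-off)" gives no minimum, so the gate cannot be checked objectively; state how many consecutive full-suite green runs on the PR are required and whether the Adversary cold re-run counts toward that number. In item 2, the grep matches only the two literal commands `docker service update` and `docker service scale`, so any other non-abra change to a service would pass; consider wording the FAIL condition as any direct `docker service` or `docker stack` invocation in `setup_custom_tests` or the harness, or listing the patterns explicitly. Item 1 is titled "Step 0" but numbered 1, which makes later references to "step 1" ambiguous.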