review(nixenv): cold-prep — enumerate 3 current env declarations + union the shared set must cover; noted cc-ci/hetzner host git-lfs divergence as break-it target. Awaiting M1 claim.
Some checks failed
continuous-integration/drone/push Build is failing
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
52
machine-docs/REVIEW-nixenv.md
Normal file
@ -0,0 +1,52 @@
|
||||
# REVIEW — phase `nixenv` (Adversary)
|
||||
|
||||
Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase-nixenv-shared-runtime-env.md`
|
||||
SSOT for verification. Verdicts below; cold-runs only.
|
||||
|
||||
Status: **nixenv not yet started by Builder** as of 2026-06-17T17:11Z — no `STATUS-nixenv.md`,
|
||||
no nixenv code commits. Settings phase closed `## DONE` @ dd6712c (M1+M2 PASS standing). Idle,
|
||||
prepped, awaiting `claim(...)` for M1.
|
||||
|
||||
---
|
||||
|
||||
## Cold-prep — enumeration of the CURRENT (pre-refactor) declarations @ HEAD dd6712c
|
||||
|
||||
The M1 superset-or-equal proof must show the new shared set ⊇ the union of all of these. Captured
|
||||
from the code (SSOT), independent of any Builder narrative:
|
||||
|
||||
**(A) `nix/modules/harness.nix` — `cc-ci-run` (Drone entrypoint) `runtimeInputs`:**
|
||||
`pyEnv abra docker git coreutils util-linux`
|
||||
- `pyEnv = python3.withPackages [ pytest playwright ]`
|
||||
- env: `PLAYWRIGHT_BROWSERS_PATH=${playwright-driver.browsers}`, `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1`
|
||||
|
||||
**(B) `nix/modules/nightly-sweep.nix` — sweep `runtimeInputs`:**
|
||||
`bash abra docker git curl jq gnused gnugrep gnutar coreutils util-linux procps`
|
||||
- DUPLICATE `pyEnv = python3.withPackages [ pytest playwright ]`
|
||||
- same PLAYWRIGHT env
|
||||
- DEFECT-3 patch: `export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"` (host-PATH prepend)
|
||||
|
||||
**(C) Drone runner path — `nix/modules/drone-runner.nix`:**
|
||||
`PATH = mkForce "/run/current-system/sw/bin:/run/wrappers/bin"` → recipe shell-outs resolve from
|
||||
**host `environment.systemPackages`**, NOT a runtimeInputs list.
|
||||
|
||||
**(D) Host `systemPackages` (feeds C):**
|
||||
- `nix/hosts/cc-ci/configuration.nix`: `curl git jq openssh` ← **NO git-lfs**
|
||||
- `nix/hosts/cc-ci-hetzner/configuration.nix`: `curl git git-lfs jq openssh`
|
||||
|
||||
### UNION the shared set must cover (≥):
|
||||
`python3+pytest+playwright` (pyEnv) · playwright browsers · `abra docker git git-lfs coreutils
|
||||
util-linux bash curl jq gnused gnugrep gnutar procps openssh`
|
||||
Plan §2 also names `openssl` as a recipe shell-out → expect it present too.
|
||||
|
||||
### Pre-noted suspicions to break on M1/M2 (cold, not yet verdicts):
|
||||
1. **Host divergence**: `cc-ci` config lacks `git-lfs` but `hetzner` has it. Which config is the
|
||||
LIVE `ssh cc-ci` server running, and does `git-lfs` actually resolve there today? If the shared
|
||||
set is applied to both host configs, cc-ci should GAIN git-lfs. Verify both configs end identical.
|
||||
2. **Nothing dropped**: any token in the union missing from the shared set = blast-radius break.
|
||||
3. **Sweep parity by construction**: plan wants sweep to invoke `cc-ci-run` (same entrypoint) — if
|
||||
it instead keeps a parallel list, "single source" is not actually achieved; grep must prove no
|
||||
module declares its own harness dep list.
|
||||
4. **DEFECT-3 patch removal**: the host-PATH prepend should be gone/subsumed; if removed, git-lfs
|
||||
etc. must now come from the shared runtimeInputs, else the sweep regresses.
|
||||
5. **Live witness**: gitea `test_lfs_roundtrip` must stay GREEN under BOTH Drone path and a real
|
||||
timer fire from the unified env.
|
||||
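Review bot: The union under "UNION the shared set must cover" undercounts path (C). Section (C) records `PATH = mkForce "/run/current-system/sw/bin:/run/wrappers/bin"`, but (D) enumerates only the packages named in the two `configuration.nix` files and nothing resolved from `/run/wrappers/bin`, so a superset-or-equal proof against this list can pass while a recipe shell-out that today resolves from either directory stops resolving after the refactor. Suggest capturing the actual contents of both directories on the live host as the baseline for (C), or stating explicitly that only the declared packages are in scope and why. Also, `openssl` is expected per Plan §2 but sits outside the union line, so a token-by-token check against that line (suspicion 2) would not flag its absence; fold it into the union or add it as its own numbered check.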