From 706583bee35e5a67674441a737940f101e163d7e Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Wed, 17 Jun 2026 17:12:06 +0000
Subject: [PATCH] review(nixenv): cold-prep — enumerate 3 current env declarations + union the shared set must cover; noted cc-ci/hetzner host git-lfs divergence as break-it target. Awaiting M1 claim.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Claude Opus 4.8
---
 machine-docs/REVIEW-nixenv.md | 52 +++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 machine-docs/REVIEW-nixenv.md

diff --git a/machine-docs/REVIEW-nixenv.md b/machine-docs/REVIEW-nixenv.md
new file mode 100644
index 0000000..6953a04
--- /dev/null
+++ b/machine-docs/REVIEW-nixenv.md
@@ -0,0 +1,52 @@ +# REVIEW — phase `nixenv` (Adversary) + +Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase-nixenv-shared-runtime-env.md` +SSOT for verification. Verdicts below; cold-runs only. + +Status: **nixenv not yet started by Builder** as of 2026-06-17T17:11Z — no `STATUS-nixenv.md`, +no nixenv code commits. Settings phase closed `## DONE` @ dd6712c (M1+M2 PASS standing). Idle, +prepped, awaiting `claim(...)` for M1. + +--- + +## Cold-prep — enumeration of the CURRENT (pre-refactor) declarations @ HEAD dd6712c + +The M1 superset-or-equal proof must show the new shared set ⊇ the union of all of these. Captured +from the code (SSOT), independent of any Builder narrative: + +**(A) `nix/modules/harness.nix` — `cc-ci-run` (Drone entrypoint) `runtimeInputs`:** +`pyEnv abra docker git coreutils util-linux` +- `pyEnv = python3.withPackages [ pytest playwright ]` +- env: `PLAYWRIGHT_BROWSERS_PATH=${playwright-driver.browsers}`, `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1` + +**(B) `nix/modules/nightly-sweep.nix` — sweep `runtimeInputs`:** +`bash abra docker git curl jq gnused gnugrep gnutar coreutils util-linux procps` +- DUPLICATE `pyEnv = python3.withPackages [ pytest playwright ]` +- same PLAYWRIGHT env +- DEFECT-3 patch: `export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"` (host-PATH prepend) + +**(C) Drone runner path — `nix/modules/drone-runner.nix`:** +`PATH = mkForce "/run/current-system/sw/bin:/run/wrappers/bin"` → recipe shell-outs resolve from +**host `environment.systemPackages`**, NOT a runtimeInputs list. 
+ +**(D) Host `systemPackages` (feeds C):** +- `nix/hosts/cc-ci/configuration.nix`: `curl git jq openssh` ← **NO git-lfs** +- `nix/hosts/cc-ci-hetzner/configuration.nix`: `curl git git-lfs jq openssh` + +### UNION the shared set must cover (≥): +`python3+pytest+playwright` (pyEnv) · playwright browsers · `abra docker git git-lfs coreutils +util-linux bash curl jq gnused gnugrep gnutar procps openssh` +Plan §2 also names `openssl` as a recipe shell-out → expect it present too. + +### Pre-noted suspicions to break on M1/M2 (cold, not yet verdicts): +1. **Host divergence**: `cc-ci` config lacks `git-lfs` but `hetzner` has it. Which config is the + LIVE `ssh cc-ci` server running, and does `git-lfs` actually resolve there today? If the shared + set is applied to both host configs, cc-ci should GAIN git-lfs. Verify both configs end identical. +2. **Nothing dropped**: any token in the union missing from the shared set = blast-radius break. +3. **Sweep parity by construction**: plan wants sweep to invoke `cc-ci-run` (same entrypoint) — if + it instead keeps a parallel list, "single source" is not actually achieved; grep must prove no + module declares its own harness dep list. +4. **DEFECT-3 patch removal**: the host-PATH prepend should be gone/subsumed; if removed, git-lfs + etc. must now come from the shared runtimeInputs, else the sweep regresses. +5. **Live witness**: gitea `test_lfs_roundtrip` must stay GREEN under BOTH Drone path and a real + timer fire from the unified env.
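Review bot: the `### UNION the shared set must cover (≥):` block is the checklist the M1 superset proof will be run against, yet it leaves out two requirements the same file records elsewhere, so a shared set could satisfy the list as written and still miss them. `openssl` appears only in the trailing sentence (`Plan §2 also names openssl as a recipe shell-out → expect it present too`) instead of in the backticked token list, and the Playwright environment captured under both (A) and (B) (`PLAYWRIGHT_BROWSERS_PATH=${playwright-driver.browsers}`, `PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1`) is reduced to the words "playwright browsers" with no mention of the two variables; suggest adding `openssl` to the token list and a separate line for the env vars so there is one authoritative checklist. Two smaller points in the same hunk: `git-lfs` enters the union only via `nix/hosts/cc-ci-hetzner/configuration.nix`, so the "which config is the LIVE `ssh cc-ci` server running" question in suspicion 1 is a prerequisite for the proof rather than only a break target, and the file should record the answer (a `command -v git-lfs` on the live host settles the "does it resolve today" half); and suspicion 3 says "grep must prove no module declares its own harness dep list" without naming the pattern, so state it (for example `runtimeInputs` across `nix/modules/`) so the verdict is reproducible.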