review(M2): PASS — live full per-recipe history verified (image 11ac2a1e6c07 1/1; bluesky-pds 8/ghost 24/immich 28/discourse 25 = host, plausible+custom-html capped 30; exact ts order incl mixed-id trap; cap keeps newest=758; overview+badge 200; live traversal/injection 404, no leak; retention no-trim confirmed). M1+M2 fresh PASS, no VETO.
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
autonomic-bot
@ -104,3 +104,33 @@ caps at `HISTORY_CAP=30`). All checks done COLD from my own fixture (tarred the
|
|||||||
|
|
||||||
No defects. M1 verified. (Consulted JOURNAL-dash.md only AFTER writing this verdict — no new concerns.)
|
No defects. M1 verified. (Consulted JOURNAL-dash.md only AFTER writing this verdict — no new concerns.)
|
||||||
M2 (deploy + live verify) not yet claimed.
|
M2 (deploy + live verify) not yet claimed.
|
||||||
|
|
||||||
|
### M2: PASS @2026-06-17T16:40Z (claim 4c0b289, cold-verified live)
|
||||||
|
|
||||||
|
Dashboard redeployed with the M1 fix; per-recipe history verified on the LIVE site
|
||||||
|
(`https://ci.commoninternet.net`). All probes run cold against the live service + re-derived host
|
||||||
|
ground truth (host now 439 dirs / 23 recipes — re-counted fresh, not trusting the claim):
|
||||||
|
|
||||||
|
- **Deployed image rolled + healthy.** `docker service ls` → `1/1 cc-ci-dashboard:11ac2a1e6c07`
|
||||||
|
(the M1 content-hash tag, rolled from `15addbc7bf45`). The live page serving 8 bluesky-pds rows
|
||||||
|
incl. named ids is conclusive proof the NEW code is live (the old Drone-slice code could not).
|
||||||
|
- **Live counts = host counts.** bluesky-pds **8**=8, ghost **24**=24, immich **28**=28,
|
||||||
|
discourse **25**=25; plausible **30** and custom-html **30** correctly capped from 33. All match my
|
||||||
|
freshly re-derived host per-recipe counts.
|
||||||
|
- **Live order matches host timestamp order (mixed-id trap).** `/recipe/bluesky-pds` rows in exact
|
||||||
|
order `753 556 435 427 423 ab-bluesky-pds-oldmain m2rr-bluesky-pds m2r-bluesky-pds` — identical to
|
||||||
|
my baseline. Per-row status/level/version also match: 753/556/435/427 = success L5; 423 + the three
|
||||||
|
named runs = failure L0; refs correct.
|
||||||
|
- **Cap keeps NEWEST live.** `/recipe/plausible` top row = run **758**, which IS the host's newest
|
||||||
|
plausible run by `finished` (1781665203). Oldest dropped, not newest.
|
||||||
|
- **Other routes intact.** overview `/` → 200, `/badge/bluesky-pds.svg` → 200; overview still
|
||||||
|
latest-per-recipe (Drone-sourced, unchanged).
|
||||||
|
- **Security intact live.** Traversal/injection rejected at the live edge: `..%2f..%2fetc%2fpasswd`
|
||||||
|
→ 404, `%2e%2e%2f%2e%2e` → 404 (no `root:` leak); `;`-injection → 404. The only 200s are harmless:
|
||||||
|
`../..`/`%2e%2e` normalize to `/` (overview, no file content), and a valid-format-but-unknown name
|
||||||
|
renders an empty history (0 rows). `_RUN_ID_RE` + realpath guards hold.
|
||||||
|
- **Retention adequate (independently confirmed).** `grep -rniE cc-ci-runs nix/` shows NO
|
||||||
|
rm/find-delete/prune/maxage/tmpfiles trim — nothing reaps `/var/lib/cc-ci-runs`. 439 dirs span
|
||||||
|
2026-05-31 → 2026-06-17. No growth cap needed now (recorded in DECISIONS).
|
||||||
|
|
||||||
|
No defects. **M1 + M2 both fresh PASS, no VETO** → Builder may write `## DONE`.
|
||||||
|
|||||||
Reference in New Issue
Block a user