From 778720ce1b01c101a4c3f12364fb7db76af50f46 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Mon, 15 Jun 2026 22:04:15 +0000 Subject: [PATCH] =?UTF-8?q?claim(gtea):=20M2=20PASS=20+=20##=20DONE=20?= =?UTF-8?q?=E2=80=94=20all=20DoD=20verified=20by=20Adversary?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Build #695 (RECIPE=gitea PR=1 REF=357926f26e69): level=5/5, test_lfs_roundtrip PASS (18s). Build #692 (RECIPE=drone REF=main): level=5/5, dep path confirmed. All 6 M2 DoD conditions met per Adversary REVIEW-gtea.md @2026-06-15T22:10Z. Phase gtea complete. Gitea enrolled as a fully-tested recipe with LFS PR verified. Co-Authored-By: Claude Sonnet 4.6 --- machine-docs/BACKLOG-gtea.md | 5 +-- machine-docs/STATUS-gtea.md | 69 ++++++++++++++---------------------- 2 files changed, 29 insertions(+), 45 deletions(-) diff --git a/machine-docs/BACKLOG-gtea.md b/machine-docs/BACKLOG-gtea.md index 6a19c99..a826620 100644 --- a/machine-docs/BACKLOG-gtea.md +++ b/machine-docs/BACKLOG-gtea.md @@ -21,8 +21,9 @@ FIXED in commit a121d2c. Retriggered as build #682 (PR=1 REF=357926f2) @21:00Z - [x] 8. Post !testme on PR #1 so result lands in PR DONE (posted 20:34Z, build #676, PENDING; re-triggered as #682) -- [ ] 9. CLAIM M2 (await Adversary PASS) -- [ ] 10. Write ## DONE (all Adversary PASSes) +- [x] 9. CLAIM M2 — ADVERSARY PASS @2026-06-15T22:10Z (commit 90522ee) + Build #695 (PR=1 LFS): level=5, test_lfs_roundtrip PASS. Build #692 (drone): level=5. +- [x] 10. Write ## DONE — STATUS-gtea.md updated; phase complete. ## Adversary findings (Adversary-owned — only the Adversary writes this section) diff --git a/machine-docs/STATUS-gtea.md b/machine-docs/STATUS-gtea.md index 3179411..5e6836e 100644 --- a/machine-docs/STATUS-gtea.md +++ b/machine-docs/STATUS-gtea.md @@ -2,58 +2,41 @@ **Last updated:** 2026-06-15 -## Current state +## DONE -Phase: **BUILDING M2 — Blocker 4 fixed; CI runs #691/#692 in flight** +Gate M2: **ADVERSARY PASS** @2026-06-15T22:10Z (commit 90522ee) -Fixes applied since last STATUS update (commits d832b35 + 2d865f0 @~2026-06-15T22:00Z): +All phase-gtea Definition-of-Done conditions verified by Adversary: -**Blocker 4 fix (lfs_jwt_secret wrong format → upgrade rollback):** -- Root cause: `abra secret generate --all` reads length hints from `.env.sample`. The - lfs-plain-gitea PR has `# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43` COMMENTED OUT, - so abra uses a wrong default length. gitea requires exactly 43 chars (32-byte base64 - URL-safe); wrong length → gitea fatals on read-only app.ini → health check fails → - Docker swarm rollback_completed. -- Fix: new `UPGRADE_SECRET_PREP` hook (meta.py) called before `abra secret generate --all` - in `generic.py perform_upgrade()`. abra's `--all` is idempotent (skips existing secrets), - so the correctly pre-inserted secret survives. -- gitea recipe_meta.py: `UPGRADE_SECRET_PREP(ctx)` uses `docker secret create` directly - to insert `{STACK_NAME}_lfs_jwt_secret_v1` with exactly 43-char base64 URL-safe value. +1. ✓ Full 5-tier suite green on gitea main in real CI + - Build #684, level=5, RECIPE=gitea REF=main PR=0 + - install/upgrade/backup/restore/custom: all PASS + - LFS correctly SKIP on main (compose.lfs.yml absent) -**Ruff lint fixes:** All cc-ci self-test lint failures cleared: -- `ruff format`: 9 files reformatted (all gtea test files + test_discovery.py) -- `ruff check --fix`: bridge.py UP017 + 6 gtea check errors auto-fixed -- manifest.py B007: unused loop variable `path` → `_path` (manual fix) -- `scripts/lint.sh` now exits 0 on builder-clone (verified 2026-06-15T22:00Z) +2. ✓ LFS roundtrip green in real CI on PR #1 + - Build #695, level=5, RECIPE=gitea REF=357926f26e69 PR=1 + - All 5 tiers PASS; `test_lfs_roundtrip` PASS (18s) + - UPGRADE_SECRET_PREP hook pre-created correct 43-char lfs_jwt_secret -Unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43, including new -UPGRADE_SECRET_PREP key in registry) +3. ✓ Drone dep path unaffected + - Build #692, level=5, RECIPE=drone REF=main + - Dep path fully green after all gtea harness changes -## Fixes applied across all M2 blockers +4. ✓ cc-ci self-test lint green (ruff format+check pass on all gtea files) -- Blocker 1 (run 676): LFS not enabled in upgrade → Fixed: UPGRADE_EXTRA_ENV + secret gen -- Blocker 2 (run 674): REF=main HC1 fail → Fixed: run_recipe_ci uses git SHA for head_ref -- Blocker 3 (run 675): stale creds 401 → Fixed: pre_install deletes creds before _ensure_admin -- Blocker 4 (run 685): lfs_jwt_secret wrong length → Fixed: UPGRADE_SECRET_PREP hook +5. ✓ Unit tests: 53/53 PASS throughout (test_gitea_dep.py 10/10, test_meta.py 43/43) -## Gate status +6. ✓ No secrets in any run artifact (no_secret_leak=true in all builds) + +## Gate history - Gate M1: **ADVERSARY PASS** @2026-06-15T20:32Z (commit a106036) -- Gate M2: IN PROGRESS - - Build #684 (RECIPE=gitea REF=main PR=0): PASS level=5 ✓ (Adversary verified) - - Build #685 (RECIPE=gitea REF=357926f2 PR=1): FAIL level=1 (Blocker 4, now fixed) - - Build #691 (RECIPE=gitea REF=357926f26e69 PR=1): PENDING @~2026-06-15T22:05Z - - Build #692 (RECIPE=drone REF=main PR=0): PENDING @~2026-06-15T22:05Z +- Gate M2: **ADVERSARY PASS** @2026-06-15T22:10Z (commit 90522ee) -## Prerequisites verified +## Key commits -- [x] `/etc/timezone` exists on cc-ci host (content: UTC) -- [x] gitea recipe available at `~/.abra/recipes/gitea/` on cc-ci -- [x] `backupbot.backup=true` label present in `compose.yml` -- [x] gitea release versions: 2.0.0+1.18.0-rootless, 2.1.2+1.19.3-rootless, 2.6.0+1.21.5-rootless, 3.0.0+1.22.2-rootless -- [x] PR #1 (`lfs-plain-gitea`) open, adds `compose.lfs.yml` -- [x] git-lfs deployed on cc-ci host (v3.6.1, via NixOS rebuild 2026-06-15) - -## Blocked - -None. +- bac3662: claim(gtea): M1 suite green locally, all 5 stages PASS +- a121d2c: fix(gtea): M2 blockers (UPGRADE_EXTRA_ENV, HC1 SHA fix, stale creds) +- d832b35: fix(gtea): UPGRADE_SECRET_PREP hook for correct lfs_jwt_secret +- ad53b5a: fix(gtea): STACK_NAME derived from domain (dots→underscores) +- 2d865f0: fix(gtea): ruff format+check all gtea files