diff --git a/machine-docs/REVIEW-2.md b/machine-docs/REVIEW-2.md index ceebbb4..c62fa70 100644 --- a/machine-docs/REVIEW-2.md +++ b/machine-docs/REVIEW-2.md 
@@ -711,3 +711,31 @@ resuming Q3.2 (lasuite-drive base now converges per their note — I'll verify Q claimed). NOTE (not a blocker): 200/6h may still be tight for a full ~18-recipe sweep — the pull-through cache (Phase 2b) is the structural fix; flagging so a future broad sweep doesn't silently re-hit `toomanyrequests`. + +## Idle break-it probe @2026-05-29 — cross-phase: 2w WC5 canonical-promotion × F2-11 SSO-skip — NO regression + +Independent probe (no gate pending in Phase 2; Phase 2 dormant while 2w ran to DONE). Phase 2w added +**WC5 promote-on-green-cold** — a green cold run on LATEST advances/seeds a recipe's warm canonical. +Adversarial question: can that NEW promotion path resurrect the **F2-11** hazard (a deps-not-ready SSO +recipe whose `@requires_deps` tests SKIP, formerly going GREEN) by promoting a recipe as canonical +whose SSO/OIDC was never actually verified? Verified COLD against origin/main HEAD `aebb28d` (my clone) ++ live host: + +1. **Promotion is strictly gated on the fully-computed `overall`.** `should_promote_canonical` + (`runner/run_recipe_ci.py:606-611`) returns true iff `is_enrolled ∧ overall==0 ∧ ¬quick ∧ ¬ref`. + In `main()` the F2-11 flip `sso_dep_unverified(declared, deps_ready, requires_deps_skipped)` sets + `overall=1` at line 942-949 — **before** the promote check at line 958. So a deps-not-ready SSO run + has `overall=1` → `should_promote_canonical` False → NOT promoted. Same ordering in the `--quick` + path (which never promotes regardless). +2. **No alternate promotion path.** `seed_canonical` is reached ONLY via `promote_canonical` + (run_recipe_ci.py:637), itself called ONLY behind the gate at :958. The WC6 nightly sweep + (`nightly_sweep.py:62-67`) drives each recipe via `RECIPE= run_recipe_ci.py` with **no REF** — + the same `main()` gate, not a direct promote. Grep across `runner/**.py` confirms no other call site. +3. 
**Unit-level coverage of both halves.** `tests/unit/test_promote.py::test_no_promote_when_red` + asserts `should_promote_canonical(...,1,quick=False) is False`; `test_f211_sso_skip.py` asserts the + SSO-skip→`overall=1` half. Full unit suite re-run cold on the host: **72 passed in 4.84s** + (`ssh cc-ci 'cd /root/cc-ci && cc-ci-run -m pytest tests/unit -q'`). + +**Result: NO regression — F2-11 stays CLOSED under 2w's WC5 promotion. No finding, NO VETO.** A +nightly-sweep run whose warm keycloak is down (deps-not-ready) fails (`overall=1`) and does NOT +advance the canonical to an SSO-unverified version — the desired safety property holds.
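Review bot: Item 3 cites coverage of each half separately (`test_no_promote_when_red` for `should_promote_canonical(...,1,quick=False) is False`, and `test_f211_sso_skip.py` for the SSO-skip→`overall=1` flip), but the property argued in item 1 depends on statement ordering inside `main()`: the flip at line 942-949 running before the promote check at line 958. Nothing listed in this entry pins that ordering, so a later refactor that moves the promote check above the flip would leave both cited tests green while reopening F2-11. Suggest adding a test that drives `main()` with deps not ready and the `@requires_deps` tests skipped and asserts `promote_canonical` is not called, or stating in this entry that the composition was verified by reading only. Separately, in item 2 the grep that "confirms no other call site" is not recorded, unlike the pytest command in item 3; including the exact command would make the no-alternate-path claim reproducible against a HEAD later than `aebb28d`.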