diff --git a/machine-docs/JOURNAL-5.md b/machine-docs/JOURNAL-5.md index eca64cd..aec960d 100644 --- a/machine-docs/JOURNAL-5.md +++ b/machine-docs/JOURNAL-5.md @@ -255,3 +255,68 @@ Current state: - The repo-side enrollment fix is durable on origin/main. - Live verification that the bridge poller now watches `recipe-maintainers/lasuite-meet` is blocked on host reachability returning. + +## 2026-06-01 — Host recovered; lasuite-meet enrolled and green + +Recovery point: +- `ssh cc-ci "hostname && systemctl is-system-running"` + -> `nixos` + -> `running` + +Bridge rollout verification after recovery: +- Initial live check still showed the old poll set in the running task logs, even though the host source + and built stack contained `recipe-maintainers/lasuite-meet`. +- Located the updated built artifacts on the host: + - stack with `lasuite-meet`: `/nix/store/377c59lcpjj8bgs0dlq7l1z128y53016-cc-ci-bridge-stack.yml` + - corresponding reconcile helper: + `/nix/store/rk9vwyfvdryp4zln0ywlg6q2vyjmwfw4-cc-ci-reconcile-bridge/bin/cc-ci-reconcile-bridge` +- Ran that helper directly on `cc-ci`; service spec then showed: + - `POLL_REPOS=...recipe-maintainers/lasuite-docs,recipe-maintainers/lasuite-meet,recipe-maintainers/n8n...` +- Waited for the new task banner: + - `docker service logs ccci-bridge_app --since 20s` + -> `poller (primary) watching ['recipe-maintainers/cc-ci', 'recipe-maintainers/custom-html', + 'recipe-maintainers/custom-html-tiny', 'recipe-maintainers/keycloak', + 'recipe-maintainers/cryptpad', 'recipe-maintainers/matrix-synapse', + 'recipe-maintainers/lasuite-docs', 'recipe-maintainers/lasuite-meet', + 'recipe-maintainers/n8n', 'recipe-maintainers/hedgedoc'] every 30s` + +Real `lasuite-meet` trigger after enrollment: +- `POST=1 MAX_WAIT=90 INTERVAL=5 /srv/cc-ci-orch/.claude/skills/recipe-upgrade/testme-on-pr.sh lasuite-meet 2` + -> `VERDICT=RED` + -> `BUILD=https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/55` + +Authenticated Drone build inspection from `cc-ci`: +- `curl -H "Authorization: Bearer $(cat /run/secrets/bridge_drone_token)" \ + https://drone.ci.commoninternet.net/api/repos/recipe-maintainers/cc-ci/builds/55` + showed a real run failure, not a trigger issue. +- Step-log fetch (`.../builds/55/logs/1/2`) showed the root cause: + - `tests/lasuite-meet/install_steps.sh` failed at + `abra app secret insert oidc_rpcs@v2` + - exact error: + `FATA unable to fetch tags in /root/.abra/recipes/lasuite-meet: authentication required: Unauthorized` +- Classification: NOT a stale-test case; this was a harness/install-hook issue. + +Harness fix: +- Patched the La Suite OIDC secret-insert hooks to use offline/current-checkout mode (`-C -o`), matching + the rest of the harness and avoiding private-origin tag fetches: + - `tests/lasuite-meet/install_steps.sh` + - `tests/lasuite-drive/install_steps.sh` + - `tests/lasuite-docs/setup_custom_tests.sh` +- Verified syntax: + - `bash -n` on all three scripts -> exit 0 +- Committed + pushed: + - `7225138 fix(tests): keep La Suite OIDC secret inserts offline` + +Re-test on the real path: +- `POST=1 MAX_WAIT=90 INTERVAL=5 /srv/cc-ci-orch/.claude/skills/recipe-upgrade/testme-on-pr.sh lasuite-meet 2` + -> `VERDICT=PENDING` + -> `BUILD=https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/58` +- `POST=0 MAX_WAIT=360 INTERVAL=10 /srv/cc-ci-orch/.claude/skills/recipe-upgrade/testme-on-pr.sh lasuite-meet 2` + -> `VERDICT=GREEN` + -> `BUILD=https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/58` + +Conclusion: +- `lasuite-meet` is now fully enrolled in the live bridge poll path. +- The RED after enrollment was a real harness bug, now fixed. +- After the fix, the actual recipe upgrade PR is GREEN, so `lasuite-meet` still does NOT provide the V5 + stale-test branch. diff --git a/machine-docs/STATUS-5.md b/machine-docs/STATUS-5.md index 03aadb0..a4f2170 100644 --- a/machine-docs/STATUS-5.md +++ b/machine-docs/STATUS-5.md @@ -6,10 +6,9 @@ ## Current focus -Minimal enrollment fix for `lasuite-meet` is committed (`f28a2a3`). Current work is verifying the live -bridge rollout so Phase-5 V5/V6 can continue on `lasuite-meet` PR #2. Verification is currently paused -on host reachability: after `nixos-rebuild test --flake path:/root/builder-clone#cc-ci`, `cc-ci` -stopped answering Tailscale SSH. +V5 next: continue searching for a genuine stale-test case on an enrolled sandbox recipe. `lasuite-meet` +is now enrolled and its upgrade PR is GREEN after a minimal harness fix, so it does not provide the V5 +stale-test branch either. ## Fixes applied (A5-1, A5-2, related) @@ -104,11 +103,18 @@ preferred, `/root/cc-ci` fallback) instead of hard-coding `/root/cc-ci`. enrolled poll list. That makes it unusable for V5/V6 until explicitly enrolled. - Enrollment fix authored and pushed: `f28a2a3 fix(bridge): enroll lasuite-meet for !testme` adds `recipe-maintainers/lasuite-meet` to `nix/modules/bridge.nix` `POLL_REPOS`. +- Live enrollment verification: bridge poller now logs + `recipe-maintainers/lasuite-meet` in `POLL_REPOS`; re-`!testme` on PR #2 triggered build `#55`. +- Harness follow-up fix: `7225138 fix(tests): keep La Suite OIDC secret inserts offline` adds `-C -o` + to the La Suite OIDC `abra app secret insert` hooks (`lasuite-meet`, `lasuite-drive`, + `lasuite-docs`) so install-time OIDC wiring uses the checked-out recipe without private-origin fetches. +- Result: `POST=1 ... testme-on-pr.sh lasuite-meet 2` now returns `VERDICT=GREEN` + `BUILD=https://drone.ci.commoninternet.net/recipe-maintainers/cc-ci/58`. ## Verification next step -- When `ssh cc-ci` returns, verify the live bridge poller logs include `recipe-maintainers/lasuite-meet`, - then re-run `POST=1/POST=0 /srv/cc-ci/.claude/skills/recipe-upgrade/testme-on-pr.sh lasuite-meet 2`. +- Continue the V5/V6 search on another enrolled recipe with a real upgrade path and more version-shaped + assertions; `n8n`, `cryptpad`, and `lasuite-meet` all stayed GREEN on real upgrade PRs. ## Phase 5 gates @@ -116,10 +122,4 @@ preferred, `/root/cc-ci` fallback) instead of hard-coding `/root/cc-ci`. ## Blocked -- `cc-ci` host is currently unreachable over Tailscale after `nixos-rebuild test --flake - path:/root/builder-clone#cc-ci` (used to activate the `lasuite-meet` bridge enrollment without touching - the bootloader). Current probes from the orchestrator: - - `ssh cc-ci ...` -> `connect to host 100.95.31.88 port 22: Connection timed out` - - `tailscale status` shows `100.95.31.88 cc-ci ... active; relay "nue"; offline` - - `tailscale ping -c 3 cc-ci` -> `no reply` - The code change is pushed; live verification is blocked until host reachability returns. +(none)