review(M2): PASS — canonical sweep proven end-to-end, no VETO. 16 canonicals commit==tag (cold re-derived), real non-hollow timer fire (Result=success, single serial, custom-html 1.11→1.13 advance), determinism 2nd sweep 15-skip/5-documented-exception-run (no overlap, launched 14:41 after 14:37 fire end), tagged-gate both ways, samever step-back never fires in-sweep, UPGRADE_BASE_VERSION retired (plausible dynamic base 3.0.1 re-derived), my own --quick warm reattach reuses retained volume + 200, all 6 exceptions in DECISIONS, AI-free. DEFECT-3 CLOSED (parity byte-match + gitea lfs PASS in prod fire). M1+M2 fresh PASS → Builder may write ## DONE
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
autonomic-bot
@ -541,3 +541,97 @@ under real Drone-parity env. I am NOT yet closing DEFECT-3 or accepting M2 — t
|
||||
claim, where I will cold re-derive each promoted canonical's commit==tag-commit + a warm reattach, confirm
|
||||
all 6 exceptions are recorded in DECISIONS, and re-run/inspect determinism myself. DEFECT-3 stays OPEN
|
||||
(narrowly: pending the claim-time confirmation), but its production re-validation is now favorable.
|
||||
|
||||
---
|
||||
|
||||
## M2: PASS @ 2026-06-17T16:14Z — canonical sweep proven end-to-end (claim a4f1df4; DEFECT-3 CLOSED)
|
||||
|
||||
Verified from a COLD start: fresh independent clone on cc-ci (`/tmp/adv-m2` @ deployed HEAD `2c61f2f`),
|
||||
cold `ssh cc-ci` for live state/journald, and my OWN re-runs (unit suite, resolver calls, a live
|
||||
`--quick` warm reattach). I did NOT read JOURNAL-canon.md before this verdict. Every M2 sub-claim and
|
||||
every carried scrutiny point re-derived against the plan + observable behaviour, not the Builder's word.
|
||||
|
||||
**M2.1 deploy + DEFECT-3 parity — PASS.** Deployed `/etc/cc-ci` HEAD `2c61f2f` (parity fix) is current —
|
||||
`git diff --stat 2c61f2f origin/main -- runner/ tests/ nix/ scripts/` is EMPTY (the gap to Builder HEAD
|
||||
009bc60 is docs/status only, no undeployed code). `nightly-sweep` ExecStart wrapper line 17
|
||||
`export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"` BYTE-MATCHES `drone-runner-exec.service`
|
||||
`Environment="PATH=/run/current-system/sw/bin:/run/wrappers/bin"`; `git-lfs` present at
|
||||
`/run/current-system/sw/bin/git-lfs`. Weekly timer `OnCalendar=Sun *-*-* 03:00:00`, Persistent. **DEFECT-3
|
||||
CLOSED:** behaviorally proven in the production timer fire — `tests/gitea/custom/test_lfs_roundtrip.py::
|
||||
test_lfs_roundtrip PASSED` (the exact test that reded on the missing-git-lfs fire); gitea flips cold-green
|
||||
under the real Drone-parity env.
|
||||
|
||||
**M2.2 + M2.5 real (non-hollow) timer fire — PASS.** `nightly-sweep.service` fired by real systemd: active
|
||||
13:01:01Z → completed **14:37:22Z, Result=success, ExecMainStatus=0, single serial** (no 2nd sweep/
|
||||
run_recipe_ci proc — confirmed across my polls). Non-hollow: enrolled=20, ADVANCED custom-html 1.11.0→
|
||||
1.13.0 (the prior hollow timer logged `enrolled canonicals=[]`). **All 16 canonicals re-derived: every
|
||||
`canonical.json` commit == the tested release tag's commit** (`git -C ~/.abra/recipes/<r> rev-list -n1
|
||||
<version>` == recorded commit) — cryptpad, custom-html(1.13.0+1.31.1/df2e273), custom-html-tiny, drone,
|
||||
ghost, gitea(3.5.3, known-good kept), hedgedoc, immich, lasuite-{docs,drive,meet}, mailu, matrix-synapse,
|
||||
n8n, plausible(3.1.0+v2.0.0/13458fac), uptime-kuma — all OK, no arbitrary-commit canonical. Timestamps
|
||||
07:22→13:15Z; none fall in the 09:10–10:24Z concurrency window I flagged (drone correctly re-promoted
|
||||
11:50, the tainted 10:06 one discarded). Reds left intact (discourse/mattermost-lts/mumble no canonical;
|
||||
bluesky no canonical; gitea kept 3.5.3) — never force-promoted.
|
||||
|
||||
**M2.3 determinism (run-twice) — PASS (operative no-op).** The clean serial 2nd sweep launched **14:41:16Z**
|
||||
(AFTER the 1st fire ended 14:37:22Z → NO overlap; single serial throughout my polls), enrolled=20. Final
|
||||
partition I read from journald myself: **exactly 15 promoted-at-latest → `SKIP no-new-version`** (incl.
|
||||
custom-html 1.13.0, just advanced → now skips = the central determinism proof) and **5 → RUN, every one a
|
||||
documented exception** (gitea retries 3.6.0 advance; bluesky/discourse/mattermost-lts/mumble lack a
|
||||
known-good). My acceptance bar (set 12:21Z) is MET: (i) only the 15 promoted-at-latest skip and only
|
||||
documented exceptions run — verified, not trusted; (ii) every re-running recipe has a DECISIONS reason;
|
||||
(iii) DECISIONS explicitly flags this as a deviation from the literal "skip every recipe" ("'Skip every
|
||||
recipe' is the all-promoted ideal; the demonstrated property is 'no promoted-at-latest recipe re-runs'").
|
||||
Plan-consistent (the plan forbids weakening a test to force a promote).
|
||||
|
||||
**M2.4 tagged-promote gate — PASS.** Untagged green ⇒ NO promote (proof-C + `test_no_promote_when_untagged`
|
||||
in the now-294-pass unit suite I re-ran); tagged green ⇒ promote (all 16 canonicals commit==tag, live in
|
||||
the production fire). Gate proven both ways.
|
||||
|
||||
**M2.6 samever orthogonality — PASS.** Path-2 (new tag → older→new promote): custom-html advanced 1.11.0→
|
||||
1.13.0 in the live production timer fire AND promoted healthy; gitea fired the trigger (RUN on 3.6.0>3.5.3).
|
||||
Path-1 (no new tag → SKIP): the 15 SKIP-no-new-version recipes. **Step-back never fires in-sweep:** read
|
||||
`resolve_upgrade_base` — it steps back ONLY when canonical==head version; the sweep RUNs only when latest
|
||||
tag > canonical, so the in-sweep base is strictly older → no same-version run is ever constructed. samever's
|
||||
same-version behaviour stays owned by the samever phase (PR path).
|
||||
|
||||
**M2.7 disk budget — PASS.** `/` 38G free (74% used); `du -sh /var/lib/ci-warm` = 1.1G; docker volumes 2.0GB.
|
||||
16 retained canonicals fit with ample headroom at full 20-enrolled; no recipe dropped for disk (DECISIONS).
|
||||
|
||||
**M2.8 UPGRADE_BASE_VERSION retired — PASS.** Read `resolve_upgrade_base` source in full: the string
|
||||
`UPGRADE_BASE_VERSION` appears ONLY in the docstring (documenting its §2.G removal) — there is NO live
|
||||
override branch; resolution is purely dynamic (canonical-as-base + same-version step-back). `grep -rn
|
||||
UPGRADE_BASE_VERSION runner/ tests/ docs/` = comments only; unit suite 294 pass. plausible: canonical
|
||||
3.1.0+v2.0.0 == head → resolver steps back to `newest_older_version` = **3.0.1+v2.0.0** (re-derived live) —
|
||||
the exact known-good base the old pin forced, avoiding the broken clickhouse-404 3.0.0. §2.G GATE
|
||||
(keep-if-broken) correctly does NOT apply.
|
||||
|
||||
**Reusability (warm reattach) — PASS (my own cold run).** `MODE=quick` reattach of custom-html: booted the
|
||||
warm stack from the RETAINED volume, `test_content_roundtrip` + `test_custom_html_returns_200` PASSED
|
||||
(retained-volume content reused, 200 over the warm domain), `quick PASS → known-good UNCHANGED`. canonical
|
||||
version/commit identical before/after (1.13.0+1.31.1 / df2e273; only `ts` touched = benign status refresh,
|
||||
not a promote). This also independently confirms warm-domain HTTPS health WORKS for a non-bluesky recipe.
|
||||
|
||||
**Carried scrutiny — all CLEARED:**
|
||||
- gitea app.ini exception is RECIPE-specific, not machinery: gitea-rootless mounts app.ini read-only by its
|
||||
own recipe (`recipe_meta.py:68`); our warm-promote/`deploy_canonical` code does not mount app.ini RO
|
||||
(grep). Cold-fresh 3.6.0 passes, warm reattach-advance crashes at config-load → recipe/retained-volume
|
||||
interaction. 3.5.3 known-good correctly kept.
|
||||
- bluesky warm-routing is recipe-specific: cold green + PDS 200 internal, warm domain `/xrpc/_health`→000;
|
||||
the other 15 promoted answer 200 over HTTPS (custom-html verified live by my reattach). Not machinery.
|
||||
- mattermost-lts (`test_restore`) + mumble (`test_handshake`) reds: tests UNMODIFIED this phase (git log:
|
||||
last touched phases 2/cfold), 0 xfail/skip markers — genuine reds, not weakened to dodge.
|
||||
- All 6 exceptions (keycloak, gitea, discourse, mattermost-lts, mumble, bluesky) recorded in DECISIONS with
|
||||
reasons — none silent.
|
||||
|
||||
**Guardrail NO-AI-at-runtime — PASS.** grep of nightly_sweep.py / warm_reconcile.py / recipe-mirror-sync.sh
|
||||
for anthropic|claude|openai|llm|gpt → zero calls (one code comment only). Pure script + systemd timer.
|
||||
|
||||
**Verdict: M2 PASS. No VETO.** All §5 Definition-of-Done items Adversary-cold-verified: tagged-release
|
||||
canonicals are real + reusable (untagged never promotes), mirror-sync faithful (M1), new-release-tag
|
||||
trigger skips no-new-version / runs new-tag (version-keyed), promote only on green-cold-latest-enrolled-
|
||||
tagged, demonstrated end-to-end in a real non-hollow production timer fire, run-twice determinism no-op
|
||||
(operative form, deviation flagged), samever orthogonal (step-back never fires in-sweep), all recipes
|
||||
enrolled + disk budget recorded, UPGRADE_BASE_VERSION retired (plausible dynamic base 3.0.1), AI-free
|
||||
runtime. M1 + M2 both fresh-PASS. The Builder may write `## DONE`. (Consulted JOURNAL-canon.md only AFTER
|
||||
writing this verdict for context: no surprises.)
|
||||
|
||||
Reference in New Issue
Block a user