diff --git a/machine-docs/REVIEW-canon.md b/machine-docs/REVIEW-canon.md index 30904ef..c00b1ec 100644 --- a/machine-docs/REVIEW-canon.md +++ b/machine-docs/REVIEW-canon.md @@ -541,3 +541,97 @@ under real Drone-parity env. I am NOT yet closing DEFECT-3 or accepting M2 — t claim, where I will cold re-derive each promoted canonical's commit==tag-commit + a warm reattach, confirm all 6 exceptions are recorded in DECISIONS, and re-run/inspect determinism myself. DEFECT-3 stays OPEN (narrowly: pending the claim-time confirmation), but its production re-validation is now favorable. + +--- + +## M2: PASS @ 2026-06-17T16:14Z — canonical sweep proven end-to-end (claim a4f1df4; DEFECT-3 CLOSED) + +Verified from a COLD start: fresh independent clone on cc-ci (`/tmp/adv-m2` @ deployed HEAD `2c61f2f`), +cold `ssh cc-ci` for live state/journald, and my OWN re-runs (unit suite, resolver calls, a live +`--quick` warm reattach). I did NOT read JOURNAL-canon.md before this verdict. Every M2 sub-claim and +every carried scrutiny point re-derived against the plan + observable behaviour, not the Builder's word. + +**M2.1 deploy + DEFECT-3 parity — PASS.** Deployed `/etc/cc-ci` HEAD `2c61f2f` (parity fix) is current — +`git diff --stat 2c61f2f origin/main -- runner/ tests/ nix/ scripts/` is EMPTY (the gap to Builder HEAD +009bc60 is docs/status only, no undeployed code). `nightly-sweep` ExecStart wrapper line 17 +`export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH"` BYTE-MATCHES `drone-runner-exec.service` +`Environment="PATH=/run/current-system/sw/bin:/run/wrappers/bin"`; `git-lfs` present at +`/run/current-system/sw/bin/git-lfs`. Weekly timer `OnCalendar=Sun *-*-* 03:00:00`, Persistent. **DEFECT-3 +CLOSED:** behaviorally proven in the production timer fire — `tests/gitea/custom/test_lfs_roundtrip.py:: +test_lfs_roundtrip PASSED` (the exact test that reded on the missing-git-lfs fire); gitea flips cold-green +under the real Drone-parity env. + +**M2.2 + M2.5 real (non-hollow) timer fire — PASS.** `nightly-sweep.service` fired by real systemd: active +13:01:01Z → completed **14:37:22Z, Result=success, ExecMainStatus=0, single serial** (no 2nd sweep/ +run_recipe_ci proc — confirmed across my polls). Non-hollow: enrolled=20, ADVANCED custom-html 1.11.0→ +1.13.0 (the prior hollow timer logged `enrolled canonicals=[]`). **All 16 canonicals re-derived: every +`canonical.json` commit == the tested release tag's commit** (`git -C ~/.abra/recipes/ rev-list -n1 +` == recorded commit) — cryptpad, custom-html(1.13.0+1.31.1/df2e273), custom-html-tiny, drone, +ghost, gitea(3.5.3, known-good kept), hedgedoc, immich, lasuite-{docs,drive,meet}, mailu, matrix-synapse, +n8n, plausible(3.1.0+v2.0.0/13458fac), uptime-kuma — all OK, no arbitrary-commit canonical. Timestamps +07:22→13:15Z; none fall in the 09:10–10:24Z concurrency window I flagged (drone correctly re-promoted +11:50, the tainted 10:06 one discarded). Reds left intact (discourse/mattermost-lts/mumble no canonical; +bluesky no canonical; gitea kept 3.5.3) — never force-promoted. + +**M2.3 determinism (run-twice) — PASS (operative no-op).** The clean serial 2nd sweep launched **14:41:16Z** +(AFTER the 1st fire ended 14:37:22Z → NO overlap; single serial throughout my polls), enrolled=20. Final +partition I read from journald myself: **exactly 15 promoted-at-latest → `SKIP no-new-version`** (incl. +custom-html 1.13.0, just advanced → now skips = the central determinism proof) and **5 → RUN, every one a +documented exception** (gitea retries 3.6.0 advance; bluesky/discourse/mattermost-lts/mumble lack a +known-good). My acceptance bar (set 12:21Z) is MET: (i) only the 15 promoted-at-latest skip and only +documented exceptions run — verified, not trusted; (ii) every re-running recipe has a DECISIONS reason; +(iii) DECISIONS explicitly flags this as a deviation from the literal "skip every recipe" ("'Skip every +recipe' is the all-promoted ideal; the demonstrated property is 'no promoted-at-latest recipe re-runs'"). +Plan-consistent (the plan forbids weakening a test to force a promote). + +**M2.4 tagged-promote gate — PASS.** Untagged green ⇒ NO promote (proof-C + `test_no_promote_when_untagged` +in the now-294-pass unit suite I re-ran); tagged green ⇒ promote (all 16 canonicals commit==tag, live in +the production fire). Gate proven both ways. + +**M2.6 samever orthogonality — PASS.** Path-2 (new tag → older→new promote): custom-html advanced 1.11.0→ +1.13.0 in the live production timer fire AND promoted healthy; gitea fired the trigger (RUN on 3.6.0>3.5.3). +Path-1 (no new tag → SKIP): the 15 SKIP-no-new-version recipes. **Step-back never fires in-sweep:** read +`resolve_upgrade_base` — it steps back ONLY when canonical==head version; the sweep RUNs only when latest +tag > canonical, so the in-sweep base is strictly older → no same-version run is ever constructed. samever's +same-version behaviour stays owned by the samever phase (PR path). + +**M2.7 disk budget — PASS.** `/` 38G free (74% used); `du -sh /var/lib/ci-warm` = 1.1G; docker volumes 2.0GB. +16 retained canonicals fit with ample headroom at full 20-enrolled; no recipe dropped for disk (DECISIONS). + +**M2.8 UPGRADE_BASE_VERSION retired — PASS.** Read `resolve_upgrade_base` source in full: the string +`UPGRADE_BASE_VERSION` appears ONLY in the docstring (documenting its §2.G removal) — there is NO live +override branch; resolution is purely dynamic (canonical-as-base + same-version step-back). `grep -rn +UPGRADE_BASE_VERSION runner/ tests/ docs/` = comments only; unit suite 294 pass. plausible: canonical +3.1.0+v2.0.0 == head → resolver steps back to `newest_older_version` = **3.0.1+v2.0.0** (re-derived live) — +the exact known-good base the old pin forced, avoiding the broken clickhouse-404 3.0.0. §2.G GATE +(keep-if-broken) correctly does NOT apply. + +**Reusability (warm reattach) — PASS (my own cold run).** `MODE=quick` reattach of custom-html: booted the +warm stack from the RETAINED volume, `test_content_roundtrip` + `test_custom_html_returns_200` PASSED +(retained-volume content reused, 200 over the warm domain), `quick PASS → known-good UNCHANGED`. canonical +version/commit identical before/after (1.13.0+1.31.1 / df2e273; only `ts` touched = benign status refresh, +not a promote). This also independently confirms warm-domain HTTPS health WORKS for a non-bluesky recipe. + +**Carried scrutiny — all CLEARED:** +- gitea app.ini exception is RECIPE-specific, not machinery: gitea-rootless mounts app.ini read-only by its + own recipe (`recipe_meta.py:68`); our warm-promote/`deploy_canonical` code does not mount app.ini RO + (grep). Cold-fresh 3.6.0 passes, warm reattach-advance crashes at config-load → recipe/retained-volume + interaction. 3.5.3 known-good correctly kept. +- bluesky warm-routing is recipe-specific: cold green + PDS 200 internal, warm domain `/xrpc/_health`→000; + the other 15 promoted answer 200 over HTTPS (custom-html verified live by my reattach). Not machinery. +- mattermost-lts (`test_restore`) + mumble (`test_handshake`) reds: tests UNMODIFIED this phase (git log: + last touched phases 2/cfold), 0 xfail/skip markers — genuine reds, not weakened to dodge. +- All 6 exceptions (keycloak, gitea, discourse, mattermost-lts, mumble, bluesky) recorded in DECISIONS with + reasons — none silent. + +**Guardrail NO-AI-at-runtime — PASS.** grep of nightly_sweep.py / warm_reconcile.py / recipe-mirror-sync.sh +for anthropic|claude|openai|llm|gpt → zero calls (one code comment only). Pure script + systemd timer. + +**Verdict: M2 PASS. No VETO.** All §5 Definition-of-Done items Adversary-cold-verified: tagged-release +canonicals are real + reusable (untagged never promotes), mirror-sync faithful (M1), new-release-tag +trigger skips no-new-version / runs new-tag (version-keyed), promote only on green-cold-latest-enrolled- +tagged, demonstrated end-to-end in a real non-hollow production timer fire, run-twice determinism no-op +(operative form, deviation flagged), samever orthogonal (step-back never fires in-sweep), all recipes +enrolled + disk budget recorded, UPGRADE_BASE_VERSION retired (plausible dynamic base 3.0.1), AI-free +runtime. M1 + M2 both fresh-PASS. The Builder may write `## DONE`. (Consulted JOURNAL-canon.md only AFTER +writing this verdict for context: no surprises.)