status(rcust): P6 complete (da558ca) + Adversary inbox consumed — manifest redaction landed (858e0f5); M1 prep starting

2026-06-10 19:10:00 +00:00
parent 5ccc0d1c34
commit 8984b57b35
3 changed files with 36 additions and 26 deletions
--- a/JOURNAL-rcust.md
+++ b/JOURNAL-rcust.md
@ -122,3 +122,26 @@ new test file — all fixed. Verified on cc-ci (rsync of working tree): cc-ci-ru
 tests/unit -q -> 191 passed; nix develop .#lint --command scripts/lint.sh -> lint: PASS.

 Next: P6 docs, then M1 prep (tests/concurrency proof run + 21-recipe baseline matrix).
+
+## 2026-06-10 P6 — docs (branch da558ca) + inbox response (858e0f5)
+
+Rewrote the three docs to the restructured end state; kept the generated §4 table byte-identical
+(doc-sync test pins it). recipe-customization.md flipped from review spec to reference; §8 is now
+the R1–R9 resolution ledger. Facts double-checked against code before writing: R2 proof lives in
+test_screenshot.py::test_screenshot_reachable_through_real_load_path (not test_meta.py — fixed a
+first-draft error); mumble's post-F2-14c shape has NO install_steps.sh/CHAOS_BASE_DEPLOY (base =
+mumbleweb-only COMPOSE_FILE, host-ports added at head via UPGRADE_EXTRA_ENV); lasuite-docs now
+ships install_steps.sh (P2b migration); deps file shape is dict recipe->entry; custom_tests
+discovery is NON-recursive over functional/+playwright/ (old doc said recursive — corrected).
+
+Adversary inbox (19:06Z, non-blocking): manifest dumps meta values verbatim -> dashboard shows a
+field named SECRET_KEY_BASE (plausible's committed CI dummy — public, no real leak). Took the
+redaction option: _jsonable masks values whose key NAME matches
+SECRET|PASSWORD|TOKEN|CREDENTIAL|word-segment-KEY, recursing into dict values (the plausible case
+is a NESTED key under EXTRA_ENV); names stay visible. KEYCLOAK_URL deliberately not matched
+(word-segment KEY). Unit test pins redacted+passthrough both.
+
+Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest tests/unit -q -> 192 passed;
+nix develop .#lint --command scripts/lint.sh -> lint: PASS.
+
+Next: M1 prep — tests/concurrency proof run on the branch + the 21-dir baseline matrix.
--- a/STATUS-rcust.md
+++ b/STATUS-rcust.md
@ -20,15 +20,22 @@ Work branch: `restructure/recipe-custom` (one commit per phase P1–P6; merged t
      custom-test counts, active CCCI_SKIP_GENERIC* env overrides with !! CI flag) printed +
      embedded verbatim in results.json under "customization"; pure presentation, HC2-honoring
      (branch commit 68954be — new runner/harness/manifest.py + tests/unit/test_manifest.py)
- [ ] P6 — docs
+- [x] P6 — docs rewritten to the end state: recipe-customization.md is now the REFERENCE (was
+      review spec) — §8 records R1–R9 resolutions, §4 keeps the generated table + HookCtx, §5 the
+      end-state shapes; testing.md invariant updated to install-time-deps isolation, generic
+      opt-out documented dev-only; enroll-recipe.md worked examples (lasuite-docs install-time
+      OIDC, mumble post-F2-14c), deps fixture, ctx signatures (branch commit da558ca)
+- [x] Adversary inbox 19:06Z (P5 manifest dashboard hygiene) — addressed: secret-NAMED meta
+      values (top-level + nested dict keys) render as '<redacted>' in manifest + results.json;
+      key names stay visible; unit-test pinned (branch commit 858e0f5)

-## P1–P5 verification facts (for the eventual M1 cold-verify)
+## P1–P6 verification facts (for the eventual M1 cold-verify)

 - WHERE: branch `restructure/recipe-custom`, P1=472a68b, P2=8cd72fd, P3=fd02d9f, P4=29a28e2,
-  P5=68954be.
+  P5=68954be, P6=da558ca, manifest-redaction fix=858e0f5 (branch head).
 - HOW: `cc-ci-run -m pytest tests/unit -q` and `nix develop .#lint --command scripts/lint.sh`
  from a clean checkout of the branch.
- EXPECTED: 191 passed; `lint: PASS`.
+- EXPECTED: 192 passed; `lint: PASS`.
 - New single loader: `runner/harness/meta.py::load()`; all-recipes typo gate + R2 proof in
  `tests/unit/test_meta.py`; docs §4 table generated by `scripts/gen-meta-docs.py` (sync pinned
  by unit test).
@ -39,5 +46,5 @@ Work branch: `restructure/recipe-custom` (one commit per phase P1–P6; merged t

 ## Current

-P1–P5 done on the branch; starting P6 (docs rewrite), then M1 prep (concurrency suite proof +
-baseline matrix) before claiming M1.
+P1–P6 all done on the branch (head 858e0f5). M1 prep in progress: tests/concurrency proof run +
+21-recipe baseline matrix, then claiming M1.
--- a/machine-docs/BUILDER-INBOX.md
+++ b/machine-docs/BUILDER-INBOX.md
@ -1,20 +0,0 @@
-
-## [adversary heads-up @2026-06-10T19:06Z] P5 manifest — sensitive-named meta values on dashboard (non-blocking)
-
-NOT a gate FAIL, NOT a VETO — P5 is clean and I logged a PASS-equivalent pre-review. Heads-up for
-your consideration before M1:
-
-`manifest.build` dumps `meta_non_default` dict VALUES verbatim into the run log AND results.json
-(→ dashboard). Across all 21 recipes the only secret-shaped value is plausible's
-`EXTRA_ENV.SECRET_KEY_BASE` = "ccciplausibletestkeybase64charsexactlyforCIephemeral4567890123".
-That's a committed PUBLIC dummy CI constant, so no real secret leaks — fine today.
-
-But the dashboard now shows a field literally named `SECRET_KEY_BASE` with a value. Consider, at
-your discretion:
-  - redacting values of meta keys whose name matches a sensitive pattern
-    (SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL) in the manifest (render the key, mask the value), OR
-  - documenting in the manifest/docs that meta values are repo-public-by-construction so a
-    secret-scan hit on the dashboard is expected noise for that one field.
-
-Either is acceptable to me. I'll re-check the real dashboard for this at the M1 cold-verify. No
-action required to keep P5 green.