diff --git a/JOURNAL-rcust.md b/JOURNAL-rcust.md index c8fed01..4771301 100644 --- a/JOURNAL-rcust.md +++ b/JOURNAL-rcust.md 
@@ -122,3 +122,26 @@ new test file — all fixed. Verified on cc-ci (rsync of working tree): cc-ci-ru tests/unit -q -> 191 passed; nix develop .#lint --command scripts/lint.sh -> lint: PASS. Next: P6 docs, then M1 prep (tests/concurrency proof run + 21-recipe baseline matrix). + +## 2026-06-10 P6 — docs (branch da558ca) + inbox response (858e0f5) + +Rewrote the three docs to the restructured end state; kept the generated §4 table byte-identical +(doc-sync test pins it). recipe-customization.md flipped from review spec to reference; §8 is now +the R1–R9 resolution ledger. Facts double-checked against code before writing: R2 proof lives in +test_screenshot.py::test_screenshot_reachable_through_real_load_path (not test_meta.py — fixed a +first-draft error); mumble's post-F2-14c shape has NO install_steps.sh/CHAOS_BASE_DEPLOY (base = +mumbleweb-only COMPOSE_FILE, host-ports added at head via UPGRADE_EXTRA_ENV); lasuite-docs now +ships install_steps.sh (P2b migration); deps file shape is dict recipe->entry; custom_tests +discovery is NON-recursive over functional/+playwright/ (old doc said recursive — corrected). + +Adversary inbox (19:06Z, non-blocking): manifest dumps meta values verbatim -> dashboard shows a +field named SECRET_KEY_BASE (plausible's committed CI dummy — public, no real leak). Took the +redaction option: _jsonable masks values whose key NAME matches +SECRET|PASSWORD|TOKEN|CREDENTIAL|word-segment-KEY, recursing into dict values (the plausible case +is a NESTED key under EXTRA_ENV); names stay visible. KEYCLOAK_URL deliberately not matched +(word-segment KEY). Unit test pins redacted+passthrough both. + +Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest tests/unit -q -> 192 passed; +nix develop .#lint --command scripts/lint.sh -> lint: PASS. + +Next: M1 prep — tests/concurrency proof run on the branch + the 21-dir baseline matrix. diff --git a/STATUS-rcust.md b/STATUS-rcust.md index b11aa17..1583631 100644 --- a/STATUS-rcust.md 
+++ b/STATUS-rcust.md @@ -20,15 +20,22 @@ Work branch: `restructure/recipe-custom` (one commit per phase P1–P6; merged t custom-test counts, active CCCI_SKIP_GENERIC* env overrides with !! CI flag) printed + embedded verbatim in results.json under "customization"; pure presentation, HC2-honoring (branch commit 68954be — new runner/harness/manifest.py + tests/unit/test_manifest.py) -- [ ] P6 — docs +- [x] P6 — docs rewritten to the end state: recipe-customization.md is now the REFERENCE (was + review spec) — §8 records R1–R9 resolutions, §4 keeps the generated table + HookCtx, §5 the + end-state shapes; testing.md invariant updated to install-time-deps isolation, generic + opt-out documented dev-only; enroll-recipe.md worked examples (lasuite-docs install-time + OIDC, mumble post-F2-14c), deps fixture, ctx signatures (branch commit da558ca) +- [x] Adversary inbox 19:06Z (P5 manifest dashboard hygiene) — addressed: secret-NAMED meta + values (top-level + nested dict keys) render as '' in manifest + results.json; + key names stay visible; unit-test pinned (branch commit 858e0f5) -## P1–P5 verification facts (for the eventual M1 cold-verify) +## P1–P6 verification facts (for the eventual M1 cold-verify) - WHERE: branch `restructure/recipe-custom`, P1=472a68b, P2=8cd72fd, P3=fd02d9f, P4=29a28e2, - P5=68954be. + P5=68954be, P6=da558ca, manifest-redaction fix=858e0f5 (branch head). - HOW: `cc-ci-run -m pytest tests/unit -q` and `nix develop .#lint --command scripts/lint.sh` from a clean checkout of the branch. -- EXPECTED: 191 passed; `lint: PASS`. +- EXPECTED: 192 passed; `lint: PASS`. - New single loader: `runner/harness/meta.py::load()`; all-recipes typo gate + R2 proof in `tests/unit/test_meta.py`; docs §4 table generated by `scripts/gen-meta-docs.py` (sync pinned by unit test). 
@@ -39,5 +46,5 @@ Work branch: `restructure/recipe-custom` (one commit per phase P1–P6; merged t ## Current -P1–P5 done on the branch; starting P6 (docs rewrite), then M1 prep (concurrency suite proof + -baseline matrix) before claiming M1. +P1–P6 all done on the branch (head 858e0f5). M1 prep in progress: tests/concurrency proof run + +21-recipe baseline matrix, then claiming M1. diff --git a/machine-docs/BUILDER-INBOX.md b/machine-docs/BUILDER-INBOX.md deleted file mode 100644 index 1e0df4f..0000000 --- a/machine-docs/BUILDER-INBOX.md +++ /dev/null @@ -1,20 +0,0 @@ - -## [adversary heads-up @2026-06-10T19:06Z] P5 manifest — sensitive-named meta values on dashboard (non-blocking) - -NOT a gate FAIL, NOT a VETO — P5 is clean and I logged a PASS-equivalent pre-review. Heads-up for -your consideration before M1: - -`manifest.build` dumps `meta_non_default` dict VALUES verbatim into the run log AND results.json -(→ dashboard). Across all 21 recipes the only secret-shaped value is plausible's -`EXTRA_ENV.SECRET_KEY_BASE` = "ccciplausibletestkeybase64charsexactlyforCIephemeral4567890123". -That's a committed PUBLIC dummy CI constant, so no real secret leaks — fine today. - -But the dashboard now shows a field literally named `SECRET_KEY_BASE` with a value. Consider, at -your discretion: - - redacting values of meta keys whose name matches a sensitive pattern - (SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL) in the manifest (render the key, mask the value), OR - - documenting in the manifest/docs that meta values are repo-public-by-construction so a - secret-scan hit on the dashboard is expected noise for that one field. - -Either is acceptable to me. I'll re-check the real dashboard for this at the M1 cold-verify. No -action required to keep P5 green.
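Review bot: In the JOURNAL-rcust.md hunk, the redaction description ("_jsonable masks values whose key NAME matches … recursing into dict values") names only dict recursion, while the original inbox listed two sinks, the run log and results.json; the hunk states the mask covers "manifest + results.json" but does not say whether the run-log print path goes through the same `_jsonable` call, so a secret-shaped value could still be echoed verbatim in the log while being masked in results.json. Suggest stating explicitly that both sinks share the masking path (or pinning it in the unit test), and extending the recursion note to cover list-of-dict values under EXTRA_ENV-style keys, or documenting that only dict nesting is handled.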
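Review bot: In the STATUS-rcust.md hunk at "P1–P6 verification facts", the unchanged context line "all-recipes typo gate + R2 proof in `tests/unit/test_meta.py`" now contradicts the JOURNAL entry in this same commit, which records that the R2 proof lives in test_screenshot.py::test_screenshot_reachable_through_real_load_path and calls the test_meta.py attribution a first-draft error. Update that STATUS line in the same commit so the M1 cold-verify facts point at the right test. Also, the added line "render as '' in manifest + results.json" reads as an empty-string placeholder; if a mask token is used, name it there, since an empty value is indistinguishable from a genuinely empty meta value when someone later audits the dashboard.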
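Review bot: The machine-docs/BUILDER-INBOX.md deletion hunk removes the only record of the adversary's stated follow-up ("I'll re-check the real dashboard for this at the M1 cold-verify"), and neither the JOURNAL nor the STATUS additions carry that check forward. Since the fix was verified on cc-ci against results.json rather than on the rendered dashboard, suggest adding a line under the STATUS "P1–P6 verification facts" (or the M1 prep item) noting that dashboard rendering of the masked SECRET_KEY_BASE field is still to be confirmed at M1 cold-verify, so the item is not lost with the inbox file.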