status(rcust): P6 complete (da558ca) + Adversary inbox consumed — manifest redaction landed (858e0f5); M1 prep starting
All checks were successful
continuous-integration/drone/push Build is passing
@ -122,3 +122,26 @@ new test file — all fixed. Verified on cc-ci (rsync of working tree): cc-ci-ru
|
|||||||
tests/unit -q -> 191 passed; nix develop .#lint --command scripts/lint.sh -> lint: PASS.
|
tests/unit -q -> 191 passed; nix develop .#lint --command scripts/lint.sh -> lint: PASS.
|
||||||
|
|
||||||
Next: P6 docs, then M1 prep (tests/concurrency proof run + 21-recipe baseline matrix).
|
Next: P6 docs, then M1 prep (tests/concurrency proof run + 21-recipe baseline matrix).
|
||||||
|
|
||||||
|
## 2026-06-10 P6 — docs (branch da558ca) + inbox response (858e0f5)
|
||||||
|
|
||||||
|
Rewrote the three docs to the restructured end state; kept the generated §4 table byte-identical
|
||||||
|
(doc-sync test pins it). recipe-customization.md flipped from review spec to reference; §8 is now
|
||||||
|
the R1–R9 resolution ledger. Facts double-checked against code before writing: R2 proof lives in
|
||||||
|
test_screenshot.py::test_screenshot_reachable_through_real_load_path (not test_meta.py — fixed a
|
||||||
|
first-draft error); mumble's post-F2-14c shape has NO install_steps.sh/CHAOS_BASE_DEPLOY (base =
|
||||||
|
mumbleweb-only COMPOSE_FILE, host-ports added at head via UPGRADE_EXTRA_ENV); lasuite-docs now
|
||||||
|
ships install_steps.sh (P2b migration); deps file shape is dict recipe->entry; custom_tests
|
||||||
|
discovery is NON-recursive over functional/+playwright/ (old doc said recursive — corrected).
|
||||||
|
|
||||||
|
Adversary inbox (19:06Z, non-blocking): manifest dumps meta values verbatim -> dashboard shows a
|
||||||
|
field named SECRET_KEY_BASE (plausible's committed CI dummy — public, no real leak). Took the
|
||||||
|
redaction option: _jsonable masks values whose key NAME matches
|
||||||
|
SECRET|PASSWORD|TOKEN|CREDENTIAL|word-segment-KEY, recursing into dict values (the plausible case
|
||||||
|
is a NESTED key under EXTRA_ENV); names stay visible. KEYCLOAK_URL deliberately not matched
|
||||||
|
(word-segment KEY). Unit test pins redacted+passthrough both.
|
||||||
|
|
||||||
|
Verified on cc-ci (rsync of working tree): cc-ci-run -m pytest tests/unit -q -> 192 passed;
|
||||||
|
nix develop .#lint --command scripts/lint.sh -> lint: PASS.
|
||||||
|
|
||||||
|
Next: M1 prep — tests/concurrency proof run on the branch + the 21-dir baseline matrix.
|
||||||
|
|||||||
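Review bot: The redaction rule in the "Adversary inbox" paragraph matches on key NAME only, and the entry does not say how the match is made: whether it is case-sensitive, what delimits a "word-segment" for KEY, or whether recursion covers lists of dicts as well as dict values. A secret stored under a neutral name (a URL with embedded credentials, for example) would pass through this rule unmasked, so it is worth stating that limit here alongside the KEYCLOAK_URL exclusion. The sentence "Unit test pins redacted+passthrough both" should also name the test and the keys it covers, the way the R2 sentence names test_screenshot.py::test_screenshot_reachable_through_real_load_path, so the M1 cold-verify can find it.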
@ -20,15 +20,22 @@ Work branch: `restructure/recipe-custom` (one commit per phase P1–P6; merged t
|
|||||||
custom-test counts, active CCCI_SKIP_GENERIC* env overrides with !! CI flag) printed +
|
custom-test counts, active CCCI_SKIP_GENERIC* env overrides with !! CI flag) printed +
|
||||||
embedded verbatim in results.json under "customization"; pure presentation, HC2-honoring
|
embedded verbatim in results.json under "customization"; pure presentation, HC2-honoring
|
||||||
(branch commit 68954be — new runner/harness/manifest.py + tests/unit/test_manifest.py)
|
(branch commit 68954be — new runner/harness/manifest.py + tests/unit/test_manifest.py)
|
||||||
- [ ] P6 — docs
|
- [x] P6 — docs rewritten to the end state: recipe-customization.md is now the REFERENCE (was
|
||||||
|
review spec) — §8 records R1–R9 resolutions, §4 keeps the generated table + HookCtx, §5 the
|
||||||
|
end-state shapes; testing.md invariant updated to install-time-deps isolation, generic
|
||||||
|
opt-out documented dev-only; enroll-recipe.md worked examples (lasuite-docs install-time
|
||||||
|
OIDC, mumble post-F2-14c), deps fixture, ctx signatures (branch commit da558ca)
|
||||||
|
- [x] Adversary inbox 19:06Z (P5 manifest dashboard hygiene) — addressed: secret-NAMED meta
|
||||||
|
values (top-level + nested dict keys) render as '<redacted>' in manifest + results.json;
|
||||||
|
key names stay visible; unit-test pinned (branch commit 858e0f5)
|
||||||
|
|
||||||
## P1–P5 verification facts (for the eventual M1 cold-verify)
|
## P1–P6 verification facts (for the eventual M1 cold-verify)
|
||||||
|
|
||||||
- WHERE: branch `restructure/recipe-custom`, P1=472a68b, P2=8cd72fd, P3=fd02d9f, P4=29a28e2,
|
- WHERE: branch `restructure/recipe-custom`, P1=472a68b, P2=8cd72fd, P3=fd02d9f, P4=29a28e2,
|
||||||
P5=68954be.
|
P5=68954be, P6=da558ca, manifest-redaction fix=858e0f5 (branch head).
|
||||||
- HOW: `cc-ci-run -m pytest tests/unit -q` and `nix develop .#lint --command scripts/lint.sh`
|
- HOW: `cc-ci-run -m pytest tests/unit -q` and `nix develop .#lint --command scripts/lint.sh`
|
||||||
from a clean checkout of the branch.
|
from a clean checkout of the branch.
|
||||||
- EXPECTED: 191 passed; `lint: PASS`.
|
- EXPECTED: 192 passed; `lint: PASS`.
|
||||||
- New single loader: `runner/harness/meta.py::load()`; all-recipes typo gate + R2 proof in
|
- New single loader: `runner/harness/meta.py::load()`; all-recipes typo gate + R2 proof in
|
||||||
`tests/unit/test_meta.py`; docs §4 table generated by `scripts/gen-meta-docs.py` (sync pinned
|
`tests/unit/test_meta.py`; docs §4 table generated by `scripts/gen-meta-docs.py` (sync pinned
|
||||||
by unit test).
|
by unit test).
|
||||||
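Review bot: The unchanged bullet "New single loader: ... all-recipes typo gate + R2 proof in `tests/unit/test_meta.py`" in the verification facts contradicts the journal entry added in this same commit, which says the R2 proof lives in test_screenshot.py::test_screenshot_reachable_through_real_load_path "(not test_meta.py — fixed a first-draft error)". The heading was bumped to P1–P6 and EXPECTED to 192, but this bullet still carries the first-draft location; update it so the cold-verify reader is not sent to the wrong file. The new checklist item also says masked values appear in "manifest + results.json", while the heads-up named the run log as well; say explicitly whether the printed manifest in the run log is covered.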
@ -39,5 +46,5 @@ Work branch: `restructure/recipe-custom` (one commit per phase P1–P6; merged t
|
|||||||
|
|
||||||
## Current
|
## Current
|
||||||
|
|
||||||
P1–P5 done on the branch; starting P6 (docs rewrite), then M1 prep (concurrency suite proof +
|
P1–P6 all done on the branch (head 858e0f5). M1 prep in progress: tests/concurrency proof run +
|
||||||
baseline matrix) before claiming M1.
|
21-recipe baseline matrix, then claiming M1.
|
||||||
|
|||||||
@ -1,20 +0,0 @@
|
|||||||
|
|
||||||
## [adversary heads-up @2026-06-10T19:06Z] P5 manifest — sensitive-named meta values on dashboard (non-blocking)
|
|
||||||
|
|
||||||
NOT a gate FAIL, NOT a VETO — P5 is clean and I logged a PASS-equivalent pre-review. Heads-up for
|
|
||||||
your consideration before M1:
|
|
||||||
|
|
||||||
`manifest.build` dumps `meta_non_default` dict VALUES verbatim into the run log AND results.json
|
|
||||||
(→ dashboard). Across all 21 recipes the only secret-shaped value is plausible's
|
|
||||||
`EXTRA_ENV.SECRET_KEY_BASE` = "ccciplausibletestkeybase64charsexactlyforCIephemeral4567890123".
|
|
||||||
That's a committed PUBLIC dummy CI constant, so no real secret leaks — fine today.
|
|
||||||
|
|
||||||
But the dashboard now shows a field literally named `SECRET_KEY_BASE` with a value. Consider, at
|
|
||||||
your discretion:
|
|
||||||
- redacting values of meta keys whose name matches a sensitive pattern
|
|
||||||
(SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL) in the manifest (render the key, mask the value), OR
|
|
||||||
- documenting in the manifest/docs that meta values are repo-public-by-construction so a
|
|
||||||
secret-scan hit on the dashboard is expected noise for that one field.
|
|
||||||
|
|
||||||
Either is acceptable to me. I'll re-check the real dashboard for this at the M1 cold-verify. No
|
|
||||||
action required to keep P5 green.
|
|
||||||
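Review bot: Deleting the inbox file drops two details that the journal and checklist entries do not carry over. First, the heads-up proposed a bare KEY alternative in its pattern (SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL) and the response narrowed it to word-segment KEY; the journal records the narrowing, but not that it departs from what was suggested. Second, the heads-up ends with "I'll re-check the real dashboard for this at the M1 cold-verify", and nothing in the remaining text says whether results.json files produced before 858e0f5 still show the value on the dashboard. Suggest adding a dashboard check to the M1 prep list, covering results from earlier runs as well as new ones.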