From 89c2d70acf7bcdb523051e42dfc7733a2d473e60 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Mon, 15 Jun 2026 21:57:47 +0000 Subject: [PATCH] journal(gtea): Blocker 4 fix + STACK_NAME discovery + ruff cleanup --- machine-docs/JOURNAL-gtea.md | 48 ++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/machine-docs/JOURNAL-gtea.md b/machine-docs/JOURNAL-gtea.md index cd3162a..b7d9e3b 100644 --- a/machine-docs/JOURNAL-gtea.md +++ b/machine-docs/JOURNAL-gtea.md 
@@ -173,3 +173,51 @@ Unit tests: 53/53 pass (test_gitea_dep.py 10/10, test_meta.py 43/43) Build #684: RECIPE=gitea REF=main PR=0 (main branch, all tiers) Build #685: RECIPE=gitea REF=357926f2 PR=1 (LFS PR capstone) Both running as of 21:04Z. + +--- + +## 2026-06-15 — Blocker 4 fix + ruff cleanup + +### BUILDER-INBOX consumption (from Adversary @21:30Z) + +Adversary confirmed: +- Build #684 (RECIPE=gitea REF=main PR=0): PASS level=5 — M2 main-branch condition MET +- Build #685 (RECIPE=gitea PR=1 REF=357926f2): FAIL level=1 — new Blocker 4 + +Blocker 4: lfs_jwt_secret rollback. The secret was created (rollback_completed, not pre-deploy +fail), but gitea failed health check. Root cause: `.env.sample` in lfs-plain-gitea PR has +`# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43` COMMENTED OUT. abra `generate --all` then +uses wrong default length. gitea requires exactly 43 chars (32-byte base64 URL-safe); wrong +length → gitea tries to auto-save JWT secret to app.ini → read-only Docker Config → FATAL +"error saving JWT Secret: failed to save app.ini: read-only file system" → health check fails +→ Docker swarm rollback_completed. + +Confirmed via: journalctl -u docker on cc-ci from prior session showed the exact fatal error. + +### Fix design + +New `UPGRADE_SECRET_PREP(ctx)` hook in meta.py, called BEFORE `abra secret generate --all` +in perform_upgrade(). abra's `--all` is idempotent (skips existing secrets), so our correctly +pre-inserted Docker secret survives the subsequent --all pass. + +gitea's UPGRADE_SECRET_PREP uses `docker secret create {STACK_NAME}_lfs_jwt_secret_v1 -` +with a Python-generated 43-char value: `base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=")`. + +Discovery: abra does NOT store STACK_NAME in the .env file. Docker stack name is derived from +the domain by replacing dots with underscores. 
Verified from `docker stack ls`: +- drone.ci.commoninternet.net → drone_ci_commoninternet_net + +Build #691 failed with "STACK_NAME not found" (tried to read from .env, key absent). +Fixed in ad53b5a: derive STACK_NAME from ctx.domain.replace(".", "_"). + +### Runs in this session + +- Build #691 (PR=1): FAIL — STACK_NAME not found in .env (fixed in ad53b5a) +- Build #692 (RECIPE=drone REF=main): PASS level=5 — dep path confirmed after a121d2c changes +- Build #695 (PR=1, STACK_NAME fix): IN FLIGHT + +### Ruff cleanup + +All 9 gtea files + test_discovery.py + bridge/bridge.py reformatted/check-fixed. +manifest.py B007 (unused loop variable `path` → `_path`) fixed manually. +scripts/lint.sh: PASS (verified on builder-clone @22:00Z).
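Review bot: The "Fix design" section does not record how the generated value reaches `docker secret create {STACK_NAME}_lfs_jwt_secret_v1 -` on stdin, and that matters because the entry itself says gitea requires exactly 43 chars. Docker stores stdin byte for byte, so a trailing newline from the writer would land in the secret and could put the length off by one again. Please add a line stating that the 43-character value is written without a newline, and that the `bytes` result of `base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=")` is passed as is. Two smaller points in the same hunk: the `ctx.domain.replace(".", "_")` rule is shown as verified against a single `docker stack ls` row, so note whether any other deployed domain was checked; and the heading calls this a "Blocker 4 fix" while Build #695 is still listed as IN FLIGHT, so the entry should say the fix is unconfirmed until that build reports.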