claim(M1-nixenv): single-source harness runtime env — ccciPyEnv+ccciRuntimeTools+cc-ci-run in packages.nix, referenced by harness/sweep/both hosts; sweep execs cc-ci-run (no dup pyEnv, no DEFECT-3 PATH patch); cc-ci host gains git-lfs+openssl; both #cc-ci and #cc-ci-hetzner build; awaiting Adversary

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 17:23:28 +00:00
parent 706583bee3
commit 8b8fc1ff8e
8 changed files with 242 additions and 64 deletions
--- a/nix/modules/packages.nix
+++ b/nix/modules/packages.nix
@ -1,25 +1,77 @@
 # Project package overlay. `abra` (the Co-op Cloud CLI) is exposed as `pkgs.abra` so every
 # module (systemPackages, the proxy/drone reconcile oneshots) can use the same pinned build.
+#
+# Phase `nixenv` — SINGLE SOURCE OF TRUTH for the harness/recipe-test runtime env. The Drone
+# runner entrypoint (`cc-ci-run`), the nightly/weekly sweep timer, and host `systemPackages` ALL
+# reference the definitions here, so a dependency can never be present for one path and missing
+# for another (that was DEFECT-3, caught in `canon`: the sweep's tool list had drifted from what
+# the Drone path provided). Adding the next dependency to `ccciRuntimeTools` propagates atomically
+# to every consumer.
 _:
 {
  nixpkgs.overlays = [
-    (_: prev: {
-      abra = prev.stdenv.mkDerivation rec {
-        pname = "abra";
-        version = "0.13.0-beta";
-        src = prev.fetchurl {
-          url = "https://git.coopcloud.tech/toolshed/abra/releases/download/${version}/abra_${version}_linux_amd64.tar.gz";
-          sha256 = "12csk6wp1pk9cspzqfl4a6h5jdz8p055sf0ggxw9k7ljhpd5qvc6";
+    (final: prev:
+      let
+        # The harness drives run_recipe_ci.py / nightly_sweep.py (pytest + Playwright). Defined
+        # ONCE here; consumed only via `cc-ci-run` below (no module builds its own pyEnv anymore).
+        ccciPyEnv = final.python3.withPackages (ps: with ps; [ pytest playwright ]);
+      in
+      {
+        abra = prev.stdenv.mkDerivation rec {
+          pname = "abra";
+          version = "0.13.0-beta";
+          src = prev.fetchurl {
+            url = "https://git.coopcloud.tech/toolshed/abra/releases/download/${version}/abra_${version}_linux_amd64.tar.gz";
+            sha256 = "12csk6wp1pk9cspzqfl4a6h5jdz8p055sf0ggxw9k7ljhpd5qvc6";
+          };
+          sourceRoot = ".";
+          nativeBuildInputs = [ prev.autoPatchelfHook ];
+          buildInputs = [ prev.stdenv.cc.cc.lib ];
+          installPhase = ''
+            runHook preInstall
+            install -Dm755 abra "$out/bin/abra"
+            runHook postInstall
+          '';
        };
-        sourceRoot = ".";
-        nativeBuildInputs = [ prev.autoPatchelfHook ];
-        buildInputs = [ prev.stdenv.cc.cc.lib ];
-        installPhase = ''
-          runHook preInstall
-          install -Dm755 abra "$out/bin/abra"
-          runHook postInstall
-        '';
-      };
-    })
+
+        # === Single source of truth: the recipe-test runtime tooling ===
+        # The union of everything a recipe test + the harness shell out to. This is a
+        # superset-or-equal of every prior list (cc-ci-run's old runtimeInputs, the sweep's old
+        # runtimeInputs, and the host PATH's hand-maintained `curl git git-lfs jq`):
+        #   abra docker git coreutils util-linux        (old cc-ci-run)
+        # + bash curl jq gnused gnugrep gnutar procps    (old sweep)
+        # + git-lfs openssl                              (formerly only on the host PATH / plan §2)
+        # `util-linux` provides `script` (abra's PTY wrapper for backup/restore TTY ops).
+        ccciRuntimeTools = with final; [
+          abra
+          docker
+          git
+          git-lfs
+          bash
+          coreutils
+          util-linux
+          curl
+          jq
+          gnused
+          gnugrep
+          gnutar
+          openssl
+          procps
+        ];
+
+        # === The harness entrypoint, used by BOTH the Drone exec pipeline (.drone.yml:
+        # `cc-ci-run runner/run_recipe_ci.py`) and the nightly sweep (which execs this same
+        # binary). Carries the full tool set in runtimeInputs so the recipe shell-outs resolve
+        # the same tooling on every path, independent of the caller's inherited PATH. ===
+        cc-ci-run = final.writeShellApplication {
+          name = "cc-ci-run";
+          runtimeInputs = [ ccciPyEnv ] ++ final.ccciRuntimeTools;
+          text = ''
+            export PLAYWRIGHT_BROWSERS_PATH=${final.playwright-driver.browsers}
+            export PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
+            exec ${ccciPyEnv}/bin/python3 "$@"
+          '';
+        };
+      })
  ];
 }