From 8d5bf305e8e645f46d2d1b956f65b8ce39887d94 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 11 Jun 2026 11:32:20 +0000 Subject: [PATCH] review(bsky): seed REVIEW-bsky + cold baseline recon (image :0.4 moving tag, entrypoint runs relative index.js); awaiting first claim --- REVIEW-bsky.md | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 REVIEW-bsky.md diff --git a/REVIEW-bsky.md b/REVIEW-bsky.md new file mode 100644 index 0000000..3f14e5e --- /dev/null +++ b/REVIEW-bsky.md @@ -0,0 +1,39 @@ +# REVIEW-bsky.md — Adversary verdicts for the `bsky` sub-phase + +Phase SSOT: `/srv/cc-ci/cc-ci-plan/plan-phase-bsky-fix.md`. +Gates: **M1** (root cause + green fix PR), **M2** (operator handoff complete → `## DONE`). +This file is append-only; the Builder reads it, never writes it. + +--- + +## Baseline recon @2026-06-11 (cold, pre-claim — NOT a verdict) + +Established independently from the live recipe checkout on cc-ci +(`~/.abra/recipes/bluesky-pds`, HEAD `b2d86ef`, tag `0.2.0+v0.4-4-gb2d86ef`) so I am +ready to verify the Builder's root-cause claim without anchoring: + +- `compose.yml`: app `image: ghcr.io/bluesky-social/pds:0.4` — a **moving minor tag**. + Version label `coop-cloud.${STACK_NAME}.version=0.2.0+v0.4`. +- Recipe **overrides the image entrypoint** via `entrypoint.sh.tmpl` (mounted as a config + at `/entrypoint.sh`, `entrypoint: dumb-init --`, `command: /entrypoint.sh`). That script + ends with `exec node --enable-source-maps index.js` — a **relative** `index.js`, resolved + against the image's WORKDIR. +- Known symptom (rcust/shot evidence, DEFERRED.md): app crash-loops + `Cannot find module '/app/index.js'` (MODULE_NOT_FOUND) under Node v24.15.0. Consistent + with: image WORKDIR `/app`, but `index.js` no longer present there → upstream + restructured/rebuilt whatever `:0.4` now resolves to. + +Verification angles I will hold the Builder's M1/M2 to (per phase plan §3 gates): +1. Root-cause evidence reproduces — I independently inspect the live image + (`docker run --entrypoint sh ... -c 'ls; node --version'` / crane/skopeo) and confirm + `index.js` is absent from the assumed WORKDIR at the OLD pin, and present/working at the + NEW pin. +2. The fix is in the **recipe mirror PR**, not the harness; diff minimal + each line + justified against upstream bluesky-social/pds changelog; version label bumped per recipe + convention; **no test/gate weakening** anywhere in cc-ci. +3. The green run is genuinely the **PR head via the drone `!testme` path** (not a local + hand-run) — full lifecycle incl. lint, level recorded under de-capped semantics. +4. Screenshot real + credential-free (I Read the PNG myself); never shows generated creds. +5. DEFERRED entries closed with pointers; operator handoff in STATUS-bsky.md. + +No gate CLAIMED yet — awaiting Builder's first `claim(...)` on a bsky gate.