chore(pxgate): pre-stage builder-clone on main; fix nixos-rebuild instructions
Some checks failed
continuous-integration/drone/push Build is failing

builder-clone was on restructure/concurrency (caef217, 288 behind main).
Switched to main at d23baf8. STATUS updated with git checkout main safeguard.
Adversary idle probes all PASS @13:31Z.
autonomic-bot
2026-06-13 13:33:53 +00:00
parent d23baf8d36
commit 8f69e0bc49
2 changed files with 24 additions and 4 deletions

@ -80,3 +80,21 @@ Builder loop re-launched by orchestrator. Checked current state:
- STATUS-pxgate.md M2 section has full orchestrator instructions (pull + nixos-rebuild switch)
Monitoring loop active. Will poll every ≤10 min for nixos-rebuild completion.
## 2026-06-13T13:35Z — Adversary verdict received + builder-clone fix
Adversary pushed `review(pxgate): idle break-it probes PASS @13:31Z`. All idle probes PASS:
- P_stability: /api/version 200 (6/6 probes from orchestrator + cc-ci)
- P_services: all 9 Docker services 1/1
- P_alerts: alerts/ empty
- P_leak: no secrets in /api/version response
- P_ping_still_404: /ping still 404 (correct)
- Re-confirmed builder sentinel discrepancy (999 vs 0): non-blocking, code correct
**Key finding from Adversary:** builder-clone on cc-ci was on branch `restructure/concurrency` at `caef217` — 288 commits behind main. Fixed:
```
ssh cc-ci 'cd /root/builder-clone && git checkout main && git pull'
→ Switched to branch 'main'; fast-forwarded 288 commits to d23baf8
```
STATUS-pxgate.md updated to include `git checkout main` safeguard in nixos-rebuild instructions.
Builder-clone is now pre-staged on main at d23baf8 — orchestrator only needs to run nixos-rebuild.
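Review bot: The probe list in this entry (P_stability through P_ping_still_404) has no check on the state of `/root/builder-clone`, yet the key finding is that the clone sat on `restructure/concurrency` at `caef217`, 288 commits behind main, while every listed probe passed. Consider recording the clone's branch and HEAD as a named probe so that drift shows up as a FAIL instead of a side note. The entry should also say how the clone ended up on that branch and whether its working tree was clean before `git checkout main && git pull`, since the fenced output only shows the fast-forward. The "sentinel discrepancy (999 vs 0)" bullet needs a pointer to where it is tracked; "non-blocking, code correct" cannot be checked from this entry alone.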

@ -23,15 +23,17 @@ M2 requires the orchestrator to deploy the fix to the live cc-ci host and verify
### WHAT is needed from the orchestrator
Run `nixos-rebuild switch` on cc-ci with the current main branch (commit `0e9fd38`). The standard command from DECISIONS.md:
Run `nixos-rebuild switch` on cc-ci. The builder-clone **has been pre-staged** (checked out to `main` at `d23baf8` — 2026-06-13T13:35Z). The orchestrator only needs to run nixos-rebuild:
```bash
ssh cc-ci
cd /root/builder-clone
git pull # pull to get commit 0e9fd38 (warm_reconcile.py traefik /api/version fix)
ssh cc-ci 'cd /root/builder-clone && git checkout main && git pull && git log --oneline -1'
# EXPECTED: d23baf8 (or newer) review(pxgate): idle break-it probes PASS @13:31Z...
nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci"
```
Note: `git checkout main` is included as a safeguard — the builder-clone was previously on `restructure/concurrency`; it is now on `main` but the checkout ensures correctness if it drifts.
This rebuilds the nix store with the new `runner/warm_reconcile.py` and restarts `deploy-proxy.service` (unit script path changes → systemd restarts it on daemon-reload).
### HOW the Adversary verifies M2 (after nixos-rebuild)
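Review bot: In the bash block, `nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci"` now follows a one-shot `ssh cc-ci '...'` command. If the interactive `ssh cc-ci` and `cd /root/builder-clone` lines are the ones being dropped (the rendered diff shows no +/- markers), the rebuild as written would run in the orchestrator's local shell and not on cc-ci. Put the rebuild inside the same quoted ssh command, or keep the interactive session. Separately, `# EXPECTED: d23baf8 (or newer)` is a manual check: `git log --oneline -1` only prints, and nothing stops the rebuild if HEAD is something else. Chaining a gate such as `git merge-base --is-ancestor d23baf8 HEAD` with `&&` ahead of the rebuild would make the instruction fail closed, which matters here because the text tells the orchestrator it "only needs to run nixos-rebuild".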