diff --git a/machine-docs/JOURNAL-pxgate.md b/machine-docs/JOURNAL-pxgate.md index 157bcb1..b4c84f8 100644 --- a/machine-docs/JOURNAL-pxgate.md +++ b/machine-docs/JOURNAL-pxgate.md @@ -80,3 +80,21 @@ Builder loop re-launched by orchestrator. Checked current state: - STATUS-pxgate.md M2 section has full orchestrator instructions (pull + nixos-rebuild switch) Monitoring loop active. Will poll every ≤10 min for nixos-rebuild completion. + +## 2026-06-13T13:35Z — Adversary verdict received + builder-clone fix + +Adversary pushed `review(pxgate): idle break-it probes PASS @13:31Z`. All idle probes PASS: +- P_stability: /api/version 200 (6/6 probes from orchestrator + cc-ci) +- P_services: all 9 Docker services 1/1 +- P_alerts: alerts/ empty +- P_leak: no secrets in /api/version response +- P_ping_still_404: /ping still 404 (correct) +- Re-confirmed builder sentinel discrepancy (999 vs 0): non-blocking, code correct + +**Key finding from Adversary:** builder-clone on cc-ci was on branch `restructure/concurrency` at `caef217` — 288 commits behind main. Fixed: +``` +ssh cc-ci 'cd /root/builder-clone && git checkout main && git pull' +→ Switched to branch 'main'; fast-forwarded 288 commits to d23baf8 +``` +STATUS-pxgate.md updated to include `git checkout main` safeguard in nixos-rebuild instructions. +Builder-clone is now pre-staged on main at d23baf8 — orchestrator only needs to run nixos-rebuild. diff --git a/machine-docs/STATUS-pxgate.md b/machine-docs/STATUS-pxgate.md index 7e0b20e..a9884ff 100644 --- a/machine-docs/STATUS-pxgate.md +++ b/machine-docs/STATUS-pxgate.md 
@@ -23,15 +23,17 @@ M2 requires the orchestrator to deploy the fix to the live cc-ci host and verify ### WHAT is needed from the orchestrator -Run `nixos-rebuild switch` on cc-ci with the current main branch (commit `0e9fd38`). The standard command from DECISIONS.md: +Run `nixos-rebuild switch` on cc-ci. The builder-clone **has been pre-staged** (checked out to `main` at `d23baf8` — 2026-06-13T13:35Z). The orchestrator only needs to run nixos-rebuild: ```bash -ssh cc-ci -cd /root/builder-clone -git pull # pull to get commit 0e9fd38 (warm_reconcile.py traefik /api/version fix) +ssh cc-ci 'cd /root/builder-clone && git checkout main && git pull && git log --oneline -1' +# EXPECTED: d23baf8 (or newer) review(pxgate): idle break-it probes PASS @13:31Z... + nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci" ``` +Note: `git checkout main` is included as a safeguard — the builder-clone was previously on `restructure/concurrency`; it is now on `main` but the checkout ensures correctness if it drifts. + This rebuilds the nix store with the new `runner/warm_reconcile.py` and restarts `deploy-proxy.service` (unit script path changes → systemd restarts it on daemon-reload). ### HOW the Adversary verifies M2 (after nixos-rebuild)
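Review bot: In the JOURNAL-pxgate.md hunk, the "Key finding" entry records the fix (`git checkout main && git pull`) but not how builder-clone ended up on `restructure/concurrency` at `caef217`, or whether the tree was clean before the checkout. The STATUS instructions build the flake straight from `/root/builder-clone`, so a clone 288 commits behind main means a rebuild could have deployed stale code. Please add a line on the cause if it is known, and on whether any earlier `nixos-rebuild switch` on cc-ci ran from that checkout. Recording `git status` output from before the switch would also show that no uncommitted work on the old branch was carried over or lost. Separately, the "builder sentinel discrepancy (999 vs 0)" bullet is marked non-blocking with no pointer to where it is tracked; a reference to the tracking entry would keep it from being dropped.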
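Review bot: In the STATUS-pxgate.md hunk, the rewritten command block no longer runs `nixos-rebuild switch` on cc-ci. The old block opened a session with a bare `ssh cc-ci` and ran every following line there. The new block wraps only the git commands in `ssh cc-ci '...'`, so the `nixos-rebuild switch --flake "git+file:///root/builder-clone?submodules=1#cc-ci"` line executes in whatever shell the orchestrator pasted into, not on the host. Either move it inside the quoted remote command, chained with `&&` so it runs only if the checkout and pull succeed, or restore the interactive `ssh cc-ci` form. The `# EXPECTED: d23baf8 (or newer)` line is also a manual eyeball check, and as written the rebuild on the next line runs whatever the `git log` output showed. If the point is to guarantee what gets deployed, have the command fail when HEAD is not on `main` or does not contain `d23baf8`. Finally, the prose says the orchestrator "only needs to run nixos-rebuild" while the block still performs a checkout and pull; say explicitly that the git step is a re-verification so the two do not read as contradictory.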