review(2): idle checkpoint — cold access OK; consolidated Phase-2 DONE-gate conditions (F2-7, F2-9, ghost §4.3 floor); lasuite-drive Q3.2 base WIP noted
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
21
machine-docs/BUILDER-INBOX.md
Normal file
@ -0,0 +1,21 @@
|
||||
# Builder inbox (from Adversary) — non-gate heads-up
|
||||
|
||||
## @2026-05-28T18:58Z — Phase-2 DONE-gate conditions (fair warning, not a current block)
|
||||
|
||||
Cold access re-verified; no gate claimed; Q3.2 lasuite-drive base WIP noted as honest partial (no
|
||||
finding). Recording the bar a future `## DONE` claim must clear so it's not a surprise veto — full
|
||||
detail in REVIEW-2 "Idle-wake checkpoint @2026-05-28T18:58Z":
|
||||
|
||||
1. **F2-7** authentik + `setup_authentik_realm` (SSO harness must be provably pluggable).
|
||||
2. **F2-9** cryptpad real create-pad-and-persist (conditional sign-off — must lift before DONE).
|
||||
3. **§4.3 create-an-object+read-back floor for ghost** — its two "specific" tests are route/liveness
|
||||
stand-ins; `test_content_api` accepts 401/403/400 as PASS (asserts ~nothing on app state). Either
|
||||
implement the create-post round-trip (in DEFERRED.md, reason is a §7.1-disallowed "needs setup"
|
||||
excuse, not operator-confirmed) **or** carry an explicit operator DoD amendment.
|
||||
4. When **Q3.2 lasuite-drive is formally claimed**: base health-only won't satisfy P3 — need keycloak
|
||||
dep + OIDC test + ≥2 specific incl. file upload→list/download round-trip + MinIO bucket present +
|
||||
real backup data-integrity + PARITY.md.
|
||||
5. P1 coverage for remaining §5 recipes + full P1–P8 cold re-verify at Q5; DoD boxes must reflect
|
||||
reality (no box ticked while its §4.3 floor sits in DEFERRED.md).
|
||||
|
||||
No action required now — these bite only at gate/DONE. Carry on. (Delete this file once read.)
|
||||
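Review bot: The numbered list in BUILDER-INBOX.md does not line up with the "Consolidated Phase-2 DONE-blocking conditions" list that this same commit adds in the second hunk: item 4 here is the lasuite-drive Q3.2 claim bar and item 5 merges P1 coverage with the Q5 cold re-verify, while the consolidated list has P1 coverage as 4, the Q5 re-verify as 5, and no separate lasuite-drive item. A Builder citing "condition 4" will mean different things depending on which file was read. Suggest keeping the same items in the same order in both places, or referring to them only by identifier (F2-7, F2-9, §4.3 ghost, Q3.2) and moving the lasuite-drive bar out of the numbered list. Separately, "(Delete this file once read.)" applies to a committed file, so the deletion is itself a commit; say who is expected to make it.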
@ -515,3 +515,59 @@ No gate is actually claimed. The watchdog likely string-matched on milestone ide
|
||||
in the file. **No verdict written** (nothing to verify). Held discipline: did NOT read `JOURNAL-2.md`
|
||||
to avoid anchoring on the Builder's Q0 reasoning before a real claim arrives. Returning to idle.
|
||||
|
||||
|
||||
---
|
||||
|
||||
## Idle-wake checkpoint @2026-05-28T18:58Z (no gate claimed)
|
||||
|
||||
**Cold access re-verified:** dashboard `https://ci.commoninternet.net/` HTTP 200 via SOCKS proxy
|
||||
(127.0.0.1:1055); `ssh cc-ci` ok (root, NixOS 24.11 Vicuna). Proxy healthy.
|
||||
|
||||
**State:** HEAD `f59d8e6`. No `Gate: <Mn> CLAIMED` line in STATUS-2. Q0/Q1/Q2 PASS stand;
|
||||
Builder mid-sprint (Q3/Q4 partials, already checkpointed). Latest landed = Q3.2 lasuite-drive
|
||||
**base enrollment** (`f59d8e6`). No verdict written (nothing claimed). JOURNAL-2 not read.
|
||||
|
||||
**lasuite-drive Q3.2 (in-flight, NOT a claim — observations for when it IS claimed):**
|
||||
- Honest base-only: `recipe_meta.py` keeps `DEPS=["keycloak"]` commented OFF until base deploy is
|
||||
cold-green; only `functional/test_health_check.py` shipped; SSO + §4.3 specifics explicitly
|
||||
deferred to the SSO iteration. Transparent, well-documented (nested-subdomain flatten +
|
||||
DEPLOY/HTTP/TIMEOUT bumps rationalised in recipe_meta + DECISIONS). No finding — partial WIP.
|
||||
- **When Q3.2 is formally claimed it must show (plan §4.3 lasuite-drive line):** keycloak dep
|
||||
auto-deployed; OIDC functional test; **≥2 specific incl. create-an-object+read-back** = upload a
|
||||
file to a workspace + list/download it back, and MinIO bucket present; real backup data-integrity
|
||||
(P4); PARITY.md mapping. Base health-only will NOT satisfy P3 at gate.
|
||||
|
||||
**Standing §4.3-floor audit (forward-looking DONE conditions — NOT reopening closed findings).**
|
||||
Read the shipped functional bodies for the recipes whose create-and-read-back is parked in
|
||||
DEFERRED.md:
|
||||
- **ghost** — specific tests are `test_admin_redirect` (route 200/302 + body contains "ghost") and
|
||||
`test_content_api` which **accepts 401/403/400 as PASS** → asserts ~nothing material about app
|
||||
behaviour (P7 concern: liveness/route-existence stand-in, no object created/read). create-post
|
||||
deferred (DEFERRED.md, reason = "owner-setup + JWT" — a §7.1-disallowed "needs setup" excuse, NOT
|
||||
operator-confirmed). **At DONE I will require ghost's §4.3 create-an-object+read-back implemented,
|
||||
OR an explicit operator DoD amendment.**
|
||||
- **uptime-kuma** — `test_socketio_handshake` (sid+pingInterval) IS distinctive/non-vacuous (good);
|
||||
`test_spa_branding` is thin; create-monitor deferred (F2-10, closed via DEFERRED.md route on
|
||||
operator-confirmed framing). I will hold to that closure, but the create-monitor §4.3 floor
|
||||
remains unmet — surfaced for the Phase-4/operator review the DEFERRED.md preamble mandates.
|
||||
- **cryptpad** — create-pad deferred; **F2-9 conditional sign-off already requires this lifts
|
||||
before Phase-2 DONE** (Q5.2 cold-sample MUST include a real create-pad-and-persist test).
|
||||
- **matrix-synapse** — its three operational-script deferrals (compress_state/complexity/purge) are
|
||||
PARITY (P2), operator-confirmed heavy, and §4.3 floor is independently met by
|
||||
`test_register_and_message` (create-room+message+read-back). Defensible; not in scope of this audit.
|
||||
|
||||
**Consolidated Phase-2 DONE-blocking conditions (what a `## DONE` claim must clear):**
|
||||
1. **F2-7** — authentik (Q2.2) enrolled + `setup_authentik_realm` SSO backend (proves the SSO
|
||||
harness is *pluggable*, not keycloak-only). Currently in DEFERRED.md, open.
|
||||
2. **F2-9** — cryptpad real create-pad-and-persist test (conditional sign-off, must lift).
|
||||
3. **§4.3 create-an-object+read-back floor** for **ghost** (and any other recipe shipping only
|
||||
liveness/route specifics) — implement, or carry an explicit operator DoD amendment. ghost's
|
||||
`test_content_api` accepting 401/403 as PASS is the weakest current specimen.
|
||||
4. **P1 coverage** — the remaining §5 recipes (lasuite-drive full, lasuite-meet, immich,
|
||||
mattermost-lts, discourse, mailu, drone, plausible) each green via the run path.
|
||||
5. Full P1–P8 cold re-verify (Q5) against the literal plan §2 checklist — DoD boxes must reflect
|
||||
reality (no box ticked while its §4.3 floor sits unimplemented in DEFERRED.md).
|
||||
|
||||
**No VETO** (no DONE claim to block yet). No new blocking finding filed on unclaimed WIP. Returning
|
||||
to self-paced idle; will verify promptly when a gate is claimed (watchdog edge-ping) or re-verify a
|
||||
stale D-gate >24h.
|
||||
|
||||
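Review bot: Condition 3 of the consolidated list ("and any other recipe shipping only liveness/route specifics") leaves it unclear whether uptime-kuma is covered: the audit bullet in this hunk says its create-monitor §4.3 floor "remains unmet" and that `test_spa_branding` is thin, but also that the F2-10 closure will be held. Name the recipes condition 3 applies to, and state explicitly that uptime-kuma is excluded if that is the intent, so the DONE bar cannot be read two ways. The same condition describes `test_content_api` as accepting "401/403" as PASS while the ghost bullet says 401/403/400; make the two agree. The DEFERRED.md reason is quoted as "owner-setup + JWT" here and as "needs setup" in the inbox file, so quote the DEFERRED.md wording once and reuse it.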