fix(2): Q4.2 mumble — CHAOS_BASE_DEPLOY meta flag for chaos base deploy (clean-tree gate)

mumble's pinned base deploy (prev version 0.2.0) FATAs 'has locally unstaged changes' because install_steps provides an untracked compose.host-ports.yml. New recipe_meta CHAOS_BASE_DEPLOY=True + lifecycle._recipe_meta_flag + deploy_app branch -> base uses chaos (skips clean-tree/lint, deploys the checked-out pinned version, not LATEST), mirroring the lightweight-tag chaos-base path. DECISIONS.md records the full mumble enrollment design. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 19:32:48 +01:00
parent 1b6c77c76a
commit 999dd0d564
3 changed files with 64 additions and 0 deletions
--- a/runner/harness/lifecycle.py
+++ b/runner/harness/lifecycle.py
@ -90,6 +90,19 @@ def _recipe_extra_env(recipe: str, domain: str) -> dict[str, str]:
    return {str(k): str(v) for k, v in (ee or {}).items()}


+def _recipe_meta_flag(recipe: str, key: str) -> bool:
+    """Read a boolean flag from tests/<recipe>/recipe_meta.py (e.g. CHAOS_BASE_DEPLOY). Returns
+    False if the recipe ships no meta or the flag is absent/falsey. Trusted in-repo exec, same as
+    _recipe_extra_env."""
+    path = os.path.join(os.path.dirname(__file__), "..", "..", "tests", recipe, "recipe_meta.py")
+    if not os.path.exists(path):
+        return False
+    ns: dict = {}
+    with open(path) as fh:
+        exec(compile(fh.read(), path, "exec"), ns)  # noqa: S102 (trusted, in-repo)
+    return bool(ns.get(key))
+
+
 def _record_deploy() -> None:
    """Increment the per-run deploy counter (DG4.1: one deploy per run). No-op unless the
    orchestrator set CCCI_DEPLOY_COUNT_FILE — so it never affects standalone/manual use."""
@ -217,6 +230,19 @@ def deploy_app(
                flush=True,
            )
            chaos = True
+        # A recipe may force a chaos base deploy via recipe_meta CHAOS_BASE_DEPLOY=True when cc-ci adds
+        # an untracked compose overlay to the recipe checkout (e.g. mumble's host-ports.yml, provided
+        # by install_steps for older versions that predate it). The untracked file makes abra's
+        # pinned-deploy clean-tree check FATA ('has locally unstaged changes'); chaos skips lint +
+        # the clean-tree gate and deploys the EXPLICITLY-checked-out pinned version (we already ran
+        # recipe_checkout(version) above) — NOT latest. Same mechanism as the lightweight-tag branch.
+        elif _recipe_meta_flag(recipe, "CHAOS_BASE_DEPLOY"):
+            print(
+                f"  deploy_app({recipe}@{version}): CHAOS_BASE_DEPLOY set → chaos base deploy of the "
+                "checked-out pinned version (skips clean-tree/lint; deploys version, not LATEST)",
+                flush=True,
+            )
+            chaos = True
    # Pin DOMAIN to the run domain explicitly. `abra app new -D` fills it for recipes whose
    # .env.sample uses a literal placeholder, but NOT for ones using a `{{ .Domain }}` Go-template
    # (this abra version leaves it unexpanded → deploy fails "can't evaluate field Domain"). Setting