From 9d52aa420d0dbd8f0fe6b228a6a3f19a12b38871 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 28 May 2026 04:09:06 +0100 Subject: [PATCH] =?UTF-8?q?review(1e):=20E2/HC1=20PASS=20=E2=80=94=20head?= =?UTF-8?q?=5Fref=3D=3Dchaos-version=20proven=20cold=20(custom-html=201.10?= =?UTF-8?q?.0=E2=86=921.11.0,=20deploy-count=3D1);=20non-vacuousness=20pro?= =?UTF-8?q?ven=20via=20adversarial=20probe?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/REVIEW-1e.md | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/machine-docs/REVIEW-1e.md b/machine-docs/REVIEW-1e.md index deef815..d5f93ee 100644 --- a/machine-docs/REVIEW-1e.md +++ b/machine-docs/REVIEW-1e.md @@ -4,7 +4,7 @@ Adversary-owned, append-only. Phase plan: `/srv/cc-ci/cc-ci-plan/plan-phase1e-ha Definition of Done = HC1–HC4 each cold-verified PASS here (handshake per plan.md §6.1). ## Definition-of-Done tracker -- [ ] **HC1** — Upgrade tier upgrades to PR head (prev published → PR-head via `abra app deploy --chaos`), not a published tag; moved-assertion adapted; DG4.1 deploy-count guard reconciled. +- [x] **HC1** — Upgrade tier upgrades to PR head (prev published → PR-head via `abra app deploy --chaos`), not a published tag; moved-assertion adapted; DG4.1 deploy-count guard reconciled. **PASS @2026-05-28 (E2, commit 7472561).** - [x] **HC2** — Repo-local (PR-authored) `test_*.py` / `install_steps.sh` NOT executed unless recipe is on the cc-ci approval allowlist (default-deny). **PASS @2026-05-28 (E0, commit c7ae296).** - [x] **HC3** — Generic runs by default alongside an overlay (additive); skipped only via explicit opt-out; op runs once. **PASS @2026-05-28 (E1 re-claim, fix commit 6eabfdc).** - [ ] **HC4** — No regression: D1–D10 / DG1–DG8 re-verified cold; deploy-once (DG4.1) holds; teardown sacred; three new behaviors demonstrated. @@ -102,6 +102,40 @@ stays 1 in both modes; (4) assertion-only overlays — no double-op risk; (5) no **Open robustness item:** F1e-2 (recipe-fetch concurrency race) — pre-existing, orthogonal, tracked for HC4. +### E2 / HC1 — upgrade to PR head via chaos redeploy — PASS @2026-05-28 (commit 7472561) +Builder claim (STATUS-1e gate, commit 7472561 fixing 6eabfdc multi-line-edit-miss): upgrade tier now +re-checks-out the PR-head ref (`head_ref = $REF or recipe_head_commit(recipe)`, captured pre-tag-checkout) +and chaos-redeploys (`abra.deploy(chaos=True)` direct, not via `deploy_app` — count not incremented). +`assert_upgraded` (when head_ref known) requires the deployed `coop-cloud..chaos-version` label +to MATCH head_ref (prefix-tolerant for short ↔ full commit); falls back to the version/image/chaos +moved-check when head_ref is unknown. + +**Cold verification (own clone HEAD=7472561 shipped to `/tmp/adv-hc1`):** +1. **e2e custom-html install,upgrade** (`cc-ci-run runner/run_recipe_ci.py`): + ``` + ===== TIER: upgrade (generic=run, overlay=cc-ci:tests/custom-html/test_upgrade.py) ===== + upgrade→PR-head: head_ref=8a026066 chaos-version=8a026066 version=1.10.0+1.28.0→1.11.0+1.29.0 + deploy-count = 1 (expect 1) + install : pass upgrade : pass + ``` + `head_ref == chaos-version` (deterministic prefix match), real version move 1.10.0→1.11.0, + **deploy-count=1**, additive generic+overlay both ran post-op, clean teardown (no leftover + stack/volume). ✓ PR-head code under test demonstrably deployed. +2. **Adversarial probe — non-vacuousness:** monkey-patched `deployed_identity` to return + `chaos='09bf4d54'` against a fake `head_ref='deadbeefcafe0001'` in op_state, called + `generic.assert_upgraded` directly → `AssertionError: upgrade deployed chaos commit '09bf4d54', + not the intended PR-head 'deadbeefcafe' — the re-checkout to the code under test failed`. + ✓ A wrong PR-head fails loudly; the assertion is strictly non-vacuous (guards F1d-2 and the prev- + checkout-vacuous-pass bug that 7472561 itself just fixed). + +Verdict: **PASS** — HC1 acceptance met. deploy-count guard correctly reconciled (chaos path direct; +`_record_deploy` lives only in `deploy_app`). No assertion weakened (the move-check fallback for the +no-head_ref path is unchanged; production `!testme` always sets `$REF`). HC3 additive still holds +(generic+overlay both ran post-chaos-deploy). No new finding. + +**Phase-1e D-o-D tracker:** HC1 ✓ HC2 ✓ HC3 ✓ — three corrections all Adversary-verified cold. +**Pending:** HC4 (no-regression D1–D10/DG1–DG8) — re-verify when Builder claims E3. + ### Separate observation while testing (NOT F1e-1) A controlled 2-concurrent same-recipe test (PR=8001/PR=8002, both custom-html) on the **OLD** code showed run-a die in `abra recipe fetch custom-html -n` (rc=1) — concurrent rm-rf + abra-fetch on the