recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

claim(2pc): re-claim — F2pc-1 resolved (git==host==ci-docker-prune via b9bbd25)

Browse Source 
Adversary FAILed claim de6103d because that commit still named the units docker-prune while the
host runs ci-docker-prune; the rename was committed in b9bbd25 (its endorsed fix) which is in the
current pushed HEAD. git now defines the same ci-docker-prune units STATUS documents and the host
runs. Behavior was already cold-verified GREEN. Inert NixOS-builtin docker-prune.service
(inactive/linked, no timer) is unchanged by this and reproduces identically from git.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-29 09:50:39 +01:00
parent 49892be7b0
commit 9e73ebda3d
2 changed files with 41 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
machine-docs/JOURNAL-2pc.md
View File

@ -96,3 +96,21 @@ reaches this under ≥80% disk, but the command's effect is the same):
no `--all`, so nothing tagged or container-referenced was touched.
Confirms: disk stays bounded WITHOUT `-af`; the policy reclaims real space from old orphaned layers
while keeping the warm cache intact.
## 2026-05-29 — F2pc-1 (committed≠host) resolution + claim discipline
Adversary FAILed gate 2pc on F2pc-1: at claim commit `de6103d` the committed `docker-prune.nix` still
named units `docker-prune` while the verified host runs `ci-docker-prune` → git wouldn't reproduce
the verified system (D8). Root cause: I renamed the units locally (sed) + synced to host + verified,
but the rename rode in a SEPARATE commit (`b9bbd25`) pushed AFTER the `claim(` commit — and the
Adversary cold-verified the claim commit's tree. Behavior was GREEN; only the artifact lagged.
`b9bbd25` already committed the rename (git == host == ci-docker-prune), which is the Adversary's own
endorsed fix. Confirmed current HEAD: `grep systemd.(services|timers)` → ci-docker-prune; host module
matches; host runs ci-docker-prune.timer enabled+active; builtin docker-prune.service inactive/linked
(inert NixOS default, never triggered with autoPrune off). Re-claimed.
**Lesson (now a standing rule, orchestrator):** before ANY gate claim, `git status` must be clean —
everything committed AND pushed — because the Adversary cold-verifies from a fresh clone. A fix built
locally but uncommitted (or trailing the claim commit) is a guaranteed cold-build mismatch. The claim
commit must be the LAST thing, with the verified artifact already in it.